Tuesday, August 6, 2013

ebCTF 2013 :: BIN200 (200 points)

The challenge for BIN200 is to uncover the hidden file contained within the given executable.

Step 1: Load the executable (ebCTF_BIN200.exe) in OllyDbg and run it; the executable prompts for a secret key. Looking through the code reveals that the executable was generated with 'Perl2Exe', a command-line utility for converting Perl scripts to .exe files. An interesting keyword found within the executable is '-p2x_debug', which will be used later.

Step 2: View the events captured by OllyDbg: go to View > Log (Alt+L). There is an entry for a DLL file dumped into the AppData Temp folder. Examination of the DLL reveals that it is packed with UPX. Unpack it with the UPX unpacker.

Example:
 Address=28000000
 Message=Module C:\Users\Braeburn\AppData\Local\Temp\p2xtmp-4484\p2x5123.dll

Step 3: Re-run the executable in OllyDbg with '-p2x_debug' as the argument, and debug information is displayed in the command prompt. It is now clear that the hidden file is '_main.pl'.

P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe
GetTempDir: returning C:\Users\Braeburn\AppData\Local\Temp/p2xtmp-4484
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe FOUND IN PERL2EXE_STORAGE

[*] ebCTF BIN 200
      No comment...

[*] What is the secret?

Step 4: Load the unpacked DLL in IDA Pro and search for the location where the string "ISEXT_Init: filename = " is referenced. It is located at address 0x280AC503. After examining the flow graph from that location onwards, it is clear that a different path is needed in order to dump the files to the tmp folder.

Step 5: Re-run the executable, change the instruction at address 0x280AC52E from JNZ to JZ before EIP reaches address 0x280AC503, and you will find the Perl script in the tmp folder.

The secret key and the flag for this challenge are found within the Perl script.

Secret key: "Sup3RSeCr3tStuFf!"
Flag: ebctf{ededb03c7998fa751be21d1364a58600}

Flag captured! 200 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny 

ebCTF 2013 :: BIN100 (100 points)

The challenge for BIN100 is almost identical to the teaser challenge (except that this one is a Linux executable), so we shall not go into detail on what the executable does. In summary, we need to roll 3-1-3-3-7 with a dice. Oh yes, we need to roll a 7 with a dice. That's awesome, isn't it?

There are two ways to tackle this challenge: either patch the checks out with NOPs or change the instructions from JNE to JE. With the latter, you have to throw a number that is NOT wanted at that checkpoint: on your 1st throw, you have to throw any number except 3 in order to proceed to the next checkpoint.

Step 1: Identify the conditional checks for the 5 throws to be made and patch them accordingly.

If you prefer to patch the executable with NOPs, these are the file offsets to do so (offset: original byte, new byte). The first three checks are 2-byte short JNEs (75 rel8), the last two are 6-byte near JNEs (0F 85 rel32), which is why they need six NOPs each:
00000F8C: 75 90
00000F8D: 4E 90
00001199: 75 90
0000119A: 4F 90
000013A7: 75 90
000013A8: 6D 90
000015AA: 0F 90
000015AB: 85 90
000015AC: 82 90
000015AD: 00 90
000015AE: 00 90
000015AF: 00 90
0000180A: 0F 90
0000180B: 85 90
0000180C: C1 90
0000180D: 00 90
0000180E: 00 90
0000180F: 00 90

If you prefer to reverse the flow at each of the 5 conditional checkpoints, these are the offsets where the instructions are to be changed (offset: original byte, new byte; 75 to 74 turns a short JNE into JE, 85 to 84 does the same for the second opcode byte of a near JNE):
00000F8C: 75 74
00001199: 75 74
000013A7: 75 74
000015AB: 85 84
0000180B: 85 84

Step 2: Save the executable.

Step 3: Run the executable to obtain the flag.
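As an added example (not part of the writeup), the script below applies the JNE-to-JE patch list above, in the writeup's "offset: old new" format, to a copy of the binary, and refuses to write anything if the bytes at those offsets are not the expected originals, so a different build cannot be silently corrupted. The demo_binary() stand-in is constructed here; the function names are this example's own.

```python
# Patch list copied from the writeup: flip each JNE to JE (0x75 -> 0x74 for a
# short jump, 0F 85 -> 0F 84 for the second opcode byte of a near jump).
JE_PATCHES = """\
00000F8C: 75 74
00001199: 75 74
000013A7: 75 74
000015AB: 85 84
0000180B: 85 84
"""

def parse_patches(text):
    """Parse 'OFFSET: OLD NEW' lines (all hex) into (offset, old_byte, new_byte) tuples."""
    patches = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        offset, rest = line.split(":", 1)
        old, new = rest.split()
        patches.append((int(offset, 16), int(old, 16), int(new, 16)))
    return patches

def verify_patches(data, patches):
    """Return (offset, found, expected) mismatches; an empty list means it is safe to patch."""
    mismatches = []
    for offset, old, _ in patches:
        found = data[offset] if offset < len(data) else None
        if found != old:
            mismatches.append((offset, found, old))
    return mismatches

def apply_patches(data, patches):
    """Return a patched copy of data, refusing if any original byte is not as expected."""
    bad = verify_patches(data, patches)
    if bad:
        raise ValueError("binary does not match the patch list: %r" % bad)
    buf = bytearray(data)
    for offset, _, new in patches:
        buf[offset] = new
    return bytes(buf)

def demo_binary():
    """Constructed stand-in for the challenge file: zeros except the expected bytes."""
    buf = bytearray(0x2000)
    for offset, old, _ in parse_patches(JE_PATCHES):
        buf[offset] = old
    return bytes(buf)
```

To patch the real file, read it as bytes, pass it to apply_patches() with parse_patches(JE_PATCHES), and write the returned bytes to a new file.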

Flag captured! 100 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny

ebCTF 2013 :: NET100 (100 points)

The challenge for NET100 is to figure out, from a pcap file, what damage an evil hacker did to Eindbazen.

Step 1: Load the pcap file with Wireshark.

Step 2: Go to packet number 767. This packet contains an HTTP GET request that reveals a wget command was executed to download the payload file (rootkit.zip). The file can be saved to a working directory via Wireshark's HTTP object list: go to File > Export > Objects > HTTP to bring it up. Any attempt to unzip the file (to view flag.txt) will fail, as it is protected with a password.

Step 3: Go to packet number 8. Right-click the packet, select "Follow UDP Stream", choose "ASCII", and save the entire conversation as an ASCII file. View the saved file with your preferred text editor. The password lies between line 593 and line 609.

Step 4: Use the extracted password to retrieve flag.txt from rootkit.zip. The flag for this challenge lies within flag.txt. 100 points in the bag!! Yay!!!
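Scripting step 3, as an added example that is not part of the writeup: a stdlib-only pcap reader that reproduces Wireshark's "Follow UDP Stream" for a given frame number, joining both directions of the conversation so the text can be searched without clicking through the GUI. It assumes a classic pcap (not pcapng) with Ethernet framing; sample_capture() builds a constructed capture so the example runs offline, and all function names are this example's own.

```python
import struct

def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left zero; enough for parsing)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + udp_hdr + payload

def make_pcap(frames):
    """Serialize frames as a classic little-endian pcap with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out

def udp_packets(pcap):
    """Yield (frame_no, (src, sport, dst, dport), payload) for every IPv4/UDP frame."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # classic pcap magic only
    pos, frame_no = 24, 0
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        frame_no += 1                        # Wireshark numbers every frame from 1
        if frame[12:14] != b"\x08\x00":      # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                      # skip non-UDP packets
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
        yield frame_no, (src, sport, dst, dport), ip[ihl + 8:ihl + ulen]

def follow_udp_stream(pcap, frame_no):
    """Return both directions of the UDP conversation containing frame_no, as ASCII text."""
    pkts = list(udp_packets(pcap))
    key = next(k for n, k, _ in pkts if n == frame_no)
    reverse = (key[2], key[3], key[0], key[1])
    data = b"".join(p for _, k, p in pkts if k in (key, reverse))
    return data.decode("ascii", errors="replace")

def sample_capture():
    """Constructed sample pcap (not the challenge capture): one chat plus an unrelated packet."""
    a, b, c = "10.0.0.5", "10.0.0.9", "10.0.0.77"
    return make_pcap([udp_frame(a, b, 40000, 9999, b"what is the zip password?\n"),
                      udp_frame(c, b, 5353, 5353, b"unrelated"),
                      udp_frame(b, a, 9999, 40000, b"password: example_only\n")])
```

For the challenge capture, open the file in binary mode and call follow_udp_stream(data, 8); the returned text is what Wireshark's ASCII view of the stream shows.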

Flag: ebCTF{b78dc61ce895a3856f3520e41c07b1be}

Cheers,
Braeburn Ladny