CTF-BR! – f250

f250 – Dump

Posted 11 de maio de 2015

> ASIS CTF > ASIS CTF Quals 2015 > f250 - Dump

Where is flag?

file

Solução

Ao abrir o arquivo, podemos ver que se trata de um dump de VirtualBox SavedState V2.0. Inicialmente achamos que daria pra analisar com o Volatility, mas como estava em formato “raw“, não foi possível. O amigo \0x29a pesquisou e achou um write-up da edição de 2014 do ASIS CTF, onde também utilizaram um dump desse tipo. Lá conseguimos uma tool para fazer parser e extrair o que realmente era interessante.

Obtivemos os seguintes arquivos após a extração:

alisson@alisson-note:~/Downloads/savparser/Files$ file *
dump-8237A.out:             data
dump-acpi.out:              data
dump-apic.out:              data
dump-ConsoleData.out:       data
dump-cpum.out:              FoxPro FPT, blocks size 0, next free block index 33628185
dump-DisplayData.out:       data
dump-DisplayScreenshot.out: data
dump-em.out:                TTComp archive data
dump-HGCM.out:              data
dump-HWACCM.out:            AIX core file 32-bit 64-bit
dump-i8254.out:             data
dump-i8259.out:             data
dump-ichac97.out:           data
dump-mc146818.out:          data
dump-mm.out:                data
dump-.out:                  empty 
dump-pci.out:               data
dump-pckbd.out:             AIX core file 32-bit 64-bit
dump-pcnet.out:             data
dump-pdmblkcache.out:       AIX core file 32-bit 64-bit
dump-pdm.out:               data
dump-pgm.out:               data
dump-piix3ide.out:          PDP-11 UNIX/RT ldp
dump-rem.out:               AIX core file 32-bit 64-bit
dump-selm.out:              data
dump-SSM.out:               data
dump-tm.out:                data
dump-trpm.out:              DOS executable (block device driver \377\377\377\377\377\377)
dump-usb-ohci.out:          data
dump-vga.out:               data
dump-VMMDev.out:            dBase IV DBT of b.DBF, next free block index 16777216
dump-vmm.out:               DOS executable ()

alisson@alisson-note:~/Downloads/savparser/Files$ file *

dump-8237A.out: data

dump-acpi.out: data

dump-apic.out: data

dump-ConsoleData.out: data

dump-cpum.out: FoxPro FPT, blocks size 0, next free block index 33628185

dump-DisplayData.out: data

dump-DisplayScreenshot.out: data

dump-em.out: TTComp archive data

dump-HGCM.out: data

dump-HWACCM.out: AIX core file 32-bit 64-bit

dump-i8254.out: data

dump-i8259.out: data

dump-ichac97.out: data

dump-mc146818.out: data

dump-mm.out: data

dump-.out: empty

dump-pci.out: data

dump-pckbd.out: AIX core file 32-bit 64-bit

dump-pcnet.out: data

dump-pdmblkcache.out: AIX core file 32-bit 64-bit

dump-pdm.out: data

dump-pgm.out: data

dump-piix3ide.out: PDP-11 UNIX/RT ldp

dump-rem.out: AIX core file 32-bit 64-bit

dump-selm.out: data

dump-SSM.out: data

dump-tm.out: data

dump-trpm.out: DOS executable (block device driver \377\377\377\377\377\377)

dump-usb-ohci.out: data

dump-vga.out: data

dump-VMMDev.out: dBase IV DBT of b.DBF, next free block index 16777216

dump-vmm.out: DOS executable ()

Pesquisando pela palavra “ASIS”, encontramos algumas strings interessantes no file dump-pgm.out, mas que não levavam a lugar algum:

alisson@alisson-note:~/Downloads/savparser/Files$ grep -r -i asis .
Arquivo binário dump-pgm.out coincide com o padrão

alisson@alisson-note:~/Downloads/savparser/Files$ strings dump-pgm.out | grep -i asis

tc@box:~/ASIS$ tce-load -wi curl                                         
/a.asis.io/0QnqZU9F)"
tc@box:~/ASIS$ 537987fa50e403b67e9  FDpeDpRD        100 Apr 25 12:16 
tc@box:~/ASIS$      DGRAM                      1408 
tc@box:~/ASIS$      [loop8]
tc@box:~/ASIS$ 
tc@box:~/ASIS$
PWD=/home/tc/ASIS
curl a.asis.io/Flag.txt
curl a.asis.io/gsW85S9x.flag
wget a.asis.io/gsW85S9x.flag
/home/tc/ASIS
tc@box:~/ASIS$ id
tc@box:~/ASIS$ wget a.asis.io/940if27w
Connecting to a.asis.io (87.107.124.13:80)
tc@box:~/ASIS$ echo "Here is not Flag !"
tc@box:~/ASIS$ ls -la
.asis.i
wget a.asis.io/FDpeDpRD
p://a.asis.io/0QnqZU9F)"
/home/tc/ASIS
each other.tc@box:~/ASIS$ date
tc@box:~/ASIS$ wget a.asis.io/gsW85S9x.flag
Connecting to a.asis.io (87.107.124.13:80)
tc@box:~/ASIS$ curl a.asis.io/gsW85S9x.flag
tc@box:~/ASIS$ wget a.asis.io/FDpeDpRD
Connecting to a.asis.io (87.107.124.13:80)
tc@box:~/ASIS$ md5sum FDpeDpRD                                           
tc@box:~/ASIS$                                                           
tc@box:~/ASIS$ python -c "$(curl -fSsL http://a.asis.io/0QnqZU9F)"       
/home/tc/ASIS
Please enter the access key: Asis2015Flag
[...]

alisson@alisson-note:~/Downloads/savparser/Files$ grep -r -i asis .

Arquivo binário dump-pgm.out coincide com o padrão

alisson@alisson-note:~/Downloads/savparser/Files$ strings dump-pgm.out | grep -i asis

tc@box:~/ASIS$ tce-load -wi curl

/a.asis.io/0QnqZU9F)"

tc@box:~/ASIS$ 537987fa50e403b67e9 FDpeDpRD 100 Apr 25 12:16

tc@box:~/ASIS$ DGRAM 1408

tc@box:~/ASIS$ [loop8]

tc@box:~/ASIS$

PWD=/home/tc/ASIS

curl a.asis.io/Flag.txt

curl a.asis.io/gsW85S9x.flag

wget a.asis.io/gsW85S9x.flag

/home/tc/ASIS

tc@box:~/ASIS$ id

tc@box:~/ASIS$ wget a.asis.io/940if27w

Connecting to a.asis.io (87.107.124.13:80)

tc@box:~/ASIS$ echo "Here is not Flag !"

tc@box:~/ASIS$ ls -la

.asis.i

wget a.asis.io/FDpeDpRD

p://a.asis.io/0QnqZU9F)"

/home/tc/ASIS

each other.tc@box:~/ASIS$ date

tc@box:~/ASIS$ wget a.asis.io/gsW85S9x.flag

Connecting to a.asis.io (87.107.124.13:80)

tc@box:~/ASIS$ curl a.asis.io/gsW85S9x.flag

tc@box:~/ASIS$ wget a.asis.io/FDpeDpRD

Connecting to a.asis.io (87.107.124.13:80)

tc@box:~/ASIS$ md5sum FDpeDpRD

tc@box:~/ASIS$

tc@box:~/ASIS$ python -c "$(curl -fSsL http://a.asis.io/0QnqZU9F)"

/home/tc/ASIS

Please enter the access key: Asis2015Flag

[...]

Ficamos um bom tempo parados aqui, sem evolução. Todos links estavam offline e estávamos sem ideias.

TheZakMan chegou, salvou todo o conteúdo desse dump em um .txt, e analisando ele, acabou achando o script em python que foi usado acima, cujo pedia a key: “Please enter the access key: “. Ele utilizou o site http://pythoniter.appspot.com/ para ajeitar o código, e a missão então era fazer um reversing das funções e descobrir a flag:

#!/usr/bin/python
# -*- coding: utf-8 -*-

import hashlib
key = raw_input('Please enter the access key: ').strip()
if len(key) == 38:
    key_ar = key.split('-')
    if len(key_ar) == 5:
        if int(key_ar[0].encode('hex'), 16) == 58559604012647:
            if int(key_ar[1].encode('hex'), 16) == 27697077611219024:
                if int(key_ar[2].encode('hex'), 16) \
                    == 28839576914310229:
                    if int(key_ar[3].encode('hex'), 16) \
                        == 14469853439423811:
                        if int(key_ar[4].encode('hex'), 16) \
                            == 21189029315236706:
                            print key[18] + key[-2] + chr(ord(key[26])
                                    - 1) + key[-2] + '{' \
                                + hashlib.md5(key).hexdigest() + '}'
                        else:
                            print 'You access key is not correct! Banned!!'
                    else:
                        print 'You access key is not correct! Banned!!'
                else:
                    print 'You access key is not correct! Banned!!'
            else:
                print 'You access key is not correct! Banned!!'
        else:
            print 'You access key is not correct! Banned!!'
    else:
        print 'You access key is not correct! Banned!!'
else:
    print 'You access key is not correct! Banned!!'  #

#!/usr/bin/python

# -*- coding: utf-8 -*-

import hashlib

key = raw_input('Please enter the access key: ').strip()

if len(key) == 38:

key_ar = key.split('-')

if len(key_ar) == 5:

if int(key_ar[0].encode('hex'), 16) == 58559604012647:

if int(key_ar[1].encode('hex'), 16) == 27697077611219024:

if int(key_ar[2].encode('hex'), 16) \

== 28839576914310229:

if int(key_ar[3].encode('hex'), 16) \

== 14469853439423811:

if int(key_ar[4].encode('hex'), 16) \

== 21189029315236706:

print key[18] + key[-2] + chr(ord(key[26])

- 1) + key[-2] + '{' \

+ hashlib.md5(key).hexdigest() + '}'

else: