Labyrenth CTF Windows Track Challenge #2

File: BabbySay.exe

SHA256: 7CA8D9F1BE070DEB6535326AB4DFAE4824055F777DD929D2DEE9D0ADBEBDE785

Packed: No

Tools used: exeinfo, Reflector

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-2

Description: This challenge is written in C#. Decompiling it is trival using tools like Reflector. You may find a copy of the decompiled source code in github.

exeinfo
Figure 1. Exeinfo indicates that the challenge is written in c#

On executing the challenge, you will see the following… looks like we need to key in a certain sequence before we can get the flag.

piano
Figure 2. A piano lesson

Decompiling the challenge using reflector is easy. The key_click function looks suspicious with all the funny characters…

reflector
Figure 3. key_click function

Being lazy… i shall just copy paste most of the codes here into another c# project (removing the if else) and writing the thangs variable to a file. Compile & run XDDDD

copypaste
Figure 4. stripping the if else and recompiling the codes

Wow we got the flag just like this…

flag
Figure 5. We got the flag!

FLAG: PAN{B4BBY_Y3LL5_50_L0UD!}

Advertisements
Labyrenth CTF Windows Track Challenge #2

Labyrenth CTF Windows Track Challenge #1

Took me a week to complete 2 tracks in Palo Alto CTF, Windows and Docs. Will be sharing my humble little solutions here. Hope you guys will learn something useful here. Some of the challenges uses malware techniques! Kudos to the organizer.

File: AntiD.exe

SHA256: 49f3638065722b96809cb72c226d86566783d510c968d516436aa7c248d608ee

Packed: Custom UPX

Tools used: ExeInfo, IDA Pro, Ollydbg, Scylla & CFF Explorer

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-1

Description: This challenge uses UPX to pack but modded it to prevent upx -d from working. It also uses some anti debugging techniques to deter the use of debugging tools. Flag is not in clear, one would need to analyze the math behind and decode the flag.

upxPacked
Figure 1. AntiD packed with UPX

It seems like the binary is packed with UPX. Let’s try to use the official tool to unpack. However it seems like we are unable to unpack =(

upx
Figure 2. Unable to unpack

Loading the binary in IDA Pro, we can observe that the binary is indeed packed. From the screenshot below, we can only see 1 function; an indication of a packed binary. Next, we can clearly see that there is a tail jump. To unpack this binary manually, we just need to break at the tail jump and dump the process.

tail jump
Figure 3. tail jump

But before that, I would want to disable ASLR to make my job easier while debugging it. Using CFF Explorer tool, simply uncheck “DLL can move” checkbox and apply the changes.

uncheckDLLMove
Figure 4. Disable ASLR

Run the patched AntiD.exe in ollydbg. Set a breakpoint @ 0x4091AC. Run the program till it breaks and step into the next instruction.

break
Figure 5. Break @ tail jump

Just dump the process as shown below. However running the dumped process would popup an error.

Dump
Figure 6. Dump Process

The dumped process’s IAT need to be fixed. For this, I use Scylla tool to delete the invalid imports and clicking on the fix dump button. Now we should have a working copy of the binary.

scylla
Figure 7. Fixing IAT using Scylla

Loading the unpacked binary into IDA Pro, we can see that it looks unpack now. We can see more functions, imports and plain string.

unpacked
Figure 8. Unpacked binary

X-referencing from the string, we would derive to the following function. Seems like 0x004011B0 function is the key to solving this puzzle.

figure Key
Figure 9. 0x004011B0 seems to be the key in solving this puzzle

In 0x004011B0 function, we can see some encoded variables; 40 of them and the following mathematical transformation consisting of XOR, addition and subtraction.

decodingAndChecks
Figure 10. Decoding operations & anti debugger techniques

I simply converted the codes into PHP and attempt to bruteforce the flag.

reverse
Figure 11. Flag derived

FLAG: PAN{C0nf1agul4ti0ns_0n_4_J08_W3LL_D0N3!}

 

 

Labyrenth CTF Windows Track Challenge #1

Anti Forensic: Overwriting executable while it is still running

Download from: https://github.com/jmprsp/ProcessFailures

Reference: https://recon.cx/2016/talks/Process-Failure-Modes.html

As presented in RECON 2016 by James Forshaw. He demonstrated that he is able to overwrite an application’s physical file while it is still running as a process. According to his presentation, NtCreateUserProcess returns a file handle when it is called. The file handle can be used to overwrite the running process His POC is in the form of C#/Powershell. I simply converted it to C/Executable.

slides
Figure 1. NtCreateUserProcess returning file handle

To demonstrate that it really work, I used an executable that simply popup a message box; named demo.pdf. You can see the hexadecimal of the binary file in the HxD GUI below. On executing Overwrite.exe, demo.pdf will be created as a process and while it is still running, Overwrite.exe will then overwrite demo.pdf with an actual pdf file (Process Failure modes – Final.pdf).

setup
Figure 2. Initial Setup

Usage of the program is as follows: Overwrite.exe [Full path to executable] [input file]

overwritten
Figure 3. demo.pdf overwritten with actual pdf

As we can see from the above screenshot, demo.pdf is executed as a process but HxD has already reflected the new bytes in Demo.pdf. We can also observe that demo.pdf file size has changed to 3MB from 165KB proving that this trick did indeed work.

From a RE point of view, we should keep a look out on the CREATE_INFO’s AdditionalFileAccess mask and the usage of undocumented API as shown below.

accessmask
Figure 4. AdditionalFileAccess Mask

 

Anti Forensic: Overwriting executable while it is still running

Executing DLL as a Process

Download from: https://github.com/jmprsp/ProcessFailures

Reference: https://recon.cx/2016/talks/Process-Failure-Modes.html

As presented in RECON 2016 by James Forshaw. He demonstrated that he is able to execute a DLL as a standalone process. According to his presentation, the reason why a DLL can’t be executed as a process is due to a check on the ProhibitedImageCharacteristics field. His POC is in the form of C#/Powershell. I simply converted it to C/Executable.

ProhibitedImageCharacteristics
Figure 1. ProhibitedImageCharacteristics

So by simply resetting this field to 0, we could then run a DLL as a process!

The following is a DLL with a .txt extension; just for fun… using regsvr32 is one of the way to execute a DLL and as you can see, a messagebox shows up stating that it is a DLL.

dll
Figure 2. running a DLL

Now using James approach, we can now execute pikachu.txt as an executable!

Executable
Figure 3. running the DLL as a process
taskmanager
Figure 4. pikachu.txt running as a process

Looking it from IDA Pro

Clear.PNG
Figure 5. Clearing ProhibitedImageCharacteristics

Note that one do not necessary need to clear the field with 0. Other values work as well.

Executing DLL as a Process

JmpRsp on github

Will be uploading some binaries @ https://github.com/jmprsp

The first project will be on Process Mode Failures by James Forshaw as presented in Recon 2016. The POC given by James is in Powershell/C#. I reproduced some of his work into C. Over the next few days you will find the following executables in github.

  1. Executing DLL as a process [Uploaded]
  2. Overwriting the physical file of a binary while it is still running as a process  [Uploaded]

Reference: https://recon.cx/2016/talks/Process-Failure-Modes.html

JmpRsp on github