LABYRENTH CTF WINDOWS TRACK CHALLENGE #7

File: PuppetPals.exe

SHA256: 337D094ED647EAE05F871A0295A6DB55E1FA07BE7EB4D9DD2D0B2E45FC44C1C1

Packed: No

Architecture: 32Bit

Tools used: exeinfo, IDA Pro, OllyDbg

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-7

Description: This challenge is written in C++. A PCAP file given. Decrypt the message that is hidden in the traffic to get the flag.

firstlook
Figure 1. First look

The above figure tells us a lot of stuff.

  1. It is likely that it is not packed
  2. It is probably attempting to connect to an IP (172.16.95.1)
  3. There are some sort of debug messages
  4. uses socket to send data out

Let’s try to get the flag!

network
Figure 2. Socket

x-referencing from the import list we will see the above figure. Looks like the challenge is attempting to connect to 172.16.95.1:8080. It seems to only send 1 character at a time… Now, I want to know what is being send over the network. Tracing who calls this function bring us to the figure below.

ataglance
Figure 3. Steal, encrypt, encode, Send

 

The figure above shows that the challenge reads content from file.txt, encrypt the content, encode the encrypted content and send it out.

Let’s take a look at 0x00412359. How did I derive that it is a base64 encoding function? Take a look at 0x00411840 and you will see some tell tale signs as shown in the figure below. Most importantly I see “=” sign being appended near the end of the function.

base64
Figure 4. 0x00411840
base64_key
Figrue 5. 64 character long string

Here is a piece of code i grabbed from online of a base64 implementation.

applebase64
Figure 6. Base64 implementation

Notice there are some similarities between the code and the assembly codes. However the basis_64 variable seems to be different. Custom base64 encoding??? That is my guess. Now is there anyway to prove it? Let’s get our hands dirty with ollydbg! First create a file “file.txt” and placed it together with the challenge executable’s location. Put some contents in it… for my case I entered “AAAABBBBCCCCDDDDEEEEFFFF” into file.txt

We shall set breakpoint at

  1. 0x0412345 – call to suspected encryption routine
  2. 0x041234A – after encryption routine (or use F4 to break @ here)
  3. 0x0412359 – call to suspected base64 routine
  4. 0x041235E – after encoding routine (or use F4 to break @ here)
1
Figure 7. Visualizing encrypting and encoding in action via ollydbg

In the above figure, we can see that the string “AAAABBBBCCCCDDDDEEEEFFFF” and its length 0x18 (decimal 24) is passed into the subroutine @ 0x00411127.

2
Figure 8. encrypted

After the routine, we can see that the value in the memory has changed. It seems like the encrypted data has the same length as the plain text.

3
Figure 9. encoding

@0x0412359 we can see that the encrypted data is passed into the routine @004111B3 (our suspected base64)… Let’s do a quick check here. We shall change the encrypted contents to “PIKACHU THUNDERBOLT NOW!

pikachu
Figure 10. edit binary: PIKACHU

Run to the next breakpoint @0x041235E (after the encoding routine).

4
Figure 11. encoded

We can see from the memory address pointed by eax that there are some garblish data in it… “GYc4QGlypBtGBKpz/YpBQ9UfpgtzsPVC

Now we shall use an online tool for a quick check… (https://www.malwaretracker.com/decoder_base64.php) using “qtgJYKa8y5L4flzMQ/BsGpSkHIjhVrm3NCAi9cbeXvuwDx+R6dO7ZPEno21T0UFW” as the custom key.

olly_base64_decoded
Figure 12. custom base64 online tool

As shown from the above figure, we indeed decoded the encoded data back to our pikachu text! Now we need to figure out how the encryption is done and we are almost there. Sadly i don’t have a lazy/simple solution here. I reversed the encryption algo into php code and did a algo reversal to get the plain text from the encrypted data. You may find the encryption code and decryption code in the github link provided.

Back in figure 2, we mentioned that only 1 byte is sent at a time to 172.16.95.1. Using scapy we can extract the data out from the pcap (as shown below).

exfiltratreddata
Figure 13. extract data from pcap

Analyzing the encryption routine, you will see that “AWildKeyAppears!” is being used as a key to encrypt the data.

php1
Figure 14. Reversing the encryption routine (part 1)

The following is a php code of the encryption routine found in the challenge.

php2
Figure 15. Reversed Encryption routine

The following is the codes to reverse the encryption process. Basically it undo what an encryption routine does.

php3
Figure 16. Reversing the encryption algo

 

Running the extracted data with the codes I had reversed earlier…

solved
Figure 17. Flag secured

FLAG: PAN{did_1_mention_th0se_pupp3ts_fr34ked_m3_out_recent1y?}

Advertisements
LABYRENTH CTF WINDOWS TRACK CHALLENGE #7

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s