Play The Game for fun and Pineapple

with a lot of delay...

In April, at the STHACK security event in Bordeaux, we found a curious business card from the Novidys Group:

After scanning the QR code with my smartphone I got this URL: http://2uqcr3jdmdpru7xyf56hza3k3nquqv3ddhw4ow5hwgkpuvcfuasq.b32.i2p/

It's an I2P URL! What's I2P?

'I2P is an anonymous overlay network - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs. I2P is used by many people who care about their privacy: activists, oppressed people, journalists and whistleblowers, as well as the average person.
No network can be "perfectly anonymous". The continued goal of I2P is to make attacks more and more difficult to mount. Its anonymity will get stronger as the size of the network increases and with ongoing academic review.
I2P is available on desktops, embedded systems (like the Raspberry Pi) and Android phones. Help spread the word!'

Downloading and installing I2P: https://geti2p.net/en/download

For Debian Jessie:

Create /etc/apt/sources.list.d/i2p.list and add the following lines:

deb https://deb.i2p2.de/ jessie main
deb-src https://deb.i2p2.de/ jessie main

Then run these commands:

$ apt-key add i2p-debian-repo.key.asc

$ apt-get update

$ apt-get install i2p i2p-keyring

Finally, launch I2P:

$ i2prouter start

After setting up a proxy so my browser could reach the site through I2P, I got this image: obf.jpg

The page source gave me more indications:

Nice! It's a challenge with nice prizes :]

Step 1:

So what can I do with this image?

Running the Foremost tool on the image extracts a password-protected zip file.

The password is on the picture, but trying to guess it was a failure!
With GIMP and the "Enhance -> Deinterlace" filter ("Amelioration -> Désentrelacer" in the French interface) I can see the password: @p3nYoUr3ye5!

First step is done!

$ cat nice.txt
not so bad Dude!
email to validate this step is : O1SIy-1bZHo-sdbEJ-mUkh1-eLc49@novidys.com

Step 2:

Now I have a dump file: it's a PCAP of ICMP requests with data encoded in hexadecimal.

The Python script to recover the split data:

#!/usr/bin/python

import dpkt

# The packets yielded by dpkt.pcap.Reader come as pairs (ts, buf): "ts" is the
# capture timestamp and "buf" is the raw frame as captured by the sniffer.
# We extract every ICMP payload and concatenate them into one file.
pcap_file = open("dump.pcap", "rb")
out_file = open("output", "wb")

pcap = dpkt.pcap.Reader(pcap_file)

for ts, buf in pcap:
    eth = dpkt.ethernet.Ethernet(buf)
    ip = eth.data
    if not isinstance(ip, dpkt.ip.IP):   # skip non-IP frames (ARP, etc.)
        continue
    icmp = ip.data
    if ip.p == dpkt.ip.IP_PROTO_ICMP and len(icmp.data.data) > 0:
        try:
            out_file.write(icmp.data.data)   # echo payload after the ICMP header
        except Exception:
            print('Error extracting ICMP payload data from this packet.')

pcap_file.close()
out_file.close()

Converting the output file from hexadecimal gives base64, and decoding that gives a gz archive, which finishes step 2!

$ cat output | xxd -r -p | base64 -d > output_to_base64_to_gzip
$ tar -xvzf output_to_base64_to_gzip
my.img  
step.txt  
$ cat step.txt 
we need you to go deeper  
the email to validate this step is 5LH7w-rIOLh-fRjeG-vQKDj-osAKV@novidys.com  
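The extract-then-decode chain of this step as one self-contained script, added here and not the author's code: it needs no dpkt (a minimal pcap reader replaces it), builds a constructed capture of ICMP echo requests carrying hex chunks, and undoes hex -> base64 -> gzip, with a plain gzip blob standing in for the challenge's tar.gz.

```python
import base64, gzip, struct

# Constructed sample: a secret hidden the way the challenge did it, i.e. gzip'd,
# base64'd, hex-encoded and split across the payloads of several ICMP echo requests.
SECRET = b"we need you to go deeper\n"
HEX_STREAM = base64.b64encode(gzip.compress(SECRET)).hex().encode()
CHUNKS = [HEX_STREAM[i:i + 32] for i in range(0, len(HEX_STREAM), 32)]

def build_pcap(payloads):
    """Write a pcap (Ethernet link type) of ICMP echo requests carrying the payloads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for seq, data in enumerate(payloads):
        icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq) + data          # type 8, checksum 0
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + icmp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                       # MACs + EtherType IPv4
        out += struct.pack("<IIII", seq, 0, len(frame), len(frame)) + frame
    return out

def icmp_payloads(pcap):
    """Minimal pcap reader: yield the bytes after the 8-byte ICMP header of each echo packet."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                                           # skip global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                                # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 1:                                         # not ICMP
            continue
        icmp = frame[14 + ihl:]
        if icmp[0] in (0, 8) and len(icmp) > 8:                        # echo reply/request
            yield icmp[8:]

def recover(pcap):
    """Reassemble the hex stream and undo hex -> base64 -> gzip, as the writeup does."""
    hex_stream = b"".join(icmp_payloads(pcap))
    return gzip.decompress(base64.b64decode(bytes.fromhex(hex_stream.decode())))

if __name__ == "__main__":
    print(recover(build_pcap(CHUNKS)).decode())
```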

Step 3:

Next I have the file my.img:

$ file my.img 
my.img: Linux rev 1.0 ext4 filesystem data, UUID=5308fb61-f662-4c0a-8caa-ba552c53cfab (needs journal recovery) (extents) (huge files)  

I can mount it:
$ sudo mount my.img /mnt/forensic

I obtain 250 files with this Russian text inside, and the file names look like base64 strings.

$ cat 0ENeRnncw1xz9xXZnMsuWRnNaGR9SXmQ.txt
В рамках своей миссии по обеспечению информационной безопасности 
Агентство национальной безопасности уже давно участвует в 
исследовательском сообществе компьютерной безопасности в изучении 
широкого спектра вопросов безопасности компьютеров, включая безопасность 
операционной системы. Признавая критическую роль механизмов безопасности 
операционной системы в обеспечении безопасности на более высоких уровнях, 
исследователи из исследовательской группы NSA Trusted Systems Research, 
ранее являвшейся Национальной исследовательской лабораторией по исследованию 
информации, изучали архитектуру, которая может обеспечить необходимые 
функции безопасности таким образом, который может удовлетворить Потребности 
в безопасности широкого круга вычислительных сред.

In English, with Google Translate:

As part of its mission to ensure information security The National Security Agency has long been involved in
Research community of computer security in the study
A wide range of computer security issues, including security
Operating system. Recognizing the critical role of security mechanisms
Operating system in providing security at higher levels,
Researchers from the research group NSA Trusted Systems Research,
Previously the National Research Laboratory for Research
Information, studied the architecture, which can provide the necessary
Security functions in a way that can satisfy the needs
A wide range of computing environments.

One file, named secret.des3, has base64 inside:

$ cat forensic/secret.des3 | base64 -d > secret.des3.data

$ hexdump -C -n 16 secret.des3.data 
00000000  53 61 6c 74 65 64 5f 5f  d3 99 ee 14 5f 90 ca cf  |Salted__...._...|  

It's an OpenSSL salted DES3-encrypted file (the "Salted__" magic followed by the 8-byte salt) and we need a password to decrypt it: http://justsolve.archiveteam.org/wiki/OpenSSL_salted_format
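As an added example (not the author's code), the salted header from the hexdump above parsed and the des-ede3-cbc key/IV derived with EVP_BytesToKey, the MD5-based derivation OpenSSL used by default at the time; assumed are the helper names and that the file was produced with a pre-1.1.0 default digest (newer releases default to SHA-256, so the derived key would differ).

```python
import hashlib

# Constructed from the writeup's hexdump: "Salted__" magic followed by the 8-byte salt,
# and the password found with strings on the image.
HEADER = bytes.fromhex("53616c7465645f5fd399ee145f90cacf")
PASSWORD = b"H0t-p4T4toZz"

def parse_salted_header(blob):
    """Return the 8-byte salt if the blob uses the OpenSSL salted format, else None."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        return None
    return blob[8:16]

def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5", count=1):
    """OpenSSL EVP_BytesToKey: D_i = H(D_{i-1} || password || salt), concatenated
    until key_len + iv_len bytes are available (one hash round per block by default)."""
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):
            prev = hashlib.new(digest, prev).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]

def des3_key_iv(blob, password, digest="md5"):
    """Key (24 bytes) and IV (8 bytes) for des-ede3-cbc from a salted blob and password."""
    salt = parse_salted_header(blob)
    if salt is None:
        raise ValueError("not an OpenSSL salted blob")
    return evp_bytes_to_key(password, salt, 24, 8, digest)

if __name__ == "__main__":
    key, iv = des3_key_iv(HEADER, PASSWORD)
    print("salt:", parse_salted_header(HEADER).hex())
    print("key:", key.hex(), "iv:", iv.hex())
```

The ciphertext itself starts at offset 16, right after the salt, and is decrypted in CBC mode with this key and IV.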

I looked for the password; after time lost trying to find something in the name of each file, I returned to the basic strings command:

$ strings my.img | grep openssl
openssl des3 key H0t-p4T4toZz  

Decrypting the DES3 file:

$ cat secret.des3 | base64 -d > secret.des3.data
$ openssl des3 -d -in secret.des3.data -out secret.txt
enter des-ede3-cbc decryption password:

$ file secret.txt 
secret.txt: POSIX tar archive (GNU)  
$ mv secret.txt secret.gz
$ tar -xvwf secret.gz
extract « getTheFlag.b64 »?  
getTheFlag.b64  
extract « doc.txt »?  
doc.txt

$ cat doc.txt 
Hi Dude, happy to see you again, the validation email for this step is vCgPM-3t6J4-5ubAE-wk5Lh-6VnGs@novidys.com  

Step 4, final step:

I'm not a reverser, so I asked a friend for help, thanks to him!

  1. Bypass the ptrace call at 0x400675
  2. Watch the flow with Hopper
  3. Use angr

Import the angr library:

$ python
Python 2.7.13 (default, Jan 19 2017, 14:48:08)  
[GCC 6.3.0 20170118] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import angr
WARNING | 2017-06-12 23:15:21,769 | claripy | Claripy is setting the recursion limit to 15000. If Python segfaults, I am sorry.  

Create the angr project, disabling the auto-loading of libraries:

>>> proj = angr.Project('./getTheFlag.bin',load_options={"auto_load_libs": False})

A symbolic buffer of 16 bytes for argv[1]:

>>> argv1 = angr.claripy.BVS("argv1",16*8)
>>> initial_state = proj.factory.path(args=["./getTheFlag.bin",argv1])
>>> pg = proj.factory.path_group(initial_state)

We want to reach the address 0x0400954:

>>> pgs=pg.explore(find=0x0400954)  
WARNING | 2017-06-12 23:16:32,099 | simuvex.plugins.symbolic_memory | Concretizing symbolic length. Much sad; think about implementing.  
>>> pgs
<PathGroup with 15 deadended, 1 errored>  
>>> solution = pg.errored[0].state.se.any_str(argv1)
>>> print repr(solution)
'N0v1Dy5X0rK3y\x00\x00\x00'  

Nice, I try it as the key:

$ ./getTheFlag.bin N0v1Dy5X0rK3y
You did It Dude ;). It is the last step, the mail is fPlxy-gts4c-txMw9-OWnmP-WK3MX@novidys.com  

Done!!! I got the last email address!
A few days later I received an email telling me that I was the first to have solved the challenge.

So I won the Pineapple (a voucher, for simplicity reasons), thanks again Novidys for the challenge!

\o/

Pineapple

Fap'ment,

++