Play The Game for fun and Pineapple
with a lot of delay...
In April, at the STHACK security event in Bordeaux, we found a curious business card from the Novidy's group:
After scanning the QR code with my smartphone I got this URL: http://2uqcr3jdmdpru7xyf56hza3k3nquqv3ddhw4ow5hwgkpuvcfuasq.b32.i2p/
It's an I2P URL! What's I2P?
'I2P is an anonymous overlay network - a network within a network. It is intended to protect communication from dragnet surveillance and monitoring by third parties such as ISPs.
I2P is used by many people who care about their privacy: activists, oppressed people, journalists and whistleblowers, as well as the average person.
No network can be "perfectly anonymous". The continued goal of I2P is to make attacks more and more difficult to mount. Its anonymity will get stronger as the size of the network increases and with ongoing academic review.
I2P is available on desktops, embedded systems (like the Raspberry Pi) and Android phones. Help spread the word!'
Downloading and installing I2P: https://geti2p.net/en/download
For Debian Jessie:
Create /etc/apt/sources.list.d/i2p.list
and add the following lines:
deb https://deb.i2p2.de/ jessie main
deb-src https://deb.i2p2.de/ jessie main
Then launch these commands:
$ apt-key add i2p-debian-repo.key.asc
$ apt-get update
$ apt-get install i2p i2p-keyring
Finally, launch I2P:
$ i2prouter start
After setting up a proxy in my browser to visit the site through I2P, I get this image: obf.jpg
The page source gives me more indications:
Nice! It's a challenge with nice prizes :]
Step 1 :
So what can I do with this image?
The foremost tool extracts a password-protected zip file from it.
The password is in the picture; trying to guess it was a fail!
With GIMP and the "Enhance -> Deinterlace" filter ("Amelioration -> Désentrelacer" in the French UI) I can see the password: @p3nYoUr3ye5!
First step done!
$ cat nice.txt
not so bad Dude!
The email to validate this step is: O1SIy-1bZHo-sdbEJ-mUkh1-eLc49@novidys.com
Step 2
Now I have a dump file: a PCAP of ICMP requests whose payloads carry data encoded in hexadecimal.
The Python script to recover the split data:
#!/usr/bin/env python
# Extract every ICMP payload from dump.pcap and concatenate them into one file.
# Each packet yielded by dpkt.pcap.Reader is a pair (ts, buf): "ts" is the
# timestamp recorded by the capture tool, "buf" is the raw frame bytes.
import dpkt

with open("dump.pcap", "rb") as pcap_file, open("output", "wb") as output:
    pcap = dpkt.pcap.Reader(pcap_file)
    for ts, buf in pcap:
        eth = dpkt.ethernet.Ethernet(buf)
        ip = eth.data
        # Skip non-IPv4 frames (e.g. ARP) and anything that is not ICMP
        if not isinstance(ip, dpkt.ip.IP) or ip.p != dpkt.ip.IP_PROTO_ICMP:
            continue
        icmp = ip.data
        try:
            # icmp.data is the Echo object; its own .data member is the payload
            if len(icmp.data.data) > 0:
                output.write(icmp.data.data)
        except AttributeError:
            print('Error extracting ICMP payload data from this packet.')
The output file is hexadecimal; decoding it gives base64, and decoding that gives a gz archive, which finishes step 2!
$ cat output | xxd -r -p | base64 -d > output_to_base64_to_gzip
$ tar -xvzf output_to_base64_to_gzip
my.img
step.txt
$ cat step.txt
we need you to go deeper
the email to validate this step is 5LH7w-rIOLh-fRjeG-vQKDj-osAKV@novidys.com
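The same carve-and-decode chain as an added, self-contained example (not part of the original writeup, and independent of dpkt): it builds a small pcap in memory from constructed sample data, including a UDP decoy frame and an empty ICMP reply that the carver must skip, concatenates the ICMP payloads, and then runs the hex -> base64 -> gzip chain that xxd/base64/tar perform above. SECRET and the addresses are constructed values.

```python
import base64
import gzip
import struct

SECRET = b"we need you to go deeper\n"          # constructed sample plaintext

def ipv4_frame(proto, l4):
    # Ethernet header (zero MACs, EtherType IPv4) + minimal IPv4 header, checksum left 0.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + l4
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(chunks):
    """Little-endian pcap (linktype 1) holding one ICMP echo request per chunk,
    plus a UDP decoy frame and an empty-payload ICMP reply the carver must skip."""
    frames = [ipv4_frame(17, struct.pack("!HHHH", 1234, 53, 12, 0) + b"junk")]
    for seq, chunk in enumerate(chunks):
        frames.append(ipv4_frame(1, struct.pack("!BBHHH", 8, 0, 0, 1, seq) + chunk))
    frames.append(ipv4_frame(1, struct.pack("!BBHHH", 0, 0, 0, 1, 99)))  # reply, no data
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def carve_icmp_payloads(pcap_bytes):
    """Concatenate the data field of every IPv4/ICMP packet, in capture order."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, out = 24, b""
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[pos + 8:pos + 12])[0]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                                   # not IPv4, or not ICMP
        ihl = (frame[14] & 0x0F) * 4
        out += frame[14 + ihl + 8:]                   # skip type/code/cksum/id/seq
    return out

def decode_chain(carved):
    """hex text -> raw bytes -> base64 -> gzip, as xxd -r -p | base64 -d | tar -xz."""
    return gzip.decompress(base64.b64decode(bytes.fromhex(carved.decode("ascii"))))

def demo(chunk_size=16):
    hex_text = base64.b64encode(gzip.compress(SECRET)).hex().encode("ascii")
    chunks = [hex_text[i:i + chunk_size] for i in range(0, len(hex_text), chunk_size)]
    return decode_chain(carve_icmp_payloads(build_pcap(chunks)))

if __name__ == "__main__":
    print(demo())
```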
Step 3 :
Next I have the file my.img:
$ file my.img
my.img: Linux rev 1.0 ext4 filesystem data, UUID=5308fb61-f662-4c0a-8caa-ba552c53cfab (needs journal recovery) (extents) (huge files)
I can mount it:
$ sudo mount my.img /mnt/forensic
I obtain 250 files with this Russian text inside, and the file names look like base64 strings.
$ cat 0ENeRnncw1xz9xXZnMsuWRnNaGR9SXmQ.txt
В рамках своей миссии по обеспечению информационной безопасности
Агентство национальной безопасности уже давно участвует в
исследовательском сообществе компьютерной безопасности в изучении
широкого спектра вопросов безопасности компьютеров, включая безопасность
операционной системы. Признавая критическую роль механизмов безопасности
операционной системы в обеспечении безопасности на более высоких уровнях,
исследователи из исследовательской группы NSA Trusted Systems Research,
ранее являвшейся Национальной исследовательской лабораторией по исследованию
информации, изучали архитектуру, которая может обеспечить необходимые
функции безопасности таким образом, который может удовлетворить Потребности
в безопасности широкого круга вычислительных сред.
In English, with Google Translate:
As part of its mission to ensure information security
The National Security Agency has long been involved in
Research community of computer security in the study
A wide range of computer security issues, including security
Operating system. Recognizing the critical role of security mechanisms
Operating system in providing security at higher levels,
Researchers from the research group NSA Trusted Systems Research,
Previously the National Research Laboratory for Research
Information, studied the architecture, which can provide the necessary
Security functions in a way that can satisfy the needs
A wide range of computing environments.
One file named secret.des3 contains base64:
$ cat forensic/secret.des3 | base64 -d > secret.des3.data
$ hexdump -C -n 16 secret.des3.data
00000000 53 61 6c 74 65 64 5f 5f d3 99 ee 14 5f 90 ca cf |Salted__...._...|
It's a DES3-encrypted file in OpenSSL's salted format, and we need a password to decrypt it: http://justsolve.archiveteam.org/wiki/OpenSSL_salted_format
Looking for the password: after time lost trying to find something in the name of each file, I went back to the basic strings command:
$ strings my.img | grep openssl
openssl des3 key H0t-p4T4toZz
Decrypting the DES3 file:
$ cat secret.des3 | base64 -d > secret.des3.data
$ openssl des3 -d -in secret.des3.data -out secret.txt
enter des-ede3-cbc decryption password:
$ file secret.txt
secret.txt: POSIX tar archive (GNU)
$ mv secret.txt secret.gz
$ tar -xvwf secret.gz
extract « getTheFlag.b64 »?
getTheFlag.b64
extract « doc.txt »?
doc.txt
$ cat doc.txt
Hi Dude, happy to see you again, the validation email for this step is vCgPM-3t6J4-5ubAE-wk5Lh-6VnGs@novidys.com
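What openssl does between the "Salted__" header above and the DES-EDE3-CBC decrypt, as an added example that is not part of the original writeup: it parses the header to get the 8-byte salt and derives the 24-byte key and 8-byte IV with OpenSSL's legacy EVP_BytesToKey. It assumes the MD5, one-iteration KDF that the 1.0.x openssl of that time used by default (OpenSSL 1.1.0 switched the default digest to SHA-256); the salt is the one shown in the hexdump, the ciphertext is not on the page, and the decrypt itself is left to a DES3 implementation.

```python
import hashlib

SALTED_MAGIC = b"Salted__"
# Header taken from the hexdump in the writeup (magic + salt); ciphertext omitted.
SAMPLE_HEADER = bytes.fromhex("53616c7465645f5fd399ee145f90cacf")

def parse_salted_header(blob):
    """Return (salt, ciphertext) for an OpenSSL 'Salted__' file, or raise."""
    if len(blob) < 16 or blob[:8] != SALTED_MAGIC:
        raise ValueError("not an OpenSSL salted file")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password, salt, key_len=24, iv_len=8, digest="md5"):
    """Legacy OpenSSL EVP_BytesToKey with count=1:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes exist. des3 (des-ede3-cbc)
    needs a 24-byte key and an 8-byte IV, i.e. two MD5 blocks."""
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]

def key_iv_for(blob, password):
    """Parse the header and derive the DES-EDE3-CBC key and IV for 'password'."""
    salt, _ = parse_salted_header(blob)
    return evp_bytes_to_key(password, salt)

if __name__ == "__main__":
    key, iv = key_iv_for(SAMPLE_HEADER, b"H0t-p4T4toZz")
    print("key:", key.hex(), "iv:", iv.hex())
```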
Step 4, the final step:
I'm not a reverser, so I asked a friend for help; thanks to him!
- Bypass the ptrace call at 0x400675
- Watch the flow with Hopper
- Use angr
Import the angr library:
$ python
Python 2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import angr
WARNING | 2017-06-12 23:15:21,769 | claripy | Claripy is setting the recursion limit to 15000. If Python segfaults, I am sorry.
Create the angr project, disabling the automatic loading of libraries:
>>> proj = angr.Project('./getTheFlag.bin',load_options={"auto_load_libs": False})
A symbolic buffer of 16 bytes for the first argument:
>>> argv1 = angr.claripy.BVS("argv1",16*8)
>>> initial_state = proj.factory.path(args=["./getTheFlag.bin",argv1])
>>> pg = proj.factory.path_group(initial_state)
We want to reach the address 0x0400954:
>>> pgs=pg.explore(find=0x0400954)
WARNING | 2017-06-12 23:16:32,099 | simuvex.plugins.symbolic_memory | Concretizing symbolic length. Much sad; think about implementing.
>>> pgs
<PathGroup with 15 deadended, 1 errored>
>>> solution = pg.errored[0].state.se.any_str(argv1)
>>> print repr(solution)
'N0v1Dy5X0rK3y\x00\x00\x00'
Nice, I try it as the key:
$ ./getTheFlag.bin N0v1Dy5X0rK3y
You did It Dude ;). It is the last step, the mail is fPlxy-gts4c-txMw9-OWnmP-WK3MX@novidys.com
Done!!! I got the last email address!
A few days later I received an email telling me that I was the first to have solved the challenge.
So I won the Pineapple (a voucher, for simplicity's sake); thanks again Novidys for the challenge!
\o/
Fap'ment,
++