John Pierce

CISSP, SLAE, Security+

PANW CTF Labyrenth Unix Track Challenge 4

I got a jpg.  I'm guessing it's probably stego.  I didn't find anything with any of the passwords I tried: song titles, song lyrics, and such.

The file ends with a base64 encoded, reversed string.  That string is made up of 4 base64 strings, each of which starts with a tag like <coppertunnel> and ends with the matching </coppertunnel>: there's a copper, a gold, a silver and a crystal tunnel.

So it turns out the base64 is applied four rounds deep, and decoding each line 4 times produces a zip file.
I unzipped them all and got:

ls -l treasure.*
-rw-r--r-- 1 john john  18764 Apr  2 15:07 treasure.par2
-rw-r--r-- 1 john john 190108 Apr  2 15:07 treasure.vol000+306.par2
-rw-r--r-- 1 john john 190108 Apr  2 15:07 treasure.vol306+306.par2
-rw-r--r-- 1 john john 190108 Apr  2 15:07 treasure.vol612+306.par2

I took the original jpeg and removed all the crap. 
The clue from level 3 says "sometimes treasure is found in the oddest of places".  
The clue from the first of the file says: '+A song seems to echo out from the cave...'

Jareth was played by David Bowie in Labyrinth, and the song Magic Dance is the most famous one.  After trying everything I could think of to unzip the file, in desperation I guessed openup and it worked, in a way.

unzip -v chest.zip
Archive:  chest.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
   18084  Defl:N     3468  81% 2016-04-02 13:56 c0d881fe  jareths_maze
--------          -------  ---                            -------
   18084             3468  81%                            1 file

It fails due to bad zip data.  There's a 1 in 256 chance that a wrong key will pass the quick test (decrypting the first 12 bytes) but fail on the remainder.

I searched at tineye.com and found three instances of the original jpg.  It was done by Ilya Nazarov and is at http://conceptartworld.com/?p=14191.  The other instances were not useful (one was on Dropbox, the other was a preview).  He's got a website, and it says this picture is concept art for

The Lord of The Rings: War In The North

Seems like we've got a lot more data than needed to recover a 3670-byte file:

ls -l treasure*par2
-rw-r--r-- 1 john john  18764 Aug  8 10:21 treasure.par2
-rw-r--r-- 1 john john 190108 Aug  8 10:21 treasure.vol000+306.par2
-rw-r--r-- 1 john john 190108 Aug  8 10:21 treasure.vol306+306.par2
-rw-r--r-- 1 john john 190108 Aug  8 10:21 treasure.vol612+306.par2

There aren't any files listed in the non-recovery set.  The only file referenced is chest.zip, and it's always stated to be 3670 bytes long.  The MD5 hash is consistent throughout the Main and file descriptor packets.

I took a look at the treasure.par2 file and it is structured logically and correctly per the specification.  The vol000-305 file, however, seems a bit odd (I haven't yet checked the others).  It's got several copies of the IFSC packet, each followed by 0x4808 bytes of MD5/CRC pairs which match the long list in the main par2 file.  Overall there are 28 copies of this list.  There are also 28 copies each of the Main and FileDesc packets: 9 each in the vol.par2 files, 1 each in the .par2 file.  They appear to match, though the RecvSlic packets between them appear to be similar.  Is that the labyrinth?

In total, there are 306 RecvSlic packets in the vol000-305.par2 file.  The RecvSlic packets are numbered with trailing bytes that range from 00 00 to FF 00, then 00 01 to FF 01.  Per the current spec it looks like this might not be correct.  I'll download the original par2cmdline 0.4 and try running that.  No joy.  Further research into the par2 file specification says there's no room for additional bytes in the par files.  Seems that's so.  The spec says it's fine to have many copies of a bit of data, e.g. IFSC packets.  Back to just thinking about things.
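An added Python packet walker (not the author's code or par2cmdline) for the kind of inspection described above: it follows the PAR2 packet layout (magic, length, packet MD5, recovery set id, type, body), verifies each packet's MD5, counts packets per type and reads each RecvSlic exponent as the 4-byte little-endian integer the spec defines, so trailing bytes 00 01 read as 256. It runs over a constructed miniature volume file, not the challenge's.

```python
import hashlib
import struct
from collections import Counter

MAGIC = b"PAR2\0PKT"
HDR = struct.Struct("<8sQ16s16s16s")   # magic, length, packet MD5, set id, type
T_MAIN, T_FDESC = b"PAR 2.0\0Main\0\0\0\0", b"PAR 2.0\0FileDesc"
T_IFSC, T_RECV = b"PAR 2.0\0IFSC\0\0\0\0", b"PAR 2.0\0RecvSlic"

def walk_packets(data):
    """Yield (offset, type, body, hash_ok) per packet; the MD5 covers set id, type and body."""
    off = 0
    while off + HDR.size <= len(data):
        if data[off:off + 8] != MAGIC:
            off += 4                      # packets are 4-byte aligned: resync over junk
            continue
        _, length, phash, _setid, ptype = HDR.unpack_from(data, off)
        if length < HDR.size or length % 4 or off + length > len(data):
            break
        pkt = data[off:off + length]
        yield off, ptype, pkt[HDR.size:], hashlib.md5(pkt[32:]).digest() == phash
        off += length

def summarize(data):
    """Per-type counts, RecvSlic exponents (hash-valid packets only), offsets of bad packets.
    The exponent is the little-endian uint32 at the start of the body: bytes 00 01 00 00 = 256."""
    counts, exponents, bad = Counter(), [], []
    for off, ptype, body, ok in walk_packets(data):
        counts[ptype[8:].rstrip(b"\0").decode()] += 1
        if not ok:
            bad.append(off)
        elif ptype == T_RECV:
            exponents.append(struct.unpack_from("<I", body)[0])
    return counts, exponents, bad

def packet(setid, ptype, body):
    body += b"\0" * (-len(body) % 4)      # bodies are padded to a multiple of 4
    tail = setid + ptype + body
    return MAGIC + struct.pack("<Q", 64 + len(body)) + hashlib.md5(tail).digest() + tail

def build_sample():
    """Constructed volume: Main, FileDesc, two IFSC copies, RecvSlic 0..2 (exponent 1 corrupted)."""
    setid, fileid = hashlib.md5(b"constructed").digest(), hashlib.md5(b"chest.zip").digest()
    main = packet(setid, T_MAIN, struct.pack("<QI", 12, 1) + fileid)   # slice size 12, 1 file
    fdesc = packet(setid, T_FDESC, fileid + b"\xAA" * 32 + struct.pack("<Q", 3670) + b"chest.zip")
    ifsc = packet(setid, T_IFSC, fileid + b"\xCC" * 20 * 306)          # 306 MD5/CRC pairs
    recv = [packet(setid, T_RECV, struct.pack("<I", e) + bytes([e]) * 12) for e in range(3)]
    bad = bytearray(recv[1])
    bad[-1] ^= 0xFF                       # one flipped byte: the packet MD5 no longer verifies
    return b"".join([main, fdesc, ifsc, recv[0], ifsc, bytes(bad), recv[2]])
```

Duplicate Main, FileDesc and IFSC packets with matching hashes are harmless, as the spec allows; a RecvSlic whose hash does not verify is the thing worth flagging, since a repair client will discard it.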

Going back to stego on the picture, I put a bunch of song names into a file (names from Labyrinth, in different styles, e.g. leet speak) and ran this:

for i in $(cat playlist.txt);do steghide extract -p $i -sf labyrinth_entrance.jpg ;sed -n q </dev/tty;done

That let me run through the list of songs line by line (actually word by word, since the shell splits on whitespace), testing for one that works.

Okay, it turns out that a blank password works to extract bards_song from the jpeg (damn/great!).

Here's the text:

cat bards_song
Over the hills and through the grass
By dawn of light in the mountain pass
The goblins treasure awaits the steadfast
Walking in REVerse, the eye opens as you go past
A smell leads you onward, luring you to follow
At the end of each tunnel, a PARt of treasure in the hollow
Combine them to find a door hidden by rhyme
Opened once with the words "aintnobodygottime"

aintnobodygottime is the password to chest.zip

Unzipping chest.zip extracts jareths_maze which is another Mach-O executable.  

file jareths_maze
jareths_maze: Mach-O 64-bit x86_64 executable

strings jareths_maze

                           ,,'``````K```````',,
                        ,'`         E         `',
                      ,'            E            ',
                    ,'          ;   P   ;          ',
       (           ;             ;  Y  ;             ;     (
        )         ;              ;  O  ;              ;     )
       (         ;                ; U ;                ;   (
        )    ;   ;    ,,'```',,,   ;R;   ,,,'```',,    ;   ;
       (    ; ',;   '`          `', E ,'`          `'   ;,' ;
        )  ; ;`,`',  _--~~~~--__   'Y'   __--~~~~--_  ,'`,'; ;     )       
       (    ; `,' ; :  /       \~~-_E_-~~/       \  : ; ',' ;     (        
  )     )   )',  ;   -_\  o    /  ' S '  \    o  /_-   ;  ,'       )   (   
 (     (   (   `;      ~-____--~'   O   '~--____-~      ;'  )     (     )  
  )     )   )   ;            ,`;,,, P ,,,;',            ;  (       )   (   
 (     (   (  .  ;        ,'`  (__ 'E' __)  `',        ;  . )     (     )  
  )     \/ ,".). ';    ,'`       ~~ N ~~        `',    ;  .(.", \/  )   (   
 (   , ,'|// / (/ ,;  '        _--~~-~~--_        '  ;, \)    \|', ,    )  
 ,)  , \/ \|  \,/  ;;       ,; |_| | |_| ;,       ;;  \,//  |/ \/ ,   ,   
",   .| \_ |\/ |#\_/;       ;_| : `~'~' : |_;       ;\_/#| \/| _/ |.   ,"  
#(,'  )  \\#\ \##/)#;     :  `\/       \/   :     ;#(\##/ /#///  (  ',)# ,
| ) | \ |/ /#/ |#( \; ;     :               ;     ; ;/ )#| \#\ \| / | ( |)
\ |.\ |\_/#| /#),,`   ;     ;./\_     _/\.;     ;   `,,(#\ |#\_/| //.| / ,
 \_/# |#\##/,,'`       ;     ~~--|~|~|--~~     ;       `',,\##/#| #\_// \/
  ##/#  #,,'`            ;        ~~~~~        ;            `',,#  #\##  //
####@,,'`                 `',               ,'`                 `',,@####|
#,,'`                        `',         ,'`                        `',,###
'                               ~~-----~~                               `'

The above omits a bunch of valueless output.  The ASCII art is important, though, as when the program is run it shows:

                           ,,'``````Y```````',,
                        ,'`         O         `',
                      ,'            U            ',
                    ,'          ;   S   ;          ',
       (           ;             ;  H  ;             ;     (
        )         ;              ;  A  ;              ;     )
       (         ;                ; L ;                ;   (
        )    ;   ;    ,,'```',,,   ;L;   ,,,'```',,    ;   ;
       (    ; ',;   '`          `', N ,'`          `'   ;,' ;
        )  ; ;`,`',  _--~~~~--__   'O'   __--~~~~--_  ,'`,'; ;     )       
       (    ; `,' ; :  /       \~~-_T_-~~/       \  : ; ',' ;     (        
  )     )   )',  ;   -_\  o    /  ' P '  \    o  /_-   ;  ,'       )   (   
 (     (   (   `;      ~-____--~'   A   '~--____-~      ;'  )     (     )  
  )     )   )   ;            ,`;,,, S ,,,;',            ;  (       )   (   
 (     (   (  .  ;        ,'`  (__ 'S' __)  `',        ;  . )     (     )  
  )     \/ ,".). ';    ,'`       ~~ ! ~~        `',    ;  .(.", \/  )   (   
 (   , ,'|// / (/ ,;  '        _--~~-~~--_        '  ;, \)    \|', ,    )  
 ,)  , \/ \|  \,/  ;;       ,; |_| | |_| ;,       ;;  \,//  |/ \/ ,   ,   
",   .| \_ |\/ |#\_/;       ;_| : `~'~' : |_;       ;\_/#| \/| _/ |.   ,"  
#(,'  )  \\#\ \##/)#;     :  `\/       \/   :     ;#(\##/ /#///  (  ',)# ,
| ) | \ |/ /#/ |#( \; ;     :               ;     ; ;/ )#| \#\ \| / | ( |)
\ |.\ |\_/#| /#),,`   ;     ;./\_     _/\.;     ;   `,,(#\ |#\_/| //.| / ,
 \_/# |#\##/,,'`       ;     ~~--|~|~|--~~     ;       `',,\##/#| #\_// \/
  ##/#  #,,'`            ;        ~~~~~        ;            `',,#  #\##  //
####@,,'`                 `',               ,'`                 `',,@####|
#,,'`                        `',         ,'`                        `',,###
'                               ~~-----~~                               `'

I had to run the program in my debugger, watching the character replacements as they went.  First, they were replaced with the correct characters for the password, then another round (and in one case 2 rounds) replaced them with the final values displayed above.  Everything was done out of order to make it more difficult, but eventually I assembled the flag:

PAN{D4nKkry5t4l}
