John Pierce

. SLAE, Security+

PANW CTF Labyrenth Unix Track Challenge 5

This challenge actually encrypts all of your .png files in the Downloads directory and destroys the original.  Luckily, I had done some static analysis before running, checked to make sure my directory was clean, then just touched a couple of new files into the directory for testing.

Uploaded the file to virustotal and no problems.  They ran it and got:

Congratulations! All your png are belong to us! labyrinth

Mach-O executable, objective C
Some interesting bits:
krypto.danger[0x10028167d] <+925>:  leaq   0x215b2(%rip), %rdi       ; "dekrypt"

I found the string “laby” near png, echoed 'a' to laby.png.  It was named laby.png.laby after running the program and the contents were changed to:

xxd ../laby.png.laby
0000000: 0301 5219 aa53 bae6 e7eb ea66 13e6 49cf  ..R..S.....f..I.
0000010: 79ff 4041 b717 dc62 9e43 e34f abcf 98fc  y.@A...b.C.O....
0000020: 4284 abcb 8171 e98a dbf8 18d2 7b10 52bc  B....q......{.R.
0000030: 12f3 3121 e342 fc99 6b3e abab 668b 5aac  ..1!.B..k>..f.Z.
0000040: 4301 a322 8cca 0d78 ea11 a925 a8e2 bf0e  C.."...x...%....
0000050: 99eb 

Subsequent tests showed known cleartext would not be a good way to go.  Looks like it's using time to seed the encryption.  Working through the code, I found this:


This is not the password and entering it into a file ?.png doesn't do anything good,
doesn't work as a command line argument either.

I also found a reference to RNCryptor.swift - randomly generated number to encrypt?  I searched and found source code to this and reviewed.  Encryption is using AES, so no point working through the methodology.

Set a breakpoint at 0x1002859e0, as it's called with a password per the source code.

Password should be in $rdi under the calling convention used.

00000001002859e0         push       rbp                                         ; XREF=__TZFC6krypto9RNCryptor11encryptDatafTCSo6NSData8passwordSS_S1_+78, __TTWCC6krypto9RNCryptor9EncryptorS_13RNCryptorTypeS_FS2_CfT8passwordSS_x+31
00000001002859e1         mov        rbp, rsp
00000001002859e4         sub        rsp, 0x20
00000001002859e8         mov        qword [ss:rbp+var_8], rdx
00000001002859ec         mov        qword [ss:rbp+var_10], rsi
00000001002859f0         mov        qword [ss:rbp+var_18], rdi
00000001002859f4         mov        qword [ss:rbp+var_20], rcx
00000001002859f8         call       __TMaCC6krypto9RNCryptor9Encryptor
00000001002859fd         xor        r8d, r8d
0000000100285a00         mov        edx, r8d
0000000100285a03         mov        rsi, qword [ds:0x1002dedc0]                 ; @selector(allocWithZone:), argument "selector" for method imp___stubs__objc_msgSend
0000000100285a0a         mov        rdi, rax                                    ; argument "instance" for method imp___stubs__objc_msgSend
0000000100285a0d         call       imp___stubs__objc_msgSend
0000000100285a12         mov        rdi, qword [ss:rbp+var_18]                  ; argument #1 for method __TFCC6krypto9RNCryptor9EncryptorcfT8passwordSS_S1_
0000000100285a16         mov        rsi, qword [ss:rbp+var_10]                  ; argument #2 for method __TFCC6krypto9RNCryptor9EncryptorcfT8passwordSS_S1_
0000000100285a1a         mov        rdx, qword [ss:rbp+var_8]                   ; argument #3 for method __TFCC6krypto9RNCryptor9EncryptorcfT8passwordSS_S1_
0000000100285a1e         mov        rcx, rax                                    ; argument #4 for method __TFCC6krypto9RNCryptor9EncryptorcfT8passwordSS_S1_
0000000100285a21         call       __TFCC6krypto9RNCryptor9EncryptorcfT8passwordSS_S1_
0000000100285a26         add        rsp, 0x20
0000000100285a2a         pop        rbp
0000000100285a2b         ret        
                        ; endp

So, that worked!  The password is PAN{Gr0und_C0ntr01_2_M@j0r_T0m!}

Most Recent Articles

First bit::

This is a writeup of the format string vulnerability in level 4 of the 64bitprimer VM from vulnhu

First bit::

Installation of the software to make a yubikey 4 work in FIDO U2F mode on Debian Jessie i386

First bit::

Lesson(s) learned

First bit::

This one stumped me. Overall, it was a great competition for me as I got to learn a whole lot of new things. I had never worked on a Mac, other than as a user, had never used Hopper, lldb or any of the other tools for reversing on a Mac, and haven't got any experience in the Objective C/Swift framework.

First bit::

4 rounds, lots of debugging


Categories: Network security, Videos
First bit::

Explains the workings of a DMZ, walks through setting up and testing of a DMZ in a virtual machine lab environment

Categories: Network security, Videos
First bit::

In this video I go through the process of setting up an SSH tunnel to hide an IP and also setting

Categories: Exploits, Videos
First bit::

Useful for someone who is interested in what a buffer overflow is. Does not go into the details of development, just explains generally and demonstrates the use of one.

Categories: Exploits, Videos
First bit::

a demonstration of a vulnerability discovered and published by Muts in 2004, exploited on a Windows XP SP3 machine using Python, Immunity Debugger, and Metasploit.

Categories: Network security, Videos
First bit::

In this video I demo some simple iptables rules and show them how to perform network traffic analysis to test them out.