John Pierce, CISSP, SLAE, Security+

PANW CTF Labyrenth Unix Track Challenge 6

Screencap of test run and submission.

Challenge 6 is a Go (GoLang) binary. You have to enter 4 keys.

Here are some potentially interesting functions:

main.check_key1
main.verify_key2
main.check_key2
main.verify_key3
main.check_key3
main.verify_key4
main.check_key4

I put a break at strconv.init (0x6f9f, right after strings.init) and looked at $rdi: "2568>?Qufqr" at address 0x1d9be3.

The string was the port number I connected through. It has already been output by the time I hit the ret instruction at 0x8b367.

No breaks are needed before 0x28a3, which is just after writeline(" Entered Key 1: abcde").

At 0x28b0 the first test of the key is made. The length must be 3. Analyzing the code, it checks char 2, then char 1, then char 3. The key should be 3at, and that works!

The second key is verified in main.verify_key2 rather than main.check_key2 (the first was in main.check_key1), starting at address 0x2fa0 (break there for analysis).

Analyzing the code, there are several rounds (two were enough to extract the key), each comparing pairs of characters against a table of check values:
round 1: the first letter's ord value plus each succeeding letter's ord value must equal the corresponding check value
round 2: the second letter's ord value plus each succeeding letter's ord value must equal the corresponding check value

I extracted the check values into a couple of arrays and brute forced the answer:

# Check-value tables pulled from main.verify_key2: a1 for round 1, a2 for round 2.
a1 = [0xcb, 0xac, 0xd1, 0xc6, 0xcb, 0x94, 0xcf, 0xcf, 0xa3, 0xdd]
a2 = [0xb1, 0xd6, 0xcb, 0xd0, 0x99, 0xd4, 0xd4, 0xa8, 0xe2]

# Guess the first character; round 1 then fixes every other character.
for i in range(0x61, 0x7e):
    b1 = [i]
    for j in range(len(a1)):
        b1.append(a1[j] - i)
    s1 = "".join(chr(c) for c in b1)
    # Rebuild the key from round 2, using the second character derived above.
    b2 = [i, b1[1]]
    for j in range(len(a2)):
        b2.append(a2[j] - b2[1])
    s2 = "".join(chr(c) for c in b2)
    # Only the right first character makes both reconstructions agree.
    if s1 == s2:
        print('SUCCESS: s1 = ', s1, ' and s2 = ', s2)

Downloads/panw_hacking/GoLang/brute.py
SUCCESS: s1 =  chInch1ll@z  and s2 =  chInch1ll@z

So,
key1 = 3at
key2 = chInch1ll@z
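The verifier behind that brute force, as an added example that is not code from the original post or from the challenge binary: the pairwise-sum check is modelled as a Python function over the two tables extracted above, and the recovery loop shows that round 1 pins every byte once the first one is guessed, so round 2 only serves to reject wrong first bytes. The function names (verify_key2_model, recover_key2, check_tables_for) are assumed names for this model, not symbols from the binary.

```python
# Added example: model of the key-2 check described in the writeup.
# Round r compares ord(key[r]) + ord(key[j]) for every j > r against a table.
# The two tables are the ones extracted from main.verify_key2 in the writeup;
# the function names below are assumed and do not exist in the binary.

ROUND1 = [0xcb, 0xac, 0xd1, 0xc6, 0xcb, 0x94, 0xcf, 0xcf, 0xa3, 0xdd]
ROUND2 = [0xb1, 0xd6, 0xcb, 0xd0, 0x99, 0xd4, 0xd4, 0xa8, 0xe2]
TABLES = [ROUND1, ROUND2]


def verify_key2_model(key, tables=TABLES):
    """Round r requires ord(key[r]) + ord(key[j]) == tables[r][j - r - 1]
    for every j > r. Returns True only if every modelled round passes."""
    if len(key) != len(tables[0]) + 1:
        return False
    for r, table in enumerate(tables):
        for j, expected in enumerate(table, start=r + 1):
            if ord(key[r]) + ord(key[j]) != expected:
                return False
    return True


def recover_key2(tables=TABLES, alphabet=range(0x20, 0x7f)):
    """Round 1 fixes every byte once key[0] is chosen, so the search space is a
    single byte. Later rounds act as consistency checks: a wrong first byte
    shifts every round-1 byte by the same amount and breaks the round-2 sums."""
    hits = []
    for first in alphabet:
        cand = [first] + [v - first for v in tables[0]]
        if all(0x20 <= c < 0x7f for c in cand):
            key = "".join(chr(c) for c in cand)
            if verify_key2_model(key, tables):
                hits.append(key)
    return hits


def check_tables_for(key, rounds=2):
    """Inverse direction: the tables the binary would have to hold for `key`.
    Useful to confirm that the extracted tables were read correctly."""
    return [[ord(key[r]) + ord(key[j]) for j in range(r + 1, len(key))]
            for r in range(rounds)]


if __name__ == "__main__":
    print(recover_key2())
    print(check_tables_for("chInch1ll@z") == TABLES)
```

Running check_tables_for on the recovered key and comparing against the extracted tables is a cheap way to confirm the tables were transcribed correctly before trusting the brute force.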

Key 3 is 4 characters long (length check at 0x58ac). It needs to be an integer value (atoi is called), and since we're using leet speak I'll try 1337 first.

The 2nd character must be a '1' for the imul test at 0x5955.
4th - 1st ASCII values = 0x20 for the sub test at 0x5938.
4th - 3rd ASCII values = 0x01 for the sub test at 0x598c.
rbp - 3rd ASCII value = 0x383d3cdd at 0x59b1, which yields

key3 = H1gh

Work on key 4:

len(key4) = 5 (length check at 0x643c)
key4[1] through key4[3] are digits that form the integer 183
key4[0] = 'F' and key4[4] = 'r'

key4 = F183r
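The key 3 and key 4 tests, as an added example that is not the author's or the challenge's code: the checks the writeup spells out are written as predicates and used to enumerate candidates. The three key-3 tests listed above (without the final comparison against 0x383d3cdd, which is not modelled here) leave 62 printable candidates, so it is that last test which picks out H1gh; the key-4 constraints pin F183r on their own. The function names are assumed.

```python
# Added example: the key-3 and key-4 constraints from the writeup as predicates.
# Function names are assumed; the final key-3 test (0x383d3cdd) is not modelled.
import string

# Printable ASCII without whitespace: 0x21..0x7e, 94 characters.
PRINTABLE = [c for c in string.printable if c not in string.whitespace]


def key3_partial_check(k):
    """The three key-3 tests the writeup spells out: length 4, k[1] == '1',
    ord(k[3]) - ord(k[0]) == 0x20 and ord(k[3]) - ord(k[2]) == 1."""
    return (len(k) == 4 and k[1] == '1'
            and ord(k[3]) - ord(k[0]) == 0x20
            and ord(k[3]) - ord(k[2]) == 1)


def key3_candidates():
    """Every printable key passing the partial check. Choosing k[3] fixes
    k[0] and k[2], so one loop over the last character enumerates them all."""
    out = []
    for last in PRINTABLE:
        k = chr(ord(last) - 0x20) + '1' + chr(ord(last) - 1) + last
        if all(c in PRINTABLE for c in k) and key3_partial_check(k):
            out.append(k)
    return out


def key4_check(k):
    """Key 4: length 5, 'F' first, 'r' last, and the middle three characters
    are digits whose integer value is 183 (the binary converts them with atoi)."""
    return (len(k) == 5 and k[0] == 'F' and k[4] == 'r'
            and k[1:4].isdigit() and int(k[1:4]) == 183)


def key4_candidates():
    """All three-digit middles that satisfy the key-4 check."""
    return [f"F{n:03d}r" for n in range(1000) if key4_check(f"F{n:03d}r")]


if __name__ == "__main__":
    cands = key3_candidates()
    print(len(cands), "key-3 candidates from the partial check; H1gh included:",
          "H1gh" in cands)
    print("key-4 candidates:", key4_candidates())
```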
