John Pierce

. SLAE, Security+

PANW CTF Labyrenth Unix Track Challenge 6

Screencap of test run and submission.

Challenge 6 is a GoLang challenge.  Have to enter 4 keys

Here are some potentially interesting functions:

main.check_key1
main.verify_key2
main.check_key2
main.verify_key3
main.check_key3
main.verify_key4
main.check_key4

Put a break at strconv.init 0x6f9f (right after strings.init) and looked at $rdi (2568>?Qufqr at address 1D9BE3)

The string was the port number I connected through.  It has been output by the time I hit the ret instruction at 0x8b367.

Don't need any breaks before 28a3 which is just after writeline(" Entered Key 1: abcde")

At 28b0 the first test of the key is made.  Length must be 3.  Analyzing the code, it looks at char 2, char 1, char 3.  Key should be 3at and that works!

The second key is verified in main.verify_key2 instead of main.check_key2 (1st was in main.check_key1) starting at address 0x2fa0 (break there for analysis).

So, analyzing the code, there are two rounds (and more, two worked to extract the key) that require:
round 1: the first letter plus each succeeding letter ord values must add up to a check value
round 2: the second letter plus each succeeding letter ord values must add up to a check value

I extracted the check values into a couple of arrays and brute forced the answer:

a1=[0xcb,0xac,0xd1,0xc6,0xcb,0x94,0xcf,0xcf,0xa3,0xdd]
a2=[0xb1,0xd6,0xcb,0xd0,0x99,0xd4,0xd4,0xa8,0xe2]

for i in range(0x61,0x7e):
    b1 = [i]
    b2 = [i]
    b3 = [i]
    for j in range(0,len(a1)):
        b1.append(a1[j]-i)
    s1 = ""
    for j in b1:
        s1 += chr(j)    
    b2.append(b1[1])
    for j in range(0,len(a2)):
        b2.append(a2[j]-b2[1])
    s2 = ""
    for j in b2:
        s2 += chr(j)
    if s1 == s2:
        print 'SUCCESS: s1 = ',s1,' and s2 = ',s2

Downloads/panw_hacking/GoLang/brute.py
SUCCESS: s1 =  chInch1ll@z  and s2 =  chInch1ll@z

So,
key1 = 3at
key2 = chInch1ll@z

Key 3 is 4 characters long (0x58ac).  It needs to be integer value (atoi is called), and we're using leet speak so I'll try 1337 first.

2nd character must be a 1 for the imul test at 0x5955
4th - 1st ascii values = 0x20 for the sub test at 0x5938
4th - 3rd ascii values = 0x01 for the sub test at 0x598c
rbp - 3rd ascii value = 0x383d3cdd at 0x59b1 yields

key3 = H1gh

Work on key 4:

len(key4) = 5 (0x643c)
key4[1]-key4[3] are integers and equal 183
key4[0] = 'F' and key4[4] = 'r'

key4 = F183r

 

Computer general

Most Recent Articles

Format string exploit example, 64bitprimer CTF from vulnhub.com, level 4
Categories: Computer general, Computer general
First bit::

This is a writeup of the format string vulnerability in level 4 of the 64bitprimer VM from vulnhu

Setting up a Yubikey 4 in Debian Jessie
Categories: Computer general, Computer general
First bit::

Installation of the software to make a yubikey 4 work in FIDO U2F mode on Debian Jessie i386

Takeaways from PANW CTF 2016 Labyrenth
Categories: Reversing, Computer general
First bit::

Lesson(s) learned

PANW CTF Labyrenth Unix Track Challenge 7
Categories: Reversing, Computer general
First bit::

This one stumped me. Overall, it was a great competition for me as I got to learn a whole lot of new things. I had never worked on a Mac, other than as a user, had never used Hopper, lldb or any of the other tools for reversing on a Mac, and haven't got any experience in the Objective C/Swift framework.

PANW CTF Labyrenth Unix Track Challenge 6
Categories: Reversing, Computer general
First bit::

4 rounds, lots of debugging