Wargames.MY 2015 - Challenge 7 (jengkrengkrongkreng) Write-Up
This article is about Wargames.MY 2015 - Challenge 7.
Initial Hint: blackhole exploit main password
The challenge gives us a password-protected 7z archive, so the initial hint has to be used to work out the archive password. As a malware analyst at MyCERT, I know that every malicious sample (Blackhole exploit kit material included) gets zipped up with 'infected' as the archive password, and that is the password here.
List of files in archive:
There's nothing inside logo.jpg except a Miranda Kerr picture (NSFW).
There's not much to see if you open index.html in a web browser; it just shows you the 'youporn.com' site.
But 265KB is far too much for an index.html that does so little, so let's look inside it.
Nothing much, but the interesting part is the base64 data.
Here's the full base64 string.
Here's the decoded base64 string.
That is just the jQuery library, but at the bottom of the code there is something interesting:
document.write("<script type='text/javascript' src= '---.. ..--- ---.. --... ----- --... .- ----. ---.. ...-- ...-- --... . -... -.... -... -.. ----. ..... --... -.. ----- . -.. ...-- ..-. --... ....- ----- ---.. ..--- ...-- ..-. -.. ..--- ..-. ..--- -.... --... . ....- ....- -... ----. -.. .---- ..-. ----- ....- ..--- ..-. .---- --... .- ----- ..... ---.. --... .---- ---.. ...-- ...--'></script>")
After decoding the Morse code, here is the result:
828707A98337EB6BD957D0ED3F740823FD2F267E44B9D1F042F17A05871833
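As an added example (not part of the original write-up or the challenge files), here is a small Morse decoder in JavaScript that pulls the src attribute out of the injected script tag and decodes it to the hex string above. The injected line is a constructed copy of the one shown on this page; the handling of '/' or a triple space as a word separator is an assumption beyond what this particular string needs.

```javascript
// Added example: decode the Morse-coded script src that index.html injects
// via document.write(). Not the challenge's own code.

// Constructed copy of the injected line as it appears in the write-up.
const INJECTED_LINE = `document.write("<script type='text/javascript' src= '---.. ..--- ---.. --... ----- --... .- ----. ---.. ...-- ...-- --... . -... -.... -... -.. ----. ..... --... -.. ----- . -.. ...-- ..-. --... ....- ----- ---.. ..--- ...-- ..-. -.. ..--- ..-. ..--- -.... --... . ....- ....- -... ----. -.. .---- ..-. ----- ....- ..--- ..-. .---- --... .- ----- ..... ---.. --... .---- ---.. ...-- ...--'></script>")`;

// International Morse code, letters and digits only (enough for hex output).
const MORSE = {
  '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F',
  '--.': 'G', '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L',
  '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R',
  '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X',
  '-.--': 'Y', '--..': 'Z',
  '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
  '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
};

// Decode a Morse string. Letters are separated by one space; words by
// ' / ' or by three or more spaces (assumption: common tool conventions).
function decodeMorse(text) {
  return text.trim().split(/\s*\/\s*|\s{3,}/).map(word =>
    word.split(/\s+/).map(sym => {
      if (!(sym in MORSE)) throw new Error(`unknown Morse symbol: ${sym}`);
      return MORSE[sym];
    }).join('')
  ).join(' ');
}

// Pull the src attribute out of the injected <script> tag. The page's tag
// has a space after 'src=', so the regex tolerates optional whitespace.
function extractScriptSrc(html) {
  const m = html.match(/src=\s*'([^']*)'/);
  if (!m) throw new Error('no single-quoted src attribute found');
  return m[1];
}

// The value the write-up reports after decoding.
function decodedSrc() {
  return decodeMorse(extractScriptSrc(INJECTED_LINE));
}

console.log(decodedSrc());
```

Running the block prints the same 62-character hex string the write-up obtained, so the Morse step can be checked without trusting an online decoder.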
Look back at index.html and you will notice this portion of code (the extracted copy below is cleaned up; the body of decrypt is garbled in the extract and only fragments of it survive):
<!-- Kunci ada kat sini lah bro..   (Malay: "The key is right here, bro..")
function encrypt(s,pw) {
  var a=0; var myString='';
  var textLen=s.length; var pwLen=pw.length;
  for (i=0;i<textLen;i++) {
    a=parseInt(s.charCodeAt(i));
    a=a^(pw.charCodeAt(i%pwLen));
    a=a+"";
    while (a.length<3) a="0"+a;   // zero-pad each XORed byte to a 3-digit decimal group
    myString+=a;
  }
  form1.tencrypt.value=myString;
}
function decrypt(s,pw) {
  // Body garbled in the extracted page. Surviving fragments: 0xff, var pwLen=pw.length,
  // s.length-2, myholder=s.charAt(i+2), String.fromCharCode, form1.tdecrypt.value=myString
}
-->
The hint says there is a 'key' inside the code. The code is an XOR encrypt/decrypt routine in JavaScript, but there's a twist: the decrypt function never works and always returns the same string regardless of the input you give it.
But we can see that the decryption routine XORs with the constant 0xFF as the key instead of using the pw parameter.
Using a 3rd-party XOR decryption tool, feeding in the string from the Morse code and 0xFF as the key, here is the result:
THOU SHALL LEARN MORSE CODE
There's our flag for this challenge.
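As an added example (my own code, not the challenge's routine and not the author's tool), here is a cleaned-up JavaScript version of the XOR scheme seen in index.html, plus the two decrypt variants the write-up describes. Each plaintext character is XORed with a key byte and emitted as a zero-padded three-digit decimal group, which is exactly what the page's encrypt() does. The functions xorDecrypt (the intended inverse, which honours the key) and xorDecryptFF (the broken behaviour the write-up describes, where the key parameter is ignored and 0xFF is used) are my reconstruction; the original decrypt body is garbled in the extract. xorHexWithByte is the single-byte XOR that a generic online tool performs on a hex string, for running the Morse-decoded value through yourself. All inputs below are constructed test data.

```javascript
// Added example: reconstruction of the index.html XOR routine with a
// working decrypt. Not the challenge's own code.

// Encrypt as the page's encrypt() does: XOR each char with a repeating
// key, emit the result as a zero-padded 3-digit decimal group.
function xorEncrypt(s, pw) {
  if (!pw.length) throw new Error('empty key');
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const a = s.charCodeAt(i) ^ pw.charCodeAt(i % pw.length);
    if (a > 999) throw new Error('code point does not fit a 3-digit group');
    out += String(a).padStart(3, '0');
  }
  return out;
}

// Intended inverse (assumption): walk the 3-digit groups and XOR each one
// with the matching key byte.
function xorDecrypt(s, pw) {
  if (!pw.length) throw new Error('empty key');
  if (s.length % 3 !== 0 || !/^\d*$/.test(s)) {
    throw new Error('ciphertext must be whole 3-digit decimal groups');
  }
  let out = '';
  for (let i = 0, k = 0; i < s.length; i += 3, k++) {
    const a = parseInt(s.slice(i, i + 3), 10) ^ pw.charCodeAt(k % pw.length);
    out += String.fromCharCode(a);
  }
  return out;
}

// The broken behaviour the write-up describes: the pw parameter is ignored
// and every group is XORed with the constant 0xFF, so the output is the
// same whatever key the caller supplies.
function xorDecryptFF(s, _pw) {
  return xorDecrypt(s, '\u00ff');   // '\u00ff'.charCodeAt(0) === 0xFF
}

// What a generic "XOR with 0xFF" tool does to a hex string: XOR each byte
// with one key byte and render the result as characters.
function xorHexWithByte(hex, keyByte) {
  if (hex.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error('input must be whole hex bytes');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16) ^ (keyByte & 0xff));
  }
  return out;
}

// Constructed demo: round-trip a message, then show the 0xFF variant
// ignoring its key.
const demoCipher = xorEncrypt('THOU SHALL LEARN MORSE CODE', 'k3y');   // constructed key
console.log(demoCipher);
console.log(xorDecrypt(demoCipher, 'k3y'));
console.log(xorDecryptFF(demoCipher, 'k3y') === xorDecryptFF(demoCipher, 'wrong'));
```

Because xorDecryptFF never looks at pw, the fact that the page's decrypt "always returns the same string" is a direct consequence of hard-coding the key, not of any corruption of the ciphertext.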
For anyone who might need the challenge file, you can download it here.
Kudos to the Wargames.MY Crewz for a 1337 aw3s0m3 challenge. Hope to see more challenges again next year! <3
Nice, btw how did you know the password for that zip file?
Naturally, at my workplace I always get files like this, and the password for the zip is always 'infected'.
Thx :)