Wargames.MY 2015 - Challenge 7 (jengkrengkrongkreng) Write-Up

3 comments
This article is about Wargames.MY 2015 - Challenge 7

Initial Hint: blackhole exploit main password

the challenge provide us 7z archive with password protected. So by using initial hint to find out the archive password. As malware analyst at MyCERT, knowing every malicious binary will zipped-up with 'infected' as archive password.

List of files in archive:








There's nothing inside logo.jpg except Miranda Kerr picture(NSFW).

Nothing much you can see if you open index.html on web browser, except it will show you 'youporn.com' site.

But 265KB for index.html is too much lets look into it.

Nothing much, but the interesting part is the base64 data.

Here's full base64 strings.
Here's decoded base64 string.

Those are just jQuery file, but on bottom of the code there's interesting code

document.write("<script type='text/javascript' src= '---.. ..--- ---.. --... ----- --... .- ----. ---.. ...-- ...-- --... . -... -.... -... -.. ----. ..... --... -.. ----- . -.. ...-- ..-. --... ....- ----- ---.. ..--- ...-- ..-. -.. ..--- ..-. ..--- -.... --... . ....- ....- -... ----. -.. .---- ..-. ----- ....- ..--- ..-. .---- --... .- ----- ..... ---.. --... .---- ---.. ...-- ...--'></script>")

after decode the morse code, here the result.
828707A98337EB6BD957D0ED3F740823FD2F267E44B9D1F042F17A05871833

Look back at index.html and you will notice this portion of code
<!-- Kunci ada kat sini lah bro..
function encrypt(s,pw)
{
	var a=0;
	var myString='';
	var textLen=s.length;
	var pwLen=pw.length;

	for (i=0;i<textLen;i++) 
	{
		a=parseInt(s.charCodeAt(i));
		a=a^(pw.charCodeAt(i%pwLen));
		a=a+"";
		while (a.length<3 0xff="" a="" decrypt="" end="" form1.tdecrypt.value="myString;" form1.tencrypt.value="myString;" function="" gt="" i="" if="" lt="" myholder="s.charAt(i+2);" mystring="" of="" pre="" pw="" pwlen="pw.length;" s.charat="" s.length-2="" s="" textlen="s.length;" tring.fromcharcode="" var="" while="">

The hint: there's a 'key' inside the code, the code shown xor encrypt/decrypt routine in javascript, but there's a twist. Decrypt function never work, and always return same string regardless of input.
But we know decryption process using '0xFF' as key instead of parameter.
Using 3rd party xor decryption, pass the string from the morse code and 0xFF as key, here the result:
THOU SHALL LEARN MORSE CODE

There's our flag for this challenge.
For who might need the challenge file, you can download it here

Kudos to Wargames.MY Crewz for 1337 aw3s0m3 challenge. hope to see more challenge again next year!

3 comments :

  1. Nice, Btw mcm mna ko tau password Zip file tu?

    ReplyDelete
    Replies
    1. naturally kat tempat kerja aku memang selalu dapat file2 gini, dan password utk zip tu selalu 'infected'

      Delete