AND!XOR DC28
==Reverse Engineering==
<div class="toccolours mw-collapsible mw-collapsed">Challenge 2<div class="mw-collapsible-content">
<pre>
U cUm ax a supa secure medical LAPPY covered n stickers. It hz a TACO_CORP_PROMPT on itz scrEn.
and!xor:~$ look at TACO_CORP_PROMPT
D prolly not HIPAA compliant login 4 Taco Corps medical rEsrch divisN. Did dey release d virus only 2 seL thR salsa vaccine az a cure?
and!xor:~$ hack LAPPY wit RUBBER_DUCKY
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at LAPPY
D credz auth binary wz XtractD. wot acownt iz Usd 2 login? Saved undR youZer binz...
</pre>
On the badge under /USR/BIN/ is a new file: TACOTH
<pre>
file andxor/USR/BIN/TACOTH
andxor/USR/BIN/TACOTH: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1109a4c77bf523765870c7d93233c78223777b5d, for GNU/Linux 3.2.0, not stripped
</pre>
Time for some reverse engineering with Ghidra (the binary breakdown below walks through each check). The recovered login is accepted by the badge:
<pre>
hack flag wit 8GAT35@VAXX34.0RG
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete!
ditto stoke waltz hinds agora buyer likes ivied stalk
</pre>
<div class="toccolours mw-collapsible mw-collapsed">Binary Breakdown<div class="mw-collapsible-content">
* The key seems to be this bit of code:
<pre>
if ((((((x00 == 0) || (x01 == 0)) || (x02 == 0)) || ((x03 == 0 || (x04 == 0)))) ||
    ((((x05 == 0 || ((x06 == 0 || (x07 == 0)))) || (x08 == 0)) ||
     ((((x09 == 0 || (x10 == 0)) || (x11 == 0)) ||
      (((x12 == 0 || (x13 == 0)) || ((x14 == 0 || ((x15 == 0 || (x16 == 0)))))))))))) ||
    (crc == 0)) {
  puts("FAILZ!");
}
else {
  puts("SUCCESS!");
}
</pre>
* So we need to identify x00 through x16 and make them != 0, along with the crc
<pre>
if (((int)local_28[0] - 0x30U & 0x3fffffff) == 8) { x00 = 1; }   // so 0x38 or '8'
</pre>
* x00 = 8
<pre>
if (((local_28[1] == 'G') && (local_28[2] == 'A')) && (local_28[3] == 'T')) { x01 = 1; x02 = 1; x03 = 1; }
</pre>
* x01 = G
* x02 = A
* x03 = T
<pre>
if ((iVar1 + 1) % 0x24 == 0) { x04 = 1; x05 = 1; }
</pre>
* x04 and x05 seem to need a bit more investigation
** This was frustrating me a ton and I ended up just brute-forcing a bit here with some for loops:
<pre>
for i in $(cat list4); do echo Trying$i && sudo ./TACOTH $i; done > results
</pre>
* This only really worked since it was my last couple of characters to figure out. The result ended up being '35'
<pre>
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
local_36 = local_24;
iVar1 = atoi(&local_36);
iVar1 = fgetc(__stream);
</pre>
* I'm not 100% sure, but it looks like these two resolve themselves, though I don't have a defined view of what local_24 is from here; it should be 'G', which is what gets written to .temp in hex
<pre>
if (local_22 == '@') { x06 = 1; }
</pre>
* local_22 doesn't appear defined anywhere, but this pretty easily needs to be an '@'
** However, there is a big loop that occurs, and after it is this:
<pre>
if (((x07 != 0) && (x08 != 0)) && ((x09 != 0 && (x10 != 0)))) { x06 = 1; }
</pre>
* So we need to get x07-x10 and x06 will fall in line; let's look at the loop
<pre>
local_2f = 0x78787878;
local_2b = 0x7878;
local_6c = 7;
while (local_29 = 0, local_6c < 0xb) {
  switch(local_28[local_6c]) {
  case 'A':
    if (local_6c == 8) { x08 = 1; local_2f = 0x63616261; local_2b = 0x7375; }
    break;
  case 'B':
    if (local_6c == 8) { a02 = 1; local_2f = 0x69626162; local_2b = 0x7365; }
    break;
  case 'C':
    if (local_6c == 9) { a03 = 1; local_2f = 0x61626163; local_2b = 0x616c; }
    else { if (local_6c == 10) { a03 = 1; local_2f = 0x61626163; local_2b = 0x616c; } }
    break;
  case 'D':
    if (local_6c == 7) { a04 = 1; local_2f = 0x62626164; local_2b = 0x7265; }
    break;
  case 'E':
    if (local_6c == 8) { a05 = 1; local_2f = 0x65676165; local_2b = 0x7372; }
    break;
  case 'F':
    if (local_6c == 9) { a06 = 1; local_2f = 0x6c626166; local_2b = 0x7365; }
    else { if (local_6c == 10) { a06 = 1; local_2f = 0x6c626166; local_2b = 0x7365; } }
    break;
  case 'G':
    if (local_6c == 7) { a07 = 1; local_2f = 0x69626167; local_2b = 0x6e6f; }
    break;
  case 'H':
    if (local_6c == 8) { a08 = 1; local_2f = 0x69626168; local_2b = 0x7374; }
    break;
  case 'I':
    if (local_6c == 9) { a09 = 1; local_2f = 0x63696269; local_2b = 0x7365; }
    else { if (local_6c == 10) { a09 = 1; local_2f = 0x63696269; local_2b = 0x7365; } }
    break;
  case 'J':
    if (local_6c == 7) { a10 = 1; local_2f = 0x6262616a; local_2b = 0x7265; }
    break;
  case 'K':
    if (local_6c == 8) { a11 = 1; local_2f = 0x6162616b; local_2b = 0x616c; }
    break;
  case 'L':
    if (local_6c == 9) { a12 = 1; local_2f = 0x6761616c; local_2b = 0x7265; }
    else { if (local_6c == 10) { a12 = 1; local_2f = 0x6761616c; local_2b = 0x7265; } }
    break;
  case 'M':
    if (local_6c == 7) { a13 = 1; local_2f = 0x6163616d; local_2b = 0x7377; }
    break;
  case 'N':
    if (local_6c == 8) { a14 = 1; local_2f = 0x6863616e; local_2b = 0x736f; }
    break;
  case 'O':
    if (local_6c == 9) { a15 = 1; local_2f = 0x756b616f; local_2b = 0x736d; }
    else { if (local_6c == 10) { a15 = 1; local_2f = 0x756b616f; local_2b = 0x736d; } }
    break;
  case 'P':
    if (local_6c == 7) { a16 = 1; local_2f = 0x6b636170; local_2b = 0x6465; }
    break;
  case 'Q':
    if (local_6c == 8) { a17 = 1; local_2f = 0x6c626971; local_2b = 0x7361; }
    break;
  case 'R':
    if (local_6c == 9) { a18 = 1; local_2f = 0x62626172; local_2b = 0x6e69; }
    else { if (local_6c == 10) { a18 = 1; local_2f = 0x62626172; local_2b = 0x6e69; } }
    break;
  case 'S':
    if (local_6c == 7) { a19 = 1; local_2f = 0x6f626173; local_2b = 0x6172; }
    break;
  case 'T':
    if (local_6c == 8) { a20 = 1; local_2f = 0x6c626174; local_2b = 0x7365; }
    break;
  case 'U':
    if (local_6c == 9) { a21 = 1; local_2f = 0x696c6775; local_2b = 0x7265; }
    else { if (local_6c == 10) { a21 = 1; local_2f = 0x696c6775; local_2b = 0x7265; } }
    break;
  case 'V':
    if (local_6c == 7) { x07 = 1; local_2f = 0x75636176; local_2b = 0x6d75; }
    break;
  case 'W':
    if (local_6c == 8) { a23 = 1; local_2f = 0x62626177; local_2b = 0x656c; }
    break;
  case 'X':
    if (local_6c == 9) { x09 = 1; local_2f = 0x696e6578; local_2b = 0x6c61; }
    else { if (local_6c == 10) { x10 = 1; local_2f = 0x696e6578; local_2b = 0x6c61; } }
    break;
  case 'Y':
    if (local_6c == 7) { a25 = 1; local_2f = 0x62626179; local_2b = 0x7265; }
    break;
  case 'Z':
    if (local_6c == 8) { a26 = 1; local_2f = 0x6666617a; local_2b = 0x7265; }
  }
  local_6c = local_6c + 1;
}
</pre>
* A lot going on here, but local_6c seems to be a counter given the last line. It also appears to start at 7 and stands in for the array position that appears to be our flag
** local_6c == 7 has D,G,J,M,P,S,Y modifying some a00 number while V gives x07 = 1
** local_6c == 8 has B,E,H,K,N,Q,T,W,Z doing similar while A gives x08 = 1
** local_6c == 9 has C,F,I,L,O,R,U doing similar again while X gives x09 = 1
** local_6c == 10 has other stuff, but x10 = 1 was found under X anyway, so
** 'VAXX'
<pre>
if (((int)local_1c + (int)local_1d == 0x67) && ((int)local_1c - (int)local_1d == 1)) { x11 = 1; x12 = 1; }
</pre>
* This is a pretty simple one: 0x67 is 103, so 1c + 1d = 103 and 1c - 1d = 1.
** 52 and 51 work cleanly in here
** '4' and '3'
<pre>
if (local_1b == '.') { x13 = 1; }
</pre>
* Another easy one: '.'
<pre>
uVar2 = rot13((int)local_1a);
if (((int)uVar2 == 0x3d) && (uVar2 = rot13((int)local_19 + 1), (int)uVar2 == 0x60)) { x14 = 1; x15 = 1; }
----------------------------
rot13 { return (ulong)(param_1 + 0xd); }
</pre>
* '0' for local_1a will give us at least the first part of the if statement
* 'R' for local_19 gives the next part
<pre>
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
...
iVar1 = fgetc(__stream);
fclose(__stream);
remove(".temp");
if (iVar1 == (int)local_18) { x16 = 1; }
</pre>
* The beginning bits put 'G' into .temp and check it against local_18 later, so local_18 needs to be 'G'
</div>
</div>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 16 (G)<div class="mw-collapsible-content">
<pre>
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed. f only U c%d hack dis HW.
and!xor:~$ look at ROACH
U haz a senS of longing 4 Lulvil. Trevor 4get icing Dave whIl dressed az a *<|:).
and!xor:~$ hack INTRFAC wit ICEDEBUGGER
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed. f only U c%d hack dis HW.
and!xor:~$ look at INTRFAC
D mny bug badge blings raw whIl itz binary dumps. Itz az f frm warez iz jst hidden n pln cite.
</pre>
Looking at the BLING_BW folder on the badge, I ran file BLING_BW/* and identified DERBY.RAW as an ELF file instead of data.
<pre>
chmod +x DERBY.RAW
./DERBY.RAW
What is the password to get Trevor in to heaven: TrevorForget
WRONG!
</pre>
I ran ltrace to see what's going on:
<pre>
ltrace ./DERBY.RAW
printf("What is the password to get Trev"...) = 49
gets(0x7fffdbb0e440, 32, 0, 0What is the password to get Trevor in to heaven: fail
) = 0x7fffdbb0e440
strcmp("fail", "ROUNDERS") = 20
puts("WRONG!"WRONG!
) = 7
+++ exited (status 0) +++
</pre>
strcmp("fail", "ROUNDERS") seems to be the ticket:
<pre>
./DERBY.RAW
What is the password to get Trevor in to heaven: ROUNDERS
RIGHT!
</pre>
Back to the badge:
<pre>
and!xor:~$ hack flag wit ROUNDERS
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete!
riles forgo goats anise sixes piled strip idols mulch
</pre>
</div></div>
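A credential check compiled into the client, like the TACOTH one in Challenge 2, can be reproduced outside the binary once its comparisons have been read out, which is the practical meaning of the badge's "not HIPAA compliant login" joke: whatever a client validates locally, it also discloses. The Python below is an added example, not the badge's or the write-up author's code. It mirrors the decompiled tests quoted in the binary breakdown and then enumerates every input they accept, instead of solving positions by hand. Assumptions: local_28 is the input buffer, so each local_NN is the byte at index 0x28 - NN (local_24 is index 4, local_22 is 6, local_1d and local_1c are 11 and 12, local_1b is 13, local_1a and local_19 are 14 and 15, local_18 is 16); the atoi() call reads the characters starting at index 4; the crc term is not shown on the page and is left out; the names check, solve, candidates, c_atoi and CONSTRAINTS are mine.

```python
import itertools

# Characters tried at each position (printable ASCII, space excluded); my choice.
PRINTABLE = [chr(c) for c in range(0x21, 0x7f)]
PW_LEN = 17  # x00..x16: one flag per input byte


def rot13(value: int) -> int:
    # The binary's "rot13" helper as decompiled on the page: plain +13, no wrap-around.
    return value + 0xd


def c_atoi(s: str) -> int:
    """C atoi(): skip leading blanks, optional sign, digits up to the first non-digit."""
    i, sign, n = 0, 1, 0
    while i < len(s) and s[i] in " \t\n\r\f\v":
        i += 1
    if i < len(s) and s[i] in "+-":
        sign = -1 if s[i] == "-" else 1
        i += 1
    while i < len(s) and "0" <= s[i] <= "9":
        n = n * 10 + ord(s[i]) - 0x30
        i += 1
    return sign * n


def check(pw: str) -> list:
    """Evaluate x00..x16 for a candidate the way the quoted decompilation does."""
    if len(pw) != PW_LEN:
        return [False] * PW_LEN
    b = [ord(c) for c in pw]
    x = [False] * PW_LEN
    x[0] = ((b[0] - 0x30) & 0x3fffffff) == 8           # local_28[0]
    x[1] = x[2] = x[3] = pw[1:4] == "GAT"              # local_28[1..3]
    x[4] = x[5] = (c_atoi(pw[4:]) + 1) % 0x24 == 0     # atoi() over the bytes from local_24 (assumed)
    x[7] = pw[7] == "V"                                # switch: 'V' while local_6c == 7
    x[8] = pw[8] == "A"                                # 'A' at 8
    x[9] = pw[9] == "X"                                # 'X' at 9
    x[10] = pw[10] == "X"                              # 'X' at 10
    x[6] = pw[6] == "@" or all(x[7:11])                # local_22 test, or set again after the loop
    x[11] = x[12] = (b[12] + b[11] == 0x67) and (b[12] - b[11] == 1)   # local_1c + local_1d
    x[13] = pw[13] == "."                              # local_1b
    x[14] = x[15] = rot13(b[14]) == 0x3d and rot13(b[15] + 1) == 0x60  # local_1a, local_19
    x[16] = b[16] == 0x47                              # the 'G' written to .temp and read back
    return x


# Each decompiled test restated over the indices it touches, for the solver.
CONSTRAINTS = [
    ((0,), lambda a: ((ord(a) - 0x30) & 0x3fffffff) == 8),
    ((1,), lambda a: a == "G"),
    ((2,), lambda a: a == "A"),
    ((3,), lambda a: a == "T"),
    ((4, 5), lambda a, b: (c_atoi(a + b) + 1) % 0x24 == 0),  # the '@' at 6 ends the atoi() scan
    ((6,), lambda a: a == "@"),      # sufficient; the loop sets x06 again once x07..x10 hold
    ((7,), lambda a: a == "V"),
    ((8,), lambda a: a == "A"),
    ((9,), lambda a: a == "X"),
    ((10,), lambda a: a == "X"),
    ((11, 12), lambda a, b: ord(a) + ord(b) == 0x67 and ord(b) - ord(a) == 1),
    ((13,), lambda a: a == "."),
    ((14,), lambda a: rot13(ord(a)) == 0x3d),
    ((15,), lambda a: rot13(ord(a) + 1) == 0x60),
    ((16,), lambda a: ord(a) == 0x47),
]


def candidates(indices, pred) -> list:
    """All printable strings for the given positions that the predicate accepts."""
    return ["".join(t) for t in itertools.product(PRINTABLE, repeat=len(indices)) if pred(*t)]


def solve() -> list:
    """Every 17-byte input accepted by the reconstructed checks (index 6 fixed to '@')."""
    options = [(idx, candidates(idx, pred)) for idx, pred in CONSTRAINTS]
    solutions = []
    for choice in itertools.product(*[c for _, c in options]):
        pw = [""] * PW_LEN
        for (idx, _), text in zip(options, choice):
            for i, ch in zip(idx, text):
                pw[i] = ch
        solutions.append("".join(pw))
    # Re-run the faithful check so the per-constraint shortcuts cannot admit a false positive.
    return sorted(s for s in solutions if all(check(s)))


if __name__ == "__main__":
    for s in solve():
        print(s, "->", "SUCCESS!" if all(check(s)) else "FAILZ!")
```

Enumerating rather than guessing also shows two things the per-character walk-through does not: the (iVar1 + 1) % 0x24 test accepts "-1" and "71" in positions 4 and 5 as well as the "35" found by brute force, and according to the quoted decompilation the '@' at index 6 is sufficient but not necessary once VAXX is in place, because the post-loop test sets x06 again. For the defender the conclusion is the usual one: a secret checked on the client, whether by a single strcmp() or by seventeen per-byte tests, has to be treated as public the moment the binary leaves your hands; verification belongs on the server, against a salted hash.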
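Challenge 16 hid a runnable ELF behind a .RAW name, and file(1) caught it because it looks at content rather than the extension. The Python below is an added example, not the badge's or the write-up author's tooling, of the same check: it parses the ELF identification bytes plus e_type and e_machine the way file(1) does, classifies every file in a directory by content, and lists printable runs the way strings(1) would, which is where a hard-coded strcmp() operand ends up. The two .RAW files, the constructed ELF64 header and the EXAMPLE_PASSWORD literal exist only for this demo, and the function names are mine.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
ENCODINGS = {1: "LSB", 2: "MSB"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}
MACHINES = {0x03: "Intel 80386", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "ARM aarch64"}


def describe_elf(data: bytes):
    """file(1)-style summary from e_ident, e_type and e_machine; None if not an ELF image."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = ">" if ei_data == 2 else "<"          # EI_DATA selects the byte order of the header
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return "ELF %s %s %s, %s" % (
        CLASSES.get(ei_class, "unknown-class"),
        ENCODINGS.get(ei_data, "unknown-endian"),
        TYPES.get(e_type, "type %d" % e_type),
        MACHINES.get(e_machine, "machine 0x%x" % e_machine),
    )


def scan_directory(path: str) -> dict:
    """Classify every regular file under path by its first bytes, ignoring the extension."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = describe_elf(fh.read(64))
    return results


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """strings(1)-style: runs of printable ASCII of at least min_len characters."""
    found, run = [], bytearray()
    for byte in data + b"\x00":        # the trailing NUL flushes the last run
        if 0x20 <= byte < 0x7f:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def constructed_elf_header() -> bytes:
    """A 64-byte ELF64 header, constructed for this example; it carries no code."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, version 1
    # e_type=ET_DYN(3), e_machine=EM_X86_64(0x3e), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3e, 1, 0, 64, 0, 0, 64, 56, 0, 64, 0, 0)


def demo() -> dict:
    """Write two constructed .RAW files and classify them; only one is really an ELF."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "DERBY.RAW"), "wb") as fh:
            fh.write(constructed_elf_header() + b"\x00" * 16 + b"EXAMPLE_PASSWORD\x00")
        with open(os.path.join(d, "OTHER.RAW"), "wb") as fh:
            fh.write(bytes(range(256)))  # arbitrary bytes: looks like data, and is
        return scan_directory(d)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(name, "->", kind or "data")
```

e_type 3 (ET_DYN) covers both shared libraries and position-independent executables, which is why file(1) reports a runnable badge binary as "shared object" in the TACOTH output above. On the defensive side the same two functions make a cheap pre-release inventory check for firmware images: a "data" file that starts with 0x7f 'ELF', or that carries a recognisable credential string, deserves a look before it ships.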