https://soffensive.github.io/tags/ctf/Recent content in Ctf on soffensive blogHugoenWed, 21 Feb 2018 04:27:00 -0800https://soffensive.github.io/posts/ctf/2018-02-21-using-angr-and-symbolic-execution-for-reverse-engineering-challenges-rpi-mbe-labs/Wed, 21 Feb 2018 04:27:00 -0800https://soffensive.github.io/posts/ctf/2018-02-21-using-angr-and-symbolic-execution-for-reverse-engineering-challenges-rpi-mbe-labs/<p>This blog posts will highlight how you can utilize the angr dynamic binary analysis framework and symbolic execution for reverse engineering tasks.</p> <p>More precisely, we will look at the first two tasks in the <code>lab1</code> of the <a href="https://github.com/RPISEC/MBE/tree/master/src/lab01" target="_blank" rel="noopener noreffer ">RPISEC MBE labs</a>.</p> <p>While angr&rsquo;s internals are quite complex and require substantial effort for mastering, getting started for our simple examples requires not too much knowledge.  </p> <h2 id="lab1c">lab1C</h2> <p>The first example we will look at is <code>lab1C</code> from <code>lab01</code>, which requires the user to enter a certain password:</p>https://soffensive.github.io/posts/ctf/2018-01-23-pwnable-kr-crypto1-challenge/Tue, 23 Jan 2018 03:29:00 -0800https://soffensive.github.io/posts/ctf/2018-01-23-pwnable-kr-crypto1-challenge/<p>In the pwnable.kr challenge <code>crypto1</code> in the rookies section, we are given the following two files <code>client.py</code> and <code>server.py</code>:</p> <h2 id="clientpy">client.py</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/python</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">base64</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">xmlrpclib</span> </span></span><span class="line"><span class="cl"><span class="n">rpc</span> <span class="o">=</span> <span class="n">xmlrpclib</span><span class="o">.</span><span class="n">ServerProxy</span><span class="p">(</span><span class="s2">&#34;http://localhost:9100/&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">BLOCK_SIZE</span> <span class="o">=</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"><span class="n">PADDING</span> <span class="o">=</span> <span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">pad</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">s</span><span class="p">:</span> <span class="n">s</span> <span class="o">+</span> <span class="p">(</span><span class="n">BLOCK_SIZE</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">%</span> <span class="n">BLOCK_SIZE</span><span class="p">)</span> <span class="o">*</span> <span class="n">PADDING</span> </span></span><span class="line"><span class="cl"><span class="n">EncodeAES</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">c</span><span class="p">,</span> <span class="n">s</span><span class="p">:</span> <span class="n">c</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">pad</span><span class="p">(</span><span class="n">s</span><span class="p">))</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">DecodeAES</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">c</span><span class="p">,</span> <span class="n">e</span><span class="p">:</span> <span class="n">c</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># server&#39;s secrets</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">cookie</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># guest / 8b465d23cb778d3636bf6c4c5e30d031675fd95cec7afea497d36146783fd3a1</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">sanitize</span><span class="p">(</span><span class="n">arg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">arg</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">c</span> <span class="ow">not</span> <span class="ow">in</span> <span class="s1">&#39;1234567890abcdefghijklmnopqrstuvwxyz-_&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">True</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">AES128_CBC</span><span class="p">(</span><span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">EncodeAES</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">msg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">request_auth</span><span class="p">(</span><span class="nb">id</span><span class="p">,</span> <span class="n">pw</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">packet</span> <span class="o">=</span> <span class="s1">&#39;</span><span class="si">{0}</span><span class="s1">-</span><span class="si">{1}</span><span class="s1">-</span><span class="si">{2}</span><span class="s1">&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="nb">id</span><span class="p">,</span> <span class="n">pw</span><span class="p">,</span> <span class="n">cookie</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">e_packet</span> <span class="o">=</span> <span class="n">AES128_CBC</span><span class="p">(</span><span class="n">packet</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;sending encrypted data (</span><span class="si">{0}</span><span class="s1">)&#39;</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">e_packet</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">rpc</span><span class="o">.</span><span class="n">authenticate</span><span class="p">(</span><span class="n">e_packet</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;---------------------------------------------------&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;- PWNABLE.KR secure RPC login system -&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;---------------------------------------------------&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;Input your ID&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">id</span> <span class="o">=</span> <span class="n">raw_input</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;Input your PW&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">pw</span> <span class="o">=</span> <span class="n">raw_input</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">sanitize</span><span class="p">(</span><span class="nb">id</span><span class="p">)</span> <span class="o">==</span> <span class="kc">False</span> <span class="ow">or</span> <span class="n">sanitize</span><span class="p">(</span><span class="n">pw</span><span class="p">)</span> <span class="o">==</span> <span class="kc">False</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;format error&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">os</span><span class="o">.</span><span class="n">_exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cred</span> <span class="o">=</span> <span class="n">request_auth</span><span class="p">(</span><span class="nb">id</span><span class="p">,</span> <span class="n">pw</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">cred</span><span class="o">==</span><span class="mi">0</span> <span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;you are not authenticated user&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">os</span><span class="o">.</span><span class="n">_exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">cred</span><span class="o">==</span><span class="mi">1</span> <span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;hi guest, login as admin&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">os</span><span class="o">.</span><span class="n">_exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="s1">&#39;hi admin, here is your flag&#39;</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span> <span class="nb">open</span><span class="p">(</span><span class="s1">&#39;flag&#39;</span><span class="p">)</span><span class="o">.</span><span class="n">read</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">stdout</span><span class="o">.</span><span class="n">flush</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="serverpy">server.py</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/python</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">xmlrpclib</span><span class="o">,</span> <span class="nn">hashlib</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">SimpleXMLRPCServer</span> <span class="kn">import</span> <span class="n">SimpleXMLRPCServer</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span><span class="o">,</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">BLOCK_SIZE</span> <span class="o">=</span> <span class="mi">16</span> </span></span><span class="line"><span class="cl"><span class="n">PADDING</span> <span class="o">=</span> <span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">pad</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">s</span><span class="p">:</span> <span class="n">s</span> <span class="o">+</span> <span class="p">(</span><span class="n">BLOCK_SIZE</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="o">%</span> <span class="n">BLOCK_SIZE</span><span class="p">)</span> <span class="o">*</span> <span class="n">PADDING</span> </span></span><span class="line"><span class="cl"><span class="n">EncodeAES</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">c</span><span class="p">,</span> <span class="n">s</span><span class="p">:</span> <span class="n">c</span><span class="o">.</span><span class="n">encrypt</span><span class="p">(</span><span class="n">pad</span><span class="p">(</span><span class="n">s</span><span class="p">))</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">DecodeAES</span> <span class="o">=</span> <span class="k">lambda</span> <span class="n">c</span><span class="p">,</span> <span class="n">e</span><span class="p">:</span> <span class="n">c</span><span class="o">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">&#39;hex&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># server&#39;s secrets</span> </span></span><span class="line"><span class="cl"><span class="n">key</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">iv</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">cookie</span> <span class="o">=</span> <span class="s1">&#39;erased. but there is something on the real source code&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">AES128_CBC</span><span class="p">(</span><span class="n">msg</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">AES</span><span class="o">.</span><span class="n">MODE_CBC</span><span class="p">,</span> <span class="n">iv</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">DecodeAES</span><span class="p">(</span><span class="n">cipher</span><span class="p">,</span> <span class="n">msg</span><span class="p">)</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="n">PADDING</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">authenticate</span><span class="p">(</span><span class="n">e_packet</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">packet</span> <span class="o">=</span> <span class="n">AES128_CBC</span><span class="p">(</span><span class="n">e_packet</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nb">id</span> <span class="o">=</span> <span class="n">packet</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;-&#39;</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">pw</span> <span class="o">=</span> <span class="n">packet</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;-&#39;</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">packet</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;-&#39;</span><span class="p">)[</span><span class="mi">2</span><span class="p">]</span> <span class="o">!=</span> <span class="n">cookie</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span> <span class="c1"># request is not originated from expected server</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="nb">id</span><span class="o">+</span><span class="n">cookie</span><span class="p">)</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span> <span class="o">==</span> <span class="n">pw</span> <span class="ow">and</span> <span class="nb">id</span> <span class="o">==</span> <span class="s1">&#39;guest&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">hashlib</span><span class="o">.</span><span class="n">sha256</span><span class="p">(</span><span class="nb">id</span><span class="o">+</span><span class="n">cookie</span><span class="p">)</span><span class="o">.</span><span class="n">hexdigest</span><span class="p">()</span> <span class="o">==</span> <span class="n">pw</span> <span class="ow">and</span> <span class="nb">id</span> <span class="o">==</span> <span class="s1">&#39;admin&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">2</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">server</span> <span class="o">=</span> <span class="n">SimpleXMLRPCServer</span><span class="p">((</span><span class="s2">&#34;localhost&#34;</span><span class="p">,</span> <span class="mi">9100</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span> <span class="s2">&#34;Listening on port 9100...&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">server</span><span class="o">.</span><span class="n">register_function</span><span class="p">(</span><span class="n">authenticate</span><span class="p">,</span> <span class="s2">&#34;authenticate&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">server</span><span class="o">.</span><span class="n">serve_forever</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="analysis">Analysis</h2> <p>Furthermore, there is a running instance of <code>client.py</code> at <code>pwnable.kr</code> on port <code>9006</code>. Our goal is to connect to this service and retrieve the flag.</p>https://soffensive.github.io/posts/ctf/2017-08-04-small-challenge-from-gynvael-coldwin/Fri, 04 Aug 2017 15:16:00 -0700https://soffensive.github.io/posts/ctf/2017-08-04-small-challenge-from-gynvael-coldwin/<p>Gynvael Coldwin posted a small challenge at the end of his last podcast on Windows Kernel Debugging with Artem Shishkin:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Welcome back agent 1336. </span></span><span class="line"><span class="cl">No mail. </span></span><span class="line"><span class="cl">&gt; mission --take </span></span><span class="line"><span class="cl">MISSION 012 goo.gl/qudiHJ DIFFICULTY: ██░░░░░░░░ [2╱10] </span></span><span class="line"><span class="cl">┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Our agents managed to install a hardware keylogger in suspects computer. After </span></span><span class="line"><span class="cl">they retrieved it and dumped the recorded data, here is what showed up: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> 58 f0 58 1b f0 1b 58 f0 58 44 f0 44 2d f0 2d 2d f0 2d 35 f0 35 41 f0 41 29 </span></span><span class="line"><span class="cl"> f0 29 59 43 f0 43 f0 59 29 f0 29 23 f0 23 44 f0 44 31 f0 31 52 f0 52 2c f0 </span></span><span class="line"><span class="cl"> 2c 29 f0 29 1b f0 1b 4d f0 4d 24 f0 24 1c f0 1c 42 f0 42 29 f0 29 12 42 f0 </span></span><span class="line"><span class="cl"> 42 f0 12 24 f0 24 35 f0 35 32 f0 32 44 f0 44 1c f0 1c 2d f0 2d 23 f0 23 49 </span></span><span class="line"><span class="cl"> f0 49 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Could you help us decoded it to know what was typed? </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Good luck! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--------------------------------------------------------------------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">If you decode the answer, put it in the comments under this video! If you write </span></span><span class="line"><span class="cl">a blogpost / post your solution online, please add a link in the comments too! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">P.S. I&#39;ll show/explain the solution on the stream in ~two weeks. </span></span></code></pre></td></tr></table> </div> </div><p>Our first guess was that the characters use some well-known encoding such as ASCII, but this turned out to be wrong assumption. In order to obtain some knowledge about the structure of the recorded data, we ran some statistical analysis of the different byte values:</p>