Monday, February 6, 2017

AlexCTF 2017 - Reverse Engineering: Gifted (50) & unVM me (250)


The challenges on AlexCTF were very fun, I ended up pushing myself further trying out new techniques and categories I usually don't touch as much.


Gifted


This was a very simple challenge, just strings the binary and there you go!

$ strings gifted | grep -i alexctf

AlexCTF{Y0u_h4v3_45t0n15h1ng_futur3_1n_r3v3r5ing}



unVM me


This challenge was a lot of fun, and not something you usually see. It was a python reversing challenge where you were given a pyc. Here's the description:

If I tell you what version of python I used .. where is the fun in that?

unvm_me.pyc

Looking around for a python decompiler, we can find this - https://github.com/gstarnberger/uncompyle

Creating a new python virtual environment for this uncompyle tool we can extract the source easily:

mkdir blah
$ virtualenv blah
$ source ./blah/bin/activate
$ pip install uncompyle2
$ ./blah/bin/uncompyle6 ./unvm_me.pyc > unvms.py

Looking at the source we have:

$ cat unvms.py

import md5
md5s = [174282896860968005525213562254350376167L, 137092044126081477479435678296496849608L, 126300127609096051658061491018211963916L, 314989972419727999226545215739316729360L, 256525866025901597224592941642385934114L, 115141138810151571209618282728408211053L, 8705973470942652577929336993839061582L, 256697681645515528548061291580728800189L, 39818552652170274340851144295913091599L, 65313561977812018046200997898904313350L, 230909080238053318105407334248228870753L, 196125799557195268866757688147870815374L, 74874145132345503095307276614727915885L]

print 'Can you turn me back to python ? ...'
flag = raw_input('well as you wish.. what is the flag: ')
if len(flag) > 69:
    print 'nice try'
    exit()
if len(flag) % 5 != 0:
    print 'nice try'
    exit()
for i in range(0, len(flag), 5):
    s = flag[i:i + 5]
    if int('0x' + md5.new(s).hexdigest(), 16) != md5s[i / 5]:
        print 'nice try'
        exit()

print 'Congratz now you have the flag'

So now that we have this, it's pretty easy to see what else we need to do, we just have to crack 13 MD5 hashes.
Adding this line under the md5s list helped print out the hashes:

for x in md5s: print '{0:032x}'.format(x)

This yields the output:

831daa3c843ba8b087c895f0ed305ce7
6722f7a07246c6af20662b855846c2c8
5f04850fec81a27ab5fc98befa4eb40c
ecf8dcac7503e63a6a3667c5fb94f610
c0fd15ae2c3931bc1e140523ae934722
569f606fd6da5d612f10cfb95c0bde6d
068cb5a1cf54c078bf0e7e89584c1a4e
c11e2cd82d1f9fbd7e4d6ee9581ff3bd
1df4c637d625313720f45706a48ff20f
3122ef3a001aaecdb8dd9d843c029e06
adb778a0f729293e7e0b19b96a4c5a61
938c747c6a051b3e163eb802a325148e
38543c5e820dd9403b57beff6020596d

Using john we can crack these pretty quickly:

$ john --incremental=LowerNum hashes --format=raw-md5

Here's the result:

831daa3c843ba8b087c895f0ed305ce7: ALEXC
6722f7a07246c6af20662b855846c2c8: TF{dv
5f04850fec81a27ab5fc98befa4eb40c: 5d4s2
ecf8dcac7503e63a6a3667c5fb94f610: vj8nk
c0fd15ae2c3931bc1e140523ae934722: 43s8d
569f606fd6da5d612f10cfb95c0bde6d: 8l6m1
068cb5a1cf54c078bf0e7e89584c1a4e: n5l67
c11e2cd82d1f9fbd7e4d6ee9581ff3bd: ds9v4
1df4c637d625313720f45706a48ff20f: 1n52n
3122ef3a001aaecdb8dd9d843c029e06: v37j4
adb778a0f729293e7e0b19b96a4c5a61: 81h3d
938c747c6a051b3e163eb802a325148e: 28n4b
38543c5e820dd9403b57beff6020596d: 6v3k}

Now with some sed & tr, we have the flag!

$ cat solution | sed 's/.*://g' | tr -d '\n '; echo

ALEXCTF{dv5d4s2vj8nk43s8d8l6m1ds9v41n52nv37j481h3d28n4b6v3k}