01 Feb 2016 @ 7:53 PM 

Yet another x64 ELF, this time also obfuscated.
[Image: RE4-obf] Moar while loops!

We have the option to select one of 3 cells. Then we have to provide a path; each step is entered as a character. By following scanf() and stepping through the decompiled code, it was evident that there are 7 possible letters: “asdqwez”. When we provide the path, it is verified by a function (sub_400960()), which decides whether the program continues or not. If the path is accepted, it is fed to MD5. At the final state (‘e’), the hash is calculated and compared to these values: “6dff819e14ce1bfc112d1817e69cff1f”, “6a9e23f57e9f5590b0c168a781bf07c7”, “05aeebcadfe7f05a7e778d904d6d297e”. We can guess that each hash belongs to one of the cells.

Now the check function (sub_400960()) is small and can be decompiled pretty easily. The rest of the code can also be reconstructed by looking around the decompiled code and eliminating loops. The final code should look something like this.

#include <stdio.h>
#include <stdlib.h>

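/*
 * Each array is a stack: a[0] is the offset of the top element
 * (a[0] == a[1] means empty, a[0] == 0 means full), a[1] is the capacity
 * and the elements start at a[2].
 * Moves the top element of a1 onto a2. Returns 0 if the move is valid, 1 otherwise.
 */
int CheckFunc(unsigned int *a1, unsigned int *a2)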
{
	if (a1[0] < a1[1])
	{
		if (a2[0] == a2[1])
		{
			a2[(a2[0] - 1) + 2] = a1[a1[0] + 2];
			a1[0] = a1[0] + 1;
			a2[0] = a2[0] - 1;
			return 0;
		}
		else
		{
			if (a1[a1[0] + 2] < a2[a2[0] + 2])
			{
				a2[(a2[0] - 1) + 2] = a1[a1[0] + 2]; 
				a1[0] = a1[0] + 1;
				a2[0] = a2[0] - 1;
				return 0;
			}
			else
			{
				return 1;
			}
		}
	}
	return 1;
}
int main()
{
	unsigned int DF1[14] = { 0 }, DF2[14] = { 0 }, DF3[14] = { 0 };
	int cell = 0, count = 0, ret = 0;
	char c = 0;
	//MD5_CTX ctx;
	printf("Select your cell (1-3): ");
	if (scanf("%d", &cell) != 1)
		return 1;
	switch (cell)
	{
	case 1:
		count = 12;
		break;
	case 2:
		count = 10;
		break;
	case 3:
		count = 11;
		break;
	default:
		// any other cell would leave count unset
		return 1;
	}
	DF1[0] = count;
	DF1[1] = count;

	DF2[0] = count;
	DF2[1] = count;

	DF3[0] = count;
	DF3[1] = count;

	while (DF3[0])
	{
		DF3[(DF3[0] - 1) + 2] = DF3[0];
		DF3[0] = DF3[0] - 1;
	}
	//MD5_Init(&ctx);
	while (c != 'e')
	{
		printf("Enter your path: ");
		// the leading space skips the newline left in the input buffer
		if (scanf(" %c", &c) != 1)
			break;
		switch (c)
		{
		case 'a':
			ret = CheckFunc(DF3, DF1);			
			break;
		case 's':
			ret = CheckFunc(DF1, DF3);
			break;
		case 'd':
			ret = CheckFunc(DF3, DF2);
			break;
		case 'q':
			ret = CheckFunc(DF2, DF1);
			break;
		case 'w':
			ret = CheckFunc(DF1, DF2);
			break;
		case 'z':
			ret = CheckFunc(DF2, DF3);
			break;
		}
		
		if (ret == 1)
		{
			printf("Bad boy!");
			exit(0);
		}
		//MD5_Update(&ctx, &c, 1);
	}
	if (DF2[0] == 0 && DF1[0] == DF1[1] && DF3[0] == DF3[1])
	{
		//MD5_Final(&ctx);
		//get md5 string

		//6dff819e14ce1bfc112d1817e69cff1f
		//6a9e23f57e9f5590b0c168a781bf07c7
		//05aeebcadfe7f05a7e778d904d6d297e

		//see if string is of any of this
	}
	
	return 0;
}

Now we have 3 arrays and the program is doing some operation on them. The first thing that comes to mind is hash cracking – the key space is small (asdqwz) and we may get lucky. I ran Hashcat till 16 chars without any luck. Meanwhile I was trying to figure out what exactly the operation happening here was. From the prison and the path, it was clear that it is some kind of puzzle, but which puzzle would have 6 types of moves and these weird conditions? It didn’t make any sense. Finally I drew the arrays in a notebook to figure out if that made any sense. Suddenly it all became clear – this is Tower of Hanoi!

The cells select the number of disks (10, 11, 12 – not in order) and the 3 arrays are the poles. The check function makes sure that each move is valid.

The solution is to solve Tower of Hanoi and provide the moves in this format (asdqwz). A recursive solver was written and the final solution was provided to the challenge.
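A recursive solver of the kind described above, as an added example (not the author's solver, which the post does not show): it emits moves in the asdqwz alphabet and replays them under the rules of the reconstructed CheckFunc. The pole numbering (1 = DF1, 2 = DF2, 3 = DF3) and the names `solve` and `accepted` are assumptions of this sketch.

```python
# Added example: Tower of Hanoi solver that emits the challenge's move letters.
# Pole numbering follows the reconstructed C code: 1 = DF1, 2 = DF2, 3 = DF3.
MOVES = {(3, 1): "a", (1, 3): "s", (3, 2): "d",
         (2, 1): "q", (1, 2): "w", (2, 3): "z"}
DISKS = {1: 12, 2: 10, 3: 11}  # cell -> disk count, from the switch in main()


def hanoi(n, src, dst, aux, out):
    """Append the letters that move n disks from src to dst."""
    if n == 0:
        return
    hanoi(n - 1, src, aux, dst, out)
    out.append(MOVES[(src, dst)])
    hanoi(n - 1, aux, dst, src, out)


def solve(cell):
    """Path for a cell: all disks from pole 3 (DF3) to pole 2 (DF2), then 'e'."""
    out = []
    hanoi(DISKS[cell], 3, 2, 1, out)
    return "".join(out) + "e"


def accepted(cell, path):
    """Replay a path under the CheckFunc rules and the final-state test."""
    n = DISKS[cell]
    poles = {1: [], 2: [], 3: list(range(n, 0, -1))}  # top of pole = list end
    by_letter = {v: k for k, v in MOVES.items()}
    for ch in path:
        if ch == "e":
            break
        if ch not in by_letter:
            return False  # stricter than the C reconstruction, which ignores it
        src, dst = by_letter[ch]
        # CheckFunc: source non-empty, destination empty or holding a larger top
        if not poles[src] or (poles[dst] and poles[src][-1] > poles[dst][-1]):
            return False
        poles[dst].append(poles[src].pop())
    else:
        return False  # the path never reached the final 'e'
    return len(poles[2]) == n and not poles[1] and not poles[3]


if __name__ == "__main__":
    for cell in (1, 2, 3):
        path = solve(cell)
        print(cell, len(path), accepted(cell, path))
```

The shortest path for n disks has 2^n - 1 moves (1023 for the 10-disk cell), so no accepted path exists within the 16 characters tried with Hashcat.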

import subprocess

solution = 'adwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqazwszwadwszqazwszqadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwszqazwszqadwazqazwszwadwszqazwszwadwazqadwszwadwazqazwszqadwazqadwszwadwszqazwszwadwazqadwszwadwe'


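# Start the challenge binary, send the cell number, then the path one character per line.
# universal_newlines=True opens stdin in text mode, so the str writes also work on Python 3.
p = subprocess.Popen("./jail_break_bin", stdin=subprocess.PIPE, universal_newlines=True)
p.stdin.write(str(2) + '\n')
p.stdin.write(str(2) + '\n')
for c in solution:
	p.stdin.write(c + '\n')
p.stdin.close()
ret = p.wait()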


dan@ubuntu:~/nullc$ python jail.py
Welcome to the Mini-Prison (not secure, but hard to escape)!!
You should select a cell and find a path to escape to the flag.
You will not be disappointed!!
Select your cell (1-3):
Go on enter your path:You Found The Path.
The flag is nullcon{t00_34sy_t0_br34k_th15_pr1510n_by_d0nf05}

Posted By: Dan
Last Edit: 01 Feb 2016 @ 07:57 PM

Categories: CTF, HackIM2016


 
