Midnight Sun CTF 2020 Qual - pysonIVY

Information

Points: 253

Solves: 15

Description:

It seems our powerplant has been hit by a really sophisticated APT attack. The only thing we could find on the control server was this file. Please can you figure it out? It looks like the reactor is going critical anytime now.

Attachment: malware.pyc

Hints:

1.  2020-04-03 20:04:56 UTC the username is a valid Unix username starting with p

2. 2020-04-03 21:51:23 UTC Username is a valid Unix username that matches [a-z_][a-z0-9_-]* and starts with pl

Write up

One compiled python provided. So let's decompile this with uncompyle6;

# Decompiled malware.pyc import marshal, types, base64, hashlib, os PAYLOAD = 'rTZrDbYKPWjLavV/23Z0UdDW9D2xPo3xq/wgYkJqUsoERezJoxCGTtY0uNJcfFD6hrcQl5s8dwvujQvfAnRpPScvhXA6JEtbirUs3YTOeutX4scEOfhAlbfSsAuK1bdU9CGeO2HuYVcKncqlKKuiMWfI+KbE3aPiBks0TnXxVEr/mBGoUEcYgCMo1sne3wo1Gy+CBP5R1dHBXd7+0sDKIPNEGZOnQYTzhhorCc/DNNs3Qkf2XhFmlaQ2lWPgvSZA68b1jvrIR0Z05hdMbJGgICfJGy136J82m8O/GneW5XRDzxcUUBklR1jPjZyPjhxvKw/ML1822h67APWXsUCP67Iy2ku025rwWJe2bX/mzAChUq+euK1Ji8UagQiZ3PAC1CsR0V71jc6CPMI6IRSNHnCqiRJZHuL9CH+j+rNJbBc2X1TPdntBf3tlgQg9MMJJ4TgLazfA8eq0ZTQ9UK/o52kfY2uh7HK1N+xIZWeIAKXY6Msidg/NUFjhRThIR6DqV3G33IFTmLahxIirBta91UjOZcIpu3UpL2Fa60pLwX6rlQIA13nKxx/dOkvfJUfvsUOK5TcwzzxpcVgfemC/KxNZ4hajFnttIDXS0yo2DZxvt5uTxY258mY6xTHMohkEJ77y8HhBlMw/bXJKWt+315mdiakjQn/gLyH13Mf2XGmTD92brPpF8H2oaGsQzj7l6jkyo24dMslPHJ/vpr9heKTAYyvgqPaGlJCTyPHe41diumg1nSB81t5kMw4lJ1gOD3XJOWeuN76bNP0vh/7g5IEZ7ugGHl3zq/7Rua5rKvDIvHxudiolnLxlz3Zv7/pqztZY9t0vpsYj/fYuLtLrRJFcYZY/BxG7DR0Y5EI4MfpUb+M53/g/ziCjpYFNchq2qVTfw3uP3AUyBv4Eoh+91tOSJMLhl1lPgBP/vnBhP2kBq6Ca1JHeZZVyEyWEXHcoSm2K7NV2EFekWuT5k81oX6QljarnX5uZuZiq0WOhyaFKGeLHNc9SPWSWkRmO2esQO1Rt9bglE7ogg70rBT588GQttG58A3c+zhthFMuoN04S1SK+99tg2mzYX4DxgMHGsyt3ScZlMisOpEkrnmrV0G8WKZzt/DSs6/sau89YJKCySDGp6aObpnC+11d234pcx1MhA9GMQ9yXReYSylTmwcJkYdFoPL2YfHnw2fzP45SnhWmQORqR+ZfPBheHwTTRdUkCwOnMlJEbrEPu9OId' def rc4(data, key): res = [] S = [] for i in range(256): S.append(i) j = 0 for i in range(256): j = (j + S[i] + key[(i % len(key))]) % 256 S[j], S[i] = S[i], S[j] i = 0 j = 0 for b in data: i = (i + 1) % 256 j = (j + S[i]) % 256 S[j], S[i] = S[i], S[j] K = S[((S[i] + S[j]) % 256)] res.append(K ^ b) return bytes(res) if __name__ == '__main__': x = hashlib.sha256(bytes((66 ^ i ^ x for i, x in enumerate(os.getlogin().encode('ascii')[:6])))).hexdigest().encode('ascii') payload_dec = rc4(base64.b64decode(PAYLOAD), x) try: payload_code = marshal.loads(payload_dec) payload_func = types.FunctionType(payload_code, globals(), 'payload') payload_func() except: pass

It makes RC4 key(=x) with sha256 and some XOR thing from os.getlogin().

Key is made from first 6 letters from unix username. Since we know the first two letter(pl). We can bruteforce unknown part(4 letters)

It seems look like standard RC4 algorithm. So, we tried the all cases that os.getlogin() can produce.

 

But all of them was invalid! Why!

 

After confirm the correctness of brute force code, we think the decompiled code is wrong.

So, let's lookup them with python bytecode.

# Disassemble the python bytecode from pyc import dis, marshal, sys header_sizes = [ (8, (0, 9, 2)), (12, (3, 6)), (16, (3, 7)), ] header_size = next(s for s, v in reversed(header_sizes) if sys.version_info >= v) with open("malware.pyc", "rb") as f: metadata = f.read(header_size) code = marshal.load(f) dis.dis(code)

Most of the bytecodes are look fine. But there is a trap in RC4 code.

23 >> 116 LOAD_CONST 2 (0) 118 STORE_FAST 6 (i = 0 j)

This bytecode means store 0 to variable 'i = 0\n    j'

But when we decompile this bytecode, will shows

    i = 0     j = 0

It's not same as assigning 0 to i and j!!

Author : Trolled!!

After change the code of RC4, we bruteforce the username. Finally, we got 'plc-42' and proper decrypted payload.

Let's disassemble it.

# disamble the decoded payload import marshal, types, base64, hashlib, os, dis PAYLOAD = 'rTZrDbYKPWjLavV/23Z0UdDW9D2xPo3xq/wgYkJqUsoERezJoxCGTtY0uNJcfFD6hrcQl5s8dwvujQvfAnRpPScvhXA6JEtbirUs3YTOeutX4scEOfhAlbfSsAuK1bdU9CGeO2HuYVcKncqlKKuiMWfI+KbE3aPiBks0TnXxVEr/mBGoUEcYgCMo1sne3wo1Gy+CBP5R1dHBXd7+0sDKIPNEGZOnQYTzhhorCc/DNNs3Qkf2XhFmlaQ2lWPgvSZA68b1jvrIR0Z05hdMbJGgICfJGy136J82m8O/GneW5XRDzxcUUBklR1jPjZyPjhxvKw/ML1822h67APWXsUCP67Iy2ku025rwWJe2bX/mzAChUq+euK1Ji8UagQiZ3PAC1CsR0V71jc6CPMI6IRSNHnCqiRJZHuL9CH+j+rNJbBc2X1TPdntBf3tlgQg9MMJJ4TgLazfA8eq0ZTQ9UK/o52kfY2uh7HK1N+xIZWeIAKXY6Msidg/NUFjhRThIR6DqV3G33IFTmLahxIirBta91UjOZcIpu3UpL2Fa60pLwX6rlQIA13nKxx/dOkvfJUfvsUOK5TcwzzxpcVgfemC/KxNZ4hajFnttIDXS0yo2DZxvt5uTxY258mY6xTHMohkEJ77y8HhBlMw/bXJKWt+315mdiakjQn/gLyH13Mf2XGmTD92brPpF8H2oaGsQzj7l6jkyo24dMslPHJ/vpr9heKTAYyvgqPaGlJCTyPHe41diumg1nSB81t5kMw4lJ1gOD3XJOWeuN76bNP0vh/7g5IEZ7ugGHl3zq/7Rua5rKvDIvHxudiolnLxlz3Zv7/pqztZY9t0vpsYj/fYuLtLrRJFcYZY/BxG7DR0Y5EI4MfpUb+M53/g/ziCjpYFNchq2qVTfw3uP3AUyBv4Eoh+91tOSJMLhl1lPgBP/vnBhP2kBq6Ca1JHeZZVyEyWEXHcoSm2K7NV2EFekWuT5k81oX6QljarnX5uZuZiq0WOhyaFKGeLHNc9SPWSWkRmO2esQO1Rt9bglE7ogg70rBT588GQttG58A3c+zhthFMuoN04S1SK+99tg2mzYX4DxgMHGsyt3ScZlMisOpEkrnmrV0G8WKZzt/DSs6/sau89YJKCySDGp6aObpnC+11d234pcx1MhA9GMQ9yXReYSylTmwcJkYdFoPL2YfHnw2fzP45SnhWmQORqR+ZfPBheHwTTRdUkCwOnMlJEbrEPu9OId' def rc4(data, key): res = [] S = [] for i in range(256): S.append(i) j = 0 for i in range(256): j = (j + S[i] + key[(i % len(key))]) % 256 S[j], S[i] = S[i], S[j] # i = 0 # j = 0 fuck this for b in data: i = (i + 1) % 256 j = (j + S[i]) % 256 S[j], S[i] = S[i], S[j] K = S[((S[i] + S[j]) % 256)] res.append(K ^ b) return bytes(res) if __name__ == '__main__': x = hashlib.sha256(bytes((66 ^ i ^ x for i, x in enumerate("plc_42".encode('ascii')[:6])))).hexdigest().encode('ascii') payload_dec = rc4(base64.b64decode(PAYLOAD), x) payload_code = marshal.loads(payload_dec) payload_func = types.FunctionType(payload_code, globals(), 'payload') dis.dis(payload_code)

Result : 

9 0 LOAD_GLOBAL 0 (print) 2 LOAD_CONST 1 ('TODO: Implement interface with PLC') 4 CALL_FUNCTION 1 6 POP_TOP 10 8 LOAD_GLOBAL 0 (print) 10 LOAD_CONST 2 ('TODO: Implement CnC communications') 12 CALL_FUNCTION 1 14 POP_TOP 11 16 LOAD_GLOBAL 0 (print) 18 LOAD_CONST 3 ('TODO: Implement misattribution bait') 20 CALL_FUNCTION 1 22 POP_TOP 12 24 LOAD_GLOBAL 0 (print) 26 LOAD_CONST 4 ('TODO: Implement payload to destroy PLC') 28 CALL_FUNCTION 1 30 POP_TOP 14 32 LOAD_GLOBAL 0 (print) 34 LOAD_CONST 5 ('Alert! Your power plant has been hacked and will self-destruct within 2 hours') 36 CALL_FUNCTION 1 38 POP_TOP 15 40 LOAD_GLOBAL 0 (print) 42 LOAD_CONST 6 ('To cancel the self-destruct sequence, please input the override code') 44 CALL_FUNCTION 1 46 POP_TOP 16 48 LOAD_GLOBAL 1 (input) 50 LOAD_CONST 7 ('Override code: ') 52 CALL_FUNCTION 1 54 LOAD_METHOD 2 (strip) 56 CALL_METHOD 0 58 STORE_FAST 0 (code) 17 60 LOAD_GLOBAL 3 (base64) 62 LOAD_METHOD 4 (b64encode) 64 LOAD_GLOBAL 5 (bytes) 66 LOAD_CONST 8 (<code object <genexpr> at 0x10e248c90, file "build.py", line 17>) 68 LOAD_CONST 9 ('payload.<locals>.<genexpr>') 70 MAKE_FUNCTION 0 72 LOAD_FAST 0 (code) 74 LOAD_METHOD 6 (encode) 76 LOAD_CONST 10 ('ascii') 78 CALL_METHOD 1 80 GET_ITER 82 CALL_FUNCTION 1 84 CALL_FUNCTION 1 86 CALL_METHOD 1 88 LOAD_METHOD 7 (decode) 90 LOAD_CONST 10 ('ascii') 92 CALL_METHOD 1 94 STORE_FAST 0 (code) 18 96 LOAD_FAST 0 (code) 98 LOAD_CONST 11 ('LysmLCslKjY5Oy03HS9zJSp1HTUjLDYdNnIdISpxISkdJiM2HSZxIS0vMisuIzYrciw/') 100 COMPARE_OP 2 (==) 102 POP_JUMP_IF_FALSE 114 19 104 LOAD_GLOBAL 0 (print) 106 LOAD_CONST 12 ('TODO: Implement override function... sorry.') 108 CALL_FUNCTION 1 110 POP_TOP 112 JUMP_FORWARD 8 (to 122) 21 >> 114 LOAD_GLOBAL 0 (print) 116 LOAD_CONST 13 ('Invalid code. Override function disabled. Reactor meltdown imminent.') 118 CALL_FUNCTION 1 120 POP_TOP >> 122 LOAD_CONST 0 (None) 124 RETURN_VALUE Disassembly of <code object <genexpr> at 0x10e248c90, file "build.py", line 17>: 17 0 LOAD_FAST 0 (.0) >> 2 FOR_ITER 14 (to 18) 4 STORE_FAST 1 (x) 6 LOAD_FAST 1 (x) 8 LOAD_CONST 0 (66) 10 BINARY_XOR 12 YIELD_VALUE 14 POP_TOP 16 JUMP_ABSOLUTE 2 >> 18 LOAD_CONST 1 (None) 20 RETURN_VALUE

In short, this code get string, xor 66 to all character, do base64 encode and compare if it is same with

"LysmLCslKjY5Oy03HS9zJSp1HTUjLDYdNnIdISpxISkdJiM2HSZxIS0vMisuIzYrciw/"

 

from base64 import b64decode pc = "LysmLCslKjY5Oy03HS9zJSp1HTUjLDYdNnIdISpxISkdJiM2HSZxIS0vMisuIzYrciw/" pc = bytes(map(lambda x: x^66, b64decode(pc))) print(pc)

And got the flag!

midnight{you_m1gh7_want_t0_ch3ck_dat_d3compilati0n}

Thanks to aventador for make us thinking outside the box. I was 100% sure that decompiled code is correct. But the truth is..

 

I love this picture(From Balsn CTF 2019)