Midnight Sun CTF 2020 Qual - pysonIVY
Information
Points: 253
Solves: 15
Description:
It seems our powerplant has been hit by a really sophisticated APT attack. The only thing we could find on the control server was this file. Please can you figure it out? It looks like the reactor is going critical anytime now.
Attachment: malware.pyc
Hints:
1. 2020-04-03 20:04:56 UTC the username is a valid Unix username starting with p
2. 2020-04-03 21:51:23 UTC Username is a valid Unix username that matches [a-z_][a-z0-9_-]* and starts with pl
Write up
One compiled Python file is provided, so let's decompile it with uncompyle6:
The script derives an RC4 key (x) from os.getlogin() using sha256 and some XOR operations.
The key is built from the first 6 characters of the Unix username. Since the hint gives us the first two (pl), we can brute-force the unknown part (4 characters).
The cipher looks like standard RC4, so we tried every username that os.getlogin() could produce.
But all of them were invalid! Why?
After confirming that the brute-force code was correct, we suspected that the decompiled code was wrong.
So let's look at the Python bytecode itself.
Most of the bytecode looks fine, but there is a trap in the RC4 code.
This bytecode stores 0 into a single local variable whose name is the string 'i = 0\n j' (newline included).
But when we decompile this bytecode, the decompiler shows:
That is not the same as assigning 0 to i and j!
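To make the trap concrete, here is an added example (not the challenge's malware.pyc and not the author's brute-force script) that plants the same kind of deceptive local name in a hypothetical `carrier` function, then scans a constructed, zero-header .pyc for names that cannot be valid identifiers; `carrier`, `plant_decoy_name`, `find_suspicious_names` and the 16-byte header assumption are all mine.

```python
import marshal
import types

def carrier():
    # Hypothetical stand-in for the malware's RC4 setup; local 'k' gets renamed.
    k = 0
    i = 1
    j = 2
    return i + j + k

def plant_decoy_name(func, old, new):
    """Copy `func` with local `old` renamed to `new` (constructed trap).
    STORE_FAST addresses locals by slot, so behaviour is unchanged, but a
    decompiler prints the slot *name* verbatim: 'i = 0\\n    j' makes one
    store of 0 render as 'i = 0' and 'j = 0' while i and j are never written."""
    code = func.__code__
    names = tuple(new if n == old else n for n in code.co_varnames)
    return types.FunctionType(code.replace(co_varnames=names), func.__globals__)

def find_suspicious_names(code):
    """Return every local/global/attribute name in `code` (and nested code
    objects) that is not a valid identifier: such names cannot come from
    normal source, so they flag a .pyc edited to mislead a decompiler."""
    bad = [n for n in code.co_varnames + code.co_names if not n.isidentifier()]
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            bad.extend(find_suspicious_names(const))
    return bad

def scan_pyc_bytes(data, header_len=16):
    """Scan raw .pyc bytes. Assumes the 16-byte CPython 3.7+ header
    (magic, flags, mtime/hash, size); older interpreters used 8 or 12."""
    return find_suspicious_names(marshal.loads(data[header_len:]))

DECOY_NAME = "i = 0\n    j"
trapped = plant_decoy_name(carrier, "k", DECOY_NAME)

def demo():
    """Serialise the trapped function as a fake .pyc with a zeroed header
    (constructed for this example) and scan it."""
    fake_pyc = b"\x00" * 16 + marshal.dumps(trapped.__code__)
    return scan_pyc_bytes(fake_pyc)

if __name__ == "__main__":
    import dis
    dis.dis(trapped)  # the STORE_FAST line shows the name 'i = 0\n    j'
    print(demo())     # ['i = 0\n    j']
```

Running `dis.dis(trapped)` shows the store to a slot whose name spans two lines, which is exactly what a decompiler turns into two innocent-looking assignments.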
After fixing the RC4 code, we brute-forced the username again and finally got 'plc-42' and a properly decrypted payload.
Let's disassemble it.
Result:
In short, this code takes a string, XORs every character with 66, base64-encodes the result and compares it with
"LysmLCslKjY5Oy03HS9zJSp1HTUjLDYdNnIdISpxISkdJiM2HSZxIS0vMisuIzYrciw/"
And we got the flag!
midnight{you_m1gh7_want_t0_ch3ck_dat_d3compilati0n}
Thanks to aventador for making us think outside the box. I was 100% sure that the decompiled code was correct. But the truth is...