Link: https://wargame.whitehat.vn/Challenges/DetailContest/143
Points: 100
Category: RE
Description
http://material.wargame.whitehat.vn/contests/11/digital_fortrees.exe
flag = SHA1(FirstRoom:SecondRoom:ThridRoom)
tl;dr
Simple python program packed with py2exe. After recovering python code back from it, turns out all you need to do is factorize 28-digit number made of 3 primes.
Solution
The task authors provided us with an .exe file. After running it in a Windows VM we see the following output:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
/\ /`:\ /`'`:\ /`'`'`:\ /`'`'`'`:\ /`'`'`'`'`:\ |`'`'`'`:| _ _ _ _ _ |] ,-. :|_ _ _ _ ||| || || || | | |_| ||| || || || | |`' `' `' `'.| | _'=' |`' `' `' `'.| : .:; |'-' : .:; \-..____..:/ _ _ _ _ _ _| _ _'-\-..____..:/ :--------:_,' || || || || || || || `.::--------: |] .:|:. `' `'_`' `' `' `' `' | '-' .:| | ,-. .[|:._ '-' ____ ___ | ,-.'-| | | | .:|'--'_ ,'____`. '---' | | |.:| | |_| .:|:.'--' ()/,| |`|`.\() __ | |_|.:| | '=' .:|:. |::_|_|_|\|:: '--' | _'='.:| | __ .:|:. ;||-,-,-,-,|; | '--' .:| |'--' .:|:. _ ; || |:| | .:| | .:|:.'-': || |;| _ |] _:| | '-|:. ; || :|| '-' | '--| | _ .:|]. ; || ;||] | _ .:| | '-' .:|:. : [|| ;||| | '-' .:| ,', ;._____.::-- ;----;<'-,--,:-'>'--------;._____.::.`. (( ( )_;___,' ,' , ; //________( ) )) `. _`--------' : -,' ' , ' '; //- _ `--------' ,' __ .--' ;,' ,' , ': // -.._ __ _.- - `- -- _ ;',' ,' ,' ,;/_ -. --- _, _,. /-:,_,_,_,_,_,_(/:-\ , ,. _ -' `-'--'-'-'-'-'-'-'-''--'-' `-'`' `'`' `- Welcome to DIGITAL FORTRESS Be careful with your choice: 1: Draw infinity map 2: Go through all room on your map What's your choice: |
It looks like the input is correctly validated, I couldn’t get anything interesting by typing in random stuff. However, once we choose one of the options the application crashes with a very interesting stack trace:
|
1 2 3 4 5 6 7 8 9 10 11 |
What's your choice: 1 Traceback (most recent call last): File "digital_fortrees.py", line 25, in <module> File "digital_fortrees.py", line 20, in main File "urllib2.pyc", line 126, in urlopen File "urllib2.pyc", line 391, in open File "urllib2.pyc", line 409, in _open File "urllib2.pyc", line 369, in _call_chain File "urllib2.pyc", line 1173, in http_open File "urllib2.pyc", line 1148, in do_open urllib2.URLError: <urlopen error [Errno 11001] getaddrinfo failed> |
Huh, so it’s python? That makes the whole problem so much easier. All I needed to do was run unpy2exe to extract digital_fortrees.py.pyc out of it. Now we can run uncompyle2 to get back the python code. Turns out all it does is print the ascii art and ask for user’s choice. Once it gets a valid choice it downloads and executes an appropriate python script. The references for follow up scripts are clearly visible in source code, so I just downloaded the 2 follow up scripts.
drawmap.py runs in endless loop, finds prime numbers and for each number creates a directory named with the number. Doesn’t sound particularly useful. Let’s check out letgo.py.|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
import os def gothrough(): key = 1 roomtogo = [r for r in os.listdir(os.curdir)if os.path.isdir(r)] for room in roomtogo: key *= int(room) os.system("start cmd /k echo Room number " + room + ": get key part") if (key == <28-digit number hardcoded here>): os.system("start cmd /k echo Congrats! Where did you get these key parts?") else: os.system("start cmd /k echo Nothing here! wrong key parts") gothrough() |
Ok, this is pretty simple. All we need to do is factorize the number in line 9. I’m lazy, so I just used Wolfram Alpha to do this. As expected the number factorizes into 3 primes, that make up the flag.
Leave a Reply
You must be logged in to post a comment.