{"id":13051,"date":"2016-06-28T11:33:13","date_gmt":"2016-06-28T09:33:13","guid":{"rendered":"http:\/\/www.codilime.com\/?p=13051"},"modified":"2016-12-02T16:50:05","modified_gmt":"2016-12-02T15:50:05","slug":"whitehat11-re3","status":"publish","type":"post","link":"https:\/\/codisec.com\/whitehat11-re3\/","title":{"rendered":"Whitehat11 RE3"},"content":{"rendered":"

Link: https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/143<\/a>
\nPoints: 100
\nCategory:\u00a0RE<\/p>\n

Description<\/h2>\n

http:\/\/material.wargame.whitehat.vn\/contests\/11\/digital_fortrees.exe
\nflag = SHA1(FirstRoom:SecondRoom:ThridRoom)<\/p><\/blockquote>\n

tl;dr<\/h2>\n

Simple python program packed with py2exe. After recovering python code back from it, turns out all you need to do is factorize 28-digit number made of 3 primes.<\/p>\n

Solution<\/h2>\n

The task authors provided us with an .exe file. After running it in a Windows VM we see the following output:<\/p>\n

                                       \/\\\r\n                                      \/`:\\\r\n                                     \/`'`:\\\r\n                                    \/`'`'`:\\\r\n                                   \/`'`'`'`:\\\r\n                                  \/`'`'`'`'`:\\\r\n                                   |`'`'`'`:|\r\n     _ _  _  _  _                  |] ,-.  :|_  _  _  _\r\n    ||| || || || |                 |  |_| ||| || || || |\r\n    |`' `' `' `'.|                 | _'=' |`' `' `' `'.|\r\n    :          .:;                 |'-'   :          .:;\r\n     \\-..____..:\/  _  _  _  _  _  _| _  _'-\\-..____..:\/\r\n      :--------:_,' || || || || || || || `.::--------:\r\n      |]     .:|:.  `' `'_`' `' `' `' `'    | '-'  .:|\r\n      |  ,-. .[|:._     '-' ____     ___    |   ,-.'-|\r\n      |  | | .:|'--'_     ,'____`.  '---'   |   | |.:|\r\n      |  |_| .:|:.'--' ()\/,| |`|`.\\()   __  |   |_|.:|\r\n      |  '=' .:|:.     |::_|_|_|\\|::   '--' |  _'='.:|\r\n      | __   .:|:.     ;||-,-,-,-,|;        | '--' .:|\r\n      |'--'  .:|:. _  ; ||       |:|        |      .:|\r\n      |      .:|:.'-':  ||       |;|     _  |]     _:|\r\n      |      '-|:.   ;  ||       :||    '-' |     '--|\r\n      |  _   .:|].  ;   ||       ;||]       |   _  .:|\r\n      | '-'  .:|:. :   [||      ;|||        |  '-' .:|\r\n  ,', ;._____.::-- ;----;<'-,--,:-'>'--------;._____.::.`.\r\n ((  (          )_;___,' ,' ,  ; \/\/________(          ) ))\r\n  `. _`--------' : -,' ' , ' '; \/\/-       _ `--------' ,'\r\n       __  .--'  ;,' ,'  ,  ': \/\/    -.._    __  _.-  -\r\n   `-   --    _ ;',' ,'  ,' ,;\/_  -.       ---    _,\r\n       _,.   \/-:,_,_,_,_,_,_(\/:-\\   ,     ,.    _\r\n     -'   `-'--'-'-'-'-'-'-'-''--'-' `-'`'  `'`' `-\r\n \r\nWelcome to DIGITAL FORTRESS\r\nBe careful with your choice:\r\n1: Draw infinity map\r\n2: Go through all room on your map\r\nWhat's your choice:<\/pre>\n
It looks like the input is correctly validated, I couldn’t get anything interesting by typing in random stuff. However, once we choose one of the options the application crashes with a very interesting stack trace:<\/p>\n
What's your choice: 1\r\nTraceback (most recent call last):\r\n  File \"digital_fortrees.py\", line 25, in <module>\r\n  File \"digital_fortrees.py\", line 20, in main\r\n  File \"urllib2.pyc\", line 126, in urlopen\r\n  File \"urllib2.pyc\", line 391, in open\r\n  File \"urllib2.pyc\", line 409, in _open\r\n  File \"urllib2.pyc\", line 369, in _call_chain\r\n  File \"urllib2.pyc\", line 1173, in http_open\r\n  File \"urllib2.pyc\", line 1148, in do_open\r\nurllib2.URLError: <urlopen error [Errno 11001] getaddrinfo failed><\/pre>\n
Huh, so it’s python? That makes the whole problem so much easier. All I needed to do was run\u00a0unpy2exe<\/a>\u00a0to extract\u00a0digital_fortrees.py.pyc out of it. Now we\u00a0can run\u00a0uncompyle2<\/a>\u00a0to get back the python code. Turns out all it does is print the ascii art and ask for user’s choice. Once it gets a valid choice it downloads and executes an appropriate python script. The references for follow up scripts are clearly visible in source code, so I just downloaded the 2 follow up scripts.<\/p>\n
drawmap.py<\/code> runs in endless loop, finds prime numbers and for each number creates a directory named with the number. Doesn’t sound particularly useful. Let’s check out letgo.py<\/code>.<\/p>\n
import os                                                                       \r\n                                                                                \r\ndef gothrough():                                                                \r\n    key = 1                                                                     \r\n    roomtogo = [r for r in os.listdir(os.curdir)if os.path.isdir(r)]            \r\n    for room in roomtogo:                                                       \r\n        key *= int(room)                                                        \r\n        os.system(\"start cmd \/k echo Room number \" + room + \": get key part\")   \r\n    if (key == <28-digit number hardcoded here>):                                   \r\n        os.system(\"start cmd \/k echo Congrats! Where did you get these key parts?\")\r\n    else:                                                                       \r\n        os.system(\"start cmd \/k echo Nothing here! wrong key parts\")            \r\n                                                                                \r\ngothrough()<\/pre>\n
Ok, this is pretty simple. All we need to do is factorize the number in line 9. I’m lazy, so I just used\u00a0Wolfram Alpha<\/a>\u00a0to do this. As expected the number factorizes into 3 primes, that make up the flag.<\/p>\n","protected":false},"excerpt":{"rendered":"
Link: https:\/\/wargame.whitehat.vn\/Challenges\/DetailContest\/143 Points: 100 Category:\u00a0RE Description http:\/\/material.wargame.whitehat.vn\/contests\/11\/digital_fortrees.exe flag = SHA1(FirstRoom:SecondRoom:ThridRoom) tl;dr Simple python program packed with py2exe. After recovering python code back from it, turns out all you need to do is factorize 28-digit number made of 3 primes. Solution…<\/span> <\/p>\n
Read more ›<\/div>\n
<\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[13],"tags":[10],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n