Hack.lu CTF 2013 | Reversing 900 : FluxArchiv [Write Up]

FluxArchiv was a nice reversing challenge in two parts. The first part involved reversing and brute-forcing, and the second was more like stegano 🙂 We were given archiv, a 64-bit home-made password-protected file archiver that lets you create an archive, add files, delete them, list them and extract them, plus a second file, FluxArchiv.arc, an archive created with that ELF using an unknown password.

Part 1

The challenge description says that the FluxArchiv.arc password is 6 characters long, taken from [A-Z0-9]. That obviously means brute force, but we can do better than running « ./archiv -l FluxArchiv.arc <pass> » for each candidate and checking the binary's response (36^6 = 2,176,782,336 process launches). So let's disassemble the whole thing in IDA 🙂

Let’s see what happens when we add a file:

[image: flux1]

The function checkHashOfPassword simply computes the SHA-1 of the given password.

Then the header « FluXArChiV13 » is written, and the code enters a loop of 0x14 = 20 iterations (the length of a SHA-1 digest), with:

[image: flux2]

So the SHA-1 of our password is copied somewhere else in memory, but with its bytes permuted. The permuted SHA-1 is then hashed again, and that second digest is written right after the « FluXArChiV13 » header in the file.

[image: flux3]

We used gdb, placed a breakpoint at 0x40306F (movzx edx, ds:hash_of_password[rax]) and printed the 20 successive values of rax to recover the permutation. Here is the result:

$1 = 0
$2 = 7
$3 = 14
$4 = 1
$5 = 8
$6 = 15
$7 = 2
$8 = 9
$9 = 16
$10 = 3
$11 = 10
$12 = 17
$13 = 4
$14 = 11
$15 = 18
$16 = 5
$17 = 12
$18 = 19
$19 = 6
$20 = 13

(Each value is 7·i mod 20, so the permutation is simply a stride-7 walk over the 20 digest bytes.) Here are the first bytes of FluxArchiv.arc:

[image: flux4]

The stored SHA-1 starts at 0x0c, right after the 12-byte header: 372942df2712824505d8171f4f0bcb14153d39ba. Now we just have to brute-force sha1(permutation(sha1(pass))) == 372942df2712824505d8171f4f0bcb14153d39ba 😀

import hashlib
import itertools

TARGET = '372942df2712824505d8171f4f0bcb14153d39ba'   # digest read at offset 0x0c
# Byte order recovered with gdb: output byte i is input byte PERM[i]
PERM = (0, 7, 14, 1, 8, 15, 2, 9, 16, 3, 10, 17, 4, 11, 18, 5, 12, 19, 6, 13)

def archiv_hash(password):
    h = hashlib.sha1(password.encode()).digest()
    o = bytes(h[p] for p in PERM)           # permute the 20 digest bytes...
    return hashlib.sha1(o).hexdigest()      # ...and hash them again

ch = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
for candidate in itertools.product(ch, repeat=6):
    pw = ''.join(candidate)
    if archiv_hash(pw) == TARGET:
        print(pw)
        break

And after roughly an hour of brute-force, the answer finally appeared: PWF41L! This is the password of the archive, and also the flag for the first part, worth 400 points 🙂
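Here is a more complete version of the same attack, added as an example and not part of the original write-up: it parses the header (magic check, digest at 0x0c), writes the gdb-recovered permutation as the formula 7·i mod 20 instead of a literal table, and splits the keyspace across processes on the first character so the hour becomes a few minutes on a multi-core box. The function and file names are my own; the header layout and hashing scheme are the ones described above, and make_header only builds constructed test data.

```python
"""Added example (not the write-up's code): parse the FluxArchiv header, express the
permutation recovered with gdb as a formula, and brute-force the password in parallel."""
import hashlib
import itertools
from multiprocessing import Pool
from typing import Optional

MAGIC = b'FluXArChiV13'                  # 12-byte header; the digest sits at offset 0x0c
ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# The gdb trace 0,7,14,1,8,15,... is exactly 7*i mod 20: a stride-7 walk over the 20
# digest bytes (7 is coprime to 20, so it is a bijection; its inverse is 3*i mod 20).
PERM = tuple((7 * i) % 20 for i in range(20))


def archive_hash(password: str) -> bytes:
    """sha1(permute(sha1(password))), as stored in the archive header."""
    inner = hashlib.sha1(password.encode()).digest()
    permuted = bytes(inner[p] for p in PERM)
    return hashlib.sha1(permuted).digest()


def parse_header(data: bytes) -> bytes:
    """Return the 20-byte stored digest, refusing files without the magic."""
    if data[:12] != MAGIC:
        raise ValueError('not a FluxArchiv file')
    if len(data) < 32:
        raise ValueError('truncated header')
    return data[12:32]


def make_header(password: str) -> bytes:
    """Constructed header for testing (assumed layout: magic + digest, nothing else)."""
    return MAGIC + archive_hash(password)


def _search(job):
    """One keyspace slice: every password starting with a given character."""
    first, target, alphabet, length = job
    for rest in itertools.product(alphabet, repeat=length - 1):
        candidate = first + ''.join(rest)
        if archive_hash(candidate) == target:
            return candidate
    return None


def crack(target: bytes, alphabet: str = ALPHABET, length: int = 6,
          workers: Optional[int] = None) -> Optional[str]:
    """Split the keyspace on the first character; one job per slice."""
    jobs = [(c, target, alphabet, length) for c in alphabet]
    if workers == 1:                      # sequential path, no process pool
        for job in jobs:
            found = _search(job)
            if found is not None:
                return found
        return None
    with Pool(workers) as pool:
        for found in pool.imap_unordered(_search, jobs):
            if found is not None:
                return found              # leaving the with-block terminates the pool
    return None


if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as f:    # e.g. FluxArchiv.arc
        target = parse_header(f.read(32))
    print(crack(target))
```

Run it as `python crack.py FluxArchiv.arc`. A quick sanity check before burning CPU time is to confirm that archive_hash('PWF41L').hex() matches the digest read from the header above; if a direction of the permutation had been misread, the fix is the inverse stride 3·i mod 20 rather than a new gdb session.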

 

Part 2

The second part of the challenge was to find hidden data in the archive (the files inside it were useless). Steganography in a home-made file format, what an idea 😀

Analyzing the ELF, we saw a lot of RC4-encrypted data, keyed with the SHA-1 of the password. The hidden data couldn't be anywhere else, so we decided to brute-force (again...) the offsets at which RC4-encrypted data might start in the file, decrypting at each offset and looking for ASCII text.

<?php
# mcrypt complains that an empty IV is "not recommended" for a stream cipher; silence it.
# (mcrypt was removed in PHP 7.2; this ran on an older interpreter.)
error_reporting(0);
$file = file_get_contents('FluxArchiv.arc');
$key  = sha1('PWF41L', true);   # RC4 key = raw SHA-1 of the archive password
for ($i = 0; $i < strlen($file); $i++) {
    # Probe: decrypt only the first 10 bytes at this offset
    $tmp = mcrypt_decrypt(MCRYPT_ARCFOUR, $key, substr($file, $i, 10), 'stream');
    $ascii = true;
    # Looking for readable ASCII (the first ten decrypted bytes; 127 is DEL, not text)
    foreach (str_split($tmp) as $byte) {
        if (ord($byte) < 32 || ord($byte) > 126) { $ascii = false; break; }
    }
    # If it looks like text we decrypt the whole thing (1000 bytes seems enough)
    if ($ascii)
        print mcrypt_decrypt(MCRYPT_ARCFOUR, $key, substr($file, $i, 1000), 'stream') . "<br>";
}

Among all the junk, we finally found this:

[image: flux5]

Flag: D3letinG-1nd3x_F4iL

(The decrypted texts, including the flag, were in fact old files of the archive that had been deleted: because of a bug in the program, deleting a file only removed its index entry, not its content :))
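The offset scan again, as an added example in Python rather than the write-up's own PHP. The point it makes explicit: the archiver restarts RC4 with the same key for every record, so every record is XORed with the same keystream starting at byte 0 (a many-time pad). "Decrypt at offset i" is therefore just data[i:i+10] XOR keystream[:10], and a single keystream computed once serves every offset, which is why the scan is cheap. The key derivation (raw SHA-1 of the password) is the one the write-up describes; the RC4 implementation, helper names and the sample archive built by build_sample are mine and the sample data is constructed, not taken from FluxArchiv.arc.

```python
"""Added example: RC4 offset scan for leftover FluxArchiv records; not the write-up's code."""
import hashlib
from typing import List, Tuple

# Assumption (from the write-up): the RC4 key is the raw SHA-1 of the archive password.
KEY = hashlib.sha1(b'PWF41L').digest()
# Constructed "deleted file" body for the demo; not data from the real archive.
SAMPLE_MESSAGE = b'Deleted file body: the index entry is gone, the bytes are not.'


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns the first n keystream bytes for key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is XOR with the keystream, so this both encrypts and decrypts."""
    return bytes(c ^ k for c, k in zip(data, rc4_keystream(key, len(data))))


def is_text_byte(b: int) -> bool:
    """Printable ASCII plus tab/CR/LF (text files contain newlines)."""
    return 32 <= b <= 126 or b in (9, 10, 13)


def readable_prefix(chunk: bytes) -> bytes:
    """Longest leading run of text bytes: the record up to where junk begins."""
    n = 0
    while n < len(chunk) and is_text_byte(chunk[n]):
        n += 1
    return chunk[:n]


def scan_for_rc4_text(data: bytes, key: bytes, probe: int = 10,
                      limit: int = 1000) -> List[Tuple[int, bytes]]:
    """Try every offset as the start of an RC4 record.

    Every record was encrypted from keystream byte 0 with the same key, so one
    keystream of `limit` bytes is computed once and slid over the file.
    """
    ks = rc4_keystream(key, limit)
    hits = []
    for off in range(len(data) - probe + 1):
        if all(is_text_byte(c ^ k) for c, k in zip(data[off:off + probe], ks)):
            chunk = bytes(c ^ k for c, k in zip(data[off:off + limit], ks))
            hits.append((off, readable_prefix(chunk)))
    return hits


def build_sample(key: bytes, message: bytes, pad: int = 40) -> Tuple[bytes, int]:
    """Constructed test archive: junk, one RC4 record, junk. Returns (bytes, record offset).

    The junk byte equals keystream byte 0, so at every junk offset the first
    "decrypted" byte is NUL and the probe fails: no false hits outside the record.
    """
    junk = bytes([rc4_keystream(key, 1)[0]]) * pad
    return junk + rc4_crypt(key, message) + junk, pad


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:      # e.g. FluxArchiv.arc
            data = f.read()
    else:
        data, _ = build_sample(KEY, SAMPLE_MESSAGE)
    for off, text in scan_for_rc4_text(data, KEY):
        print(f'{off:#08x}: {text!r}')
```

On the real archive this prints one line per offset whose first ten decrypted bytes look like text, which includes a few false positives inside records (an offset a few bytes into a record also decrypts "randomly", and random bytes are all printable about 0.005% of the time); the flag record shows up as a clean readable run. The keystream reuse is also why the author's approach works at all: a stream cipher with a fixed key and no nonce offers no protection between records, and XORing two ciphertexts would expose the XOR of the two plaintexts even without the key.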

Enjoy.
