CSAW CTF 2013 - Reversing 200 Writeup
Monday, September 23, 2013 | Author: Deep Flash
We are given a PE32 file which displays an encrypted flag when you run it.


After analyzing the file with a debugger, it was found that it stores the encrypted flag at 0x00409B10.


It calls the subroutine at 0x004010A6, which copies the encrypted flag from the above memory address to 0x00BB1EA0.

After returning from this subroutine, it checks for the presence of a debugger by checking the value of BeingDebugged flag at offset 0x2 in the PEB (Process Environment Block):


If it is being debugged, it jumps to the address 0x0040106E, where it displays the message box with the encrypted flag:


We need to patch the conditional jump right after the BeingDebugged check. There is also a software breakpoint (an INT 3 instruction, opcode 0xCC) placed after the conditional jump. Binary edit the file to overwrite the 0xCC with 0x90 (NOP).

Now, we reach the decryption routine of the flag. It performs an XOR decryption of the encrypted flag with a 4-byte key, 0x8899AABB.
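The XOR step can be reproduced outside the debugger. The following is an added example, not code from the original writeup: it applies the 4-byte key 0x8899AABB as a repeating keystream. The encrypted bytes from 0x00409B10 are not reproduced on the page, so the sample input is constructed by encrypting the known flag and then decrypting it again. The byte order of the key is an assumption (a 32-bit XOR on x86 operates on the little-endian DWORD, so the keystream is BB AA 99 88); the byteorder parameter lets you try the other order if a real dump does not decrypt cleanly.

```python
def xor_with_dword_key(data: bytes, key: int = 0x8899AABB, byteorder: str = "little") -> bytes:
    """XOR data with a repeating 4-byte key. XOR is symmetric, so the same
    function encrypts and decrypts. byteorder is an assumption about how the
    binary lays the DWORD key out in memory."""
    key_bytes = key.to_bytes(4, byteorder)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes the way a debugger memory dump would show them."""
    lines = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append(f"{off:08X}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


# Constructed sample: the recovered flag, encrypted with the challenge key.
PLAIN_FLAG = b"key:number2isalittlebitharder:p"
ENCRYPTED_FLAG = xor_with_dword_key(PLAIN_FLAG)


def decrypt_flag(encrypted: bytes = ENCRYPTED_FLAG) -> bytes:
    """Recover the plaintext flag from the XOR-encrypted buffer."""
    return xor_with_dword_key(encrypted)


if __name__ == "__main__":
    print("encrypted:")
    print(hexdump(ENCRYPTED_FLAG))
    print("decrypted:", decrypt_flag().decode())
```

Because XOR is its own inverse, a single routine serves both directions; the only thing to get right against a real dump is the key's byte order.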


We can set a breakpoint right after the decryption subroutine and view the decrypted flag in the memory dump:


key:number2isalittlebitharder:p
ASIS CTF - Forensics PCAP Writeup
Sunday, September 01, 2013 | Author: Deep Flash
In this challenge, we were given a PCAP file and we have to find the flag using it.



Since no other information is given in the question apart from the PCAP file, we open it with Wireshark. Now, let's check the HTTP traffic.

Using the filter: http.request.method == "GET", we check all the HTTP GET requests captured in the PCAP file:

We can see several HTTP GET requests to download files whose names are 32-character hex strings:


Let us now sort this using the Info Column and we get this:


We open the PCAP with Network Miner which will analyze the PCAP file and extract any files from it. You can get Network Miner from here:

http://sourceforge.net/projects/networkminer/

Network Miner is able to reconstruct a few files from the TCP Streams:



After checking these files, it was found that the file named d33cf9e6230f3b8e5a0c91a0514ab476 is a 7-zip archive. But when you try to open it with 7-zip, it does not work, so the 7-zip file is incomplete or corrupted.

This is where the other chunks being downloaded in the PCAP will come to use. So, let's go ahead and get all those chunks.

Since Network Miner was unable to get all of them, we use tcpflow to get all the TCP Streams from the PCAP file.



Let us search these TCP Streams for some interesting information at first. We check the first TCP stream from our search results and find that it has an Index of Files:



So we extract the HTML response from this TCP stream and view it with the Browser:



So, we have a directory listing of the files. By looking at the size of these files we can see that almost all of them have a size of 61440 bytes. We analyze all the TCP streams with a size >= 58000 (the smallest file in the directory listing above).

Now, we have the TCP Streams of interest:


We now need to extract the data from these TCP Streams. These TCP Streams also contain the HTTP Response Headers, so we need to remove that.

Since the HTTP Response Headers end with \r\n\r\n (in hex, 0x0D 0x0A 0x0D 0x0A), we can use that sequence as a delimiter and extract all the data after it:


We extract the data from all these streams, then calculate the MD5 hash of each chunk and compare it with the file names we got in the directory index above (the names are the MD5 hashes of the chunks). We keep only the chunks that appear in the index.

Now, we need to put all these chunks of data together with the 7-zip file and extract it. The sequence of these chunks can be determined according to the file timestamps mentioned in the directory index above. Since there are 2 pairs of files having the same timestamp, we have to try combining the chunks in different orders to get it working.
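The chunk-extraction and reassembly steps above can be scripted. The following is an added example, not the author's script: it takes tcpflow-style stream payloads, strips everything up to the first \r\n\r\n, hashes each body with MD5, keeps the bodies whose hash is a name in the directory index, and orders them by the index timestamps. For the pairs of files sharing a timestamp it enumerates every ordering of the tied group, which is exactly the trial-and-error the writeup describes. The stream bytes, file names and timestamps are constructed stand-ins (the real PCAP data is not on the page); the assumption that each stream holds a single HTTP response is noted in the code.

```python
import hashlib
import itertools

HEADER_END = b"\r\n\r\n"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def strip_http_headers(stream: bytes) -> bytes:
    """Return the body after the first HTTP response header block.
    Assumes one response per stream; returns b'' when no header is found."""
    idx = stream.find(HEADER_END)
    return b"" if idx == -1 else stream[idx + len(HEADER_END):]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def match_chunks(streams, index):
    """Map index name (MD5 hex) -> body for every stream body whose hash is in the index."""
    found = {}
    for raw in streams:
        body = strip_http_headers(raw)
        if body:
            digest = md5_hex(body)
            if digest in index:
                found[digest] = body
    return found


def candidate_orders(index, found):
    """Yield chunk orderings sorted by timestamp; chunks with equal timestamps
    are tried in every permutation, since the index cannot distinguish them."""
    by_ts = {}
    for name, ts in index.items():
        if name in found:
            by_ts.setdefault(ts, []).append(name)
    groups = [sorted(by_ts[ts]) for ts in sorted(by_ts)]
    for combo in itertools.product(*(itertools.permutations(g) for g in groups)):
        yield [name for group in combo for name in group]


def reassemble(found, order) -> bytes:
    return b"".join(found[name] for name in order)


def plausible_archives(streams, index):
    """Return every reassembly candidate whose first bytes carry the 7z signature."""
    found = match_chunks(streams, index)
    return [blob for order in candidate_orders(index, found)
            if (blob := reassemble(found, order)).startswith(SEVENZIP_MAGIC)]


# --- Constructed sample data (stand-ins for the PCAP streams and directory index) ---
def make_stream(body: bytes) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


CHUNKS = [SEVENZIP_MAGIC + b"A" * 10, b"B" * 12, b"C" * 12, b"D" * 12]
# Two chunks share a timestamp, as in the real directory listing.
INDEX = {
    md5_hex(CHUNKS[0]): "2013-08-30 10:00",
    md5_hex(CHUNKS[1]): "2013-08-30 10:01",
    md5_hex(CHUNKS[2]): "2013-08-30 10:02",
    md5_hex(CHUNKS[3]): "2013-08-30 10:02",
}
SAMPLE_STREAMS = [make_stream(c) for c in CHUNKS] + [
    make_stream(b"<html>unrelated page</html>"),  # not in the index, ignored
    b"stream with no HTTP header",                 # skipped entirely
]

if __name__ == "__main__":
    for i, blob in enumerate(plausible_archives(SAMPLE_STREAMS, INDEX)):
        with open(f"candidate_{i}.7z", "wb") as fh:
            fh.write(blob)
        print(f"wrote candidate_{i}.7z ({len(blob)} bytes)")
```

Each candidate is then handed to 7-zip; the one that opens (and then asks for the password) is the correct ordering. The magic-byte check only prunes orderings that put a non-archive chunk first, so ties deeper in the sequence still need the manual attempt.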

When we try to extract it, it asks for a password:



We check the TCP Streams once again for the password by searching for some common keywords like password, secret and so on:


So, the entire password is again broken down into chunks and present in the TCP Stream:


It was present in the first TCP Stream.

So, the password is: M)m5s6S^[>@#Q3+10PD.KE#cyPsvqH

The flag is in the image inside the archive file.



This challenge was good and it leaves a lot of scope for automation. The entire process of extracting the chunks of data from the TCP Streams and then comparing their MD5 hashes with the required chunks can be scripted.