Writeup: DEFCON 19 quals (Binary L33tness 100)



Here is the write-up for the DEFCON 19 quals challenge b100 run by DDTEK. This one is somewhat funny.

Description

Category: Binary L33tness

Your journey begins: Download

jtd@hackbox:~/DEFCONquals2011/bl100$ ./b100_6817e51fa3b60f176b56
./b100_6817e51fa3b60f176b56 [1-11|all]

jtd@hackbox:~/DEFCONquals2011/bl100$ ./b100_6817e51fa3b60f176b56
./b100_6817e51fa3b60f176b56 [1-11|all] 1

/images/2011/06/awesome.png

Running this binary gives us what appear to be several base64 encoded strings (one for each of 1-11), as evidenced by the ‘==’ padding at the end. So I wrote a simple python script, gbb.py, to decode the strings and write them to files.

jtd@hackbox:~/DEFCONquals2011/bl100$ ./b100_6817e51fa3b60f176b56 all > full
jtd@hackbox:~/DEFCONquals2011/bl100$ python gbb.py
jtd@hackbox:~/DEFCONquals2011/bl100$ file t_1
t_1: gzip compressed data, was "bin2-a", from Unix, last modified: Fri Apr  1 04:28:09 2011

All of the files are of the same kind: bin2-[a-k] gzip files. Since they end up forming one binary when combined, I cat them all together and then gunzip the result (gunzip accepts a stream of concatenated gzip members and inflates them back to back).

jtd@hackbox:~/DEFCONquals2011/bl100$ cat t_1 t_2 t_3 t_4 t_5 t_6 t_7 t_8 t_9 t_10 t_11 > t_combined.gz
jtd@hackbox:~/DEFCONquals2011/bl100$ gunzip -c t_combined.gz > t_combined_gunzipped
jtd@hackbox:~/DEFCONquals2011/bl100$ file t_combined_gunzipped
t_combined_gunzipped: 7-zip archive data, version 0.3

And it contains a 7-zip archive.

jtd@hackbox:~/DEFCONquals2011/bl100$ 7z e t_combined_gunzipped
jtd@hackbox:~/DEFCONquals2011/bl100$ file bin2
bin2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, not stripped

And what does it do?

jtd@hackbox:~/DEFCONquals2011/bl100$ ./bin2

/images/2011/06/mutant_trollface.png

It gives us another base64 encoded string, this time in the shape of a deformed trollface. So I modified my gbb.py into gtb.py and used it to decode the mutant trollface.

jtd@hackbox:~/DEFCONquals2011/bl100$ cat troll_out
S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N
[snip]
41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUTH1N BUT 4 P34NUT S0 S0RRY 41NT NUT

Yeah, ddtek trolled us. The correct step was not to decode the output of running bin2, but to decode something hidden in the binary itself (the real trollface).

jtd@hackbox:~/DEFCONquals2011/bl100$ strings bin2
jtd@hackbox:~/DEFCONquals2011/bl100$ strings bin2 | head -n 4792 | tail -n 4779 > real_trollfile

OH MY, another base64 encoded string.

/images/2011/06/real_trollface.png

I decoded it with grtb.py.
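As an added example (my own code, standing in for the gbb.py/gtb.py/grtb.py scripts, which the writeup does not reproduce), this Python does both decoding steps from above: it turns the eleven base64 lines back into one multi-member gzip stream and inflates it in one go (the `cat t_1 .. t_11 | gunzip` step), and it decodes base64 that has been drawn into a shape with whitespace, as the trollface output is. The payload and the fake `b100` output it works on are constructed, not the real challenge data.

```python
import base64
import gzip
import re

# Constructed stand-in for bin2: NOT the real challenge binary.
PAYLOAD = b"7z\xbc\xaf\x27\x1c" + bytes(range(256)) * 4


def split_chunks(data, n):
    """Cut data into n consecutive slices (the bin2-a .. bin2-k pieces)."""
    size = -(-len(data) // n)          # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def fake_b100_output(payload, parts=11):
    """Mimic './b100 all': one base64 line per gzip member."""
    members = [gzip.compress(c, mtime=0) for c in split_chunks(payload, parts)]
    return "\n".join(base64.b64encode(m).decode("ascii") for m in members)


def reassemble(output_text):
    """gbb.py plus 'cat t_1 .. t_11 | gunzip' in one step: decode each line,
    concatenate the gzip members and inflate the multi-member stream."""
    members = [base64.b64decode(line) for line in output_text.splitlines() if line.strip()]
    combined = b"".join(members)
    return gzip.decompress(combined)   # walks every member, like gunzip does


def decode_shaped(text):
    """For trollface-shaped strings: drop everything that is not base64
    (whitespace, line breaks, stray art), then decode strictly."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", text)
    return base64.b64decode(clean, validate=True)


def demo():
    """Round trip on the constructed payload.
    Returns (line count, reassembled bytes, first chunk recovered from a shaped line)."""
    out = fake_b100_output(PAYLOAD)
    first = out.splitlines()[0]
    shaped = "   " + first[:16] + "\n       " + first[16:] + "\n"   # constructed 'art'
    return len(out.splitlines()), reassemble(out), gzip.decompress(decode_shaped(shaped))


if __name__ == "__main__":
    n, full, chunk = demo()
    print(n, "members;", len(full), "bytes reassembled;", len(chunk), "bytes from shaped line")
```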

jtd@hackbox:~/DEFCONquals2011/bl100$ file real_trollfile_decoded
real_trollfile_decoded: gzip compressed data, was "bin3", from Unix, last modified: Fri Apr  1 02:35:15 2011

HOLY HABERDASHERY BATMAN! another archive. :(

jtd@hackbox:~/DEFCONquals2011/bl100$ mv real_trollfile_decoded real_trollfile_decoded.gz
jtd@hackbox:~/DEFCONquals2011/bl100$ gunzip -c real_trollfile_decoded.gz > real_trollfile_unzipped
jtd@hackbox:~/DEFCONquals2011/bl100$ file real_trollfile_unzipped
real_trollfile_unzipped: lzop compressed data - version 1.030, LZO1X-999, os: Unix

yet another archive. WTF is lzop??

jtd@hackbox:~/DEFCONquals2011/bl100$ apt-cache search lzop
zope-debhelper - debhelper script for zope packaging
lzop - fast compression program
file-roller - an archive manager for GNOME
jtd@hackbox:~/DEFCONquals2011/bl100$ sudo apt-get install lzop

jtd@hackbox:~/DEFCONquals2011/bl100$ mkdir lzop
jtd@hackbox:~/DEFCONquals2011/bl100$ cd lzop
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ lzop -x ../real_trollfile_unzipped

jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ file bin3
bin3: compress'd data 16 bits

UUUHHHGGG

jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ file unlzopped
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ mv bin3 bin3.gz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ gzip -d bin3.gz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ file bin3
bin3: gzip compressed data, was "bin3", from Unix, last modified: Thu Mar 31 10:10:38 2011

YAA (yet another archive)

jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ mv bin3 bin3.gz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ gunzip -c bin3.gz > un_yaa
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ file un_yaa
un_yaa: ARC archive data, uncompressed

FML

jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ apt-cache search arc | grep "ARC"
libmarc-record-perl - Perl extension for handling MARC records
libmarc-crosswalk-dublincore-perl - Convert data between MARC and Dublin Core
libmarc-xml-perl - Perl library to access MARC data encoded as XML
libmarc-lint-perl - Perl extension for checking validity of MARC records
arc - Archive utility based on the MSDOS ARC program
nomarch - Unpacks .ARC and .ARK MS-DOS archives
libidzebra-2.0-mod-grs-marc - IDZebra filter grs.marc (ISO2709 MARC reader)
libmarc-charset-perl - Bidirectional MARC-8  Unicode converter module for perl
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ sudo apt-get install arc

jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ mkdir arc
jtd@hackbox:~/DEFCONquals2011/bl100/lzop$ cd arc
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ arc x ../un_yaa
Extracting file: bin3
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ file bin3
bin3: xz compressed data

URGE TO KILL RISING

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ apt-cache search xz
liblzma-doc - XZ-format compression library - API documentation
makexvpics - updates .xvpics thumbnails from the command line
zblast-x11 - X11 version of zblast, shoot 'em up space game
python-lzma-dbg - python-lzma debug symbols
python-lzma - Python bindings for liblzma
file-roller - an archive manager for GNOME
liblzma1 - XZ-format compression library
xz-utils - XZ-format compression utilities
liblzma-dev - XZ-format compression library - development files
xzip - Interpreter of Infocom-format story-files
xzoom - magnify part of X display, with real-time updates
xzgv - Picture viewer for X with a thumbnail-based selector
libcry-ocaml-dev - MP3/Ogg Vorbis broadcast OCaml module
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ sudo apt-get install xz-utils

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ xz --decompress --stdout bin3 > un_xz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ file un_xz
un_xz: rzip compressed data - version 2.1 (276265 bytes)

>:(

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ apt-cache search rzip
rzip - compression program for large files
lrzip - compression program with a very high compression ratio
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ sudo apt-get install rzip

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ rzip -d -o un_rzip un_xz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ file un_rzip
un_rzip: gzip compressed data, from Unix, last modified: Fri Apr  1 02:10:06 2011

It’s starting to feel like this is going in circles. BUT FEAR NOT!

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ mv un_rzip un_rzip.gz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ gunzip -c un_rzip.gz > un_gzip
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ file un_gzip
un_gzip: POSIX tar archive (GNU)

HANG IN THERE, it’ll be over soon.

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ tar -xvf un_gzip
bin3
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ file bin3
bin3: lzop compressed data - version 1.030, LZO1X-999, os: Unix

Just a little bit more now.

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ mkdir lz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc$ cd lz
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ lzop -x ../bin3
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ file bin3
bin3: bzip2 compressed data, block size = 900k

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ bzip2 -d bin3
bzip2: Can't guess original name for bin3 -- using bin3.out
jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ file bin3.out
bin3.out: 7-zip archive data, version 0.3

bin3-full
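As an added example (my own code, not anything from the writeup or from ddtek), here is a Python sniffer that recognises every container `file` named in the chain above by its magic bytes and automatically peels the layers the standard library can open, stopping at the first one that needs an external tool (lzop, ARC, rzip, 7-zip) so you know what to reach for next. The nested sample it runs on is constructed, and the layer and size caps are the guard a practitioner wants before pointing an automatic unpacker at untrusted archives.

```python
import bz2
import gzip
import lzma

# Signatures for every container seen in this chain; the offset is where the
# magic sits in the file. Only the first three are openable with the stdlib.
MAGICS = [
    ("gzip",     0,   b"\x1f\x8b"),
    ("bzip2",    0,   b"BZh"),
    ("xz",       0,   b"\xfd7zXZ\x00"),
    ("7-zip",    0,   b"7z\xbc\xaf\x27\x1c"),
    ("lzop",     0,   b"\x89LZO\x00\r\n\x1a\n"),
    ("compress", 0,   b"\x1f\x9d"),
    ("rzip",     0,   b"RZIP"),
    ("ELF",      0,   b"\x7fELF"),
    ("tar",      257, b"ustar"),
    ("ARC",      0,   b"\x1a"),   # one-byte marker: weak, so checked last
]
STDLIB = {"gzip": gzip.decompress, "bzip2": bz2.decompress, "xz": lzma.decompress}
MAX_BYTES = 64 * 1024 * 1024   # refuse to inflate past this (decompression-bomb guard)


def sniff(blob):
    """Name the outermost format by magic bytes, or 'unknown'."""
    for name, offset, magic in MAGICS:
        if blob[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def peel(blob, max_layers=32):
    """Strip stdlib-decodable layers one by one. Returns (layers stripped,
    remaining bytes, their format); stops at the first format that needs an
    external tool so the caller knows which one to run."""
    layers = []
    for _ in range(max_layers):
        kind = sniff(blob)
        if kind not in STDLIB:
            return layers, blob, kind
        blob = STDLIB[kind](blob)
        if len(blob) > MAX_BYTES:
            raise ValueError("layer %d inflated past %d bytes" % (len(layers) + 1, MAX_BYTES))
        layers.append(kind)
    raise ValueError("more than %d nested layers" % max_layers)


def demo():
    """Constructed sample: gzip(bzip2(xz(fake ELF header + padding)))."""
    inner = b"\x7fELF" + b"\x00" * 60
    nested = gzip.compress(bz2.compress(lzma.compress(inner)), mtime=0)
    return peel(nested)


if __name__ == "__main__":
    layers, data, kind = demo()
    print(" -> ".join(layers), "->", kind, "(%d bytes)" % len(data))
```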

AANNDD…

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ ./bin3-full
-=-=-=-=-=-=-=-=- Wh4t W1ll B3 R3v34l3d? -=-=-=-=-=-=-=-=-
Can y3w feel it coming in the air tonight?
-=-=-=-=-=-=-=-=- Wh4t W1ll Be R3v34l3d? -=-=-=-=-=-=-=-=-

WAT?!?!? ಠ_ಠ

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ strings bin3-full| head -n 1039 | tail -n 35
Th1s1zt3hK3yk3yk33H33H33H33.N0t!
t00rongD1DNTg1ve
canthisbethekeybecauseitissuchalongstringandddteklikeslongstrings?
l33tsp33k1z0ut.RealTalkIsIn.
h1tth3r04dj4ck3ndd0nty3wc0m3b4ckn0m0ren0m0R3n0M0R3N0M0R3!
k3ysk3yst3hmm4g1c4lfr3wtthm0r3y3we4tth3mt3hm0r3y3wr00t
5tunt1n1z4h4b1tput171nth3a1r
! is i upside down!i!i!
A complete statement can also be the key to victory.
This is the key.
.key the is This
Can y3w feel it coming in the air tonight?
Random thoughts give way to random problems give way to random solutions
Lorem Ipsum is a bitch.
!y3wt4w7k1n2m3? 3y3s3dy3wt4w7k1n2m3?
asdfhasdkfjhasfkjhasfjasdkfjhasdfkjhasfkh
2r98hdij23r98hdsfkjb23r9hdfkj39
8377e19ab2c48f5f70021d6ed92937cc520c3ad1
e9b1b3124eedf6e88a40b0f240b19b8f
7cf0564cb453a9186431ee9553f7f935
84ee6f2004d8dfc1a864012edf6f92a7802d60b2
you are what you don't root
Why don't you make like a tree and.. get outta here?
It's already mutated into human form, shoot it!
if it makes a difference, they make a purse that looks like a vagina
it's better to live one day as a bro than a thousand years as a douchebag
why be professional when you can be brofessional?
hey bro, you're cool bro.  don't ever change bro!  you're such a bro, bro!
a list is only as strong as its weakest link
As Lord Chesterfield said of the generals of his day, 'I only hope that when the enemy reads the list of their names, he tremelbes as I do.'
th3r3 wuz 4 f4m1l33 uv 4r15t0cr4tz
1f y3w c4n't 41m j0ur p1$$ 1n d4 t01l3t l1k3 4n 4dult, s1t d0wn & p1$$ l1k3 4 b1zn44zzzzzzzzzt1ch
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaW5nIGVs aXQsIHNlZCBkbyBlaXVzbW9kIHRlbXBvciBpbmNpZGlkdW50IHV0IGxhYm9yZSBldCBkb2xvc mUgbWFnbmEgYWxpcXVhLiBVdCBlbmltIGFkIG1pbmltIHZlbmlhbSwgcXVpcyBub3N0cnVkI GV4ZXJjaXRhdGlvbiB1bGxhbWNvIGxhYm9yaXMgbmlzaSB1dCBhbGlxdWlwIGV4IGVhIGNvb W1vZG8gY29uc2VxdWF0LiBEdWlzIGF1dGUgaXJ1cmUgZG9sb3IgaW4gcmVwcmVoZW5kZXJpd CBpbiB2b2x1cHRhdGUgdmVsaXQgZXNzZSBjaWxsdW0gZG9sb3JlIGV1IGZ1Z2lhdCBudWxsY SBwYXJpYXR1ci4gRXhjZXB0ZXVyIHNpbnQgb2NjYWVjYXQgY3VwaWRhdGF0IG5vbiBwcm9pZ GVudCwgc3VudCBpbiBjdWxwYSBxdWkgb2ZmaWNpYSBkZXNlcnVudCBtb2xsaXQgYW5pbSBpZ CBlc3QgbGFib3J1bS4K
-=-=-=-=-=-=-=-=- Wh4t W1ll B3 R3v34l3d? -=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=- Wh4t W1ll Be R3v34l3d? -=-=-=-=-=-=-=-=-

lol NONE OF THESE ARE THE KEY! BTW “Lorem Ipsum” best translates to “pain itself.” (dude bro, you’re such a bro, bro!)

jtd@hackbox:~/DEFCONquals2011/bl100/lzop/arc/lz$ strings bin3-full| tail
weak version `
' not found (required by
version lookup error
of Verneed record
RTLD_NEXT used in code not dynamically loaded
stack smashing detected
*** %s ***: %s terminated
zPLR
Where we're going we don't need... roads.
CAk[S

The key is: Where we're going we don't need... roads.