{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-k3rn3lctf-2021-en","result":{"data":{"markdownRemark":{"id":"8f2d88fc-4ea8-5c0e-9b64-2706574a154f","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-k3rn3lctf-2021\">original page</a>.</p>\n</blockquote>\n<p>I participated in <a href=\"https://ctftime.org/event/1438\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">K3RN3LCTF</a>, which ran from November 13, 2021, with team <a href=\"https://ctftime.org/team/168239\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">0neP@dding</a> (though I actually competed solo).</p>\n<p>I only solved 2 Rev challenges this time, but I still managed to finish 139th out of 501 teams — which might mean the competition was tougher than I expected.</p>\n<p>This was an eccentric CTF that did not hesitate to distribute real malware in its Rev challenges. Here is a brief writeup.</p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li><a href=\"#zabomb-rev\">Zabomb (Rev)</a></li>\n<li><a href=\"#wire-rev\">WiRE (Rev)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"zabomb-rev\" style=\"position:relative;\">Zabomb (Rev)</h2>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Description\nYou received a suspicious <span class=\"token function\">file</span> from the k3rn3l4rmy hacking group, the title says <span class=\"token string\">'Not a Zip Bomb, Please Open'</span>, you decide NOT to <span class=\"token function\">open</span> it and instead try to reverse it.\n\nIt is recommended that you <span class=\"token keyword\">do</span> NOT <span class=\"token function\">open</span> this, it will fill your entire disk.</code></pre></div>\n<p>I was handed a genuine malware Zip Bomb.</p>\n<p>Reference: <a href=\"https://ja.2007es.com/new-zip-bomb-stuffs-4\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">New Zip Bomb Packs 4.5 PB of Data into a 46 MB File</a></p>\n<p>Looking at the contents of the ZIP file, I found that it contained two types of compressed files: one with an enormous size and one with a small size.</p>\n<p>All that was needed was to use 7-Zip or a similar tool to extract only the small file, leaving the enormous one untouched.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">7za<span class=\"token punctuation\">.</span>exe x <span class=\"token operator\">-</span>y <span class=\"token operator\">-</span>oC:\\output\\ <span class=\"token operator\">-</span>ir!filename bomb<span class=\"token punctuation\">.</span>zip\n<span class=\"token comment\"># flag{w0w_c0mpres51on_&amp;_d3comp53ssi0N_!s_s0_c3wl_ju5t_d0n7_gO_b0OM}</span></code></pre></div>\n<p>Reference: <a href=\"http://blog.livedoor.jp/ryanorano/archives/58882007.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Extracting Only Specific Files from a ZIP on the Command Line (Windows)</a></p>\n<h2 id=\"wire-rev\" style=\"position:relative;\">WiRE (Rev)</h2>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">Description\n\nWe wire an encryption message that contains flag from remote server and dumped it out to kernelCTF_dump.pcapng file, i'm pretty sure that client has implementation of algorithm to decrypt data and get flag, will you take up the challenge?</code></pre></div>\n<p>I was given a mysterious pcap file and a PE binary.</p>\n<p>It turned out that the PE binary was a client program that encrypts and transmits messages, and the pcap file was a recording of the encrypted FLAG being exchanged.</p>\n<p>Decompiling the binary revealed that the client operates in the following sequence:</p>\n<ul>\n<li>Attempts a TCP connection to local port 9905</li>\n<li>If the TCP connection succeeds, encrypts a message and sends it</li>\n<li>Receives the encrypted FLAG data from the connected server</li>\n<li>Closes the connection</li>\n</ul>\n<p>Analyzing the packets in the pcap file according to this flow, I found that the 
encrypted FLAG data <code class=\"language-text\">d33411044a6202726302656e6901636e637462017d6702756e760101756e7b0173104c0a</code> was received.</p>\n<p>Here is the encryption logic:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> main<span class=\"token punctuation\">.</span><span class=\"token function\">safeWrapMessage</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token punctuation\">{</span>\n  byte <span class=\"token operator\">*</span>pbVar1<span class=\"token punctuation\">;</span>\n  byte <span class=\"token operator\">*</span>pbVar2<span class=\"token punctuation\">;</span>\n  code <span class=\"token operator\">*</span>pcVar3<span class=\"token punctuation\">;</span>\n  byte <span class=\"token operator\">*</span>pbVar4<span class=\"token punctuation\">;</span>\n  byte <span class=\"token operator\">*</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">;</span>\n  \n  pbVar1 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">;</span>\n  pbVar2 <span class=\"token operator\">=</span> local_res8<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>pbVar4 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x0</span><span class=\"token punctuation\">;</span> <span class=\"token punctuation\">(</span>longlong<span class=\"token punctuation\">)</span>pbVar4 <span class=\"token operator\">&lt;</span> <span 
class=\"token punctuation\">(</span>longlong<span class=\"token punctuation\">)</span>pbVar2<span class=\"token punctuation\">;</span> pbVar4 <span class=\"token operator\">=</span> pbVar4 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_res8<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&lt;=</span> pbVar4<span class=\"token punctuation\">)</span> <span class=\"token keyword\">goto</span> LAB_004dbf48<span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span>longlong<span class=\"token punctuation\">)</span>pbVar4<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> pbVar1<span class=\"token punctuation\">[</span><span class=\"token punctuation\">(</span>longlong<span class=\"token punctuation\">)</span>pbVar4<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x31</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>longlong<span class=\"token punctuation\">)</span>local_res8<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token 
keyword\">return</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token operator\">*</span><span class=\"token operator\">*</span>local_res8 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token operator\">*</span>local_res8 <span class=\"token operator\">^</span> <span class=\"token number\">0x84</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x1</span> <span class=\"token operator\">&lt;</span> local_res8<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x69</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x2</span> <span class=\"token operator\">&lt;</span> local_res8<span class=\"token 
punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token number\">0x41</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token number\">0x3</span> <span class=\"token operator\">&lt;</span> local_res8<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>local_res8<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span 
class=\"token number\">0x52</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n      runtime<span class=\"token punctuation\">.</span><span class=\"token function\">panicIndex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    runtime<span class=\"token punctuation\">.</span><span class=\"token function\">panicIndex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  runtime<span class=\"token punctuation\">.</span><span class=\"token function\">panicIndex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nLAB_004dbf48<span class=\"token operator\">:</span>\n  runtime<span class=\"token punctuation\">.</span><span class=\"token function\">panicIndex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  pcVar3 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>code <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token function\">swi</span><span class=\"token punctuation\">(</span><span class=\"token number\">3</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>pcVar3<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span><span class=\"token 
punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The entire message is XORed byte by byte with 0x31, and then the first 4 bytes are XORed once more with 0x84, 0x69, 0x41 and 0x52 respectively.</p>\n<p>So, XORing <code class=\"language-text\">d33411044a6202726302656e6901636e637462017d6702756e760101756e7b0173104c0a</code> with 0x31 and then replacing the first 4 characters with the known “flag” prefix yielded the FLAG.</p>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>With WiRE, Ghidra’s decompiled output was not great, and I had trouble reaching the Flag.</p>\n<p>When I tried IDA Free for decompilation, I found that the output was more readable and useful for understanding the program’s behavior compared to Ghidra, which allowed me to solve it.</p>\n<p>It seems that readability of decompiler output can vary depending on the binary, so when I cannot solve something, it is worth trying both Ghidra and IDA going forward.</p>","fields":{"slug":"/ctf-k3rn3lctf-2021-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/english/"]},"frontmatter":{"date":"2021-11-15","description":"A brief writeup from K3RN3LCTF 2021 — an eccentric CTF that distributed actual malware in its Rev challenges.","tags":["CTF (en)","Reversing (en)","English"],"title":"K3RN3LCTF 2021 Writeup","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-k3rn3lctf-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}