Labyrenth 2017 Threat 02
While reading the description for the challenge I realized something odd: it contained instructions that weren't actually needed but sounded familiar. This sentence in particular was odd:
The samples are included in yara_samples.7z password is "infected"
because there was no yara_samples.7z. I checked my folder from Labyrenth 2016 and had a match for the Threat 06 challenge from last year (Labyrenth 2016 Track solution).
The challenge looks exactly the same with a different set of samples. The old solution suggests bindiffing two of the smallest files, so let's do that. At first I tried the same approach the 2016 solution recommended: ordering by basic blocks. As I was lazy and wanted to reuse the Python script from last year's solution, I checked what it requires. Basically it wants a file containing the hex values of each file we want to compare, each entry starting with the same byte pattern. Let's say the pattern should start with 0xDE 0xAD 0xBE 0xEF; the file would look like this:
DEADBEEF... bytes in file1
DEADBEEF... bytes in file2
...
If we chose the right pattern the file should contain an entry for each of our 56 files. So I bindiffed the two smallest files, ef763faec48e5e29d63c38088b2fc3cebb5086bb805e6f3b020649c7bbbf8614 and de8d6ef64a8d9137834013f7263e9bdebb3be48f562af5679779376aaab0af5a, and ordered the results by matching basic blocks.
First try
I checked the first 5 sub_x entries (the directions stated that the rule should only match the given samples, so trying library functions doesn't make sense) by taking the first bytes of each and running the following bash command, with [bytepattern] replaced by those bytes:
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o [bytepattern].* >> ~/hex_values.txt; done
followed by yara.py (which I copied from last year's solution). Without success.
Second try
My next approach was to order by matched instructions with the given hint in mind:
Hint: You drop me when you want to stop and lift me up when you want
When I opened sub_10001250_9 I had a good feeling about it because I saw some imports, which would make sense regarding the hint, so I gave it a try:
for i in *; do xxd -p "$i" | tr -d '\n' | grep -o 53568b35.* >> ~/hex_values.txt; done
I checked wc ~/hex_values.txt, which returned 56 = the number of samples, and ran the mentioned yara.py. The result was
53568b35???????05768???????0ffd668???????08bf8ffd668???????0ffd668???????0ffd68b35???????068???????0578bd8ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????053a3???????0ffd668???????053a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????057a3???????0ffd668???????0a3???????057ffd668???????057a3???????0ffd668???????057a3???????0ffd65f5ea3???????05bc3
If you have a look at sub_1001250 you can see that the pattern matches the entire function. So all that's left is to copy that rule into the given template and send it to the server with netcat:
cat rule.txt | netcat 52.42.81.161 8082
Which gives us the flag:
PAN{AllByMyself}
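How the step from hex_values.txt to a wildcard pattern like the one above works, as an added example that is not the yara.py from the 2016 solution: the dumps are compared nibble by nibble and a ? is emitted wherever the samples differ, which is what produces groups like ???????0 around the 32-bit immediates. The sample dumps, the run-length cut-off (max_wild_nibbles) and the function names are my own constructions, not from the challenge.

```python
"""Wildcard YARA hex string from per-sample hex dumps.

Added example, not the yara.py from the 2016 solution: it re-implements the
idea the post describes (compare the dumps nibble by nibble, emit '?' where
the samples differ). All sample data below is constructed.
"""
import re

# Constructed stand-ins for `xxd -p $i | tr -d '\n' | grep -o 53568b35.*`:
# push ebx; push esi; mov esi,[imm32]; push imm32; call esi; pop esi; pop ebx;
# ret, with differing immediates and unrelated trailing bytes per sample.
SAMPLE_DUMPS = [
    "53568b35" "10a01000" "68" "3c500010" "ffd6" "5e5bc3" "cccccccccc",
    "53568b35" "10b02000" "68" "7c600010" "ffd6" "5e5bc3" "9090909090",
    "53568b35" "10c03000" "68" "bc700010" "ffd6" "5e5bc3" "deadbeef",
]


def wildcard_pattern(hex_dumps, max_wild_nibbles=8):
    """YARA hex string covering every dump, '?' where the dumps differ.

    Stops at the shortest dump, or earlier when more than max_wild_nibbles
    consecutive nibbles differ: my own cut-off (assumption), since a 32-bit
    immediate is 8 nibbles and a longer run means the shared code ended.
    """
    dumps = [d.lower() for d in hex_dumps]
    if not dumps or any(set(d) - set("0123456789abcdef") for d in dumps):
        raise ValueError("need one or more dumps containing only hex digits")
    out, run = [], 0
    for i in range(min(len(d) for d in dumps)):
        if len({d[i] for d in dumps}) == 1:
            out.append(dumps[0][i])
            run = 0
            continue
        run += 1
        if run > max_wild_nibbles:
            out = out[:len(out) - (run - 1)]  # drop the over-long run
            break
        out.append("?")
    nib = "".join(out)  # whole bytes only, no trailing fully wildcarded bytes
    pairs = [nib[j:j + 2] for j in range(0, len(nib) - len(nib) % 2, 2)]
    while pairs and pairs[-1] == "??":
        pairs.pop()
    return "".join(pairs)


def matches(pattern, hex_dump):
    """Check a pattern against a dump the way YARA's nibble wildcards do."""
    return re.match(pattern.replace("?", "[0-9a-f]"), hex_dump.lower()) is not None
```

The returned string goes between the braces of a YARA hex string in the rule template; matches() is the same check the post does by eye when it confirms the pattern covers the whole function.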