Monday, April 6, 2015

NDH CTF 2015-Bpythonastic

NDH 2015 Bpythonastic Writeup
Points: 300
Category: Forensics

We are given Bpythonastic.tar.gz; after decompressing it we find a single file, chall.raw:


root@kali:~/ndh#file chall.raw
chall.raw: ELF 64-bit LSB core file x86-64, version 1 (SYSV)
 
Let's analyze this file with Volatility, but first we need to know which operating system profile to use.

Using the strings command, we look for the kernel version banner to identify the OS:

root@kali:~/ndh# strings chall.raw|egrep '^Linux.*[0-9.]{3,}.*SMP'
Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014
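The lookup above is a grep over the whole image. The following is an added example, not code from the original writeup, that does the same search in Python while reading the image in chunks, so it works on multi-gigabyte dumps without loading them into memory and still catches a banner that straddles a chunk boundary. The function names are mine, and the sample image is constructed inline around the banner quoted above.

```python
"""Find the Linux kernel banner in a raw memory image by scanning it in
chunks, the same lookup the writeup does with strings | egrep. Added example,
not from the original writeup; the function names are mine and the sample
image is constructed inline around the banner quoted in the writeup."""
import io
import re

# Banner text quoted in the writeup; used here only to build a sample image.
KERNEL_BANNER = (
    b"Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) "
    b"(gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014"
)

# Constructed sample image: zero padding, one banner that straddles a 4096-byte
# chunk boundary, and a second copy further on (real images usually carry the
# banner more than once: linux_banner, /proc/version text, the log buffer).
SAMPLE_IMAGE = (
    b"\x00" * 4000 + b"junk " + KERNEL_BANNER + b"\n"
    + b"\x00" * 3000 + KERNEL_BANNER + b"\n" + b"\x00" * 100
)

# Shape the kernel stores: "Linux version <release> (<who>) (<compiler>) #<build> <flags/date>\n".
# Debian builds add a "(Debian <pkgver>)" group; the lazy "\(.*?\)" absorbs any number
# of parenthesised groups up to the " #<build> " marker. The terminator is required so
# a banner cut off at a chunk boundary is never reported in truncated form.
BANNER_RE = re.compile(
    rb"Linux version (?P<release>[0-9][\w.+-]*) (?P<toolchain>\(.*?\)) "
    rb"#(?P<build>\d+) (?P<rest>[^\n\x00]+)[\n\x00]"
)


def parse_banner(match):
    release = match["release"].decode("ascii", "replace")
    rest = match["rest"].decode("ascii", "replace")
    return {
        "release": release,
        "toolchain": match["toolchain"].decode("ascii", "replace"),
        "build": int(match["build"]),
        "rest": rest,
        "smp": "SMP" in rest.split(),
        # The flavour suffix tells us which profile bitness to fetch.
        "arch": "x64" if release.endswith(("amd64", "x86_64")) else "unknown",
    }


def find_kernel_banners(stream, chunk_size=4 << 20, overlap=1024):
    """Return [(absolute_offset, parsed_banner), ...], reading the stream in
    chunks. `overlap` bytes of the previous chunk are prepended to the next one
    so a banner that crosses a chunk boundary is still matched; it must exceed
    the longest banner you expect (kernel banners are well under 1 KiB)."""
    hits, seen = [], set()
    base, tail = 0, b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        buf_base = base - len(tail)          # absolute offset of buf[0]
        for m in BANNER_RE.finditer(buf):
            offset = buf_base + m.start()
            if offset not in seen:           # the overlap can show a hit twice
                seen.add(offset)
                hits.append((offset, parse_banner(m)))
        base += len(chunk)
        tail = buf[-overlap:]
    return hits


def scan_constructed_image(chunk_size=4096):
    """Scan the constructed sample; 4096-byte chunks force the first banner
    across a boundary, which is the case the overlap exists for."""
    return find_kernel_banners(io.BytesIO(SAMPLE_IMAGE), chunk_size=chunk_size)


if __name__ == "__main__":
    for offset, banner in scan_constructed_image():
        print(f"0x{offset:x}: {banner['release']} ({banner['arch']}) "
              f"#{banner['build']} {banner['rest']}")
```

On a real dump, pass `open("chall.raw", "rb")` in place of the BytesIO; the release string is what you match against the profile list, and a banner that appears only once, or with conflicting versions, is worth a second look before trusting any profile.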

The banner names kernel 2.6.32-5-amd64 from Debian squeeze (6.0). Now download the profile for 64-bit Debian from https://github.com/volatilityfoundation/profiles/tree/master/Linux/Debian/x64 ; the profile used below, LinuxDebian608x64, is the one for Debian 6.0.8 on x86-64.



Create a directory named profiles, copy all the profile zips into it, and list the processes:


volatility.exe --plugins=profiles -f chall.raw --profile=LinuxDebian608x64 linux_pslist

0xffff88005245c000 bpython              2364            0               0      0x000000003781a000 2015-03-19 13:59:46 UTC+0000



 --plugins=profiles points Volatility at the directory holding the profile zips.
 linux_pslist lists the processes found in the image.


We find an interesting process: bpython, PID 2364.

Dump the memory mappings of that process:

volatility.exe --plugins=profiles -f chall.raw --profile=LinuxDebian608x64 linux_dump_map -p 2364 --dump-dir d:\Bpythonastic\

 -p selects the PID; --dump-dir (short form -D) is the directory the mappings are written to.

Analyzing the dumped files with strings, we find a bpython session in which the flag object was pickled and base64-encoded:

>>> flag=Challenge()
>>> flag=base64.b64encode(pickle.dumps(flag))
>>> print flag
KGljaGFsbApDaGFsbGVuZ2UKcDAKKGRwMQpTJ2ZsYWcnCnAyClMnYTYzOWEyMWE0YTc0NzAzZmEwNDJkNjE3NjgxYWE0NGJiNGQxYzA4YmM1ZmJmN2VmZDZiNDU1ODJiMGYwZDQwMycKcDMKc1MnaWQnCnA0CkkwCnNTJ2F1dGhvcicKcDUKUydZZ2dkcmFzaWwnCnA2CnNiLg==

Let's decode the base64 string. The result is a Python pickle: read it as text (or with pickletools) rather than feeding it to pickle.loads, since unpickling imports and runs whatever code the stream references.

#echo KGljaGFsbApDaGFsbGVuZ2UKcDAKKGRwMQpTJ2ZsYWcnCnAyClMnYTYzOWEyMWE0YTc0NzAzZmEwNDJkNjE3NjgxYWE0NGJiNGQxYzA4YmM1ZmJmN2VmZDZiNDU1ODJiMGYwZDQwMycKcDMKc1MnaWQnCnA0CkkwCnNTJ2F1dGhvcicKcDUKUydZZ2dkcmFzaWwnCnA2CnNiLg==  | base64 -d
(ichall
Challenge
p0
(dp1
S'flag'
p2
S'a639a21a4a74703fa042d617681aa44bb4d1c08bc5fbf7efd6b45582b0f0d403'
p3
sS'id'
p4
I0
sS'author'
p5
S'Yggdrasil'
p6
sb.
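As an added example, not part of the original writeup, here is how to extract the fields of that pickle without executing it. A stock pickle.loads would import the "chall" module named in the stream and run any __reduce__/__setstate__ hooks it defines; overriding find_class so every class reference resolves to an inert stand-in removes that path. The base64 blob is the one quoted above; Stub, InertUnpickler, MALICIOUS_PICKLE and the function names are mine.

```python
"""Pull the fields out of the pickled object recovered from the bpython
process memory without executing it. Added example, not part of the original
writeup. PICKLE_B64 is the blob quoted in the writeup; Stub, InertUnpickler,
MALICIOUS_PICKLE and the function names are mine."""
import base64
import io
import pickle
import pickletools

# The blob carved from the dumped process memory (quoted in the writeup).
PICKLE_B64 = "KGljaGFsbApDaGFsbGVuZ2UKcDAKKGRwMQpTJ2ZsYWcnCnAyClMnYTYzOWEyMWE0YTc0NzAzZmEwNDJkNjE3NjgxYWE0NGJiNGQxYzA4YmM1ZmJmN2VmZDZiNDU1ODJiMGYwZDQwMycKcDMKc1MnaWQnCnA0CkkwCnNTJ2F1dGhvcicKcDUKUydZZ2dkcmFzaWwnCnA2CnNiLg=="

# Constructed for contrast: the classic protocol-0 pickle that calls
# os.system("id") the moment a stock Unpickler loads it.
MALICIOUS_PICKLE = b"cos\nsystem\n(S'id'\ntR."


def decode_blob(b64: str) -> bytes:
    return base64.b64decode(b64, validate=True)


def opcode_listing(data: bytes):
    """Static walk over the opcode stream; nothing is executed."""
    return [(op.name, arg) for op, arg, _pos in pickletools.genops(data)]


def referenced_classes(data: bytes):
    """(module, name) pairs the stream asks the unpickler to import.
    GLOBAL and INST carry them as 'module name' text (protocols 0-3);
    protocol 4's STACK_GLOBAL pushes two strings and is not handled here."""
    return [tuple(arg.split(" ", 1))
            for op, arg, _pos in pickletools.genops(data)
            if op.name in ("GLOBAL", "INST")]


class Stub:
    """Inert stand-in for any class or callable the stream references. It has
    no __reduce__/__setstate__, so BUILD can only populate __dict__, and
    calling it (REDUCE) just records the arguments instead of running code."""

    def __init__(self, *args, **kwargs):
        self._ctor_args = args
        self._ctor_kwargs = kwargs

    def __repr__(self):
        cls = type(self)
        return f"<{cls.__module__}.{cls.__name__} {vars(self)!r}>"


class InertUnpickler(pickle.Unpickler):
    """find_class is the single hook that turns names into code; never import."""

    def find_class(self, module, name):
        return type(name, (Stub,), {"__module__": module})


def extract_object(data: bytes):
    return InertUnpickler(io.BytesIO(data)).load()


def extract_fields(b64: str) -> dict:
    """Class name plus the attributes BUILD applied to the stand-in object."""
    obj = extract_object(decode_blob(b64))
    return {"class": f"{type(obj).__module__}.{type(obj).__name__}", **vars(obj)}


if __name__ == "__main__":
    data = decode_blob(PICKLE_B64)
    for name, arg in opcode_listing(data):
        print(f"{name:10} {arg!r}")
    print("would import:", referenced_classes(data))
    print(extract_fields(PICKLE_B64))
    print("malicious sample yields:", extract_object(MALICIOUS_PICKLE))
```

referenced_classes is the triage step: run it first on any carved pickle, and if anything other than the expected module shows up, the blob is an artefact to analyse, not data to load.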
The flag field holds a 64-hex-digit hash (the length of a SHA-256 digest): a639a21a4a74703fa042d617681aa44bb4d1c08bc5fbf7efd6b45582b0f0d403
Looking it up in an online hash database gives the plaintext.


The flag is: Yougotit
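An online lookup tells you a candidate plaintext and sometimes which algorithm it assumed; the check a practitioner wants is to recompute locally. The following is an added example, not from the original writeup, that narrows the algorithms by digest length and reports which of them, if any, turn the candidate into the digest quoted above. The digest is the one from the pickle; the function names are mine.

```python
"""Verify a plaintext candidate from an online hash lookup locally, so the
answer does not rest on a third-party site. Added example, not from the
original writeup; FLAG_DIGEST is the digest quoted in the writeup and the
function names are mine."""
import hashlib

FLAG_DIGEST = "a639a21a4a74703fa042d617681aa44bb4d1c08bc5fbf7efd6b45582b0f0d403"


def is_hex_digest(text: str) -> bool:
    return len(text) > 0 and len(text) % 2 == 0 and all(
        c in "0123456789abcdefABCDEF" for c in text)


def candidate_algorithms(digest_hex: str):
    """hashlib algorithms whose output length matches the digest (64 hex
    chars is 32 bytes: sha256, sha3_256, blake2s, ...). shake_* need an
    explicit output length and are skipped."""
    nbytes = len(digest_hex) // 2
    names = []
    for name in sorted({n.lower() for n in hashlib.algorithms_available}):
        if name.startswith("shake"):
            continue
        try:
            if hashlib.new(name).digest_size == nbytes:
                names.append(name)
        except ValueError:  # advertised by OpenSSL but not constructible here
            continue
    return names


def matching_algorithms(candidate: str, digest_hex: str):
    """Names of the algorithms under which candidate hashes to digest_hex."""
    if not is_hex_digest(digest_hex):
        raise ValueError("not a hex digest")
    digest_hex = digest_hex.lower()
    data = candidate.encode()
    return [name for name in candidate_algorithms(digest_hex)
            if hashlib.new(name, data).hexdigest() == digest_hex]


if __name__ == "__main__":
    print("length-compatible:", candidate_algorithms(FLAG_DIGEST))
    print("matches for 'Yougotit':", matching_algorithms("Yougotit", FLAG_DIGEST))
```

An empty match list means the site's answer was for a salted, iterated or differently encoded input, and the flag should not be submitted on the strength of the lookup alone.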
