Capture the Flag

    This thread is dedicated to 'capture-the-flag' challenges. Its purpose is to act as a place where members can upload compiled projects which demonstrate the use of different techniques and ideas to improve project security.

    Compiled projects should be posted as an open invitation and challenge for others to attempt to reverse-engineer. The challenge might be to capture a project's password or a hidden message. Or to simply capture the project's source code in its entirety. But the basic premise of the challenge remains the same - defeat the project's security mechanisms. Or 'capture its flag' so to speak.

    Apart from being good fun, the motivation here is to share different ideas about project security. And to then put those ideas to the test by inviting others to break that security. It's a good way to gauge 'real world' effectiveness of any ideas you may have. And is also a great way to improve one's own skills and understanding when it comes to AMS and Lua programming in general.

    So, the thread's open for anyone who wants to participate. And I encourage all members to do so. I'd also encourage "follow up" for any CTF challenges which you post. That is to say, after a challenge goes up and its 'flag' has been 'captured', I'd encourage the author of that challenge to follow up by posting the APZ from which the project was originally compiled. Am not saying this is a 'rule' or anything (maybe you want some things kept secret) but is something I'd definitely encourage so that others can learn and benefit from the process.

    So to get things started, below is the first of these capture-the-flag challenges. This one's a long-awaited 'redux' of an example posted in a related thread some time back - but with some core improvements and modifications - and with a new 'flag' to capture.

    Hope everyone has some fun with this thread.
    CTF!

    bi0hazard

  • #2
    Well, I'm back folks. It's been a crazy and hectic few months around here.

    Firstly, let me apologize for the very long delay in getting this thread up and running. I promised some that I'd have it ready ages ago but failed to deliver. I committed myself to a teaching contract at the start of the year which turned out to be way more work than initially anticipated. And as it involved working with HSC level students working towards their university admissions, it would've been remiss of me not to give them my undivided attention. Which meant all else had to get put on hold for a while. So, sorry to those who I've kept waiting.

    Anyway, here it is. This is the 'redux' version of the Daffy Duck CTF Challenge (originally posted in a different thread some time back) which demonstrates a number of techniques that can be used to improve project security.

    Ended up pretty much 'gutting' all of the core functions of the original version, in favor of a more streamlined approach. This version is much more logically organised (and easier to follow) for any who want to analyze its code later on. Also made a conscious choice not to obfuscate the variable names/functions this time - which'll make it less resistant to reversing but easier for folks to study the code.



    The screencap above will be familiar to those who saw the original version. Its outward appearance remains the same but the code is very different and there's been a couple of extra little security features added, too.

    Once again, you can see from the image that the application requires a password which (when correctly entered) will reveal a hidden message. So, your CTF challenge is to capture the password to reveal Daffy Duck's hidden message.

    Again, no need for screencaps - just state the password. Though I'd request the password NOT be made public just yet. If you do manage to figure it out, make a post stating that you've successfully captured the password - but send the actual password to me privately, via PM. Once everyone's had a chance to figure it out, I'll make the password public together with a code-commented version of the project APZ.

    colc
    Hey, Col. The problems/bugs which you identified in the original version have now been addressed. Please don't hesitate to let me know if you encounter any others.

    Imagine Programming
    Hey, sensei. I know the security in this won't keep you out for long. So have thrown in a special little 'easter egg' this time around - just for you! And would luv it if you posted a screencap of that, if/when you come across it (you'll know what I'm referring to when you find it).

    Also, a few caveats for everyone:
    • This example must be run under full Admin privileges (don't try to run it under a guest account)
    • Tested under Win7 & WinXP (but not Win10)
    • This will return false-positives in some of the lesser-known virus-scanners. It's an unavoidable by-product with this type of security. Most of the better-known scanners using more accurate heuristics will return a clean bill of health on it. If you're concerned, just run it in a sandbox instead.

    Happy reversing!
    Attached Files



    • #3
      Minor update (attached):
      - Just needed to reorder one of the functions
      Attached Files



      • #4
        There we go! I don't think there are many people left on the forum to participate in this, however I hope herrin will also pitch in! Anyhow, I've put the flag submission website online at amsctf.0xb.nl. You can apply for an account on that website and select "Challenge Creator / Solver" as role if you want to submit new challenges. Please enter the proper IR forum member URL when you do, so that I can approve your request and send you a message about your account status.

        BioHazard, Herrin or anyone else can then create challenges and post the valid flag there. Be aware that the flag is not stored, however a large hash is. This means that for comparison, a user has to have the exact flag for it to be approved on amsctf.0xb.nl. Anyone on these forums can apply for an account on this website, however I might not approve every 'creator' account for the simple fact that I don't want malicious content on there.

        When Bio has added his challenge there, I will add my LH challenge there as well. Let's go!

        To add a challenge: Login -> Dashboard -> New Challenge. For the IR Forum URL, please refer to the exact post in a thread. You can get the URL to the post if you click the number of the post in the top right of it. I.e. Bio's post before this one is numbered #3, click that and you have the URL.
        Bas Groothedde
        Imagine Programming :: Blog

        AMS8 Plugins
        IMXLH Compiler



        • #5


          really a great job
          compliments bio
          to study in depth



          • #6
            Here's another one. The challenge in this one is to find the correct password and post it to amsctf.0xb.nl after you've applied for an account. This one should not be too difficult, but it might throw people off as well. Think out of the virtual box, because there is none! Don't share screenshots of the correct password, however show a screenshot of the amsctf website displaying that you have succeeded.

            obfuscation-routine0.zip
            Attached Files


            • #7
              Originally posted by herrin View Post

              really a great job
              compliments bio
              to study in depth
              Hey now, that didn't take you long to break my initial security to get at the proj.dat, Herrin. Well done! Remind me to double-padlock all of my cupboards if you ever come around to visit, haha!

              I see you found my custom cryptoKey Generator! But LOL, you'll still have to reverse the encryption process to get at the password - a task which has been known to induce a migraine or two. Good luck, you're halfway there!



              Originally posted by Imagine Programming View Post
              Here's another one. The challenge in this one is to find the correct password and post it to amsctf.0xb.nl after you've applied for an account. This one should not be too difficult, but it might throw people off as well. Think out of the virtual box, because there is none! ...
              Well, I have your source code. And can see your evil MemoryEx plugin has been used. I also have your obfuscation-routine0.LH file but am not sure where to go from here. Wouldn't this require knowledge of how to decompile Lua Header files? Am going to need some tips or clues to move forward with this one, sensei?



              • #8
                I can't give too many tips, however I didn't prevent debuggers. I also don't prevent you hooking into functions, so you could technically separate the Lua part from the rest of the LH file. Also, remember what you can add to an LH file; it's not just Lua, it allows for another language...


                • #9
                  Here are the screenshots that should prove I solved the challenge. I at first didn't use a debugger to solve it, so I couldn't find the easter egg. I asked Bio about this and he instructed me to use one, so the beautiful easter egg shows up. Nice touch, I really love how you even took that into consideration! BioHazard

                  (EDIT) - I also increased the points for obfuscation-routine0, as it didn't seem fair that it was worth less than Bio's challenge. I might have made it a bit more difficult than I anticipated. If anyone doing that challenge has the feeling they're not making progress, ask for another hint.


                  • #10
                    Originally posted by Imagine Programming View Post
                    Here are the screenshots that should prove I solved the challenge. I at first didn't use a debugger to solve it, so I couldn't find the easter egg. I asked Bio about this and he instructed me to use one, so the beautiful easter egg shows up. Nice touch, I really love how you even took that into consideration!
                    Ah-hah, yes. Never doubted you for a second, sensei! Nicely done. And happy that you liked my little 'easter egg' (LOL, shame it's not quite Easter yet). I actually wanted to consult you with that one. Originally, my intention was to code for detection of both 'local' and 'kernel mode' debuggers. Detecting for local debuggers was simple enough but couldn't quite get the call parameters correct for 'remote' (kernel mode) debuggers. Will PM you about that - am guessing that you'll probably know the missing puzzle piece?


                    ...I also increased the points for obfuscation-routine0 ... I might have made it a bit more difficult than I anticipated. If anyone doing that challenge has the feeling they're not making progress, ask for another hint
                    Right then, I'll be taking a closer look. I have the day off from work tomorrow (Wednesday) so will have some free time to investigate properly. Haven't used IMXLH before (just some basic reading) so even though I have the project's source code and can see the LH file in there, am not really sure exactly what I'm looking at. Need some time to analyze, think and reflect. It ain't over till the fat lady sings!

                    How about you, herrin? Any ideas about how to proceed with IP's challenge? LOL, maybe we can team up to collude and conspire? Doubt I can 'whip' IP all by myself - his kungfu is always lethal!
                    .....................................


                    Nb.
                    My Daffy Duck challenge is now up alongside IP's example, on his new CTF website at: https://amsctf.0xb.nl. So for anyone else who's managed to capture its flag, you can submit your answer over there. (Or you can just PM me the password - if you haven't yet registered a new account with IP). And here's some clues for anyone still trying to capture Daffy Duck's password:

                    Clue #1:
                    Herrin's already revealed an important clue with the screenshot he posted (in post #5). It displays the code I used to create a custom cryptoKey generator. Here's a screenshot of that same code snippet - but taken from the code-commented version of my project.apz:




                    Clue #2:
                    And here's a screenshot of another important piece of the project's code:




                    Clue #3:
                    Both of these code-blocks are required to reverse the encryption process that protects the application's password (which is stored locally as encrypted substrings). Decryption requires concatenating the password substrings, followed by:
                    • 5-pass Blowfish decryption
                    • Single-pass RC4 decryption

                    Clue #4:
                    The crypto-keys required for the decryption process are obfuscated. That's what the cryptoKey Generator is for.

                    There ya' go - practically giving it away! Who else is up for the challenge then? How about you, Ulrich? Can we pique your curiosity enough to get involved in this thread? And Rexxy - where are you, mate? Dare say it won't take you very long to figure this one out. And lastly (but never leastly) how about some of the newbies? You're all welcome here and among friends. So don't be too shy about putting in your two cents worth!

                    Come one, come all.

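Added example (not code from the thread, the Daffy Duck project or the amsctf site) contrasting the two storage designs the thread describes: post #10's password kept as encrypted substrings that the program decrypts at run time with keys shipped inside it, and post #4's flag site that keeps only a hash and therefore demands an exact match. Assumptions: RC4 stands in for the whole reversible pipeline (the 5-pass Blowfish stage is not reproduced; any reversible cipher shows the same property), and every key, password and flag value below is a constructed sample.

```python
"""Added example, not code from the thread or the challenge: it contrasts the
reversible password storage that post #10 describes (encrypted substrings,
decrypted at run time with keys that ship inside the program) with the
verifier-only storage that post #4 attributes to amsctf.0xb.nl (only a hash of
the flag is kept, so a submission must match exactly).

Assumptions: RC4 stands in for the whole reversible pipeline (the thread's
5-pass Blowfish stage is not reproduced), and every key, password and flag
below is a constructed sample.
"""
import hashlib
import hmac
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- Scheme 1: reversible storage (the design the challenge describes) ------
SHIPPED_KEY = b"constructed-key-material"   # constructed; must ship with the app
_PLAINTEXT = b"daffy-duck"                   # constructed sample password
_CIPHERTEXT = rc4(SHIPPED_KEY, _PLAINTEXT)
# The ciphertext is held as substrings, as the challenge description says.
ENCRYPTED_SUBSTRINGS = [_CIPHERTEXT[0:2], _CIPHERTEXT[2:5],
                        _CIPHERTEXT[5:8], _CIPHERTEXT[8:10]]


def recover_reversible(parts: list, key: bytes) -> bytes:
    """Concatenate the stored substrings and undo the cipher.

    The program must hold the key to work, so whoever has the program has
    the key; obfuscating it raises the effort but never removes this path.
    """
    return rc4(key, b"".join(parts))


# --- Scheme 2: verifier-only storage (what the flag site is said to do) -----
def store_verifier(flag: str, iterations: int = 200_000) -> dict:
    """Keep a salted PBKDF2 digest of the flag; the flag itself is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", flag.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_submission(record: dict, submission: str) -> bool:
    """Recompute the digest for a submission and compare in constant time.

    Only the exact flag verifies; there is no stored value to decrypt.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", submission.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    print("reversible scheme yields:",
          recover_reversible(ENCRYPTED_SUBSTRINGS, SHIPPED_KEY))
    record = store_verifier("flag{constructed-sample}")
    print("exact flag accepted:",
          verify_submission(record, "flag{constructed-sample}"))
    print("near miss accepted:",
          verify_submission(record, "flag{constructed-sample} "))
```

The first scheme is what the clues in post #10 walk through: once the substrings are concatenated and the key recovered, decryption is mechanical, which is why the thread treats the key generator as the real obstacle. The second scheme has no such step; the only way to verify is to present the exact flag, and the slow salted hash keeps offline guessing expensive.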


                    • #11
                      Edit,
                      You can get full resolution of the screenshot (in Clue#1) by opening it in a separate browser window: https://i.imgur.com/Mlx40or.png
                      Sorry about that.



                      • #12
                        Hint: Use Ghidra, BinaryNinja or IDA64 on the LH module


                        • #13
                          Okay, here's what I've found so far, IP:

                          The source code from the CDD's proj.dat reveals precisely nothing. LOL, because there's basically nothing in there except for this 'decoy message':




                          ... and also this line which just reveals your MemoryEx plugin loading the Lua Header file from the Docs folder:



                          So we know that any and all information regarding the password is stored in that LH file. And that the LH file is a compiled binary. So it's also known that we need a debugger/disassembler to analyse it.

                          But there are two basic obstacles thwarting me

                          i) Local debuggers familiar to me (i.e. OllyDbg, x32dbg, Zeta Debugger, etc) are entirely useless for this particular task - because they can't disassemble LH files. And using them to hook into the target's running process via the autorun.exe doesn't reveal anything useful. (Unless I'm having a 'homer moment' and missing the obvious. Haha, wouldn't be the first time). In fact Zeta Debugger just reports debug info as being 'stripped'. And OllyDbg just seems to lock up. And when using OllyDbg's Step'N'Search plugin to find entry-points on password input, it then just seems to keep running in an endless loop and punishing my CPU in the most unholy of ways. Leaves me scratching my head in bewilderment?

                          ii) Which all leads me back to your most recent clue: to disassemble the LH file with either IDA Pro or the NSA's demon spawn, Ghidra. LOL, it just *****s me up that they chose to name their software after an armless, bipedal, bat-winged dragon with three heads and two tails. Must have been a day of self-reflection for the NSA when they came up with that one.

                          So I went with your clue and tried those programs. Even had a whack at it with Binary Ninja. However when looking at the disassembled code in these programs, I really have no idea how to proceed. Normally, I'd expect to see a way to get the target-program's process up & running so a search could be made for entry-points on the password field. But I can't intuit how to work with these programs (at least not without wading through all their documentation). So short of doing just that, it's safe to say - I'm STUCK!

                          Maybe Rex has some ideas about how to do this? Or I think we might need more clues. Keep in mind, there aren't actually that many here who'd even be familiar with what IMXLH is. Let alone how to reverse it.



                          • #14

                            something here too
                            Attached Files



                            • #15
                              Originally posted by BioHazard View Post
                              Okay, here's what I've found so far, IP:

                              The source code from the CDD's proj.dat reveals precisely nothing. LOL, because there's basically nothing in there except for this 'decoy message':




                              ... and also this line which just reveals your MemoryEx plugin loading the Lua Header file from the Docs folder:

                              Hehe, do you like that decoy message? Anyhow, you're on the right track when it comes to reversing it - quite accurately too! Just a few more steps to take!

                              Originally posted by BioHazard View Post
                              So we know that any and all information regarding the password is stored in that LH file. And that the LH file is a compiled binary. So it's also known that we need a debugger/disassembler to analyse it.

                              But there are two basic obstacles thwarting me

                              i) Local debuggers familiar to me (i.e. OllyDbg, x32dbg, Zeta Debugger, etc) are entirely useless for this particular task - because they can't disassemble LH files. And using them to hook into the target's running process via the autorun.exe doesn't reveal anything useful. (Unless I'm having a 'homer moment' and missing the obvious. Haha, wouldn't be the first time). In fact Zeta Debugger just reports debug info as being 'stripped'. And OllyDbg just seems to lock up. And when using OllyDbg's Step'N'Search plugin to find entry-points on password input, it then just seems to keep running in an endless loop and punishing my CPU in the most unholy of ways. Leaves me scratching my head in bewilderment?

                              ii) Which all leads me back to your most recent clue: to disassemble the LH file with either IDA Pro or the NSA's demon spawn, Ghidra. LOL, it just *****s me up that they chose to name their software after an armless, bipedal, bat-winged dragon with three heads and two tails. Must have been a day of self-reflection for the NSA when they came up with that one.

                              So I went with your clue and tried those programs. Even had a whack at it with Binary Ninja. However when looking at the disassembled code in these programs, I really have no idea how to proceed. Normally, I'd expect to see a way to get the target-program's process up & running so a search could be made for entry-points on the password field. But I can't intuit how to work with these programs (at least not without wading through all their documentation). So short of doing just that, it's safe to say - I'm STUCK!

                              Maybe Rex has some ideas about how to do this? Or I think we might need more clues. Keep in mind, there aren't actually that many here who'd even be familiar with what IMXLH is. Let alone how to reverse it.
                              Debuggers do in fact help you out when autorun.exe is running, but you need to know where to set the breakpoint. What is behind a function call routine (i.e. loadedLH.AssemblyName) - that would take a lot of work to reverse, considering you have to jam your debugger through all the code executed by AMS and Lua before the instruction pointer is set to the start of the assembled code. So using a debugger on autorun.exe would work, but would cost you a lot of effort.

                              When you look at the disassembled LH module and view all the contents in, i.e., IDA64, there should come a point in which you might recognise something. Press C after points of recognition, and with a certain attempt IDA will know what to do. I'll stop now before I give too much away haha!

                              herrin, indeed, the On Key of that input invokes some code! Follow the code!