
Baltic CTF: North America 400

This entry was posted on May 27 2012

Just give me a key. https://www.dropbox.com/s/tp14wjlmaro55t3/0.rar

Maybe you need a pass for this file? ok, it's 3

Looking at 0.rar, we saw that it contained another RAR file, 1.rar. Extracting 0.rar with the password 3 gave us 1.rar, which required a password of its own.

A trial version of "Rar Password Cracker" found that second password: 5. This revealed 2.rar, whose password turned out to be 11.

It was obvious that recovering the key for every RAR file this way would not be feasible, so we wrote a bash script to try the passwords. Two observations narrowed the search: every password found with "Rar Password Cracker" consisted only of digits, so the character set can be restricted to digits, and each key was higher than the previous one, so the search for the next key can start just above the previous key.

#!/bin/bash
# The key for 0.rar is known to be 3, so the first window is small.
start=3
end=9

# Loop over the RAR files (0.rar, 1.rar, 2.rar, ...)
for j in $(seq 0 100); do
    found=0
    # Try every key in [start, end]; the next key is always higher than the previous one.
    for i in $(seq "${start}" "${end}"); do
        if ./7z.exe x -y -trar -p"${i}" "${j}.rar" > /dev/null; then
            # Found it. The next key is searched for in (key, 3*key].
            echo "Password ${j}.rar: ${i}"
            start=$((i + 1))
            end=$((i * 3))
            found=1
            break
        fi
    done
    # Stop instead of silently trying the same window on the next archive.
    if [ "${found}" -eq 0 ]; then
        echo "No key in [${start}, ${end}] for ${j}.rar" >&2
        exit 1
    fi
done

Password 0.rar: 3
Password 1.rar: 5
Password 2.rar: 11
Password 3.rar: 17
Password 4.rar: 37
Password 5.rar: 67
Password 6.rar: 131
Password 7.rar: 257
Password 8.rar: 521
Password 9.rar: 1031
Password 10.rar: 2053
Password 11.rar: 4099
Password 12.rar: 8209
Password 13.rar: 16411

This approach was not very fast. We also noticed that, at least for the higher numbers, the next key is close to twice the previous key, so we wrote a Python script with a better search: start at twice the previous key and probe outward from there (2p, 2p-1, 2p+1, 2p-2, 2p+2, ...). In hindsight the pattern is exact: every key in the list below is the smallest prime above a power of two (3 above 2, 5 above 4, 11 above 8, and so on, up to 2^128 + 51 for final.rar), which is also what the flag hints at.

In the end there were RAR files 0.rar through 126.rar, and 126.rar contained final.rar.

The final script we used, which also handled final.rar:

#!/usr/bin/env python3

import subprocess

# We know that the first key is 3, but because every probe starts at
# prev_key * 2, starting from 2 (first probe 4, then 3) is the natural choice.
prev_key = 2

# Loop over the RAR archives (127 numbered ones plus final.rar):
for archive_id in range(0, 128):

    # "127.rar" doesn't exist; that archive is named "final.rar".
    if archive_id == 127:
        archive_id = 'final'

    double_key = prev_key * 2
    try_key = double_key
    key_found = False
    step = 1
    pos_neg = -1

    while not key_found:

        # Build the command line, one argument per list element.
        # unrar_cmd = ['7z', 'e', '-y', '-trar', '-p' + str(try_key), str(archive_id) + '.rar']
        unrar_cmd = ['unrar', 'e', '-y', '-p' + str(try_key), str(archive_id) + '.rar']

        # Discard unrar's stdout and stderr; only the exit status matters.
        error = subprocess.call(unrar_cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

        if error == 0:
            # Extraction succeeded, so this is the key.
            prev_key = try_key
            key_found = True
            print('Password {0}.rar: {1}'.format(archive_id, try_key))
        else:
            # Next candidate: alternate below and above double_key,
            # widening the distance by one after each pair.
            if pos_neg == -1:
                try_key = double_key - step
                pos_neg = 1
            else:
                try_key = double_key + step
                pos_neg = -1
                step += 1
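The same search as a reusable function, added here as an example; it is not part of the original write-up. The probe order and the starting value (prev_key = 2, so 0.rar is tried with 4 and then 3) are those of the script above. The simulated oracle is constructed from the keys already recovered, so the strategy and its cost can be checked without the archives; unrar_oracle is the hypothetical drop-in that runs the real extraction.

```python
#!/usr/bin/env python3
"""The write-up's key search (start at twice the previous key, then probe
2p-1, 2p+1, 2p-2, 2p+2, ...) split out from the unrar call, so the strategy
can be run against any oracle and its cost measured.  Added example, not
the original script."""
import subprocess
from itertools import count


def candidate_keys(prev_key):
    """Keys in the order the write-up's Python script tries them."""
    centre = 2 * prev_key
    yield centre
    for step in count(1):
        yield centre - step
        yield centre + step


def tries_for(prev_key, key):
    """Number of oracle calls the search spends going from prev_key to key."""
    d = key - 2 * prev_key
    if d == 0:
        return 1
    return -2 * d if d < 0 else 2 * d + 1


def crack_chain(oracle, archives, first_prev=2, max_tries=100_000):
    """oracle(archive, key) -> True when key opens archive.
    Returns ({archive: key}, total oracle calls).  first_prev=2 makes the
    first probes for 0.rar 4 and then 3, as in the original script."""
    found, prev, calls = {}, first_prev, 0
    for archive in archives:
        for tries, key in enumerate(candidate_keys(prev), 1):
            if tries > max_tries:
                raise RuntimeError(f'no key for {archive} within {max_tries} tries')
            calls += 1
            if oracle(archive, key):
                found[archive] = key
                prev = key
                break
    return found, calls


def unrar_oracle(archive, key):
    """Real oracle (hypothetical helper): extract <archive>.rar with the candidate key."""
    cmd = ['unrar', 'e', '-y', '-p' + str(key), f'{archive}.rar']
    return subprocess.call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0


# Constructed stand-in for the archives: the first keys recovered in the
# write-up, so the strategy can be checked without the RAR files.
KNOWN_KEYS = [3, 5, 11, 17, 37, 67, 131, 257, 521, 1031, 2053, 4099, 8209, 16411]


def simulated_oracle(archive, key):
    return KNOWN_KEYS[archive] == key


if __name__ == '__main__':
    keys, calls = crack_chain(simulated_oracle, range(len(KNOWN_KEYS)))
    for archive, key in keys.items():
        print(f'Password {archive}.rar: {key}')
    print(f'{calls} oracle calls in total')
    # Against the real archives: crack_chain(unrar_oracle, list(range(127)) + ['final'])
```

Running it with the simulated oracle shows why the bash scan was slow: the fourteen keys above cost 160 oracle calls in total with this strategy, against roughly 16,400 for a linear scan that starts at the previous key. tries_for gives the cost of each step directly (2d calls when the key is d below twice the previous one, 2d+1 when it is d above), which is the number to watch if the gap to the next key ever stops being small.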

$ ./rar-cracking.py
Password 0.rar: 3
Password 1.rar: 5
Password 2.rar: 11
Password 3.rar: 17
Password 4.rar: 37
Password 5.rar: 67
Password 6.rar: 131
Password 7.rar: 257
Password 8.rar: 521
Password 9.rar: 1031
Password 10.rar: 2053
Password 11.rar: 4099
Password 12.rar: 8209
Password 13.rar: 16411
Password 14.rar: 32771
Password 15.rar: 65537
Password 16.rar: 131101
Password 17.rar: 262147
Password 18.rar: 524309
Password 19.rar: 1048583
Password 20.rar: 2097169
Password 21.rar: 4194319
Password 22.rar: 8388617
Password 23.rar: 16777259
Password 24.rar: 33554467
Password 25.rar: 67108879
Password 26.rar: 134217757
Password 27.rar: 268435459
Password 28.rar: 536870923
Password 29.rar: 1073741827
Password 30.rar: 2147483659
Password 31.rar: 4294967311
Password 32.rar: 8589934609
Password 33.rar: 17179869209
Password 34.rar: 34359738421
Password 35.rar: 68719476767
Password 36.rar: 137438953481
Password 37.rar: 274877906951
Password 38.rar: 549755813911
Password 39.rar: 1099511627791
Password 40.rar: 2199023255579
Password 41.rar: 4398046511119
Password 42.rar: 8796093022237
Password 43.rar: 17592186044423
Password 44.rar: 35184372088891
Password 45.rar: 70368744177679
Password 46.rar: 140737488355333
Password 47.rar: 281474976710677
Password 48.rar: 562949953421381
Password 49.rar: 1125899906842679
Password 50.rar: 2251799813685269
Password 51.rar: 4503599627370517
Password 52.rar: 9007199254740997
Password 53.rar: 18014398509482143
Password 54.rar: 36028797018963971
Password 55.rar: 72057594037928017
Password 56.rar: 144115188075855881
Password 57.rar: 288230376151711813
Password 58.rar: 576460752303423619
Password 59.rar: 1152921504606847009
Password 60.rar: 2305843009213693967
Password 61.rar: 4611686018427388039
Password 62.rar: 9223372036854775837
Password 63.rar: 18446744073709551629
Password 64.rar: 36893488147419103363
Password 65.rar: 73786976294838206473
Password 66.rar: 147573952589676412931
Password 67.rar: 295147905179352825889
Password 68.rar: 590295810358705651741
Password 69.rar: 1180591620717411303449
Password 70.rar: 2361183241434822606859
Password 71.rar: 4722366482869645213711
Password 72.rar: 9444732965739290427421
Password 73.rar: 18889465931478580854821
Password 74.rar: 37778931862957161709601
Password 75.rar: 75557863725914323419151
Password 76.rar: 151115727451828646838283
Password 77.rar: 302231454903657293676551
Password 78.rar: 604462909807314587353111
Password 79.rar: 1208925819614629174706189
Password 80.rar: 2417851639229258349412369
Password 81.rar: 4835703278458516698824713
Password 82.rar: 9671406556917033397649483
Password 83.rar: 19342813113834066795298819
Password 84.rar: 38685626227668133590597803
Password 85.rar: 77371252455336267181195291
Password 86.rar: 154742504910672534362390567
Password 87.rar: 309485009821345068724781063
Password 88.rar: 618970019642690137449562141
Password 89.rar: 1237940039285380274899124357
Password 90.rar: 2475880078570760549798248507
Password 91.rar: 4951760157141521099596496921
Password 92.rar: 9903520314283042199192993897
Password 93.rar: 19807040628566084398385987713
Password 94.rar: 39614081257132168796771975177
Password 95.rar: 79228162514264337593543950397
Password 96.rar: 158456325028528675187087900777
Password 97.rar: 316912650057057350374175801351
Password 98.rar: 633825300114114700748351602943
Password 99.rar: 1267650600228229401496703205653
Password 100.rar: 2535301200456458802993406410833
Password 101.rar: 5070602400912917605986812821771
Password 102.rar: 10141204801825835211973625643089
Password 103.rar: 20282409603651670423947251286127
Password 104.rar: 40564819207303340847894502572071
Password 105.rar: 81129638414606681695789005144163
Password 106.rar: 162259276829213363391578010288167
Password 107.rar: 324518553658426726783156020576289
Password 108.rar: 649037107316853453566312041152659
Password 109.rar: 1298074214633706907132624082305051
Password 110.rar: 2596148429267413814265248164610099
Password 111.rar: 5192296858534827628530496329220121
Password 112.rar: 10384593717069655257060992658440473
Password 113.rar: 20769187434139310514121985316880427
Password 114.rar: 41538374868278621028243970633760839
Password 115.rar: 83076749736557242056487941267521569
Password 116.rar: 166153499473114484112975882535043101
Password 117.rar: 332306998946228968225951765070086169
Password 118.rar: 664613997892457936451903530140172297
Password 119.rar: 1329227995784915872903807060280345027
Password 120.rar: 2658455991569831745807614120560689193
Password 121.rar: 5316911983139663491615228241121378581
Password 122.rar: 10633823966279326983230456482242756773
Password 123.rar: 21267647932558653966460912964485513283
Password 124.rar: 42535295865117307932921825928971026459
Password 125.rar: 85070591730234615865843651857942052871
Password 126.rar: 170141183460469231731687303715884105757
Password final.rar: 340282366920938463463374607431768211507

The final.rar file contained a key.key file:

$ cat key.key
looks like you a FACTORMAN!

Solution: FACTORMAN!

Later we also re-coded the same search in Perl, to check whether it is faster than the Python version.

#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;

my $sevenZ  = "7z x -y -trar -p";
my $unrar   = "unrar e -o+ -p";          # alternative extractor
my $basekey = Math::BigInt->new('3');    # first probe for 0.rar
my $offset  = Math::BigInt->bzero();
my $archive = 0;

# Loop over all the RAR archives
while (1) {
    if ($archive == 127) {
        $archive = "final";
    }

    my $plusminus = 1;
    $offset->bzero();
    my $flag = 1;

    # Probe basekey, basekey+1, basekey-1, basekey+2, basekey-2, ...
    while (1) {
        $plusminus = $plusminus * (-1);
        my $bruteforceKey = $basekey + $plusminus * $offset;
        my $unrarCommand  = $sevenZ . $bruteforceKey->bstr() . " " . $archive . ".rar > /dev/null 2>&1";
        system($unrarCommand);
        if ($? == 0) {
            print "Key for " . $archive . ".rar is: " . $bruteforceKey . "\n";
            # The next key is close to twice this one.
            $basekey = 2 * $bruteforceKey;
            last;
        }

        # Grow the offset after each "-offset" probe (every second probe).
        if ($flag != 0) {
            $offset->badd(1);
            $flag = 0;
        } else {
            $flag = 1;
        }
    }

    if ($archive eq "final") {
        last;
    } else {
        $archive++;
    }
}

Baltic CTF: South America 100

This entry was posted on May 27 2012

root@bt:/tmp# cat /home/rev100/.bash_history
lynx "http://marc.info/?l=linux-kernel&m=XXXXXXXXXXXXXXX&w=2"
cd /tmp/
touch exploit.c
nano expoit.c
gcc -o doit exploit.c
strip doit
echo "evil-code" > /dev/null
./doit
# Download

https://www.dropbox.com/s/1mebjt3cndederr/doit

# Question:
which is equal to XXXXXXXXXXXXXXX?

Let's find this kernel exploit in the mailing list archive.

Opening the file in IDA gives only one string:
error:%s\n

IDA also shows a few distinctive function names in the binary that can be used to find the exploit via Google:

  1. socketpair
  2. send_fd
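An added example (not from the original write-up) of the same triage without IDA: it lists the binary's printable strings, the way `strings -a` does, and the names in its symbol tables. `strip` removes .symtab, so local names such as send_fd are normally lost, but imports in .dynsym such as socketpair survive and are what a search engine query keys on. The sample ELF with the imports `socketpair`, `sendmsg`, `perror` and the `error:%s` string is a fixture constructed inside the script, not the challenge binary; pass a path to analyse a real file.

```python
#!/usr/bin/env python3
"""Triage a stripped ELF without IDA: list its printable strings and the
names in its symbol tables.  Added example; only little-endian ELF64 is
handled."""
import re
import struct

SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11
EHDR = '<16sHHIQQQIHHHHHH'    # Elf64_Ehdr
SHDR = '<IIQQQQIIQQ'          # Elf64_Shdr
SYM = '<IBBHQQ'               # Elf64_Sym (24 bytes)


def printable_strings(data, min_len=4):
    """What `strings -a` prints: runs of at least min_len printable ASCII bytes."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


def elf_symbol_names(data):
    """Names from every SHT_SYMTAB / SHT_DYNSYM section of a little-endian ELF64."""
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('only little-endian ELF64 is handled here')
    ehdr = struct.unpack_from(EHDR, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    names = []
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        str_off = shdrs[sh_link][4]          # sh_link points at the matching string table
        for j in range(sh_size // sh_entsize):
            st_name = struct.unpack_from('<I', data, sh_offset + j * sh_entsize)[0]
            end = data.index(b'\x00', str_off + st_name)
            name = data[str_off + st_name:end].decode('ascii', 'replace')
            if name:                          # index 0 is the unnamed null symbol
                names.append(name)
    return names


def triage(data):
    """Strings and symbol names, de-duplicated, in file order."""
    return {'strings': list(dict.fromkeys(printable_strings(data))),
            'symbols': list(dict.fromkeys(elf_symbol_names(data)))}


def build_sample_elf(imports, rodata):
    """Constructed fixture (not the challenge binary): a minimal ELF64 with a
    NULL section, a .dynsym naming `imports`, its .dynstr, and `rodata`."""
    dynstr = b'\x00' + b''.join(n.encode() + b'\x00' for n in imports)
    syms, name_off = b'\x00' * 24, 1          # null symbol first
    for n in imports:
        syms += struct.pack(SYM, name_off, 0x12, 0, 0, 0, 0)   # STB_GLOBAL | STT_FUNC
        name_off += len(n) + 1
    dynstr_off = 64 + 3 * 64                  # header + three section headers
    dynsym_off = dynstr_off + len(dynstr)
    ehdr = struct.pack(EHDR, b'\x7fELF\x02\x01\x01' + b'\x00' * 9,
                       2, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 3, 0)

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack(SHDR, 0, sh_type, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_DYNSYM, dynsym_off, len(syms), 2, 24)
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0))
    return ehdr + shdrs + dynstr + syms + rodata


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            data = f.read()
    else:
        data = build_sample_elf(['socketpair', 'sendmsg', 'perror'], b'\x00error:%s\n\x00')
    for kind, items in triage(data).items():
        print(kind, items)
```

The symbol list is the useful half: format strings such as error:%s are far too common to search for on their own, whereas the set of imported libc functions narrows a mailing-list search considerably. The parser walks the section headers rather than the program headers, so it needs an unstripped section table; a binary whose section headers were deliberately removed would need the PT_DYNAMIC route instead.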

Browsing the linux-kernel section of http://marc.info and opening a message shows that the original mailing list is hosted at http://vger.kernel.org

The following search string in google, gives interesting results:
http://vger.kernel.org/ error: %s\n socketpair send_fd
I found this program lying around on my laptop. It kills my box
(2.6.35) instantly by consuming a lot of memory (allocated by the
kernel, so the process doesn't get killed by the OOM killer). As far
as I can tell, the memory isn't being freed when the program exits
either. Maybe it will eventually get cleaned up the UNIX socket
garbage collector thing, but in that case it doesn't get called
quickly enough to save my machine at least.

Searching Google for this text together with the http://marc.info site gives:
http://marc.info/?l=linux-kernel&m=129055087923940

Solution: 129055087923940

100 points earned.