
Hack.LU CTF 2012: Big Zombie Business writeup

This entry was posted on Oct 25 2012

It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” as they call it. Is there a chance you can reverse this obfuscation to extract the Flag?

credits: 200 +3 (1st), +2 (2nd), +1 (3rd)

So, we started to access the page in browsers. In chrome I couldn’t access it, so I used firefox instead for this challenge.

Now let’s see the source:


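/* Inline stylesheet of the challenge page, shown as a single line. */
html,body{background:#000;height:100%;min-height:100%}#zombie{border:1px solid #fff;}#zombie2{color:#fff}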
// Inline script as shown in the page source: identifiers are spelled with \uXXXX escapes and
// string literals with octal escapes, so nothing is readable until the escapes are decoded.
// NOTE(review): several octal escapes in this listing seem to have lost their leading
// backslash (e.g. '45\143...' where the decoded text begins with '%c'), so decode from the
// served page rather than from this copy - confirm.
(\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){\u0069\u0066(\u0074\u0079\u0070\u0065\u006f\u0066 \u0063\u006f\u006e\u0073\u006f\u006c\u0065==\u0075\u006e\u0064\u0065\u0066\u0069\u006e\u0065\u0064)\u0063\u006f\u006e\u0073\u006f\u006c\u0065={'\154\157\147':\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){}};\u0073\u0065\u0074\u0049\u006e\u0074\u0065\u0072\u0076\u0061\u006c((\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){\u0076\u0061\u0072 \u0063=\u0063\u006f\u006e\u0073\u006f\u006c\u0065.\u006c\u006f\u0067;\u0076\u0061\u0072 \u0075=\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){\u0063('45\143\102\162\141\141\141\141\101\101\101\111\116\132\132\132\132','\143\157\154\157\16272\162\145\14473\146\157\156\16455\163\151\172\14572626060\160\17073')};\u0075(),\u0075(),\u0075();\u0072\u0065\u0074\u0075\u0072\u006e \u0075})(),100);\u0066=\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e='\156\157\146\154\141\147'};\u006e={\u0076\u0061\u006c\u0075\u0065:\u0066,\u0063\u006f\u006e\u0066\u0069\u0067\u0075\u0072\u0061\u0062\u006c\u0065:\u0066\u0061\u006c\u0073\u0065};(\u0061=\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074.\u0061\u0064\u0064\u0045\u0076\u0065\u006e\u0074\u004c\u0069\u0073\u0074\u0065\u006e\u0065\u0072)('\104\117\115\101\164\164\162\115\157\144\151\146\151\145\144',\u0066,\u0066\u0061\u006c\u0073\u0065);a('\104\117\115\116\157\144\145\111\156\163\145\162\164\145\144',\u0066,\u0066\u0061\u006c\u0073\u0065);\u0061('\104\117\115\103\150\141\162\141\143\164\145\162\104\141\164\141\115\157\144\151\146\151\145\144',\u0066,\u0066\u0061\u006c\u0073\u0065);\u0066\u006f\u0072(\u0069 \u0069\u006e 
\u006d=['\167\162\151\164\145','\167\162\151\164\145\154\156','\143\162\145\141\164\145\105\154\145\155\145\156\164','\141\160\160\145\156\144\103\150\151\154\144','\143\154\157\156\145\116\157\144\145','\151\156\163\145\162\164\102\145\146\157\162\145','\162\145\160\154\141\143\145\103\150\151\154\144','\143\162\145\141\164\145\105\154\145\155\145\156\164\116\123'])\u004f\u0062\u006a\u0065\u0063\u0074.\u0064\u0065\u0066\u0069\u006e\u0065\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079(\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074.\u0063\u006f\u006e\u0073\u0074\u0072\u0075\u0063\u0074\u006f\u0072.\u0070\u0072\u006f\u0074\u006f\u0074\u0079\u0070\u0065,\u006d[\u0069],\u006e);\u0076\u0061\u0072 \u0079=\u0061\u006c\u0065\u0072\u0074;\u004f\u0062\u006a\u0065\u0063\u0074.\u0064\u0065\u0066\u0069\u006e\u0065\u0050\u0072\u006f\u0070\u0065\u0072\u0074y(\u0077\u0069\u006e\u0064\u006f\u0077,'\141\154\145\162\164',{\u0076\u0061\u006c\u0075\u0065:\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(){\u0079('\142\162\141\141\141\151\156\172\172\172')},\u0063\u006f\u006e\u0066\u0069\u0067\u0075\u0072\u0061\u0062\u006c\u0065:\u0066\u0061\u006c\u0073\u0065});\u0076\u0061\u0072 \u007a=\u0070\u0072\u006f\u006d\u0070\u0074;\u004f\u0062\u006a\u0065\u0063\u0074.\u0064\u0065\u0066\u0069\u006e\u0065\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079(\u0077\u0069\u006e\u0064\u006f\u0077,'\160\162\157\155\160\164',{\u0076\u0061\u006c\u0075\u0065:\u0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e(\u0071){brain(z('\127\150\141\16447\16340\155\17140\172\157\155\142\151\14540\156\141\155\14577'),\u0071)},\u0063\u006f\u006e\u0066\u0069\u0067\u0075\u0072\u0061\u0062\u006c\u0065:\u0066\u0061\u006c\u0073\u0065});\u0066\u006f\u0072(\u0069 \u0069\u006e \u006d=['\143\157\156\146\151\162\155','\143\157\156\163\157\154\145'])\u004f\u0062\u006a\u0065\u0063\u0074.\u0064\u0065\u0066\u0069\u006e\u0065\u0050\u0072\u006f\u0070\u0065\u0072\u0074\u0079(\u0077\u0069\u006e\u0064\u006f\u0077,\u006d[\u0069],\u006e);})();

// Separate statement: a with-block over a new XMLHttpRequest that opens a GET with the async
// flag set to false and, when status == 200, passes responseText to eval.
\u0077\u0069\u0074\u0068(\u006e\u0065\u0077 \u0058\u004d\u004c\u0048\u0074\u0074\u0070\u0052\u0065\u0071\u0075\u0065\u0073\u0074()){\u006f\u0070\u0065\u006e('\107\105\124','77\151756361',\u0066\u0061\u006c\u0073\u0065);\u0073\u0065\u006e\u0064();\u0069\u0066(\u0073\u0074\u0061\u0074\u0075\u0073==200)\u0065\u0076\u0061\u006c(\u0072\u0065\u0073\u0070\u006f\u006e\u0073\u0065\u0054\u0065\u0078\u0074)}

Hmm … some obfuscated JavaScript. I tried to decode some of it:

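/* Inline stylesheet of the challenge page (not obfuscated). */
html,
body {
  background: #000;
  height: 100%;
  min-height: 100%;
}

#zombie {
  border: 1px solid #fff;
}

#zombie2 {
  color: #fff;
}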

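// Decoded form of the inline challenge script: only the \uXXXX and octal escapes are
// resolved, the logic is kept as in the obfuscated listing. Everything in it is
// anti-analysis: it floods the console and makes DOM changes navigate to 'noflag'.
(function () {
  // typeof always yields a string, so comparing it with the value `undefined` is never
  // true and this console stub is never installed.
  if (typeof console == undefined) console = {
    'log': function () {}
  };

  // The inner function logs three times at once and returns `u`, which setInterval then
  // calls every 100 ms, so the console keeps filling with the styled message.
  setInterval((function () {
    var c = console.log;
    var u = function () {
      c('%cBraaaaAAAINZZZZ', 'color:red;font-size:200px;')
    };
    u(), u(), u();
    return u
  })(), 100);

  // Tamper response: navigating away to 'noflag'.
  f = function () {
    location = 'noflag'
  };

  // Property descriptor that installs `f` as a non-configurable value.
  n = {
    value: f,
    configurable: false
  };

  // Any attribute change, node insertion or text change in the document triggers `f`.
  (a = document.addEventListener)('DOMAttrModified', f, false);
  a('DOMNodeInserted', f, false);
  a('DOMCharacterDataModified', f, false);

  // The document methods used to write or insert content are replaced by `f` as well.
  for (i in m = ['write', 'writeln', 'createElement', 'appendChild', 'cloneNode', 'insertBefore', 'replaceChild', 'createElementNS']) Object.defineProperty(document.constructor.prototype, m[i], n);

  // alert() ignores its argument and always shows the same text through the saved original.
  var y = alert;
  Object.defineProperty(window, 'alert', {
    value: function () {
      y('braaainzzz')
    },
    configurable: false
  });

  // prompt(q) asks for the zombie name through the saved original prompt and hands the
  // answer plus `q` to brain(), which is not defined in this script.
  var z = prompt;
  Object.defineProperty(window, 'prompt', {
    value: function (q) {
      brain(z("What's my zombie name?"), q)
    },
    configurable: false
  });

  // confirm and console are replaced by `f` too, so touching them also navigates away.
  for (i in m = ['confirm', 'console']) Object.defineProperty(window, m[i], n);
})();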

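// Second-stage loader: a synchronous GET (third argument of open() is false) whose response
// body is passed to eval when the status is 200, so that code is not part of the page source.
// Presumably this is where brain() and _() come from - confirm against the response.
// NOTE(review): the octal escapes of the URL in the obfuscated listing do not appear to
// spell '?i=23'; check the value against the served page.
with (new XMLHttpRequest()) {
  open('GET', '?i=23', false);
  send();
  if (status === 200) eval(responseText);
}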

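So now it’s somewhat better. We analysed it and found that the script was sending us to a file named “noflag” with the content “No flag for you :) ”, which tricked us into thinking that the flag was somewhere else. The redirect is the script’s tamper response: the same function that sets location to 'noflag' is registered for the DOM mutation events and installed over document methods such as write and createElement. Also: when NoScript was activated, we saw this image in the Firebug console: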


Zombie

Now, after a lot of struggling with the JavaScript code, I decided to use a JavaScript add-on to see the JavaScript as the browser interpreted it. We ran it and saw interesting things:

/**
 * Gate in front of the decoder: forwards `b` to `_` only when `a` is exactly the
 * expected zombie name, and does nothing otherwise.
 *
 * @param {*} a - Answer to compare (strict equality) with the expected name.
 * @param {*} b - Value handed to `_` when the answer matches.
 */
function brain(a, b) {
  if (a !== "charlie fucking sheen") {
    return;
  }
  _(b);
}

/**
 * Decoder: XORs each character of the input with the character at the same position in
 * the text of the first <script> element, runs the result as code, then alerts.
 * Because the key is the script text itself, editing that script changes what is decoded.
 *
 * @param {string} __ - Encoded payload; its length bounds the loop.
 */
function _(__) {
  const keyText = document.querySelector("script").textContent;
  const decoded = Array.from({ length: __.length }, function (unused, pos) {
    return String.fromCharCode(__.charCodeAt(pos) ^ keyText.charCodeAt(pos));
  }).join("");
  // The decoded text is compiled and executed as a function body.
  Function(decoded)();
  alert("you are close");
}


/**
 * Second capture of the same gate: passes `b` on to `_` only if `a` strictly equals the
 * expected zombie name.
 *
 * @param {*} a - Answer to check.
 * @param {*} b - Value forwarded to `_` on a match.
 */
function brain(a, b) {
  const nameMatches = a === "charlie fucking sheen";
  if (!nameMatches) {
    return;
  }
  _(b);
}

/**
 * Second capture of the decoder: character-wise XOR of the input with the text of the
 * first <script> element, then execution of the result and a fixed alert.
 *
 * @param {string} __ - Encoded payload.
 */
function _(__) {
  const scriptText = document.querySelector("script").textContent;
  let plain = "";
  let pos = 0;
  while (pos < __.length) {
    const code = __.charCodeAt(pos) ^ scriptText.charCodeAt(pos);
    plain += String.fromCharCode(code);
    pos++;
  }
  // Runs the decoded text as the body of a new function.
  Function(plain)();
  alert("you are close");
}

/**
 * Third capture of the gate: only the exact string below lets `b` through to `_`.
 *
 * @param {*} a - Answer to check with strict equality.
 * @param {*} b - Value forwarded to `_` on a match.
 */
function brain(a, b) {
  switch (a) {
    case "charlie fucking sheen":
      _(b);
      break;
    default:
      break;
  }
}

// Anti-inspection hook: `r` navigates to "noflag" and is installed as both toString and
// valueOf of brain, so converting the function to a string or primitive calls `r`
// instead of returning its source.
brain.toString = brain.valueOf = r = function () {location = "noflag";};

/**
 * Third capture of the decoder. Each input character is XORed with the character at the
 * same index of the first <script> element's text; the result is executed and an alert
 * is shown afterwards.
 *
 * @param {string} __ - Encoded payload.
 */
function _(__) {
  const key = document.querySelector("script").textContent;
  const pieces = [];
  for (let at = 0; at < __.length; at += 1) {
    pieces.push(String.fromCharCode(__.charCodeAt(at) ^ key.charCodeAt(at)));
  }
  const source = pieces.join("");
  // The decoded text becomes the body of a function that is called immediately.
  Function(source)();
  alert("you are close");
}

// Same hook for the decoder: toString and valueOf of `_` are both set to `r`.
_.toString = _.valueOf = r;

When inserting "charlie fucking sheen" into the box, we get some more interesting things:


Zombie

And

// Decoded payload as shown by the add-on: an anonymous function that assembles the flag
// text. It is a display of the function, not a standalone statement.
function () {
// Reads property `fed` of the first <img> element into the global `x`; `fed` is not
// defined in this listing - presumably set elsewhere in the page, confirm.
x = document.querySelector("img")[fed];
// Picks single characters out of `x` by index and joins the words with "_"; the result
// is left in the global `whoop` and is not displayed by this code.
whoop = "Flag: " + x[0] + x[377] + "_" + x[346] + x[377] + x[568] + "_" + x[18] + x[2] + x[5] + x[90] + x[90] + "_" + x[90] + x[5] + x[32] + x[9] + "_" + x[11] + x[1] + x[98] + x[1] + x[18] + x[131] + x[508] + x[5] + x[12] + x[2];
}

/**
 * Wrapper around the decoded payload: runs an inner function at once which reads
 * property `fed` of the first <img> element into the global `x` and stores the flag text
 * in the global `whoop`. Nothing is returned or displayed.
 */
function anonymous() {
  (function () {
    x = document.querySelector("img")[fed];
    // Character positions in `x`, one list per word of the flag.
    const wordIndexes = [
      [0, 377],
      [346, 377, 568],
      [18, 2, 5, 90, 90],
      [90, 5, 32, 9],
      [11, 1, 98, 1, 18, 131, 508, 5, 12, 2],
    ];
    let text = "Flag: ";
    wordIndexes.forEach(function (indexes, wordNo) {
      if (wordNo > 0) {
        text += "_";
      }
      for (const idx of indexes) {
        text += x[idx];
      }
    });
    whoop = text;
  }());
}

Hmm ... Exactly what we needed! Now, showing the whoop variable in firebug:


Zombie

So:  "do_you_still_like_javascript"

Now, I want to congratulate the organisers, Team Fluxfingers, on a nice challenge and a perfect CTF, and the winners: More Smoked Leet Chicken, PPP and [TechnoPandas]. Congrats!
