Analysing TCP Stream
Looking through the Wireshark capture, we can see a PNG file being transmitted.
We can extract the PNG file (Follow TCP Stream and save the raw payload, or File > Export Objects) and keep it for use later.
Looking further into the stream, we notice an odd transmission going on:
The PA30 bytes stand out; searching for them reveals that they are the magic of Windows binary delta files (the format handled by msdelta.dll), and a blog post on the subject turned out to be useful.
Within the blog, Jaime has kindly included a Python script that performs the binary patching with such delta files through the Windows delta API.
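As an added example (not the write-up's own script and not Jaime's), the following carves the PNG out of the reassembled TCP payload by walking its chunk list to IEND, so the carve stops exactly where the image ends instead of swallowing what follows, and then locates every PA30 delta blob after it. The stream is constructed inline; the delta body is a placeholder, so actually applying it still needs the msdelta-based script from the blog.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PA30_MAGIC = b"PA30"  # magic at the start of a Windows (msdelta) binary delta


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def carve_png(stream: bytes, start: int = 0):
    """Return (png_bytes, offset_after_IEND) for the first complete PNG at or
    after `start`, or None if there is no signature or the image is truncated.
    Each chunk's CRC is verified so a corrupted carve is caught immediately."""
    off = stream.find(PNG_SIG, start)
    if off < 0:
        return None
    pos = off + len(PNG_SIG)
    while pos + 12 <= len(stream):
        length, ctype = struct.unpack(">I4s", stream[pos:pos + 8])
        end = pos + 12 + length
        if end > len(stream):
            break  # chunk runs past the end of the stream: incomplete capture
        data = stream[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", stream[end - 4:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        pos = end
        if ctype == b"IEND":
            return stream[off:pos], pos
    return None


def find_deltas(stream: bytes):
    """Offsets of every PA30 magic in the stream (each one starts a delta blob)."""
    hits, pos = [], 0
    while True:
        pos = stream.find(PA30_MAGIC, pos)
        if pos < 0:
            return hits
        hits.append(pos)
        pos += len(PA30_MAGIC)


# Constructed sample, not the challenge capture: a 1x1 RGB PNG followed by a
# fake PA30 blob, laid out like the reassembled TCP payload.
SAMPLE_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one RGB pixel
    + _chunk(b"IEND", b"")
)
SAMPLE_DELTA = PA30_MAGIC + b"\x00" * 28  # placeholder body, not a real delta
SAMPLE_STREAM = b"HTTP/1.1 200 OK\r\n\r\n" + SAMPLE_PNG + b"\r\n" + SAMPLE_DELTA


if __name__ == "__main__":
    png, end = carve_png(SAMPLE_STREAM)
    print(f"PNG: {len(png)} bytes, ends at stream offset {end}")
    print("PA30 deltas at offsets:", find_deltas(SAMPLE_STREAM))
```

Carving to IEND matters here because the delta bytes sit in the same stream as the image; a naive "save everything after the signature" would leave PA30 junk inside the PNG that later gets fed to the delta script as the base file.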
We are given a VM for this challenge, and that is all we have to work with.
Getting the Binary
Viewing the cron jobs of the VM reveals a binary in
We can then extract the binary out of the VM via scp.
Binary Analysis
A quick look into main reveals references to the Documents directory.
We can find several encrypted files in the Documents directory.
Further down in main of the binary, we can find a function named encrypt.
We are given a GUI application, with 16 different buttons to click on. It seems that when the buttons are clicked in the correct order, the flag will be displayed.
Extracting MMBD File And Analysis
Upon digging into the strings, we can find references to Multimedia Builder. A quick search on GitHub reveals a project that helps to extract the original Multimedia Builder (MMBD) file.
After extracting the MMBD file and opening it in Multimedia Builder, we can see a plugin object.
We are given a docker image to start with.
Upon creating a docker container from the image, a binary named AntiochOS can be extracted.
Binary Analysis
Looking through the binary in IDA, we can find the function that handles the approach command.
The function calculates the CRC32 of the first input (the name). If it matches any of the name hashes in the array, it moves on to ask for the second input.
The second input is also passed through the CRC32 function, and its hash must equal the second value in the matching struct.
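The check above rests on CRC32, which is a checksum, not a hash: any table entry can be hit without knowing the original name. The block below is an added example (not the challenge binary's code) that mirrors the two-stage check over a constructed stand-in table, recovers entries with a wordlist, and forges a four-byte suffix that makes an arbitrary name match a chosen CRC. The names and answers in `_KNOWN` are made up for the demonstration.

```python
import zlib

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ CRC_POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)
# Every table entry has a distinct top byte; that property is what makes
# the register state reversible one byte at a time.
TOP_BYTE_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}
assert len(TOP_BYTE_INDEX) == 256


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


# Constructed stand-in for the binary's array of structs:
# (CRC32 of an accepted name, CRC32 of the answer that name must give).
_KNOWN = [("Arthur", "to seek the Grail"), ("Lancelot", "blue"), ("Galahad", "yellow")]
TABLE = [(crc32(n.encode()), crc32(a.encode())) for n, a in _KNOWN]


def approach(name: bytes, answer: bytes) -> bool:
    """Two-stage check: name CRC must be in the table, then the answer CRC
    must equal the value paired with it."""
    h = crc32(name)
    for name_crc, answer_crc in TABLE:
        if h == name_crc:
            return crc32(answer) == answer_crc
    return False


def dictionary_attack(targets, wordlist):
    """Map each target CRC32 back to a word: with short inputs, CRC32 hides nothing."""
    wanted = set(targets)
    return {crc32(w): w for w in wordlist if crc32(w) in wanted}


def forge_suffix(prefix: bytes, target: int) -> bytes:
    """Four bytes s such that crc32(prefix + s) == target.

    Operates on the raw register (final XOR undone). Backward pass: after each
    update the register's top byte equals the top byte of the table entry that
    was XORed in, so the four table indices can be read off in reverse.
    Forward pass: pick each byte so that (reg ^ byte) & 0xff selects that index.
    """
    reg = crc32(prefix) ^ 0xFFFFFFFF
    cur = target ^ 0xFFFFFFFF
    indices = []
    for _ in range(4):
        i = TOP_BYTE_INDEX[cur >> 24]
        indices.append(i)
        cur = ((cur ^ CRC_TABLE[i]) << 8) & 0xFFFFFFFF  # previous register, low byte unknown
    out = bytearray()
    for i in reversed(indices):
        out.append((reg ^ i) & 0xFF)
        reg = (reg >> 8) ^ CRC_TABLE[i]
    return bytes(out)


if __name__ == "__main__":
    name_crc, answer_crc = TABLE[0]
    fake_name = b"Zoot" + forge_suffix(b"Zoot", name_crc)
    fake_answer = b"Zoot" + forge_suffix(b"Zoot", answer_crc)
    print("forged name accepted:", approach(fake_name, fake_answer))
```

The forged suffix is generally non-printable, which is fine when the input is read as raw bytes; if the binary reads a line with a text routine, the dictionary route (or a longer brute force restricted to printable bytes) is the practical one.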
The challenge provides a decryptor for the files. Simple RE is enough to deduce the encryption algorithm.
Binary Analysis
Looking into the binary, we can easily find the decryption routine. Each byte of the file is decrypted by XOR-ing it with the corresponding key byte, rotating the result left by its index, and then subtracting the index from it.
This routine is applied multiple times.
The contents of the files are decrypted in blocks of 8 bytes, which suggests that the key is 8 bytes long.
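Added example, not the challenge's decryptor: a reimplementation of the routine as described, its exact inverse, and a known-plaintext key recovery. It assumes the rotation is an 8-bit rotate by the byte's index within the block, that the index is the position 0..7 inside each 8-byte block, and that the number of rounds is a parameter, since the text does not state it. The key and plaintext are constructed for the demonstration.

```python
BLOCK = 8  # files are processed in 8-byte blocks, so the key is assumed to be 8 bytes


def rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def decrypt_block(block: bytes, key: bytes, rounds: int) -> bytes:
    """As the decryptor does it: XOR with key[i], rotate left by i, subtract i,
    repeated `rounds` times over the whole block."""
    out = bytearray(block)
    for _ in range(rounds):
        for i in range(len(out)):
            out[i] = (rol8(out[i] ^ key[i], i) - i) & 0xFF
    return bytes(out)


def encrypt_block(block: bytes, key: bytes, rounds: int) -> bytes:
    """Exact inverse: undo the three steps in reverse order, `rounds` times."""
    out = bytearray(block)
    for _ in range(rounds):
        for i in range(len(out)):
            out[i] = ror8((out[i] + i) & 0xFF, i) ^ key[i]
    return bytes(out)


def decrypt(data: bytes, key: bytes, rounds: int) -> bytes:
    return b"".join(decrypt_block(data[i:i + BLOCK], key, rounds)
                    for i in range(0, len(data), BLOCK))


def encrypt(data: bytes, key: bytes, rounds: int) -> bytes:
    return b"".join(encrypt_block(data[i:i + BLOCK], key, rounds)
                    for i in range(0, len(data), BLOCK))


def recover_key(ciphertext: bytes, known_plaintext: bytes, rounds: int) -> bytes:
    """Every output byte depends only on the key byte at its own index, so each
    of the 8 key bytes is brute-forced independently (256 candidates) and
    checked against every known block. A PNG/ELF header of one encrypted file
    is usually enough known plaintext."""
    key = bytearray(BLOCK)
    blocks = [(ciphertext[i:i + BLOCK], known_plaintext[i:i + BLOCK])
              for i in range(0, len(known_plaintext), BLOCK)]
    for i in range(BLOCK):
        for k in range(256):
            ok = True
            for ct, pt in blocks:
                if i >= len(pt):
                    continue
                b = ct[i]
                for _ in range(rounds):
                    b = (rol8(b ^ k, i) - i) & 0xFF
                if b != pt[i]:
                    ok = False
                    break
            if ok:
                key[i] = k
                break
        else:
            raise ValueError(f"no key byte fits index {i}; check rounds/assumptions")
    return bytes(key)


# Constructed demo values, not from the challenge.
SAMPLE_KEY = b"\x13\x37\xc0\xde\xfa\xce\xb0\x0b"
SAMPLE_PLAINTEXT = b"flag{fake_flag!}"
ROUNDS = 3

if __name__ == "__main__":
    ct = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY, ROUNDS)
    print("recovered key:", recover_key(ct, SAMPLE_PLAINTEXT, ROUNDS).hex())
    print(decrypt(ct, SAMPLE_KEY, ROUNDS))
```

With a single round every key byte is uniquely determined by one known block; with several rounds two different candidates can occasionally agree on one byte, which is why `recover_key` checks every known block rather than the first one.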
We are given an HTML file with minimal JavaScript.
The JavaScript takes the base64-encoded string of goldenticket (the ASCII text Z29sZGVudGlja2V0, used as the key) and XORs it with the base64-decoded bytes of P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw== to decrypt the flag.
We can write a script to decrypt the flag, following the logic stated above.
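Such a script, written here as an added example rather than taken from the write-up; the only input it needs is the two strings above, and the one detail that is easy to get backwards is that the key is the base64 encoding of the word, not the word itself:

```python
import base64

KEY_WORD = "goldenticket"
CIPHERTEXT_B64 = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw=="


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation the page's JavaScript performs."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def decrypt_flag(key_word: str = KEY_WORD, ciphertext_b64: str = CIPHERTEXT_B64) -> str:
    # Key = base64 *encoding* of the word, used as ASCII bytes (b"Z29sZGVudGlja2V0").
    # Ciphertext = base64 *decoding* of the constant in the HTML.
    key = base64.b64encode(key_word.encode())
    ciphertext = base64.b64decode(ciphertext_b64)
    return xor_with_key(ciphertext, key).decode()


if __name__ == "__main__":
    print(decrypt_flag())
```

Because XOR is its own inverse, `xor_with_key(plaintext, key)` re-encrypts; that is a quick way to confirm a guessed key direction when a decrypt comes out as garbage.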
Flag:
enter_the_funhouse@flare-on.com