Notes and code for FlareOn7 2020
Challenge 2:
- Padded the UPX file with zeros to adjust the raw size
- Unpacked it with PE Explorer (final-imp-E-2.exe)
- Fixed the IAT in the extracted executable: http://r0x0r.vishalmishra.in/2013/07/rebuilding-import-table.html?m=1
- Used LibPeConv to load the PE and execute the deobfuscation function (main.cpp)
Challenge 3:
- Wrote a game bot to play and win
- Used the OpenCV and pyautogui Python libs
- very useful writeups/code:
Challenge 5:
- Reversed only TKApp.dll and wrote a simple .NET program to get the flag
- The flag is saved as an image
- Needed to extract the runtime.dll resource from the TKApp dll using dnSpy
- Challenge5.sln/Challenge5.cs
Challenge 6:
- Used Exe2Aut.exe to extract the AutoIt script
- Wrote C# code to deobfuscate the script. https://lifeinhex.com/deobfuscating-autoit-scripts/ was a good start.
- Debugged the script using AutoIt Debugger and SciTE. Found the first decryption key (aut01tfan1999) and used its SHA-256 hash as the second decryption key to decrypt a hardcoded binary array. The result is then used to construct an image with the flag.
- https://docs.microsoft.com/en-us/windows/win32/seccrypto/example-c-program--importing-a-plaintext-key helped to understand the key blob header; in our case we had $bin_val_1 = header + keysize (0x20) + sha256(key)
- The final QR code was generated by compiling the script back to an Exe
Tools used:
- https://www.autoitscript.com/wiki/FAQ#How_can_I_debug_my_script.3F
- https://www.autoitscript.com/site/autoit-script-editor/
- http://www.thefoolonthehill.net/drupal/AutoIt%20Debugger
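Added example (not from the challenge or these notes): a small Python builder/parser for the PLAINTEXTKEYBLOB layout that $bin_val_1 follows, i.e. BLOBHEADER, then the DWORD key size (0x20), then SHA-256(key). The BLOBHEADER field values come from wincrypt.h; the algorithm ID (CALG_AES_256, 0x6610) and the ASCII encoding of the passphrase before hashing are assumptions, since the notes only record the key size and the hash.

```python
import hashlib
import struct

# Constants from wincrypt.h for the CryptImportKey plaintext key blob format.
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
# Assumption: a 0x20-byte key points at AES-256; the notes do not name the ALG_ID.
CALG_AES_256 = 0x6610

# BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by dwKeySize, all little-endian.
HEADER_FMT = "<BBHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def build_key_blob(passphrase: str, alg_id: int = CALG_AES_256) -> bytes:
    """header + keysize(0x20) + sha256(passphrase), as described for $bin_val_1."""
    # Assumption: the passphrase is hashed as its ASCII bytes.
    key = hashlib.sha256(passphrase.encode("ascii")).digest()
    header = struct.pack(HEADER_FMT, PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key))
    return header + key


def parse_key_blob(blob: bytes) -> dict:
    """Split a blob back into its header fields and raw key, validating lengths."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + dwKeySize")
    btype, version, reserved, alg_id, key_size = struct.unpack_from(HEADER_FMT, blob)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"unexpected bType 0x{btype:02x}")
    key = blob[HEADER_LEN:HEADER_LEN + key_size]
    if len(key) != key_size:
        raise ValueError("key data truncated")
    return {
        "bType": btype,
        "bVersion": version,
        "reserved": reserved,
        "aiKeyAlg": alg_id,
        "dwKeySize": key_size,
        "key": key,
    }


def key_matches_passphrase(blob: bytes, passphrase: str) -> bool:
    """Check that the key material in the blob is SHA-256 of the given passphrase."""
    expected = hashlib.sha256(passphrase.encode("ascii")).digest()
    return parse_key_blob(blob)["key"] == expected


if __name__ == "__main__":
    blob = build_key_blob("aut01tfan1999")
    fields = parse_key_blob(blob)
    print(f"blob length: {len(blob)} bytes, dwKeySize: 0x{fields['dwKeySize']:x}")
    print("key:", fields["key"].hex())
```

When you pull $bin_val_1 out of a script, run parse_key_blob on it first: if bType or the key size do not match the layout above, the script is not using a plaintext blob and the decryption routine needs another look.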
Challenge 7:
- Buffer overflow in IIS: https://www.exploit-db.com/exploits/41738
- Here is the encoder: https://github.com/un4ckn0wl3z/Alpha2-encoder/blob/master/alpha2.c
- Decoded the alphanumeric shellcode by writing my own decoder in C so I could debug it as standalone code (sdg shows it connecting to port 4444)
- The first shellcode receives a 4-byte length value; XORing it with 'ROXK' gives the size of the buffer that needs to be allocated (0x4D7).
- The data sent to port 4444 from the attacker machine can be recovered from the pcap (the first 4 bytes go to the first recv call, the remaining 0x4D7 bytes to the second recv call).
- It then RC4-decrypts the received buffer and jumps to the second shellcode.
- The second shellcode reads the content of c:\accounts.txt, decodes it using a hardcoded key (intrepidmango), then sends it to port 1337.
- Found the decoded value in memory while debugging the shellcode
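Added example (not from the challenge or these notes): a Python reconstruction of the first-stage framing described above, useful for carving the second stage out of the port 4444 stream in the pcap. It takes the 4-byte length field, XORs it with 'ROXK', reads that many bytes, and RC4-decrypts them. The RC4 key (demo-key), the little-endian interpretation of the length, and the sample stage-2 bytes are assumptions for the demo; the notes do not record the real RC4 key, so substitute it when running this against the capture.

```python
LENGTH_XOR_KEY = b"ROXK"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_length(header: bytes) -> int:
    """Undo the 'ROXK' XOR on the 4-byte length field (assumed little-endian)."""
    if len(header) != 4:
        raise ValueError("length field must be exactly 4 bytes")
    plain = bytes(a ^ b for a, b in zip(header, LENGTH_XOR_KEY))
    return int.from_bytes(plain, "little")


def encode_length(n: int) -> bytes:
    """Inverse of decode_length, used to build a stream the way the attacker side did."""
    return bytes(a ^ b for a, b in zip(n.to_bytes(4, "little"), LENGTH_XOR_KEY))


def wrap_stage2(stage2: bytes, rc4_key: bytes) -> bytes:
    """Attacker side: XORed length field followed by the RC4-encrypted second stage."""
    return encode_length(len(stage2)) + rc4(rc4_key, stage2)


def unwrap_stage2(stream: bytes, rc4_key: bytes) -> bytes:
    """Stage-1 side: first recv gets the length, second recv gets the body, then RC4."""
    if len(stream) < 4:
        raise ValueError("stream shorter than the length field")
    n = decode_length(stream[:4])
    body = stream[4:4 + n]
    if len(body) != n:
        raise ValueError(f"expected 0x{n:x} bytes of stage 2, got 0x{len(body):x}")
    return rc4(rc4_key, body)


if __name__ == "__main__":
    # Constructed sample: a dummy second stage and an assumed RC4 key.
    demo_stage2 = b"\x90" * 16 + b"\xcc"
    demo_key = b"demo-key"
    stream = wrap_stage2(demo_stage2, demo_key)
    print("length field on the wire:", stream[:4].hex())
    print("recovered stage 2:", unwrap_stage2(stream, demo_key).hex())
```

Against the real capture, feed unwrap_stage2 the attacker-to-4444 TCP payload (reassembled, not per packet) and check that decode_length returns 0x4D7 before trusting the RC4 output.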