24.5.16

[Writeup] Wargames.my 2016 - Challenge 15

Another frustration: 500 points should have been a sweet victory at the end, if I had had enough time to play that day.....

So we get a zip file which contains this:

How about we open that README.md, which has some info about this file:
Mori-Dark
=========

An HTML5 minimalistic super-responsive portfolio and blog template.

CSS-only hexagon hive gallery!

http://mori-dark.s3-website.eu-central-1.amazonaws.com/


Open index.html in a browser and we get some pr0n stuff, haha.


WARNING HERE! This write-up takes the long route to the answer; there is always a shortcut to get the flag quickly.

So how about we get the original template and compare the differences between each file? I found something in index.html:

Because it is JavaScript, why don't we use Malzilla to investigate this.
Open up Malzilla, paste index.html and click Find Object, select the object that highlights the shellcode, then double-click to send it to the decoder.


In the decoder I use Override eval() to get the unescaped script first,
then we can decode the unescape by using document.write like this; run it in Malzilla and we get some gibberish, but is it?



With some google-fu I found out that the string was VBScript.Encode output, produced by a tool called screnc,
and it can be decoded, so we save the encoded text to a file and decode it using scrdec.exe:

scrdec.exe encoded.vbe decoded.vbs

And we get the decoded source code. It looks like a dropper, so we take the long hex string and paste it into a hex editor, where we can see the MZ header, so it is a PE file. I also noticed a UPX header in the file.
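As an added example (not part of the original write-up), a small Python triage script for the step just described: it pulls the long hex string out of a decoded VBScript dropper, converts it to bytes, checks the MZ/PE headers and lists the section names, where UPX0/UPX1 indicate UPX packing. The dropper source and the embedded PE image are constructed here; the image is a bare header, not real malware.

```python
import re
import struct

# Constructed sample: a minimal fake PE image (DOS header, PE signature,
# file header and one section named "UPX0"). It is only headers, built here
# to stand in for the payload a VBScript dropper writes out as a hex string.
def _build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    section = b"UPX0".ljust(8, b"\0") + b"\0" * 32  # one 40-byte section header
    return bytes(dos) + b"PE\0\0" + file_hdr + section

# Constructed decoded-dropper source, in the shape scrdec.exe gives back.
SAMPLE_VBS = (
    'Dim blob\r\n'
    'blob = "' + _build_sample_pe().hex().upper() + '"\r\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
)

def extract_hex_payload(vbs_source: str) -> bytes:
    """Return the longest run of hex digits in the script, decoded to bytes."""
    runs = re.findall(r"[0-9A-Fa-f]{64,}", vbs_source)
    if not runs:
        raise ValueError("no hex blob found in script")
    return bytes.fromhex(max(runs, key=len))

def triage_pe(data: bytes) -> dict:
    """Check MZ/PE headers and list section names; UPX0/UPX1 mean UPX-packed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return {"is_pe": False}
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size  # 4-byte signature + 20-byte file header
    names = []
    for i in range(nsec):
        off = sec_table + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"is_pe": True, "machine": hex(machine), "sections": names,
            "upx_packed": any(n.startswith("UPX") for n in names)}

if __name__ == "__main__":
    print(triage_pe(extract_hex_payload(SAMPLE_VBS)))
```

A section table that says UPX0/UPX1 on a file that upx -d then refuses to unpack cleanly is exactly the tampered-UPX situation the write-up runs into next, which is why the sample ends up being debugged as-is.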

Try running it and we get a warning by Nafiez. I lol'ed at this.

Unpacking it with upx -d gets something strange. Then I remembered the Flare-On challenge last year, which implemented this. More here.

So we just debug the file without running upx -d on it.

Try running it and we get the bendera (flag)! But I didn't get the chance to verify it; hope the flag is correct.

flag: nafiezawesome

*Yup, this guy is awesome. I have met him twice I think, and this is the first time I completely answered his question. I still remember pandame.exe....

Nice challenge, in which I learned how to use new tools like scrdec and Malzilla, but still frustrating because I could not solve it on that day.

3 comments:

  1. nice one naja. keep up the good effort

  2. nice google-fu. I couldn't find a way to decode it. hahahahah
