26 Feb 2012

CODEGATE 2012 – Network 500

This is part of C&C traffic without any certification.
It has been advanced using an auth process.
Find the C&C server address and make a bot command to meet a condition below.

Answer: auth_key|next_attack_time|next_attack_target

We get a PCAP file with a bunch of UDP traffic. There’s also an HTTP GET for a picture showing some disassembly. We OCR’d the image, corrected some OCR mistakes and turned it into a binary. The binary basically iterates over the string “1.2.3.4:4444” and obfuscates it in a certain way.

After a while we managed to simplify the algorithm to:

#include <stdio.h>
#include <string.h>

int main(void) {
    char *s = "1.2.3.4:4444";
    int key[] = {2,5,3,3,2,1,2,7,8,9,4,0,3,2,1,5};

    /* every byte becomes (byte + 10 + key[i & 3]) * 425, printed in decimal;
       the server concatenates these numbers, which is what decrypt_resp() below inverts */
    for (size_t i = 0; i < strlen(s); i++)
        printf("%d\n", (s[i] + 10 + key[i & 3]) * 425);
    return 0;
}

Meanwhile we started looking at the PCAP again. Some of the responses seemed to be in plaintext, others were weird, long number strings. As it turns out, all commands are XOR’d with 0xE9. Thus we could decrypt all commands sent in the session in the PCAP:

A7A8A4ACD3BEA6A6BA         -> NAME:WOOS
BDA0A4ACD3A7A6BE           -> TIME:NOW
BDBBA8AAA2                 -> TRACK
B9ACA8AAAC                 -> PEACE
AAA6A7AFA0AED3AABBB0B9BDA6 -> CONFIG:CRYPTO
AAA6A7AFA0AED3BCBBA5       -> CONFIG:URL

Now what to do with the responses to CONFIG:CRYPTO and CONFIG:URL? Hex-decoding them makes little sense. But wait, there is still the algorithm from the picture we reversed. Some more head-desking later we realized that the long number-string responses are concatenated decimal numbers, ciphered using that algorithm.

So to “undo” this obfuscation, we need to split the long number string back into tokens. Since we know how the algorithm works, and it multiplies every original value by 425, we know we are looking for substrings of the number string that are cleanly divisible by 425!

A little script was crafted and we could successfully deobfuscate the two responses from the PCAP. They yield “1.234.41.3:7657” and “http://coge.hackthepacket.com/woos/crypto.png” respectively. But *now* what? We’re still lacking the details needed to construct the flag.
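The two encodings described above, as an added Python example (not the write-up’s own script): the multiply-by-425 scheme in both directions, the tokeniser that takes the longest prefix divisible by 425 at each offset, and the XOR 0xE9 command encoding. The key, multiplier and XOR constant are the ones given above; the sample inputs are constructed.

```python
# Added example, not from the original write-up: both directions of the
# C&C obfuscation so the tokenising step can be checked on known input.
KEY = [2, 5, 3, 3, 2, 1, 2, 7, 8, 9, 4, 0, 3, 2, 1, 5]
MUL = 425
XOR_KEY = 0xE9


def obfuscate(text: str) -> str:
    """Server-side encoding as reversed from the disassembly picture: each byte
    becomes the decimal string of (byte + 10 + key[i & 3]) * 425; the numbers
    are concatenated with no separator."""
    return "".join(str((ord(c) + 10 + KEY[i & 3]) * MUL) for i, c in enumerate(text))


def split_tokens(numstr: str) -> list:
    """Split the concatenated digits back into per-byte tokens: at each offset
    take the longest prefix (at most 5 digits) that is a non-zero multiple of
    425. Raises ValueError on malformed input instead of looping forever."""
    tokens, i = [], 0
    while i < len(numstr):
        best = None
        for j in range(1, 6):
            p = numstr[i:i + j]
            if len(p) == j and int(p) != 0 and int(p) % MUL == 0:
                best = p
        if best is None:
            raise ValueError(f"no multiple of 425 at offset {i}")
        tokens.append(best)
        i += len(best)
    return tokens


def deobfuscate(numstr: str) -> str:
    """Inverse of obfuscate(): divide by 425, subtract 10 + key[i & 3]."""
    return "".join(chr(int(t) // MUL - 10 - KEY[i & 3])
                   for i, t in enumerate(split_tokens(numstr)))


def encode_cmd(cmd: str) -> str:
    """Bot command as sent on the wire: XOR every byte with 0xE9, then hex."""
    return bytes(b ^ XOR_KEY for b in cmd.encode()).hex().upper()


def decode_cmd(hexstr: str) -> str:
    return bytes(b ^ XOR_KEY for b in bytes.fromhex(hexstr)).decode()


if __name__ == "__main__":
    sample = "1.2.3.4:4444"            # constructed: the string the binary iterates over
    blob = obfuscate(sample)
    print(blob, "->", deobfuscate(blob))
    print(decode_cmd("AAA6A7AFA0AED3AABBB0B9BDA6"))  # CONFIG:CRYPTO, from the PCAP
```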

Well, we have a valid IP address and UDP port now. Time to build our own client!

<?php
// Split the concatenated decimal string into per-byte tokens and invert
// the (c + 10 + key[i & 3]) * 425 scheme recovered from the picture.
function decrypt_resp($s) {
    $key = array(2,5,3,3,2,1,2,7,8,9,4,0,3,2,1,5);
    $out = "";
    $tokens = array();
    $i = 0;
    $n = strlen($s);

    while ($i < $n) {
        // longest prefix (at most 5 digits) that is a non-zero multiple of 425
        $tok = "";
        for ($j = 1; $j <= 5 && $i + $j <= $n; $j++) {
            $p = substr($s, $i, $j);

            if (intval($p) == 0)
                continue;

            if ((intval($p) % 425) == 0)
                $tok = $p;
        }
        if ($tok === "")
            break;              // malformed input: no token at this offset
        $tokens[] = $tok;
        $i += strlen($tok);
    }

    foreach ($tokens as $k => $b) {
        $b = intval($b) / 425;
        $b -= (10 + $key[$k & 3]);
        $out .= chr($b);
    }
    return $out;
}

// Commands go over the wire XOR'd with 0xE9 and hex-encoded.
function crypt_cmd($s) {
    return $s ^ str_repeat("\xe9", strlen($s));
}

function hexs($s) {
    return strtoupper(bin2hex($s));
}

$fp = fsockopen("udp://1.234.41.3", 7657, $errno, $errstr);

if (!$fp)
    die("ERROR: $errno - $errstr\n");

while (1) {
    $line = readline("CMD> ");
    if ($line === false)        // EOF on stdin
        break;

    fwrite($fp, hexs(crypt_cmd($line)) . "\n");
    $res = fread($fp, 8192);

    // digit-only responses are obfuscated, everything else is plaintext
    if (preg_match('/^[0-9]+$/', trim($res)))
        echo "DEC: " . decrypt_resp(trim($res)) . "\n";
    else
        echo "RES: " . $res . "\n";
}

fclose($fp);
?>

Using this we started playing around:

CMD> NAME:ADMIN
RES: HI, ADMIN. NICE APPROACH!
CMD> TRACK
RES: IF YOU WANT TO KNOW, CONTACT TO ADMINISTRATOR
CMD> PEACE
RES: YOU NEED AUTH KEY IF YOU WANT TO SOLVE THIS PROBLEM PEACEFULLY ^^ THE AUTH KEY IS 'JANEMARRIEDTARZAN'
CMD> DERP:
RES: SORRY, INVALID OP CODE. DON'T FORGET XOR!
CMD> TIME:NOW
RES: 2012-02-25-23-25
CMD> TIME:ATTACK
RES: LAST ATTACK WAS 2012-02-25-21-00

Eventually we noticed the “COMMANDS” hint that was given:

CMD> COMMANDS
RES: COMMAND, ADMIN, DUEDATE, ATTACK, TEXT, EXE, NAME, PASSWORD, TIME, PNG, AUTH, CONFIG, UPDATE, BINARY, DROPZONE, NOW, TRACK, CRYPT

And then, after some more playing:

CMD> TIME:DUEDATE
RES: I DON'T KNOW WHEN IT WILL BE START. TRY IT WITH ANOTHER CONDITION
CMD> NAME:ADMIN:AUTH:JANEMARRIEDTARZAN:CONFIG:URL
DEC: www.Hackth3pAck3t.c0m:7777/wo00o
CMD> NAME:ADMIN:AUTH:JANEMARRIEDTARZAN:TIME:DUEDATE
RES: NEXT ATTACK WILL BE AT 2020-02-20-20-02

FLAG: JANEMARRIEDTARZAN|2020-02-20-20-02|www.Hackth3pAck3t.c0m:7777/wo00o
