A zip archive was given eggshell-master.zip
I tried to run some of the python files included in it. But it crashed my machine.
Then I found a file named
utils.pyc and I decompiled it using uncompile2.
# 2014.09.22 12:44:53 IST
#Embedded file name: /Users/kchung/Desktop/CSAW Quals 2014/rev100/utils.py
+++ okay decompyling utils.pyc
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2014.09.22 12:44:53 IST
I opened http://kchung.co/lol.py link which displayed the following code:
A windows PE32 executable was given. Which was more or less a similar challenge to last year’s quals.
I ran the program and found that it prints an encrypted flag. I immediately loaded it in IDA with debugger and found that the program exits upon the detecting a debugger and an decryption function is called just before that. Kindly follow what is mentioned in this image to get the decrypted flag
A pcap file was given:
Hint given was misleading. But I knew that flag would be transferred through a tcp connection as a plain text according to the point given for this challenge. I created a dump of the tcp connections as
tcp.pcap. I used a tool called tcpflow which breaks down each and every tcp connection and stores its content in ASCII file.
tcpflow -r tcp.pcap
These are the various files created after running the above commmand.
058.179.133.087.62973-192.168.221.128.01301 192.168.221.128.01300-061.054.024.060.20302 192.168.221.128.01315-173.014.243.236.00080
074.095.093.093.16881-192.168.221.128.01302 192.168.221.128.01301-058.179.133.087.62973 192.168.221.128.01317-162.017.162.237.06881
173.014.243.233.16881-192.168.221.128.01277 192.168.221.128.01302-074.095.093.093.16881 192.168.221.128.01318-197.083.255.148.43786
192.168.221.128.01277-173.014.243.233.16881 192.168.221.128.01306-192.168.221.136.00023 192.168.221.128.01320-061.054.024.053.20202
192.168.221.128.01292-192.168.221.136.00022 192.168.221.128.01307-096.252.203.249.60974 192.168.221.128.01322-106.120.035.039.22827
192.168.221.128.01293-173.014.243.236.00080 192.168.221.128.01308-061.054.024.062.20402 192.168.221.136.00022-192.168.221.128.01292
192.168.221.128.01295-188.8.131.52.20902 192.168.221.128.01309-061.054.024.072.20402 192.168.221.136.00023-192.168.221.128.01306
192.168.221.128.01296-180.153.091.176.20802 192.168.221.128.01311-036.229.180.205.06881 197.083.255.148.43786-192.168.221.128.01318
192.168.221.128.01297-061.054.024.070.20202 192.168.221.128.01312-087.218.248.070.20388 alerts.txt
192.168.221.128.01298-071.245.166.078.51413 192.168.221.128.01313-064.087.001.236.16881 report.xml
192.168.221.128.01299-099.235.219.011.06881 192.168.221.128.01314-184.108.40.206.20802 tcp.pcap
Then I ran `strings` to check for any flag in plain text. And fortunately
I found the flag in plain text.
strings * | grep "flag"
An ELF 32 binary file was given
I ran a
strings command on it and flag was hard coded in it
A python file was given.
In this problem all the functions except
are removed from the python shell which is given to us.
This is similar to python jail break challenge in plaidCTF 2013.
After a few google search I came to know that in Python, a type object has a
__bases__ attribute which returns the list of all its base classes. It also has a
__subclasses__ method that returns the list of all types that inherit from it. If we use
__bases__ on a random
type, we can reach the top of the type hierarchy (object type), then read the subclasses of object to get a list of all types defined in the interpreter
40th index points to file function
In : ().__class__.__bases__.__subclasses__()
And the exploit is here:
solution for more challenges would be added very soon.