Securinets Prequals 2K20
SOLUTION :
On unzipping task.zip, a lot of shared libraries were present along with the ELF file. The ELF file ran normally like any other ELF.
The ELF asked for a username and password.
I checked for strings in the ELF and saw various Python functions and pydata in the output.
So Python data is present in this ELF. This is present when a Python file is converted into an ELF.
So first we have to reverse this ELF back to a Python file.
Conversion of ELF back to python file
I used pyinstaller [https://github.com/JasonAHeron/pyinstaller] for conversion. Both things, i.e. Python -> ELF and ELF -> Python, can be done using this.
We have to use archive_viewer.py for this. The command is as follows :
python archive_viewer.py task
There are 4 options in archive_viewer.py
U: go Up one level
O <name>: open embedded archive name
X <name>: extract name
Q: quit
We have to extract it, so we will use X and save it as decode.pyc
Here we have to do one more step. During extraction the Python bytecode file signature gets removed, so we have to add it back manually.
I am using the Bless Hex editor for adding the hexes.
The hex bytes that need to be added are:
03 F3 0D 0A 00 00 00
Now our pyc file is ready. We have to decompile it.
Use the uncompyle6 decompiler on Linux. Online decompilers may show errors while decompiling.
The decompiled file is below.
Reversing the python code to get the flag
Now we have to reverse the code to get the flag.
We are given an AES cipher in this. There is a function get_random_string() which uses random.randint(), but seed(2020) is called, so the same sequence will be generated every time.
The encryption code was this:
tmp = get_random_string(cipher1)
res = phase1(cipher1, tmp)
cipher2 = ''
for i in range(len(cipher1)):
    cipher2 += chr(ord(res[i]) + 1)
cipher2 = cipher2[::-1]
tool = cipher('securinets')
last_c = tool.encrypt(cipher2)
last_c = b64decode(last_c)
We have to make the input such that it is equal to last_ci
last_ci = 'tMGb4+vbwHmn1Vq826krTWNtO0YHhOxrgz0SxBmsKiiV6/PlMyy1cavIOWuyCo8agFAOSDZhDY9OLXaKDqiFGA=='
So let’s move in the reverse order of the encryption.
Calling tool.decrypt(last_ci) will give us the decrypted text. On checking the ASCII values of the decrypted text, it came out to be of length 48.
[246, 196, 187, 187, 208, 109, 181, 165, 41, 200, 110, 196, 25, 143, 192, 126, 224, 220, 21, 23, 178, 246, 129, 189, 140, 78, 232, 146, 140, 113, 125, 184, 150, 232, 193, 231, 152, 185, 12, 208, 8, 8, 8, 8, 8, 8, 8, 8]
You can see the last 8 values are 8. Those are padding values, so only the first 40 values are useful.
So we have got the cipher2 value; now we have to reverse the array using [::-1].
After that, we have to subtract 1 from each element of the above array. The array came out to be:
[207, 11, 184, 151, 230, 192, 231, 149, 183, 124, 112, 139, 145, 231, 77, 139, 188, 128, 245, 177, 22, 20, 219, 223, 125, 191, 142, 24, 195, 109, 199, 40, 164, 180, 108, 207, 186, 186, 195, 245]
Now, to get the 40 values of the tmp array, we just have to call seed(2020) and run random.randint(23, 255) 40 times.
XORing the tmp array and the decrypted array will give the flag.
After XORing, the output came out to be:
h4rdc0r362782cb85ba466014d649915072c85ee
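The reversal steps above collected into one Python 3 script; this is an added example, not the author's solution code. It assumes phase1 is a byte-wise XOR with tmp (as the text describes) and that the binary ran on Python 2.7 (03 F3 0D 0A is the Python 2.7 magic), so the hypothetical helper py2_randint_stream emulates Python 2's randint, because Python 3's randint draws a different sequence from the same seed.

```python
import random

# Decrypted AES plaintext from the write-up (48 bytes; the last 8 are padding).
DECRYPTED = [
    246, 196, 187, 187, 208, 109, 181, 165, 41, 200, 110, 196, 25, 143, 192, 126,
    224, 220, 21, 23, 178, 246, 129, 189, 140, 78, 232, 146, 140, 113, 125, 184,
    150, 232, 193, 231, 152, 185, 12, 208, 8, 8, 8, 8, 8, 8, 8, 8,
]


def strip_padding(data, block=16):
    """Validate and remove padding of the form 'n trailing bytes of value n'."""
    n = data[-1] if data else 0
    if len(data) % block or not 1 <= n <= block or data[-n:] != [n] * n:
        raise ValueError("invalid padding")
    return data[:-n]


def undo_shift_reverse(cipher2):
    """Invert 'add 1 to each byte, then reverse': reverse back, subtract 1."""
    return [b - 1 for b in reversed(cipher2)]


def py2_randint_stream(seed, lo, hi, count):
    """Hypothetical helper (assumption). Python 2.7 computed randint(lo, hi) as
    lo + int(random() * width); Python 3 draws it differently, so calling
    randint() directly under Python 3 gives a different tmp sequence."""
    rng = random.Random(seed)
    width = hi - lo + 1
    return [lo + int(rng.random() * width) for _ in range(count)]


def recover(decrypted, keystream):
    """Undo padding, reversal and +1, then XOR with tmp (assumes phase1 is XOR)."""
    res = undo_shift_reverse(strip_padding(list(decrypted)))
    if len(keystream) != len(res):
        raise ValueError("keystream length must match the unpadded data")
    return "".join(chr(r ^ k) for r, k in zip(res, keystream))


if __name__ == "__main__":
    tmp = py2_randint_stream(2020, 23, 255, 40)
    print(recover(DECRYPTED, tmp))
```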
The flag is :
You can submit with securinets{h4rdc0r3:62782cb85ba466014d649915072c85ee}
You can get the whole solution code from here:
