PaloAlto CTF 2017 : Binary Challenge 2

The challenge computes a flag from the time it receives from the NIST Internet Time Servers and then sends the computed flag to the "labytime.com" server for verification. Before the flag is formed from the received time, the 2nd digit of the seconds in that time is set to 0. We have 10 secs to send the computed flag to the "labytime.com" server to get the correct flag.






I re-implemented the logic in Python to calculate the flag, send it to the "labytime.com" server and read the response to get the real flag. Below is the Python implementation.

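# __ROR__ comes from a separate "rotate" helper module (not part of the
# standard library); it is used here as an 8-bit rotate right
from rotate import __ROR__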
import hashlib
import socket
import requests

c = [0x0C,0x74,0x0C,0x74,0x8D,0x39,0x39,0xED,0x35,0x5D,0x41,0x91,0x39,0x0D,0x15,0x45,0x8D,0x41,0x1D,0x81,0x1D,0x39,0x35,0x31,0x15,0xD9,0x35,0xDD,0x45,0x0C,0x74,0x0C,0x74,0x0C]

ror_n = len(c) & 7  # 34 & 7 == 2, the rotate count hard-coded in the loop below
decode_str = ''
for i in range(0,len(c)):
    v = __ROR__((c[i]),2) & 0xFF
    #print hex(v)
    v = (v ^ len(c))& 0xFF
    decode_str = decode_str + chr(v)
print 'data to xor : ' + decode_str

#ipaddr = ["24.56.178.140","128.138.141.172","216.228.192.69","216.229.0.179","198.111.152.100","64.113.32.5"]

ipaddr = ["24.56.178.140"]
data = ''
for ip in ipaddr:
    try:
        print 'connecting to NIST ' + ip + ' to get time'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM,socket.IPPROTO_TCP)
        s.connect((ip,13))
        data = s.recv(0x100)
        s.shutdown(socket.SHUT_RDWR)
        print "received date :" + data
    except Exception as e:
        print ip + ":" + str(e)
    finally:
        s.close()
        
date_time = ''
if data != '':
    data = data.split(' ')
    date = str(data[1])
    time = str(data[2])
    date_time = date + ' ' + time
    #print date_time
    #print len(date_time)
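    # zero only the last character (2nd digit of the seconds); str.replace()
    # would also rewrite every other occurrence of that digit in the date/time
    date_time = date_time[:-1] + '0'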
    print 'Formatted datetime : ' + date_time
    
print 'calculating flag...'
j = 0
z = ord(date_time[0])
#print type(z)
s = ''
for i in range(0,len(decode_str)):
    x = ord(decode_str[i])
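    # restart the timestamp index once: decode_str (34 chars) is exactly
    # twice as long as date_time (17 chars)
    if i == len(date_time):
        j = 0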
    y = ord(date_time[j])
    r = (((x ^ y) & 0xFF) + z) & 0xFF
    j = j + 1
    s = s + chr(r)
    #print hex(r),

s_sha1 = hashlib.sha1(s).hexdigest()

#print s_sha1
flag = 'PAN{' + s_sha1 + '}'
print flag
print 'sending request to labytime.com...'
res = requests.post('http://labytime.com',data={'flag':flag})
print '***************Response***************'
print res.text


Below are the request sent to and the response received from "labytime.com".

data to xor : !?!?AllYourFlagsAreBelongToUs!?!?!
connecting to NIST 24.56.178.140 to get time
received date :
57927 17-06-23 08:51:00 50 0 0 308.5 UTC(NIST) * 

Formatted datetime : 17-06-23 08:51:00

calculating flag...
PAN{50715146fabac0f407f20f96927052afdfcb0827}
sending request to labytime.com...

***************Response***************

<!DOCTYPE html>
<html>
<head lang="en">
<title>LabyTime CTF Flag Checker (Labyrenth 2017)</title>
<link rel="stylesheet" type="text/css" href="css/main.css">
<script type="text/javascript">
function delayer(){
    window.location = "index.php"
}
  </script>
</head>
    <body>
  <div>
    <span>F</span><span>l</span><span>a</span><span>g</span><div></div><div></div><span>C</span><span>h</span><span>e</span><span>c</span><span>k</span><span>e</span><span>r</span>
  </div>
  <div class="won">You won!<br>The real flag to submit is: PAN{tricky_tricky_better_be_quicky}</div></body>
</html>
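
The derivation described above as an offline Python 3 function, added here as an example and not part of the original script: it takes a daytime reply string instead of opening a socket, which makes it easy to see that every timestamp inside one 10-second bucket yields the same flag. The function names and the two extra reply lines are assumptions made for this example; the modulo key cycling matches the script's single index reset for the 34-byte table and 17-character timestamp.

```python
import hashlib

# Encoded table copied from the write-up's script (34 bytes).
C = [0x0C,0x74,0x0C,0x74,0x8D,0x39,0x39,0xED,0x35,0x5D,0x41,0x91,
     0x39,0x0D,0x15,0x45,0x8D,0x41,0x1D,0x81,0x1D,0x39,0x35,0x31,
     0x15,0xD9,0x35,0xDD,0x45,0x0C,0x74,0x0C,0x74,0x0C]

# PAGE_REPLY is the daytime reply shown in the write-up. The other two are
# constructed for this example: 7 seconds later, and in the next bucket.
PAGE_REPLY = "\n57927 17-06-23 08:51:00 50 0 0 308.5 UTC(NIST) * \n"
LATE_REPLY = "\n57927 17-06-23 08:51:07 50 0 0 308.5 UTC(NIST) * \n"
NEXT_REPLY = "\n57927 17-06-23 08:51:10 50 0 0 308.5 UTC(NIST) * \n"

def ror8(value, count):
    """Rotate an 8-bit value right by count bits."""
    count &= 7
    return ((value >> count) | (value << (8 - count))) & 0xFF

def decode_key(table=C):
    """ROR each byte by 2, then XOR it with the table length (34)."""
    return bytes(ror8(b, 2) ^ len(table) for b in table)

def normalize(reply):
    """Return 'YY-MM-DD HH:MM:S0' from a daytime reply, or raise ValueError."""
    fields = reply.split()
    if len(fields) < 3 or len(fields[1]) != 8 or len(fields[2]) != 8:
        raise ValueError("unexpected daytime reply: %r" % reply)
    stamp = fields[1] + " " + fields[2]
    # Zero only the final character; the date digits must stay untouched.
    return stamp[:-1] + "0"

def flag_for(reply):
    """Derive the PAN{...} candidate for the bucket this reply falls in."""
    stamp = normalize(reply).encode("ascii")
    z = stamp[0]  # first timestamp byte is added to every output byte
    key = decode_key()
    # Modulo cycling equals the script's single reset for 34 / 17 bytes.
    mixed = bytes(((k ^ stamp[i % len(stamp)]) + z) & 0xFF
                  for i, k in enumerate(key))
    return "PAN{" + hashlib.sha1(mixed).hexdigest() + "}"

if __name__ == "__main__":
    for reply in (PAGE_REPLY, LATE_REPLY, NEXT_REPLY):
        print(normalize(reply), flag_for(reply))
```

LATE_REPLY also exercises the normalization edge case: its last digit (7) occurs in the year as well, and only the seconds digit may change.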
