
1. 300: Powerful_Shell

Points: 300

Tags: binary powershell reverse

Powerful_Shell
Crack me.
powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024

After downloading the file, you can see how it hides the real script: every character is produced by casting an integer expression to [char] and appending it to $ECCON.

$ECCON="";
$ECCON+=[char](3783/291);
$ECCON+=[char](6690/669);
$ECCON+=[char](776-740);
$ECCON+=[char](381-312);
$ECCON+=[char](403-289);
$ECCON+=[char](-301+415);
$ECCON+=[char](143-32);
$ECCON+=[char](93594/821);
$ECCON+=[char](626-561);
$ECCON+=[char](86427/873);
$ECCON+=[char](112752/972);
$ECCON+=[char](43680/416);
$ECCON+=[char](95127/857);
$ECCON+=[char](-682+792);
$ECCON+=[char](-230+310);
$ECCON+=[char](-732+846);
$ECCON+=[char](1027-926);
$ECCON+=[char](94044/922);
$ECCON+=[char](898-797);
$ECCON+=[char](976-862);
$ECCON+=[char](52419/519);
$ECCON+=[char](1430/13);
$ECCON+=[char](18216/184);
$ECCON+=[char](21715/215);
$ECCON+=[char](12320/385);
$ECCON+=[char]([int][Math]::sqrt([Math]::pow(61,2)));
$ECCON+=[char](6976/218);

.....

$ECCON+=[char](803-793);
$ECCON+=[char](10426/802);
Write-Progress -Activity "Extracting Script" -status "20040" -percentComplete 99;
$ECCON+=[char](520-510);
Write-Progress -Completed -Activity "Extracting Script";.([ScriptBlock]::Create($ECCON))

If you just run it, you can see that it ends at the following screen.


To avoid this, remove the execution part at the bottom of the code and check the $ECCON variable.

$ECCON+=[char](873-863);
$ECCON+=[char](721-708);
$ECCON+=[char](803-793);
$ECCON+=[char](10426/802);
Write-Progress -Activity "Extracting Script" -status "20040" -percentComplete 99;
$ECCON+=[char](520-510);

$ECCON > powerful_shell_stage2.ps1  # added: dump the decoded script instead of running it
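A static alternative to editing and running the dropper, as an added example (not part of the original write-up or the challenge): this Python sketch rebuilds the hidden string from the `$ECCON+=[char](...)` lines by evaluating only whitelisted arithmetic, so nothing from the script is ever executed. The names `decode`, `_eval` and `SAMPLE` are assumptions of this example; `SAMPLE` is a selection of lines from the excerpt above.

```python
import ast
import math
import operator
import re

# Constructed sample: lines selected from the excerpt on this page, not the full file.
SAMPLE = r'''$ECCON="";
$ECCON+=[char](776-740);
$ECCON+=[char](381-312);
$ECCON+=[char](403-289);
$ECCON+=[char](-301+415);
$ECCON+=[char](143-32);
$ECCON+=[char](93594/821);
$ECCON+=[char](12320/385);
$ECCON+=[char]([int][Math]::sqrt([Math]::pow(61,2)));
$ECCON+=[char](520-510);
Write-Progress -Completed -Activity "Extracting Script";.([ScriptBlock]::Create($ECCON))
'''

APPEND = re.compile(r'^\s*\$ECCON\+=\[char\]\((.*)\);?\s*$', re.M)
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Div: operator.truediv}
FUNCS = {"sqrt": math.sqrt, "pow": math.pow}


def _eval(node):
    """Evaluate a whitelisted arithmetic AST; anything else is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCS and not node.keywords):
        return FUNCS[node.func.id](*[_eval(a) for a in node.args])
    raise ValueError("unsupported expression: " + ast.dump(node))


def decode(script):
    """Rebuild the hidden string from the append lines without running the script."""
    out = []
    for expr in APPEND.findall(script):  # all other lines are ignored, never run
        expr = expr.replace("[int]", "").replace("[Math]::", "").strip()
        value = _eval(ast.parse(expr, mode="eval").body)
        if value != round(value):
            raise ValueError("non-integer code point: " + expr)
        out.append(chr(round(value)))
    return "".join(out)
```

Calling `decode()` on the contents of powerful_shell.ps1 yields the same text that the `$ECCON > powerful_shell_stage2.ps1` line writes out, and any expression outside the whitelist raises `ValueError` instead of being evaluated.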

The powerful_shell_stage2.ps1 file looks more complicated ...

Actually, we do not need the part above; if we delete the terminating part from the branching statement where the script exits ...

exit to exit~

A cute keyboard comes out ... This part can only be passed if you enter the same value as the secret key in the code; that value is then used to decode the base64 statement at the bottom.

The secret value is hhjhhjhjkjhjhf

When you enter a secret value ...

The password is requested again!!!!!!!

At the bottom of the code there is a part that executes the base64-decoded value, and you can get another script by modifying this part.

I am happy ...

If you remove the last pipeline and run it, you will see code of a type similar to the previous one.

Converting the char of that code to ASCII ...

$ECCON=Read-Host -Prompt 'Enter the password'
If($ECCON -eq 'P0wEr$H311'){
	Write-Host 'Good Job!';
	Write-Host "SECCON{$ECCON}"
}

Key: SECCON{P0wEr$H311}



2. 100 : Log search (ElasticSearch)



Just check the 304 responses.







SECCON{N0SQL_1njection_for_Elasticsearch!}

 



3. 100: SHA-1 is dead

http://sha1.pwn.seccon.jp/

Upload two files satisfy following conditions:

  1. file1 != file2
  2. SHA1(file1) == SHA1(file2)
  3. 2017kb < sizeof(file1) < 2018kb
  4. 2017kb < sizeof(file2) < 2018kb

* 1kb = 1024 bytes

Answer:  


Solution

  • This must be a SHA-1 collision problem
  • Just pad the end of the test files released by Google so that the size matches 2017 kb
  • shattered-1.pdf / shattered-2.pdf 

  File Modified
PDF File shattered-2.pdf Apr 11, 2018 by ff8081816eb51ac4016eb5ec80d90002
PDF File shattered-1.pdf Apr 11, 2018 by ff8081816eb51ac4016eb5ec80d90002
File powerful_shell_stage3.ps1 Apr 14, 2018 by juwon1405
File powerful_shell_stage2.ps1 Apr 14, 2018 by juwon1405
File powerful_shell.ps1 Apr 14, 2018 by juwon1405

 
