{ FIT-HACK#2017 } - Binary 300 - mYFIT

-

Binary 300 - mYFIT

Pour ce dernier challenge, nous avons un programme python compilé. En utilisant uncompyle2 pour décompiler le code du binaire, on obtient le code source. Ce programme permet aux étudiants et professeurs (admin) myFIT d'accéder aux notes. Une fois connecté sur le serveur, 2 commandes sont disponibles:
  • Une pour se connecter avec son identifiant
  • Une autre pour se connecter en tant que professeur (admin) avec nom d'utilisateur et mot de passe
En regardant la fonction, process_admin_command(c) on comprend comment les identifiants d'étudiants sont générés:
def process_admin_command(c):
    if c[0] == 'help':
        print_admin_help()
    elif c[0] == 'add':
        sys.stdout.write('Name of student to add: ')
        sys.stdout.flush()
        name = sys.stdin.readline().strip()
        print 'Enter student\'s grades in the format "Discrete mathematics A", with the class first then the letter grade. End with an empty line.'
        sys.stdout.flush()
        usergrades = {}
        g = True
        while g:
            g = sys.stdin.readline().strip().split()
            usergrades[' '.join(g[:-1])] = g[-1]

        grades[max(grades.keys()) + 1] = {'name': name,
         'Student ID': hashlib.sha256(salt + name).hexdigest(),
         'grades': usergrades}
        write_grades()
    else:
        print 'Invalid command. More coming in myFIT.'
        sys.stdout.flush()
La variable Student ID est le sha256 du nom de l'étudiant précéder d'un salt (EzA1CVFsmRf8BGubQNrd). On récupère alors l'identifiant de Wilhelmina Braunschweig Ingenohl Friedeburg :
import hashlib

salt = 'EzA1CVFsmRf8BGubQNrd'
login = 'Wilhelmina Braunschweig Ingenohl Friedeburg'

h = hashlib.sha256(salt + login)
k3y = h.hexdigest()
print(k3y)
On se connecte sur le serveur et on entre la commande :
$ login fbf832b18bde7cb48fff1f79e07c8c3cdaaabcc726ca99b6f69ff7801d2b873c
On est alors connecté en tant que Wilhelmina Braunschweig Ingenohl Friedeburg, on fait la commande "view" pour voir ses notes et on obtient le flag.
Malheuresement, le serveur n'étant plus en ligne je n'ai pas pu récupérer le flag.

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Excel 4.0 macro Trojan Downloader

-
Image
Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c Sample Download Link:  beta.VirusBay.io Application Name: Microsoft Excel File Type: xls VirusTotal Score: 29/60 I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis. OLEVBA.py First thing I did analysis of VBA macro source code in excel file using OLETools. Command >  OLEVBA.py -a The result shows, macro will auto execute on opening file and it may run executable file may be using shell command and will download a file from remote server. The executable file name is  FBpKzqF.exe Document Property: XLM macro has been used in this file which is hidden. Steps To Make Macros Sheet Visible Step 1 I enabled it by right click on the spreadsheet which is open in Excel and selected Unhide… And then a popup shows the name of spreadsheet I will select to unhide. Here name of sheet is  SODXOFScMLy . Step 2 Along with this need to unblock the excel ...
Lire la suite

TROJAN AGENT TESLA – MALWARE ANALYSIS

-
Image
Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information. Browser Information: When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine. Below are the tables getting created. Tables created: meta logins sqlite_sequence stats compromised_credentials found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords. database table  logins  stores all browser related information. Below are the table columns. Apart from this, malware also look for all different types of ...
Lire la suite

{ UIUCT#2017 } - REV 350P - ARE WE OUT OF THE WOODS YET?

-
It looks like this python script was run through a custom packer. It's just Python*, which means it must be easy to reverse, right? *v3 .6 .1 : 69 c0db5 https: //www.youtube.com/watch?v=y8qQsXpcZXA You are presented with the file  packed.py  that contains the following code: import marshal, zlib, base64, itertools def xor_strings (_left, _k) : out = b'' for l, r in zip(_left, itertools.cycle(_k)): out += (l ^ ord(r)).to_bytes( 1 , byteorder= 'big' ) return out def YET_eval_code (p1, p2) : YET_code = marshal.loads(zlib.decompress(xor_strings(base64.b64decode(p2), p1))) eval(YET_code) YET_eval_code( "YET" , b'IdkZDw77+o1N7Di7tKvNdbcGSyxAHBQCMDw12oRMcF9ROnVSwvKV+QF5+XW7ro70gu6ab7p1grlxNvbOLDMNXJpNfMagxOrwCrApxe8WxToZJ7Fo1LSzaO87HkVHachzv7ItMwuLq4nI5KBzqkyYmZaLf6NnIUN7OjslBoVvqbufNX+mk6G33qpKTDwzrwa5znSK1ARqs3rO2ayzgCgJFhtzrHHI5AvrFfqYL9brp6R76oobxtoLPuobrJa/qtJ9aEzLRviUqpozgaGn9b3hZzzJ1FgKoTprUzpjRKSqP...
Lire la suite