Whitehat Contest 11 RE3
We are given a big Windows binary named digital_fortrees.exe, and when I ran strings on it looking for the flag, I saw a lot of names like this:
    unittest/__init__.pycPK
    unittest/case.pycPK
    unittest/loader.pycPK
    unittest/main.pycPK
    unittest/result.pycPK
    unittest/runner.pycPK
    unittest/signals.pycPK
    unittest/suite.pycPK
    unittest/util.pycPK
So it is possible that this file contains Python pyc files, and that those files are stored like a zip file (because of the PK header). Opening the file with 7-zip, we can see that there are indeed a lot of pyc files.
But I didn't see any suspicious pyc files (I got lost most of the time, and I still don't know how to look for those files efficiently :( ). When I run it, the program gives me 2 options: to generate the map or to go through all rooms on the map. It seems like option 1 creates folders named after prime numbers in the working directory, and the second option traverses all of those directories and opens cmd on its way (it did freeze my computer :( ). Let's use Cheat Engine and see if we can narrow down which pyc we should look at, by searching for some special strings in the app. Then suddenly I saw some interesting things:
There are 2 suspicious links inside: http://material.wargame.whitehat.vn/contests/11/drawmap.py and http://material.wargame.whitehat.vn/contests/11/letgo.py. The second file describes the traversal process:
    import os

    def gothrough():
        key = 1
        roomtogo = [r for r in os.listdir(os.curdir) if os.path.isdir(r)]
        for room in roomtogo:
            key *= int(room)
            os.system("start cmd /k echo Room number " + room + ": get key part")
        if (key == 1000012277050240711531267079):
            os.system("start cmd /k echo Congrats! Where did you get these key parts?")
        else:
            os.system("start cmd /k echo Nothing here! wrong key parts")

    gothrough()
So it looks for directories, converts their names to numbers and multiplies them together. The result should be equal to 1000012277050240711531267079. According to the flag format, it should be the product of 3 prime numbers. We can factor it ourselves, or use FactorDB.
The flag is SHA1(FirstRoom:SecondRoom:ThirdRoom) = 89225c98a509271436fd55c3c6aeef44fd07728a.