A box of chocolate

my public personal notebook

Whitehat Contest 11 RE3

We are given a big Windows binary named digital_fortrees.exe, and when I ran strings on it looking for the flag, I saw a lot of names like this:

unittest/__init__.pycPK
unittest/case.pycPK
unittest/loader.pycPK
unittest/main.pycPK
unittest/result.pycPK
unittest/runner.pycPK
unittest/signals.pycPK
unittest/suite.pycPK
unittest/util.pycPK

So it is possible that this file contains Python pyc files, and that those files are stored in a zip archive (because of the PK header). Opening the file with 7-Zip, we can see that there are indeed a lot of pyc files.

But I didn't see any suspicious pyc files (I got lost most of the time, and I still don't know how to look for those files efficiently :( ). When I run it, the program gives me 2 options: to generate the map or to go through all the rooms on the map. It seems like option 1 creates folders named after prime numbers in the working directory, and the second option traverses all of those directories and opens cmd on its way (it did freeze my computer :( ). Let's use Cheat Engine and see if we can narrow down which pyc we should look at by searching for some special strings in the app. Then suddenly I saw some interesting things.

There are 2 suspicious links inside: http://material.wargame.whitehat.vn/contests/11/drawmap.py and http://material.wargame.whitehat.vn/contests/11/letgo.py. The second file describes the traversal process:

import os

def gothrough():
    key = 1
    roomtogo = [r for r in os.listdir(os.curdir) if os.path.isdir(r)]
    for room in roomtogo:
        key *= int(room)
        os.system("start cmd /k echo Room number " + room + ": get key part")
    if (key == 1000012277050240711531267079):
        os.system("start cmd /k echo Congrats! Where did you get these key parts?")
    else:
        os.system("start cmd /k echo Nothing here! wrong key parts")

gothrough()

So it looks for directories, converts their names to numbers and multiplies them together. The result should equal 1000012277050240711531267079. According to the flag format, it should be the product of 3 prime numbers. We can factor it ourselves, or use FactorDB.

The flag is SHA1(FirstRoom:SecondRoom:ThirdRoom) = 89225c98a509271436fd55c3c6aeef44fd07728a.
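For the "factor it ourselves" route, here is an added example (not part of the original write-up or of the challenge files): it factors the constant from letgo.py locally with Pollard's rho, then checks every ordering of the rooms against the SHA-1 quoted above. The function names are hypothetical, and it assumes the rooms are written as decimal numbers joined by ":".

```python
import hashlib
import math
from itertools import count, permutations

N = 1000012277050240711531267079  # constant letgo.py compares the product against
FLAG_SHA1 = "89225c98a509271436fd55c3c6aeef44fd07728a"  # hash quoted in the post
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin strong probable-prime test with fixed small-prime bases."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    def passes(a):
        x = pow(a, d, n)
        return x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(s - 1))
    return all(passes(a) for a in BASES)

def pollard_rho(n):
    """Return a non-trivial factor of a composite n (Floyd cycle detection)."""
    for c in count(1):  # retry with another polynomial x^2 + c if the walk degenerates
        x, y, d = 2, 2, 1
        while d == 1:
            x = (x * x + c) % n
            y = ((y * y + c) ** 2 + c) % n  # y advances two steps per iteration
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d

def factor(n):
    """Sorted prime factors of n, i.e. the room (directory) names."""
    if n == 1:
        return []
    if is_prime(n):
        return [n]
    d = next((p for p in BASES if n % p == 0), None) or pollard_rho(n)
    return sorted(factor(d) + factor(n // d))

def match_flag(rooms, target=FLAG_SHA1):
    """Return the 'a:b:c' ordering (assumed format) whose SHA-1 equals target, or None."""
    candidates = (":".join(map(str, o)) for o in permutations(rooms))
    return next((s for s in candidates if hashlib.sha1(s.encode()).hexdigest() == target), None)

if __name__ == "__main__":
    rooms = factor(N)
    print(rooms, match_flag(rooms))
```

A `None` from `match_flag` means the assumed string format, not the factorisation, is what needs revisiting.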