A journey into Radare 2 – Part 1: Simple crackme

Standard

Prologue

I was playing a lot with radare2 in the past year, ever since I began participating in CTFs and got dAnalyze alleeper into RE and exploitation challenges. I found radare2 very helpful with many CTFs tasks and my solutions had shortened significantly. It’s sometimes also my go-to tool for malware analysis tasks such as configuration retrievals. Sadly, I believe that only few people are familiar with radare2. It might be because they’re afraid to break out of their comfort zone (IDA Pro, OllyDBG, gdb) or they have simply not heard of it. Either way, I honestly believe that you must include radare2 in your toolbox.

Because I got really enthusiastic about the project and I want more and more researchers to be familiar with it, use it and hopefully contribute to the project, I decided to create a series of articles and use-cases of r2. Since these articles aim to teach you the basics of radare2, its features and capabilities, I’ll explain much more than you actually need to know in order to solve each task.

Welcome to IDA 10.0. (see radare2/doc/fortunes.fun for more fortunes)

radare2

radare2 is an open source framework for reverse engineering and binaries analysis which implements a rich command line interface for disassembling, analyzing data, patching binaries, comparing data, searching, replacing, visualizing and more. It has great scripting capabilities, it runs on all major platforms (GNU/Linux, .Windows *BSD, iOS, OSX, Solaris…) and it supports tons of architectures and file formats. But maybe above all of its features stands the ideology – radare2 is absolutely libre.

This framework is composed of a set of utilities that can be used either together from r2 shell or independently – We’ll get familiar with tools such as rahash2, rabin2, ragg2. Together they create one of the most powerful tools in the field of static and dynamic analysis, hex editing and exploitation (I’ll dive deeper in the following articles).

It is important to note that r2’s learning curve is pretty steep – although r2 have a GUI and a WebUI, none of them is quite enough to compete with the GUI or the convenience of IDA, IMHO. The CLI, however, including its Visual Mode, is still the core of radare2 and where its power lays. Because of its complexity I’ll try to make things as clear and simple as I can.

This is more or less how r2 learning curve works.

This is more or less how r2 learning curve works.

Before we begin you can check out the “Unfair comparison between r2, IDA Pro and Hopper” to get an idea of what we’re dealing with.

 

Getting radare2

Installation

Radare2’s development is pretty quick – the project evolves every day, therefore it’s recommended to use the current git version over the stable one. Sometimes the stable version is less stable than the current git version!

If you don’t want to install the git version or you want the binaries for another machine (Windows, OS X, iOS, etc) check out the download page at the radare2 website.

Updating

As I said before, it is highly recommended to always use the newest version of r2 from the git repository. All you need to do to update your r2 version from the git is to execute:

And you’ll have the latest version from git. I usually update my version of radare2 in the morning, while watching cat videos.

Uninstalling

I Can’t think of a reason for you to uninstall radare2 so early in the article but if you do have you can simply execute:

Getting Started

You can download the first challenge here.

Now that radare2 is installed on your system and you have downloaded the binary, we are ready to start exploring the basic usage of radare2. I’ll work on a Remnux machine but most of the commands and explanations (if not all of them) would be the same for Windows machines and others.

Command Line Arguments

As most command line utilities, the best approach to reveal the list of the possible arguments is to execute the program with the -h flag.

I won’t paste here the full output, Instead I’ll point out those which I usually use in my daily work:

Continue reading

Solving PwCTF Prequel

Standard

Epilogue

PwCTF is an on-site CTF event in Israel. It will take part on January 29-31 in Cybertech Tel-Aviv 2018. Honestly I’ve never heard of it before but I thought I’ll give it a try and ended up to be the first to finish the prequels. In the following writeup I’ll go step by step on how I solved each challenge. Here we go.

 

The first challenge

It was a morning time, I was eating my breakfast while reading messages on my security groups. One of the messages, by my friend Netanel Fisher, announced of the opening of CTF Prequalification Challenge. They said “challenge” and immediately caught my attention. I cannot say “no” to a challenge. So, I thought to myself that I’ll sign up and see what challenges are there. I clicked on the link to the CTF’s website and got into this lovely landing page:

It is clearly a login page, but since I didn’t have an account yet I (obviously) can’t log in. I searched for the register tab but couldn’t find it anywhere. There was only “Home” and “About” pages at the top navigation bar. I thought it might be a bug in the website so I changed the URL from /login.php to /register.php, ended up with “302 Not Found” and redirected back to the login page. There is where I started to think that the challenge is to register.

As every other initial web challenge, the first thing to do is to look at the source code. I pressed F12 on my browser and opened the source code. First thing to see is tons of comments, here are the most important of them:

 

From a quick glance, it is easy to spot some rows that seem like hints:

  • Line 13 says “<!– Rotation –>” ― Obviously ROT13 cipher
  • Line 64 says “Base” ― What else if not Base64
  • Line 1337 ― This leet line contains long string of numbers (HEX?) and a challenging sentence
  • Line 2048 is the last line and says “Reversing To Line esaB” ― The reversed “Base” seems like another hint

I started from the long sequence of numbers. To me it seemed like hexadecimal representation of something. The sequence only contains three numbers which repeat themselves in different order: 30, 31, and 62. I also noticed that 62 always comes after 30. Another things that immediately pops to mind is that 0x30 and 0x31 are the ASCII representation of “0” and “1” accordingly. 0x62 is the letter “b”. With that in mind, we should probably see this HEX string decoded into a binary string of zeroes and ones.

Let’s use python to decode the sequence and confirm whether my first impression was right:

Just as we thought, it is a binary sequence where each byte is starting with “0b”, a binary literal prefix. Now we’ll try to decode the binary string. Again, I’ll use python for this:

Cool! We decoded the binary string and came out with a Base64 sequence. Fit exactly to the hint on line #64. But wait a second, if a Base64 sequence has “==” it should be at the end, not at the beginning. Remember the last hint? The one on line #2048: <!-- I Think You Missed It :S. Bip, Bip, Bip, Reversing To Line esaB... --> . The word “Base” is reversed here. We should reverse our output and then decode it:

We didn’t end up with an output that makes any sense. First I thought that it might be some type of file, but I checked the list of file signatures and nothing matched 0xae. Then I remembered another hint which we didn’t use, the one about ROT13. Let’s rotate the characters and make another try with the decoding:

HOORAY! We solved it and got the credentials. Now we can log into the website.

The final code

Here’s the final script to solve the first challenge. It receives a hexadecimal sequence and prints the answer:

The second challenge

After using these credentials to login, we are facing this screen:


It’s a simple README screen with a description. Two of the words in the description are bolded and combined into “SOURCE CONTROL“. There’s also a button, let’s click on it.

This is the source of a README.md file, a popular file that can be found in source-control repositories. This hint, along with the previous one, can tell us about the possible existent of a Source Control on this server. The most popular of them is Git. First thing I tried is to change “README.md” to “flag.md”, “flag.txt” et cetera,  but all I got was 404 messages. Next thing I wanted to try is if indeed the server contains a Git repository. So I tried to access .git and got a 302 error code.

Seems like I am on the right direction. Let’s see if we can access the HEAD file.

What is a HEAD file?
The HEAD file is a symbolic reference to the branch you’re currently on. By symbolic reference, we mean that unlike a normal reference, it doesn’t generally contain a SHA-1 value but rather a pointer to another reference.

We successfully accessed HEAD and that means that the repository is downloadable. We can manually clone the repository file by file using wget but there’s better approach ― using GitDumper by internetwache. This is my favorite tool to dump Git repositories.

It should take a few minutes and at the end we’ll have a folder with the repository contained. Let’s cd to it and execute git status:

git status
Displays paths that have differences between the index file and the current HEAD commit, paths that have differences between the working tree and the index file, and paths in the working tree that are not tracked by Git.

It shows us that there are two files that were deleted from the repository. “interesting.txt” will probably contains the answer. Let’s find which commits changed the file:

git log
Shows the commit logs.

We received a huge output, the file must have been changed in each of these commits to confuse us. We can write a quick bash one-liner to reveal all the versions of this file:

Et voilà! We got a link to the registration form and successfully finished the prequels 🙂

 

Epilogue

The prequels to the PwCTF wasn’t highly technical, it didn’t involve hardcore reverse engineering, exploitation and similar, but there’s no doubt that it was challenging. Netanel which is responsible of creating this event and Tomer who helped writing the CTF’s challenges, are both invested time end efforts to make it as great as it was. Thank you guys, I really enjoyed solving it.

Share

Fantastic Malware and Where to Find Them

Standard

We, as malware analysts, are always in need of new samples to analyze in order to learn, train or develop new techniques and defenses. One of the most common questions I get is “Where to find malware to analyze?” so I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.

If you want to add another resource to the list please inform me in the comments.

Please, be careful when using these sites. Almost all of them contain malicious files. Use with caution!

General Samples

theZoo
theZoo is a project created to make the possibility of malware analysis open and available to the public.

contagio
Contagio is a collection of the latest malware samples, threats, observations, and analyses.

Hybrid Analysis
Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis. You can also download samples from analysis submitted by others.

AVCaesar
AVCaesar is a malware analysis engine and repository, developed by malware.lu

Das Malwerk
DAS MALWERK collects executable malware from all kinds of shady places on the internet

KernelMode.info
An active community devoted to malware analysis and kernel development

MalShare
The MalShare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.

 

 

VirusBay
VirusBay is a web-based, collaboration platform where researchers can put their hands on malicious samples uploaded by colleagues and SOC professionals.

FreeTrojanBotnet
FreeTrojanBotnet’s goal is to gather submissions from operators and various mailing lists and concentrate them in a database easy to navigate

Virusign
Virusign downloads malware and sort files in order of relevance, for researchers to download samples and analyze them to create new signatures.

malware.one
A binary substring searchable malware catalog containing terabytes of malicious code. (Samples are not downloadable)

VirusShare
A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Malwarebytes Research Center
Forums to post new threats and URLs

Mobile Malware (Google Group)
A mailing list for researching mobile malware. This group allows material related to new mobile malware samples, analysis, new techniques, questions pertaining to the field, and other related material.

SARVAM
Search And RetrieVAl of Malware contains a database with tons of malicious samples.

Malekal
Malekal’s collection of malware

Malc0de
An updated database of domains hosting malicious executables.

VX Vault
S!Ri.URZ Collection of malware and URLs

Scumware
Providing access to a database which contains data such as: URL, MD5, IP, TLD, etc

Sucuri Malware Labs
Latest findings that Sucuri Labs seeing in the “wild”

abuse.ch
abuse.ch is running a couple of projects helping internet service providers and network operators protecting their infrastructure from malware. It includes several malware trackers.

Cybercrime Tracker
Lists the C&C panels of certain in-the-wild botnets.


Android Samples

Koodous
Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository.

AndroMalShare
AndroMalShare is a project to share Android malware samples

Android-Malware (Github)
Collection of Android malware samples collected from several sources/mailing lists


OSX Samples

Objective-See Mac Malware
Objective-See was created to provide simple, yet effective OS X security tools. Always free of charge. This repository contains malware samples for MAC.

Manwe MAC Malware Samples
Regularly updated fresh MAC malware feed


Linux Samples

Linux Sandbox
Linux Sandbox is a Cuckoo-based sandboxing system specifically crafted and tuned for Linux malware samples analysis.

Detux – The Linux Sandbox
Multiplatform Linux Sandbox. The samples are available to download.


Not working anymore or under maintenance:

OpenMalware
Open Malware Project by Danny Quis

Malwr
Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back. You can also download samples from analysis submitted by others.

MalwareBlacklist
Repository of Malware URLs and Samples

 

Again, please be careful when using these sites. Almost all of them contain malicious files. Use with caution!

 

Share

[Pragyan CTF] The Karaboudjan

Standard

Description

The Karaboudjan | Forensics 150 pts

Captain Haddock is on one of his ship sailing journeys when he gets stranded off the coast of North Korea. He finds shelter off a used nuke and decides to use the seashells to engrave a message on a piece of paper. Decrypt the message and save Captain Haddock.

->-.>-.—.–>-.>.>+.–>–..++++.


.+++.


.->-.->-.++++++++++.+>+++.++.-[->+++<]>+.+++++.++++++++++..++++[->+++<]>.–.->–.>.

clue.zip

 

This was funny challenge, I struggled with that Brainfuck but all it was is just brainfuck. Nothing more, we don’t need it to solve the challenge. Sorry guys.

I downloaded the zip file which was encrypted, I then cracked it using “fcrakzip” and dictionary attack. And found that the password is “dissect“. Inside the zip was a pcap file with one packet:

 

That’s it, we got the flag 🙂

The flag was pragyanctf{5n00p_d099}

Share

[Pragyan CTF] New Avenger

Standard

Description:

New Avenger | Stego 300 pts
The Avengers are scouting for a new member. They have travelled all around the world, looking for suitable candidates for the new position.
Finally, they have found the perfect candidate. But, they are in a bad situation. They do not know who the guy is behind the mask.
Can you help the Avengers to uncover the identity of the person behind the mask ?
Those of you who read my blog frequently are already know how much I’m into superheroes. Give me a challenge with superheroes and you bought me. Although I’m more DC guy, this challenge was with the Marvels and still it was awesome! We’re given with a gif file. I ran binwalk on it to find whether it contains another files within.

Yep, the gif file contains two more files within, lets unzip the image:

Nice! We now have two more files: image_2.zip and 1_image.jpg. Now lets try to unzip image_2.zip.

Oh-no, it requires a password. Lets have a look at 1_image.jpg.
Haha, funny image. Now I want to have a deeper look at this picture, I opened it in hex editor and found the password:

So the password is “sgtgFhswhfrighaulmvCavmpsb”, lets unzip the file:

Again?! We got 2 more files, and the password to the new zip was at the end of the new image, and the new zip contained another zip and an image. Well, I see where it going to, so I opened python and automate the process:

Ta-dah! We extracted all the zip files and gםt 16 images and 15 passwords. This was the last image:

lol.

So now we have 15 passwords, each contains 26 characters:

The password looks like garbage, it’s not Base64 or some known encoding. The first thing to pop up is the capital letter inside each password. Every password contains one or two capital letters. I know that the English alphabet contains 26 letters, so maybe I can map the location of each capital to the matching letter in the alphabet. i.e, if ‘F’ is in passw[4] i’ll take alphabet[4] which is ‘e’ and so on. I added this code to my script:

I ran the script and got meaningless string: “etitgepgztgxhiwthexstgbpc”. Damn! I was so sure that the mapping is the solution, how can’t it be?! All the facts point towards mapping the alphabet. I decided not to give up and ran Caesar Cipher on the string:

YAY! I was so happy to find Spidey is the new Avenger!

Here’s the full script:

The flag was: pragyanctf{peterparkeristhespiderman}

Share