Salaheldin

March 14, 2019

The Sleigh Bell Lottery Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Shinny Upatree is on the 2nd floor: go right from the stairs and you will find him on your right.

Hi, I’m Shinny Upatree.

Hey! Mind giving ole’ Shinny Upatree some help? There’s a contest I HAVE to win.

As long as no one else wins first, I can just keep trying to win the Sleigh Bell Lotto, but this could take forever!

I’ll bet the GNU Debugger can help us. With the PEDA modules installed, it can be prettier. I mean easier.



1- Use the ls command to list all files and directories:

ls -la


gdb: The GNU Project debugger for C (and C++).

objdump: Displays information about one or more object files.

sleighbell-lotto: The sleighbell lottery program.


2- Try running sleighbell-lotto to see the lottery in action; type the following command in the terminal:

./sleighbell-lotto



3- Let's find interesting functions:

Method 1:

Use the nm command, which lists the symbols used in an object file or executable:

nm sleighbell-lotto


Everything you see here is a symbol, and the ones with T in front are ones that we can actually call, but the ones that start with an underscore (‘_’) are built-in stuff that we can just ignore (in a “real” situation, you shouldn’t discount something simply because the name starts with an underscore, of course).

Method 2:

Use the objdump command with the -t option to print the file's symbol table entries:

objdump -t sleighbell-lotto

Let's use grep to keep only the entries flagged F (the symbol is the name of a function) and then drop the ones that start with an underscore ('_'). Note that the second grep drops any line containing an underscore anywhere, which is good enough here:

objdump -t sleighbell-lotto | grep " F " | grep -ve "_"


The two functions that might be interesting are “main” and “winnerwinner”, so that’s what we’re going to follow!


4- Before we can call one of these functions, we need to run the project in gdb :

gdb -q sleighbell-lotto

The -q flag is simply to disable unnecessary output.


5- After you get to the (gdb) prompt, the sleighbell-lotto application is loaded and ready to run, but it hasn't actually been started yet.

You can verify that by trying to run a command such as continue:

continue


6- Now that the program is ready to go in gdb, we can run it with the run command.

You’ll see the same output as you would if you’d run it directly until it ends, at which point we’re back in gdb.


7- In order to modify the application at runtime, we need to run the program and then stop it again before it finishes cleanly. The most common way is to set a breakpoint on the main function; type the following in gdb:

break main

Then run the program and watch what happens :


Now we have control of the application in the running (but paused) state! We can view/edit memory, modify registers, continue execution, jump to another part of the code, and much much more!


8- We’re going to move the program’s execution to another part of the program.

Specifically, we're just going to use gdb's jump command to resume execution at the start of the winnerwinner function:

jump winnerwinner




Sweet candy goodness - I win! Thank you so much!

Have you heard that Kringle Castle was hit by a new ransomware called Wannacookie?

Several elves reported receiving a cookie recipe Word doc. When opened, a PowerShell screen flashed by and their files were encrypted.

Many elves were affected, so Alabaster went to go see if he could help out.

I hope Alabaster watched the PowerShell Malware talk at KringleCon before he tried analyzing Wannacookie on his computer.

An elf I follow online said he analyzed Wannacookie and that it communicates over DNS.

He also said that Wannacookie transfers files over DNS and that it looks like it grabs a public key this way.

Another recent ransomware made it possible to retrieve crypto keys from memory. Hopefully the same is true for Wannacookie!

Of course, this all depends on how the key was encrypted and managed in memory. Proper public key encryption requires a private key to decrypt.

Perhaps there is a flaw in the wannacookie author’s DNS server that we can manipulate to retrieve what we need.

If so, we can retrieve our keys from memory, decrypt the key, and then decrypt our ransomed files.


Malware Reverse Engineering

Whoa, Chris Davis’ talk on PowerShell malware is crazy pants!

You should check it out!