Wargames.MY 2015 - Challenge 7 (jengkrengkrongkreng) Write-Up

This article is about Wargames.MY 2015 - Challenge 7

Initial Hint: blackhole exploit main password

The challenge provides a password-protected 7z archive, so the first step is to use the initial hint to work out the archive password. As a malware analyst at MyCERT, I know that every malicious binary gets zipped up with 'infected' as the archive password, and sure enough the password for this 7z is 'infected'.

List of files in archive: (screenshot)

There's nothing inside logo.jpg except a picture of Miranda Kerr (NSFW).

Nothing much to see if you open index.html in a web browser, except that it shows you the 'youporn.com' site.

But 265KB is far too much for an index.html, so let's look into it.

Nothing much, but the interesting part is the base64 data.

Here's the full base64 string.

After decoding the base64 string:

Nothing suspicious, just the usual jQuery file, but at the bottom of the code there's an interesting line:

document.write("<script type='text/javascript' src= '---.. ..--- ---.. --... ----- --... .- ----. ---.. ...-- ...-- --... . -... -.... -... -.. ----. ..... --... -.. ----- . -.. ...-- ..-. --... ....- ----- ---.. ..--- ...-- ..-. -.. ..--- ..-. ..--- -.... --... . ....- ....- -... ----. -.. .---- ..-. ----- ....- ..--- ..-. .---- --... .- ----- ..... ---.. --... .---- ---.. ...-- ...--'></script>")

After decoding the morse code, here is the result.


Look back at index.html and you will notice this portion of code:

<!-- The key is right here, bro..
function encrypt(s,pw)
	var a=0;
	var myString='';
	var textLen=s.length;
	var pwLen=pw.length;

	for (i=0;i<textLen;i++) 
	[the rest of the routine was garbled by extraction; the surviving fragments show a while (a.length<3) padding loop, String.fromCharCode, a decrypt function that sets form1.tdecrypt.value = myString, and the hard-coded 0xff]

The hint: there's a 'key' inside the code. The code shows an XOR encrypt/decrypt routine in JavaScript, but there's a twist: the decrypt function never works and always returns the same string regardless of input.

But we can see that the decryption process uses '0xFF' as the key instead of the parameter.

Using a third-party XOR decryption tool, pass in the string from the morse code with 0xFF as the key; here is the result:
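The morse-to-hex and single-byte XOR steps of the write-up, as an added Python example (not the author's third-party tool or the challenge's own JavaScript). It embeds the morse string from the document.write() call above, validates that every group is a hex digit, and returns the XOR output as raw bytes for inspection:

```python
# Added example (not the author's tool or challenge code): the morse -> hex ->
# single-byte XOR pipeline from the write-up, in Python 3.

MORSE_DIGITS = {
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
}

# Morse string copied from the document.write() call found in the decoded jQuery.
MORSE_FROM_PAGE = (
    "---.. ..--- ---.. --... ----- --... .- ----. ---.. ...-- ...-- "
    "--... . -... -.... -... -.. ----. ..... --... -.. ----- "
    ". -.. ...-- ..-. --... ....- ----- ---.. ..--- ...-- ..-. "
    "-.. ..--- ..-. ..--- -.... --... . ....- ....- -... ----. "
    "-.. .---- ..-. ----- ....- ..--- ..-. .---- --... .- ----- "
    "..... ---.. --... .---- ---.. ...-- ...--"
)


def decode_morse(morse: str) -> str:
    """Space-separated morse groups -> hex digit string.

    Only 0-9 and a-f are accepted; any other group (a transcription typo,
    a stray separator) raises instead of silently yielding a wrong byte.
    """
    out = []
    for group in morse.split():
        if group not in MORSE_DIGITS:
            raise ValueError(f"not a hex digit in morse: {group!r}")
        out.append(MORSE_DIGITS[group])
    return "".join(out)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def recover(morse: str, key: int = 0xFF) -> bytes:
    """The write-up's pipeline: morse -> hex digits -> bytes -> XOR with key."""
    hex_digits = decode_morse(morse)
    if len(hex_digits) % 2:
        raise ValueError("odd number of hex digits: a morse group is missing")
    return xor_single_byte(bytes.fromhex(hex_digits), key)


if __name__ == "__main__":
    print(recover(MORSE_FROM_PAGE))  # raw bytes; inspect with repr() or .hex()
```

The morse string decodes to 62 hex digits (31 bytes); any mistranscribed group is reported by name rather than corrupting the output.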


That is our flag for this challenge.

Kudos to the Wargames.MY Crewz for a 1337 aw3s0m3 challenge. Hope to see more challenges again next year!