IngeHack 2021 CTF : LunarWinds

LunarWinds is a Reverse Engineering challenge. Unfortunately, I wasn’t able to complete it during the CTF, but here is its write-up anyway.

We are given a 64-bit PE and a pcap file. The goal is to figure out how the executable communicated with other hosts and to find any information leakage, which may contain the flag.

Let’s first take a quick look at the captured packets. We find a variety of protocols. The most interesting one is HTTP: some requests and responses involving Bing.com. We also find some ICMP packets.

Now to the executable. Opening it with IDA Free gives us very nice decompiled code. It takes us to WinMainCRTStartup, the CRT’s entry point, which calls _tmainCRTStartup, which in turn calls wmain. wmain passes the arguments to wWinMain, which is our entry-point function (the main function).

The function seeds the PRNG. It copies the string “www.bing.com” to the variable KICKASD and then allocates space for the variable COOKIERECV. From the name of the variable, we can guess it will be used for cookies.

Then two functions are called: lllllllll and EEEEEEEEE.

The lllllllll function:

This function has two nested loops.

The inner loop:

It generates a random number with a maximum value of about 32767, so KEY fits in 2 bytes.

Then it calls the yyyyyyy function with the number 0x1e (30) as an argument:

This function creates an ID of the form “ID-<30 random chars>”. These are the chars used:

So the ID starts with “ID-”, followed by 30 random characters. The returned ID is stored in the variable ID (33 bytes).

Then the function xxxxxxx is called with ID and KEY as arguments:

It XORs the ID with KEY as a repeating key: since KEY is 2 bytes long, the two key bytes alternate across the 33-byte ID. The result is stored in the v6 variable.

Then it sleeps.

After that, zzzzzz(‘www.bing.com’, v6) is called:

This function creates an ICMP packet, puts v6 (the encrypted ID) in its data field, and sends it to ‘www.bing.com’.

So we can later find the encrypted ID in the data of the ICMP packets.

Back to the lllllllll function.

It then calls iiiiiiiiiiiiii(“HELLO”, v5).

This function is very interesting.

It first encrypts our input (“HELLO”) with RC4; the key fed to the Key Scheduling Algorithm is the random part of the plaintext ID (the last 30 bytes).

However, the encrypted message is returned in hexadecimal form (see line 23).

After the RC4 encryption, the result is stored in Str.

Then rotate(KEY, Str) is called; however, KEY is cast to a char, so only its low byte is used.

This function adds that KEY byte to every byte of the encrypted message in its hex form, modulo 256 of course.

After that, the result is base64 encoded and placed in the v5 argument of the iiiiiiiiiiii function.

So, in summary, iiiiiiiiiii RC4-encrypts our message, hex-encodes it, rotates it, and base64-encodes it.

Back to the lllllllll function.

Now KKKKKKKK(“www.bing.com”, some_random_endpoint, v5) is called. It picks a random endpoint from:

This function puts v5 (the encrypted message) in the csrftoken cookie of the HTTP request and sends the request to the endpoint. It then takes the response and extracts the csrftoken cookie value from the Set-Cookie header.

This inner loop is repeated until the KKKKKKK function receives a valid response.

The outer loop:

The function cccccccccc is called:

This function decrypts the received csrftoken: it base64-decodes it, de-rotates it (subtracting the KEY byte from every byte), unhexlifies it, and then decrypts it with RC4 using the same random part of the ID as the key.

This outer loop is executed until the decrypted token equals “HELLO”.

And with this the lllllllll function ends.

The EEEEEEEEEE function:

As we can see, this function encrypts the message “ASK” (with the function iiiiiiiiiii) and sends it in a csrftoken cookie using the KKKKKKKKKK function. Notice that the RC4 key is the same one used before: the random 30-character part of the ID.

It then decrypts the csrftoken from the response, and if the returned message is “IDLE”, it loops and asks again.

So what happens if the response is not “IDLE”? The function QQQQQQQ is executed:

This function takes the decrypted message and executes it: the messages are system commands. It then stores the command’s output in v6.

After that, if the command actually returned any output, it loops through the output lines (separated by ‘\n’), encrypts each one, and sends it with the KKKKKKKKK function. Otherwise it sends “ERROR CMD!”.

And this process of receiving commands and sending their execution output is repeated.

Solving the challenge:

To solve this challenge, we need to decrypt the sent and received data in the csrftoken cookies.

First, the ID:

The encrypted ID was sent in the ICMP packets. Since it was XORed with a 2-byte KEY and we know the ID starts with “ID-”, XORing the first two ciphertext bytes with “ID” gives both KEY bytes (the third known byte, “-”, confirms them), and with the KEY we get the full ID. What we really need is the random 30-character part of this ID, used as the RC4 key.

After that we need to decrypt the csrftoken cookies:

We go through the same steps as the function cccccccccc:

  • We extract the csrftokens from the pcap.
  • We base64-decode the data.
  • We de-rotate it by subtracting the first (low) byte of KEY from every byte.
  • The result is a hex string, so we unhexlify it.
  • And then we use RC4 with that random part of the ID as the key to decrypt the data.
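The pipeline above (and the implant-side iiiiiiiii / xxxxxxx functions described earlier) as a worked example. This is added code, not the challenge binary or the author's solve script: it reimplements the ID XOR, the RC4 -> hex -> rotate -> base64 token, the matching decryption, and the known-plaintext recovery of KEY from the ICMP data. The ID alphabet, the little-endian byte order of KEY, and the sample KEY/ID/token are assumptions or constructed data; on the real pcap you would feed it the ICMP payload and the csrftoken values instead of the output of demo().

```python
import base64
import random
import string
from binascii import hexlify, unhexlify

# Assumption: the exact alphabet used by yyyyyyy is not reproduced on the page;
# alphanumerics are used only to build the constructed sample ID below.
ID_CHARSET = string.ascii_letters + string.digits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA over the key, then the PRGA keystream XOR-ed with data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_block(data: bytes, key: bytes) -> bytes:
    """xxxxxxx: repeating-key XOR of the ID with the 2-byte KEY."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rotate(data: bytes, delta: int) -> bytes:
    """rotate(KEY, Str): add delta (the low byte of KEY) to every byte mod 256.
    A negative delta undoes it (the de-rotate step of cccccccccc)."""
    return bytes((b + delta) & 0xFF for b in data)


def encrypt_token(msg: bytes, rc4_key: bytes, key: int) -> str:
    """iiiiiiiii (implant side): RC4 -> hex -> rotate -> base64."""
    hexed = hexlify(rc4(rc4_key, msg))            # RC4 output as a hex string
    return base64.b64encode(rotate(hexed, key & 0xFF)).decode()


def decrypt_token(token: str, rc4_key: bytes, key: int) -> bytes:
    """cccccccccc / the solver: base64 -> de-rotate -> unhex -> RC4."""
    rotated = base64.b64decode(token)
    hexed = rotate(rotated, -(key & 0xFF))
    return rc4(rc4_key, unhexlify(hexed))


def recover_key_and_id(icmp_data: bytes, known: bytes = b"ID-"):
    """Known-plaintext attack on the 2-byte repeating XOR.

    "ID" fixes both key bytes; the third known byte "-" only confirms them.
    Assumption: KEY is XOR-ed as stored in memory, i.e. little-endian.
    Returns (KEY as an int, the plaintext ID)."""
    k = bytes(icmp_data[i] ^ known[i] for i in range(2))
    plain = xor_block(icmp_data, k)
    if not plain.startswith(known):
        raise ValueError("payload does not decrypt to an 'ID-' prefix")
    return int.from_bytes(k, "little"), plain


def demo() -> dict:
    """Constructed end-to-end sample: the implant draws KEY and ID, sends the
    XOR-ed ID as ICMP data and an RC4 token in a cookie; the analyst recovers both."""
    rng = random.Random(2021)                      # constructed, deterministic
    key = rng.randrange(0, 32768)                  # rand()-style value, 0..32767
    ident = b"ID-" + "".join(rng.choice(ID_CHARSET) for _ in range(30)).encode()
    icmp_data = xor_block(ident, key.to_bytes(2, "little"))   # what zzzzzz sends
    cookie = encrypt_token(b"HELLO", ident[3:], key)          # csrftoken value

    rec_key, rec_id = recover_key_and_id(icmp_data)
    plain = decrypt_token(cookie, rec_id[3:], rec_key)
    return {"key_ok": rec_key == key, "id_ok": rec_id == ident, "plain": plain}


if __name__ == "__main__":
    print(demo())
```

The same decrypt_token() call, run over every csrftoken value pulled from the pcap (both the cookie sent by the implant and the Set-Cookie value returned by the server), yields the HELLO/ASK/IDLE handshake, the commands, and their output lines.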

Here is the encrypted ID in the ICMP packet data:

We extract the tokens:

And here is the script:

This is part of the output:

Mohammed Seddik Mehanneche