HackTheBox LicenseGenerator
https://app.hackthebox.com/challenges/529
Description
Arodor has been distributing promotional license keys to users across the world. We suspect that there could be some backdoor in this ‘special gift’ - can you investigate?
Exploitation
# Reassemble the payload of TCP stream 0 (non-empty segments only) into a raw binary:
# tshark emits each segment's payload as hex, xxd -r -p turns that back into bytes.
tshark -r ./capture.pcapng -Y "tcp.stream eq 0 and tcp.len > 0" -T fields -e tcp.payload | tr -d '\ ' | xxd -r -p > ./tcp_data.bin
import ctypes
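# Constants recovered from the LicenseGenerator binary (see the writeup above).
OBF_ARRAY = b'uwuxxowo'
SECOND_XOR = b'1t5_n0t_th4t_34sy_but_y0u_4r3_pr3tty_cl0s3:)'
PLUS = b'th1s_w1ll_sur3ly_k33p_th1s_pr0t3ct3d'


def _read_int(data: bytes, offset: int, size: int) -> int:
    """Return the little-endian integer of ``size`` bytes at ``offset``.

    Raises:
        ValueError: if fewer than ``size`` bytes remain. ``int.from_bytes`` on a
            short slice silently yields a small number, which the original
            script then used as a length without noticing the truncation.
    """
    chunk = data[offset:offset + size]
    if len(chunk) != size:
        raise ValueError(f'stream truncated at offset {offset}: wanted {size} bytes')
    return int.from_bytes(chunk, 'little')


def parse_c2_stream(data: bytes) -> tuple[bytes, int, bytes]:
    """Walk the reassembled C2 stream and return (c2_key, shell_len, encrypted_file).

    Layout, as walked by this parser: ``b'auth'`` marker, 1 skipped byte,
    8-byte C2 key, 1 skipped byte, 8 skipped bytes, u16le shellcode length,
    the shellcode itself (skipped), u32le file length, the encrypted file.
    The skipped bytes are not interpreted here; their meaning is not
    established by this script.

    Raises:
        ValueError: if the marker is missing or any field runs past the end of
            ``data``. The original script fell through to decoding garbage when
            the marker was absent and wrote a truncated file when the capture
            was short.
    """
    if data[:4] != b'auth':
        raise ValueError('auth marker not found at start of stream')
    offset = 4
    print('Found auth marker')
    offset += 1  # one-byte separator, not used by the decoder
    c2_key = bytes(data[offset:offset + 8])
    if len(c2_key) != 8:
        raise ValueError('stream truncated inside C2 key')
    offset += 8
    print(f'C2 key: {c2_key.hex()}')
    offset += 1 + 8  # one-byte separator plus an 8-byte field the decoder does not use
    shell_len = _read_int(data, offset, 2)
    offset += 2
    print(f'Shellcode length: {shell_len}')
    offset += shell_len  # the shellcode itself is not needed to recover the file
    file_len = _read_int(data, offset, 4)
    offset += 4
    print(f'Encrypted file length: {file_len}')
    encrypted_file = bytes(data[offset:offset + file_len])
    if len(encrypted_file) != file_len:
        raise ValueError(
            f'stream truncated: expected {file_len} file bytes, got {len(encrypted_file)}'
        )
    return c2_key, shell_len, encrypted_file


def derive_final_key(c2_key: bytes) -> bytearray:
    """Return the 8-byte per-session XOR key: OBF_ARRAY XOR the C2 key, bytewise.

    Raises:
        ValueError: if ``c2_key`` is not exactly ``len(OBF_ARRAY)`` bytes.
    """
    if len(c2_key) != len(OBF_ARRAY):
        raise ValueError(f'C2 key must be {len(OBF_ARRAY)} bytes, got {len(c2_key)}')
    return bytearray(a ^ b for a, b in zip(OBF_ARRAY, c2_key))


def decrypt_payload(encrypted_file: bytes, c2_key: bytes) -> bytearray:
    """Invert the three-layer transform applied to the exfiltrated file.

    Per byte at index ``i``: XOR with ``SECOND_XOR``, subtract ``PLUS`` modulo
    256, then XOR with the session key, each cycling over its own length.
    The layers act on each byte independently, so one pass is equivalent to
    the three sequential passes of the original script.

    Returns:
        The decrypted bytes; an empty ``bytearray`` for empty input.
    """
    final = derive_final_key(c2_key)
    n_xor, n_plus, n_final = len(SECOND_XOR), len(PLUS), len(final)
    out = bytearray(len(encrypted_file))
    for i, byte in enumerate(encrypted_file):
        byte ^= SECOND_XOR[i % n_xor]
        byte = (byte - PLUS[i % n_plus]) & 0xFF  # wrap like the original uint8 subtraction
        out[i] = byte ^ final[i % n_final]
    return out


def main() -> None:
    """Parse ./tcp_data.bin, decrypt the embedded file and write ./flag.png."""
    with open('./tcp_data.bin', 'rb') as f:
        data = f.read()
    print('Parsing C2 communication...')
    c2_key, _shell_len, encrypted_file = parse_c2_stream(data)
    print(f'Read {len(encrypted_file)} bytes of encrypted file')
    final = derive_final_key(c2_key)
    print(f'Final XOR key: {final.hex()}')
    decrypted_data = decrypt_payload(encrypted_file, c2_key)
    with open('./flag.png', 'wb') as f:
        f.write(decrypted_data)
    print('Saved as ./flag.png')


if __name__ == '__main__':
    main()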
Open the image to read the flag.
Summary
LicenseGenerator: recover the XOR transform from the binary and invert it to reveal the flag.