LabyREnth 2017 BOSS Challenge

After completing all the main tracks. You will face the greatest challenge of all… the boss challenge.

Puzzle: You take a look around. The goblin king himself blocks your way, holding your greatest challenge yet. Can you defeat him? 7z Password: labyrenth Hint: Sorrow is knowledge: they who know the most Must mourn the deepest o’er the fatal truth, The Tree of Knowledge is not that of Life. Author(s): @danielvx

Filename: TOSLoader.exe (Extracted)

Password: labyrenth (to 7z file)

Hash: C00E7CF40B88656B08EFDC7BBB270F4AA02E5D61(SHA1)

Executing the program shows you this…

Let’s use IDA Pro on the binary…

Seems packed to me… even strings are not showing me anything useful

Let’s try running the program in debugger and see what we can observe…

For a start I set a breakpoint at ExitProcess and do a dump of the executable in memory (Especially on memory regions with executable permission).

Loading the dump in IDA Pro we can see more stuff. I can see STARS followed by a call EAX as shown below… scrolling down further we can see TOS_??? string.

so what is EAX? Looks like its calling WriteFile

Stepping down further… we can see some strings…. and a call to GetEnvironmentVariableA

Let’s set a breakpoint at GetEnvironmentalVariableA and see what it is trying to retrieve… and lets try to make the request succeed… and we will soon realize that the code is simply looking for Environment Variable (Name is TOS_??? with David Bowie’s lyrics as its value) on the host else ExitProcess will be called.

Hypothesis #1

My hypothesis is that if the required environment variables are found on the host… We will eventually get the flag. Simple =) There are a few options here

  1. Manually set the variable on the host
  2. Debug the program so that it thinks that the variable exists
  3. Give up

You might be wondering what are the stars? Are there in anyway related to a song lyrics? I have no idea =(

Let just give what the program want and see what happen next…

Crap it’s asking for more… After trying a few more of manually setting environment variables I came up with another hypothesis…

Hypothesis #2

The program checks for environment variables on the host and if the correct sequence of whether the variable exists or not the program will spit out the flag!

Since we do not know the length of the sequence to unlock the flag… doing it manually seems to be impossible and naive for a boss challenge. Till now I have not figured out the correlation of the stars and the lyrics. So heck it I am just going to brute force.

To brute force I have 2 options

  1. Get my minifigs to line up and start typing environment variables into the host
  2. Write a debugger to automate this process

I am lazy… so I plead to my minifigs… 404 they replied.

Fine I shall do it my way with my python debugger. These minifigs are way too lazy.

set the breakpoint before environment variable return to the user code. Modify the registers accordingly (if I want it to be registered as existed or not).

We need to fill in a correct string and the string length to simulate successful read of an environment variable. Question is how do we know what string to put into? Turns out that there is no fix offset from the stack or memory that I can used to determine the string… But one thing for sure… the program will do a comparison. So let’s do some shell code hunting. Before that we need to know some addresses.

The above stack shows
1. where the function returns to after calling GetEnvironmentVariableA
2. the requested variable name
3. the output buffer address

Using the return address we can scan for shell codes to locate the compare instructions and then locate the string it is trying to compare to… the string is then fed into output buffer and the string length into EAX just before the return is called (GetEnvironmentVariableA) as shown below.

So let’s write a simple bruteforcer (recursive) that spits out binary like 1010101 with 1 meaning I want GetEnvironmentVariableA to be found and 0 to mean not found. I shall then scan the output for PAN. After exhausting all my inputs nothing found… what could be wrong? After analyzing my log file and see the output generated by the program…

Wait….what…. i see a http link

Output from BOSS 1:

Holy shit! Peeking into the binary I realised it’s the same thing but different lyrics used for environment variable… what! Layering!

Hypothesis #3

Hypothesis #2 but multiple layers

So I modify the code above to include http instead of just PAN

Let’s fire up my super buggy debugger on this binary (remember to disable dll relocation)…. yes! We got a hit… another http… 

Output from BOSS 2:

Output from BOSS 3:

After a few minutes into bruteforcing…

Output from BOSS 4: PAN{dd864aebeeba3e125dce2e111e6ea04fb759333409a87da8e7bd413b3e36105b} Lo and behold… We got the flag!

And here is Mr Gold coming out of his pent house celebrating! Everything is awesome!

Signing Off

Leave a Reply

Your email address will not be published. Required fields are marked *