Flare-On 5 CTF WriteUp (Part 2)


This is part 2 of the Flare-On 5 CTF writeup series.

4 - binstall

It is time to get serious. Reverse Engineering isn't about toys and games. Sometimes it's about malicious software. I recommend you run this next challenge in a VM or someone else's computer you have gained access to, especially if they are a Firefox user.

Similar to the last challenge, binstall.exe is a .NET PE. However this time it has been obfuscated using ConfuserEx.

4-1

All original method names are removed and the strings are encrypted. Running de4dot gives a somewhat cleaner assembly.

4-2

Strings are still encrypted. For example, ExpandEnvironmentVariables takes a string argument which is decrypted at runtime. de4dot supports string decryption if you give it the method token of the decrypter. However, the author was not able to get it to work, likely because the decryptor methods were generic, which de4dot doesn't seem to support.

Decryption of strings is not a priority, since we can always debug the binary and read the strings at runtime. However, let's do it anyway. ConfuserEx being quite a popular obfuscator, there are many public (and private) deobfuscators, sparing us from writing our own decrypter. A tool named "ConfuserEx Static String Decryptor" was able to decrypt all the strings, giving the clean assembly shown below.

4-3

Analyzing binstall.exe

With the obfuscation out of the way, let us begin the analysis. Main first calls smethod_7. Note that this is not the original name of the method: the obfuscator stripped the original method names, and since de4dot cannot recover them it generates names from the method signatures.

4-4

smethod_7 calls smethod_3, smethod_2 and smethod_4.

4-5

smethod_2 opens the Firefox profiles.ini file and removes all occurrences of the string Path=Profiles/ from it. It also clears the Firefox cache.

Similarly, smethod_3 clears the Chrome browser cache.

4-6

smethod_0 and smethod_1 are helper methods to delete a directory and a file respectively.

Lastly, smethod_4 clears the Internet Explorer cache.

4-7

Going back to Main the next call is to smethod_5 with path constructed from the %APPDATA% environment variable and ending in browserassist.dll.

4-8

smethod_5 decodes a piece of base64 encoded data and decrypts it by xoring it with 0x33. The decrypted data is written to the file browserassist.dll.

Lastly, Main calls smethod_6.

4-9

This method adds browserassist.dll to the AppInit_DLLs registry value. AppInit_DLLs is a list of dynamic-link libraries (DLLs) that user32.dll loads into the address space of every process that links against it, so every time a GUI application starts, browserassist.dll is loaded into it as well. This is a classic malware persistence and injection technique, which is why the value (together with LoadAppInit_DLLs, which must be 1 for the list to be honoured) is worth checking when triaging a machine. Note that on Windows 8 and later the mechanism is disabled entirely when Secure Boot is enabled, so the challenge is best reproduced in a VM where that is not the case.
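The following script is an added example, not code from the original write-up, for triaging the persistence that binstall.exe leaves behind. It works offline from the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"` and flags an AppInit_DLLs entry that points into a user-writable directory, as the dropped browserassist.dll under %APPDATA% does. The registry snapshot embedded below is constructed for the demo; the user name and path are made up, and the column layout assumes the standard `reg query` format of four-space-separated name, type and data.

```python
"""
Added example: triage an AppInit_DLLs persistence entry from `reg query` output.

Relevant values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
  AppInit_DLLs               REG_SZ     space- or comma-separated DLL paths
  LoadAppInit_DLLs           REG_DWORD  1 = user32.dll loads the list, 0 = ignored
  RequireSignedAppInit_DLLs  REG_DWORD  1 = only code-signed DLLs are loaded
"""
import re
import sys
from typing import Dict, List

# CONSTRUCTED sample: what the dropper's registry change looks like on a test VM.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\Users\victim\AppData\Roaming\browserassist.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    RequireSignedAppInit_DLLs    REG_DWORD    0x0
"""

# Directory markers an unprivileged user can write to. A DLL here that gets
# mapped into every GUI process is a strong persistence indicator.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# `reg query` prints values as: <indent>Name<spaces>REG_TYPE<spaces>data
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Turn the value lines of `reg query` output into a name -> data mapping."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = data.strip()
    return values


def split_dll_list(appinit: str) -> List[str]:
    """AppInit_DLLs entries are separated by spaces or commas (paths with spaces
    are normally given as 8.3 short names, so splitting on spaces is safe)."""
    return [p for p in re.split(r"[ ,]+", appinit.strip()) if p]


def triage_appinit(values: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the AppInit_DLLs configuration."""
    findings: List[str] = []
    dlls = split_dll_list(values.get("AppInit_DLLs", ""))
    if not dlls:
        return findings  # nothing registered, nothing to report
    load = int(values.get("LoadAppInit_DLLs", "0x0"), 16)
    signed = int(values.get("RequireSignedAppInit_DLLs", "0x0"), 16)
    if load == 1:
        findings.append("LoadAppInit_DLLs=1: listed DLLs are injected into every process that loads user32.dll")
    else:
        findings.append("LoadAppInit_DLLs=0: entries present but currently not loaded (still remove them)")
    if signed == 0:
        findings.append("RequireSignedAppInit_DLLs=0: unsigned DLLs are accepted")
    for dll in dlls:
        low = dll.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append(f"{dll}: lives in a user-writable directory, not System32")
        elif not low.startswith(("c:\\windows\\", "c:\\program files")):
            findings.append(f"{dll}: outside Windows and Program Files")
    return findings


if __name__ == "__main__":
    # Usage: reg query "HKLM\...\Windows" > appinit.txt ; python appinit_triage.py appinit.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    for finding in triage_appinit(parse_reg_query(text)):
        print("-", finding)
```

Run without arguments it triages the constructed snapshot; pass the saved `reg query` output of a suspect machine to triage that instead. On a clean system the AppInit_DLLs value is empty and the script prints nothing.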

Extracting browserassist.dll is easy: either copy the base64 text and decode it ourselves, or run the malware in a virtual machine and copy the dropped DLL from %APPDATA%.
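The script below is an added example, not part of the original write-up, that performs the static route just described: base64-decode the embedded blob, undo the single-byte XOR with 0x33, and sanity-check that the result looks like a PE file before writing it out. The embedded blob is a constructed test vector (a minimal fake DOS/PE header run through the same XOR and base64), not the real payload from binstall.exe; run it against the blob copied out of the decompiled binary to get the actual DLL.

```python
"""
Added example: recover a dropped payload that was stored as base64(xor(data, 0x33)).
XOR with a single byte is its own inverse, so decoding is decode-then-XOR again.
"""
import base64
import sys


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (works for encoding and decoding)."""
    return bytes(b ^ key for b in data)


def decode_payload(blob_b64: str, key: int = 0x33) -> bytes:
    """Base64-decode the dropper's blob and strip the XOR layer binstall.exe applies."""
    encrypted = base64.b64decode(blob_b64, validate=True)
    return xor_bytes(encrypted, key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: 'MZ' DOS magic and e_lfanew pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_sample_blob() -> str:
    """CONSTRUCTED test vector: a 0x44-byte fake PE header, XOR 0x33, base64-encoded."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return base64.b64encode(xor_bytes(bytes(header), 0x33)).decode("ascii")


if __name__ == "__main__":
    # Usage: python extract_dll.py <blob.b64> <out.dll>; with no arguments, run on the sample.
    if len(sys.argv) == 3:
        blob = open(sys.argv[1]).read().strip()
    else:
        blob = make_sample_blob()
    dll = decode_payload(blob)
    print(f"decoded {len(dll)} bytes, PE signature {'OK' if looks_like_pe(dll) else 'MISSING'}")
    if len(sys.argv) == 3 and looks_like_pe(dll):
        with open(sys.argv[2], "wb") as f:
            f.write(dll)
```

If the PE check fails on real input, the usual culprits are a different XOR key or a blob copied with the surrounding quotes and string concatenation still attached; inspect the first bytes of the decoded output rather than trusting the file extension.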

Analyzing browserassist.dll

As its name suggests, browserassist.dll is presumably intended to be loaded into a web browser. However, being registered as an AppInit DLL, it gets loaded into every GUI application. Naturally, the DLL is likely to check whether it is running in the intended process before it begins its operations.

Analyzing the disassembled code, there is indeed a call to GetModuleFileNameA to retrieve the full path of the executable of the process in which the DLL is loaded.

4-10

The filename is then passed to a function which computes a hash over it. To proceed, the hash must equal 0x4932B10F.

4-11

The hashing algorithm is simple; its decompiled code is shown below.

4-12-1

We can reimplement the same algorithm in C.

4-13-1

For the string "firefox.exe" this yields exactly the hash the DLL expects. This explains why the challenge description recommends running this on a system where Firefox is installed.

$ gcc hash.c -o hash
$ ./hash firefox.exe
firefox.exe -> 4932B10F

If the hash matches, it compares the file version info.

4-14

In particular, the major version must be less than 55. If all of the conditions are met, it starts a thread. The thread function constructs a string on the stack byte by byte.

4-15

The string is then XORed with 0xD7.

4-16

The XORed string is passed to another function which appears to decrypt something.

4-17

Dynamic Analysis

At this point, let us switch to dynamic analysis. We install an old version of Firefox, such as 34.0 from https://ftp.mozilla.org/pub/firefox/releases/34.0/win32/en-US/, in a virtual machine. Running binstall.exe drops browserassist.dll and adds it to the list of AppInit DLLs. We can now start Firefox under x32dbg configured to break on DLL load, so that the debugger pauses whenever a new module is loaded. Once browserassist.dll is loaded, set a breakpoint on the CryptDecrypt call.

When the breakpoint is hit, stepping over the call gives us the decrypted data.

4-18

The decrypted data looks to be a URL, pastebin.com/raw/hvaru8NU. Navigating to the URL we find another base64 blob.

4-19

That data is encrypted too, and the same CryptDecrypt call decrypts it.

4-20

Analyzing the injected code

We can dump the decrypted data to a text file for further analysis. Formatting it with a JSON beautifier we get the following.

4-21

which when displayed in a tree view looks like

4-22

Essentially the JSON is a webinject config. Visiting any URL beginning with flare-on.com causes JavaScript code to be injected into the matching script files: controller.js, model.js and view.js.

http://flare-on.com/ is the homepage of the FLARE challenges. It is modelled on a Linux shell and supports commands like ls and cd to navigate.

4-23

If we take a diff between the original JS files (by fetching the URLs in a clean browser) and the modified ones, we can quickly zero in on the changes.

4-24

A new command su is added in controller.js, but executing it requires a password, which is checked by the function cp in the same file.

4-25

The code is lightly obfuscated. After formatting and simplifying it we get

4-26

The root password is k9btBW7k2y. However, typing the password at the su prompt does not give us the flag. Looking again at the diff, we find that the changeDir function is modified too.

4-27

On every cd command it checks whether the directory name matches something. Running that check separately, we find that the directory name is key.

4-28

Navigating to the directory and typing ls gives us the flag.

4-29

FLAG: c0Mm4nD_inJ3c7ioN@flare-on.com

Continue with the next part: Flare-on 5 CTF Write-up (Part 3)



Barun

Reverse Engineer with an interest in low level stuff and anything about security.
