Author: Kaizen69

https://www.facebook.com/NotKaizen

Wargames.MY CTF 2018: QuickMEH Writeup

QuickMEH.exe: https://www.dropbox.com/s/gb1279diou0ixbh/quickmeh.exe?dl=0 Hash: F55AEF2B0C5E5CD2FE89CE0556832D19750B11CF58ABCA02169D4F496C372287 First we check exe in exeinfope and we found no packer. Then we run the exe and see the text “quickmeh.exe flag ”… Read more “Wargames.MY CTF 2018: QuickMEH Writeup”

by Kaizen69

Wargames.MY CTF 2018: WASM Writeup

Screenshot_1
Write-up:

We were given a html file containing javascript code. That seems interesting, so we take a further look into it.

 var bin = new Uint8Array([0,97,115,109,1,0,0,0,1,138,128,128,128,0,2,96,0,1,127,96,1,127,1,127,3,131,128,128,128,0,2,0,1,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,163,128,128,128,0,3,6,109,101,109,111,114,121,2,0,14,103,101,116,73,110,83,116,114,79,102,102,115,101,116,0,0,5,109,111,114,112,104,0,1,10,148,129,128,128,0,2,132,128,128,128,0,0,65,16,11,133,129,128,128,0,1,6,127,2,64,32,0,65,1,72,13,0,65,0,33,3,3,64,32,3,65,208,0,106,34,1,32,3,65,16,106,45,0,0,34,4,58,0,0,2,64,32,3,65,1,72,13,0,65,0,33,5,32,3,33,6,2,64,3,64,32,4,32,6,65,15,106,45,0,0,115,33,4,32,6,65,2,72,13,1,32,6,65,127,106,33,6,32,5,65,4,72,33,2,32,5,65,1,106,33,5,32,2,13,0,11,11,32,1,32,4,58,0,0,11,32,3,65,1,106,34,3,32,0,71,13,0,11,11,65,208,0,11]);
    var m = new WebAssembly.Instance(new WebAssembly.Module(bin));
    var offset = m.exports.getInStrOffset();
    var flag = prompt("teh flag?");
    var strBuf = new TextEncoder().encode(flag.slice(0, 64));
    var inBuf = new Uint8Array(m.exports.memory.buffer, offset, strBuf.length);
    for (let i = 0; i < strBuf.length; i++) {
        inBuf[i] = strBuf[i];
    }
    var morph = m.exports.morph(strBuf.length);
    var outBuf = new Uint8Array(m.exports.memory.buffer, morph, strBuf.length);
    if (btoa(new TextDecoder().decode(outBuf)) === "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ") {
        document.write("congratz!");
    } else {
        document.write("nope!");
    }

We can see that the code compare the base64 encoded of the output buffer to a string "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ". So let decode the base64 to see what we have. We use this :

var decc = new TextEncoder().encode(atob(“dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ”));
document.write(decc)

We got this : “119,16,125,4,127,17,85,19,10,27,83,79,35,117,50,56,84,72,39,34,78,108,6,93,94,65,124,13,65,9”

Hmmmh interesting so we compare that to the output buffer generated base on the flag we type in.
We know that the flag format is “wgmy{}” so the outbuf is “119,16,125,4,127,2”
We notice that the first 5 character have the same number as decoded base64
So we know that we can brute force it. And we got the flag: wgmy{n3!th3r_w3b_n0r_@553mb1y}

by Kaizen69