Metasploitable 3
The King of Clubs
From the meterpreter session I got through the Elasticsearch vulnerability, I used the search command to look for files whose names start with king:
meterpreter > search -f king*
Found 5 results...
    C:\Windows\System32\kingofclubs.exe (824563 bytes)
    C:\vagrant\resources\flags\kingofclubs.exe (824563 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-150x150.png (46738 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds-214x300.png (130832 bytes)
    C:\wamp\www\wordpress\wp-content\uploads\2016\09\king_of_damonds.png (585695 bytes)
meterpreter > download kingofclubs.exe
[*] downloading: kingofclubs.exe -> kingofclubs.exe
[*] download   : kingofclubs.exe -> kingofclubs.exe
I examined the file; as expected it's a 32-bit Windows executable, and file also reports it as UPX compressed:
root@igor-kali:~/metasploitable3# file kingofclubs.exe
kingofclubs.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
root@igor-kali:~/metasploitable3# binwalk kingofclubs.exe
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
I ran it with wine:
root@igor-kali:~/metasploitable3# wine kingofclubs.exe
Could not load wine-gecko. HTML rendering will be disabled.
Could not load wine-gecko. HTML rendering will be disabled.
wine: configuration in '/root/.wine' has been updated.
Who are you? What is your true identity?
root@igor-kali:~/metasploitable3# wine kingofclubs.exe
Who are you? What is your true identity?
OK…hmmm....
I decompressed the UPX-packed executable, copied it to my Windows host and used OllyDbg to take a look at the code.
root@igor-kali:~/metasploitable3# upx -d kingofclubs.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    962291 <-    824563   85.69%    win32/pe     kingofclubs.exe
Once I had stepped past the whole ntdll module and into the kingofcl module, I noticed the stack was showing me some ASCII data that looked like the same header as the three_of_spades.png flag I had already done.
I ran a hexdump on the newly decompressed exe and searched for the characters I had found in three_of_spades.png (the PNG signature 89 50 4E 47 0D 0A 1A 0A XORed with 0x0f becomes 86 5F 41 48 02 05 15 05, hence the "_AH" string):
root@igor-kali:~/metasploitable3# hexdump -C kingofclubs.exe | grep -A 1 _AH
0003e000  86 5f 41 48 02 05 15 05 0f 0f 0f 02 46 47 4b 5d  |._AH........FGK]|
0003e010  0f 0f 0d 06 0f 0f 0d d6 07 09 0f 0f 0f 32 53 bd  |.............2S.|
So I ran my byte_xor.py script again with the same key, 0x0f:
root@igor-kali:~/metasploitable3# cat byte_xor.py
#!/usr/bin/python
# XOR every byte of the input file with the single-byte key 0x0f
# and write the result next to it as <input_file>.out
input_file = 'kingofclubs.exe'
output_file = input_file + '.out'
b = bytearray(open(input_file, 'rb').read())
for i in range(len(b)):
    b[i] ^= 0x0f
open(output_file, 'wb').write(b)
Now binwalk shows a PNG file at 0x3E000, the same offset my hexdump | grep found:
root@igor-kali:~/metasploitable3# binwalk kingofclubs.exe.out
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
253952        0x3E000         PNG image, 521 x 729, 8-bit/color RGBA, non-interlaced
254014        0x3E03E         Zlib compressed data, best compression
Now I use foremost to carve the file out:
root@igor-kali:~/metasploitable3# foremost kingofclubs.exe.out -o king_of_clubs
Processing: kingofclubs.exe.out
|*|
root@igor-kali:~/metasploitable3# file king_of_clubs/png/00000496.png
king_of_clubs/png/00000496.png: PNG image data, 521 x 729, 8-bit/color RGBA, non-interlaced
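The steps above (spot the XORed PNG signature, XOR the whole file, run binwalk, carve with foremost) can be folded into one script. The following is an added example and is not the author's byte_xor.py or anything shipped with Metasploitable 3. It generalizes the manual approach: instead of assuming the key is 0x0f, it tries all 256 single-byte keys against the known PNG signature, then carves the image by walking the PNG chunk structure and checking each chunk's CRC until IEND, so a false hit is rejected rather than carved. The blob it scans is constructed inline (a tiny generated PNG XORed with 0x0f and surrounded by filler) so the script runs offline; pass a real file path instead to use it on a downloaded flag.

```python
#!/usr/bin/env python3
"""Find and carve a single-byte-XOR-obfuscated PNG from an arbitrary blob.

Added example; not the original post's code. The sample blob below is
constructed here for demonstration, not taken from kingofclubs.exe.
"""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (same idea as byte_xor.py)."""
    return bytes(b ^ key for b in data)


def find_xor_png(data: bytes) -> list:
    """Return (offset, key) pairs where data XOR key starts with the PNG signature.

    Known-plaintext search: the 8-byte signature is fixed, so each candidate
    key yields one 8-byte pattern to look for. 0x00 covers an unobfuscated PNG.
    """
    hits = []
    for key in range(256):
        pattern = xor_bytes(PNG_SIG, key)
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, key))
            start = idx + 1
    return hits


def carve_png(decoded: bytes, offset: int) -> bytes:
    """Walk PNG chunks from offset, verifying each CRC, and return bytes up to IEND.

    Raises ValueError on a missing signature, a truncated chunk or a CRC
    mismatch, which is how a false signature hit gets rejected.
    """
    if decoded[offset:offset + 8] != PNG_SIG:
        raise ValueError("no PNG signature at offset %#x" % offset)
    pos = offset + 8
    while True:
        if len(decoded) < pos + 8:
            raise ValueError("truncated chunk header at %#x" % pos)
        length, ctype = struct.unpack(">I4s", decoded[pos:pos + 8])
        body = decoded[pos + 8:pos + 8 + length]
        crc_bytes = decoded[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated %r chunk at %#x" % (ctype, pos))
        (crc,) = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk at %#x" % (ctype, pos))
        pos += 12 + length
        if ctype == b"IEND":
            return decoded[offset:pos]


def png_dimensions(png: bytes) -> tuple:
    """Width and height from the IHDR chunk (big-endian, right after the signature)."""
    return struct.unpack(">II", png[16:24])


def recover(blob: bytes) -> list:
    """All verified PNGs hidden in blob as (offset, key, png_bytes)."""
    found = []
    for off, key in find_xor_png(blob):
        try:
            found.append((off, key, carve_png(xor_bytes(blob, key), off)))
        except ValueError:
            continue  # signature matched by chance; chunk walk disproved it
    return found


def make_png(width: int, height: int, rgba: tuple) -> bytes:
    """Build a minimal valid 8-bit RGBA PNG of one solid colour (test data only)."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + \
            struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    raw = b"".join(b"\x00" + bytes(rgba) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw, 9)) + chunk(b"IEND", b"")


# Constructed sample: 2-byte "MZ" stub + 200 bytes of filler, then the PNG XORed with 0x0f.
SAMPLE_PNG = make_png(3, 2, (255, 0, 0, 255))
SAMPLE_BLOB = b"MZ" + bytes(range(200)) + xor_bytes(SAMPLE_PNG, 0x0F) + b"\x00" * 64

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for off, key, png in recover(data):
        w, h = png_dimensions(png)
        name = "carved_%x_key%02x.png" % (off, key)
        open(name, "wb").write(png)
        print("PNG at %#x, key 0x%02x, %dx%d, %d bytes -> %s" % (off, key, w, h, len(png), name))
```

Because the carve stops exactly at IEND and validates every CRC, the output is the image and nothing else, whereas foremost's generic carving may trail padding or miss a file whose chunks it cannot delimit. Multi-byte repeating keys are outside what this script handles; for those the same known-plaintext trick works, but you would recover one key byte per signature position.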
Ready to party!
And that's it! All 15 flags done!
I won second place 😃
The results are in for the #Metasploitable3 CTF. Check out the winners: https://t.co/Yv7gaKcjUS— Rapid7 (@rapid7) January 4, 2017