i18 Challenge - Part 2

5: Lett fluidmekanikk

An executable file.
Clue one: The program also accepts the password as an argument.
Clue two: The password exists (perhaps) in a dictionary.

We get an executable file asking for a password. Enter the wrong one and it quits. I’m a complete beginner in Reverse Engineering but I have enjoyed a few tutorial videos so let’s jump right in with Immunity.

Now the goal is to find a way to bypass the login system. If we check the other strings we can see a password!

If we try it though, the program just trolls us and shows “Good job! Incorrect password, though.” before exiting.

The important part to look for now are the JNZ:

We see several JNZ, and if we check the one right after the fake password trolling, it goes to 008B172B. So this is the exit of the program. What about the correct answer though?

In this screenshot, we can see that right before the Correct line, we have a jump happening that goes to 008B171E which is the Incorrect option and then the program exit. So by simply replacing the assembly of this jump with JZ, we bypass the verification system as now it will avoid the jump if the password is NOT the right one and give us the Correct answer!

6: For the record…

This is just to look up.
Clue one: For example, in a distributed, hierarchical directory service.
Clue two: challenge.i18.no. CLASS1 TYPE16

The look up part gave it up kind of for me. I started directly looking for a DNS recon using nslookup:

Now I checked all the possible record types: A, MX, and TXT.

In the TXT records we find the answer!

7: Not quite a 0day

Another executable file. Apparently vulnerable, by the file name to judge. Hmm.
Clue one: The task can be solved in several ways.
Clue two: Some features of C can make your program vulnerable if you use them incorrectly.
Clue three: Look for square brackets and align in ascending order.

I spent a long time on this one. I thought it would be another Reverse Engineering job so started to look at the program in Immunity, but for almost 2hrs I couldn’t find anything. I checked the first two clues which confused me even more so after another half an hour of googling about C vulnerabilities, I checked the last clue. It said to look for square brackets, so I did just that in Immunity.

Found 13 lines of them and after ordering them, the letters contained in each bracket make up the line “hacktheplanet”.

Probably the weirdest challenge so far, very puzzle / CTF-like.

8: På riktig bølgelengde

Clue: Things are not always as they appear.

We just got this image. After doing a little bit of info recon on the file itself, not much comes up except the size of it for such a small image. So that and the clue tells me that something is up.

After a little bit of research, I find this useful article about hidden files in images. One important information is that in the HEX, a jpg has the terminating byte of ffd9. If we search for it with:

We see that there is still a lot going on after the ffd9 where it should have ended. We have “4944 3303” as the following bytes, and with a quick google search we find out that it is the initial bytes of an MP3 file. Still thanks to the previous article, we know that we can use the dd command to extract it. But first we need to find the offset in an hex editor. I used Bless Hex Editor which has a nice and simple GUI. I found the offset “0x3BD8” where the MP3 file starts:

Still according to the article linked above: “dd only takes decimal values, so we convert the hexadecimal location from hex to decimal”. Which gives us the decimal 15320. Now we can run the dd command:

The file is created but after that I have been lost for too long. I can’t find a way to make this MP3 work so I gave up for now, and I’ll probably come back to this challenge later. If anyone spots an obvious mistake I made, please contact me!

See you for part 3!