Flare-On 2015 Challenge 3
For challenge 3 the archive extracts to a file called elfie. Immediately I thought it would be a Linux challenge, as Linux executables are ELF files. But die (Detect It Easy) shows something else: it is a PE, a regular Windows executable. So I renamed it to elfie.exe and an application icon shows up. Examining the executable in Resource Hacker shows a higher-resolution version of the icon.
The icon itself is already a hint. The snake on it looks a lot like a python. A reverse image search on the logo will probably lead you to the PyInstaller website. With strings the Python connection can be confirmed.
So this is actually a Python application in disguise. Generally this is done to make Python applications available on platforms where Python is not usually installed, in this case Windows.
Running the executable, to see what it expects as input, reveals a goat.
The title of the window is “Look inside you can find one there”, so obviously the original Python code for this application has to be recovered. There is a really good project that unpacks PyInstaller executables: it is called python-exe-unpacker and is available on GitHub. After installing it, it can be used to extract the executable.
I also do this with challenges such as Hack The Box, in which tools can be quite machine-specific. It is always good to have the exact version of the tool used at the time you solved something.
The unpacked structure has some interesting files, such as elfie.exe.manifest. Every packed application requires an entry point; in the case of this executable it is elfie. Looking at the elfie file shows that it is ASCII and at first glance it looks like a mistake: there are many lines of encoded data and variable assignments. The encoding is Base64.
At the end of the file a familiar Python statement shows up, import base64, followed by an exec instruction. In order to get the actual source code the exec can be replaced by a
This inner script was actually programmatically obfuscated using a simple AST (Abstract Syntax Tree) obfuscator. I originally got interested in Python obfuscation after the first pure Python backdoor I had to analyze that weighed in at a few thousand lines of decently obfuscated Python. It was obvious that the malware authors had somehow programmatically modified the structure of their code as well as their variable names. After being on the receiving end, creating this flare-on challenge was a fun way to explore AST obfuscation. If you’re interested in learning more, Jurriaan Bremer wrote a really excellent blog post and has some working code to get you started playing with ideas: hxxp://jbremer.org/Python-source-obfuscation-using-asts/
The source code is all on one single line, but can be viewed nicely in a decent editor. Scrolling through it, a string that looks like a key catches the eye.
The key is reversed, so undoing that operation reveals the real key. It can be pasted into the goat window and after hitting Enter the goat offers its congratulations.
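Replacing exec with print means running part of the sample. As an added example (not from the original write-up or the challenge), the script below instead peels the base64/exec wrapper described above statically, by walking the AST and evaluating only literals, literal-bound names and base64.b64decode, and then reports any "<literal>"[::-1] expression so a reversed key like the one found in the inner script is recovered without executing anything. It assumes the wrapper uses exec(...) call syntax (Python 3 parses it; the 2015 sample was Python 2, whose exec statement would need a one-line rewrite first), Python 3.9+ for ast.unparse, and a constructed two-layer sample with a placeholder key.

```python
import ast
import base64

def _literal_env(tree):
    """Module-level names bound to str/bytes literals (the payload assignments)."""
    return {n.targets[0].id: n.value.value for n in tree.body
            if isinstance(n, ast.Assign) and len(n.targets) == 1
            and isinstance(n.targets[0], ast.Name) and isinstance(n.value, ast.Constant)
            and isinstance(n.value.value, (str, bytes))}

def _resolve(node, env):
    """Evaluate literals, literal-bound names and base64.b64decode() only; refuse the rest."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id]
    f = getattr(node, "func", None)  # only set on ast.Call nodes
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "base64" and f.attr == "b64decode" and len(node.args) == 1):
        return base64.b64decode(_resolve(node.args[0], env))
    raise ValueError("refusing to evaluate: " + ast.dump(node))

def peel_exec_layers(source, max_layers=32):
    """Return [outer, inner, ...] sources, stopping when no exec(...) call remains."""
    layers = [source]
    for _ in range(max_layers):
        tree = ast.parse(layers[-1])
        calls = [n for n in ast.walk(tree) if isinstance(n, ast.Call)
                 and isinstance(n.func, ast.Name) and n.func.id == "exec"]
        if not calls:
            break
        inner = _resolve(calls[0].args[0], _literal_env(tree))
        layers.append(inner.decode() if isinstance(inner, bytes) else inner)
    return layers

def reversed_literals(source):
    """Return the un-reversed value of every "<literal>"[::-1] in the source."""
    out = []
    for n in ast.walk(ast.parse(source)):
        s = getattr(n, "slice", None)
        if (isinstance(n, ast.Subscript) and isinstance(n.value, ast.Constant)
                and isinstance(n.value.value, str) and isinstance(s, ast.Slice)
                and s.lower is None and s.upper is None
                and s.step is not None and ast.unparse(s.step) == "-1"):
            out.append(n.value.value[::-1])
    return out

# Constructed sample: a key check wrapped in one base64/exec layer, in the style of elfie.
INNER_SCRIPT = 'key = "moc.elpmaxe@yek_elpmas"[::-1]\n'  # placeholder key, not the real one
OUTER_SCRIPT = "import base64\nZZZ = %r\nexec(base64.b64decode(ZZZ))\n" % base64.b64encode(INNER_SCRIPT.encode()).decode()
```

Run peel_exec_layers on the extracted elfie entry point and feed the last layer to reversed_literals; a layer that uses something other than base64.b64decode raises instead of being executed, which is the point.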