Title : [writeups] Hack Dat Kiwi - Gaychal (80)
Released : 2015-11-21 22:06:56 -0500

Challenge Description

Gaychal (Reversing)

I found some suspicious PHP code on my website. The code was attached to my theme's footer file. It's either the DRM of the theme, or a virus; however it's encoded and I can't figure it out. Do that for me please :)

http://c4c045.hack.dat.kiwi/reversing_exploiting/gaychal/gaychal.txt



After executing the code, we get the flag:


the flag is a8cc6eb651a10688e12779b1558193f8



Of course, this task is not as simple as that. The next step is to read the contents of the code directly. Once I did, I realized it is a multi-encoded string. So I created a program to automatically detect the type of encoding used and decode it. But in the middle of the process I hit an error: a few bytes cannot be decoded.


[@jamz!jAcer]: [~/www/pentest/ctf/kiwi]: php gaychal-eval-12.php
PHP Warning:  pack(): Type H: illegal hex digit z in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit m in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit  in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit ^ in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit r in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit � in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23
PHP Warning:  pack(): Type H: illegal hex digit ^ in /home/jamz/www/pentest/ctf/kiwi/gaychal-eval-12.php on line 23

So I modified the program to decode it, partly by hand, because I had to remove 12 bytes in the middle of the hash that cannot be decoded. This is my code:

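<?php
    // Append the fully decoded payload to the file 'gaychal-pack'.
    $fp=fopen('gaychal-pack','a');
    fwrite($fp,
    #echo substr(
        // Layers are undone from the innermost call outward; substr(...,12) skips the 12 bytes that cannot be decoded.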
        fgz(fgz(fgz(fgz(fgz(fgz(fgz(fpack(fgz(fhex2bin(fgz(fpack(fgz(fgz(fbdecode(fgz(fbdecode(fhex2bin(fbdecode(fpack(fgz(fpack(fbdecode(fbdecode(fbdecode(fbdecode(fbdecode(fpack(fpack(fpack(fpack(fbdecode(fbdecode(fbdecode(fgz(fgz(fhex2bin(fhex2bin(fgz(fpack(fbdecode(fhex2bin(fhex2bin(fgz(fpack(fhex2bin(fpack(fpack(substr(base64_decode(fpack(fpack(gzuncompress(base64_decode(file_get_contents('gaychal-base64')))))),12)))))))))))))))))))))))))))))))))))))))))))))))))
    );
    fclose($fp);
    
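    // Each helper strips one kind of eval() wrapper from the string and decodes its argument.
    // eval(hex2bin('...'));
    function fhex2bin($str){return hex2bin(str_replace(array("eval(hex2bin('","'",")",";"),"",$str));}
    // eval(base64_decode('...'));
    function fbdecode($str){return base64_decode(str_replace(array("eval(base64_decode('","');"),"",$str));}
    // eval(pack('H*','...'));
    function fpack($str){return pack('H*',str_replace(array("eval(pack('H*','","'));"),"",$str));}
    // eval(gzuncompress(base64_decode('...')));
    function fgz($str){return gzuncompress(base64_decode(str_replace(array("eval(gzuncompress(base64_decode('","')));"),"",$str)));}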

As you can see, I had to add a function to eliminate the 12 bytes that are not needed. After running it, I get the final code.


echo "the flag is ".md5("5+5=9<-- fix this"),PHP_EOL;


Yarp, then I fixed the result of 5+5 and then encrypted it to MD5.



echo "the flag is ".md5("5+5=10"),PHP_EOL;

the flag is c250ff31b4437f03e16f42d5ac07b993

Yarp, we got the flag :)

Flag: c250ff31b4437f03e16f42d5ac07b993
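
An added example, not the author's program: a Python sketch of the detect-and-decode loop described above, which peels the four eval() wrappers handled by the helper functions without executing any PHP. It also records how many leading bytes it had to skip before each wrapper (the write-up's code drops 12 bytes with substr(...,12)). The names peel, wrap and build_sample and the layered sample are constructed for illustration.

```python
import base64, binascii, re, zlib

# The four eval() wrappers handled by the write-up's fgz/fbdecode/fpack/fhex2bin helpers.
LAYERS = [
    ("gz", rb"eval\(gzuncompress\(base64_decode\('([^']*)'\)\)\);\s*\Z",
     lambda p: zlib.decompress(base64.b64decode(p))),
    ("b64", rb"eval\(base64_decode\('([^']*)'\)\);\s*\Z",
     lambda p: base64.b64decode(p)),
    ("pack", rb"eval\(pack\('H\*','([^']*)'\)\);\s*\Z", binascii.unhexlify),
    ("hex", rb"eval\(hex2bin\('([^']*)'\)\);\s*\Z", binascii.unhexlify),
]

def peel(data, max_layers=200):
    """Strip wrappers statically; return (payload, [(layer_name, skipped_prefix_len)])."""
    trail = []
    for _ in range(max_layers):
        for name, pattern, decode in LAYERS:
            m = re.search(pattern, data)
            if m:
                try:
                    data, skipped = decode(m.group(1)), m.start()
                except (binascii.Error, zlib.error, ValueError) as exc:
                    raise ValueError(f"layer {len(trail) + 1} ({name}) is corrupt: {exc}")
                trail.append((name, skipped))
                break
        else:
            return data, trail  # no wrapper left: this is the innermost code
    raise ValueError("max_layers exceeded")

def wrap(code, kind):
    """Build one constructed layer (sample data only)."""
    if kind == "gz":
        return b"eval(gzuncompress(base64_decode('" + base64.b64encode(zlib.compress(code)) + b"')));"
    if kind == "b64":
        return b"eval(base64_decode('" + base64.b64encode(code) + b"'));"
    fn = b"pack('H*'," if kind == "pack" else b"hex2bin("
    return b"eval(" + fn + b"'" + binascii.hexlify(code) + b"'));"

def build_sample():
    # Constructed sample: the innermost line is the one shown in the write-up.
    blob = b'echo "the flag is ".md5("5+5=9<-- fix this"),PHP_EOL;'
    for i, kind in enumerate(["hex", "pack", "b64", "gz", "pack", "gz"]):
        blob = wrap(blob, kind)
        if i == 2:
            blob = b"\x00\xffjunk-bytes" + blob  # 12 stray bytes before a wrapper
    return blob

if __name__ == "__main__":
    print(peel(build_sample()))
```

A non-zero skipped length in the trail marks the layer where bytes outside the wrapper were present, which is the spot to inspect by hand.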