Wargames.my 2017 monthly Challenge (January)

The Question.
For the January 2017 Challenge, take a look at this
+++ bankgroup.us +++
The hint from our crew: The fundamental.
Find the flag and make a good, readable writeup for our crew. Send it to wgmy2016@gmail.com
Have fun and enjoy! Do note that excessive usage of any automated scanner is not allowed!



Because of the hint "fundamental", I tried nslookup, whois, and dig.
No interesting outcome for nslookup and whois, but something interesting on dig.
I tried dig bankgroup.us TXT:
aj69@srv:~# dig bankgroup.us +noall +answer ANY

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> bankgroup.us +noall +answer ANY
;; global options: +cmd
bankgroup.us.           3788    IN      HINFO   "Please stop asking for ANY" "See draft-ietf-dnsop-refuse-any"

It warns not to use ANY, so I went straight for the TXT section, hoping to find something there.
root@srv:~# dig bankgroup.us +noall +answer TXT
; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> bankgroup.us +noall +answer TXT
;; global options: +cmd
bankgroup.us.           299     IN      TXT     "N3q8ryccAASpcFcnsAAAAAAAAAA1AAAAAAAAAOOaNWJd7k4PCFF/aUiqAKhV/q9uV8Qm51pm+GJ7TUy7ofBPHvcz6ZcmIeRv6dH3Ts/mpF6hHldwnakFMsrole1lTb4vjz0jbyEyGW69sZb0d/p5E5UPEJFitc1SUu5AWOII4d2kOUsaO+8yqB4QBrlzZnzzRTXncrDJMn7GYY/Zm4DuLTlQyisTAm072O27wJS3ChzEPcozQ+htBTk4n7T1+YA" "Wt36dV7hb7R3z96Pm9VDiXhcGMAEJgIAABwsBAAIkBvEHAQpTBzOpWSfwSpXaIwMBAQVdABAAAAEADHyAlgoB4Q5axwAA"
bankgroup.us.           299     IN      TXT     "v=spf1 mx a ip4:8.8.8.8/24 a:nasikakwok include:domainengkau -all"

That is the interesting part: base64, and also nasikakwok and domainengkau.
The base64 is in 2 parts, so I just joined them, decoded it to hexadecimal, then saved it as an ayam2.7z file.
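An added example (not from the writeup) that automates the two steps above: it parses dig's TXT answers, joins the 255-byte quoted chunks, base64-decodes any record that looks like base64 (the SPF record is skipped), and reads the 7z signature header to confirm the blob really is an archive. The dig lines are the ones printed above, embedded as sample input.

```python
import base64
import binascii
import re
import struct

# Sample input: the two TXT answers printed by dig above (the first is split in two quoted chunks)
DIG_TXT = (
    'bankgroup.us.           299     IN      TXT     "N3q8ryccAASpcFcnsAAAAAAAAAA1AAAAAAAAAOOaNWJd7k4PCFF/aUiqAKhV/q9uV8Qm51pm+GJ7TUy7ofBPHvcz6ZcmIeRv6dH3Ts/mpF6hHldwnakFMsrole1lTb4vjz0jbyEyGW69sZb0d/p5E5UPEJFitc1SUu5AWOII4d2kOUsaO+8yqB4QBrlzZnzzRTXncrDJMn7GYY/Zm4DuLTlQyisTAm072O27wJS3ChzEPcozQ+htBTk4n7T1+YA" '
    '"Wt36dV7hb7R3z96Pm9VDiXhcGMAEJgIAABwsBAAIkBvEHAQpTBzOpWSfwSpXaIwMBAQVdABAAAAEADHyAlgoB4Q5axwAA"\n'
    'bankgroup.us.           299     IN      TXT     "v=spf1 mx a ip4:8.8.8.8/24 a:nasikakwok include:domainengkau -all"\n'
)

MAGICS = {b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"\x1f\x8b": "gzip"}

def txt_records(dig_output):
    """Join the quoted <character-string>s of each TXT answer; DNS splits them at 255 bytes."""
    return ["".join(re.findall(r'"([^"]*)"', line))
            for line in dig_output.splitlines() if re.search(r"\sIN\s+TXT\s", line)]

def decode_if_base64(record):
    """Return decoded bytes when the record is a plausible base64 payload, else None (e.g. SPF)."""
    if len(record) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", record):
        return None
    try:  # tolerate dropped '=' padding; a length of 1 mod 4 is still rejected by validate=True
        return base64.b64decode(record + "=" * (-len(record) % 4), validate=True)
    except binascii.Error:
        return None

def identify(blob):
    """Classify a blob by its leading magic bytes."""
    return next((name for magic, name in MAGICS.items() if blob.startswith(magic)), "unknown")

def parse_7z_header(blob):
    """Read the 32-byte 7z signature header: version plus offset/size of the packed 'next header'."""
    if identify(blob) != "7z" or len(blob) < 32:
        return None
    next_off, next_size, _next_crc = struct.unpack_from("<QQI", blob, 12)
    return {"version": (blob[6], blob[7]), "next_header_offset": next_off,
            "next_header_size": next_size, "size_consistent": len(blob) == 32 + next_off + next_size}

def hidden_payloads(dig_output):
    """Return (file type, decoded bytes) for every TXT record that decodes as base64."""
    found = []
    for rec in txt_records(dig_output):
        blob = decode_if_base64(rec)
        if blob is not None:
            found.append((identify(blob), blob))
    return found
```

Writing `hidden_payloads(DIG_TXT)[0][1]` to disk gives the same ayam2.7z the writeup built by hand, and `parse_7z_header` tells you whether the decoded length matches what the header claims before you bother opening it.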


Tried opening the file; it's password protected! Duh!


I tried all possible passwords but that's not it, so I went to the main domain, which was a GitLab community site. After poking around, I found one repository called username/flag, but still failed.

Other than that, I got the original IP of the website, which was behind Cloudflare, if you ping it directly.

Doing some port scanning of the IP just got some closed ports on SSH and FTP, if I'm not mistaken.
So all was blank to me.

Maybe some of you that got it can tell me how to get the password; much appreciated! :D

UPDATE!

It seems that someone has solved this question [POC]; the zip file needs to be cracked using the rockyou wordlist!
Maybe no luck for me. So after the password was found, you will get the flag.

[Writeup] KPMG 2016 - re1 Poland

Here is some explanation of re1_4830bb9eb4ec526e999df30852e3cb9f.exe from the KPMG Security Challenge 2016.
Basically re1 and re2 use a very similar algorithm, which:
- gets 32 characters
- compares them part by part (8 characters each)
- checks the full flag in the last part

I will not explain in detail because it is not a complex algorithm.


Here you can see it comparing ECX with 0x20, which means it wants 32 characters to proceed.

So we enter 32 characters at the prompt, press ENTER, then observe it in the debugger.

When you reach here you can see in the registers:
ECX -> password
EAX -> our input

So you get one part of the password; step until you find all 4 parts of the password.


Here you get your full flag if all 4 part checks pass.

Test it to confirm your flag.

7h15 15 4n 345y 0n3!
Please enter the Flag:
42*am1*G50L[=H33~g=%a11Bq27KOO2a
Congratulations! It is correct... The flag is KPMG{42*am1*G50L[=H33~g=%a11Bq27KOO2a}


That's all.

[Writeup] KPMG 2016 - guess_my_password congo

Here is some explanation of guess_my_password.exe from the KPMG Security Challenge 2016.

So it's PE64.

It looks like a base64 string. I tried decoding it and got nothing, so let's dive into the code again.

After some time I found it is a custom base64 with the alphabet

0123456789qazwsxedcrfvtgbyhnujmikolpPOLIKUJMYHNTGBRFVEDCWSXQAZ+/

I found this website HERE, pasted the custom alphabet and decoded the string back, and you get the flag:
KPMG{th!5_is_to0_5impL3_RE}
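The same custom-alphabet decoding done locally instead of on a website, as an added example (not code from the binary or the writeup): each symbol of the recovered alphabet is mapped onto the standard symbol at the same index, after which the stock decoder does the rest. The encoded string from the binary is not on this page, so the flag above is round-tripped through the custom encoder to produce a sample.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# The custom alphabet recovered from guess_my_password.exe in the writeup above
CUSTOM_ALPHABET = "0123456789qazwsxedcrfvtgbyhnujmikolpPOLIKUJMYHNTGBRFVEDCWSXQAZ+/"

def alphabet_is_usable(alphabet):
    """A custom table only works if it is a permutation of 64 distinct symbols and does not use '='."""
    return len(alphabet) == 64 and len(set(alphabet)) == 64 and "=" not in alphabet

def custom_b64decode(encoded, alphabet=CUSTOM_ALPHABET):
    """Map each custom symbol onto the standard one at the same index, then use the stock decoder."""
    return base64.b64decode(encoded.translate(str.maketrans(alphabet, STD_ALPHABET)))

def custom_b64encode(data, alphabet=CUSTOM_ALPHABET):
    """Inverse of custom_b64decode; rebuilds the kind of string the binary compares against."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_ALPHABET, alphabet))

def standard_decode_misses(encoded, marker=b"KPMG{"):
    """Why plain decoding 'gets nothing': the same symbols decode to unrelated bytes."""
    try:
        return not base64.b64decode(encoded).startswith(marker)
    except ValueError:  # binascii.Error is a ValueError; a padding failure also counts as a miss
        return True

# Constructed sample: what the binary's string would look like for the flag from the writeup
SAMPLE = custom_b64encode(b"KPMG{th!5_is_to0_5impL3_RE}")
```

Running `custom_b64decode(SAMPLE)` returns the flag, while `standard_decode_misses(SAMPLE)` is True, which is exactly the "decoded it and got nothing" dead end above.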

[Writeup] KPMG 2016 - re2 Japan

Here is some explanation of re2_8dbeee84fa0ec05fadda075508c13be0.exe from the KPMG Security Challenge 2016. I didn't manage to solve it on the competition day, unlucky me.

So it's packed with UPX; easy, right? Just unpack it.
OK, successfully unpacked, no worries. Try running it.
Oh no! Stopped working. Try loading it in IDA to see if we find something in it.

Looks like we see something like when we run the original binary. From here you can get the algorithm, which compares part by part from memory with our input.
We can also see that our input is processed and checked to match a 32-char string; if not, you get the sayonara.

So the trick is either manually unpacking the UPX or attaching it to the debugger to get the answer from memory. My way is attaching to the binary: run it first, then attach.
Run it, put a 32-char string in the input, attach the debugger, then press enter and observe it in the debugger.


Bear in mind, this binary has several anti-debug tricks, like IsDebuggerPresent; just patch it or use a plugin.

You need to step until you find the re2 module, as I circled in red; then you can see the original code. You can dump the code and rebuild the PE file, or just debug the code.

It compares the first 8 chars one by one.

Here we can see the registers which compare our first 8 chars with the first 8 chars of the flag. Just copy and edit our input to the same one and you're good to go for another part of the flag; keep doing it until you get the whole flag.

The binary checks again at the last part to make sure you did not edit the input during debugging; just skip it or edit the input in memory.

Try it with the whole flag and then you get the flag!

Congratulations! It is correct... The flag is KPMG{S`/C&0^X3660rkv,5wJ+Ce@(fa-s*m9f}

EDIT: Thanks to master jani for pointing out to remove ASLR before doing "upx -d" to prevent crashes after unpacking.
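An added example (not the challenge binaries' code) modelling the checker that both re1 and re2 above share: a Python model of the four 8-char compares plus the final whole-flag check, the step-and-fix recovery the writeups describe, and a hardened variant that compares only a digest so that no fragment of the flag ever sits in ECX for a debugger to read. The re1 flag from above is used as the assumed secret; the hashed variant is my contrast, not something the binaries do.

```python
import hashlib
import hmac

FLAG = "42*am1*G50L[=H33~g=%a11Bq27KOO2a"  # re1's inner flag from the writeup above
CHUNK = 8

def check_chunked(candidate, trace=None):
    """Model of the re1/re2 checker: 32 chars, four 8-char compares, then a whole-flag compare."""
    if len(candidate) != 0x20:                       # the 'cmp ecx, 0x20' seen in the disassembly
        return "need 32 characters"
    for i in range(0, 32, CHUNK):
        expected, got = FLAG[i:i + CHUNK], candidate[i:i + CHUNK]
        if trace is not None:                        # what ECX/EAX hold at the compare
            trace.append((i, expected, got))
        if expected != got:
            return "wrong"
    return "correct" if candidate == FLAG else "wrong"   # last check catches a patched input

def recover_by_stepping(check):
    """The writeups' method: per run, read the failing compare's expected chunk and fix the input."""
    guess = "A" * 32
    for i in range(0, 32, CHUNK):
        trace = []
        check(guess, trace)
        _, expected, _ = trace[-1]                   # the last compare executed is the failing one
        guess = guess[:i] + expected + guess[i + CHUNK:]
    return guess

FLAG_DIGEST = hashlib.sha256(FLAG.encode()).hexdigest()  # what a hardened binary would ship instead

def check_hashed(candidate, trace=None):
    """Hardened variant: only a digest is stored and compared, so no flag chunk is ever in a register."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    if trace is not None:
        trace.append(("digest", FLAG_DIGEST, digest))
    return "correct" if hmac.compare_digest(digest, FLAG_DIGEST) else "wrong"

def leaks_flag_material(check):
    """True when a wrong 32-char input makes the checker expose a substring of the flag."""
    trace = []
    check("A" * 32, trace)
    return any(expected in FLAG for _, expected, _ in trace)
```

`recover_by_stepping(check_chunked)` returns the flag in four runs, exactly like stepping over each compare in the debugger, while `leaks_flag_material(check_hashed)` is False because the only value ever compared is a SHA-256 hex digest.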