Sekai Bank

Challenge Description

Hi, I heard my friend has registered herself for a new bank account! I wonder if the bank system will be secure (I managed to get the program and encrypted account details, but something seems to be missing...)

After decrypting the json file, simply login with the following details: 
Username: Mizuki Password: sadge

Solution

The following 2 files were provided for the challenge:

bank.json contains nothing but seemingly random bytes, which suggests that it is encrypted:

banky, on the other hand, is an x86-64 ELF executable:

When the executable is first run, the following error is shown:

As there is nothing else to look at, it's time to disassemble the file!

Disassembling bank

Here I will be using Cutter, a free reverse engineering tool built on top of radare2 (current versions use its fork, Rizin). Feel free to use any other disassembler or debugger, such as IDA, to disassemble the executable. I used the aaaa analysis level.

First the entry point is disassembled, which shows that __libc_start_main is being called with the main function passed as its first argument:

From here we can access main, which is at 0x6aa0!

Here the auto analysis has named a function sub.bank.json (after the "bank.json" string it references), and main calls it before printing what looks like the main menu. Perhaps it does something to the JSON file before showing the main menu?

JSON File Decryption:

The following is the disassembly for the start of sub.bank.json_5ad0:

The program attempts to open the file with fopen, exiting if that fails.

If successful, the program computes the size of the file, stores it in file_size, and allocates a buffer of that size with:

From there it jumps to another subroutine, sub.fread_5c0b, as named by Cutter:

When decompiled, it shows that the fread is being used to read from the file into the buffer created:

After the file is read, a suspicious subroutine, secret_key_35750, is called with a reference (a pointer to an output buffer) passed into it. This reference is then passed into EVP_CIPHER_CTX_new_35a50; EVP is the high-level interface provided by the OpenSSL library for cryptographic operations. The buffer and the file size are also passed into this subroutine, which makes it plausible that decryption takes place here. A quick look into the function confirms this:

Here it initialises the cipher context and uses AES in CBC mode with a 256-bit key taken from param_1 and the IV stored at 0x3dc80. The cipher is then used to decrypt the buffer in param_4. This means that bank.json is decrypted here, and the key is produced by secret_key_35750!

Getting the key:

The following is the decompilation of secret_key_35750:

Here the program tries to open secret.key and exits if that fails, which is why the program crashed earlier: secret.key was not supplied with the challenge files.

It reads 2 bytes from secret.key. The first byte is run through one function 16 times and the second byte through another function 16 times (both are shown below); the results are written into a 32-byte buffer whose address was passed in param_1, and that buffer becomes the AES-256 key used for decryption.

These two functions take an integer and run it through a hash-like transformation. The details of the transformation do not matter: the entire 32-byte key is derived from only 2 bytes of input, so there are at most 65536 possible keys, which makes it brute-forceable!

Here is the bruteforce script:

It iterates over 0 to 65535, the largest value 2 bytes can hold, writes each candidate to secret.key as 2 raw bytes, and runs the program. Once the key is correct, the main menu should appear instead of "An error occured".
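The following is an added example of such a brute-force driver, written for this page rather than being the writeup's original script. It assumes the binary is at ./banky in the current directory, that it reads secret.key from the working directory (as the writeup shows), and that a failed decryption is signalled by the "An error occured" text quoted above; all three are labelled assumptions in the code. It collects every candidate that does not trigger the error rather than stopping at the first one, because a wrong AES-CBC key survives OpenSSL's default PKCS#7 padding check roughly once in 256 tries, so a handful of false positives among 65536 candidates is expected and each hit should be confirmed by logging in with the given credentials.

```python
#!/usr/bin/env python3
"""Brute-force the 2-byte secret.key consumed by the challenge binary.

Added example for this writeup, not the author's original script.
Assumptions (not taken from the page):
  BINARY       - the challenge executable is ./banky in the working directory
  ERROR_MARKER - the text printed when decryption fails; the writeup only
                 quotes "An error occured", so that is what is matched
"""
import subprocess
from typing import Callable, List

BINARY = "./banky"                    # assumption: binary in the cwd
KEY_FILE = "secret.key"               # from the writeup: the name fopen()ed
ERROR_MARKER = b"An error occured"    # from the writeup's error screenshot


def candidate_bytes(n: int) -> bytes:
    """Encode candidate 0..65535 as the 2 raw bytes the binary reads."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("secret.key is 2 bytes, so candidates are 0..65535")
    # Byte order is irrelevant for an exhaustive search: every pair of byte
    # values is produced exactly once whichever order is chosen.
    return n.to_bytes(2, "little")


def run_binary(key: bytes) -> bytes:
    """Write one candidate key to secret.key and run the program once."""
    with open(KEY_FILE, "wb") as f:
        f.write(key)
    try:
        proc = subprocess.run([BINARY], input=b"", capture_output=True, timeout=5)
        return (proc.stdout or b"") + (proc.stderr or b"")
    except subprocess.TimeoutExpired as e:
        # A run that hangs waiting for menu input never took the error path;
        # keep whatever it managed to print so the caller can inspect it.
        return (e.stdout or b"") + (e.stderr or b"")


def looks_decrypted(output: bytes) -> bool:
    """Heuristic from the writeup: success means the error text is absent."""
    return ERROR_MARKER not in output


def brute_force(runner: Callable[[bytes], bytes] = run_binary,
                limit: int = 0x10000) -> List[bytes]:
    """Return every 2-byte key for which the program does not report an error.

    All hits are kept: with CBC and OpenSSL's default PKCS#7 padding a wrong
    key passes the padding check about 1 time in 256, so expect a few false
    positives among 65536 candidates and verify each hit by logging in.
    """
    hits = []
    for n in range(limit):
        key = candidate_bytes(n)
        if looks_decrypted(runner(key)):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for hit in brute_force():
        print("candidate key:", hit.hex())
```

Run it from the directory that holds banky and bank.json; it rewrites secret.key on every iteration and prints the hex of each candidate that gets past the error check. If several candidates are printed, the real key is the one that also lets Mizuki log in.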

Yayyy, the key is obtained:

With the credentials provided in the description, the flag can be obtained:

Flag:
