Ostrich Lab - CTF Write Ups

Clock Out - Meta CTF

2024-06-24

Author: Morgen Malinoski

Description

I'm trying to crack this timecard software so I can illegally use it for free. Pls Help!

Notes

The program asks for a Product Key. This will likely be the flag itself. It prints out nothing if you enter a random string.

However, I put in the flag from another challenge and it printed out a different message. This means it likely has a string input length check.

Anyways, I opened it in IDA using cat | ./ida64 so that I can input into stdin. We can see where the program is reading the product key in main.

After checking that the length of the input is equal to 22, it calls another function, passing the input string as an argument.

I renamed that function key_check for simplicity. A quick glance at the pseudocode shows that it calls some SHA256-related functions from OpenSSL. objdump -T clock_out shows that it imports those functions from OpenSSL 3.0.

On further examination, the code is looping through each character of the input string, taking the SHA256 sum of it, and comparing it against an array of SHA256 sums. I put a breakpoint in this function and stepped through to quickly see what it was doing.

When it compares each shasum, it only compares the first 8 bytes of it.

So my idea is to compute the sha256 sum of each printable character, then use that information to crack the product key after dumping the data from IDA.

I dumped the shasums data from IDA using the export function. I saved it to a text file. The data itself is as follows:

08F271883F79BB7BE3B98A4DCA9781126B23C0D5E632B709F67AB10A021FB596E3B98A4DDE7D1B7262C66A7A3F79BB7B3973E02262B67E1FE3B98A4D62C66A7AD2E2ADF7AAA9402665C74C150BFE935E454349E4D10B36AA

Next, I began writing a Python program which computes the shasum of all printable characters and saves that in a dictionary. After writing that, I added code which reads the file, splits it up into chunks of 8 (since that's the size of the sums), and gets the decoded value from the dictionary. The code is shown below:

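import string
import hashlib

# Read the hex dump exported from IDA and split it into 8-character chunks,
# one truncated SHA-256 prefix per product key character.
to_crack = []
with open("shasums.txt", 'r') as f:
    # Strip trailing whitespace so a newline or empty remainder does not
    # become a bogus chunk that is missing from the lookup table.
    s = f.read().strip()
    for i in range(0, len(s), 8):
        a = s[i:i + 8]
        print(a)
        to_crack.append(a)

# Lookup table: uppercase truncated SHA-256 prefix -> printable character.
all_chars = list(string.printable)
rainbow = {}

for c in all_chars:
    sha_2 = hashlib.sha256()
    sha_2.update(c.encode())
    a = sha_2.hexdigest()[:8]
    if c == "M":
        # Sanity check against the first chunk of the dump.
        print(a.upper())
    rainbow[a.upper()] = c

# Decode the key one chunk at a time.
flag = ""
for i in to_crack:
    flag += rainbow[i]
    print(flag)

print(flag)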

Running that gives the flag: MetaCTF{time->tm_hour}
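
Why this check falls so quickly, as an added example that is not part of the original write-up or the challenge binary: it rebuilds the per-character scheme described above next to a whole-key comparison, and counts the work each leaves to a guesser. All function names, the sample key, the salt and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import string

PREFIX_HEX = 8  # hex digits kept per character, matching the 8-character chunks above

def weak_table(key):
    """Reconstruction of the stored data: one truncated SHA-256 per character."""
    return [hashlib.sha256(ch.encode()).hexdigest()[:PREFIX_HEX].upper() for ch in key]

def weak_check(candidate, table):
    """Per-character comparison, as the write-up describes key_check doing."""
    return len(candidate) == len(table) and weak_table(candidate) == table

def recover(table, alphabet=string.printable):
    """Invert the weak table; returns (key, number of hashes computed)."""
    lookup = {}
    for ch in alphabet:
        prefix = hashlib.sha256(ch.encode()).hexdigest()[:PREFIX_HEX].upper()
        if prefix in lookup:
            # Two characters sharing a truncated prefix would make decoding ambiguous.
            raise ValueError(f"ambiguous prefix {prefix}")
        lookup[prefix] = ch
    return "".join(lookup[p] for p in table), len(alphabet)

def strong_record(key, salt):
    """Assumed alternative: one slow, salted hash over the whole key."""
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 100_000)

def strong_check(candidate, salt, record):
    """Constant-time comparison of the whole-key hash."""
    return hmac.compare_digest(strong_record(candidate, salt), record)

SAMPLE_KEY = "DEMO-KEY{constructed}!"  # constructed 22-character sample, not the flag
SALT = b"constructed-salt"             # constructed value for the example

if __name__ == "__main__":
    table = weak_table(SAMPLE_KEY)
    key, cost = recover(table)
    print(f"per-character table: {key!r} recovered with {cost} hashes")
    record = strong_record(SAMPLE_KEY, SALT)
    print("whole-key record accepts it:", strong_check(key, SALT, record))
    # Without a per-position leak, every position multiplies the search space.
    print("whole-key search space:", len(string.printable) ** len(SAMPLE_KEY))
```

The whole-key form only removes the per-position leak; a key or hash shipped inside a binary can still be read or patched out by anyone who has the file.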