warmup/txt-message
- Author: nalo_
- Category: warmup
This challenge states that there is something to see in the DNS records of the site's domain. The most common way to put information inside DNS records (service information, domain-ownership checks and so on) is to store it as a TXT record.
By using a website to check the TXT records of the domain, we can see there is one entry:
| Type | Domain Name | TTL | Record |
|---|---|---|---|
| TXT | ctf.games | 4 hrs | "146 154 141 147 173 061 064 145 060 067 062 146 067 060 065 144 064 065 070 070 062 064 060 061 144 061 064 061 143 065 066 062 146 144 143 060 142 175" |
That is definitely not something we find in usual DNS records.
The challenge description says that one of the records (the TXT) is odd. The first two characters of that word link to the Wikipedia page of od, the Linux command whose name stands for "octal dump". So the DNS record must be octal!
Going to CyberChef and decoding from octal, we find the flag.
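The same decoding done offline in Python, as an added example that is not part of the original writeup. The record string is the one from the table above; the `looks_like_octal_dump` check is a small heuristic of my own for spotting `od -b` style payloads in TXT records before trying to decode them.

```python
# Added example (not from the original writeup): decode the octal-encoded TXT record
# the way `od -b` printed the bytes, after checking the record really looks like octal.

# The TXT record exactly as shown in the table above.
TXT_RECORD = (
    '"146 154 141 147 173 061 064 145 060 067 062 146 067 060 065 144 064 065 '
    '070 070 062 064 060 061 144 061 064 061 143 065 066 062 146 144 143 060 142 175"'
)


def looks_like_octal_dump(record: str) -> bool:
    """True if every whitespace-separated token is 1-3 octal digits encoding one byte (< 0o400)."""
    tokens = record.strip().strip('"').split()
    if not tokens:
        return False
    return all(
        1 <= len(tok) <= 3
        and all(c in "01234567" for c in tok)
        and int(tok, 8) < 256
        for tok in tokens
    )


def decode_octal_txt(record: str) -> str:
    """Turn od-style octal byte values back into text (Latin-1 maps every byte value)."""
    if not looks_like_octal_dump(record):
        raise ValueError("record is not a list of octal byte values")
    data = bytes(int(tok, 8) for tok in record.strip().strip('"').split())
    return data.decode("latin-1")


if __name__ == "__main__":
    print(decode_octal_txt(TXT_RECORD))
```

The check rejects ordinary TXT payloads such as an SPF policy (`v=spf1 ...`), which is what you want if you run this over a whole zone's records rather than a single known-interesting one.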
warmup/discount-programming-devices
- Authors: Izunksn, nalo_
- Category: warmup
The Python program we are given is quite unreadable. We can see there is an exec call fed by a string of characters. Let's decompose the steps.

The first line defines a lambda function that takes a string as parameter and applies reverse -> base64 decode -> zlib decompress:

```python
_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]))
```

We can rewrite it more readably as follows:

```python
from zlib import decompress
from base64 import b64decode

def deobfuscate(obf):
    reverse = obf[::-1]        # Reverses the string
    b64 = b64decode(reverse)   # Base64 decode
    decomp = decompress(b64)   # zlib decompress
    return decomp
```

If we run the function with the string b'==gP54lIP4...' as parameter, we deobfuscate it! But the result is… something that looks just the same.
In fact, it is a recursive obfuscation: deobfuscating the string yields yet another obfuscated string to deobfuscate, and this repeats many times.
We can write a script that automatically repeats this process for us while making sure nothing dangerous is run by the final exec... or we can just run the program.
Yes, in fact, this "malware" does absolutely nothing harmful. If we run the code as given, it deobfuscates itself and prints the flag!
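The "script that repeats the process" route, as an added example that is not the challenge's own code: it peels every layer with the reverse/base64/zlib primitive and a regex, so the inner payload is recovered without ever calling exec. Because the page only shows a truncated sample (`b'==gP54lIP4...'`), the block builds its own multi-layer sample from a harmless inner script; the exact `exec((_)(b'...'))` layout of each layer is an assumption about the challenge file, and `obfuscate`, `build_sample` and `peel` are my names.

```python
# Added example (not the challenge's code): peel nested reverse/base64/zlib layers
# statically, never executing the payload, and report how many layers there were.
import base64
import re
import zlib


def deobfuscate(obf: bytes) -> bytes:
    """The challenge's primitive: reverse -> base64 decode -> zlib decompress."""
    return zlib.decompress(base64.b64decode(obf[::-1]))


def obfuscate(plain: bytes) -> bytes:
    """Inverse of deobfuscate; only used here to construct a sample (not in the challenge)."""
    return base64.b64encode(zlib.compress(plain))[::-1]


# Assumed layout of one layer of the obfuscated file (constructed stand-in for the real one).
LAYER_TEMPLATE = (
    "_ = lambda __ : __import__('zlib').decompress("
    "__import__('base64').b64decode(__[::-1]))\n"
    "exec((_)(b'{payload}'))"
)

# Matches the byte-string literal handed to exec in that layout; the reversed base64
# text still uses only the base64 alphabet, so the character class is unchanged.
PAYLOAD_RE = re.compile(rb"exec\(\(_\)\(b'([A-Za-z0-9+/=]+)'\)\)")


def build_sample(inner: str, layers: int) -> str:
    """Wrap `inner` in `layers` obfuscation layers (constructed test data)."""
    src = inner
    for _ in range(layers):
        src = LAYER_TEMPLATE.format(payload=obfuscate(src.encode()).decode())
    return src


def peel(src: bytes, max_layers: int = 1000):
    """Strip layers until no exec payload remains; returns (final_source, layer_count)."""
    layers = 0
    while True:
        match = PAYLOAD_RE.search(src)
        if not match:
            return src, layers
        src = deobfuscate(match.group(1))
        layers += 1
        if layers > max_layers:
            raise RuntimeError("too many layers; refusing to continue")


if __name__ == "__main__":
    sample = build_sample("print('flag{constructed-sample}')", 5).encode()
    final, count = peel(sample)
    print(f"{count} layers removed; inner script:\n{final.decode()}")
```

Reading the innermost script this way, instead of letting the file run, is what lets you confirm the claim above (that the program does nothing beyond printing the flag) before trusting it; the `max_layers` cap guards against a payload engineered to keep the peeler looping.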