RE Series #9: HTB Headache2

Before we start, this will probably be the last RE Series from HTB, as I’ve completed almost all of the RE challenges on HTB. Almost, because some of them have trouble running on my machine, and I’m honestly too lazy to fix broken challenges. I’ll probably now pivot towards analyzing real-life malware, and hopefully what I’ve learned here will be relevant!

Although this challenge is rated Insane, it is really just very tedious.

The file we get is a data file and cannot be executed. However, running “binwalk” on it shows that another file is embedded within. We can extract it with “binwalk -e headache2”.

When we try to run the extracted binary, it consistently crashes with a segmentation fault. Let’s open it in Ghidra and see what is running under the hood.

Static Analysis with Ghidra

Opening the file in Ghidra, we see that it calls several functions, but we are going to skip all of that and jump straight to the bottom, where several variables are initialized and there is a switch statement.

Depending on which string was entered, it XORs the variables with a different single-byte key.

For example, in this instance, if the string was “ateam”, it would XOR the variables with 0x7C.

We copy the entire chunk of data and paste it into CyberChef:

5d6836707940564a
67515d7b4f5d7133
000000006b36726c
0000000000007f23
301b0c17142d3b27
5b1a1b0c2e301c26
301b5f2130360303
5f5f28301b5b073b
0000000000004e0b
0000000000000012
1f40731f576e7864
4265735f5e1f5858
411862731f447873
510d6e59406f731f
230b0b3d073e2834
122f23521213113f
2343121d1f0f0b13
1a12352343081f04
171f1d361f192f13
4304130e0c112343
192b23430e171623
0a1913140b501010
3d23094c05230e19
230913255252190e
55514718481e232e
1c283204261f0915
2e3831382e08382f
00000000207c022e
1308041220190f13
0f1a0c041f170e14
12090f1a16041318
7a15121a1c1a0403
0000000000000026

Values that Ghidra shows as shorter than 8 bytes are padded with leading zeros, so that every line is one full 64-bit word.

At first we get something like this, and we see some strings that look like they have been reversed. That is because Ghidra prints each 64-bit value big-endian while the bytes sit in memory little-endian.

We swap the endianness of each 8-byte word, and the decoded text now shows up:

I am bad??

This is a decoy, not the real flag.

Since there are so many XOR branches, let’s brute-force the single-byte key instead and extract all possible flags.

Since there are 560 characters to decode, we set the sample length to 560 so that the characters at the tail end are also shown after the XOR.

We copy the entire output, paste it into a text editor, and search for HTB{.

Among the many decoy flags, the first match is the right one, after deleting all the dots (CyberChef prints non-printable bytes as dots).
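The same procedure, done without CyberChef, as an added example that is not part of the original write-up: it reverses each Ghidra qword into memory order, tries all 256 single-byte XOR keys (covering every branch of the switch at once), and pulls out whichever candidate contains HTB{. The dump lines it runs on are a constructed sample, not the challenge data; the made-up flag is XORed with 0x7C, the key the write-up shows for the “ateam” branch, and the function and variable names are my own.

```python
"""
Undo a single-byte XOR over a Ghidra 64-bit dump and brute-force the key.

Assumptions (not from the challenge): each dump line is one 64-bit value as
Ghidra prints it (big-endian text of a little-endian word), short values are
zero-padded on the left, and the flag starts with "HTB{".
"""
import string

# Bytes we print as-is; everything else becomes '.' like CyberChef's output.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_single_byte(data, key):
    """XOR every byte with the same key byte."""
    return bytes(b ^ key for b in data)


def qwords_to_bytes(hex_lines):
    """Reverse each 8-byte word so the bytes come out in memory order."""
    out = bytearray()
    for line in hex_lines:
        line = line.strip()
        if not line:
            continue
        out += bytes.fromhex(line.rjust(16, "0"))[::-1]
    return bytes(out)


def bytes_to_qwords(data, key=0):
    """Inverse transform (XOR, then dump as Ghidra-style words).
    Only used here to build the constructed sample below."""
    enc = xor_single_byte(data, key)
    enc += b"\x00" * (-len(enc) % 8)  # unused tail bytes are zero in the dump
    return [enc[i:i + 8][::-1].hex() for i in range(0, len(enc), 8)]


def printable(data):
    """Render bytes the way CyberChef shows brute-force samples."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def brute_force(hex_lines, marker=b"HTB{"):
    """Try all 256 keys; return (key, plaintext) for every key where the marker appears."""
    data = qwords_to_bytes(hex_lines)
    hits = []
    for key in range(256):
        plain = xor_single_byte(data, key)
        if marker in plain:
            hits.append((key, plain))
    return hits


def extract_flag(plain, marker=b"HTB{"):
    """Cut one flag out of a candidate plaintext: marker up to the closing brace."""
    start = plain.index(marker)
    end = plain.index(b"}", start) + 1
    return plain[start:end].decode()


# Constructed sample: a made-up flag XORed with 0x7C, dumped as Ghidra would show it.
SAMPLE_LINES = bytes_to_qwords(b"HTB{constructed_sample}", key=0x7C)

if __name__ == "__main__":
    for key, plain in brute_force(SAMPLE_LINES):
        print(f"key=0x{key:02x}  {printable(plain)}")
        print("flag:", extract_flag(plain))
```

To run it on the real dump, paste the 53 lines above into a list and pass that to brute_force instead of SAMPLE_LINES; the zero padding that Ghidra leaves in unused tail bytes turns into the key byte after the XOR, which is why the decoded candidates carry trailing junk that needs trimming.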
