Tuesday , October 17 2017

Easy Way to Bypass Cracking the Perimeter Registration Challenge

Cracking the Perimeter is a very interesting course provided by Offensive Security; for more detail see http://www.offensive-security.com/information-security-training/cracking-the-perimeter/.
Before registration you must solve a challenge provided at http://www.fc4.me.
Here is the challenge:

The “Cracking the Perimeter” Online course is not an introductory security course. Many pre-requisites are required, such as good familiarity with Ollydbg, and a general mastery of offensive network security techniques.

This is a two stage registration Challenge:

Stage 1: You must bypass the registration form by inserting the correct Security String.
Stage 2: Once you have the security string, you will need to go through an additional step in order to extract your final Code and Registration key, which will be used in the CTP registration form on the offsec website.

Use of automated scanners will result in a 3 minute block from the website. No exploitation or vulnerability scanning is required to bypass the form. Use the source Luke!

First Challenge

Bypassing the first challenge is very easy: all you need to do is modify the source code of www.fc4.me. View the page source; it includes two JavaScript files, 41.js and fc4.js. Save them locally, save the HTML into the same folder, and then modify fc4.js, for example like this:
fc4.js

[js]function fc4me(srvstr) {
    // "\x74\x72\x79\x68\x61\x72\x64\x65\x72" is the string "tryharder";
    // it is prepended to the server string and the result is MD5-hashed
    var data = hexMD5("\x74\x72\x79\x68\x61\x72\x64\x65\x72" + srvstr);
    alert(data);   // pop up the security string instead of submitting the form
    return false;
}[/js]

Then open the HTML in your browser; clicking the submit button pops up the security string:

Then fill the security string into the form and you've done the first challenge.
Second Challenge
The second challenge is pretty easy as well. After you click submit you get a base64 encoded string; this is mine:

Not over yet! You need a Registration Code and a 128 Bytes Registration Key!
If you can't go further, TRY HARDER...

[text]RW1haWw6IGd1ZV9nYW50ZW5nQGdtYWlsLmNvbSAsIFJlZ2lzdHJhdGlvbiBDb2RlOiAxMTQzNCB8IE5vdyBkZWNvZGUgeW91ciBDVFAgU2VjcmV0IEtleSBhbmQgeW91IGFyZSBkb25lISA6I
Fx4MzFceEMwXHg1MFx4NjhceDIwXHg3N1x4NzdceDc0XHg2OFx4NzNceDcxXHg3Nlx4MjBceDY4XHg3N1x4NzJceDIwXHgyM1x4NjhceDc0XHgyNVx4NzVceDc3XHg2OFx4MjRceDc5XHgyNF
x4NzRceDY4XHg3NVx4NzZceDIyXHg3Mlx4NjhceDIyXHgyNFx4NzJceDcyXHg2OFx4MjNceDI0XHg3Mlx4NzJceDY4XHgyMFx4NzRceDc4XHgyNVx4NjhceDcwXHgyMlx4MjdceDI0XHg2OFx
4NzVceDIzXHgyNVx4NzRceDY4XHg3M1x4NzdceDcxXHg3NFx4NjhceDI3XHg3NFx4NzVceDc0XHg2OFx4NzFceDc4XHgyMlx4NzFceDY4XHgyMFx4MjRceDIyXHgyNFx4NjhceDcwXHg3Mlx4
MjdceDIyXHg2OFx4NzRceDc1XHg3OFx4MjRceDY4XHgyM1x4MjVceDc2XHg3MFx4NjhceDc4XHg3Mlx4NzhceDIwXHg2OFx4NzlceDI0XHg3OVx4NzlceDY4XHgyNFx4NzZceDc2XHgyMlx4N
jhceDc0XHg3OVx4NzNceDc1XHg2OFx4MjNceDc2XHg3NFx4NzFceDY4XHg3M1x4NzZceDcyXHg3M1x4NjhceDc2XHg3MFx4NzVceDcyXHg2OFx4MjdceDIzXHgyMlx4MjdceDY4XHgyM1x4Mj
BceDc2XHg3OFx4NjhceDc2XHgyM1x4NzBceDI0XHg2OFx4MjVceDI0XHg3Mlx4MjNceDY4XHg3OVx4NzVceDcwXHg3MVx4NjhceDcyXHg3Nlx4MjRceDc4XHg2OFx4NzFceDI3XHgyNVx4MjJ
ceDU0XHg1RVx4OEJceEZFXHg4Qlx4RDdceEZDXHhCOVx4ODBceDAwXHgwMFx4MDBceEJCXHg0MVx4MDBceDAwXHgwMFx4MzFceEMwXHg1MFx4QUNceDMzXHhDM1x4QUFceEUyXHhGQVx4NTRc
eDVFXHhDQw==[/text]

Decoded string (the backslashes of the \x escapes are restored here; the page rendering had dropped them):

[text]Email: gue_ganteng@gmail.com , Registration Code: 11434 | Now decode your CTP Secret Key and you are done! :
\x31\xC0\x50\x68\x20\x77\x77\x74\x68\x73\x71\x76\x20\x68\x77\x72\x20\x23\x68\x74\x25\x75\x77\x68\x24\x79\x24\x74
\x68\x75\x76\x22\x72\x68\x22\x24\x72\x72\x68\x23\x24\x72\x72\x68\x20\x74\x78\x25\x68\x70\x22\x27\x24\x68\x75\x23
\x25\x74\x68\x73\x77\x71\x74\x68\x27\x74\x75\x74\x68\x71\x78\x22\x71\x68\x20\x24\x22\x24\x68\x70\x72\x27\x22\x68
\x74\x75\x78\x24\x68\x23\x25\x76\x70\x68\x78\x72\x78\x20\x68\x79\x24\x79\x79\x68\x24\x76\x76\x22\x68\x74\x79\x73
\x75\x68\x23\x76\x74\x71\x68\x73\x76\x72\x73\x68\x76\x70\x75\x72\x68\x27\x23\x22\x27\x68\x23\x20\x76\x78\x68\x76
\x23\x70\x24\x68\x25\x24\x72\x23\x68\x79\x75\x70\x71\x68\x72\x76\x24\x78\x68\x71\x27\x25\x22\x54\x5E\x8B\xFE\x8B
\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC[/text]

Dump the shellcode to a file (the perl program must be quoted so the shell passes it through unchanged, and it has to stay on one line, otherwise newlines end up inside the shellcode):

[text]perl -e 'print "\x31\xC0\x50\x68\x20\x77\x77\x74\x68\x73\x71\x76\x20\x68\x77\x72\x20\x23\x68\x74\x25\x75\x77\x68\x24\x79\x24\x74\x68\x75\x76\x22\x72\x68\x22\x24\x72\x72\x68\x23\x24\x72\x72\x68\x20\x74\x78\x25\x68\x70\x22\x27\x24\x68\x75\x23\x25\x74\x68\x73\x77\x71\x74\x68\x27\x74\x75\x74\x68\x71\x78\x22\x71\x68\x20\x24\x22\x24\x68\x70\x72\x27\x22\x68\x74\x75\x78\x24\x68\x23\x25\x76\x70\x68\x78\x72\x78\x20\x68\x79\x24\x79\x79\x68\x24\x76\x76\x22\x68\x74\x79\x73\x75\x68\x23\x76\x74\x71\x68\x73\x76\x72\x73\x68\x76\x70\x75\x72\x68\x27\x23\x22\x27\x68\x23\x20\x76\x78\x68\x76\x23\x70\x24\x68\x25\x24\x72\x23\x68\x79\x75\x70\x71\x68\x72\x76\x24\x78\x68\x71\x27\x25\x22\x54\x5E\x8B\xFE\x8B\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC"' > shellcode[/text]

So from the decoded string we already have our registration code: 11434

Then, use ndisasm to generate assembly code:

[text]ndisasm -b 32 shellcode > shellcode.asm[/text]

For me the generated assembly code is:

[text]00000000 31C0 xor eax,eax
00000002 50 push eax
00000003 6820777774 push dword 0x74777720
00000008 6873717620 push dword 0x20767173
0000000D 6877722023 push dword 0x23207277
00000012 6874257577 push dword 0x77752574
00000017 6824792474 push dword 0x74247924
0000001C 6875762272 push dword 0x72227675
00000021 6822247272 push dword 0x72722422
00000026 6823247272 push dword 0x72722423
0000002B 6820747825 push dword 0x25787420
00000030 6870222724 push dword 0x24272270
00000035 6875232574 push dword 0x74252375
0000003A 6873777174 push dword 0x74717773
0000003F 6827747574 push dword 0x74757427
00000044 6871782271 push dword 0x71227871
00000049 6820242224 push dword 0x24222420
0000004E 6870722722 push dword 0x22277270
00000053 6874757824 push dword 0x24787574
00000058 6823257670 push dword 0x70762523
0000005D 6878727820 push dword 0x20787278
00000062 6879247979 push dword 0x79792479
00000067 6824767622 push dword 0x22767624
0000006C 6874797375 push dword 0x75737974
00000071 6823767471 push dword 0x71747623
00000076 6873767273 push dword 0x73727673
0000007B 6876707572 push dword 0x72757076
00000080 6827232227 push dword 0x27222327
00000085 6823207678 push dword 0x78762023
0000008A 6876237024 push dword 0x24702376
0000008F 6825247223 push dword 0x23722425
00000094 6879757071 push dword 0x71707579
00000099 6872762478 push dword 0x78247672
0000009E 6871272522 push dword 0x22252771
000000A3 54 push esp
000000A4 5E pop esi
000000A5 8BFE mov edi,esi
000000A7 8BD7 mov edx,edi
000000A9 FC cld
000000AA B980000000 mov ecx,0x80
000000AF BB41000000 mov ebx,0x41
000000B4 31C0 xor eax,eax
000000B6 50 push eax
000000B7 AC lodsb
000000B8 33C3 xor eax,ebx
000000BA AA stosb
000000BB E2FA loop 0xb7
000000BD 54 push esp
000000BE 5E pop esi
000000BF CC int3[/text]
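The disassembly above is simple enough to decode without ever running it: the 32 push dword instructions lay a 128-byte buffer on the stack (the last push lands at esp, so memory holds the immediates in reverse push order), and the loop XORs each byte with 0x41 in place. The following Python example is added here and is not part of the original post; it takes the \x-escaped string from the decoded registration response exactly as shown earlier, converts it to bytes like the perl one-liner does, and then recovers the key statically. The instruction-length table is a hand-written assumption that covers only the opcodes this particular stub uses, not a general x86 decoder.

```python
import re
import struct

# The CTP Secret Key blob as it appears on the page after base64-decoding the
# registration response (copied from the page, backslashes of the \x escapes restored).
ESCAPED = (
    r"\x31\xC0\x50\x68\x20\x77\x77\x74\x68\x73\x71\x76\x20\x68\x77\x72\x20\x23\x68\x74\x25\x75\x77\x68\x24\x79\x24\x74"
    r"\x68\x75\x76\x22\x72\x68\x22\x24\x72\x72\x68\x23\x24\x72\x72\x68\x20\x74\x78\x25\x68\x70\x22\x27\x24\x68\x75\x23"
    r"\x25\x74\x68\x73\x77\x71\x74\x68\x27\x74\x75\x74\x68\x71\x78\x22\x71\x68\x20\x24\x22\x24\x68\x70\x72\x27\x22\x68"
    r"\x74\x75\x78\x24\x68\x23\x25\x76\x70\x68\x78\x72\x78\x20\x68\x79\x24\x79\x79\x68\x24\x76\x76\x22\x68\x74\x79\x73"
    r"\x75\x68\x23\x76\x74\x71\x68\x73\x76\x72\x73\x68\x76\x70\x75\x72\x68\x27\x23\x22\x27\x68\x23\x20\x76\x78\x68\x76"
    r"\x23\x70\x24\x68\x25\x24\x72\x23\x68\x79\x75\x70\x71\x68\x72\x76\x24\x78\x68\x71\x27\x25\x22\x54\x5E\x8B\xFE\x8B"
    r"\xD7\xFC\xB9\x80\x00\x00\x00\xBB\x41\x00\x00\x00\x31\xC0\x50\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC"
)

# Hand-written instruction-length table for the opcodes this stub uses
# (an assumption of this example, not a general x86 decoder): opcode -> length.
OPS = {
    0x31: 2, 0x33: 2, 0x8B: 2, 0xE2: 2,                     # xor/mov r,r/m ; loop rel8
    0x50: 1, 0x54: 1, 0x5E: 1, 0xFC: 1, 0xAC: 1, 0xAA: 1, 0xCC: 1,
    0x68: 5, 0xB9: 5, 0xBB: 5,                              # push imm32 ; mov ecx/ebx, imm32
}


def unescape(text):
    """Turn '\\x31\\xC0...' text into raw bytes (what the perl one-liner on the page does)."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text))


def decode_stack_xor(shellcode):
    """Recover the string the stub builds on the stack, without executing it.

    Each 'push dword imm32' stores its 4 immediate bytes to the stack in the same
    little-endian order they are encoded in, and the last push lands at the lowest
    address (esp). So memory holds the immediates in reverse push order; the loop
    then XORs ecx bytes with bl in place.
    """
    pushes, count, key = [], None, None
    i = 0
    while i < len(shellcode):
        op = shellcode[i]
        if op not in OPS:
            raise ValueError("unexpected opcode 0x%02X at offset 0x%X" % (op, i))
        length = OPS[op]
        if length == 5:
            if i + 5 > len(shellcode):
                raise ValueError("truncated imm32 at offset 0x%X" % i)
            imm = shellcode[i + 1:i + 5]
            if op == 0x68:
                pushes.append(imm)                           # raw bytes as they land in memory
            elif op == 0xB9:
                count = struct.unpack("<I", imm)[0]          # mov ecx, imm32: loop counter
            else:
                key = struct.unpack("<I", imm)[0] & 0xFF     # mov ebx, imm32: only bl matters
        i += length
    if count is None or key is None:
        raise ValueError("no mov ecx/ebx, imm32 found: not the expected decoder stub")
    memory = b"".join(reversed(pushes))
    return bytes(b ^ key for b in memory[:count]).decode("ascii")


def recover_key(escaped=ESCAPED):
    """Full pipeline: escaped text -> bytes -> statically decoded secret key."""
    return decode_stack_xor(unescape(escaped))


if __name__ == "__main__":
    print(recover_key())
```

Running the script prints the same 128-character string that the gdb session later shows on the stack; the walk raises on any opcode outside the table, so a different stub fails loudly instead of silently producing garbage.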

Modify the assembly code so it can be assembled as a stand-alone program; here's an example (the comments are added for clarity):

[text]global _start
_start:
xor eax,eax
push eax                  ; zero dword terminates the buffer
push dword 0x74777720     ; 32 dwords of the XOR-encoded key, pushed last-to-first
push dword 0x20767173
push dword 0x23207277
push dword 0x77752574
push dword 0x74247924
push dword 0x72227675
push dword 0x72722422
push dword 0x72722423
push dword 0x25787420
push dword 0x24272270
push dword 0x74252375
push dword 0x74717773
push dword 0x74757427
push dword 0x71227871
push dword 0x24222420
push dword 0x22277270
push dword 0x24787574
push dword 0x70762523
push dword 0x20787278
push dword 0x79792479
push dword 0x22767624
push dword 0x75737974
push dword 0x71747623
push dword 0x73727673
push dword 0x72757076
push dword 0x27222327
push dword 0x78762023
push dword 0x24702376
push dword 0x23722425
push dword 0x71707579
push dword 0x78247672
push dword 0x22252771     ; this one ends up at the lowest address (esp)
push esp
pop esi                   ; esi = start of the encoded buffer
mov edi,esi               ; decode in place
mov edx,edi
cld
mov ecx,0x80              ; 128 bytes to decode
mov ebx,0x41              ; XOR key
xor eax,eax
push eax
dont_user_hardcoded_address_baby:
lodsb                     ; al = [esi++]
xor eax,ebx               ; al ^= 0x41
stosb                     ; [edi++] = al
loop dont_user_hardcoded_address_baby
push esp
pop esi                   ; break here in gdb and dump the stack
int3[/text]

Then assemble with nasm (with -g for debug symbols) and link with ld:

[text]bash-4.2$ nasm -f elf key.asm -g
bash-4.2$ ld -o key key.o[/text]

Debug it with gdb:

At the end of the listing we see int3. int3 is a debugging trap that can be used for anti-debugging, but here you don't need to remove it; just set a breakpoint at line 52 (the final pop esi), so execution stops before the int3 is executed!

[text]bash-4.2$ gdb ./key
GNU gdb (GDB) 7.5
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-slackware-linux".
For bug reporting instructions, please see:

Reading symbols from /home/cr0security/Desktop/crack_ctp/key...done.
(gdb) l
1 global _start
2 _start:
3 xor eax,eax
4 push eax
5 push dword 0x74777720
6 push dword 0x20767173
7 push dword 0x23207277
8 push dword 0x77752574
9 push dword 0x74247924
10 push dword 0x72227675
(gdb) l
11 push dword 0x72722422
12 push dword 0x72722423
13 push dword 0x25787420
14 push dword 0x24272270
15 push dword 0x74252375
16 push dword 0x74717773
17 push dword 0x74757427
18 push dword 0x71227871
19 push dword 0x24222420
20 push dword 0x22277270
(gdb) l
21 push dword 0x24787574
22 push dword 0x70762523
23 push dword 0x20787278
24 push dword 0x79792479
25 push dword 0x22767624
26 push dword 0x75737974
27 push dword 0x71747623
28 push dword 0x73727673
29 push dword 0x72757076
30 push dword 0x27222327
(gdb) l
31 push dword 0x78762023
32 push dword 0x24702376
33 push dword 0x23722425
34 push dword 0x71707579
35 push dword 0x78247672
36 push dword 0x22252771
37 push esp
38 pop esi
39 mov edi,esi
40 mov edx,edi
(gdb) l
41 cld
42 mov ecx,0x80
43 mov ebx,0x41
44 xor eax,eax
45 push eax
46 dont_user_hardcoded_address_baby:
47 lodsb
48 xor eax,ebx
49 stosb
50 loop dont_user_hardcoded_address_baby
(gdb) l
51 push esp
52 pop esi
53 int3
(gdb) l
Line number 54 out of range; key.asm has 53 lines.
(gdb) b 52
Breakpoint 1 at 0x804811e: file key.asm, line 52.
(gdb) run
Starting program: /home/cr0security/Desktop/crack_ctp/key

Breakpoint 1, 0x0804811e in dont_user_hardcoded_address_baby ()
(gdb) x/5s $esp
0xbffff084: "\210ð\377¿"
0xbffff089: ""
0xbffff08a: ""
0xbffff08b: ""
0xbffff08c: "0fdc37e98410de3b7b1eba79fbcf71432732b7505824e77c8e88939abd71549e13fcaece09c0f54526054bd51cfea59dbe33ce3347c3e8e55d4663ab207aa665"[/text]

Then we get our 32 bytes security string, as we can see it on our stack:

[text]0fdc37e98410de3b7b1eba79fbcf71432732b7505824e77c8e88939abd71549e13fcaece09c0f54526054bd51cfea59dbe33ce3347c3e8e55d4663ab207aa665[/text]

And you've done the second challenge!