Wednesday , January 25 2017

Easy Way to Bypass Cracking the Perimeter Registration Challenge

Cracking the Perimeter is a very interesting course provided by Offensive Security; you can find more details at
Before registering you must complete a challenge provided at
Here is the challenge:

The “Cracking the Perimeter” Online course is not an introductory security course. Many pre-requisites are required, such as good familiarity with Ollydbg, and a general mastery of offensive network security techniques.

This is a two stage registration Challenge:

Stage 1: You must bypass the registration form by inserting the correct Security String.
Stage 2: Once you have the security string, you will need to go through an additional step in order to extract your final Code and Registration key, which will be used in the CTP registration form on the offsec website

Use of automated scanners will result in a 3 minute block from the website. No exploitation or vulnerability scanning is required to bypass the form. Use the source Luke!

First Challenge

Bypassing the first challenge is very easy: all you need to do is modify the source code of the challenge page. So, go view the source. In the source code we can see two included JavaScript files, 41.js and fc4.js; save both to a local folder, then save the HTML into the same folder. Next, modify fc4.js, for example like this:

[js]function fc4me(srvstr) {
    // "\x74\x72\x79\x68\x61\x72\x64\x65\x72" is the string "tryharder"; hexMD5() comes from the included 41.js
    var data = hexMD5("\x74\x72\x79\x68\x61\x72\x64\x65\x72" + srvstr);
    alert(data); // display the computed security string instead of submitting the form
    return false;
}[/js]

Then open the HTML in your browser; by clicking the submit button you get the security string:

Then fill in the security string on the form and you've done the first challenge.
Second Challenge
The second challenge is pretty easy. After you click submit you get a base64-encoded string; this is mine:

Not over yet! You need a Registration Code and a 128 Bytes Registration Key!
If you can't go further, TRY HARDER…


Decoded string:

[text]Email: [email protected] , Registration Code: 11434 | Now decode your CTP Secret Key and you are done! :[/text]

Dump the shellcode to a file (the byte string is abbreviated here; the complete sequence can be read from the disassembly below):

[text]perl -e 'print "\x31\xC0\x50\x68\x20\x77\x77\x74\x68\x73\x71\x76\x20\x68\x77\x72\x20\x23\x68\x74\x25\x75\x77\x68\x24\x79\x24\x74
\xAC\x33\xC3\xAA\xE2\xFA\x54\x5E\xCC"' > shellcode[/text]

So we have our registration code: 11434

Then, use ndisasm to generate assembly code:

[text]ndisasm -b 32 shellcode > shellcode.asm[/text]

The generated assembly code is:

[text]00000000 31C0 xor eax,eax
00000002 50 push eax
00000003 6820777774 push dword 0x74777720
00000008 6873717620 push dword 0x20767173
0000000D 6877722023 push dword 0x23207277
00000012 6874257577 push dword 0x77752574
00000017 6824792474 push dword 0x74247924
0000001C 6875762272 push dword 0x72227675
00000021 6822247272 push dword 0x72722422
00000026 6823247272 push dword 0x72722423
0000002B 6820747825 push dword 0x25787420
00000030 6870222724 push dword 0x24272270
00000035 6875232574 push dword 0x74252375
0000003A 6873777174 push dword 0x74717773
0000003F 6827747574 push dword 0x74757427
00000044 6871782271 push dword 0x71227871
00000049 6820242224 push dword 0x24222420
0000004E 6870722722 push dword 0x22277270
00000053 6874757824 push dword 0x24787574
00000058 6823257670 push dword 0x70762523
0000005D 6878727820 push dword 0x20787278
00000062 6879247979 push dword 0x79792479
00000067 6824767622 push dword 0x22767624
0000006C 6874797375 push dword 0x75737974
00000071 6823767471 push dword 0x71747623
00000076 6873767273 push dword 0x73727673
0000007B 6876707572 push dword 0x72757076
00000080 6827232227 push dword 0x27222327
00000085 6823207678 push dword 0x78762023
0000008A 6876237024 push dword 0x24702376
0000008F 6825247223 push dword 0x23722425
00000094 6879757071 push dword 0x71707579
00000099 6872762478 push dword 0x78247672
0000009E 6871272522 push dword 0x22252771
000000A3 54 push esp
000000A4 5E pop esi
000000A5 8BFE mov edi,esi
000000A7 8BD7 mov edx,edi
000000A9 FC cld
000000AA B980000000 mov ecx,0x80
000000AF BB41000000 mov ebx,0x41
000000B4 31C0 xor eax,eax
000000B6 50 push eax
000000B7 AC lodsb
000000B8 33C3 xor eax,ebx
000000BA AA stosb
000000BB E2FA loop 0xb7
000000BD 54 push esp
000000BE 5E pop esi
000000BF CC int3[/text]
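What the decoder stub in the listing does, as an added example that is not from the original post: the 32 `push dword` immediates build a 0x80-byte buffer at ESP (the last push lands at the lowest address, each dword stored little-endian), and the `lodsb` / `xor eax,ebx` / `stosb` loop XORs every byte with 0x41 in place. The Python below redoes that statically, so the key can be recovered without assembling or running the bytes; the dword list is copied from the listing above, and the key and length are taken from the `mov ebx,0x41` and `mov ecx,0x80` instructions.

```python
import struct

# The 32 immediates pushed by the shellcode, in push order (copied from the ndisasm listing).
PUSHED_DWORDS = [
    0x74777720, 0x20767173, 0x23207277, 0x77752574, 0x74247924, 0x72227675, 0x72722422, 0x72722423,
    0x25787420, 0x24272270, 0x74252375, 0x74717773, 0x74757427, 0x71227871, 0x24222420, 0x22277270,
    0x24787574, 0x70762523, 0x20787278, 0x79792479, 0x22767624, 0x75737974, 0x71747623, 0x73727673,
    0x72757076, 0x27222327, 0x78762023, 0x24702376, 0x23722425, 0x71707579, 0x78247672, 0x22252771,
]
XOR_KEY = 0x41      # mov ebx,0x41
DECODE_LEN = 0x80   # mov ecx,0x80 (32 dwords * 4 bytes)


def stack_image(dwords):
    """Reproduce the memory the pushes leave at ESP: the last pushed dword sits at the
    lowest address, so reverse the push order and emit each dword little-endian."""
    return b"".join(struct.pack("<I", d) for d in reversed(dwords))


def xor_decode(buf, key, length):
    """The lodsb / xor eax,ebx / stosb loop: XOR the first `length` bytes with `key`,
    done on a byte string instead of inside a running process."""
    return bytes(b ^ key for b in buf[:length])


def recover_key(dwords=PUSHED_DWORDS, key=XOR_KEY, length=DECODE_LEN):
    """Return the decoded 128-character hex registration key as a string.
    Raises ValueError if the result is not plain hex, which is the quickest sign
    that the wrong key, length or byte order was used."""
    decoded = xor_decode(stack_image(dwords), key, length).decode("ascii")
    if len(decoded) != length or any(c not in "0123456789abcdef" for c in decoded):
        raise ValueError("decoded buffer is not a hex key: %r" % decoded)
    return decoded


if __name__ == "__main__":
    print(recover_key())
```

The result should be identical to what `x/5s $esp` prints in the gdb session further down, which is a useful cross-check that the static decode and the live run agree.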

Modify the assembly code so it can be assembled as a stand-alone program (the hard-coded `loop 0xb7` target becomes a label); here's an example:

[text]global _start
_start:
xor eax,eax
push eax
push dword 0x74777720
push dword 0x20767173
push dword 0x23207277
push dword 0x77752574
push dword 0x74247924
push dword 0x72227675
push dword 0x72722422
push dword 0x72722423
push dword 0x25787420
push dword 0x24272270
push dword 0x74252375
push dword 0x74717773
push dword 0x74757427
push dword 0x71227871
push dword 0x24222420
push dword 0x22277270
push dword 0x24787574
push dword 0x70762523
push dword 0x20787278
push dword 0x79792479
push dword 0x22767624
push dword 0x75737974
push dword 0x71747623
push dword 0x73727673
push dword 0x72757076
push dword 0x27222327
push dword 0x78762023
push dword 0x24702376
push dword 0x23722425
push dword 0x71707579
push dword 0x78247672
push dword 0x22252771
push esp
pop esi
mov edi,esi
mov edx,edi
cld
mov ecx,0x80
mov ebx,0x41
xor eax,eax
push eax
dont_user_hardcoded_address_baby:
lodsb
xor eax,ebx
stosb
loop dont_user_hardcoded_address_baby
push esp
pop esi
int3[/text]

Then assemble it with nasm and link with ld:

[text]bash-4.2$ nasm -f elf key.asm -g
bash-4.2$ ld -o key key.o[/text]

Debug it with gdb:

At the end of the listing we see int3. int3 is a debugging trap that can be used for anti-debugging, but here you don't need to remove it; just set a breakpoint at line 52, before the int3 executes!

[text]bash-4.2$ gdb ./key
GNU gdb (GDB) 7.5
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-slackware-linux".
For bug reporting instructions, please see:

Reading symbols from /home/cr0security/Desktop/crack_ctp/key…done.
(gdb) l
1 global _start
2 _start:
3 xor eax,eax
4 push eax
5 push dword 0x74777720
6 push dword 0x20767173
7 push dword 0x23207277
8 push dword 0x77752574
9 push dword 0x74247924
10 push dword 0x72227675
(gdb) l
11 push dword 0x72722422
12 push dword 0x72722423
13 push dword 0x25787420
14 push dword 0x24272270
15 push dword 0x74252375
16 push dword 0x74717773
17 push dword 0x74757427
18 push dword 0x71227871
19 push dword 0x24222420
20 push dword 0x22277270
(gdb) l
21 push dword 0x24787574
22 push dword 0x70762523
23 push dword 0x20787278
24 push dword 0x79792479
25 push dword 0x22767624
26 push dword 0x75737974
27 push dword 0x71747623
28 push dword 0x73727673
29 push dword 0x72757076
30 push dword 0x27222327
(gdb) l
31 push dword 0x78762023
32 push dword 0x24702376
33 push dword 0x23722425
34 push dword 0x71707579
35 push dword 0x78247672
36 push dword 0x22252771
37 push esp
38 pop esi
39 mov edi,esi
40 mov edx,edi
(gdb) l
41 cld
42 mov ecx,0x80
43 mov ebx,0x41
44 xor eax,eax
45 push eax
46 dont_user_hardcoded_address_baby:
47 lodsb
48 xor eax,ebx
49 stosb
50 loop dont_user_hardcoded_address_baby
(gdb) l
51 push esp
52 pop esi
53 int3
(gdb) l
Line number 54 out of range; key.asm has 53 lines.
(gdb) b 52
Breakpoint 1 at 0x804811e: file key.asm, line 52.
(gdb) run
Starting program: /home/cr0security/Desktop/crack_ctp/key

Breakpoint 1, 0x0804811e in dont_user_hardcoded_address_baby ()
(gdb) x/5s $esp
0xbffff084: "210ð377¿"
0xbffff089: ""
0xbffff08a: ""
0xbffff08b: ""
0xbffff08c: "0fdc37e98410de3b7b1eba79fbcf71432732b7505824e77c8e88939abd71549e13fcaece09c0f54526054bd51cfea59dbe33ce3347c3e8e55d4663ab207aa665"[/text]

Then we get our 32-byte security string, as we can see on the stack:


And you've done the second challenge!