Wide
Challenge Info
We've received reports that Draeger has stashed a huge arsenal in the pocket dimension Flaggle Alpha. You've managed to smuggle a discarded access terminal to the Widely Inflated Dimension Editor from his headquarters, but the entry for the dimension has been encrypted. Can you make it inside and take control?
My Solution
My first thought is that we are going to be dealing with some sort of encryption, but let's unzip the file and see what we are dealing with.
```
$ unzip WIDE.zip
Archive:  WIDE.zip
   creating: rev_wide/
[WIDE.zip] rev_wide/wide password:
  inflating: rev_wide/wide
  inflating: rev_wide/db.ex
$ cd rev_wide/
$ ls
db.ex  wide
```
We see that we are dealing with 2 files:
db.ex
wide
Let's see what these files are:
```
$ file db.ex

db.ex: Matlab v4 mat-file (little endian) , numeric, rows 1835627088, columns 29557

% file wide

wide: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=13869bb7ce2c22f474b95ba21c9d7e9ff74ecc3f, not stripped
```
We see that `db.ex` is some sort of MATLAB file; more interestingly, we see that `wide` is a Linux executable. Let's run `strings` on it and see if we can learn anything quickly.
```
$ strings wide

/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
fopen
<SNIP...>
Which dimension would you like to examine?
That option was invalid.
[X] That entry is encrypted - please enter your WIDE decryption key:
[X] Key was incorrect [X]
Usage: %s db.ex
[*] Welcome user: kr4eq4L2$12xb, to the Widely Inflated Dimension Editor [*]
[*] Serving your pocket dimension storage needs since 14,012.5 B [*]
[x] There was a problem accessing your database [x]
[*] Displaying Dimensions.... [*]
[*] Name | Code | Encrypted [*]
[X] %-16s | %-32s | %6s%c%7s [*]
<SNIP...>
```
Looking through the strings, we see what looks like a menu and the username `kr4eq4L2$12xb`. We also see a reference to `db.ex`, as it looks to be explaining the usage of the script. Apart from this, nothing else seems to be all that interesting in `wide`. Let's do the same thing with `db.ex`.
```
$ strings db.ex

Primus
people breathe variety practice
Our home dimension
Cheagaz
scene control river importance
The Ice Dimension
Byenoovia
fighting cast it parallel
The Berserk Dimension
Cloteprea
facing motor unusual heavy
The Hungry Dimension
Maraqa
stomach motion sale valuable
The Water Dimension
Aidor
feathers stream sides gate
The Bone Dimension
Flaggle Alpha
admin secret power hidden
HOt*
0ANe
```
Looks to just be sentences or words. We still don't know too much about these files. Let's try some dynamic analysis and see how this works before jumping into IDA Pro. I have decided to run the file in an Ubuntu Docker container as it's quick and easy to spin up.
Running `./wide` we get the example usage output that we saw earlier. Let's try running it the way it wants us to.
```
$ ./wide db.ex

[*] Welcome user: kr4eq4L2$12xb, to the Widely Inflated Dimension Editor [*]
[*] Serving your pocket dimension storage needs since 14,012.5 B [*]
[*] Displaying Dimensions.... [*]
[*] Name | Code | Encrypted [*]
[X] Primus | people breathe variety practice | [*]
[X] Cheagaz | scene control river importance | [*]
[X] Byenoovia | fighting cast it parallel | [*]
[X] Cloteprea | facing motor unusual heavy | [*]
[X] Maraqa | stomach motion sale valuable | [*]
[X] Aidor | feathers stream sides gate | [*]
[X] Flaggle Alpha | admin secret power hidden | * [*]
Which dimension would you like to examine? 1
The Ice Dimension
Which dimension would you like to examine? 2
The Berserk Dimension
Which dimension would you like to examine? 3
The Hungry Dimension
Which dimension would you like to examine? 4
The Water Dimension
Which dimension would you like to examine? 5
The Bone Dimension
Which dimension would you like to examine? 6
[X] That entry is encrypted - please enter your WIDE decryption key: password
[X] Key was incorrect [X]
```
We now get a prompt to enter a dimension. I iterate through them, and the one that piques my interest is option 6, as it's now asking for a decryption key. Maybe we can find something if we decompile the binary. Let's open IDA Pro.
This is clearly where the options are displayed: we iterate through each option and the counter `var_20` is incremented after every iteration. Once we reach the value in `var_1C`, presumably the number of options available, we jump to another block where a subroutine called `menu` is called.
Now this is the interesting part of `menu`, as we see the same message that we got when we ran the executable: `That entry is encrypted - please enter your WIDE decryption key:`. We also see, towards the bottom of the block, a call to `wcscmp`. I was not familiar with that C call, but after a quick Google search I found it is a function to compare two wide strings, which are strings with a character size larger than 8 bits. We see that `wcscmp` is comparing the value stored in `s2` to the value stored in the `pwcs` stack variable. Let's see what is stored at the location of `s2`.
We see the declaration of a wide char with `wchar_t s2` followed by a series of strings. IDA Pro is assuming these are normal-size strings, but we now know it's a wide string. Let's tell IDA it's a wide string by clicking on the definition and pressing `Option+a`. The following prompt appears.
If we deselect UTF-8, we can select several other character encodings. Let's go with the largest, `UTF-32LE`. Now this looks really different.
Let's paste the recovered string, `sup3rs3cr3tw1d3`, into the prompt for the decryption key.
```
Which dimension would you like to examine? 6
[X] That entry is encrypted - please enter your WIDE decryption key: sup3rs3cr3tw1d3
HTB{som3_str1ng5_4r3_w1d3}
Which dimension would you like to examine? Our home dimension
Which dimension would you like to examine?
```
YAY!!! it works and reveals the flag.
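The key never showed up in the plain `strings` output because each of its characters occupies four bytes. The script below is an added example, not part of the original write-up: it scans a byte buffer for printable runs stored 1, 2 or 4 bytes per character (GNU `strings` offers the wide modes through `-e l` and `-e L`), which goes one step beyond the UTF-32LE case seen here by also covering UTF-16LE. The function names, the sample bytes and the key `constructed-wide-key` are constructed for illustration.

```python
import re


def scan_strings(data, width=1, min_len=4):
    """Return (offset, text) for runs of printable ASCII stored `width` bytes
    per character, little-endian: 1 = char, 2 = UTF-16LE, 4 = UTF-32LE
    (the layout of wchar_t on Linux)."""
    # One character: a printable byte followed by (width - 1) NUL bytes.
    unit = rb"[\x20-\x7e]" + rb"\x00" * (width - 1)
    pattern = re.compile(rb"(?:" + unit + rb"){" + str(min_len).encode() + rb",}")
    # Every width-th byte of a match is the character itself.
    return [(m.start(), m.group()[::width].decode("ascii"))
            for m in pattern.finditer(data)]


def build_sample():
    """Constructed stand-in for a read-only data section: a short header,
    two narrow C strings, then a NUL-terminated wchar_t literal."""
    header = b"\x7fELF\x02\x01\x01\x00"
    narrow = b"Usage: %s db.ex\x00[X] Key was incorrect [X]\x00"
    wide = "constructed-wide-key".encode("utf-32-le") + b"\x00" * 4
    return header + narrow + wide


def triage(data):
    """Run the scan at every character width and collect the text found."""
    return {width: [text for _, text in scan_strings(data, width)]
            for width in (1, 2, 4)}


if __name__ == "__main__":
    for width, found in triage(build_sample()).items():
        print(f"{width} byte(s) per character: {found}")
```

A secret compiled into a binary is recoverable at any character width, so a comparison against a hardcoded key only hides it from the default `strings` pass.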
Author: Thomas Karbowiak