Wide

Challenge Info

We've received reports that Draeger has stashed a huge arsenal in the pocket dimension Flaggle Alpha. You've managed to smuggle a discarded access terminal to the Widely Inflated Dimension Editor from his headquarters, but the entry for the dimension has been encrypted. Can you make it inside and take control?

My Solution

My first thought is that we are going to be dealing with some sort of encryption, but let's unzip the file and see what we are dealing with.
$ unzip WIDE.zip
Archive:  WIDE.zip
   creating: rev_wide/
[WIDE.zip] rev_wide/wide password: 
  inflating: rev_wide/wide
  inflating: rev_wide/db.ex
$ cd rev_wide/
$ ls
db.ex wide
We see that we are dealing with 2 files:
  • db.ex
  • wide
Let's see what these files are:
% file db.ex
db.ex: Matlab v4 mat-file (little endian) , numeric, rows 1835627088, columns 29557
% file wide
wide: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=13869bb7ce2c22f474b95ba21c9d7e9ff74ecc3f, not stripped
We see that db.ex is some sort of MATLAB file; more interestingly, we see that wide is a Linux executable. Let's run strings on it and see if we can learn anything quickly.
$ strings wide
/lib64/ld-linux-x86-64.so.2
libc.so.6
exit
fopen
<SNIP...>
Which dimension would you like to examine? 
That option was invalid.
[X] That entry is encrypted - please enter your WIDE decryption key: 
[X]                          Key was incorrect                           [X]
Usage: %s db.ex
[*] Welcome user: kr4eq4L2$12xb, to the Widely Inflated Dimension Editor [*]
[*]    Serving your pocket dimension storage needs since 14,012.5 B      [*]
[x] There was a problem accessing your database [x]
[*]                       Displaying Dimensions....                      [*]
[*]       Name       |              Code                |   Encrypted    [*]
[X] %-16s | %-32s | %6s%c%7s [*]
<SNIP...>
Looking through the strings we see what looks like a menu and the username kr4eq4L2$12xb. We also see a reference to db.ex, as it looks to be explaining the usage of the script. Apart from this, nothing else seems to be all that interesting in wide. Let's do the same thing with db.ex:
$ strings db.ex
Primus
people breathe variety practice
Our home dimension
Cheagaz
scene control river importance
The Ice Dimension
Byenoovia
fighting cast it parallel
The Berserk Dimension
Cloteprea
facing motor unusual heavy
The Hungry Dimension
Maraqa
stomach motion sale valuable
The Water Dimension
Aidor
feathers stream sides gate
The Bone Dimension
Flaggle Alpha
admin secret power hidden
HOt*
0ANe
Looks to just be sentences or words. Still don't know too much about these files. Let's try some dynamic analysis and see how this works before jumping into IDA Pro. I have decided to run the file in an Ubuntu Docker container as it's quick and easy to spin up.
Running ./wide we get that example usage output that we saw earlier. Let's try running it the way it wants us to.
$ ./wide db.ex
[*] Welcome user: kr4eq4L2$12xb, to the Widely Inflated Dimension Editor [*]
[*]    Serving your pocket dimension storage needs since 14,012.5 B      [*]
[*]                       Displaying Dimensions....                      [*]
[*]       Name       |              Code                |   Encrypted    [*]
[X] Primus           | people breathe variety practice  |                [*]
[X] Cheagaz          | scene control river importance   |                [*]
[X] Byenoovia        | fighting cast it parallel        |                [*]
[X] Cloteprea        | facing motor unusual heavy       |                [*]
[X] Maraqa           | stomach motion sale valuable     |                [*]
[X] Aidor            | feathers stream sides gate       |                [*]
[X] Flaggle Alpha    | admin secret power hidden        |       *        [*]
Which dimension would you like to examine? 1
The Ice Dimension
Which dimension would you like to examine? 2
The Berserk Dimension
Which dimension would you like to examine? 3
The Hungry Dimension
Which dimension would you like to examine? 4
The Water Dimension
Which dimension would you like to examine? 5
The Bone Dimension
Which dimension would you like to examine? 6
[X] That entry is encrypted - please enter your WIDE decryption key: password
[X]                          Key was incorrect                           [X]
We now get a prompt to enter a dimension. I iterate through them and the one that piques my interest is option 6, as it's now asking for a decryption key. Maybe we can find something if we decompile the binary. Let's open IDA Pro.
This is clearly where the options are displayed: we iterate through each option and the counter var_20 is incremented after every iteration. Once we reach the value in var_1C, presumably the number of options available, we jump to another block where a subroutine called menu is called.
Now this is the interesting part of menu, as we see the same message that we got when we ran the executable: "That entry is encrypted - please enter your WIDE decryption key:". We also see towards the bottom of the block a call to wcscmp. I was not familiar with that C call, but after a quick Google search I found it is a function to compare 2 wide strings, which are strings with a character size larger than 8 bits. We see that wcscmp is comparing the value stored in s2 to the value stored in the stack variable pwcs. Let's see what is stored at the location of s2.
We see the declaration of a wide char with wchar_t s2 followed by a series of strings. IDA Pro is assuming these are normal size strings, but we now know it's a wide string. Let's tell IDA it's a wide string by clicking on the definition and pressing Option+a. The following prompt appears.
If we deselect UTF-8 we can select several other character encodings. Let's go with the largest, UTF-32LE. Now this looks really different.
Let's paste it into the prompt for the encryption key:
Which dimension would you like to examine? 6
[X] That entry is encrypted - please enter your WIDE decryption key: sup3rs3cr3tw1d3
HTB{som3_str1ng5_4r3_w1d3}
Which dimension would you like to examine? Our home dimension
Which dimension would you like to examine?
YAY!!! It works and reveals the flag.
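
A default strings scan looks for runs of single-byte characters, so a wchar_t string like the one wcscmp compares against (4 bytes per character on Linux, the UTF-32LE layout selected in IDA) does not show up in it. The scanner below is an added example, not part of the original write-up; find_strings, SAMPLE and the key text in it are constructed for illustration.

```python
import re

# Codec for each supported code-unit width in bytes.
CODECS = {1: "ascii", 2: "utf-16-le", 4: "utf-32-le"}


def find_strings(data: bytes, width: int = 1, min_len: int = 4):
    """Return (offset, text) for runs of printable ASCII characters stored
    in little-endian code units of `width` bytes.

    width=1 is what a default strings scan sees; width=4 is wchar_t on
    Linux x86-64, where every ASCII character is followed by three zero
    bytes and therefore breaks any single-byte run after one character.
    """
    codec = CODECS[width]  # KeyError for unsupported widths
    # One code unit: a printable byte followed by width-1 NUL bytes.
    unit = rb"[\x20-\x7e]" + rb"\x00" * (width - 1)
    pattern = re.compile(
        rb"(?:" + unit + rb"){" + str(min_len).encode() + rb",}"
    )
    return [(m.start(), m.group().decode(codec))
            for m in pattern.finditer(data)]


# Constructed sample standing in for a binary's read-only data: one narrow
# C string and one wchar_t string, both NUL-terminated. The key text is a
# placeholder, not the value from the challenge binary.
SAMPLE = (
    b"Usage: %s db.ex\x00"
    + "example_wide_key".encode("utf-32-le")
    + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    for width in (1, 2, 4):
        print(f"width={width}: {find_strings(SAMPLE, width)}")
```

GNU strings performs the same scan on a real file with the -e L option (32-bit little-endian), for example: strings -e L wide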