{"id":2458,"date":"2018-04-03T18:12:43","date_gmt":"2018-04-03T16:12:43","guid":{"rendered":"https:\/\/www.asafety.fr\/?p=2458"},"modified":"2018-04-03T18:29:29","modified_gmt":"2018-04-03T16:29:29","slug":"ctf-ndh-2018-quals-write-up-reverse-sostealthy","status":"publish","type":"post","link":"https:\/\/www.asafety.fr\/en\/reverse-engineering\/ctf-ndh-2018-quals-write-up-reverse-sostealthy\/","title":{"rendered":"[CTF NDH 2018 Quals] Write-Up \u2013 Reverse : SoStealthy"},"content":{"rendered":"<p style=\"text-align: center;\"><strong>Write-up of the challenge \u201cReverse \u2013 SoStealthy\u201d of Nuit du\u00a0Hack 2018 CTF qualifications.<\/strong><\/p>\n<p>The weekend of 03\/31\/2018 was the pre-qualification round for the <strong><a href=\"https:\/\/nuitduhack.com\/fr\/\" target=\"_blank\" rel=\"noopener\">Nuit du Hack 2018<\/a><\/strong>, run as a <strong>Jeopardy CTF<\/strong>. Having had the opportunity and the time to take part with some colleagues and friends, here is a write-up of the challenges we worked on.<\/p>\n<ul>\n<li>Category: <strong>Reverse<\/strong><\/li>\n<li>Name: <strong>SoStealthy<\/strong><\/li>\n<li>Description: <em>During an incident response, we captured the network traffic from a suspected compromised host. Could you help us reverse the installed malware?<\/em><\/li>\n<li>File:\u00a0<a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/suspicious.zip\">suspicious.pcap<\/a> (5.80MB &#8211; 7b34f24ad1a87204bc5b1aa4044013c270e171d89d07c1eab0f24e9e2cc5498b)<\/li>\n<li>Points: <strong>150<\/strong><\/li>\n<\/ul>\n<p>For this challenge a suspicious PCAP file is provided. It contains several HTTP requests. 
We begin by extracting the HTTP objects with Wireshark :<\/p>\n<div id=\"attachment_2461\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/01-5.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2461\" class=\"size-medium wp-image-2461\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/01-5-300x182.png\" alt=\"Wireshark extract HTTP objects\" width=\"300\" height=\"182\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/01-5-300x182.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/01-5-768x465.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/01-5.png 985w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2461\" class=\"wp-caption-text\">Wireshark extract HTTP objects<\/p><\/div>\n<p>There are a lot of objects. Let&#8217;s go through them :<\/p>\n<div id=\"attachment_2462\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/02-5.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2462\" class=\"size-medium wp-image-2462\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/02-5-300x213.png\" alt=\"HTTP object list\" width=\"300\" height=\"213\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/02-5-300x213.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/02-5-768x545.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/02-5.png 874w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2462\" class=\"wp-caption-text\">HTTP object list<\/p><\/div>\n<p>A &#8220;favicon&#8221; file stands out: instead of an icon it contains code :<\/p>\n<div id=\"attachment_2463\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2463\" class=\"size-medium wp-image-2463\" 
src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4-300x124.png\" alt=\"Suspicious favicon\" width=\"300\" height=\"124\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4-300x124.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4-768x318.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4-1024x424.png 1024w, https:\/\/www.asafety.fr\/wp-content\/uploads\/03-4.png 1256w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2463\" class=\"wp-caption-text\">Suspicious favicon<\/p><\/div>\n<p>The file begins with an XML header, after which JavaScript code loads a base64-encoded payload through an ActiveX object. It is definitely suspicious.<\/p>\n<div id=\"attachment_2464\" style=\"width: 285px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/04-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2464\" class=\"wp-image-2464 size-medium\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/04-3-275x300.png\" alt=\"JScript header\" width=\"275\" height=\"300\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/04-3-275x300.png 275w, https:\/\/www.asafety.fr\/wp-content\/uploads\/04-3.png 741w\" sizes=\"auto, (max-width: 275px) 100vw, 275px\" \/><\/a><p id=\"caption-attachment-2464\" class=\"wp-caption-text\">JScript header<\/p><\/div>\n<div id=\"attachment_2465\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/05-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2465\" class=\"size-medium wp-image-2465\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/05-2-300x257.png\" alt=\"JScript footer\" width=\"300\" height=\"257\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/05-2-300x257.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/05-2-768x659.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/05-2.png 794w\" 
sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2465\" class=\"wp-caption-text\">JScript footer<\/p><\/div>\n<p>We removed the XML header and the matching footer. The script can now be run as JScript with the Windows binaries &#8220;cscript.exe&#8221; or &#8220;wscript.exe&#8221; (in an isolated analysis VM: this executes the sample) :<\/p>\n<div id=\"attachment_2467\" style=\"width: 292px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/06-2.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2467\" class=\"size-medium wp-image-2467\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/06-2-282x300.png\" alt=\"JScript cleaned\" width=\"282\" height=\"300\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/06-2-282x300.png 282w, https:\/\/www.asafety.fr\/wp-content\/uploads\/06-2-370x395.png 370w, https:\/\/www.asafety.fr\/wp-content\/uploads\/06-2.png 758w\" sizes=\"auto, (max-width: 282px) 100vw, 282px\" \/><\/a><p id=\"caption-attachment-2467\" class=\"wp-caption-text\">JScript cleaned<\/p><\/div>\n<p>When launched, a GUI asks us for a &#8220;magic word&#8221; :<\/p>\n<div id=\"attachment_2468\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/07-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2468\" class=\"size-medium wp-image-2468\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/07-1-300x253.png\" alt=\"Say the magic word\" width=\"300\" height=\"253\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/07-1-300x253.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/07-1-768x648.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/07-1.png 770w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2468\" class=\"wp-caption-text\">Say the magic word<\/p><\/div>\n<p>The flag is the magic word, so we have to reverse it.<\/p>\n<p>Several approaches were tried without success: decompiling the script through IDA, debugging it with &#8220;cscript \/\/X&#8221; and Visual Studio, dumping the process memory for post-analysis&#8230;<\/p>\n<p>Then the name of\u00a0James Forshaw and the\u00a0<a href=\"https:\/\/github.com\/tyranid\/DotNetToJScript\" target=\"_blank\" rel=\"noopener\">DotNetToJScript<\/a>\u00a0tool tell us which technology is in play (.NET) and how the original binary was embedded in the JScript file: the tool wraps a .NET assembly in a serialized object, base64-encodes it, and has the script deserialize it at runtime. The embedded file is therefore most likely a PE (Portable Executable), so we dig into it :<\/p>\n<p>A PE file starts with an &#8220;MZ&#8221; header. But in the base64-decoded data the MZ header is not at offset &#8220;0&#8221;, because the serialization header comes first :<\/p>\n<div id=\"attachment_2469\" style=\"width: 208px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/112015_2323_2MalwareRes1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2469\" class=\"size-medium wp-image-2469\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/112015_2323_2MalwareRes1-198x300.jpg\" alt=\"PE header\" width=\"198\" height=\"300\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/112015_2323_2MalwareRes1-198x300.jpg 198w, https:\/\/www.asafety.fr\/wp-content\/uploads\/112015_2323_2MalwareRes1.jpg 278w\" sizes=\"auto, (max-width: 198px) 100vw, 198px\" \/><\/a><p id=\"caption-attachment-2469\" class=\"wp-caption-text\">PE header<\/p><\/div>\n<div id=\"attachment_2470\" style=\"width: 286px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/12.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2470\" class=\"size-medium wp-image-2470\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/12-276x300.png\" alt=\"PE header identification\" width=\"276\" height=\"300\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/12-276x300.png 276w, https:\/\/www.asafety.fr\/wp-content\/uploads\/12-768x834.png 768w, 
https:\/\/www.asafety.fr\/wp-content\/uploads\/12.png 824w\" sizes=\"auto, (max-width: 276px) 100vw, 276px\" \/><\/a><p id=\"caption-attachment-2470\" class=\"wp-caption-text\">PE header identification<\/p><\/div>\n<p>We strip the bytes before the &#8220;MZ&#8221; and save the output as an &#8220;.exe&#8221; file :<\/p>\n<div id=\"attachment_2479\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/header.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2479\" class=\"size-medium wp-image-2479\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/header-300x123.png\" alt=\"Clean header to get PE file\" width=\"300\" height=\"123\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/header-300x123.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/header-768x315.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/header-1024x420.png 1024w, https:\/\/www.asafety.fr\/wp-content\/uploads\/header.png 1362w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2479\" class=\"wp-caption-text\">Clean header to get PE file<\/p><\/div>\n<p>The binary, now with a valid PE header, is ready to be decompiled with\u00a0<a href=\"https:\/\/github.com\/0xd4d\/dnSpy\/releases\" target=\"_blank\" rel=\"noopener\">dnSpy<\/a>\u00a0:<\/p>\n<p>We can now read the .NET logic and the XOR check function :<\/p>\n<div id=\"attachment_2471\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/09.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2471\" class=\"size-medium wp-image-2471\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/09-300x170.png\" alt=\"XOR in .NET\" width=\"300\" height=\"170\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/09-300x170.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/09-768x434.png 768w, 
https:\/\/www.asafety.fr\/wp-content\/uploads\/09-1024x579.png 1024w, https:\/\/www.asafety.fr\/wp-content\/uploads\/09-370x208.png 370w, https:\/\/www.asafety.fr\/wp-content\/uploads\/09.png 1161w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2471\" class=\"wp-caption-text\">XOR in .NET<\/p><\/div>\n<pre>\u00a0\u00a0\u00a0\u00a0\/\/\u00a0Token:\u00a00x06000005\u00a0RID:\u00a05\u00a0RVA:\u00a00x0000226C\u00a0File\u00a0Offset:\u00a00x0000046C\r\n\u00a0\u00a0\u00a0\u00a0private\u00a0bool\u00a0MeeBish0iotho9biBuJi(string\u00a0magicWord)\r\n\u00a0\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0for\u00a0(int\u00a0i\u00a0=\u00a00;\u00a0i\u00a0&lt;\u00a0this.Tai8Aip0ua3ULi6zo1je.Length;\u00a0i++)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0uint\u00a0num\u00a0=\u00a0(uint)(magicWord[i]\u00a0^\u00a0this.Tai8Aip0ua3ULi6zo1je[i]);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0bool\u00a0flag\u00a0=\u00a0(ulong)num\u00a0!=\u00a0(ulong)((long)this.az5nieghahj0Iekah0ph[i]);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0if\u00a0(flag)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return\u00a0false;\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0return\u00a0true;\r\n\u00a0\u00a0\u00a0\u00a0}<\/pre>\n<p>The XOR key is in a decimal-array format :<\/p>\n<div id=\"attachment_2472\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/11-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2472\" class=\"size-medium wp-image-2472\" 
src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/11-1-300x239.png\" alt=\"XOR key\" width=\"300\" height=\"239\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/11-1-300x239.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/11-1.png 742w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2472\" class=\"wp-caption-text\">XOR key<\/p><\/div>\n<pre>\u00a0\u00a0\u00a0\u00a0private\u00a0int[]\u00a0az5nieghahj0Iekah0ph\u00a0=\u00a0new\u00a0int[]\r\n\u00a0\u00a0\u00a0\u00a0{\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a021,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a091,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a020,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0126,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a00,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a061,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a024,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a02,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a082,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a07,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a017,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a088,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a022,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a018,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a021,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0114,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0117,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a015,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a080,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a059,\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a024\r\n\u00a0\u00a0\u00a0\u00a0};<\/pre>\n<p>The input &#8220;magic word&#8221; is XORed character by character with the last 22 bytes of the base64 payload itself (the Tai8Aip0ua3ULi6zo1je array), and each result is compared with the corresponding entry of the int array above; the first mismatch rejects the word :<\/p>\n<div id=\"attachment_2473\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a 
href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/10.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2473\" class=\"size-medium wp-image-2473\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/10-300x47.png\" alt=\"Last 22 bytes of its own code\" width=\"300\" height=\"47\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/10-300x47.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/10-768x121.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/10-1024x161.png 1024w, https:\/\/www.asafety.fr\/wp-content\/uploads\/10.png 1086w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2473\" class=\"wp-caption-text\">Last 22 bytes of its own code<\/p><\/div>\n<div id=\"attachment_2474\" style=\"width: 291px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/13.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2474\" class=\"size-medium wp-image-2474\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/13-281x300.png\" alt=\"Run the ActiveX with its own code as input\" width=\"281\" height=\"300\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/13-281x300.png 281w, https:\/\/www.asafety.fr\/wp-content\/uploads\/13-768x820.png 768w, https:\/\/www.asafety.fr\/wp-content\/uploads\/13-370x395.png 370w, https:\/\/www.asafety.fr\/wp-content\/uploads\/13.png 788w\" sizes=\"auto, (max-width: 281px) 100vw, 281px\" \/><\/a><p id=\"caption-attachment-2474\" class=\"wp-caption-text\">Run the ActiveX with its own code as input<\/p><\/div>\n<p>These last 22 bytes are :<\/p>\n<pre>FkKEJ5dGVbXSkIAAAACgsA<\/pre>\n<p>The XOR key as a decimal array is :<\/p>\n<pre>key = [21,91,20,0,126,0,61,24,2,82,7,17,88,22,18,21,114,117,15,80,59,24]<\/pre>\n<p>To find the &#8220;magic word&#8221;, XOR the key with the last 22 bytes: XOR is its own inverse, so this undoes the check :<\/p>\n<pre># Python 3 (the original was Python 2: print statement and unichr)\r\ndef xor_strings(xs, ys):\r\n    # character-wise XOR of two equal-length strings\r\n    return \"\".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))\r\n\r\nlast22bytes = \"FkKEJ5dGVbXSkIAAAACgsA\"\r\nxorKey = [21,91,20,0,126,0,61,24,2,82,7,17,88,22,18,21,114,117,15,80,59,24]\r\n\r\n# turn the decimal key into a string so it can be XORed with the payload bytes\r\nxorKeyStr = \"\".join(chr(c) for c in xorKey)\r\n\r\nprint(\"Magic Word : NDH{\" + xor_strings(last22bytes, xorKeyStr) + \"}\")<\/pre>\n<p>Run :<\/p>\n<div id=\"attachment_2475\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/14.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-2475\" class=\"size-medium wp-image-2475\" src=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/14-300x137.png\" alt=\"XOR to get the flag\" width=\"300\" height=\"137\" srcset=\"https:\/\/www.asafety.fr\/wp-content\/uploads\/14-300x137.png 300w, https:\/\/www.asafety.fr\/wp-content\/uploads\/14.png 606w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-2475\" class=\"wp-caption-text\">XOR to get the flag<\/p><\/div>\n<pre>Flag :\u00a0NDH{S0_E45Y_T0_B3_ST34L7HY}<\/pre>\n<p>This challenge held out against us for a good part of the night! Congrats to Estelle, Martin, Georges and Timoth\u00e9e for this one \ud83d\ude42<\/p>\n<p>Greetings to the whole team! :)<\/p>","protected":false},"excerpt":{"rendered":"<p>Write-up of the challenge \u201cReverse \u2013 SoStealthy\u201d of Nuit du\u00a0Hack 2018 CTF qualifications. 
The weekend of 03\/31\/2018 is pre-qualification for [&hellip;]<\/p>\n","protected":false},"author":1337,"featured_media":1963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[524,523,526,531,421],"tags":[],"class_list":["post-2458","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf","category-events","category-ndh","category-ndh2k18","category-reverse-engineering"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=2458"}],"version-history":[{"count":8,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2458\/revisions"}],"predecessor-version":[{"id":2483,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/2458\/revisions\/2483"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/1963"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=2458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=2458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=2458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
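
As an added worked example (not part of the original write-up or of the challenge files), here are the two mechanical steps of the write-up above in Python 3: carving the PE out of the decoded DotNetToJScript blob, and inverting the XOR check to get the magic word. The base64 payload is a constructed stand-in (the real blob is not reproduced; `build_sample_blob` is my own, and it plants a decoy "MZ" before the real header), while `TAI8` and `AZ5` are the two arrays copied from the decompiled class. The carver does not trust the first "MZ": it requires `e_lfanew` (DOS header offset 0x3C) to point at a "PE\0\0" signature, then reads the COFF header and data directory 14 (the CLR runtime header) to confirm the carve is a .NET assembly before it goes to dnSpy. `check_magic_word` is a port of `MeeBish0iotho9biBuJi` and keeps its behaviour on long input; the C# version would throw on input shorter than 22 characters, which the port turns into a plain rejection.

```python
import base64
import struct

# Values copied from the decompiled .NET class in the write-up:
# Tai8Aip0ua3ULi6zo1je is the last 22 characters of the base64 payload text,
# az5nieghahj0Iekah0ph the int[] each XOR result is compared against.
TAI8 = b"FkKEJ5dGVbXSkIAAAACgsA"
AZ5 = [21, 91, 20, 0, 126, 0, 61, 24, 2, 82, 7, 17, 88, 22, 18, 21,
       114, 117, 15, 80, 59, 24]


def build_sample_blob() -> bytes:
    """Constructed stand-in for the decoded DotNetToJScript payload (the real
    one is not reproduced). Like the real blob it has serialized bytes before
    the PE; it also plants a decoy 'MZ' whose e_lfanew is junk, so a carver
    that trusts the first 'MZ' would cut in the wrong place."""
    prefix = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00" + b"MZ" + b"\xff" * 0x40
    dos = bytearray(0x40)                      # DOS header: 'MZ' ... e_lfanew at 0x3C
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # NT headers start right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)  # i386, 3 sections
    opt = bytearray(0xE0)                      # PE32 optional header, otherwise zero
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # data dir 14 = CLR header
    return prefix + bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def sample_payload_b64() -> str:
    """The constructed blob as the JScript would carry it: base64 text."""
    return base64.b64encode(build_sample_blob()).decode()


def find_embedded_pe(blob: bytes):
    """Return (offset, bytes from that offset) for the first 'MZ' whose
    e_lfanew points at a 'PE\\0\\0' signature inside the blob, else None.
    Two bytes match 'MZ' by accident easily; the e_lfanew check is what
    makes a hit trustworthy."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(blob) and blob[sig:sig + 4] == b"PE\x00\x00":
                return pos, blob[pos:]
        pos = blob.find(b"MZ", pos + 1)
    return None


def describe_pe(pe: bytes) -> dict:
    """Read the COFF header and data directory 14 (CLR runtime header):
    enough to tell a .NET assembly, which dnSpy expects, from a native PE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    machine, nsections, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                              # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    clr_rva, clr_size = struct.unpack_from("<II", pe, dirs + 14 * 8)
    return {"machine": machine, "sections": nsections, "pe32plus": magic == 0x20B,
            "dotnet": clr_rva != 0 and clr_size != 0}


def check_magic_word(word: str, tai8: bytes = TAI8, az5=AZ5) -> bool:
    """Port of MeeBish0iotho9biBuJi: (word[i] ^ tai8[i]) == az5[i] for every
    i < len(tai8). The C# indexes magicWord[i] without a length check, so a
    short input throws there; here it is simply rejected. Extra trailing
    characters are ignored in both, as the loop only runs over tai8."""
    if len(word) < len(tai8):
        return False
    return all((ord(c) ^ t) == a for c, t, a in zip(word, tai8, az5))


def recover_magic_word(tai8: bytes = TAI8, az5=AZ5) -> str:
    """XOR is its own inverse, so word[i] = tai8[i] ^ az5[i]."""
    return "".join(chr(t ^ a) for t, a in zip(tai8, az5))


def solve(b64_payload: str, tai8: bytes, az5) -> dict:
    """Carve the PE out of the base64 text, sanity-check it, recover the flag.
    With the real sample, tai8 would be the last 22 characters of b64_payload."""
    blob = base64.b64decode(b64_payload)
    hit = find_embedded_pe(blob)
    if hit is None:
        raise ValueError("no PE with a valid e_lfanew/PE signature in the payload")
    offset, pe = hit
    word = recover_magic_word(tai8, az5)
    if not check_magic_word(word, tai8, az5):
        raise ValueError("recovered word does not pass the binary's own check")
    return {"pe_offset": offset, "pe": describe_pe(pe), "flag": "NDH{" + word + "}"}


if __name__ == "__main__":
    print(solve(sample_payload_b64(), TAI8, AZ5))
```

The carved bytes (`blob[offset:]`) are what would be saved as the ".exe" for dnSpy; trailing bytes after the image are harmless to the loader but `describe_pe` only needs the headers, so it does not try to compute the image size.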