An ISO file is provided to you in this challenge. A file listing is shown below:
./casper
./casper/filesystem.manifest
./casper/filesystem.manifest-desktop
./casper/filesystem.size
./casper/filesystem.squashfs
./casper/initrd.lz
./casper/vmlinuz
./install
./isolinux
./isolinux/boot.cat
./isolinux/isolinux.bin
./isolinux/isolinux.cfg
./md5sum.txt
./README.diskdefines
This looks like a Linux bootable CD. Before you start digging through the contents, you can try booting it in a VM. The exact configuration will vary with the software you use (VMware, VirtualBox, etc.).
Once you’ve booted from the ISO you should see a splash screen, followed by Linux booting up, and then this image is displayed to you:
This looks like a Tic Tac Toe game, and if you click on the image you’ll find that it’s actually interactive.
You’ll soon discover that the game is unwinnable through legitimate play. Losing displays the following image:
The next step will be taking a closer look at the contents of the ISO to see what can be learned about the game.
Even if you weren’t sure where to begin with the files on the ISO, listing all of the files gives you a pretty good hint:
filesystem.squashfs is by far the largest file on the ISO and probably a good place to start.
Mount the squashfs file to someplace on your system, for example:
mount /media/derp/2017-03-11-12-14-38-00/casper/filesystem.squashfs /mnt/squash -t squashfs -o loop
Listing the root of the filesystem gives you your next clue:
Most of the filesystem looks normal except for the shell script with the gibberish name.
The first script you check is just a reference to another script, which is a reference to another script, and so on. This could be really tedious to handle manually, so you could write a script to follow the references to the final destination.
The following script can get the job done:
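One way to write such a chain-follower, as an added example rather than the write-up's own script. It assumes a convention that the page does not spell out: each shell script's last non-empty, non-comment line is the hand-off command, and the first word after any interpreter words (`exec`, `sh`, `bash`, `python`) is the path of the next script, absolute paths being resolved against the mounted squashfs root. The chain it walks is constructed in a temporary directory; the script names, the `--cheat`-free final file and the marker comment are all placeholders, not data from the ISO.

```python
import os
import tempfile

# Words that may precede the next script's path on the hand-off line.
# Assumed convention for this example; adjust it for the chain you are analysing.
INTERPRETER_WORDS = {"exec", "sh", "bash", "python", "python3"}


def next_reference(script_path, root):
    """Return the path of the script that `script_path` hands off to, or None.

    Assumption (labelled): the last non-empty, non-comment line of a script is
    the hand-off command, and its first word after any interpreter words is the
    next script. Absolute paths are resolved against `root` (the mounted
    squashfs), relative ones against the referring script's own directory.
    """
    with open(script_path, "r", errors="replace") as fh:
        lines = [line.strip() for line in fh]
    for line in reversed(lines):
        if not line or line.startswith("#"):
            continue
        words = line.split()
        while words and words[0] in INTERPRETER_WORDS:
            words.pop(0)
        if not words:
            return None
        target = words[0]
        if target.startswith("/"):
            candidate = os.path.join(root, target.lstrip("/"))
        else:
            candidate = os.path.join(os.path.dirname(script_path), target)
        candidate = os.path.normpath(candidate)
        return candidate if os.path.isfile(candidate) else None
    return None


def follow_chain(start, root, limit=100000):
    """Follow hand-offs from `start`; return every visited path in order.

    Stops at a dead end (no further reference), at a loop, or after `limit`
    hops, so a deliberately circular chain cannot keep the analysis running forever.
    """
    visited, seen = [], set()
    current = os.path.normpath(start)
    while current and current not in seen and len(visited) < limit:
        visited.append(current)
        seen.add(current)
        current = next_reference(current, root)
    return visited


def build_demo_chain(root, length):
    """Create `length` shell scripts that hand off to each other, ending in a
    Python file (constructed sample data, not taken from the ISO)."""
    hops = [os.path.join(root, "hop_%03d.sh" % i) for i in range(length)]
    final = os.path.join(root, "final_game.py")
    for i, path in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < length else final
        ref = "/" + os.path.relpath(nxt, root)  # as the path would appear on the live CD
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# hop %d\nexec sh %s\n" % (i, ref))
    with open(final, "w") as fh:
        fh.write("#!/usr/bin/env python\nprint('tic tac toe')\n# obfuscator-marker-placeholder\n")
    return hops[0], final


def demo(length=5):
    """Build a constructed chain in a temp dir and resolve it; returns (chain, final)."""
    root = tempfile.mkdtemp(prefix="chain_demo_")
    start, final = build_demo_chain(root, length)
    return follow_chain(start, root), final


if __name__ == "__main__":
    chain, final = demo(5)
    for p in chain:
        print(p)
    print("final destination:", final)
```

Against a real mounted image you would call `follow_chain("/mnt/squash/<gibberish>.sh", "/mnt/squash")` and print the result; the loop guard matters because a chain of redirect scripts is exactly the sort of thing an author might make circular to waste an analyst's time.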
Executing this script will print a large number of paths, ending with:
The last script looks different from all the prior ones:
The name should be a bit concerning, since it explicitly tells you it’s a red herring, but let’s take a look anyway.
The first thing you should notice is that the file is absolutely huge for a python script:
The script appears to contain some huge blobs of encoded data:
The obfuscation techniques used throughout the script aren’t highly problematic. There are many no-op lines prefixed by if conditions that always evaluate to False. Variable names are randomized, but again, nothing you couldn’t reverse via replacement. Even without renaming the script is fairly readable.
The hash comment at the end is conspicuous. Searching Google for this hash should reveal a CTF write-up for an unrelated CTF challenge, as well as the obfuscator that likely produced this script: https://github.com/astrand/pyobfuscate
This obfuscator inserts the commented hash at the end to mark obfuscated files. Handy. There is no automated way to reverse the obfuscation and recover the original variable names, so finding the obfuscator is just a curiosity.
Reading through the code you’ll discover that the large blobs are likely base64-encoded images, which was also apparent from the data itself, but it’s good to have confirmation.
You might also stumble upon this interesting bit of code:
You could read a little further to understand what this means, or just try the command-line option by running the script directly. This is easiest in the VM you created earlier: lose the game, minimize it, and then launch xterm by right-clicking on the desktop.
You’ll be presented with an instantly winnable game.
Winning reveals the following image:
The phrase “no key in this one” suggests that maybe there are more copies of this game that you didn’t reach by starting from just the shell script at the root of the filesystem. You can search the file system for the obfuscation token we previously found.
There is only one new script to review. You could analyze it, but it is quicker to just try running it with the --cheat option discovered earlier.
That’s no good. Something must be loading this file successfully, so try searching the filesystem for the file name.
The tac command describes itself as:
“Write each FILE to standard output, last line first.”
You can now modify the command slightly to pass the --cheat option.
Winning this time reveals the following image:
Success! No significant analysis or RE of the game itself was necessary.