search

SanityChecker

hashtag
[☆☆☆] Sleepy python

hashtag
Description

I found some Python code on my computer, but I don't know what it's doing. I tried to run it, but it doesn't seem to do anything. Flag is in format SK-CERT{...} and is hidden in command that is executed using os.system(...). This scenario is for environment with BASH.

Download: 1.pyarrow-up-right

hashtag
Solution

Change the os.system to print and that's the easiest way to debug the program. Deobfuscation functions are already in place.

# time.sleep(31536000)

with open("lol.sh", "w") as f:
    f.write(data)

print(command1)
print(command2)
➜ py .\1.py
chmod +x lol.sh
./lol.sh #SK-CERT{0bfu5c4710n_4nd_5l33p}
circle-check

Flag: SK-CERT{0bfu5c4710n_4nd_5l33p}

hashtag
[☆☆☆] Bash dropper

hashtag
Description

It looks like the python script created new bash file. Take a look. Flag is in format SK-CERT{...} and is hidden inside bash script.

hashtag
Solution

The deobfuscated file writes lol.sh script:

circle-check

Flag: SK-CERT{1_w1ll_l34v3_y0u_50m37h1n6_h3r3}

hashtag
[☆☆☆] Password protected

hashtag
Description

It appears that the bash script left another executable on your system. It also seems to be password-protected. I don't know the password, but I'm really curious about what secrets this file holds. The flag is in the format SK-CERT{...}. There are multiple ways to obtain the flag. For example, you can use static analysis of the binary to either read the flag from its data or find a hardcoded password. Alternatively, you can use dynamic analysis or binary patching.

hashtag
Solution

Decode the base64 blob and analyze malw

Ideally you would want to use Ghidra or Ida to analyze the file, but since sample is very small https://dogbolt.org/?id=e3a6edf8-64d9-417b-bd9d-16b0a8c2edc3arrow-up-right will do

SanityChecker.png
circle-check

Flag: SK-CERT{h4rdc0d3d_pl41n73x7}

PreviousConnectionCheckerNextThe Chronicles of Greg (Not Solved, Raw Thoughts)

Last updated