Description

Solution

We’re presented with a zip file.

[ihuomtia@pc plc]$ ls  
Diamond_Hands_Crypto_Casino.zip

Let’s extract it and see what’s inside.

[ihuomtia@pc plc]$ unzip Diamond_Hands_Crypto_Casino.zip    
Archive:  Diamond_Hands_Crypto_Casino.zip  
  creating: Diamond Hand's Crypto Casino.app/  
 inflating: __MACOSX/._Diamond Hand's Crypto Casino.app     
  creating: Diamond Hand's Crypto Casino.app/Contents/  
 inflating: __MACOSX/Diamond Hand's Crypto Casino.app/._Contents     
  creating: Diamond Hand's Crypto Casino.app/Contents/_CodeSignature/  
 inflating: __MACOSX/Diamond Hand's Crypto Casino.app/Contents/.__CodeSignature
 [...]
Casino.app/Contents/Frameworks/Squirrel.framework/Versions/Current -> A  
 Diamond Hand's Crypto Casino.app/Contents/Frameworks/Mantle.framework/Versions/Current -> A

As we can see, there are two folders; let’s look inside “Diamond Hand’s Crypto Casino.app”.

[ihuomtia@pc plc]$ ls  
"Diamond Hand's Crypto Casino.app"   __MACOSX

Inside there are several more folders. After looking through them, the most interesting one seems to be the “Resources” folder.

[ihuomtia@pc plc]$ cd Diamond\ Hand\'s\ Crypto\ Casino.app/  
[ihuomtia@pc Diamond Hand's Crypto Casino.app]$ ls  
Contents  
[ihuomtia@pc Diamond Hand's Crypto Casino.app]$ cd Contents/  
[ihuomtia@pc Contents]$ ls  
_CodeSignature  Frameworks  Info.plist  MacOS  PkgInfo  Resources  
[ihuomtia@pc Contents]$ cd ..  
[ihuomtia@pc Diamond Hand's Crypto Casino.app]$ cd ..  
[ihuomtia@pc plc]$ cd Diamond\ Hand\'s\ Crypto\ Casino.app/Contents/  
[ihuomtia@pc Contents]$ ls  
_CodeSignature  Frameworks  Info.plist  MacOS  PkgInfo  Resources  

In the Resources folder, the file app.asar stands out from the rest; let’s check it out.

INFO

ASAR stands for “Asynchronous JavaScript and XML” (AJAX) Simplified ARchive, and it is a simple archive format used primarily by Electron applications. Electron is a framework for building cross-platform desktop applications using web technologies like JavaScript, HTML, and CSS.

[ihuomtia@pc Contents]$ cd Resources/
[ihuomtia@pc Resources]$ ls  
[...]
app.asar
[...]

After a bit of research, it appears that this file can be unpacked with the asar utility; once it is installed, we can extract the contents of app.asar.

[ihuomtia@pc Resources]$ asar e app.asar    
error: missing required argument 'dest'  
[ihuomtia@pc Resources]$ asar e app.asar app  
[ihuomtia@pc Resources]$ ls  
[...]
app
app.asar
[...]

Inside the extracted app directory we find a handful of JavaScript files and web-related documents.

[ihuomtia@pc app]$ ls  
forge.config.js  icon.icns  index.html  main.js  node_modules  package.json  prod.js  renderer.js  style.css

Looking through main.js, there is a command that executes only when the host is running macOS.

[ihuomtia@pc app]$ cat main.js    
const { app, BrowserWindow } = require("electron");  
const path = require("path");
[...]
async function runMacOS() {
  doCommand(
    "echo U2FsdGVkX18dLoy5VJmru0jW8cEVgMQS5JYhHSk8D369laaZ7d7nBJXslDqS4CFoqIfwoKGM6Urhmx079RXgIA== | openssl enc -aes-256-cbc -d -a -pass pass:infected"
  );
  [...]
app.on("activate", () => {
  if (BrowserWindow.getAllWindows().length === 0) {
    createWindow();
  }
});

Running the same command ourselves reveals the flag.

[ihuomtia@pc app]$ echo U2FsdGVkX18dLoy5VJmru0jW8cEVgMQS5JYhHSk8D369laaZ7d7nBJXslDqS4CFoqIfwoKGM6Urhmx079RXgIA== | openssl enc -aes-256-cbc -d -a -pass pass:infected
flag{6d0560223d733e5a6761476f8d23b4e3}

And here’s the flag: flag{6d0560223d733e5a6761476f8d23b4e3}
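As an added example (not part of the original writeup), the Go program below reproduces what that openssl command does, offline and without the openssl binary: it checks the Salted__ header, derives the key and IV with OpenSSL's legacy EVP_BytesToKey, and decrypts AES-256-CBC. Because the blob does not record which digest openssl used, it tries SHA-256 and then MD5 and accepts whichever yields valid PKCS#7 padding; the ciphertext and the password are the ones taken from main.js above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"hash"
)

// Blob copied from the page's main.js: base64 of "Salted__" || 8-byte salt || AES-256-CBC ciphertext.
const casinoBlob = "U2FsdGVkX18dLoy5VJmru0jW8cEVgMQS5JYhHSk8D369laaZ7d7nBJXslDqS4CFoqIfwoKGM6Urhmx079RXgIA=="

// evpBytesToKey is OpenSSL's legacy EVP_BytesToKey (one iteration, used by `openssl enc` without -pbkdf2):
// D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt), concatenated to n bytes of key || IV.
func evpBytesToKey(h func() hash.Hash, password, salt []byte, n int) []byte {
	var out, prev []byte
	for len(out) < n {
		d := h()
		d.Write(bytes.Join([][]byte{prev, password, salt}, nil))
		prev = d.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// decryptOpenSSL reverses `openssl enc -aes-256-cbc -d -a -pass pass:<password>` in pure Go.
func decryptOpenSSL(blob, password string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < 32 || string(raw[:8]) != "Salted__" || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not an OpenSSL salted blob")
	}
	// The digest is not stored in the blob: try SHA-256 (OpenSSL >= 1.1.0 default), then MD5 (older default).
	for _, h := range []func() hash.Hash{sha256.New, md5.New} {
		kiv := evpBytesToKey(h, []byte(password), raw[8:16], 48) // 32-byte key followed by 16-byte IV
		block, _ := aes.NewCipher(kiv[:32])                     // 32-byte key, so no error is possible
		pt := make([]byte, len(raw)-16)
		cipher.NewCBCDecrypter(block, kiv[32:]).CryptBlocks(pt, raw[16:])
		// Valid PKCS#7 padding identifies the right password and digest; otherwise try the next digest.
		if n := int(pt[len(pt)-1]); n > 0 && n <= aes.BlockSize && bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
			return string(bytes.TrimSpace(pt[:len(pt)-n])), nil
		}
	}
	return "", fmt.Errorf("no candidate digest produced valid padding: wrong password?")
}

func main() {
	fmt.Println(decryptOpenSSL(casinoBlob, "infected"))
}
```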