{"id":2806,"date":"2017-04-05T19:05:08","date_gmt":"2017-04-05T17:05:08","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=2806"},"modified":"2017-04-05T19:05:08","modified_gmt":"2017-04-05T17:05:08","slug":"write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/","title":{"rendered":"Write-up \u2013 Hack Night 2017 CTF Quals \u2013 Matryoshka step 3"},"content":{"rendered":"<h1>Introduction<\/h1>\n<p>Several Intrinsec consultants participated in <a href=\"https:\/\/quals.nuitduhack.com\/scoreboard\/\">Nuit du Hack 2017 Qualifying CTF<\/a>, which took place on the night of March 31st. We finished 36th and here is a write-up about one of the events. <em>reverse<\/em> that we did not resolve before the end of the regulation time.<\/p>\n<p>Here is the statement of the test:<img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-2847\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/enonce.png\" alt=\"\" width=\"612\" height=\"317\" \/><\/p>\n<h1>Identification<\/h1>\n<p>The &quot;step3&quot; binary of the test is accessible <a href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/step3.zip\">here<\/a>.<\/p>\n<p>(SHA256: f7c926721b03de5f2afefaeeb552441f848ea280031c95b1c6ffe1a7103762b2)<\/p>\n<p>The binary retrieved once step 2 is validated is a 64-bit Linux executable <em>stripper<\/em>, as shown by the output of the &quot;file&quot; command:<img decoding=\"async\" class=\"alignnone size-full wp-image-2807\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/Capture.png\" alt=\"\" width=\"943\" height=\"97\" \/>During the first execution, two interesting elements are observed:<br \/>\n<img decoding=\"async\" class=\"size-full wp-image-2809 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/first-execution.png\" alt=\"\" width=\"232\" height=\"132\" \/><\/p>\n<ul>\n<li>The password is passed as a parameter.<\/li>\n<li>The program output, &quot;Try again :(&quot;, is displayed after the program terminates, indicating the use of subroutines created via functions such as &quot;fork()&quot; or &quot;system()&quot;.<\/li>\n<\/ul>\n<p>The final comparison validating the challenge is easily identifiable: a hard-coded string is compared with a variable whose value is derived from the entered password:<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2838\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/result.png\" alt=\"\" width=\"765\" height=\"414\" \/><\/p>\n<p>The goal here is therefore to find the password that will generate this string.<\/p>\n<h1>Bypassing anti-debug protection<\/h1>\n<p>After a quick analysis of the program&#039;s &quot;main()&quot; function using the IDAPro tool, several calls to the &quot;fork()&quot; function are confirmed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2810 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fork_intro.png\" alt=\"\" width=\"507\" height=\"539\" \/><\/p>\n<p>If we look closely at this snippet of assembly code, which is reused several times, we can see a call to the &quot;rand()&quot; function in the first <em>basic block<\/em>. This function returns a pseudo-random number which, depending on its parity, will determine which branch will be executed.<\/p>\n<p>The left branch will therefore execute a &quot;fork()&quot;. The two processes will then perform the following comparison:<\/p>\n<pre><code>eax test, eax<\/code><\/pre>\n<p>Two scenarios will then occur:<\/p>\n<ul>\n<li>Execution by the parent process: the eax register contains the PID of the child process and is therefore different from 0. The comparison will then be validated, the jump made, and the system call &quot;syscall(0x3c)&quot; bypassed.<\/li>\n<li>Execution by child process: the eax register is 0, the system call &quot;syscall(0x3c)&quot; is executed, and the child process terminates.<\/li>\n<\/ul>\n<p><em><u>Note<\/u> As indicated in <a href=\"https:\/\/w3challs.com\/syscalls\/?arch=x86_64\">this painting<\/a> In system call matching, the value &quot;0x3c&quot; corresponds to the function &quot;exit()&quot;.<\/em><\/p>\n<p>Now, if we look at the right branch, the condition is reversed: the parent process ends and the child continues its execution.<\/p>\n<p>To bypass this protection in GDB, several options are available:<\/p>\n<ul>\n<li>Remove calls to &quot;fork()&quot; with instructions <em>padding<\/em> (\u00abnop\u00bb, \u00abmov eax, eax\u00bb, etc.)<\/li>\n<li>Write a GDBInit configuration file<\/li>\n<\/ul>\n<p>It should be noted, however, that modifying the binary can cause problems later if the developer has implemented code integrity checking. Therefore, the second option seemed to us to be the most sensible.<\/p>\n<p>The idea is simple: place a <em>breakpoint<\/em> on all calls to the &quot;fork()&quot; function, which will define the behavior of the <em>debugger<\/em>\u00a0(&quot;follow the father&quot; or &quot;follow the son&quot;).<\/p>\n<p style=\"text-align: left;\">Here is an overview of the &quot;GDB&quot; configuration file:<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2814\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/gdbinit.png\" alt=\"\" width=\"365\" height=\"383\" \/><\/p>\n<p style=\"text-align: left;\">The two functions &quot;fc()&quot; and &quot;fp()&quot; define the tracking mode of &quot;gdb&quot;: &quot;fc()&quot; tracks the execution of the child while &quot;fp()&quot; takes care of tracking the execution of the parent.<\/p>\n<p style=\"text-align: left;\">The instruction &quot;commands 1&quot; will execute the &quot;fp()&quot; routine when the <em>breakpoint<\/em> 1, which in our case is at address 0x400940.<\/p>\n<p style=\"text-align: left;\">Calls to the &quot;fork()&quot; function are no longer a problem for continuing binary analysis; GDB automatically switches between processes:<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2815\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/exec_2.png\" alt=\"\" width=\"651\" height=\"409\" \/><\/p>\n<h1 style=\"text-align: left;\">In-depth analysis<\/h1>\n<p style=\"text-align: left;\">Once this protection is bypassed, code analysis can begin.<\/p>\n<p style=\"text-align: left;\">Two XOR encryption routines are applied to the password, the first having the key &quot;pony&quot;:<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2816 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/xor_1.png\" alt=\"\" width=\"368\" height=\"239\" \/><\/p>\n<p>The second routine encrypts the binary blob generated by the first routine using the key &quot;platypus&quot;:<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2817 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/xor_2.png\" alt=\"\" width=\"437\" height=\"239\" \/><\/p>\n<p>To illustrate this behavior, here is a quick implementation of these two operations in Python:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2824\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/xor_3_.png\" alt=\"\" width=\"643\" height=\"162\" \/><\/p>\n<p>For example, the encrypted version of a password &quot;abcdefghi&quot; will therefore be &quot;aalily|bi&quot;.<\/p>\n<p>An encoding routine at address 0x400cdc is then applied to the encrypted password &quot;aalily|bi&quot;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2826 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_1.png\" alt=\"\" width=\"419\" height=\"325\" \/><\/p>\n<p>A dynamic analysis shows that the password value before and after encoding is contained in the RBX and RAX registers respectively:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2827\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_2.png\" alt=\"\" width=\"731\" height=\"418\" \/><\/p>\n<p>The encoding closely resembles &quot;base64&quot;, but a comparison with this algorithm shows us that the return string is different:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2875 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_12.png\" alt=\"\" width=\"283\" height=\"55\" \/><\/p>\n<p>Static analysis of the encoding routine allows us to determine the list of characters used, referenced at address 0x3613c0.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2831\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_5.png\" alt=\"\" width=\"873\" height=\"78\" \/><\/p>\n<p>By placing a new <em>breakpoint<\/em> and by displaying the value of the previous string, we observe that it undergoes a permutation before the call to the encoding function. \u00a0<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2832\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_6.png\" alt=\"\" width=\"936\" height=\"74\" \/><\/p>\n<p>For clarity, we will subsequently use the term &quot;reference string&quot; to refer to this variable.<\/p>\n<h1>Implementation of a solution<\/h1>\n<p>We then implemented this encoding in Python:\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2833 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_7.png\" alt=\"\" width=\"446\" height=\"457\" \/><\/p>\n<p>The `fake64_e()` function takes the string to be encoded (&quot;data&quot;) and the reference string for encoding (&quot;key&quot;) as parameters. Essentially, this function splits the input string into 3-byte substrings. For each substring, bitwise operations are performed, generating four numbers. These numbers correspond to index numbers of the reference string (&quot;key&quot;). When combined, these numbers generate the encoded result.<\/p>\n<p>During binary execution, this encoding algorithm is applied 16 times to the input password, and at each iteration, a permutation on the reference string is performed.<\/p>\n<p>We therefore iterated on the encoding algorithm and retrieved the 16 reference strings to integrate them into our Python script. The final string, mentioned at the beginning of this article, was also inserted in order to apply the decoding process that will allow us to recover the exam password:<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2840\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_8_.png\" alt=\"\" width=\"751\" height=\"445\" \/><\/p>\n<p>A decoding function was therefore developed in Python:<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2841 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_9.png\" alt=\"\" width=\"535\" height=\"332\" \/><\/p>\n<p>All that remains is to perform the 16 decoding iterations on the final binary string and apply the two XOR encryptions mentioned in the previous section:<img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2843 aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_10.png\" alt=\"\" width=\"352\" height=\"240\" \/><\/p>\n<h1 style=\"text-align: left;\">Validation<\/h1>\n<p>After these 16 iterations and decryptions, the password appears:\u00a0<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-2844\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/04\/fakeb64_11.png\" alt=\"\" width=\"942\" height=\"434\" \/><\/p>\n<p>A huge congratulations to the NDH team for providing us with a CTF with high-quality events!<\/p>\n<p>&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>Introduction Several Intrinsec consultants participated in the Nuit du Hack 2017 qualifying CTF, [\u2026]<\/p>","protected":false},"author":13,"featured_media":2879,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[123,49,141,50],"class_list":["post-2806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-soc-securite-operationnelle","tag-ctf","tag-ndh2k17","tag-reverse","tag-writeup"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Write-up - Nuit du hack 2017 CTF Quals - Matriochka step 3 - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Write-up - Nuit du hack 2017 CTF Quals - Matriochka step 3\" \/>\n<meta property=\"og:description\" content=\"Introduction Quelques consultants Intrinsec ont\u00a0particip\u00e9 au CTF de qualification de la Nuit du Hack 2017, [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2017-04-05T17:05:08+00:00\" \/>\n<meta name=\"author\" content=\"Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/\"},\"author\":{\"name\":\"Admin\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/5636e3e5276b952facbd0aadb12a858a\"},\"headline\":\"Write-up &#8211; Nuit du hack 2017 CTF Quals &#8211; Matriochka step 3\",\"datePublished\":\"2017-04-05T17:05:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/\"},\"wordCount\":1178,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"keywords\":[\"CTF\",\"ndh2k17\",\"reverse\",\"Writeup\"],\"articleSection\":[\"SOC S\u00e9curit\u00e9 Op\u00e9rationnelle\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/\",\"name\":\"Write-up - Nuit du hack 2017 CTF Quals - Matriochka step 3 - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2017-04-05T17:05:08+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/5636e3e5276b952facbd0aadb12a858a\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Write-up &#8211; Nuit du hack 2017 CTF Quals &#8211; Matriochka step 3\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/5636e3e5276b952facbd0aadb12a858a\",\"name\":\"Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/?s=96&d=retro&r=g\",\"caption\":\"Admin\"},\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Write-up - Hack Night 2017 CTF Quals - Matryoshka step 3 - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/","og_locale":"en_US","og_type":"article","og_title":"Write-up - Nuit du hack 2017 CTF Quals - Matriochka step 3","og_description":"Introduction Quelques consultants Intrinsec ont\u00a0particip\u00e9 au CTF de qualification de la Nuit du Hack 2017, [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/","og_site_name":"INTRINSEC","article_published_time":"2017-04-05T17:05:08+00:00","author":"Admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Admin","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/"},"author":{"name":"Admin","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/5636e3e5276b952facbd0aadb12a858a"},"headline":"Write-up &#8211; Nuit du hack 2017 CTF Quals &#8211; Matriochka step 3","datePublished":"2017-04-05T17:05:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/"},"wordCount":1178,"commentCount":0,"image":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#primaryimage"},"thumbnailUrl":"","keywords":["CTF","ndh2k17","reverse","Writeup"],"articleSection":["SOC S\u00e9curit\u00e9 Op\u00e9rationnelle"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/","url":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/","name":"Write-up - Hack Night 2017 CTF Quals - Matryoshka step 3 - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#primaryimage"},"thumbnailUrl":"","datePublished":"2017-04-05T17:05:08+00:00","author":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/5636e3e5276b952facbd0aadb12a858a"},"breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/write-up-nuit-du-hack-2017-ctf-quals-matriochka-step-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Write-up &#8211; Nuit du hack 2017 CTF Quals &#8211; Matriochka step 3"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/5636e3e5276b952facbd0aadb12a858a","name":"Admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=retro&r=g","caption":"Admin"},"url":"https:\/\/www.intrinsec.com\/en\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/2806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=2806"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/2806\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=2806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=2806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=2806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}