Calc.exe is a .NET program (finally :D), which can evaluate (mostly) mathematical expressions.
At first no functions are enabled except some basic mathematical operations like addition, subtraction, etc.
But we can enable different functions by using digitally signed X509 certificates.
We also got an example cert “guestCert.crt” which enabled some basic math and trigonometric functions.
The program also adds a function called FLAG which returns the flag as string.
The problem is we cannot load any certificate, as there are a lot of checks before it is accepted, so we had to find some vulnerability. The program uses a known crypto library, called BouncyCastle, and the attached “BouncyCastle.Crypto.dll” is exactly the same as the one we can download from NuGet. As no known vulnerability exists for this library (or at least for the certificate verification part), we had to look for vulnerabilities in the program.
Although the certificate is loaded into the store while it is checked, no self-signed certificates are allowed and it is removed as soon as its verification fails.
But there is a bug in the code: although some checks like VerifyCertificate are wrapped in a try-catch block and return a boolean value, IsCalcExeCert can throw an exception while calling the SingleOrDefault method, and that exception is not handled, so the removal step is never reached. To trigger the exception we have to put two values with the 2.5.4.1337 key into the SubjectName field.
Although our certificate now stays in the trusted CA store, it is still not loaded into the program, so we cannot call the FLAG function yet. But we can use this now-trusted cert as a CA (certificate authority) to sign a new client certificate. This way our new certificate will be accepted.
The attached C# code snippet (calcexe1.cs) will generate the fake CA and the fake certificate.
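The fail-open pattern described above, as an added illustration (not the challenge's code and not the author's calcexe1.cs): the subject is modelled as a list of OID/value pairs and the trusted store as a set of IDs. The names IsCalcExeCert, VerifyCertificate and the OID 2.5.4.1337 come from the writeup; the order of the checks and the store handling are assumptions.

```csharp
// Added illustration: why an unhandled exception in a certificate check can leave an
// untrusted certificate in the store, beside a fail-closed version of the same flow.
using System;
using System.Collections.Generic;
using System.Linq;

record SubjectAttr(string Oid, string Value);
record Cert(string Id, List<SubjectAttr> Subject, bool SignatureOk);

static class Validator
{
    const string CalcOid = "2.5.4.1337"; // OID from the writeup; its meaning is assumed

    // Reconstructed pattern: SingleOrDefault throws InvalidOperationException
    // as soon as more than one attribute carries the marker OID.
    static bool IsCalcExeCert(Cert c) =>
        c.Subject.SingleOrDefault(a => a.Oid == CalcOid) is not null;

    // A check that cannot throw: failures become "false".
    static bool VerifyCertificate(Cert c)
    {
        try { return c.SignatureOk; } catch { return false; }
    }

    // Vulnerable flow (assumed order): trust first, check later. If IsCalcExeCert throws,
    // the Remove call below is never reached and the certificate stays trusted.
    public static void LoadVulnerable(Cert c, HashSet<string> trustedStore)
    {
        trustedStore.Add(c.Id);
        bool isCalc = IsCalcExeCert(c);
        bool verified = VerifyCertificate(c);
        if (!(isCalc && verified)) trustedStore.Remove(c.Id);
    }

    // Hardened flow: validate before trusting, and treat any exception as a failed check.
    public static bool LoadHardened(Cert c, HashSet<string> trustedStore)
    {
        bool ok;
        try { ok = VerifyCertificate(c) && IsCalcExeCert(c); }
        catch (Exception) { ok = false; }
        if (ok) trustedStore.Add(c.Id);
        return ok;
    }

    static void Main()
    {
        // Constructed sample: a self-signed cert whose subject repeats the marker OID.
        var dup = new Cert("dup", new() { new(CalcOid, "a"), new(CalcOid, "b") }, SignatureOk: false);
        var store = new HashSet<string>();
        try { LoadVulnerable(dup, store); } catch (InvalidOperationException) { }
        Console.WriteLine($"vulnerable flow: still trusted = {store.Contains("dup")}");
        store.Clear();
        Console.WriteLine($"hardened flow: accepted = {LoadHardened(dup, store)}, trusted = {store.Contains("dup")}");
    }
}
```

The vulnerable flow leaves the rejected certificate in the store because the exception skips the cleanup; the hardened flow only adds to the store after every check has returned true.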