Nuit du hack 2011 CTF Forensic

Forensic 100

We dumped the RAM of a machine on which a VNC server was running.
The goal is to recover the password of that VNC server.

Dump.

We need to analyze the dumped memory. I used the Volatility framework, version 1.4_rc1. It's a great tool for memory forensics; Linux and Windows 7 support has been there since version 1.4_rc1.

Continue reading

Nuit du hack 2011 CTF Crypto 300

Crypto300 (150 pts.) source

Python source code is very clear and concise, and can sometimes give away a lot of clues. This is particularly true for this challenge.

Summary: a key exchange algorithm based on permutations (braid-based cryptography) with some vulnerabilities

Continue reading

Codegate CTF 2011 Vuln 300

This challenge was the exploitation of a suid binary.
binary

Summary: ROP exploitation of a buffer overflow with NX and ASLR

Continue reading

Codegate CTF 2011 Binary 200

Let's open this PE file in IDA Pro. There is a TLS callback at address 0x00401450. The TLS callback is just an anti-debugging trick (with SEH, dynamic imports, etc.), so we can skip it and start execution from the entry point: 0x00401000.

At the entry point we can see a decoding loop and one call to address 0x00401058. If we step into that call, we can see two interesting calls at the end of the procedure (0x004012DB: CALL 00401070 and 0x0040130C: CALL 004010C0). But we can't reach those calls, because the JE at address 0x004012B8 jumps over them. To reach the calls we must patch the JE to NOPs. (The JE depends on the system time; for details, look at the procedure at address 0x0040149E.)
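Patching the JE out of the binary on disk, rather than only in the debugger, needs the file offset behind the address IDA shows. The following is an added example, not code from the writeup: it builds a small constructed PE32 image with a short JE planted at 0x004012B8, maps that virtual address to a file offset through the section table, and overwrites the jump with NOPs. The image base 0x400000 and the section layout are assumptions made for the sample; a real binary is read the same way.

```python
import struct


def build_sample_pe(image_base, section_rva, raw_ptr, code):
    """Build a minimal PE32 image in memory: DOS header, NT headers and one
    .text section holding `code`. Constructed test input, not the CTF binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, one section, SizeOfOptionalHeader = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, section_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    raw_size = (len(code) + 0x1FF) & ~0x1FF
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), section_rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sect
    if len(hdr) > raw_ptr:
        raise ValueError("headers overlap section data")
    return hdr.ljust(raw_ptr, b"\0") + code.ljust(raw_size, b"\0")


def va_to_file_offset(pe, va):
    """Map a virtual address (as shown by IDA) to the file offset holding it,
    walking the section table the way a loader does, in reverse."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    rva = va - image_base
    sect_tbl = opt + opt_size
    for i in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, sect_tbl + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError("VA %#x is uninitialised data, not in the file" % va)
            return rptr + delta
    raise ValueError("VA %#x is not in any section" % va)


def patch_je_to_nop(pe, va):
    """Overwrite the JE at `va` with NOPs so the fall-through path is always
    taken. Accepts the short (74 rel8) and near (0F 84 rel32) encodings and
    refuses to touch anything else."""
    off = va_to_file_offset(pe, va)
    out = bytearray(pe)
    if out[off] == 0x74:
        n = 2
    elif out[off] == 0x0F and out[off + 1] == 0x84:
        n = 6
    else:
        raise ValueError("no JE at %#x (found %02x)" % (va, out[off]))
    out[off:off + n] = b"\x90" * n
    return bytes(out)


# Constructed sample: image base 0x400000, .text at RVA 0x1000 / file 0x200,
# with a short JE planted at the writeup's address 0x004012B8.
_code = bytearray(0x300)
_code[0x2B8:0x2BA] = b"\x74\x52"
SAMPLE_PE = build_sample_pe(0x400000, 0x1000, 0x200, bytes(_code))
JE_VA = 0x004012B8

if __name__ == "__main__":
    off = va_to_file_offset(SAMPLE_PE, JE_VA)
    patched = patch_je_to_nop(SAMPLE_PE, JE_VA)
    print("JE at VA %#x is file offset %#x: %s -> %s" % (
        JE_VA, off, SAMPLE_PE[off:off + 2].hex(), patched[off:off + 2].hex()))
```

The check on the opcode matters: a wrong VA-to-offset mapping would silently NOP two unrelated bytes, so the patcher only writes when it actually finds a JE there.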


The function at address 0x00401070 decodes the string containing the flag (XOR algorithm).

The procedure at address 0x004010C0 prints the answer to the console:


Download file

Codegate CTF 2011 Issue 500 (bootsector)

Find a key.
[link to submit form]

binary

$ file challenge.bin 
challenge.bin: x86 boot sector, code offset 0xc0

Summary: a boot sector with a password check; brute-forcing a 2-byte hash.

Continue reading

Codegate CTF 2011 Crypto 400

The attacker got a secret!

File

Summary: Padding oracle attack analysis

Continue reading

Codegate CTF 2011 Forensic 300, Issue 300

Forensic 300

Description:

We are investigating the leaking of military secrets. We found traffic with leaking secrets while monitoring the network. A security team was sent to investigate immediately. But there was no one present. It was found by the forensics team that all the leaked secrets were completely deleted by a wiping tool. And the team has found a trace of the leak using a portable device. Before long, the suspect was detained. But he denies the allegations.

Now the investigation is focused on the portable device. The given files are registry files acquired from the system. The estimated time of the incident is Mon, 21 February 2011 15:24:28 (KST). Find a trace of the portable device used for the incident.
The Key : “Vendor name” + “volume name” + “serial number” (please write in capitals)
Down

We were given a tar archive with MS Windows registry files:

./default.bak
./SAM.bak
./proneer.NTUSER.DAT.bak
./system.bak
./software.bak
./SECURITY.bak

After some searching on Google I found this article, which linked to the tool "Windows USB Storage (USBSTOR) Parser". The tool reports times in UTC; KST is UTC+9, so the incident time 15:24:28 KST is 06:24:28 UTC, which is what we grep for:

$ ./usp -sys ../system.bak -user ../proneer.NTUSER.DAT.bak | grep -C 10 6:24:28
Instance ID/Serial #:	       ddf08fb7a86075&0
Driver:                        {4d36e967-e325-11ce-bfc1-08002be10318}\0004
Volume ID:                     7fcea8e8-39e6-11e0-9e0f-000c290f784e
Disk ID:                       7fcea8e6-39e6-11e0-9e0f-000c290f784e
Volume name:                   PR0N33R
Parent ID Prefix:              <none found>
Vendor ID:                     1b1c
Product ID:                    0a31
Revision:                      0.00
Vendor/product                 corsair/ufd
Acct that mounted vol:         proneer acct, on 02/21/11 06:24:28.760 [UTC]

The answer is: CORSAIRPR0N33RDDF08FB7A86075

Issue 300

Find the answer.

We have a PNG image with a QR code.

After trying every online, offline and mobile decoder we could find, we concluded that there is an error in the format information:

encoded data (including error correction code)
format information

I took the first similar QR code found via http://www.tineye.com/ and transplanted its format information into our QR code, using GIMP.

Result:

The answer is cue@1k0de
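Transplanting the format bits from another code works because QR format information is a fixed 15-bit BCH(15,5) codeword (2 bits of error-correction level, 3 bits of mask pattern, 10 check bits) XORed with a constant mask, and the code corrects up to three damaged modules. As an added example, not from the writeup, the following computes the format word for any level and mask and decodes a damaged word to the nearest valid one; reading the modules out of the image is left to the decoder.

```python
EC_LEVELS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}   # 2-bit level codes
BCH_GEN = 0b10100110111                # x^10 + x^8 + x^5 + x^4 + x^2 + x + 1
FORMAT_XOR_MASK = 0b101010000010010    # so that no format word is all zeros


def bch_remainder(data5):
    """BCH(15,5) check bits for the 5 data bits: polynomial division over GF(2)."""
    v = data5 << 10
    for bit in range(14, 9, -1):
        if v & (1 << bit):
            v ^= BCH_GEN << (bit - 10)
    return v


def format_info(ec_level, mask_pattern):
    """The 15-bit format word a valid symbol carries for this EC level and mask."""
    data = (EC_LEVELS[ec_level] << 3) | mask_pattern
    return ((data << 10) | bch_remainder(data)) ^ FORMAT_XOR_MASK


# every valid format word, keyed back to (level, mask)
ALL_FORMATS = {format_info(ec, m): (ec, m) for ec in EC_LEVELS for m in range(8)}


def decode_format(bits):
    """Nearest valid format word: returns (ec_level, mask, errors corrected).
    The code's minimum distance is 7, so up to 3 wrong modules are recoverable."""
    best = min(ALL_FORMATS, key=lambda w: bin(w ^ bits).count("1"))
    errors = bin(best ^ bits).count("1")
    if errors > 3:
        raise ValueError("format information too damaged (%d errors)" % errors)
    return ALL_FORMATS[best] + (errors,)


if __name__ == "__main__":
    word = format_info("L", 0)
    damaged = word ^ (1 << 14) ^ (1 << 7) ^ 1      # three flipped modules
    print("%015b -> %015b -> %s" % (word, damaged, decode_format(damaged)))
```

A decoder that gives up on the format bits never gets as far as the data, which is why a good data area plus bad format information reads as "undecodable"; with only 32 valid words, brute-forcing them in the decoder is cheaper than editing the image.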

Codegate CTF 2011 Mini writeups

Some mini writeups on the Codegate 2011 Prequals: Issue 100 and 200, Net 100 and 200, Crypto 100 and 200.

Continue reading

Codegate CTF 2011 Crypto300 Writeup

Description:

We are investigating an illegal online gambling site. To find any evidence to support illegal gambling, we must access the Oracle database with administrator privileges. The suspect says that he does not know the administrator password, but we know for sure that he is lying.

The password is estimated to be longer than 8 characters. However, we don’t have enough time to apply a brute-force attack. In order to request an arrest warrant, we must find the evidence of illegal gambling before the YUT-Challenge is over.

By using social engineering, we were able to find various data about the suspect. By analyzing the data, the suspect always includes the last four digits ('1024') of his phone number in his password. Hence, we may assume that his phone number is included in the administrator password for the database.

The given file is the dump file of sys.user$ table in oracle database. (The data file of system tablespace is too big to upload.)

Find the password of ‘SYSTEM’ account.

Download database

Summary: brute force with John the Ripper
Continue reading

Padocon CTF 2011 Binary500 Writeup (300)

The challenge consists of a windows binary and connection details:
HOST : 168.188.130.216
PORT : 888
Binary (Daemon.exe)

Summary: reversing the algorithm (with some encryption) and coding a client

Continue reading

Padocon CTF 2011 Binary100 Writeup (200)

For this task we were given a binary and the host/port where it is running:
HOST : 168.188.130.217
PORT : 8080
Binary

Note: At the beginning of the contest there was no binary. But nobody solved the task, so the binary was added; I guess that's because of the strange format of the input.

Summary: reversing (or guessing) simple algorithm and coding a client
Continue reading

Our results at iCTF 2010 (schematically)

Hack.lu 2010 CTF #22 (Pirates Wisdom) writeup

Pirates Wisdom
Captain Iglo heard there is a secret wisdom in the well known pirate wisdom system.
Log in to ssh pirates.fluxfingers.net:9022
user: ctf
password: ctf
and get the content of key.txt.
You get rewarded with 300 coins.

binary

Summary: a simple heap chunk reuse bug with slightly obfuscated logic

Continue reading

Hack.lu 2010 CTF #1 (Fun 300, Rock Lizard Spock) writeup

On the high seas, the nights get boring. Try to win the game against the captain!
pirates.fluxfingers.net port 6565/tcp

Let’s go & connect there:

> nc pirates.fluxfingers.net 6565
/9j/4AAQSkZJRgABAQEAYABgAAD//gAJbWQ1d2luc//bAEMABQ
MEBAQDBQQEBAUFBQYHDAgHBwcHDwsLCQwRDxISEQ8RERMWHBcT
<...>
EgWAYlOhQqadCpxQPCn4JDjQoVacgqCQ4dtCAY4+FChVJb7BVE
A6fCnKIB0+FChSuX3C8XQPuhoUKFd+JM//Z

The service sends us some base64 and waits 2 seconds for a reply. Decoding the base64, we get this JPEG:

There is no EXIF tag, and `strings` doesn't show anything interesting (only 'md5wins', which is not the flag). I connected again and got another image:

This looks like a pebble lying on sand, and it has the string "p4ss: nothere" in it. Hard to tell what it's for, so let's connect a few more times and dump more data. Script for that:

<?php
// Collect every distinct image the service sends: connect, read one line of
// base64, decode it and save it under its md5 so that repeats are skipped.
$were = array();
while (true) {
 $s = fsockopen("pirates.fluxfingers.net", 6565);
 $ln = fgets($s);        // one base64 line per connection
 fclose($s);
 $ln = base64_decode($ln);
 $md5 = md5($ln);
 if (!isset($were[$md5])) {
  file_put_contents("$md5.jpg", $ln);   // new image: save it
  $were[$md5] = true;
  echo "!";
 } else
  echo ".";
}
?>

>\php\php dump_images.php
!..........!...!!...........!.............................^C

>

The service sends out 5 different base64-encoded JPEG images:

spock.jpg rock.jpg paper.jpg sciss.jpg yasch.jpg

They all have useless text comments in them and nothing else. But they have something in common: they are all symbols from the Rock Paper Scissors Lizard Spock game :)
Spock is beaten by lizard, rock is beaten by paper, paper by scissors, and lizard and scissors are both beaten by rock.

The task says we have to win the game, so let's try sending the Captain the base64 of an image that beats his. D'oh, that doesn't work! Remember the comment in the Spock picture, "md5wins"? Let's send him the md5 of the winning image. Yay, he replies with another base64! So let's code a bot that plays the game:

<?php
// md5 of each of the five dumped images: the captain's move is identified by
// the image he sends, and our move is the md5 of the image that beats it.
$objs = array("rock.jpg" => 1, "paper.jpg" => 1, "sciss.jpg" => 1, 
              "spock.jpg" => 1, "yasch.jpg" => 1);
foreach ($objs as $i => $nul)
 $objs[$i] = md5_file($i);

$s = fsockopen("pirates.fluxfingers.net", 6565);
while (true) {
 $orig = $ln = fgets($s);
 $ln = base64_decode($ln);
 $ln = md5($ln);
 if (($i = array_search($ln, $objs)) === false) {
  // not one of the five images: the captain has sent the flag instead
  echo "GOT FLAG: $orig\n";
  break;
 } else {
  echo "$i - ";
  // pick the move that beats his (yasch.jpg is the lizard)
  if ($i == "paper.jpg")
   $e = "sciss.jpg";
  elseif ($i == "rock.jpg")
   $e = "paper.jpg";
  elseif ($i == "yasch.jpg")
   $e = "rock.jpg";
  elseif ($i == "spock.jpg")
   $e = "yasch.jpg";
  else
   $e = "rock.jpg";
  fwrite($s, md5_file($e) . "\n");
  echo "$e\n";
 }
}
?>

Run it:

> \php\php rps.php
spock.jpg - yasch.jpg
yasch.jpg - rock.jpg
yasch.jpg - rock.jpg
paper.jpg - sciss.jpg
spock.jpg - yasch.jpg
rock.jpg - spock.jpg
sciss.jpg - rock.jpg
spock.jpg - yasch.jpg
GOT FLAG: the secret is: ev!lsYcerf0xxr0xx

The answer is ev!lsYcerf0xxr0xx

Hack.lu 2010 CTF #13 (My Cool Blog) writeup

Captain Rumbarrel is shocked because he found out that the filthy pirate Boozybold has stolen a whole shipment of rum! So Rumbarrel wants his revenge by hacking Boozybolds cool blog. Unfortunately he can not hack, so help him and get 250 gold coins!

From the main page of his cool blog, we get three main points:

  • He has a browser check for his admin page. How can he check the browser? Obviously via the User-Agent header
  • He has a banner rotation script that shows a random image on the main page
  • He has a script that auto-refreshes the main page in his browser every 3 minutes

To get into the admin page, we need to steal Boozybold's browser identity. Thanks to the banner rotation script, we can trick him into visiting our image. Let's code a script that will log the User-Agent:

<?php
// Log the visitor's IP and User-Agent, then serve a real PNG so that the
// banner script's check passes.
$fo = fopen("log.log", "a");
fwrite($fo, "[" . date("j M Y G:i:s") . "] IP: " . 
  $_SERVER['REMOTE_ADDR'] . ", uag: " . $_SERVER['HTTP_USER_AGENT'] . "\n");
fclose($fo);
header("Content-Type: image/png");
readfile("empty.png");
?>

(the banner rotation script requires our URL to end with .png and the returned data to be a PNG)

Then I spammed the banner script a bit with my URL (http://…/script.php/q.png) to raise my chances :)
And a few minutes later a cool line appeared in the log:

[27 Oct 2010 22:53:00] IP: 91.214.168.57,
                                      uag: CoolBlogBrowserToVisitACP

After spoofing this User-Agent (for example, in Firefox), an admin login form appears:

If you experiment for a while, you find that the symbols '=', '-', '+', space and '_' are banned (the page shows "You try to hack me?"), and \ gives a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near
''\' AND password=''' at line 1

(dunno why a quote doesn't cause an error; maybe it is escaped and \ is not)

If we use \ as the login and or(1)# as the password, the query turns into something like:

SELECT 1 FROM admins WHERE username = '\' AND password = 'or(1)#'

The backslash escapes the quote that was meant to close the username literal, so the literal runs on until the quote in front of or(1); that or(1) then becomes part of the WHERE clause, and # comments out the leftover quote. Parentheses are used because spaces are banned. And we get into the admin panel, where we are given the flag: Th1sW4snts0h4rdlittl3monk3y.
+253 :)
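To see exactly why the backslash works, here is an added example that is not part of the writeup: a small lexer applying MySQL string-literal rules shows what the server actually executes once \ has swallowed the quote that should have closed the username, next to the parameterized form that closes the hole. The quote-only escaping filter is an assumption based on the observed error message; the in-memory SQLite table is a constructed stand-in used only to run the parameterized query.

```python
import sqlite3


def naive_escape(value):
    # Assumed filter (a guess at the blog's behaviour, which the writeup does
    # not show): escape single quotes, leave backslashes alone.
    return value.replace("'", "\\'")


def build_login_query(username, password):
    """The vulnerable pattern: string-building the query around the filter."""
    return "SELECT 1 FROM admins WHERE username = '%s' AND password = '%s'" % (
        naive_escape(username), naive_escape(password))


def mysql_skeleton(sql):
    """Lex `sql` with MySQL literal rules (backslash escapes the next character,
    '' is a quote, # starts a comment) and return the query with each literal
    replaced by ?, plus the literals. What is left in the skeleton is what the
    server runs as code."""
    skeleton, literals, i = [], [], 0
    while i < len(sql):
        c = sql[i]
        if c == "'":
            buf, i = [], i + 1
            while i < len(sql):
                ch = sql[i]
                if ch == "\\" and i + 1 < len(sql):
                    buf.append(sql[i + 1])
                    i += 2
                elif ch == "'" and sql[i + 1:i + 2] == "'":
                    buf.append("'")
                    i += 2
                elif ch == "'":
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            literals.append("".join(buf))
            skeleton.append("?")
        elif c == "#":
            break                      # comment: the rest is never parsed
        else:
            skeleton.append(c)
            i += 1
    return "".join(skeleton), literals


def make_db():
    # Constructed stand-in for the blog's admins table (SQLite, in memory)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('boozybold', 'constructed-secret')")
    return conn


def safe_login(conn, username, password):
    """Hardened form: the driver sends the values separately, so no input can
    change the shape of the statement."""
    row = conn.execute("SELECT 1 FROM admins WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    sql = build_login_query("\\", "or(1)#")
    print(sql)
    print(mysql_skeleton(sql))
    print(safe_login(make_db(), "\\", "or(1)#"))
```

The skeleton for the payload is SELECT 1 FROM admins WHERE username = ?or(1): the password check is gone and the literal now contains ' AND password = . Escaping the backslash as well (as mysql_real_escape_string does) would close this particular path, but only the parameterized query removes the class of bug.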