Friday, October 25, 2013

hack.lu 2013 CTF :: Reversing: RoboAuth (150 points)

The challenge:

Oh boy, those crazy robots can't catch a break! Now they're even stealing our liquid gold from one of our beer tents! And on top of that they lock it behind some authentication system. Quick! Access it before they consume all of our precious beverage!

Flag: password1_password2

An executable file is uploaded it to Wikisend and can be downloaded from here. The image below show how it looks like when it is executed.



The objective of this challenge is to reverse the executable file to obtain the passwords which is the flag.

First, we open up the executable with IDA pro to look for useful information. In the string tab, a particularly interesting string is spotted.



Go to the code that uses this string...


From the image above, it is observed that the executable call scanf then compare the input with a value to decide the location to jump.

Open the executable with ollydbg and set breakpoints at the two mov operation. Debug the executable and we will see the value in the EAX that might be the first password.


Enter and yes ! It is the first password !


One down, one to go.

Go back to IDA pro, it is observed that executable is moving some values into the memory...



 and there is a subroutine that seems to be decoding the value that moved into the memory.



Go to ollydbg and set breakpoint before and after the decoding subroutine.

Before decoding:



After decoding:


We notice that a particular string that is decoded but is not used anywhere yet. So we set a hardware breakpoint to see where the string is used. (Do note that we need to go to the debugging option to ignore INT3)

Upon entering the second password, we will something like this.


Analysing the code, we notice that it is comparing the second password input character by character with the interesting string (u1nnf2lg) XOR with 2.

XORing u1nnf2lg with 2 we will get w3lld0ne.

Entering both passwords and ..


The flag for this challenge: r0b0RUlez!_w3lld0ne

whit3sn0w ^^






Monday, September 23, 2013

CSAW CTF 2013 :: RE: Impossible (500 points)

We are given a nds rom for this puzzle.

Tools used:

  1. CheatEngine (1 of my favorite old tool to hack a game)
  2. OllyDbg
  3. NO$GBA for my nds emulator
Lets keep this puzzle simple. It is mentioned that the boss hp is 9000++ which means there is probably no way to kill him unless we cheat. The following is a screenshot of the impossible boss...


Lets fire up CheatEngine... The following is a screenshot of this tool...


What this tool does is that it allows us to search for values in memory... which eventually narrow down where is the boss hp memory address. Once we know where is the address, we can easily modify it to 0 =).

We used the scan type option in the tool to narrow down addresses. Below are the steps on how we did it.
  1. Start Game
  2. find unknown initial value
  3. Reset Game
  4. shoot target
  5. find decreased value
  6. Reset Game
  7. find increased value
  8. repeat from step 3


As you can see from the above screenshot, we have narrowed down the possible hp memory address to this few addresses. Seems like address 03BC2264 is a potential candidate. Wait a minute didn't the question say that the boss hp is more than 9000... seems like it is more than 900,000! We changed the value @ the memory address to 0. Reset the game and shoot 1 round at the boss! We won the game!


But it seems like the key is incomplete/wrong... Lets fire up ollydbg to see what we can find out... since we got the memory address of the boss hp, the key should be somewhere around that memory region... true enough we found it above the boss hp!





The key is ou6UbzM8fgEjZ????cXKVN?

If you recall.... earlier we use cheatengine tool to actively fix the value @ 03BC2264 (DWORD) to be 0 and it happen that the key we wanted is overwriting/overlapping this address as well. To resolve the 0 bytes issue, disable actively fixing the value @ 03BC2264 after the game had initialized (when the boss appears on the screen). You should get the full key once the boss is dead after shooting it once. 


The key is ou6UbzM8fgEjZQcRrcXKVN

Always lazing
NoirD3vil



CSAW CTF 2013 :: RE: Crackme (300 points)

For this puzzle we are given a linux binary and nc 128.238.66.218 54321.


Upon connecting to the server, we are prompted for a registration code key. Obviously we need to RE the given binary and find the key...

Lets fire up IDA PRO!

First thing first! Lets see what String do we have.


Lets trace where the Thank you, valued customer is being referenced...


So we see a branch condition when the user enter a correct password... as shown below


What is this dword_804913C value?


That is a freaking large number... in fact it is a negative integer if you are considering it as a signed integer.

 Ok from here we can tell that a call is make to sub_8048EA0 where the user input is passed into it and eventually a DWORD value is passed out from the function call into EAX. The EAX is then matched with EDX which contains the large number. Question is what is the correct password that leads to a key match? If only this is a local binary, we can simply patch it lol!

Ok lets take a look at the function sub_8048EA0.

Not too complicated =)
some char* are passed in to this function. There is a variable that start at 1337 value. we loop through the given char* (user input) and do simple math as such

pseudo code:

variable1337 = 1337;
do{
   variable1 = 32 * variable1337 + (a char of the input string)
   get next char
   variable1337  = variable1337  + variable1
}loop all chars in the given char*

so what i do next is to write this in a script simple c program and brute force it. Remember that the calculation is a signed int.... therefore i converted the large value into a signed integer (-282184360) for comparison.

I guess that the password should be some common english letters/numbers/symbols therefore i brute force the chars that have the ascii between 65 and 123... and i brute force the password length from length 1 onwards...

and finally... after few minutes...

we got a match! 6 chars long `saV^W


Not too difficult =) Time to laze again...

Ok as requested... Here is my noob lazy program. Nothing too fancyful... =) but should be quite easy to understand

#include <stdio.h>
#include <string.h>

int generate(char *key)
{
  int temp = 0, start =1337; 
  char character; 

  if ( *key == NULL )
return 0;
  else{
character = key[0];
do{
      temp = (32 * start) + character;
 key++;
      character = key[0];
      start += temp;
    }
    while ( character != NULL );
  }

  return start;
}

int main(int argc, char* argv[])
{
char key[9]; // just in case shit happen we got to brute force more chars
int start = 65, end = 123;
memset(key,0,9);
for(int a= start; a < end; a++){
for(int b= start; b < end; b++){
for(int c = start; c < end; c++){
for(int d = start; d < end; d++){
for(int e = start; e < end; e++){
for(int f = start; f < end; f++)
{
key[0] = (char)a;
key[1] = (char)b;
key[2] = (char)c;
key[3] = (char)d;
key[4] = (char)e;
key[5] = (char)f;
int a = generate(key);
if(a == -282184360){
printf("found %s\n\r", key);
}
}
}
}
}
}
}
return 0;
}

Always Lazing
NoirD3vil

CSAW CTF 2013 :: Recon: Jordan Wiens (100 Points)

Only a link (http://key.psifertex.com/) is given as the question.

The link doesn't give much information except the phrase, "Michael Vario sure does some suspicious signs, hope he doesn't do me."

If you do a Google search on "Michael Vario" you will notice that there are writeups on PGP keys.
Now search for Jordon Wiens PGP keys will lead you to his PGP keys at:

The key contains both the key and an embedded image.


Using an online base64 decoder tool (
http://www.motobit.com/util/base64-decoder-encoder.asp) save the decoded key into a jpeg image.




If you try opening the jpeg image, it will show as corrupted. Open the jpeg image in Hex Editor and you will notice that the actual pgp key is still in the header portion. Remove the portion and save the jpeg again.





Open up the new jpeg image in Paint to view the key.






Regards,

David Billa
"Live for Something or Die for Nothing!" 


CSAW CTF 2013 :: Web: Guess harder (100 Points)

For this challenge, we were given an ip address to head to. http://128.238.66.215

Upon navigating to the IP address given, the following page was displayed as shown below. This suggests that we would need to provide the correct password, before we would be able to proceed.



Viewing the source-file of the HTML page, yields nothing. It was nothing but just a simple HTML page. We decided to use one of our favourite firefox extensions, Tamper Data, to monitor the information flow. Tamper Data allows us to view and modify HTTP/HTTPS headers and POST parameters.

Using Tamper Data, we saw that there was an interesting cookie that was being transmitted.
We changed the cookie from "admin=false" to "admin=true".
Forwarding this amended headers and post parameters to the server yield us the key!


CSAW CTF 2013 :: Recon: historypeats (100 Points)

Only a Google search for "historypeats" is given as the question.

This is pretty straightforward.

Google search for historypeats will lead you to their GitHub page at: https://github.com/historypeats

Check for their latest activities under Public Activity tab.

The latest activity is showed as removed comments from historypeats/putscan.

Go into that posting and by clicking on Removed Comments will lead you to:


The key is shown here as:

key{whatDidtheF0xSay?}

Regards,

David Billa
"Live for Something or Die for Nothing!" 


CSAW CTF 2013 :: Exploitation 1 - 100 points

For this challenge, the following code snippet was given in a file, exploit1.c

[snip]void handle(int newsock) {
    int backdoor = 0;
    char buffer[1016];
    memset(buffer, 0, 1016);

    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    recv(newsock, buffer, 1020, 0);
    buffer[1015] = 0;

    if ( backdoor ) {
        fd = fopen("./key", "r");
        fscanf(fd, "%s\n", buffer);
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}
[snip]


A netcat connection command was also provided. "nc 128.238.66.212 31337".

Based on the netcat command given and the code snippet given, it can be inferred that we were suppose to open a netcat connection to the IP and port provided. The code snippet was likely to be from the server part of the connection.

Taking a closer look at the code snippet, it seems like the program will read from a .key file when backdoor is true/1. It can also be inferred that a buffer size of 1016 has been set aside, however in recv(), a size of 1020 has been declared as the size of the buffer. This will result in a buffer overflow problem when a string of more than 1016 characters is send to the netcat server. As a result of how the function variables is stored on the stack, the buffer overflow will affect the value of the backdoor variable.

Therefore to solve this challenge, all we needed to do was send any character string of random data of length 1016 and four 1s to the server. The server should reply with the data stored in the .key file.






As shown, we have managed to successfully obtain the keys for this challenge!


CSAW CTF 2013 :: Recon: Brandon Edwards (100 Points)

Only a Google search for "Brandon Edwards" is given as the question.

From the judges website you can gather information that Brandon Edwards is the 
co-founder of Exodus Intelligence.

From the twitter account of Exodus Intelligence you can get the twitter account of Brandon Edwards: https://twitter.com/drraid

Now Google using his nick "drraid" and you can gather information that he is also one of the contributor for Sophsec Intrusion Lab (http://www.sophsec.com/).

Sophsec has their own github page at: https://github.com/sophsec

Poke around the page and you will get the key from the first commit's index.html at:


b.edwards csaw key{a959962111ea3fed179eb044d5b80407}

Regards,

David Billa
"Live for Something or Die for Nothing!"


CSAW CTF 2013 :: CSAW Reversing 2013 1 (100 Points)

The challenge for "CSAW Reversing 2013 1" is to obtain the flag from within the given binary and it can be easily achieved with just 3 steps.

Step 1: Open the executable for examination using OllyDbg and you will notice the executable contains the IsDebuggerPresent function which allows an application to determine whether or not it is being debugged so that it can modify its behaviour.


Step 2: Download the IsDebuggerPresent plugin for OllyDbg and extract to your OllyDbg plugins folder, if you do not have this plugin. Restart OllyDbg for this plugin to be available for use. Re-open the executable and use the "ExtraHide" option for this plugin against this executable.


Step 3: The flag to this challenge will be displayed once you run the executable (press F9 in OllyDbg).


Flag captured! 100 points in the bag by cheating!! Yay!!! :Þ

Cheers,
Braeburn Ladny

CSAW CTF 2013 :: Misc 100: Black and White

We were given a png image for this challenge. On first look, the image seems to be all white

The title of the challenge was actually the clue. "Black and White"

What would happen if I dump black paint all over it? Open up Paint and dump black paint on the image... Voila!!!

Cheers,
thegrayone

CSAW CTF 2013 :: Reversing: DotNet (100 points)

For this challenge, a .net executable file is given. I have uploaded the file to mediafire and its downloadable from here. The image below shows how it looks like when it is executed and its a console application.




The objective of this challenge is to reverse the executable file to obtain the passcode to unlock the flag.

For this challenge, I used the Red Gate .NET Reflector to open the executable and view the source code.




The program validates the passcode by performing a bitwise XOR with a preset value (num2) and ensure it equal to another preset value (num3). In order to get the passcode, I just perform a bitwise XOR with num2 and num3.

0xc5ec4d790L ^ 0xf423abdb7L = 0xf1cfe6a27L

Convert the value to decimal value = 13371337255

Enter the passcode and ...




 flag{I'll create a GUI interface using visual basic...see if I can track an IP address.}

Enter the flag and captured. 100 points


Once upon a time ^-^,
whit3sn0w





Sunday, September 22, 2013

CSAW CTF 2013 :: Misc 50: Networking 1 & 2

Misc 50: Networking 1

This is a warmup challenge and is very straightforward. We were given a pcap file.

Open up the pcap file in wireshark and Follow TCP Stream. The flag is shown!!

flag{d316759c281bf925d600be698a4973d5}

Misc 50: Networking 2

This time we are given a .process file. Just open it up in Notepad++ and you will see the flag

flag{f9b43c9e9c05be5e08ea163007af5144}

Cheers,
thegrayone

CSAW CTF 2013 :: Web: Herpderper (300 points)

Tools Used:
Notepad++
Android Emulator & Android SDK
Burpsuite
apktool
keytool, jarsigner (JDK)

Ok, this is going to be a long article. Grab a cup of coffee and relax. In fact, grab one cup of coffee for me too =D

For this challenge, we were provided with an apk (Herpderper.apk)

As this is in the web category, I'm guessing we have to observe the web traffic from the application. In order to view the web traffic from the application, we would have to perform MITM on the Android Emulator.

I used Burp Suite. Fire it up and set the proxy settings.

Next we will launch the Android Emulator with the proxy settings enabled and pointing to BurpSuite. Create an emulated android device with the AVD Manager that comes with the Android SDK install. I created one that is running Android 4.0. To launch the emulator with proxy enabled, type the following command in the cmdline. (PS: the emulator binary is in the AndroidSDK/tools folder)

emulator -avd urEmulatorName -http-proxy proxyaddress:proxyport

Install the apk with the following command

adb install herpderper.apk

After installation, start the app and you should see a login screen.

Type in any email and password and try to login. If everything works correctly, burpsuite would be able to intercept the login request. However, burpsuite's intercept proxy does not see any requests. At the same time, the application displays a "Unknown Error" message in the UI. This is strange =/. Let's fire up "adb logcat", try to login again and see if there is any exception thrown

There is a debug message saying "Untrusted certificate chain". The application seems to be checking the SSL certificate presented by Burpsuite against something. We would have to reverse the apk and try to see how the application is checking the SSL certificate. We can use dex2jar and jd-gui to try and decompile and see the reconstructed java code. But I prefer looking at it in smali, to do this we need apktool. Run the following cmd to decompile the apk to smali

apktool d herpderper.apk herp
The decompiled files will be saved into the folder herp. Navigate to the /herp/smali/ops/black/herpderper folder (This is where all the source files are)

Open up all the smali files in Notepad++
Do a "Find All in All Opened Documents" with the string "Untrusted certificate chain"

The string is found in the class TrustModifier$AlwaysTrustManager. If we inspect the constructor of this class, we can see that it intializes a sequence of values that looks like SSL Cert values

We could create a self-signed cert with the same values and configure Burpsuite to serve that cert. But there is a easier way, we could patch the apk and make the application skip the ssl check completely. The ssl checks occur in the method checkServerTrusted. I added a line of code so that the method straight away returns without running the rest of the code. This effectively bypassed the SSL checks performed by the application

Now recompile the smali code back into an apk and install the patched apk to the emulator.
Run the following commands (You will be prompted for a password, just use the same password for both prompts)

- adb uninstall ops.black.herpderper
- apktool b herp patched.apk
- keytool -genkey -v -keystore my.keystore -alias anyalias -keyalg RSA -validity 10000
- jarsigner -sigalg MD5withRSA -digestalg SHA1 -keystore my.keystore patched.apk anyalias
- adb install patched.apk

Now, when we run the application and try to login with an email and password. The request is now properly intercepted by Burpsuite. However, when we forwarded the request, the received response was "integrity check failed". Let's see what is actually in the request

A post request is made to "https://webchal.isis.poly.edu/csaw.php" with 3 parameters
- 1 Base64-encoded username email (identity)
- 1 Base64-encoded password (secret)
- 1 long chunk of hex string (integrityid)

If we look back at the smali codes and try to find this integrityid parameter. It is in the AuthRequest class.

Upon further inspection of the code in this class, we found out that integrityid is actually the signature of the apk in a hex encoded format. Remember that we had to resign the patched apk in order to install it? (the jarsign command) This means that the server is actually checking that the application has not been tampered with. The next challenge is how do we get the signature of the original apk?

I found this article on androidcracking blog that described how to get the signature from a apk file. I copied the java code, compiled it into a jar file and ran the jar file against the original herpderper.apk. The output is the signature of the original herpderper.apk

Now go back to the Android emulator and try to login any email/password again. When Burpsuite intercepts the request, change the integrityid parameter to the signature that was just produced by the jar file and forward the request.

Now, the server responds with a "login failed" message. This means we have successfully bypassed its integrity check. The next part was where I was stuck for the longest time. I tried SQL injection and all kinds of stuffs but I will cut to the chase.

If we look at the "login failed" response from the server, there is actually a role parameter being returned. The solution is just to add a "role" parameter to the request. The value doesn't even matter. Once you submit that request, the server will respond with a "success" message together with the flag

(This screenshot is from a script that I wrote to make my life easier =D)

I apologise for the missing screenshots of the server responses. This is because I am writing this article after the CTF is over and CSAW has already shut down the server for this challenge. I'll remember to save screenshots as I play the next time =/

This was really an enjoyable challenge. I hope you enjoyed it as well as I did. Until next time.

Cheers,
thegrayone