Monday, September 23, 2013

CSAW CTF 2013 :: RE: Impossible (500 points)

We are given a nds rom for this puzzle.

Tools used:

  1. CheatEngine (1 of my favorite old tool to hack a game)
  2. OllyDbg
  3. NO$GBA for my nds emulator
Lets keep this puzzle simple. It is mentioned that the boss hp is 9000++ which means there is probably no way to kill him unless we cheat. The following is a screenshot of the impossible boss...


Lets fire up CheatEngine... The following is a screenshot of this tool...


What this tool does is that it allows us to search for values in memory... which eventually narrow down where is the boss hp memory address. Once we know where is the address, we can easily modify it to 0 =).

We used the scan type option in the tool to narrow down addresses. Below are the steps on how we did it.
  1. Start Game
  2. find unknown initial value
  3. Reset Game
  4. shoot target
  5. find decreased value
  6. Reset Game
  7. find increased value
  8. repeat from step 3


As you can see from the above screenshot, we have narrowed down the possible hp memory address to this few addresses. Seems like address 03BC2264 is a potential candidate. Wait a minute didn't the question say that the boss hp is more than 9000... seems like it is more than 900,000! We changed the value @ the memory address to 0. Reset the game and shoot 1 round at the boss! We won the game!


But it seems like the key is incomplete/wrong... Lets fire up ollydbg to see what we can find out... since we got the memory address of the boss hp, the key should be somewhere around that memory region... true enough we found it above the boss hp!





The key is ou6UbzM8fgEjZ????cXKVN?

If you recall.... earlier we use cheatengine tool to actively fix the value @ 03BC2264 (DWORD) to be 0 and it happen that the key we wanted is overwriting/overlapping this address as well. To resolve the 0 bytes issue, disable actively fixing the value @ 03BC2264 after the game had initialized (when the boss appears on the screen). You should get the full key once the boss is dead after shooting it once. 


The key is ou6UbzM8fgEjZQcRrcXKVN

Always lazing
NoirD3vil



CSAW CTF 2013 :: RE: Crackme (300 points)

For this puzzle we are given a linux binary and nc 128.238.66.218 54321.


Upon connecting to the server, we are prompted for a registration code key. Obviously we need to RE the given binary and find the key...

Lets fire up IDA PRO!

First thing first! Lets see what String do we have.


Lets trace where the Thank you, valued customer is being referenced...


So we see a branch condition when the user enter a correct password... as shown below


What is this dword_804913C value?


That is a freaking large number... in fact it is a negative integer if you are considering it as a signed integer.

 Ok from here we can tell that a call is make to sub_8048EA0 where the user input is passed into it and eventually a DWORD value is passed out from the function call into EAX. The EAX is then matched with EDX which contains the large number. Question is what is the correct password that leads to a key match? If only this is a local binary, we can simply patch it lol!

Ok lets take a look at the function sub_8048EA0.

Not too complicated =)
some char* are passed in to this function. There is a variable that start at 1337 value. we loop through the given char* (user input) and do simple math as such

pseudo code:

variable1337 = 1337;
do{
   variable1 = 32 * variable1337 + (a char of the input string)
   get next char
   variable1337  = variable1337  + variable1
}loop all chars in the given char*

so what i do next is to write this in a script simple c program and brute force it. Remember that the calculation is a signed int.... therefore i converted the large value into a signed integer (-282184360) for comparison.

I guess that the password should be some common english letters/numbers/symbols therefore i brute force the chars that have the ascii between 65 and 123... and i brute force the password length from length 1 onwards...

and finally... after few minutes...

we got a match! 6 chars long `saV^W


Not too difficult =) Time to laze again...

Ok as requested... Here is my noob lazy program. Nothing too fancyful... =) but should be quite easy to understand

#include <stdio.h>
#include <string.h>

int generate(char *key)
{
  int temp = 0, start =1337; 
  char character; 

  if ( *key == NULL )
return 0;
  else{
character = key[0];
do{
      temp = (32 * start) + character;
 key++;
      character = key[0];
      start += temp;
    }
    while ( character != NULL );
  }

  return start;
}

int main(int argc, char* argv[])
{
char key[9]; // just in case shit happen we got to brute force more chars
int start = 65, end = 123;
memset(key,0,9);
for(int a= start; a < end; a++){
for(int b= start; b < end; b++){
for(int c = start; c < end; c++){
for(int d = start; d < end; d++){
for(int e = start; e < end; e++){
for(int f = start; f < end; f++)
{
key[0] = (char)a;
key[1] = (char)b;
key[2] = (char)c;
key[3] = (char)d;
key[4] = (char)e;
key[5] = (char)f;
int a = generate(key);
if(a == -282184360){
printf("found %s\n\r", key);
}
}
}
}
}
}
}
return 0;
}

Always Lazing
NoirD3vil

CSAW CTF 2013 :: Recon: Jordan Wiens (100 Points)

Only a link (http://key.psifertex.com/) is given as the question.

The link doesn't give much information except the phrase, "Michael Vario sure does some suspicious signs, hope he doesn't do me."

If you do a Google search on "Michael Vario" you will notice that there are writeups on PGP keys.
Now search for Jordon Wiens PGP keys will lead you to his PGP keys at:

The key contains both the key and an embedded image.


Using an online base64 decoder tool (
http://www.motobit.com/util/base64-decoder-encoder.asp) save the decoded key into a jpeg image.




If you try opening the jpeg image, it will show as corrupted. Open the jpeg image in Hex Editor and you will notice that the actual pgp key is still in the header portion. Remove the portion and save the jpeg again.





Open up the new jpeg image in Paint to view the key.






Regards,

David Billa
"Live for Something or Die for Nothing!" 


CSAW CTF 2013 :: Web: Guess harder (100 Points)

For this challenge, we were given an ip address to head to. http://128.238.66.215

Upon navigating to the IP address given, the following page was displayed as shown below. This suggests that we would need to provide the correct password, before we would be able to proceed.



Viewing the source-file of the HTML page, yields nothing. It was nothing but just a simple HTML page. We decided to use one of our favourite firefox extensions, Tamper Data, to monitor the information flow. Tamper Data allows us to view and modify HTTP/HTTPS headers and POST parameters.

Using Tamper Data, we saw that there was an interesting cookie that was being transmitted.
We changed the cookie from "admin=false" to "admin=true".
Forwarding this amended headers and post parameters to the server yield us the key!


CSAW CTF 2013 :: Recon: historypeats (100 Points)

Only a Google search for "historypeats" is given as the question.

This is pretty straightforward.

Google search for historypeats will lead you to their GitHub page at: https://github.com/historypeats

Check for their latest activities under Public Activity tab.

The latest activity is showed as removed comments from historypeats/putscan.

Go into that posting and by clicking on Removed Comments will lead you to:


The key is shown here as:

key{whatDidtheF0xSay?}

Regards,

David Billa
"Live for Something or Die for Nothing!" 


CSAW CTF 2013 :: Exploitation 1 - 100 points

For this challenge, the following code snippet was given in a file, exploit1.c

[snip]void handle(int newsock) {
    int backdoor = 0;
    char buffer[1016];
    memset(buffer, 0, 1016);

    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    recv(newsock, buffer, 1020, 0);
    buffer[1015] = 0;

    if ( backdoor ) {
        fd = fopen("./key", "r");
        fscanf(fd, "%s\n", buffer);
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}
[snip]


A netcat connection command was also provided. "nc 128.238.66.212 31337".

Based on the netcat command given and the code snippet given, it can be inferred that we were suppose to open a netcat connection to the IP and port provided. The code snippet was likely to be from the server part of the connection.

Taking a closer look at the code snippet, it seems like the program will read from a .key file when backdoor is true/1. It can also be inferred that a buffer size of 1016 has been set aside, however in recv(), a size of 1020 has been declared as the size of the buffer. This will result in a buffer overflow problem when a string of more than 1016 characters is send to the netcat server. As a result of how the function variables is stored on the stack, the buffer overflow will affect the value of the backdoor variable.

Therefore to solve this challenge, all we needed to do was send any character string of random data of length 1016 and four 1s to the server. The server should reply with the data stored in the .key file.






As shown, we have managed to successfully obtain the keys for this challenge!


CSAW CTF 2013 :: Recon: Brandon Edwards (100 Points)

Only a Google search for "Brandon Edwards" is given as the question.

From the judges website you can gather information that Brandon Edwards is the 
co-founder of Exodus Intelligence.

From the twitter account of Exodus Intelligence you can get the twitter account of Brandon Edwards: https://twitter.com/drraid

Now Google using his nick "drraid" and you can gather information that he is also one of the contributor for Sophsec Intrusion Lab (http://www.sophsec.com/).

Sophsec has their own github page at: https://github.com/sophsec

Poke around the page and you will get the key from the first commit's index.html at:


b.edwards csaw key{a959962111ea3fed179eb044d5b80407}

Regards,

David Billa
"Live for Something or Die for Nothing!"


CSAW CTF 2013 :: CSAW Reversing 2013 1 (100 Points)

The challenge for "CSAW Reversing 2013 1" is to obtain the flag from within the given binary and it can be easily achieved with just 3 steps.

Step 1: Open the executable for examination using OllyDbg and you will notice the executable contains the IsDebuggerPresent function which allows an application to determine whether or not it is being debugged so that it can modify its behaviour.


Step 2: Download the IsDebuggerPresent plugin for OllyDbg and extract to your OllyDbg plugins folder, if you do not have this plugin. Restart OllyDbg for this plugin to be available for use. Re-open the executable and use the "ExtraHide" option for this plugin against this executable.


Step 3: The flag to this challenge will be displayed once you run the executable (press F9 in OllyDbg).


Flag captured! 100 points in the bag by cheating!! Yay!!! :Þ

Cheers,
Braeburn Ladny

CSAW CTF 2013 :: Misc 100: Black and White

We were given a png image for this challenge. On first look, the image seems to be all white

The title of the challenge was actually the clue. "Black and White"

What would happen if I dump black paint all over it? Open up Paint and dump black paint on the image... Voila!!!

Cheers,
thegrayone

CSAW CTF 2013 :: Reversing: DotNet (100 points)

For this challenge, a .net executable file is given. I have uploaded the file to mediafire and its downloadable from here. The image below shows how it looks like when it is executed and its a console application.




The objective of this challenge is to reverse the executable file to obtain the passcode to unlock the flag.

For this challenge, I used the Red Gate .NET Reflector to open the executable and view the source code.




The program validates the passcode by performing a bitwise XOR with a preset value (num2) and ensure it equal to another preset value (num3). In order to get the passcode, I just perform a bitwise XOR with num2 and num3.

0xc5ec4d790L ^ 0xf423abdb7L = 0xf1cfe6a27L

Convert the value to decimal value = 13371337255

Enter the passcode and ...




 flag{I'll create a GUI interface using visual basic...see if I can track an IP address.}

Enter the flag and captured. 100 points


Once upon a time ^-^,
whit3sn0w





Sunday, September 22, 2013

CSAW CTF 2013 :: Misc 50: Networking 1 & 2

Misc 50: Networking 1

This is a warmup challenge and is very straightforward. We were given a pcap file.

Open up the pcap file in wireshark and Follow TCP Stream. The flag is shown!!

flag{d316759c281bf925d600be698a4973d5}

Misc 50: Networking 2

This time we are given a .process file. Just open it up in Notepad++ and you will see the flag

flag{f9b43c9e9c05be5e08ea163007af5144}

Cheers,
thegrayone

CSAW CTF 2013 :: Web: Herpderper (300 points)

Tools Used:
Notepad++
Android Emulator & Android SDK
Burpsuite
apktool
keytool, jarsigner (JDK)

Ok, this is going to be a long article. Grab a cup of coffee and relax. In fact, grab one cup of coffee for me too =D

For this challenge, we were provided with an apk (Herpderper.apk)

As this is in the web category, I'm guessing we have to observe the web traffic from the application. In order to view the web traffic from the application, we would have to perform MITM on the Android Emulator.

I used Burp Suite. Fire it up and set the proxy settings.

Next we will launch the Android Emulator with the proxy settings enabled and pointing to BurpSuite. Create an emulated android device with the AVD Manager that comes with the Android SDK install. I created one that is running Android 4.0. To launch the emulator with proxy enabled, type the following command in the cmdline. (PS: the emulator binary is in the AndroidSDK/tools folder)

emulator -avd urEmulatorName -http-proxy proxyaddress:proxyport

Install the apk with the following command

adb install herpderper.apk

After installation, start the app and you should see a login screen.

Type in any email and password and try to login. If everything works correctly, burpsuite would be able to intercept the login request. However, burpsuite's intercept proxy does not see any requests. At the same time, the application displays a "Unknown Error" message in the UI. This is strange =/. Let's fire up "adb logcat", try to login again and see if there is any exception thrown

There is a debug message saying "Untrusted certificate chain". The application seems to be checking the SSL certificate presented by Burpsuite against something. We would have to reverse the apk and try to see how the application is checking the SSL certificate. We can use dex2jar and jd-gui to try and decompile and see the reconstructed java code. But I prefer looking at it in smali, to do this we need apktool. Run the following cmd to decompile the apk to smali

apktool d herpderper.apk herp
The decompiled files will be saved into the folder herp. Navigate to the /herp/smali/ops/black/herpderper folder (This is where all the source files are)

Open up all the smali files in Notepad++
Do a "Find All in All Opened Documents" with the string "Untrusted certificate chain"

The string is found in the class TrustModifier$AlwaysTrustManager. If we inspect the constructor of this class, we can see that it intializes a sequence of values that looks like SSL Cert values

We could create a self-signed cert with the same values and configure Burpsuite to serve that cert. But there is a easier way, we could patch the apk and make the application skip the ssl check completely. The ssl checks occur in the method checkServerTrusted. I added a line of code so that the method straight away returns without running the rest of the code. This effectively bypassed the SSL checks performed by the application

Now recompile the smali code back into an apk and install the patched apk to the emulator.
Run the following commands (You will be prompted for a password, just use the same password for both prompts)

- adb uninstall ops.black.herpderper
- apktool b herp patched.apk
- keytool -genkey -v -keystore my.keystore -alias anyalias -keyalg RSA -validity 10000
- jarsigner -sigalg MD5withRSA -digestalg SHA1 -keystore my.keystore patched.apk anyalias
- adb install patched.apk

Now, when we run the application and try to login with an email and password. The request is now properly intercepted by Burpsuite. However, when we forwarded the request, the received response was "integrity check failed". Let's see what is actually in the request

A post request is made to "https://webchal.isis.poly.edu/csaw.php" with 3 parameters
- 1 Base64-encoded username email (identity)
- 1 Base64-encoded password (secret)
- 1 long chunk of hex string (integrityid)

If we look back at the smali codes and try to find this integrityid parameter. It is in the AuthRequest class.

Upon further inspection of the code in this class, we found out that integrityid is actually the signature of the apk in a hex encoded format. Remember that we had to resign the patched apk in order to install it? (the jarsign command) This means that the server is actually checking that the application has not been tampered with. The next challenge is how do we get the signature of the original apk?

I found this article on androidcracking blog that described how to get the signature from a apk file. I copied the java code, compiled it into a jar file and ran the jar file against the original herpderper.apk. The output is the signature of the original herpderper.apk

Now go back to the Android emulator and try to login any email/password again. When Burpsuite intercepts the request, change the integrityid parameter to the signature that was just produced by the jar file and forward the request.

Now, the server responds with a "login failed" message. This means we have successfully bypassed its integrity check. The next part was where I was stuck for the longest time. I tried SQL injection and all kinds of stuffs but I will cut to the chase.

If we look at the "login failed" response from the server, there is actually a role parameter being returned. The solution is just to add a "role" parameter to the request. The value doesn't even matter. Once you submit that request, the server will respond with a "success" message together with the flag

(This screenshot is from a script that I wrote to make my life easier =D)

I apologise for the missing screenshots of the server responses. This is because I am writing this article after the CTF is over and CSAW has already shut down the server for this challenge. I'll remember to save screenshots as I play the next time =/

This was really an enjoyable challenge. I hope you enjoyed it as well as I did. Until next time.

Cheers,
thegrayone

CSAW CTF 2013 :: Trivial

Below are the Trivial questions for this years CSAW CTF 2013.

Trivial - 50 points 

  • Drink all the booze, ________ all the things
  • The answer is "hack"

Trivial - 50 points

  • What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Mattieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard and Mark Dowd?
  • The answer is "DICKS" , DARPA Interference Checking Kludge Scanning

Trivial - 50 points

  • What is the common name for a single grouping instructions used in a Return Oriented Programming payload, typically ending in a Return Instruction (RET)?
  • The answer is "gadgets"
Trivial - 50 points

  • What is the new web technology that provides a web browser full duplex communication to a web server over a single connection?
  • The answer is "WebSockets"
Trivial - 50 points

  • What is the x86 processor operating mode for running 64-bit code?
  • The answer is "Long Mode"

CSAW CTF 2013 :: Recon: Odin (100 points)

Only a Google search for "Odin" is given as the question.

This is a bit tricky. "Odin" actually refers to 1 of the irc chat user whose nick is "snOwDIN". You must have joined #csaw IRC channel in order to have noticed the user.

If you do a "whois snOwDIN" you will notice that his ircname as "linkedin:chinesespies"

Access the linkedin profile at: http://www.linkedin.com/in/chinesespies

And the key{cookies_are_for_csaw} will be shown in the page itself.

 See screenshot below:




Regards,

David Billa
"Live for Something or Die for Nothing!"

CSAW CTF 2013 :: REVERSING 2 (200 points)

For this puzzle we are given a window executable.

Hmm but the program keeps on crashing when i tried opening it...
Whatever... lets try firing up ollydbg to see what is going on. Hmmm... we got a messagebox call... but the text seems to be encrypted...



If we were to fire up IDA pro, we can see that there is a branch condition. Apparently by default the program will directly jump to address 0040106E to display the MessageBox.


Lets try to change this flow in ollydbg and see what will happen. I got a feeling that the other path might decrypt and display out the plain key.... Lets set breakpoint at address 00401040. On break change EAX to 0.  Once that is done, step through the program till you hit the messagebox.

Ermmm... the messagebox pops up... but no key is inside what possibly could have gone wrong???


Lets take a look on what has been passed in to the messagebox function. We can see that there is a push ESI @ address 00401075. But the text is empty! Let me Follow in dump on ESI.. Ahhh key found! 
 flag{number2isalittlebitharder:p}


Always Lazing
NoirD3vil


CSAW CTF 2013 :: Recon: Kevin Chung (100 points)

Only a Google search for "Kevin Chung" is given as the question. In addition a hint: "Where can you graduate from?" was also given.

You can start searching for where Kevin Chung graduated from. He is from NYU-Poly and while he was there he was a CSAW High School Forensics Finalist and Champion. This information is also available from the judges subpage within the csaw ctf website (https://ctf.isis.poly.edu/judges/)

Search in CSAW High School Forensics Previous Winners website:

https://hsf.isis.poly.edu/previous_winners/

Under 2009 winners there is a hyperlinked Kevin Chung name. Clicking on the link will lead you to key.txt which contains the key.


key{who_in_the_world_is_kevin_chung}


Regards,

David Billa
"Live for Something or Die for Nothing!"


CSAW CTF 2013 :: Web: Nevernote (200 points)

The question provided by the challenge:

http://128.238.66.214

from: Nevernote Admin <nevernoteadmin@nevernote.com>
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help

Friend,
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there anyway you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - its you.
Thanks,
Nevernote Admin



The objective of the challenge is to obtain the note of the Nevernote Admin.

The link provided will show login page of Nevernote shown below. There is a link to the registration page to where an account can be registered.


 
I tried logging in with both username and password blank and I got into Nevernote without having to register. (Apparently they accept blank username and password for account creation and someone had registered using that)

 Upon logging in, Nevernote shows all the notes and mails received.






Since the objective of this challenge is to obtain the note of the admin, I opened up one of the note to take a look.



From the page where they show the note, I notice that there is a 'enc=' field. The 'enc=' field seems to be use to fetch the note and is useful for this challenge. I decided to test it using the field with ../ to see if it vulnerable to directory traversal attack .









 It does generate any error so I decided to try a few more.

and after a few tries...


It shows the admin note that contains the key for this challenge.

key{akjdsf98LolCats234lkas0!#@%23Ferrari134545!@#250saDucati9dfL$Jdc09234lkjasf}

Enter the key and flag captured. 200 points.

Once upon a time  ^-^,
whit3sn0w