Monday, September 23, 2013

CSAW CTF 2013 :: RE: Crackme (300 points)

For this puzzle we are given a linux binary and nc 128.238.66.218 54321.
Upon connecting to the server, we are prompted for a registration code key. Obviously we need to RE the given binary and find the key...

Lets fire up IDA PRO!

First thing first! Lets see what String do we have.


Lets trace where the Thank you, valued customer is being referenced...


So we see a branch condition when the user enter a correct password... as shown below


What is this dword_804913C value?


That is a freaking large number... in fact it is a negative integer if you are considering it as a signed integer.

 Ok from here we can tell that a call is make to sub_8048EA0 where the user input is passed into it and eventually a DWORD value is passed out from the function call into EAX. The EAX is then matched with EDX which contains the large number. Question is what is the correct password that leads to a key match? If only this is a local binary, we can simply patch it lol!

Ok lets take a look at the function sub_8048EA0.

Not too complicated =)
some char* are passed in to this function. There is a variable that start at 1337 value. we loop through the given char* (user input) and do simple math as such

pseudo code:

variable1337 = 1337;
do{
   variable1 = 32 * variable1337 + (a char of the input string)
   get next char
   variable1337  = variable1337  + variable1
}loop all chars in the given char*

so what i do next is to write this in a script simple c program and brute force it. Remember that the calculation is a signed int.... therefore i converted the large value into a signed integer (-282184360) for comparison.

I guess that the password should be some common english letters/numbers/symbols therefore i brute force the chars that have the ascii between 65 and 123... and i brute force the password length from length 1 onwards...

and finally... after few minutes...

we got a match! 6 chars long `saV^W


Not too difficult =) Time to laze again...

Ok as requested... Here is my noob lazy program. Nothing too fancyful... =) but should be quite easy to understand

#include <stdio.h>
#include <string.h>

int generate(char *key)
{
  int temp = 0, start =1337; 
  char character; 

  if ( *key == NULL )
return 0;
  else{
character = key[0];
do{
      temp = (32 * start) + character;
 key++;
      character = key[0];
      start += temp;
    }
    while ( character != NULL );
  }

  return start;
}

int main(int argc, char* argv[])
{
char key[9]; // just in case shit happen we got to brute force more chars
int start = 65, end = 123;
memset(key,0,9);
for(int a= start; a < end; a++){
for(int b= start; b < end; b++){
for(int c = start; c < end; c++){
for(int d = start; d < end; d++){
for(int e = start; e < end; e++){
for(int f = start; f < end; f++)
{
key[0] = (char)a;
key[1] = (char)b;
key[2] = (char)c;
key[3] = (char)d;
key[4] = (char)e;
key[5] = (char)f;
int a = generate(key);
if(a == -282184360){
printf("found %s\n\r", key);
}
}
}
}
}
}
}
return 0;
}

Always Lazing
NoirD3vil

Posted by at 6 comments:
Labels: ,

CSAW CTF 2013 :: Recon: Jordan Wiens (100 Points)

Only a link (http://key.psifertex.com/) is given as the question.

The link doesn't give much information except the phrase, "Michael Vario sure does some suspicious signs, hope he doesn't do me."

If you do a Google search on "Michael Vario" you will notice that there are writeups on PGP keys.
Now search for Jordon Wiens PGP keys will lead you to his PGP keys at:

The key contains both the key and an embedded image.


Using an online base64 decoder tool (http://www.motobit.com/util/base64-decoder-encoder.asp) save the decoded key into a jpeg image.


If you try opening the jpeg image, it will show as corrupted. Open the jpeg image in Hex Editor and you will notice that the actual pgp key is still in the header portion. Remove the portion and save the jpeg again.



Open up the new jpeg image in Paint to view the key.




Regards,

David Billa
"Live for Something or Die for Nothing!" 
Posted by at 4 comments:
Labels: ,

CSAW CTF 2013 :: Web: Guess harder (100 Points)

For this challenge, we were given an ip address to head to. http://128.238.66.215

Upon navigating to the IP address given, the following page was displayed as shown below. This suggests that we would need to provide the correct password, before we would be able to proceed.



Viewing the source-file of the HTML page, yields nothing. It was nothing but just a simple HTML page. We decided to use one of our favourite firefox extensions, Tamper Data, to monitor the information flow. Tamper Data allows us to view and modify HTTP/HTTPS headers and POST parameters.

Using Tamper Data, we saw that there was an interesting cookie that was being transmitted.
We changed the cookie from "admin=false" to "admin=true".
Forwarding this amended headers and post parameters to the server yield us the key!


Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: Recon: historypeats (100 Points)

Only a Google search for "historypeats" is given as the question.

This is pretty straightforward.

Google search for historypeats will lead you to their GitHub page at: https://github.com/historypeats

Check for their latest activities under Public Activity tab.

The latest activity is showed as removed comments from historypeats/putscan.

Go into that posting and by clicking on Removed Comments will lead you to:

https://github.com/historypeats/putscan/commit/a31512af6e8f2ae76bce11c0bd363f899e3488d1

The key is shown here as:

key{whatDidtheF0xSay?}

Regards,

David Billa
"Live for Something or Die for Nothing!" 


Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: Exploitation 1 - 100 points

For this challenge, the following code snippet was given in a file, exploit1.c

[snip]void handle(int newsock) {
    int backdoor = 0;
    char buffer[1016];
    memset(buffer, 0, 1016);

    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    recv(newsock, buffer, 1020, 0);
    buffer[1015] = 0;

    if ( backdoor ) {
        fd = fopen("./key", "r");
        fscanf(fd, "%s\n", buffer);
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}
[snip]

A netcat connection command was also provided. "nc 128.238.66.212 31337".

Based on the netcat command given and the code snippet given, it can be inferred that we were suppose to open a netcat connection to the IP and port provided. The code snippet was likely to be from the server part of the connection.

Taking a closer look at the code snippet, it seems like the program will read from a .key file when backdoor is true/1. It can also be inferred that a buffer size of 1016 has been set aside, however in recv(), a size of 1020 has been declared as the size of the buffer. This will result in a buffer overflow problem when a string of more than 1016 characters is send to the netcat server. As a result of how the function variables is stored on the stack, the buffer overflow will affect the value of the backdoor variable.

Therefore to solve this challenge, all we needed to do was send any character string of random data of length 1016 and four 1s to the server. The server should reply with the data stored in the .key file.






As shown, we have managed to successfully obtain the keys for this challenge!


Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: Recon: Brandon Edwards (100 Points)

Only a Google search for "Brandon Edwards" is given as the question.

From the judges website you can gather information that Brandon Edwards is the co-founder of Exodus Intelligence.

From the twitter account of Exodus Intelligence you can get the twitter account of Brandon Edwards: https://twitter.com/drraid

Now Google using his nick "drraid" and you can gather information that he is also one of the contributor for Sophsec Intrusion Lab (http://www.sophsec.com/).

Sophsec has their own github page at: https://github.com/sophsec

Poke around the page and you will get the key from the first commit's index.html at:

https://github.com/sophsec/sophsec.github.io/commit/65104dae66b62859ebc3e30120cfb739188664bf

b.edwards csaw key{a959962111ea3fed179eb044d5b80407}

Regards,

David Billa
"Live for Something or Die for Nothing!"


Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: CSAW Reversing 2013 1 (100 Points)

The challenge for "CSAW Reversing 2013 1" is to obtain the flag from within the given binary and it can be easily achieved with just 3 steps.

Step 1: Open the executable for examination using OllyDbg and you will notice the executable contains the IsDebuggerPresent function which allows an application to determine whether or not it is being debugged so that it can modify its behaviour.


Step 2: Download the IsDebuggerPresent plugin for OllyDbg and extract to your OllyDbg plugins folder, if you do not have this plugin. Restart OllyDbg for this plugin to be available for use. Re-open the executable and use the "ExtraHide" option for this plugin against this executable.


Step 3: The flag to this challenge will be displayed once you run the executable (press F9 in OllyDbg).


Flag captured! 100 points in the bag by cheating!! Yay!!! :Þ

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: Misc 100: Black and White

We were given a png image for this challenge. On first look, the image seems to be all white

The title of the challenge was actually the clue. "Black and White"

What would happen if I dump black paint all over it? Open up Paint and dump black paint on the image... Voila!!!

Cheers,
thegrayone

Posted by at No comments:
Labels: ,

CSAW CTF 2013 :: Reversing: DotNet (100 points)

For this challenge, a .net executable file is given. I have uploaded the file to mediafire and its downloadable from here. The image below shows how it looks like when it is executed and its a console application.




The objective of this challenge is to reverse the executable file to obtain the passcode to unlock the flag.

For this challenge, I used the Red Gate .NET Reflector to open the executable and view the source code.




The program validates the passcode by performing a bitwise XOR with a preset value (num2) and ensure it equal to another preset value (num3). In order to get the passcode, I just perform a bitwise XOR with num2 and num3.

0xc5ec4d790L ^ 0xf423abdb7L = 0xf1cfe6a27L

 Convert the value to decimal value = 13371337255

Enter the passcode and ...




 flag{I'll create a GUI interface using visual basic...see if I can track an IP address.}

Enter the flag and captured. 100 points


Once upon a time ^-^,
whit3sn0w





Posted by at 5 comments:
Labels: ,

Sunday, September 22, 2013

CSAW CTF 2013 :: Misc 50: Networking 1 & 2

Misc 50: Networking 1

This is a warmup challenge and is very straightforward. We were given a pcap file.

Open up the pcap file in wireshark and Follow TCP Stream. The flag is shown!!

flag{d316759c281bf925d600be698a4973d5}

Misc 50: Networking 2

This time we are given a .process file. Just open it up in Notepad++ and you will see the flag

flag{f9b43c9e9c05be5e08ea163007af5144}

Cheers,
thegrayone

Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)