Sunday, September 22, 2013

CSAW CTF 2013 :: Trivial

Below are the Trivial questions for this year's CSAW CTF 2013.

Trivial - 50 points 

  • Drink all the booze, ________ all the things
  • The answer is "hack"

Trivial - 50 points

  • What is the abbreviation of the research published in the Hakin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard and Mark Dowd?
  • The answer is "DICKS" , DARPA Interference Checking Kludge Scanning

Trivial - 50 points

  • What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a Return Instruction (RET)?
  • The answer is "gadgets"

Trivial - 50 points

  • What is the new web technology that provides a web browser with full-duplex communication to a web server over a single connection?
  • The answer is "WebSockets"

Trivial - 50 points

  • What is the x86 processor operating mode for running 64-bit code?
  • The answer is "Long Mode"

CSAW CTF 2013 :: Recon: Odin (100 points)

Only a Google search for "Odin" is given as the question.

This is a bit tricky. "Odin" actually refers to one of the IRC chat users, whose nick is "snOwDIN". You must have joined the #csaw IRC channel in order to have noticed the user.

If you do a "whois snOwDIN" you will notice that his ircname is "linkedin:chinesespies".

Access the linkedin profile at: http://www.linkedin.com/in/chinesespies

And the key{cookies_are_for_csaw} will be shown in the page itself.

See screenshot below:

Regards,

David Billa
"Live for Something or Die for Nothing!"

CSAW CTF 2013 :: REVERSING 2 (200 points)

For this puzzle we are given a Windows executable.

Hmm, but the program keeps on crashing when I tried opening it...
Whatever... let's try firing up OllyDbg to see what is going on. Hmmm... we got a MessageBox call... but the text seems to be encrypted...

If we were to fire up IDA Pro, we can see that there is a branch condition. Apparently by default the program will directly jump to address 0040106E to display the MessageBox.

Let's try to change this flow in OllyDbg and see what will happen. I've got a feeling that the other path might decrypt and display the plain key.... Let's set a breakpoint at address 00401040. On break, change EAX to 0. Once that is done, step through the program till you hit the MessageBox.

Ermmm... the MessageBox pops up... but no key is inside. What could possibly have gone wrong???

Let's take a look at what has been passed in to the MessageBox function. We can see that there is a push ESI @ address 00401075. But the text is empty! Let me use "Follow in Dump" on ESI... Ahhh, key found!
flag{number2isalittlebitharder:p}

Always Lazing
NoirD3vil

CSAW CTF 2013 :: Recon: Kevin Chung (100 points)

Only a Google search for "Kevin Chung" is given as the question. In addition, a hint, "Where can you graduate from?", was also given.

You can start by searching for where Kevin Chung graduated from. He is from NYU-Poly, and while he was there he was a CSAW High School Forensics Finalist and Champion. This information is also available from the judges' subpage of the CSAW CTF website (https://ctf.isis.poly.edu/judges/).

Search the CSAW High School Forensics Previous Winners page:

https://hsf.isis.poly.edu/previous_winners/

Under 2009 winners there is a hyperlinked Kevin Chung name. Clicking on the link will lead you to key.txt which contains the key.

key{who_in_the_world_is_kevin_chung}

Regards,

David Billa
"Live for Something or Die for Nothing!"

CSAW CTF 2013 :: Web: Nevernote (200 points)

The question provided by the challenge:

http://128.238.66.214

from: Nevernote Admin <nevernoteadmin@nevernote.com>
to: challenger@ctf.isis.poly.edu
date: Thurs, Sep 19, 2013 at 3:05 PM
subject: Help

Friend,
Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
Thanks,
Nevernote Admin

The objective of the challenge is to obtain the note of the Nevernote Admin.

The link provided shows the Nevernote login page, shown below. There is a link to the registration page, where an account can be registered.

I tried logging in with both username and password blank and I got into Nevernote without having to register. (Apparently they accept a blank username and password for account creation, and someone had registered using that.)

Upon logging in, Nevernote shows all the notes and mails received.

Since the objective of this challenge is to obtain the note of the admin, I opened up one of the notes to take a look.

From the page where they show the note, I noticed that there is an 'enc=' field. The 'enc=' field seems to be used to fetch the note and is useful for this challenge. I decided to test the field with ../ to see if it is vulnerable to a directory traversal attack.

It does not generate any error, so I decided to try a few more.

and after a few tries...

It shows the admin note that contains the key for this challenge.

key{akjdsf98LolCats234lkas0!#@%23Ferrari134545!@#250saDucati9dfL$Jdc09234lkjasf}

Enter the key and flag captured. 200 points.
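The bug behind this challenge is the classic one: the 'enc=' value is used to build a file path without being confined to the notes directory. As an added illustration (not the writeup's or Nevernote's own code; the directory and identifier format are assumptions), here is the flawed lookup next to a hardened one:

```python
import os
import re

# Constructed notes directory for this example; the real Nevernote layout is not on the page
NOTES_DIR = "/srv/nevernote/notes"
NOTE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # assumed shape of a legitimate note identifier


def fetch_note_vulnerable(enc):
    """Mirrors the flaw in the writeup: 'enc' is pasted into the path unchanged,
    so '../' in the parameter walks out of NOTES_DIR into other users' notes."""
    return os.path.join(NOTES_DIR, enc)


def is_safe_note_id(enc):
    """Two independent checks: a strict allow-list on the identifier, and a
    canonical-path check that the resolved file is still underneath NOTES_DIR."""
    if not NOTE_ID.fullmatch(enc):
        return False
    base = os.path.realpath(NOTES_DIR)
    target = os.path.realpath(os.path.join(base, enc))
    return os.path.commonpath([base, target]) == base


def fetch_note_hardened(enc):
    """Same lookup, but refuses anything that fails the checks above."""
    if not is_safe_note_id(enc):
        raise ValueError("rejected note identifier")
    return os.path.join(os.path.realpath(NOTES_DIR), enc)


if __name__ == "__main__":
    for probe in ["42", "../admin/note", "....//admin"]:
        print(f"{probe!r:>16}  vulnerable -> {os.path.normpath(fetch_note_vulnerable(probe))}"
              f"  hardened -> {'ok' if is_safe_note_id(probe) else 'rejected'}")
```

The allow-list alone would stop the traversal; the realpath check is kept so that the lookup stays safe even if the identifier format is later loosened.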

Once upon a time  ^-^,
whit3sn0w

CSAW CTF 2013 :: Recon: Julian Cohen (100 points)

Only a Google search for "Julian Cohen" is given as the question.

From the judges' subpage (https://ctf.isis.poly.edu/judges/), you can find the Twitter account for Julian Cohen, which is https://twitter.com/HockeyInJune

Now we know that his nick is HockeyInJune. By searching using the nick, you can get to his Reddit page (http://www.reddit.com/r/HockeyInJune).

Look for his posting under CSAW CTF 2013, where he has posted a link to a website: http://deathbycats.com/

Using the "dig" command in Linux, you can find the IP address of the website, which will be 23.23.196.37

Accessing the IP directly on the URL will show the flag. See screenshot below:

Regards,

David Billa
"Live for Something or Die for Nothing!"

CSAW CTF 2013 :: Bikinibonanza (150 points)

For this puzzle we are given a .NET executable.

This is how it looks when executed...

First thought: enter the correct key and hit Submit for the flag to be shown...
Let's fire up Reflector to decompile this .NET executable.

There are several eval_?? functions in the decompiled output. The trick to figuring out which eval_?? function a statement is pointing to is to click on it in Reflector; the program will take you to the correct eval_?? function.

In one of the eval_?? functions, we can see that it is doing some comparison work. The comparison might be the key to solving the puzzle. Let us copy this portion and write our own code...

using System;
using System.Text;
using System.Security.Cryptography;

namespace test
{
    class Program
    {
        // Prime table lifted from the decompiled eval_?? routine: returns primes[num1] XOR num2
        static int getkey(int num2, int num1)
        {
            return (new int[] {
                2, 3, 5, 7, 11, 13, 0x11, 0x13, 0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35,
                0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59, 0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71
             }[num1] ^ num2);
        }

        // XORs every character of text1 with primes[1] .. primes[num1 - 1] in turn,
        // appends the result to textRef1 and prints the MD5 of the scrambled string
        static void generate(string text1, int num1, ref string textRef1)
        {
            int num2 = 0;
            if (0 < text1.Length)
            {
                do
                {
                    char ch = text1[num2];
                    int num = 1;
                    if (1 < num1)
                    {
                        do
                        {
                            ch = Convert.ToChar(getkey(Convert.ToInt32(ch), num));
                            num++;
                        }
                        while (num < num1);
                    }
                    textRef1 = textRef1 + ch;
                    num2++;
                }
                while (num2 < text1.Length);

                Console.WriteLine(replacing(textRef1));
            }
        }

        // MD5 of the ASCII bytes, rendered as upper-case hex without dashes
        static string replacing(string text1)
        {
            byte[] bytes = Encoding.ASCII.GetBytes(text1);
            return BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(bytes)).Replace("-", "");
        }

        static void Main(string[] args)
        {
            string strB = null;
            DateTime now = DateTime.Now;
            // the round count is the current hour + 1, so the expected key changes every hour
            string str2 = string.Format("{0}", now.Hour + 1);
            string str = "NeEd_MoRe_Bawlz";
            Console.WriteLine(str2);
            Console.WriteLine(str);

            generate(str, Convert.ToInt32(str2), ref strB);
        }
    }
}

On executing the above code we got this: BEBF06D90D6F9652476D244470C66BEC
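Because Main() uses DateTime.Now.Hour + 1 as the round count, the hash above is only valid for the hour in which it was produced. The following added Python reimplementation (not the author's code or the challenge binary) uses the prime table and seed string from the decompiled routine, collapses the per-character XOR chain into a single mask, and tabulates the candidate key for every hour of the day:

```python
import hashlib

# Prime table and seed string copied from the decompiled eval_?? routine above
PRIMES = [2, 3, 5, 7, 11, 13, 0x11, 0x13, 0x17, 0x1d, 0x1f, 0x25, 0x29, 0x2b, 0x2f, 0x35,
          0x3b, 0x3d, 0x43, 0x47, 0x49, 0x4f, 0x53, 0x59, 0x61, 0x65, 0x67, 0x6b, 0x6d, 0x71]
SEED = "NeEd_MoRe_Bawlz"


def xor_mask(rounds):
    """The decompiled loop XORs a character with PRIMES[1], PRIMES[2], ... PRIMES[rounds - 1]
    in turn; XOR is associative, so the whole chain is one XOR with this mask (0 if rounds <= 1)."""
    mask = 0
    for i in range(1, rounds):
        mask ^= PRIMES[i]
    return mask


def transform(text, rounds):
    """Equivalent of generate(): scramble every character with the combined mask."""
    mask = xor_mask(rounds)
    return "".join(chr(ord(c) ^ mask) for c in text)


def derive_key(hour):
    """Equivalent of Main() + replacing(): rounds = hour + 1, then MD5 as upper-case hex.
    SEED characters and PRIMES are all below 0x80, so the scrambled text stays plain ASCII."""
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0..23")
    scrambled = transform(SEED, hour + 1).encode("ascii")
    return hashlib.md5(scrambled).hexdigest().upper()


def key_table():
    """Candidate key for every hour, so the clock does not have to match the author's run."""
    return {hour: derive_key(hour) for hour in range(24)}


if __name__ == "__main__":
    for hour, key in key_table().items():
        print(f"{hour:02d}:00  {key}")
```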

Throw this key into the application and we get the flag!

key(0920303251BABE89911ECEAD17FEBF30)

Always lazing
NoirD3vil...

Tuesday, August 6, 2013

ebCTF 2013 :: BIN200 (200 points)

The challenge for BIN200 is to uncover the hidden file contained within the given executable.

Step 1: Load the executable (ebCTF_BIN200.exe) in OllyDbg and run it; you will be prompted by the executable for a secret key. Looking through the code reveals the executable was generated using 'Perl2Exe', a command line utility for converting Perl scripts to EXE files. An interesting keyword found within the executable is '-p2x_debug', which shall be used later.

Step 2: View the events captured by OllyDbg. In OllyDbg, go to View > Log (Alt+L). There is an entry of a DLL file dumped in the AppData Temp folder. Examination of the DLL file reveals it is packed with UPX. Unpack the DLL with the UPX unpacker.

Example:
 Address=28000000
 Message=Module C:\Users\Braeburn\AppData\Local\Temp\p2xtmp-4484\p2x5123.dll

Step 3: Rerun the executable in OllyDbg with '-p2x_debug' as the argument and debug information will be displayed in the command prompt. It's clear now the hidden file is '_main.pl'.

P2X: Debug mode enabled - V090508
P2X: Expanded module filename = C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe
GetTempDir: returning C:\Users\Braeburn\AppData\Local\Temp/p2xtmp-4484
ISEXT_Init: filename = p2x_stub.lib
ISEXT_Init: filename = p2x_header.pm
ISEXT_Init: filename = p2x_pre_exec_message
ISEXT_Init: filename = p2x_trial_message
ISEXT_Init: filename = p2x_exec_command
ISEXT_Init: filename = p2x_info.pm
ISEXT_Init: filename = _main.pl
ISEXT_Init: filename = P2XDLL/p2x5123.dll
P2X: ISEXT_Init done
P2X: OpenScript: C:\Users\Braeburn\Downloads\ebCTF_BIN200.exe FOUND IN PERL2EXE_STORAGE

[*] ebCTF BIN 200
      No comment...

[*] What is the secret?

Step 4: Load the unpacked DLL in IDA Pro and search for the location where the string "ISEXT_Init: filename = " is referenced. It will be located at address 0x280AC503. After examining the flow graph from that location onwards, it is clear a different path is needed in order to dump the files to the tmp folder.

Step 5: Re-run the executable, change the instruction at address 0x280AC52E from JNZ to JZ before EIP reaches address 0x280AC503, and you will find the Perl script in the tmp folder.

The secret key and the flag to this challenge will be found within the perl script.

Secret key: "Sup3RSeCr3tStuFf!"
Flag: ebctf{ededb03c7998fa751be21d1364a58600}


Flag captured! 200 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny 

ebCTF 2013 :: BIN100 (100 points)

The challenge for BIN100 is almost identical to the teaser challenge (except this is a Linux executable), so we shall not go into details on what the executable does. In summary, we need to roll 3-1-3-3-7 with a dice. Oh yes, we need to roll a 7 with a dice. That's awesome, isn't it?

There are two ways to tackle this challenge: either by patching with NOPs or by changing the instructions from JNE to JE. With the latter, you have to throw a number that is NOT wanted at that checkpoint - on your 1st throw, you have to throw any number except 3 in order to proceed to the next checkpoint.

Step 1: Identify the conditional checks for the 5 throws to be made and patch them accordingly.

If you prefer to patch the executable with NOPs, these are the addresses to do so (offset: original byte, new byte):
00000F8C: 75 90
00000F8D: 4E 90
00001199: 75 90
0000119A: 4F 90
000013A7: 75 90
000013A8: 6D 90
000015AA: 0F 90
000015AB: 85 90
000015AC: 82 90
000015AD: 00 90
000015AE: 00 90
000015AF: 00 90
0000180A: 0F 90
0000180B: 85 90
0000180C: C1 90
0000180D: 00 90
0000180E: 00 90
0000180F: 00 90

If you prefer to reverse the flow at each of the 5 conditional checkpoints, these are the addresses where the instructions are to be changed:
00000F8C: 75 74
00001199: 75 74
000013A7: 75 74
000015AB: 85 84
0000180B: 85 84

Step 2: Save the executable.

Step 3: Run the executable to obtain the flag.
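Hand-editing eighteen offsets in a hex editor is error-prone, and a patch table only makes sense against the exact build it was taken from. As an added example (not part of the writeup), this Python patcher applies either table from Step 1 but writes nothing unless every original byte matches, so a different build or an already-patched file is left untouched; the stand-in image is constructed here for demonstration:

```python
# Patch tables copied from the BIN100 writeup above: (file offset, original byte, new byte)
NOP_PATCH = [
    (0xF8C, 0x75, 0x90), (0xF8D, 0x4E, 0x90),                          # 75 xx: jne short
    (0x1199, 0x75, 0x90), (0x119A, 0x4F, 0x90),
    (0x13A7, 0x75, 0x90), (0x13A8, 0x6D, 0x90),
    (0x15AA, 0x0F, 0x90), (0x15AB, 0x85, 0x90), (0x15AC, 0x82, 0x90),  # 0F 85 rel32: jne near
    (0x15AD, 0x00, 0x90), (0x15AE, 0x00, 0x90), (0x15AF, 0x00, 0x90),
    (0x180A, 0x0F, 0x90), (0x180B, 0x85, 0x90), (0x180C, 0xC1, 0x90),
    (0x180D, 0x00, 0x90), (0x180E, 0x00, 0x90), (0x180F, 0x00, 0x90),
]
JE_PATCH = [
    (0xF8C, 0x75, 0x74), (0x1199, 0x75, 0x74), (0x13A7, 0x75, 0x74),   # 75 jne -> 74 je
    (0x15AB, 0x85, 0x84), (0x180B, 0x85, 0x84),                        # 0F 85 jne -> 0F 84 je
]


def verify_originals(image, patch):
    """True only if every offset exists and still holds the byte the table expects."""
    return all(off < len(image) and image[off] == old for off, old, _ in patch)


def apply_patch(image, patch):
    """Return a patched copy. The whole table is checked first, so a wrong build
    (or a file that was already patched) is never left half-modified."""
    if not verify_originals(image, patch):
        raise ValueError("original bytes do not match the patch table; wrong file?")
    buf = bytearray(image)
    for off, _, new in patch:
        buf[off] = new
    return bytes(buf)


def constructed_image():
    """Constructed stand-in for the challenge binary: zeros, with the expected original
    bytes placed at the patch offsets (the real file is not reproduced here)."""
    buf = bytearray(0x1810)
    for off, old, _ in NOP_PATCH:
        buf[off] = old
    return bytes(buf)


if __name__ == "__main__":
    patched = apply_patch(constructed_image(), JE_PATCH)
    for off, _, new in JE_PATCH:
        print(f"{off:08X}: {new:02X}  ok" if patched[off] == new else f"{off:08X}: mismatch")
```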

Flag captured! 100 points in the bag!! Yay!!!

Cheers,
Braeburn Ladny

ebCTF 2013 :: NET100 (100 points)

The challenge for NET100 is to figure out, through the use of a pcap file, the damage that an evil hacker did to Eindbazen.

Step 1: Load the pcap file with Wireshark.

Step 2: Go to packet number 767. This is a packet containing an HTTP GET request that reveals a wget command was executed to download the payload file (rootkit.zip). The file can be saved to a working directory via Wireshark's HTTP object list. In Wireshark, go to File > Export > Objects > HTTP to bring up the HTTP object list. Any attempt to unzip the zipped file (to view flag.txt) will fail, as it is protected with a password.

Step 3: Go to packet number 8. Right click on the packet, select "Follow UDP Stream", "ASCII", and save the entire conversation as an ASCII file. View the saved file with your preferred text editor. The password lies between line 593 and line 609.

Step 4: Use the extracted password to retrieve flag.txt from rootkit.zip. The flag for this challenge lies within flag.txt. 100 points in the bag!! Yay!!!

Flag: ebCTF{b78dc61ce895a3856f3520e41c07b1be}

Cheers,
Braeburn Ladny