
Chaos Construction 2013: hackquest review and writeup

As many of you know, this weekend St. Petersburg hosted a festival of computer creativity, and part of it was a hackquest (a Capture The Flag-style contest). Since I don't have a personal blog at the moment, I decided to share the task solutions here; I think many will find them interesting :) Some of the tasks were already discussed on Habr (uploading "banned" music to VK). The theme was PRISM, the NSA and so on.
I didn't save the full list of tasks, but many of them are still up, so I'm reconstructing the rest from memory.

iPrism (mobile)


hack this secret app

We download it and find an iOS application. I'm not particularly strong at reversing, so I decided to leave it for later. But while reading Twitter (it pays to follow the organizers) I came across a post about the service hackapp.com:
HackApp is a web-based service for static security analysis of mobile apps. It identifies critical and suspicious information in a bundle, such as:
- Certificates and keys
- Authentication secrets
- License Control
- Compilation flaws

A service for finding security bugs in mobile applications. We upload our file, it generates a report (hackapp.com/open#e55bece90691913812ef6e0da5c8278a), and in it we find the key:
Affected files:
- b00067.app/Defaults.plist
It seems to be saved in the app bundle

AuthTokenString: C_C_13_F_L_@_G:8204e7efa933e2521a69417c4ab2357e


Flag: 8204e7efa933e2521a69417c4ab2357e
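What the service did here, unpacking the bundle, parsing its plist files and flagging values that look like credentials, is easy to reproduce locally. An added example in Python (not HackApp's code and not the task's app; the .ipa it scans is constructed inline, and the key patterns it looks for are my own choice):

```python
import io
import plistlib
import re
import zipfile

# Key names worth a look (assumption: a generic list; the hackapp report
# flagged "AuthTokenString") and 32-hex-digit values such as MD5-shaped tokens.
SUSPICIOUS_KEY = re.compile(r"(?i)token|secret|passw|api[_-]?key|private")
HEX32 = re.compile(r"\b[0-9a-f]{32}\b")


def walk(node, path: str = ""):
    """Yield (key_path, value) for every scalar in a parsed plist; dicts and lists nest."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def scan_ipa(ipa_bytes: bytes) -> list:
    """Open an .ipa (a zip) in memory, parse every .plist in it and return
    (member, key_path, value) for entries with a suspicious key or a value
    that looks like a hex token."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as bundle:
        for member in bundle.namelist():
            if not member.endswith(".plist"):
                continue
            try:
                data = plistlib.loads(bundle.read(member))
            except Exception:                # damaged or not really a plist
                continue
            for key_path, value in walk(data):
                text = value if isinstance(value, str) else ""
                if SUSPICIOUS_KEY.search(key_path) or HEX32.search(text):
                    hits.append((member, key_path, value))
    return hits


def build_sample_ipa() -> bytes:
    """Constructed stand-in for the task's .ipa (not the real file): an
    Info.plist plus a Defaults.plist carrying a made-up token."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("Payload/b00067.app/Info.plist",
                        plistlib.dumps({"CFBundleIdentifier": "com.example.iprism",
                                        "CFBundleVersion": "1.0"}))
        bundle.writestr("Payload/b00067.app/Defaults.plist",
                        plistlib.dumps({"Theme": "dark",
                                        "AuthTokenString": "C_C_13_F_L_@_G:0123456789abcdef0123456789abcdef"}))
    return buf.getvalue()


if __name__ == "__main__":
    for member, key_path, value in scan_ipa(build_sample_ipa()):
        print(f"{member}: {key_path} = {value!r}")
```

Anything stored in a plist ships in cleartext to every user of the app, which is exactly why a flag parked in Defaults.plist falls out of a static scan.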

Prismtestm (web)


I should say up front that I didn't solve this task; I asked team Hardc0de for the solution afterwards. On the task site there's a form where you enter the address of a site to be checked for "PRISM" (it had to match the regex (.*).com). I immediately suspected SSRF here (first, the organizers were ONSec; second, it just made sense). I dug through the SSRF Bible, registered a .com domain, put a script on my server with tshark running, and got nothing, however hard I hammered at it. The solution is to bypass the regex with /?, i.e. to use this as the host:
127.0.0.1:80/?.com
That forces the script to connect to localhost (the ?.com is simply dropped on the server as part of the URI), and we pass the same &debug parameter (which could be seen in the HTML comments). The catch is that the port has to be given explicitly, otherwise it wouldn't go through. The SSRF itself is then carried out through the debug parameter; examples are in the "Smuggling examples" section of the SSRF Bible. And keep digging.
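What the bypass exploits is that the check was applied to the raw string rather than to the host part of a parsed URL. An added example in Python (not the organizers' code; the weak check is reconstructed from the description above and the hardened one is mine) showing the filter that lets 127.0.0.1:80/?.com through, next to a check that parses the URL first and refuses IP literals, userinfo, odd ports and non-.com hosts:

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the server's check was equivalent to this unanchored regex
# (the writeup quotes it as "(.*).com"). It looks at the raw string, so
# ".com" in the query string satisfies it just as well as a real hostname.
WEAK_RE = re.compile(r"(.*)\.com")


def weak_allows(target: str) -> bool:
    """The bypassed check: passes as long as '.com' occurs somewhere."""
    return WEAK_RE.search(target) is not None


def is_public_address(ip_str: str) -> bool:
    """True only for routable unicast addresses: loopback, RFC1918, link-local
    (169.254.169.254-style metadata endpoints), multicast and reserved ranges are out."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def strict_allows(target: str) -> bool:
    """Hardened check: decide on the parsed host, not on the raw string."""
    if "://" not in target:
        target = "http://" + target          # "127.0.0.1:80/?.com" would parse as a path otherwise
    try:
        parts = urlsplit(target)
        port = parts.port                    # raises ValueError on a junk port
    except ValueError:
        return False
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.username or parts.password:     # "http://example.com@127.0.0.1/" tricks
        return False
    if port not in (None, 80, 443):
        return False
    try:
        ipaddress.ip_address(host)
        return False                         # an IP literal is never a ".com site"
    except ValueError:
        pass
    # the hostname itself, fully anchored, must end in .com
    return re.fullmatch(r"(?i)(?:[a-z0-9-]+\.)+com", host) is not None


if __name__ == "__main__":
    for url in ("example.com", "127.0.0.1:80/?.com", "http://example.com@127.0.0.1/"):
        print(f"{url:35} weak={weak_allows(url)!s:5} strict={strict_allows(url)}")
```

A hostname that passes strict_allows() still has to be resolved and the resolved address run through is_public_address(), with the connection pinned to that address; otherwise attacker.com pointing at 127.0.0.1 gets the same result as the bypass above.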

listen2me (stegano)


To bypass PRISM, guys sometimes use this technique.
Flag is MD5(message_from_MP3)

Nobody solved this task. We download the file, determine from the headers that it isn't an MP3, give it an archive extension and open it: the archive is broken, and inside are two files, calc.exe and reverse_something.txt. We start digging: inside there are JPEG headers written backwards. We pull out the picture; the picture has something stitched into it as well. That, it seems, is where the key is.
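The step described above (the JPEG sits in the file with its headers backwards, so the bytes are reversed and the image carved out by its markers), as an added example in Python. This is not the author's script, and the container it carves is a constructed stand-in, not the task file:

```python
import re

# SOI (FF D8) followed by an APPn marker (FF E0..EF). Requiring the APPn byte
# keeps the pattern from matching its own mirror image in a reversed file.
SOI_RE = re.compile(rb"\xff\xd8\xff[\xe0-\xef]")
EOI = b"\xff\xd9"


def carve_jpegs(blob: bytes) -> list:
    """Return every SOI..EOI slice in blob, in order, non-overlapping."""
    found = []
    pos = 0
    while True:
        m = SOI_RE.search(blob, pos)
        if m is None:
            break
        end = blob.find(EOI, m.end())
        if end < 0:
            break                       # header without a trailer: truncated object
        found.append(blob[m.start():end + len(EOI)])
        pos = end + len(EOI)
    return found


def carve_reversed_jpegs(blob: bytes) -> list:
    """The writeup's case: JPEG headers appear backwards, so reverse the whole
    byte string first, then carve normally."""
    return carve_jpegs(blob[::-1])


# Constructed sample: a 33-byte JPEG-shaped object (SOI, APP0 "JFIF", filler, EOI)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + EOI


def build_sample_container() -> bytes:
    """Constructed stand-in for the task file: a zip-like header, the two file
    names the author saw, and SAMPLE_JPEG stored byte-reversed."""
    return (b"PK\x03\x04" + b"calc.exe\x00reverse_something.txt\x00"
            + SAMPLE_JPEG[::-1] + b"\x00" * 8)


if __name__ == "__main__":
    blob = build_sample_container()
    print("forward:", len(carve_jpegs(blob)), "reversed:", len(carve_reversed_jpegs(blob)))
```

On a real file, write each carved slice out and open it; anything after the EOI of a carved image (or inside a comment/APPn segment) is where a further payload would be stitched in.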

Gener (web)


NSA produced a highly secure PRNG source

Following the link, the source:
    <?php
    function reallySecureRandom() {
        $seed = (double)microtime() * 1000000;
        $seed = $seed * (getmypid() > 0 ? getmypid() : 1);
        $seed = $seed * (getmygid() > 0 ? getmygid() : 1);
        $seed = $seed * (getmyinode() > 0 ? getmyinode() : 1);
        $seed = $seed * (getmyuid() > 0 ? getmyuid() : 1);
        $seed = $seed * (memory_get_usage() > 0 ? memory_get_usage() : 1);
        mt_srand($seed);                 // $seed is a float here; mt_srand() takes an integer
        return mt_rand() . mt_rand();    // two 31-bit values concatenated as decimal strings
    }
    if ($_COOKIE['token'] === md5(reallySecureRandom()))
        echo file_get_contents('/tmp/flag.txt');
    ?>

The task is fairly clear: you need to set yourself a cookie produced by this algorithm. microtime we can get from the Date header the script sends (with the caveat that (double)microtime() keeps only the fractional seconds, so the header pins the second while the microsecond part is still up to a million candidates). pid/gid/uid: some are zero (and get replaced by 1), the others are small enough to brute-force. memory_get_usage: run the script ourselves and measure the memory consumption (it differs between 32-bit and 64-bit builds). getmyinode was the unclear one, since its value is really large. In the end, in some magical way, the task was solved with $seed = 0. Note that mt_srand() takes an integer, while this $seed is a float that is the product of microseconds, the PID, the inode number and memory usage, which easily exceeds even the 64-bit integer range; presumably that conversion is what collapsed the seed to 0, but all I can say for sure is that it worked. So the code to generate the cookie:
    <?php
    mt_srand(0);
    echo md5(mt_rand() . mt_rand());
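How the cookie would be attacked in general, as an added example in Python (not the challenge code): a reimplementation of PHP's mt_srand()/mt_rand() pair plus a search over candidate seeds that regenerates md5(mt_rand().mt_rand()) for each one and compares it with the token. The generator matches PHP 7.1 and later (MT19937 seeded with init_genrand, each output shifted right by one bit); the 2013 server would have run PHP 5, whose mt_rand() used a slightly different twist step. That variant is included under the legacy flag as an assumption about the old source, so tokens from a real PHP 5 box are not guaranteed to match it.

```python
import hashlib


class PhpMt:
    """MT19937 as PHP seeds it: mt_srand(seed) runs init_genrand(seed) and
    mt_rand() returns the tempered 32-bit word shifted right by one bit.
    This matches PHP 7.1+ (MT_RAND_MT19937). legacy=True switches to the
    twist step of older PHP (assumption: the variant PHP 7.1 kept as
    twist_php uses the low bit of u rather than v); the 2013 server was PHP 5."""
    N, M = 624, 397

    def __init__(self, seed: int, legacy: bool = False):
        self.legacy = legacy
        s = [0] * self.N
        s[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            s[i] = (1812433253 * (s[i - 1] ^ (s[i - 1] >> 30)) + i) & 0xFFFFFFFF
        self.state = s
        self.index = self.N              # first call reloads, like php_mt_srand() does

    def _twist(self, m: int, u: int, v: int) -> int:
        mixed = (u & 0x80000000) | (v & 0x7FFFFFFF)
        low = u if self.legacy else v
        return m ^ (mixed >> 1) ^ (0x9908B0DF if low & 1 else 0)

    def _reload(self) -> None:
        s, N, M = self.state, self.N, self.M
        for i in range(N):               # in place, so later rows see fresh values (as in C)
            s[i] = self._twist(s[(i + M) % N], s[i], s[(i + 1) % N])
        self.index = 0

    def next_u32(self) -> int:
        if self.index >= self.N:
            self._reload()
        y = self.state[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        return (y ^ (y >> 18)) & 0xFFFFFFFF

    def mt_rand(self) -> int:
        """PHP's mt_rand() with no arguments: a 31-bit value."""
        return self.next_u32() >> 1


def php_token(seed: int, legacy: bool = False) -> str:
    """md5(mt_rand().mt_rand()) as the challenge builds it: PHP's '.' turns
    both integers into decimal strings before hashing."""
    g = PhpMt(seed, legacy)
    return hashlib.md5(f"{g.mt_rand()}{g.mt_rand()}".encode()).hexdigest()


def recover_seed(token: str, max_seed: int, legacy: bool = False):
    """Try every seed in [0, max_seed] and return the one whose token matches,
    or None. The challenge's seed is a product of a few small per-process
    numbers, so the space worth trying is tiny compared with 2**32."""
    for seed in range(max_seed + 1):
        if php_token(seed, legacy) == token:
            return seed
    return None


if __name__ == "__main__":
    print("token for seed 0:", php_token(0))
    print("recovered:", recover_seed(php_token(0), 100))
```

Sanity check for the generator: seeded with 5489, the first raw 32-bit word is 3499211612, the reference MT19937 value. The lesson is the one the task was built on: whatever gets multiplied into the seed, mt_srand() only ever sees a single integer, and an attacker who can bound that integer only needs to run the same generator.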


Crackme (reverse)


NSA.

Flag is MD5(key)

I didn't solve this one; it's a reverse under macOS. All I tried was running it through strings :)

inveter


Reverse the 480120101078 with #chaosconstructions2013.
Hackmap around are Fibonacci numbers up to 0x10.
Hint: 480132102026 and 481214218007 fit too.

Flag is MD5(result)

Nobody solved this task. There were various ideas, but I'm not sure which of them are right, so I won't write anything)

CryptoMsg (reverse)


#i#<L4w1u0q)mT9Q - ????????
1evryyone lies6 - 44,~yteU<<*sZOe
1234567 - )Wj~5Kb
1234568 - *Wj~5Kc
2345678 - 1Ym$:Qi
abcdef - FX=#hP
abcdef1 - YY>$iQb
hackers - ]_D1vj_
1337hackers - |\o(pS8%j^S
hackers1337 - UcH5znct)<S
task for cryptoanalysis - !{p]]E6**ma\ND5vfI72'pe
you will never break this cipher! - q:11*saOO?&|CWW;/tWDD:$mbbG2$lSGH

Flag is MD5(????????)

Download crypt3r: ./ccrypto.jar

We need to decrypt the first message, and we have the tool. Download ccrypto.jar, run it through a decompiler (java.decompiler.free.fr) and get the application source:
    // decompiled from ccrypto.jar; uses the fields String input, ArrayList buff, String output
    void encrypt() {
        int val = 0;
        this.buff = new ArrayList();
        for (int i = 0; i < this.input.length(); i++) {
            val = this.input.charAt(i);
            val -= 32;                                   // printable ASCII -> 0..94
            if (i > 0) {
                val += ((Integer)this.buff.get(i - 1)).intValue();   // chain on the previous output value
            } else {
                val += this.input.length() + 13;         // first char: add length + 13 instead
            }
            if (val > 94) {
                val -= 94;                               // wrap; note 94 itself is kept
            }
            Integer Val = Integer.valueOf(val);
            if (i == this.input.length() - 1) {          // last char: fold it back into position 0
                int temp = 0;
                temp = ((Integer)this.buff.get(0)).intValue() + val;
                if (temp > 94) {
                    temp -= 94;
                }
                this.buff.set(0, Integer.valueOf(temp));
            }
            this.buff.add(Val);
        }
        for (int i = 0; i < this.input.length(); i++)
            this.output += String.valueOf((char)(((Integer)this.buff.get(i)).intValue() + 32));
    }

I got to this task on the second day, and since I hadn't slept and had stayed at the club (another task got solved during the night), I simply didn't have enough left in me for this algorithm; a friend helped and worked it out by hand. Reversing the algorithm is not as trivial as it looks; try it :)

WPA / WPS (WiFi)


I've combined two tasks because they're similar. WPA:
You have a router at CC2013 which wants to be hacked.
A tricky admin has hidden the ESSID of its AP.
Use all your skills to penetrate its network

Flag is MD5(key)


WPS:
There is a white box which broadcasts wifi somewhere in the hack zone. You need to penetrate into its network.
BTW some digits of the pin were saved ;) happy hacky

Flag is MD5(key)


We go to the hack zone, boot BackTrack and do everything by the guides. With WPA and the standard dictionary, the key pops out within half a second. A hidden ESSID only keeps the name out of the beacons; airodump-ng shows it as soon as a client probes or (re)associates, which a deauth forces.
WPA guide - www.aircrack-ng.org/doku.php?id=cracking_wpa
In Russian about WPS - habrahabr.ru/company/xakep/blog/143834 (by the way, I didn't get to WPS, there wasn't time; you just had to wait for the brute force to succeed).

onside


Tasks on site. We walk up and ask; they say we need to find the cameras that have stickers with text next to them. You have to read what's on them and report it to the organizers, without getting your face on camera. There were different ways to go about it) We're told there are fewer than 5 cameras.
And there was a trivia one: 5 questions, one of which I burned a lot of time on: "Name a hacker attack whose name consists only of hex characters". dd05 or fl00d-style spellings don't count, i.e. leetspeak substitution doesn't work. The task was solved (by someone); does anyone have ideas? :)

USBsticks


Get a USB stick from CC2013 to find a key

Exactly that: a bunch of flash drives. One of them had flag.txt on it; we pass.

And the two most interesting tasks, in my opinion.

androface (mobile)


Unlock Android device from CC2013 hack-zone

We walk up and are handed a Samsung tablet with Android 4.1; it's locked with face unlock enrolled to a person from the conference. We need to unlock it, with 5 attempts allowed. We find a bug


We go to the same person, photograph him with eyes open and with eyes closed, and try our luck. Three attempts didn't do it. After I rotated the photo 90 degrees and turned the laptop brightness up to maximum, everything was OK :) the device unlocked

VKmusic (reverse)


Edward. He is a spirit of peace in Russia.
However, his favorite song is currently banned. You need to find out the detection mechanism and upload the song.
Initial analysis showed "VKAF".
Flag is an MD5 hash

Note: each offset is rounded before hash calculation (i.e. 12345 -> 12300)
song

This topic has already come up on Habr:
Uploading blocked audio recordings to VKontakte - habrahabr.ru/post/183554
Blocking of audio recordings on VKontakte. Restoring a playlist - habrahabr.ru/post/183470
In the comments there, there is also a mention of a talk that describes how uploaded recordings are checked. After watching the video it becomes clear that specific fixed bytes are checked for every file type (fuzzing by substituting bytes in the middle of the file never gave anything). The organizers wrote that you need to find 3 bytes and hash them, and that will be the key. But on the night of the 10th to the 11th a solution with just 1 byte was found, which unfortunately I can't publish here :) I'll give a direction though: the byte is purely cosmetic, all of the file's data is preserved.
We download the track from the task (which doesn't upload to VK), change 1 byte, and voilà, everything works.
In the morning I showed the solution and was given the flag manually :)

We took first place and were given this cool thing. All in all, thanks to the organizers, it was great :)


Award

Source: https://habr.com/ru/post/189828/

