Mittwoch, 26. Mai 2010

Defcon 18 CTF Writeup - Packet Madness 400

I didn't see any writeup on this, so i write up our version.

This level was more like a Trivia level. pkt400_b1d0e962f07dde0.pcap was given with a single package inside.

sequence numbers can be magical

The description was a red herring, but the first look was on the sequence number.
The description was not a red herring, look into the Comments to get more infos. Thx to Acidtrux/Team Anomaly for this information

Sequence number: 1 (relative sequence number)
Next sequence number: 52 (relative sequence number)
Acknowledgement number: 1 (relative ack number)

There wasn't much to look into, so i assume most of you concentrated first on the given IP-Addresses and tried to communicate with them.

(UNKNOWN) [] 69 (?) : Connection refused
But we stoped after we resolved that this is a .MIL address (CON1R.NIPR.MIL)

After solving Packet Madness 100, i just played around with the data field.


I wrote a small tool to play around with the vars. Pseudecode was like:

for a = 1 to 255
for b = 1 to len(data)
print(value - a)

The output looks like:


For completeness a has the value 80d. This means you have to subtract 80d from every byte to get this string.

Where did the nop certifier meet Rick in his most famoustale?

Now the Google part begins. We brainstormed in the round and found that the NOP Certifier could be Dave Aitel. But who is Rick?

We mailed Dave if he can tell us, who Rick is. But he didn't know it.

We got this fast, because we had luck to have my friend adc in our team :)

Dave Aitel graduated from the same uni as adc is being studying atm. So he took his old address and googled for it.

This took us little more google time.
Finally we found The Birth of a Gay Slut where we have the Rick :)

Inside the text you will see parking lot of "Stardust"

Dienstag, 25. Mai 2010

Defcon 18 CTF Writeup - Binary L33tness 500

This Level was really interesting in my opinion, so i decided to write this up. :)

The first part is to "find" the binary. was with following content, which led to a 404-Notfound.

<meta http-equiv="refresh" content="0;url=">

So the real binary was located at
I assume everybody got this fast.

noname:b500 macpro$ file b500_478f0845e1bbd201.bin
b500_478f0845e1bbd201.bin: gzip compressed data, from Unix, last modified: Fri May 21 08:04:12 2010

After extraction we have two filess

noname:b500 macpro$ file c500_b6427ab1a64e6836*
c500_b6427ab1a64e6836.bin: ELF 64-bit MSB executable, SPARC V9, total store ordering, version 1 (SYSV), dynamically linked (uses shared libs), stripped
c500_b6427ab1a64e6836.dat: data

Now the funny part begins :)

Lets talk about the constrains.
  • No access to a SUN
  • No knowledge about SPARC-ASM
  • But we have IDA which could read the binary

The disassembly looks like:

.text:0000000100000CB8 mov 0x125, %l0
.text:0000000100000CBC stx %l0, [%fp+arg_7CF]
.text:0000000100000CC0 stx %l3, [%fp+arg_7D7]
.text:0000000100000CC4 mov 8, %l0
.text:0000000100000CC8 stx %l0, [%fp+arg_7DF]
.text:0000000100000CCC ldx [%fp+arg_7CF], %o0
.text:0000000100000CD0 call _SUNW_C_GetMechSession

We looked into the documentation of getmechsession() and found the following call.

    CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,

You can see in the assembly that mech has the constant parameters 125 and 8.

By looking into pkcs11t.h you can see the following constant.

#define CKM_DES_CBC_PAD 0x00000125

It looks like, the binary uses a DES-CBC encryption. By googling we found one example implementation on suns website

mechanism.mechanism = CKM_DES_CBC_PAD;
mechanism.pParameter = des_cbc_iv;
mechanism.ulParameterLen = 8;

rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession);

It looks like they implemented this sample code :)
So lets look where the IV is stored:

Looking at the beginning of main() we see:

set 0x100000, %l1
sllx %l1, 12, %l1
bset 0xFE0, %l1

What is located at 0x100000FE0?

0x100000FE0: 0xdeadbeefbaadfood
Sounds like an IV :-))

But DES also needs a KEY. Lets look further into the code

.text:0000000100000D6C ldx [%fp+arg_7BF], %o0
.text:0000000100000D70 sethi %hi(0x3800), %g5
.text:0000000100000D74 btog -0x101, %g5
.text:0000000100000D78 add %fp, %g5, %o1
.text:0000000100000D7C add %fp, arg_7C7, %o3
.text:0000000100000D80 mov 5, %o2
.text:0000000100000D84 call _C_CreateObject

Looking into the sample:

rv = C_CreateObject(hSession, template, sizeof (template) / sizeof (CK_ATTRIBUTE), &hKey);
and the template has this format:

CK_ATTRIBUTE template[] = {
{CKA_CLASS, &class, sizeof (class) },
{CKA_KEY_TYPE, &keyType, sizeof (keyType) },
{CKA_TOKEN, &falsevalue, sizeof (falsevalue) },
{CKA_ENCRYPT, &truevalue, sizeof (truevalue) },
{CKA_VALUE, &des_key, sizeof (des_key) }

In our assembly the value for sizeof (template) / sizeof (CK_ATTRIBUTE) == 5, so we have also 5 CK_ATTRIBUTEs like the sample.

now you can try to understand SPARC-ASM but getting the key is easier than getting the IV :-)

looking into the .data section in IDA you will find a global variable called k, yes k like KEY :-)

0x100101668 k: DD73CC7FDD7ECC7F

Now you can decrypt the .dat file

noname:b500 macpro$ openssl enc -d -des-cbc -in c500_b6427ab1a64e6836.dat -K DD73CC7FDD7ECC7F -iv DEADBEEFBAADF00D

Isn't it ironic? 500 points level got solved pretty fast without executing the binary and Packet Madness 100 took us 2 days :-)

If you have questions or suggestions for improvements, you can send an e-mail to my account "bashrx".