Friday, February 25, 2011

Nullcon HackIM 2011 CTF Writeup - Levels 5-12

Level 5


Beautiful wave file, made us go mad hearing it again and again with the dial tones. After almost a whole day of tinkering with the wav file we finally decided to check whether it was Morse code, still no luck. Attempted to convert this wav into meaningful formats or decimal and tried DTMF. Yes, we were able to get a beautiful long sequence of binary numbers. Tried converting that binary into decimal and got stuck at 69.163.136.179. Hmmmm, looked so familiar, yet the scorer was not accepting it as the answer. Trying to reach the IP address through a browser gives a typical HTTP error about a mis-configured server. Hmmm, so sad. One last hint was to try to resolve this IP, and it was nullcon.net. How simple it seemed, yet it was a tough nut to crack during the CTF. Tried entering nullcon.net in the Answer field.. yes, finally we made it :)


Hint : Everything isn't always the way it seems to be | Listen it, use your imagination you can't imagine anything else being a hacker
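The DTMF-to-IP pipeline described above, as an added example that is not part of the original post: instead of reading the challenge WAV, the tones are synthesised in memory (constructed input at an assumed 8 kHz sample rate), a Goertzel filter picks the dominant row/column pair for each burst, and the resulting 0/1 keys are packed into dotted-quad octets.

```python
import math

# Standard DTMF grid: low-group (row) and high-group (column) frequencies in Hz.
ROWS = (697, 770, 852, 941)
COLS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
RATE = 8000  # sample rate assumed for the constructed tones (Hz)

def goertzel(samples, freq, rate=RATE):
    """Power of the DFT bin nearest to freq, computed with the Goertzel recurrence."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_tone(samples, rate=RATE, ratio=3.0):
    """Return the key whose row and column tones dominate the frame, else None."""
    row_p = [goertzel(samples, f, rate) for f in ROWS]
    col_p = [goertzel(samples, f, rate) for f in COLS]
    r = max(range(4), key=row_p.__getitem__)
    c = max(range(4), key=col_p.__getitem__)
    # Reject silence and noise: the winner must clearly beat the runner-up in its group.
    if row_p[r] <= 0.0 or col_p[c] <= 0.0:
        return None
    if row_p[r] < ratio * sorted(row_p)[-2] or col_p[c] < ratio * sorted(col_p)[-2]:
        return None
    return KEYS[r][c]

def synth_key(key, ms=100, rate=RATE):
    """Constructed input: a clean two-tone burst for one keypad key."""
    r = next(i for i, row in enumerate(KEYS) if key in row)
    f_low, f_high = ROWS[r], COLS[KEYS[r].index(key)]
    return [0.5 * math.sin(2 * math.pi * f_low * i / rate)
            + 0.5 * math.sin(2 * math.pi * f_high * i / rate) for i in range(rate * ms // 1000)]

def tones_to_ip(frames):
    """Decode one key per frame, read the 0/1 keys as bits and group them into octets."""
    keys = [k for k in (decode_tone(f) for f in frames) if k is not None]  # drop silent frames
    if any(k not in "01" for k in keys) or len(keys) % 8:
        raise ValueError("not a clean stream of whole octets: %r" % "".join(keys))
    bits = "".join(keys)
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

# Constructed check: the octets of 69.163.136.179 dialled as 32 '0'/'1' key presses.
SAMPLE_BITS = "".join(format(o, "08b") for o in (69, 163, 136, 179))
SAMPLE_FRAMES = [synth_key(b) for b in SAMPLE_BITS]
```

With a real capture the frames would come from slicing the WAV samples at the tone boundaries; the dominance ratio is what keeps inter-digit silence from decoding as a key.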

Level 6

The level says simple and nonsense. Tried the strings command as shown below:

root@deva-desktop:/home/deva# strings  helllo_world.exe  |less

abracadabra:Jai Ho Mark stands out pretty clearly from the rest of the found strings. Yes, level 6 was cleared with Jai Ho. It reminds me that sometimes hackers are also so lazy, similar to the DefCon prequals ;P


Level 7

Big Brother is Watching You: 


The provided attachment contained a Windows event log. Tried opening it with the classic Windows Event Viewer, got an error and aborted.


Tried using a simple utility and yes, we were able to view the complete list of events. As the input field was waiting for the name of the faulting application, simple filters on the events brought me straight to the line given below, showing us the answer for this level :)




Level 8 


The provided raw dump made us go crazier. Nothing was found. No hints available, still burning the midnight oil, we were able to identify 4-5 packets showing a different AuthData and AuthType in Wireshark.


After analysing the values, it was found that OSPF and OSPF Hello packets are frequent in this capture, 55 packets in all. Packet 128 showed the AuthType as simple password and the AuthData as prince. Sure, this prince is a sign of trouble and a hint, and we analysed the other values:


The next packets started showing the AuthType as Cryptographic, and by then the second clue had been released, leading us straight to Cisco's implementation of the device's date/time. A simple conversion of hex to decimal gave us 0x2b915353 --> 730944339. Another epoch conversion of 730944339 gave us 01 Mar 1993.


Finally we hit the target with that value and yes.. we were allowed into level 9.
I have to certainly agree with everyone who played this CTF that this was the level which took most of our time, in a good way :p
Hint 1 : And I will Reply great vengeance upon them with furious Attack; and they shall know that I am the lorD, when I shall lay my vengeance upon three. Ezekiel 23:28 

Hint 2 : RFC 2328 Section D.3 Cisco Implementation
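Pulling the two authentication types out of the OSPF header, as an added example that is not from the original post: the packet bytes are constructed inline (Hello-type headers with an assumed router ID of 10.0.0.1) to carry the values quoted above, and for the cryptographic case the 32-bit sequence number is turned back into a date, which is exactly the clock-derived behaviour the second hint points at.

```python
import struct
from datetime import datetime, timezone

# OSPFv2 packet header (RFC 2328, Appendix A.3.1): 24 bytes, network byte order.
HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "Null", 1: "Simple password", 2: "Cryptographic"}

def parse_ospf_auth(packet):
    """Return a dict describing the authentication field of one OSPF packet."""
    if len(packet) < HDR.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, router_id, area_id, _csum, autype, auth = HDR.unpack_from(packet)
    info = {
        "version": version,
        "type": ptype,
        "router_id": ".".join(str(b) for b in router_id),
        "autype": AUTYPE.get(autype, "unknown(%d)" % autype),
    }
    if autype == 1:
        # Simple password: sent in the clear, NUL-padded to 8 bytes (what Wireshark showed as AuthData).
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # Cryptographic: 2 reserved bytes, Key ID, Auth Data Length, then a 32-bit sequence
        # number (RFC 2328, Appendix D.3). The write-up's hint is that Cisco seeds that
        # sequence number from the router clock, so it reads as seconds since the Unix epoch.
        _res, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info["key_id"] = key_id
        info["auth_data_len"] = auth_len
        info["seq"] = seq
        info["seq_as_time"] = datetime.fromtimestamp(seq, timezone.utc).strftime("%d %b %Y %H:%M:%S")
    return info

def build_header(autype, auth, router_id=b"\x0a\x00\x00\x01"):
    """Constructed test packet: a Hello-type header (type 1) carrying the given auth field."""
    return HDR.pack(2, 1, HDR.size, router_id, b"\x00\x00\x00\x00", 0, autype, auth)

# Constructed inputs that mirror the values quoted in the write-up.
SIMPLE = build_header(1, b"prince".ljust(8, b"\x00"))
CRYPTO = build_header(2, struct.pack("!HBBI", 0, 1, 16, 0x2b915353))

if __name__ == "__main__":
    for pkt in (SIMPLE, CRYPTO):
        print(parse_ospf_auth(pkt))
```

On a real capture you would feed the 24 bytes that follow the IP header of each protocol-89 packet; a sequence number that decodes to a plausible date is the tell that the router clock is leaking into the protocol.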

Level 9
Web asura web asura who is the worst asura of all !

Started trying out default passwords and it promptly said "You are not an administrator". Made us realise it was expecting only Administrator, so we tried sending Administrator/password, still no luck. Tried administrator with a blank password and blind SQL attacks, which proved futile.

"Leechers will be banned, seeders welcome" also made us think that it might have to do with something other than POST/GET. So tried sending the value of password as blank again through the Firefox addon TamperData, which drove us straight to another screen identifying the attack. No luck again, so we searched the source code again and oh yes, there was a hidden clue, a BASE64-encoded text.


With much relief, extracted the value and passed it to a base64 decoder, which spat out the image attached herewith, containing the password for this level:

1337'5BringRevolution

Hint :  Leechers will be banned. Seeders welcome | Bhavnao ko samjho sabdo mey kya rakha hai... | Developers are bound to make mistake that why hackers exist...


Level 10: 

root@deva-desktop:/home/deva# unrar x windump.rar

UNRAR 3.93 freeware      Copyright (c) 1993-2010 Alexander Roshal
Extracting from windump.rar
Extracting  nullconnew.dmp                                            OK
All OK

wget https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.tar.gz

root@deva-desktop:/home/deva/vol# python volatility hivelist -f  ../nullconnew.dmp -o 0x1609ad0
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Address      Name
0xe1696008   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1672358   \Documents and Settings\Administrator\ntuser.dat
0xe1cd46b8   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cd4b60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1cbb7b0   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cb5008   \Documents and Settings\NetworkService\NTUSER.DAT
0xe15e2b60   \WINDOWS\system32\config\software
0xe15eb758   \WINDOWS\system32\config\default
0xe15d9a58   \WINDOWS\system32\config\SECURITY
0xe1607b60   \WINDOWS\system32\config\SAM
0xe13de530   [no name]
0xe101b008   \WINDOWS\system32\config\system
0xe1008ad0   [no name]

root@deva-desktop:/home/deva/vol#  python volatility hashdump -f  ../nullconnew.dmp  -y 0xe101b008 -s 0xe1607b60
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9ecf4ed3de9812827ced31010372159b:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::


A simple crack on the lovely Ophcrack with a small dictionary gave us the username and password for two accounts to clear this level.




Hint : Open the doors of the Windows, & take a trip down the memory lane
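Before handing a dump like the one above to Ophcrack it pays to triage it, because two of those lines need no cracking at all. The following is an added example, not part of the original post: it parses pwdump-format lines (skipping the stray DeprecationWarning line that Volatility printed between them), flags accounts whose NT hash is the well-known hash of the empty string (blank password), and flags accounts that still store a real LM hash, which is the weak, fast-to-crack one. The sample input is constructed from the values shown above.

```python
# Well-known hash values: both are the hash of an empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # no LM hash stored (LM disabled or password > 14 chars)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" -> the account has a blank password

def parse_pwdump_line(line):
    """Parse one 'user:rid:lmhash:nthash:::' line into a dict; return None for non-hash lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        return None  # e.g. the "crashdump.py:31: DeprecationWarning" noise line
    return {
        "user": user, "rid": rid, "lm": lm, "nt": nt,
        "blank_password": nt == EMPTY_NT,
        "lm_stored": lm != EMPTY_LM,   # a stored LM hash is a finding in itself
        "builtin": rid in (500, 501),  # RID 500 = Administrator, 501 = Guest, whatever the name
    }

def triage(dump):
    """Split a hashdump into blank-password accounts, LM-exposed accounts and the rest to crack."""
    accounts = [a for a in map(parse_pwdump_line, dump.splitlines()) if a]
    return {
        "blank": [a["user"] for a in accounts if a["blank_password"]],
        "lm_stored": [a["user"] for a in accounts if a["lm_stored"]],
        "to_crack": [a["user"] for a in accounts if not a["blank_password"]],
        "builtin": [a["user"] for a in accounts if a["builtin"]],
    }

# Constructed sample: a subset of the hashdump output above plus the noise line it contained.
SAMPLE = """\
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::
"""

if __name__ == "__main__":
    for bucket, users in triage(SAMPLE).items():
        print("%-10s %s" % (bucket, ", ".join(users)))
```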

Level 11 :



Solution : copyingallorpartsofaprogramisasnaturaltoaprogrammerasbreathingandasproductiveitoughttobeasfree


Hint : After stumbling upon love ... don't stop there my dear, there is still lots to be done | Don't just accelerate your mind's meter my dear, peep into my heart, for you'll see, safely concealed in it, is a golden key, but if u're at loss bumblebee, take some free help openly from Linus's pet Geeko Mascot Lizard | If geeko don't help ask from his good brother CAMOU.....

Level 12:


$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@kc!@ctqd@cq*h@cqhqa&grc$qiuqci&g@wc^*c$t&qc$&h@cq#*^gwc$tq$c!&iicq^#@i%cstqgr@c%*^#c(@#q(@s$&d@c*ecq@s^#&$%cugc$t@ce^$^#@kc!@c$tqguc$t@cs*hh^g&$%ce*#cq^((*#$&grc^qjc&$c&qc%*^#cq^((*#$c$tq$c!@ctqd@cr#*!gcqgwcq#@cqfi@c$*cq@#d@c$t@cs*hh^g$%c&gcqcf@$$@#c!q%keiqroc%*^cq#@c*^#ct@#*


Lovely text, isn't it ;). This is the content provided in the final round.

The hint was released around 10:00 PM on IRC and madness scrambled upon. As we had already lost more than 4-5 days of rest, I hit the bed and went off to rest. Woke up at around 4 am and the scoreboard showed Anant had already succeeded. Still not losing hope, started working on the problem keeping the hint in mind.
!=w @=e w=d. It was a simple substitution cipher and finally got the answer to clear this level.


the open security community registered non profit society is back with nullcon nullcon goa dwitiya international hacking conference.we have some smashing talks lined up this time around that will surely change your perspective of security in the future.we thank the community for supporting us,it is your $tq$ we have grown and are able to serve the community in better way;you are our hero 


Hint: Queen of Witches EnteRed mY hearT, but I did the right thing and let down the f/tart

Nullcon HackIM 2011 CTF Writeup - Levels 0-4



Level 0 :

Initially no hints were provided for level 0 to level 2.

Started off trying blank and admin/admin, admin/password and other common combinations. Still no luck, hence as the next option decided to look into the source code for hidden clues. The only word in the source code which caught my attention was action="level-0-proc.php", hence tried replacing "level-0.php" with "level-0-proc.php".

Voila...... got the congratulations and moved to Level 1.

Hint : I just wanna say one word to you.. just one word.firebug .or you could just mind your 'action'


Level 1 :

The title says Another Idiot Test, hence looked for hidden clues in the source code and found the encrypted text mentioned below down in the source.


A wild guess that ROT13 might help made me try the following:


deva@deva-desktop:~$ echo fnirorreqevaxjngre  | tr 'a-zA-Z' 'n-za-mN-ZA-M' 
savebeerdrinkwater


Well, it looked interesting; tried this as the password and yes, I got lucky again :)

Hint :  Dig Deep to find the Treasure

Level 2:

No hints were provided, no guides available, which made me wonder a lot about what was expected. Several Google searches about the image placed on the page turned out to be of no luck :(

After long moments of searching I re-read the code and found the second comment:
application/x-httpd-php-source
So started focusing on x-httpd-php-source, and all searches on Google led me to php and phps files. Made me think phpS could be a clue and tried to reach level-2-proc.phps. Lucky me again :)


if($_POST['password'] == "microsoftisnteviltheyjustmakereallycrappyoperatingsystems")
Well, what more to do other than try the newly found level 2 password. Time to move to level 3.

Hint :elePHPant arriveS - Courtesy PHPCamp Pune'11(Hint published loooooooong after I cleared off the level, late late hint :D)


Level 3:

my lisa, SmIth and me, Playing a game of words with thee,
Go eat your shorts you worm, as we lost to your fake treachery

The "my lisa" trivia made me narrow it down to Melissa, since they also mentioned a worm and Melissa fits properly. A simple Google search landed me on the Wikipedia page of Melissa and the author name looked interesting:
Kwyjibo. Yes, you guessed it right, it's the password to level 4.


Level 4: 

Script It!

First Number = 0 Second Number = 0 
Answer = First Number + Second Number + Previous Answer + Product of First Number and Second Number
After This ==> First Number + 1 & Second Number + 2
Final Answer will be the value of 'Answer' when First Number = 31337

Digging on the source gave me U3RhcnQgd2l0aCBQcmV2aW91cyBBbnN3ZXIgPSBGMQ== 
A quick online Base64 converter gave me the hint in clear text: "Start with Previous Answer = F1". Searching for the value of F1 made me look at ASCII values and later landed on the F1 race, which gave 241 as the maximum speed reached by McLaren.

So here is the Python code which moved me across to Level 5 with ease.

fn = 0        # First Number
sn = 0        # Second Number
pr_an = 241   # Previous Answer, seeded with the 241 from the "F1" hint
ans = 0
# One iteration per step: fn goes 0, 1, 2, ... and sn goes 0, 2, 4, ...
# so the final iteration computes Answer with fn = 31337.
for i in range(1, 31339):
    ans = (fn + sn + pr_an) + (fn * sn)
    pr_an = ans
    fn += 1
    sn += 2

print(ans)

Running the script gave me 20517902536450 which helped me reach Level 5.

Hint : Handicapped, am I?

Time for rest now. Will be back later for Levels 5-12.

Sunday, February 06, 2011

Nullcon HackIM 2011 CTF - Finished 5th


Nullcon HackIM CTF 2011, part of the nullcon International Conference, presented a beautiful CTF which left many folks cranking their heads over multiple scenarios and losing almost 7 days of rest.

Kudos to the moderators corrupt/void; through IRC, helpful hints (:p) were provided which helped a lot of the competing members clear the CTF.

The number of members registered for the CTF as on 6th Feb 2011 stands at 490.

A quick summary of the challenges is posted below for easy reference.
- Level 0 - HTTP actions - POST/GET
- Level 1 - Hashing algorithm
- Level 2 - PHP scripts
- Level 3 - Computer & Security history
- Level 4 - Custom scripts
- Level 5 - WAV/Binary crack
- Level 6 - EXE file analysis
- Level 7 - Log analysis
- Level 8 - Packet analysis
- Level 9 - CSS/XSS Injection
- Level 10 - Windows Memory analysis
- Level 11 - WPA attack + Tcpdump analysis + Steganography (Added as requested ;)
- Level 12 - Keyboard hack

Thanks to the nullcon team. Made us realise and brush up our skills on all facets, from memory debugging to cracking wireless passwords. Cheers to them.