I luvz hacking

challenges sites -

do you?

Yaniv Miron aka Lament

CyberLord

@lament1337

HackFest 2014 CANADA

/ About me

Yaniv Miron aka Lament

Security Researcher and Consultant

Certified Locksmith & CISO Certified

Found 0-days @ IBM, Oracle, Microsoft, Apache, Facebook (F-U for not giving

me credit & bounty) and more.

/ Whats going on here?

There are many CTF games and these hacking challenges are kind of online

Capture The Flag.

I would like to share my experience with demoing some examples of these online

hacking challenges.

Some of them are Stego, Logic and Reversing.

Hacking challenges sites?

There are different sites that offer challenges, some of them actually grade

and rank the users and some just let the

users download challenges and try them

offline.

HackThisSite.Org

One of the largest sites in this area

Different cool challenges in there

Other sites

http://canyouhack.it

http://www.dareyourmind.net

http://crackmes.de

Many more

The Ranks

Different levels gives

different ranks

The Different Challenges

Why the h311 are you giving

solutions?

Unfortunately most of them are somewhere online.

Unfortunately people just copy the solutions from others and paste the

answer.

Because its a small % out of the real challenges and you need to learn

somehow.

Solutions

There are different ways to solve different tasks, it could be that there are easier

ways than what Im showing here but this is the path that I took.

Im trying to show how to think rather than just show the quick way to get a solution.

Sometimes it makes the solution more

complicated.

DEMO Time !

Stego5.bmp #1

Hack The Planet

stego5.bmp

Stego5.bmp #2

First thing first, is it really a BMP file?

Stego5.bmp #3

Looks like it:

Stego5.bmp #4

So whats next? I think I saw something similar in the past Maybe as a user avatar? Lets save it

avatar.jpg

Stego5.bmp #5

We have a problem You cant really compare BMP (The original) and JPG (the

Avatar)

Or can we?

Stego5.bmp #6

Lets just turn the JPG to BMP

Stego5.bmp #7

Now lets try to compare them with some hex

Stego5.bmp #8

Stego5.bmp #9

LSB?

Its widely used in Stego

Stego5.bmp #10

We will take the stego5.bmp hex, turn it into binary.

Stego5.bmp #11

Lets write a python script cuz were kewl

Stego5.bmp #12

And back to ascii

Looks interesting

maybe its

syn-ack-?

Logic.Binary #1

Q1:

Binary: 2011010013001000003011101113011010

013011011102

Logic.Binary #2

Binary are 1s and 0s isnt it?

Clean the 2s and the 3s

Binary: 0110100100100000011101110110100101

101110

Logic.Binary #3

Put it nicely

Binary: 01101001 00100000 01110111 01101001 01101110

Logic.Binary #4

Binary -> ASCII

Answer is: i win

Logic.Riddle #1

Q2:

I call, but I never talk. I knock, but I never enter. I feel a bit insecure.

Logic.Riddle #2

Port scanner knocks but never enter, calling the ports but never talks with them.

Insecure?

A2: nmap

Logic.URL #1

Q3:

Sometimes when you are coding a web based program you make a mistake with

URL's. Correct this link.

The link we get is: http://yahoo.com/search?q=hobble%20stic

ks

Logic.URL #2

A3:

It looks like a Google link, as this is the format Google is using. Lets change it to:

http://google.com/search?q=hobble%20sticks

Logic.URL #3

Logic.Num #1

Q4:

Logic.Num #2

1 of 2 = 12

1 of 1 and 1 of 2 = 1112

3 of 1 and 1 of 2 = 3112

1 of 3, 2 of 1 and 1 of 2 = 132112

1 of 1, 1 of 3, 1 of 2, 2 of 1 and 1 of 2 = 1113122112

3 of 1, 1 of 3, 1 of 1, 2 of 2, 2 of 1 and 1 of 2 = 311311222112

A4: 311311222112

Reversing.app7 #1

We get a file called app7win.zip with 2 files inside:

app7win.exe

encrypted.enc

Lets try to run it

Reversing.app7 #2

So it seems that we need to find a password here

Lets try to remove the encrypted.enc file from the folder, maybe it will help:

Reversing.app7 #3

Lets see whats inside this encrypted.enc file

Doesnt look promising(at least at the moment)

Reversing.app7 #4

Lets see it with OllyDbg

Reversing.app7 #5

jnz->jz?

YEAH! We got junk

Reversing.app7 #6

Oh wellIt didnt worked

Off we go to IDA Pro

Reversing.app7 #7

So we need to get 0DCAh

Reversing.app7 #8

Oh no its not gonna be that easy dude

Reversing.app7 #9

This is the

interesting part

which handles

our buffer and

the .enc file

Reversing.app7 #10

The general thing that is happening in this block is that it runs 5 times and every time

reads a character from the .enc file.

The characters that were read (in hex) are "31,4D,39,35,33" or in ascii "1M953". This

is not the password but it will help us get

the password (this is the key from the .enc

file)

Reversing.app7 #11

Reversing.app7 #12

Next, the app takes the user input + [ENTER=A]

So if our input is A it will be 41+A=4B, if its AA it will be 41+41+A=8C

Then place it in var_1C and xor it with each of the 5 chars.

Reversing.app7 #13

Reversing.app7 #14

Adds all of them and place the result in var_18 which needs to be cmp with

"0DCAh" (3530).

So 31xor8C+4Dxor8C+39xor8C+35xor8C+33

xor8C

=3AB

Is it true??? Nop

Reversing.app7 #15

Reversing.app7 #16

So to solve this problem we need to have:

31xorX+4DxorX+39xorX+35xorX+33xorX=

0DCA

So what is X ???

Reversing.app7 #17

To solve it we can just brute force it. So we will try first "A" as input, then "AA" then

"AAA" until we will get the right result.

At the end the result was that as long as our input equal 753 (2F1) it would solve

the problem. Therefore it doesn't really

matter what is the input as long as it's 753

together.

Reversing.app7 #18

I have used: ccccccc2

We need to remember that at the end of our input there is "enter" which is 10 so our

total should be actually 743.

c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ 2(50)+ENTER(10)=753.

So: 31xor2F1+4Dxor2F1+39xor2F1+35xor2F1

+33xor2F1=0DCA

Reversing.app7 #19

Reversing.app7 #20

Game over!

Reversing.app13 #1

Lets

run it

Reversing.app13 #2

Reversing.app13 #3

So lets skip IDA & Olly and check the hints

Reversing.app13 #4

We can monitor the time that takes the app to check every number that we enter

Python script that gets 1-999 and monitor how much time takes the app to check it

Slowest number is the right one (?)

Close even explorer.exe because it takes CPU power and could change our results

Reversing.app13 #5

So lets do a quick & dirty BF to this app

Reversing.app13 #6

And run it

Reversing.app13 #7

Reversing.app13 #8

Lets just to it 3 more times, every time adding the last value instead of the

dummy one that we had

Reversing.app13 #9

Our monitoring worked!

Forensics.1 #1

We get this:

And a file: image.tar.gz

Forensics.1 #2

Forensics.1 #3

So we need to find a password

First thing first, extract the file. We get a dd file - image.dd

Lets check whats in there real quick

Forensics.1 #4

Looks like we got an NTFS windows system

Forensics.1 #5

Forensics.1 #6 So its mounted

Forensics.1 #7

3 empty folders

Forensics.1 #8

Well its a forensics challenge So probably we need to recover some deleted

data.

Lets try to see what kind of deleted files are there.

Forensics.1 #9

Forensics.1 #10 Weve got 17 files, different types.

Forensics.1 #11

Oh boywell lets check the other files

Weve got a media file: Voicemail 1.wav

When played we can hear the Tech Support guy telling stacy that the

password is her phone number. And what

is her phone number?

Forensics.1 #12

Lets dig some more, we can see that there is a file called Termination - Allen Smith.docx

Forensics.1 #13

Using the phone number 5195554783 we can extract the content of Your new password is.rar

Inside there is a file called Your new password is.docx

Inside we got our password

Forensics.1 #14

Weve saved the world again!

To Wrap It Up

Hacking challenges sites are KEWL

It helps you practice your skills & prepare for CTF games

You have a community to support you while trying

# E [0] F #

Q? (meet @ the lounge now or)

>>

lament [AT] ilhack [DOT] org

http://www.ilhack.org/lament

Join me @lament1337

In god we trust, all others we monitor.