I luvz hacking challenges sites - do you? (Yaniv Miron, HackFest 2014)
-
I luvz hacking
challenges sites -
do you?
Yaniv Miron aka Lament
CyberLord
@lament1337
HackFest 2014 CANADA
-
/ About me
Yaniv Miron aka Lament
Security Researcher and Consultant
Certified Locksmith & CISO Certified
Found 0-days @ IBM, Oracle, Microsoft, Apache, Facebook (F-U for not giving
me credit & bounty) and more.
-
/ What's going on here?
There are many CTF games, and these hacking challenge sites are a kind of online
Capture The Flag.
I would like to share my experience by demoing some examples of these online
hacking challenges.
Some of them are Stego, Logic and Reversing.
-
Hacking challenges sites?
There are different sites that offer challenges; some of them actually grade
and rank the users, and some just let the users download challenges and try them
offline.
-
HackThisSite.Org
One of the largest sites in this area
Different cool challenges in there
-
Other sites
http://canyouhack.it
http://www.dareyourmind.net
http://crackmes.de
Many more
-
The Ranks
Different levels give different ranks
-
The Different Challenges
-
Why the h311 are you giving
solutions?
Unfortunately, most of them are somewhere online.
Unfortunately, people just copy the solutions from others and paste the answer.
Because it's a small % of the real challenges, and you need to learn somehow.
-
Solutions
There are different ways to solve different tasks; it could be that there are easier
ways than what I'm showing here, but this is the path that I took.
I'm trying to show how to think rather than just the quick way to get a solution.
Sometimes that makes the solution more complicated.
-
DEMO Time !
-
Stego5.bmp #1
Hack The Planet
stego5.bmp
-
Stego5.bmp #2
First thing first, is it really a BMP file?
-
Stego5.bmp #3
Looks like it:
-
Stego5.bmp #4
So what's next? I think I saw something similar in the past. Maybe as a user avatar? Let's save it:
avatar.jpg
-
Stego5.bmp #5
We have a problem: you can't really compare a BMP (the original) and a JPG (the avatar).
Or can we?
-
Stego5.bmp #6
Let's just turn the JPG into a BMP
-
Stego5.bmp #7
Now let's try to compare them in hex
-
Stego5.bmp #8
-
Stego5.bmp #9
LSB?
It's widely used in stego
-
Stego5.bmp #10
We will take the stego5.bmp hex and turn it into binary.
-
Stego5.bmp #11
Let's write a Python script 'cuz we're kewl
-
Stego5.bmp #12
And back to ASCII
Looks interesting, maybe it's syn-ack-?
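The LSB extraction from the last three slides as an added example (not the script from the talk): a constructed 24-bit BMP is built in memory, a message is hidden in the least significant bit of each pixel byte after the 54-byte header, and the extractor walks those bits back into ASCII. The header check also covers the "is it really a BMP?" question from slide #2.

```python
import struct

BMP_HEADER_SIZE = 54  # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)

def make_bmp(width, height):
    """Build a minimal 24-bit BMP in memory (constructed sample, not stego5.bmp)."""
    row_bytes = (width * 3 + 3) & ~3          # each pixel row is padded to 4 bytes
    pixels = bytearray((i * 37) & 0xFF for i in range(row_bytes * height))
    size = BMP_HEADER_SIZE + len(pixels)
    hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, BMP_HEADER_SIZE)
    hdr += struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    return bytes(hdr + pixels)

def is_bmp(data):
    """Slide #2 check: 'BM' magic and a file size field that matches the data."""
    return data[:2] == b"BM" and struct.unpack("<I", data[2:6])[0] == len(data)

def embed_lsb(bmp, message):
    """Hide message (NUL-terminated) in the LSB of consecutive pixel bytes."""
    data = bytearray(bmp)
    bits = "".join(f"{b:08b}" for b in message.encode("ascii") + b"\x00")
    if len(bits) > len(data) - BMP_HEADER_SIZE:
        raise ValueError("message does not fit in the pixel area")
    for i, bit in enumerate(bits):
        pos = BMP_HEADER_SIZE + i
        data[pos] = (data[pos] & 0xFE) | int(bit)
    return bytes(data)

def extract_lsb(bmp, max_chars=64):
    """Collect the LSB of each pixel byte, regroup into 8-bit chars, stop at NUL."""
    region = bmp[BMP_HEADER_SIZE:BMP_HEADER_SIZE + max_chars * 8]
    bits = "".join(str(b & 1) for b in region)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        c = int(bits[i:i + 8], 2)
        if c == 0:
            break
        out.append(c)
    return out.decode("ascii", errors="replace")
```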
-
Logic.Binary #1
Q1:
Binary: 2011010013001000003011101113011010013011011102
-
Logic.Binary #2
Binary is 1s and 0s, isn't it?
Clean out the 2s and the 3s
Binary: 01101001001000000111011101101001​01101110
-
Logic.Binary #3
Put it nicely
Binary: 01101001 00100000 01110111 01101001 01101110
-
Logic.Binary #4
Binary -> ASCII
Answer is: i win
-
Logic.Riddle #1
Q2:
I call, but I never talk. I knock, but I never enter. I feel a bit insecure.
-
Logic.Riddle #2
A port scanner knocks but never enters, calling the ports but never talking with them.
Insecure?
A2: nmap
-
Logic.URL #1
Q3:
Sometimes when you are coding a web-based program you make a mistake with
URLs. Correct this link.
The link we get is: http://yahoo.com/search?q=hobble%20sticks
-
Logic.URL #2
A3:
It looks like a Google link, as this is the format Google uses. Let's change it to:
http://google.com/search?q=hobble%20sticks
-
Logic.URL #3
-
Logic.Num #1
Q4:
-
Logic.Num #2
1 of 2 = 12
1 of 1 and 1 of 2 = 1112
3 of 1 and 1 of 2 = 3112
1 of 3, 2 of 1 and 1 of 2 = 132112
1 of 1, 1 of 3, 1 of 2, 2 of 1 and 1 of 2 = 1113122112
3 of 1, 1 of 3, 1 of 1, 2 of 2, 2 of 1 and 1 of 2 = 311311222112
A4: 311311222112
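The Q4 rule is the "look-and-say" sequence: each term reads off the runs of digits in the previous one, exactly as the slide spells out ("3 of 1, 1 of 3, ..."). Added example, not from the talk; it generates the whole chain from the seed "2" and reproduces the slide's wording for any term.

```python
from itertools import groupby

def runs(term):
    """Split a digit string into (digit, run_length) pairs, e.g. '1112' -> [('1',3),('2',1)]."""
    return [(d, len(list(g))) for d, g in groupby(term)]

def look_and_say(term):
    """Next term: for every run, write the count followed by the digit."""
    return "".join(f"{n}{d}" for d, n in runs(term))

def describe(term):
    """Slide-style reading of a term: '1 of 1, 1 of 3 and 1 of 2'."""
    parts = [f"{n} of {d}" for d, n in runs(term)]
    return parts[0] if len(parts) == 1 else ", ".join(parts[:-1]) + " and " + parts[-1]

def sequence(seed, count):
    """First `count` terms starting from `seed` (the slide starts at seed '2')."""
    terms = [seed]
    while len(terms) < count:
        terms.append(look_and_say(terms[-1]))
    return terms
```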
-
Reversing.app7 #1
We get a file called app7win.zip with 2 files inside:
app7win.exe
encrypted.enc
Let's try to run it
-
Reversing.app7 #2
So it seems that we need to find a password here.
Let's try to remove the encrypted.enc file from the folder; maybe it will help:
-
Reversing.app7 #3
Let's see what's inside this encrypted.enc file
Doesn't look promising (at least at the moment)
-
Reversing.app7 #4
Let's see it with OllyDbg
-
Reversing.app7 #5
jnz->jz?
YEAH! We got junk
-
Reversing.app7 #6
Oh well... it didn't work
Off we go to IDA Pro
-
Reversing.app7 #7
So we need to get 0DCAh
-
Reversing.app7 #8
Oh no, it's not gonna be that easy, dude
-
Reversing.app7 #9
This is the interesting part, which handles our buffer and the .enc file
-
Reversing.app7 #10
The general thing happening in this block is that it runs 5 times, and every time it
reads a character from the .enc file.
The characters that were read (in hex) are "31,4D,39,35,33", or in ASCII "1M953". This
is not the password, but it will help us get the password (this is the key from the .enc
file).
-
Reversing.app7 #11
-
Reversing.app7 #12
Next, the app takes the user input + [ENTER = 0A] (all values in hex).
So if our input is A it will be 41+0A=4B; if it's AA it will be 41+41+0A=8C.
Then it places that in var_1C and XORs it with each of the 5 chars.
-
Reversing.app7 #13
-
Reversing.app7 #14
It adds all of them and places the result in var_18, which is then compared (cmp) with
"0DCAh" (3530).
So 31xor8C + 4Dxor8C + 39xor8C + 35xor8C + 33xor8C = 3AB
Is it true??? Nope
-
Reversing.app7 #15
-
Reversing.app7 #16
So to solve this problem we need:
31xorX + 4DxorX + 39xorX + 35xorX + 33xorX = 0DCA
So what is X???
-
Reversing.app7 #17
To solve it we can just brute force it: we will try "A" as input first, then "AA", then
"AAA", until we get the right result.
At the end the result was that as long as our input equals 753 (2F1) it solves
the problem. Therefore it doesn't really matter what the input is, as long as it
sums to 753 together.
-
Reversing.app7 #18
I have used: ccccccc2
We need to remember that at the end of our input there is "enter", which is 10, so our
total should actually be 743.
c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ c(99)+ 2(50)+ENTER(10)=753.
So: 31xor2F1 + 4Dxor2F1 + 39xor2F1 + 35xor2F1 + 33xor2F1 = 0DCA
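The app7 check reconstructed from slides #10 to #18 as an added example (not the talk's own script): the key bytes "1M953" from encrypted.enc, the input-plus-ENTER sum in var_1C, the XOR-and-add into var_18 and the compare against 0DCAh. Instead of feeding "A", "AA", ... to the binary, it searches X directly and then builds a printable input whose byte sum plus ENTER hits that X; the function names are mine.

```python
KEY = bytes.fromhex("314D393533")   # "1M953", the 5 bytes read from encrypted.enc
TARGET = 0x0DCA                     # value var_18 is compared against (3530)
ENTER = 0x0A                        # newline the app appends to the typed input

def check_value(x):
    """var_18 = sum over the key of (key byte XOR x), x being the input sum."""
    return sum(k ^ x for k in KEY)

def input_sum(text):
    """var_1C for a typed string: sum of its ASCII bytes plus the trailing ENTER."""
    return sum(text.encode("ascii")) + ENTER

def find_x(limit=0x10000):
    """Every x below limit that satisfies the check (the slide found 0x2F1 = 753)."""
    return [x for x in range(limit) if check_value(x) == TARGET]

def make_input(total, filler="c"):
    """Printable string whose byte sum + ENTER equals total; None if impossible.

    Uses as many filler chars as possible and one printable remainder char,
    backing off when the remainder would be an unprintable byte.
    """
    need = total - ENTER
    f = ord(filler)
    for n in range(need // f, -1, -1):
        rem = need - n * f
        if rem == 0:
            return filler * n
        if 0x21 <= rem <= 0x7E:
            return filler * n + chr(rem)
    return None

def solve():
    """Full chain: find X, build an input reaching it, and re-check it."""
    x = find_x()[0]
    text = make_input(x)
    return x, text, check_value(input_sum(text)) == TARGET
```

Any other string with the same byte sum (e.g. seven "c" and a "2" in a different order) passes the check too, which is what slide #17 observes.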
-
Reversing.app7 #19
-
Reversing.app7 #20
Game over!
-
Reversing.app13 #1
Let's run it
-
Reversing.app13 #2
-
Reversing.app13 #3
So let's skip IDA & Olly and check the hints
-
Reversing.app13 #4
We can monitor the time it takes the app to check every number that we enter.
A Python script that feeds it 1-999 and monitors how long the app takes to check each one.
The slowest number is the right one (?)
Close even explorer.exe, because it takes CPU power and could change our results.
-
Reversing.app13 #5
So let's do a quick & dirty BF on this app
-
Reversing.app13 #6
And run it
-
Reversing.app13 #7
-
Reversing.app13 #8
Let's just do it 3 more times, every time adding the last value instead of the
dummy one that we had
-
Reversing.app13 #9
Our monitoring worked!
-
Forensics.1 #1
We get this:
And a file: image.tar.gz
-
Forensics.1 #2
-
Forensics.1 #3
So we need to find a password.
First thing first, extract the file. We get a dd file: image.dd
Let's check what's in there real quick
-
Forensics.1 #4
Looks like we've got an NTFS Windows system
-
Forensics.1 #5
-
Forensics.1 #6
So it's mounted
-
Forensics.1 #7
3 empty folders
-
Forensics.1 #8
Well, it's a forensics challenge, so probably we need to recover some deleted
data.
Let's try to see what kind of deleted files are there.
-
Forensics.1 #9
-
Forensics.1 #10
We've got 17 files, different types.
-
Forensics.1 #11
Oh boy... well, let's check the other files
We've got a media file: Voicemail 1.wav
When played, we can hear the Tech Support guy telling Stacy that the
password is her phone number. And what is her phone number?
-
Forensics.1 #12
Let's dig some more; we can see that there is a file called Termination - Allen Smith.docx
-
Forensics.1 #13
Using the phone number 5195554783 we can extract the content of "Your new password is.rar"
Inside there is a file called "Your new password is.docx"
Inside we've got our password
-
Forensics.1 #14
We've saved the world again!
-
To Wrap It Up
Hacking challenge sites are KEWL
They help you practice your skills & prepare for CTF games
You have a community to support you while trying
-
# E [0] F #
Q? (meet @ the lounge now or)
>>
lament [AT] ilhack [DOT] org
http://www.ilhack.org/lament
Join me @lament1337
In god we trust, all others we monitor.