
CSAW CTF 2012: Web 1

This entry was posted on Oct 07 2012

Here we were given a login form and a piece of text instructing us to bypass the authentication.

http://128.238.66.216/c4ca4238a0b923820dcc509a6f75849b/



Lara Anderton needs to break into PreCrime to free her husband, but they just installed a fancy new security system. Help her break into it!

When the login form appeared for the first time, we watched its cookies using the Mozilla Firefox addon “Live HTTP Headers”. We found a couple of them:


auth=0

user: Lara+Anderton

First we tried to set auth=1 and replayed the POST request. The result was:

Eyeballs.*

The next attempt was to set auth=1 and user=admin. This time we didn’t come back empty-handed; it displayed the following text:


*Eyeballs.*key{I'd like a word with my husband.}

Solution: I'd like a word with my husband.
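The bypass above works because the server trusts an auth flag that the browser itself supplies. As an added example (not part of the original write-up), the following Python contrasts that naive check with one that protects the cookie with an HMAC; the handler names, the SECRET value and the cookie layout are constructed for illustration.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

def parse_cookies(cookie_header):
    """Turn a raw Cookie header into a plain {name: value} dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}

def login_state_naive(cookie_header):
    """Vulnerable check: the server believes whatever auth/user the
    browser sends back, so editing the cookie is the whole attack."""
    c = parse_cookies(cookie_header)
    return c.get("auth") == "1", c.get("user")

# Constructed secret; a real deployment keeps this server-side only.
SECRET = b"constructed-server-secret"

def sign(user, auth):
    """HMAC-SHA256 over the fields the server must be able to trust."""
    return hmac.new(SECRET, f"{user}|{auth}".encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, auth):
    """What the hardened server would set after a real login decision."""
    return f"user={user}; auth={auth}; sig={sign(user, auth)}"

def login_state_signed(cookie_header):
    """Hardened check: any edit to user or auth invalidates the MAC."""
    c = parse_cookies(cookie_header)
    user, auth, sig = c.get("user", ""), c.get("auth", ""), c.get("sig", "")
    if not hmac.compare_digest(sig, sign(user, auth)):
        return False, None  # tampered or unsigned: treat as logged out
    return auth == "1", user

if __name__ == "__main__":
    original = "auth=0; user=Lara+Anderton"   # as observed in the challenge
    tampered = "auth=1; user=admin"           # the edit that produced the key
    print(login_state_naive(original), login_state_naive(tampered))
    print(login_state_signed(tampered))
    print(login_state_signed(issue_cookie("Lara+Anderton", "0")))
```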

CSAW CTF 2012: Exploitation 1

This entry was posted on Oct 04 2012

Here the challenge was

nc 128.238.66.218 54321

Read the key out of ./key in the current working directory

Also we were given a binary called exploitation-release

Given the challenge text, instead of reversing the binary we blindly tried a buffer overflow by entering a lot of 'a' characters, and that worked! It immediately gave out the key.

CSAW CTF 2012: Recon 3

This entry was posted on Oct 03 2012

So, this was the challenge we had to solve:

Julian Cohen – 100 Points

The search we were given pointed straight at his username: HockeyInJune.

After scratching our heads and searching his Twitter, his GitHub and his websites, we remembered a general hint that had been given: “Hint for Recon: Lots of judges really like Reddit.”

So, I started searching on Reddit and found one of his comments on http://www.reddit.com/user/HockeyInJune/comments/ pointing to a webpage:

You don’t like roosters? :(

NSFW http://cockcab.com/

On that page we saw the key. Challenge solved!

CSAW CTF 2012: Reversing 1

This entry was posted on Oct 02 2012

For this problem, we had to patch an executable named csaw2012reversing.exe for 100 points.

After loading it in OllyDbg, we solved this problem by NOP-ing the calls at virtual address 0x00D21106.

Solution: welcome_to_csaw!

CSAW CTF 2012: Recon 1

This entry was posted on Oct 02 2012

We were only provided with a Google search string on Jordan Wiens.

From Jordan’s Twitter account, we noticed that he uses the nick @psifertex there. Googling for psifertex led us to http://psifertex.com/. But the site contained nothing but the following text:

Nothing to see here, move along.

What to do next? Let’s see what the site’s robots.txt file says. Hmm, something was there.

User-agent: *
Disallow: /
Disallow: /csaw

So there is a directory /csaw there. Pretty interesting. We blindly tried to access the index.html in it, and found the following:

Some Understanding Becomes Dominant On Manipulation And Inquisitive Naming

Don't bother brute forcing file paths, you'll never find it that way.

Collecting the initial letters of the first line gives the word SUBDOMAIN. But the question remained: which one?

We tried to google for the subdomain(s) of psifertex with site:psifertex.com, but the only subdomain we found was Corrupt The Youth. The source of the home page had this line commented:

Stuck! We tried nslookup psifertex.com and got 69.163.249.183 as the response. Accessing http://69.163.249.183/ threw the following error:

Site Temporarily Unavailable

We apologize for the inconvenience. Please contact the webmaster/ tech support immediately to have them rectify this.
error id: "bad_httpd_conf"

We tried the quoted text above as the key, but no luck.

We also found a download section with a bunch of rubbish documents lying around, and an admin login form too.

As a last resort, we started brute-forcing possible unlisted subdomains:

http://csaw.psifertex.com
http://csawctf.psifertex.com
http://csawctf.psifertex.com
http://key.psifertex.com

The last one was the one we were hunting for.

Solution: secret sonambulist

CSAW CTF 2012: Reversing 3

This entry was posted on Oct 02 2012

Here the challenge was to get the key out of a binary called CSAWQualification.exe for 300 points.

We used the same ILSpy decompiler we had used on a previous challenge. The following was the decompiler’s output:

// CSAWQualification.Program
private static void Main(string[] args)
{
    Console.WriteLine("Do you really just run random binaries given to you in challenges?");
    Console.ReadLine();
    // Unconditional exit: nothing below ever runs when the binary is simply executed.
    Environment.Exit(0);
    MD5CryptoServiceProvider mD5CryptoServiceProvider = new MD5CryptoServiceProvider();
    AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider();
    foreach (string current in Directory.EnumerateDirectories(Program.target))
    {
        // MD5 of the bare directory name (target prefix stripped) selects the right directory.
        byte[] first = mD5CryptoServiceProvider.ComputeHash(
            Encoding.UTF8.GetBytes(current.Replace(Program.target, "")));
        if (first.SequenceEqual(Program.marker))
        {
            // AES key is MD5("sneakyprefix" + directory name); the IV is the fixed bytes 0..15.
            byte[] rgbKey = mD5CryptoServiceProvider.ComputeHash(
                Encoding.UTF8.GetBytes("sneakyprefix" + current.Replace(Program.target, "")));
            ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateDecryptor(rgbKey,
                new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 });
            byte[] bytes = cryptoTransform.TransformFinalBlock(Program.data, 0, Program.data.Length);
            Console.Write(Encoding.UTF7.GetString(bytes));
        }
    }
    Console.ReadLine();
}

// CSAWQualification.Program
static Program()
{
    // Note: this type is marked as 'beforefieldinit'.
    Program.data = new byte[]
    {
        15, 83, 222, 204, 130, 169, 253, 55, 165, 229, 219, 240, 206, 78, 102, 131,
        243, 100, 115, 102, 231, 76, 235, 175, 2, 193, 249, 172, 174, 172, 227, 120,
        67, 118, 87, 221, 124, 97, 202, 124, 191, 209, 164, 8, 61, 224, 193, 83,
        13, 137, 114, 140, 42, 65, 247, 237, 202, 71, 66, 38, 58, 205, 158, 199,
        246, 205, 178, 248, 21, 55, 82, 239, 36, 107, 104, 230, 193, 63, 157, 178,
        224, 48, 198, 4, 66, 221, 12, 211, 215, 103, 209, 14, 117, 139, 111, 162
    };
    Program.marker = new byte[]
    {
        255, 151, 169, 253, 237, 224, 158, 175, 110, 28, 142, 201, 246, 166, 29, 213
    };
    Program.target = "C:\\Program Files\\";
}

We noticed that because of lines like Environment.Exit(0), the program was exiting prematurely. This time we were somehow forced to install Visual Studio. :-P Then we commented out the “culprit” lines of code and recompiled it to get the output.

CSAW CTF 2012: Reversing 2

This entry was posted on Oct 02 2012

Here the challenge was to get the key out of a binary named CSAWQualificationEasy.exe for 200 Points.

The binary is a .NET compiled program, so we used ILSpy to decompile it.

Below is the decompiled code for the main program segment:

// CSAWQualificationEasy.Program
private static void Main(string[] args)
{
    Console.WriteLine("Okay, going to compute the key. Have to remember to write it out at the end! I keep forgetting!");
    string arg = "";
    byte[] array = Program.encrypted;
    for (int i = 0; i < array.Length; i++)
    {
        byte b = array[i];
        // Each byte is XORed with 0xFF to recover one plaintext character.
        arg += Convert.ToChar((int)(b ^ 255));
    }
    // The decoded key in arg is never written out: that is the whole challenge.
    Console.ReadLine();
}

If we had had Visual Studio installed on the system, it could have been as easy as changing Console.ReadLine() to Console.WriteLine(arg) and recompiling. As we did not have the M$ compiler installed and were too lazy to install such a bulky package, we rewrote it in Python.

The "encrypted" array contains this:

// CSAWQualificationEasy.Program
private static byte[] encrypted = new byte[]
{
    171, 151, 154, 223, 148, 154, 134, 223, 150, 140, 223, 198, 156, 207, 198, 153,
    199, 203, 206, 201, 158, 205, 205, 207, 201, 205, 205, 206, 154, 202, 207, 157,
    198, 199, 154, 204, 203, 201, 207, 203, 200, 157, 200
};

Accordingly, the Python script was:

# Encrypted bytes array of the .NET program:
encrypted_list = [ 171, 151, 154, 223, 148, 154, 134, 223, 150, 140,
                   223, 198, 156, 207, 198, 153, 199, 203, 206, 201, 158, 205, 205, 207,
                   201, 205, 205, 206, 154, 202, 207, 157, 198, 199, 154, 204, 203, 201,
                   207, 203, 200, 157, 200 ]

# This will contain the output string:
decrypted = ""

# Reimplement the for loop to decrypt the string (XOR every byte with 0xFF):
for encrypted_chr in encrypted_list:
    decrypted = decrypted + chr(encrypted_chr ^ 255)

# Print decrypted string
print(decrypted)

The output from the script was the solution itself.

Solution: 9c09f8416a2206221e50b98e346047b7

CSAW CTF 2012: Trivia 2

This entry was posted on Oct 02 2012

What is the name of the Google's dynamic malware analysis tool for Android applications?

We solved this one through a search on Bing for “dynamic malware analysis tool for Android applications”.

The three-line preview for each link already gave some feeling for where it was worth looking. IIRC the link to the web page where the correct solution, “Bouncer”, could be found was on the third page of results.

Solution: Bouncer

CSAW CTF 2012: Trivia 5

This entry was posted on Oct 02 2012

What is the name of Microsoft's sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

We googled out the following: http://research.microsoft.com/en-us/um/people/pg/public_psfiles/cacm2012.pdf

Solution: SAGE

CSAW CTF 2012: Trivia 3

This entry was posted on Oct 02 2012

What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

We saved the following code in a file called trivia3:

and al, 0x24

Then compiled it using nasm:

$ nasm trivia3

Afterwards, we opened the output in hexdump to view the machine code. The first 0x24 byte is the opcode of and al, imm8 and the second is the immediate operand, which here happens to be 0x24 as well:

$ hexdump -C nasm.out

00000000 24 24 |$$|
00000002

Solution: 0x2424