On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 

If you’re like me and recently upgraded to Verizon FiOS and you have your PS3 on the wired segment and the Media Server (such as PS3 Media Server, TVersity, etc.) on the wireless segment, you’re in for a ride with the configuration.
By default, you can’t route the traffic between the wired and wireless segments over UDP! You can send ICMP echo packets (i.e., ping) but the PS3 just won’t detect the Media server. You may disable the Host-based firewall (e.g., Norton, Kaspersky, McAfee, etc.) but it still won’t work.

If you happen to read posts like these, you will see that you have to disable “IGMP proxy”. IGMP Proxy basically reduces the traffic on the multicast addresses to a bare minimum. Unfortunately for you, this causes the traffic between PS3 Media Server and PS3 to drop.

So you log into your FiOS router’s administration console typically located at 192.168.1.1. Click on Advanced -> Yes -> Firmware Upgrade and check the firmware version. You will see that it is an ActionTec router (based on the Auto-update URL). But nowhere do you see the option to update the “IGMP Proxy” settings. That’s because that feature is “hidden” in the latest firmwares.

So you just need to copy/paste the following URL into the browser address bar and you will see the option to disable “IGMP proxy”.
http://192.168.1.1/index.cgi?active_page=6059
Disable it and Voila! The PS3 Media Server and PS3 can now talk to each other.

While compiling socat-2.0.0-b5 on cygwin (Windows) I got a few errors and here’s how I fixed it:
xioopts.c: In function 'applyopts_single':
xioopts.c:3998: error: 'struct single' has no member named 'fd1'
xioopts.c:4000: error: 'struct single' has no member named 'fd1'
make[1]: *** [xioopts.o] Error 1
Edit the file xioopts.c in your favorite editor and replace ‘fd1’ by ‘rfd’ in both lines (3998 & 4000). That fixed this error but then I got my next error.

xio-ip.c:480: error: structure has no member named `ipi_spec_dst'
Edit xio-ip.c and comment out the entire snprintf statement in xio-ip.c line 480.

Continue compilation and it should now work fine.

I had to wipe my existing OS and had to reinstall Nessus on the new BT5R3 image. However, I still wanted all my previous scan data and users to be unaffected in the new OS. So how did I do that? Here’s how:

Take a backup and restore the following folders on the new install:

1. Users Folder (/opt/nessus/var/nessus/users)
2. Master.key (/opt/nessus/var/nessus/master.key)
3. Policies.db (/opt/nessus/var/nessus/policies.db)

If you do get an error after this follow these steps to get rid of errors and just reactivate the nessus feed as follows:

1. service nessusd stop
2. /opt/nessus/sbin/nessus-fix –reset
3. /opt/nessus/bin/nessus-fetch –register [activation code]
4. /opt/nessus/sbin/nessusd -R
5. service nessusd start

The question was:
Question: This is semi-real. 🙁
140.197.217.85:10435
Password: 5fd78efc6620f6

When you would connect using netcat you would see a 9 numbers and a user PIN. This would repeat thrice and then you would have to choose the right pin for the fourth pair 6×6 matrix of numbers. My first reaction was either the PINS were constant or they were following a pattern. So I wrote up this quick python script to solve this puzzle which helped me understand the problem also.

#!/usr/bin/python
import socket, re, threading, time
 
lookupdict = []

def process_array_pin(fs,s):
	i = 6
	temp = ''
	pin = ''
	while i > 0:
		line = fs.readline()
		#print line
		#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
		test = re.split(' ',line)
		#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
		i = i - 1
		try:
			temp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
		except IndexError:
			pass
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
			#s.send('2\n')
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
	line = fs.readline()
	try:
		pin = re.match("..........User entered: (.*)", line).group(1)
	except:
		pass
	#pin = fs.readline()
	#print 'Line: '+line
	#print 'Pin is : '+pin
	strpin = re.sub(' ','',pin)
	#strpin = re.split(' ',pin)
	#lookupdict[temp] = strpin
	print 'Pin for : ' + temp+' is '+strpin+'\n'
	return temp,strpin
def play():
	global fs, s
	s = socket.create_connection(('140.197.217.85', 10435))
	fs = s.makefile()
	s.send('5fd78efc6620f6\n')
	print fs.readline()
	print fs.readline()
	print fs.readline()
	answer = []
	numTimes = 0
	while numTimes < 5:
		j = 3
		while j > 0:
			test = process_array_pin(fs,s)
			lookupdict.append(test[0])
			lookupdict.append(test[1])
			j = j - 1
			if j > 0:
				numlines = 3
				while numlines > 0:
					fs.readline()
					numlines = numlines - 1
		fs.readline()
		pindigits = list(lookupdict[1])
		#print pindigits
		pinpos = 0
		for num in pindigits:
			i = 0
			start = 0
			end = len(lookupdict[0])
			while i < lookupdict[0].count(num):
				indofinterest = lookupdict[0].find(num,start,end)
				#print 'index of interest '+str(indofinterest)
				if lookupdict[2][indofinterest] == lookupdict[3][pinpos]:
					if lookupdict[4][indofinterest] == lookupdict[5][pinpos]:
						answer.append(indofinterest)
						break
				i = i + 1
				start = indofinterest+1
			pinpos = pinpos + 1
		#print answer
		# Get question
		i = 6
		temp1 = ""
		while i > 0:
			line = fs.readline()
			#print line
			#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
			test = re.split(' ',line)
			#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
			temp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
			i = i - 1
		#fs.read(14)
		#fs.flush()
		print "Question : " +temp1+'\n'
		answerstr = ''
		count = 0
		for i in answer:
			answerstr += temp1[i]
			#print temp1[i],
			count = count + 1
			if count < 4:
				answerstr += ' '
			else:
				answerstr += '\n'
		print "Answer : "+answerstr
		s.send(answerstr)
		output = fs.readline()
		#output = fs.readline()
		print output
		if output.find('Sun') > -1:
			output = fs.readline()
		else:
			a = 10
			while a > 0:
				print fs.readline()
				a = a - 1
			#output = fs.readline()
			#print 'Inside else\n'
			#if output.find('NOVA') > -1:
			#	print 'NOVAFOUND!!!!!\n'
			s.send('2\n')
			print 'Sent last\n'
			a = 100
			while a > 0:
				print fs.readline()
				s.send('%d%n\n')
				a = a - 1
			#print fs.readline()
			break
		del answer[:]
		del lookupdict[:]
		del pindigits[:]
		numTimes += 1
	
	s.close()
#for i in range(2000):
#threading.Thread(target=play).start()
play()

The above file reads the numbers, filters out the formatting that adds color to the digits and picks out the indices that would be chosen as the key.

So to solve this, each pattern of digits had fixed matrix positions that would be chosen as the pin. Once you successfully solve the puzzle four time you are presented with an ATM screen as follows:

 ***NOVABANK ATM menu***

 Balance: $9238740982570237012935.32

 1) withdraw
 2) deposit
 3) transfer
 4) exit

 <disconnected>

The real part is the balance i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it at which time it worked.

This was a really cool problem. Thanks DDTEK.