Monday, June 17, 2013

3dub 1 - DEF CON Quals 2013 badmedicine writeup

This challenge started off with a login page.  If you would try to login as 'admin', it would say that doing so was disabled.

So, I started up burp's proxy to see what everything that was being sent.
I then attemped to login a user other than 'admin' and noticed that it also sent a cookie.

Then I attempted to login as 'bdmin'.

It sent the cookie: '0ac8259ca0'
I then attempted 'cdmin' and received the cookie: '0bc8259ca0'

So, assuming there was a pattern, I figured the cookie for 'admin' was:  '098259ca0'

I sent a username and then edited the cookie to  '098259ca0'.

The key is: who wants oatmeal raisin anyways twumpAdby

... I prefer chocolate chip

3dub 2

2pt challenge @
we are given a simple login page typical username and password setup

We assumed sql so..


so it is SQLinjection...we are pretty n00b over here so we used our toolkit to our advantage

It says there is a keys table so lets make a query to the table and grab that info
SQL(name' UNION ALL SELECT * FROM keys -- )


3dub 4 - WRITEUP

In this challenge we were confronted with a standard Admin panel page:

Awesome page right?

If you click on "usernames.txt" you get sent to a getfile.php page that presents this page:

Well that's cool... let's change the filename GET parameter to "passwords.txt".

 So we messed around a bit and saw that the access code parameter was a md5 of the file name.

So when we changed the md5 to passwords.txt's md5 (b55dcb609a2ee6ea10518b5fd88c610e)
and the filename to passwords.txt we get access to the passwords.txt page:
Well that looked too hard (SHA  512) for our simple minds  to break. So we decided that we should just go look around a bit at other pages since we can access any page we want so we looked at the login page:

Well since there is no auth code on this page it must have been a red herring, good thing we didn't try decrypting those passwords. With only one page (that we know of) left to check we looked at the getfile.php page:

We see there is a key page that we can't access directly but instead it produces an encrypted version of the key.txt using a random seeded value as the key to encrypt as well as base64encoding the encrypted text. We went and got the encrypted string by accessing key.txt ('IC7U94oEd1fDqQvxz6ub0RQ6IdJXfbgAqV+FxpxXMnGwLplE37Hjc+X7OwruViqvDYyyI8nFjRaDmMgPWvNoFA==)

Since the string was encrypted with PHP (and our Python was bad and we should feel bad) we thought it would be easier to decode it with PHP. But first we need to get the seed value for random so that we can guess the encryption key. The seed value is based off UNIX EPOC time from the time() function in PHP. So it creates the seed based off the time the page is loaded. So we can totally guess this seed now. We get our time in EPOC minus a few hundred for sanity reasons and brute force every seed value till we get the right answer. code to win:
function aes_crypt($data,$key)
    // if $encrypted is HEXed, then return it to binary
  // $encrypted = pack('H*',$encrypted);

    $cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
   return base64_encode($cyphertext);

$base = '137135834310';
function aes_decrypt($encrypted,$key)
    // if $encrypted is HEXed, then return it to binary
  // $encrypted = pack('H*',$encrypted);
    return mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$actkey,$encrypted,MCRYPT_MODE_CBC);

$data = 'IC7U94oEd1fDqQvxz6ub0RQ6IdJXfbgAqV+FxpxXMnGwLplE37Hjc+X7OwruViqvDYyyI8nFjRaDmMgPWvNoFA==';
$i = 1371311111;
$fp = fopen('data.txt', 'w');
while ($i < 1371999999){
   print "$i<br>";
   //print aes_crypt("The flag is:",'2234');
   $decode = aes_decrypt(base64_decode($data),$i);
   //print "$decode<br>";
   //print time();
   fwrite($fp, "$decode\n\n");

Wednesday, June 12, 2013

Randy - 200 - bkpCTF 2013

This was a very interesting challenge. To start we downloaded and ran the executable on my Ubnutu VM.

After running the executable we assumed that the challenge was to find the password that would output a ": )".The next step was inspect the program in IdaPro and see if our assumptions were true. Some findings from examining the executable in IdaPro included:
The program fires up prints “Password” to the screen, then waits for user input. Once the user has entered the password the first check the executable does is to verify that the length of the password is 28 characters long.

Then the executable makes a second call to _strlen once again to verify that the length of the password is 28 characters long.

The program then calls the keygen function and falls into the call to the wrong function if keygen returns zero and the call to the valid function if keygen returns one. It looks like the function that will need to be reversed is the keygen function.

After some inspection and remote debugging we were able to figure out some important information about the keygen function. The keygen function works as follows:

  1. Pull eight bytes from the user input and store the result in RAX
  2. Use the bottom four bytes of RAX as input to _srandom
  3. Call the _random function, and compare the return value to a number
  4. Increment r12 to grab the next four bytes of the user input

This entire algorithm is repeated a total of seven times. The first seven numbers that are compared after each reseeding of the random function were:

1. 0x7358837a
2. 0x34d8c3b53. 0x1f49456c
4. 0x1fea6614
5. 0x4e81abc76. 0x683d3f5d
7. 0x28c9a8feTherefore to find the key all we need to do is write a program that generates all possible four character printable ASCII values. Use those values as input to srandom, call random, and finally compare the result to each of the previous seven numbers to find a match. This will tell us what four characters were used as the seed at that particular point in the program. Once all seven seeds are found we should have the flag:). The solution program that we used is as follows:

Link to solution code:

The output of the bruteforce program reveals the flag: n0t s0 r4nd0m0 4ft3r a11!!!! 

Solution write-up by Ryan

Monday, June 10, 2013

Wolfram Beta - Misc 100 BkP 2013

This challenge had us connect to a server running a "Wolfram Beta" calculator.

The calculator asked the user for a number, then an operator, and another number.  It would then calculate the solution:

Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: +
second num: 1
Done Thinking!

We immediately assumed that the operator field was the vulnerable.  After several attempts, we found a way to inject code:

operator: +1; [code]; 1+

Since the server would kindly display program errors to us,  we knew it was a C# program.  After learning some C# code, we figured out how to read an entire file and print it out to the console.

key is:  at_least_its_not_a_python_jail

Mystery-100 BostonKeyParty 2013

This was your typical trivia recon challenge (what's a CTF without some movie references?). You just had to either Google keywords from the pictures or know generally about the movie.

Begin challenge --
My favorite movies!


third word, fourth letter (The Social Network)


$ bin/LLLSDLLaserControl -ok 1

second word, fourth letter (Tron Legacy)


Discovered open port 22/tcp on
Discovered open port 22/tcp on
Discovered open port 22/tcp on
Discovered open port 22/tcp on
Discovered open port 22/tcp on
Discovered open port 22/tcp on
Complete SYN Stealth Scan against in 25.94s (1 host left)
Complete SYN Stealth Scan at 13:30, 25.94s elapsed (3380 total ports)

second word, second letter (Live Free or die hard)


mysql> use Police06_Varmland

second word, first letter (The girl with the dragon tattoo)


h := NewHandle(GetHandleSize(params[1]));
IF h = NIL THEN EXIT(EntryPoint);
p := params[1]^;
q := h^;

first word, fourth letter


first word, first letter


first word, third letter


first word, seventh letter (Hackers)

We didn't seem to find letters 5, 6, 7, but we had enough to spell wargXXXs so we just guessed the first thing we thought of, which of course was wargames. Thus, 100 points.