Nullcon Hack IM 2011 walk through
Walkthrough of the whole Hack IM contest, organized as a pre-conference hacking challenge.

Transcript

  • 1. HACKIM 2011 WALKTHROUGH
    HackIM Walk-Through Created by Anant Shrivastava for Null
  • 2. HackIM 2011 Walk Through
    Contents
    Prelude ..... 3
    Introduction ..... 3
    Level 0 ..... 4
    Level 1 ..... 5
    Level 2 ..... 6
    Level 3 ..... 8
    Level 4 ..... 9
    Level 5 ..... 11
    Level 6 ..... 12
    Level 7 ..... 13
    Level 8 ..... 15
    Level 9 ..... 17
    Level 10 ..... 19
    Level 11 ..... 20
    Level 12 ..... 24
    List of tools used ..... 28
  • 3. Prelude
    Before I begin I would like to thank the organizers of nullcon and especially the nullcon HackIM Contest. I have enjoyed 5-6 days during the challenge and have also got to meet a lot of new people.
    Besides all the stuff that's listed below there were a large number of discussions that took place on IRC, both on the main channel and in private one-to-one chats, that helped one and all in solving the problems. For this a special thanks goes to FB1H2S - Rahul Sasi and karniv0re. All three of us were teamed together to compete against each other in the battle.
    Introduction
    I am presenting a walkthrough of all 12 levels of HackIM 2011.
    I have designed the walkthrough in the below points for each level.
    1. Description and hints of the level. (Optional)
    2. Screenshots as required.
    3. Steps how that level could be cracked.
    4. Pitfalls / Diversion points: places which can distract you from the actual solution.
    Note: I have intentionally not provided the password for each level.
  • 4. Level 0
    Description: This was truly an Idiot's Test. This was just checking whether we know how to look at the source code or not.
    Hint: L0 == I just wanna say one word to you.. just one word. firebug. or you could just mind your action
    The clue was evident in the source code.
    <!-- <td><input name="password" type="password" class="textfield" id="password" value ="" /> -->
    This specifies that the password value is "" (null, zero, nothing).
    All that is needed to crack this level is a blank password. However a quicker way is to visit the form's action URL directly, i.e. level-0-proc.php.
    Once you are through with level 0 you get
  • 5. Lets see what we have next.
    Level 1
    Description: Not exactly an idiot's test, however it does check how attentive you are to various details.
    Hint: L1 == Dig Deep to find the Treasure
    Lets look at the source code again.
  • 6. We are unable to find any clue and yet we have reached the end of the HTML document, marked by </html>. However if we look closely we have not reached the end of the page.
    So that's the hint; lets see what we find at the bottom.
    <!-- fnirorreqevaxjngre -->
    So we found some text. However one glance tells that it's not the password; this can be confirmed by testing it on the page itself. Now the architect is bad; he doesn't want us to get things directly.
    So lets try some basic ciphers on this. One of the most basic ciphers is the Caesar cipher. We could use online tools for such conversion.
    One example: http://www.purplehell.com/cgi-bin/riddles/rot.pl
    This tool gives you all types of ROT ciphers. So giving the above text as input and checking the output at ROT13 we get our password.
    Pitfall: The pitfall is that no specific text says that it's ROT; it's just an assumption.
    Level 2
    Description: This was the start of the good tricks on the HackIM challenge.
    Hint: L2 == elePHPant arriveS - Courtesy PHPCamp Pune11
  • 7. After checking that an image is specified, the first thought goes to steganography. However looking in the source code we get a reference to the original image.
    <!-- Courtesy http://www.padraigcahillartist.com/men.html for the image -->
    So a quick md5-based check on the original and new image can be done to see whether the file has been tampered with or not. The result is negative here, meaning that the file is not altered.
    So lets look in more detail then. We also have one more comment in the source pages.
    <!-- application/x-httpd-php-source -->
    Lets see what this is; a quick Google search leads to the following page:
    http://serverfault.com/questions/180104/what-is-addtype-application-x-httpd-php-source
    This clearly tells everyone that this directive is given in the Apache server config when the admin wants to serve certain files as source code without executing them. The most common such extension is .phps. Trying this on both URLs, level-2.phps and level-2-proc.phps, reveals the password; now all it needs is copy-paste.
    Note: the hint was released towards the end of the game, hence I didn't use the hint. Otherwise the hint specified the file extension in its capitalization.
    Pitfall: we might spend a lot of time with the image thinking it's a clue or a direction. However it's a decoy.
  • 8. Level 3
    Description: This was more of a word play.
    Hint: L3 == Read Between the Lines
    Clue: <!-- But -->
    So now we don't have much to work on in terms of hints. So lets look at the clues then.
    If we look up parts of the above two sentences online, we get multiple references to the Simpsons. However the details come out if we start looking at some specific words.
    "My lisa, worm, simpson."
    With "my lisa" a reference comes to mind of Melissa; this leads us to the wiki page of the Melissa worm.
  • 9. So we can be sure of the correct way because one of the names is Simpson's. So just a look at each name tells us that
    So we know the answer now.
    Level 4
    Description: This was much of a straightforward programming contest.
    Hint: L4 == http://tinyurl.com/6g37s39 : LMGTFY
    The question was very clear with just one twist. The previous answer that we need as the first iteration is not available to us.
    Lets check the source code for any hint we can find.
  • 10. <!-- U3RhcnQgd2l0aCBQcmV2aW91cyBBbnN3ZXIgPSBGMQ== -->
    This looks like a base64 encoded string. Let's check it here: http://ostermiller.org/calc/encode.html
    This gives us the previous answer, which is marked as F1. However we need a decimal number, not an alphanumeric one, so we can go for a hexadecimal to decimal conversion.
    Now all that is left is to write a simple piece of code to perform the calculation, or you could try by hand if you wish to.
    I wrote a simple JavaScript function to do the task; you could use your programming language of choice. Attaching my code for reference.

    function calc() {
      var first_no = 0;
      var second_no = 0;
      var previous_ans = 241;   // "F1" from the base64 clue, read as hex = 241 decimal
      var ans = 0;              // declared here; the original leaked it as a global
      var i;
      for (i = 0; i <= 31337; i++) {
        ans = first_no + second_no + previous_ans + (first_no * second_no);
        first_no = first_no + 1;
        second_no = second_no + 2;
        previous_ans = ans;
      }
      document.write("Answer :: " + ans + "<br />");
      return ans;
    }

    Once you run this code you get the answer.
  • 11. Pitfall:
    1. F1 could be confused with the F1 key; I even tried placing the ASCII conversion of the F1 key as the previous answer.
    2. The second pitfall is shortsightedness in the variable type. If you take int or long in C the output is incorrect. You need to take long double.
    Level 5
    Description: this level marked the beginning of craziness in HackIM. The first level asking for a file to be downloaded.
    Hint: L5 == Everything isnt always the way it seems to be | Listen it, use your imagination you cant imagine anything else being a hacker
    Code Hint: <!-- After all Everything is .. & .. so, Please dont kill the Architects :P -->
    Just a quick look at the wave file reveals that the file consists of zeros and ones. That directs in two ways: Morse code and DTMF tones.
    However Morse code can be ruled out as the file doesn't have any specific spacing between dots and dashes to denote word / character endings.
  • 12. DTMF decoder used: http://www.dialabc.com/sound/detect/index.html
    This gives us the output as 32 bits of data. Now 32 bits of data could mean many things; however from a network and security point of view the most direct reference is an IP address.
    So the 32 bits are converted to an IP address, and now this IP address is to be converted back to a hostname; here we can use a reverse IP lookup: it shows that this IP hosts a total of 24 websites. However the answer was a bit of a surprise because this level didn't define when to stop.
    The answer is one of the domain names, specifically the domain name related to this website.
    Level 6
    Description: an executable decoding based round.
    Hint: L6 == The world would be incomplete without Voodoo
    This level required an exe to be downloaded. This exe is a program that repeats whatever you wrote on to the mail id. Also without any options this yielded a lot of information. At that point it's clear that the password is inside the exe, so let's open it. And then inside the file I started with the message I can see in case of no option on the command line.
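Back to Level 5's last step, as an added example that is not part of the walkthrough: the 32 DTMF-decoded digits turned into the dotted-quad IPv4 address the author settles on, next to the two other readings of a 32-bit value worth a glance (unsigned integer, four ASCII bytes), with input checking so detector output that is not exactly 32 zeros and ones is rejected. The digit string is constructed, not the contest's.

```javascript
// Added example (not from the walkthrough): interpretations of the 32 DTMF-decoded
// digits from Level 5. Anything that is not exactly 32 binary digits is refused,
// because that would mean the "DTMF 0/1" reading of the audio was wrong.

// Constructed sample, NOT the contest's real bits, with the 4-digit grouping
// that DTMF detectors usually print.
const SAMPLE_DTMF_DIGITS = "1100 0000 1010 1000 0000 0001 0110 0100";

// Normalise detector output: drop separators, insist on exactly 32 bits of 0/1.
function normaliseBits(digits) {
  const bits = digits.replace(/[\s,;:-]/g, "");
  if (!/^[01]{32}$/.test(bits)) {
    throw new Error("expected exactly 32 binary digits, got: " + JSON.stringify(bits));
  }
  return bits;
}

// Split into 8-bit groups, most significant group first (network byte order).
function bitsToOctets(bits) {
  const octets = [];
  for (let i = 0; i < 32; i += 8) octets.push(parseInt(bits.slice(i, i + 8), 2));
  return octets;
}

// Candidate readings: the IPv4 address, the unsigned 32-bit integer, and the
// four bytes as printable ASCII (non-printable bytes shown as '.').
function interpret32Bits(digits) {
  const octets = bitsToOctets(normaliseBits(digits));
  const ascii = octets.map((b) => (b >= 0x20 && b <= 0x7e ? String.fromCharCode(b) : "."));
  return {
    ipv4: octets.join("."),
    uint32: octets.reduce((acc, b) => acc * 256 + b, 0),
    ascii: ascii.join(""),
  };
}

// Reverse direction: check a candidate host's address against the recovered bits.
function ipv4ToBits(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not a dotted-quad IPv4 address: " + ip);
  }
  return parts.map((p) => p.toString(2).padStart(8, "0")).join("");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(interpret32Bits(SAMPLE_DTMF_DIGITS));
}
```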
  • 13. Pitfall: people may start sniffing or debugging the exe. Some may even try to decompile it. However the answer was very straightforward.
    Level 7
    Description: This level asked you to download a .evt file and give out the name of the faulting application.
    Hint: L7 == Lets note it down first - Courtesy anant
  • 14. This level was more of a straightforward one if you just know what needs to be used.
    This file extension belongs to the log viewer for Windows. Those working on Windows tried opening the file in the log viewer and received an error. So the next best alternative that anyone can foresee, as well as evident from the hint: lets try using notepad / notepad++ / gedit / vim.
    Now we can see the file; all we need is to find the correct application.
    This is where the trick comes into the picture.
    Pitfall: we may get confused with the various application/service names that are listed.
  • 15. However if we look closely at the question, the question asks us for the name of the application. So lets search for .exe in the file, and lo and behold, we got the answer in just one click.
    Note: big brother, per my understanding, refers to the log viewer.
    Level 8
    Description: This was a tricky one. This was a tcpdump, and we needed to find out the time at the routers with 111.* series IPs.
    Hint: L8 == And I will Reply great vengeance upon them with furious Attack; and they shall know that I am the lorD, when I shall lay my vengeance upon three. Ezekiel 23:28 | RFC 2328 Section D.3 Cisco Implementation
    Before the hint was released, which was one day after people reached this level, the first task was to identify which protocol can contain information related to a timestamp. The prominent protocols in the dump were: ICMP, SMB and OSPF. Just a quick glance: ICMP does not contain a timestamp from the machine and SMB is not from the router.
  • 16. That leaves the OSPF protocol. By the time the hint started pouring in: RFC 2328 is for the OSPF protocol; while the document in itself is a good read, it is quite a lot to read and has many things to deviate from the path. The second part of the hint helped in pinpointing the value: Section D.3, which talks about the cryptographic implementation.
    The point to be referred to here was: "However, it is expected that many implementations will use 'seconds since reboot' (or 'seconds since 1960', etc.) as the cryptographic sequence number. Such a choice will essentially prevent rollover, since the cryptographic sequence number field is 32 bits in length."
    Now this is where we got the idea about the timestamp. So just a quick conversion of the cryptographic sequence number from hex to decimal and a date conversion gives us a number which, to our horror, is not the correct answer.
    Now the third part of the hint is what needs to be checked: Cisco implementation. However http://ciscorambling.blogspot.com/2008/11/what-is-epoch-time.html is all that is needed for the level.
    For epoch conversion we can use any online tool, e.g.: http://www.epochconverter.com/
    Now the problem left is to enter the date in the proper format. This is where the clue hidden inside the source comes into the picture.
    <!-- Answer should be in the format Day Month Year; 12 December 2012 -->
    Pitfall:
    1. The pitfall is not checking the Cisco implementation properly.
    2. The second pitfall could be entering the date in an improper format.
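For Level 8, an added example that is not the author's code: it reads the cryptographic sequence number out of an OSPFv2 header that uses cryptographic authentication (AuType 2; field layout per RFC 2328 Appendix A.3.1 and D.3), converts it as seconds since the Unix epoch and renders the "Day Month Year" form the source comment asks for. The header bytes are constructed, and reading the value as seconds since 1970 is an assumption of this example; which epoch a given vendor actually uses is what the hint's Cisco pointer is about.

```javascript
// Added example (not from the walkthrough): OSPFv2 cryptographic sequence number
// to a "Day Month Year" date. OSPFv2 header (RFC 2328 A.3.1): version(1) type(1)
// length(2) router id(4) area id(4) checksum(2) AuType(2) authentication(8).
// With AuType 2 the authentication field is: 0x0000, key id(1), auth data len(1),
// cryptographic sequence number(4), i.e. header bytes 20..23.

// Constructed Hello header, 24 bytes, NOT taken from the contest dump:
// version 2, type 1, length 48, router id 192.168.1.1, area 0, checksum 0,
// AuType 2, key id 1, auth data len 16, sequence number 0x4D547C00.
const SAMPLE_OSPF_HEADER_HEX =
  "0201" + "0030" + "c0a80101" + "00000000" + "0000" + "0002" +
  "0000" + "01" + "10" + "4d547c00";

const MONTHS = ["January", "February", "March", "April", "May", "June", "July",
  "August", "September", "October", "November", "December"];

function hexToBytes(hex) {
  const clean = hex.replace(/[\s:]/g, "");
  if (clean.length % 2 !== 0 || !/^[0-9a-fA-F]*$/.test(clean)) throw new Error("bad hex");
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(clean.substr(i * 2, 2), 16);
  return out;
}

// Returns the 32-bit cryptographic sequence number, or throws when the packet does
// not use cryptographic authentication (then there is no such field to read).
function ospfCryptoSequence(bytes) {
  if (bytes.length < 24) throw new Error("OSPF header is 24 bytes");
  if (bytes[0] !== 2) throw new Error("not OSPFv2");
  const auType = (bytes[14] << 8) | bytes[15];
  if (auType !== 2) throw new Error("AuType " + auType + ": no cryptographic sequence number");
  // big-endian bytes 20..23; ">>> 0" keeps the result unsigned
  return ((bytes[20] << 24) | (bytes[21] << 16) | (bytes[22] << 8) | bytes[23]) >>> 0;
}

// Assumption: the value counts seconds since 1970-01-01 00:00:00 UTC.
function epochSecondsToDayMonthYear(seconds) {
  const d = new Date(seconds * 1000);
  return d.getUTCDate() + " " + MONTHS[d.getUTCMonth()] + " " + d.getUTCFullYear();
}

// Everything Level 8 asks for, from one captured OSPF header in hex.
function level8Answer(headerHex) {
  const seq = ospfCryptoSequence(hexToBytes(headerHex));
  return {
    seqHex: "0x" + seq.toString(16).padStart(8, "0"),
    seqDec: seq,
    date: epochSecondsToDayMonthYear(seq),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(level8Answer(SAMPLE_OSPF_HEADER_HEX));
}
```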
  • 17. Level 9
    Description: this was a play around on the web form and its methods.
    Hint: L9 == Leechers will be banned. Seeders welcome :) | Bhavnao ko samjho sabdo mey kya rakha hai... (understand the feeling, what is there in the words...) | Developers are bound to make mistake that why hackers exist...
    This level was a two part challenge. Only the POST method was allowed and not GET (leechers get data and seeders post the data). So setting the user id as administrator and the password as blank, with the method set as POST, requires JavaScript to be disabled as the validation is at the client side.
  • 18. Now looking at the source code of this web page gives us the required details.
    A quick search for the first few characters of the comment's string (/9j/) points to one of many links: http://support.microsoft.com/kb/836555
    This is about various MIME types, and this turns out to be an image in binary format which is base64 encoded. To decode this we can use: http://www.opinionatedgeek.com/dotnet/tools/base64decode/
    This helps in decoding the image back to JPEG format; however the download comes out as .bin, so we just need to rename it.
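Levels 4 and 9 both hide a base64 blob in an HTML comment. The following added example (not the author's code) pulls the comments out of a page, decodes those that look like base64, and tells printable text (Level 4's note) apart from an image by its magic bytes, so the guess-and-rename step of Level 9 becomes a check; it goes beyond the page in also recognising PNG and GIF. The page fragment is constructed; only the Level 4 comment is taken from the slide, and the JPEG comment is a short JFIF header prefix standing in for the real image.

```javascript
// Added example (not from the walkthrough): find base64 blobs hidden in HTML
// comments and sniff what they decode to, instead of trusting a .bin download.

// Constructed page fragment. The second comment is the Level 4 string from the
// slide; the third is a JFIF header prefix, not the contest's image.
const SAMPLE_HTML = `<html><body>
<!-- Courtesy nobody for the image -->
<!-- U3RhcnQgd2l0aCBQcmV2aW91cyBBbnN3ZXIgPSBGMQ== -->
<!-- /9j/4AAQSkZJRgABAQEA -->
</body></html>`;

// Magic bytes checked at offset 0. "/9j/" in base64 is exactly FF D8 FF.
const MAGIC = [
  { ext: ".jpg", bytes: [0xff, 0xd8, 0xff] },
  { ext: ".png", bytes: [0x89, 0x50, 0x4e, 0x47] },
  { ext: ".gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// All <!-- ... --> bodies, whitespace-trimmed, in document order.
function htmlComments(html) {
  const out = [];
  const re = /<!--([\s\S]*?)-->/g;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1].trim());
  return out;
}

// Cheap base64 syntax check; Buffer.from would silently accept garbage otherwise.
function looksLikeBase64(s) {
  return s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

// Magic bytes first, then "all printable ASCII" as text, else unknown binary.
function classifyBytes(buf) {
  for (const { ext, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) {
      return { kind: "file", ext };
    }
  }
  const printable = buf.every(
    (b) => (b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x0d || b === 0x09
  );
  if (printable) return { kind: "text", text: buf.toString("latin1") };
  return { kind: "file", ext: ".bin" };
}

// One record per base64-looking comment: what it was and what it decodes to.
function decodeCommentBlobs(html) {
  return htmlComments(html)
    .filter(looksLikeBase64)
    .map((b64) => ({ comment: b64, ...classifyBytes(Buffer.from(b64, "base64")) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeCommentBlobs(SAMPLE_HTML));
}
```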
  • 19. So all that is needed now is to zoom in on the file and get the password.
    Level 10
    Description: This was a windump, or rather a Windows memory dump.
    Hint: L10 == Open the doors of the Windows, & take a trip down the memory lane
    This level contains a memory dump taken from a Windows machine; instead of me explaining, it would be better if I point you in the correct direction.
    http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html
    Also you will need the updates from: http://moyix.blogspot.com/2009/01/registry-code-updates.html
    Note: BackTrack has this utility preinstalled, except for the updates.
  • 20. Once you have the SAM file dump, all you need is to crack / decode / decrypt the password. You can use online rainbow tables, or if you have a local copy then you can use that too.
    NOTE: you might need to disable JavaScript in this page to allow you to enter the correct password.
    Level 11
    Description: One of the most complex levels of the contest.
    Hint: L11 == After stumbling upon love ... dont stop there my dear, there is still lots to be done | Dont just accelerate your minds meter my dear, peep into my heart, for youll see, safely concealed in it, is a golden key, but if ure at loss bumblebee, take some free help openly from Linuss pet Geeko Mascot Lizard | If geeko dont help ask from his good brother CAMOU.....
    The first confusion comes from the file extension, ulti.toppi. However the hint comes in the form of link.CAP. However there is an easy solution: in Linux you have a simple utility called file.
    # file ulti.toppi
  • 21. Output:
    Now we know that the file is a tcpdump and we can use Wireshark to view the data. However to our surprise the file is sniffed WiFi data which is WPA protected.
    Aircrack comes to the rescue to crack the WPA key; however the problem with aircrack is that it requires a dictionary to work on a dump. Luckily BackTrack has one of the best dictionaries. So a simple aircrack attack with the WPA dictionary reveals the password. Once the password is found it can be used to decrypt the dump using airodump. Now we can load the decrypted dump back into Wireshark. Now Wireshark reveals a plain text FTP transmission and a file exchange, file name meter.jpg.
  • 22. Another good tool that can be used in this analysis is NetworkMiner, which has recently reached version 1. It has only one limitation: it needs the file to have a .cap extension.
  • 23. Once you have extracted the image you have completed 3/4 of the challenge.
    Now with the image all we can think of is steganography, and one of the best tools in this regard is the stego toolkit.
    $ stegdetect meter.jpg
    However usage of this tool proves to be the first diversion.
    As suggested by stego I spent nearly 5 hrs with all three wordlists on jphide decoding.
    When all failed, we have to revert back to the hint.
    "but if ure at loss bumblebee, take some free help openly from Linuss pet Geeko Mascot Lizard | If geeko dont help ask from his good brother CAMOU....."
    Now this hint was released in parts. So after spending a lot of time, and especially after the release of the last part, you will get the following.
    1) Chameleon Steganography suite: http://chameleon-stego.tripod.com/home.html
    2) Camouflage Steganography suite: http://camouflage.unfiction.com/
    Out of all this, Camouflage steganography is what is referred to in the hints section. However we are still short of the password, so our search starts again and we head back to Google.
    And we arrive at http://dl.packetstormsecurity.net/0701-exploits/camouflage-crack.txt
    Now all we need is to apply the details as provided. What I did was to overwrite the password, keeping the first character as 63, which represents "a". So now I can use the standard Camouflage application to uncamouflage the file with the password "a", and we got the secret file out which contains the password.
  • 24. And so we reach the penultimate level of the challenge.
    Level 12
    Description: This is the final challenge; this means the challenge looks easy but is not easy.
    Hint: L12 == Queen of Witches EnteRed mY hearT, but I did the right thing and let down the f/tart
    Now if we look at the file we find that the file contains a very random set of characters.
    Lets try to analyze the file.
  • 25. This tells us that we have 26 characters in the character set, and if we look closely we will find the occurrence or absence of characters.
    Now if we look at the hint once again and then look closely at the most used part of the computer, our keyboard, the encoding is staring right in the face.
    The encoding - decoding set that was used is listed below (cipher character = plain character; where a second plain character is given in parentheses, it is the alternative reading mentioned in the note on the next slide).
    ! = W
    @ = E
    # = R
    $ = T
    % = Y
    ^ = U
    & = I
    * = O
    ( = P
    Q = S (= A)
    W = D (= S)
    E = F (= D)
    R = G (= F)
    T = H (= G)
    Y = J (= H)
    U = K (= J)
    I = L (= K)
  • 26. O = ; (= L)
    P
    A = X (= Z)
    S = C (= X)
    D = V (= C)
    F = B (= V)
    G = N (= B)
    H = M (= N)
    J = , (= M)
    K = . (= ,)
    C = space
    This conversion can be done manually or programmatically. A JavaScript based program is listed below.
    Note: The program gives two sentences due to an error in the coding of the words, as at places Q is interpreted as S and at others it is treated as A. Similarly for a few more characters.

    // Apply one cipher-to-plain table to the input; characters missing from the
    // table (none in this ciphertext) are passed through unchanged.
    function decodeWith(inp, coder_array, decode_array) {
      var out = "";
      for (var i = 0; i < inp.length; i++) {
        var idx = coder_array.indexOf(inp[i].toUpperCase());
        out += idx === -1 ? inp[i] : decode_array[idx];
      }
      return out;
    }

    function ev() {
      var inp = "$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@kc!@ctqd@cq*h@cqhqa&grc$qiuqci&g@wc^*c$t&qc$&h@cq#*^gwc$tq$c!&iicq^#@i%cstqgr@c%*^#c(@#q(@s$&d@c*ecq@s^#&$%cugc$t@ce^$^#@kc!@c$tqguc$t@cs*hh^g&$%ce*#cq^((*#$&grc^qjc&$c&qc%*^#cq^((*#$c$tq$c!@ctqd@cr#*!gcqgwcq#@cqfi@c$*cq@#d@c$t@cs*hh^g$%c&gcqcf@$$@#c!q%keiqroc%*^cq#@c*^#ct@#*";
      var coder_array = "!@#$%^&*(QWERTYUIOASDFGHJKC";
      // Both decode tables had lost their last two entries in the slide export,
      // which left the cipher characters K and C without a plain character;
      // '.' for K and ' ' for C are restored from the keyboard table above.
      var decode_array  = "WERTYUIOPSDFGHJKL;XCVBNM,. ";
      var decode_array2 = "WERTYUIOPADFGHJKL;XCVBNM,. ";
      document.write(decodeWith(inp, coder_array, decode_array) + "<br />");
      document.write(decodeWith(inp, coder_array, decode_array2));
    }
  • 27. Level 13
    Description: This level was the worst part. I am still working on it.
    Hint: L13 == Bas ab kitna kheloge :P (Enough, how much more will you play :P) (no hint could help you here.)
    This required a document to be prepared explaining how each level was crossed.
    This document you are reading is an extended exercise to the challenge, to document the challenge in a better way.
  • 28. Thanks for reading it so far.
    So at last a brief introduction about myself (shameless self promotion):
    Anant Shrivastava
    CEH | RHCE
    http://anantshri.info
    http://blog.anantshri.info
    anant.shrivastava@gmail.com
    List of tools used.
    1) Notepad / Notepad++ / Gedit / Vim
    2) Calc
    3) BackTrack
       a. Wireshark
       b. Aircrack-ng suite
       c. Stego suite
       d. Volatility
       e. md5sum
    4) Cryptoanalysis.net
    5) NetworkMiner
    6) Firefox
       a. Web Developer Toolbar
       b.