C0c0n 2011 CTF Walkthrough


This is the walk-through for the C0C0n 2011 CTF.



Riyaz Walikar a.k.a karniv0re
http://www.riyazwalikar.com

Greetings fellow readers!! As usual another great CTF has ended and most of us who played this have lost some hair from our heads with the collective effort of yanking it out or banging our heads on the nearest walls. On a more serious note, people who thought only corrupt could be nightmarishly creepy can now go ahead and add Anant a.k.a infinity to the list! Great job guys, to the team who made this possible!!

This was, all in all, an enjoyable event, with the levels being fairly designed to supposedly increase in order of complexity, frustration and technical incoherence as you progressed up. I managed to finish all except one level, which I will come to in a bit.

The CTF was divided into multiple sections as listed below and each section had 3 levels.

1. Crypto Levels – Mostly to do with some sort of cipher/obfuscation/symbol substitution.
2. Programming Levels – Programming related questions. People actually had to write programs!!
3. Reverse Engineering Levels – Reverse engineering binaries, PYCs and APKs.
4. Log Analysis Levels – Analysis of Apache logs, PMLs and Wireshark pcap dumps.

As is with all CTFs, different people would have different approaches which may lead to the same answer that enables you to complete a level and unlock the next. This is my approach and I agree it is not the best, not the most elegant or the most uber out there, but hell, it worked. I have also tried to tag the levels based on their difficulty as Easy, Average, Hard and WTF! This categorization/classification is entirely based on my experience with the CTF and is entirely my opinion. Your opinion may differ so don't take it too seriously.
Crypto Levels

Crypto Level 1
URL: http://nullcon.net/challenge/c0c0n/clevel-1.php
Difficulty: Average
Solution: The source code of the page shows two HTML comments. The first one appears to be an obfuscated/encoded string. The == at the end points us to the string being base64 encoded. However a subsequent decoding does not provide anything conclusive.

The second HTML comment is an apparent clue to the use of ROT-13 before you decode the string using Base64.
Having played a similar level at last year's nullcon HackIM challenge, this wasn't very hard. Using the ROT-13 decoder at http://web.forret.com/tools/rot13.asp, I obtained the following:

Base64 decoding this, after adding the necessary padding, gives:

Call it intuition or just the way the characters were arranged, this had to be Base64 decoded again!!
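The ROT-13, repair-the-padding, Base64, Base64-again chain described above, written out as an added example (not the author's tooling; the level's actual comment string is not reproduced on the page, so the sample comment is constructed here by running the chain in reverse):

```python
import base64
import codecs


def fix_padding(s: str) -> str:
    """Base64 text must be a multiple of 4 chars long; restore any '=' that was dropped."""
    return s + "=" * (-len(s) % 4)


def decode_chain(comment: str) -> str:
    """ROT-13 the HTML comment, repair padding, base64-decode, then base64-decode again."""
    rot = codecs.decode(comment, "rot_13")
    once = base64.b64decode(fix_padding(rot))
    twice = base64.b64decode(fix_padding(once.decode("ascii")))
    return twice.decode("utf-8")


def encode_chain(plain: str) -> str:
    """Inverse of decode_chain; strips the outer padding the way the level's string needed it."""
    once = base64.b64encode(plain.encode("utf-8")).decode("ascii")
    twice = base64.b64encode(once.encode("ascii")).decode("ascii").rstrip("=")
    return codecs.encode(twice, "rot_13")


# Constructed sample built with encode_chain; not the CTF's real HTML comment.
SAMPLE_COMMENT = encode_chain("Google Beer")
```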
A quick Google search for "Google Beer" gives "URKontinent". Converting this to title case gives "Urkontinent" which is the flag.

Crypto Level 2
URL: http://nullcon.net/challenge/c0c0n/clevel-2.php
Difficulty: Easy
Solution: This one was easy because I had recently finished reading The Code Book by Simon Singh. The book's appendix contains an explanation of the symbol substitution. This has also been depicted in the Dan Brown book, The Lost Symbol. This is a mono-alphabetic simple geometric substitution cipher called the Pigpen Cipher (also called the Masonic Cipher).
For people who have never heard of this before, a quick Google search for "Image Ciphers" also provides obvious clues to this being a Pigpen Cipher substituted string. Decoding this is straightforward with the help of the following key.

The code then translates to the string "FLAGISTHENAMEGIVENTOTHEENLIGHTENEDGROUP". A quick Google search for "name given to the enlightened group" gives "Illuminati" as the first result, which also happens to be the flag!!

Crypto Level 3
URL: http://nullcon.net/challenge/c0c0n/clevel-3.php
Difficulty: Average
Solution: The level description was the hint. This is written in the Braille system, which is a method that is widely used by blind people to read and write, and was the first digital form of writing (source: Wikipedia). Using a Braille character chart, the above text can be decoded to:

I devised Braille in 1825 based on a method of communication originally developed by Charles Barbier. Who am I?

Google and general knowledge tells you the answer is Louis Braille, which also happens to be the flag!
Programming Levels

Programming Level 1
URL: http://nullcon.net/challenge/c0c0n/plevel-1.php
Difficulty: Hard
Solution: This level was one of the crappiest. I finally wrote a python script to generate the necessary number. The pseudocode is as below:

    a = 0
    b = a + 1
    for (x = 0 to 31334)
        c = a + b
        a = b
        b = c
    a = hex(c)
    for (x = 0 to len(a))
        if (x mod 3 == 0)
            p = a.position(x - 1)
            b = b + todecimal(p)
    print b

The final answer that the script would generate is 13590, which is the flag for this level.
Programming Level 2
URL: http://nullcon.net/challenge/c0c0n/plevel-2.php
Difficulty: Average
Solution: A quick Google search for "Goldbach Partition" or "Goldbach's Conjecture" generates a lot of helpful results. Basically, it states that every even integer greater than 2 can be expressed as the sum of two primes.

There are two ways of doing this: Method 1 is to write a program to identify all primes smaller than 13590 and then check all combinations of their sums for ones that equal 13590. A comma separated list of the result would be the answer.

Method 2 is for the lazy types like me. Google for an online generator, which although it sounds like a straightforward job requires some special Googling skills. Format the output in CSV format and paste it in the flag box.

The flag is the following string of numbers:

13,13577,23,13567,37,13553,53,13537,67,13523,103,13487,113,13477,127,13463,139,13451,149,13441,173,13417,179,13411,191,13399,193,13397,223,13367,251,13339,263,13327,277,13313,281,13309,293,13297,331,13259,349,13241,373,13217,419,13171,431,13159,439,13151,443,13147,463,13127,487,13103,491,13099,541,13049,547,13043,557,13033,587,13003,607,12983,617,12973,631,12959,673,12917,683,12907,691,12899,701,12889,761,12829,769,12821,809,12781,827,12763,877,12713,887,12703,919,12671,937,12653,953,12637,971,12619,977,12613,1013,12577,1021,12569,1049,12541,1051,12539,1063,12527,1087,12503,1093,12497,1103,12487,1117,12473,1153,12437,1181,12409,1213,12377,1217,12373,1289,12301,1301,12289,1321,12269,1327,12263,1427,12163,1429,12161,1433,12157,1447,12143,1471,12119,1481,12109,1483,12107,1489,12101,1493,12097,1549,12041,1553,12037,1579,12011,1583,12007,1609,11981,1619,11971,1621,11969,1637,11953,1657,11933,1663,11927,1667,11923,1693,11897,1723,11867,1759,11831,1777,11813,1783,11807,1789,11801,1801,11789,1811,11779,1847,11743,1871,11719,1873,11717,1889,11701,1901,11689,1913,11677,1933,11657,1973,11617,1993,11597,1997,11593,2003,11587,2011,11579,2039,11551,2063,11527,2087,11503,2099,11491,2143,11447,2153,11437,2179,11411,2207,11383,2221,11369,2237,11353,2239,11351,2269,11321,2273,11317,2311,11279,2333,11257,2339,11251,2347,11243,2351,11239,2377,11213,2393,11197,2417,11173,2441,11149,2459,11131,2473,11117,2477,11113,2503,11087,2521,11069,2531,11059,2543,11047,2617,10973,2633,10957,2687,10903,2699,10891,2707,10883,2729,10861,2731,10859,2753,10837,2791,10799,2801,10789,2819,10771,2837,10753,2851,10739,2857,10733,2861,10729,2879,10711,2903,10687,2927,10663,2939,10651,2963,10627,3001,10589,3023,10567,3061,10529,3089,10501,3137,10453,3163,10427,3191,10399,3221,10369,3253,10337,3257,10333,3259,10331,3301,10289,3319,10271,3323,10267,3331,10259,3343,10247,3347,10243,3413,10177,3449,10141,3457,10133,3491,10099,3499,10091,3511,10079,3529,10061,3581,10009,3583,10007,3617,9973,3623,9967,3659,9931,3719,9871,3733,9857,3739,9851,3761,9829,3779,9811,3803,9787,3821,9769,3823,9767,3847,9743,3851,9739,3911,9679,3929,9661,3947,9643,3967,9623,3989,9601,4003,9587,4051,9539,4057,9533,4079,9511,4093,9497,4099,9491,4111,9479,4127,9463,4129,9461,4153,9437,4157,9433,4159,9431,4177,9413,4219,9371,4241,9349,4253,9337,4271,9319,4297,9293,4349,9241,4363,9227,4391,9199,4409,9181,4457,9133,4463,9127,4481,9109,4523,9067,4547,9043,4549,9041,4561,9029,4583,9007,4591,8999,4621,8969,4639,8951,4649,8941,4657,8933,4703,8887,4723,8867,4729,8861,4751,8839,4759,8831,4783,8807,4787,8803,4871,8719,4877,8713,4909,8681,4943,8647,4967,8623,4993,8597,5009,8581,5051,8539,5077,8513,5147,8443,5167,8423,5171,8419,5227,8363,5237,8353,5261,8329,5273,8317,5279,8311,5297,8293,5303,8287,5347,8243,5381,8209,5399,8191,5419,8171,5443,8147,5479,8111,5501,8089,5503,8087,5521,8069,5531,8059,5573,8017,5581,8009,5639,7951,5641,7949,5653,7937,5657,7933,5683,7907,5689,7901,5711,7879,5717,7873,5737,7853,5749,7841,5801,7789,5849,7741,5867,7723,5903,7687,5987,7603,6007,7583,6029,7561,6043,7547,6053,7537,6067,7523,6073,7517,6091,7499,6101,7489,6113,7477,6131,7459,6133,7457,6173,7417,6197,7393,6221,7369,6257,7333,6269,7321,6337,7253,6343,7247,6353,7237,6361,7229,6379,7211,6397,7193,6469,7121,6481,7109,6521,7069,6547,7043,6551,7039,6563,7027,6571,7019,6577,7013,6599,6991,6607,6983,6619,6971,6673,6917,6679,6911,6691,6899,6719,6871,6733,6857,6761,6829,6763,6827

Programming Level 3 - Unsolved
URL: http://nullcon.net/challenge/c0c0n/plevel-3.php
Difficulty: Double WTF!
Solution: The guys who thought of this level get some extra credit. The level description presents an MD5 hash that supposedly is the MD5 of the password (flag) for this level. However a quick look at the page source code shows the following HTML comment.

The server code logic, if it uses this pseudo code, takes the input value from the user submitted form, MD5 hashes it and then compares only the first 8 characters with an internal hash (which happens to be the MD5 hash printed on the page).

In simpler words, you would need to input a string whose MD5 hash's first 4 bytes (8 hex characters) match "a180ce8a". This sounds awfully easy and looks possible since there exist multiple strings whose MD5 hashes' first 8 characters match.

How wrong I was!! The MD5 algorithm has been developed in such a way that a minimal change (even a single bit) results in a completely different hash. MD5 is now known to have collisions, which means that 2 unique data sets can be created with identical MD5 hashes. However generating a plain text with a predefined hash, also called a pre-image collision, still remains nearly impossible. The best we can do is brute force by generating multiple possible combinations of data and attempt to match hashes.

It is true that there are multiple strings whose MD5 hashes have common first 8 characters, however it was not true in this case. Or maybe I should have attempted a comparison with a larger data set. I generated over 3 million unique character combinations and attempted to match the first 8 characters of the hashes, but after several hours of full CPU utilization I still had no luck. I am sure this is achievable but requires a larger data set and a faster processor. For the adventurous, here's my python code:

I ran it for a little over 8 hours and was not able to find any string which satisfied the script. I am currently running a more complex version of this script on a more powerful server back in office for the past 3 days, hoping to see something before the end of this week.
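Method 1 for Programming Level 2 above (sieve the primes below 13590, pair them up, emit CSV), as an added example rather than the author's own script or the online generator he used:

```python
from typing import List, Tuple


def primes_up_to(n: int) -> List[int]:
    """Sieve of Eratosthenes: every prime <= n, ascending."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            # Knock out every multiple of i starting at i*i.
            sieve[i * i::i] = bytes(len(range(i * i, n + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def goldbach_partitions(n: int) -> List[Tuple[int, int]]:
    """All unordered prime pairs (p, q), p <= q, with p + q == n, ordered by p."""
    if n <= 2 or n % 2:
        raise ValueError("Goldbach partitions are defined for even n > 2")
    primes = primes_up_to(n)
    prime_set = set(primes)
    # Only keep p <= q so each partition appears once, as in the level's flag.
    return [(p, n - p) for p in primes if p <= n - p and (n - p) in prime_set]


def as_flag(pairs: List[Tuple[int, int]]) -> str:
    """Flatten the pairs into the comma-separated string the level's flag box expected."""
    return ",".join(f"{p},{q}" for p, q in pairs)


if __name__ == "__main__":
    print(as_flag(goldbach_partitions(13590)))
```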
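To make concrete what the Level 3 comparison buys an attacker, here is an added example (the author's script is not reproduced on the page, so this is not it): the truncated check as the HTML comment describes it beside a full constant-time check, plus the expected work for an n-hex-character prefix. Only the prefix "a180ce8a" is from the level; the remainder of the stored hash is a constructed placeholder, and the search demo uses a 3-character prefix so it finishes in seconds.

```python
import hashlib
import hmac
from typing import Optional

# Only "a180ce8a" is from the level; the trailing zeros are a constructed placeholder.
STORED_HASH = "a180ce8a" + "0" * 24


def truncated_check(candidate: str, stored_hash: str, prefix_len: int = 8) -> bool:
    """The level's logic: accept when only the first prefix_len hex chars agree."""
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return digest[:prefix_len] == stored_hash[:prefix_len]


def full_check(candidate: str, stored_hash: str) -> bool:
    """Hardened form: compare the whole 32-char digest, in constant time."""
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def expected_trials(prefix_len: int) -> int:
    """Average number of distinct inputs before one matches a given hex prefix: 16**n.

    Eight hex characters is 32 bits, so the truncated check is a 2**32 search,
    not the 2**128 pre-image search the full digest would demand.
    """
    return 16 ** prefix_len


def first_prefix_match(prefix: str, max_trials: int) -> Optional[str]:
    """Walk deterministic counter strings until one's MD5 starts with prefix; None on budget exhaustion."""
    for i in range(max_trials):
        candidate = f"c0c0n-{i}"
        if hashlib.md5(candidate.encode("utf-8")).hexdigest().startswith(prefix):
            return candidate
    return None
```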
Reverse Engineering Levels

Reversing Level 1
URL: http://nullcon.net/challenge/c0c0n/rlevel-1.php
Difficulty: Average
Solution: This level is straightforward if you know the right tools. APK files are compressed archives of xml and dex files. A tool like Dex2jar can be used to extract the jar file from the cocon_apk.apk and jd-gui can be used to decompile the jar file. The jar contained a public function called show_key that returned a string.

The function, if carefully analyzed, produces the MD5 of the string "Key:Value;Challange:cocon;Date:" and the system date. The system date is found in the HTML source code of the page.

The flag for this level would then be MD5(Key:Value;Challange:cocon;Date:2011-10-16) which is f5d2fe1f612f022ee9033667963f5ae6
Reversing Level 2
URL: http://nullcon.net/challenge/c0c0n/rlevel-2.php
Difficulty: Easy
Solution: The level description gives the hint regarding this having something to do with .NET. In any case, when you download the program you can run it through strings to find the following output.

Since this was a .NET application, I opened it using .NET Reflector to do an analysis. The button1_click event contained some promising code.
The hex encoded text decodes to CeCmmUxzvPAIAVA9Udiv5ab07Q which is the flag for this level.

Reversing Level 3
URL: http://nullcon.net/challenge/c0c0n/rlevel-3.php
Difficulty: Hard
Solution: The cookpie.zip file contains a cookiepie.pyc file which is a compiled executable python file. What makes this level difficult is that there are very few python decompilers available. Depython, an online python decompilation service, does not decompile version 2.6 compiled python files, which was the version in which cookpie was compiled.

I used a decompiler called Decompyle on Ubuntu and was provided with a pseudo bytecode/assembly style output. The de-compiled output contained references to 3 variables: C0C09CTF, PIEKING and DUMPMENOT. The final flag was the MD5 output of a combination of the username and the 3 variables. Here's the decompiled output of the pyc file. The interesting stuff happens in section 16 of the following decompiled code.
    magic d1f20d0a
    moddate ead78c4e (Wed Oct 5 22:19:22 2011)
      2           0 LOAD_CONST               0 (-1)
                  3 LOAD_CONST               1 (None)
                  6 IMPORT_NAME              0 (re)
                  9 STORE_NAME               0 (re)
      3          12 LOAD_CONST               0 (-1)
                 15 LOAD_CONST               1 (None)
                 18 IMPORT_NAME              1 (os)
                 21 STORE_NAME               1 (os)
      4          24 LOAD_CONST               0 (-1)
                 27 LOAD_CONST               1 (None)
                 30 IMPORT_NAME              2 (hashlib)
                 33 STORE_NAME               2 (hashlib)
      5          36 LOAD_CONST               2 (welcome to COCON CTF)
                 39 PRINT_ITEM
                 40 PRINT_NEWLINE
      6          41 LOAD_CONST               3 (C0C09CTF)
                 44 STORE_NAME               3 (val)
      7          47 LOAD_CONST               4 (PIEKING)
                 50 STORE_NAME               4 (val243)
      8          53 LOAD_NAME                5 (raw_input)
                 56 LOAD_CONST               5 (Please enter your userid :)
                 59 CALL_FUNCTION            1
                 62 STORE_NAME               6 (nm)
      9          65 LOAD_CONST               6 (DUMPMENOT)
                 68 STORE_NAME               7 (val542)
     10          71 LOAD_NAME                5 (raw_input)
                 74 LOAD_CONST               7 (Please enter your key : )
                 77 CALL_FUNCTION            1
                 80 STORE_NAME               8 (key)
     11          83 LOAD_NAME                2 (hashlib)
                 86 LOAD_ATTR                9 (md5)
                 89 LOAD_NAME                6 (nm)
                 92 CALL_FUNCTION            1
                 95 LOAD_ATTR               10 (hexdigest)
                 98 CALL_FUNCTION            0
                101 LOAD_ATTR               11 (upper)
                104 CALL_FUNCTION            0
                107 STORE_NAME              12 (md)
     12         110 LOAD_CONST               8 ()
                113 STORE_NAME              13 (y)
     13         116 SETUP_LOOP              44 (to 163)
                119 LOAD_NAME               12 (md)
                122 GET_ITER
            >>  123 FOR_ITER                36 (to 162)
                126 STORE_NAME              14 (x)
     14         129 LOAD_NAME               13 (y)
                132 LOAD_NAME               15 (str)
                135 LOAD_NAME               16 (ord)
                138 LOAD_NAME               14 (x)
                141 CALL_FUNCTION            1
                144 LOAD_CONST               9 (2)
                147 BINARY_XOR
                148 LOAD_CONST              10 (10)
                151 BINARY_MODULO
                152 CALL_FUNCTION            1
                155 BINARY_ADD
                156 STORE_NAME              13 (y)
                159 JUMP_ABSOLUTE          123
            >>  162 POP_BLOCK
     15     >>  163 LOAD_NAME               13 (y)
                166 LOAD_NAME                8 (key)
                169 COMPARE_OP               2 (==)
                172 JUMP_IF_FALSE           63 (to 238)
                175 POP_TOP
     16         176 LOAD_CONST              11 (key is )
                179 LOAD_NAME                2 (hashlib)
                182 LOAD_ATTR                9 (md5)
                185 LOAD_NAME                3 (val)
                188 LOAD_NAME                6 (nm)
                191 LOAD_CONST               1 (None)
                194 LOAD_CONST               1 (None)
                197 LOAD_CONST               0 (-1)
                200 BUILD_SLICE              3
                203 BINARY_SUBSCR
                204 BINARY_ADD
                205 LOAD_NAME                6 (nm)
                208 BINARY_ADD
                209 LOAD_NAME                4 (val243)
                212 BINARY_ADD
                213 LOAD_NAME                7 (val542)
                216 BINARY_ADD
                217 CALL_FUNCTION            1
                220 LOAD_ATTR               10 (hexdigest)
                223 CALL_FUNCTION            0
                226 LOAD_ATTR               11 (upper)
                229 CALL_FUNCTION            0
                232 BINARY_ADD
                233 PRINT_ITEM
                234 PRINT_NEWLINE
                235 JUMP_FORWARD            11 (to 249)
            >>  238 POP_TOP
     18         239 LOAD_CONST              12 (Key is to try harder, not everything is found by executing files)
                242 PRINT_ITEM
                243 PRINT_NEWLINE
     19         244 LOAD_CONST              13 (BTW i forgot to code the data stealer in this, although would have loved to)
                247 PRINT_ITEM
                248 PRINT_NEWLINE
            >>  249 LOAD_CONST               1 (None)
                252 RETURN_VALUE
    consts
      -1
      None
      welcome to COCON CTF
      C0C09CTF
      PIEKING
      Please enter your userid :
      DUMPMENOT
      Please enter your key : 
      2
      10
      key is 
      Key is to try harder, not everything is found by executing files
      BTW i forgot to code the data stealer in this, although would have loved to
    names (re, os, hashlib, val, val243, raw_input, nm, val542, key, md5, hexdigest, upper, md, y, x, str, ord)
    varnames ()
    freevars ()
    cellvars ()
    filename /home/anant/Desktop/CTF work/cookpie.py
    name <module>
    firstlineno 2
    lnotab 0c010c010c010501060106010c0106010c011b0106010700060122010d013f020501
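The listing above, read back into source as an added example (a reconstruction from the disassembly, not Anant's original cookpie.py, and in Python 3 rather than the 2.6 the .pyc was built with): lines 11 to 14 derive a digit string from the userid, line 15 compares it with the entered key, and line 16 builds the flag from the three constants and the userid.

```python
import hashlib

# Constants lifted from the listing (LOAD_CONST 3, 4 and 6).
VAL = "C0C09CTF"
VAL243 = "PIEKING"
VAL542 = "DUMPMENOT"


def derive_key(nm: str) -> str:
    """Lines 11-14: md = MD5(nm).hexdigest().upper(); y += str((ord(x) ^ 2) % 10) for x in md."""
    md = hashlib.md5(nm.encode("utf-8")).hexdigest().upper()
    return "".join(str((ord(x) ^ 2) % 10) for x in md)


def flag_for(nm: str) -> str:
    """Line 16: MD5(val + nm[::-1] + nm + val243 + val542).hexdigest().upper()."""
    combined = VAL + nm[::-1] + nm + VAL243 + VAL542
    return hashlib.md5(combined.encode("utf-8")).hexdigest().upper()


def run(nm: str, key: str) -> str:
    """The module body as a function: returns the line the original printed for a userid and key."""
    if derive_key(nm) == key:
        return "key is " + flag_for(nm)
    return ("Key is to try harder, not everything is found by executing files\n"
            "BTW i forgot to code the data stealer in this, although would have loved to")


if __name__ == "__main__":
    print("welcome to COCON CTF")
    userid = input("Please enter your userid :")
    entered = input("Please enter your key : ")
    print(run(userid, entered))
```

Because the key is a pure function of the userid, derive_key(nm) is exactly what the program wants typed at the second prompt, which is why the author could skip running the binary and compute the flag directly.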
The flag can be deduced from the decompiled code and was the MD5 of the following combination: C0C09CTF + <username_in_reverse> + <username> + PIEKING + DUMPMENOT. The flag is obviously different for every user, or at least for the username that is provided in the text box on the flag submission page.

Log Analysis Levels

Log Analysis Level 1
URL: http://nullcon.net/challenge/c0c0n/llevel-1.php
Difficulty: Easy
Solution: This was pretty easy, mostly because of the amount of attention this had got on Full Disclosure a few weeks ago. Anyways, the dump.zip contained a packet capture, and thanks to the creators contained a LOT of redundant data.

Opening this file with Wireshark showed standard HTTP traffic, but what was noticeable was a number of HTTP HEAD requests. A quick look at the header information via the Follow TCP Stream option in Wireshark showed a long string of numbers being sent in the Range header. Since I had already worked on this Denial of Service exploit before, the data appeared familiar. In any case, a Google search for Range Bytes vulnerability produces several promising results.

The CVE-ID for this vulnerability was CVE-2011-3192 and the attacker's IP clearly was
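The tell the author spotted in the capture, a Range header carrying a long run of byte ranges, is easy to turn into a detection rule. This is an added example (not from dump.zip; both requests are constructed here) that pulls the Range header out of a raw HTTP request, counts its ranges and flags anything above a threshold. The threshold value is an assumption for illustration, not a figure from the page or from Apache.

```python
import re
from typing import Optional

# Constructed HTTP requests in the shape the capture showed (not taken from dump.zip).
NORMAL_REQUEST = (
    "HEAD /index.html HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Range: bytes=0-499\r\n\r\n"
)
FLOOD_REQUEST = (
    "HEAD /index.html HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Range: bytes=" + ",".join(f"{i}-{i}" for i in range(300)) + "\r\n\r\n"
)

# Apache also honoured the legacy Request-Range header, so match both spellings.
RANGE_RE = re.compile(r"^(?:Request-)?Range:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def range_header(request: str) -> Optional[str]:
    """Value of the Range (or Request-Range) header, or None if the request has none."""
    m = RANGE_RE.search(request)
    return m.group(1) if m else None


def count_byte_ranges(value: str) -> int:
    """How many comma-separated ranges a value such as 'bytes=0-1,2-3' carries."""
    if "=" not in value:
        return 0
    spec = value.split("=", 1)[1]
    return sum(1 for part in spec.split(",") if part.strip())


def is_range_flood(request: str, threshold: int = 50) -> bool:
    """True when one request asks for more byte ranges than an ordinary client would (threshold is illustrative)."""
    value = range_header(request)
    return value is not None and count_byte_ranges(value) > threshold
```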
Log Analysis Level 2
URL: http://nullcon.net/challenge/c0c0n/llevel-2.php
Difficulty: Average
Solution: This level involved reading an Apache log to identify the name of the database and the table that was accessed by the attacker. As usual the creators of this level used whatever means possible to bury this information as deep as possible, since the log contained a LOT of redundant GET requests to the server, including requests caused by running Grendel Scan!

If you scroll down slowly through the file, you will see that SQLMAP was used to exploit a SQL Injection vulnerability and a LOT of requests show that database and table name enumeration was performed. The following image shows the database name encoded in one of the requests. Note that the file was first grepped for sqlmap and then parsed through a URL decoder to clean the output a bit.

The 67,84,70,95,67,48,67,48,57 can be quickly ASCII equated to CTF_C0C09 and the table name can be obtained by constructing the characters from each log entry that reads table_schema=CTF_C0C09.

Database name: CTF_C0C09
Table name: key_efd231b97af472e52f2a5413bde54b3f
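The three steps above (grep for sqlmap, URL-decode, turn the CHAR() code list into ASCII) as one script, an added example run over constructed access-log lines rather than the level's actual log; only the code list 67,84,70,95,67,48,67,48,57 and the sqlmap/Apache shape come from the page.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed Apache access-log lines in the shape the level's log had (not the CTF's own log).
ACCESS_LOG = [
    '10.0.0.5 - - [16/Oct/2011:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Oct/2011:12:00:02 +0000] "GET /index.php?id=1%20AND%20'
    'table_schema%3DCHAR(67,84,70,95,67,48,67,48,57) HTTP/1.1" 200 512 "-" "sqlmap/0.9"',
    '10.0.0.9 - - [16/Oct/2011:12:00:03 +0000] "GET /index.php?id=1%20AND%20'
    'ORD(MID((SELECT%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20'
    'table_schema%3DCHAR(67,84,70,95,67,48,67,48,57)%20LIMIT%200,1),1,1))%3E64 HTTP/1.1"'
    ' 200 512 "-" "sqlmap/0.9"',
]

# A CHAR(...) call whose arguments are a comma-separated list of integers.
CHAR_CALL_RE = re.compile(r"CHAR\(\s*([\d\s,]+?)\s*\)", re.IGNORECASE)


def sqlmap_lines(lines: List[str]) -> List[str]:
    """Step 1: grep the log for sqlmap (whole line, case-insensitive)."""
    return [line for line in lines if "sqlmap" in line.lower()]


def ascii_from_codes(codes: str) -> str:
    """Step 3: turn '67,84,70,...' into the characters those codes stand for."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())


def char_calls(line: str) -> List[str]:
    """Steps 2 and 3: URL-decode the line, then decode every CHAR(...) call in it."""
    decoded = unquote_plus(line)
    return [ascii_from_codes(m) for m in CHAR_CALL_RE.findall(decoded)]


def recovered_strings(lines: List[str]) -> List[str]:
    """Distinct decoded CHAR() strings across all sqlmap requests, in first-seen order."""
    seen: List[str] = []
    for line in sqlmap_lines(lines):
        for s in char_calls(line):
            if s.strip() and s not in seen:
                seen.append(s)
    return seen
```

The table name is not recoverable this way: sqlmap enumerates it one character at a time through ORD(MID(...)) comparisons like the third line, so you need the response sizes or codes for each request, which is the character-by-character reconstruction the author describes.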
Log Analysis Level 3
URL: http://nullcon.net/challenge/c0c0n/llevel-3.php
Difficulty: Easy
Solution: This was an interesting level mostly because I work a lot with Process Monitor. I finished this level in less than 5 minutes, making it the fastest level that I had played in the entire CTF. And coincidentally, I had analyzed the same malware a few weeks ago, hence I knew the answers as soon as I found a single reference to it in the PML file.

The infectedlog.zip contained a .pml file which is basically a Process Monitor saved session. To find unwanted process activity in Process Monitor, you can eliminate known Windows processes till you hit an unwanted/unknown application, as I did till I stopped at mluchaby.exe.

The process image had all the properties that most common Windows malware possess: located in the Windows folder, a description that made it sound important, no company description etc.
The Chinese characters in the description of the process translate to Foundation Classes Application, which meant that it was a Windows MFC application. A quick Google search for mluchaby.exe shows that it is part of the Rustock botnet malware family. Finding the parent process was trivial since we could obtain the Parent Process ID, which was 1956, from the properties page of the mluchaby.exe process. Removing all applied filters and quickly applying an Include Process PID = 1956 filter gave Explorer.exe as the result.
There was however some confusion with the malware family name since Rustock is also known by several other names. However, the answer to the malware family was the TDSS/TDL/Alureon family and not Rustock, which I still believe to be an error on the part of the level developers. However, considering how this is such a rare oversight and in the spirit of the CTF, it's alright. The final answers are as follows:

Malware family: TDL/TDSS/Alureon
Service: mluchaby
Parent Executable: Explorer.exe

Last words

It was a brilliant CTF (mostly because I won), considering the variation in all the levels and the number of people who worked on this, I must commend them on the awesome stuff. Greetz to corrupt, Anant, Pushkar and all the others who worked on this!

- Riyaz Walikar a.k.a karniv0re
- http://www.riyazwalikar.com
- End of File -