Tuesday, September 27, 2011

hack.lu CTF 2011 - Quals Writeup Collection

Cryptography
power security tokens(300)
http://smokedchicken.org/2011/09/hacklu-ctf-power-security-tokens.html
simplerxor (200)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-simplexor-200/
http://hathacker.com/write-up/write-up-ctf-hack-lu-2011-simplexor/
spy aboard! (300)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-spy-aboard-300/
Wipe out the Klingons (400)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-wipe-out-the-klingons-400/

Reversing 
Antique space shuttle (300)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-antique-space-shuttle-300/
http://research.shell-storm.org/files/research-20.php
BorgBinary (150)
FluxScience (450)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-fluxscience-450/
Python Crackme (100)
http://blog.beford.org/2011/09/22/hack-lu-2011-ctf-%E2%80%93-python-crackme-solution/
Space Station 0xA1EA512A (100)
Space Station 0xB321054A (300)
http://leetmore.ctf.su/wp/hack-lu-ctf-2011-space-station-0xb321054a-300/
http://research.shell-storm.org/files/research-22-en.php

Forensic
Borg-Bureaucrats (400)
Romulan Business Network (250)
http://esec-lab.sogeti.com/post/Hack.lu-CTF-2011-Write-up-:-Romulan-Business-Network
Torrent Challenge (100)
http://research.shell-storm.org/files/research-23-en.php
Web 
AALabs (Part 1) (200)
http://websec.wordpress.com/2011/09/26/hack-lu-ctf-2011-challenge-writeup-%E2%80%93-aalabs-part-1/
AALabs (Part 1) (300)
Cache (150)
Freelancer (400)
http://research.shell-storm.org/files/research-21-en.php
Secret Space Code (500)
http://websec.wordpress.com/2011/09/27/hack-lu-ctf-2011-challenge-writeup-%E2%80%93-secret-space-code/
Space Journal (250)
Wookie Party Pic (200)

Network
Deathstar Escape (300)
http://blog.activalink.org/?p=127
http://hathacker.com/write-up/write-up-ctf-hack-lu-2011-deathstar-escape/
Human vs Aliens (300)

Other
Hidden Challenges (150)
http://secgroup.ext.dsi.unive.it/2011/09/23/hack-lu-2011-ctf-write-up-hidden-challenge/
Nebula DB Systems (400)
http://www.vnsecurity.net/2011/09/hack-lu-ctf-2011-nebula-db-systems/
Nebula Death Stick Services (500)
http://www.vnsecurity.net/2011/10/hack-lu-ctf-2011-nebula-death-stick-services-writeup/
Pan Galactic Gargle Blaster (100)
Scooty's last signal (100)
http://blog.beford.org/2011/09/21/hack-lu-2011-ctf-scottys-last-signal-solution/
http://esec-lab.sogeti.com/post/Hack.lu-CTF-2011-Write-up-:-Scotty-s-last-signal
Unknown Planet (200)
http://k3ys3c.blogspot.com/2011/09/ctf-hacklu-2011-unknown-planet.html
http://secgroup.ext.dsi.unive.it/2011/09/23/hack-lu-2011-ctf-write-up-unknown-planet/ 
http://zed.0xff.me/2011/09/21/hack-lu-2011-ctf-unknown-planet-writeup

Miscellaneous:
http://esec-lab.sogeti.com/post/Hack.lu-CTF-2011-Write-up-:-FluxScience
http://gu1.aeroxteam.fr/2011/09/26/hacklu-csaw-2011-writeup-crackjack/
http://k3ys3c.blogspot.com/2011/09/ctf-quals-csaw-2011-reversing-net.html
http://www.int3pids.com/2011/09/csaw-2011-ctf-quals-reversing-net1-200.html

Python 200
http://blog.beford.org/2011/09/26/csaw-2011-reversing-python-200/

Write up collections :
http://rogunix.com/ctf/hacklu2011.html

Friday, June 10, 2011

Defcon 19 - Quals Writeup Collection

Forensics
100
http://blizz.se/f100.html
http://www.bryceboe.com/2011/06/05/defcon-19-quals-forensics-100-and-forensics-300-solution/
http://daxnitro.com/quals/f100.html
http://n.pentest.jp/?p=1018
http://www.phx2600.org/archive/2011/06/05/forensics-100-defcon-ctf-quals/
200
http://murachue.ddo.jp/web/diary.cgi?mode=past&query=201106#20110611
300
http://daxnitro.com/quals/f300.html
http://blog.securestate.com/post/2011/06/06/DEFCON-19-CTF-Quals-Forensics-300.aspx
400
http://gn00bz.phearless.org/for400writeup.txt
Grab Bag
100
http://michele.spagnuolo.me/articles/web-security/defcon-ctf19-quals-grab-bag-100-writeup.html
http://blog.delroth.net/2011/06/defcon-19-ctf-grab-bag-100-gb100-writeup/
200
http://nonroot.blogspot.com/2011/06/writeup-gb200-ctf-quals-defcon.html
http://n.pentest.jp/?p=1032
http://securityblackswan.blogspot.com/2011/06/defcon-19-ctf-qualifiers-gb200.html
Binary L33tness
100
http://daxnitro.com/quals/b100.html
http://blog.securestate.com/post/2011/06/06/Defcon-19-CTF-Pre-Quals-Binary-100-Challenge.aspx
300
http://wepma.blogspot.com/2011/06/solving-binary-300-from-defcon-2011.html
http://blog.delroth.net/2011/06/defcon-19-ctf-binary-l33tness-300-b300-writeup/
Retro Revisited
100
http://daxnitro.com/quals/rr100.html
http://www.n00bz.net/blog/2011/6/5/defcon-19-quals-retro-revisited-100-walk-thru.html
200
http://daxnitro.com/quals/rr200.html
300
http://howto.shell-storm.org/files/howto-16-en.php
http://blizz.se/rr300.html
http://files.skyshadows.net/ctf/retro300.txt
http://coma.0x3f.net/vulnerability/defcon-quals-19-retro-revisited-300/
400
http://leetmore.ctf.su/wp/defcon-ctf-quals-2011-retro-400/
500
http://dpaste.com/hold/551499/
http://pastebin.com/nH0zte5D
Potent Pwnables
100
http://daxnitro.com/quals/pp100.html
http://leetmore.ctf.su/wp/defcon-ctf-quals-2011-pwnables-100/
200
http://leetmore.ctf.su/wp/defcon-ctf-quals-2011-pwnables-200/
http://auntitled.blogspot.com/2011/06/defcon-19-quals-pwntent-pwnables-200.html
http://blog.lucainvernizzi.net/2011/06/defcon-quals-19-pwtent-pwnable-200.html
http://daxnitro.com/quals/pp200.html
300
http://securityblackswan.blogspot.com/2011/06/defcon-19-ctf-qualifiers-pp300.html
400
http://leetmore.ctf.su/wp/defcon-ctf-quals-2011-pwnables-400/
500
http://2011.6.6.defcon-19-ctf-qualifications-pp500.blog.oxff.net/
http://blog.oxff.net/2011/6/6/defcon-19-ctf-qualifications-pp500.html
http://smokedchicken.org/2011/06/defcon19-pp500-write-up-and-exploit.html

Writeup collection 
http://ctfcentral.org/writeups/index.php?title=Entire_Collection
http://rogunix.com/defconquals19.html
http://t.negativefoo.org/post/6235620215/dc19-ctf-quals-writeups
http://daxnitro.com/quals/

Saturday, May 07, 2011

Winner : Forensic Challenge 7 - Honeynet Project

Today I received communication from the Honeynet Project declaring the results of Forensic Challenge 7, and I am happy to see that my submission was accepted.

Reference URI : http://honeynet.org/node/667

Saturday, April 16, 2011

Review of Inside Cyber Warfare

I would like to start off by thanking Jeff Carr for his valuable insights and the deeply thought-provoking information in Inside Cyber Warfare (ICW). Though I bought this book based only on its catchy title, it has provided me with more than just information: it has showcased the depth at which we need to take active notice of the field of information security.

Recent incidents, from RSA, Epsilon, Comodo and WordPress back to the older incidents of Titan Rain and GhostNet, have clearly shown that attacks happen not just against individual resources or infrastructures; they can be coordinated, and the impact of such incidents may be large enough to affect the lives of common people, including civilians.

The author provides notable references on the cyber offensive capabilities of Russia and China in Chapter 11. In Chapter 2, "The Rise of the Non-State Hacker", Jeff quotes extensively from hacker profiles, which has to be highly appreciated considering the amount, depth and reliability he brings in with his experience in cyber intelligence.

Another point I would like to highlight is that the offensive capabilities of China have generally not been seen in website defacements, whereas the opposite has been the case for Russia. Although both powers have established systems for cyber warfare, the ideals and goals of the two countries are found to be very different. Attacks of the Titan Rain and GhostNet kind are focused more on information and are not visible from outside, though their impact on the attacked parties is high.

With no proper international rules or laws on cyber engagements and cyber war, this book provides some thoughts on the nature of the problem and the task at hand. I am eagerly awaiting the international community's response on cyber warfare and on cyber response methodologies and protocols.

Good and informative reading for sure. I would encourage security folks to have a look at this book.

Tuesday, March 01, 2011

Lessons learnt - CTF

After completing the Nullcon 2011 CTF, I realized the importance and usefulness of such exercises. The brainstorming, the thought-provoking questions, alternative ways of finding solutions and faster resolution of a given problem are all part of any normal CTF, and most scoring mechanisms these days are based on timelines. The faster we solve it, the better the score :)

All that being said, it also made me think a lot about how best we can use those skills in our daily operations. As security professionals, incident management and response, malware analysis, identifying and containing an intrusion, hardening guidelines and updates to such procedures are all part and parcel of our life.

Back to the skills and knowledge gained by completing a CTF: we come across faster means of solving problems and new tools and technologies, which can be put to best use inside organizations and enterprises to raise the security posture.

Let me take some time to share what I learned from this CTF. The techniques ranged from basic web injection to memory analysis, from googling to scripting, password hash extraction and cracking, log analysis and steganography, not to mention the new friends (Anant/Karn/Rahul/the_empty) and the network; it was a fascinating week at large.

I started off with BackTrack 4 R2 as my base station, and listed below are a few of the tools I used or touched during the week of the CTF:
strings
wireshark
Firefox addons(Tamperdata/WebDeveloper)
Volatility
Google (I'm sure you know how to reach this one ;)
Python
Ophcrack


Finally, some gray matter to mix them all into this nice cocktail called CTF. Beyond the tools, it also clearly showed the impact and usefulness of common utilities like strings, Wireshark and Python in incident response and incident handling, and gave me more ideas on how best we can polish our IR process.

Thanks again to the nullcon team for enlightening and refreshing our brain matter with their CTF.

Thinking about the next post .... more tools or CTF writeups ... Keep watching....

Friday, February 25, 2011

Nullcon HackIM 2011 CTF Writeup - Levels 5-12

Level 5


Beautiful wave file; it made us go mad hearing it again and again with the dial tones. After almost a whole day of tinkering with the WAV file, we finally decided to decode it as Morse code, still with no luck. We then attempted to convert the WAV into a meaningful format, decimal, and tried DTMF. Yes, we were able to get a beautiful long sequence of binary numbers. Tried converting those into decimal and got stuck at 69.163.136.179. Hmmmm, it looked so familiar, yet the scorer was not accepting it as the answer. Reaching the IP address through a browser gave a typical HTTP error about a misconfigured server. Hmmm, so sad. One last hint was to try to resolve this IP, and it was nullcon.net. How simple it seemed, yet it was a tough nut to crack during the CTF. Tried entering nullcon.net in the answer field .. yes, finally we made it :)


Hint : Everything isn't always the way it seems to be | Listen it, use your imagination you can't imagine anything else being a hacker

Level 6

The level says simple and nonsense. Tried the strings command as shown below:

root@deva-desktop:/home/deva# strings  helllo_world.exe  |less

abracadabra:Jai Ho Mark stood out from the rest of the found strings. Yes, level 6 was cleared with Jai Ho. It reminds me that sometimes hackers are also lazy, similar to the DefCon prequals ;P


Level 7

Big Brother is Watching You: 


The provided attachment contained a Windows event log. Tried opening it with the classic Windows Event Viewer, got an error and aborted.


Tried using a simple utility and yes, we were able to view the complete list of events. As the input field was waiting for the name of the faulting application, simple filters on the events brought me straight to the line giving us the answer for this level :)




Level 8 


The provided raw dump made us go crazier. Nothing was found. With no hints available and still burning the midnight oil, we were able to identify 4-5 packets showing a different AuthData and AuthType in Wireshark.


After analysing the values, it was found that OSPF and OSPF Hello packets were frequent in this capture, 55 packets in all. Packet 128 showed the AuthType as simple password and the AuthData as prince. Surely this prince was a sign of trouble and a hint, and we analysed the other values:


The next packets showed the AuthType as Cryptographic, and by then the second clue had been released, leading us straight to Cisco's implementation of the date/time in the device. A simple conversion of hex to decimal gave us 0x2b915353 --> 730944339, and an epoch conversion of 730944339 gave us 01 Mar 1993.


Finally we hit the target with that value and yes .. we were allowed into level 9.
I have to agree with everyone who played this CTF: this was the level which took most of our time, in a good way :p
Hint 1 : And I will Reply great vengeance upon them with furious Attack; and they shall know that I am the lorD, when I shall lay my vengeance upon three. Ezekiel 23:28 

Hint 2 : RFC 2328 Section D.3 Cisco Implementation

Level 9
Web asura web asura who is the worst asura of all !

Started trying out default passwords, and it promptly said You are not an administrator. That made us realise it expects only Administrator, so we tried sending Administrator/password, still no luck. Trying administrator with a blank password and blind SQL injection proved futile.

Leechers will be banned, seeders welcome also made us think it might have to do with something other than POST/GET. So we tried sending a blank password value again through the Firefox addon Tamper Data, which drove us straight to another screen identifying the attack. No luck again, so we searched the source code once more, and oh yes, there was a hidden clue: a Base64-encoded text.


With much relief we extracted the value and passed it to a Base64 decoder, which spat out the image attached herewith, containing the password for this level

1337'5BringRevolution

Hint :  Leechers will be banned. Seeders welcome | Bhavnao ko samjho sabdo mey kya rakha hai... | Developers are bound to make mistake that why hackers exist...


Level 10: 

root@deva-desktop:/home/deva# unrar x windump.rar

UNRAR 3.93 freeware      Copyright (c) 1993-2010 Alexander Roshal
Extracting from windump.rar
Extracting  nullconnew.dmp                                            OK
All OK

wget https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.tar.gz

root@deva-desktop:/home/deva/vol# python volatility hivelist -f  ../nullconnew.dmp -o 0x1609ad0
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Address      Name
0xe1696008   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1672358   \Documents and Settings\Administrator\ntuser.dat
0xe1cd46b8   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cd4b60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1cbb7b0   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cb5008   \Documents and Settings\NetworkService\NTUSER.DAT
0xe15e2b60   \WINDOWS\system32\config\software
0xe15eb758   \WINDOWS\system32\config\default
0xe15d9a58   \WINDOWS\system32\config\SECURITY
0xe1607b60   \WINDOWS\system32\config\SAM
0xe13de530   [no name]
0xe101b008   \WINDOWS\system32\config\system
0xe1008ad0   [no name]

root@deva-desktop:/home/deva/vol#  python volatility hashdump -f  ../nullconnew.dmp  -y 0xe101b008 -s 0xe1607b60
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9ecf4ed3de9812827ced31010372159b:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::


A simple crack with the lovely Ophcrack and a small dictionary gave us the username and password for two accounts to clear this level.
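Before handing hashdump output to a cracker, it is worth reading it for the two things a defender cares about: accounts whose NT hash is the hash of the empty string (no password set) and accounts for which a real LM hash is stored at all (LM storage should be disabled). The following is an added example, not code from the writeup or from Volatility; it parses pwdump-style lines as printed above (the five sample lines are copied from the output in this post) and flags both conditions. The two constants are the well-known LM and NT hashes of the empty password.

```python
# Added example (not from the original writeup): parse pwdump-style lines as
# produced by Volatility's hashdump and flag accounts with an empty password
# and accounts for which an LM hash was actually stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Sample input: the hashdump lines shown in the writeup above.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9ecf4ed3de9812827ced31010372159b:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::
"""


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts for well-formed lines.

    Lines that are blank, commented, or do not carry user:rid:lm:nt with two
    32-hex-digit hashes are skipped rather than raising, so a noisy dump
    (deprecation warnings, banners) can be fed in as-is.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def audit(entries):
    """Map each user to a list of findings: 'empty-password', 'lm-stored', or ['ok']."""
    findings = {}
    for e in entries:
        issues = []
        if e["nt"] == EMPTY_NT:
            issues.append("empty-password")   # account has no password at all
        if e["lm"] != EMPTY_LM:
            issues.append("lm-stored")        # LM hash present: trivially crackable
        findings[e["user"]] = issues or ["ok"]
    return findings


if __name__ == "__main__":
    for user, issues in audit(parse_pwdump(SAMPLE)).items():
        print(f"{user:20s} {', '.join(issues)}")
```

On the sample, Administrator and Guest come out as empty-password, prince as lm-stored (the only account with a non-empty LM hash, which is why a small rainbow table is enough for it), and the two service accounts as ok.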




Hint : Open the doors of the Windows, & take a trip down the memory lane

Level 11 :



Solution : copyingallorpartsofaprogramisasnaturaltoaprogrammerasbreathingandasproductiveitoughttobeasfree


Hint : After stumbling upon love ... don't stop there my dear, there is still lots to be done | Don't just accelerate your mind's meter my dear, peep into my heart, for you'll see, safely concealed in it, is a golden key, but if u're at loss bumblebee, take some free help openly from Linus's pet Geeko Mascot Lizard | If geeko don't help ask from his good brother CAMOU.....

Level 12:


$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@kc!@ctqd@cq*h@cqhqa&grc$qiuqci&g@wc^*c$t&qc$&h@cq#*^gwc$tq$c!&iicq^#@i%cstqgr@c%*^#c(@#q(@s$&d@c*ecq@s^#&$%cugc$t@ce^$^#@kc!@c$tqguc$t@cs*hh^g&$%ce*#cq^((*#$&grc^qjc&$c&qc%*^#cq^((*#$c$tq$c!@ctqd@cr#*!gcqgwcq#@cqfi@c$*cq@#d@c$t@cs*hh^g$%c&gcqcf@$$@#c!q%keiqroc%*^cq#@c*^#ct@#*


Lovely text, isn't it ;). This is the content provided in the final round.

The hint was released around 10:00 PM on IRC and madness broke out. As we had already lost more than 4-5 days of rest, I hit the bed and went off to rest. Woke up at around 4 am and the scoreboard showed Anant had already succeeded. Still not losing hope, I started working on the problem keeping the hint in mind:
! = w, @ = e, w = d. It was a simple substitution cipher, and finally I got the answer to clear this level.


the open security community registered non profit society is back with nullcon nullcon goa dwitiya international hacking conference.we have some smashing talks lined up this time around that will surely change your perspective of security in the future.we thank the community for supporting us,it is your $tq$ we have grown and are able to serve the community in better way;you are our hero 
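Once a few plaintext words are known, the rest of the substitution key falls out mechanically: pair each ciphertext symbol with the plaintext letter at the same position and apply the resulting table. The following is an added example, not the writeup's own code; it recovers the key from the opening of the Level 12 ciphertext and of the decrypted text above (the letter c stands for the space), decrypts with it, and reports any symbol that would need two different plaintext letters. That last check matters here: in the text as transcribed on this page the symbol q encodes both s (security, registered) and a (back, goa, dwitiya), which a pure monoalphabetic cipher cannot do, so the function flags it instead of silently picking one.

```python
# Added example (not from the original writeup): recover a monoalphabetic
# substitution key from a known plaintext/ciphertext pair and apply it.
# Sample pair: the opening of the Level 12 ciphertext and decrypted text
# quoted in the writeup ('c' stands in for the space character).
CIPHER = ("$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@w"
          "c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%q")
PLAIN = ("the open security community registered"
         " is back with nullcon nullcon goa dwitiya")


def derive_key(cipher, plain):
    """Build a cipher->plain mapping from aligned known text.

    Returns (key, conflicts). A symbol lands in conflicts when it is paired
    with more than one plaintext letter, which means the text is not a pure
    substitution or was mis-transcribed; the first pairing is kept in key.
    """
    if len(cipher) != len(plain):
        raise ValueError("known plaintext must align with ciphertext")
    key, conflicts = {}, {}
    for c, p in zip(cipher, plain):
        if c in key and key[c] != p:
            conflicts.setdefault(c, {key[c]}).add(p)
        else:
            key.setdefault(c, p)
    return key, conflicts


def apply_key(cipher, key, unknown="?"):
    """Decrypt with the recovered key, marking symbols not yet mapped."""
    return "".join(key.get(c, unknown) for c in cipher)


if __name__ == "__main__":
    key, conflicts = derive_key(CIPHER, PLAIN)
    print(apply_key("$t@cq@s^#&$%", key))        # "the security"
    # The IRC hint (! = w, @ = e, w = d) must agree with the recovered key.
    print(key["!"], key["@"], key["w"])
    print("ambiguous symbols:", conflicts)       # {'q': {'s', 'a'}}
```

The three hint pairs given on IRC are enough to seed the key; the rest comes from guessing common words and letting the conflict report tell you when a guess is wrong.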


Hint: Queen of Witches EnteRed mY hearT, but I did the right thing and let down the f/tart

Nullcon HackIM 2011 CTF Writeup - Levels 0-4



Level 0 :

Initially no hints were provided for level 0 to level 2.

Started off trying blank and admin/admin, admin/password and other common combinations. Still no luck, hence as the next option I decided to look into the source code for hidden clues. The only word in the source code which caught my attention was action="level-0-proc.php", hence I tried replacing "level-0.php" with "level-0-proc.php".

Voila ...... got the congratulations and moved to Level 1.

Hint : I just wanna say one word to you.. just one word.firebug .or you could just mind your 'action'


Level 1 :

The title says Another Idiot Test, hence I looked for hidden clues in the source code and found the encrypted text mentioned below down in the source.


A wild guess that ROT13 might help made me try the following:


deva@deva-desktop:~$ echo fnirorreqevaxjngre  | tr 'a-zA-Z' 'n-za-mN-ZA-M' 
savebeerdrinkwater


Well, it looked interesting; I tried this as the password and yes, I got lucky again :)

Hint :  Dig Deep to find the Treasure

Level 2:

No hints were provided, no guides available; it made me wonder a lot about what was expected. Several searches on Google about the image placed on the page turned out to be of no luck :(

After long moments of searching, I re-looked into the code and found the second comment:
application/x-httpd-php-source
So I started focusing on x-httpd-php-source, and all searches on Google led me to php and phps files. That made me think phpS could be a clue, and I tried to reach level-2-proc.phps. Lucky me again :)


if($_POST['password'] == "microsoftisnteviltheyjustmakereallycrappyoperatingsystems")
Well, what more to do other than try the newly found level 2 password. Time to move to level 3.

Hint :elePHPant arriveS - Courtesy PHPCamp Pune'11(Hint published loooooooong after I cleared off the level, late late hint :D)


Level 3:

my lisa, SmIth and me, Playing a game of words with thee,
Go eat your shorts you worm, as we lost to your fake treachery

My lisa, trivia: it made me narrow down to Melissa, since they also mention a worm and Melissa fits properly. A simple Google search landed me on the Wikipedia page for Melissa, and the author's name looked interesting.
Kwyjibo. Yes, you guessed it right, it's the password to level 4


Level 4: 

Script It!

First Number = 0 Second Number = 0 
Answer = First Number + Second Number + Previous Answer + Product of First Number and Second Number
After This ==> First Number + 1 & Second Number + 2
Final Answer will be the value of 'Answer' when First Number = 31337

Digging into the source gave me U3RhcnQgd2l0aCBQcmV2aW91cyBBbnN3ZXIgPSBGMQ==
A quick online Base64 decoder gave me the hint in clear text: "Start with Previous Answer = F1". Searching for the value of F1 made me look at ASCII values and later landed on the F1 race, which gave 241 as the maximum speed reached by McLaren.

So here is the Python code which moved me across to Level 5 with ease.

fn = 0          # first number
sn = 0          # second number
pr_an = 241     # previous answer, seeded with the "F1" hint
ans = 0
# 31338 iterations: fn starts at 0, so the last pass computes the answer with fn == 31337
for i in range(1, 31339):
    ans = (fn + sn + pr_an) + (fn * sn)
    pr_an = ans
    fn += 1
    sn += 2

print(ans)

Running the script gave me 20517902536450 which helped me reach Level 5.

Hint : Handicapped, am I?

Time for rest now. Will be back later for Levels 5-12.

Sunday, February 06, 2011

Nullcon HackIM 2011 CTF - Finished 5th


Nullcon HackIM CTF 2011, part of the nullcon international conference, presented a beautiful CTF which left many folks racking their heads over multiple scenarios and losing almost 7 days of rest.

Kudos to the moderators corrupt/void; through IRC, helpful hints (:p) were provided which helped a lot of the competing members to clear the CTF.

The number of members registered for the CTF as on 6th Feb 2011 stands at 490.

A quick summary of the challenges is posted below for easy reference.
- Level 0 - HTTP actions - POST/GET
- Level 1 - Hashing algorithm
- Level 2 - PHP scripts
- Level 3 - Computer & Security history
- Level 4 - Custom scripts
- Level 5 - WAV/Binary crack
- Level 6 - EXE file analysis
- Level 7 - Log analysis
- Level 8 - Packet analysis
- Level 9 - CSS/XSS Injection
- Level 10 - Windows Memory analysis
- Level 11 - WPA attack + Tcpdump analysis + Steganography (Added as requested ;)
- Level 12 - Keyboard hack

Thanks to the nullcon team. They made us realise and brush up our skills on all facets, from memory debugging to cracking wireless passwords. Cheers to them.