C0C0N 2011 – CTF Walkthrough
Riyaz Walikar a.k.a karniv0re
http://www.riyazwalikar.com


Greetings fellow readers!! As usual another great CTF has ended and most of us who played this have
lost some hair from their heads with the collective effort of yanking it out or banging our heads on the
nearest walls. On a more serious note, people who thought only 'corrupt' could be nightmarishly
creepy, you can now go ahead and add Anant a.k.a infinity to the list!

Great job guys, to the team who made this possible!!

This was, all in all, an enjoyable event, with the levels being fairly designed to supposedly increase in
order of complexity, frustration and technical incoherence as you progressed. I managed to finish all
except one level, which I will come to in a bit.

The CTF was divided into multiple sections as listed below and each section had 3 levels.

    1.   Crypto Levels – Mostly to do with some sort of cipher/obfuscation/symbol substitution.
    2.   Programming Levels – Programming related questions. People actually had to write programs!!
    3.   Reverse Engineering Levels – Reverse engineering binaries, PYCs and APKs.
    4.   Log Analysis Levels – Analysis of Apache logs, PMLs and Wireshark Pcap dumps.



As is with all CTFs, different people would have different approaches which may lead to the same
answer that enables you to complete a level and unlock the next. This is my approach and I agree it is
not the best, not the most elegant or the most uber out there, but hell, it worked. I have also tried to
tag the levels based on their difficulty as Easy, Average, Hard and WTF! This categorization/classification
is entirely based on my experience with the CTF and is entirely my opinion. Your opinion may differ, so
don't take it too seriously.




                                                                                                  Page | 1
Crypto Levels

Crypto Level 1
URL: http://nullcon.net/challenge/c0c0n/clevel-1.php
Difficulty: Average




Solution: The source code of the page shows two HTML comments. The first one appears to be an
obfuscated/encoded string. The '==' at the end points us to the string being base64 encoded. However a
subsequent decoding does not provide anything conclusive.




The second HTML comment is an apparent clue to the use of ROT-13 before you decode the string using
Base 64.




Having played a similar level at last year’s nullcon HackIM challenge, this wasn’t very hard. Using the
ROT-13 decoder at http://web.forret.com/tools/rot13.asp, I obtained the following:




Base 64 decoding this, after adding the necessary padding gives:




Call it intuition or just the way the characters were arranged, this had to be re-Base64 decoded!!

A quick Google search for "Google Beer" gives "URKontinent". Converting this to title case gives
"Urkontinent" which is the flag.
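The decode chain for this level, as an added example (not the author's steps or a tool from the page): ROT-13 first, then Base64 twice, restoring the '=' padding that was missing before each Base64 stage. The sample string is constructed from "Google Beer" with the same chain run in reverse; the level's own comment string is not reproduced here.

```python
import base64
import codecs


def fix_padding(s):
    """Restore the '=' padding a Base64 string needs (length a multiple of 4)."""
    return s + "=" * (-len(s) % 4)


def b64decode_lenient(s):
    """Base64-decode after repairing padding, so stripped strings still decode."""
    return base64.b64decode(fix_padding(s))


def decode_chain(blob):
    """ROT-13, then Base64, then Base64 again, as the level required."""
    rotated = codecs.decode(blob, "rot_13")
    once = b64decode_lenient(rotated).decode("ascii")
    return b64decode_lenient(once).decode("utf-8")


def encode_chain(plaintext):
    """Inverse of decode_chain, used only to build the constructed sample.
    Padding is stripped at both stages to mimic the challenge string."""
    once = base64.b64encode(plaintext.encode("utf-8")).decode("ascii").rstrip("=")
    twice = base64.b64encode(once.encode("ascii")).decode("ascii").rstrip("=")
    return codecs.encode(twice, "rot_13")


# Constructed sample standing in for the level's first HTML comment.
SAMPLE_COMMENT = encode_chain("Google Beer")

if __name__ == "__main__":
    print(SAMPLE_COMMENT)
    print(decode_chain(SAMPLE_COMMENT))
```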



Crypto Level 2
URL: http://nullcon.net/challenge/c0c0n/clevel-2.php
Difficulty: Easy




Solution: This one was easy because I had recently finished reading The Code Book by Simon Singh. The
book’s appendix contains an explanation of the symbol substitution. This has also been depicted in the
Dan Brown book, The Lost Symbol. This is a mono-alphabetic simple geometric substitution cipher called
Pigpen Cipher (also called the Masonic Cipher).




For people who have never heard of this before, a quick Google search for "Image Ciphers" also provides
obvious clues to this being a Pigpen Cipher substituted string. Decoding this is straightforward with
the help of the following key.




The code then translates to the string "FLAGISTHENAMEGIVENTOTHEENLIGHTENEDGROUP". A quick
Google search for "name given to the enlightened group" gives "Illuminati" as the first result which also
happens to be the flag!!



Crypto Level 3
URL: http://nullcon.net/challenge/c0c0n/clevel-3.php
Difficulty: Average




Solution: The level description was the hint. This is written in the Braille system which is a method that
is widely used by blind people to read and write, and was the first digital form of writing (source:
Wikipedia). Using a Braille Character Chart, the above text can be decoded to:

I devised Braille in 1825 based on a method of communication originally developed by Charles Barbier.
Who am I?

Google and general knowledge tells you the answer is Louis Braille which also happens to be the flag!


Programming Levels

Programming Level 1
URL: http://nullcon.net/challenge/c0c0n/plevel-1.php
Difficulty: Hard




Solution: This level was one of the crappiest. I finally wrote a Python script to generate the necessary
number. The pseudocode is as below:

# Fibonacci: after the loop, c holds the last term generated.
# "for (x = 0 to 31334)" is read as inclusive, hence 31335 iterations.
a = 0
b = a + 1
for x in range(0, 31335):
    c = a + b
    a = b
    b = c

# Hex digits of the final term; the "0x" prefix is dropped so that every
# character is a hex digit (assumption: the author's script did the same).
a = hex(c)[2:]

# The running total must start from zero: the pseudocode reused b, which
# still held the Fibonacci value and would swamp the digit sum.
total = 0
for x in range(len(a)):
    if x % 3 == 0:
        p = a[x - 1]          # a.position(x-1); on the first pass this is a[-1], the last digit
        total += int(p, 16)   # todecimal(p)
print(total)

The final answer that the script would generate is 13590 which is the flag for this level.




Programming Level 2
URL: http://nullcon.net/challenge/c0c0n/plevel-2.php
Difficulty: Average




Solution: A quick Google search for "Goldbach Partition" or "Goldbach's Conjecture" generates a lot of
helpful results. Basically, it states that every even integer greater than 2 can be expressed as the sum of
two primes.

There are two ways of doing this: Method 1 is to write a program to identify all primes smaller than
13590 and then all combinations of their sums can be checked if they equal 13590. A comma separated
list of the result would be the answer.

Method 2 is for the lazy types like me: Google for an online generator, which, although it sounds like a
straightforward job, requires some special Googling skills. Format the output as CSV and paste it
in the flag box.

The flag is the following string of numbers:

13,13577,23,13567,37,13553,53,13537,67,13523,103,13487,113,13477,127,13463,139,13451,149,13441,
173,13417,179,13411,191,13399,193,13397,223,13367,251,13339,263,13327,277,13313,281,13309,293,
13297,331,13259,349,13241,373,13217,419,13171,431,13159,439,13151,443,13147,463,13127,487,
13103,491,13099,541,13049,547,13043,557,13033,587,13003,607,12983,617,12973,631,12959,673,12917,
683,12907,691,12899,701,12889,761,12829,769,12821,809,12781,827,12763,877,12713,887,12703,919,
12671,937,12653,953,12637,971,12619,977,12613,1013,12577,1021,12569,1049,12541,1051,12539,1063,
12527,1087,12503,1093,12497,1103,12487,1117,12473,1153,12437,1181,12409,1213,12377,1217,
12373,1289,12301,1301,12289,1321,12269,1327,12263,1427,12163,1429,12161,1433,12157,1447,12143,
1471,12119,1481,12109,1483,12107,1489,12101,1493,12097,1549,12041,1553,12037,1579,12011,1583,
12007,1609,11981,1619,11971,1621,11969,1637,11953,1657,11933,1663,11927,1667,11923,1693,11897,
1723,11867,1759,11831,1777,11813,1783,11807,1789,11801,1801,11789,1811,11779,1847,11743,1871,
11719,1873,11717,1889,11701,1901,11689,1913,11677,1933,11657,1973,11617,1993,11597,1997,11593,
2003,11587,2011,11579,2039,11551,2063,11527,2087,11503,2099,11491,2143,11447,2153,11437,2179,
11411,2207,11383,2221,11369,2237,11353,2239,11351,2269,11321,2273,11317,2311,11279,2333,11257,
2339,11251,2347,11243,2351,11239,2377,11213,2393,11197,2417,11173,2441,11149,2459,11131,2473,
11117,2477,11113,2503,11087,2521,11069,2531,11059,2543,11047,2617,10973,2633,10957,2687,
10903,2699,10891,2707,10883,2729,10861,2731,10859,2753,10837,2791,10799,2801,10789,2819,10771,
2837,10753,2851,10739,2857,10733,2861,10729,2879,10711,2903,10687,2927,10663,2939,10651,2963,
10627,3001,10589,3023,10567,3061,10529,3089,10501,3137,10453,3163,10427,3191,10399,3221,10369,
3253,10337,3257,10333,3259,10331,3301,10289,3319,10271,3323,10267,3331,10259,3343,10247,3347,
10243,3413,10177,3449,10141,3457,10133,3491,10099,3499,10091,3511,10079,3529,10061,3581,10009,
3583,10007,3617,9973,3623,9967,3659,9931,3719,9871,3733,9857,3739,9851,3761,9829,3779,9811,
3803,9787,3821,9769,3823,9767,3847,9743,3851,9739,3911,9679,3929,9661,3947,9643,3967,9623,3989,
9601,4003,9587,4051,9539,4057,9533,4079,9511,4093,9497,4099,9491,4111,9479,4127,9463,4129,9461,
4153,9437,4157,9433,4159,9431,4177,9413,4219,9371,4241,9349,4253,9337,4271,9319,4297,9293,4349,
9241,4363,9227,4391,9199,4409,9181,4457,9133,4463,9127,4481,9109,4523,9067,4547,9043,4549,
9041,4561,9029,4583,9007,4591,8999,4621,8969,4639,8951,4649,8941,4657,8933,4703,8887,4723,8867,
4729,8861,4751,8839,4759,8831,4783,8807,4787,8803,4871,8719,4877,8713,4909,8681,4943,8647,4967,
8623,4993,8597,5009,8581,5051,8539,5077,8513,5147,8443,5167,8423,5171,8419,5227,8363,5237,8353,
5261,8329,5273,8317,5279,8311,5297,8293,5303,8287,5347,8243,5381,8209,5399,8191,5419,8171,
5443,8147,5479,8111,5501,8089,5503,8087,5521,8069,5531,8059,5573,8017,5581,8009,5639,7951,5641,
7949,5653,7937,5657,7933,5683,7907,5689,7901,5711,7879,5717,7873,5737,7853,5749,7841,5801,7789,
5849,7741,5867,7723,5903,7687,5987,7603,6007,7583,6029,7561,6043,7547,6053,7537,6067,7523,6073,
7517,6091,7499,6101,7489,6113,7477,6131,7459,6133,7457,6173,7417,6197,7393,6221,7369,6257,
7333,6269,7321,6337,7253,6343,7247,6353,7237,6361,7229,6379,7211,6397,7193,6469,7121,6481,7109,
6521,7069,6547,7043,6551,7039,6563,7027,6571,7019,6577,7013,6599,6991,6607,6983,6619,6971,6673,
6917,6679,6911,6691,6899,6719,6871,6733,6857,6761,6829,6763,6827
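Method 1 worked through, as an added example that is not the author's script or the online generator: sieve the primes below 13590, keep every prime p whose complement 13590 - p is also prime, and flatten the pairs into the comma separated form the flag box expects. The function is general for any even n > 2; 13590 is the level's number.

```python
def primes_up_to(n):
    """Sieve of Eratosthenes: every prime <= n, in increasing order."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for p in range(2, int(n ** 0.5) + 1):
        if sieve[p]:
            # Cross out every multiple of p from p*p upwards.
            sieve[p * p::p] = bytearray(len(range(p * p, n + 1, p)))
    return [i for i, is_p in enumerate(sieve) if is_p]


def goldbach_partitions(n):
    """All unordered prime pairs (p, q) with p <= q and p + q == n."""
    if n <= 2 or n % 2:
        raise ValueError("Goldbach partitions are defined for even n > 2")
    primes = primes_up_to(n)
    is_prime = bytearray(n + 1)
    for p in primes:
        is_prime[p] = 1
    # Walk the smaller prime only, so each pair appears once.
    return [(p, n - p) for p in primes if p <= n - p and is_prime[n - p]]


def as_flag(pairs):
    """Flatten the pairs into the comma separated string the level wanted."""
    return ",".join(f"{p},{q}" for p, q in pairs)


if __name__ == "__main__":
    parts = goldbach_partitions(13590)
    print(len(parts), "partitions")
    print(as_flag(parts))
```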



Programming Level 3 - Unsolved
URL: http://nullcon.net/challenge/c0c0n/plevel-3.php
Difficulty: Double WTF!




Solution: The guys who thought of this level get some extra credit. The level description presents an
MD5 hash that supposedly is the MD5 of the password (flag) for this level. However a quick look at the
page source code shows the following HTML comment.




The server code logic, if it uses this pseudo code, takes the input value from the user submitted form,
MD5 hashes it and then compares only the first 8 characters with an internal hash (which happens to be
the MD5 hash printed on the page).

In simpler words, you would need to input a string whose MD5 hash's first 4 bytes (8 hex characters)
match "a180ce8a". This sounds awfully easy and looks possible since there exist multiple strings whose
MD5 hashes share the same first 8 characters.

How wrong I was!! The MD5 algorithm is designed so that the smallest change to the input (even a
single bit) results in a completely different hash. MD5 is now known to have collisions, which means
that 2 unique data sets can be created with identical MD5 hashes. However, generating a plain text
with a predefined hash, also called finding a pre-image, still remains nearly impossible. The best we can
do is brute force: generate many possible combinations of data and attempt to match the hashes.

It is true that there are multiple strings whose MD5 hashes share the same first 8 characters; however,
that did not pan out in this case. Or maybe I should have attempted a comparison with a larger data set.
I generated over 3 million unique character combinations and attempted to match the first 8 characters
of the hashes, but after several hours of full CPU utilization I still had no luck. I am sure this is achievable
but requires a larger data set and a faster processor. For the adventurous, here's my Python code:




I ran it for a little over 8 hours and was not able to find any string which satisfied the script. I am
currently running a more complex version of this script on a more powerful server back in office for the
past 3 days, hoping to see something before the end of this week.
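Why the comparison in that HTML comment is weak, as an added example (not the author's brute-force script or the level's server code): the weak check only needs a 32-bit prefix to match, so the expected work drops from 2^128 (a pre-image of the full digest) to 2^32, while the hardened form compares the whole digest in constant time. STORED_HASH is a constructed stand-in (MD5 of "abc", a published test vector), not the level's hash.

```python
import hashlib
import hmac

# Constructed stand-in for the level's stored hash, so the demo has a known
# "password". The level's real hash is not used here.
STORED_HASH = hashlib.md5(b"abc").hexdigest()
PREFIX_LEN = 8  # the HTML comment compared only the first 8 hex characters


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def check_weak(candidate, stored=STORED_HASH, prefix_len=PREFIX_LEN):
    """Mirrors the level's pseudo code: a 32-bit prefix decides success."""
    return md5_hex(candidate)[:prefix_len] == stored[:prefix_len]


def check_strong(candidate, stored=STORED_HASH):
    """Hardened form: the full digest, compared in constant time."""
    return hmac.compare_digest(md5_hex(candidate), stored)


def expected_attempts(prefix_len):
    """Expected number of random candidates before a prefix of this length matches."""
    return 16 ** prefix_len


def find_prefix_match(prefix, max_tries):
    """Measure the work factor: count counter strings until one hashes to
    `prefix`. Returns (candidate, attempts) or (None, max_tries)."""
    for i in range(max_tries):
        cand = f"candidate-{i}"
        if md5_hex(cand).startswith(prefix):
            return cand, i + 1
    return None, max_tries


if __name__ == "__main__":
    print("8 hex chars:", expected_attempts(8), "expected tries")
    print("32 hex chars:", expected_attempts(32), "expected tries")
    # A 2-character prefix falls in a few hundred tries; that is the same
    # weakness as the level's 8-character check, only scaled down.
    print(find_prefix_match(STORED_HASH[:2], 100000))
```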




Reverse Engineering Levels

Reversing Level 1
URL: http://nullcon.net/challenge/c0c0n/rlevel-1.php
Difficulty: Average




Solution: This level is straightforward if you know the right tools. APK files are compressed archives of
xml and dex files. A tool like Dex2jar can be used to extract the jar file from the cocon_apk.apk and
jd-gui can be used to decompile the jar file. The jar contained a public function called show_key that
returned a string.




The function, if carefully analyzed, produces the MD5 of the string "Key:Value;Challange:cocon;Date:"
and the system date. The system date is found in the HTML source code of the page.




The flag for this level would then be MD5(Key:Value;Challange:cocon;Date:2011-10-16) which is
f5d2fe1f612f022ee9033667963f5ae6

Reversing Level 2
URL: http://nullcon.net/challenge/c0c0n/rlevel-2.php
Difficulty: Easy




Solution: The level description gives the hint regarding this having something to do with .NET. In any
case, when you download the program you can run it through strings to find the following output.




Since this was a .Net application, I opened it using .Net Reflector to do an analysis. The button1_click
event contained some promising code.




The hex encoded text decodes to CeCmmUxzvPAIAVA9Udiv5ab07Q which is the flag for this level.



Reversing Level 3
URL: http://nullcon.net/challenge/c0c0n/rlevel-3.php
Difficulty: Hard




Solution: The cookpie.zip file contains a cookiepie.pyc file, which is a compiled Python bytecode file.
What makes this level difficult is that there are very few Python decompilers available. Depython, an
online Python decompilation service, does not handle version 2.6 compiled Python files, which was
the version cookpie was compiled with.

I used a decompiler called Decompyle on Ubuntu and was provided with a pseudo bytecode/assembly
style output. The de-compiled output contained references to 3 variables: C0C09CTF, PIEKING and
DUMPMENOT. The final flag was the MD5 output of a combination of the username and the 3 variables.
Here’s the decompiled output of the pyc file. The interesting stuff happens in section 16 of the following
decompiled code.

magic d1f20d0a
moddate ead78c4e (Wed Oct 5 22:19:22 2011)
  2           0 LOAD_CONST              0 (-1)
              3 LOAD_CONST              1 (None)
              6 IMPORT_NAME             0 (re)
              9 STORE_NAME              0 (re)

 3          12   LOAD_CONST             0   (-1)
            15   LOAD_CONST             1   (None)
            18   IMPORT_NAME            1   (os)
            21   STORE_NAME             1   (os)

 4          24   LOAD_CONST             0   (-1)
            27   LOAD_CONST             1   (None)
            30   IMPORT_NAME            2   (hashlib)
            33   STORE_NAME             2   (hashlib)

 5          36 LOAD_CONST               2 ('welcome to COCON CTF')
            39 PRINT_ITEM
            40 PRINT_NEWLINE

 6          41 LOAD_CONST               3 ('C0C09CTF')
            44 STORE_NAME               3 (val)

 7          47 LOAD_CONST               4 ('PIEKING')
            50 STORE_NAME               4 (val243)

 8          53   LOAD_NAME              5 (raw_input)
            56   LOAD_CONST             5 ('Please enter your userid :')
            59   CALL_FUNCTION          1
            62   STORE_NAME             6 (nm)

 9          65 LOAD_CONST               6 ('DUMPMENOT')
            68 STORE_NAME               7 (val542)

10          71   LOAD_NAME              5 (raw_input)
            74   LOAD_CONST             7 ('Please enter your key : ')
            77   CALL_FUNCTION          1
            80   STORE_NAME             8 (key)

11          83   LOAD_NAME              2   (hashlib)
            86   LOAD_ATTR              9   (md5)
            89   LOAD_NAME              6   (nm)
            92   CALL_FUNCTION          1
            95   LOAD_ATTR             10   (hexdigest)
            98   CALL_FUNCTION          0
           101   LOAD_ATTR             11   (upper)
           104   CALL_FUNCTION          0
           107   STORE_NAME            12   (md)


12        110 LOAD_CONST         8 ('')
          113 STORE_NAME        13 (y)

13        116   SETUP_LOOP      44 (to 163)
          119   LOAD_NAME       12 (md)
          122   GET_ITER
     >>   123   FOR_ITER        36 (to 162)
          126   STORE_NAME      14 (x)

14        129   LOAD_NAME       13   (y)
          132   LOAD_NAME       15   (str)
          135   LOAD_NAME       16   (ord)
          138   LOAD_NAME       14   (x)
          141   CALL_FUNCTION    1
          144   LOAD_CONST       9   (2)
          147   BINARY_XOR
          148   LOAD_CONST       10 (10)
          151   BINARY_MODULO
          152   CALL_FUNCTION    1
          155   BINARY_ADD
          156   STORE_NAME       13 (y)
          159   JUMP_ABSOLUTE   123
     >>   162   POP_BLOCK

15   >>   163   LOAD_NAME       13   (y)
          166   LOAD_NAME        8   (key)
          169   COMPARE_OP       2   (==)
          172   JUMP_IF_FALSE   63   (to 238)
          175   POP_TOP

16        176   LOAD_CONST      11   ('key is ')
          179   LOAD_NAME        2   (hashlib)
          182   LOAD_ATTR        9   (md5)
          185   LOAD_NAME        3   (val)
          188   LOAD_NAME        6   (nm)
          191   LOAD_CONST       1   (None)
          194   LOAD_CONST       1   (None)
          197   LOAD_CONST       0   (-1)
          200   BUILD_SLICE      3
          203   BINARY_SUBSCR
          204   BINARY_ADD
          205   LOAD_NAME        6 (nm)
          208   BINARY_ADD
          209   LOAD_NAME        4 (val243)
          212   BINARY_ADD
          213   LOAD_NAME        7 (val542)
          216   BINARY_ADD
          217   CALL_FUNCTION    1


             220   LOAD_ATTR           10 (hexdigest)
             223   CALL_FUNCTION        0
             226   LOAD_ATTR           11 (upper)
             229   CALL_FUNCTION        0
             232   BINARY_ADD
             233   PRINT_ITEM
             234   PRINT_NEWLINE
             235   JUMP_FORWARD        11 (to 249)
        >>   238   POP_TOP

 18           239 LOAD_CONST                 12 ('Key is to try harder, not everything is found by executing files')
            242 PRINT_ITEM
            243 PRINT_NEWLINE

 19          244 LOAD_CONST                13 ('BTW i forgot to code the data stealer in this, although would have loved to')
            247 PRINT_ITEM
            248 PRINT_NEWLINE
        >> 249 LOAD_CONST                1 (None)
            252 RETURN_VALUE
   consts
      -1
      None
      'welcome to COCON CTF'
      'C0C09CTF'
      'PIEKING'
      'Please enter your userid :'
      'DUMPMENOT'
      'Please enter your key : '
      ''
      2
      10
      'key is '
      'Key is to try harder, not everything is found by executing files'
      'BTW i forgot to code the data stealer in this, although would have loved to'
   names ('re', 'os', 'hashlib', 'val', 'val243', 'raw_input', 'nm',
'val542', 'key', 'md5', 'hexdigest', 'upper', 'md', 'y', 'x', 'str', 'ord')
   varnames ()
   freevars ()
   cellvars ()
   filename '/home/anant/Desktop/CTF work/cookpie.py'
   name '<module>'
   firstlineno 2
   lnotab
      0c010c010c010501060106010c0106010c011b0106010700060122010d01
      3f020501



The flag can be deduced from the decompiled code and was the MD5 of the following combination:
C0C09CTF + <username_in_reverse> + <username> + PIEKING + DUMPMENOT. The flag is obviously
different for every user, or at least for the username that is provided in the text box on the flag
submission page.
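The source that the disassembly above encodes, reconstructed here as an added example (it is not the original cookpie.py): it follows sections 6 to 19 literally, including the BUILD_SLICE (None, None, -1) that reverses the username, and is written for Python 3, so strings are encoded before hashing.

```python
import hashlib

# Constants loaded in sections 6, 7 and 9 of the disassembly.
VAL = "C0C09CTF"      # val
VAL243 = "PIEKING"    # val243
VAL542 = "DUMPMENOT"  # val542


def md5_upper(s):
    """hashlib.md5(s).hexdigest().upper(), as the bytecode computes it."""
    return hashlib.md5(s.encode("utf-8")).hexdigest().upper()


def expected_key(nm):
    """Sections 11 to 14: map each hex digit of MD5(nm) through (ord(x) ^ 2) % 10."""
    md = md5_upper(nm)
    y = ""
    for x in md:
        y += str((ord(x) ^ 2) % 10)
    return y


def flag(nm):
    """Section 16: MD5(val + nm[::-1] + nm + val243 + val542), upper-cased."""
    return md5_upper(VAL + nm[::-1] + nm + VAL243 + VAL542)


def run(nm, key):
    """Sections 15 to 19: the branch on y == key, returned instead of printed."""
    if expected_key(nm) == key:
        return "key is " + flag(nm)
    return ("Key is to try harder, not everything is found by executing files\n"
            "BTW i forgot to code the data stealer in this, although would have loved to")


if __name__ == "__main__":
    print("welcome to COCON CTF")
    user = input("Please enter your userid :")
    print(run(user, input("Please enter your key : ")))
```

Because the key check derives from MD5(username) alone, anyone reading the bytecode can compute both the expected key and the flag for any username without ever satisfying the check at runtime.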




Log Analysis Levels

Log Analysis Level 1
URL: http://nullcon.net/challenge/c0c0n/llevel-1.php
Difficulty: Easy




Solution: This was pretty easy, mostly because of the amount of attention this had got on Full Disclosure
a few weeks ago. Anyways, the dump.zip contained a packet capture which, thanks to the creators,
contained a LOT of redundant data.

Opening this file with Wireshark showed standard HTTP traffic, but what was noticeable was a number
of HTTP HEAD requests. A quick look at the header information via the Follow TCP Stream option in
Wireshark showed a long string of numbers being sent in the Range header. Since I had already worked
on this Denial of Service exploit before, the data appeared familiar. In any case, a Google search for
"Range Bytes vulnerability" produces several promising results.

The CVE-ID for this vulnerability was CVE-2011-3192 and the attacker’s IP clearly was 192.168.0.105.
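Detection logic for this pattern, as an added example that is not from the write-up: it parses the Range header of each request, counts the byte ranges, and attributes the flood to its source. The four requests and the IP addresses are constructed samples in the shape of the capture described above; the threshold of 5 ranges is an assumption.

```python
import re
from collections import Counter

RANGE_RE = re.compile(r"^Range:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)
# Assumed threshold: legitimate clients send one or a handful of ranges,
# never hundreds of overlapping ones.
MAX_RANGES = 5


def many_ranges(n):
    """Constructed Range header value with n overlapping byte ranges."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n - 1))


# Constructed (source IP, request) pairs as Follow TCP Stream would show them.
SAMPLE_STREAMS = [
    ("192.168.0.105", "HEAD / HTTP/1.1\r\nHost: target\r\nRange: " + many_ranges(1300)
     + "\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n"),
    ("192.168.0.105", "HEAD / HTTP/1.1\r\nHost: target\r\nRange: " + many_ranges(1300)
     + "\r\n\r\n"),
    ("192.168.0.20", "GET /index.html HTTP/1.1\r\nHost: target\r\n\r\n"),
    ("192.168.0.21", "GET /docs/manual.pdf HTTP/1.1\r\nHost: target\r\nRange: bytes=0-1023\r\n\r\n"),
]


def count_ranges(request):
    """Number of byte ranges in the request's Range header, 0 if absent."""
    m = RANGE_RE.search(request)
    if not m:
        return 0
    value = m.group(1).strip()
    if not value.lower().startswith("bytes="):
        return 0
    return sum(1 for r in value[len("bytes="):].split(",") if r.strip())


def is_range_flood(request, threshold=MAX_RANGES):
    return count_ranges(request) > threshold


def suspect_sources(streams, threshold=MAX_RANGES):
    """Source IPs sending flooded Range headers, most frequent first."""
    hits = Counter(ip for ip, req in streams if is_range_flood(req, threshold))
    return hits.most_common()


if __name__ == "__main__":
    for ip, req in SAMPLE_STREAMS:
        print(ip, count_ranges(req), "ranges", "FLOOD" if is_range_flood(req) else "")
    print(suspect_sources(SAMPLE_STREAMS))
```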




Log Analysis Level 2
URL: http://nullcon.net/challenge/c0c0n/llevel-2.php
Difficulty: Average




Solution: This level involved reading an Apache log to identify the name of the database and the table
that was accessed by the attacker. As usual, the creators of this level used whatever means possible to
bury this information as deep as possible, since the log contained a LOT of redundant GET requests to
the server, including requests caused by running Grendel Scan!

If you scroll down slowly through the file, you will see that sqlmap was used to exploit a SQL injection
vulnerability, and a LOT of requests show that database and table name enumeration was performed.
The following image shows the database name encoded in one of the requests. Note that the file was
first grepped for sqlmap and then parsed through a URL decoder to clean the output a bit.




The sequence 67,84,70,95,67,48,67,48,57 quickly maps, as ASCII codes, to CTF_C0C09, and the table name
can be obtained by assembling the characters from each log entry that reads table_schema=CTF_C0C09.

Database name: CTF_C0C09

Table name: key_efd231b97af472e52f2a5413bde54b3f
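The grep-and-URL-decode step in code, as an added example that is not from the write-up: parse Apache combined-log lines, keep the sqlmap requests, URL-decode the request path and turn every CHAR(...) list back into text. The four log lines, the IP address and the timestamps are constructed samples in the shape of the level's log, not entries from it.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines; the CHAR() list is the one the
# write-up decodes to the database name.
SAMPLE_LOG = """\
192.168.0.105 - - [16/Oct/2011:11:02:13 +0530] "GET /news.php?id=3 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.168.0.105 - - [16/Oct/2011:11:05:41 +0530] "GET /news.php?id=3%20AND%20%28SELECT%20database%28%29%29%3DCHAR%2867%2C84%2C70%2C95%2C67%2C48%2C67%2C48%2C57%29 HTTP/1.1" 200 1834 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.0.105 - - [16/Oct/2011:11:05:43 +0530] "GET /news.php?id=3%20AND%20table_schema%3DCHAR%2867%2C84%2C70%2C95%2C67%2C48%2C67%2C48%2C57%29 HTTP/1.1" 200 1834 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
192.168.0.40 - - [16/Oct/2011:11:06:00 +0530] "GET /about.php HTTP/1.1" 200 912 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHAR_RE = re.compile(r"CHAR\(([0-9,\s]+)\)", re.IGNORECASE)


def parse_log(text):
    """Yield one dict per well-formed line, with the URL-decoded request path added."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["decoded"] = unquote_plus(entry["path"])
            yield entry


def sqlmap_requests(text):
    """The 'grep for sqlmap' step: match the user agent or the decoded request."""
    return [e for e in parse_log(text)
            if "sqlmap" in e["ua"].lower() or "sqlmap" in e["decoded"].lower()]


def decode_char_list(s):
    """'67,84,70' -> 'CTF': MySQL CHAR() arguments back to text."""
    return "".join(chr(int(c)) for c in s.split(",") if c.strip())


def recover_strings(text):
    """Every distinct CHAR(...) list in the sqlmap requests, decoded, in log order."""
    found = []
    for entry in sqlmap_requests(text):
        for m in CHAR_RE.finditer(entry["decoded"]):
            value = decode_char_list(m.group(1))
            if value not in found:
                found.append(value)
    return found


if __name__ == "__main__":
    for entry in sqlmap_requests(SAMPLE_LOG):
        print(entry["ip"], entry["time"], entry["decoded"])
    print(recover_strings(SAMPLE_LOG))
```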




Log Analysis Level 3
URL: http://nullcon.net/challenge/c0c0n/llevel-3.php
Difficulty: Easy




Solution: This was an interesting level mostly because I work a lot with Process Monitor. I finished this
level in less than 5 minutes, making it the fastest level that I had played in the entire CTF. And
coincidentally, I had analyzed the same malware a few weeks ago hence I knew the answers as soon as I
found a single reference to it in the PML file.

The infectedlog.zip contained a .pml file, which is basically a Process Monitor saved session. To find
unwanted process activity in Process Monitor, you can eliminate known Windows processes till you hit
an unwanted/unknown application, as I did till I stopped at mluchaby.exe.




The process image had all the properties that most common Windows malware possess: located in the
Windows folder, a description that made it sound important, no company description, etc.




The Chinese characters in the description of the process translate to "Foundation Classes Application",
which meant that it was a Windows MFC application. A quick Google search for mluchaby.exe shows
that it is part of the Rustock botnet malware family. Finding the parent process was trivial since we
could obtain the Parent Process ID, 1956, from the properties page of the mluchaby.exe process.
Removing all applied filters and quickly applying an Include Process PID = 1956 filter gave
Explorer.exe as the result.




There was however some confusion with the malware family name, since Rustock is also known by
several other names. However, the answer to the malware family was the TDSS/TDL/Alureon family and not
Rustock, which I still believe to be an error on the part of the level developers. However, considering
how this is such a rare oversight, and in the spirit of the CTF, it's alright. The final answers are as
follows:

Malware family: TDL/TDSS/Alureon
Service: mluchaby
Parent Executable: Explorer.exe




Last words
It was a brilliant CTF (mostly because I won), and considering the variation in all the levels and the
number of people who worked on this, I must commend them on the awesome stuff. Greetz to corrupt,
Anant, Pushkar and all the others who worked on this!




   -   Riyaz Walikar a.k.a karniv0re
   -   http://www.riyazwalikar.com



                                             -   End of File -



Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Dernier (20)

New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

C0c0n 2011 CTF Walkthrough

Crypto Levels

Crypto Level 1
URL: http://nullcon.net/challenge/c0c0n/clevel-1.php
Difficulty: Average
Solution:
The source code of the page shows two HTML comments. The first one appears to be an obfuscated/encoded string. The '==' at the end points us to the string being Base64 encoded. However, a subsequent decoding does not provide anything conclusive. The second HTML comment is an apparent clue to the use of ROT-13 before you decode the string using Base64.
Having played a similar level at last year's nullcon HackIM challenge, this wasn't very hard. Using the ROT-13 decoder at http://web.forret.com/tools/rot13.asp, I obtained the following:

Base64 decoding this, after adding the necessary padding, gives:

Call it intuition or just the way the characters were arranged, this had to be Base64 decoded a second time!!
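The decode chain just described, ROT-13 followed by two rounds of Base64 with the missing '=' padding repaired before each round, as an added example (not the author's tooling). The level's actual string is only shown as an image on the page, so the sample here is constructed by layering the same transforms over a constructed plaintext and stripping the outer padding, which is exactly the defect the decoder has to fix:

```python
import base64
import codecs


def fix_base64_padding(s: str) -> str:
    """Re-add the '=' padding a Base64 string loses when it is trimmed or
    hand-copied: the encoded length must be a multiple of 4."""
    s = s.strip()
    return s + "=" * (-len(s) % 4)


def decode_chain(blob: str, rounds: int = 2) -> str:
    """ROT-13 first, then Base64-decode `rounds` times (two, as in the level),
    repairing padding before every round."""
    text = codecs.decode(blob, "rot_13")
    for _ in range(rounds):
        text = base64.b64decode(fix_base64_padding(text)).decode("ascii")
    return text


def build_sample(plaintext: str) -> str:
    """Constructed sample input: apply the layers in the opposite order and
    drop the outer padding so decode_chain has to repair it."""
    layered = plaintext.encode("ascii")
    for _ in range(2):
        layered = base64.b64encode(layered)
    return codecs.encode(layered.decode("ascii").rstrip("="), "rot_13")


if __name__ == "__main__":
    sample = build_sample("Google Beer")  # constructed, not the CTF string
    print(sample)
    print(decode_chain(sample))
```

ROT-13 only touches letters, so the '+', '/', digits and '=' of Base64 survive it unchanged; that is why the trailing '==' was still visible as a Base64 tell before the ROT-13 step.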
A quick Google search for "Google Beer" gives "URKontinent". Converting this to title case gives "Urkontinent", which is the flag.

Crypto Level 2
URL: http://nullcon.net/challenge/c0c0n/clevel-2.php
Difficulty: Easy
Solution:
This one was easy because I had recently finished reading The Code Book by Simon Singh. The book's appendix contains an explanation of the symbol substitution. This has also been depicted in the Dan Brown book, The Lost Symbol. This is a mono-alphabetic simple geometric substitution cipher called the Pigpen Cipher (also called the Masonic Cipher).
For people who have never heard of this before, a quick Google search for "Image Ciphers" also provides obvious clues to this being a Pigpen Cipher substituted string. Decoding this is straightforward with the help of the following key.

The code then translates to the string "FLAGISTHENAMEGIVENTOTHEENLIGHTENEDGROUP". A quick Google search for "name given to the enlightened group" gives "Illuminati" as the first result, which also happens to be the flag!!

Crypto Level 3
URL: http://nullcon.net/challenge/c0c0n/clevel-3.php
Difficulty: Average
Solution:
The level description was the hint. This is written in the Braille system, which is a method widely used by blind people to read and write, and was the first digital form of writing (source: Wikipedia). Using a Braille character chart, the above text can be decoded to:

I devised Braille in 1825 based on a method of communication originally developed by Charles Barbier. Who am I?

Google and general knowledge tell you the answer is Louis Braille, which also happens to be the flag!
Programming Levels

Programming Level 1
URL: http://nullcon.net/challenge/c0c0n/plevel-1.php
Difficulty: Hard
Solution:
This level was one of the crappiest. I finally wrote a Python script to generate the necessary number. The pseudocode is as below:

    a = 0
    b = a + 1
    for (x = 0 to 31334)
        c = a + b
        a = b
        b = c
    a = hex(c)
    b = 0                        # b is reused as the digit-sum accumulator
    for (x = 0 to len(a))
        if (x mod 3 == 0)
            p = a.position(x - 1)
            b = b + todecimal(p)
    print b

The final answer that the script would generate is 13590, which is the flag for this level.
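A runnable reading of that pseudocode, added here as an example and not the author's script. Two points the pseudocode leaves open are resolved as labelled assumptions: the hex string is taken without a '0x' prefix, and `a.position(x-1)` for x = 0 is taken to mean the last character, which is what Python's `a[-1]` does. The page reports 13590 for the real level; whether this reading reproduces that number is not verified here, and the checks below use small inputs that can be worked by hand.

```python
def fibonacci_after(iterations: int) -> int:
    """First loop of the pseudocode: a = 0, b = 1, then `iterations` passes of
    c = a + b; a = b; b = c. Returns the last c, i.e. Fib(iterations + 1)."""
    a, b = 0, 1
    c = b
    for _ in range(iterations):
        c = a + b
        a, b = b, c
    return c


def every_third_hex_digit_sum(value: int) -> int:
    """Second loop of the pseudocode. Assumptions (mine, not the page's): the
    hex string carries no '0x' prefix, and position x-1 for x = 0 wraps to the
    last character as Python indexing does."""
    digits = format(value, "x")
    total = 0
    for x in range(len(digits)):
        if x % 3 == 0:
            total += int(digits[x - 1], 16)
    return total


def solve(iterations: int = 31334) -> int:
    """The level's number under the assumptions above (31334 loop passes)."""
    return every_third_hex_digit_sum(fibonacci_after(iterations))


if __name__ == "__main__":
    print(solve())
```

Fib(31335) has a few thousand hex digits, so Python's arbitrary-precision integers are needed; the loop itself is instantaneous.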
Programming Level 2
URL: http://nullcon.net/challenge/c0c0n/plevel-2.php
Difficulty: Average
Solution:
A quick Google search for "Goldbach Partition" or "Goldbach's Conjecture" generates a lot of helpful results. Basically, it states that every even integer greater than 2 can be expressed as the sum of two primes. There are two ways of doing this:

Method 1 is to write a program to identify all primes smaller than 13590 and then check all combinations of their sums to see which equal 13590. A comma separated list of the result would be the answer.

Method 2 is for the lazy types like me. Google for an online generator, which, although it sounds like a straightforward job, requires some special Googling skills. Format the output in CSV format and paste it in the flag box.

The flag is the following string of numbers:

13,13577,23,13567,37,13553,53,13537,67,13523,103,13487,113,13477,127,13463,139,13451,149,13441,173,13417,179,13411,191,13399,193,13397,223,13367,251,13339,263,13327,277,13313,281,13309,293,13297,331,13259,349,13241,373,13217,419,13171,431,13159,439,13151,443,13147,463,13127,487,13103,491,13099,541,13049,547,13043,557,13033,587,13003,607,12983,617,12973,631,12959,673,12917,683,12907,691,12899,701,12889,761,12829,769,12821,809,12781,827,12763,877,12713,887,12703,919,12671,937,12653,953,12637,971,12619,977,12613,1013,12577,1021,12569,1049,12541,1051,12539,1063,12527,1087,12503,1093,12497,1103,12487,1117,12473,1153,12437,1181,12409,1213,12377,1217,12373,1289,12301,1301,12289,1321,12269,1327,12263,1427,12163,1429,12161,1433,12157,1447,12143,1471,12119,1481,12109,1483,12107,1489,12101,1493,12097,1549,12041,1553,12037,1579,12011,1583,12007,1609,11981,1619,11971,1621,11969,1637,11953,1657,11933,1663,11927,1667,11923,1693,11897,1723,11867,1759,11831,1777,11813,1783,11807,1789,11801,1801,11789,1811,11779,1847,11743,1871,11719,1873,11717,1889,11701,1901,11689,1913,11677,1933,11657,1973,11617,1993,11597,1997,11593,2003,11587,2011,11579,2039,11551,2063,11527,2087,11503,2099,11491,2143,11447,2153,11437,2179,11411,2207,11383,2221,11369,2237,11353,2239,11351,2269,11321,2273,11317,2311,11279,2333,11257,2339,11251,2347,11243,2351,11239,2377,11213,2393,11197,2417,11173,2441,11149,2459,11131,2473,11117,2477,11113,2503,11087,2521,11069,2531,11059,2543,11047,2617,10973,2633,10957,2687,10903,2699,10891,2707,10883,2729,10861,2731,10859,2753,10837,2791,10799,2801,10789,2819,10771,2837,10753,2851,10739,2857,10733,2861,10729,2879,10711,2903,10687,2927,10663,2939,10651,2963,10627,3001,10589,3023,10567,3061,10529,3089,10501,3137,10453,3163,10427,3191,10399,3221,10369,3253,10337,3257,10333,3259,10331,3301,10289,3319,10271,3323,10267,3331,10259,3343,10247,3347,10243,3413,10177,3449,10141,3457,10133,3491,10099,3499,10091,3511,10079,3529,10061,3581,10009,3583,10007,3617,9973,3623,9967,3659,9931,3719,9871,3733,9857,3739,9851,3761,9829,3779,9811,3803,9787,3821,9769,3823,9767,3847,9743,3851,9739,3911,9679,3929,9661,3947,9643,3967,9623,3989,9601,4003,9587,4051,9539,4057,9533,4079,9511,4093,9497,4099,9491,4111,9479,4127,9463,4129,9461,4153,9437,4157,9433,4159,9431,4177,9413,4219,9371,4241,9349,4253,9337,4271,9319,4297,9293,4349,9241,4363,9227,4391,9199,4409,9181,4457,9133,4463,9127,4481,9109,4523,9067,4547,9043,4549,9041,4561,9029,4583,9007,4591,8999,4621,8969,4639,8951,4649,8941,4657,8933,4703,8887,4723,8867,4729,8861,4751,8839,4759,8831,4783,8807,4787,8803,4871,8719,4877,8713,4909,8681,4943,8647,4967,8623,4993,8597,5009,8581,5051,8539,5077,8513,5147,8443,5167,8423,5171,8419,5227,8363,5237,8353,5261,8329,5273,8317,5279,8311,5297,8293,5303,8287,5347,8243,5381,8209,5399,8191,5419,8171,5443,8147,5479,8111,5501,8089,5503,8087,5521,8069,5531,8059,5573,8017,5581,8009,5639,7951,5641,7949,5653,7937,5657,7933,5683,7907,5689,7901,5711,7879,5717,7873,5737,7853,5749,7841,5801,7789,5849,7741,5867,7723,5903,7687,5987,7603,6007,7583,6029,7561,6043,7547,6053,7537,6067,7523,6073,7517,6091,7499,6101,7489,6113,7477,6131,7459,6133,7457,6173,7417,6197,7393,6221,7369,6257,7333,6269,7321,6337,7253,6343,7247,6353,7237,6361,7229,6379,7211,6397,7193,6469,7121,6481,7109,6521,7069,6547,7043,6551,7039,6563,7027,6571,7019,6577,7013,6599,6991,6607,6983,6619,6971,6673,6917,6679,6911,6691,6899,6719,6871,6733,6857,6761,6829,6763,6827

Programming Level 3 - Unsolved
URL: http://nullcon.net/challenge/c0c0n/plevel-3.php
Difficulty: Double WTF!
Solution:
The guys who thought of this level get some extra credit. The level description presents an MD5 hash that supposedly is the MD5 of the password (flag) for this level. However, a quick look at the page source code shows the following HTML comment.

The server code logic, if it uses this pseudo code, takes the input value from the user submitted form, MD5 hashes it and then compares only the first 8 characters with an internal hash (which happens to be the MD5 hash printed on the page). In simpler words, you would need to input a string whose MD5 hash's first 4 bytes (8 hex characters) match "a180ce8a".

This sounds awfully easy and looks possible, since there exist multiple strings whose MD5 hashes' first 8 characters match. How wrong I was!! The MD5 algorithm has been designed in such a way that a minimal change (even a single bit) results in a completely different hash. MD5 is now known to have collisions, which means that 2 unique data sets can be created with identical MD5 hashes. However, generating a plain text with a predefined hash (a pre-image) still remains nearly impossible. The best we can do is brute force by generating multiple possible combinations of data and attempting to match hashes.

It is true that there are multiple strings whose MD5 hashes have common first 8 characters; however, that did not work out in this case. Or maybe I should have attempted a comparison with a larger data set. I generated over 3 million unique character combinations and attempted to match the first 8 characters of the hashes, but after several hours of full CPU utilization I still had no luck. I am sure this is achievable but requires a larger data set and a faster processor. For the adventurous, here's my Python code:

I ran it for a little over 8 hours and was not able to find any string which satisfied the script.

I am currently running a more complex version of this script on a more powerful server back in office for the past 3 days, hoping to see something before the end of this week.
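Method 1 of Programming Level 2 above, carried out in code as an added example (not the author's program or the online generator he used): sieve the primes below the target, pair each prime p with its partner n - p, and flatten the pairs into the comma separated string the flag box wanted. The function is general for any even n, and the checks confirm the first and last pairs against the list printed above.

```python
def sieve(limit: int) -> list:
    """Sieve of Eratosthenes: is_prime[k] is True iff k is prime, 0 <= k <= limit."""
    is_prime = [True] * (limit + 1)
    is_prime[0] = is_prime[1] = False
    for p in range(2, int(limit ** 0.5) + 1):
        if is_prime[p]:
            for multiple in range(p * p, limit + 1, p):
                is_prime[multiple] = False
    return is_prime


def goldbach_partitions(n: int) -> list:
    """All (p, q) with p <= q, p + q == n and both prime, in ascending p."""
    if n < 4 or n % 2:
        raise ValueError("Goldbach partitions are defined for even n >= 4")
    is_prime = sieve(n)
    return [(p, n - p) for p in range(2, n // 2 + 1)
            if is_prime[p] and is_prime[n - p]]


def partitions_csv(n: int) -> str:
    """The flag format: every pair flattened into one comma separated list."""
    return ",".join(str(x) for pair in goldbach_partitions(n) for x in pair)


if __name__ == "__main__":
    print(partitions_csv(13590))
```

Enumerating p only up to n/2 is what keeps each unordered pair from appearing twice; the walkthrough's list is in exactly that order, smallest prime first.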
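The cost behind Programming Level 3's "how wrong I was", as an added example (the author's own script is only shown as an image on the page). Comparing just 8 hex characters of an MD5 digest fixes 32 bits, so a random candidate matches with probability 2^-32 and the expected number of candidates is 2^32, about 4.3 billion; 3 million attempts cover well under 0.1% of that. The same arithmetic is why a server that truncates a hash before comparing it has weakened a 128-bit check to a 32-bit one. The search function below is run with a 4-character prefix (16 bits, tens of thousands of hashes) so it finishes instantly; "a180" is the first half of the prefix quoted above.

```python
import hashlib


def expected_trials(prefix_hex_chars: int) -> int:
    """Average candidates before a digest starts with a given hex prefix:
    each hex character fixes 4 bits, so 16 ** len on average."""
    return 16 ** prefix_hex_chars


def coverage(attempts: int, prefix_hex_chars: int) -> float:
    """Probability that `attempts` independent candidates contain a match."""
    return 1.0 - (1.0 - 1.0 / expected_trials(prefix_hex_chars)) ** attempts


def find_prefix_match(prefix: str, limit: int, seed: str = "c0c0n-"):
    """Count upward from `seed` until md5(candidate) starts with `prefix`.
    Returns (candidate, hexdigest, attempts), or None once `limit` is hit.
    `seed` is an arbitrary constructed stem, not anything from the level."""
    prefix = prefix.lower()
    for i in range(limit):
        candidate = f"{seed}{i}"
        digest = hashlib.md5(candidate.encode()).hexdigest()
        if digest.startswith(prefix):
            return candidate, digest, i + 1
    return None


if __name__ == "__main__":
    print(f"8 hex chars: {expected_trials(8):,} expected hashes, "
          f"3,000,000 attempts cover {coverage(3_000_000, 8):.2%}")
    print(find_prefix_match("a180", limit=1_000_000))
```

With the full 8-character prefix the same loop is what the author ran for 8 hours: at a few million MD5 operations per second a single core needs on the order of an hour per 2^32 candidates, so a budget of a few million attempts was never going to be enough.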
Reverse Engineering Levels

Reversing Level 1
URL: http://nullcon.net/challenge/c0c0n/rlevel-1.php
Difficulty: Average
Solution:
This level is straightforward if you know the right tools. APK files are compressed archives of XML and DEX files. A tool like dex2jar can be used to extract the jar file from cocon_apk.apk, and jd-gui can be used to decompile the jar file. The jar contained a public function called show_key that returned a string. The function, if carefully analyzed, produces the MD5 of the string "Key:Value;Challange:cocon;Date:" followed by the system date. The system date is found in the HTML source code of the page. The flag for this level would then be MD5(Key:Value;Challange:cocon;Date:2011-10-16), which is f5d2fe1f612f022ee9033667963f5ae6.
Reversing Level 2
URL: http://nullcon.net/challenge/c0c0n/rlevel-2.php
Difficulty: Easy
Solution:
The level description gives the hint that this has something to do with .NET. In any case, when you download the program you can run it through strings to find the following output.

Since this was a .NET application, I opened it using .NET Reflector to do an analysis. The button1_click event contained some promising code.
The hex encoded text decodes to CeCmmUxzvPAIAVA9Udiv5ab07Q, which is the flag for this level.

Reversing Level 3
URL: http://nullcon.net/challenge/c0c0n/rlevel-3.php
Difficulty: Hard
Solution:
The cookpie.zip file contains a cookiepie.pyc file, which is a compiled Python bytecode file. What makes this level difficult is that there are very few Python decompilers available. Depython, an online Python decompilation service, does not decompile version 2.6 compiled Python files, which was the version cookpie was compiled with. I used a decompiler called Decompyle on Ubuntu and got a bytecode listing (assembly style) rather than source. The decompiled output contained references to 3 variables: C0C09CTF, PIEKING and DUMPMENOT. The final flag was the MD5 output of a combination of the username and the 3 variables. Here's the decompiled output of the pyc file. The interesting stuff happens in the block marked 16 (source line 16) of the following listing.
magic d1f20d0a
moddate ead78c4e (Wed Oct 5 22:19:22 2011)

  2           0 LOAD_CONST               0 (-1)
              3 LOAD_CONST               1 (None)
              6 IMPORT_NAME              0 (re)
              9 STORE_NAME               0 (re)

  3          12 LOAD_CONST               0 (-1)
             15 LOAD_CONST               1 (None)
             18 IMPORT_NAME              1 (os)
             21 STORE_NAME               1 (os)

  4          24 LOAD_CONST               0 (-1)
             27 LOAD_CONST               1 (None)
             30 IMPORT_NAME              2 (hashlib)
             33 STORE_NAME               2 (hashlib)

  5          36 LOAD_CONST               2 ('welcome to COCON CTF')
             39 PRINT_ITEM
             40 PRINT_NEWLINE

  6          41 LOAD_CONST               3 ('C0C09CTF')
             44 STORE_NAME               3 (val)

  7          47 LOAD_CONST               4 ('PIEKING')
             50 STORE_NAME               4 (val243)

  8          53 LOAD_NAME                5 (raw_input)
             56 LOAD_CONST               5 ('Please enter your userid :')
             59 CALL_FUNCTION            1
             62 STORE_NAME               6 (nm)

  9          65 LOAD_CONST               6 ('DUMPMENOT')
             68 STORE_NAME               7 (val542)

 10          71 LOAD_NAME                5 (raw_input)
             74 LOAD_CONST               7 ('Please enter your key : ')
             77 CALL_FUNCTION            1
             80 STORE_NAME               8 (key)

 11          83 LOAD_NAME                2 (hashlib)
             86 LOAD_ATTR                9 (md5)
             89 LOAD_NAME                6 (nm)
             92 CALL_FUNCTION            1
             95 LOAD_ATTR               10 (hexdigest)
             98 CALL_FUNCTION            0
            101 LOAD_ATTR               11 (upper)
            104 CALL_FUNCTION            0
            107 STORE_NAME              12 (md)

 12         110 LOAD_CONST               8 ('')
            113 STORE_NAME              13 (y)

 13         116 SETUP_LOOP              44 (to 163)
            119 LOAD_NAME               12 (md)
            122 GET_ITER
        >>  123 FOR_ITER                36 (to 162)
            126 STORE_NAME              14 (x)

 14         129 LOAD_NAME               13 (y)
            132 LOAD_NAME               15 (str)
            135 LOAD_NAME               16 (ord)
            138 LOAD_NAME               14 (x)
            141 CALL_FUNCTION            1
            144 LOAD_CONST               9 (2)
            147 BINARY_XOR
            148 LOAD_CONST              10 (10)
            151 BINARY_MODULO
            152 CALL_FUNCTION            1
            155 BINARY_ADD
            156 STORE_NAME              13 (y)
            159 JUMP_ABSOLUTE          123
        >>  162 POP_BLOCK

 15     >>  163 LOAD_NAME               13 (y)
            166 LOAD_NAME                8 (key)
            169 COMPARE_OP               2 (==)
            172 JUMP_IF_FALSE           63 (to 238)
            175 POP_TOP

 16         176 LOAD_CONST              11 ('key is ')
            179 LOAD_NAME                2 (hashlib)
            182 LOAD_ATTR                9 (md5)
            185 LOAD_NAME                3 (val)
            188 LOAD_NAME                6 (nm)
            191 LOAD_CONST               1 (None)
            194 LOAD_CONST               1 (None)
            197 LOAD_CONST               0 (-1)
            200 BUILD_SLICE              3
            203 BINARY_SUBSCR
            204 BINARY_ADD
            205 LOAD_NAME                6 (nm)
            208 BINARY_ADD
            209 LOAD_NAME                4 (val243)
            212 BINARY_ADD
            213 LOAD_NAME                7 (val542)
            216 BINARY_ADD
            217 CALL_FUNCTION            1
            220 LOAD_ATTR               10 (hexdigest)
            223 CALL_FUNCTION            0
            226 LOAD_ATTR               11 (upper)
            229 CALL_FUNCTION            0
            232 BINARY_ADD
            233 PRINT_ITEM
            234 PRINT_NEWLINE
            235 JUMP_FORWARD            11 (to 249)
        >>  238 POP_TOP

 18         239 LOAD_CONST              12 ('Key is to try harder, not everything is found by executing files')
            242 PRINT_ITEM
            243 PRINT_NEWLINE

 19         244 LOAD_CONST              13 ('BTW i forgot to code the data stealer in this, although would have loved to')
            247 PRINT_ITEM
            248 PRINT_NEWLINE
        >>  249 LOAD_CONST               1 (None)
            252 RETURN_VALUE

consts
   -1
   None
   'welcome to COCON CTF'
   'C0C09CTF'
   'PIEKING'
   'Please enter your userid :'
   'DUMPMENOT'
   'Please enter your key : '
   ''
   2
   10
   'key is '
   'Key is to try harder, not everything is found by executing files'
   'BTW i forgot to code the data stealer in this, although would have loved to'
names       ('re', 'os', 'hashlib', 'val', 'val243', 'raw_input', 'nm', 'val542', 'key', 'md5', 'hexdigest', 'upper', 'md', 'y', 'x', 'str', 'ord')
varnames    ()
freevars    ()
cellvars    ()
filename    '/home/anant/Desktop/CTF work/cookpie.py'
name        '<module>'
firstlineno 2
lnotab      0c010c010c010501060106010c0106010c011b0106010700060122010d013f020501
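The listing above read back into source, as an added example (a Python 3 reconstruction, not the original cookpie.py). Lines 11 to 14 compute the expected key: the uppercase MD5 hex digest of the user id, with every character mapped to `(ord(x) ^ 2) % 10`. Line 16 builds the flag from `val + nm[::-1] + nm + val243 + val542` (the `BUILD_SLICE 3` over `None, None, -1` is the `[::-1]` reversal) and prints its uppercase MD5. The hand-checkable parts are the key mapping and the pre-image layout, so those are what the checks cover.

```python
import hashlib

VAL = "C0C09CTF"      # const 3, stored as `val`
VAL243 = "PIEKING"    # const 4, stored as `val243`
VAL542 = "DUMPMENOT"  # const 6, stored as `val542`


def derive_key(md_hex: str) -> str:
    """Source lines 12-14: y = ''; for x in md: y += str((ord(x) ^ 2) % 10)."""
    return "".join(str((ord(x) ^ 2) % 10) for x in md_hex)


def expected_key(username: str) -> str:
    """Source line 11 feeding the loop: md = md5(nm).hexdigest().upper()."""
    return derive_key(hashlib.md5(username.encode()).hexdigest().upper())


def flag_preimage(username: str) -> str:
    """Source line 16 before hashing: val + nm[::-1] + nm + val243 + val542."""
    return VAL + username[::-1] + username + VAL243 + VAL542


def flag(username: str) -> str:
    """The printed flag: uppercase MD5 of the pre-image."""
    return hashlib.md5(flag_preimage(username).encode()).hexdigest().upper()


def reconstructed_main() -> None:
    """The module body as the bytecode shows it (raw_input -> input)."""
    print("welcome to COCON CTF")
    nm = input("Please enter your userid :")
    key = input("Please enter your key : ")
    if expected_key(nm) == key:
        print("key is " + flag(nm))
    else:
        print("Key is to try harder, not everything is found by executing files")
        print("BTW i forgot to code the data stealer in this, although would have loved to")


if __name__ == "__main__":
    reconstructed_main()
```

Because `expected_key` is a pure function of the user id, the "key" check is not a secret at all; with the constants recovered from the pyc, `flag(username)` produces the level's answer directly, which is the point the author makes on the next slide.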
The flag can be deduced from the decompiled code and was the MD5 of the following combination: C0C09CTF + <username_in_reverse> + <username> + PIEKING + DUMPMENOT. The flag is obviously different for every user, or at least for the username that is provided in the text box on the flag submission page.

Log Analysis Levels

Log Analysis Level 1
URL: http://nullcon.net/challenge/c0c0n/llevel-1.php
Difficulty: Easy
Solution:
This was pretty easy, mostly because of the amount of attention this had got on Full Disclosure a few weeks ago. Anyway, dump.zip contained a packet capture which, thanks to the creators, contained a LOT of redundant data. Opening this file with Wireshark showed standard HTTP traffic, but what was noticeable was a number of HTTP HEAD requests. A quick look at the header information via the Follow TCP Stream option in Wireshark showed a long string of numbers being sent in the Range header. Since I had already worked on this denial of service exploit before, the data appeared familiar. In any case, a Google search for "Range Bytes vulnerability" produces several promising results. The CVE-ID for this vulnerability was CVE-2011-3192 and the attacker's IP clearly was 192.168.0.105.
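The tell the author spotted by eye in Follow TCP Stream, a Range header carrying an abnormal number of byte ranges, turned into detection logic as an added example (not part of the walkthrough). The request heads below are constructed in the shape Wireshark shows them, with the attacker address from the level reused for the offending one; the threshold of five ranges is this example's own choice, since a legitimate client rarely asks for more than a handful of ranges in one request.

```python
import re

# Constructed request heads (source IP, raw request), not the level's capture.
SAMPLE_REQUESTS = [
    ("192.168.0.10",
     "GET /index.html HTTP/1.1\r\nHost: victim\r\nRange: bytes=0-499\r\n\r\n"),
    ("192.168.0.105",
     "HEAD / HTTP/1.1\r\nHost: victim\r\n"
     "Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11\r\n\r\n"),
    ("192.168.0.11",
     "GET /a.png HTTP/1.1\r\nHost: victim\r\n\r\n"),
]

MAX_RANGES = 5  # this example's threshold; tune to what your clients really send

RANGE_HEADER = re.compile(r"^Range:\s*bytes=(.*)$", re.IGNORECASE | re.MULTILINE)


def count_ranges(request: str) -> int:
    """Number of comma separated byte ranges in the request's Range header."""
    m = RANGE_HEADER.search(request)
    if not m:
        return 0
    return len([r for r in m.group(1).split(",") if r.strip()])


def suspicious_range_requests(requests, max_ranges: int = MAX_RANGES):
    """(source_ip, method, range_count) for each request over the threshold."""
    hits = []
    for src, req in requests:
        n = count_ranges(req)
        if n > max_ranges:
            method = req.split(" ", 1)[0]
            hits.append((src, method, n))
    return hits


def suspected_sources(requests, max_ranges: int = MAX_RANGES):
    """Distinct source addresses behind the flagged requests."""
    return sorted({src for src, _, _ in suspicious_range_requests(requests, max_ranges)})


if __name__ == "__main__":
    for hit in suspicious_range_requests(SAMPLE_REQUESTS):
        print(hit)
    print(suspected_sources(SAMPLE_REQUESTS))
```

Counting ranges rather than matching a fixed payload is what makes the rule robust: the byte-range DoS works by the number of ranges, not by any particular values, so a signature on the exact string would miss trivial variants.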
Log Analysis Level 2
URL: http://nullcon.net/challenge/c0c0n/llevel-2.php
Difficulty: Average
Solution:
This level involved reading an Apache log to identify the name of the database and the table that was accessed by the attacker. As usual, the creators of this level used whatever means possible to bury this information as deep as possible, since the log contained a LOT of redundant GET requests to the server, including requests caused by running Grendel-Scan! If you scroll down slowly through the file, you will see that sqlmap was used to exploit a SQL injection vulnerability, and a LOT of requests show that database and table name enumeration was performed. The following image shows the database name encoded in one of the requests. Note that the file was first grepped for sqlmap and then passed through a URL decoder to clean the output a bit.

The sequence 67,84,70,95,67,48,67,48,57 can be quickly mapped from ASCII codes to CTF_C0C09, and the table name can be obtained by assembling the characters from each log entry that reads table_schema=CTF_C0C09.

Database name: CTF_C0C09
Table name: key_efd231b97af472e52f2a5413bde54b3f
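The grep-then-URL-decode-then-read-the-CHAR()-list routine from this level as a small log parser, added here as an example rather than anything the author published. The log lines are constructed in Apache combined format with sqlmap's User-Agent and an illustrative CHAR() fragment; the database name's byte list is the one quoted above, the table name's is a constructed short one.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines; the injected fragments are illustrative.
SAMPLE_LOG = r"""
10.0.0.7 - - [16/Oct/2011:10:01:02 +0530] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Oct/2011:10:05:44 +0530] "GET /index.php?id=1%20AND%20table_schema%3DCHAR(67,84,70,95,67,48,67,48,57) HTTP/1.1" 200 611 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
10.0.0.9 - - [16/Oct/2011:10:05:45 +0530] "GET /index.php?id=1%20AND%20table_name%3DCHAR(107,101,121) HTTP/1.1" 200 611 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
CHAR_RE = re.compile(r"CHAR\(([\d,\s]+)\)", re.IGNORECASE)


def decode_char_call(arg_list: str) -> str:
    """Turn the '67,84,70,...' argument list of a MySQL CHAR() call back into text."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())


def sqlmap_char_strings(log_text: str) -> list:
    """(ip, decoded_string) for every CHAR() argument list found in requests
    whose User-Agent is sqlmap's, after URL-decoding the request path."""
    found = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or "sqlmap" not in m.group("ua").lower():
            continue
        path = unquote(m.group("path"))
        for args in CHAR_RE.findall(path):
            found.append((m.group("ip"), decode_char_call(args)))
    return found


if __name__ == "__main__":
    for ip, text in sqlmap_char_strings(SAMPLE_LOG):
        print(ip, text)
```

Filtering on the User-Agent is only a convenience for this log; sqlmap's agent string is trivially changed, so a production rule would key on the decoded query content (CHAR() lists, UNION SELECT, information_schema lookups) rather than on the client banner.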
Log Analysis Level 3
URL: http://nullcon.net/challenge/c0c0n/llevel-3.php
Difficulty: Easy
Solution:
This was an interesting level, mostly because I work a lot with Process Monitor. I finished this level in less than 5 minutes, making it the fastest level that I had played in the entire CTF. And coincidentally, I had analyzed the same malware a few weeks ago, hence I knew the answers as soon as I found a single reference to it in the PML file.

infectedlog.zip contained a .pml file, which is basically a Process Monitor saved session. To find unwanted process activity in Process Monitor, you can eliminate known Windows processes till you hit an unwanted/unknown application, as I did till I stopped at mluchaby.exe. The process image had all the properties that most common Windows malware possess: located in the Windows folder, a description that made it sound important, no company name, etc.
The Chinese characters in the description of the process translate to "Foundation Classes Application", which meant that it was a Windows MFC application. A quick Google search for mluchaby.exe shows that it is part of the Rustock botnet malware family.

Finding the parent process was trivial, since we could obtain the Parent Process ID, 1956, from the properties page of the mluchaby.exe process. Removing all applied filters and quickly applying an Include filter of PID = 1956 gave Explorer.exe as the result.
There was however some confusion with the malware family name, since Rustock is also known by several other names. However, the answer to the malware family was the TDSS/TDL/Alureon family and not Rustock, which I still believe to be an error on the part of the level developers. However, considering how this is such a rare oversight, and in the spirit of the CTF, it's alright.

The final answers are as follows:

Malware family: TDL/TDSS/Alureon
Service: mluchaby
Parent Executable: Explorer.exe

Last words

It was a brilliant CTF (mostly because I won). Considering the variation in all the levels and the number of people who worked on this, I must commend them on the awesome stuff. Greetz to corrupt, Anant, Pushkar and all the others who worked on this!

- Riyaz Walikar a.k.a karniv0re
- http://www.riyazwalikar.com

- End of File -