There were 5 trivia questions, each flag gives 50 points:
#1 - Drink all the booze, ____ all the things!
Flag: hack
#2 - What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard, and Mark Dowd?
Flag: DICKS
#3 - What is the common name for a single grouping of instructions used in a Return Oriented Programming payload, typically ending in a return (ret) instruction?
Flag: gadget
#4 - What is the new web technology that provides a web browser full-duplex communication to a web server over a single connection?
Flag: websocket
#5 - What is the x86 processor operating mode for running 64-bit code?
Flag: long mode
Monday, September 23, 2013
Saturday, April 20, 2013
iHack2013 Forensic Challenge #11 WriteUp - Let's Cool Your Mind with Cartoon First :D
In this challenge, we are given this clue and a file.
Running file on the file given tells us this is a video file.
Some weird noise that resembles morse code is noticeable at 02:48 mark. We rip the audio out from the ASF file and load it in Audacity, and we see something in the audio stream.
Snip the part that we want and this is what we get:
Morse code! Decoding it gives this:
SKUCSKUCACGTZYLRGMUDXUREVUREXUREXUREVUREOFZKNLRGM
Based on the clue, we guess it's encoded with a Caesar cipher (ROT13, "the 13th time"), using a shift of 6 letters (6am).
Decoded:
MEOWMEOWUWANTSFLAGOXROLYPOLYROLYROLYPOLYIZTEHFLAG
Flag: ROLYPOLYROLYROLYPOLY
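The decoding steps above (Morse to letters, then undoing the 6-letter shift) as an added Python example; this is not code from the original writeup. The Morse sample is a constructed encoding of the first eight ciphertext letters, since the captured audio is not reproduced on the page; the ciphertext string itself is the one quoted above. The example goes a little beyond the post by trying all 26 shifts, which is what you would do when the clue gives no shift at all.

```python
# Added example (not from the original writeup): Morse decode + Caesar shift
# for the iHack 2013 Forensic #11 ciphertext.
import re

# International Morse code for A-Z; letters separated by single spaces.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
}

# Ciphertext as transcribed from the audio in the writeup.
CIPHERTEXT = "SKUCSKUCACGTZYLRGMUDXUREVUREXUREXUREVUREOFZKNLRGM"

# Constructed sample: Morse for the first eight letters, SKUCSKUC.
MORSE_SAMPLE = "... -.- ..- -.-. ... -.- ..- -.-."


def decode_morse(morse: str) -> str:
    """Turn space-separated dot/dash groups into letters."""
    return "".join(MORSE[symbol] for symbol in morse.split())


def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (negative undoes a positive shift)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(text: str) -> dict[int, str]:
    """Map each candidate shift 0..25 to the text with that shift undone."""
    return {s: caesar_shift(text, -s) for s in range(26)}


def extract_flag(plaintext: str) -> str:
    """Pull out the ROLY/POLY run that the challenge used as its flag."""
    match = re.search(r"(?:ROLY|POLY)+", plaintext)
    return match.group(0) if match else ""


if __name__ == "__main__":
    print(decode_morse(MORSE_SAMPLE))
    plain = caesar_shift(CIPHERTEXT, -6)  # the "6am" shift from the clue
    print(plain)
    print(extract_flag(plain))
```

When the shift is unknown, print `all_shifts(CIPHERTEXT)` and look for the candidate that reads as English; only shift 6 produces readable text here.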
Tuesday, October 2, 2012
CSAW 2012 Writeup - Forensic 500
Strangely enough, this is easier than the other forensics challenges. Just run strings against the file given:
Key: this_should_be_pretty_hard_unless_you_use_grep
CSAW 2012 Writeup - Networking 100
Open the pcap file in wireshark -> Follow TCP stream -> the key is the telnet login password.
Key: welcome to 1969
Monday, October 1, 2012
CSAW 2012 Writeup - Reversing 200
Run the binary to see if there are any messages:
This is a .net binary, so we load it up in a .net decompiler.
Here are the encrypted key bytes:
Found the decryption routine upon further inspection:
We wrote a shell script to XOR each byte with 255 (0xff); the decrypted message is: The key is 9c09f8416a2206221e50b98e346047b7
Key: 9c09f8416a2206221e50b98e346047b7
CSAW 2012 Writeup - Reversing 100
Run the binary, and see the output:
So what we want to do is to obtain the decrypted key. Load the binary in a debugger:
From the debugger, it is shown that the program exits prematurely before it shows the decrypted key. That's easy, just put a breakpoint at the call to exit() at 0x401106, patch it with nops, and voila!
Key: welcome_to_csaw!
Another way is to load the binary in a disassembler:
Key bytes are being loaded into the buffer.
The decryption routine:
XOR the key bytes with 0xff, and we get welcome_to_csaw!
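Both reversing challenges above come down to the same single-byte XOR with 0xff. The following is an added Python example, not the author's shell script: it decrypts the bytes, and also recovers the key byte from a crib (a known or guessed plaintext prefix such as "The key is "), which is how you would handle a binary where the XOR constant is not obvious from the disassembly. The encrypted byte strings are constructed here by XORing the known keys with 0xff, standing in for the buffers extracted from the binaries, which the writeup only shows as screenshots.

```python
# Added example (not from the original writeup): single-byte XOR decryption
# for the CSAW 2012 Reversing 100/200 key buffers, plus crib-based key recovery.
from typing import Optional


def xor_with_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both
    encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_key_from_crib(data: bytes, crib: bytes) -> Optional[int]:
    """Derive the key byte from a known plaintext prefix.

    Each ciphertext byte XOR its expected plaintext byte must give the same key;
    if the crib is wrong the candidates disagree and None is returned."""
    if not crib or len(crib) > len(data):
        return None
    candidates = {c ^ p for c, p in zip(data, crib)}
    return candidates.pop() if len(candidates) == 1 else None


# Constructed samples: the known keys from the writeups, XORed with 0xff, in place
# of the encrypted key bytes pulled out of the binaries.
ENCRYPTED_REV100 = xor_with_byte(b"welcome_to_csaw!", 0xFF)
ENCRYPTED_REV200 = xor_with_byte(
    b"The key is 9c09f8416a2206221e50b98e346047b7", 0xFF
)


def decrypt_rev100() -> str:
    """Reversing 100: the XOR constant (0xff) is read straight from the disassembly."""
    return xor_with_byte(ENCRYPTED_REV100, 0xFF).decode("ascii")


def decrypt_rev200() -> str:
    """Reversing 200: recover the key from the 'The key is ' prefix, then decrypt."""
    key = recover_key_from_crib(ENCRYPTED_REV200, b"The key is ")
    if key is None:
        raise ValueError("crib does not match a single-byte XOR key")
    return xor_with_byte(ENCRYPTED_REV200, key).decode("ascii")


if __name__ == "__main__":
    print(decrypt_rev100())
    print(hex(recover_key_from_crib(ENCRYPTED_REV200, b"The key is ")))
    print(decrypt_rev200())
```

The crib check is strict on purpose: a wrong guess about the prefix yields several different candidate bytes and is rejected, rather than silently producing garbage.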
CSAW 2012 Writeup - Trivia Challenges
There were five challenges in the Trivia category, each weighs 100 points:
1) What is the first step of owning a target?
2) What is the name of Google's dynamic malware analysis tool for Android applications?
3) What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.
4) Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?
5) What is the name of Microsoft's sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?
1) What is the first step of owning a target?
Key: recon
2) What is the name of Google's dynamic malware analysis tool for Android applications?
Refer: http://siliconangle.com/blog/2012/07/23/google-bouncer-researchers-fingerprint-androids-anti-malware-tool/
Key: bouncer
3) What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.
I used msf's nasm_shell.rb to get the opcode.
Key: 0x2424
4) Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?
Refer: http://seclists.org/fulldisclosure/2010/Mar/att-553/Windows-DEP-WPM.txt
Key: Spencer Pratt
5) What is the name of Microsoft's sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?
Refer: http://research.microsoft.com/en-us/projects/atg/ndss2008.pdf
Key: SAGE