
Archive for the ‘Hacking Lab’ Category

Hackvent 2019: Day 23

24 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 23 December 2019

Challenge

HV19.23 Internet Data Archive

Solution

We are presented with the following website:

We are allowed to enter a username and select some data to download, except the flag, which is classified. Upon doing this a unique zip file is generated for us containing our files, and we are also provided with a password that allows us to open the encrypted zip file.

By playing around with the website we learn the following things:

  • Usernames are truncated to at most 12 characters (alphanumeric)
  • Passwords are always 12 alphanumeric characters and look like this: BxxRGJAMpmbJ
  • All links to download files contain the input username with -data appended. Example for the username mo: http://whale.hacking-lab.com:23023/tmp/mo-data.zip
  • We can pass in req instead of req[] as a PHP POST argument to trigger a PHP error:
  • We can pass in username[] instead of username as a PHP POST argument to make the name be parsed as an Array: http://whale.hacking-lab.com:23023/tmp/Array-data.zip
  • We cannot use the username Santa (it is explicitly disallowed!)

We soon find out that the tmp directory where the files are hosted has directory indexing enabled, so we can see all the files that are being created. Sorting by oldest files first, we discover two interesting files:

We download Santa-data.zip and discover that it contains a file called flag.txt! However, we do not know the password for this archive.
Assuming alphanumerics are used as the charset for the password, our bruteforce complexity is 62^12, which is not feasible.

Next, we inspect the phpinfo page for any valuable information and take note of the PHP version, 7.4.1, and that the sodium module is loaded (although this doesn't matter).

Next we write a password generator script to generate a lot of tokens:

After generating 1000 passwords we run frequency analysis on the output and discover that certain characters never appear: 0, 1, l, I, N, n, O and o. Perhaps these characters are omitted because they look similar to other characters. Eliminating these characters from our charset brings our bruteforce complexity down to 54^12, which is still not feasible.

We note the title of the challenge page, IDA Pro, and after researching the IDA Pro PRNG we come across this interesting article:
https://devco.re/blog/2019/06/21/operation-crack-hacking-IDA-Pro-installer-PRNG-from-an-unusual-way-en/

The author describes exactly the same charset that is in use here, so we try the same approach to break the PRNG used to generate the password for the Santa-data.zip file. We decide to use PHP for this, with the same version 7.4.1 as the challenge website, to ensure consistency.

We make the following bruteforce.php script:

This script simply generates a 12-character password from the first 12 bytes of randomness produced by the RNG for each seed from 0 to 2^32. However, we cannot easily save this data to disk, so we instead stream it to a ZIP cracking utility like John the Ripper to attempt to crack the file on the fly.

We run:

After about 2 minutes we have a successful crack:

Thus our password is Kwmq3Sqmc5sA and the original seed used was 4333287.
We open flag.txt to get our daily flag!
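The root cause of this challenge, as an added illustration (not the writeup's bruteforce.php and not a reproduction of the challenge's PHP RNG): a token that is a pure function of one 32-bit seed has at most 2^32 values no matter how long it looks, so the defender's check is whether the seed can be recovered at all. Python's MT19937 stands in for the unknown RNG, and the charset is the 54-symbol one the writeup derived.

```python
import math
import random
import secrets
from typing import Optional, Tuple

# Charset derived in the writeup by frequency analysis: alphanumerics minus 0 1 l I N n O o.
CHARSET = "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                  if c not in "01lINnOo")
TOKEN_LEN = 12


def seeded_token(seed: int) -> str:
    """Weak generator in the style the writeup breaks: the whole token is a
    deterministic function of a single integer seed (assumption: MT19937 here,
    the challenge's actual PHP RNG is not reproduced)."""
    rng = random.Random(seed)
    return "".join(rng.choice(CHARSET) for _ in range(TOKEN_LEN))


def recover_seed(token: str, max_seed: int) -> Optional[int]:
    """Defender's self-check: if the seed lives in a small range, the token
    leaks the seed and every other token derived from it."""
    for seed in range(max_seed):
        if seeded_token(seed) == token:
            return seed
    return None


def effective_bits(seed_bits: int = 32) -> Tuple[float, float]:
    """Apparent entropy of a 12-symbol token versus the real entropy of the seed."""
    apparent = TOKEN_LEN * math.log2(len(CHARSET))   # 54^12 is about 69 bits
    return apparent, float(seed_bits)                # but only 2^32 distinct tokens exist


def secure_token() -> str:
    """Fix: draw every symbol from the OS CSPRNG, so there is no seed to recover."""
    return "".join(secrets.choice(CHARSET) for _ in range(TOKEN_LEN))
```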

Flag:  HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}

 
No Comments

Posted in Hackvent 2019

 

Hackvent 2019: Day 22

23 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 22 December 2019

Challenge

HV19.22 The command … is lost

Resource mirror: thecommand7.data

Solution

We inspect our data file and Google some of the hex sequences inside, like :100000000C9435000C945D000C945D000C945D0024 and :00000001FF. We soon realise it's the hex dump (i.e. the machine code) of a program for an AVR microcontroller. Based on our search it seems like the dump came from the Atmel ATmega128. We decide to try running this hex file in an AVR emulator. As we are on Windows we will try Atmel Studio, which we have used before for other projects. First we replace spaces with newlines in our hex dump, as this seems to make it easier for third-party tools to read the file.
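An Intel HEX parser as an added example (not part of the writeup), using the two records quoted above as a constructed sample: it verifies each record's checksum, rebuilds the address-to-byte map, and reads the first AVR flash words back out, which is the same data the emulator loads.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the data record and end-of-file record quoted in the writeup.
SAMPLE_HEX = ":100000000C9435000C945D000C945D000C945D0024 :00000001FF"


def parse_record(line: str) -> Tuple[int, int, bytes]:
    """Parse one record ':LLAAAATT<data>CC' into (type, address, data), checking the checksum."""
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5 or len(raw) != 5 + raw[0]:
        raise ValueError("length field does not match record size")
    # Checksum is the two's complement of the byte sum, so all bytes must sum to 0 mod 256.
    if sum(raw) & 0xFF != 0:
        raise ValueError(f"bad checksum in {line}")
    return raw[3], int.from_bytes(raw[1:3], "big"), raw[4:-1]


def record_ok(line: str) -> bool:
    """True if the record parses and its checksum verifies."""
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def load_hex(text: str) -> Dict[int, int]:
    """Build an address -> byte map. Records may be separated by any whitespace,
    which is why the writeup's space-to-newline rewrite changed nothing in content."""
    memory: Dict[int, int] = {}
    base = 0
    for line in re.split(r"\s+", text.strip()):
        rtype, addr, data = parse_record(line)
        if rtype == 0x00:                                  # data
            for i, b in enumerate(data):
                memory[base + addr + i] = b
        elif rtype == 0x01:                                # end of file
            break
        elif rtype == 0x02:                                # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                                # extended linear address
            base = int.from_bytes(data, "big") << 16
    return memory


def avr_words(memory: Dict[int, int], start: int, count: int) -> List[int]:
    """AVR flash is little-endian 16-bit words: 0x940C 0x0035 at address 0 is the
    reset vector 'jmp 0x35' (a word address, byte address 0x6A)."""
    return [memory[start + 2 * i] | (memory[start + 2 * i + 1] << 8) for i in range(count)]
```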

Next we generate some Atmel ASM code from our hex file using the third party tool ReAVR:

This generates some Atmel-compatible ASM code, which we try to run directly in Atmel Studio in an empty ASM assembler project.

We receive one error which tells us that rcall 0x0F78 has a relative jump which is out of reach. We comment it out for now to attempt to run the program.
We let the program run in our debugger, pause it after some time and inspect our registers in the data segment:

Thankfully, it contains our daily flag!

Flag:  HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}

 

Hackvent 2019: Day 21

21 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 21 December 2019

Challenge

HV19.21 Happy Christmas 256

Solution

We review the clues the elves gave us and first start by trying to find Santa's password that was leaked 10 years ago. We are looking for data breaches in 2009, so we look at a list of data breaches. We find that the rockyou breach was the biggest breach that year and that its password dumps are readily available (with usernames stripped out), so we download this dump. We also know that Santa's password is of length sqrt(256) = 16. There are roughly 118k passwords in the dump that meet the length requirement. Another clue tells us that the AES256 key can be derived with pbkdf2_hmac with the salt TwoHundredFiftySix and 256*256*256 iterations. We attempt to bruteforce the AES key but realise very quickly that this is very slow and would take a long time. To be clear, it is quite feasible to crack the AES key this way over the course of, say, 48 hours, but we want a faster solution. We also tried guessing that the password would contain the text 256 and used this to limit our bruteforce space for AES key cracking. This unfortunately failed but was a cool idea! (If only we had used the word santa instead.)

Instead, we look at Santa's private keys and notice that the corresponding private key is his password hashed with SHA256. This is much, much faster to bruteforce, as we can generate potential private keys and attempt to sign and verify a test message. If our verification is successful, we will have the original password, which we can then use to decrypt the AES ciphertext directly.
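The two derivation paths side by side, as an added example (not the writeup's script): the same password costs one SHA-256 on the private-key path but about 16.8 million HMAC calls on the PBKDF2 path, which is why the cheap path decides the search. The wordlist is constructed, and key_matches is a placeholder for the sign-and-verify step, whose signature scheme the writeup does not name.

```python
import hashlib
from typing import Callable, Iterable, List, Optional

SALT = b"TwoHundredFiftySix"     # salt from the challenge clues
ITERATIONS = 256 * 256 * 256      # 16,777,216 rounds, also from the clues
PASSWORD_LEN = 16                 # sqrt(256)

# Constructed stand-in for the rockyou dump; only 16-character lines matter.
SAMPLE_DUMP: List[str] = ["password\n", "exactly16chars!!\n", "santa_secret_123\n"]


def candidates(lines: Iterable[str], length: int = PASSWORD_LEN) -> Iterable[str]:
    """Keep only dump entries of the known length (the writeup's ~118k of rockyou)."""
    for line in lines:
        pw = line.rstrip("\r\n")
        if len(pw) == length:
            yield pw


def private_key_candidate(password: str) -> bytes:
    """Cheap path: the private key is plain SHA-256 of the password, one hash per guess."""
    return hashlib.sha256(password.encode()).digest()


def derive_aes_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Expensive path: PBKDF2-HMAC-SHA256 with the challenge parameters (32-byte AES-256 key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def find_password(lines: Iterable[str], key_matches: Callable[[bytes], bool]) -> Optional[str]:
    """Search with the cheap path only; key_matches stands in for the writeup's
    sign-and-verify test. Only the winner is ever pushed through PBKDF2."""
    for pw in candidates(lines):
        if key_matches(private_key_candidate(pw)):
            return pw
    return None
```

The lesson for a defender is the mismatch: a slow KDF on one use of the password buys nothing if a second use of the same password goes through a single fast hash.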

Putting all of this together we write our Python script:

Running the above gives us Santa’s password and our flag after 30 seconds:

Flag:  HV19{sry_n0_crypt0mat_th1s_year}

 

Hackvent 2019: Day 20

20 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 20 December 2019

Challenge

HV19.20 i want to play a game

Resource mirror: HV19-game.zip

Solution

We are given a binary and told it is something obscure we have to reverse. We download the binary and open it in IDA. After some digging around we realise the file has something to do with the PS4 and this is consistent with the hint in the zip file name too.

We dig around in IDA where we find a single main() method. We see that it reads in a file called /mnt/usb0/PS4UPDATE.PUP, takes the MD5 hash of this file and compares it to f86d4f9d2c049547bd61f942151ffb55. After googling this hash we find the file in question is the PS4 5.05 firmware.

We decide to decompile the code to C and are presented with the following:

The above decompilation is not perfect but we see the general structure of the program. First we initialise an array of 32 bytes with some data from byte_300 and store this as our flag data. Next we open our /mnt/usb0/PS4UPDATE.PUP file. We initialise our file seek position to 0x1337 and start looping, adding 0x1337 to the seek position each iteration. Finally, we read 26 bytes from the file and xor them with the current flag data. At the end, we should have our flag in our array.

We translate this to python code and get the following:

Running this gives us our flag!

Flag:  HV19{C0nsole_H0mebr3w_FTW}

 

Hackvent 2019: Day 19

20 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 19 December 2019

Challenge

HV19.19 ?

Solution

We see a bunch of emoji and immediately think it's Emojicode!
Initially we want to play around with the code, so we go to tio.run/#emojicode6 and enter our code.

Upon running our code we get a prompt, and entering random input causes our program to panic and crash:

Amazingly, based on the prompt alone, of Santa being confused around a lock emoji (?), I decide to try the key emoji (?) as input.
This actually gave me the flag, making the time to completion only 8 minutes!
Unintended, but I'll take it.

Flag:  HV19{*<|:-)____\o/____;-D}

 

Hackvent 2019: Day 18

20 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 19 December 2019

Challenge

HV19.18 Dance with me

Resource mirror: HV19-dance.zip

Solution

In our zip file we get a dance binary that we discover is an ARM binary. After some digging around we find out that it is in fact a DEB package written for iOS. We attempt to run the code in an emulator like QEMU but unfortunately don't have much luck getting the emulator to work. Instead we rely on static analysis.

We use IDA's ARM decompiler to give us the Objective-C code belonging to the binary. As I didn't have the required IDA plugin, I got this from BlindHero (thanks!).

This was the code:

It takes a while to analyse this code to learn what cipher is actually being used.
Through many clues we learn it's a stream cipher, the appropriately named Salsa20.
At this point it's reasonable to assume we need to decrypt our encrypted flag 096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15, which is just hex data, using the Salsa20 algorithm with some key and nonce. We are looking for a 128-bit or 256-bit key and a 64-bit nonce. We can see four arguments passed to the dance method. The first is the result and the second is simply the input length, used to check against loop guards. The last two arguments are our key and nonce. We take the longer length argument &v11 as our nonce.

We use IDA to easily fetch the key as raw data:

As it turns out only the upper (first) 32 bytes of this key are used.
Our nonce is the number -5678246756302764783, which we convert to hex as \xB1\x32\xD0\xA8\xE7\x8F\x45\x11. However, we are using little-endian ordering, so we reverse the order of the bytes to \x11\x45\x8F\xE7\xA8\xD0\x32\xB1.

Finally we can write a Python script to decrypt our Salsa20-encrypted string. We simply use a template from online:

Running this prints out our daily flag!

Flag:  HV19{Danc1ng_Salsa_in_ass3mbly}

 

Hackvent 2019: Day 17

17 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 17 December 2019

Challenge

HV19.17 Unicode Portal

Solution

We visit the unicode portal and are presented with a very cool website:

We have to log in before we can view the symbols, source or admin page. We register an account (only a username and password are needed). Upon logging in we see a symbols page, a source page and an admin page. Upon accessing the admin page we are told You need to be an admin in order to access this area!. The source page is very unique and shows us the source code of the user.php page.

The source code is:

From the source code we can exploit the register functionality! We decide to work backwards from the isAdmin function.

The === comparison is very strong and thus won't be broken. The verifyCreds function sanitises input and simply selects a password from the database matching the username.
Therefore we know we must log in with the santa username, but we do not know its password.

However, in the registerUser method we see that ON DUPLICATE KEY the password is updated! Great. However, the isUsernameAvailable check is called before this to stop us from just registering the username santa again and updating the password.

The key to this exploit is the usage of the LOWER and UPPER methods. We need to find some username input where LOWER("SANTA") = BINARY LOWER(username) and  UPPER(username) = "SANTA".
We write a quick SQL query to test some inputs:

We run the following JavaScript in our browser to do some quick checks to see if any character maps to a letter in santa when transformed to upper case. We luckily start with the letter S:

We get the following output:

Interestingly, the lowercase ſ character (U+017F : LATIN SMALL LETTER LONG S) is converted to an uppercase S (U+0053 : LATIN CAPITAL LETTER S).
Protip: use this useful website to check unicode input easily.

Therefore, we try the input ſanta with our local query and the test passes! It bypasses the isUsernameAvailable check, and then in the registerUser method it triggers ON DUPLICATE KEY on UPPER("ſanta"), which equals SANTA. Thus, we have overwritten the password for the santa user. Finally, we log in using santa as the username and the password we used before, and are authenticated!
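The collision search and the fix, as an added example (not the portal's code or the writeup's JavaScript): it generalises the browser loop above to any target letter, reproduces the availability check that lets ſanta through, and shows the hardened check that rejects it. Python's case tables stand in for MySQL's UPPER()/LOWER(), which can differ, so any hit still needs confirming against the real database.

```python
import unicodedata
from typing import Set

# Constructed stand-in for the portal's user table.
EXISTING_USERS: Set[str] = {"santa"}


def upper_collisions(target: str) -> Set[str]:
    """All single code points whose .upper() is `target` other than `target` itself
    and its plain lowercase form (the writeup's JS loop, generalised to any letter)."""
    plain = {target, target.lower()}
    return {chr(cp) for cp in range(0x110000)
            if chr(cp).upper() == target and chr(cp) not in plain}


def weak_username_available(candidate: str, existing: Set[str]) -> bool:
    """The portal's check as the writeup describes it: a lower-cased comparison,
    so 'ſanta' (whose lower() is unchanged) looks free even though its UPPER() is SANTA."""
    return candidate.lower() not in {u.lower() for u in existing}


def canonical(name: str) -> str:
    """NFKC folds compatibility characters (ſ -> s, Kelvin sign -> k) before casefolding."""
    return unicodedata.normalize("NFKC", name).casefold()


def safe_username_available(candidate: str, existing: Set[str]) -> bool:
    """Hardened check: compare the canonical form on both sides, and use the same canonical
    form as the unique key when inserting, so UPPER() on the raw name can never collide."""
    return canonical(candidate) not in {canonical(u) for u in existing}
```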

We visit the admin page and get our daily flag:

Flag:  HV19{h4v1ng_fun_w1th_un1c0d3}

 

Hackvent 2019: Day 16

16 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 16 December 2019

Challenge

HV19.16 B0rked Calculator

Resources: HV19.16-b0rked.zip

Solution

We are presented with an x86 Windows binary. Upon inspection it looks to be a simple calculator but unfortunately it's borked!

It supports the following operations: +, -, * and /.
However, it seems like it either ignores the left or the right operand in calculations. In the example above, it ignored the right operand.
We find the following problems:

We open the binary in IDA Pro and discover that each operation is contained in its own method and is passed two doublewords as arguments:

However, each method was broken in some way:

  • Missing stack variable definitions
  • Not loading arguments into registers
  • Not calling the required ASM function to perform the operation (add, sub, mul, div)

Each method was conveniently padded with 0x90 NOP opcodes, which meant we did not have to change the size of the binary. We patch all these methods one by one, running the binary again after each correction to check that the functionality works.

These were the changes made, where white is the old binary and green is the new binary:

IDA Diff:

Running the binary one more time and clicking on calc showed us our flag on the screen:

Flag:  HV19{B0rked_Flag_Calculat0r}

 

Hackvent 2019: Day 15

15 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 15 December 2019

Challenge

HV19.15 Santa’s Workshop

Page snapshot:

Solution

NOTE: Unfortunately, the server for this challenge was broken for a long time and caused a lot of pain and suffering. In the end it took 6 hours longer than it needed to.

We land on a nice landing page with a counter which counts upwards. We do some snooping around to see what resources are used on the page and come across two javascript files of interest.

config.js

mqtt.js

Basically, we are authenticating with an MQTT messaging service. We initially subscribe to the topic 'HV19/gifts/'+clientid, which returns the number of gifts made by the elves so far, increasing by 1-3 every second or so:

We see a commented-out topic 'HV19/gifts/'+clientid+'/flag-tbd' but don't get anything when we subscribe to it. We have our client id, which was initially 0395226010678529, in our local storage. We also decide to convert the calls on the page into a Python script for ease of testing. After subscribing to the wildcard # topic we don't see any extra messages, but we do see something interesting when subscribing to the $SYS/# topic. We see the version of the MQTT server returned as:

We look into CVE-2017-7650 and find the following advisory and commits which patch the issue:
https://mosquitto.org/blog/2017/05/security-advisory-cve-2017-7650/
https://github.com/eclipse/mosquitto/commit/9af3c6958fe1b2c653a7952f6f144bcf6ecfbc0d
https://github.com/eclipse/mosquitto/commit/cd17ca45cd313dc00480091505f708858db73ee9

In short we are told:

From the official patches we see the fix involves checking whether the client_id or username contains the wildcard # or + symbols. If so, the connection is refused.

However, we notice that our client_id is only rejected if it starts with a # or + symbol. Therefore the elves' patch incorrectly used a string startswith check instead of a string contains check. We also consider the commented-out topic in config.js, which is HV19/gifts/'+clientid+'/flag-tbd, and guess that the final flag will look something like HV19/gifts/0395226010678529/HV19{flag_here}. It seems like our user workshop does not have permission to read from this topic even though it's nested under our client id.

Therefore, we try the client id 0395226010678529/#, which should match the flag topic name if we subscribe to all topics (i.e. subscribe to the # topic).
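An added example (not the writeup's script) that makes the two points above concrete: MQTT topic-filter matching shows how a client id containing /# turns the page's 'HV19/gifts/'+clientid subscription into a wildcard over everything under that id, and the two client-id checks side by side show why startswith is not the CVE-2017-7650 fix. The topics are constructed.

```python
from typing import List

# Constructed topics in the shape the writeup guesses at; the flag value is a placeholder.
SAMPLE_TOPICS: List[str] = [
    "HV19/gifts/0395226010678529",
    "HV19/gifts/0395226010678529/HV19{placeholder_flag}",
    "HV19/gifts/1111111111111111/HV19{someone_elses}",
]


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT 3.1.1 subscription matching: '+' matches exactly one level; '#' is only
    valid as the last level and matches the rest of the topic, including zero levels."""
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def subscription_for(client_id: str) -> str:
    """The subscription the page's config.js builds; the client id is spliced in as-is."""
    return "HV19/gifts/" + client_id


def matched_topics(client_id: str, topics: List[str]) -> List[str]:
    """Which topics the client-id-derived subscription would actually receive."""
    sub = subscription_for(client_id)
    return [t for t in topics if topic_matches(sub, t)]


def vulnerable_client_id_ok(client_id: str) -> bool:
    """The check the writeup observed on the server: only a leading wildcard is refused."""
    return not client_id.startswith(("#", "+"))


def patched_client_id_ok(client_id: str) -> bool:
    """The check the upstream fix makes: a wildcard anywhere in the client id is refused."""
    return "#" not in client_id and "+" not in client_id
```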

This is the script we ended up using:

Running this spits out the following response which contains our flag as part of the topic name:

Flag:  HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}

 

Hackvent 2019: Hidden 4

14 Dec 2019
CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com
Date Completed: 14 December 2019

Challenge

HV19.H4 Hidden Four

Solution

During the Day 14 challenge, HV19.14 Achtung das Flag, our final flag looked quite interesting:
HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}

The hints in the __DATA__ segment point us in the right direction:

So we evaluate the string as Perl code like so:

This prints out the content of our hidden flag:
Squ4ring the Circle

Flag:  HV19{Squ4ring the Circle}

 