Hackvent 2019: Day 22
Challenge HV19.22 The command … is lost
Introduction
Santa bought this gadget when it was released in 2010. He did his own DIY project to control his sledge by serial communication over IR. Unfortunately Santa lost the source code for it and doesn't remember the command needed to send to the sledge. The only thing left is this file: thecommand7.data
Santa likes to start a new DIY project with more commands in January, but first he needs to know the old command. So, now it's on you to help out Santa.
Resource mirror: thecommand7.data
Solution
We inspect our data file and Google some of the hex sequences inside, like :100000000C9435000C945D000C945D000C945D0024 and :00000001FF. We soon realise it's the hex dump (or machine code) of a program for an AVR microcontroller. Based on our search it seems like the dump…read more.
Hackvent 2019: Day 21
Challenge HV19.21 Happy Christmas 256
Introduction
Santa has improved since the last Cryptmas and now he uses harder algorithms to secure the flag.
This is his public key:
X: 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f
Y: 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c
To make sure this is safe, he used the NIST P-256 standard.
But we are lucky and an Elve is our friend. We were able to gather some details from our whistleblower:
- Santa used a password and SHA256 for the private key (d)
- His password was leaked 10 years ago
- The password length is the square root of 256
- The flag is encrypted with AES256
- The key for AES is derived with pbkdf2_hmac, salt: "TwoHundredFiftySix", iterations: 256*256*256
Phew - Santa seems to know his business - or can you still recover this flag?
Hy97Xwv97vpwGn21finVvZj5pK/BvBjscf6vffm1po0=
Solution
We review the clues the elves gave us and start by trying to find Santa's password that was leaked 10 years ago. We are looking for data breaches in 2009, so we look at a list of data breaches. We find that the rockyou breach was the biggest…read more.
Hackvent 2019: Day 20
Challenge HV19.20 i want to play a game
Introduction
Santa was spying you on Discord and saw that you want something weird and obscure to reverse? your wish is my command.
Resources
HV19-game.zip
Resource mirror: HV19-game.zip
Solution
We are given a binary and told it is something obscure we have to reverse. We download the binary and open it in IDA. After some digging around we realise the file has something to do with the PS4 and this is consistent…read more.
Hackvent 2019: Day 19
Challenge HV19.19 ?
Introduction
???????????????⛺❗️??????️?????????????????⁉️????????????????????⛪???????????❤️????????????????????????????????????????????⛴???????????????????⛄??⏳?????????????????????????????????????????????????????????????????????????????✨???????????⛲??????????⛵?????????????????? ❗️➡️ ㉓ ??????❗️➡️ ??㊷ ? ⌘ ?⏩⏩ ???❗️ ?㉓❗️❗️ ? ⌘ ➡️? ㊷ ? ㉓ ⌘❗️❗️? ?????????????❤️??❤️???????⛪???? ❗️➡️ ? ??????????? ❗️➡️ ? ? ? ? ➡️ ??⁉️ ➡️ ?? ?❗️?? ? ? ??❗️???❗️????❗️❗️❗️ ➡️ ? ↪️??❗️? ???❗️???????❗️? ☣️??????❗️❗️➡️ ✓? ⌘ ?⏩⏩???❗️??❗️❗️?? ㊷ ? ? ⌘❗️❗️ ➡️ ⌃? ? ⌘ ???❗️❗️➡️ ^??⌃➖?㉓❗️➗?????❗️❗️❌^❌?⌘❗️➡️ ⎈ ↪️ ⌘ ◀ ??❗️?❎?? ㊷ ? ? ⌘❗️❗️➖ ?? ??❗️➕??❗️➖??❗️➖??❗️➕????❗️?✖??????❗️? ? ?⎈❗️❗️? ??????❗️?✍✓ ⎈ ⌘ ????❗️❗️?????✓ ??❗️❗️❗️➡️ ⌘↪️⌘ ? ?♀️???????❗️???⌘❗️? ? |
Solution
We see a bunch of emoji and immediately think it's EmojiCode! Initially we want to play around with the code, so we go to tio.run/#emojicode6 and enter our code. Upon running our code we get a prompt, and entering random input causes our program to panic and crash:…read more.
Hackvent 2019: Day 18
Challenge HV19.18 Dance with me
Introduction
Santa had some fun and created today's present with a special dance. this is what he made up for you:
096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15
Dance with him to recover the flag.
Resources
HV19-dance.zip
Resource mirror: HV19-dance.zip
Solution
In our zip file we get a dance binary that we discover is an ARM binary. After some digging around we find out that it is in fact a DEB and written for iOS. We attempt to run the code in an emulator like…read more.
Hackvent 2019: Day 17
Challenge HV19.17 Unicode Portal
Introduction
Buy your special gifts online, but for the ultimate gift you have to become admin.
Resources
http://whale.hacking-lab.com:8881/
Solution
We visit the unicode portal and are presented with a very cool website: We have to log in before we can view the symbols, source or admin page. We register an account (only a username and password are needed). Upon logging in we see a symbols page, a source page and…read more.
Hackvent 2019: Day 16
Challenge HV19.16 B0rked Calculator
Introduction
Santa has coded a simple project for you, but sadly he removed all the operations. But when you restore them it will print the flag!
Resources
HV19.16-b0rked.zip
Resources: HV19.16-b0rked.zip
Solution
We are presented with an x86 Windows binary file. Upon inspection it looks to be a simple calculator but unfortunately it's borked! It supports the following operations: + - * and /. However, it seems like it either ignores the left or right operand in calculations. In…read more.
Hackvent 2019: Day 15
Challenge HV19.15 Santa’s Workshop
Introduction
The Elves are working very hard. Look at to see how busy they are.
Page snapshot: https://mobeigi.com/blog/uploads/chrome_1ZfClccQZP.png
Solution
NOTE: Unfortunately, the server for this challenge was broken for a long time and caused a lot of pain and suffering. In the end it took 6 hours longer than it needed to.
We land on a nice landing page with a counter which counts upwards.…read more.
Hackvent 2019: Hidden 4
Challenge HV19.H4 Hidden Four
Solution
During the Day 14 challenge HV19.14 Achtung das Flag, our final flag looks quite interesting:
HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}
The hints in the __DATA__ segment point us in the right direction:
Only perl can parse Perl!
Run me in Perl!
So we evaluate the string as Perl code like so:
# Hackvent 2019 - Hidden 4
# Mo Beigi (https://mobeigi.com)

eval 's@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee';
This prints out the content of our hidden flag:…read more.
Hackvent 2019: Day 14
Challenge HV19.14 Achtung das Flag
Introduction
Let's play another little game this year. Once again, I promise it is hardly obfuscated.
Resources
use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=<DATA>);sub M{$M=shift;##
@m=keys %::;(grep{(unpack("%32W*",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###
/_help_me_/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)&0xFFFFFFFF;};
($a1Ivn0ECw49I5I0oE0='07&3-"11*/(')=~y$!-=$`-~$;($Sk61A7pO='K&:P3&44')=~y$!-=$`-~$;m/Mm/g;
($sk6i47pO='K&:R&-&"4&')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]
^($PMMtQJOcHm8eFQfdsdNAS20->()&0xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow->new)->title($r)
;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_->Canvas("-$a"=>640,"-$b"=>480,"-$u"=>$f))->pack;@p=(42,42
);$cqI=$vMnyQdAkfgIIik->createLine(@p,@p,"-$y"=>$c,"-$a"=>3);;;$S9cXJIGB0BWce=0;$_2kY10=0;
$_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'/'.M(191323).M(133418).M(98813).M(121913)
.M(134214).M(101213).'/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',
$::{M(122413)}->($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik->delete($t);$t=$vMnyQdAkfgIIik->#FOO
createText($PMMtQJOcHm8eFQfdsdNAS20->()%600+20,$PMMtQJOcHm8eFQfdsdNAS20->()%440+20,#Perl!!
"-text"=>$d28Vt03MEbdY0->(),"-$y"=>$z);})->();$HACK;$i=$vMnyQdAkfgIIik->repeat(25,sub{$_=(
$_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]>1&&$p[1]>1&&$p[0]<639&&
$p[1]<479)||$i->cancel();00;$q=($vMnyQdAkfgIIik->find($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,
$p[0]+1,$p[1]+1)||[])->[0];$q==$t&&$T->();$vMnyQdAkfgIIik->insert($cqI,'end',\@p);($q==###
$cqI||$S9cXJIGB0BWce>44)&&$i->cancel();});$KE=5;$vgOjwRk4wIo7_->bind("<$Sk61A7pO-n>"=>sub{
$Sk6lA7p0=1;});$vgOjwRk4wIo7_->bind("<$Sk61A7pO-m>"=>sub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%"
->bind("<$sk6i47pO-n>"=>sub{$Sk6lA7p0=0 if$Sk6lA7p0>0;});$vgOjwRk4wIo7_->bind("<$sk6i47pO"
."-m>"=>sub{$Sk6lA7p0=0 if $Sk6lA7p0<0;});$::{M(7998)}->();$M_decrypt=sub{'HACKVENT2019'};
__DATA__
The cake is a lie!
width
height
orange
black
green
cyan
fill
Only perl can parse Perl!
Achtung das Flag! --> Use N and M
background
M'); DROP TABLE flags; --
Run me in Perl!
__DATA__
Solution
We are provided with some Perl code so we decide to run it. We realise we need the Tk module which seems to be some GUI library for Perl. After running the code we are presented with a game which allows us to control the…read more.