Tuesday, January 28, 2014

Nullcon HackIM 2014 :: Reverse 1

For this particular challenge, we were given a file (which i've re-uploaded here) and the following clues.
"Find the flag hidden not so deep inside."

After opening up the .zip file, there is an easy.exe file within.
My initials gut feel is to simply step-debug this .exe file but realise that it's not doing anything interesting so i loaded it up into IDA Pro and found this interesting function that is never being called.


Let's extract out this function and form it back to C code like this here.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char* argv[]){
  int v0 = strlen(")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T");
  int v3 = v0 + 32;
  char *result = (char *)malloc(v0 + 32);
  char wtf[] = {")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T"};
  int i;
  if ( result ){
 int v2 = 0;
 memset(result, 0, v3);
 
 for ( i = 0; i<strlen(")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T"); ++i )
 *(result + i) = wtf[i] + 13;
 *(result + i) = 95;
 v2 = i + 1;
 *(result + v2++) = 65;
 *(result + v2++) = 78;
 *(result + v2++) = 68;
 *(result + v2++) = 95;
 *(result + v2++) = 77;
 *(result + v2++) = 79;
 *(result + v2++) = 79;
 *(result + v2) = 79;
 *(result + v2 + 1) = 79;
  }
  printf("%s", result);
  return 0;
}

We should have something like the file that i've attached here.

If you compile and run the program, you will get the key.
6a589746613a5f670583086124a8305a_AND_MOOOO


Have Phun
0x4a61636f62

Monday, January 27, 2014

Nullcon HackIM 2014 :: Misc 3

We were given only the following clues
"Find the flag hidden not so deep inside."
and a file which i've re-uploaded here

For music files, usually i will use Audacity to see whether there are hidden clues within.


From the above screenshot, we can see there seems to be 2 audio tracks within 1 .mp3 file.
The 2nd audio track when you zoom in seems like "-" & ".".
Could it be morse code?
Let's extract out and try decoding it.
After extraction of the morse code, it will look like this.

--.-.- --.-.- . -- --- ... . --. -. ...
.. -.... ----. ----- ---.. .- --- .-.- ..-. ..-.
-.. .- --.-.- -. --- .-- . -... --- ..-. ..
However after using the Morse Code translator from http://morsecode.scphillips.com/jtranslator.html

We were given back ??EMOSEGNSI6908AO?FFDA?NOWEBOFI
Doesn't seems like it.
Then i listened to the other track and the music sounded strange as if it's music played backwards.
So i used one of the features in Audacity to reverse the .mp3 file and track 1 sounds better now.

So probably the morse code from track 2 should be read from back to front too.
After reversing the morse code, we got back

--.-.- --.-.- . -- --- ... . --. -. ...
.. -.... ----. ----- ---.. .- --- .-.- ..-. ..-.
-.. .- --.-.- -. --- .-- . -... --- ..-. ..
After using the morse code to text translator, we got back the following.
ILOVEGOA?NULLCON2014ISAWESOME??

So we got a character that are not properly translated
-.-.--
But checking with Wiki, that is equal to !
Therefore, the final answer to this challenge is the following.
 ILOVEGOA!NULLCON2014ISAWESOME!!

cheers
0x4a61636f62

Nullcon HackIM 2014 :: Misc 1

The clues given to us are
 "Sam has parked his car in front of a store. Find the name of the store."

and we were also given a .pcap file I've uploaded a copy of the .pcap file here First thing i did was load the .pcap file into Wireshark and check whether there are any file objects and i saw just 1 image.

As the question was "Find the name of the store" So i extracted the image and try to see whether there are any GPS information in the file. So i use http://regex.info/exif.cgi to check for GPS information. Surprisingly there is indeed GPS information and Google Maps as shown below


Making use of Google Maps's Street View, i found this.


Ok and the answer to this challenge is..... "Wells Fargo" :D

cheers
0x4a61636f62

Nullcon HackIM 2014 :: Programming 1

For this particular challenge, we were given with the following clues.

One evening Holmes visits Watson looking thinner and paler than usual and with the knuckles of one hand burst and bleeding. Holmes asks Watson if he has ever heard of Professor Moriarty and Watson replies that he has not. Holmes explains that Professor Moriarty is the central organizational force of a large portion of criminal activity in the city of London. Holmes also describes Moriarty as his intellectual equal and the Napoleon of Crime.

To find out the extent of Moriaty’s criminal network, Holmes decided the break the encrypted communication happening in Moriaty’s criminal network. To make the communication secure and at the same time easy, Moriaty devised an algorithm to generate passwords (consisting only lowercase alphabets) that are easy to remember.

Holmes has got access to one of the communication, Holmes challenge is to gather passwords as many as possible.

Holmes requires you help!!!

Connect to 23.23.190.204:2002

Based on the clues, i guess we are supposed to write a Client application to connect to the server, 23.23.190.204:2002, and passed in the correct parameters.
After playing around with the server, we need to send in 20 words that are commonly used in SPAM mails.
Thus, i developed this simple script.
https://gist.github.com/anonymous/8661737

Using the Python script, we will eventually get the flag.

The flag is "f94b50f9972398811e7d76928d2e87d4"

cheers
0x4a61636f62

Nullcon HackIM 2014 :: Trivia 1-5

Trivia 1 :
This esoteric programming language uses AWSUM THX and O NOES as error handling.
Searching for "AWSUM THX" and the top entry is en.wikipedia.org/wiki/LOLCODE
So the answer is "LOLCODE"

Trivia 2 :
What software is used to hack into ENCOM's computer system?
If you had watched the movie "Tron", you might remember names like MCP but the actual software used to hack into ENCOM is "CLU"
http://tron.wikia.com/wiki/Clu

Trivia 3 :
Outcome of Stealth Project to make coffee.
"Java" :D

Trivia 4 :
Successor of the DEAD persistent object format
DEAD persistent object format basically refers to Java Class file. It has been eventually replaced by RMI. :D

Trivia 5 :
Oheebhtuf O6700 "havavgvnyvmrq" zrzbel (48-ovg)
If you do a quick google for "havavgvnyvmrq", the top hit might be http://easyciphers.com/uninitialized
Looking at the page, you will realised it's a Caesar Cipher shift or simply ROT13.
You will get "Burroughs B6700 "uninitialized" memory (48-bit)"

Using the new found clues, "Burroughs B6700 "uninitialized" memory (48-bit)"
You will find the following page.
http://www.retrocomputingtasmania.com/home/projects/burroughs-b6700-mainframe/tidbits
The "uninitialised" memory is actually "0xBADBADBADBAD" which is the answer. :D

Have Phun
0x4a61636f62

Sunday, January 19, 2014

Ghost in the Shellcode 2014 :: Pwn Adventure 2 :: Boaring Music (50 points)

For this challenge, a key is required to be obtain from the given file.

The  file (I re-hosted the file on MediaFire) can either be obtain from the website


or from the game folder of pwnadventure2_Data.




The next paragraph explain the steps need to be taken if file is obtain from the website. Skip the next paragraph if its obtain from the game folder.

If the file is obtain from the website, the file extension will need to be identify. The file is identified to be an .xz file using TRid online. Opening the .xz file with 7zip, it contain another file without a file extension. After identifying the file, it is the same .ogg file that can be obtain from the game folder.

The .ogg audio file can be played and analyse using audacity. After listening to the audio file, I notice that there is a constant beeping sound in the music that have resemblance to the beeping of Morse code.

Waveform of a beep:


Waveform of a dash:





The first beep starts around 18.10s .

After listening to the entire audio file, the Morse code is obtained:

.- ... - .- .-. .. ... -... --- .- .-. -.

Converting the Morse code...

ASTARISBOARN 

entering the key and 50 points =D

whit3sn0w^_^