Hi all! Last February I participated in the Security BSides Challenges, here:
Yesterday @AlecRWaters contacted me to confirm that we got second position in both challenges. That earned a ticket to this infosec conference.
"Hi , I’m delighted to announce that you’ve won second prize in both Challenge 1 and Challenge 2! The prize for both is a BSides ticket"
Mission 1: The Bot Hunter – by Gareth Owen, University of Portsmouth
… and the automated 'ugly-solver' :)
#!/usr/bin/python
# Python 2 script (print statements, str sockets)
from math import *
import sys
import struct
import socket
import string
import time

#challenge
channel='#malfor-russia'
channel_key = 'bubblegum'
nickname = sys.argv[1]
key = 'iamborg'
password=''

#bot irc
HOST="irc.swepipe.se"
PORT=6667
IDENT='tunelko'
REALNAME='Dummy'

# Limit size of nickname due key len. Only 7 chars, enough.
if (len(nickname)<7):
    print 'Error: Nickname must be greater than %i chars' %(len(nickname))
    exit(0)
if (len(nickname)>7):
    print 'Error: Nickname must be lower than %i chars'%(len(nickname))
    exit(0)

# Password char at position i is ((key[i] + nickname[i]) % 26) + 'A'.
# Each branch below picks the key character that belongs to that position.
for posx, nickchar in enumerate(nickname):
    n = ord(nickchar)
    #print 'We need pos #',posx, nickchar
    for posy, keychar in enumerate(key):
        k = ord(keychar)
        x = ((k+n) % 26) + 0x41
        if(posx==0):
            if(keychar=='i'):
                password +=chr(x)
        elif(posx==1):
            if(keychar=='a'):
                password +=chr(x)
        elif(posx==2):
            if(keychar=='m'):
                password +=chr(x)
        elif(posx==3):
            if(keychar=='b'):
                password +=chr(x)
        elif(posx==4):
            if(keychar=='o'):
                password +=chr(x)
        elif(posx==5):
            if(keychar=='r'):
                password +=chr(x)
        elif(posx==6):
            if(keychar=='g'):
                password +=chr(x)
        else:
            print ''

print 'Connecting ... SHUTDOWN' , password
message = 'SHUTDOWN '
message += password

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.send("NICK %s\r\n" % nickname)
s.send("USER %s %s Imborg for the real work:%s\r\n" % (IDENT, HOST, REALNAME))

while 1:
    buff=s.recv(1024)
    print buff
    # Answer the server PING, then join the channel, send the command and leave
    if buff.find('PING') != -1:
        s.send('PONG ' + buff.split()[1] + '\r\n')
        s.send("JOIN %s %s \r\n" % (channel, channel_key))
        s.send("PRIVMSG %s :%s \r\n" % (channel,message))
        s.send ("PART %s\r\n" %(channel))
        #s.send('QUIT bye\r\n')
Mission 2: Cipher-Decipher-Recipher by Anthony Cox, KPMG
== Mission 2
== https://www.securitybsides.org.uk/challenge2.html
1. 1stage.pdf
Open the file with Adobe Illustrator and reveal the hidden text with any technique, for example by applying effects. See attached image.
Flag 1: KPMG
2. 2bsides.exe
This binary listens on port 2222 when running and asks us for a password.
$ /home/tunelko/SECBsides_Missions# wine32 2bsides.exe
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
$ /home/tunelko/SECBsides_Missions# netstat -putan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 9628/wineserver
...
It is really easy to run strings and find the unobfuscated flag:
$ /home/tunelko/SECBsides_Missions# strings 2bsides.exe |grep flag
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Welcome BSider. Today's flag is: befd188c4e4002048a9534a82d38c5ea
Another way to get the flag is to run the binary normally and connect to port 2222 with netcat, since the password 'Bsides' appears in plaintext in the strings output:
$ /home/tunelko/SECBsides_Missions# nc localhost 2222
Hello BSider, welcome to your next challenge. Please provider a password: .
> Bsides
Welcome BSider. Today's flag is: befd188c4e4002048a9534a82d38c5ea
3. Cryptic hashword
This time we find the final flag by solving the across & down cryptic hashword with the help of online hash password crackers.
Final 3: NUOFNFFFCEOTPMT
ACROSS
1. 3a52b599a21b2990b28930141016c5a71afa184e3ef94958d882f519e1ddf5f2fa8f9d653eb0dc0de2307087cee6f8f5: sha384('FORTIFIED')
4. 0a7b77e1bff2cdf175f16e6d7ba96ce707ec6d1f: sha1('SECURITY')
5. fd9de800564763ece59368d35b281690: md5('ENCRYPTION')
8. 7f5217333bb19cb9ac50829635cc398601d1e505: sha1('CIPHER')
9. bfd82eb21826f62d7a9bbbd3fd0311e6a273a1d8: sha1('MULTIPLE')
DOWN
1. sha512 ('FALSIFIED')
2. b9e14d9b2886bcff408b85aefa780419: md5('FAILED')
3. 5de71b2143c86cd2e0c801830ed729e7ef2f8f478b454d7d3e9dd5a86a92b255: sha256('TESTING')
6. 782bf2d07aad4de9deeee61424ecb71581f2a44b183420e8b01fe5c8: sha224('PERMUTATE')
7. 05e5aaf0f4c97d227a5653c3187747ea93e31d7e: sha1('ORIGINAL')
10. 7e0dea93ce606f7b88f6af965d37e83a: md5('ENTROPY')
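The clues above are unsalted digests of single dictionary words, which is why lookup services reverse them instantly. As an added example (Python 3, not part of the original write-up), the same check can be done offline: infer the algorithm from the digest length and test candidate words. The wordlist is constructed for illustration and the function names are hypothetical.

```python
import hashlib

# Hex digest length -> algorithm, limited to the families named in the write-up.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 56: "sha224",
                  64: "sha256", 96: "sha384", 128: "sha512"}

def guess_algorithm(digest_hex):
    """Return the hashlib name implied by the digest length, or None."""
    digest_hex = digest_hex.strip().lower()
    try:
        bytes.fromhex(digest_hex)          # reject anything that is not hex
    except ValueError:
        return None
    return ALGO_BY_HEXLEN.get(len(digest_hex))

def solve_clue(digest_hex, wordlist):
    """Return (algorithm, word) for the first candidate whose digest matches."""
    algo = guess_algorithm(digest_hex)
    if algo is None:
        return None
    target = digest_hex.strip().lower()
    for word in wordlist:
        # The clue does not say which case was hashed, so try the common ones.
        for candidate in dict.fromkeys((word, word.upper(), word.lower())):
            if hashlib.new(algo, candidate.encode()).hexdigest() == target:
                return algo, candidate
    return None

# Constructed wordlist: decoys plus the answers the write-up gives for these clues.
WORDLIST = ["password", "giraffe", "cipher", "entropy", "security", "failed"]

# Digests copied from the ACROSS/DOWN lists above.
CLUES = {
    "4 across": "0a7b77e1bff2cdf175f16e6d7ba96ce707ec6d1f",
    "8 across": "7f5217333bb19cb9ac50829635cc398601d1e505",
    "2 down": "b9e14d9b2886bcff408b85aefa780419",
    "10 down": "7e0dea93ce606f7b88f6af965d37e83a",
}

def solve_all(clues, wordlist):
    return {name: solve_clue(h, wordlist) for name, h in clues.items()}

if __name__ == "__main__":
    for name, result in solve_all(CLUES, WORDLIST).items():
        print(name, "->", result if result else "no match in wordlist")
```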
4. 4giraffe.jpg
Found text in comment section:
$ ~/SECBsides# file 4giraffe.jpg
4giraffe.jpg: JPEG image data, JFIF standard 1.01, comment: "It is a little known fact that giraffes are extremely camera/s\251"
;It is a little known fact that giraffes are extremely camera/shy. The famous game keeper John Hiderman spent years observing their behaviour and after years of evolution they have developed a number of interesting camouflage techniques. This specimen is called Gemma - John thinks she is the key to the mystery!
So the key to unhide the flag is "Gemma". Let's find out which stego application was used to hide it.
$ stegdetect 4giraffe.jpg
camouflage(960)<[nonrandom][data][................]>
It seems the old Camouflage application was used to hide files. Let's extract:
$ .wine/dosdevices/c:/Program Files/Camouflage# cat flag4.txt
Congratulations on finding the flag for this stage, told you Gemma was the key!
Flag 4: GLNIGILTHNWEAAI
5. 5testcard.png
First, zsteg -a gives no positive results.
$~/SECBsides# zsteg -a 5testcard.png
b2,b,lsb,yx,prime .. text: "}UUAUUUUUUj"
b4,r,lsb,yx,prime .. text: "#3ffffff`"
b8,r,lsb,yx,prime .. text: ",+-024RY_i"
b8,g,lsb,yx,prime .. text: "}ukgfc^XVTQHBB>><"
b8,b,lsb,yx,prime .. text: "}}}}}}}}}}}}}}}}~~~~~~~~~~~$ %,6=AHRVafw}"
b8,b,msb,yx,prime .. text: "~~~~~~~~~~~$"
b2,g,msb,YX,prime .. text: "}/mWUEUUUU"
b2,g,msb,yX,prime .. text: "\tUUEUUUEp"
b2,r,msb,Yx,prime .. text: "8FUUAUUu"
b2,b,lsb,Yx,prime .. text: "UUUUUUAUUU"
b8,r,lsb,Yx,prime .. text: "~~}}||||||{{{{{{{{{&"
b8,g,lsb,Yx,prime .. text: "^__cddqrux~"
b8,g,msb,Yx,prime .. text: "Q1qq\tI))"
b8,b,lsb,Yx,prime .. text: "|n\\WUQIA<:5)#\" "
Using Stegsolve.jar to extract data from bit planes r,b,g,a we found:
@attached images
Flag 5: RASNTNAHAGWININ
More information:
