
Mission 1 & Mission 2 Write-Ups – Security-BSides London

Hi all! Last February I participated in the Security BSides Challenges, here:

Yesterday @AlecRWaters contacted me to confirm that we got second position in both challenges, so I got a ticket to this infosec conference.

"Hi ,
I’m delighted to announce that you’ve won second prize in both Challenge 1 and Challenge 2! The prize for both is a BSides ticket"

Mission 1: The Bot Hunter – by Gareth Owen, University of Portsmouth

… And the automated ‘ugly-solver’ :)

#!/usr/bin/env python3
# Derives the SHUTDOWN password from the bot nickname and sends it over IRC.

import socket
import sys

# challenge
channel = '#malfor-russia'
channel_key = 'bubblegum'
nickname = sys.argv[1]
key = 'iamborg'
password = ''

# bot irc
HOST = "irc.swepipe.se"
PORT = 6667
IDENT = 'tunelko'
REALNAME = 'Dummy'

# The nickname must be as long as the key (7 chars): each password
# character is built from one nickname character and one key character.
if len(nickname) != len(key):
    print('Error: Nickname must be exactly %i chars' % len(key))
    sys.exit(1)

# Pair nickname[i] with key[i] and map the sum onto 'A'..'Z'.
for nickchar, keychar in zip(nickname, key):
    n = ord(nickchar)
    k = ord(keychar)
    password += chr(((k + n) % 26) + 0x41)

print('Connecting ... SHUTDOWN', password)
message = 'SHUTDOWN '
message += password

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
# Sockets take bytes in Python 3, so every line is encoded before sending.
s.send(("NICK %s\r\n" % nickname).encode())
s.send(("USER %s %s Imborg for the real work:%s\r\n" % (IDENT, HOST, REALNAME)).encode())

while True:
    buff = s.recv(1024).decode(errors='replace')
    if not buff:  # server closed the connection
        break

    print(buff)

    # Answer server keep-alives.
    if 'PING' in buff:
        s.send(('PONG ' + buff.split()[1] + '\r\n').encode())

    # Ugly but effective: join, send and part after every server message.
    s.send(("JOIN %s %s \r\n" % (channel, channel_key)).encode())
    s.send(("PRIVMSG %s :%s \r\n" % (channel, message)).encode())
    s.send(("PART %s\r\n" % channel).encode())
    # s.send(b'QUIT bye\r\n')

 

Mission 2: Cipher-Decipher-Recipher by Anthony Cox, KPMG

== Mission 2 
== https://www.securitybsides.org.uk/challenge2.html 

1. 1stage.pdf 

Open the file with Adobe Illustrator and reveal the hidden text with any technique, for example by applying effects. See attached image. 
Flag 1: KPMG 

2. 2bsides.exe 

When running, this binary listens on port 2222 and asks us for a password. 

$ /home/tunelko/SECBsides_Missions# wine32 2bsides.exe 
fixme:heap:HeapSetInformation (nil) 1 (nil) 0

$ /home/tunelko/SECBsides_Missions# netstat -putan 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      9628/wineserver 
... 

It is really easy to run strings and find the unobfuscated flag: 

$ home/tunelko/SECBsides_Missions# strings 2bsides.exe |grep flag
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Welcome BSider.    Today's flag is: befd188c4e4002048a9534a82d38c5ea 

Another way to get the flag is to run the binary normally and connect to port 2222 with netcat, since the password 'Bsides' is found in plaintext in the strings output: 

$ /home/tunelko/SECBsides_Missions# nc localhost 2222 
Hello BSider, welcome to your next challenge.  Please provider a password: .
> Bsides
Welcome BSider.    Today's flag is: befd188c4e4002048a9534a82d38c5ea   

3. Cryptic hashword 

This time we find the final flag by solving the across & down cryptic hashword with the help of online hash password crackers. 
Final 3: NUOFNFFFCEOTPMT 

ACROSS 

1. 3a52b599a21b2990b28930141016c5a71afa184e3ef94958d882f519e1ddf5f2fa8f9d653eb0dc0de2307087cee6f8f5: sha384('FORTIFIED') 
4. 0a7b77e1bff2cdf175f16e6d7ba96ce707ec6d1f: sha1('SECURITY') 
5. fd9de800564763ece59368d35b281690: md5('ENCRYPTION') 
8. 7f5217333bb19cb9ac50829635cc398601d1e505: sha1('CIPHER') 
9. bfd82eb21826f62d7a9bbbd3fd0311e6a273a1d8: sha1('MULTIPLE') 

DOWN 

1. sha512 ('FALSIFIED')
2. b9e14d9b2886bcff408b85aefa780419: md5('FAILED') 
3. 5de71b2143c86cd2e0c801830ed729e7ef2f8f478b454d7d3e9dd5a86a92b255: sha256('TESTING') 
6. 782bf2d07aad4de9deeee61424ecb71581f2a44b183420e8b01fe5c8: sha224('PERMUTATE')
7. 05e5aaf0f4c97d227a5653c3187747ea93e31d7e: sha1('ORIGINAL')
10. 7e0dea93ce606f7b88f6af965d37e83a: md5('ENTROPY')
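
The clues mix several hash functions, and the digest length is what tells them apart before a candidate word can be checked. The following is an added example, not part of the original write-up: it maps a hex digest to its candidate algorithm by length and verifies candidate words offline with hashlib. The function names are hypothetical, and the length table assumes only the MD5/SHA-1/SHA-2 families named above.

```python
import hashlib

# Hex-digest length -> algorithm, limited to the families named in the write-up.
# Assumption: other algorithms with the same digest size (e.g. SHA-3) are ignored.
ALGOS_BY_HEXLEN = {32: "md5", 40: "sha1", 56: "sha224",
                   64: "sha256", 96: "sha384", 128: "sha512"}

def guess_algorithm(hex_digest):
    """Return the candidate algorithm for a hex digest, or None."""
    h = hex_digest.strip().lower()
    if any(c not in "0123456789abcdef" for c in h):
        return None
    return ALGOS_BY_HEXLEN.get(len(h))

def verify_clue(hex_digest, candidates):
    """Return (algorithm, word) for the first candidate that hashes to
    hex_digest, or None if no candidate matches."""
    algo = guess_algorithm(hex_digest)
    if algo is None:
        return None
    target = hex_digest.strip().lower()
    for word in candidates:
        if hashlib.new(algo, word.encode("utf-8")).hexdigest() == target:
            return algo, word
    return None

# Clue digests copied from the list above.
CLUES = {
    "1 across": "3a52b599a21b2990b28930141016c5a71afa184e3ef94958d882f519e1ddf5f2fa8f9d653eb0dc0de2307087cee6f8f5",
    "4 across": "0a7b77e1bff2cdf175f16e6d7ba96ce707ec6d1f",
    "5 across": "fd9de800564763ece59368d35b281690",
    "3 down": "5de71b2143c86cd2e0c801830ed729e7ef2f8f478b454d7d3e9dd5a86a92b255",
    "6 down": "782bf2d07aad4de9deeee61424ecb71581f2a44b183420e8b01fe5c8",
}
# Candidate words: the answers reported in the write-up, checked here rather
# than assumed to match.
WORDS = ["FORTIFIED", "SECURITY", "ENCRYPTION", "TESTING", "PERMUTATE"]

if __name__ == "__main__":
    for name, digest in CLUES.items():
        print(name, guess_algorithm(digest), verify_clue(digest, WORDS))
```

Unsalted, single-round digests of dictionary words are what make this lookup instant; the same check fails against salted or slow password hashes.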

4. 4giraffe.jpg 

Found text in comment section:
$ ~/SECBsides# file 4giraffe.jpg 
4giraffe.jpg: JPEG image data, JFIF standard 1.01, comment: "It is a little known fact that giraffes are extremely camera/s\251"

;It is a little known fact that giraffes are extremely camera/shy.  The famous game keeper John Hiderman spent years observing their behaviour and after years of evolution they have developed a number of interesting camouflage techniques.  This specimen is called Gemma - John thinks she is the key to the mystery!

So the key to unhide the flag is "Gemma". Next, let's find out which stego application was used to hide it. 

$ stegdetect 4giraffe.jpg 
camouflage(960)<[nonrandom][data][................]> 

It seems the old Camouflage application was used to hide the files. Let's extract:

$ .wine/dosdevices/c:/Program Files/Camouflage# cat flag4.txt 
Congratulations on finding the flag for this stage, told you Gemma was the key!

Flag 4: GLNIGILTHNWEAAI

5. 5testcard.png 

First, zsteg -a gives no positive results.  

$~/SECBsides# zsteg -a 5testcard.png 
b2,b,lsb,yx,prime   .. text: "}UUAUUUUUUj"
b4,r,lsb,yx,prime   .. text: "#3ffffff`"
b8,r,lsb,yx,prime   .. text: ",+-024RY_i"
b8,g,lsb,yx,prime   .. text: "}ukgfc^XVTQHBB>><"
b8,b,lsb,yx,prime   .. text: "}}}}}}}}}}}}}}}}~~~~~~~~~~~$ %,6=AHRVafw}"
b8,b,msb,yx,prime   .. text: "~~~~~~~~~~~$"
b2,g,msb,YX,prime   .. text: "}/mWUEUUUU"
b2,g,msb,yX,prime   .. text: "\tUUEUUUEp"
b2,r,msb,Yx,prime   .. text: "8FUUAUUu"
b2,b,lsb,Yx,prime   .. text: "UUUUUUAUUU"
b8,r,lsb,Yx,prime   .. text: "~~}}||||||{{{{{{{{{&"
b8,g,lsb,Yx,prime   .. text: "^__cddqrux~"
b8,g,msb,Yx,prime   .. text: "Q1qq\tI))"
b8,b,lsb,Yx,prime   .. text: "|n\\WUQIA<:5)#\" "

Using Stegosolve.jar to extract data from the r, b, g, a bit planes, I found: 
@attached images 

Flag 5: RASNTNAHAGWININ

 
