Friday, February 25, 2011

Nullcon HackIM 2011 CTF Writeup - Levels 5-12

Level 5


Beautiful wave file; it made us go mad hearing it again and again with its dial tones. After almost a whole day of tinkering with the wav file we finally decided to check whether it was Morse code, still no luck. Attempted to convert this wav into meaningful formats or decimals and tried DTMF. Yes, we were able to get a beautiful long sequence of binary numbers. Tried converting between those decimals and binary and got stuck at 69.163.136.179. Hmmmm, it looked so familiar, yet the scorer was not accepting it as the answer. Reaching the IP address through a browser gives a typical HTTP error about a mis-configured server. Hmmm, sooo sad. One last hint was to try to resolve this IP, and it was nullcon.net. How simple it seemed, yet it was a tough nut to crack during the CTF. Tried entering nullcon.net in the Answer field ... yes, finally we made it :)


Hint : Everything isn't always the way it seems to be | Listen it, use your imagination you can't imagine anything else being a hacker
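The decoding path described above, as an added example that is not part of the original write-up: a Goertzel-filter DTMF decoder run over a constructed 8 kHz signal, with the recovered symbols regrouped into an IP address. The challenge wav is not available here, so the input is synthesised from the write-up's own answer, and it assumes each tone encodes one bit ('0' or '1'), which is how the write-up describes getting "binary numbers" out of the dial tones.

```python
import math

FS, N = 8000, 800                       # 8 kHz sample rate, 100 ms frames
LOW = (697, 770, 852, 941)              # DTMF row frequencies
HIGH = (1209, 1336, 1477, 1633)         # DTMF column frequencies
KEYS = ("123A", "456B", "789C", "*0#D")

def dtmf_of(digit):
    """Row/column tone pair for a keypad symbol."""
    r = next(i for i, row in enumerate(KEYS) if digit in row)
    return LOW[r], HIGH[KEYS[r].index(digit)]

def synth(digits):
    """Constructed input: 100 ms of dual tone then 100 ms of silence per symbol."""
    out = []
    for d in digits:
        lo, hi = dtmf_of(d)
        out += [0.5 * math.sin(2 * math.pi * lo * n / FS)
                + 0.5 * math.sin(2 * math.pi * hi * n / FS) for n in range(N)]
        out += [0.0] * N
    return out

def goertzel(frame, freq):
    """Power in the DFT bin nearest freq, computed without a full FFT."""
    k = round(len(frame) * freq / FS)
    coeff = 2 * math.cos(2 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode(samples):
    """Walk the signal frame by frame, skip silence, pick the loudest row and column tone."""
    digits = []
    for i in range(0, len(samples) - N + 1, N):
        frame = samples[i:i + N]
        if sum(x * x for x in frame) / N < 1e-3:   # silence gap between tones
            continue
        row = max(range(4), key=lambda r: goertzel(frame, LOW[r]))
        col = max(range(4), key=lambda c: goertzel(frame, HIGH[c]))
        digits.append(KEYS[row][col])
    return "".join(digits)

def bits_to_ip(bits):
    """Group the recovered 0/1 symbols into octets and render them dotted-quad style."""
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, len(bits), 8))

# Constructed sample: the answer IP from the write-up, encoded as 32 DTMF '0'/'1' tones
IP_BITS = "".join(format(int(o), "08b") for o in "69.163.136.179".split("."))
```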

Level 6

Level says simple and nonsense. Tried the strings command as shown below:

root@deva-desktop:/home/deva# strings  helllo_world.exe  |less

abracadabra:Jai Ho Mark stands out pretty much from the rest of the strings found. Yes, level 6 was cleared with Jai Ho. It reminds me that sometimes hackers are also so lazy, similar to the DefCon prequals ;P


Level 7

Big Brother is Watching You: 


The provided attachment contained a Windows event log. Tried opening it with the classic Windows Event Viewer, got an error and aborted.


Tried a simple utility and yes, we were able to view the complete list of events. As the input field was waiting for the name of the faulting application, simple filters on the events brought me straight to the line given below, showing us the answer for this level :)

Level 8 


The provided raw dump made us go crazier. Nothing was found. No hints available, still burning the midnight oil, we were able to identify 4-5 packets showing a different AuthData and AuthType in Wireshark.


After analysing the values, it was found that 55 packets in this capture were OSPF, with OSPF Hello packets the most common. Packet 128 showed the AuthType as simple password and AuthData as prince. Surely this prince was a sign of trouble and a hint, so we analysed the other values:


The next packets showed the AuthType as Cryptographic, and by then the second clue had been released, leading us straight to the Cisco implementation, which derives the cryptographic sequence number from the device's date/time. A simple conversion of hex to decimal gave us 0x2b915353 --> 730944339. An epoch conversion of 730944339 gave us 01 Mar 1993.


Finally we hit the target with that value and yes.. we were allowed into level 9.
I certainly agree with everyone who played this CTF: this was the level which took most of our time, in a good way :p
Hint 1 : And I will Reply great vengeance upon them with furious Attack; and they shall know that I am the lorD, when I shall lay my vengeance upon three. Ezekiel 23:28 

Hint 2 : RFC 2328 Section D.3 Cisco Implementation
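The two authentication fields the write-up keys on, as an added example that is not from the original post: a parser for the AuType/Authentication part of the OSPFv2 header (RFC 2328 A.3.1 and D.3) that reads a cryptographic sequence number as a time-of-day, the way the write-up does for 0x2b915353. The two packets are constructed samples (router ID, area and checksum are placeholders); only the password "prince" and the sequence number come from the page.

```python
import struct
from datetime import datetime, timezone

AUTYPE = {0: "null", 1: "simple password", 2: "cryptographic"}

def parse_ospf_auth(pkt):
    """Describe the AuType/Authentication fields of a 24-byte OSPFv2 header."""
    if len(pkt) < 24:
        raise ValueError("OSPFv2 header is 24 bytes")
    version, ptype, length, router_id, area_id, checksum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    auth = pkt[16:24]
    info = {"version": version, "type": ptype, "autype": AUTYPE.get(autype, autype)}
    if autype == 1:
        # 8-byte password sent in clear text: whoever holds the capture holds the password
        info["password"] = auth.rstrip(b"\x00").decode("ascii", "replace")
    elif autype == 2:
        # 0x0000, Key ID, Auth Data Length, Cryptographic Sequence Number (RFC 2328 D.3)
        _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
        info.update(key_id=key_id, auth_data_len=auth_len, crypto_seq=seq)
        # Cisco seeds the sequence number from the device clock, so it reads as an epoch time
        info["seq_as_time"] = datetime.fromtimestamp(seq, timezone.utc)
    return info

def build_header(autype, auth8, router_id=0x0A000001):
    """Constructed OSPFv2 Hello header: version 2, type 1, length 44, area 0, checksum 0."""
    return struct.pack("!BBHIIHH", 2, 1, 44, router_id, 0, 0, autype) + auth8

SIMPLE_PKT = build_header(1, b"prince".ljust(8, b"\x00"))
CRYPTO_PKT = build_header(2, struct.pack("!HBBI", 0, 1, 16, 0x2B915353))

def answer_date(pkt):
    """The Level 8 answer as the write-up derived it: the sequence number's calendar date."""
    return parse_ospf_auth(pkt)["seq_as_time"].strftime("%d %b %Y")

if __name__ == "__main__":
    print(parse_ospf_auth(SIMPLE_PKT))
    print(parse_ospf_auth(CRYPTO_PKT))
    print(answer_date(CRYPTO_PKT))
```

Neither mode hides anything from a passive observer: simple password puts the shared secret on the wire, and cryptographic mode only authenticates, so the sequence number (and with it the router's clock) is readable by anyone with the capture.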

Level 9
Web asura web asura who is the worst asura of all !

Started trying default passwords and it promptly said You are not an administrator. That made us realise it was expecting only Administrator, so we tried sending Administrator/password, still no luck. Trying Administrator with a blank password and blind SQL attacks proved futile.

Leechers will be banned, seeders welcome also made us think it might have to do with something other than POST/GET. So we tried sending the password value as blank again through the Firefox add-on TamperData, which drove us straight to another screen identifying the attack. No luck again, so we searched the source code once more and oh yes, there was a hidden clue: a base64-encoded text.


With much relief we extracted the value and passed it to a base64 decoder, which spat out the image attached herewith, containing the password for this level:

1337'5BringRevolution

Hint :  Leechers will be banned. Seeders welcome | Bhavnao ko samjho sabdo mey kya rakha hai... | Developers are bound to make mistake that why hackers exist...


Level 10: 

root@deva-desktop:/home/deva# unrar x windump.rar

UNRAR 3.93 freeware      Copyright (c) 1993-2010 Alexander Roshal
Extracting from windump.rar
Extracting  nullconnew.dmp                                            OK
All OK

wget https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.tar.gz

root@deva-desktop:/home/deva/vol# python volatility hivelist -f  ../nullconnew.dmp -o 0x1609ad0
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Address      Name
0xe1696008   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1672358   \Documents and Settings\Administrator\ntuser.dat
0xe1cd46b8   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cd4b60   \Documents and Settings\LocalService\NTUSER.DAT
0xe1cbb7b0   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1cb5008   \Documents and Settings\NetworkService\NTUSER.DAT
0xe15e2b60   \WINDOWS\system32\config\software
0xe15eb758   \WINDOWS\system32\config\default
0xe15d9a58   \WINDOWS\system32\config\SECURITY
0xe1607b60   \WINDOWS\system32\config\SAM
0xe13de530   [no name]
0xe101b008   \WINDOWS\system32\config\system
0xe1008ad0   [no name]

root@deva-desktop:/home/deva/vol#  python volatility hashdump -f  ../nullconnew.dmp  -y 0xe101b008 -s 0xe1607b60
/home/deva/vol/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead  import sha
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9ecf4ed3de9812827ced31010372159b:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::


A simple crack on the lovely Ophcrack with a small dictionary gave us the username and password for two accounts to clear this level.

Hint : Open the doors of the Windows, & take a trip down the memory lane
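Before reaching for Ophcrack, the hashdump itself already tells you which accounts need no cracking at all. As an added example that is not from the original post, this parses the hashdump output quoted above (pwdump format) and flags blank passwords and stored LM hashes; the two marker values are the well-known LM and NT hashes of an empty password.

```python
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also stored when LM is disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# The Volatility hashdump output from the write-up
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:aad3b435b51404eeaad3b435b51404ee:06bc4bdaefab2b3c5909250e53f04428:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9ecf4ed3de9812827ced31010372159b:::
prince:1004:f0ddd2c68d6f684e7bb1d8438f805b5c:426a040f2c48e605a005a3e304afe1ac:::
"""

def parse_pwdump(text):
    """Parse user:rid:lmhash:nthash::: lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows

def triage(rows):
    """Return {user: [findings]} for what matters before any cracking is attempted."""
    findings = {}
    for r in rows:
        flags = []
        if r["nt"] == EMPTY_NT:
            flags.append("blank password")
        if r["lm"] != EMPTY_LM:
            # LM upper-cases the password and splits it into two 7-byte DES halves: cracks fast
            flags.append("LM hash present")
        if r["rid"] == 500:
            flags.append("built-in Administrator")
        findings[r["user"]] = flags
    return findings

def accounts_of_interest(text):
    """Users with at least one finding, sorted for stable output."""
    return sorted(u for u, f in triage(parse_pwdump(text)).items() if f)
```

On this dump, Administrator and Guest log in with an empty password straight away, so prince is the only account that actually needs a dictionary run, and its LM hash is what makes that run quick.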

Level 11 :

Solution : copyingallorpartsofaprogramisasnaturaltoaprogrammerasbreathingandasproductiveitoughttobeasfree


Hint : After stumbling upon love ... don't stop there my dear, there is still lots to be done | Don't just accelerate your mind's meter my dear, peep into my heart, for you'll see, safely concealed in it, is a golden key, but if u're at loss bumblebee, take some free help openly from Linus's pet Geeko Mascot Lizard | If geeko don't help ask from his good brother CAMOU.....

Level 12:


$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@kc!@ctqd@cq*h@cqhqa&grc$qiuqci&g@wc^*c$t&qc$&h@cq#*^gwc$tq$c!&iicq^#@i%cstqgr@c%*^#c(@#q(@s$&d@c*ecq@s^#&$%cugc$t@ce^$^#@kc!@c$tqguc$t@cs*hh^g&$%ce*#cq^((*#$&grc^qjc&$c&qc%*^#cq^((*#$c$tq$c!@ctqd@cr#*!gcqgwcq#@cqfi@c$*cq@#d@c$t@cs*hh^g$%c&gcqcf@$$@#c!q%keiqroc%*^cq#@c*^#ct@#*


Lovely text, isn't it ;). This is the content provided in the final round.

The hint was released around 10:00 PM on IRC and madness scrambled upon. As we had already lost more than 4-5 days of rest, I hit the bed and went off to rest. Woke up at around 4 am and the scoreboard showed Anant had already succeeded. Still not losing hope, I started working on the problem keeping the hint in mind:
!=w @=e w=d. It was a simple substitution cipher, and we finally got the answer to clear this level.


the open security community registered non profit society is back with nullcon nullcon goa dwitiya international hacking conference.we have some smashing talks lined up this time around that will surely change your perspective of security in the future.we thank the community for supporting us,it is your $tq$ we have grown and are able to serve the community in better way;you are our hero 


Hint: Queen of Witches EnteRed mY hearT, but I did the right thing and let down the f/tart
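The substitution step above, as an added example that is not from the original post: the table is recovered from the page's own ciphertext (its first sentence is embedded below) seeded with the IRC hint and a crib taken from the start of the decoded message, then applied. The only assumption is that the cipher is a per-character substitution; the space character's cipher symbol is learned from the crib rather than assumed.

```python
# First sentence of the Level 12 challenge text, as quoted on the page
CIPHERTEXT = ("$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsu"
              "c!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@k")
HINT = {"!": "w", "@": "e", "w": "d"}     # the IRC hint, cipher symbol -> plaintext
CRIB = "the open security community registered non profit society is back with nullcon"

def derive_key(ct, crib, seed=None):
    """Map each cipher symbol to the set of plaintext characters it was seen standing for."""
    key = {c: {p} for c, p in (seed or {}).items()}
    for c, p in zip(ct, crib):            # the crib is aligned with the start of ct
        key.setdefault(c, set()).add(p)
    return key

def ambiguous(key):
    """Cipher symbols that stand for more than one plaintext character."""
    return {c: p for c, p in key.items() if len(p) > 1}

def decrypt(ct, key):
    """Decode; unknown symbols become '?', ambiguous ones list their candidates in brackets."""
    out = []
    for c in ct:
        cands = sorted(key.get(c, ()))
        if len(cands) == 1:
            out.append(cands[0])
        else:
            out.append("[" + "".join(cands) + "]" if cands else "?")
    return "".join(out)

KEY = derive_key(CIPHERTEXT, CRIB, HINT)

if __name__ == "__main__":
    print(ambiguous(KEY))
    print(decrypt(CIPHERTEXT, KEY))
```

With this crib the symbol q turns up for both a and s, so a fragment like $tq$ can only be settled from context, not from the table alone.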

2 comments:

Anant said...

Good post buddy.... Very good writeup...

Would like to meet up sometime

Devanand said...

@Ananth , Thanks :)