
Wednesday, June 12, 2013

Randy - 200 - bkpCTF 2013

This was a very interesting challenge. To start, we downloaded and ran the executable on my Ubuntu VM.

After running the executable we assumed that the challenge was to find the password that would output a ": )". The next step was to inspect the program in IdaPro and see if our assumptions were true. Some findings from examining the executable in IdaPro included:
The program starts up, prints “Password” to the screen, then waits for user input. Once the user has entered the password, the first check the executable does is to verify that the password is 28 characters long.

Then the executable makes a second call to _strlen once again to verify that the length of the password is 28 characters long.


The program then calls the keygen function and falls into the call to the wrong function if keygen returns zero, or the call to the valid function if keygen returns one. So the function that needs to be reversed is keygen.


After some inspection and remote debugging we were able to figure out some important information about the keygen function. The keygen function works as follows:

  1. Pull eight bytes from the user input and store the result in RAX
  2. Use the bottom four bytes of RAX as input to _srandom
  3. Call the _random function, and compare the return value to a number
  4. Increment r12 to grab the next four bytes of the user input

This entire algorithm is repeated a total of seven times. The first seven numbers that are compared after each reseeding of the random function were:

1. 0x7358837a
2. 0x34d8c3b5
3. 0x1f49456c
4. 0x1fea6614
5. 0x4e81abc7
6. 0x683d3f5d
7. 0x28c9a8fe

Therefore, to find the key all we need to do is write a program that generates every possible four-character printable ASCII string, uses each one as the input to srandom, calls random, and compares the result against each of the seven numbers above to find a match. A match tells us which four characters were used as the seed at that point in the program. Once all seven seeds are found we should have the flag :). The solution program that we used is as follows:


Link to solution code: https://github.com/IAryan/CTFSolutions/blob/master/randySolution.c



The output of the brute-force program reveals the flag: n0t s0 r4nd0m0 4ft3r a11!!!!
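The search the write-up describes, as an added example that is not the author's randySolution.c: it walks every printable four-byte seed once and checks each random() value against all seven targets in a single pass, so the whole 28-character password falls out of one sweep instead of seven. It assumes glibc's srandom()/random() (the binary was run on Ubuntu) and that the four input bytes form a little-endian 32-bit seed, as the bottom four bytes of RAX would on x86-64.

```c
/* Added example, not the author's randySolution.c: brute-force the seven
 * srandom() seeds. Assumes glibc srandom()/random() (the author's Ubuntu VM)
 * and that keygen reads the four password bytes as a little-endian 32-bit
 * seed, so byte 0 is least significant. 95^4 candidates per seed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* The seven random() values keygen compares against, in check order. */
static const uint32_t RANDY_TARGETS[7] = { 0x7358837a, 0x34d8c3b5, 0x1f49456c,
    0x1fea6614, 0x4e81abc7, 0x683d3f5d, 0x28c9a8fe };

/* The value keygen compares: reseed with the four bytes, draw one random(). */
static uint32_t keygen_value(const char *c) {
    uint32_t seed = (uint32_t)(unsigned char)c[0] | (uint32_t)(unsigned char)c[1] << 8 |
                    (uint32_t)(unsigned char)c[2] << 16 | (uint32_t)(unsigned char)c[3] << 24;
    srandom(seed);
    return (uint32_t)random();
}

/* Walk every seed whose four bytes are printable ASCII (0x20..0x7e) and match
 * its keygen_value() against all targets in a single pass. out[i] gets the
 * NUL-terminated four characters for targets[i] (empty if unmatched); returns
 * the number matched and stops as soon as all of them are found. */
static int solve_seeds(const uint32_t *targets, int n, char out[][5]) {
    int found = 0;
    for (int i = 0; i < n; i++) out[i][0] = '\0';
    for (int b0 = 0x20; b0 <= 0x7e; b0++)
    for (int b1 = 0x20; b1 <= 0x7e; b1++)
    for (int b2 = 0x20; b2 <= 0x7e; b2++)
    for (int b3 = 0x20; b3 <= 0x7e; b3++) {
        char c[4] = { (char)b0, (char)b1, (char)b2, (char)b3 };
        uint32_t r = keygen_value(c);
        for (int i = 0; i < n; i++) {
            if (r != targets[i] || out[i][0] != '\0') continue;
            memcpy(out[i], c, 4);
            out[i][4] = '\0';
            if (++found == n) return found;
        }
    }
    return found;
}
int main(void) {
    char chars[7][5], flag[29] = { 0 };
    int n = solve_seeds(RANDY_TARGETS, 7, chars);
    for (int i = 0; i < 7; i++)  /* unmatched slots print as "????" */
        memcpy(flag + 4 * i, chars[i][0] ? chars[i] : "????", 4);
    printf("%d/7 seeds recovered, flag: %s\n", n, flag);
    return n == 7 ? 0 : 1;
}
```

The full sweep is about 81 million reseedings, a minute or so on a laptop, which is the whole point: a check that seeds the PRNG with four password bytes has at most 95^4 distinct states, so it is a 26-bit secret regardless of what random() does afterwards.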

Solution write-up by Ryan

Monday, June 10, 2013

Wolfram Beta - Misc 100 BkP 2013

This challenge had us connect to a server running a "Wolfram Beta" calculator.

The calculator asked the user for a number, then an operator, and another number.  It would then calculate the solution:


Wolfram Beta - BkP CTF 2013 Team
Wolfram Beta is a great calculator.
just put in a number at the prompt
then put in the operator
then finally the second number
and the calculation will be done INSTANTLY
no accounts necessacary, unlike some of our competition!
first num: 1
operator: +
second num: 1
Thinking...
......
Done Thinking!
2

We immediately assumed that the operator field was the vulnerable one. After several attempts, we found a way to inject code:


operator: +1; [code]; 1+

Since the server would kindly display program errors to us, we knew it was a C# program. After learning some C# code, we figured out how to read an entire file and print it out to the console.



key is:  at_least_its_not_a_python_jail

Mystery-100 BostonKeyParty 2013

This was your typical trivia recon challenge (what's a CTF without some movie references?). You just had to either Google keywords from the pictures or know generally about the movie.

Begin challenge --
My favorite movies!

=========================

http://imgur.com/vaEMaRU

third word, fourth letter (The Social Network)

=========================

$ bin/LLLSDLLaserControl -ok 1

second word, fourth letter (Tron Legacy)

=========================

Discovered open port 22/tcp on 205.217.153.53
Discovered open port 22/tcp on 205.217.153.62
Discovered open port 22/tcp on 205.217.153.53
Discovered open port 22/tcp on 205.217.153.62
Discovered open port 22/tcp on 205.217.153.53
Discovered open port 22/tcp on 205.217.153.62
Complete SYN Stealth Scan against 205.217.153.53 in 25.94s (1 host left)
Complete SYN Stealth Scan at 13:30, 25.94s elapsed (3380 total ports)

second word, second letter (Live Free or Die Hard)

=========================

mysql> use Police06_Varmland

second word, first letter (The Girl with the Dragon Tattoo)

=========================

MPW
---
h := NewHandle(GetHandleSize(params[1]));
IF h = NIL THEN EXIT(EntryPoint);
p := params[1]^;
q := h^;

first word, fourth letter

=========================

http://goo.gl/SMWCl

first word, first letter

=========================

http://imgur.com/qEmNke2

first word, third letter

=========================

http://imgur.com/wCtboQv

first word, seventh letter (Hackers)

We didn't seem to find letters 5, 6, 7, but we had enough to spell wargXXXs so we just guessed the first thing we thought of, which of course was wargames. Thus, 100 points.

key={wargames}