SECCON 2014

SECCON 2014 took place last weekend and again part of my CTF team was able to participate. For the most part I felt this was a well-run CTF. The biggest issue I noticed was with the web challenges. There were issues with required DLLs and the like that caused a lot of conversation in the IRC channel. I didn't work on any of those challenges so I can't speak to it first hand. But there was a nice mix of challenges, even QR challenges.


Challenges (name, category, points earned / points available):

Welcome to SECCON                          Start        100 / 100
Easy Cipher                                Crypto       100 / 100
Decrypt it (Easy)                          Crypto         0 / 200
Decrypt it (Hard)                          Crypto         0 / 300
Ms.Fortune? Misfortune. : 4096-bit RSA     Crypto         0 / 400
Shuffle                                    Binary       100 / 100
Reverse it                                 Binary         0 / 100
Let's disassemble                          Binary         0 / 200
Advanced RISC Machine                      Exploit        0 / 300
ROP: Impossible                            Exploit        0 / 500
Holy shellcode                             Exploit        0 / 400
Japanese super micro-controller            Exploit        0 / 500
jspuzzle                                   Web            0 / 100
REA-JUU WATCH                              Web          200 / 200
Bleeding "Heartbleed" Test Web             Web            0 / 300
Binary Karuta                              Web            0 / 400
XSS Bonsai (aka. Hakoniwa XSS Reloaded)    Web            0 / 500
QR (Easy)                                  QR             0 / 200
SECCON Wars: The Flag Awakens              QR             0 / 300
BBQR                                       QR             0 / 400
Get the key.txt                            Forensics    100 / 100
Read it                                    Forensics      0 / 300
UnknownFS                                  Forensics      0 / 400
Confused analyte                           Forensics      0 / 500
Choose the number                          Programming  100 / 100
The Golden Gate                            Programming    0 / 400
Get the key                                Network      100 / 100
Get from curious "FTP" server              Network        0 / 300
version2                                   Network        0 / 200


Here are the notes for some of the challenges I solved.

Get the key – 100

The provided PCAP contains an HTTP session that uses Basic authentication, so the credential is sitting in the request header:

GET /nw100/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ja-JP,en-US;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 133.242.224.21:6809
Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=
Connection: Keep-Alive
DNT: 1

HTTP/1.1 200 OK
Date: Sat, 29 Nov 2014 13:10:48 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 450
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /nw100</title>
</head>
<body>
<h1>Index of /nw100</h1>
<table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="key.html">key.html</a></td><td align="right">29-Nov-2014 22:04 </td><td align="right"> 45 </td><td>&nbsp;</td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.2.22 (Debian) Server at 133.242.224.21 Port 6809</address>
</body></html>
Basic auth is only base64 of user:password, not encryption, so the Authorization header decodes straight to the credential:

seccon2014:YourBattleField

Browse to the site and log in with it:

http://133.242.224.21:6809/nw100/key.html

The page returns the flag:

SECCON{Basic_NW_Challenge_Done!}
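Added example, not part of the original writeup: a small parser that pulls Basic credentials out of a reassembled HTTP stream. The request above is embedded as a constructed sample, trimmed to the headers that matter. The decoded value is split on the first colon only, because RFC 7617 allows the password to contain colons while the user-id cannot. Reassembling the TCP stream from the pcap in the first place (tshark, scapy) is left out here.

```python
import base64
import re

# Constructed sample: the client request from the PCAP above, as the bytes
# a TCP stream reassembly would return (headers only, body-less GET).
CAPTURED_REQUEST = (
    b"GET /nw100/ HTTP/1.1\r\n"
    b"Accept: text/html, application/xhtml+xml, */*\r\n"
    b"Host: 133.242.224.21:6809\r\n"
    b"Authorization: Basic c2VjY29uMjAxNDpZb3VyQmF0dGxlRmllbGQ=\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Header names are case-insensitive; the value is base64 up to end of line.
AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def basic_credentials(stream):
    """Return a list of (request_line, user, password) for every Basic
    credential found in a reassembled HTTP stream (requests are separated
    by the blank line that ends their headers)."""
    found = []
    for req in stream.split(b"\r\n\r\n"):
        m = AUTH_RE.search(req)
        if not m:
            continue
        request_line = req.split(b"\r\n", 1)[0].decode("latin-1")
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        # RFC 7617: user-id ":" password; only the first colon is a separator.
        user, sep, password = decoded.decode("latin-1").partition(":")
        if not sep:
            continue
        found.append((request_line, user, password))
    return found


if __name__ == "__main__":
    for line, user, password in basic_credentials(CAPTURED_REQUEST):
        print(f"{line}: {user} / {password}")
```

The same loop run over every request in a capture also tells you how often the credential was replayed: Basic auth sends it on every request, so one captured session is enough.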

————————————————————————————————–

Shuffle – 100

Loaded the binary into Hopper and looked at main. The flag is written onto the stack one byte at a time (mov eax,imm followed by mov BYTE PTR [esp+off],al), then the program seeds srand with time()+getpid() and swaps 100 random pairs of those bytes (each index is rand() % 40, a range that includes the terminating NUL at [esp+0x4b]) before calling puts, so running it prints a different shuffled, sometimes truncated, string every time. Reading the immediates in stack-offset order gives the original. Disassembly of main (gdb, Intel syntax):

Dump of assembler code for function main:
0x0804852d <+0>: push ebp
0x0804852e <+1>: mov ebp,esp
0x08048530 <+3>: push esi
0x08048531 <+4>: push ebx
0x08048532 <+5>: and esp,0xfffffff0
0x08048535 <+8>: sub esp,0x50
0x08048538 <+11>: mov eax,DWORD PTR [ebp+0xc]
0x0804853b <+14>: mov DWORD PTR [esp+0xc],eax
0x0804853f <+18>: mov eax,gs:0x14
0x08048545 <+24>: mov DWORD PTR [esp+0x4c],eax
0x08048549 <+28>: xor eax,eax
0x0804854b <+30>: mov eax,0x53
0x08048550 <+35>: mov BYTE PTR [esp+0x24],al
0x08048554 <+39>: mov eax,0x45
0x08048559 <+44>: mov BYTE PTR [esp+0x25],al
0x0804855d <+48>: mov eax,0x43
0x08048562 <+53>: mov BYTE PTR [esp+0x26],al
0x08048566 <+57>: mov eax,0x43
0x0804856b <+62>: mov BYTE PTR [esp+0x27],al
0x0804856f <+66>: mov eax,0x4f
0x08048574 <+71>: mov BYTE PTR [esp+0x28],al
0x08048578 <+75>: mov eax,0x4e
0x0804857d <+80>: mov BYTE PTR [esp+0x29],al
0x08048581 <+84>: mov eax,0x7b
0x08048586 <+89>: mov BYTE PTR [esp+0x2a],al
0x0804858a <+93>: mov eax,0x57
0x0804858f <+98>: mov BYTE PTR [esp+0x2b],al
0x08048593 <+102>: mov eax,0x65
0x08048598 <+107>: mov BYTE PTR [esp+0x2c],al
0x0804859c <+111>: mov eax,0x6c
0x080485a1 <+116>: mov BYTE PTR [esp+0x2d],al
0x080485a5 <+120>: mov eax,0x63
0x080485aa <+125>: mov BYTE PTR [esp+0x2e],al
0x080485ae <+129>: mov eax,0x6f
0x080485b3 <+134>: mov BYTE PTR [esp+0x2f],al
0x080485b7 <+138>: mov eax,0x6d
0x080485bc <+143>: mov BYTE PTR [esp+0x30],al
0x080485c0 <+147>: mov eax,0x65
0x080485c5 <+152>: mov BYTE PTR [esp+0x31],al
0x080485c9 <+156>: mov eax,0x20
0x080485ce <+161>: mov BYTE PTR [esp+0x32],al
0x080485d2 <+165>: mov eax,0x74
0x080485d7 <+170>: mov BYTE PTR [esp+0x33],al
0x080485db <+174>: mov eax,0x6f
0x080485e0 <+179>: mov BYTE PTR [esp+0x34],al
0x080485e4 <+183>: mov eax,0x20
0x080485e9 <+188>: mov BYTE PTR [esp+0x35],al
0x080485ed <+192>: mov eax,0x74
0x080485f2 <+197>: mov BYTE PTR [esp+0x36],al
0x080485f6 <+201>: mov eax,0x68
0x080485fb <+206>: mov BYTE PTR [esp+0x37],al
0x080485ff <+210>: mov eax,0x65
0x08048604 <+215>: mov BYTE PTR [esp+0x38],al
0x08048608 <+219>: mov eax,0x20
0x0804860d <+224>: mov BYTE PTR [esp+0x39],al
0x08048611 <+228>: mov eax,0x53
0x08048616 <+233>: mov BYTE PTR [esp+0x3a],al
0x0804861a <+237>: mov eax,0x45
0x0804861f <+242>: mov BYTE PTR [esp+0x3b],al
0x08048623 <+246>: mov eax,0x43
0x08048628 <+251>: mov BYTE PTR [esp+0x3c],al
0x0804862c <+255>: mov eax,0x43
0x08048631 <+260>: mov BYTE PTR [esp+0x3d],al
0x08048635 <+264>: mov eax,0x4f
0x0804863a <+269>: mov BYTE PTR [esp+0x3e],al
0x0804863e <+273>: mov eax,0x4e
0x08048643 <+278>: mov BYTE PTR [esp+0x3f],al
0x08048647 <+282>: mov eax,0x20
0x0804864c <+287>: mov BYTE PTR [esp+0x40],al
0x08048650 <+291>: mov eax,0x32
0x08048655 <+296>: mov BYTE PTR [esp+0x41],al
0x08048659 <+300>: mov eax,0x30
0x0804865e <+305>: mov BYTE PTR [esp+0x42],al
0x08048662 <+309>: mov eax,0x31
0x08048667 <+314>: mov BYTE PTR [esp+0x43],al
0x0804866b <+318>: mov eax,0x34
0x08048670 <+323>: mov BYTE PTR [esp+0x44],al
0x08048674 <+327>: mov eax,0x20
0x08048679 <+332>: mov BYTE PTR [esp+0x45],al
0x0804867d <+336>: mov eax,0x43
0x08048682 <+341>: mov BYTE PTR [esp+0x46],al
0x08048686 <+345>: mov eax,0x54
0x0804868b <+350>: mov BYTE PTR [esp+0x47],al
0x0804868f <+354>: mov eax,0x46
0x08048694 <+359>: mov BYTE PTR [esp+0x48],al
0x08048698 <+363>: mov eax,0x21
0x0804869d <+368>: mov BYTE PTR [esp+0x49],al
0x080486a1 <+372>: mov eax,0x7d
0x080486a6 <+377>: mov BYTE PTR [esp+0x4a],al
0x080486aa <+381>: mov eax,0x0
0x080486af <+386>: mov BYTE PTR [esp+0x4b],al
0x080486b3 <+390>: mov DWORD PTR [esp],0x0
0x080486ba <+397>: call 0x80483b0 <time@plt>
0x080486bf <+402>: mov ebx,eax
0x080486c1 <+404>: call 0x80483d0 <getpid@plt>
0x080486c6 <+409>: add eax,ebx
0x080486c8 <+411>: mov DWORD PTR [esp],eax
0x080486cb <+414>: call 0x8048400 <srand@plt>
0x080486d0 <+419>: mov DWORD PTR [esp+0x14],0x0
0x080486d8 <+427>: jmp 0x8048769 <main+572>
0x080486dd <+432>: call 0x8048420 <rand@plt>
0x080486e2 <+437>: mov ecx,eax
0x080486e4 <+439>: mov edx,0xcccccccd
0x080486e9 <+444>: mov eax,ecx
0x080486eb <+446>: mul edx
0x080486ed <+448>: shr edx,0x5
0x080486f0 <+451>: mov eax,edx
0x080486f2 <+453>: shl eax,0x2
0x080486f5 <+456>: add eax,edx
0x080486f7 <+458>: shl eax,0x3
0x080486fa <+461>: sub ecx,eax
0x080486fc <+463>: mov edx,ecx
0x080486fe <+465>: mov DWORD PTR [esp+0x18],edx
0x08048702 <+469>: call 0x8048420 <rand@plt>
0x08048707 <+474>: mov ecx,eax
0x08048709 <+476>: mov edx,0xcccccccd
0x0804870e <+481>: mov eax,ecx
0x08048710 <+483>: mul edx
0x08048712 <+485>: shr edx,0x5
0x08048715 <+488>: mov eax,edx
0x08048717 <+490>: shl eax,0x2
0x0804871a <+493>: add eax,edx
0x0804871c <+495>: shl eax,0x3
0x0804871f <+498>: sub ecx,eax
0x08048721 <+500>: mov edx,ecx
0x08048723 <+502>: mov DWORD PTR [esp+0x1c],edx
0x08048727 <+506>: lea edx,[esp+0x24]
0x0804872b <+510>: mov eax,DWORD PTR [esp+0x18]
0x0804872f <+514>: add eax,edx
0x08048731 <+516>: movzx eax,BYTE PTR [eax]
0x08048734 <+519>: movsx eax,al
0x08048737 <+522>: mov DWORD PTR [esp+0x20],eax
0x0804873b <+526>: lea edx,[esp+0x24]
0x0804873f <+530>: mov eax,DWORD PTR [esp+0x1c]
0x08048743 <+534>: add eax,edx
0x08048745 <+536>: movzx eax,BYTE PTR [eax]
0x08048748 <+539>: lea ecx,[esp+0x24]
0x0804874c <+543>: mov edx,DWORD PTR [esp+0x18]
0x08048750 <+547>: add edx,ecx
0x08048752 <+549>: mov BYTE PTR [edx],al
0x08048754 <+551>: mov eax,DWORD PTR [esp+0x20]
0x08048758 <+555>: lea ecx,[esp+0x24]
0x0804875c <+559>: mov edx,DWORD PTR [esp+0x1c]
0x08048760 <+563>: add edx,ecx
0x08048762 <+565>: mov BYTE PTR [edx],al
0x08048764 <+567>: add DWORD PTR [esp+0x14],0x1
0x08048769 <+572>: cmp DWORD PTR [esp+0x14],0x63
0x0804876e <+577>: jle 0x80486dd <main+432>
0x08048774 <+583>: lea eax,[esp+0x24]
0x08048778 <+587>: mov DWORD PTR [esp],eax
0x0804877b <+590>: call 0x80483e0 <puts@plt>
0x08048780 <+595>: mov eax,0x0
0x08048785 <+600>: mov esi,DWORD PTR [esp+0x4c]
0x08048789 <+604>: xor esi,DWORD PTR gs:0x14
0x08048790 <+611>: je 0x8048797 <main+618>
0x08048792 <+613>: call 0x80483c0 <__stack_chk_fail@plt>
0x08048797 <+618>: lea esp,[ebp-0x8]
0x0804879a <+621>: pop ebx
0x0804879b <+622>: pop esi
0x0804879c <+623>: pop ebp
0x0804879d <+624>: ret

flag is SECCON{Welcome to the SECCON 2014 CTF!}
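Added example, not from the original post: a script that does the transcription instead of reading 40 immediates by hand. It pairs each mov eax,imm with the byte store that follows it, orders the bytes by stack offset and stops at the NUL. The embedded listing is a constructed excerpt of the dump above (the stores for "SECCON{" and the last three), so the result shows a gap marker where stores are missing; paste in the full dump to get the whole flag. The second function is the rand() % 40 reduction that the 0xcccccccd multiply-and-shift sequence in the loop body implements, which is how you confirm the swap indices span all 40 bytes of the buffer.

```python
import re

# Constructed excerpt of the gdb "disassemble main" listing (Intel syntax).
# Only the stores for "SECCON{", "!", "}" and the NUL are kept here.
DUMP = """\
0x0804854b <+30>: mov eax,0x53
0x08048550 <+35>: mov BYTE PTR [esp+0x24],al
0x08048554 <+39>: mov eax,0x45
0x08048559 <+44>: mov BYTE PTR [esp+0x25],al
0x0804855d <+48>: mov eax,0x43
0x08048562 <+53>: mov BYTE PTR [esp+0x26],al
0x08048566 <+57>: mov eax,0x43
0x0804856b <+62>: mov BYTE PTR [esp+0x27],al
0x0804856f <+66>: mov eax,0x4f
0x08048574 <+71>: mov BYTE PTR [esp+0x28],al
0x08048578 <+75>: mov eax,0x4e
0x0804857d <+80>: mov BYTE PTR [esp+0x29],al
0x08048581 <+84>: mov eax,0x7b
0x08048586 <+89>: mov BYTE PTR [esp+0x2a],al
0x08048698 <+363>: mov eax,0x21
0x0804869d <+368>: mov BYTE PTR [esp+0x49],al
0x080486a1 <+372>: mov eax,0x7d
0x080486a6 <+377>: mov BYTE PTR [esp+0x4a],al
0x080486aa <+381>: mov eax,0x0
0x080486af <+386>: mov BYTE PTR [esp+0x4b],al
0x080486b3 <+390>: mov DWORD PTR [esp],0x0
"""

IMM_RE = re.compile(r"\bmov\s+eax,0x([0-9a-fA-F]+)\s*$")
STORE_RE = re.compile(r"\bmov\s+BYTE PTR \[esp\+0x([0-9a-fA-F]+)\],al\s*$")


def stack_string(dump, gap="."):
    """Recover a string built on the stack one byte at a time: pair every
    `mov eax,imm` with the `mov BYTE PTR [esp+off],al` right after it,
    order the bytes by offset, mark offsets without a store with `gap`
    and stop at the first NUL."""
    cells = {}
    pending = None
    for line in dump.splitlines():
        m = IMM_RE.search(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = STORE_RE.search(line)
        if m and pending is not None:
            cells[int(m.group(1), 16)] = pending & 0xFF
            pending = None
    if not cells:
        return ""
    out = []
    for off in range(min(cells), max(cells) + 1):
        if off not in cells:
            out.append(gap)
        elif cells[off] == 0:
            break
        else:
            out.append(chr(cells[off]))
    return "".join(out)


def rand_mod_40(x):
    """The loop body at <+437>..<+461>: gcc's strength-reduced `x % 40`.
    (x * 0xcccccccd) >> 37 equals x // 40 for every 32-bit unsigned x
    (mul edx ; shr edx,5 keeps bits 37..63 of the 64-bit product), and
    the shl 2 / add / shl 3 sequence rebuilds 40 * (x // 40) to subtract."""
    x &= 0xFFFFFFFF
    q = (x * 0xCCCCCCCD) >> 37
    return x - (((q << 2) + q) << 3)


if __name__ == "__main__":
    print(stack_string(DUMP))
```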


——————————————————–

Easy Cipher – 100

Pulled out the ASCII chart and decoded it by hand. The tokens are a mix of decimal, hexadecimal, octal (leading 0) and binary (six or seven 0/1 digits); since every character has to land in the printable range 32..126, the radix of each token is never really ambiguous.

87 101 108 1100011 0157 6d 0145 040 116 0157 100000 0164 104 1100101 32 0123 69 67 0103 1001111
1001110 040 062 060 49 064 100000 0157 110 6c 0151 1101110 101 040 0103 1010100 70 101110 0124
1101000 101 100000 1010011 1000101 67 0103 4f 4e 100000 105 1110011 040 116 1101000 0145 040 1100010 0151 103 103 0145 1110011 0164 100000 1101000 0141 99 6b 1100101 0162 32 0143 111 1101110 1110100 101 0163 0164 040 0151 0156 040 74 0141 1110000 1100001 0156 056 4f 0157 0160 115 44 040 0171 1101111 117 100000 1110111 0141 0156 1110100 32 0164 6f 32 6b 1101110 1101111 1110111 100000 0164 1101000 0145 040 0146 6c 97 1100111 2c 100000 0144 111 110 100111 116 100000 1111001 6f 117 63 0110 1100101 0162 0145 100000 1111001 111 117 100000 97 114 0145 46 1010011 0105 0103 67 79 1001110 123 87 110011 110001 67 110000 1001101 32 55 060 100000 110111 0110 110011 32 53 51 0103
0103 060 0116 040 5a 0117 73 0101 7d 1001000 0141 1110110 1100101 100000 102 0165 0156 33

Decoded (octal tokens start with 0, hex tokens contain a letter, binary tokens are six or seven 0/1 digits, the rest are decimal):

Welcome to the SECCON 2014 online CTF.The SECCON is the biggest hacker contest in Japan.Oops, you want to know the flag, don't you?Here you are.SECCON{W31C0M 70 7H3 53CC0N ZOIA}Have fun!


SECCON{W31C0M 70 7H3 53CC0N ZOIA}


—————————–
Get the key.txt – 100

# mount -o loop forensic100 /media/test/
# ls /media/test/
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97

# file 1
1: gzip compressed data, was "key.txt", from Unix, last modified: Wed Oct 1 01:00:52 2014

# file 10
10: gzip compressed data, was "key106.txt", from Unix, last modified: Wed Oct 1 00:59:41 2014
# gunzip 1
gzip: 1: unknown suffix -- ignored
# mv 1 1.gz
# ls
10 11 12 13 14 15 16 17 18 19 1.gz 208 218 228 238 28 38 48 58 68 78 88 98
100 110 120 130 140 150 160 170 180 190 2 209 219 229 239 29 39 49 59 69 79 89 99
101 111 121 131 141 151 161 171 181 191 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
102 112 122 132 142 152 162 172 182 192 200 210 220 230 240 30 40 50 60 70 80 90
103 113 123 133 143 153 163 173 183 193 201 211 221 231 241 31 41 51 61 71 81 91
104 114 124 134 144 154 164 174 184 194 202 212 222 232 242 32 42 52 62 72 82 92
105 115 125 135 145 155 165 175 185 195 203 213 223 233 243 33 43 53 63 73 83 93
106 116 126 136 146 156 166 176 186 196 204 214 224 234 244 34 44 54 64 74 84 94
107 117 127 137 147 157 167 177 187 197 205 215 225 235 25 35 45 55 65 75 85 95
108 118 128 138 148 158 168 178 188 198 206 216 226 236 26 36 46 56 66 76 86 96
109 119 129 139 149 159 169 179 189 199 207 217 227 237 27 37 47 57 67 77 87 97
# file 1.gz
1.gz: gzip compressed data, was "key.txt", from Unix, last modified: Wed Oct 1 01:00:52 2014
# gunzip 1.gz
# ls
1 109 119 129 139 149 159 169 179 189 199 208 218 228 238 28 38 48 58 68 78 88 98
10 11 12 13 14 15 16 17 18 19 2 209 219 229 239 29 39 49 59 69 79 89 99
100 110 120 130 140 150 160 170 180 190 20 21 22 23 24 3 4 5 6 7 8 9 lost+found
101 111 121 131 141 151 161 171 181 191 200 210 220 230 240 30 40 50 60 70 80 90
102 112 122 132 142 152 162 172 182 192 201 211 221 231 241 31 41 51 61 71 81 91
103 113 123 133 143 153 163 173 183 193 202 212 222 232 242 32 42 52 62 72 82 92
104 114 124 134 144 154 164 174 184 194 203 213 223 233 243 33 43 53 63 73 83 93
105 115 125 135 145 155 165 175 185 195 204 214 224 234 244 34 44 54 64 74 84 94
106 116 126 136 146 156 166 176 186 196 205 215 225 235 25 35 45 55 65 75 85 95
107 117 127 137 147 157 167 177 187 197 206 216 226 236 26 36 46 56 66 76 86 96
108 118 128 138 148 158 168 178 188 198 207 217 227 237 27 37 47 57 67 77 87 97
# file 1
1: ASCII text
# cat 1
SECCON{@]NL7n+-s75FrET]vU=7Z}
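The rename dance above is avoidable: gzip -dc 1 (or zcat 1) inflates to stdout without touching the file, and mounting with -o ro,loop keeps the image itself unmodified, which matters as soon as the image is evidence rather than a CTF handout. The "was key.txt" that file prints comes from the FNAME field of the gzip header, so the right member can be found by reading headers alone. Added example, not from the original post: a gzip header parser and an in-memory search over a constructed stand-in for the numbered files (the members, their stored names and the mtime are built inline; the only string taken from the page is the flag text used as key.txt's content).

```python
import gzip
import io
import struct

# Constructed fixture data. The flag text is the one from the page.
FLAG_TEXT = b"SECCON{@]NL7n+-s75FrET]vU=7Z}\n"
FIXTURE_MTIME = 1412125252  # arbitrary constructed timestamp


def build_fixture():
    """Stand-in for the mounted image: numbered members that are all gzip
    files with a stored original name, like the real ones. Only "1" was
    key.txt; the others are decoys named keyNNN.txt."""
    names = {"1": "key.txt", "10": "key106.txt", "2": "key17.txt", "3": "key42.txt"}
    members = {}
    for member, original in names.items():
        buf = io.BytesIO()
        body = FLAG_TEXT if original == "key.txt" else b"nothing here\n"
        # GzipFile stores basename(filename) in the FNAME header field.
        with gzip.GzipFile(filename=original, mode="wb", fileobj=buf,
                           mtime=FIXTURE_MTIME) as gz:
            gz.write(body)
        members[member] = buf.getvalue()
    return members


def gzip_header(data):
    """Parse an RFC 1952 member header without inflating anything.
    Layout: ID1 ID2 CM FLG MTIME(4) XFL OS, then optional FEXTRA,
    FNAME (NUL-terminated), FCOMMENT (NUL-terminated) and FHCRC."""
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip (deflate) member")
    flg = data[3]
    mtime, = struct.unpack_from("<I", data, 4)
    pos = 10
    if flg & 0x04:  # FEXTRA
        xlen, = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    name = comment = None
    if flg & 0x08:  # FNAME, latin-1
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flg & 0x10:  # FCOMMENT
        end = data.index(b"\x00", pos)
        comment = data[pos:end].decode("latin-1")
        pos = end + 1
    if flg & 0x02:  # FHCRC
        pos += 2
    return {"name": name, "mtime": mtime, "os": data[9],
            "comment": comment, "data_offset": pos}


def find_by_stored_name(members, wanted):
    """Return {member: inflated bytes} for every member whose stored
    original name is `wanted`. Headers are read first, then only the
    matches are inflated, in memory, so nothing is renamed or written."""
    hits = {}
    for member, blob in members.items():
        if gzip_header(blob)["name"] == wanted:
            hits[member] = gzip.decompress(blob)
    return hits


if __name__ == "__main__":
    fixture = build_fixture()
    for member, blob in fixture.items():
        print(member, gzip_header(blob)["name"])
    for member, content in find_by_stored_name(fixture, "key.txt").items():
        print(member, content.decode())
```

On the real image the same search is `for f in /media/test/[0-9]*; do file "$f"; done | grep '"key.txt"'` followed by `gzip -dc` on the hit; the parser above is just the FNAME lookup that `file` performs, without the dependency on its magic database.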
