hackyoutoo ctf bin 300 writeup


The executable is a classic “keygen me”: a text box and a button that, when clicked, checks the serial. We need to find the input that produces the “good boy” message.

Before running the executable, a quick look at the import table in PEiD gives an overview of how the exe is put together. Among the imports is GetDlgItemTextA, the Win32 API that retrieves the text of a control in a dialog box. That is where the program reads the serial we type, so it is the natural place to set a breakpoint and follow the check from there.


hackyoutoo ctf bin 200 writeup

String analysis shows what the binary expects: the usage format and two text files (file.txt and hobbit.txt).



Honeynet Project Challenge - Jan Forensic Challenge 2010


This is the first of many challenges released by the Honeynet Project in 2010. The challenge consists of a packet capture file and a set of questions about the attack. This post demonstrates how to analyze the pcap, recognize shellcode and extract artifacts from the evidence.

We are given a single pcap file; let's open it in Wireshark. The conversations summary (Statistics -> Conversations) shows 6 TCP streams. A TCP stream is one connection: the packets exchanged between one IP address/port pair and another, which Wireshark numbers in order of first appearance as the tcp.stream index (http://stackoverflow.com/questions/6076897/follow-tcp-stream-where-does-field-stream-index-come-from).
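To make the notion of a "stream" concrete, here is an added example (not code from the original post) that reads a classic pcap file without any external library and groups Ethernet/IPv4/TCP packets into streams the way Wireshark's tcp.stream index does: one stream per unordered pair of IP:port endpoints, numbered by first appearance. The capture it processes is constructed in code so it runs offline; it is not the challenge pcap, and the addresses, ports and payloads are made up.

```python
import struct
from collections import OrderedDict

# Added example, not part of the original post. The pcap below is constructed here
# (not the challenge capture); checksums are left zero since the parser ignores them.

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic of a little-endian file when read little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # magic of a big-endian file when read little-endian
LINKTYPE_ETHERNET = 1


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with a 20-byte IP and 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType = IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap 2.4 container with dummy timestamps."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1262304000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Yield raw frames from a classic pcap file (either byte order, Ethernet only)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, frame[tcp + data_off:14 + total_len]


def tcp_streams(pcap_bytes):
    """List of (stream_index, endpoint_pair, packets); the pair is sorted so both
    directions of a connection land in the same stream, like Wireshark's tcp.stream."""
    streams = OrderedDict()
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        streams.setdefault(key, []).append((src, sport, dst, dport, payload))
    return [(idx, key, pkts) for idx, (key, pkts) in enumerate(streams.items())]


def sample_pcap():
    """Constructed capture: two HTTP connections to one server plus a lone port-445 probe."""
    return build_pcap([
        build_tcp_frame("10.0.0.5", "192.168.1.20", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_tcp_frame("192.168.1.20", "10.0.0.5", 80, 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
        build_tcp_frame("10.0.0.5", "192.168.1.20", 40002, 80, b"GET /x HTTP/1.0\r\n\r\n"),
        build_tcp_frame("172.16.0.9", "192.168.1.20", 51000, 445),
        build_tcp_frame("192.168.1.20", "10.0.0.5", 80, 40002, b"HTTP/1.0 404\r\n\r\n"),
    ])


if __name__ == "__main__":
    for idx, key, pkts in tcp_streams(sample_pcap()):
        (a_ip, a_port), (b_ip, b_port) = key
        print("tcp.stream %d: %s:%d <-> %s:%d, %d packets, %d payload bytes"
              % (idx, a_ip, a_port, b_ip, b_port, len(pkts), sum(len(p[4]) for p in pkts)))
```

One caveat when comparing against Wireshark: Wireshark also starts a new stream index when it sees a fresh SYN on a 4-tuple it has already closed, and it handles VLAN tags, IPv6 and pcapng, none of which this minimal reader does. Concatenating the payloads of one stream in order is what "Follow TCP Stream" shows, and is the starting point for spotting shellcode in the later questions.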


hackyoutoo ctf crypto 300 writeup


Crypto 300 - Everybody Lies


  


download algorithm.py


Most of the XOR operations cancel each other out: token[0] through token[6] drop out and only token[7] survives. Since 'token' is reset in the last line of the encoding loop to the 7th character of the SHA-1 hash of the previous character, every character of the ciphertext except the first can be recovered by working backwards from the end.

The remaining constant XORs fold into a single byte:
0xfe ^ 0xc3 ^ 0x42 ^ 0x21 ^ 0xc2 ^ 0xf3 ^ 0x27 ^ 0x4c ^ 0x21 ^ 0xfe ^ 0xa3 ^ 0xf0 ^ 0x11 ^ 0x54 ^ 0xca ^ 0x3c ^ 0x20 ^ 0xd1 ^ 0xf2 == 0x38

Here is a Ruby script (everybody_lies.rb) that performs this decryption.


$ ruby everybody_lies.rb
_lied_no_flag_for_you!

The first character has to be guessed; 'i' is the one that gives a sensible sentence, so the flag is 'i_lied_no_flag_for_you!'.

hackyoutoo ctf forensic 200 and crypto 200 writeup

Forensics 200

The file size and string references point to an embedded rar archive.



foremost can carve the embedded file out. The extracted rar archive contains a text file with base64-encoded data; decoding it four times yields an HTTP link to the following
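The two steps above, signature-based carving and peeling nested base64, are shown below as an added example that is not the post's own code. It finds a RAR archive inside a larger blob by its magic bytes (the same signatures a carver such as foremost keys on), carves from that offset, and then keeps base64-decoding a string until the result no longer looks like base64. The container blob and the nested note are constructed in the code; the URL inside is a placeholder, not the challenge's.

```python
import base64
import binascii
import re

# Added example, not from the original post. RAR magic bytes:
RAR_SIGNATURES = (
    b"Rar!\x1a\x07\x00",       # RAR 1.5 - 4.x archive marker
    b"Rar!\x1a\x07\x01\x00",   # RAR 5.x archive marker
)


def find_signatures(blob, signatures=RAR_SIGNATURES):
    """Return (offset, signature) for every occurrence, in file order."""
    hits = []
    for sig in signatures:
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, sig))
            pos = blob.find(sig, pos + 1)
    return sorted(hits)


def carve(blob, offset):
    """Crude carve: from the signature to the end of the container. Enough for a single
    appended archive; a real carver also walks the RAR block headers to find the true end."""
    return blob[offset:]


_B64_CHARS = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def peel_base64(data, max_layers=16):
    """Decode repeatedly while the data still looks like base64 and decodes cleanly.
    Returns (final_bytes, layers_removed). A layer that fails to decode stops the loop,
    so plaintext that happens to be alphabet-only is the one case this can over-decode."""
    cur = data.strip()
    layers = 0
    while layers < max_layers and cur and _B64_CHARS.match(cur):
        try:
            nxt = base64.b64decode(cur, validate=False)
        except (binascii.Error, ValueError):
            break
        if not nxt:
            break
        cur = nxt.strip()
        layers += 1
    return cur, layers


def sample_container():
    """Constructed: a fake PNG prefix with a RAR4 header and some padding appended."""
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + RAR_SIGNATURES[0] + b"\x00" * 32


def sample_note():
    """Constructed: the text file's content, a placeholder URL wrapped in base64 four times."""
    note = b"http://example.test/next-stage"
    for _ in range(4):
        note = base64.b64encode(note)
    return note


if __name__ == "__main__":
    blob = sample_container()
    for off, sig in find_signatures(blob):
        print("RAR signature %r at offset %d, carved %d bytes" % (sig, off, len(carve(blob, off))))
    plain, n = peel_base64(sample_note())
    print("removed %d base64 layers -> %r" % (n, plain))
```

In practice the carved archive still has to be extracted with unrar (or listed with `unrar l` to confirm it is intact) before the text file is available; the peel step then replaces the four manual decode rounds.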

SQL injection with JSON


A few days back, during an assessment, I came across an application that used JSON-based HTTP POST requests, issued via AJAX, to retrieve data from its backend database. JSON (JavaScript Object Notation) is a text format for serializing structured data, here carried over HTTP between the browser-side application and the server. Here is a quick guide to JSON.

In this application, putting SQL metacharacters such as a single quote (') or a double dash (--) into certain JSON fields produced a stack trace containing a SQL error. The fact that the values arrive as JSON changes nothing: once deserialized they are concatenated into the query exactly as form fields would be. From the look of the trace, the backend is probably Microsoft IIS.
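The behaviour described above, reproduced as an added example (not the assessed application's code) against an in-memory SQLite table standing in for the real backend; the mechanism is the same. `lookup_vulnerable` concatenates the JSON-carried value into the SQL string, `lookup_safe` binds it as a parameter, and `probe` mimics the assessment step of sending a body and noting whether the backend errors (the stack-trace symptom). The table, users and payloads are constructed here.

```python
import json
import sqlite3

# Added example, not from the original post. Bodies as the AJAX front end would send them:
PAYLOAD_NORMAL = json.dumps({"username": "alice"})
PAYLOAD_QUOTE = json.dumps({"username": "alice'"})             # unbalanced quote -> SQL error
PAYLOAD_COMMENT = json.dumps({"username": "alice' --"})        # comments out the rest of the query
PAYLOAD_TAUTOLOGY = json.dumps({"username": "x' OR '1'='1"})  # condition true for every row


def make_db():
    """Constructed stand-in for the backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db


def lookup_vulnerable(db, body):
    """Deserializes the JSON body, then builds SQL by string formatting: injectable."""
    username = json.loads(body)["username"]
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_safe(db, body):
    """Same lookup with a bound parameter: the value can never alter the query structure."""
    username = json.loads(body)["username"]
    return db.execute("SELECT username, email FROM users WHERE username = ?",
                      (username,)).fetchall()


def probe(db, body):
    """Send a body to the vulnerable handler and report error text or rows returned."""
    try:
        return {"error": None, "rows": lookup_vulnerable(db, body)}
    except sqlite3.Error as exc:
        return {"error": str(exc), "rows": None}


if __name__ == "__main__":
    db = make_db()
    for name, body in [("normal", PAYLOAD_NORMAL), ("quote", PAYLOAD_QUOTE),
                       ("comment", PAYLOAD_COMMENT), ("tautology", PAYLOAD_TAUTOLOGY)]:
        print("%-10s vulnerable=%s safe=%s" % (name, probe(db, body), lookup_safe(db, body)))
```

The single quote is the probe that produced the stack trace; the comment and tautology bodies are what an attacker sends once the error confirms the sink. Note that `json.dumps` escapes nothing that SQL cares about, and that a JSON content type or an AJAX origin is no protection at all; only parameterized queries (or an equivalent stored-procedure interface) remove the bug.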

Burp and SSH Tunneling

Imagine an assessment where the target web application only accepts connections from a whitelist of IP addresses, and the whitelisted address belongs to a machine on a remote network that we can reach over SSH. In that case our trusty Burp proxy's traffic has to be tunneled through that remote machine so that it reaches the application from the whitelisted address.

Burp has a handy option for sending all of its outbound traffic through a SOCKS proxy. SOCKS (SOCKet Secure) is a protocol for relaying TCP connections through a proxy server. Many SSH clients, PuTTY included, can create a local SOCKS proxy whose connections are forwarded out through the remote SSH server (OpenSSH does the same with its -D option, e.g. ssh -D 1080 user@remotehost). In PuTTY the setting is under Connection -> SSH -> Tunnels: add the local SOCKS port there as a "Dynamic" forwarded port, as shown below. Burp is then pointed at 127.0.0.1 and that port in its SOCKS proxy settings; a quick check that the tunnel is in use is to request a page that echoes the client IP and confirm it reports the remote host's address rather than your own.

cscamp ctf 2012 - crypto 100

The crypto 100 challenge requires decrypting a given ciphertext.


There is also an input field that takes a plaintext and returns its ciphertext, i.e. an encryption oracle. Encrypting 'a' and 'A' gives the same output, so the cipher is case insensitive. The following code solves the challenge by querying the oracle for each letter a-z to build a table, and then decrypting the given ciphertext by inverting that mapping.
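The chosen-plaintext approach above as an added example, not the post's own solver: the challenge's encryption form is not reproduced on the page, so a constructed stand-in oracle is used (a fixed letter substitution that upper-cases its input, which is why 'a' and 'A' encrypt identically). The generic part is the rest: check that the oracle really is case insensitive and position independent, query it once per letter, invert the table, decrypt.

```python
import string

# Added example, not from the original post. The oracle below is a constructed
# stand-in for the challenge's encrypt form; the key string is arbitrary.
_STAND_IN_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
_STAND_IN_TABLE = str.maketrans(string.ascii_uppercase, _STAND_IN_KEY)


def stand_in_oracle(plaintext):
    """Constructed substitute for the challenge's encryption field."""
    return plaintext.upper().translate(_STAND_IN_TABLE)


def is_case_insensitive(oracle):
    """The observation from the post: 'a' and 'A' must encrypt to the same thing."""
    return all(oracle(c) == oracle(c.upper()) for c in string.ascii_lowercase)


def is_monoalphabetic(oracle):
    """A per-letter table only works if letters encrypt independently of position
    and of their neighbours; a polyalphabetic or chained cipher fails this probe."""
    probe = "abcabczyx"
    return oracle(probe) == "".join(oracle(c) for c in probe)


def build_table(oracle):
    """Query the oracle once per lowercase letter; return plaintext -> ciphertext."""
    table = {c: oracle(c) for c in string.ascii_lowercase}
    if len(set(table.values())) != 26:
        raise ValueError("oracle maps two letters to the same symbol; table is not invertible")
    return table


def decrypt(ciphertext, table):
    """Invert the table. Symbols no letter produces (digits, punctuation) pass through,
    which is also the assumption that each letter maps to exactly one symbol."""
    inverse = {ct: pt for pt, ct in table.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


if __name__ == "__main__":
    if not (is_case_insensitive(stand_in_oracle) and is_monoalphabetic(stand_in_oracle)):
        raise SystemExit("oracle is not a simple substitution; a per-letter table will not work")
    table = build_table(stand_in_oracle)
    challenge_ct = stand_in_oracle("flag is chosen plaintext")   # constructed ciphertext
    print(decrypt(challenge_ct, table))
```

If the real form returns more than one symbol per letter, the table still applies but `decrypt` has to tokenize the ciphertext into those symbols first; the `is_monoalphabetic` check is worth running before trusting the table either way.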

cscamp ctf 2012 - web 200

The web200 challenge asks for the solution to an equation as its input.


Submitting the answer after some time results in a "too late" response, which suggests the answer has to be computed and sent programmatically. Inspecting the HTTP headers reveals a "Set-Cookie" header and a custom "EQ" header.


Hello World

Traditional blog inauguration