hackyoutoo ctf bin 300 writeup


The executable is a classic "keygen me". There is a text box and a button which, when clicked, checks the serial. We need to figure out the text that leads to the "good boy" message.

Before running the executable, a quick summary of the import table with PEiD helps to get an overview of the layout of the exe. There is a call to GetDlgItemTextA, which is used to retrieve the text of a control in a dialog box (here, the serial typed into the text box).


hackyoutoo ctf bin 200 writeup

String analysis shows what the binary expects: the usage format and two text files (file.txt and hobbit.txt).



Honeynet Project Challenge - Jan Forensic Challenge 2010


This is one of the first of many challenges released by the Honeynet Project in 2010. The challenge consisted of a packet capture file and some questions related to the attack. This post demonstrates how to analyze the pcap, recognize shellcode and extract artifacts from the evidence logs.

We are provided with a single pcap file. Let's analyze the file with Wireshark. The Wireshark conversations summary states that there are 6 TCP streams. A TCP stream represents a conversation between two IP addresses on a particular pair of TCP ports (http://stackoverflow.com/questions/6076897/follow-tcp-stream-where-does-field-stream-index-come-from).


hackyoutoo ctf crypto 300 writeup


Crypto 300 - Everybody Lies


download algorithm.py


Most of the xor operations cancel each other out, in particular those involving token[0-6]; only token[7] survives. As 'token' is reset in the last line of the encoding loop with the 7th character of the sha1 hash of the previous character, we can decrypt all but the first character of the ciphertext, starting from the end.

Since xor is associative and commutative, we can combine all the constant xor operations into a single key byte:
0xfe ^ 0xc3 ^ 0x42 ^ 0x21 ^ 0xc2 ^ 0xf3 ^ 0x27 ^ 0x4c ^ 0x21 ^ 0xfe ^ 0xa3 ^ 0xf0 ^ 0x11 ^ 0x54 ^ 0xca ^ 0x3c ^ 0x20 ^ 0xd1 ^ 0xf2 == 0x38

Here is a ruby script to accomplish the same.


$ ruby everybody_lies.rb
_lied_no_flag_for_you!

With a little guessing the first character turns out to be 'i', so the flag is 'i_lied_no_flag_for_you!'
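The folding of the constants above can be checked mechanically. The following Ruby snippet is an added example, not the original everybody_lies.rb: it collapses the nineteen constants quoted in the writeup into one key byte, verifies that running any byte through the chain one xor at a time gives the same result as a single xor with the folded key, and applies that key across a byte string. The function names (fold_xor, apply_chain, chain_matches_folded?, unfold_bytes) are my own.

```ruby
# Added example (not the writeup's script): fold a chain of constant xor
# operations into a single key byte and show the chain is equivalent to it.

# The nineteen constants quoted in the writeup, in the order they appear.
XOR_CONSTANTS = [0xfe, 0xc3, 0x42, 0x21, 0xc2, 0xf3, 0x27, 0x4c, 0x21, 0xfe,
                 0xa3, 0xf0, 0x11, 0x54, 0xca, 0x3c, 0x20, 0xd1, 0xf2].freeze

# xor is associative and commutative, so
#   a ^ k1 ^ k2 ^ ... ^ kn == a ^ (k1 ^ k2 ^ ... ^ kn)
# and the whole chain collapses to one key byte.
def fold_xor(constants)
  constants.reduce(0) { |acc, k| acc ^ k }
end

# Apply the constants one at a time, the way an encoding loop would.
def apply_chain(byte, constants)
  constants.reduce(byte) { |acc, k| acc ^ k }
end

# Exhaustive check over all 256 byte values: chain == single xor with key.
def chain_matches_folded?(constants)
  key = fold_xor(constants)
  (0..255).all? { |b| apply_chain(b, constants) == (b ^ key) }
end

# Undo the folded key across a whole byte array; because xor is its own
# inverse, the same call both applies and removes the key.
def unfold_bytes(bytes, constants)
  key = fold_xor(constants)
  bytes.map { |b| b ^ key }
end

if __FILE__ == $PROGRAM_NAME
  puts format('folded key: 0x%02x', fold_xor(XOR_CONSTANTS))
  puts "chain equals single xor for every byte: #{chain_matches_folded?(XOR_CONSTANTS)}"
  # Constructed sample: round-trip a short byte string through the folded key.
  sample = 'flag'.bytes
  puts unfold_bytes(unfold_bytes(sample, XOR_CONSTANTS), XOR_CONSTANTS).pack('C*')
end
```

Folding the constants once and keeping only the data-dependent term (token[7] here) is what turns a long-looking encoding loop into a per-character xor with a recoverable value, which is why the ciphertext can be unwound character by character.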

hackyoutoo ctf forensic 200 and crypto 200 writeup

Forensics 200

The file size and string references point to the presence of an embedded rar file.



foremost can be used to extract embedded files. The extracted rar file contains a text file with base64-encoded data. After decoding it 4 times we get an HTTP link to the following