Miscellaneous Solutions

Size: px

Start display at page:

Download "Miscellaneous Solutions"

Millicent Corey Fitzgerald
6 years ago
Views:

1 2017 Miscellaneous Solutions Sponsored By 2017 Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions

2 Table of Contents Challenge 1: Python In a Pickle Challenge 2: Python - Abstract Syntax Treat Challenge 3: Web - Ninja Belts Challenge 4: Web - Guestbook Challenge 5: Follow the Traffic Challenge 6: Caesar's Enigma Challenge 7: Lets Play a Game Challenge 8: Protoverse Challenge 9: Strings - Reversing password Challenge 10: Reversing needle Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 1 P a g e

3 Challenge 1: Python In a Pickle Python's standard library includes a serialization format called pickle. In this challenge, your task is to provide a pickled payload that will end in a particular result (and thus earn you a flag). The pickle protocol normally uses a variety of opcodes to perform standard Python operations, like importing modules and calling functions. Some of these operations can be dangerous, so this program filters input before unpickling it. In particular, it limits you to four relatively simple opcodes. To solve this challenge, you will need to read its source code. The following standard library modules might also help: - pickle (to understand your available opcodes) - pickletools (if you want to dig deeper into working with the pickle protocol) - struct (to create pickle.binint2 values) The challenge wants a list of numbers that, when converted to the equivalent ASCII characters, reads "Green and delicious!". The trick is that we only have four pickle opcodes available: BININT2 (opcode M): create an integer from \x00\x00 to \xff\xff LIST (opcode l): create a list from stack items (backtracking to a MARK) MARK (opcode (): in this case, note where the list ends (once you call l) STOP (opcode.): declare the end of pickled data Our favorite opcodes, such as REDUCE (R, run a function) and GLOBAL (c, import a top-level function), have been banned. So, the basic structure of our pickled data should look something like this: MARK BININT2, BININT2,...more BININT2 for awhile, LIST, STOP When Python unpickles this data, it will create a list of integers. The rest of the challenge code will then convert these integers to ASCII characters, and check if the resulting string matches the desired value. Code Once we understand the above ideas, the solution code should be fairly straightforward. Python's struct.pack('h', num) gives us a BININT2-formatted value. We need to prepend the M pickle opcode to each of those values, so Python knows how to interpret the bytes that follow. We build a string that starts with ( (MARK), ends with l. (build LIST and then STOP), and has a bunch of BININT2 values in the middle. Then, we're done! Challenge 2: Python - Abstract Syntax Treat Your task is to understand a text dump of a Python abstract syntax tree (AST). The program that runs this AST will give you its flag if you provide the right input. The dumped AST is essentially pseudocode. You can reconstruct the original program piece-by-piece, at which point you can figure out what it wants. For details on ASTs in Python, please see The convert function is a way to put strings in the program without having them directly show up in the AST. It just converts the numbers to their ASCII equivalents. The key thing to notice in the AST dump is the string towards the bottom. This is created by doing hashlib.md5(secret).digest()[::-1] Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 2 P a g e

4 Pretty much everything else is just noise and obfuscation. Once you know that you have a backwards MD5 sum, you can reverse it and either crack the MD5 or just Google the hex digest. In Python, you can run binascii.hexlify() to convert a string to hex. You can also just brute-force the solution without doing any reversing, but hopefully no one does that! CN\x9f\x1e\xa0\x0e{\x8a\x86\xc4\x8f\xf7\xe6\xf5d\x1d 1d5de6f78fc4868a0ea01e9f!= 'CN\x9f\x1e\xa0\x0e{\x8a\x86\xc4\x8f\xf7\xe6\xf5d\x1d'): CN\x9f\x1e\xa0\x0e{\x8a\x86\xc4\x8f\xf7\xe6\xf5d\x1d \x1d\xf5d\xe6\xf7\x8f\xc4\x86\x8a\x0e{\xa0\x1e\x9f schaakmat Challenge 3: Web - Ninja Belts Last year's ninja belt search engine has been upgraded. Can you extract the flag from its database? This Python web app creates an in-memory database SQLite database of belt names, on each connection. The database uses a simple LIKE query to return belts, so simply putting in % returns the flag via a wildcard query: echo 'GET /?belt_color=% HTTP/1.1' nc Challenge 4: Web - Guestbook Everybody enjoys signing online guestbooks, and webmasters love to read them. Your task is to use an XSS bug to set the XSS JavaScript variable. A bot monitors this value, and will give you the flag if you succeed. As a security measure, you have a very limited set of characters available. Specifically, you can use <, >, A-Z, =, /, and -. This challenge uses PhantomJS (a headless WebKit browser) to check for XSS exploits when a user-supplied payload is injected into a web page. The goal of the challenge is to set the global XSS variable. There are a few tricks here. First is the input validation, which limits the input to a fairly strict regular expression. No lowercase letters are allowed, to prevent things like infinite loops. We need to set XSS = something. There are not a lot of JavaScript built-ins that have all-uppercase names, but JSON will work. The obvious approach is, but that does not work. One thing to notice is that the regex allows the dash: -. This is a hint that we need to break out of an HTML comment with -->. Going through the progression of trying <SCRIPT>, >'>"><SCRIPT>, etc., and eventually figure out were in a comment. So, the solution is: --><SCRIPT>XSS=JSON</SCRIPT> 2017 Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 3 P a g e

5 Challenge 5: Follow the Traffic Found this pcap from a bank. I wonder if you can figure out where transfers are going. 1. Find traffic containing auth data. (uname/pass in plaintext, have to rebuild image) 2. (Credentials): (Username) user54429, (Password) E56rc4hMlv3xp, (Image Verification) Grumpy Cat 3. Response from valid auth gives second port (61702) and hints to look at port (8080) 4. Traffic at port 8080 contains caesar cipher'd DES-ECB key 5. Use DES-ECB key to decrypt hex-encoded bank info Flag (Bank account data): sendfrom: ::sendto: :sendamount:9001:::: Challenge 6: Caesar's Enigma Somehow Caesar got his hands on an Enigma machine. He has used standard methods to put the cylinder settings in ciphertext-a file and the switchboard settings have been encoded in to ciphertext-b. Ultimately, you will need to break the file ciphertext. plaintext-a Flag: VII IV V Reflect B RING AIE NEO ZZQ Solution: Ceasar Cipher (ROT 15) plaintext-b Flag: 8/5 14/22 3/9?/? 10/11 6/4 13/2 15/18 17/1?/? 382f f f f2f 3f f f f f f f2f 3f0a Solution: Hex encoded, then substitution cipher POC Code: key = { 'a': '5', 'b': 'c', 'c': 'f', 'd': '4', 'e': '1', 'f': 'a', '1': '3', '2': '8', '3': 'b', '4': '9', '5': 'e', '6': 'd', '7': '0', '8': '6', '9': '7', '0': '2', }; plaintext = '382f f f f2f 3f f f f f f f2f 3f0a'.replace(' ', '') ciphertext = '' for c in plaintext: ciphertext += key[c] print(ciphertext) decrypt_key = {} for c in key: decrypt_key[key[c]] = c new_plaintext = '' for c in ciphertext: new_plaintext += decrypt_key[c] print(new_plaintext) 2017 Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 4 P a g e

6 plaintext: Flag: 'MYXNAMEXISXMAXIMUSXDECIMUSXMERIDIUSXCMDRXARMIESXNORTHXXXGENXOFXFELIXXLEGXANDXLOYALXSRVNTXTOXTRUEXEMPERORXMXAU RELIUSXXXFATHERXTOXMDRXSONXHUSBANDXTOXMRDRXWIFEXXXANDXIX or 'My Name is Maximus Decimus Meridius... quote from the movie Gladiator' WILLXHAVEXVNGNCEXINXTHISXLIVEXORXNEXT' Solution: Break Enigma. Plaintext-a is the cylinder settings, plaintext-b is the switchboard settings. POC Code: from enigma.machine import EnigmaMachine machine = EnigmaMachine.from_key_sheet(rotors='VII IV V', reflector='b', ring_settings='a I E', plugboard_settings='8/5 14/22 3/9 19/25 10/11 6/4 13/2 15/18 17/1 21/20') machine.set_display('neo') enc_key = machine.process_text('css') machine.set_display('css') ciphertext = machine.process_text( 'MYXNAMEXISXMAXIMUSXDECIMUSXMERIDIUSXCMDRXARMIESXNORTHXXXGENXOFXFELIXXLEGXANDXLOYALXSRVNTX TOXTRUEXEMPERORXMXAURELIUSXXXFATHERXTOXMDRXSONXHUSBANDXTOXMRDRXWIFEXXXANDXIXWILLXHAVEXVNGN CEXINXTHISXLIVEXORXNEXT') print(enc_key) print(ciphertext) # Onto Decoding machine.set_display('neo') msg_key = machine.process_text(enc_key) print(msg_key) machine.set_display(msg_key) plaintext = machine.process_text(ciphertext) print(plaintext) Challenge 7: Lets Play a Game This executable was found lying around in a lab. See what you can do with it. Challenge 8: Protoverse I want to talk to this server. Need to learn its language first. Challenge 9: Strings - Reversing password Someone gave me this file. Apparently, there is a secret in it. You need the password to get the secret. Can you help me crack it? 2017 Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 5 P a g e

7 Challenge 10: Reversing needle We captured a program being used to exfiltrate data and its output. It's unknown what arguments were given to it. Can you find the flag in it? With a little bit of reverse engineering, it should be clear that the format consists of 16 word blocks, each block being seed, a verification number, the hash of the verification+secret, and 13 encrypted words of data. The encryption is done via xoring with the output of a linear congruential generator, seeded with the seed for each block. One twist is the algorithm also generates extra blocks using the same prng scheme. Given the secret, it's straightforward to verify which blocks belong and which don't. However, the participants aren't given the secret, so another way to identify the real data needs to be found. One way is to observe that the parameters chosen for the prng cause it to always produce even numbers. Blocks that contain odd numbers must be from the interesting data. The decryption should be straightforward: simply xor with the prng just like the encryption. The decrypted file should be a gziped file. Extracting it is a text files with a bunch of random numbers with the flag in plaintext in the middle of it Cyber Security Challenge Australia CySCA 2017 Miscellaneous Solutions 6 P a g e

Worksheet - Reading Guide for Keys and Passwords

Unit 2 Lesson 15 Name(s) Period Date Worksheet - Reading Guide for Keys and Passwords Background Algorithms vs. Keys. An algorithm is how to execute the encryption and decryption and key is the secret