Added NDH 2014 quals writeups

Author: Andrew Buss

Diff for: nuitduhack2014/index.html

@@ -0,0 +1,158 @@
+<p><link rel='stylesheet' href='markdown8.css'/></p>
+
+<h1>Nuit Du Hack Quals 2014 Writeups</h1>
+
+<p><a id="carbonara"></a></p>
+
+<h2>Carbonara</h2>
+
+<p>We're provided the following cryptic string:</p>
+
+<pre><code>%96 7=28 7@C E9:D 492= :D iQx&gt;A6C2E@C xF=:FD r26D2C s:GFDQ]
+</code></pre>
+
+<p>Googling a few of these fragments turns up a multitude of news articles using a "tncms" package. <a href="http://www.timesdispatch.com/news/local/central-virginia/a-pow-son-s--year-quest-finally-unfurls/article_3693659c-4788-516c-8c73-1c8defc13efa.html?mode=jqm">This</a> is one such page. Examining the source we find similar gibberish in the body of the article:</p>
+
+<pre><code> &lt;div class="encrypted-content" style="display: none"&gt;
+   &lt;span class="paragraph4"&gt;
+       kAm{2?5CF&amp;gt; 6G6?EF2==J &amp;gt;256 :E 9@&amp;gt;6] qFE E96 7=28 96 96=A65 E@ D64C6E=J 4C62E6 2?5 =2E6C H2G65 :? 2? :4@?:4 A9@E@8C2A9 E2&amp;lt;6? 2D 96 2?5 9:D 76==@H !~(D H6C6 =:36C2E65 @? pF8] ah[ `hcd[ G2?:D965 @G6C E:&amp;gt;6]k^Am
+   &lt;/span&gt;
+ &lt;/div&gt;
+</code></pre>
+
+<p>We also find a link to a <code>decrypt.js</code> link in the body of the article. Near the bottom is the following function:</p>
+
+<pre><code>tncms.unscramble = function (sInput) {
+    var sOutput = '';
+    for (var i = 0, c = sInput.length; i &lt; c; i++) {
+        var nChar = sInput.charCodeAt(i);
+        if (nChar &gt;= 33 &amp;&amp; nChar &lt;= 126) {
+            sTmp = String.fromCharCode(33 + (((nChar - 33) + 47) % 94));
+            sOutput += sTmp
+        } else {
+            sOutput += sInput.charAt(i)
+        }
+    }
+    return sOutput
+};
+</code></pre>
+
+<p>No need to reverse-engineer this; we can simply use it in the javascript console to unscramble our string:</p>
+
+<pre><code>tncms.unscramble('%96 7=28 7@C E9:D 492= :D iQx&gt;A6C2E@C xF=:FD r26D2C s:GFDQ]')
+"The flag for this chal is :"Imperator Iulius Caesar Divus"."
+</code></pre>
+
+<p><a id="onionrings"></a></p>
+
+<h2>Onion Rings</h2>
+
+<p>The hidden service accepts a profile picture upload, and includes the option to load from a non-TOR URL. So, we can ask it to load from our server, and capture the IP of the requestor. </p>
+
+<p>As <a href="http://sigint.ru/backdoor2014/backdoor2014.html#web100-1">before</a>, we can listen on port 80 on a server and submit our server's URL.</p>
+
+<p>The server's IP was 212.83.153.197. Visiting <a href="http://212.83.153.197/">http://212.83.153.197/</a> and searching for <code>flag</code>, we find:</p>
+
+<pre><code>The flag.. It is '0hSh1t1r4n0ut0fn00dl35'
+</code></pre>
+
+<p><a id="windowsforensics"></a></p>
+
+<h2>Windows Forensics</h2>
+
+<p>We are given a 400MB Windows pagefile. A few initial attempts along the lines of <code>strings pagefile.sys | grep flag</code> turned up quite a lot of results, but no interesting ones. Noticing several Chrome-related strings, we searched the file for URLs. Still, we found nothing interesting. </p>
+
+<p>Then, we reread the problem more carefully and saw that our task was to recover a command prompt session. Searching for command prompt pagefile.sys forensics yielded <a href="http://blog.roberthaist.com/2013/12/restoring-windows-cmd-sessions-from-pagefile-sys-2/">this excellent guide</a>. He uses <code>page_brute</code>, which splits the pagefile into 4096-byte pages and processes each with YARA. Installation of YARA proved the most difficult part of this challenge. Once YARA was installed, I added the following rule to page<em>brute's default</em>signatures.yar:</p>
+
+<pre><code>rule CMDscan_Optimistic_Blanklines
+{
+    meta:
+        author="Robert Haist | @SleuthKid"
+        description="Searching for blank lines and magic bytes that occur with paged cmd usage"
+    strings:
+        $m1 = { 63 3A 79 26 7B }
+        $m2 = { 77 00 27 00 57 00 27 00 77 00 }
+        $m3 = { 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 }
+    condition:
+        any of them
+}
+</code></pre>
+
+<p>Then, ran page_brute on pagefile.sys and reviewed the results using <code>strings -el CMDscan_Optimistic_Blanklines/*| sed -e "s/\s\{4,\}/\\n/g"</code>. Inside, we find:</p>
+
+<pre><code>  Microsoft Windows XP [version 5.1.2600]
+  (C) Copyright 1985-2001 Microsoft Corp.
+  C:\Documents and Settings\Administrateur&gt;ncat 192.168.130.105 1234
+  Username : JackTheRipper
+  Password : 200020012002
+  1337 - USER VALID
+  1338 - 04c0f778e6dd6c0a
+  1338 - 025e48c9f5f22f87
+  close: No error
+</code></pre>
+
+<p>Neither the password nor either of the two hex strings were the flag, so we tried concatenating the two hex strings. <code>04c0f778e6dd6c0a025e48c9f5f22f87</code> was the flag. The lowercase flag format gave us a hint for Here Kitty Kitty.</p>
+
+<p><a id="herekittykitty"></a></p>
+
+<h2>Here Kitty Kitty</h2>
+
+<p>In lieu of a writeup, we offer the following two images, and leave the solution as an exercise to the reader:</p>
+
+<p><img src="kitty-waveform.png" alt="waveform" title="" /></p>
+
+<p><img src="morse.png" alt="morse code" title="" /></p>
+
+<p>Unfortunately, <code>5BC925649CB0188F52E617D70929191C</code> was not accepted. We tried HashCat dictionary and bruteforce attacks without success. After solving Windows Forensics, we tried submitting as lowercase, which was successful. Case-sensitivity isn't fun!</p>
+
+<h2>BigMomma</h2>
+
+<p>Though we had the server binary, and briefly attempted to reverse it, we were able to identify how it worked by playing around with it for a few minutes.</p>
+
+<pre><code>   Please enter your username:
+   a
+   Nope (45)
+
+
+   Please enter your username:
+   b
+   Nope (46)
+</code></pre>
+
+<p>So, if <code>a</code> returns 45 and <code>b</code> returns 46, what returns 0? </p>
+
+<pre><code>&gt;&gt;&gt; chr(ord('a')-45)
+'4'
+</code></pre>
+
+<p>Let's try that:</p>
+
+<pre><code> Please enter your username:
+ 4
+ Nope (-100)
+
+
+ Please enter your username:
+ 4a
+ Nope (-3)
+
+
+ Please enter your username:
+ 4d
+ Nope (-77)
+</code></pre>
+
+<p>Apparently, we are provided the return value of the <code>strcmp</code> between our input and the correct username. So, we can derive the correct username one character at a time by converting the return value of the comparison between the terminating zero of our string, and the nonzero character of theirs. For example,</p>
+
+<pre><code> a = "4d\0"
+ b = "4dABCDEFGH"
+ strcmp(a, b) == ord('\0')-ord('A')
+</code></pre>
+
+<p>Though a script ultimately would have been a better idea, we figured at this point that the username wasn't very long. So, we persevered manually with netcat and a Python interpreter. By this method, we discovered that the username was <code>4dM1N15TR4T0R</code>. Then, we had to find the password, for which we received the same feedback as before. In the end, we determined that the password was <code>THEpasswordISreallyLONGbutYOUllGETtoTHEendOFitEVENTUALLY</code>. </p>
+
+<pre><code>Please enter your username:
+4dM1N15TR4T0R
+Username correct, what is the password?THEpasswordISreallyLONGbutYOUllGETtoTHEendOFitEVENTUALLY
+Well done! Here is the flag: YoMamaIsLikeHTML,SmallHeadAndHugeBody
+</code></pre>

Diff for: nuitduhack2014/kitty-waveform.png

@@ -0,0 +1,137 @@
+h1, h2, h3, h4, h5, h6, p, blockquote {
+   margin: 0;
+   padding: 0;
+}
+body {
+   font-family: "Helvetica Neue", Helvetica, "Hiragino Sans GB", Arial, sans-serif;
+   font-size: 13px;
+   line-height: 18px;
+   color: #737373;
+   background-color: white;
+   margin: 10px 13px 10px 13px;
+}
+table {
+   margin: 10px 0 15px 0;
+   border-collapse: collapse;
+}
+td,th {	
+   border: 1px solid #ddd;
+   padding: 3px 10px;
+}
+th {
+   padding: 5px 10px;	
+}
+
+a {
+   color: #0069d6;
+}
+a:hover {
+   color: #0050a3;
+   text-decoration: none;
+}
+a img {
+   border: none;
+}
+p {
+   margin-bottom: 9px;
+}
+
+h1, h2, h3, h4, h5, h6 {
+   color: #404040;
+   line-height: 36px;
+}
+h1 {
+   margin-bottom: 18px;
+   font-size: 30px;
+}
+h2 {
+   margin-top: 72px;
+   font-size: 24px;
+}
+h3 {
+   font-size: 18px;
+}
+h4 {
+   font-size: 16px;
+}
+h5 {
+   font-size: 14px;
+}
+h6 {
+   font-size: 13px;
+}
+hr {
+   margin: 0 0 19px;
+   border: 0;
+   border-bottom: 1px solid #ccc;
+}
+blockquote {
+   padding: 13px 13px 21px 15px;
+   margin-bottom: 18px;
+   font-family:georgia,serif;
+   font-style: italic;
+}
+blockquote:before {
+   content:"\201C";
+   font-size:40px;
+   margin-left:-10px;
+   font-family:georgia,serif;
+   color:#eee;
+}
+blockquote p {
+   font-size: 14px;
+   font-weight: 300;
+   line-height: 18px;
+   margin-bottom: 0;
+   font-style: italic;
+}
+code, pre {
+   font-family: Monaco, Andale Mono, Courier New, monospace;
+}
+code {
+   background-color: #fee9cc;
+   color: rgba(0, 0, 0, 0.75);
+   padding: 1px 3px;
+   font-size: 12px;
+   -webkit-border-radius: 3px;
+   -moz-border-radius: 3px;
+   border-radius: 3px;
+}
+pre {
+   display: block;
+   padding: 14px;
+   margin: 0 0 18px;
+   line-height: 16px;
+   font-size: 11px;
+   border: 1px solid #d9d9d9;
+   white-space: pre-wrap;
+   word-wrap: break-word;
+}
+pre code {
+   background-color: #fff;
+   color:#737373;
+   font-size: 11px;
+   padding: 0;
+}
+sup {
+   font-size: 0.83em;
+   vertical-align: super;
+   line-height: 0;
+}
+* {
+   -webkit-print-color-adjust: exact;
+}
+@media screen and (min-width: 914px) {
+   body {
+      width: 640px;
+      margin:10px auto;
+   }
+}
+@media print {
+   body,code,pre code,h1,h2,h3,h4,h5,h6 {
+      color: black;
+   }
+   table, pre {
+      page-break-inside: avoid;
+   }
+}