26 Jan 2012

MozillaCTF 2012 – Text Transformation Puzzle (50)

In this challenge we received the first paragraph of the book Flatland and the key 49665857477f4b40304276. There are two interesting things about this: the paragraph was full of spelling errors, and the key decodes to mostly printable ASCII:

[dutchy@azer ~]$ echo "49665857477f4b40304276" | xxd -p -r -
IfXWGK@0Bv

The spelling errors in the text spell out this string: pTldwFsySqD. That is the same length as the decoded key, so could the two be related? Let’s find out!
The usual approach when an answer requires a key is XOR, so let’s try that:

26 Jan 2012

MozillaCTF 2012 – Dory’s language school (300)

The challenge is simple:

Find a Cross-Site Scripting hole in Dory’s Language School and steal her cookie. Links will be accepted at Twitter. Send a private message to @MozillaCTF with hashtag #Dory. Private, because you do not want to give away your exploit to the public.

The site makes the common mistake of embedding user input inside JavaScript without proper escaping: quotes are escaped, but the backslash is not. This means https://challenge20.mozillactf.org/?language=a;alert(1);//\ produces the following HTML:

<!doctype html>
<html>
<head>
    <title>Dory's Language School</title>
    
        <script>	
	_=eval,_(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d=k||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k)}}return p}('e c(){2=b.9("2");6=/5 a = \'([^\']*)\';/.4(2[0].7);3=/5 3 = \'([^\']*)\';/.4(2[0].7);h(!/^[\\d]*$/.8(6[1])||!/^[\\d]*$/.8(3[1]))g("f i")}',19,19,'||script|country|exec|var|lan|innerHTML|test|getElementsByTagName|lang|document|protect||function|attack|alert|if|detected'.split('|'),0,{}))
       
        var lang = ';alert(1);//\'; var country = ';alert(1);//\';


26 Jan 2012

MozillaCTF 2012 – Sharkpedia (400)

Sharkpedia was a web challenge that frustrated us at first. But like anything, it’s easy once you know how 🙂

The code for Sharkpedia (which we grabbed after we solved it, no way around that):

<?php
$param = @$_GET['p'];

$mode = preg_replace('/[^\w]/', '', $param);

include('textcontainer.php'); // actual content

$functions = array(
	'a' => @create_function('', "return '<h2>$param: $textcontainer[0]';"),
	'b' => @create_function('', "return '<h2>$param: $textcontainer[1]';"),
	'c' => @create_function('', "return '<h2>$param: $textcontainer[2]';")
);
$links = '';
foreach($functions as $char=>$code)
	$links.= "<a href=\"?p=$char\">$char</a>, ";
$links = substr($links, 0, -2);

if(empty($mode) || !isset($functions[$mode]))
{
	echo "<p>The following functions are available: " . $links;
    echo "</p>";
	exit;
}

echo "<h2>Result</h2>";
echo $functions[$mode]();
echo "<p><a href=\"?p=\">back</a></p>";

?>


17 Jan 2012

Protected: NullCon HackIM 2012


09 Jan 2012

GitS teaser 2012 – AL’s revenge

AL’s revenge was basically a crypto/math challenge with some file format puzzling at the start. The given file is an XZ archive containing a program in LLVM bitcode. Since the Unix ‘file’ utility knows about both of these file formats, this wasn’t hard to figure out. After that, the trick is to compile the LLVM bitcode to an ELF binary using the ‘llvmc’ tool, after which you can use your favourite disassembler/decompiler to reverse engineer the binary.

After reversing the program and converting the important code to Python, it gets interesting!


09 Jan 2012

GitS teaser 2012 – hackquest

This challenge is a remote exploitation challenge built around a text-based adventure game. The game binary is quite complicated for a C program, using a number of structs and unions to store the game data. The exploitable bug is not one of the standard memory corruption bugs, but an error in the way the game logic handles these structures.

Here’s how we found the bug, and how we exploited it.


09 Jan 2012

GitS teaser 2012 – TeL aViv+

We have a file and the assignment to “get the password”. OK, let’s see what kind of file it is:

$ file 7139a4ea239dcac655f7c38ca6a77b61.bin 
7139a4ea239dcac655f7c38ca6a77b61.bin: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Looks like a packet forensics challenge!
