We were presented with a web-page containing a number of functions. After clicking around for a bit it was clear the goal is to log in to the board as ‘Baron zzingzzing’.
The access to the board is protected using a ‘certificate’. The site offers the possibility to obtain a certificate for ‘citizen’ but will only allow access to the board as baron, king or queen.
Alice wants to send a message to Bob in a secure way. Alice encrypted a plaintext PA = “IMISSYOU” = 0x494D495353594F55 by using DES and obtained ciphertext CA = 0xFA26ED1833264435.
Alice sent the ciphertext CA and the secret key to Bob. The secret key was encrypted by converting each of its letters to a pair of digits giving its position in the typewriter keyboard.
What is Administrator listening to the music?
This web based challenge was an online music player service that allowed us to upload music, and listen to the tracks we uploaded using a fancy web based audio player.
The service stated that you could only play tracks that are uploaded from your own IP.
That made us curious.. how would that check be implemented and are we able to bypass it?
This file is Forensic file format which is generally used.
Check the information of imaged DISK, find the GUIDs of every partition.
Answer: strupr((part1_GUID) XOR (part2_GUID) XOR …)
Download : B704361ACF90390C17F6103DF4811E2D
The file seems to be an Expert Witness File (EWF), which is a container file for forensic images. The file header shows the string EVF.
The file seems to be 1 MB of a full forensic image; because of all the missing information, this file cannot be processed by the standard forensic tools such as EnCase and FTK. Also, parsing the file with libewf did not seem to work.
The EWF file seems to contain multiple pieces of zlib compressed data, all these streams start with 48 0D.
Because of vulnerability of site in Company A, database which contains user’s information was leaked. The file is dumped packet at the moment of attacking.
Find the administrator’s account information which was leaked from the site.
For reference, some parts of the packet was blind to XXXX.
Answer : strupr(md5(database_name|table_name|decode(password_of_admin)))
So, we got a PCAP file with a nice SQL Injection attack on some web application. As it turns out this is a blind/boolean based injection, so we can’t easily tell what data got extracted. Time to write a little tool..
In the challenge’s zipfile we find two files:
– vm2x.exe, a simple Win32 GUI program with a handful of buttons
– vm2x.dat, Python bytecode wrapped in a regular Python script
The Python file (vm2x.dat) loads a chunk of embedded Python bytecode (in variable __code) and executes it. Let’s disassemble it, for which we first need to strip the last two lines (which execute and subsequently delete the embedded bytecode object).
The NET300 challenge was actually a fun challenge which we solved pretty fast.
One day, attacker A hacked into B company’s internal system and then stole backup data.
This backup data was made by attacker A himself.
Attacker A used his specifically configured network to detour B company’s security system.
Now you (B company’s employee) detected it late.
You have to analyze the traffic by using WireShark and have to find which data was leaked from which internal system.
A stolen data by Attacker A will be an important hint to find the answer.
Answer : strupr(md5(Hint in the leaked data | Hacked internal system address)) (‘|’ is just a character)
The first Misc challenge was worth 100 points, so as expected it’s no rocket science. We’re given an encrypted message:
Az hrb eix mcc gyam mcxgixec rokaxioaqh hrb mrqpck gyam lbamgarx oatygqh Erxtoigbqigarx Gidc hrbg gasc gr koaxd erzzcc zro i jyaqc Kr hrb ocqh rx Ockubqq ro Yrg man? Gyc ixmjco am dccqihrbgm
Turns out this is a simple substitution cipher; by analyzing the ciphertext’s character frequency distribution and some guesswork, we manage to obtain the plaintext:
In Energy corporate X which is located in Seoul, APT(Advanced Persistent Threat) was occurred.
For 6 months, Attacker A has stolen critical information with an elaborate attack.
Attacker A exerted great effort to remove his all traces such as malicious file, prefetch, registry and event logs for the period of attacking, so it was hard for Energy Corporate X to find an attacking path. However IU who is Forensic expert can find the traces of the malicious files Attacker A used by analyzing MFT(Master File Table).
What time malicious file was created? The time is based on Korea Standard Time(UTC +09:00)
(TZD : +hh:mm or -hh:mm). Calculate down to seven decimal points.