13 Oct 2013

ebCTF: NET100 “index.php?-s”

OMG, Eindbazen got hacked. Can you figure out what this evil hacker did?

This was an easy challenge, and it was pretty straightforward what to do. It was meant to be solved by a lot of teams, and it was: 145 teams managed to solve it. There are a lot of write-ups for this challenge, so I will briefly explain the intended solution.

26 Feb 2012

CODEGATE 2012 – Network 100

Challenge Description

Someone has leaked very important documents. We couldn’t find any proof other than one PCAP file, but this file was damaged.

※ The password of the disclosure document is very weak and based on time, so it can be found easily.
The cryptographic algorithm is below.

Msg = “ThisIsNotARealEncryption!SeemToEncoding”
Key = 0x20120224 (if the date format is 2012/02/24 00:01:01)
Crypto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78


26 Feb 2012

CODEGATE 2012 – Misc-3

This challenge consists of a PCAP file with the following assignment:

You spied to find the “Secret of Joseon, which is a previous dynasty of Korea”.
You got all the main pages’ information to manage the unrevealed secret of Joseon through network sniffing.
Open the file containing the secret of Joseon.

26 Feb 2012

CODEGATE 2012 – Network 300

The NET300 challenge was actually a fun challenge which we solved pretty fast.

Challenge description:

One day, attacker A hacked into B company’s internal system and then stole backup data.
This backup data was made by attacker A himself.
Attacker A used his specifically configured network to detour B company’s security system.
Now you (an employee of B company) detected it late.
You have to analyze the traffic using Wireshark and find which data was leaked from which internal system.
The data stolen by attacker A will be an important hint to find the answer.
Answer : strupr(md5(Hint in the leaked data | Hacked internal system address)) (‘|’ is just a character)


26 Feb 2012

CODEGATE 2012 – Network 200

Challenge description

To whom it may concern regarding a DoS attack.

What is the difference between attack and normal traffic?
The attached PCAP file is from a suspicious client PC which may be infected.
If you find the TOP 4 targeted addresses, let me know the exact information as shown below.

Answer: COUNTRY_NAME_TOP1(3)COUNTRY_NAME_TOP2(13)COUNTRY_NAME_TOP3(2)COUNTRY_NAME_TOP4(5)_1.1.1.1_2.2.2.2_3.3.3.3_4.4.4.4

EX)
kind_1.1.1.1_2.2.2.2_3.3.3.3_4.4.4.4
TOP1 1.1.1.1 __k___
TOP2 2.2.2.2 ____________i___
TOP3 3.3.3.3 _n___
TOP4 4.4.4.4 ____d____


26 Feb 2012

CODEGATE 2012 – Network 500

This is part of C&C traffic without any certification.
It has been advanced using an auth process.
Find the C&C server address and make a bot command that meets the condition below.

Answer: auth_key|next_attack_time|next_attack_target

We get a PCAP file with a bunch of UDP traffic. There’s also an HTTP GET for a picture showing some disassembly. We OCR’d the image, corrected some OCR mistakes and turned it into a binary. The binary basically iterates over the string “1.2.3.4:4444” and obfuscates it in a certain way.


09 Jan 2012

GitS teaser 2012 – TeL aViv+

We have a file and the assignment to “get the password”. Ok, let’s see what kind of file it is:

$ file 7139a4ea239dcac655f7c38ca6a77b61.bin
7139a4ea239dcac655f7c38ca6a77b61.bin: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

Looks like a packet forensics challenge!
