NDH2k11 nuit du hack 2011

NDH2k11 RCE 200

Submitted by jiva on Mon, 04/04/2011 - 22:31

This challenge was surprisingly simple. We were given an android .apk file. After converting the apk to a jar using dex2jar, we opening the jar with java decompiler JD. We immediately came across the following chunk of code.

ArrayList localArrayList = paramIntent.getStringArrayListExtra("android.speech.extra.RESULTS");
if ((!localArrayList.isEmpty()) && (a.b((String)localArrayList.get(0))))
	TextView localTextView = this.b;
	String str = a.a((String)localArrayList.get(0));

NDH2k11 Crypto 300

Submitted by jiva on Mon, 04/04/2011 - 21:42

"Python source code is very clear and concise, and could sometimes bring out lots of clues. This is particularly true for this challenge."

This challenge proved to be rather interesting because it validated our incessant desire to run a brute force while we look for other solutions.

The python code is very clean, but after a while the inheritance duplicity in the classes and quantity of the code becomes rather dizzying. After reading through all the code, it can really be distilled down to the following important sections:

1. (server side) network.py

NDH2k11 Web 200

Submitted by jiva on Mon, 04/04/2011 - 15:05

We were presented with a website resembling a French DMV website where we were allowed to upload images of license plates. After taking the upload, the site would then OCR the image and look up any existing infractions for the license plate.

We got extremely lucky when one of us was guessing filenames in the /upload directory and stumbled upon regplate.jpg when it contained an image of SQL injection. We re-uploaded the image and got the key.

Key: php/mysql=>el33T

NDH2k11 Web 100

Submitted by jiva on Mon, 04/04/2011 - 14:48

We were presented with a login page along with a registration page. Poking at the inputs for these pages, we weren't able to find a vulnerability. However, one of us noticed that when "Remember me" was selected, the server set a cookie user_cookies with the value containing base64'ed serialized PHP. We found that this serialized value contained an array with two elements, one for the username and the other for the password. We found that we could inject SQL into the username element of the array, so we crafted a SQL statement to see what privileges were available.


NDH2k11 Forensics 100

Submitted by jiva on Mon, 04/04/2011 - 13:24

"We have dumped the RAM of a Machine on which was running a VNC server.
The goal is to get the password of that VNC server."

Using volatility 1.3 with the registry plugins by Moyix (http://moyix.blogspot.com/2009/01/memory-registry-tools.html), it is simple enough to do a scan for registry hives and dump the registry hives to csv files:

[solo@macintosh:~/Desktop/tools/volatility]$ python2.6 volatility hivescan -f ~/Desktop/forensic100/Desktop/dump.raw 
Offset          (hex)          
44759904        0x2aafb60

NDH2k11 Forensics 200

Submitted by jiva on Mon, 04/04/2011 - 13:11

On a dumpe le fichier ntdis.dit d une machine executant un Active Directory
Il faut recuperer le mot de passe du compte john.
                     * * *
We have dumped the ntdis.dit file of a machine running Active Directory.
You must get the password associated with john's account.

NDH2k11 Forensics 300

Submitted by jiva on Mon, 04/04/2011 - 12:36

We were given a physical memory dump file DumpRAM_CTF.vmem and used Volatility to analyze this image.

After running a netscan on the image, we observed the following:

jiva@h4ckb0x:~/ctf/nuitduhack2011/fore300$ vol.py netscan --profile=Win7SP1x86 -f DumpRAM_CTF.vmem 
Volatile Systems Volatility Framework 1.4_rc1
Offset     Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
WARNING : volatility.obj      : Unable to find a type for pointer64, assuming int

NDH2k11 Crypto 100

Submitted by jiva on Sun, 04/03/2011 - 20:06

We were given a text file called lorem.txt.

Syndicate content
© 2010-2014 disekt - Hosted by inetric. Drupal theme by Kiwi Themes.