nullcon hack im 2011 walk through

HackIM Walk-Through Created by Anant Shrivastava for Null

HACKIM 2011

WALKTHROUGH


HackIM 2011 Walk Through

Contents Prelude .......................................................................................................................................................... 3

Introduction .................................................................................................................................................. 3

Level 0 ........................................................................................................................................................... 4

Level 1 ........................................................................................................................................................... 5

Level 2 ........................................................................................................................................................... 6

Level 3 ........................................................................................................................................................... 8

Level 4 ........................................................................................................................................................... 9

Level 5 ......................................................................................................................................................... 11

Level 6 ......................................................................................................................................................... 12

Level 7 ......................................................................................................................................................... 13

Level 8 ......................................................................................................................................................... 15

Level 9 ......................................................................................................................................................... 17

Level 10 ....................................................................................................................................................... 19

Level 11 ....................................................................................................................................................... 20

Level 12 ....................................................................................................................................................... 24

List of tools used. ........................................................................................................................................ 28


Prelude

Before I begin I would like to thank the organizers of nullcon and specially the nullcon HackIM Contest. I

have enjoyed 5-6 days during the challenge and have also got to meet a lot of new people.

Besides all the stuff that’s listed below there were a large number of discussions that took place at IRC

both on the main channel and on private one to one chat, that helped one and all in solving the

problems. For this special thank goes to FB1H2S - Rahul Sasi and karniv0re. All three of us were teamed

together to compete against each other in the battle.

Introduction I am presenting a walkthrough of all 12 levels of HackIM 2011.

I have designed the walkthrough in below points for each level.

1. Description and hints of level. (Optional)

2. Screenshots as required.

3. Steps how that level could be cracked.

4. Pitfalls / Diversion points: places which can distract you from the actual solution.

Note: I have intentionally not provided password for each level.

http://www.fb1h2s.com/

http://garage4hackers.com/

Level 0 Description : This was truly an Idiot’s Test. This was just checking whether we know how to look at the

source-code or not.

Hint : L0 == I just wanna say one word to you.. just one word.firebug .or you could just mind your 'action'

Clue was evident in the source code.



This specified that password value is “” null zero nothing.

All that is needed to crack this level was a blank password. However a quicker way is by just visiting the

action url.

i.e. level-0-proc.php

Once you are through with level o you get


Lets see what we have next.

Level 1 Description : Not exactly an idiot’s test however it does check’s how attentive you are to various details.

Hint : L1 == Dig Deep to find the Treasure

Lets look at the source code again.

We are unable to find any clue and yet we reached the end of html document marked by </html>

However if we look closely we have not reached the end of page.

So that’s the hint, lets see what we find at the bottom.



So we found some text. However one glance will tell its not password, it can be confirmed by testing it

on page itself. Now the architect is bad he don’t want us to get things directly.

So lets try some basic cipher’s on this. One of the very basic cipher is Caesar cipher. We could use online

tools for such conversion.One example : http://www.purplehell.com/cgi-bin/riddles/rot.pl

This tool gives you all type of rot ciphers. So giving the above text as input and checking output at Rot 13

we will get our password.

Pitfall: The pitfall is that no specific text specifies that its Rot it’s just assumption.

Level 2 Description : This was the start of good tricks on the HackIM challenge.

Hint : L2 == elePHPant arriveS - Courtesy PHPCamp Pune'11

http://www.purplehell.com/cgi-bin/riddles/rot.pl

After checking that an image is specified, first thought goes in for stegnography. However looking in the

source code we get reference to original image.



So a quick md5 based check on original and new image can be done to check that file is tampered or

not.

Result is negative here means that the file is not altered.

So lets look in more details then. We also have one more comment in source pages.



Lets see what this is, a quick google search will lead to following page :

http://serverfault.com/questions/180104/what-is-addtype-application-x-httpd-php-source

This clearly tells everyone that this directive is given in apache server when admin wants to provide

access to certain files to show the source code without getting executed.

The most common such extension is php. Trying this on both the url level-2.phps and level-2-proc.phps

reveals the password now all it needs is copy paste.

Note : hint was released towards the end of game hence I didn’t used the hint. Otherwise hint specified

the file extension in the capitalization.

Pitfall : we might spend a lot of time with the image thinking it’s a a clue or it’s a direction. However it’s

a decoy.

http://serverfault.com/questions/180104/what-is-addtype-application-x-httpd-php-source

Level 3 Description : This was more of a word play.

Hint : L3 == Read Between the Lines

Clue : 

So now we don’t have much to work on in terms of hints. So lets look at the clues then.

If we look in parts online the above two sentences, we get multiple references to simpson’s.

However the details comes out if we start looking at some specific words.“My lisa, worm, simpson.”

With my lisa a reference comes in mind of Melissa, this leads us to the wiki page of Melissa wom.


So we can be sure of the correct way coz one of the name is simpson’s. so just a look at each name tells

us that

So we know the answer now.

Level 4 Description: This was much of a straight forward programming contest.

Hint : L4 == http://tinyurl.com/6g37s39 : LMGTFY

The question was very clear with just one twist. The previous answer that we need as first iteration is

not available to us.

Lets check the source code for any hint we can find.

http://tinyurl.com/6g37s39

This looks more like a base64 encoded string. Let’s check it here,

http://ostermiller.org/calc/encode.html

This gives us the answer to the previous answer. Which is marked as F1. However we need a decimal

number for alphanumeric. So we can go for hexadecimal to decimal conversion.

Now all is left to write a simple code to perform the calculation or you could try by hand if you wish to.

I wrote a simple javscript function to do the task, you could use your programming language of choice

Attaching my code for reference.

function calc() { var first_no = 0; var second_no = 0; var previous_ans=241; var i; for (i=0;i<=31337;i++) { ans = first_no + second_no + previous_ans + (first_no * second_no); first_no = first_no+ 1; second_no = second_no + 2; previous_ans = ans; } document.write("Answer :: " + ans + "</BR>"); } Once you run this code you get the answer.

http://ostermiller.org/calc/encode.html

Pitfall :

1. F1 could be confused by F1 key, I even tried placing the F1 key ascii conversion as previous

answer.

2. Second pitfall is shortsightedness in variable type. If you take int or long in c the output is

incorrect. You need to take long double.

Level 5 Description : this level marked the beginning of craziness in HackIM. First level asking for downloading

file.

Hint: L5 == Everything isn't always the way it seems to be | Listen it, use your imagination you can't

imagine anything else being a hacker

Code Hint : 

Just a quick look @ the wave file reveals that the file consist of zero’s and one’s. that directs in two

ways, morse code and DTMF tone’s.

However morse code could be ruled out as the file doesn’t have any specific spacing between dots and

dashes to denote word / character ending.


DTMF decoder used : http://www.dialabc.com/sound/detect/index.html

This gives us the output as 32 bits of data. Now 32 bits of data could mean many things however from a

network and security point of view most direct reference comes out to be IP Address.

So 32 bit converted to IP address and now this IP address to be converted back to hostname, here we

can use reverse ip lookup : it shows that this ip contains total of 24 websites hosted. However the

answer was a bit of surprise coz this level didn’t define when to stop.

Answer is one of the domain names specifically domain name related to this website.

Level 6 Description: a executable decoding based round.

Hint: L6 == The world would be incomplete without Voodoo

This level required an exe to be downloaded. This exe is a program that repeats whatever your wrote on

to the mail id. Also without any options this yielded a lot of information. At that point its clear that

password is inside the exe so let’s open it. And then inside file I started with the message I can see in

case of no option on command-line.


Pitfall : people may start sniffing or debugging the exe. Some may even try to decompile it. However the

answer was very straight forward.

Level 7 Description : This level asked you to download .evt file and give out name of faulting application.

Hint : L7 == Lets note it down first - Courtesy anant


This event was more of a straight forward one if you just know what needs to be used.

This file extension belongs to log viewer for windows. Those working on windows tried opening the file

on log viewer and received an error. So the next best alternative that anyone can foresee as well as

evident from the Hint (). Lets try using notepad / notepad++ / gedit / vim.

Now we can see the file all what we need is to find the correct application.

This is where the trick comes in picture.

Pitfall : we may get confused with various application/service names that are listed.


However if we look closely at the question the question asks us the name of application. So lets search

.exe in the file and lo and behold we got the answer in just one click.

Note : big brother per my understanding refers to log viewer.

Level 8 Description : This was a tricky one. This was a tcp dump. And we needed to find out time @ routers with

111.* series ip.

Hint : L8 == And I will Reply great vengeance upon them with furious Attack; and they shall know that I

am the lorD, when I shall lay my vengeance upon three. Ezekiel23:28 | RFC 2328 Section D.3 Cisco

Implementation

Before the hint was released which was one day after people reached this level, the first task was to

identify which protocol can contain the information related to time stamp. Prominent protocols in the

dump were : ICMP, SMB and OSPF. Just a quick glance at ICMP do not contain timestamp from machine

and smb is not from router.

That leaves OSPF protocol. By the time hint started pouring in, RFC 2328 is for OSPF protocol, while the

document in itself is a good readout however the document is quite a lot to read and has a lot many

things to deviate from the path. Second part of hint helped in pin pointing the value: Section D.3 which

talks about the cryptographic implementation.

The point to be referred here was: However, it is expected that many implementations will use "seconds

since reboot" (or "seconds since 1960", etc.) as the cryptographic sequence number. Such a choice will

essentially prevent rollover, since the cryptographic sequence number field is 32 bits in length.

Now this is where we got the idea about the time stamp. So just a quick conversion of cryptographic seq

no from hex to decimal and a date conversion give us a number which to our horror is not the correct

answer.

Now the third part of hint is what needs to be checked. : Cisco implementation. However

http://ciscorambling.blogspot.com/2008/11/what-is-epoch-time.html is all that is needed for the level.

For epoch conversion we can use any online tool Ex : http://www.epochconverter.com/

Now the problem is left to enter the date in proper format. This is where the clue hidden inside the

source comes into the picture.



Pitfall :

1. The pitfall is not checking the Cisco implementation properly.

2. Second pitfall could be entering the date in improper format.

http://ciscorambling.blogspot.com/2008/11/what-is-epoch-time.html

http://www.epochconverter.com/


Level 9 Description : this was a play around on the web form and its methods.

Hint : L9 == Leechers will be banned. Seeders welcome :) | Bhavnao ko samjho sabdo mey kya rakha

hai... | Developers are bound to make mistake that why hackers exist...

This level was a two part challenge. Only Post method was allowed and not GET (Leechers get data and

seeders Post the data). So setting user id as administrator and password as blank, and method set as

post requires JavaScript to be disabled as the validation is at client side.


Now looking at the source code of this web page gives us the required details.

A Quick search of this comment’s first few characters of the string (/9j/) points to one of many links :

http://support.microsoft.com/kb/836555

This is about various MIME types and this comes out to be an image format in binary format which is

base64 encoded. To decode this we can use:

http://www.opinionatedgeek.com/dotnet/tools/base64decode/

This helps decoding the image back to jpg format however the download comes out as .bin just we need

to rename it.

http://support.microsoft.com/kb/836555

http://www.opinionatedgeek.com/dotnet/tools/base64decode/


So all that is needed now is to zoom in the file and get the password.

Level 10 Description : This was a windump or rather a windows memory dump,

Hint : L10 == Open the doors of the Windows, & take a trip down the memory lane

This level contains a memory dump taken from windows machine , instead of me explaining it would be

better if I point you to the correct direction.

http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html

also you will need updates from : http://moyix.blogspot.com/2009/01/registry-code-updates.html

Note: backtrack has this utility preinstalled except the updates.

http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html

http://moyix.blogspot.com/2009/01/registry-code-updates.html


Once you have the SAM file dump all you need is to crack / decode / decrypt the password. You can use

online rainbow tables or if you have a local copy then you can use that too.

NOTE: you might need to disable the JavaScript in this page to allow you to enter correct password.

Level 11 Description : One of the most complex levels of the contest.

Hint : L11 == After stumbling upon love ... don't stop there my dear, there is still lots to be done | Don't

just accelerate your mind's meter my dear, peep into my heart, for you'll see, safely concealed in it, is a

golden key, but if u're at loss bumblebee, take some free help openly from Linus's pet Geeko Mascot

Lizard | If geeko don't help ask from his good brother CAMOU.....

The first confusion comes from the file extension, ulti.toppi. However the hint comes in the form of link.

CAP. However there is a easy solution, in linux you have a simple utility called file.

#file ulti.toppi


Output :

Now we know that file is a tcpdump and we can use wireshark to view the data. However to our surprise

the file is a wifi sniffed data which is wpa protected.

Aircrack comes to the rescue to crack the wpa key, however the problem with aircrack is that it requires

a dictionary to work on a dump. Luckily Backtrack has one of the best dictionaries. So a simple aircrack

attack with wpa dictionary reveals the password. Once the password is found it could be used to

decrypt the password using airodump. Now we can load back the decrypted dump into wireshark. Now

wireshark reveals a plain text ftp transmission and a file exchange, file names meter.jpg.


Another good tool that can be used in this analysis is network miner which has recently reached version

1. It has only one limitation it needs the file to have .cap extension.


Once you have extracted the image you completed ¾ part of the challenge.

Now with image all we can think of is stegnograph and one of the best tools in regards with this stego

toolkit.

$ Stegodetect meter.jpg

However usage of this tool proves to be the first diversion.

As suggested by stego I spent nearly 5 hrs with all three wordlist’s on jphide decoding.

When all failed, we have to revert back to the hint.

“but if u're at loss bumblebee, take some free help openly from Linus's pet Geeko Mascot Lizard | If

geeko don't help ask from his good brother CAMOU.....”

Now this hint was released in parts. So after spending a lot of time and especially after release of last

part you will get following.

1) chameleon Stegnography suite. : http://chameleon-stego.tripod.com/home.html

2) Camouflage Stegnography suite. : http://camouflage.unfiction.com/

Out of all this Camouflage stegnography is what is referred to in the hints section. However we still are

short of the password, so our search starts again and we again head back to google.

And we arrive @ http://dl.packetstormsecurity.net/0701-exploits/camouflage-crack.txt

Now all we need is to apply the details as provided. What I did was to overwrite the password

keeping first character as 63 which represents “a”. so now I can use the standard comuflage

application to uncomouflage the file with password as a. and we got the secret file out which

contains the password.

http://chameleon-stego.tripod.com/home.html

http://camouflage.unfiction.com/

http://dl.packetstormsecurity.net/0701-exploits/camouflage-crack.txt

http://dl.packetstormsecurity.net/0701-exploits/camouflage-crack.txt


And so we reach the penultimate level of The Challenge.

Level 12 Description : This is a final challenge, this means the challenge looks easy but not easy.

Hint : L12 == Queen of Witches EnteRed mY hearT, but I did the right thing and let down the f/tart

Now if we look at the file we find that file contains very random set of characters.

Lets try to analyze the file.


This tells us that we have 26 characters in the character set, and if we look closely we will find the

occurrence or absence of characters.

Now if we look at the hint once again and then look closely to the most used part of the computer

our keyboard and encoding is staring right in the face.

The encoding – decoding set that was used is .

! = W

@ = E

# = R

$ = T

% = Y

^ = U

& = I

* = O

( = P

Q = S = A

W = D = S

E = F = D

R = G = F

T = H = G

Y = J = H

U = K = J

I = L = K


O = ; = L

P

A = X = Z

S = C = X

D = V = C

F = B = V

G = N = B

H = M = N

J = , = M

K = ,

L

Z

X

C SAPACE

V

B

N

M

This conversion can be done manually or programmatically.

JavaScript based program is listed below.

Note : The program gives two sentences due to an error in coding of the words as at places Q is

interpreted as S and at others its treated as A. similarly for few more characters.

function ev() { var inp = "$t@c*(@gcq@s^#&$%cs*hh^g&$%c#@r&q$@#@wcg*gc(#*e&$cq*s&@$%c&qcfqsuc!&$tcg^iis*gcg^iis*gcr*qcw!&$&%qc&g$@#gq$&*gqictqsu&grcs*ge@#@gs@kc!@ctqd@cq*h@cqhqa&grc$qiuqci&g@wc^*c$t&qc$&h@cq#*^gwc$tq$c!&iicq^#@i%cstqgr@c%*^#c(@#q(@s$&d@c*ecq@s^#&$%cugc$t@ce^$^#@kc!@c$tqguc$t@cs*hh^g&$%ce*#cq^((*#$&grc^qjc&$c&qc%*^#cq^((*#$c$tq$c!@ctqd@cr#*!gcqgwcq#@cqfi@c$*cq@#d@c$t@cs*hh^g$%c&gcqcf@$$@#c!q%keiqroc%*^cq#@c*^#ct@#*"; var coder_array = "!@#$%^&*(QWERTYUIOASDFGHJKC"; var decode_array = "WERTYUIOPSDFGHJKL;XCVBNM, "; var decode_array2 = "WERTYUIOPADFGHJKL;XCVBNM, "; for (i=0;i<inp.length;i++) { document.write(decode_array[coder_array.indexOf(inp[i].toUpperCase())]); } document.write("<br />"); for (i=0;i<inp.length;i++) { document.write(decode_array2[coder_array.indexOf(inp[i].toUpperCase())]); } }


Level 13

Description: This level was the worst part. I am still working on it.

Hint : L13 == Bas ab kitna kheloge :P (no hint could help you here.)

This required a document to be prepared explaining how each level was crossed.

This document you are reading is an extended exercise to the challenge to document the challenge

in a batter way.


Thanks for Reading it so far.

So atlast a brief introduction about myself (Shameless self promotion)

Anant Shrivastava

CEH | RHCE

http://anantshri.info

http://blog.anantshri.info

[email protected]

List of tools used. 1) Notepad / Notepad++ / Gedit / Vim

2) Calc

3) BackTrack

a. WireShark

b. Aircrack-ng suite.

c. Stego suite

d. Volatility

e. Md5sum

4) Cryptoanalysis.net

5) Network miner

6) Firefox

a. Web Developer Toolbar.

b.

http://anantshri.info/

http://blog.anantshri.info/

mailto:[email protected]

nullcon hack im 2011 walk through

Technology