Merge branch 'master' of https://github.com/ctfs/write-ups-2015

Author: YASME-Tim

cyber-security-challenge-2015/README.md

@@ -36,13 +36,13 @@
 * [NSA](web-application-security/nsa)
 * [Security Terminology v2](general-security-knowledge/security-terminology-v2)
 * [Espionage](digital-forensics/espionage)
+* [Data Extraction](digital-forensics/data-extraction)
 
 ## External write-ups only
 
 * none yet
 
 ## Missing write-ups
 
-* [Data Extraction](digital-forensics/data-extraction)
 * [0day Hunting](web-application-security/0day-hunting)
 * [NVISO File Host](web-application-security/nviso-file-host)

cyber-security-challenge-2015/digital-forensics/data-extraction/README.md

@@ -8,7 +8,109 @@
 
 ## Write-up
 
-(TODO)
+For once, it payed off if you were paying attention in your highschool biology classes. When you learned about the birds and the bees, you also learned about DNA and RNA. That's exactly what this is.
+
+![DNA](images/dnarna.gif)
+( Taken from http://www.sophia.org/tutorials/video-material-10-dna-rna )
+
+So let's convert the image to the corresponding DNA (or RNA) characters:
+
+```python
+from PIL import Image
+ 
+im = Image.open("output2.jpg")
+print im.format, im.size, im.mode
+
+width = im.size[0]
+height = im.size[1]
+
+startX = 9
+startY = 14
+
+spacingX = 19
+spacingY = 28
+
+""""
+# blue = 224 = C
+# red = 228 = T
+# yellow = 103 = G
+# green = 2 = A
+"""
+
+# T
+def blue(r, g, b):
+	return abs(r-5) < 15 and abs(g-161) < 15 and abs(b-225) < 15 
+
+# T
+def red(r, g, b):
+	return abs(r-237) < 15 and abs(g-28) < 15 and abs(b-34) < 15 
+	
+# A
+def green(r, g, b):
+	return abs(r-35) < 15 and abs(g-178) < 15 and abs(b-73) < 15
+# C	 
+def yellow(r, g, b):
+	return abs(r-254) < 15 and abs(g-240) < 15 and abs(b-11) < 15 
+ 
+sol = ""
+y = startY
+while y < height:
+	x = startX
+	while x < width:
+		r, g, b = im.getpixel((x, y))
+		print r, g, b
+	
+		if blue(r, g, b):
+			sol += "C"
+		if red(r, g, b):
+			sol += "U"
+		if green(r, g, b):
+			sol += "A"
+		if yellow(r, g, b):
+			sol += "G"
+           
+		
+		x += spacingX
+	y += spacingY
+	
+print sol
+```
+Which gives us:
+```
+GACAUUUAAUGGGGUCAAUCUAUGUUCUCGGGAAUAGAAGAGCACUUCAGCGGGACUCUUUUAGACCCACGAGUAGCCGGCAAGCAGCUAGAUAAGCUAGUAGAUGGAGACCGCACCGCACUAUAGCAUAUGCUAGCUUAUAGGUCACACCUAUGAGGCAAGGAGCUAGUAGUAUAUCACCUCACUUCGCUGGGGGUGGUUUUAGUAUUGCCAUUUCCCAUACCGUAUGUGAAGACGUCGAGACAUUCCAUGGGCGUUUUAAGGCGCGGCGUUCUCUCCGCCCUGGUUCACGGGAUUCUGUCGAGAUUGCCGUUUAAAAAGAUUGUCUUGCUCACUUUGGCUCUUUCAGUCCGGCGCUUAAGCGCCUUGCAUAAACUUCGUAGCGCAGGUUUUGCGGCGAUGGCCAACCCAGGAUACCGCUGUUCAACAUUUGUCAGAUCCUCAUGUGACGGGACACCCAAAGCAGGAUGGCGCGCUGUCUCUCAGUAUAUAGAUUUAGUUUUAGUGUGAAGUGCACGCGGCCUAGAGCGGUCACGUCAUGUAUUAGAUCGUAUUGUAGUAACAUCUACCAGCUGCGACUUUUGAACCCGGAGGAGUCCAGGCAACGUAAAAGUAUGGCGUACCACGCGACCAAAUCCCUCAUCUUACGUGUACGAAGGAAGAUACCGCAUUUUAUCGCUUAUCACUAACGCGAGCGUCUAAGCGAACAUUACUAUCCUCUAUAAAAGUUAUACGUGGCUGCUACGGUGACGUAAAGCUUUCUGUUUAAAUGCGCGCCUAAUUCCUUACUGCUAUAACAUACAUCCACCCUACCUGCCACAGUUUCCUACGACCUGGAGAAAAAUUUAAAUGGCCGAUGAUGUGUCGCCACAUACGUGAGCUGAUAGCGGAAGUGUAAA
+```
+When your cells process the DNA strip, triplets are converted to Amino Acids. This is done using the following chart:
+
+![DNA](images/amino.png)
+( Taken from http://biobook.nerinxhs.org/bb/genetics/dna.htm )
+
+We can do this ourselves (which I did the first time), but we can also use the power of the internet:
+http://web.expasy.org/translate/
+
+Which gives the following output:
+```
+5'3' Frame 1
+DI-WGQSMFSGIEEHFSGTLLDPRVAGKQLDKLVDGDRTAL-HMLAYRSHL-GKELVVYH
+LTSLGVVLVLPFPIPYVKTSRHSMGVLRRGVLSALVHGILSRLPFKKIVLLTLALSVRRL
+SALHKLRSAGFAAMANPGYRCSTFVRSSCDGTPKAGWRAVSQYIDLVLV-SARGLERSRH
+VLDRIVVTSTSCDF-TRRSPGNVKVWRTTRPNPSSYVYEGRYRILSLITNASV-ANITIL
+YKSYTWLLR-RKAFCLNARLIPYCYNIHPPYLPQFPTTWRKI-MADDVSPHT-ADSGSV
+5'3' Frame 2
+TFNGVNLCSRE-KSTSAGLF-THE-PASS-IS--METAPHYSIC-LIGHTYEARS--YIT
+SLRWGWF-YCHFPYRM-RRRDIPWAF-GAAFSPPWFTGFCRDCRLKRLSCSLWLFQSGA-
+APCINFVAQVLRRWPTQDTAVQHLSDPHVTGHPKQDGALSLSI-I-F-CEVHAA-SGHVM
+Y-IVL--HLPAATFEPGGVQAT-KYGVPRDQIPHLTCTKEDTAFYRLSLTRASKRTLLSS
+IKVIRGCYGDVKLSV-MRA-FLTAITYIHPTCHSFLRPGEKFKWPMMCRHIRELIAEV-
+5'3' Frame 3
+HLMGSIYVLGNRRALQRDSFRPTSSRQAAR-ASRWRPHRTIAYASL-VTPMRQGASSISP
+HFAGGGFSIAISHTVCEDVETFHGRFKARRSLRPGSRDSVEIAV-KDCLAHFGSFSPALK
+RLA-TS-RRFCGDGQPRIPLFNICQILM-RDTQSRMARCLSVYRFSFSVKCTRPRAVTSC
+IRSYCSNIYQLRLLNPEESRQRKSMAYHATKSLILRVRRKIPHFIAYH-RERLSEHYYPL
+-KLYVAATVT-SFLFKCAPNSLLL-HTSTLPATVSYDLEKNLNGR-CVATYVS--RKCK
+```
+If you look clearly, you can see the password, which is "METAPHYSIC LIGHTYEARS". This website also solved the final hurdle: You don't have to start decoding at the first character, but at the second.
+
+Pass: `METAPHYSIC LIGHTYEARS`
 
 ## Other write-ups and resources
 

cyber-security-challenge-2015/digital-forensics/data-extraction/images/amino.png

@@ -17,4 +17,5 @@ So the flag is _batman_
 
 ## Other write-ups and resources
 
-* none yet
+* [`Cyber Security Challenge 2015: Espionage by Glenn Vandamme`](http://glennvandam.me/2015/03/cyber-security-challenge-2015-espionage/)
+

cyber-security-challenge-2015/digital-forensics/data-extraction/images/dnarna.gif

@@ -4,10 +4,10 @@
 **Points:** 150
 **Solves:** 14
 **Author:** Eriner
-**Description:** 
+**Description:**
 
 > It seems someone got a hold of my phone and deleted some important files, and now my phone won't boot! I had an important app on there, maybe you can get it working! Here is an image of my phone...
-> 
+>
 > [http://public.givemesecurity.info/16b11191c1410cb0184a6edd08e9105a.tar.gz](http://public.givemesecurity.info/OTACTF-2015/16b11191c1410cb0184a6edd08e9105a.tar.gz)
 >
 > Hint: I've encrypted my custom app so no one can find the secretz! Thankfully, I uninstalled it before someone hacked my phone! Trouble is, I can't install it on my new phone! Can you help?
@@ -18,28 +18,38 @@ This challenge revolves around finding an encrypted apk, and then decrypting it
 The app found here is titled: `net.opentoall.flag.flag-1.apk`. This app is a red herring, and upon opening the app, it shows a picture of a red fish and says "I'm here to distract you".
 This app was to be ignored, and had no useful information. It wasn't the encrypted app the challenge described.
 <br>
-<br>
 In the user storage directory, `mnt/android-4.4-r2/data/media/0` the file
  `encrypted.nothingtoseehere.apk` can be found.
- 
 <br>
+
+A shortcut, in this case, would be to use `find` to remove the burden of manual search:
+> ```
+> shell@android ~/ # find mnt/ -type f -iname "*.apk"
+> mnt/android-4.4-r2/data/data/com.google.android.gms/app_dg_cache/1B1C47D6957F9C3F15E0130296C46C62216574DA/the.apk
+> mnt/android-4.4-r2/data/app/net.opentoall.flag.flag-1.apk
+> mnt/android-4.4-r2/data/media/0/encrypted.nothingtoseehere.apk
+> mnt/android-4.4-r2/data/media/0/Download/flag.apk
+> ```
+
+Or,
+
 ```
-m/a/d/m/0 ❯❯❯ file encrypted.nothingtoseehere.apk
+shell@android ~/mnt/android-4.4-r2/data/media/0 # file encrypted.nothingtoseehere.apk
 encrypted.nothingtoseehere.apk: data
 ```
 <br>
 It showing 'data' likely means that it is encrypted, as no known headers or magic numbers were found. Doing some searches, you may have found this:
 http://nelenkov.blogspot.com/2012/07/using-app-encryption-in-jelly-bean.html
-There is also a book on the topic, but I cannot find it at the time of creating this writeup.
+There are a few books about Android JB app encryption (i.e. "Android Security Internals") worth checking out.
 
 <br>
-There are also a few books that cover Android JB app encryption. The most important piece of information to glean from this page is:
+The most important piece of information to glean from this page is:
 <br>
 
 > The --algo, --key and --iv parameters obviously have to do with encrypted apps, so before going into details lets first try to install an encrypted APK. Encrypting a file is quite easy to do using the enc OpenSSL commands, usually already installed on most Linux systems. We'll use AES in CBC mode with a 128 bit key (a not very secure one, as you can see below), and specify an initialization vector (IV) which is the same as the key to make things simpler:
 
 > ` $ openssl enc -aes-128-cbc -K 000102030405060708090A0B0C0D0E0F -iv 000102030405060708090A0B0C0D0E0F -in my-app.apk -out my-app-enc.apk `
-> 
+>
 
 Basically, this particular APK has been encrypted _manually_ and doesn't follow the twofish encryption Google Play uses when it encrypts the dmcrypt app-asec files. But you need a key! In the same blog post,
 
@@ -55,7 +65,15 @@ Basically, this particular APK has been encrypted _manually_ and doesn't follow
 > 0000020
 > ```
 
-As it says, the original android app encryption/decryption process uses twofish, but there is more than one way to encrypt and install apps on android. The keyfile mentioned above is also the keyfile needed to solve this challenge. Using that file as a key, you are able to decrypt the encrypted apk with openssl and grep/install to get the flag.
+As it says, the original android app encryption/decryption process uses twofish, but there is more than one way to encrypt and install apps on android. In this challenge, the encryption is done manually using openssl.
+
+Using the keyfile mentioned above (without spaces), decrypt the `encrypted.nothingtoseehere.apk`:
+
+> ```
+> shell@android # openssl aes-128-cbc -d -K aa7db8864627354c7a4b0fbd81f2f399 -iv 000102030405060708090A0B0C0D0E0F -in encrypted.nothingtoseehere.apk -out decrypted.nothingtoseehere.apk
+> ```
+
+From here, grep/install to get the flag.
 <br>
 ## Notes from the author:
 <br>

cyber-security-challenge-2015/digital-forensics/espionage/README.md

@@ -23,12 +23,12 @@ We find that the string is used in sub\_401ECE.
 
 ![function sub\_401ece](ida_sub_401ece.jpg)
 
-At *0x401EF2* we have the instruction `test eax, eax` which checks if eax is equal
-to zero.
+At *0x401EF2* we have the instruction `test eax, eax` which checks if eax is greater or less than, or equal to 0.
+
 If `eax` equals zero the program opens a MessageBox to tell us that the
-password is correct.
+password is correct. If not, then the program makes a simple jump to address `loc_401F07` and exits.
 
-How to make `eax` equals to zero ?
+So, our goal is clear: how to make `eax` equals to zero?
 `eax` contains the return value of the function called two instructions before.
 
 `0x401EEF: call eax`
@@ -48,7 +48,7 @@ IDA and find that each byte of argv[1] is compared to a 14 chars buffer
 
 It it matches, the function returns 0.
 
-The flag is `0p3n-t0_alL___`
+The flag is `flag{0p3n-t0_alL___}`
 
 ## Other write-ups and resources
 

opentoall-ctf-2015/misc/android-oh-no/README.md

@@ -10,7 +10,7 @@
 
 ## Write-up
 
-Opening the binary in IDA, we can see 3 particular parts in the `main` function:
+Opening the binary in IDA, we can see 3 particular assembly parts in the `main` function:
 
 * The red one which is the prologue. Basically it saves the frame pointer, changes the stack pointer and allocates some space for the function.
 * The green one which is in fact doing the same thing as the blue part but in a different way.
@@ -22,18 +22,18 @@ Let’s focus on what the green block is doing. Here I highlighted the parts whi
 
 ![IDA View 2](idaview2.png)
 
-While second and third ones are just saving values which are never reused, the first one is a lot more interesting since it moves to `ecx` some data which is then moved on the stack on the next instruction. We’ll come back in these data later.
+While second and third ones are just saving values which are never reused, the first one is a lot more interesting since some data contained as an immediate double word moves to `ecx` register, which is then moved on the stack on the next instruction. We’ll come back to these data later.
 
-We can see that a function, `sub_8048470` is then called and probably taking as argument the datas previously moved on the stack.
+We can see that function, `sub_8048470`, is then called and probably takes the data previously moved onto the stack as argument.
 
-The remaining instructions of the block is just printing the result of the previously called function as a character on stdout and then flush stdout. The blue block is as a result equivalent to the following C code.
+The remaining instructions of the block (post-`lea`) just prints the result of the previously called function as a character on stdout and then flushes stdout. The blue block is as a result equivalent to the following C code.
 
-```c
-printf("%c", sub_8048470(dword_804B058));
-fflush(stdout);
-```
+> ```
+> printf("%c", sub_8048470(dword_804B058));
+> fflush(stdout);
+> ```
 
-Now let's take a look at the **sub_8048470** function:
+Now let's take a look at the `sub_8048470` function:
 
 ![IDA View 3](idaview3.png)
 
@@ -51,42 +51,42 @@ All the offsets in `off_8048F50` lead us to the same pattern:
 
 ![IDA View 6](idaview6.png)
 
-This is basically xoring two values and returning the result. A quick look on the values in the different blocks shows us that only the first values are always ASCII values. By the way, these ASCII values are:
+This is basically xoring two values and returning the result. A quick look on the values in the different blocks shows us that only the first value is always ASCII characters. By the way, these ASCII characters are:
 
-```python
-"o gpcuabefihjmlnstw{}"
-```
+> ```
+> "o gpcuabefihjmlnstw{}"
+> ```
 
 Since we can make `flag{...}` with all these letters, let’s extract them in the same order the program does with a simple IDA Python script.
 
-```python
-from idaapi import get_byte, get_long
-
-# Bytes offsets used as index in main function
-b = [0x804B050, 0x804B058, 0x804B060, 0x804B068, 0x804B070, 0x804B078,
-     0x804B080, 0x804B088, 0x804B090, 0x804B098, 0x804B0A0, 0x804B0A8,
-     0x804B0B0, 0x804B0B8, 0x804B0C0, 0x804B0C8, 0x804B0D0, 0x804B0D8,
-     0x804B168, 0x804B0E4, 0x804B16C, 0x804B0F0, 0x804B0F8, 0x804B170,
-     0x804B104, 0x804B174, 0x804B110, 0x804B118, 0x804B178, 0x804B124,
-     0x804B12C, 0x804B134, 0x804B13C, 0x804B144]
-# Blocks offsets used to xor values
-o = [0x8048499, 0x80484B3, 0x80484CD, 0x80484E7, 0x8048501, 0x804851B,
-     0x8048535, 0x804854F, 0x8048569, 0x8048583, 0x804859D, 0x80485B7,
-     0x80485D1, 0x80485EB, 0x8048605, 0x804861F, 0x8048639, 0x8048653,
-     0x804866D, 0x8048687, 0x80486A1]
-
-# Get index values
-b = [get_long(x) for x in b]
-b = [x if x != 4294967295 else 0 for x in b] # Patch BSS datas values
-# Get bytes
-o = [get_long(x + 3) for x in o]
-# Get corresponding bytes
-f = [get_byte(o[x]) for x in b]
-# Convert to char
-f = [chr(x) for x in f]
-# Print result
-print("".join(f))
-```
+> ```
+> from idaapi import get_byte, get_long
+
+> # Bytes offsets used as index in main function
+> b = [0x804B050, 0x804B058, 0x804B060, 0x804B068, 0x804B070, 0x804B078,
+>      0x804B080, 0x804B088, 0x804B090, 0x804B098, 0x804B0A0, 0x804B0A8,
+>      0x804B0B0, 0x804B0B8, 0x804B0C0, 0x804B0C8, 0x804B0D0, 0x804B0D8,
+>      0x804B168, 0x804B0E4, 0x804B16C, 0x804B0F0, 0x804B0F8, 0x804B170,
+>      0x804B104, 0x804B174, 0x804B110, 0x804B118, 0x804B178, 0x804B124,
+>      0x804B12C, 0x804B134, 0x804B13C, 0x804B144]
+> # Blocks offsets used to xor values
+> o = [0x8048499, 0x80484B3, 0x80484CD, 0x80484E7, 0x8048501, 0x804851B,
+>      0x8048535, 0x804854F, 0x8048569, 0x8048583, 0x804859D, 0x80485B7,
+>      0x80485D1, 0x80485EB, 0x8048605, 0x804861F, 0x8048639, 0x8048653,
+>      0x804866D, 0x8048687, 0x80486A1]
+
+> # Get index values
+> b = [get_long(x) for x in b]
+> b = [x if x != 4294967295 else 0 for x in b] # Patch BSS datas values
+> # Get bytes
+> o = [get_long(x + 3) for x in o]
+> # Get corresponding bytes
+> f = [get_byte(o[x]) for x in b]
+> # Convert to char
+> f = [chr(x) for x in f]
+> # Print result
+> print("".join(f))
+> ```
 
 This way, we get the flag `flag{switch jump pogo pogo bounce}`.