Introduction to Hacking: Introduction and Stories about CTF Games.

Question #1

"hack the _________"

DGROMOV --- ST4R-L0RD

Av3ng3rs 1n1t14t1v3

https://ctftime.org/stats/2017/CO

THE ULTIMATE GAME IN COMPUTER SCIENCE

How do you prepare to defend?

Is there a single class that covers everything?

Creating hackers

What is a hacker?

How do you educate/train hackers?

SKILLS UNDER DEVELOPMENT

  • Cryptography
  • Steganography
  • Forensics
  • Reverse engineering
  • Exploitation

Enter defcon

HACK THE BOX

 

PHILOSOPHER

Crypto

Translation

Letter 1 = 365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A

Letter 2 = 5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A

Breaking the one-time pad

Totally secure

Totally secure?

ONE TIME PAD BREAKING

./xorstrings.py 365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A 5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A

=> 6c5845430e0d131400051a4d3d3c63181f180b1048031630194100101d3c07173b43021316170e00
./cribdrag.py 6c5845430e0d131400051a4d3d3c63181f180b1048031630194100101d3c07173b43021316170e00


Your message is currently:
0 ________________________________________
Your key is currently:
0 ________________________________________
Please enter your crib: punched cards
0: "�-+ fhw4cdh)N"
1: "(0-mevp f{?YO"
2: "56`n{qd%y,OX�"
3: "3{cp|ea:.\Nk"
...
26: "pes_or_cards}"
27: "`hRd�^'"pwejs"
Enter the correct position, 'none' for no match, or 'end' to quit: 26

Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 __________________________punched cards_
Your key is currently:
0 __________________________pes_or_cards}_

ONE TIME PAD BREAKING

thcon{punched_tapes_or_cards}
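
The key-reuse break shown above, as an added Python example (not part of the original slides or of the xorstrings.py / cribdrag.py tools): XOR the two letters so the shared pad cancels, then slide the crib along the result. The function names and the "plausible text" alphabet are assumptions of this example.

```python
import string

# The two ciphertexts ("Letter 1" and "Letter 2") exactly as given on the slide.
C1 = bytes.fromhex("365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A")
C2 = bytes.fromhex("5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A")

# Assumed alphabet for "looks like text": letters, digits, space, _ { }
PLAUSIBLE = set((string.ascii_letters + string.digits + " _{}").encode())


def xor_bytes(a, b):
    """XOR two byte strings; with a reused pad, c1 ^ c2 == p1 ^ p2 (the key cancels)."""
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(stream, crib):
    """Return {offset: crib XOR stream[offset:offset+len(crib)]} for every offset that fits."""
    return {i: xor_bytes(stream[i:i + len(crib)], crib)
            for i in range(len(stream) - len(crib) + 1)}


def plausible_offsets(stream, crib):
    """Offsets where the other plaintext decodes entirely into the assumed alphabet."""
    return [i for i, out in crib_drag(stream, crib).items()
            if all(b in PLAUSIBLE for b in out)]


if __name__ == "__main__":
    stream = xor_bytes(C1, C2)
    print(stream.hex())
    guesses = crib_drag(stream, b"punched cards")
    for off in plausible_offsets(stream, b"punched cards"):
        print(off, guesses[off])
```

The pad never has to be recovered: a single reuse is enough for a guessed word in one message to reveal the text at the same offset in the other.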

BROKENhash

The challenge points us to a web page, which asks us to upload two files

touch t.txt
touch t2.txt
if sha1[0] == sha1[1] and md5[0] != md5[1]: get flag # ;)

The website shows us an alert

We upload the two PDFs with the same SHA-1 produced by Google

The website returns => Too Easy.

We use a website to create two files with the same SHA

sha1sum a.pdf 
9895a12be3429d4ca69835aad36527664ed952e5  a.pdf

sha1sum b.pdf
9895a12be3429d4ca69835aad36527664ed952e5  b.pdf


THCon{ST0P_US1nG_Th0S3_l4m3_H4SH_FuNCTIONz}

AlexCTF 2017 – SC1: Math bot

It is well known that computers can do tedious math faster than human.

nc 195.154.53.62 1337

Writing the script -- python to the rescue

#!/usr/bin/env python3
# Answers the arithmetic questions sent by the Math bot service.

import socket

server = "195.154.53.62"
port = 1337

botMath = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("connecting to:" + server)

botMath.connect((server, port))
text = botMath.recv(2040).decode()
print(text)

while True:
    # Read the next block of text from the server
    while text == '\n':
        text = botMath.recv(2040).decode()
    if not text:
        break  # connection closed by the server
    print(text)

    # A question is the line containing "=": operand, operator, operand
    opera = None
    for te in text.split('\n'):
        if "=" in te:
            nbre1, opera, nbre2 = te.split(" ")[:3]
    if opera is None:
        text = '\n'  # no question in this block, read more
        continue

    if opera == "+":
        reponse = int(nbre1) + int(nbre2)
    elif opera == "-":
        reponse = int(nbre1) - int(nbre2)
    elif opera == "/":
        reponse = int(nbre1) // int(nbre2)  # integer division, as "/" did in Python 2
    elif opera == "%":
        reponse = int(nbre1) % int(nbre2)
    else:
        reponse = int(nbre1) * int(nbre2)
    botMath.send((str(reponse) + "\n").encode())
    print(reponse)
    text = '\n'

Fore3: USB probing (150)

One of our agents managed to sniff important piece of data transferred transmitted via USB, he told us that this pcap file contains all what we need to recover the data can you find it ? 

fore2.pcap
"Leftover Capture Data" > "Copy" > "...as Hex Dump"
We paste this into vim and delete the first column;
then, after %s/ //g and %s/\n//g, we have a hex string
cat ./raw | xargs python3 -c 'import sys; sys.stdout.buffer.write(bytes.fromhex(sys.argv[1]))' > out1.png
$ file out1.png
out1.png: PNG image data, 460 x 130, 8-bit/color RGBA, interlaced

$ exiftool out1.png
ExifTool Version Number         : 10.08
File Name                       : out1.png
Directory                       : .
File Size                       : 60 kB
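
The same recovery done in one pass, as an added Python example (not part of the original slides): strip the offset and ASCII columns from a hex dump, rebuild the bytes, and confirm the result is a PNG by checking the signature and the IHDR checksum. The dump line layout, the function names and the sample are assumptions of this example; the sample is constructed here with the geometry that `file` reports.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Assumed dump line layout: offset, up to 16 hex bytes separated by single
# spaces, then an ASCII column set off by two or more spaces.
LINE = re.compile(r"^\s*[0-9a-fA-F]{4,8}\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})(?:\s{2,}.*)?$")

def hexdump_to_bytes(dump):
    """Drop the offset and ASCII columns and join the hex bytes of each line."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def png_header(data):
    """Return (width, height, bit_depth, colour_type, interlace) or raise ValueError."""
    if len(data) < 33 or data[:8] != PNG_MAGIC or data[12:16] != b"IHDR":
        raise ValueError("not a PNG stream")
    if zlib.crc32(data[12:29]) != struct.unpack(">I", data[29:33])[0]:
        raise ValueError("IHDR CRC mismatch: bytes lost or corrupted")
    w, h, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    return w, h, depth, colour, interlace

def to_hexdump(data):
    """Render bytes in the assumed dump layout (used only to build the sample)."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%04x  %s   %s" % (off, chunk.hex(" "), text))
    return "\n".join(rows)

# Constructed sample: PNG signature plus an IHDR chunk with the geometry that
# `file` reports above (460 x 130, 8-bit RGBA, interlaced).
IHDR = b"IHDR" + struct.pack(">IIBBBBB", 460, 130, 8, 6, 0, 0, 1)
SAMPLE = to_hexdump(PNG_MAGIC + struct.pack(">I", 13) + IHDR + struct.pack(">I", zlib.crc32(IHDR)))

if __name__ == "__main__":
    print(SAMPLE)
    print(png_header(hexdump_to_bytes(SAMPLE)))
```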

Question #2 Trivia

It led to memory leakage between servers and clients, rendering a large number of private keys accessible. (one word)

Heartbleed

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet."

Reverse engineering

file gifted

$ file gifted
gifted: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked
(uses shared libs), for GNU/Linux 2.6.32, stripped

IDA time!!

.text:08048562                 push    dword ptr [ebp-0Ch]
.text:08048565                 push    offset aS       ; "%s"
.text:0804856A                 call    ___isoc99_scanf
.text:0804856F                 add     esp, 10h
.text:08048572                 sub     esp, 8
.text:08048575                 push    dword ptr [ebp-0Ch]
.text:08048578                 push    offset aAlexctfY0u_h4v ;
.text:0804857D                 call    _strcmp
.text:08048582                 add     esp, 10h
.text:08048585                 test    eax, eax
.text:08048587                 jnz     short loc_80485A3
.text:08048589                 sub     esp, 0Ch
.text:0804858C                 push    offset aYouGotItRightD 
.text:08048591                 call    _puts
The flag we enter is stored in the buffer at [ebp-0Ch] and compared with aAlexctfY0u_h4v
aAlexctfY0u_h4v = AlexCTF{Y0u_h4v3_45t0n15h1ng_futur3_1n_r3v3r5ing}

Much simpler

 

$ strings gifted
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
exit
...
[^_]
AlexCTF{Y0u_h4v3_45t0n15h1ng_futur3_1n_r3v3r5ing}
Enter the flag:
You got it right dude!
Try harder!
;*2$"
...
The flag is quickly found as a plaintext string in the binary. 
For further investigation, I disassembled the binary in radare2. 
The flag is being pushed as a string onto the stack just before 
the call to strcmp.

unvm me

If I tell you what version of python I used .. where is the fun in that?

unvm_me.pyc

We look for a Python decompiler - https://github.com/gstarnberger/uncompyle

$ mkdir unvm
$ virtualenv unvm
$ source ./unvm/bin/activate
$ pip install uncompyle2
$ ./unvm/bin/uncompyle6 ./unvm_me.pyc > unvms.py
$ cat unvms.py

import md5
md5s = [174282896860968005525213562254350376167L, 137092044126081477479435678296496849608L, 
126300127609096051658061491018211963916L, 314989972419727999226545215739316729360L, 256525866025901597224592941642385934114L, 115141138810151571209618282728408211053L, 
8705973470942652577929336993839061582L, 256697681645515528548061291580728800189L, 
39818552652170274340851144295913091599L, 65313561977812018046200997898904313350L, 
230909080238053318105407334248228870753L, 196125799557195268866757688147870815374L, 
74874145132345503095307276614727915885L]

print 'Can you turn me back to python ? ...'
flag = raw_input('well as you wish.. what is the flag: ')
if len(flag) > 69:
    print 'nice try'
    exit()
if len(flag) % 5 != 0:
    print 'nice try'
    exit()
for i in range(0, len(flag), 5):
    s = flag[i:i + 5]
    if int('0x' + md5.new(s).hexdigest(), 16) != md5s[i / 5]:
        print 'nice try'
        exit()

print 'Congratz now you have the flag'

Let's break MD5

We add this to get the MD5 hashes

for x in md5s: print '{0:032x}'.format(x)
831daa3c843ba8b087c895f0ed305ce7
6722f7a07246c6af20662b855846c2c8
5f04850fec81a27ab5fc98befa4eb40c
ecf8dcac7503e63a6a3667c5fb94f610
c0fd15ae2c3931bc1e140523ae934722
569f606fd6da5d612f10cfb95c0bde6d
068cb5a1cf54c078bf0e7e89584c1a4e
c11e2cd82d1f9fbd7e4d6ee9581ff3bd
1df4c637d625313720f45706a48ff20f
3122ef3a001aaecdb8dd9d843c029e06
adb778a0f729293e7e0b19b96a4c5a61
938c747c6a051b3e163eb802a325148e
38543c5e820dd9403b57beff6020596d

john the ripper to the rescue

$ john --incremental=LowerNum hashes --format=raw-md5
831daa3c843ba8b087c895f0ed305ce7: ALEXC
6722f7a07246c6af20662b855846c2c8: TF{dv
5f04850fec81a27ab5fc98befa4eb40c: 5d4s2
ecf8dcac7503e63a6a3667c5fb94f610: vj8nk
c0fd15ae2c3931bc1e140523ae934722: 43s8d
569f606fd6da5d612f10cfb95c0bde6d: 8l6m1
068cb5a1cf54c078bf0e7e89584c1a4e: n5l67
c11e2cd82d1f9fbd7e4d6ee9581ff3bd: ds9v4
1df4c637d625313720f45706a48ff20f: 1n52n
3122ef3a001aaecdb8dd9d843c029e06: v37j4
adb778a0f729293e7e0b19b96a4c5a61: 81h3d
938c747c6a051b3e163eb802a325148e: 28n4b
38543c5e820dd9403b57beff6020596d: 6v3k}
$ cat solution | sed 's/.*://g' | tr -d '\n '; echo

ALEXCTF{dv5d4s2vj8nk43s8d8l6m1ds9v41n52nv37j481h3d28n4b6v3k}

ENTER THE HACKBOX

RECONNAISSANCE AND SCANNING
