About me
Yaniv Miron aka Lament
Security Researcher and Consultant
Certified Locksmith & CISO Certified
Found 0-days @ IBM, Oracle, Microsoft, Apache, Facebook (F-U for not giving me credit & bounty) and more.
HackThisSite.Org
One of the largest sites in this area
Different cool challenges in there
Other sites
http://canyouhack.it
http://www.dareyourmind.net
http://crackmes.de
Many more
The Ranks
Different levels give different ranks
Solutions
There are different ways to solve different tasks; it could be that there are easier ways than what I'm showing here, but this is the path that I took.
I'm trying to show how to think rather than just show the quick way to get a solution.
Sometimes it makes the solution more complicated.
DEMO Time !
Stego5.bmp #1
Hack The Planet
stego5.bmp
Stego5.bmp #2
First things first, is it really a BMP file?
Stego5.bmp #3
Looks like it:
Stego5.bmp #4
So what's next? I think I saw something similar in the past. Maybe as a user avatar? Let's save it
avatar.jpg
Stego5.bmp #5
We have a problem. You can't really compare a BMP (the original) and a JPG (the avatar).
Or can we?
Stego5.bmp #6
Let's just turn the JPG into a BMP
Stego5.bmp #7
Stego5.bmp #8
Stego5.bmp #9
LSB?
Stego5.bmp #10
We will take the stego5.bmp hex and turn it into binary.
Stego5.bmp #11
Let's write a Python script, cuz we're kewl
Stego5.bmp #12
And back to ASCII
Looks interesting, maybe it's syn-ack-?
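The LSB step above, as an added example that is not the script from the slides: it builds a small 24-bit BMP cover (constructed, not stego5.bmp), hides a constructed message in the least significant bit of each pixel byte, reads the pixel-area offset from the BMP header, collects the LSBs back into octets and decodes them as ASCII. `changed_bytes` is the byte-level comparison the slides do between the original BMP and the converted avatar.

```python
import random
import struct

# Added example, not the slides' script. BMP layout used here: 14-byte file
# header (pixel-array offset at byte 10), 40-byte BITMAPINFOHEADER, rows of
# 24-bit pixels padded to a multiple of 4 bytes.

BMP_HEADER_LEN = 14
DIB_HEADER_LEN = 40


def make_cover_bmp(width: int, height: int, seed: int = 1) -> bytes:
    """Constructed cover image: random 24-bit pixels under a valid BMP header."""
    row_bytes = width * 3
    pad = (4 - row_bytes % 4) % 4
    rng = random.Random(seed)
    pixels = bytearray()
    for _ in range(height):
        pixels += bytes(rng.randrange(256) for _ in range(row_bytes)) + b"\x00" * pad
    pixel_offset = BMP_HEADER_LEN + DIB_HEADER_LEN
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", DIB_HEADER_LEN, width, height, 1, 24,
                             0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + pixels)


def is_bmp(data: bytes) -> bool:
    """The slides' first check: does the file really carry a BMP signature?"""
    return len(data) > BMP_HEADER_LEN and data[:2] == b"BM"


def pixel_data_offset(data: bytes) -> int:
    """Offset of the pixel array, little-endian u32 at byte 10 of the file header."""
    return struct.unpack_from("<I", data, 10)[0]


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits (MSB first, NUL-terminated) into the LSB of successive pixel bytes."""
    payload = message + b"\x00"
    start = pixel_data_offset(cover)
    if len(payload) * 8 > len(cover) - start:
        raise ValueError("message does not fit in the pixel area")
    out = bytearray(cover)
    i = start
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Collect LSBs from the pixel area, group them into octets, stop at the first NUL."""
    start = pixel_data_offset(stego)
    bits = "".join(str(b & 1) for b in stego[start:])
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = int(bits[i:i + 8], 2)
        if value == 0:
            break
        out.append(value)
    return bytes(out)


def changed_bytes(cover: bytes, stego: bytes) -> list:
    """Positions where the two files differ; with LSB hiding they all sit in the pixel area."""
    return [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]


if __name__ == "__main__":
    cover = make_cover_bmp(16, 16)
    stego = embed_lsb(cover, b"hack the planet")   # constructed demo message
    print(is_bmp(stego), extract_lsb(stego), len(changed_bytes(cover, stego)))
```

On a real capture you would call `extract_lsb` on the file bytes directly; the decoder only trusts the header for the pixel-array offset, which is the one field you need to skip the header bytes the slides were not interested in.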
Logic.Binary #1
Q1:
Binary:
2011010013001000003011101113011010013011011102
Logic.Binary #2
Binary is 1s and 0s, isn't it?
Clean out the 2s and the 3s
Binary:
0110100100100000011101110110100101101110
Logic.Binary #3
Put it nicely
Binary: 01101001 00100000 01110111 01101001 01101110
Logic.Binary #4
Binary -> ASCII
Answer is: i win
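The cleaning and decoding above, as an added example rather than anything from the slides: it keeps only the `0`/`1` characters, refuses to guess when the bit count does not divide into octets (a sign that the cleaning dropped or kept too much), and decodes the rest as ASCII. The input string is the Q1 text from the slides.

```python
# Added example, not from the slides: noisy-binary decoder for the Q1 string.

NOISY = "2011010013001000003011101113011010013011011102"   # Q1 as given on the slides


def clean_bits(text: str) -> str:
    """Keep only the characters that can be part of a binary string."""
    return "".join(ch for ch in text if ch in "01")


def group_octets(bits: str) -> list:
    """Split into 8-bit groups; a leftover partial group means the cleaning went wrong."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a multiple of 8; check what was stripped")
    return [bits[i:i + 8] for i in range(0, len(bits), 8)]


def binary_to_ascii(text: str) -> str:
    """Clean, regroup, decode: the three steps of the Logic.Binary slides."""
    octets = group_octets(clean_bits(text))
    return "".join(chr(int(o, 2)) for o in octets)


if __name__ == "__main__":
    print(" ".join(group_octets(clean_bits(NOISY))))
    print(binary_to_ascii(NOISY))
```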
Logic.Riddle #1
Q2:
I call, but I never talk. I knock, but I never enter. I feel a bit insecure.
Logic.Riddle #2
A port scanner knocks but never enters, calling the ports but never talking with them.
Insecure?
A2: nmap
Logic.URL #1
Q3:
Sometimes when you are coding a web based program you make a mistake with URLs. Correct this link.
The link we get is:
http://yahoo.com/search?q=hobble%20sticks
Logic.URL #2
A3:
It looks like a Google link, as this is the format Google is using. Let's change it to:
http://google.com/search?q=hobble%20sticks
Logic.URL #3
Logic.Num #1
Q4:
Logic.Num #2
1 of 2 = 12
1 of 1 and 1 of 2 = 1112
3 of 1 and 1 of 2 = 3112
1 of 3, 2 of 1 and 1 of 2 = 132112
1 of 1, 1 of 3, 1 of 2, 2 of 1 and 1 of 2 = 1113122112
3 of 1, 1 of 3, 1 of 1, 2 of 2, 2 of 1 and 1 of 2 = 311311222112
A4: 311311222112
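The Q4 sequence is the look-and-say sequence: each term reads off the run lengths of the previous one. The generator below is an added example, not from the slides; starting from "2" as the slides do, the sixth term after it is A4, and the same function produces the sequence from any seed.

```python
# Added example, not from the slides: look-and-say generator for the Q4 sequence.


def look_and_say(term: str) -> str:
    """Describe the runs of `term`: '3112' -> one 3, two 1s, one 2 -> '132112'."""
    out = []
    i = 0
    while i < len(term):
        j = i
        while j < len(term) and term[j] == term[i]:   # extend the current run
            j += 1
        out.append(f"{j - i}{term[i]}")               # run length, then the digit
        i = j
    return "".join(out)


def look_and_say_sequence(seed: str, steps: int) -> list:
    """Return [seed, next, ...] with `steps` terms generated after the seed."""
    seq = [seed]
    for _ in range(steps):
        seq.append(look_and_say(seq[-1]))
    return seq


if __name__ == "__main__":
    for term in look_and_say_sequence("2", 6):
        print(term)
```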
Reversing.app7 #1
We get a file called app7win.zip with 2 files inside:
app7win.exe
encrypted.enc
Reversing.app7 #2
So it seems that we need to find a password here.
Let's try to remove the encrypted.enc file from the folder, maybe it will help:
Reversing.app7 #3
Let's see what's inside this encrypted.enc file
Doesn't look promising (at least at the moment)
Reversing.app7 #4
Let's see it with OllyDbg
Reversing.app7 #5
jnz->jz?
Reversing.app7 #6
Oh well, it didn't work.
Off we go to IDA Pro
Reversing.app7 #7
So we need to get 0DCAh
Reversing.app7 #8
Oh no, it's not gonna be that easy dude
Reversing.app7 #9
This is the interesting part which handles our buffer and the .enc file
Reversing.app7 #10
The general thing that is happening in this block is that it runs 5 times and every time reads a character from the .enc file.
The characters that were read (in hex) are "31,4D,39,35,33", or in ASCII "1M953". This is not the password, but it will help us get the password (this is the key from the .enc file).
Reversing.app7 #11
Reversing.app7 #12
Next, the app takes the user input + [ENTER=A]
Reversing.app7 #13
Reversing.app7 #14
Adds all of them and places the result in var_18, which needs to be compared (cmp) with "0DCAh" (3530).
So
31 xor 8C + 4D xor 8C + 39 xor 8C + 35 xor 8C + 33 xor 8C = 3AB
Is it true??? Nope
Reversing.app7 #15
Reversing.app7 #16
So to solve this problem we need to have:
31 xor X + 4D xor X + 39 xor X + 35 xor X + 33 xor X = 0DCA
So what is X???
Reversing.app7 #17
To solve it we can just brute force it. So we will try first "A" as input, then "AA", then "AAA", until we get the right result.
At the end the result was that as long as our input sums to 753 (2F1) it solves the problem. Therefore it doesn't really matter what the input is, as long as it adds up to 753.
Reversing.app7 #18
I have used: ccccccc2
We need to remember that at the end of our input there is "enter", which is 10, so our characters should actually total 743.
c(99) + c(99) + c(99) + c(99) + c(99) + c(99) + c(99) + 2(50) + ENTER(10) = 753.
So:
31 xor 2F1 + 4D xor 2F1 + 39 xor 2F1 + 35 xor 2F1 + 33 xor 2F1 = 0DCA
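The arithmetic from the last few slides, as an added example that is not the slides' own script: a model of the check as described (the five key bytes from encrypted.enc, each XORed with the input sum and added up, compared against 0DCAh), the brute force over the sum X, and a constructor for a printable input that adds up to it. The check only sees the sum, which is why the loop searches X directly instead of growing the string.

```python
from typing import Optional

# Added example, not the slides' script: model of the app7 check as the slides describe it.

KEY_BYTES = bytes.fromhex("314D393533")   # "1M953", the five bytes read from the .enc file
TARGET = 0x0DCA                            # var_18 must equal this (3530)
ENTER = 10                                 # the newline the app reads after the input


def check_sum(x: int) -> int:
    """sum(key_byte XOR x) over the five key bytes; x is the input sum the app computed."""
    return sum(k ^ x for k in KEY_BYTES)


def input_sum(user_input: bytes) -> int:
    """The app adds every input byte, and the ENTER that ends the line counts too."""
    return sum(user_input) + ENTER


def passes(user_input: bytes) -> bool:
    """True when this input would satisfy the cmp against 0DCAh."""
    return check_sum(input_sum(user_input)) == TARGET


def brute_force_x(limit: int = 0x1000) -> Optional[int]:
    """Search X upward until the sum matches; the slides did this by lengthening the input."""
    for x in range(limit):
        if check_sum(x) == TARGET:
            return x
    return None


def build_input(x: int) -> bytes:
    """Any printable string whose bytes plus ENTER add to x; 'c'*7 + '2' is the slides' choice."""
    need = x - ENTER
    for filler in b"cbadefghijklmnopqrstuvwxyz":
        count, rem = divmod(need, filler)
        if 32 <= rem < 127:                 # keep the last byte printable
            return bytes([filler]) * count + bytes([rem])
    raise ValueError("no printable construction found")


if __name__ == "__main__":
    print(hex(check_sum(input_sum(b"AA"))))    # the slides' first (wrong) result, 3AB
    x = brute_force_x()
    print(x, hex(x), build_input(x), passes(build_input(x)))
```

Note that "AA" plus ENTER sums to 140 (8C), which is where the 3AB on the earlier slide comes from; the same model reproduces both the failed and the successful attempt.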
Reversing.app7 #19
Reversing.app7 #20
Game over!
Reversing.app13 #1
Let's run it
Reversing.app13 #2
Reversing.app13 #3
So let's skip IDA & Olly and check the hints
Reversing.app13 #4
We can monitor the time it takes the app to check every number that we enter.
Python script that feeds it 1-999 and monitors how long the app takes to check each one.
Slowest number is the right one (?)
Reversing.app13 #5
So let's do a quick & dirty BF on this app
Reversing.app13 #6
And run it
Reversing.app13 #7
Reversing.app13 #8
Let's just do it 3 more times, every time keeping the last value found instead of the dummy one that we had
Reversing.app13 #9
Our monitoring worked!
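The timing measurement above, as an added example that is not the slides' script. Instead of wall-clock time it uses a tick counter, so the result is deterministic and runs offline; the secret (four fields of 0..999) is constructed for the example. `leaky_check` returns on the first mismatched field, so its cost grows with the matched prefix and the slowest candidate per round is the right one; `constant_time_check` touches every field regardless, and the same search gets no signal from it, which is the fix a developer would apply.

```python
# Added example, not the slides' script: simulated app13-style check, the
# "slowest candidate wins" search, and a constant-time variant for comparison.

SECRET = (417, 23, 905, 111)       # constructed: four fields, each 0..999
FIELDS = len(SECRET)


class Meter:
    """Stands in for the wall clock: every unit of work the checker does adds a tick."""
    def __init__(self) -> None:
        self.ticks = 0

    def work(self, units: int = 1) -> None:
        self.ticks += units


def leaky_check(guess: tuple, meter: Meter) -> bool:
    """Compares field by field and returns on the first mismatch: time grows with the matched prefix."""
    for g, s in zip(guess, SECRET):
        if g != s:
            return False
        meter.work(1)          # only matched fields cost a tick
    return True


def constant_time_check(guess: tuple, meter: Meter) -> bool:
    """Always touches every field; the cost is independent of where a mismatch sits."""
    diff = 0
    for g, s in zip(guess, SECRET):
        diff |= g ^ s
        meter.work(1)
    return diff == 0


def measure(check, guess: tuple) -> int:
    """How long (in ticks) one check of `guess` takes."""
    meter = Meter()
    check(guess, meter)
    return meter.ticks


def timing_search(check, fields: int = FIELDS, max_value: int = 999):
    """The slides' loop: try 0..999 for one field, keep the slowest, fix it, repeat for the next.
    Returns None when no single candidate is slowest, i.e. the check gives no timing signal."""
    found = []
    for position in range(fields):
        best, best_cost, tie = None, -1, False
        for candidate in range(max_value + 1):
            guess = tuple(found) + (candidate,) + (0,) * (fields - position - 1)  # 0 = dummy
            cost = measure(check, guess)
            if cost > best_cost:
                best, best_cost, tie = candidate, cost, False
            elif cost == best_cost:
                tie = True
        if tie:
            return None
        found.append(best)
    return tuple(found)


if __name__ == "__main__":
    print("leaky:        ", timing_search(leaky_check))
    print("constant-time:", timing_search(constant_time_check))
```

Against a real binary the ticks become wall-clock measurements with noise, so each candidate is usually timed several times and the median compared; the structure of the search is the same.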
Forensics.1 #1
We get this:
Forensics.1 #2
Forensics.1 #3
So we need to find a password
First things first, extract the file. We get a dd file: image.dd
Let's check what's in there real quick
Forensics.1 #4
Looks like we got an NTFS Windows system
Forensics.1 #5
Forensics.1 #6
So it's mounted
Forensics.1 #7
3 empty folders
Forensics.1 #8
Well, it's a forensics challenge, so probably we need to recover some deleted data.
Let's try to see what kind of deleted files are there.
Forensics.1 #9
Forensics.1 #10
Forensics.1 #11
Oh boy... well, let's check the other files
We've got a media file: Voicemail 1.wav
When played we can hear the Tech Support guy telling Stacy that the password is her phone number. And what is her phone number?
Forensics.1 #12
Let's dig some more; we can see that there is a file called "Termination - Allen Smith.docx"
Forensics.1 #13
Using the phone number 5195554783 we can extract the content of "Your new password is.rar"
Inside there is a file called "Your new password is.docx"
Inside we got our password
Forensics.1 #14
We've saved the world again!
To Wrap It Up
Hacking challenge sites are KEWL
They help you practice your skills & prepare for CTF games
You have a community to support you while trying
# E [0] F #
Q? (meet @ the lounge now, or)
>> lament [AT] ilhack [DOT] org
http://www.ilhack.org/lament
Join me @lament1337