{"id":21321,"date":"2023-11-07T14:29:14","date_gmt":"2023-11-07T13:29:14","guid":{"rendered":"https:\/\/herolab.usd.de\/?p=21321"},"modified":"2023-11-09T08:41:21","modified_gmt":"2023-11-09T07:41:21","slug":"write-up-hacker-contest-challenge-winter-23-24","status":"publish","type":"post","link":"https:\/\/herolab.usd.de\/en\/write-up-hacker-contest-challenge-winter-23-24\/","title":{"rendered":"Write-Up Registration Challenge Hacker Contest Winter 2023\/24"},"content":{"rendered":"\n<p><br>In the winter semester of 2023, our \"Hacker Contest\" will be held again at Technical University of Darmstadt (<a href=\"https:\/\/www.tu-darmstadt.de\/\" target=\"_blank\" rel=\"noopener\">TU<\/a>). In the popular course, students get real insights into IT security and gain hands-on experience with tools and methods to search for vulnerabilities in networks and systems within our <a href=\"https:\/\/herolab.usd.de\/en\/our-pentestlab\/\">PentestLab<\/a>.<br>As in every semester, prospective participants took on the Hacker Contest Challenge to qualify for participation.<br>If you are curious to know what a Hacker Contest Challenge looks like, or which flags you might have missed this time: This is our sample solution for the winter semester Hacker Contest Challenge.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Table of Contents<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"#scenario\">Scenario<\/a><\/li>\n\n\n\n<li><a href=\"#challenge\">Challenge<\/a><\/li>\n\n\n\n<li><a href=\"#disclaimer\">Disclaimer<\/a><\/li>\n\n\n\n<li><a href=\"#tokens\">Tokens<\/a>\n<ul class=\"wp-block-list\">\n<li><a href=\"#usb_image\">USB_IMAGE<\/a><\/li>\n\n\n\n<li><a href=\"#encrypted-pdf\">Encrypted PDF<\/a><\/li>\n\n\n\n<li><a href=\"#polyglot\">Polyglot<\/a><\/li>\n\n\n\n<li><a href=\"#encrypted-pdf-2\">Encrypted PDF 2<\/a><\/li>\n\n\n\n<li><a href=\"#find-the-hidden-program\">Find the hidden program<\/a><\/li>\n\n\n\n<li><a href=\"#reverse-engineer-binary\">Reverse engineer 
binary<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"scenario\">Scenario<\/h2>\n\n\n\n<p>Your friend found an old hard drive in his drawer that contains his old operating system. He can still remember his passwords, but lost six very important access tokens for his Bitcoin-Wallet from 2017. They are hidden somewhere on the hard drive, but he doesn't remember where and doesn't know how to regain access. This is a welcome change from the usual printer issues by family members, and since he is a very good friend, you agree to help him.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"challenge\">Challenge<\/h2>\n\n\n\n<p>You are provided with a virtual disk image. It is your task to find all six tokens hidden somewhere on it.<br>All tokens are in the format of <strong>usd{$32_digit_hex_number}<\/strong>.<br>Since we already have passwords for both users, logging in is not a problem:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">user: asdf\nroot: usdsuperhero<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"disclaimer\">Disclaimer<\/h2>\n\n\n\n<p>This challenge is a fairly artificial one, more akin to a CTF challenge than anything one would encounter in a real-world scenario. However, having a local disc image provides an opportunity to test for weaknesses that usually are not part of remotely hosted CTF challenges, such as offline brute-forcing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"tokens\">Tokens<\/h2>\n\n\n\n<p>By examining the file system, we initially find some files not usually present in the user's home directory. Those files are worthy of further investigation but finding all six tokens requires a bit more digging. 
In the following, we go through each token on the machine in no particular order.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"usb_image\">USB_IMAGE<\/h3>\n\n\n\n<p>The token is located in <strong>\/home\/user\/Desktop\/USB_IMAGE.img<\/strong>.<br>As we might suspect from the filename, the file contains a USB image. We can try to mount the USB image, but we are not able to find anything on it, since its contents were deleted. We could use elaborate forensic tools in order to recover the deleted contents, but the easiest solution merely requires running <strong>strings<\/strong> on the image in order to recover the token:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">strings \/home\/user\/Desktop\/USB_IMAGE.img<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"encrypted-pdf\">Encrypted PDF<\/h3>\n\n\n\n<p>A hidden file is located in <strong>\/home\/user\/.secret.pdf<\/strong>, which can be revealed using <strong>ls -la \/home\/user<\/strong>.<br>Since it is encrypted, we first have to extract the PDF's hash using <strong>John the Ripper<\/strong>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pdf2john .secret.pdf &gt;&gt; hash<\/pre>\n\n\n\n<p>This makes it possible to view the hash separately from its original file and brute-force the password.<br>The password is part of the popular <strong>rockyou<\/strong> wordlist and can therefore be easily found.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" 
data-enlighter-title=\"\" data-enlighter-group=\"\">john hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"polyglot\">Polyglot<\/h3>\n\n\n\n<p>The next token we will look at is located in <strong>\/home\/user\/Picures\/sloth.jpg<\/strong>.<br>We cannot open the file using an image viewer because, contrary to its file extension, sloth.jpg is a zip file.<br>We can therefore rename it to avoid further confusion.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">mv sloth.jpg token.zip<\/pre>\n\n\n\n<p>We then have to repair its offset with:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">zip -FF token.zip --out fixed_token.zip<\/pre>\n\n\n\n<p>After that, we can unzip the repaired file, but it still has password protection. Therefore, we have to crack the zip's encryption. 
Again, we can use <strong>John the Ripper<\/strong> to do so.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">zip2john fixed_token.zip &gt;&gt; hash2\njohn hash2 --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/pre>\n\n\n\n<p>Now we can unzip the file using the revealed password.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">unzip fixed_token.zip<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"encrypted-pdf-2\">Encrypted PDF 2<\/h3>\n\n\n\n<p>Two interesting files are located in the user's Documents directory, <strong>important.enc.pdf<\/strong> and <strong>encryption_guidelines.txt<\/strong>.<\/p>\n\n\n\n<p>We can use the hint in <strong>encryption_guidelines.txt<\/strong> in order to generate our own password wordlist. There are many different ways to do so. We could write a simple script, but there is also a useful and easy-to-use <a href=\"https:\/\/github.com\/Septimus4\/dateGenerator\" target=\"_blank\" rel=\"noopener\">GitHub project<\/a> we can use to generate the dates. 
We still have to prepend the username, which in our case is <strong>user<\/strong>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">python3 date_generator.py 1900 2030 0 &gt; custom_date_wordlist\nsed -e 's\/^\/user\/' custom_date_wordlist &gt; accurate_list<\/pre>\n\n\n\n<p>Then we can use <strong>John the Ripper<\/strong> again to crack the PDF.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pdf2john important.enc.pdf &gt; pdf_hash\njohn pdf_hash --wordlist accurate_list<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"find-the-hidden-program\">Find the hidden program<\/h3>\n\n\n\n<p>There is another hidden program with an interesting name, located in <strong>\/usr\/bin\/thide<\/strong>.<\/p>\n\n\n\n<p>This program is hidden from tools like ps by a shared library.<br>After locating the binary, we could reverse-engineer it with tools like <strong>ghidra<\/strong> in order to find out that it opens a connection to a socket and sends some data. We can then run <strong>ps -ef | grep thide<\/strong>, which reveals that the program is running, as well as its process ID. Using <strong>wireshark<\/strong>, we can observe the local network traffic and see that there are several connection attempts to port 63333 being made. 
We now can listen on port 63333 and get the token.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"bash\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lvp 63333<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reverse-engineer-binary\">Reverse engineer binary<\/h3>\n\n\n\n<p>The last token we look for can be found in the executable located at <strong>\/home\/user\/bin\/token<\/strong>.<br>It is necessary to run <strong>chmod -R 777 \/home\/user\/bin<\/strong> which gives 'user' access to the directory.<br>We can use ghidra to reverse engineer the program. There are many different ways to solve this challenge. The following code serves as an example for one possible solution to the problem.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"monokai\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/env python3\n\n# $ python3 cobb_solver.py \/home\/user\/bin\/token\n\nimport os\nimport re\nimport sys\n\nif len(sys.argv) != 2:\n    print(\"usage: {} &lt;path to cobb&gt;\".format(sys.argv[0]))\n    sys.exit()\n\n#call cobb to get the character count\ncobb_stream = os.popen(sys.argv[1])\nchar_count = int(re.search('&lt;(.*) character', cobb_stream.read()).group(1))\nprint(\"app has a {} byte key\".format(char_count))\n\nbyte_array = []\n\nfor i in range(0, char_count * 8):\n    byte_array.append(False)\n\nobjdump_stream = os.popen(\"objdump -d {}\".format(sys.argv[1]))\nprev_func_number = None\n\nfor line in objdump_stream:\n    #0000000000001273 &lt;check_2&gt;:\n    function_def_match = re.search('^00000.* &lt;check_(.*)&gt;:$', line)\n\n    #1291:    0f 95 c0                setne  %al\n    bit_set_match = re.search('setne  \\%al', line)\n    if 
bit_set_match and prev_func_number is not None:\n        byte_array[int(prev_func_number)] = True\n        prev_func_number = None\n    if function_def_match:\n        prev_func_number = int(function_def_match.group(1))\n\nsys.stdout.write(\"The key is \\\"\")\ncharacter = 0\nfor idx,elem in enumerate(byte_array):\n    if elem:\n        character = character | (1 &lt;&lt; idx % 8)\n    if idx % 8 == 7:\n        sys.stdout.write(chr(character))\n        character = 0\nsys.stdout.write(\"\\\"\\n\")<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In the winter semester of 2023, our \"Hacker Contest\" will be held again at Technical University of Darmstadt (TU). In the popular course, students get real insights into IT security and gain hands-on experience with tools and methods to search for vulnerabilities in networks and systems within our PentestLab.As in every semester, prospective participants took [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"off","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[76],"tags":[193,88,128,86,227],"class_list":["post-21321","post","type-post","status-publish","format-standard","hentry","category-news","tag-hacker-contest-en","tag-pentest-en","tag-security-analysis-en","tag-security-research-en","tag-tu-darmstadt-en"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/21321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21321"}],"version-history":[{"cou
nt":1,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/21321\/revisions"}],"predecessor-version":[{"id":21322,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/posts\/21321\/revisions\/21322"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/categories?post=21321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/tags?post=21321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}