Monday, January 27, 2014

PHDays CTF Quals 2014

The qualification round just ended today. Our team finished at rank #9. Chinese new year is coming soon so I only managed to catch up with the guys for just a little more than one hour. During that short period of time our team impressed even ourselves by solving 3 challenges and jumped back to top 10. I was involved in 1 of the challs: a ucucuga challenge titled "mp3 me".

The challenge is basically an mp3 stegano. After examining the file we came to a conclusion that there was no where else to hide the flag other than in the id3 part of the file.

Now this is the part where losers are separated from winners. The RGB tags and the presentation of values in triplets make most people try to find a way to get an image, but they are actually just red herrings. The real clue here is the occurrence of NULL. It suggests the end of a message. After trying some conversion, I found out that "78-9c" (hex values of 120-156) was the signature of zlib compressed data, and with that dloser was able to quickly recover the precious flag.

<dloser> >>> zlib.decompress('789ccb8ccf482c498d2f4d06c2f444002a9f05b7'.decode('hex'))
<dloser> 'i_hate_ucucuga'

Solving challenges is fun, and it's even more thrilling when there is a time limit. Oh, it is also good to be able to let everyone know how you solved them, not just limited to the solvers as on normal challenge sites.

Monday, January 20, 2014

Ghost in the Shellcode 2014

Recently, I have been invited to join team penthackon, a team full of veterans, to participate in CTF events.

As someone who only plays for fun, I find the recent Ghost in the Shellcode 2014 CTF quite an enjoyable experience. It's really amazing to see the creators spending a lot of efforts to put up an MMORPG named "Choose Your Pwn Adventure 2", just to be hacked by the players :P

As an uber cheater, I was involved in 2 of the quests: A Boaring Quest and Unbearable. The first quest requires killing over 9000 boars, something not easily done and most cheaters don't want to do it the normal way. jjk was the one who solved it for our team, but his method involved capturing and replaying the kill packet, and it was hard for everyone else to follow the same method.

Because the logic of the game was implemented in .NET, using .NET Reflector with Reflexil plugin I was able to patch the game to send 1001 kills to the server. So only 10 kills were needed to finish the quest (Actually it was possible to send 10000 kills in 1 go but we did it this way to be "nice" to the server :P)

The second quest was a little bit trickier: the treasure chest was protected by a shitload of bears, and after opening it you had to survive for 5 minutes before getting the flag. To make it even more impossible, the bears were armed with guns and they would all shoot you to death. This was actually a fun experience, everyone tried to avoid being hit, killing bears with uber weapons, changing the bear's AI... with no success. In the end, the solution was quite simple and logical. There was this holy item called wine that gave you 10-20% damage protection, however that protection can be patched from the client. I patched it to 100% to become invincible (also because each wine only last for 1 minute, I needed to drink 6 of them :P)

Below is the screenshot of my character after winning both flags

Sunday, January 12, 2014

Ubuntu 14.04 Trusty Tahr

My box was running Ubuntu 12.10 Quantal Quetzal for quite a long time because I was too lazy to upgrade it so recently I had to go through hella lot of upgrades to catch up with the latest technologies :P

The upgrade to 13.04 Raring Ringtail was quite smooth but while I was upgrading to 13.10 Saucy Salamander my laptop was overheating and shut down without a warning (they seriously should give us like 10 seconds to do something first). And that marked the beginning of hell :P

After powering on, Ubuntu couldn't start because of broken packages, but luckily there was no problem with the kernel and it only took me a bit to play around with the recovery menu to get the packages rebuilt.

However because the installation was incomplete there were many features missing and since there was no easy way to get them installed I decided to go a bit further to upgrade to the development version 14.04 Trusty Tahr.

Unsurprisingly, I was caught up in a serious sendmail bug - the installation went into an infinite loop. The bug was said to have been fixed a few months ago, but I don't know for which reason the fix hasn't made it to the Ubuntu repository yet. There was a workaround mentioned in the bug report, but the whole thing was a mess, and someone even suggested something as complicated as modifying the installation package. After some time reading all the available solutions, I got it done in a simple way. Just look for update_db in /usr/share/sendmail/ and replace the following lines:

str=$(echo "$line" | cut -d " " -f 1);
line=$(echo "$line" | cut -d " " -f 2-);


str=$(echo "$line" | head -n 1);
line=$(echo "$line" | tail -n +2);

and after that do a

sudo dpkg --configure -a

to reconfigure the packages :P

The Ubuntu team name their releases after the letters of the alphabet, and they already reached T. I wonder what will happen in a few years when all are used up :P