Everlasting Wanderer: Setting out on a new journey to find the meaning of life... (quangntenemy)<br /><br /><b>Little red riding Tux</b> (2021-07-02)<br /><p>Once upon a time, in a land not too far away, and not as distant in time as you might think either, there was a little penguin 🐧. That penguin went to /etc/secret in Deutschland wearing his little red riding hood, and there he met the bad black horned creature and his (maybe bad) friends.</p><p>The bad black horned creature and his friends told the little penguin that they were actually good, and that M$ was the evil one.</p><p>The (maybe) good black horned creature and his friends taught the little penguin to treasure what he had, especially his smileys.</p><p>The good black horned creature and his friends helped the little penguin realize that XOR is reversible, and that RSA is not the solution to all problems.</p><p>The little penguin made a lot of friends; one of them was very talented at hiding stuff inside other stuff, which people call the art of steganography. The little penguin had fun solving those steganography challs, and his observation and analysis skills greatly improved. He even created a <a href="https://github.com/quangntenemy/Steganabara">tool which helps with steganalysis</a>.</p><p>Many years passed, and the little penguin grew up to become a big penguin. Although busy catching fish and taking care of his kids, the big penguin still spent some of his free time catching flags to relive the great moments of the good old days.</p><p>One day the big penguin found a strange bottle drifting to his island from the <a href="https://ctftime.org/event/1298">land of the Blue Hens</a>.
Actually, many other penguins saw that bottle and tried to read its contents, but all they found was gibberish.</p><p>To the big penguin, however, the bottle was like a message from the good old days. He easily figured out the important part and recovered the hidden message.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://github.com/CTF-STeam/ctf-writeups/raw/master/2021/BlueHensCTF/Rise-and-Shine/breakfast.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="476" data-original-width="800" height="238" src="https://github.com/CTF-STeam/ctf-writeups/raw/master/2021/BlueHensCTF/Rise-and-Shine/breakfast.png" width="400" /></a></div><br /><br /><b>Still alive &amp; new chall</b> (2020-12-20)<br /><p>Just a quick update to let everyone know that I'm still alive and kicking.</p><p>Recently I've been solving some challs (not as many as before) and playing CTFs with a Vietnamese team (we're currently <a href="https://ctftime.org/stats/2020/VN" target="_blank">ranked 4th in the country ranking</a>).</p><p>I've also gathered some more ideas for a new version of Steganabara (hopefully to be released in a few months; amazing to see that the current version is already 7 years old :P)</p><p>Finally, I have spent some time creating a <a href="https://www.wechall.net/challenge/quangntenemy/2020_Christmas_Special/index.php" target="_blank">new beautiful challenge</a>.
Hope everyone will enjoy it!</p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.wechall.net/challenge/quangntenemy/2020_Christmas_Special/wechall-newyear.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="409" data-original-width="722" height="226" src="https://www.wechall.net/challenge/quangntenemy/2020_Christmas_Special/wechall-newyear.png" width="400" /></a></div><br /><br /><b>New life</b> (2018-08-18)<br />Yo guys, it's been a long time!<div><br /><div>So many things have happened, but to make a long story short: I got married, had a baby boy, met 2 great Singaporeans last month, and now I'm in Thailand.</div><div><br /></div><div>The "garlic snow pizza" was awesome, and so was the beer (pictures to be added later)</div></div><div><br /></div><div>And SOAP is probably the biggest invention of all time, if you know what I mean ;-)</div><div> </div><div>Update: finally found the pictures of the pizza and the beer!</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcPo-ZHuuOelPkyDvBnQRfco96IWhvhCmXg36eX7a1sNAQwgFiocEVxQ9Hnnq9StRUn98IIYb0hDDnilvEDJYVVv6FsfaKGzJzvTdNHEOY3JYzYUgF9GVT8lbGdbbbTO_vqkV8NrT3gW2/s2048/IMG-1032.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1536" data-original-width="2048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAcPo-ZHuuOelPkyDvBnQRfco96IWhvhCmXg36eX7a1sNAQwgFiocEVxQ9Hnnq9StRUn98IIYb0hDDnilvEDJYVVv6FsfaKGzJzvTdNHEOY3JYzYUgF9GVT8lbGdbbbTO_vqkV8NrT3gW2/s320/IMG-1032.JPG" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ8elgbcu_eG6Pq0l8WrTZaDetSxyOzycQdLlgBdrRRA4gc8R9jwfpe_AYcXjESh5wb0p5-js80GPo9RhDIfCM1fc7NQMh-ApsMixR_ukbET9yvN2jJM7A-ADCnUNc_TkAQTKgg_imi7oV/s2048/IMG-1044.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1536" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ8elgbcu_eG6Pq0l8WrTZaDetSxyOzycQdLlgBdrRRA4gc8R9jwfpe_AYcXjESh5wb0p5-js80GPo9RhDIfCM1fc7NQMh-ApsMixR_ukbET9yvN2jJM7A-ADCnUNc_TkAQTKgg_imi7oV/s320/IMG-1044.JPG" /></a></div><br /><div><br /></div><b>3DS CTF 2016</b> (2016-12-26)<br /><a href="https://3dsctf.win/">3DS CTF</a> was an interesting CTF which, unlike normal CTFs, went on for a whole week, so I had plenty of time to enjoy the challenges. Below are write-ups for some of them.<br />
<br />
<b>Stego 100: Excaliflag</b><br />
<br />
The file is a PNG image with nothing hidden in the raw file data. Quick analysis with <a href="https://github.com/quangntenemy/Steganabara">Steganabara</a> shows very little distortion of the RGB values, which means the flag is either hidden in the LSBs or a more advanced method was used. For only 100 points, of course it's the former.<br />
<br />
Play with the blue bits in Steganabara's Bit Mask Filter and you'll get the flag:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE42dHyF-7Bd1DWq__c8H_xo5cHqbutDLZcVLlbSZJl0BQMdKFrGYXTkpwLqTtiopV3aAq5tl6MYbJlIttjZGGQPc_aCHKt810w1bmz_g_CkrH26d_CC93x94si7TUfJHhjlmq6HGmWkfm/s1600/Screenshot+from+2016-12-26+22-26-00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE42dHyF-7Bd1DWq__c8H_xo5cHqbutDLZcVLlbSZJl0BQMdKFrGYXTkpwLqTtiopV3aAq5tl6MYbJlIttjZGGQPc_aCHKt810w1bmz_g_CkrH26d_CC93x94si7TUfJHhjlmq6HGmWkfm/s320/Screenshot+from+2016-12-26+22-26-00.png" width="320" /></a></div>
<br />
<b>Stego 300: 0liver "Imaged"</b><br />
<br />
By looking at the magic bytes in the binary data it's easy to see that a PNG image is appended to the end of the JPEG. Looking at that PNG, it's clear that the flag is hidden in the R and G values of the first few rows. Extract the R and G values and you get an ELF file that prints out the flag.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMsSKgu0dyqXGIwSIigspk065vhBMn1sxyU31ec7MyugiVp3hIL-bVqD17Yh-68L70OaFLuZT8X_VjHkcmJB2bq2LrOiDWMW6F5DWjtZmrrL3jsJGPbkSLgHEICCSi4bK5cEv18M3mzPSJ/s1600/Flags2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMsSKgu0dyqXGIwSIigspk065vhBMn1sxyU31ec7MyugiVp3hIL-bVqD17Yh-68L70OaFLuZT8X_VjHkcmJB2bq2LrOiDWMW6F5DWjtZmrrL3jsJGPbkSLgHEICCSi4bK5cEv18M3mzPSJ/s320/Flags2.png" width="320" /></a></div>
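As an added example (not part of the original write-up), here is the magic-byte scan the paragraph above does by eye, in Python: it lists every known file signature found in a blob and carves whatever follows the JPEG End-Of-Image marker, which is where an appended file lives. The sample blob is constructed, and the signature table is a small subset chosen for this page.

```python
# Magic numbers worth looking for when a CTF image is larger than its pixels
# justify. Constructed subset for this example, not an exhaustive catalogue;
# every entry is at least 3 bytes long to keep false positives rare.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"\x7fELF", "ELF"),
    (b"PK\x03\x04", "ZIP"),
]


def find_signatures(blob: bytes):
    """Return every (offset, name) at which a known magic number occurs, in file order."""
    hits = []
    for magic, name in SIGNATURES:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def jpeg_end(blob: bytes) -> int:
    """Offset just past the first JPEG End-Of-Image marker (FF D9); -1 if absent."""
    idx = blob.find(b"\xff\xd9")
    return -1 if idx < 0 else idx + 2


def carve_trailer(blob: bytes) -> bytes:
    """Everything after the JPEG EOI marker: a decoder ignores it, so that is where appended files hide."""
    end = jpeg_end(blob)
    if end < 0:
        raise ValueError("not a JPEG, or the EOI marker is missing")
    return blob[end:]


# Constructed sample: a minimal JPEG-looking blob (SOI ... EOI) followed by a PNG-looking trailer.
JPEG_PART = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40) + b"\xff\xd9"
PNG_PART = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(17)   # signature + start of IHDR chunk
SAMPLE = JPEG_PART + PNG_PART


def demo():
    """Where the signatures sit, and the bytes a viewer would never show you."""
    return find_signatures(SAMPLE), carve_trailer(SAMPLE)
```

A hit at offset 0 is the container itself; any later hit is a candidate embedded file, and the carved trailer can be written out and opened directly.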
<br />
<b>Stego 300: We also have memes!</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAXyvnc7OJa6WcHXiYrmxJZ9oHqOZuvyMFO4Tih0b8MjxCiVXY7hlFYfraDptB-09Vhbyv3E8F0GrKlbiV5sd5JNPVPTmVRZ7cfDPRTIIhl5Le_Sqolg_wgWM-NMF-rdWbPhqrN1EzQJcO/s1600/output.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAXyvnc7OJa6WcHXiYrmxJZ9oHqOZuvyMFO4Tih0b8MjxCiVXY7hlFYfraDptB-09Vhbyv3E8F0GrKlbiV5sd5JNPVPTmVRZ7cfDPRTIIhl5Le_Sqolg_wgWM-NMF-rdWbPhqrN1EzQJcO/s200/output.png" width="200" /></a></div>
<br />
The flag is hidden in the image using an algorithm in which p and offset are unknown. However, they are small enough to be brute-forced. The flag format is 3DS{...}, so this is more like a known-plaintext attack with the image as the ciphertext.<br />
<br />
(to be continued)<br />
<br />
Update: not continued, because it's been a long time and I don't remember the rest. Also, I'm busy (and lazy :P)<br /><br /><b>WhiteHat Grandprix 2016</b> (2016-12-18)<br /><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggYvrRLEvdG2ykwlmdnH6I3OYzrGTGiuswqRFggdCj1WrXS2W_1nH4RtiiV-YIcnx8x7GoaJE5-D16efq11b5pwhSQrGF3PGhoXrDxy3_DxIpSKEbO3eLuVCdegxWKMpVtqciwDieydi8F/s1600/whitehat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggYvrRLEvdG2ykwlmdnH6I3OYzrGTGiuswqRFggdCj1WrXS2W_1nH4RtiiV-YIcnx8x7GoaJE5-D16efq11b5pwhSQrGF3PGhoXrDxy3_DxIpSKEbO3eLuVCdegxWKMpVtqciwDieydi8F/s320/whitehat.png" width="320" /></a></div>
<br />
This is probably the worst CTF I've played. The server was constantly overloaded (probably DDoSed and/or pwned). The anti-brute-force mechanism also made sure you couldn't log in while someone else was brute-forcing your account (it's quite possible the attackers already had access to your profile data; hope you didn't reuse the CTF password anywhere else). There were other problems, but they don't bother me anymore.<br />
<br />
Below are some write-ups if you're interested. I don't quite remember the challenge names, and because some teams were able to submit flags after the contest ended, the organizers took everything down.<br />
<br />
<b>Web 100: Bánh bột lọc</b><br />
<br />
If you look at the source you'll see the backed-up page. From there you need to find a username/password pair that satisfies $username.'1337' == md5($password): the MD5 hex digest of the password must end in 1337, and the username is its first 28 hex characters. Some coding and the job is done (Linux experts can probably do it faster than me).<br />
<br />
The pair I used was md5('huna12') = 234417335475b7eb761e5f8accae1337, i.e. username 234417335475b7eb761e5f8accae with password huna12.<br />
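The search described above as an added Python example (not the author's code): it walks short passwords until one hashes to a digest ending in 1337 and derives the username from the digest. The lowercase-plus-digits alphabet and the maximum length are assumptions; on average about 65536 digests are needed for a 4-hex-digit suffix.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits   # assumed search alphabet


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def find_credentials(suffix: str = "1337", max_len: int = 5):
    """Search short passwords until md5(password) ends with `suffix`.

    Returns (username, password) with username + suffix == md5(password),
    the condition the backed-up login page checks. Expected work is 16**len(suffix) hashes.
    """
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            password = "".join(chars)
            digest = md5_hex(password)
            if digest.endswith(suffix):
                return digest[: -len(suffix)], password
    return None


def check(username: str, password: str, suffix: str = "1337") -> bool:
    """The server-side condition, reproduced from the write-up."""
    return username + suffix == md5_hex(password)
```

The same loop works for any fixed suffix or prefix the server compares against; only the expected number of hashes changes with the number of constrained hex digits.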
<br />
<b>Web 100: Bánh căn</b><br />
<br />
For some stupid reason the page lets you execute arbitrary PHP functions through the GET query string, although many important functions are blacklisted (per the hint). In the end this query did the job: ?assert=require('php://filter/convert.base64-encode/resource=index.php'). The php://filter wrapper hands require() the base64-encoded source of index.php, which contains no PHP tags and is therefore printed instead of executed.<br />
<br />
<b>Crypto 100</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMW1gmaSMKKuLtN5rdDhr6v5RuMgw2bFyaS5ANeS5N8Tfpd6JhDkphrVkUYbZYC-lZDsigK4j58UlD3b2WiJYaDqNzCvhm9GbGLrLwASs-flaUnYXsu-ks4p4ex2CQhzfjEHOCncwPrYEG/s1600/table.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMW1gmaSMKKuLtN5rdDhr6v5RuMgw2bFyaS5ANeS5N8Tfpd6JhDkphrVkUYbZYC-lZDsigK4j58UlD3b2WiJYaDqNzCvhm9GbGLrLwASs-flaUnYXsu-ks4p4ex2CQhzfjEHOCncwPrYEG/s320/table.png" width="320" /></a></div>
This is basically a substitution cipher: you look up the character corresponding to each number in the table. For numbers that are the product of two other numbers, use those two as the row and column indices.<br />
<br />
I solved this one by replacing the high-frequency numbers with letters and letting <a href="http://www.secretcodebreaker.com/scbsolvr.html">SCBSolvr</a> do the rest.<br />
<br />
<b>Crypto 300</b><br />
<br />
The key is generated from an 8-byte seed, which gives it a very big weakness: the key stream repeats every 72 bytes. With a known-plaintext attack you can recover one full period of the key and decrypt the whole text.<br />
<br />
<b>Reverse 100: Nem rán</b><br />
<br />
After decompiling you get the Python code. It's basically ROR, so just ROL and it's done. Because it's a rotation, you can quickly define ROL by k bits as ROR by (bitsize - k) bits.<br />
<br />
<b>Forensics 100: Bánh giầy</b><br />
<br />
Using Wireshark you can recover the secret file, which is a zip archive. Brute-force the zip password (it's 4 characters long) and you'll get the flag.<br />
<br />
<b>Misc 100: Bánh đa kê</b><br />
<br />
The flags are hidden in 32 files among 10000 folders. The server lets you execute some Linux commands, and of course the important ones are blacklisted. In the end the command I used was <b>egrep -r '.' . | sort</b>: it prints every non-empty line of every file under the current directory, prefixed with its path, and sorting groups the flag lines together.<br /><br /><b>Tadaima</b> (2016-12-06)<br />I'm back, somehow.<br />
<br />
Been busy, hard disk crashed, bad things happened, etc.<br />
<br />
Restarting things from scratch, somehow.<br /><br /><b>ASIS CTF Quals 2014</b> (2014-05-13)<br />A <a href="http://asis-ctf.ir/">great CTF</a> with a lot of interesting stegano challenges has ended. Too bad the event took place on workdays, so our team didn't have much time for it (probably many other teams had the same problem). We ended up at #10, which wasn't too bad :P Below you can find write-ups for a few of the challs I solved.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZo9a1c7SPEOn0d98Fqr_96MXHBLWcS4b1FsoU0TEUM8gnOUF_SN0zliWAiN9FYBgT6yEJh-LR2id0j2loENVwc40ZeADEIwfVOISHZR2yUsN_1vul6SPQchtxatJ2I55ZzXhkE8hEOH2p/s1600/Screenshot+from+2014-05-13+22:32:23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZo9a1c7SPEOn0d98Fqr_96MXHBLWcS4b1FsoU0TEUM8gnOUF_SN0zliWAiN9FYBgT6yEJh-LR2id0j2loENVwc40ZeADEIwfVOISHZR2yUsN_1vul6SPQchtxatJ2I55ZzXhkE8hEOH2p/s1600/Screenshot+from+2014-05-13+22:32:23.png" height="179" width="320" /></a></div>
<br />
<b>Trivia 50: Image</b><br />
<br />
The file was actually an image of the once-popular NES game <a href="http://en.wikipedia.org/wiki/Battle_City_%28video_game%29">Battle City</a> (a ROM image, not a picture), and as a Nintendo fan I had the emulator ready to play it :P Just complete the first stage and you'll get the flag: 8BIT_RULEZ (although it's a bit different from what is displayed, which caused a lot of confusion for everyone :P)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsth1SkUeAPjXYUIIEHIUEnBsNA6kXNctLO-3IGWLLIfe3nMpjXcFUQO-Nc4viAGgdbk4hy-E7iMoVMD5pYWNEVr8vZMcRd_Mif9BLgWGPUDb6lHBAl_u4A-qOU0hjYVW6vM7hae5mVfoh/s1600/Screenshot+from+2014-05-08+22:29:152.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsth1SkUeAPjXYUIIEHIUEnBsNA6kXNctLO-3IGWLLIfe3nMpjXcFUQO-Nc4viAGgdbk4hy-E7iMoVMD5pYWNEVr8vZMcRd_Mif9BLgWGPUDb6lHBAl_u4A-qOU0hjYVW6vM7hae5mVfoh/s1600/Screenshot+from+2014-05-08+22:29:152.png" height="305" width="320" /></a></div>
<br />
<br />
<b>Web 75: Hidden flag</b><br />
<br />
A web challenge with barely any description, but the title suggests the flag is hidden somewhere. It didn't take us long to notice the HTTP response header x-flag with the value ASIS_b6b?244608c2?c2e869cb56?67b64?b1. Now obviously the task was to find the full hash. My first thought was a dictionary attack to find a string whose hash matches this pattern, but because of work I didn't have time to try it :P<br />
<br />
At one point some members of our team noticed that when a wrong solution was submitted, the response came back almost instantly, which suggested a JavaScript check on the client side. From there it didn't take long to find the SHA-256 hash in the script and recover the full flag: ASIS_b6be244608c27c2e869cb56167b649b1<br />
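An added example (not from the original write-up) of recovering a wildcarded flag once its hash is known: it enumerates the 16^4 hex fillings of the x-flag value and stops at the one whose SHA-256 matches. It assumes the page's JavaScript hashed the bare flag string with SHA-256; the target digest here is computed from the recovered flag, so the example checks itself.

```python
import hashlib
import itertools

HEX = "0123456789abcdef"


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def recover_masked(mask: str, target_hex: str, wildcard: str = "?"):
    """Fill every `wildcard` in mask with a hex digit until sha256 matches target_hex.

    16**k candidates for k wildcards: 65536 for the four in this challenge,
    far cheaper than the dictionary attack the write-up first considered.
    """
    holes = [i for i, ch in enumerate(mask) if ch == wildcard]
    chars = list(mask)
    for combo in itertools.product(HEX, repeat=len(holes)):
        for pos, ch in zip(holes, combo):
            chars[pos] = ch
        candidate = "".join(chars)
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


# The header value from the write-up and the flag it recovered.
MASK = "ASIS_b6b?244608c2?c2e869cb56?67b64?b1"
FULL_FLAG = "ASIS_b6be244608c27c2e869cb56167b649b1"


def demo():
    """Assumption: the client-side check compared sha256(flag); the target is derived from FULL_FLAG."""
    return recover_masked(MASK, sha256_hex(FULL_FLAG))
```

If the script had compared a salted or iterated hash, the same loop applies with that function substituted for sha256_hex; the search space is set by the mask, not by the hash.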
<br />
<b>Stego 100: Spy Paper</b><br />
<br />
The image was quite big, and it was easy for me to overlook details :P Fortunately redoc found anomalies in the blue channel, and the dots reminded me of <a href="http://en.wikipedia.org/wiki/Punched_tape">punched tape</a>, which was very close to the final solution. We quickly figured out the parity bits and decoded the second part, but we could not find anything meaningful in the first part:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYSoCIHa_KwX8tgaSU6vg1cHOZwqMscZ82uLSsrfQ8P3QShR5kkVqaT6Y6lHgBX6I1i3ESWc7ZIo6Wnchcs509tmfTc7nsxJThFucUs7fcaXPmpG9heKJeCNVpDPuAQe-5SkEy0qSOcKqC/s1600/10247456_4250780603831_9190623956873079927_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYSoCIHa_KwX8tgaSU6vg1cHOZwqMscZ82uLSsrfQ8P3QShR5kkVqaT6Y6lHgBX6I1i3ESWc7ZIo6Wnchcs509tmfTc7nsxJThFucUs7fcaXPmpG9heKJeCNVpDPuAQe-5SkEy0qSOcKqC/s1600/10247456_4250780603831_9190623956873079927_n.jpg" height="251" width="320" /></a></div>
<br />
After spending a lot of time on it, we realized this could be <a href="http://en.wikipedia.org/wiki/Printer_steganography">printer steganography</a>, and the first part could be a date and time. With that we decoded the full flag: 9/6/19 13:22:44 E4sy_0n3.<br />
<br />
<b>Crypto 150: Random Image</b><br />
<br />
This isn't a hard chall. The code seems to generate a new random image from the flag, but in fact there is a strong correlation between the "random" output and the original. Specifically, if a pixel's value is less than 250, the output pixel is some function of its coordinates XORed with a random value that is the same for every pixel. We don't know that random value, but we do know the function of the coordinates, so XORing the encrypted image with it turns every pixel with a value below 250 into the same constant and makes them stand out. Here is the final result of the decryption:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwn_vPWFqMI6bUi8iGN2HDdb2MJHZs-3BIWkReDcTHsIKjAm2uLpjBGDN7KAOpfxgThqkb-9VJO8TW3V18HP6QHjICw2lk6lhOZrIeytB1z_ZkDPEr_NfryGIXQHf37sUiqN9hv8VXDOdN/s1600/flag.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwn_vPWFqMI6bUi8iGN2HDdb2MJHZs-3BIWkReDcTHsIKjAm2uLpjBGDN7KAOpfxgThqkb-9VJO8TW3V18HP6QHjICw2lk6lhOZrIeytB1z_ZkDPEr_NfryGIXQHf37sUiqN9hv8VXDOdN/s1600/flag.png" height="20" width="320" /></a></div>
<br />
<b>Stego 175: White noise</b><br />
<br />
This was easy prey for my powerful <a href="http://www.freewebs.com/quangntenemy/steganabara/index.html">Steganabara</a>, which is why our team quickly became the first solver. A quick histogram analysis shows that the values in the green and blue channels are evenly distributed, and the reason is that they were made to be used as coordinates to rearrange the pixels.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0yKope6acLNeisd7Y0_yl4kyCw8cmWXmixHJqGAF9stsnVWHtuDvveZ65uYFN_W13w3_9K2ClLDWU_081CN8jbbd5tp63hRQjs2G-QSCfdf9DDGj0GmR-yX0m-2kB8WKX2qRuSAxVnTXS/s1600/Screenshot+from+2014-05-13+23:22:04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0yKope6acLNeisd7Y0_yl4kyCw8cmWXmixHJqGAF9stsnVWHtuDvveZ65uYFN_W13w3_9K2ClLDWU_081CN8jbbd5tp63hRQjs2G-QSCfdf9DDGj0GmR-yX0m-2kB8WKX2qRuSAxVnTXS/s1600/Screenshot+from+2014-05-13+23:22:04.png" height="161" width="320" /></a></div>
<br />
However, the red channel has only one value, 128, so rearranging the whole image is pointless: you just get a red square. This got me stumped for a little while, until I realized that the order of arrangement could matter too. Using only the first 30 rows of the image for the rearrangement gave the flag:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhhYgMFrWXupT_zghM_QXdWmWvtzFkKgvj-nH0oBDXoalSjx2kixJnTcypoMwCDCc308ue11RMlbCiTPI22P3x0W9GJ6KmXM8yeq42kTGeH5sKOz23xhIURdvmiargweSp3aFFsGrjs4P/s1600/steg_250_out.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIhhYgMFrWXupT_zghM_QXdWmWvtzFkKgvj-nH0oBDXoalSjx2kixJnTcypoMwCDCc308ue11RMlbCiTPI22P3x0W9GJ6KmXM8yeq42kTGeH5sKOz23xhIURdvmiargweSp3aFFsGrjs4P/s1600/steg_250_out.png" /></a></div>
<br /><br /><b>0x3004 CTF</b> (2014-04-30)<br />Another <a href="http://0x3004.wargame.vn/">great CTF</a> just ended and we were the champions! 0x3004 CTF was a 5-day event celebrating Liberation Day (30/04/1975), which ended all the miseries and brought happiness to everyone. It was a pleasure solving so many challenges of such high quality, thanks to the administrators.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mtjVxYop0tOl-OOb21082U8z2_0Vn7nDfoEjUujk4gOkPSA4Oe8Brg2aFXSejTYTM_JjQDGWLoys1ZUKhnxPJdNgSAl9SRZJCir3Mc1PgQazNmwhetOSrrLAj-QEMsoiVG5bD6BBqvY2/s1600/Screenshot+from+2014-04-30+12:35:38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8mtjVxYop0tOl-OOb21082U8z2_0Vn7nDfoEjUujk4gOkPSA4Oe8Brg2aFXSejTYTM_JjQDGWLoys1ZUKhnxPJdNgSAl9SRZJCir3Mc1PgQazNmwhetOSrrLAj-QEMsoiVG5bD6BBqvY2/s1600/Screenshot+from+2014-04-30+12:35:38.png" height="179" width="320" /></a>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmFPm7rd2wFCVnYAR0lqphMdLHGDISD43t2t2C7wQHTAp45lLpwHcj2CK1MgzNlz4DArGz5VJsl_EOqDuVECjwNi5HKFKgwvMhdbzQWvKLOfy20HzX2yWE3v6BJ8IMVFXecgSbSnkMfNd/s1600/Screenshot+from+2014-04-30+12:35:55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQmFPm7rd2wFCVnYAR0lqphMdLHGDISD43t2t2C7wQHTAp45lLpwHcj2CK1MgzNlz4DArGz5VJsl_EOqDuVECjwNi5HKFKgwvMhdbzQWvKLOfy20HzX2yWE3v6BJ8IMVFXecgSbSnkMfNd/s1600/Screenshot+from+2014-04-30+12:35:55.png" height="179" width="320" /></a></div>
<br />
Below you can find quick write-ups of some challs. Because there are so many of them, I'm only writing out the key points; the rest is up to you :P<br />
<br />
<b>Crypto 50: Phú Yên :: No Encryption Here</b><br />
<br />
The cipher text: <br />
<pre>TSwnQFMsI2BUPlchTDk2JVM5NV1TPTYpTTo3MT89JkFJPFVdUzoiJVQ3ViVOOSVdRzk3MT8+Nl1V PEVdUic5Nz1BPEYxUz8wYGA=</pre>
<br />
<div>
The = padding at the end makes it fairly easy to identify as base64. The decoded text is M,'@S,#`T>W!L96%S95]S=6)M:71?...</div>
<div>
<br />
This text is still encoded, and because it consists only of printable characters from the uuencode alphabet (space through backtick) you can guess that the encoding is <a href="http://en.wikipedia.org/wiki/Uuencoding">uuencode</a>. It can be decoded with this <a href="http://www.webutils.pl/UUencode">online tool</a>, but you have to break it into 2 parts, one per uuencoded line (each line starts with its own length character), to fully decode the flag: 0x3004{please_submit_this_sh!t_and_get_your_rewards}<br />
<br />
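The decoding above as an added Python example (not the author's code) that runs on the challenge's own ciphertext: base64 first, then a small uudecoder that reads each line's length character, so the two lines that were glued together are split automatically. It assumes no begin/end header lines, which is the form the challenge used.

```python
import base64

# The ciphertext exactly as posted in the challenge (the space is a line-wrap artifact).
CIPHERTEXT = ("TSwnQFMsI2BUPlchTDk2JVM5NV1TPTYpTTo3MT89JkFJPFVdUzoiJVQ3ViVOOSVdRzk3MT8+Nl1V"
              " PEVdUic5Nz1BPEYxUz8wYGA=")


def uu_decode_line(line: str) -> bytes:
    """Decode one uuencoded line: a length character, then 4-char groups holding 3 bytes each."""
    n = (ord(line[0]) - 32) & 63            # '`' (96) decodes to 0, same as a space
    acc, nbits, out = 0, 0, bytearray()
    for ch in line[1:]:
        acc = (acc << 6) | ((ord(ch) - 32) & 63)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out[:n])                   # drop the padding bytes of the last group


def uu_decode(text: str) -> bytes:
    """Decode uuencoded data with or without newlines and without begin/end lines.

    Each line announces its own byte count, so its width (1 + 4 * ceil(n / 3) chars)
    is known even when the lines were concatenated: this is the "split it into
    two parts" step, done by arithmetic instead of by hand.
    """
    s = text.replace("\r", "").replace("\n", "")
    out, i = bytearray(), 0
    while i < len(s):
        n = (ord(s[i]) - 32) & 63
        if n == 0:                          # a zero-length line terminates the data
            break
        width = 1 + 4 * ((n + 2) // 3)
        out += uu_decode_line(s[i:i + width])
        i += width
    return bytes(out)


def decode_flag(ciphertext_b64: str) -> bytes:
    """base64 -> uuencode -> flag, the two layers the write-up peeled off."""
    raw = base64.b64decode("".join(ciphertext_b64.split()))
    return uu_decode(raw.decode("ascii"))
```

The first line starts with M (45 bytes, 60 data characters) and the second with ' (7 bytes); a decoder that treats the whole blob as one line stops after 45 bytes, which is why the online tool needed the manual split.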
<b>Crypto 50: Quảng Nam :: Chuyển vận lương thực</b><br />
<div>
<br />
The encryption is done in the cookie. Trying different inputs should bring you to the conclusion that the username and the timestamp are combined, XORed with a binary key and then base64-encoded.</div>
<div>
The string encrypted in the cookie is something like "username=admin;time=2014-04-27T16:27:24.644158". To solve the challenge you have to append ";admin=true" to it (since you know the plaintext, you can recover the key stream and re-encrypt) and get the flag: 0x3004{you_control_the_world}<br />
<br /></div>
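An added example (not the author's code) covering both this cookie and the WhiteHat Grandprix Crypto 300 challenge earlier on this page, since both are repeating-key XOR broken by known plaintext: it recovers the key stream from a known plaintext window, detects the key period, rebuilds the key, decrypts the rest, and re-encrypts a modified cookie. The 72-byte key, the message and the 16-byte cookie key are constructed stand-ins; neither challenge's real key generator is shown on the page.

```python
import base64


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key: the 'encryption' both challenges used."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_known(ciphertext: bytes, known: bytes, offset: int = 0) -> bytes:
    """Key bytes covering ciphertext[offset:offset+len(known)], since C xor P = K."""
    window = ciphertext[offset:offset + len(known)]
    return bytes(c ^ p for c, p in zip(window, known))


def find_period(ks: bytes, max_period: int = 128):
    """Smallest p < len(ks) such that ks[i] == ks[i + p] for every i, or None."""
    for p in range(1, min(max_period, len(ks) - 1) + 1):
        if all(ks[i] == ks[i + p] for i in range(len(ks) - p)):
            return p
    return None


def recover_key(ciphertext: bytes, known: bytes, offset: int, period: int) -> bytes:
    """Assemble one full period of the key from a known-plaintext window."""
    ks = keystream_from_known(ciphertext, known, offset)
    if len(ks) < period:
        raise ValueError("known plaintext must cover at least one full key period")
    key = bytearray(period)
    for i, b in enumerate(ks):
        key[(offset + i) % period] = b
    return bytes(key)


def decrypt_with_known(ciphertext: bytes, known: bytes, offset: int = 0, max_period: int = 128):
    """Known-plaintext attack: detect the period, rebuild the key, decrypt everything."""
    period = find_period(keystream_from_known(ciphertext, known, offset), max_period)
    if period is None:
        raise ValueError("no repeating key with period <= max_period; need more known plaintext")
    key = recover_key(ciphertext, known, offset, period)
    return key, xor_repeat(ciphertext, key)


def forge_cookie(cookie_b64: str, known_plaintext: bytes, suffix: bytes) -> str:
    """Re-encrypt known_plaintext + suffix under the recovered key (the Quảng Nam cookie)."""
    key, _ = decrypt_with_known(base64.b64decode(cookie_b64), known_plaintext)
    return base64.b64encode(xor_repeat(known_plaintext + suffix, key)).decode()


# --- constructed demo 1 (Crypto 300 style): 72-byte period, 80 bytes of known header ---
KEY72 = bytes((37 * i + 11) & 0xFF for i in range(72))   # constructed stand-in for the seeded key
MESSAGE = b"Dear team, the flag for this challenge is stored below. " * 3 + b"FLAG{constructed_sample}"
CT72 = xor_repeat(MESSAGE, KEY72)
KNOWN_HEADER = MESSAGE[:80]                              # the attacker guesses the repeated greeting


def demo_crypto300():
    key, plaintext = decrypt_with_known(CT72, KNOWN_HEADER)
    return len(key), plaintext


# --- constructed demo 2 (Quảng Nam cookie): the server's 16-byte key is unknown to the attacker ---
KEY16 = bytes.fromhex("3a7f11c0de5b9944a1e2037c66d8f015")   # constructed; only the "server" uses it
COOKIE_PT = b"username=admin;time=2014-04-27T16:27:24.644158"


def server_issue_cookie(plaintext: bytes) -> str:
    return base64.b64encode(xor_repeat(plaintext, KEY16)).decode()


def server_read_cookie(cookie_b64: str) -> bytes:
    return xor_repeat(base64.b64decode(cookie_b64), KEY16)


def demo_cookie():
    cookie = server_issue_cookie(COOKIE_PT)               # what the site set for our login
    forged = forge_cookie(cookie, COOKIE_PT, b";admin=true")
    return server_read_cookie(forged)                     # what the server now believes
```

The cookie forgery needs no knowledge of the key in advance: the known plaintext (46 bytes) is longer than the key period, so the full key falls out and any suffix can be appended; with a shorter known window only in-place byte flips are possible.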
<b>Web 50: Yên Bái :: Injection1</b><br />
<div>
<br />
Someone else in our team solved it. Basically the session is kept as serialized data in the cookie, and you can exploit the deserialization to do SQL injection and get the flag.<br />
<br /></div>
<b>Misc 50: Bạc Liêu :: Hidden1</b><br />
<div>
<br />
The flag is hidden somewhere in the source code of the <a href="http://challenges.wargame.vn/">challenge page</a>: 0x3004{_haha_you_found_it_:D}<br />
<br />
<b>Misc 50: Đà Nẵng :: Áo Dài</b></div>
<div>
<br /></div>
<div>
This is a BMP stegano. Analysis with my <a href="http://www.freewebs.com/quangntenemy/steganabara/index.html">Steganabara's</a> Bit Mask Filter (or Caesum's <a href="http://www.caesum.com/handbook/stego.htm">Stegsolve</a>) reveals that there is data hidden in the LSBs of the pixels:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR1btTtRUxd6ydPMGD797eHUcbKxKVixmsTM3nNXMnlcHj6kMwaoJ6zmSlrPUtSaXtBTH2owBFJ26srrvPxuxrz-GNIgQOTf_jUopo1CN2714o2n8xSHN6kK6rn8D4p4YGPs6eBfJGQ1Is/s1600/Screenshot+from+2014-04-30+21:33:44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR1btTtRUxd6ydPMGD797eHUcbKxKVixmsTM3nNXMnlcHj6kMwaoJ6zmSlrPUtSaXtBTH2owBFJ26srrvPxuxrz-GNIgQOTf_jUopo1CN2714o2n8xSHN6kK6rn8D4p4YGPs6eBfJGQ1Is/s1600/Screenshot+from+2014-04-30+21:33:44.png" height="179" width="320" /></a></div>
<div>
<br /></div>
<div>
In fact the authors herd you like BMP so they put a BMP in your BMP so you can extract while you extract :P <a href="http://www.wechall.net/profile/xp45g">xp45g</a> did this with a "murderous unreadable 1-liner", and here's the final result:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4cEh8woLADhXIW9dkYGaj7raOBcl6P1dGT3fTj81-rwa4joezMaC041_-_w4pGvcgsQa97nivNFq73zFU-YtbkzSZ_Y9dlI3dqazK5_zO7u0el60o-oQYX5T9CsHA6poewl7m3pS5UTpO/s1600/aodai-out.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4cEh8woLADhXIW9dkYGaj7raOBcl6P1dGT3fTj81-rwa4joezMaC041_-_w4pGvcgsQa97nivNFq73zFU-YtbkzSZ_Y9dlI3dqazK5_zO7u0el60o-oQYX5T9CsHA6poewl7m3pS5UTpO/s1600/aodai-out.png" height="58" width="320" /></a></div>
<div>
<br /></div>
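An added Python example (not the author's or Steganabara's code) for both this challenge and Excaliflag in the 3DS CTF write-up above: the Bit Mask Filter as code, reading a chosen bit of chosen channels and packing the bits into bytes, plus the embedding side so the round trip can be checked, and a magic-number check for a file hidden inside (the BMP-in-BMP case). Pixels are plain (r, g, b) tuples, so no image library is needed; the cover image and payload are constructed.

```python
# A pixel grid is a list of rows, each row a list of (r, g, b) tuples, which is
# what Pillow's Image.getdata() gives after reshaping by width.
R, G, B = 0, 1, 2

MAGIC = [(b"BM", "BMP"), (b"\x89PNG", "PNG"), (b"\x7fELF", "ELF"), (b"PK\x03\x04", "ZIP")]


def bytes_to_bits(data: bytes):
    """MSB-first bit list, the order most LSB stego tools use."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def embed(pixels, payload: bytes, channels=(B,), bit=0):
    """Hide payload in `bit` of the given channels, row-major, one bit per channel per pixel."""
    bits = bytes_to_bits(payload)
    capacity = len(pixels) * len(pixels[0]) * len(channels)
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, cover holds {capacity}")
    it = iter(bits)
    out = []
    for row in pixels:
        new_row = []
        for px in row:
            px = list(px)
            for ch in channels:
                b = next(it, None)
                if b is not None:
                    px[ch] = (px[ch] & ~(1 << bit)) | (b << bit)
            new_row.append(tuple(px))
        out.append(new_row)
    return out


def extract(pixels, channels=(B,), bit=0) -> bytes:
    """The Bit Mask Filter as code: read `bit` of each chosen channel and pack to bytes."""
    bits = [(px[ch] >> bit) & 1 for row in pixels for px in row for ch in channels]
    return bits_to_bytes(bits)


def identify(data: bytes):
    """Name the embedded file by its leading magic bytes, or None."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None


# Constructed 32x8 cover (a gradient) and a payload that starts like a BMP header.
COVER = [[(x * 8 % 256, y * 32 % 256, (x + y) * 4 % 256) for x in range(32)] for y in range(8)]
PAYLOAD = b"BM" + b"3DS{constructed_sample}"


def demo():
    stego = embed(COVER, PAYLOAD, channels=(B,), bit=0)
    recovered = extract(stego, channels=(B,), bit=0)
    return identify(recovered), recovered[:len(PAYLOAD)]
```

On a real image you would try each channel and bit position in turn and run identify() (or look for the flag format) on each extraction; the blue-LSB, row-major, MSB-first choice here is the one both challenges happened to use.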
<b>Misc 50: Vĩnh Long :: HeartBeat</b><br />
<div>
<br />
This is similar to the famous <a href="http://heartbleed.com/">HeartBleed bug in OpenSSL</a>. It's even easier because you can put the length directly into the URL. If you request a bigger length than the actual string, the rest of the memory is printed out. We used a length of -1 to dump everything, and after a few tries we got the flag: 0x3004{He4rtBle3d_works_this_way}<br />
<br /></div>
<b>Misc 50: Lâm Đồng :: Hidden2</b><br />
<div>
<br />
The flag is again hidden in the source code of the <a href="http://0x3004.wargame.vn/">home page</a>: 0x3004{hidden2_hidden_everywhere}<br />
<br /></div>
<b>Web 100: Hải Dương :: CRYPOT</b>
<br />
<div>
<br />
The encryption can be broken with a <a href="http://en.wikipedia.org/wiki/Differential_cryptanalysis">differential attack</a>. In each loop iteration the ciphertext is XORed with a hash derived from one character of the input and one character of the flag, so you can use two inputs of the same length as the flag (31) that differ only in the last character, XOR the two results (which is also the XOR of the two hashes from the last iteration), and from there work out the last character of the flag. Continue backwards and you recover the flag: 0x3004{p_to_the_h_to_the_p_yo!}<br />
<br /></div>
<b>Web 100: Tuyên Quang :: Injection2</b>
<br />
<div>
<br />
You can still exploit the deserialization to inject SQL code. Below is how <a href="http://www.wechall.net/profile/xp45g">xp45g</a> solved it :P<br />
<br /></div>
<div>
<div>
10:54:36: <xp45g> $ phpsessid="$(tr -cd a-zA-Z0-9 < /dev/urandom | head -c 32)" ; curl -s http://challenges.wargame.vn/100-Injection2_00cda8c5d1f13e0e2cb2825c0e9e6618/ -H "Cookie: PHPSESSID=$phpsessid;login=$(./ser.php "wtf',''),(null,(select flag from web100_flag), '$phpsessid') #")" | html2text</xp45g></div>
<div>
10:54:38: <xp45g> Welcome you back. This time, we made it more secure!</xp45g></div>
<div>
10:54:40: <xp45g> Your action has been logged to our DB.</xp45g></div>
<div>
10:54:42: <xp45g> You are logged in as guest.</xp45g></div>
<div>
10:54:44: <xp45g> Your action has been logged to our DB.</xp45g></div>
<div>
10:54:46: <xp45g> Your last logged in time: 0x3004{php_0bj3ct_m4k35_1t_3a5y}.</xp45g></div>
<div>
10:54:48: <xp45g> win \o/</xp45g><br />
<xp45g><br /></xp45g></div>
</div>
<b>Web 100: Quảng Ninh :: PATH TO PRO</b><br />
<div>
<br />
This was quite an annoying chall. At first we found a blind injection using double quotes and the substring function and used it to get the admin password YOUWONTBEABLETOGUESSTHISPASS__@#!@(#*!@(#*!@(#*)(!@*#, but that wasn't enough to get the flag.</div>
<div>
<br />
We had trouble identifying the DBMS because of the many abnormalities, and in the end it turned out the challenge was about <a href="https://www.owasp.org/index.php/XPATH_Injection">XPath injection</a>, similar to SQL injection in theory but not as popular in practice. The flag was 0x3004{XXXpath}<br />
<br /></div>
<b>RE 100: Nghệ An :: PHPVLD</b><br />
<div>
<br />
Our team had some trouble with this chall because we misinterpreted the code, but it was basically just a hash collision. Just generate 2 strings with the same MD5 hash and the chall is solved.<br />
<br /></div>
<div>
</div>
<b>Crypto 100: Bình Định :: SERICRYPT</b><br />
<div>
</div>
<div>
<br />
The method to solve this chall is similar to the one described in the <a href="http://en.wikipedia.org/wiki/RSA_%28cryptosystem%29">RSA page</a>: you factorize n, calculate phi(n), then calculate the modular multiplicative inverse and decrypt the message. The result is: 6396138900968155672706619512005662088160241943837385041483898733707420105484519573719621312884.<br />
<br /></div>
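<div>
The procedure above, as an added worked example in Python (my own code, not the challenge's or the author's solver). It factors a toy modulus by trial division, derives phi(n) and d, and decrypts; the key (p=61, q=53, e=17) is the textbook example from the linked RSA page and is constructed for this demonstration. Real CTF moduli need a proper factoring tool, but the arithmetic after the factorization step is identical.<br />
</div>

```python
from math import isqrt


def trial_division(n):
    """Return the smallest prime factor of n by trial division.
    Only feasible for toy-sized moduli; the point is what happens
    after a factor is known, not how it is found."""
    if n % 2 == 0:
        return 2
    f = 3
    while f <= isqrt(n):
        if n % f == 0:
            return f
        f += 2
    return n  # n itself is prime


def recover_private_exponent(n, e):
    """Factor n = p*q, compute phi(n) = (p-1)(q-1), and invert e modulo phi(n)."""
    p = trial_division(n)
    q = n // p
    assert p * q == n and p != q, "expected n to be a product of two distinct primes"
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular multiplicative inverse (Python 3.8+)
    return p, q, d


def rsa_decrypt_from_public_key(n, e, c):
    """Decrypt ciphertext c knowing only (n, e): possible only because n factors."""
    _, _, d = recover_private_exponent(n, e)
    return pow(c, d, n)


if __name__ == "__main__":
    # Constructed toy key: p=61, q=53, n=3233, e=17 (the example on the RSA page)
    n, e = 3233, 17
    m = 65
    c = pow(m, e, n)
    print(recover_private_exponent(n, e))        # (53, 61, 2753)
    print(rsa_decrypt_from_public_key(n, e, c))  # 65
```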
<div>
</div>
<b>Misc 100: Gia Lai :: Wireshark</b><br />
<div>
</div>
<div>
<br />
This was an easy chall. At first glance we thought the traffic was encrypted using SSL but in the end the flag was transferred in just plain text and you can see it by searching for 0x3004 in a text editor: 0x3004{I_l0v3_wir35h4rk_S0_MUCH!}<br />
<br /></div>
<div>
</div>
<b>Misc 100: Trà Vinh :: f_x</b><br />
<div>
</div>
<div>
<br />
Our analysis was like this: f(12)/f(11) ~= 2.8, f(11)/f(10) ~= 3.1, (12/11)^12 = 2.84094437661548, (11/10)^12 = 3.138428376721, so the function should be a polynomial of degree 12. With this the problem becomes solving a system of 13 equations, and even though I only had to modify my old program a little I was still a lot slower than xp45g's <a href="http://rise4fun.com/z3py">z3</a>. The flag was 0x3004{M4thz1g}<br />
<br /></div>
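<div>
The degree estimate and the 13-equation solve, as an added example (my own code, not the team's program or the z3 script). <code>estimate_degree</code> is the ratio heuristic from the paragraph, which only works once the leading term dominates the lower-order ones; <code>interpolate</code> recovers the coefficients exactly with rational arithmetic via Lagrange interpolation, which solves the same linear system of degree+1 equations a different way. The sample polynomial is constructed.<br />
</div>

```python
from fractions import Fraction
from math import log


def estimate_degree(f_n, f_n1, n):
    """Estimate the degree from two consecutive values f(n), f(n+1):
    for large enough n, f(n+1)/f(n) is close to ((n+1)/n)^degree.
    Heuristic only; it is off when n is small relative to the lower coefficients."""
    return round(log(f_n1 / f_n) / log((n + 1) / n))


def interpolate(points):
    """Exact Lagrange interpolation: coefficients c[0..m-1] (lowest degree first)
    of the unique polynomial of degree < m passing through the m points (x, y)."""
    m = len(points)
    coeffs = [Fraction(0)] * m
    for i, (xi, yi) in enumerate(points):
        basis = [Fraction(1)]  # running product prod_{j != i} (x - xj), as coefficients
        denom = Fraction(1)    # prod_{j != i} (xi - xj)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [Fraction(0)] * (len(basis) + 1)
            for k, b in enumerate(basis):
                nxt[k + 1] += b       # x * b
                nxt[k] -= b * xj      # -xj * b
            basis = nxt
            denom *= xi - xj
        for k, b in enumerate(basis):
            coeffs[k] += yi * b / denom
    return coeffs


def evaluate(coeffs, x):
    """Evaluate a coefficient list (lowest degree first) at x."""
    return sum(c * x ** k for k, c in enumerate(coeffs))


if __name__ == "__main__":
    # Constructed sample: f(x) = x^3 + 2x + 1, queried at degree + 1 = 4 points
    f = lambda x: x ** 3 + 2 * x + 1
    print(estimate_degree(f(100), f(101), 100))   # 3
    pts = [(x, f(x)) for x in range(4)]
    print([int(c) for c in interpolate(pts)])       # [1, 2, 0, 1]
```

<div>
For the challenge itself the oracle would be queried at 13 distinct points and the 13 pairs fed to <code>interpolate</code>; the ratio check just tells you how many points to ask for.<br />
</div>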
<div>
</div>
<b>Crypto 150: Thừa Thiên Huế :: Tàng hình</b><br />
<div>
</div>
<div>
<br />
This is basically stegano: the flag was hidden inside the KingthingsTrypewriter2 font file. Open it using a font editor like <a href="http://sourceforge.net/projects/ttfedit/">ttfedit</a> and you'll get the flag: 0x3004{H4Ppy_huNt1Ng} - it was changed later, but someone else in our team solved it and I'm too lazy to solve it again :P<br />
<br /></div>
<div>
</div>
<b>Web 150: Lạng Sơn :: XYZ Bank</b><br />
<div>
</div>
<div>
<br />
If you use the default login suggested by the page you'll get a cookie that decrypts to something like ["guest","guest",1234]. Using a python mysql bug you can use ["guest",0,1234] and the session is still valid. Changing the username to admin and brute-forcing the pin you can get the flag: 0x3004{goooo_home_homie}<br />
<br /></div>
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXGmcReCtjW_q0U23c1z2T_4Rx9YkV3VbDR1DCO-1ls_0W59uALjwWYVxAnajXKFXegvX0gTOMNvUFdx8CQePCE8Hu5MEowtzGlGiCEyDnD2VbKQT2DLMGGMOjlg_vit41WM7HLBiHLMhP/s1600/Screenshot+from+2014-04-30+15:02:192.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXGmcReCtjW_q0U23c1z2T_4Rx9YkV3VbDR1DCO-1ls_0W59uALjwWYVxAnajXKFXegvX0gTOMNvUFdx8CQePCE8Hu5MEowtzGlGiCEyDnD2VbKQT2DLMGGMOjlg_vit41WM7HLBiHLMhP/s1600/Screenshot+from+2014-04-30+15:02:192.png" height="262" width="320" /></a></div>
<div>
</div>
<div>
<b>Crypto 200: An Giang :: Super RSA</b></div>
<div>
</div>
<div>
<br />
Your job is to break an RSA encryption knowing just the public key. However with the source code available you can see that there is a weakness in the encryption: the private key is small (only 1024 bits) while the public key is big (6144 bits). Now the encryption can be broken using <a href="http://en.wikipedia.org/wiki/Wiener%27s_attack">Wiener's attack</a>.<br />
<br /></div>
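<div>
Wiener's attack as an added worked example (my own code, not the challenge's or the author's): given only (e, N) with a small private exponent, the convergents of the continued fraction of e/N reveal k/d, from which phi(N) and the two factors follow. The toy key (p=379, q=239, d=5) is the one from the linked Wikipedia article; the check at the end is the bound a key generator should enforce so that such keys are never issued.<br />
</div>

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients of num/den (Euclid's algorithm)."""
    cf = []
    while den:
        a = num // den
        cf.append(a)
        num, den = den, num - a * den
    return cf


def convergents(cf):
    """Yield the successive convergents h/k of a continued fraction."""
    h_prev2, h_prev1 = 0, 1
    k_prev2, k_prev1 = 1, 0
    for a in cf:
        h = a * h_prev1 + h_prev2
        k = a * k_prev1 + k_prev2
        yield h, k
        h_prev2, h_prev1 = h_prev1, h
        k_prev2, k_prev1 = k_prev1, k


def wiener_attack(e, n):
    """Recover (d, p, q) from a public key whose private exponent is small,
    or return None when no convergent of e/n yields a consistent phi(n)."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1           # p + q
        disc = s * s - 4 * n      # (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc or (s + r) % 2:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == n:
            return d, p, q
    return None


def private_exponent_is_too_small(d, n):
    """Wiener's bound, in integer form: d < n^(1/4) / 3 makes the key recoverable."""
    return 3 * d < isqrt(isqrt(n))


if __name__ == "__main__":
    e, n = 17993, 90581  # toy key from the Wikipedia article on Wiener's attack
    print(wiener_attack(e, n))                  # (5, 379, 239)
    print(private_exponent_is_too_small(5, n))  # True
```

<div>
The second test key (n=3233, e=17, d=2753) shows the other side: with d above the bound no convergent produces a valid phi(n) and the function returns None.<br />
</div>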
<div>
</div>
<b>Crypto 250: Lai Châu :: CRYPTOWWW</b><br />
<div>
</div>
<div>
<br />
In this chall you need to bypass the hash check to do SQL injection. This can be done using a <a href="https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks">hash length extension attack</a>. At first we were getting no result because we assumed a secret length of 6, but in the end we wrote a program to brute-force the length (which turned out to be more than 20) and got the flag: 0x3004{www_mix_crypto_ftw}<br />
<br /></div>
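<div>
The length extension the write-up refers to, as an added example in Python (my own code, not the challenge's or the team's program). It carries its own SHA-1 so the compression state can be seeded from a known digest, forges H(secret || message || padding || suffix) from H(secret || message) and the secret length alone, and verifies the result against hashlib. The secret and messages are constructed. The HMAC functions at the end are the construction that is not affected, which is the fix a defender would apply; when the secret length is unknown, the same call is simply repeated for each candidate length, as the write-up did.<br />
</div>

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e))]


def sha1_padding(total_len):
    """The padding SHA-1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=None, prior_len=0):
    """SHA-1 of data; optionally resume from a known state as if prior_len bytes
    (a multiple of 64) had already been absorbed. That resumption is the attack."""
    state = list(state or (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0))
    padded = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(padded), 64):
        state = _sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


def length_extend(known_digest, secret_len, message, suffix):
    """From H(secret||message) and len(secret) only, forge the digest of
    secret||message||glue||suffix, where glue is the padding the hash used."""
    glue = sha1_padding(secret_len + len(message))
    forged_message = message + glue + suffix
    state = struct.unpack(">5I", known_digest)       # the digest *is* the internal state
    resumed_len = secret_len + len(message) + len(glue)
    return forged_message, sha1(suffix, state=state, prior_len=resumed_len)


# Defender side: HMAC keys the hash on both ends, so the tag no longer equals
# the internal state and nothing can be appended without the key.
def hmac_tag(secret, message):
    return hmac.new(secret, message, hashlib.sha1).digest()


def hmac_verify(secret, message, tag):
    return hmac.compare_digest(hmac_tag(secret, message), tag)


def demo():
    """Run the forgery against a constructed secret and report what a server would see."""
    secret = b"constructed-secret-value"   # constructed; the attacker never learns it
    message = b"user=guest"
    original = hashlib.sha1(secret + message).digest()
    forged_msg, forged_digest = length_extend(original, len(secret), message, b"&role=admin")
    return {
        "own_sha1_matches_hashlib": sha1(b"abc") == hashlib.sha1(b"abc").digest(),
        "plain_hash_accepts_forgery": hashlib.sha1(secret + forged_msg).digest() == forged_digest,
        "hmac_accepts_forgery": hmac_verify(secret, forged_msg, forged_digest),
    }


if __name__ == "__main__":
    print(demo())  # {'own_sha1_matches_hashlib': True, 'plain_hash_accepts_forgery': True, 'hmac_accepts_forgery': False}
```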
<div>
</div>
<b>Bonus: Pwn 300: Hà Nội :: Vượt Ngục 2</b><br />
<div>
</div>
<div>
<br />
The nerd term for this type of challenge is "golfing". Below is the result of our python experts' teamwork. Don't ask me for the code explanation :P In fact, after the CTF ended they managed to golf it down even more :P<br />
<br /></div>
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxpLLS1JT1R_kM3vs4fEWVDg-X_jhTlxkHSRAZVPfWGigM5ADIoTwGw_eqpDlSGU26FTRo1q_LKayiMkkzl85oLA2eEWduDsEOaQuvkLfjAgKS25XJFXUAx9xBnutQLOqxQz2T8OB8FZSS/s1600/Screenshot+from+2014-04-30+15:06:31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxpLLS1JT1R_kM3vs4fEWVDg-X_jhTlxkHSRAZVPfWGigM5ADIoTwGw_eqpDlSGU26FTRo1q_LKayiMkkzl85oLA2eEWduDsEOaQuvkLfjAgKS25XJFXUAx9xBnutQLOqxQz2T8OB8FZSS/s1600/Screenshot+from+2014-04-30+15:06:31.png" height="179" width="320" /></a></div>
<div>
</div>
<div>
<br />
For more information and solutions for other challs, you can visit <a href="http://logic.stypr.com/ctf/2014/">stypr's write-up page</a> :P</div>
</div>
<br />
<b>RuCTF Quals 2014</b> (quangntenemy, 2014-03-10)<br />
<br />
Another great CTF with many challenges in all categories just ended. Our team was #7. Nana. Not too bad, but it was so annoying that without a network specialist we could not solve the admin 200 task "Troubleshooting", which 97 other teams solved with ease.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1l6DzAXJVBm4PbcjmkNSBj3hzKa4i1NohmRp6Y8axCZBPMf2PE4PeezAEaP-072NOdlJfPObDlx_HQTdWve5jPT8IB-G3l7I_Q6IYtf2Npa3khyphenhyphen4Zb-0wAXSV7P3zkU9S5iVocE5hiPd/s1600/Screenshot+from+2014-03-10+21:40:292.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1l6DzAXJVBm4PbcjmkNSBj3hzKa4i1NohmRp6Y8axCZBPMf2PE4PeezAEaP-072NOdlJfPObDlx_HQTdWve5jPT8IB-G3l7I_Q6IYtf2Npa3khyphenhyphen4Zb-0wAXSV7P3zkU9S5iVocE5hiPd/s1600/Screenshot+from+2014-03-10+21:40:292.png" height="153" width="320" /></a></div>
<br />
Below are some write-ups. Hopefully they can give new players an introduction to steganalysis.<br />
<br />
<b>stegano 100: Cat's eye</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD9ozhvWXZnTMzrncd1VbEkWDSA1O4xHc6iqSnLZvaVva6I-SEY97ZrHSxGo2pU9V77-EkvEgqTCSv-AhrI9hpQUy2yaLg3l3VTBpC52BEYCQ5vtv6hmeHwYYNZZZnfyfpxJL1IUlYGV1M/s1600/task.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD9ozhvWXZnTMzrncd1VbEkWDSA1O4xHc6iqSnLZvaVva6I-SEY97ZrHSxGo2pU9V77-EkvEgqTCSv-AhrI9hpQUy2yaLg3l3VTBpC52BEYCQ5vtv6hmeHwYYNZZZnfyfpxJL1IUlYGV1M/s1600/task.gif" height="135" width="200" /></a></div>
<br />
This is an easy GIF stegano, but it took me quite a while analysing the image until I noticed it contained 8 similar frames which wasn't easy to notice in GIMP by default (note to myself: next time check the frames first). It is common sense to combine them and find the differences. The positions of the different pixels are as marked below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpUX2RgIk4uNQTGuSRHQin-Fra1RUhM0DShs4plBdbxqtv9quwrTFKug-jGGdm_3F332bSIH9CDv9D5ndzWoKHglL_-8yPlS18Yxuv18VsD2bfziUA_OrTP1qxNzJMtaXarNLr5EcdHQaT/s1600/task.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpUX2RgIk4uNQTGuSRHQin-Fra1RUhM0DShs4plBdbxqtv9quwrTFKug-jGGdm_3F332bSIH9CDv9D5ndzWoKHglL_-8yPlS18Yxuv18VsD2bfziUA_OrTP1qxNzJMtaXarNLr5EcdHQaT/s1600/task.png" height="135" width="200" /></a></div>
<br />
It isn't very straightforward, but the flag is hidden here in binary representation. Using black pixels as 0s and green pixels as 1s gives you the flag: RUCTF_e4dd9f5cee307b322c3a27abe66e3df9<br />
<br />
<b>stegano 300: Nyan-task</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhCPm51dVEoSdP-YduKx0dzG9SlkybieNRMthwLSOJBO9atWXaVoIHwifvv90lNKBiVkPKx3PJmeEE7R8RrnM-9dIzoggFgO0aheGWWxZQJj0OF3VZOTngTCof2hVUUDoiWPUgCap4z2Q/s1600/nyan-task.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhCPm51dVEoSdP-YduKx0dzG9SlkybieNRMthwLSOJBO9atWXaVoIHwifvv90lNKBiVkPKx3PJmeEE7R8RrnM-9dIzoggFgO0aheGWWxZQJj0OF3VZOTngTCof2hVUUDoiWPUgCap4z2Q/s1600/nyan-task.png" height="250" width="400" /></a></div>
<b><br /></b>
This is a very famous image. By finding and comparing it with the original image it can be concluded that there is no information hidden visually. Analysis with <a href="http://www.caesum.com/handbook/stego.htm">Caesum's StegSolve</a> brought me to the conclusion that the only place to hide the flag is inside the palette. It is also suspicious to see only 14 colors used for the image while the palette contains 256 colors with a lot of repetition.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibRztwMhOWXcYOHPqH-rqU_8c1hs-vfAohu_CtKLg3vkNSXOwtOslL2gnZbA-KWK8hwgKLYrby3BB4CeTEy0Z5_W6j8gv6oxTbRYq5djA_w76OmM8MCC_-q05JBktKSpBfxExiEfjsxWxH/s1600/nyan-palette.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibRztwMhOWXcYOHPqH-rqU_8c1hs-vfAohu_CtKLg3vkNSXOwtOslL2gnZbA-KWK8hwgKLYrby3BB4CeTEy0Z5_W6j8gv6oxTbRYq5djA_w76OmM8MCC_-q05JBktKSpBfxExiEfjsxWxH/s1600/nyan-palette.png" /></a></div>
<br />
After extracting the palette I found out that this is actually a <a href="http://en.wikipedia.org/wiki/Data_Matrix">DataMatrix barcode</a> (thanks <a href="http://www.wechall.net/profile/stypr">stypr</a>). The rest is easy. The hidden text is u.to/P4JUBg, which is a link to the flag: RUCTF_ca8250c2b4b50581afc9ffd1f403f3f2<br />
<br />
<b>crypto 200: Mary Queen</b><br />
<br />
The task is to decipher a message written in Chinese characters. The title suggests that this is similar to the cipher used by Mary Queen of Scots, which is a cryptosystem in which simple substitution is used. This cipher is so weak that many tools have been created to solve it automatically, <a href="http://www.secretcodebreaker.com/scbsolvr.html">SCBSolvr</a> is one of them. The decrypted text is chapter I of Alice's Adventures in Wonderland by Lewis Carroll. The name of the book is also the flag.<br />
<br />
<b>Olympic CTF Sochi 2014</b> (quangntenemy, 2014-02-09)<br />
<br />
The CTF just ended. And by breathtakingly solving a chall in the last minutes we won the silver medals. Banzai!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr30SCVG9vYbtzWTqM2JWaCZXqcXKR74TtWcJyiNFkxi6uXVosv0ScjYVUYTrRDPU1S-VQTjcWsf6WeVQcEV1OqaVhtgotbJn9xP8tWmE2U7uXffn-qf7WJvKWZ8fat4heYhZkBKm-rfiE/s1600/Screenshot+from+2014-02-09+23:12:572.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgr30SCVG9vYbtzWTqM2JWaCZXqcXKR74TtWcJyiNFkxi6uXVosv0ScjYVUYTrRDPU1S-VQTjcWsf6WeVQcEV1OqaVhtgotbJn9xP8tWmE2U7uXffn-qf7WJvKWZ8fat4heYhZkBKm-rfiE/s1600/Screenshot+from+2014-02-09+23:12:572.png" height="235" width="400" /></a></div>
I was only involved in some parts of the challenges, so no write up this time :P<br />
<br />
Update: With this achievement our team <a href="http://defcon.org/html/links/dc-news.html#dc22qualifiers">qualified for DEFCON 22 CTF</a>. So awesome, but Las Vegas is so far away :(<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitPXBmzRmNHiBVwA6uyXCYT5cxqgW_CFiy361nCgCdhqhl5mq0ZsM_yvg3ibMnFLgp8du-6IXGTeSGIrxR0D6ip_FfqdbPgCHVMEHHDX02dT3XZLZ5pEl4W4U_5Qe4s5WFbPmy448B9YYB/s1600/Screenshot+from+2014-03-10+23:39:242.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitPXBmzRmNHiBVwA6uyXCYT5cxqgW_CFiy361nCgCdhqhl5mq0ZsM_yvg3ibMnFLgp8du-6IXGTeSGIrxR0D6ip_FfqdbPgCHVMEHHDX02dT3XZLZ5pEl4W4U_5Qe4s5WFbPmy448B9YYB/s1600/Screenshot+from+2014-03-10+23:39:242.png" height="400" width="345" /></a></div>
<br />
<b>PHDays CTF Quals 2014</b> (quangntenemy, 2014-01-27)<br />
<br />
The qualification round just ended today. Our team finished at rank #9. Chinese New Year is coming soon, so I only managed to catch up with the guys for just a little more than one hour. During that short period of time our team impressed even ourselves by solving 3 challenges and jumping back into the top 10. I was involved in 1 of the challs: a ucucuga challenge titled "mp3 me".<br />
<br />
The challenge is basically an mp3 stegano. After examining the file we came to the conclusion that there was nowhere else to hide the flag other than in the id3 part of the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi48WGUp2KcK27n3eRpA1j7G828t-FFG9yWl8YlhvOsLfRMSRJxfjmSmwWq1ztbdVCqNvPHDS9CztJ9qfUsu_Mb-y0kDrQmVxlna61pyXfrHCpF1NaQ4wTrsglLhh6U3O89LhYq5br7qa8q/s1600/Screenshot+from+2014-01-27+21:55:10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi48WGUp2KcK27n3eRpA1j7G828t-FFG9yWl8YlhvOsLfRMSRJxfjmSmwWq1ztbdVCqNvPHDS9CztJ9qfUsu_Mb-y0kDrQmVxlna61pyXfrHCpF1NaQ4wTrsglLhh6U3O89LhYq5br7qa8q/s1600/Screenshot+from+2014-01-27+21:55:10.png" height="180" width="400" /></a></div>
<br />
Now this is the part where losers are separated from winners. The RGB tags and the presentation of values in triplets make most people try to find a way to get an image, but they are actually just red herrings. The real clue here is the occurrence of NULL. It suggests the end of a message. After trying some conversion, I found out that "78-9c" (hex values of 120-156) was the signature of zlib compressed data, and with that <a href="http://www.wechall.net/profile/dloser">dloser</a> was able to quickly recover the precious flag.<br />
<br />
<pre><dloser> >>> zlib.decompress('789ccb8ccf482c498d2f4d06c2f444002a9f05b7'.decode('hex'))
<dloser> 'i_hate_ucucuga'
</pre>
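<div>
Carving a zlib stream out of an unknown blob, as an added example (my own code, not dloser's one-liner): it recognises the 78 xx header by the RFC 1950 rule (compression method 8, window size at most 7, and the 16-bit header value a multiple of 31), inflates from each candidate offset, and keeps only streams that end cleanly with a valid checksum, so a pair of bytes that merely look like a header is discarded. The hex string from the chat above is one input; the second blob is constructed.<br />
</div>

```python
import zlib

# The stream recovered in the chat above (from the page)
PAGE_HEX = "789ccb8ccf482c498d2f4d06c2f444002a9f05b7"

# Constructed blob: junk, a zlib stream, then trailing junk
SAMPLE_BLOB = b"\x00\x01\x02" + zlib.compress(b"hello world") + b"\xff\xee"


def looks_like_zlib_header(b0, b1):
    """RFC 1950: CM == 8 (deflate), CINFO <= 7, and (CMF<<8 | FLG) % 31 == 0.
    The familiar 78 9c / 78 da / 78 01 headers all satisfy this."""
    return (b0 & 0x0F) == 8 and (b0 >> 4) <= 7 and ((b0 << 8) | b1) % 31 == 0


def carve_zlib_streams(blob):
    """Scan an arbitrary byte blob for embedded zlib streams and inflate each one.
    Returns a list of (offset, inflated_bytes). Trailing garbage after a stream is
    tolerated by using a decompress object and checking that it reached end-of-stream."""
    found = []
    for i in range(len(blob) - 1):
        if not looks_like_zlib_header(blob[i], blob[i + 1]):
            continue
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[i:])
        except zlib.error:
            continue  # false positive: header-looking bytes followed by non-deflate data
        if d.eof:     # the stream terminated and its adler32 checksum verified
            found.append((i, data))
    return found


def triplets_to_bytes(triplets):
    """Turn decimal 'RGB' triplets, like the ones in the id3 tags, back into raw bytes."""
    return bytes(v for t in triplets for v in t)


if __name__ == "__main__":
    print(carve_zlib_streams(bytes.fromhex(PAGE_HEX)))   # [(0, b'i_hate_ucucuga')]
    print(carve_zlib_streams(SAMPLE_BLOB))               # [(3, b'hello world')]
```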
<br />
Solving challenges is fun, and it's even more thrilling when there is a time limit. Oh, it is also good to be able to let everyone know how you solved them, not just limited to the solvers as on normal challenge sites.<br />
<br />
<b>Ghost in the Shellcode 2014</b> (quangntenemy, 2014-01-20)<br />
<br />
Recently, I have been invited to join team <a href="https://ctftime.org/team/5348">penthackon</a>, a team full of veterans, to participate in CTF events.<br />
<br />
As someone who only plays for fun, I find the recent <a href="https://2014.ghostintheshellcode.com/">Ghost in the Shellcode 2014</a> CTF quite an enjoyable experience. It's really amazing to see the creators spending a lot of efforts to put up an MMORPG named "Choose Your Pwn Adventure 2", just to be hacked by the players :P<br />
<br />
As an uber cheater, I was involved in 2 of the quests: A Boaring Quest and Unbearable. The first quest requires killing over 9000 boars, something not easily done and most cheaters don't want to do it the normal way. <a href="http://www.wechall.net/profile/jjk">jjk</a> was the one who solved it for our team, but his method involved capturing and replaying the kill packet, and it was hard for everyone else to follow the same method.<br />
<br />
Because the logic of the game was implemented in .NET, using <a href="http://www.red-gate.com/products/dotnet-development/reflector/">.NET Reflector </a>with <a href="http://reflexil.net/">Reflexil</a> plugin I was able to patch the game to send 1001 kills to the server. So only 10 kills were needed to finish the quest (Actually it was possible to send 10000 kills in 1 go but we did it this way to be "nice" to the server :P)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkqh3R1ymaF4_xZtiHMMlxTMOx7Tv8oG7NqqCYr2s6AAVO3OWCvctSOC4ntwhPFOKvgOx9yOVVBdpG9YgLr4mc9UfyjJnmlW4jfaF4Z6PPTVEwLWQOLJmKvD1GxAl78XMarNo9KoQmt5AC/s1600/reflex1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkqh3R1ymaF4_xZtiHMMlxTMOx7Tv8oG7NqqCYr2s6AAVO3OWCvctSOC4ntwhPFOKvgOx9yOVVBdpG9YgLr4mc9UfyjJnmlW4jfaF4Z6PPTVEwLWQOLJmKvD1GxAl78XMarNo9KoQmt5AC/s1600/reflex1.png" height="216" width="400" /></a></div>
<br />
The second quest was a little bit trickier: the treasure chest was protected by a shitload of bears, and after opening it you had to survive for 5 minutes before getting the flag. To make it even more impossible, the bears were armed with guns and they would all shoot you to death. This was actually a fun experience, everyone tried to avoid being hit, killing bears with uber weapons, changing the bears' AI... with no success. In the end, the solution was quite simple and logical. There was this holy item called wine that gave you 10-20% damage protection, however that protection can be patched from the client. I patched it to 100% to become invincible (also because each wine only lasts for 1 minute, I needed to drink 6 of them :P)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXCDnMnf_c9Bspmcg7sFgJ0yB3q-Why-06224vN2FC7Lg7URGPJgCC47V1QJ4Lb3V7FTB9AVdNxXmPl1nYfvPyWMAdAsb2Ur_JpVY5PrLp2YiYUkYtBtSom1mXuaIYeotmjeYS18QDTS0H/s1600/reflex2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXCDnMnf_c9Bspmcg7sFgJ0yB3q-Why-06224vN2FC7Lg7URGPJgCC47V1QJ4Lb3V7FTB9AVdNxXmPl1nYfvPyWMAdAsb2Ur_JpVY5PrLp2YiYUkYtBtSom1mXuaIYeotmjeYS18QDTS0H/s1600/reflex2.png" height="216" width="400" /></a></div>
<br />
Below is the screenshot of my character after winning both flags<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUcWsULONsDeXDdnwl28KHWGmrnSG9D3eSbTHIf9QwenG29SlEsGg5DMlLyun0SmPBc05SlBEaFHFX1gpACmeAB89aSWkL59mfnIVCEUHzwhV51eSHsT77CQ-c7YiCVlyxTRxmOhTy4sw9/s1600/Screenshot+from+2014-01-19+10:52:01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUcWsULONsDeXDdnwl28KHWGmrnSG9D3eSbTHIf9QwenG29SlEsGg5DMlLyun0SmPBc05SlBEaFHFX1gpACmeAB89aSWkL59mfnIVCEUHzwhV51eSHsT77CQ-c7YiCVlyxTRxmOhTy4sw9/s1600/Screenshot+from+2014-01-19+10:52:01.png" height="223" width="400" /></a></div>
<br />
<b>Ubuntu 14.04 Trusty Tahr</b> (quangntenemy, 2014-01-12)<br />
<br />
My box was running Ubuntu 12.10 Quantal Quetzal for quite a long time because I was too lazy to upgrade it, so recently I had to go through a hella lot of upgrades to catch up with the latest technologies :P<br />
<br />
The upgrade to 13.04 Raring Ringtail was quite smooth but while I was upgrading to 13.10 Saucy Salamander my laptop was overheating and shut down without a warning (they seriously should give us like 10 seconds to do something first). And that marked the beginning of hell :P<br />
<br />
After powering on, Ubuntu couldn't start because of broken packages, but luckily there was no problem with the kernel and it only took me a bit to play around with the recovery menu to get the packages rebuilt.<br />
<br />
However because the installation was incomplete there were many features missing and since there was no easy way to get them installed I decided to go a bit further to upgrade to the development version 14.04 Trusty Tahr.<br />
<br />
Unsurprisingly, I was caught up in a serious sendmail bug - the installation went into an infinite loop. The bug was said to have been fixed a few months ago, but I don't know for which reason the fix hasn't made it to the Ubuntu repository yet. There was a workaround mentioned in the <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717951">bug report</a>, but the whole thing was a mess, and someone even suggested something as complicated as modifying the installation package. After some time reading all the available solutions, I got it done in a simple way. Just look for update_db in /usr/share/sendmail/ and replace the following lines:<br />
<br />
<code>
str=$(echo "$line" | cut -d "
" -f 1);<br />
line=$(echo "$line" | cut -d "
" -f 2-);</code><br />
<br />
with<br />
<br />
<code>
str=$(echo "$line" | head -n 1);<br />
line=$(echo "$line" | tail -n +2);</code><br />
<br />
and after that do a<br />
<br />
<code>
sudo dpkg --configure -a
</code><br />
<br />
to reconfigure the packages :P<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK47CAecoaVEZVGW6crdbuTWV12trAuqvrLpRi-6IlUa51Zc77UdTajgqbMkUnCyil5DlsIlsgF-WDsU0gVvb1_yzKcRpdU-oG_9kQ555XOaYYs0UZWm4PhvaSnC-YNK-MoKCWMzCOnkhH/s1600/Screenshot+from+2014-01-12+11:09:28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK47CAecoaVEZVGW6crdbuTWV12trAuqvrLpRi-6IlUa51Zc77UdTajgqbMkUnCyil5DlsIlsgF-WDsU0gVvb1_yzKcRpdU-oG_9kQ555XOaYYs0UZWm4PhvaSnC-YNK-MoKCWMzCOnkhH/s1600/Screenshot+from+2014-01-12+11:09:28.png" height="222" width="400" /></a></div>
<br />
The Ubuntu team name their releases after the letters of the alphabet, and they have already reached T. I wonder what will happen in a few years when all are used up :P<br />
<br />
<b>Back.. and a new chall!</b> (quangntenemy, 2013-10-27)<br />
<br />
Maybe some of you haven't noticed it, but I've defeated some of my laziness and am now officially back and kicking :P<br />
<br />
Recently I've solved many challs on <a href="http://www.wechall.net/">WeChall</a> and <a href="http://www.rankk.org/">Rankk</a>, and got some of my ranks back (although <a class="Z54ADFB" href="http://www.rankk.org/user/horst35" title="Geb. 9^1">horst35</a> is a real monster :P)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.wechall.net/graph/wc_rank.quangntenemy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://www.wechall.net/graph/wc_rank.quangntenemy.png" width="400" /></a></div>
Also my new chall is published on WeChall: <a href="http://www.wechall.net/challenge/quangntenemy/QMine/index.php">QMine</a>. It isn't very hard, but so far only <a href="http://www.wechall.net/profile/dloser">dloser</a> has solved it. You should go try it now :P<br />
<br />
Maybe there is a connection between the chall and my crazy version of minesweeper, but probably knowing it will not help much :P<br />
<br />
<b>JMine</b> (quangntenemy, 2013-09-15)<br />
<br />
I tried to defeat <a href="http://www.freewebs.com/quangntenemy/jmine/index.html">my crazy version of minesweeper</a>.. and failed :D<br />
<br />
Wish I had more time now to create more crazy stuff and change the world in the process :P<br />
<br />
PS. There's a bug with the timer but I'm too lazy to fix it :D<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidka7UtsoCqWDGtE4cdqntSbb6QxTqvVX7FOD1t3ICHL4l8gXEr6WuInbUHT2meOm6HGjglWHQhMwtUcKVl1bO8niJqNPi_5EfokNpgJftBwF9j9mPQSnzVP4FZmpdN32jB0AwnlVEE-eP/s1600/jmine.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidka7UtsoCqWDGtE4cdqntSbb6QxTqvVX7FOD1t3ICHL4l8gXEr6WuInbUHT2meOm6HGjglWHQhMwtUcKVl1bO8niJqNPi_5EfokNpgJftBwF9j9mPQSnzVP4FZmpdN32jB0AwnlVEE-eP/s400/jmine.png" width="400" /></a></div>
<br />
<b>One blog to rule them all</b> (quangntenemy, 2012-02-11)<br />
<br />
So apparently I have been creating too many blogs while having no time to keep them updated, and today I have decided to merge some of them together. As a result, you can see how my penguin taming business is going on here from now on.<br />
<br />
Recently, I have successfully managed to install BackTrack 5 R1 to my hard disk without having to burn the installer to DVD or USB (somehow my Lenovo laptop couldn't boot from USB even though I enabled all the relevant BIOS settings). Since BT is based on Ubuntu, I followed <a href="https://help.ubuntu.com/community/Installation/FromLinux">this guide</a> with some necessary changes and boom! mission accomplished!<br />
<br />
Here's a screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU331B5Is-CBp1kIHYG2xRzBuBZzFWqsgKufdH9pZVWPaz_6gA_6XWd71667Ao9O5xm8-KpttROkhNZ4LRe6dFWu5Lmp9bpFceoTEjDnPShwdJcSvBIon3-qFWj-2iwuP3dQ3pbWVZHtUc/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU331B5Is-CBp1kIHYG2xRzBuBZzFWqsgKufdH9pZVWPaz_6gA_6XWd71667Ao9O5xm8-KpttROkhNZ4LRe6dFWu5Lmp9bpFceoTEjDnPShwdJcSvBIon3-qFWj-2iwuP3dQ3pbWVZHtUc/s320/Screenshot.png" width="320" /></a></div>
<br />
I even planned to install Solaris 11 on my comp, but in the end couldn't because there was some conflict with the Linux swap partition which required changes to the entire partition table.<br />
<br />
<b>FreeRice updated</b> (quangntenemy, 2011-09-26)<br />
<br />
Do you still remember the <a href="http://www.freewebs.com/quangntenemy/freerice/index.html">FreeRice bot I wrote years ago</a>?<br /><br />I'm not sure if the bot is still working, but recently I received an email from the <a href="http://www.wfp.org/">United Nations World Food Programme</a> saying that it "has been highly damaging to Freerice and has serious repercussions for the people we help". Below are the three reasons given:<br /><br /><blockquote>- You overload our servers and crash the site, so that real people cannot play and learn. This means less people want to play, and we raise less rice.<br />- You damage our reputation and discourage sponsors from supporting Freerice, making it impossible for us to pay for the rice you raise. This means we cannot provide rice to those who need it most<br />- At times, the bots raise more rice than we can pay for!</blockquote><br />Apparently, <a href="http://www.google.com/#q=freerice+bot">there have been many bots created since then</a> and I wonder if my bot alone can damage the site that much, but for now I have removed the bot from the downloads. If you are a bot author, maybe you should consider doing the same.<br /><br />Statistically, about 40% of the visitors to my site are for the bot. Well, that gotta change now!<br />
<br />
<b>Chess</b> (quangntenemy, 2010-12-04)<br />
<br />
Just a quick update.
I haven't been very active in challenge solving during the past few months. However, I just developed some interest in chess. I am doing pretty well on <a href="http://www.chess.com">chess.com</a> with a rating close to 1700.<br /><br />This is one of my favourite games: <a href="http://www.chess.com/echess/game.html?id=42014101">http://www.chess.com/echess/game.html?id=42014101</a><br /><br />You know what, I found some of the geeks there too. <a href="http://www.chess.com/echess/profile/Caesum">Caesum the alien is playing more than 100 games at the same time</a>, while <a href="http://www.chess.com/echess/profile/TheHiveMind">TheHiveMind with his super chess bot has already reached a rating of 2200+</a>.<br /><br /><a href="http://www.chess.com/echess/game.html?id=42095135">I'm having a duel with Caesum atm, and the game is a bit on my side</a>. Wish me luck!<br />
<br />
<b>Ubuntu Tweak</b> (quangntenemy, 2010-07-28)<br />
<br />
Finally got rid of the stupid pink login screen using <a href="http://ubuntu-tweak.com/">Ubuntu Tweak</a>. What a pain!<br />
<br />
<b>Hacker skills in action</b> (quangntenemy, 2010-07-15)<br />
<br />
Have you ever needed to use your 1337 hacker skills in real life as a non-security professional?<br /><br />I was once given the task of writing a Windows library to connect to a Juniper VPN system. All I was given was just the web interface of the system.
A task that cannot be completed without reverse-engineering skills.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhslMBI4vu8_99fWUJrXy2yk9jQC3liw6vQFNRG5oER_Pvowtwrjr1xO2Kj2iZEXFg3YhvtfPUHJYgR2oVk0sTAGdPQUqVWXhmYIiIhnwued2ISHiLRT3IychBEi1MUWKnym5ews6x3l6wh/s1600/juniper_login.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 320px; height: 165px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhslMBI4vu8_99fWUJrXy2yk9jQC3liw6vQFNRG5oER_Pvowtwrjr1xO2Kj2iZEXFg3YhvtfPUHJYgR2oVk0sTAGdPQUqVWXhmYIiIhnwued2ISHiLRT3IychBEi1MUWKnym5ews6x3l6wh/s320/juniper_login.png" alt="" id="BLOGGER_PHOTO_ID_5494034169693308082" border="0" /></a>Some experiments with the system showed me that the VPN system wasn't too complicated. After the user authorizes himself via the login page, an ActiveX or Java applet will be launched, which will subsequently download and run a Windows application that is responsible for the VPN connection.<br /><br />Authenticating via the login page programmatically to retrieve the cookie for the session was a trivial task. For downloading and running the Windows VPN application, with my 1337 Java skills, I decided that reverse-engineering the Java applet was the way to go. 
After decompiling the applet with Jad, all I needed to do was modify the code to make it run in a "simulated" applet environment, and everything went on smoothly.<br /><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjugjaDzpzdY89vUISiW50bk_cD-BfvY__J2uWtb4dN8t5PUXmv1t338ti2XsguVsHZzrFPr_775qt3fJwkzlHscYuXdQn91d6pTdmMRPSYZC8Xtc8MfhqBWgPriQvw-ird8CYlHBVeig-S/s1600/juniper_vs.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 312px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjugjaDzpzdY89vUISiW50bk_cD-BfvY__J2uWtb4dN8t5PUXmv1t338ti2XsguVsHZzrFPr_775qt3fJwkzlHscYuXdQn91d6pTdmMRPSYZC8Xtc8MfhqBWgPriQvw-ird8CYlHBVeig-S/s400/juniper_vs.png" alt="" id="BLOGGER_PHOTO_ID_5494034268078078242" border="0" /></a><br /><br />

Year 2038 problem - not very far away (2010-05-22)<br /><br />
Maybe some of you have already heard about the <a href="http://en.wikipedia.org/wiki/Year_2038_problem">year 2038 problem</a>, caused by software and systems storing system time as a signed 32-bit integer. I thought it would be quite a while until I'd have to care about it, but it seems that isn't the case.<br /><br />
A little while ago, my Yahoo mailbox was hit by a lot of <a href="http://groups.google.com/group/alt.spam/browse_thread/thread/d27cd4e077247723">spammers sending from the future date of 18th Jan 2038</a>. Back then, I thought it was funny. Spammers always want their spam mails to appear on top by setting the date to the farthest in the future. But this is as far as they can go ;)<br /><br />
However, recently, I have discovered the bug lying in an authentication server by a well-known security company I'm testing.
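The signed 32-bit time field described above, worked through as an added example (not the author's code, nor the vendor's): it derives the last instant such a field can hold, shows how a later certificate expiry is silently wrapped when stored in 32 bits, and gives a check a certificate consumer can run on a notAfter value. The sample expiries are constructed, not taken from any real certificate.

```python
from datetime import datetime, timedelta, timezone
import struct

# Signed 32-bit time_t range: the storage the 2038 problem comes from.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def utc(*ymdhms: int) -> datetime:
    """Build a timezone-aware UTC datetime from year, month, day[, h, m, s]."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def unix_seconds(when: datetime) -> int:
    """Whole seconds since the Unix epoch for a timezone-aware datetime."""
    return int((when - EPOCH).total_seconds())


def time_t32_limit() -> datetime:
    """Last instant a signed 32-bit time_t can hold (2038-01-19 03:14:07 UTC)."""
    return EPOCH + timedelta(seconds=INT32_MAX)


def fits_in_time_t32(when: datetime) -> bool:
    """True if `when` survives a round trip through a signed 32-bit time field."""
    return INT32_MIN <= unix_seconds(when) <= INT32_MAX


def stored_as_time_t32(when: datetime) -> datetime:
    """Simulate a naive store: keep the low 32 bits, reinterpret them as signed."""
    low32 = unix_seconds(when) & 0xFFFFFFFF
    (wrapped,) = struct.unpack("<i", struct.pack("<I", low32))
    return EPOCH + timedelta(seconds=wrapped)


def check_not_after(not_after: datetime) -> dict:
    """Report whether a certificate notAfter is safe for 32-bit consumers.

    An expiry past the limit does not fail loudly: it wraps 2**32 seconds
    (about 136 years) into the past, so the certificate looks long expired.
    """
    return {
        "not_after": not_after.isoformat(),
        "fits_32bit": fits_in_time_t32(not_after),
        "seen_by_32bit_code": stored_as_time_t32(not_after).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample expiries (not values from any real certificate).
    for expiry in (utc(2030, 1, 1), time_t32_limit(),
                   time_t32_limit() + timedelta(seconds=1), utc(2040, 1, 1)):
        print(check_not_after(expiry))
```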
It appears all certificates signed by the server cannot have an expiry date later than 19th Jan 2038. If not discovered early, this could cost us a lot in maintenance fees when the time comes close.<br /><br />
<div style="text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFMFU_bYgolmzs55Ncv-jjmTvzdyGJHTCxyPsD4KljFlPsp_CCIA0siLNu301hV9QhgyWTYsrfL2FgxmKqAWWSgLzVz2WFDxPRVj6xyQSP-WmuNFpIKEN4LllKB1u64eAq-dzzD_pG4Xie/s1600/2038.png"><img style="margin: 0px auto 10px; text-align: center; vertical-align: top; cursor: pointer; width: 320px; height: 97px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFMFU_bYgolmzs55Ncv-jjmTvzdyGJHTCxyPsD4KljFlPsp_CCIA0siLNu301hV9QhgyWTYsrfL2FgxmKqAWWSgLzVz2WFDxPRVj6xyQSP-WmuNFpIKEN4LllKB1u64eAq-dzzD_pG4Xie/s320/2038.png" alt="" id="BLOGGER_PHOTO_ID_5473957306683849394" border="0" /></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyGckZOHWptrQ5HD9jjogoCPr4lqZPFO4eTspq70v9PgTt8mW63EoejbvSNHJlBqICGByuMT3UweM5t5n2ZxRAwbQZWdTfJt_APR8HHyCd7oDAX93ibANyYPekHbfQGdmRfSOq6Buh1RTd/s1600/2038_2.png"><img style="margin: 0px auto 10px; text-align: center; cursor: pointer; width: 275px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyGckZOHWptrQ5HD9jjogoCPr4lqZPFO4eTspq70v9PgTt8mW63EoejbvSNHJlBqICGByuMT3UweM5t5n2ZxRAwbQZWdTfJt_APR8HHyCd7oDAX93ibANyYPekHbfQGdmRfSOq6Buh1RTd/s320/2038_2.png" alt="" id="BLOGGER_PHOTO_ID_5473957489342186338" border="0" /></a></div>
<br /><br />
Mandriva 2010 (2010-05-09)<br /><br />
Although Mandriva 2010 was released a long time ago, I haven't had the time to upgrade until now.<br /><br />
Just like the last
time, I received the message that "the system could not be safely upgraded to Mandriva Linux 2009" (yes, it did say 2009, probably someone overlooked that trivial bit). Nevertheless, as a professional penguin tamer, I decided to take the risk and continued. This time the estimated upgrade time was 5 hours. But in the end it only took about an hour and a half.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUjYvcJk1y2w-q0v5kM8fMv_uMOav2gDcHJGelhZcHdnbLwBmqZxAIlZVcGo-08Ga6mYGIXP-anUl3hJRbb4i65O-zpoAqU33uvhRmWqXupfAnYt4j8CydU0YDAM4b5uot1tpf9LS73qE/s1600/snapshot1.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 200px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUjYvcJk1y2w-q0v5kM8fMv_uMOav2gDcHJGelhZcHdnbLwBmqZxAIlZVcGo-08Ga6mYGIXP-anUl3hJRbb4i65O-zpoAqU33uvhRmWqXupfAnYt4j8CydU0YDAM4b5uot1tpf9LS73qE/s320/snapshot1.png" alt="" id="BLOGGER_PHOTO_ID_5469149445913241906" border="0" /></a><br />
Brilliantly, the new system booted smoothly without any problems. Time to see what this great new system has to offer ;)<br /><br />

Ubuntu 10.04 LTS (2010-05-05)<br /><br />
Ubuntu 10.04 LTS was finally released last week, and I just managed to upgrade it today.
Unlike Mandriva, to upgrade Ubuntu, I needed to use the alternate CD image instead of the normal one.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwChw9yuKURBXwuVcsRhPg-MWO5XCMLAU4kyf6R1Hi3wygTndfMSwA0F5EhanEagyzvgWuX9pE1My7htZC_rWWr8F6VsY4E5xGD4BaAMMjadV8iGpwKVP9LkQFwDSRsTnqissbdNPAYWk/s1600/Screenshot-2.png"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 308px; height: 320px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwChw9yuKURBXwuVcsRhPg-MWO5XCMLAU4kyf6R1Hi3wygTndfMSwA0F5EhanEagyzvgWuX9pE1My7htZC_rWWr8F6VsY4E5xGD4BaAMMjadV8iGpwKVP9LkQFwDSRsTnqissbdNPAYWk/s320/Screenshot-2.png" alt="" id="BLOGGER_PHOTO_ID_5467818742071866994" border="0" /></a>
The upgrade took about an hour, which was actually quite long for such a newly installed system. However, on the bright side, it could be done while the system was running.<br /><br />
The Ubuntu guys boasted about the 10 second startup time. And in fact, my new system booted really fast. I doubt if it's as fast as 10 seconds though :P<br /><br />
There's a very annoying problem with the new Gnome button layout: the minimize, maximize, and close buttons are moved to the top left of the windows, whichever theme you use. A guide to fixing that problem is available here: <a href="http://www.howtogeek.com/howto/13535/move-window-buttons-back-to-the-right-in-ubuntu-10.04/">http://www.howtogeek.com/howto/13535/move-window-buttons-back-to-the-right-in-ubuntu-10.04/</a><br /><br />

Ubuntu (2010-03-15)<br /><br />
So I got a new laptop, and of course I installed another Linux distro on it.
Ubuntu seems to be a very popular one now, so I decided to give it a try.<br /><br />
Gnome seems to have improved a lot since the last time I tried it on Fedora. After some modding it looks quite awesome now ;)<br /><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjFop0NsGI02ylm-vR2JF5Hp3db3OgrrFyNoOnDSPEYi_l-NwIWm0i8zSdgy5a7Wys64Oi2hBjuMswjF9VCCnuFUrlw48yWV9XzD0EREp1K1keMwhaDLjD6Wjf7ny7aO8u179Yfy6P5ys/s1600-h/Screenshot.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 180px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjFop0NsGI02ylm-vR2JF5Hp3db3OgrrFyNoOnDSPEYi_l-NwIWm0i8zSdgy5a7Wys64Oi2hBjuMswjF9VCCnuFUrlw48yWV9XzD0EREp1K1keMwhaDLjD6Wjf7ny7aO8u179Yfy6P5ys/s320/Screenshot.png" alt="" id="BLOGGER_PHOTO_ID_5448886075660103762" border="0" /></a>
Another thing I like about Ubuntu is the free 2GB <a href="https://one.ubuntu.com/files">Ubuntu One</a> space I can use to synchronize and share my data.<br /><br />
Is cloud computing really the way to go?<br /><br />

Some updates (2009-09-19)<br /><br />
So I updated my kernel to 2.6.29.1; however, the computer failed to boot. Probably there were some changes in the system structure. I guess I'll stick with 2.6.27 for a little more.<br /><br />
On the bright side, I have finally managed to find a way to connect to VPN from my Linux box. At first I went through the trouble of installing the <a href="http://projects.tuxx-home.at/?id=cisco_vpn_client">Cisco VPN client for Linux</a>, but no matter how hard I tried it couldn't connect to the gateway. Next I tried <a href="http://www.openvpn.net/">OpenVPN</a>, but it didn't seem to be compatible either.
In the end I tried <a href="http://www.unix-ag.uni-kl.de/%7Emassar/vpnc/">vpnc</a>. It was impossible to get it to work using certificate authentication; however, group authentication worked fine ;)<br /><br />
Now probably there'll be no big changes until Mandriva Linux 2010 comes out!