Codegate 2011 Qual
For this challenge we were given an ASF file with a video of someone driving around in Korea. One of our team members was able to recognize the general area by bus-line number and index information on the road, and from there we used Daum, a Korean street view service, to track the path. Using the coordinates 37.601882, 126.997790, we found the same place in Google Maps and used the ‘What’s here’ function to get the location’s name. The address was the key.
Key: San 15-3, Seongbuk-ku, Seongbuk-dong, Seoul
In this challenge, we suspected there might be a backdoor in the phone. We obtained a clean copy of the Android 2.3.3 framework and compared its md5sum output against the files on the Android image. framework.jar had been modified.
For this challenge, we were given a QR code image. We tried several methods of decoding the QR code but did not have any luck. We assumed that the QR code contained errors of some sort. One of us then, on the off chance, took a screenshot of our desktop displaying the QR code and uploaded it to http://qrcode.good-survey.com/#recover, which was able to recover it and output “cue@1k0de” as the key.
Key: cue@1k0de
For this challenge, we saw that the string "COD" appeared a few times in the binary. After playing with this value, we found that the file was XOR'd with "CODE". After XORing, the output was a PNG file showing the text "HoyTomoSojuOKerosene?", which was the key.
Key: HoyTomoSojuOKerosene?
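The recovery described above can be reproduced with a known-plaintext check against the PNG signature. This is an added example, not the team's original script; the sample bytes are constructed here (a PNG signature plus an IHDR chunk header, not the challenge file) and all function names are hypothetical.

```python
from itertools import cycle

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every PNG file

def xor_repeat(data, key):
    """XOR data with a repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def smallest_period(stream):
    """Return the shortest prefix that, repeated, reproduces stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def recover_key(blob, known=PNG_MAGIC):
    """Known-plaintext recovery: ciphertext XOR expected header = keystream."""
    keystream = bytes(c ^ p for c, p in zip(blob, known))
    return smallest_period(keystream)

# Constructed sample: PNG signature, IHDR length field, chunk type, 1x1 dimensions.
SAMPLE_PLAIN = (PNG_MAGIC + bytes.fromhex("0000000d") + b"IHDR"
                + bytes.fromhex("00000001000000010802000000"))
SAMPLE_CIPHER = xor_repeat(SAMPLE_PLAIN, b"CODE")

if __name__ == "__main__":
    # Zero bytes in the plaintext expose the key directly, hence the "COD" runs.
    print(b"COD" in SAMPLE_CIPHER)
    key = recover_key(SAMPLE_CIPHER)
    print(key, xor_repeat(SAMPLE_CIPHER, key).startswith(PNG_MAGIC))
```

With only 8 known bytes, a repeat can be confirmed for keys of up to 4 bytes; a longer key would need more known plaintext, such as the fixed IHDR length and type fields.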
This challenge was an MBR dump. We disassembled it and did static analysis with IDA Pro. After rebasing the image to 0x7c00 based on the MBR explanation here, we traced the flow and found the key checking algorithm at 7F68.
We wrote Python based on this algorithm:
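    import random

    def check(pw):
        # 16-bit checksum over the first 16 characters of the password
        dx = 0
        for idx in range(0, 16):
            # place the character in the high byte and mix it into the state
            ax = ord(pw[idx])
            ax <<= 8
            ax &= 0xFF00
            dx ^= ax
            for i in range(0, 8):
                # shift left one bit; XOR in 0x1975 when the top bit was set
                shift = ((dx & 0x8000) == 0x8000)
                dx <<= 1
                if shift:
                    dx ^= 0x1975
                dx &= 0xFFFF
        # the comparison against the expected value is not shown here,
        # so the computed 16-bit value is returned
        return dx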
This was a pcap dump with a lot of sessions in it. We used the pcap analysis tool chaosreader to check the traffic. We discovered that a file, H1A1.exe, was being sent. We extracted this file from the dump and ran md5sum on it to produce the key.
Key: 7A5807A5144369965223903CB643C60E
Net200 had two hints about covert channels and XOR. We developed a stream XOR cipher and tried all the strings we saw in Wireshark as the key. ‘127.0.0.1’ ended up being the key and it decrypted the covert channel ICMP reply packets’ data to:
0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 02 00 00 00 00 00 00 00 52 53 43 0e  ............RSC.
0020  1f 7b 43 4b 43 42 1d 59 1e 56 4f 44 4b 1e 42 5d  .{CKCB.Y.VODK.B]
0030  5b 58 1e 5a 48 5a 3b                             [X.ZHZ;

5253430e1f7b434b43421d591e564f444b1e425d5b581e5a485a3b
For this challenge, we noticed that when you first visited the site, it would output a character. If you refreshed the page within a short amount of time, it would say that you couldn't use the same IP, and if you kept trying it would tell you to slow down. We noticed that the site set a PHP session cookie, so we moved the cookie to several boxes with different IPs and curl'ed to get all of the characters until the message "Congraturation! You have succeeded, hint:reverse me :" showed up. Altogether, the message was "Msg:wFTeNtyMklGa".
We ran some file carving tools on the image, such as scalpel and foremost, which extracted many files. Among these were PDF files. Inside the PDF file there was a comment containing a base64 encoded png file. The key was displayed in the image.
Key: 1LOVEP4G3S0NM4C
For this challenge we had a large block of filesystem data. Using foremost we found an image of a notepad that said ‘The Key is:’ but the rest of the image was corrupted.