Reverse-Engineering Android APK 1[binary][100]

SECCON 2015 – CTF [Jeopardy]

Reverse-Engineering Android APK 1 [binary] – 100 pts

Description of the challenge

Please win 1000 times in rock-paper-scissors
rps.apk

How do we solve it?

We download the apk and extract it :

~/Bureau/resapk » ls
AndroidManifest.xml  META-INF  classes.dex  lib  res  resources.arsc

Then we convert classes.dex to a jar (for example with dex2jar), open it with JD-GUI and read the MainActivity source code :

private final Runnable showMessageTask = new Runnable()
{
  public void run()
  {
    TextView localTextView = (TextView)MainActivity.this.findViewById(2131492946);
    MainActivity localMainActivity;
    if (MainActivity.this.n - MainActivity.this.m == 1)
    {
      localMainActivity = MainActivity.this;
      localMainActivity.cnt += 1;
      localTextView.setText("WIN! +" + String.valueOf(MainActivity.this.cnt));
    }
    while (true)
    {
      if (1000 == MainActivity.this.cnt)
        localTextView.setText("SECCON{" + String.valueOf((MainActivity.this.cnt + MainActivity.this.calc()) * 107) + "}");
      MainActivity.this.flag = 0;
      return;
      if (MainActivity.this.m - MainActivity.this.n == 1)
      {
        MainActivity.this.cnt = 0;
        localTextView.setText("LOSE +0");
      }
      else if (MainActivity.this.m == MainActivity.this.n)
      {
        localTextView.setText("DRAW +" + String.valueOf(MainActivity.this.cnt));
      }
      else if (MainActivity.this.m < MainActivity.this.n)
      {
        MainActivity.this.cnt = 0;
        localTextView.setText("LOSE +0");
      }
      else
      {
        localMainActivity = MainActivity.this;
        localMainActivity.cnt += 1;
        localTextView.setText("WIN! +" + String.valueOf(MainActivity.this.cnt));
      }
    }
  }
};

static
{
  System.loadLibrary("calc");
}

The interesting part is when the player has won 1000 times :

  if (1000 == MainActivity.this.cnt)
    localTextView.setText("SECCON{" + String.valueOf((MainActivity.this.cnt + MainActivity.this.calc()) * 107) + "}");

The flag is "SECCON{" + (cnt + calc()) * 107 + "}", and cnt is 1000 when this branch is taken.

We just have to find the result of the calc() function.

In the source code we can see :

  static
  {
    System.loadLibrary("calc");
  }

so calc() is a native method implemented in an external library. We open "libcalc.so" from the "lib" folder in IDA and find the function "Java_com_example_seccon2015_rock_1paper_1scissors_MainActivity_calc" (the JNI name of MainActivity.calc in package com.example.seccon2015.rock_paper_scissors; JNI encodes an underscore in a Java name as "_1", which is why rock_paper_scissors appears as rock_1paper_1scissors) :

screenshot

The calc function simply returns the integer 7.
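Finding the native function above relies on knowing how the JVM maps a Java method to a symbol name in the shared library. The script below, which is an added example and not part of the original write-up, implements the JNI mangling rules (the "Resolving Native Method Names" section of the JNI specification) in both directions, so the symbol seen in IDA can be derived from the decompiled class name and vice versa. The function names (jni_mangle, jni_symbol, jni_demangle) are my own; the class and method names used are the ones from this challenge.

```python
# JNI symbol name mangling, both directions. Added example, not part of the
# original write-up. The rules are those of the JNI specification:
#   '/' (package separator)  -> '_'
#   '_'                      -> '_1'
#   ';'                      -> '_2'
#   '['                      -> '_3'
#   any other non-ASCII-alphanumeric character -> '_0xxxx' (lowercase hex)
# Overloaded natives get '__' followed by the mangled argument descriptor.


def jni_mangle(name):
    """Escape one component: a fully-qualified class with '/' separators,
    a method name, or an argument descriptor."""
    out = []
    for ch in name:
        if ch == "/":
            out.append("_")
        elif ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol(fq_class, method, descriptor=None):
    """Java_<mangled class>_<mangled method>[__<mangled descriptor>].
    fq_class uses dots (as in a decompiler); the descriptor is only needed
    when the native method is overloaded."""
    sym = "Java_" + jni_mangle(fq_class.replace(".", "/")) + "_" + jni_mangle(method)
    if descriptor is not None:
        sym += "__" + jni_mangle(descriptor)
    return sym


def jni_demangle(symbol):
    """Inverse of jni_symbol for non-overloaded symbols: returns
    (dotted class name, method name). Raises ValueError on an overloaded
    symbol ('__' marker) or a name that is not a JNI symbol."""
    if not symbol.startswith("Java_"):
        raise ValueError("not a JNI symbol: %r" % symbol)
    body = symbol[len("Java_"):]
    parts, i = [], 0
    while i < len(body):
        if body[i] != "_":
            parts.append(body[i])
            i += 1
        elif body.startswith("_1", i):
            parts.append("_")
            i += 2
        elif body.startswith("_2", i):
            parts.append(";")
            i += 2
        elif body.startswith("_3", i):
            parts.append("[")
            i += 2
        elif body.startswith("_0", i):
            parts.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
        else:
            parts.append("/")       # a bare '_' is a package/class separator
            i += 1
    path = "".join(parts)
    if "//" in path:
        raise ValueError("overloaded symbol (has a '__' descriptor part): %r" % symbol)
    cls, _, method = path.rpartition("/")
    if not cls or not method:
        raise ValueError("cannot split class and method in %r" % symbol)
    return cls.replace("/", "."), method


if __name__ == "__main__":
    cls = "com.example.seccon2015.rock_paper_scissors.MainActivity"
    print(jni_symbol(cls, "calc"))
    print(jni_demangle("Java_com_example_seccon2015_rock_1paper_1scissors_MainActivity_calc"))
```

In practice the demangler is the direction that matters when reading a stripped library: list the exported Java_* symbols and map each back to the Java method it implements, which tells you which decompiled call sites reach native code.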

So the flag is "SECCON{" + (cnt + calc()) * 107 + "}" with

cnt = 1000 , calc() = 7

(1000 + 7) * 107 = 107749

The flag is "SECCON{107749}"

[SECCON2015]Connect the server[web/network][100]

SECCON 2015 – CTF [Jeopardy]

Connect the server [Web/Network] – 100 pts

Description of the challenge

login.pwn.seccon.jp:10000

How do we solve it?

We try to connect to the server with netcat :

~ » nc login.pwn.seccon.jp 10000                          
CONNECT 300

Welcome to SECCON server.

The server is connected via slow dial-up connection.
Please be patient, and do not brute-force.
 
login: root

Sorry, the account is unavailable.

Good bye.

Then we try to open the server in the browser at http://login.pwn.seccon.jp:10000 ; we wait a few seconds and the webpage appears :

screenshot

Done , the flag is : SECCON{Sometimes_what_you_see_is_NOT_what_you_get}

[SECCON2015]Start SECCON CTF[Exercises][50]

SECCON 2015 – CTF [Jeopardy]

Start SECCON CTF [Exercises] – 50 pts

Description of the challenge

ex1
Cipher:PXFR}QIVTMSZCNDKUWAGJB{LHYEO
Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ{}

ex2
Cipher:EV}ZZD{DWZRA}FFDNFGQO
Plain: {HELLOWORLDSECCONCTF}

quiz
Cipher:A}FFDNEVPFSGV}KZPN}GO
Plain: ?????????????????????

There is no bonus in this question

How do we solve it?

Well, just match each cipher symbol to its plaintext letter using the ex1 alphabet pair (ex2 confirms the mapping).

Cipher:A}FFDNEVPFSGV}KZPN}GO
 Plain:SECCON{HACKTHEPLANET}

[SECCON2015][Last Challenge (Thank you for playing)][Exercises][50]

SECCON 2015 – CTF [Jeopardy]

Last Challenge (Thank you for playing) [Exercises] – 50 pts

Description of the challenge

ex1
Cipher:PXFR}QIVTMSZCNDKUWAGJB{LHYEO
Plain:ABCDEFGHIJKLMNOPQRSTUVWXYZ{}

ex2
Cipher:EV}ZZD{DWZRA}FFDNFGQO
Plain:{HELLOWORLDSECCONCTF}

quiz
Cipher:A}FFDNEA}}HDJN}LGH}PWO
Plain:??????????????????????

There is no bonus in this question

How do we solve it?

Well, just match each cipher symbol to its plaintext letter using the same ex1 alphabet pair.

Cipher:A}FFDNEA}}HDJN}LGH}PWO
 Plain:SECCON{SEEYOUNEXTYEAR}
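Both of these exercises ("Start SECCON CTF" and "Last Challenge") use the same monoalphabetic substitution, given as an aligned cipher/plain alphabet pair. The script below is an added example, not part of the original write-up: it builds the two lookup tables from the ex1 pair, refuses an alphabet pair that is not a bijection, checks the tables against the ex2 pair before trusting them, and then decodes both quiz lines. All strings are the challenge's own; the function names are mine.

```python
# Monoalphabetic substitution from a known alphabet pair.
# Added example, not part of the original write-up.

CIPHER_ALPHABET = "PXFR}QIVTMSZCNDKUWAGJB{LHYEO"   # ex1 "Cipher:" line
PLAIN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"    # ex1 "Plain:" line


def build_tables(cipher_alpha, plain_alpha):
    """Return (decode_table, encode_table) from an aligned alphabet pair.

    Both alphabets must have the same length and no repeated symbol,
    otherwise the substitution is not a bijection and decoding is ambiguous.
    """
    if len(cipher_alpha) != len(plain_alpha):
        raise ValueError("alphabets differ in length")
    if len(set(cipher_alpha)) != len(cipher_alpha):
        raise ValueError("cipher alphabet has a repeated symbol")
    if len(set(plain_alpha)) != len(plain_alpha):
        raise ValueError("plain alphabet has a repeated symbol")
    return dict(zip(cipher_alpha, plain_alpha)), dict(zip(plain_alpha, cipher_alpha))


def substitute(text, table):
    """Map every symbol of text through table; an unknown symbol is an error
    rather than being silently passed through."""
    try:
        return "".join(table[ch] for ch in text)
    except KeyError as e:
        raise ValueError("symbol %r is not in the alphabet" % e.args[0])


DECODE, ENCODE = build_tables(CIPHER_ALPHABET, PLAIN_ALPHABET)


def decode(ciphertext):
    return substitute(ciphertext, DECODE)


def encode(plaintext):
    return substitute(plaintext, ENCODE)


def solve(known_cipher, known_plain, quiz_cipher):
    """Decode a quiz line, but only after the tables reproduce a known pair
    (ex2 here); a wrong alphabet pair then fails loudly instead of producing
    plausible-looking garbage."""
    if encode(known_plain) != known_cipher:
        raise ValueError("tables do not reproduce the known pair")
    return decode(quiz_cipher)


if __name__ == "__main__":
    ex2_cipher, ex2_plain = "EV}ZZD{DWZRA}FFDNFGQO", "{HELLOWORLDSECCONCTF}"
    for quiz in ("A}FFDNEVPFSGV}KZPN}GO", "A}FFDNEA}}HDJN}LGH}PWO"):
        print(quiz, "->", solve(ex2_cipher, ex2_plain, quiz))
```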

[SECCON2015][Command-Line Quiz][Unknown][100]

SECCON 2015 – CTF [Jeopardy]

Command-Line Quiz [Unknown] – 100 pts

Description of the challenge

telnet caitsith.pwn.seccon.jp
User:root
Password:seccon
The goal is to find the flag word by “somehow” reading all *.txt files.

How do we solve it?
  1. Log in using the credentials given in the description.
  2. Type the " ls " command to discover which files and directories are there.
  3. Answer the five quizzes (stage1.txt to stage5.txt), then read flags.txt (see below).
Open your favorite terminal and type : telnet caitsith.pwn.seccon.jp
Trying 153.120.171.19...
Connected to caitsith.pwn.seccon.jp.
Escape character is '^]'.

CaitSith login: root
Password: 
$ ls
bin         flags.txt   linuxrc     stage1.txt  stage4.txt  usr
dev         init        proc        stage2.txt  stage5.txt
etc         lib         sbin        stage3.txt  tmp

$ strings stage1.txt
What command do you use when you want to read only top lines of a text file? Set your answer to environment variable named stage1 and execute a shell.
  $ stage1=$your_answer_here sh
If your answer is what I meant, you will be able to access stage2.txt file.

$ stage1=head sh

$ strings stage2.txt
What command do you use when you want to read only bottom lines of a text file? Set your answer to environment variable named stage2 and execute a shell.
  $ stage2=$your_answer_here sh
If your answer is what I meant, you will be able to access stage3.txt file.

$ stage2=tail sh

$ strings stage3.txt
What command do you use when you want to pick up lines that match specific patterns? Set your answer to environment variable named stage3 and execute a shell.
  $ stage3=$your_answer_here sh
If your answer is what I meant, you will be able to access stage4.txt file.

$ stage3=grep sh

$ strings stage4.txt
What command do you use when you want to process a text file? Set your answer to environment variable named stage4 and execute a shell.
  $ stage4=$your_answer_here sh
If your answer is what I meant, you will be able to access stage5.txt file.

$ stage4=awk sh

$ strings stage5.txt
OK. You reached the final stage. The flag word is in flags.txt file. flags.txt can be read by only one specific program which is available in this server. The program for reading flags.txt is one of commands you can use for processing a text file. Please find it. Good luck. 😉

$ awk 'NR>=0&&NR<=10' "flags.txt"
awk: flags.txt: Operation not permitted
$ sed -n '10,20p' flags.txt
$ sed -n '0,10p' flags.txt 
$ sed -n '0,1000000p' flags.txt
$ sed 'somehow' flags.txt
sed: unmatched 'o'
$ sed 's' flags.txt      
sed: bad format in substitution expression

awk is denied outright ("Operation not permitted") and the sed -n attempts print nothing. The login banner "CaitSith" hints at the mechanism: CaitSith is a Linux mandatory-access-control module, and the policy here lets only one program read flags.txt. A plain sed script without -n, which echoes every input line, finally reads the file:
$ sed '/(somehow)+/g' flags.txt
OK. You have read all .txt files. The flag word is shown below.

SECCON{CaitSith@AQUA}

[HackDatKiwiCtf]Phone lock 1[web][50]

This challenge is part of the web category of the hack-dat-kiwi CTF.

Here is the page shown when the challenge is selected :

screenshot

So we have to find the code to enter to unlock the phone.

Looking at the page source, I see there is a JavaScript script :

<script>
result="";
tries=0;
locked=false;
salt="f0bc0d06f79595c0e0e1a0419ade8e3c";
valid="ab575fb21e68d5321b259fd48c52dc66";
//md5(salt+answer)

function buttonClick(e)
{
	if (locked) return false;
	var t=$("#result");
	t.val(t.val()+"X");
	result+=e.target.text;
	if (t.val().length>=4)
	{
		if (md5(salt+result)==valid)
		{
			alert("Flag is: "+md5(salt+result+result));
		}
		else
		{
			locked=true;
			$("#resultHolder").effect("shake",
				{ times:tries }, tries*100,function(){
				t.val("");
				result="";
				tries++;
				locked=false;
			});
		}
	}
}
$(function(){
	document.onclick = function(evt) {
		if (window.getSelection)
			window.getSelection().removeAllRanges();
		else if (document.selection)
			document.selection.empty();
	}

	$("#pad .button").bind("click",buttonClick);
});

</script>

The check is entirely client-side: the page ships the salt and md5(salt + answer), and the pad takes four digits, so the whole space is 10^4 codes. The shake-and-lock effect only slows down someone typing on the keypad; it does nothing against an offline attack. I therefore write a Python script that brute-forces every four-digit code (0000 to 9999; a four-digit code may start with a zero, so stopping at 1000-9999 would miss some):

#!/usr/bin/env python3
import hashlib

salt = "f0bc0d06f79595c0e0e1a0419ade8e3c"
valid = "ab575fb21e68d5321b259fd48c52dc66"

# Try every four-digit code, zero-padded, against md5(salt + code).
for i in range(10000):
    code = "%04d" % i
    if hashlib.md5((salt + code).encode()).hexdigest() == valid:
        print("ok : " + code)
        # the page's JS shows md5(salt + result + result) as the flag
        print("flag : " + hashlib.md5((salt + code + code).encode()).hexdigest())
        break

Running the script prints "ok : 8423".

All that is left is to type it on the phone keypad of the web page and we get the flag.

 

[HackDatKiwiCTF]Vigenere[crypto][100]

[write-up][CRYPTO] Vigenere 100

This challenge was part of the Hack-Dat-Kiwi CTF, in the cryptography category, and was worth 100 points.

Clicking on the challenge opens a page that lets us encrypt a text of our choice without knowing the key.

The flag is simply the key the web page uses to encrypt our text.

I decide to encrypt "ASCOPECTF" and get "KAYWZMMBB".

To encrypt one character with the Vigenère cipher (letters numbered A = 0 to Z = 25), the following formula is used :

$C_n = (P_n + K_n) \bmod 26$

where $C_n$ is the ciphertext character, $P_n$ the plaintext character and $K_n$ the key character at position $n$.

So to recover character $n$ of the key we use :

$K_n = (C_n - P_n) \bmod 26$

So I write a Python script to recover the key from the plaintext and the ciphertext obtained above :

#!/usr/bin/env python3

def findkey(cyphertext, plaintext):
    # K_n = (C_n - P_n) mod 26, then back to a letter A-Z
    key = []
    for i in range(len(plaintext)):
        key.append((ord(cyphertext[i]) - ord(plaintext[i])) % 26)
        key[i] = chr(key[i] + ord('A'))
    print("".join(key))

findkey("KAYWZMMBB", "ASCOPECTF")

This prints "KIWIKIKIW" (one key character per plaintext character). Since the key repeats under Vigenère, "KIWIKIKIW" is "KIWIKI" followed by the start of its second repetition, so the key is "KIWIKI". With only nine known characters a longer key beginning with the same letters cannot be formally excluded; encrypting a longer text through the page would confirm the period.
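The script above recovers the key stream for one pair; the block below is an added example, not part of the original write-up, that generalises it: it encrypts and decrypts with a repeating key, recovers the key stream from any known plaintext/ciphertext pair, finds the shortest period of that stream, and reports whether the known text was long enough (at least two periods) to actually confirm the key rather than just a prefix of it. Only A-Z is handled, as in the challenge; the function names and the longer constructed plaintext are my own.

```python
# Vigenere with a known plaintext: key stream, period, and whether the key is
# confirmed. Added example, not part of the original write-up.
import string

ALPHA = string.ascii_uppercase


def _num(ch):
    """A-Z -> 0-25; anything else is rejected rather than silently skipped."""
    if ch not in ALPHA:
        raise ValueError("only A-Z is supported, got %r" % ch)
    return ALPHA.index(ch)


def vigenere_encrypt(plaintext, key):
    """C_n = (P_n + K_(n mod len(key))) mod 26."""
    if not key:
        raise ValueError("empty key")
    return "".join(ALPHA[(_num(p) + _num(key[i % len(key)])) % 26]
                   for i, p in enumerate(plaintext))


def vigenere_decrypt(ciphertext, key):
    """P_n = (C_n - K_(n mod len(key))) mod 26."""
    if not key:
        raise ValueError("empty key")
    return "".join(ALPHA[(_num(c) - _num(key[i % len(key)])) % 26]
                   for i, c in enumerate(ciphertext))


def key_stream(ciphertext, plaintext):
    """K_n = (C_n - P_n) mod 26 at every position of a known plaintext."""
    if not plaintext or len(ciphertext) != len(plaintext):
        raise ValueError("need a non-empty pair of equal length")
    return "".join(ALPHA[(_num(c) - _num(p)) % 26]
                   for c, p in zip(ciphertext, plaintext))


def shortest_period(stream):
    """Smallest p such that stream[i] == stream[i - p] for every i >= p;
    falls back to len(stream) when no repetition is visible."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext, plaintext):
    """Return (key, confirmed). confirmed is True only when the known text is
    at least two periods long, i.e. the repetition was really observed; with
    less text a longer key starting with the same letters is still possible."""
    stream = key_stream(ciphertext, plaintext)
    p = shortest_period(stream)
    return stream[:p], len(stream) >= 2 * p


if __name__ == "__main__":
    # the write-up's pair: 9 characters, period 6 is seen but not confirmed
    print(recover_key("KAYWZMMBB", "ASCOPECTF"))
    # a longer chosen plaintext through the same encryption confirms it
    longer = "ASCOPECTFASCOPECTF"          # constructed input
    print(recover_key(vigenere_encrypt(longer, "KIWIKI"), longer))
```

The point of the confirmed flag is the practitioner's check: a chosen-plaintext oracle like this page breaks Vigenère outright, but a single short sample only pins down as many key letters as you fed it, so submit (or encrypt) at least twice the suspected key length before trusting the period.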