Here are the write ups of the challenges I passed during DEFCON CTF with my team: little nuns.
Namely this is the GB100 GB300, GB400 and BL100 challenges.
GB100 the answer is the missing character in Hack the world_ a bang: ! This is the name of the TV program the protagonists in the Hackers movie followed IRC. And common quote in the hacking world.
BL100 the frequency distribution showed a substitution cipher (which seemed polyalphabetic at the beginning) was used on the mac.h file. Although the tests suggested a 63 byte password further analysis of the resulting frequency tables showed it was a repeating 1 byte password, the cipher was an xor with the FF or what is the same: the inverse of the actual text which showed the passwords used during login attempts and successful logins. The correct one was supr3m3p0w3r
GB300 I made a small sed based parser to remove the color codes and a haskell program to generate the answer all that wrapped through a nice script, you can download the code to solve GB300. Basically the system showed the user input of three previous challenges, what soon became obvious is that the input was the cipher of a particular position of the square of a particular color (the positions varied randomly with each connection) for example the first digit could be the number at x=2y=3 in the green square, the second the number at x=1y=3 on the red one etc. The other problem is you needed to automate the input since the more answers you gave the faster you should answer the next challenge. In the end after 4 successful guesses (had to run the code a few times since at times the answer was in two or more squares) you got the screen in the aout file. The answer then was the balance: 9238740982570237012935.32
GB400 This was the classical SQL injection challenge, the injectable code was the branch search formulary by ZIP code. I used a slightly modified version of sqlmap (will send the patches to the devs later) since the tool couldn’t work well with servers requiring authentication when the port was different than 80 (the reason is that the password manager is URI based and sqlmap ignored this fact when adding the password). After dumping all the DB you’ll notice there was no Jeff Moss in the DB but that all the accounts balance was $0.00 which was indeed the flag.
Final random thoughts the things involving a conflict with ddtek were discussed privately and the conclusions gotten out of it will also be sent to them privately. Unless they agree in doing so I won’t make any other comments regarding that.
As some of the readers may know I’m looking forward to start a small company providing secure hosting, indeed we had a working prototype of the system during Campus Party used to host amongst other things the Direct Connect server, many ideas crossed my mind, namely:
- Create our own CTF hosted in one of our servers.
- Try to sponsor DDTEK (and maybe other CTF organizers) by providing the infrastructure for hosting the competition with the technologies we are developing.
- Pay DDTEK (or others) to create a CTF as a way to publicize the company and get aspirants to be hired in the company.
Which one will happen, if any, it is yet to be seen and only time will tell.