Friday, June 17, 2011

Hack in the Box Amsterdam 2011 CTF

May 19th-20th was the Hack in the Box Amsterdam 2011 security conference in the Netherlands, which also hosted a CTF. To participate, you had to pass one of the two qualification rounds, which involved web security and reverse engineering.

We passed the qualifications with team CoP, so I went there with teammate sh4ka to play, and we were lucky enough to finish in first place. Congrats to all teams, it was intense! In addition to a nice HITBSecNews jacket, the staff generously awarded us two training and conference tickets to HITB Kuala Lumpur (Malaysia) 2011. So, see you there :)

final scoreboard

Since HITB AMS CTF crew (DrWhax, bl4sty, DipSwitch and more) came up with pretty good challenges, I figured I should mirror them and give a little summary.

Challenges were opened little by little, and in the end this is what our board looked like:

challenges board at the end of the CTF

There were 8 categories: binaries, lock picking (awesome!), quiz (= trivia), server (=get root on a Virtual Machine), stegano, troll forensics, video (which was crypto) and web.

Binaries

There were four binary challenges:
  1. Faces of LOL (350 pts): Linux ELF32 binary involving a virtual machine, by blasty. I wrote a disassembler to see what the four stages were doing; it was then easy to deduce the expected inputs to retrieve the flag.
  2. Fun with hashing (200 pts): Windows PE32 binary involving a "hashing" function, which turned out to be just an invertible encoding. Reverse engineer the program to get the encode function, then write the decode function to get the flag from the given "hash".
  3. Like Floating Points?! (150 pts): Linux ELF32 binary by DipSwitch. You had to match a few conditions (args, files on disk) to enter a different exit path, nop the unavoidable division by 0 and get the flag.
  4. Hashish (150 pts): Linux ELF32 binary computing the salted SHA-1 of its first argument and expecting a predefined hash. The goal is to find the proper input, the flag being its MD5. We used hashcat to brute force the salted SHA-1 and quickly got the flag.

Lock picking

The CTF crew had the good idea to come up with a lock picking challenge (200 pts) with the guys from Toool, The Open Organisation Of Lockpickers. We were asked to pick two locks, after a demonstration by a Toool member and using their powerful tools (which did all the work for us). It was more an opportunity to discover lock picking, practice and discuss with Toool members than a difficult challenge. Yet some teams did not take the time to try, thinking it would be too hard because they had no idea how to pick a lock. But that was not a problem, since they explained everything. Anyway, thanks for the entertainment, it was a fun challenge!

Quiz

There were some quiz/trivia questions, worth few points compared to the other challenges. We spent (wasted!) quite a lot of time on them, which was rather annoying since they were mostly guessing, Google-fu, etc. But well, at least when you do not know what to do, you can spend some time on those.

Quiz questions (10):
  1. Newton on a killing spree (50 pts)
  2. To fold or not to fold (50 pts)
  3. Lost in translation (40 pts)
  4. Smells like summer (40 pts)
  5. Catch me if you can (30 pts)
  6. Pope phone home (20 pts)
  7. What are the odds (20 pts)
  8. Let's take a dip! (20 pts)
  9. The bridge (20 pts)
  10. Look at me! I'm in 3D (20 pts)

Server

They also had a few virtual machines running that we had to root. Each started with classic network recon of the available services; then we had to identify a vulnerable service and exploit it to get a shell, and finally escalate our privileges to root in order to read the flag in the /root directory.

  1. Know your roots (250 pts): we were supposed to exploit a known vulnerable Cacti setup. Unfortunately they had some issues with the setup, so they finally gave us a shell account. The server was a FreeBSD 8.0-RELEASE vulnerable to the LD_PRELOAD bug, so we simply used Kingcope's local root exploit to escalate our privileges and read the flag.
  2. 2012 the end is near (250 pts): the server was an Ubuntu and got rooted pretty quickly by sh4ka. I do not remember what it was about.
  3. DrWhax's VM, but he set it up 15 minutes before the end, so we did not have time to look at it, unfortunately. :(

Stegano

There was one steganography challenge (300 pts), and I do not think anyone solved it.

Troll forensics

Three forensics challenges:
  1. Extract me! (150 pts): we were given a 20 MB file built like Russian nesting dolls, involving the zip, bzip2, gzip and tar archive formats. A script and 15 minutes later (20 MB initially!), you had the flag.
  2. Damn you clowns (150 pts): ASCII art text to decode in order to get the flag.
  3. iClown Numbering System (150 pts): you start with a strange text, which turns out to be a special encoding of 1s and 0s. Once decoded, it gives you a 64-bit Mach-O file. Reversing it reveals a simple XOR cipher, with message and key both in the binary.
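The nesting-doll extraction in "Extract me!" comes down to identifying each layer by its magic bytes and peeling it off until plain data remains. The script below is an added example, not the author's own solver; it builds its own constructed sample file, and the layer and size limits are the guard a forensic unpacker wants against a decompression bomb dressed up as a nesting doll.

```python
import bz2, gzip, io, tarfile, zipfile
# Magic bytes for three of the four formats; tar is recognised by "ustar" at offset 257.
MAGICS = {b"BZh": "bzip2", b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}
DECOMPRESS = {"bzip2": bz2.decompress, "gzip": gzip.decompress}

def detect(data):
    """Return the name of the outermost archive layer, or None for plain data."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    if len(data) > 262 and data[257:262] == b"ustar":
        return "tar"
    return None

def unwrap_once(data):
    """Strip exactly one layer; zip and tar layers must hold a single file member."""
    kind = detect(data)
    if kind in DECOMPRESS:
        return DECOMPRESS[kind](data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            (name,) = zf.namelist()  # unpacking fails loudly if not exactly one member
            return zf.read(name)
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            (member,) = [m for m in tf.getmembers() if m.isfile()]
            return tf.extractfile(member).read()
    raise ValueError("not a supported archive layer")

def unwrap_all(data, max_layers=2000, max_size=256 * 2**20):
    """Peel layers until plain data remains; the limits stop a decompression bomb."""
    layers = []
    while (kind := detect(data)) is not None:
        if len(layers) >= max_layers or len(data) > max_size:
            raise RuntimeError("layer count or size limit exceeded")
        data = unwrap_once(data)
        layers.append(kind)
    return data, layers

def build_sample(payload):
    """Constructed test input: payload -> tar -> gzip -> zip -> bzip2 (outermost)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("layer.gz", gzip.compress(tar_buf.getvalue()))
    return bz2.compress(zip_buf.getvalue())
```

Running `unwrap_all(build_sample(b"HITB{constructed_flag}"))` returns the payload together with the layer list `["bzip2", "zip", "gzip", "tar"]`, outermost first.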

Video (crypto)

A single "video" challenge named "they put a man on the moon" (300 pts), containing a video stream and a subtitle stream. The subtitles were 6 series of 32 hex bytes, but we were not able to find out what it was about. After the CTF, we learned it was a Blowfish ciphertext. I have no idea how we were supposed to guess that, nor guess the key, but still some teams managed to get it.

Web

Only one web challenge, named kLOWN Identification System (150 pts): a dynamic web page where you had to copy a number very quickly (< 2 secs) into an input box and submit the form. Infeasible manually, so the idea was to reverse the obfuscated JavaScript, see how it changed with the value the server kept changing, and send the number back. Fun thing: once you had written the program to solve the challenge, the server would not accept your answer because "you are a computer". The trick was to put a small sleep before sending the answer.


HITB Amsterdam 2011 CTF was real fun. Congrats to all teams, and thanks again to the CTF staff and the HITB crew for organizing such a great event. How great? Check out the photos!

Comments

  1. For the video challenge, you could extract the subtitle track from the mkv file using mkvtools. Then extract just the hex values from the file. There were two indications about the cipher type:
    1. in the description, the word blow was written in capital letters.
    2. if you looked at the hex carefully you could see that there was a repetition, which indicated that the cipher was a block cipher and that there was repeated text in the plaintext (since you had the same cryptogram for the block).
    The password was relatively easy to find.
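The commenter's second hint, identical cryptogram blocks revealing both a block cipher and repeated plaintext, is the classic ECB detection check, and it also gives away the block size (8 bytes for Blowfish or DES, 16 for AES). The code below is an added example, not part of the comment or the original post; it runs on a constructed set of six 32-byte hex lines mimicking the subtitle format, and a real Blowfish ciphertext would be analysed the same way.

```python
from collections import Counter

# Constructed sample: six lines of 32 hex bytes each, as in the challenge description.
# Eight distinct 8-byte blocks reused across lines stand in for ECB-encrypted repeated plaintext.
A, B, C, D = "0a1b2c3d4e5f6071", "8899aabbccddeeff", "1122334455667788", "deadbeefcafef00d"
E, F, G, H = "0123456789abcdef", "fedcba9876543210", "13579bdf02468ace", "c0ffee1234567890"
SAMPLE_LINES = [A + B + A + C, D + E + F + G, B + H + D + A, E + F + C + G, H + A + B + D, C + E + G + F]

def split_blocks(data, size):
    """Cut data into whole blocks of `size` bytes; a trailing partial block is dropped."""
    return [data[i:i + size] for i in range(0, len(data) - len(data) % size, size)]

def repeated_blocks(hex_lines, size):
    """Map each ciphertext block that occurs more than once (across all lines) to its count."""
    counts = Counter()
    for line in hex_lines:
        counts.update(split_blocks(bytes.fromhex(line), size))
    return {blk: n for blk, n in counts.items() if n > 1}

def guess_block_size(hex_lines, candidates=(8, 16)):
    """Score each candidate block size by the fraction of blocks that are repeats.
    Repeats at 8 bytes point to a 64-bit block cipher (Blowfish, DES, ...) in ECB mode,
    repeats at 16 bytes to a 128-bit one (AES); a properly chained mode shows none.
    Returns (best_size, repeated_blocks_at_that_size); best_size is None when nothing repeats."""
    best_size, best_score, best_reps = None, 0.0, {}
    for size in candidates:
        total = sum(len(bytes.fromhex(line)) // size for line in hex_lines)
        reps = repeated_blocks(hex_lines, size)
        score = sum(n - 1 for n in reps.values()) / total if total else 0.0
        if score > best_score:
            best_size, best_score, best_reps = size, score, reps
    return best_size, best_reps
```

On the sample, `guess_block_size(SAMPLE_LINES)` picks an 8-byte block size and reports eight repeated blocks, while no 16-byte block repeats at all.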


  2. Nice writeup guys! Good job on my little VM! I wanted to make the actual vm programs a bit more complicated but I was afraid nobody would pull it off then. I wrote a custom assembler for easily putting these together .. I can share the (icky, PHP) code if anyone is interested.

    Shame on us for not having any CTF material online yet.. :)

    -- blasty

  3. Lock picking is a great sport. Just bought a lockpick set on great stuff