Saturday, May 29, 2010

Defcon 18 CTF quals writeup - Forensics 100

Forensics 100 was simple forensics but still with some traps.

Description: find the key. They gave us the following file, which turned out to be a gzipped raw disk image.

First analysis

After extracting it, the file command recognizes a raw disk image:
$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin:    x86 boot sector; partition 1: ID=0x7, starthead 0,
  startsector 31, 31558 sectors
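What `file` prints here is a summary of the MBR partition table in sector 0. The following is an added example, not code from the original writeup: it parses the four 16-byte partition entries, and turns the start sector into the byte offset one needs to mount or carve the partition. The sector 0 it works on is constructed with the values `file` reported (type 0x07, start head 0, start sector 31, 31558 sectors); it is not the challenge file, and the mount point is an assumed path.

```python
"""Parse the MBR partition table that `file` summarises for a raw disk image.

Added example (not from the original writeup). Decodes the partition
entries at offset 446 of sector 0 and derives the byte offset of each
partition. The boot sector below is constructed with the values `file`
reported on the challenge image; it is not the challenge file itself.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446              # partition table follows the boot code
SIGNATURE = b"\x55\xAA"         # boot sector signature at bytes 510-511
# Partition type IDs relevant here (0x07 is what `file` printed).
TYPE_NAMES = {0x07: "HPFS/NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(sector0):
    """Return the non-empty partition entries of an MBR as dicts."""
    if len(sector0) < SECTOR or sector0[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not an MBR boot sector")
    parts = []
    for i in range(4):
        entry = sector0[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (head, then 2 bytes sector/cylinder, skipped),
        # type, CHS end (3 bytes, skipped), LBA start, sector count
        status, head, type_id, lba, count = struct.unpack("<BB2xB3xII", entry)
        if type_id == 0:
            continue                        # unused slot
        parts.append({
            "index": i + 1,
            "bootable": bool(status & 0x80),
            "start_head": head,
            "type": type_id,
            "type_name": TYPE_NAMES.get(type_id, "unknown"),
            "start_sector": lba,
            "sectors": count,
            "offset_bytes": lba * SECTOR,   # what mount -o offset= needs
            "size_bytes": count * SECTOR,
        })
    return parts


def mount_command(part, image, mountpoint="/mnt/f100"):
    """Read-only loop mount at the partition's byte offset (assumed mount point)."""
    return "mount -o ro,loop,offset=%d %s %s" % (part["offset_bytes"], image, mountpoint)


def build_sample_mbr(type_id=0x07, start_head=0, start_sector=31, sectors=31558):
    """Constructed sector 0 carrying a single partition entry (for the demo)."""
    sector0 = bytearray(SECTOR)
    entry = struct.pack("<BB2xB3xII", 0x00, start_head, type_id, start_sector, sectors)
    sector0[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    sector0[510:512] = SIGNATURE
    return bytes(sector0)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print("partition %(index)d: type 0x%(type)02X (%(type_name)s), "
              "start sector %(start_sector)d, %(sectors)d sectors, "
              "byte offset %(offset_bytes)d" % p)
        print(mount_command(p, "f100_6db079ca91c4860f.bin"))
```

With the reported values the partition starts at byte 15872 (31 sectors of 512 bytes); mounting read-only at that offset, or carving it with dd using the same offset and sector count, keeps the evidence image untouched.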

Thursday, May 27, 2010

Defcon 18 CTF quals writeup - Packet 200

Packet Madness 200 was a simple TCP server speaking an uncommon language (at least nowadays).

Description: These folks speak a different language. Join their site and translate the key for us.

We open this file in Wireshark and see a TCP stream, so the first thing to do is right-click and choose "Follow TCP Stream" to see the whole stream's contents in a single window.

Defcon 18 CTF quals writeup - Trivial 200

Trivial 200 was an evil blind VIM terminal you had to escape from.

Description: sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA

One could simply SSH to the server with:
ssh -p 6000 sheep@pwn21.ddtek.biz # and use password baaAaaA
However, the server appeared to be overloaded and most of the time the SSH connection failed. The solution is to retry the connection in a shell loop until it works:
while true; do
  ssh -p6000 sheep@pwn21.ddtek.biz
done
Once connected, you get a black screen with nothing on it, but quickly discover you are in the VIM text editor.

Tuesday, May 25, 2010

Defcon 18 CTF quals writeup - Packet 100

Packet 100 was just... horrible, right? :) However, some teams managed to get it; here is my writeup.

Description: sumthing is not like the other... Here are your packets.

We have a capture file of several ICMP echo-request/echo-reply pings. We can ignore the echo-reply packets because they carry the same payload as the requests (it's a ping).
First, we focused on the only packet with a 129-byte payload instead of 256, but got nothing out of it, so we turned to the other packets.
We tried so many things: frequency analysis, Caesar shifts, XORs, considering only ASCII bytes, summing things, the IP checksum, Ethernet MAC addresses, using the first packet as a key or initialisation vector. But in fact it was what the description "sumthing is not like the other" hinted at: consider only the bytes that reside in this packet alone, and concatenate ("sum") them.
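The extraction step described above, as an added example that is not part of the original writeup: it reads the hint as "a byte value that appears in exactly one echo-request payload belongs to the message; anything shared between payloads is filler", and concatenates the survivors in packet order. The payloads it runs on are constructed here to show the idea; they are not the challenge capture, and the filtering of echo replies and the odd 129-byte packet is left out.

```python
"""Keep only the bytes that live in a single packet and concatenate them.

Added example, not code from the original writeup. Interpretation assumed:
a byte value present in exactly one echo-request payload is part of the
hidden message, everything shared between payloads is filler, and the
survivors are concatenated ("summed") in capture order. The payloads
below are constructed for illustration, not the challenge capture.
"""
from collections import Counter


def unique_bytes_per_packet(payloads):
    """For each payload, return the bytes whose value occurs in no other payload."""
    # Count in how many distinct payloads each byte value appears.
    presence = Counter()
    for p in payloads:
        presence.update(set(p))
    return [bytes(b for b in p if presence[b] == 1) for p in payloads]


def sum_unique_bytes(payloads):
    """Concatenate the per-packet unique bytes in capture order."""
    return b"".join(unique_bytes_per_packet(payloads))


def build_sample_payloads(message, filler_len=32):
    """Constructed sample: every payload is the same filler with one message
    byte hidden at a different position. Filler is drawn from 0x80 upwards so
    it cannot collide with an ASCII message. Limit of this scheme: a message
    byte repeated across two packets would look like filler and be dropped."""
    filler = bytes(range(0x80, 0x80 + filler_len))
    payloads = []
    for i, ch in enumerate(message):
        pos = (i * 7) % (filler_len + 1)        # vary the hiding position per packet
        payloads.append(filler[:pos] + bytes([ch]) + filler[pos:])
    return payloads


if __name__ == "__main__":
    sample = build_sample_payloads(b"sumthing")
    print(sum_unique_bytes(sample))
```

Counting presence per payload (via `set(p)`) rather than per occurrence matters: a byte repeated several times inside one packet is still unique to that packet and must be kept.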

Defcon 18 CTF quals writeups and scoreboard

This weekend was the Defcon 18 CTF quals; I played with Nibbles and we managed to finish #10! Congrats everyone, and thank you DDTEK, it was an awesome experience.

There are already many great writeups on the challenges available on the internet; if you want links, check out my friend @Ivanlef0u, he tweets them all. Update: all links are now also on Defcon's CTF archive page.

In the following posts I'll give my own writeups; the challenge files are available here.

By the way, the scoreboard was a Java applet connecting to DDTEK with some custom SSL. I was sad that no full scoreboard was made public by DDTEK, so at the beginning of the CTF, while waiting for new challenges to open, I decompiled the Java applet and modified it to fetch the scoreboard (only the top 15 was available) regularly, and archived all the different scoreboards over time. After extracting the scores, this allowed me to create a top-15 graph using flot, just like shallweplayaga.me did. The scoreboard archive is here if you want to make your own graphs or anything else.

Friday, May 21, 2010

CITCTF write-ups, Defcon

As previously mentioned, last weekend was CIT CTF. It was great, thank you! Again, I played with Nibbles and wow.. we managed to arrive in 1st place! Nibbles plans to release a document with our write-ups (instead of multiple blog posts), but meanwhile you can find some of my notes in my citctf directory:
  • Matryoshka: hundreds of nested password-protected archives, just like Russian nesting dolls. Questions were answered with Google, and extraction was automated with some shell.
  • What is her name: interesting steganography, with files embedded in a picture, and finally the password revealed by diff'ing two pictures. And no, her name was not Darya ;)
  • Damned traffic: a weird tcpdump output with pictures, ICMPs, and fragmented IP carrying UDP. I had fun playing with Python and my favourite network packet manipulation tool Scapy, but did not find anything, and neither did any other team; sadly the staff did not release any hint.. I'm wondering if they plan to release the solution or if we will never find out what it was.
  • Time bomb: a real time bomb in BASIC code along with the schematics; we had to find the exact time & location of the explosion. We thought we had it, but sadly we failed :( I'm looking forward to other write-ups to understand what it really was.
Update: very good writeups by @citizen_stig.

And as you probably know, this weekend there is another competition: Defcon CTF Quals. It's a first for me; again playing with Nibbles, we will try to have fun and do our best! Good luck if you are a player too.

Monday, May 17, 2010

Small OpenVZ admin and backup scripts

I have been using OpenVZ for a while now, and over time I created some very small scripts to make my sysadmin life easier.

Update 2013-01-14: as these evolve, I put them on GitHub: StalkR/misc/openvz.

Update 2010-06-10: new scripts and updated some of them. Instead of embedding them in the post, scripts are available here.

You'll find:
  • vz* for OpenVZ: there are many, but my favourite is vzl (a nice vzlist)
  • backup-all, to do backups using vzdump (with a powerful backup exclude system), send them to FTP, and print a nice summary
  • backup-purge, to purge old and no longer valid backups on the FTP server
  • ftpbackup*, for all the FTP backup plumbing using lftp: send files, get disk usage, shortcut to send FTP commands

I have put these scripts in /usr/local/sbin and find them useful. Note that many of these scripts depend on the others to work properly.

If you like them too, help yourself!

Friday, May 14, 2010

OpenVZ 2.6.32, soon Proxmox kernel 2.6.32 with KVM & OpenVZ

This is great, I just discovered that OpenVZ has a 2.6.32 branch: kernel 2.6.32-avdeyev.1 is available. As you may know, 2.6.32 will be a major kernel version (like 2.6.18 was) for important distributions such as RedHat 6, Debian squeeze, etc. By the way, squeeze should be released as Debian stable this year.

A good consequence is that the Proxmox 2.6.32 kernel, which currently only has KVM, will also support OpenVZ, so there is no longer any need to stick with the old 2.6.18. They have not announced a release date yet, but it should come this year too.

Wednesday, May 05, 2010

UDP scan with ICMP port unreachable and scapy

As you probably know, scanning for open UDP ports is painful because UDP is connectionless, so you cannot rely on a TCP SYN/SYN-ACK exchange to find open ports.

The ultimate network scanner, nmap, knows how to perform a UDP scan:
$ nmap -sU -p1-65535 <target>
You can add useful options such as -sV (probe open ports to determine service/version info). The scan takes much longer than a TCP scan, but sometimes it works. Yes, sometimes. Recently I started a simple UDP server (with socat) on a random port and challenged myself to find it within the whole 1-65535 range: I was unable to find it with nmap (I'm probably misusing nmap).
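Why a UDP scan is so unreliable becomes clear once you look at what the scanner actually has to work with. The following is an added example, not code from the original post: it implements the response interpretation nmap documents for -sU as an offline parser over raw IPv4 frames. An ICMP port unreachable (type 3, code 3) quoting the probe means closed; any other ICMP unreachable error means filtered; a UDP datagram back from the probed port means open; and silence, the usual case, is the ambiguous open|filtered. The frames are constructed below with addresses from the RFC 5737 documentation range; nothing is sent on the wire, and the ports and payloads are made up.

```python
"""Interpret the answers a UDP probe gets, the way nmap's -sU does.

Added example, not code from the original post. Offline parser over raw
IPv4 frames built below with RFC 5737 documentation addresses; the
probes and replies are constructed, nothing is sent.
"""
import struct

SCANNER = bytes([192, 0, 2, 10])    # constructed source address
TARGET = bytes([192, 0, 2, 20])     # constructed scanned host


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 over a correctly checksummed packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport, dport, payload=b""):
    """UDP header with a zero checksum (optional over IPv4) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_unreachable(code, offending, src, dst):
    """ICMP type 3 error quoting the offending IP header plus 8 bytes of UDP header."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(src, dst, 1, body)


def classify_udp_response(frame, probed_port):
    """Map the frame received after probing probed_port to nmap's UDP port states."""
    if frame is None:
        return "open|filtered"          # silence: service did not answer, or probe was dropped
    ihl = (frame[0] & 0x0F) * 4
    proto, payload = frame[9], frame[ihl:]
    if proto == 17:                      # the service itself replied
        sport = struct.unpack("!H", payload[:2])[0]
        return "open" if sport == probed_port else "unrelated"
    if proto != 1 or inet_checksum(payload) != 0:
        return "unrelated"               # not ICMP, or corrupted ICMP
    icmp_type, icmp_code = payload[0], payload[1]
    if icmp_type != 3:
        return "unrelated"
    inner = payload[8:]                  # quoted datagram identifies which probe this is about
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17:
        return "unrelated"
    quoted_dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if quoted_dport != probed_port:
        return "unrelated"               # error belongs to some other probe
    if icmp_code == 3:
        return "closed"                  # port unreachable: nothing listens there
    if icmp_code in (0, 1, 2, 9, 10, 13):
        return "filtered"                # net/host/proto unreachable or admin prohibited
    return "unrelated"


def sample_scan():
    """Constructed exchange for four ports, one per outcome."""
    def probe(dport):
        return build_ipv4(SCANNER, TARGET, 17, build_udp(40000, dport))
    responses = {
        53: build_icmp_unreachable(3, probe(53), TARGET, SCANNER),    # port unreachable
        69: build_icmp_unreachable(13, probe(69), TARGET, SCANNER),   # admin prohibited
        123: build_ipv4(TARGET, SCANNER, 17, build_udp(123, 40000, b"\x1c" + b"\x00" * 47)),
        161: None,                                                    # no answer at all
    }
    return {port: classify_udp_response(frame, port) for port, frame in responses.items()}


if __name__ == "__main__":
    for port, state in sorted(sample_scan().items()):
        print("udp/%d %s" % (port, state))
```

Two details explain the author's experience: a service that only answers well-formed requests stays silent to an empty probe, so it is reported as open|filtered like every firewalled port, and many hosts rate-limit ICMP errors (Linux defaults to one per second), so a full 1-65535 sweep either crawls or loses answers. Matching the quoted destination port before trusting an error is also what keeps a stray ICMP message from being attributed to the wrong probe.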