South African hacking challenge

That's for script kiddies - openssl enc -aes-256-cbc -d -a -in intro.enc -out file.txt

Ah, good, at least we know you can decrypt stuff. If you would like to register for HackFu challenge 2015 now, you can do so. Please send us an email with the following:

The password for the container is "itissometimesanappropriateresponsetorealitytogoinsane"

Subject: Hackfu Challenge 2015 - Codename - Registration
Email address: [email protected]
Body: Tell us who you are and where you are from (country). Also tell us what you are doing currently (Student/Developer/Scientist/Lab Rat/Dictator/Dr Evil etc.)

We will post occasional hints where necessary here, at our own discretion }:-]
https://twitter.com/mwrlabs

PHP:
GNaschenweng@MacMuffin hackfu2015]$ unzip -t container.zip
Archive:  container.zip
    testing: Challenge1/              OK
    testing: Challenge1/solution-informant.txt.aes   OK
    testing: Challenge1/orders.txt    OK
    testing: Challenge2/              OK
    testing: Challenge2/solution-tournament.txt.aes   OK
    testing: Challenge2/orders.txt    OK
    testing: Challenge2/galactic.txt   OK
    testing: Challenge2/galactic.bmp   OK
    testing: Challenge3/              OK
    testing: Challenge3/solution-depositbox.txt.aes   OK
    testing: Challenge3/orders.txt    OK
    testing: Challenge4/              OK
    testing: Challenge4/solution-android.txt.aes   OK
    testing: Challenge4/orders.txt    OK
    testing: Challenge4/communicatorV1.apk   OK
    testing: Challenge4/communicatorBeta.apk   OK
    testing: Challenge4/authenticator.apk   OK
    testing: Challenge5/              OK
    testing: Challenge5/solution-signal.txt.aes   OK
    testing: Challenge5/shipsignal    OK
    testing: Challenge5/orders.txt    OK
    testing: Challenge6/              OK
    testing: Challenge6/solution-circuit.txt.aes   OK
    testing: Challenge6/powermachine.png   OK
    testing: Challenge6/orders.txt    OK
    testing: Challenge7/              OK
    testing: Challenge7/solution-binary.txt.aes   OK
    testing: Challenge7/shipbinary    OK
    testing: Challenge7/orders.txt    OK
    testing: epilogue.txt.aes         OK
No errors detected in compressed data of container.zip.
 
No one? - Challenge7:

testing: Challenge7/ OK
testing: Challenge7/solution-binary.txt.aes OK
testing: Challenge7/shipbinary OK
testing: Challenge7/orders.txt OK
testing: epilogue.txt.aes OK

"Crack" the binary to reveal the password. Really?

PHP:
$ strings shipbinary

... snip ...
tcsetattr(): Cannot revert terminal setting
tcgetattr(): Cannot retrieve the current terminal setting
sigaction()
tcsetattr(): Cannot update terminal setting
Enter Decryption Code: 
burnthelandandboilthesea <<<<<< THE PASSWORD
Code Accepted.


... snip ...

Really not difficult

PHP:
@MacMuffin Challenge7]$  openssl enc -aes-256-cbc -d -a -in solution-binary.txt.aes 
enter aes-256-cbc decryption password:
You enter the access code into the central server and you catch a shell with the prompt "root@*DSTRYR12$".

Orders:
-------
Congratulations on completing the challenge Agent! Your proceeding orders are as follows:
* Send an email to [email protected]
* In the subject line, please put "Hackfu Challenge 2015 - Codename - FIREBLASTER"
* In the body, let us know what your approach was to solving the problem, perhaps what you tried that didn't work and also attach any code that you used to solve the challenge
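Added example, not part of the original post or the challenge files: a portable stand-in for the `strings` step above, run over two constructed byte blobs, showing why a code compared against a literal is readable from the file while a salted PBKDF2 digest of the same code is not. The sample code, salt, blob layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

ITERATIONS = 200_000
SAMPLE_CODE = b"constructed-sample-code"   # constructed, not the challenge value
SAMPLE_SALT = bytes(range(16))             # constructed, fixed for repeatability
HEADER = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def derive(code: bytes, salt: bytes) -> bytes:
    """Salted, slow digest of the access code."""
    return hashlib.pbkdf2_hmac("sha256", code, salt, ITERATIONS)


def build_weak_image(code: bytes) -> bytes:
    """Constructed blob: the expected code sits in the data as a literal."""
    return (HEADER + b"Enter Decryption Code: \x00"
            + code + b"\x00Code Accepted.\x00")


def build_hardened_image(code: bytes, salt: bytes) -> bytes:
    """Constructed blob: only salt and digest of the code are stored."""
    return (HEADER + b"Enter Decryption Code: \x00"
            + salt + derive(code, salt) + b"\x00Code Accepted.\x00")


def verify(candidate: bytes, salt: bytes, digest: bytes) -> bool:
    """Check user input against the stored digest in constant time."""
    return hmac.compare_digest(derive(candidate, salt), digest)


def leaks_code(blob: bytes, code: bytes) -> bool:
    """True if the plaintext code shows up in the blob's printable strings."""
    return any(code.decode("ascii") in s for s in printable_strings(blob))


if __name__ == "__main__":
    print(printable_strings(build_weak_image(SAMPLE_CODE)))
    print("weak leaks code:    ", leaks_code(build_weak_image(SAMPLE_CODE), SAMPLE_CODE))
    hardened = build_hardened_image(SAMPLE_CODE, SAMPLE_SALT)
    print("hardened leaks code:", leaks_code(hardened, SAMPLE_CODE))
```

Storing a digest only removes the plaintext from the file; the comparison still runs on a machine the user controls, so a short or guessable code can be tried offline against the digest.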
 
Will give it a bash at home :)

Not sure they are going to be too impressed with the super secret results being posted in a public forum haha
 
Will give it a bash at home :)

Not sure they are going to be too impressed with the super secret results being posted in a public forum haha

I have done it all in about 2 hours. Not really that difficult and the ones I posted should be solved by anyone with 2 years of IT exposure. I guess most fun was (although it only lasted 15 minutes) decompiling the APKs, pulling out the hashes and getting the .... uh never mind....

I am wondering if people doing computer science nowadays will immediately see how to solve the problem. It is really always the same outcome - passcode to decrypt the aes file. In most cases it is very obvious if you are familiar with algorithms, development, a bit of Linux - didn't need any special tools running on a Mac - I would for example have no clue what the Windows equivalent to a "strings" command is (anyone?)

FWIW: The organisers put a decent enough amount of effort into the challenge - so congrats if you are reading this. For me none of this was really difficult and I think most guys with deep enough Linux/OSS/development skills would have no problem (I would have been really lost if they had dropped a Windows executable as part of the challenges - lol)
 
 
@MagicDude4Eva

Standard procedure with these types of challenges is to only post your method and solutions once the challenge completion date has passed.

This is so the challenge is not ruined for everyone else. Just saying...
 
@MagicDude4Eva

Standard procedure with these types of challenges is to only post your method and solutions once the challenge completion date has passed.

This is so the challenge is not ruined for everyone else. Just saying...

I posted the easiest ones, which anyone can even solve with a simple online base64 decoder (base64decode.org). So not much fun in those anyway. The others are more interesting, and there I did not want to spoil it. The serious participants of the hackathon will laugh those two off as well, but I think guys who have never done something like this can at least go to the site, download the zip and then run through the two examples I posted. It will not take away anyone's fun.

BTW: I fail to see how it's "ruining it for everyone" if the one challenge is a base64decode and the other is a simple string-dump of an executable - both of which take no more than a few minutes to solve.
 
I posted the easiest ones, which anyone can even solve with a simple online base64 decoder (base64decode.org). So not much fun in those anyway. The others are more interesting, and there I did not want to spoil it. The serious participants of the hackathon will laugh those two off as well, but I think guys who have never done something like this can at least go to the site, download the zip and then run through the two examples I posted. It will not take away anyone's fun.

BTW: I fail to see how it's "ruining it for everyone" if the one challenge is a base64decode and the other is a simple string-dump of an executable - both of which take no more than a few minutes to solve.

Sure those ones are simple, but the fun part of these is figuring them out for yourself. And those that have never heard about base64 will learn a lot by trying to figure it out vs just copy pasting a solution.

BTW: I fail to see how it's "ruining it for everyone"

As prizes are involved, if everyone had access to the solutions and submitted them, and received a limited prize, then the people that completed them on their own could end up not receiving a prize.
 
Sure those ones are simple, but the fun part of these is figuring them out for yourself. And those that have never heard about base64 will learn a lot by trying to figure it out vs just copy pasting a solution.

As prizes are involved, if everyone had access to the solutions and submitted them, and received a limited prize, then the people that completed them on their own could end up not receiving a prize.

I get what you are saying. I think the two I mentioned are so obvious that if you can not figure them out, you will actually seriously struggle with any of the other ones. In any case, I think I am spoilt then - the prize is the ticket to the event and some accommodation (the "(please bring something to sleep on)" makes me say "WHAT?") ONLY. The event is in the UK and travel is excluded (there is mention of "For exceptional entries the judges may also include travel in the event prize.").

Not going to spoil the fun for everyone else.... Good luck.
 