Category: Hacking Lab

RSS

Archive for the ‘Hacking Lab’ Category

Hackvent 2019: Day 14

14 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 14 December 2019

Challenge

HV19.14 Achtung das Flag

Introduction
Let's play another little game this year. Once again, I promise it is hardly obfuscated.
Resources

Introduction

Let's play another little game this year. Once again, I promise it is hardly obfuscated.

Resources

use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=<DATA>);sub M{$M=shift;##
@m=keys %::;(grep{(unpack("%32W*",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###
/_help_me_/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)&0xFFFFFFFF;};
($a1Ivn0ECw49I5I0oE0='07&3-"11*/(')=~y$!-=$`-~$;($Sk61A7pO='K&:P3&44')=~y$!-=$`-~$;m/Mm/g;
($sk6i47pO='K&:R&-&"4&')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]
^($PMMtQJOcHm8eFQfdsdNAS20->()&0xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow->new)->title($r)
;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_->Canvas("-$a"=>640,"-$b"=>480,"-$u"=>$f))->pack;@p=(42,42
);$cqI=$vMnyQdAkfgIIik->createLine(@p,@p,"-$y"=>$c,"-$a"=>3);;;$S9cXJIGB0BWce=0;$_2kY10=0;
$_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'/'.M(191323).M(133418).M(98813).M(121913)
.M(134214).M(101213).'/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',
$::{M(122413)}->($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik->delete($t);$t=$vMnyQdAkfgIIik->#FOO
createText($PMMtQJOcHm8eFQfdsdNAS20->()%600+20,$PMMtQJOcHm8eFQfdsdNAS20->()%440+20,#Perl!!
"-text"=>$d28Vt03MEbdY0->(),"-$y"=>$z);})->();$HACK;$i=$vMnyQdAkfgIIik->repeat(25,sub{$_=(
$_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]>1&&$p[1]>1&&$p[0]<639&&
$p[1]<479)||$i->cancel();00;$q=($vMnyQdAkfgIIik->find($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,
$p[0]+1,$p[1]+1)||[])->[0];$q==$t&&$T->();$vMnyQdAkfgIIik->insert($cqI,'end',\@p);($q==###
$cqI||$S9cXJIGB0BWce>44)&&$i->cancel();});$KE=5;$vgOjwRk4wIo7_->bind("<$Sk61A7pO-n>"=>sub{
$Sk6lA7p0=1;});$vgOjwRk4wIo7_->bind("<$Sk61A7pO-m>"=>sub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%"
->bind("<$sk6i47pO-n>"=>sub{$Sk6lA7p0=0 if$Sk6lA7p0>0;});$vgOjwRk4wIo7_->bind("<$sk6i47pO"
."-m>"=>sub{$Sk6lA7p0=0 if $Sk6lA7p0<0;});$::{M(7998)}->();$M_decrypt=sub{'HACKVENT2019'};
__DATA__
The cake is a lie!
width
height
orange
black
green
cyan
fill
Only perl can parse Perl!
Achtung das Flag! --> Use N and M
background
M'); DROP TABLE flags; -- 
Run me in Perl!
__DATA__

use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=<DATA>);sub M{$M=shift;##

@m=keys %::;(grep{(unpack("%32W*",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###

/_help_me_/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)&0xFFFFFFFF;};

($a1Ivn0ECw49I5I0oE0='07&3-"11*/(')=~y$!-=$`-~$;($Sk61A7pO='K&:P3&44')=~y$!-=$`-~$;m/Mm/g;

($sk6i47pO='K&:R&-&"4&')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]

^($PMMtQJOcHm8eFQfdsdNAS20->()&0xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow->new)->title($r)

;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_->Canvas("-$a"=>640,"-$b"=>480,"-$u"=>$f))->pack;@p=(42,42

);$cqI=$vMnyQdAkfgIIik->createLine(@p,@p,"-$y"=>$c,"-$a"=>3);;;$S9cXJIGB0BWce=0;$_2kY10=0;

$_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'/'.M(191323).M(133418).M(98813).M(121913)

.M(134214).M(101213).'/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',

$::{M(122413)}->($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik->delete($t);$t=$vMnyQdAkfgIIik->#FOO

createText($PMMtQJOcHm8eFQfdsdNAS20->()%600+20,$PMMtQJOcHm8eFQfdsdNAS20->()%440+20,#Perl!!

"-text"=>$d28Vt03MEbdY0->(),"-$y"=>$z);})->();$HACK;$i=$vMnyQdAkfgIIik->repeat(25,sub{$_=(

$_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]>1&&$p[1]>1&&$p[0]<639&&

$p[1]<479)||$i->cancel();00;$q=($vMnyQdAkfgIIik->find($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,

$p[0]+1,$p[1]+1)||[])->[0];$q==$t&&$T->();$vMnyQdAkfgIIik->insert($cqI,'end',\@p);($q==###

$cqI||$S9cXJIGB0BWce>44)&&$i->cancel();});$KE=5;$vgOjwRk4wIo7_->bind("<$Sk61A7pO-n>"=>sub{

$Sk6lA7p0=1;});$vgOjwRk4wIo7_->bind("<$Sk61A7pO-m>"=>sub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%"

->bind("<$sk6i47pO-n>"=>sub{$Sk6lA7p0=0 if$Sk6lA7p0>0;});$vgOjwRk4wIo7_->bind("<$sk6i47pO"

."-m>"=>sub{$Sk6lA7p0=0 if $Sk6lA7p0<0;});$::{M(7998)}->();$M_decrypt=sub{'HACKVENT2019'};

__DATA__

The cake is a lie!

width

height

orange

black

green

cyan

fill

Only perl can parse Perl!

Achtung das Flag! --> Use N and M

background

M'); DROP TABLE flags; --

Run me in Perl!

__DATA__

Solution

We are provided with some Perl code so we decide to run it. We realise we need the Tk module which seems to be some GUI library for Perl.
After running the code we are presented with a game which allows us to control the direction of a line with the letters N and M. We also see letters on the screen which look like parts of the flag!

So we start playing this game for fun but realise its very difficult to win the game ends when we hit the line or borders. Therefore, we give ourselves godmode by replacing $i->cancel(); with 1. However, even if we cheat at the game there are just too many characters and it all gets too messy so we don’t peruse this avenue any further:

Instead, we try to manually deobfustrate the perl code. We don’t need to deobfustrate the whole program, only the parts that spit the cyan coloured text.
Before we do this we use PerlTidy to clean up our code a little.

We follow the word cyan in the __DATA__ segment which we discover is tied to the $z variable. In the call to createText , we see that $d28Vt03MEbdY0 is variable holding the code reference with the flag text components. We’ll use built in B::Deparse to deparse this. However, it seems like the code actually mutates data so we cannot simply evaluate $d28Vt03MEbdY0 code twice. Therefore, we replace it with an empty string in the actual text to be displayed and print the text to the console instead. We also replace $q==$t&&$T->() with $T->() to ensure that the next component is displayed each frame regardless of any checks (i.e. interception check). Finally, we change the FPS in the repeat loop to 1 so the program executes and ends quickly.

Our new code looks like this (with modified lines highlighted):

use Tk;
use MIME::Base64;
use B::Deparse ();
my $deparse = B::Deparse->new;
chomp( ( $a, $a, $b, $c, $f, $u, $z, $y, $r, $r, $u ) = <DATA> );
sub M {
$M = shift;      ##
@m = keys %::;
( grep { ( unpack( "%32W*", $_ ) . length($_) ) eq $M } @m )[0];
}
$zvYPxUpXMSsw = 0x1337C0DE;    ###
/_help_me_/;
$PMMtQJOcHm8eFQfdsdNAS20 =
sub { $zvYPxUpXMSsw = ( $zvYPxUpXMSsw * 16807 ) & 0xFFFFFFFF; };
( $a1Ivn0ECw49I5I0oE0 = '07&3-"11*/(' ) =~ y$!-=$`-~$;
( $Sk61A7pO           = 'K&:P3&44' )    =~ y$!-=$`-~$;
m/Mm/g;
( $sk6i47pO = 'K&:R&-&"4&' ) =~ y$!-=$`-~$;
$d28Vt03MEbdY0 = sub {
pack( 'n',
$fff[ $S9cXJIGB0BWce++ ] ^ ( $PMMtQJOcHm8eFQfdsdNAS20->() & 0xDEAD ) );
};
'42';
( $vgOjwRk4wIo7_ = MainWindow->new )->title($r);
( $vMnyQdAkfgIIik =
$vgOjwRk4wIo7_->Canvas( "-$a" => 640, "-$b" => 480, "-$u" => $f ) )->pack;
@p             = ( 42, 42 );
$cqI           = $vMnyQdAkfgIIik->createLine( @p, @p, "-$y" => $c, "-$a" => 3 );
$S9cXJIGB0BWce = 0;
$_2kY10        = 0;
$_8NZQooI5K4b  = 0;
$Sk6lA7p0      = 0;
$MMM__;
$_ =
M(120812) . '/'
. M(191323)
. M(133418)
. M(98813)
. M(121913)
. M(134214)
. M(101213) . '/'
. M(97312)
. M(6328)
. M(2853) . '+'
. M(4386);
s|_||gi;
@fff = map { unpack( 'n', $::{ M(122413) }->($_) ) } m:...:g;
(
$T = sub {
$vMnyQdAkfgIIik->delete($t);
$t = $vMnyQdAkfgIIik->    #FOO
createText(
$PMMtQJOcHm8eFQfdsdNAS20->() % 600 + 20,
$PMMtQJOcHm8eFQfdsdNAS20->() % 440 + 20,    #Perl!!
"-text" => "",
"-$y"   => $z
);
print eval( $deparse->coderef2text($d28Vt03MEbdY0) );
}
)->();
$HACK;
$i = $vMnyQdAkfgIIik->repeat(
1,
sub {
$_ = ( $_8NZQooI5K4b += 0.1 * $Sk6lA7p0 );
$p[0] += 3.0 * cos;
$p[1] -= 3 * sin;
( $p[0] > 1 && $p[1] > 1 && $p[0] < 639 && $p[1] < 479 )
|| $i->cancel();
00;
$q = (
$vMnyQdAkfgIIik->find(
$a1Ivn0ECw49I5I0oE0,
$p[0] - 1,
$p[1] - 1,
$p[0] + 1,
$p[1] + 1
)
|| []
)->[0];
$T->();
$vMnyQdAkfgIIik->insert( $cqI, 'end', \@p );
(
$q ==    ###
$cqI || $S9cXJIGB0BWce > 44
) && $i->cancel();
}
);
$KE = 5;
$vgOjwRk4wIo7_->bind(
"<$Sk61A7pO-n>" => sub {
$Sk6lA7p0 = 1;
}
);
$vgOjwRk4wIo7_->bind( "<$Sk61A7pO-m>" => sub { $Sk6lA7p0 = -1; } );
$vgOjwRk4wIo7_       #%"
->bind( "<$sk6i47pO-n>" => sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 > 0; } );
$vgOjwRk4wIo7_->bind(
"<$sk6i47pO" . "-m>" => sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 < 0; } );
$::{ M(7998) }->();
$M_decrypt = sub { 'HACKVENT2019' };
__DATA__
The cake is a lie!
width
height
orange
black
green
cyan
fill
Only perl can parse Perl!
Achtung das Flag! --> Use N and M
background
M'); DROP TABLE flags; -- 
Run me in Perl!
__DATA__

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

use Tk;

use MIME::Base64;

use B::Deparse ();

my $deparse = B::Deparse->new;

chomp( ( $a, $a, $b, $c, $f, $u, $z, $y, $r, $r, $u ) = <DATA> );

sub M {

$M = shift; ##

@m = keys %::;

( grep { ( unpack( "%32W*", $_ ) . length($_) ) eq $M } @m )[0];

}

$zvYPxUpXMSsw = 0x1337C0DE; ###

/_help_me_/;

$PMMtQJOcHm8eFQfdsdNAS20 =

sub { $zvYPxUpXMSsw = ( $zvYPxUpXMSsw * 16807 ) & 0xFFFFFFFF; };

( $a1Ivn0ECw49I5I0oE0 = '07&3-"11*/(' ) =~ y$!-=$`-~$;

( $Sk61A7pO = 'K&:P3&44' ) =~ y$!-=$`-~$;

m/Mm/g;

( $sk6i47pO = 'K&:R&-&"4&' ) =~ y$!-=$`-~$;

$d28Vt03MEbdY0 = sub {

pack( 'n',

$fff[ $S9cXJIGB0BWce++ ] ^ ( $PMMtQJOcHm8eFQfdsdNAS20->() & 0xDEAD ) );

};

'42';

( $vgOjwRk4wIo7_ = MainWindow->new )->title($r);

( $vMnyQdAkfgIIik =

$vgOjwRk4wIo7_->Canvas( "-$a" => 640, "-$b" => 480, "-$u" => $f ) )->pack;

@p = ( 42, 42 );

$cqI = $vMnyQdAkfgIIik->createLine( @p, @p, "-$y" => $c, "-$a" => 3 );

$S9cXJIGB0BWce = 0;

$_2kY10 = 0;

$_8NZQooI5K4b = 0;

$Sk6lA7p0 = 0;

$MMM__;

$_ =

M(120812) . '/'

. M(191323)

. M(133418)

. M(98813)

. M(121913)

. M(134214)

. M(101213) . '/'

. M(97312)

. M(6328)

. M(2853) . '+'

. M(4386);

s|_||gi;

@fff = map { unpack( 'n', $::{ M(122413) }->($_) ) } m:...:g;

(

$T = sub {

$vMnyQdAkfgIIik->delete($t);

$t = $vMnyQdAkfgIIik-> #FOO

createText(

$PMMtQJOcHm8eFQfdsdNAS20->() % 600 + 20,

$PMMtQJOcHm8eFQfdsdNAS20->() % 440 + 20, #Perl!!

"-text" => "",

"-$y" => $z

);

print eval( $deparse->coderef2text($d28Vt03MEbdY0) );

}

)->();

$HACK;

$i = $vMnyQdAkfgIIik->repeat(

sub {

$_ = ( $_8NZQooI5K4b += 0.1 * $Sk6lA7p0 );

$p[0] += 3.0 * cos;

$p[1] -= 3 * sin;

( $p[0] > 1 && $p[1] > 1 && $p[0] < 639 && $p[1] < 479 )

|| $i->cancel();

00;

$q = (

$vMnyQdAkfgIIik->find(

$a1Ivn0ECw49I5I0oE0,

$p[0] - 1,

$p[1] - 1,

$p[0] + 1,

$p[1] + 1

)

|| []

)->[0];

$T->();

$vMnyQdAkfgIIik->insert( $cqI, 'end', \@p );

(

$q == ###

$cqI || $S9cXJIGB0BWce > 44

) && $i->cancel();

}

);

$KE = 5;

$vgOjwRk4wIo7_->bind(

"<$Sk61A7pO-n>" => sub {

$Sk6lA7p0 = 1;

}

);

$vgOjwRk4wIo7_->bind( "<$Sk61A7pO-m>" => sub { $Sk6lA7p0 = -1; } );

$vgOjwRk4wIo7_ #%"

->bind( "<$sk6i47pO-n>" => sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 > 0; } );

$vgOjwRk4wIo7_->bind(

"<$sk6i47pO" . "-m>" => sub { $Sk6lA7p0 = 0 if $Sk6lA7p0 < 0; } );

$::{ M(7998) }->();

$M_decrypt = sub { 'HACKVENT2019' };

__DATA__

The cake is a lie!

width

height

orange

black

green

cyan

fill

Only perl can parse Perl!

Achtung das Flag! --> Use N and M

background

M'); DROP TABLE flags; --

Run me in Perl!

__DATA__

We run the perl program again and it prints out an interesting but working flag!

PS C:\Users\Mo\Desktop> perl .\day14.pl.tdy
HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}

1 2	PS C:\Users\Mo\Desktop> perl .\day14.pl.tdy HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}

Flag: HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\x20\n^&&s[(.)(..)][\2\1]g;s%4(...)%"p$1t"%ee}

Bonus

This challenge also contained the solution to HV19.H4 Hidden Four.

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 13

13 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 13 December 2019

Challenge

HV19.13 TrieMe

Introduction
Switzerland's national security is at risk. As you try to infiltrate a secret spy facility to save the nation you stumble upon an interesting looking login portal.
Can you break it and retrieve the critical information?

Introduction

Switzerland's national security is at risk. As you try to infiltrate a secret spy facility to save the nation you stumble upon an interesting looking login portal.

Can you break it and retrieve the critical information?

Resources:

Facility: http://whale.hacking-lab.com:8888/trieme/
HV19.13-NotesBean.java.zip

Solution

We are given a webpage with a form and the java source to the bean that serves that page.

Java source:

package com.jwt.jsf.bean;
import org.apache.commons.collections4.trie.PatriciaTrie;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.io.StringWriter;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import static org.apache.commons.lang3.StringEscapeUtils.unescapeJava;
import org.apache.commons.io.IOUtils;
@ManagedBean(name="notesBean")
@SessionScoped
public class NotesBean implements Serializable {
/**
*
*/
private PatriciaTrie<Integer> trie = init();
private static final long serialVersionUID = 1L;
private static final String securitytoken = "auth_token_4835989";
public NotesBean() {
super();
init();
}
public String getTrie() throws IOException {
if(isAdmin(trie)) {
InputStream in=getStreamFromResourcesFolder("data/flag.txt");
StringWriter writer = new StringWriter();
IOUtils.copy(in, writer, "UTF-8");
String flag = writer.toString();
return flag;
}
return "INTRUSION WILL BE REPORTED!";
}
public void setTrie(String note) {
trie.put(unescapeJava(note), 0);
}
private static PatriciaTrie<Integer> init(){
PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
trie.put(securitytoken,0);
return trie;
}
private static boolean isAdmin(PatriciaTrie<Integer> trie){
return !trie.containsKey(securitytoken);
}
private static InputStream getStreamFromResourcesFolder(String filePath) {
return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);
}
}

package com.jwt.jsf.bean;

import org.apache.commons.collections4.trie.PatriciaTrie;

import java.io.IOException;

import java.io.InputStream;

import java.io.Serializable;

import java.io.StringWriter;

import javax.faces.bean.ManagedBean;

import javax.faces.bean.SessionScoped;

import static org.apache.commons.lang3.StringEscapeUtils.unescapeJava;

import org.apache.commons.io.IOUtils;

@ManagedBean(name="notesBean")

@SessionScoped

public class NotesBean implements Serializable {

/**

private PatriciaTrie<Integer> trie = init();

private static final long serialVersionUID = 1L;

private static final String securitytoken = "auth_token_4835989";

public NotesBean() {

super();

init();

}

public String getTrie() throws IOException {

if(isAdmin(trie)) {

InputStream in=getStreamFromResourcesFolder("data/flag.txt");

StringWriter writer = new StringWriter();

IOUtils.copy(in, writer, "UTF-8");

String flag = writer.toString();

return flag;

}

return "INTRUSION WILL BE REPORTED!";

}

public void setTrie(String note) {

trie.put(unescapeJava(note), 0);

}

private static PatriciaTrie<Integer> init(){

PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();

trie.put(securitytoken,0);

return trie;

}

private static boolean isAdmin(PatriciaTrie<Integer> trie){

return !trie.containsKey(securitytoken);

}

private static InputStream getStreamFromResourcesFolder(String filePath) {

return Thread.currentThread().getContextClassLoader().getResourceAsStream(filePath);

}

Initially, we try a few different approached to get our flag. We try to exploit the JSF Viewstate assuming that the state is stored client side which it is not. This post is a good read on the topic.

We also try to navigate to our flag located in the file /data/flag.txt but this also fails. However, we do manage to access the WEB-INF/web.xml file here:
http://whale.hacking-lab.com:8888/trieme/javax.faces.resource…/WEB-INF/web.xml.jsf

Finally, we notice that the default value for the input text field in the form has the value of getTrie() there which returns “INTRUSION WILL BE REPORTED!” for now. Thus, we correctly assume the value of this text is used as an argument to setTrie() which is otherwise unused. Here we do some digging into the Apache commons library methods being used. In particular the PatriciaTrie data structure. We have a limited attack vector in the name POST parameter to the form. The only thing we can really do is add more values to the trie and it will always contain the initial value of auth_token_4835989. However, how can we use a PatriciaTrie.put() call to remove an entry?

After some local debugging and static analysis we discover that the PatriciaTrie.put() method does not properly compare strings that end with a null terminator character or \x00 with their null free counterpart while the PatriciaTrie.containsKey() method does correctly distinguish them. That means we can simply pass in auth_token_4835989\0 to our setTrie() method and have it overwrite the initial value already in the trie while changing the outcome of the !trie.containsKey(securitytoken) check and thus the isAdmin(trie) check.

This piece of java code demonstrates the issue:

PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();
// Put can't distinguish between strings with null terminators at end
trie.put("A", 0);
trie.put("A\0", 0);
System.out.println(trie.size()); // Should be 2 but is only 1
// containsKey works as expected
System.out.println("trie.containsKey(\"A\") = " + trie.containsKey("A"));
System.out.println("trie.containsKey(\"A\0\") = " + trie.containsKey("A\0"));

PatriciaTrie<Integer> trie = new PatriciaTrie<Integer>();

// Put can't distinguish between strings with null terminators at end

trie.put("A", 0);

trie.put("A\0", 0);

System.out.println(trie.size()); // Should be 2 but is only 1

// containsKey works as expected

System.out.println("trie.containsKey(\"A\") = " + trie.containsKey("A"));

System.out.println("trie.containsKey(\"A\0\") = " + trie.containsKey("A\0"));

We pass in the string auth_token_4835989\0 to our form which gives us a message with the daily flag!

STATUS: We will steal all the national chocolate supplies at christmas, 3pm: Here's the building codes: HV19{get_th3_chocolateZ} !

1	STATUS: We will steal all the national chocolate supplies at christmas, 3pm: Here's the building codes: HV19{get_th3_chocolateZ} !

Flag: HV19{get_th3_chocolateZ}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 12

13 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 12 December 2019

Challenge

HV19.12 back to basic

Introduction
Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!
Resources
HV19.12-BackToBasic.zip

Introduction

Santa used his time machine to get a present from the past. get your rusty tools out of your cellar and solve this one!

Resources

HV19.12-BackToBasic.zip

Resources: HV19.12-BackToBasic.zip

Solution

We download the above zip file and find a Windows PE executable called BackToBasic.exe.
Upon opening the file we are prompted for some input but our input is always wrong.

Initially, we open this file in IDA Pro and inspect it. Its a smallish executable that was originally written in Visual Basic.
We decide to complete this challenge using only static analysis. We use a combination of IDA Pro and another tool called VB Decompiler.
This decompiler was specifically designed to decompile Visual Basic code so its a good bet!

We get the following decompilation result:

Private Sub Text1_Change() '401F80
Dim Me As Me
Dim var_4C As Variant
loc_00402072: var_48 = Text1.Text
loc_004020A6: var_34 = var_48
loc_00402228: var_ret_7 = (Mid(var_34, 1, 1) = &H401B20) And (Mid(var_34, 2, 1) = &H401B28) And (Mid(var_34, 3, 1) = &H401B30) And (Mid(var_34, 4, 1) = &H401B38)
loc_00402235: var_1C0 = CBool(var_ret_7)
loc_00402280: If var_1C0 Then
loc_004022A2:   var_5C = Len(var_34)
loc_004022B9:   If (var_5C = 33) Then
loc_0040230D:     var_ret_8 = Len(var_34) - 1
loc_0040232D:     For var_24 = 6 To var_ret_8 Step 1
loc_00402339: 
loc_0040233B:       If var_1D4 Then
loc_00402375:         var_154 = Asc(CStr(Mid(var_34, CLng(var_24), 1)))
loc_00402391:         call Xor(var_7C, var_15C, var_24, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)
loc_00402398:         var_ret_A = CLng(Xor(var_7C, var_15C, var_24, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))
loc_004023C5:         var_44 = var_44 + Chr(var_ret_A)
loc_00402400:       Next var_24
loc_00402406:       GoTo loc_00402339
loc_0040240B:     End If
loc_00402433:     If (var_44 = "6klzic<=bPBtdvff'yFI Then
loc_00402456:       Label1.Caption = "Status: correct"
loc_00402477:     End If
loc_00402481:     GoTo loc_00402574
loc_00402486:   End If
loc_004024A7:   Label1.Caption = "Status: wrong"
loc_004024AE:   If var_4C < 0 Then
loc_004024B0:     GoTo loc_004024DC
loc_004024B2:   End If
loc_004024D3:   Label1.Caption = "Status: wrong"
loc_004024DA:   If var_4C >= 0 Then GoTo loc_004024EB
loc_004024DC:   'Referenced from: 004024B0
loc_004024E5:   var_4C = CheckObj(var_4C, global_00401B9C, 84)
loc_004024EB: End If
loc_004024F4: GoTo loc_00402479
loc_00402573: Exit Sub
loc_00402574: 'Referenced from: 00402481
End Sub

Private Sub Text1_Change() '401F80

Dim Me As Me

Dim var_4C As Variant

loc_00402072: var_48 = Text1.Text

loc_004020A6: var_34 = var_48

loc_00402228: var_ret_7 = (Mid(var_34, 1, 1) = &H401B20) And (Mid(var_34, 2, 1) = &H401B28) And (Mid(var_34, 3, 1) = &H401B30) And (Mid(var_34, 4, 1) = &H401B38)

loc_00402235: var_1C0 = CBool(var_ret_7)

loc_00402280: If var_1C0 Then

loc_004022A2: var_5C = Len(var_34)

loc_004022B9: If (var_5C = 33) Then

loc_0040230D: var_ret_8 = Len(var_34) - 1

loc_0040232D: For var_24 = 6 To var_ret_8 Step 1

loc_00402339:

loc_0040233B: If var_1D4 Then

loc_00402375: var_154 = Asc(CStr(Mid(var_34, CLng(var_24), 1)))

loc_00402391: call Xor(var_7C, var_15C, var_24, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)

loc_00402398: var_ret_A = CLng(Xor(var_7C, var_15C, var_24, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))

loc_004023C5: var_44 = var_44 + Chr(var_ret_A)

loc_00402400: Next var_24

loc_00402406: GoTo loc_00402339

loc_0040240B: End If

loc_00402433: If (var_44 = "6klzic<=bPBtdvff'yFI Then

loc_00402456: Label1.Caption = "Status: correct"

loc_00402477: End If

loc_00402481: GoTo loc_00402574

loc_00402486: End If

loc_004024A7: Label1.Caption = "Status: wrong"

loc_004024AE: If var_4C < 0 Then

loc_004024B0: GoTo loc_004024DC

loc_004024B2: End If

loc_004024D3: Label1.Caption = "Status: wrong"

loc_004024DA: If var_4C >= 0 Then GoTo loc_004024EB

loc_004024DC: 'Referenced from: 004024B0

loc_004024E5: var_4C = CheckObj(var_4C, global_00401B9C, 84)

loc_004024EB: End If

loc_004024F4: GoTo loc_00402479

loc_00402573: Exit Sub

loc_00402574: 'Referenced from: 00402481

End Sub

We clean this up a little by working through the variables making sense of it all:

Private Sub Text1_Change() '401F80
Dim Me As Me
Dim var_4C As Variant
loc_00402072: input_text_orig = Text1.Text //Originally HV19
loc_004020A6: input_text = input_text_orig
loc_00402228: first_four_chars = (Mid(input_text, 1, 1) = &H401B20) And (Mid(input_text, 2, 1) = &H401B28) And (Mid(input_text, 3, 1) = &H401B30) And (Mid(input_text, 4, 1) = &H401B38)
loc_00402235: is_bool = CBool(first_four_chars)
loc_00402280: If is_bool Then
loc_004022A2:   input_text_len = Len(input_text)
loc_004022B9:   If (input_text_len = 33) Then
loc_0040230D:     input_text_len_minus_1 = Len(input_text) - 1
loc_0040232D:     For char_counter = 6 To input_text_len_minus_1 Step 1 // From chars 6 to 32 inclusive
loc_00402339: 
loc_0040233B:       If var_1D4 Then
loc_00402375:         var_154 = Asc(CStr(Mid(input_text, CLng(char_counter), 1))) // Give the integer representation of the next character
loc_00402391:         call Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)
loc_00402398:         var_ret_A = CLng(Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))
loc_004023C5:         flag_content = flag_content + Chr(var_ret_A)
loc_00402400:       Next char_counter // increment counter
loc_00402406:       GoTo loc_00402339
loc_0040240B:     End If
loc_00402433:     If (flag_content = "6klzic<=bPBtdvff'yFI Then
loc_00402456:       Label1.Caption = "Status: correct"
loc_00402477:     End If
loc_00402481:     GoTo loc_00402574
loc_00402486:   End If
loc_004024A7:   Label1.Caption = "Status: wrong"
loc_004024AE:   If var_4C < 0 Then
loc_004024B0:     GoTo loc_004024DC
loc_004024B2:   End If
loc_004024D3:   Label1.Caption = "Status: wrong"
loc_004024DA:   If var_4C >= 0 Then GoTo loc_004024EB
loc_004024DC:   'Referenced from: 004024B0
loc_004024E5:   var_4C = CheckObj(var_4C, global_00401B9C, 84)
loc_004024EB: End If
loc_004024F4: GoTo loc_00402479
loc_00402573: Exit Sub
loc_00402574: 'Referenced from: 00402481
End Sub

Private Sub Text1_Change() '401F80

Dim Me As Me

Dim var_4C As Variant

loc_00402072: input_text_orig = Text1.Text //Originally HV19

loc_004020A6: input_text = input_text_orig

loc_00402228: first_four_chars = (Mid(input_text, 1, 1) = &H401B20) And (Mid(input_text, 2, 1) = &H401B28) And (Mid(input_text, 3, 1) = &H401B30) And (Mid(input_text, 4, 1) = &H401B38)

loc_00402235: is_bool = CBool(first_four_chars)

loc_00402280: If is_bool Then

loc_004022A2: input_text_len = Len(input_text)

loc_004022B9: If (input_text_len = 33) Then

loc_0040230D: input_text_len_minus_1 = Len(input_text) - 1

loc_0040232D: For char_counter = 6 To input_text_len_minus_1 Step 1 // From chars 6 to 32 inclusive

loc_00402339:

loc_0040233B: If var_1D4 Then

loc_00402375: var_154 = Asc(CStr(Mid(input_text, CLng(char_counter), 1))) // Give the integer representation of the next character

loc_00402391: call Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, %S_eax_S = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h)

loc_00402398: var_ret_A = CLng(Xor(var_7C, var_15C, char_counter, var_4C, Me, Me, var_ret_A = CLng(%StkVar1), %x1 = Mid(%StkVar2, %StkVar3, %StkVar4), 00000002h))

loc_004023C5: flag_content = flag_content + Chr(var_ret_A)

loc_00402400: Next char_counter // increment counter

loc_00402406: GoTo loc_00402339

loc_0040240B: End If

loc_00402433: If (flag_content = "6klzic<=bPBtdvff'yFI Then

loc_00402456: Label1.Caption = "Status: correct"

loc_00402477: End If

loc_00402481: GoTo loc_00402574

loc_00402486: End If

loc_004024A7: Label1.Caption = "Status: wrong"

loc_004024AE: If var_4C < 0 Then

loc_004024B0: GoTo loc_004024DC

loc_004024B2: End If

loc_004024D3: Label1.Caption = "Status: wrong"

loc_004024DA: If var_4C >= 0 Then GoTo loc_004024EB

loc_004024DC: 'Referenced from: 004024B0

loc_004024E5: var_4C = CheckObj(var_4C, global_00401B9C, 84)

loc_004024EB: End If

loc_004024F4: GoTo loc_00402479

loc_00402573: Exit Sub

loc_00402574: 'Referenced from: 00402481

End Sub

After a while we understand what the code is basically doing.
Our input string is first checked to ensure the first 4 characters equal HV19. If this condition is met, we check that our input string has a length of 33 characters. If this condition is met, we perform a loop from 6 to 32 inclusive. These bounds are interesting as Visual Basic starts indexes at 1 and the first 5 characters of our flag are typically HV19{ and the last character is }. Basically we are looping over the indexes belonging to the flag content. Next, we seem to perform some XOR operation on the ordinal of the character (VB Asc command) and some other unknown value. It took a little time to realise this other value was the current string index (which I named char_counter above). Finally, a check is made with the string 6klzic<=bPBtdvff'yFI~on//N. It is important to note that the string is UTF-16 little endian encoded.

Therefore, we simply have to reverse the operation to get our original flag. In other words, take our comparison string 6klzic<=bPBtdvff'yFI~on//N and XOR it with the corresponding index (6,7,etc).

Psuedocode:

input = Text1.Text
test = ''
if input[1] = 'H' & input = 'V' & input = '1' & input = '9':
if len(input) = 33:
for i = 6 to i = 33 - 1:
xor_res = ord(input[i]) ^ i
test = test + chr(xor_res)
if test == "6klzic<=bPBtdvff'yFI~on//N":
print("Status: correct")
else:
print("Status: wrong")

input = Text1.Text

test = ''

if input[1] = 'H' & input = 'V' & input = '1' & input = '9':

if len(input) = 33:

for i = 6 to i = 33 - 1:

xor_res = ord(input[i]) ^ i

test = test + chr(xor_res)

if test == "6klzic<=bPBtdvff'yFI~on//N":

print("Status: correct")

else:

print("Status: wrong")

We write a little python script to do this for us which provides us with our flag:

# Hackvent 2019 - Day 12
# Mo Beigi (https://mobeigi.com)
# Hex dump of comparison string UTF-16 little endian encoded
# UTF-16: 6klzic<=bPBtdvff'yFI~on//N
comp_string = b'\x36\x00\x6B\x00\x6C\x00\x7A\x00\x69\x00\x63\x00\x3C\x00\x3D\x00\x62\x00\x50\x00\x42\x00\x74\x00\x64\x00\x76\x00\x66\x00\x66\x00\x27\x00\x79\x00\x7F\x00\x46\x00\x49\x00\x7E\x00\x6F\x00\x6E\x00\x2F\x00\x2F\x00\x4E\x00'
flag_content = ''
for index, val in enumerate(comp_string.decode('utf-16')):
xor_val = ord(val) ^ index + 1 + len('HV19{') # VB indices start at 1
flag_content += chr(xor_val)
# Print final flag
flag = 'HV19{' + flag_content + '}'
print(flag)

# Hackvent 2019 - Day 12

# Mo Beigi (https://mobeigi.com)

# Hex dump of comparison string UTF-16 little endian encoded

# UTF-16: 6klzic<=bPBtdvff'yFI~on//N

comp_string = b'\x36\x00\x6B\x00\x6C\x00\x7A\x00\x69\x00\x63\x00\x3C\x00\x3D\x00\x62\x00\x50\x00\x42\x00\x74\x00\x64\x00\x76\x00\x66\x00\x66\x00\x27\x00\x79\x00\x7F\x00\x46\x00\x49\x00\x7E\x00\x6F\x00\x6E\x00\x2F\x00\x2F\x00\x4E\x00'

flag_content = ''

for index, val in enumerate(comp_string.decode('utf-16')):

xor_val = ord(val) ^ index + 1 + len('HV19{') # VB indices start at 1

flag_content += chr(xor_val)

# Print final flag

flag = 'HV19{' + flag_content + '}'

print(flag)

Flag: HV19{0ldsch00l_Revers1ng_Sess10n}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Hidden 3

13 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 6 December 2019

Challenge

HV19.H1 Hidden Three

Not each quote is compl

1	Not each quote is compl

Solution

During the Day 11 challenge HV19.11 Frolicsome Santa Jokes API, we decide to do some novice penetration testing on the server whale.hacking-lab.com.

We attempt many things including a port scan with nmap with default settings:

nmap whale.hacking-lab.com

1	nmap whale.hacking-lab.com

We find some open ports:

PORT     STATE  SERVICE
17/tcp   open   qotd
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
2222/tcp closed EtherNet/IP-1
4444/tcp closed krb524
5555/tcp closed freeciv

PORT STATE SERVICE

17/tcp open qotd

22/tcp open ssh

80/tcp closed http

443/tcp closed https

2222/tcp closed EtherNet/IP-1

4444/tcp closed krb524

5555/tcp closed freeciv

Port 17 seems very interesting as it is an uncommon port. We do some research and discover it belongs to the Quote of the Day protocol.

We try to get the quote of the day using this command:

nc whale.hacking-lab.com 17 < /dev/null

1	nc whale.hacking-lab.com 17 < /dev/null

Unfortunately, this spits out a single character r which did not make much sense. However, recall the clue that Not each quote is compl. Thus we have to wait until a new letter is given to us! As it turns out a new letter which belongs to the final flag is given to us every hour. As a result, we write a little cron job which logs the date and QOTD result every 15 minutes (to be safe) and decide to check back on it later.

Cron job:

0,15,30,45 * * * * (date;nc whale.hacking-lab.com 17 < /dev/null) >> /home/mo/hackvent/h3.txt

1	0,15,30,45 * * * * (date;nc whale.hacking-lab.com 17 < /dev/null) >> /home/mo/hackvent/h3.txt

After waiting a full day and checking back our log file looks like this:

Wed Dec 11 22:45:00 AEDT 2019
r
Wed Dec 11 23:00:00 AEDT 2019
_
Wed Dec 11 23:15:00 AEDT 2019
_Wed Dec 11 23:30:01 AEDT 2019
_
Wed Dec 11 23:45:01 AEDT 2019
_
Thu Dec 12 00:00:01 AEDT 2019
D
Thu Dec 12 00:15:01 AEDT 2019
D
Thu Dec 12 00:30:01 AEDT 2019
D
Thu Dec 12 00:45:02 AEDT 2019
D
Thu Dec 12 01:00:01 AEDT 2019
A
Thu Dec 12 01:15:01 AEDT 2019
A
Thu Dec 12 01:30:01 AEDT 2019
A
Thu Dec 12 01:45:01 AEDT 2019
A
Thu Dec 12 02:00:01 AEDT 2019
I
Thu Dec 12 02:15:01 AEDT 2019
I
Thu Dec 12 02:30:01 AEDT 2019
I
Thu Dec 12 02:45:01 AEDT 2019
I
Thu Dec 12 03:00:01 AEDT 2019
L
Thu Dec 12 03:15:01 AEDT 2019
L
Thu Dec 12 03:30:01 AEDT 2019
L
Thu Dec 12 03:45:01 AEDT 2019
L
Thu Dec 12 04:00:01 AEDT 2019
Y
Thu Dec 12 04:15:01 AEDT 2019
Y
Thu Dec 12 04:30:01 AEDT 2019
Y
Thu Dec 12 04:45:01 AEDT 2019
Y
Thu Dec 12 05:00:02 AEDT 2019
_
Thu Dec 12 05:15:01 AEDT 2019
_
Thu Dec 12 05:30:02 AEDT 2019
_
Thu Dec 12 05:45:01 AEDT 2019
_
Thu Dec 12 06:00:01 AEDT 2019
f
Thu Dec 12 06:15:01 AEDT 2019
f
Thu Dec 12 06:30:01 AEDT 2019
f
Thu Dec 12 06:45:01 AEDT 2019
f
Thu Dec 12 07:00:01 AEDT 2019
l
Thu Dec 12 07:15:01 AEDT 2019
l
Thu Dec 12 07:30:01 AEDT 2019
l
Thu Dec 12 07:45:01 AEDT 2019
l
Thu Dec 12 08:00:01 AEDT 2019
4
Thu Dec 12 08:15:01 AEDT 2019
4
Thu Dec 12 08:30:01 AEDT 2019
4
Thu Dec 12 08:45:01 AEDT 2019
4
Thu Dec 12 09:00:01 AEDT 2019
g
Thu Dec 12 09:15:01 AEDT 2019
g
Thu Dec 12 09:30:01 AEDT 2019
g
Thu Dec 12 09:45:01 AEDT 2019
g
Thu Dec 12 10:00:01 AEDT 2019
}
Thu Dec 12 10:15:01 AEDT 2019
}
Thu Dec 12 10:30:01 AEDT 2019
}
Thu Dec 12 10:45:01 AEDT 2019
}
Thu Dec 12 11:00:01 AEDT 2019
H
Thu Dec 12 11:15:01 AEDT 2019
H
Thu Dec 12 11:30:01 AEDT 2019
H
Thu Dec 12 11:45:01 AEDT 2019
H
Thu Dec 12 12:00:01 AEDT 2019
V
Thu Dec 12 12:15:01 AEDT 2019
V
Thu Dec 12 12:30:01 AEDT 2019
V
Thu Dec 12 12:45:01 AEDT 2019
V
Thu Dec 12 13:00:01 AEDT 2019
1
Thu Dec 12 13:15:01 AEDT 2019
1
Thu Dec 12 13:30:01 AEDT 2019
1
Thu Dec 12 13:45:01 AEDT 2019
1
Thu Dec 12 14:00:01 AEDT 2019
9
Thu Dec 12 14:15:01 AEDT 2019
9
Thu Dec 12 14:30:01 AEDT 2019
9
Thu Dec 12 14:45:01 AEDT 2019
9
Thu Dec 12 15:00:01 AEDT 2019
{
Thu Dec 12 15:15:01 AEDT 2019
{
Thu Dec 12 15:30:01 AEDT 2019
{
Thu Dec 12 15:45:01 AEDT 2019
{
Thu Dec 12 16:00:01 AEDT 2019
a
Thu Dec 12 16:15:01 AEDT 2019
a
Thu Dec 12 16:30:01 AEDT 2019
a
Thu Dec 12 16:45:01 AEDT 2019
a
Thu Dec 12 17:00:01 AEDT 2019
n
Thu Dec 12 17:15:01 AEDT 2019
n
Thu Dec 12 17:30:02 AEDT 2019
n
Thu Dec 12 17:45:01 AEDT 2019
n
Thu Dec 12 18:00:01 AEDT 2019
0
Thu Dec 12 18:15:01 AEDT 2019
0
Thu Dec 12 18:30:01 AEDT 2019
0
Thu Dec 12 18:45:01 AEDT 2019
0
Thu Dec 12 19:00:02 AEDT 2019
t
Thu Dec 12 19:15:01 AEDT 2019
t
Thu Dec 12 19:30:01 AEDT 2019
t
Thu Dec 12 19:45:01 AEDT 2019
t
Thu Dec 12 20:00:01 AEDT 2019
h
Thu Dec 12 20:15:01 AEDT 2019
h
Thu Dec 12 20:30:02 AEDT 2019
h
Thu Dec 12 20:45:01 AEDT 2019
h
Thu Dec 12 21:00:01 AEDT 2019
e
Thu Dec 12 21:15:01 AEDT 2019
e
Thu Dec 12 21:30:01 AEDT 2019
e
Thu Dec 12 21:45:01 AEDT 2019
e
Thu Dec 12 22:00:01 AEDT 2019
r
Thu Dec 12 22:15:01 AEDT 2019
r
Thu Dec 12 22:30:02 AEDT 2019
r

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

Wed Dec 11 22:45:00 AEDT 2019

Wed Dec 11 23:00:00 AEDT 2019

Wed Dec 11 23:15:00 AEDT 2019

_Wed Dec 11 23:30:01 AEDT 2019

Wed Dec 11 23:45:01 AEDT 2019

Thu Dec 12 00:00:01 AEDT 2019

Thu Dec 12 00:15:01 AEDT 2019

Thu Dec 12 00:30:01 AEDT 2019

Thu Dec 12 00:45:02 AEDT 2019

Thu Dec 12 01:00:01 AEDT 2019

Thu Dec 12 01:15:01 AEDT 2019

Thu Dec 12 01:30:01 AEDT 2019

Thu Dec 12 01:45:01 AEDT 2019

Thu Dec 12 02:00:01 AEDT 2019

Thu Dec 12 02:15:01 AEDT 2019

Thu Dec 12 02:30:01 AEDT 2019

Thu Dec 12 02:45:01 AEDT 2019

Thu Dec 12 03:00:01 AEDT 2019

Thu Dec 12 03:15:01 AEDT 2019

Thu Dec 12 03:30:01 AEDT 2019

Thu Dec 12 03:45:01 AEDT 2019

Thu Dec 12 04:00:01 AEDT 2019

Thu Dec 12 04:15:01 AEDT 2019

Thu Dec 12 04:30:01 AEDT 2019

Thu Dec 12 04:45:01 AEDT 2019

Thu Dec 12 05:00:02 AEDT 2019

Thu Dec 12 05:15:01 AEDT 2019

Thu Dec 12 05:30:02 AEDT 2019

Thu Dec 12 05:45:01 AEDT 2019

Thu Dec 12 06:00:01 AEDT 2019

Thu Dec 12 06:15:01 AEDT 2019

Thu Dec 12 06:30:01 AEDT 2019

Thu Dec 12 06:45:01 AEDT 2019

Thu Dec 12 07:00:01 AEDT 2019

Thu Dec 12 07:15:01 AEDT 2019

Thu Dec 12 07:30:01 AEDT 2019

Thu Dec 12 07:45:01 AEDT 2019

Thu Dec 12 08:00:01 AEDT 2019

Thu Dec 12 08:15:01 AEDT 2019

Thu Dec 12 08:30:01 AEDT 2019

Thu Dec 12 08:45:01 AEDT 2019

Thu Dec 12 09:00:01 AEDT 2019

Thu Dec 12 09:15:01 AEDT 2019

Thu Dec 12 09:30:01 AEDT 2019

Thu Dec 12 09:45:01 AEDT 2019

Thu Dec 12 10:00:01 AEDT 2019

}

Thu Dec 12 10:15:01 AEDT 2019

}

Thu Dec 12 10:30:01 AEDT 2019

}

Thu Dec 12 10:45:01 AEDT 2019

}

Thu Dec 12 11:00:01 AEDT 2019

Thu Dec 12 11:15:01 AEDT 2019

Thu Dec 12 11:30:01 AEDT 2019

Thu Dec 12 11:45:01 AEDT 2019

Thu Dec 12 12:00:01 AEDT 2019

Thu Dec 12 12:15:01 AEDT 2019

Thu Dec 12 12:30:01 AEDT 2019

Thu Dec 12 12:45:01 AEDT 2019

Thu Dec 12 13:00:01 AEDT 2019

Thu Dec 12 13:15:01 AEDT 2019

Thu Dec 12 13:30:01 AEDT 2019

Thu Dec 12 13:45:01 AEDT 2019

Thu Dec 12 14:00:01 AEDT 2019

Thu Dec 12 14:15:01 AEDT 2019

Thu Dec 12 14:30:01 AEDT 2019

Thu Dec 12 14:45:01 AEDT 2019

Thu Dec 12 15:00:01 AEDT 2019

{

Thu Dec 12 15:15:01 AEDT 2019

{

Thu Dec 12 15:30:01 AEDT 2019

{

Thu Dec 12 15:45:01 AEDT 2019

{

Thu Dec 12 16:00:01 AEDT 2019

Thu Dec 12 16:15:01 AEDT 2019

Thu Dec 12 16:30:01 AEDT 2019

Thu Dec 12 16:45:01 AEDT 2019

Thu Dec 12 17:00:01 AEDT 2019

Thu Dec 12 17:15:01 AEDT 2019

Thu Dec 12 17:30:02 AEDT 2019

Thu Dec 12 17:45:01 AEDT 2019

Thu Dec 12 18:00:01 AEDT 2019

Thu Dec 12 18:15:01 AEDT 2019

Thu Dec 12 18:30:01 AEDT 2019

Thu Dec 12 18:45:01 AEDT 2019

Thu Dec 12 19:00:02 AEDT 2019

Thu Dec 12 19:15:01 AEDT 2019

Thu Dec 12 19:30:01 AEDT 2019

Thu Dec 12 19:45:01 AEDT 2019

Thu Dec 12 20:00:01 AEDT 2019

Thu Dec 12 20:15:01 AEDT 2019

Thu Dec 12 20:30:02 AEDT 2019

Thu Dec 12 20:45:01 AEDT 2019

Thu Dec 12 21:00:01 AEDT 2019

Thu Dec 12 21:15:01 AEDT 2019

Thu Dec 12 21:30:01 AEDT 2019

Thu Dec 12 21:45:01 AEDT 2019

Thu Dec 12 22:00:01 AEDT 2019

Thu Dec 12 22:15:01 AEDT 2019

Thu Dec 12 22:30:02 AEDT 2019

Putting all this together gives us our flag!

Flag: HV19{an0ther_DAILY_fl4g}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 11

11 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 11 December 2019

Challenge

HV19.11 Frolicsome Santa Jokes API

Introduction
The elves created an API where you get random jokes about santa.
Resources
Go and try it here: http://whale.hacking-lab.com:10101

Introduction

The elves created an API where you get random jokes about santa.

Resources

Go and try it here: http://whale.hacking-lab.com:10101

Html file mirror: FSJA API Description

Solution

We have the spec for the FSJA API that the elves have made. We use Postman to play around with the API to get a feel for how it works.

Following the instructions, we are able to register a new user and authenticate to get a token.
We use the following payload for our user data:

{
"username": "mobeigi_test_1",
"password": "ABCDEFG123"
}

{

"username": "mobeigi_test_1",

"password": "ABCDEFG123"

}

Upon logging in with the /fsja/login endpoint we get a token which looks like this:

{
"message": "Token generated",
"code": 201,
"token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoibW9iZWlnaV90ZXN0XzEiLCJwbGF0aW51bSI6ZmFsc2V9LCJleHAiOjE1NzYwNTk5MzQuNzgwMDAwMDAwfQ.pbVVcSUmcBEgsV1vYcUs4tVwchH5GP8SaHulTIczpac"
}

{

"message": "Token generated",

"code": 201,

"token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjp7InVzZXJuYW1lIjoibW9iZWlnaV90ZXN0XzEiLCJwbGF0aW51bSI6ZmFsc2V9LCJleHAiOjE1NzYwNTk5MzQuNzgwMDAwMDAwfQ.pbVVcSUmcBEgsV1vYcUs4tVwchH5GP8SaHulTIczpac"

}

The token looks like base64 encoded data. In fact, it happens to be a JWT token.

We finally use the /fsja/random endpoint to get a joke:

{
"joke": "People really act weird at Christmas time! What other time of year do you sit in front of a dead tree in the living room and eat nuts and sweets out of your socks?",
"author": "Author Unknown",
"platinum": false
}

{

"joke": "People really act weird at Christmas time! What other time of year do you sit in front of a dead tree in the living room and eat nuts and sweets out of your socks?",

"author": "Author Unknown",

"platinum": false

}

The platinum field stands out to me the most.
As a random hunch, I decide to register a user and provide the platinum field value in the payload myself like so:

{
"username": "mobeigi_test_2",
"password": "ABCDEFG123",
"platinum": true
}

{

"username": "mobeigi_test_2",

"password": "ABCDEFG123",

"platinum": true

}

I generate another joke and the API kindly provides us with our flag:

{
"joke": "Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}",
"author": "Santa",
"platinum": true
}

{

"joke": "Congratulation! Sometimes bugs are rather stupid. But that's how it happens, sometimes. Doing all the crypto stuff right and forgetting the trivial stuff like input validation, Hohoho! Here's your flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}",

"author": "Santa",

"platinum": true

}

Flag: HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}

Bonus

This challenge also contained the solution to HV19.H2 Hidden Three

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 10

11 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 11 December 2019

Challenge

HV19.10 Guess what

Introduction
The flag is right, of course

1 2	Introduction The flag is right, of course

Resources: HV19.10-guess3.zip

Solution

We are provided with an ELF binary so the first thing we do is run in in a Linux virtual machine.

The binary prompts us for some input and then tells us we have failed!

Example with input of test:

mo@ubuntu:~/Hackvent$ ./guess3 
Your input: test
nooooh. try harder!

mo@ubuntu:~/Hackvent$ ./guess3

Your input: test

nooooh. try harder!

We look at the strings in the binary for some clues:

mo@ubuntu:~/Hackvent$ strings ./guess3 
/lib64/ld-linux-x86-64.so.2
&J5g
libc.so.6
exit
sprintf
__isoc99_sscanf
time
__stack_chk_fail
getpid
strdup
calloc
strlen
memset
__errno_location
memcmp
putenv
memcpy
malloc
getenv
stderr
execvp
fwrite
fprintf
__cxa_finalize
atoll
strerror
__libc_start_main
__environ
__xstat
GLIBC_2.7
GLIBC_2.14
GLIBC_2.4
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
ATSH
[A\]
AWAVI
AUATL
[]A\A]A^A_
x%lx
=%lu %d
%lu %d%c
E: neither argv[0] nor $_ works.
<null>
%s%s%s: %s
;*3$"
1DB/
WF9s
@?H,
4'M0
\@J5
o-72z
GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

mo@ubuntu:~/Hackvent$ strings ./guess3

/lib64/ld-linux-x86-64.so.2

&J5g

libc.so.6

exit

sprintf

__isoc99_sscanf

time

__stack_chk_fail

getpid

strdup

calloc

strlen

memset

__errno_location

memcmp

putenv

memcpy

malloc

getenv

stderr

execvp

fwrite

fprintf

__cxa_finalize

atoll

strerror

__libc_start_main

__environ

__xstat

GLIBC_2.7

GLIBC_2.14

GLIBC_2.4

GLIBC_2.2.5

_ITM_deregisterTMCloneTable

__gmon_start__

_ITM_registerTMCloneTable

ATSH

[A\]

AWAVI

AUATL

[]A\A]A^A_

x%lx

=%lu %d

%lu %d%c

E: neither argv[0] nor $_ works.

<null>

%s%s%s: %s

;*3$"

1DB/

WF9s

@?H,

4'M0

\@J5

o-72z

GCC: (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0

.shstrtab

.interp

.note.ABI-tag

.note.gnu.build-id

.gnu.hash

.dynsym

.dynstr

.gnu.version

.gnu.version_r

.rela.dyn

.rela.plt

.init

.plt.got

.text

.fini

.rodata

.eh_frame_hdr

.eh_frame

.init_array

.fini_array

.dynamic

.data

.bss

.comment

We observe how the string Your input and nooooh. try harder! don’t appear as strings.

It is reasonable to assume obfuscation is used at this point to conceal some strings.
We decide to load up the program in one shell and, while its open waiting for input, check the process status output in another shell:

mo@ubuntu:~/Desktop$ ps -eaf | grep guess
mo         2500   2297  0 20:11 pts/0    00:00:00 ./guess3 -c                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 #!/bin/bash  read -p "Your input: " input  if [ $input = "HV19{Sh3ll_0bfuscat10n_1s_fut1l3}" ]  then   echo "success" else    echo "nooooh. try harder!" fi   ./guess3
mo         2502   2263  0 20:11 pts/2    00:00:00 grep --color=auto guess

mo@ubuntu:~/Desktop$ ps -eaf | grep guess

mo 2500 2297 0 20:11 pts/0 00:00:00 ./guess3 -c #!/bin/bash read -p "Your input: " input if [ $input = "HV19{Sh3ll_0bfuscat10n_1s_fut1l3}" ] then echo "success" else echo "nooooh. try harder!" fi ./guess3

mo 2502 2263 0 20:11 pts/2 00:00:00 grep --color=auto guess

The original binary essentially delegates to calling execve on /bin/bash with the above command but we abuse the fact that it is all in memory to easily fetch our flag!

Flag: HV19{Sh3ll_0bfuscat10n_1s_fut1l3}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 9

09 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 9 December 2019

Challenge

HV19.09 Santas Quick Response 3.0

Introduction

Visiting the following railway station has left lasting memories.

Santas brand new gifts distribution system is heavily inspired by it. Here is your personal gift, can you extract the destination path of it?

Solution

We know that the QR code system is inspired by the first image so we do a reverse image lookup to try and find out more information about it. We find many articles such as this one discussing a pattern called Rule 30.

After some light research, we discover that rule 30 can be used to generate a pattern downwards starting from a single black pixel (or 1). The algorithm is:

s = s[i-1] XOR (s[i] OR s[i+1])

1	s = s[i-1] XOR (s[i] OR s[i+1])

This video does a better job explaining it than I ever could:

Next, we notice that our invalid QR code has two QR alignment patterns in the correct positions (top left and top right corners) but is missing one in the bottom left corner. That, combined with the fact that the Rule 30 algorithm generates a tree like pattern is a very strong indication that we should overlap the rule 30 pattern over the QR code and use it as mask from the middle of the first row (so that the current QR alignment patterns are left intact).

This was our approach. For illustration purposes, this is the area that would be left intact:

We attempt common boolean operators such as and, or and xor and check to see if the bottom left QR alignment pattern suddenly appears. Unfortunately, it initial does not appear. After some head scratching we later find out that xor is the right boolean operation and we have to shift the rule30 pattern by 1 to the right.

This is what the final Rule 30 mask looked like:

Note that the mask is not perfect as it eventually overlaps with itself but is was large enough to fully cover our 33×33 QR code.

Finally, here is our python script:

# Hackvent 2019 - Day 9
# Mo Beigi (https://mobeigi.com)
import PIL
from PIL import Image
bitmap = [
[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1],
[1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
[0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0],
[0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1],
[1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],
[0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0],
[0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1],
[0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0],
[0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1],
[0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1],
[0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0],
[1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1],
[1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1],
[0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0],
[1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0],
[1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0],
[1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1],
[1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1],
[1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0],
[0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0],
[0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0],
[1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1],
[0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1],
[0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0],
[0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]
]
# QR
qr_modules = 33
# Rule 30 parameters
rule30_arr = [[0 for x in range(50)] for y in range(50)] # 50x50 grid for pattern, has to be significantly larger than our QR code so it overlaps it
rule30_arr[0][16] = 1 # initial black pixel to start pattern
START_INDEX = 16 # guess, middle of first row
offset = 0 # to expand horizontally after progressing to next row
for i in range(len(bitmap)):
for j in range(max(START_INDEX-offset, -50), min(START_INDEX+offset+1, 50)):
rule30_arr[i+1][j] = rule30_arr[i][j-1] ^ (rule30_arr[i][j] | rule30_arr[i][j+1]) # s = s[i-1] XOR (s[i] OR s[i+1])
# Constrain bounds of QR code to [0, qr_modules]
if j >= 0 and j <= qr_modules - 1:
# XOR with current QR data in bitmap
# Pattern has to be shifted to the right by 1
bitmap[i][j] ^= rule30_arr[i+1][j-1]
# Increase offset for next row
offset += 1
# Generate QR code
im = Image.new('RGB', (qr_modules, qr_modules))
data = []
for row in bitmap:
for bit in row:
if bit == 0:
data.append((255,255,255))
elif bit == 1:
data.append((0,0,0))
im.putdata(data)
im.save('qr.png')

# Hackvent 2019 - Day 9

# Mo Beigi (https://mobeigi.com)

import PIL

from PIL import Image

bitmap = [

[1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1],

[1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1],

[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1],

[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1],

[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 1],

[1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1],

[1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],

[0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],

[0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0],

[0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1],

[1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],

[0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0],

[0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 1],

[0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0],

[0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1],

[0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1],

[0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0],

[1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1],

[1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1],

[1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1],

[0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0],

[1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0],

[1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0],

[1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1],

[1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 1],

[1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0],

[0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0],

[0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0],

[1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1],

[0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1],

[0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1],

[1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0],

[0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]

]

# QR

qr_modules = 33

# Rule 30 parameters

rule30_arr = [[0 for x in range(50)] for y in range(50)] # 50x50 grid for pattern, has to be significantly larger than our QR code so it overlaps it

rule30_arr[0][16] = 1 # initial black pixel to start pattern

START_INDEX = 16 # guess, middle of first row

offset = 0 # to expand horizontally after progressing to next row

for i in range(len(bitmap)):

for j in range(max(START_INDEX-offset, -50), min(START_INDEX+offset+1, 50)):

rule30_arr[i+1][j] = rule30_arr[i][j-1] ^ (rule30_arr[i][j] | rule30_arr[i][j+1]) # s = s[i-1] XOR (s[i] OR s[i+1])

# Constrain bounds of QR code to [0, qr_modules]

if j >= 0 and j <= qr_modules - 1:

# XOR with current QR data in bitmap

# Pattern has to be shifted to the right by 1

bitmap[i][j] ^= rule30_arr[i+1][j-1]

# Increase offset for next row

offset += 1

# Generate QR code

im = Image.new('RGB', (qr_modules, qr_modules))

data = []

for row in bitmap:

for bit in row:

if bit == 0:

data.append((255,255,255))

elif bit == 1:

data.append((0,0,0))

im.putdata(data)

im.save('qr.png')

Running our Python script gave us the following QR code which scans to give us our flag!

Flag: HV19{Cha0tic_yet-0rdered}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 8

08 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 8 December 2019

Challenge

HV19.08 SmileNcryptor 4.0

Introduction
You hacked into the system of very-secure-shopping.com and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don't worry, because the data is encrypted.
Dump-File: dump.zip
Goal
Analyze the "Encryption"-method and try to decrypt the flag.

Introduction

You hacked into the system of very-secure-shopping.com and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don't worry, because the data is encrypted.

Dump-File: dump.zip

Goal

Analyze the "Encryption"-method and try to decrypt the flag.

Dump-File: dump.zip

Solution

We download the zip file and extract the dump.sql file within.
It contains the database schema for some credit cards as well as our flag.

First we look at the flag insert statement:

INSERT INTO `flags` VALUES (1,'HV19{',':)SlQRUPXWVo\Vuv_n_\ajjce','}');

1	INSERT INTO `flags` VALUES (1,'HV19{',':)SlQRUPXWVo\Vuv_n_\ajjce','}');

The prefix and postfix of the flag is stored explicitly in different fields. We then see our first smile ciphertext which looks like this: :)SlQRUPXWVo\Vuv_n_\ajjce
We don’t know the plaintext that generated this ciphertext so there isn’t much information we can extract from this. We note that it appears as if all smiley ciphertexts begin with an ASCII smiley face :)

Next we look at the credit card insert statements:

INSERT INTO `creditcards` VALUES 
(1,'Sirius Black',':)QVXSZUVY\ZYYZ[a','12/2020'),
(2,'Hermione Granger',':)QOUW[VT^VY]bZ_','04/2021'),
(3,'Draco Malfoy',':)SPPVSSYVV\YY_\\]','05/2020'),
(4,'Severus Snape',':)RPQRSTUVWXYZ[\]^','10/2020'),
(5,'Ron Weasley',':)QTVWRSVUXW[_Z`\b','11/2020');

INSERT INTO `creditcards` VALUES

(1,'Sirius Black',':)QVXSZUVY\ZYYZ[a','12/2020'),

(2,'Hermione Granger',':)QOUW[VT^VY]bZ_','04/2021'),

(3,'Draco Malfoy',':)SPPVSSYVV\YY_\\]','05/2020'),

(4,'Severus Snape',':)RPQRSTUVWXYZ[\]^','10/2020'),

(5,'Ron Weasley',':)QTVWRSVUXW[_Z`\b','11/2020');

Again we see some smile ciphertext which is in the cc_number field which indicates that the plaintext for these ciphertexts should be valid credit card numbers (why would invalid numbers be stored on a shopping website).

At this point we do some research on credit card number formats and standards. See Payment card number on Wikipedia.
In particular, we wanted to know how long various credit card numbers can be, if they have any hard coded values and how to check if a credit card number is valid.

We find out the following:

American Express has 15 digits and starts with 3
Diners Club has 14-19 digits and starts with 3
Mastercard has 16 digits and starts with 5
Visa has 16 digits and starts with 4
JCB has 16-19 chars and starts with 3528–3589

American Express has 15 digits and starts with 3

Diners Club has 14-19 digits and starts with 3

Mastercard has 16 digits and starts with 5

Visa has 16 digits and starts with 4

JCB has 16-19 chars and starts with 3528–3589

When inspecting the lengths of our credit card numbers with the smiley face :) removed, we observe the following lengths:

A) 15: QVXSZUVY\ZYYZ[a
B) 14: QOUW[VT^VY]bZ_
C) 16: SPPVSSYVV\YY_\\]
D) 16: RPQRSTUVWXYZ[\]^
E) 16: QTVWRSVUXW[_Z`\b

A) 15: QVXSZUVY\ZYYZ[a

B) 14: QOUW[VT^VY]bZ_

C) 16: SPPVSSYVV\YY_\\]

D) 16: RPQRSTUVWXYZ[\]^

E) 16: QTVWRSVUXW[_Z`\b

Naturally, as these lengths match the required lengths of credit card numbers produced by various vendors, we can assume that a 1 to 1 mapping exists between the ciphertext and plaintext. This is a good indicator that an ASCII rotation/shift cipher should be used. We match each credit card vendor to the ciphertext based on its length. Ciphertext A is matched to American Express and B to Diners Club. For the 16 digit ciphertexts, we don’t know exactly which vendor to use. However, as ciphertext E begins with Q (just like A and B) which means that logically Q maps to the digit 3. We take a guess here and assume that the other two 16 digit ciphertexts belong to Mastercard and Visa respectively. As R comes after Q in the alphabet we guess that R maps to the digit 4 and S maps to the digit 5.

From this we guess we need to do an ASCII rotation which shifts Q (ASCII 81) to equal 3 (ASCII 51) which is a shift of -30 dec.
We write a script to perform this ASCII rotation decipher on our ciphertexts, throwing the final result in a credit card checksum validator function but the results are not valid credit card numbers.

Finally, we notice that our ciphertexts creep up the ASCII range as we move through the string character by character even though the number space for the credit cards is always 0-9 (digits). This implies the ASCII rotation is offset after each character is encoded or decoded. Ciphertext E (JCB) helped us the most here as we know it has to start with the digits 35. Based on our initial mapping, this suggested the offset simply grew by 1 each character.
After adding this offset to our script, our computed plain texts validate as valid credit card numbers!

Python script:

# Hackvent Day 8
# Mo Beigi (https://mobeigi.com)
INITIAL_ASCII_ROTATE_OFFSET = 30 # Initial offset
def smile_decode(ciphertext):
plaintext = ''
incremental_offset = 0
for c in ciphertext:
shifted_val = ord(c) - INITIAL_ASCII_ROTATE_OFFSET - incremental_offset
plaintext += chr(shifted_val)
incremental_offset += 1
return plaintext
# Source: https://dev.to/anuragrana/python-script-validating-credit-card-number-luhn-s-algorithm-2f7c
def sum_digits(digit):
if digit < 10:
return digit
else:
sum = (digit % 10) + (digit // 10)
return sum
def validate(cc_num):
# reverse the credit card number
cc_num = cc_num[::-1]
# convert to integer list
cc_num = [int(x) for x in cc_num]
# double every second digit
doubled_second_digit_list = list()
digits = list(enumerate(cc_num, start=1))
for index, digit in digits:
if index % 2 == 0:
doubled_second_digit_list.append(digit * 2)
else:
doubled_second_digit_list.append(digit)
# add the digits if any number is more than 9
doubled_second_digit_list = [sum_digits(x) for x in doubled_second_digit_list]
# sum all digits
sum_of_digits = sum(doubled_second_digit_list)
# return True or False
return sum_of_digits % 10 == 0
# Remember to escape backslashes for python here!
credit_cards = [
{"name": "A) American Express", "ciphertext": 'QVXSZUVY\ZYYZ[a'},
{"name": "B) Diners Club", "ciphertext": 'QOUW[VT^VY]bZ_'},
{"name": "C) Mastercard", "ciphertext": 'SPPVSSYVV\YY_\\\\]'},
{"name": "D) VISA", "ciphertext": 'RPQRSTUVWXYZ[\\]^'},
{"name": "E) JCB", "ciphertext": 'QTVWRSVUXW[_Z`\\b'},
]
# Credit Card numbers
for cc in credit_cards:
cc_num = smile_decode(cc['ciphertext'])
assert(validate(cc_num))
print(f"{cc['name']} with ciphertext {cc['ciphertext']} was decoded to: {cc_num}")
# Final flag
print("\nFinal flag is: HV19{" + smile_decode('SlQRUPXWVo\\Vuv_n_\\ajjce') + "}")

# Hackvent Day 8

# Mo Beigi (https://mobeigi.com)

INITIAL_ASCII_ROTATE_OFFSET = 30 # Initial offset

def smile_decode(ciphertext):

plaintext = ''

incremental_offset = 0

for c in ciphertext:

shifted_val = ord(c) - INITIAL_ASCII_ROTATE_OFFSET - incremental_offset

plaintext += chr(shifted_val)

incremental_offset += 1

return plaintext

# Source: https://dev.to/anuragrana/python-script-validating-credit-card-number-luhn-s-algorithm-2f7c

def sum_digits(digit):

if digit < 10:

return digit

else:

sum = (digit % 10) + (digit // 10)

return sum

def validate(cc_num):

# reverse the credit card number

cc_num = cc_num[::-1]

# convert to integer list

cc_num = [int(x) for x in cc_num]

# double every second digit

doubled_second_digit_list = list()

digits = list(enumerate(cc_num, start=1))

for index, digit in digits:

if index % 2 == 0:

doubled_second_digit_list.append(digit * 2)

else:

doubled_second_digit_list.append(digit)

# add the digits if any number is more than 9

doubled_second_digit_list = [sum_digits(x) for x in doubled_second_digit_list]

# sum all digits

sum_of_digits = sum(doubled_second_digit_list)

# return True or False

return sum_of_digits % 10 == 0

# Remember to escape backslashes for python here!

credit_cards = [

{"name": "A) American Express", "ciphertext": 'QVXSZUVY\ZYYZ[a'},

{"name": "B) Diners Club", "ciphertext": 'QOUW[VT^VY]bZ_'},

{"name": "C) Mastercard", "ciphertext": 'SPPVSSYVV\YY_\\\\]'},

{"name": "D) VISA", "ciphertext": 'RPQRSTUVWXYZ[\\]^'},

{"name": "E) JCB", "ciphertext": 'QTVWRSVUXW[_Z`\\b'},

]

# Credit Card numbers

for cc in credit_cards:

cc_num = smile_decode(cc['ciphertext'])

assert(validate(cc_num))

print(f"{cc['name']} with ciphertext {cc['ciphertext']} was decoded to: {cc_num}")

# Final flag

print("\nFinal flag is: HV19{" + smile_decode('SlQRUPXWVo\\Vuv_n_\\ajjce') + "}")

Output:

C:\Users\Mo\Desktop>py -3 ./day8.py
A) American Express with ciphertext QVXSZUVY\ZYYZ[a was decoded to: 378282246310005
B) Diners Club with ciphertext QOUW[VT^VY]bZ_ was decoded to: 30569309025904
C) Mastercard with ciphertext SPPVSSYVV\YY_\\] was decoded to: 5105105105105100
D) VISA with ciphertext RPQRSTUVWXYZ[\]^ was decoded to: 4111111111111111
E) JCB with ciphertext QTVWRSVUXW[_Z`\b was decoded to: 3566002020360505
Final flag is: HV19{5M113-420H4-KK3A1-19801}

C:\Users\Mo\Desktop>py -3 ./day8.py

A) American Express with ciphertext QVXSZUVY\ZYYZ[a was decoded to: 378282246310005

B) Diners Club with ciphertext QOUW[VT^VY]bZ_ was decoded to: 30569309025904

C) Mastercard with ciphertext SPPVSSYVV\YY_\\] was decoded to: 5105105105105100

D) VISA with ciphertext RPQRSTUVWXYZ[\]^ was decoded to: 4111111111111111

E) JCB with ciphertext QTVWRSVUXW[_Z`\b was decoded to: 3566002020360505

Final flag is: HV19{5M113-420H4-KK3A1-19801}

Flag: HV19{5M113-420H4-KK3A1-19801}

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Hidden 2

08 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 7 December 2019

Challenge

HV19.H2 Hidden Two

Again a hidden flag.

1	Again a hidden flag.

For easy download, get it here: HV19-SantaRider.zip

Solution

During the Day 7 challenge HV19.07 Santa Rider, we notice there is a ZIP file available to download.
This ZIP file has the typical guid file name and contains one file called 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4.
The inner MP4 file has the same hash as the one shown on the webpage so it is of no particular interest.

We attempt to decode the file name string using base64:

5+c{
W*Yo

5+c{

W*Yo

It looks like it may be partially decoding correctly so we instead try to base58 decode this and finally this gives us our flag!

Flag: HV19{Dont_confuse_0_and_O}

Note: It is painful to note that base32, base64, base85, base91 decoding was attempting on this file name was attempted within the first 15 minutes of the challenge but unfortunately base58 was not attempted until much, much later. In the mean time we attempted many other things such as switching the Day 7 binary to match wire configuration in backdrop and inspecting the videos audio stream. Rough one!

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Hackvent 2019: Day 7

08 Dec 2019

CTF: Hackvent 2019
Link to challenge: https://academy.hacking-lab.com

Date Completed: 7 December 2019

Challenge

HV19.07 Santa Rider

Santa is prototyping a new gadget for his sledge. Unfortunately it still has some glitches, but look for yourself.

1	Santa is prototyping a new gadget for his sledge. Unfortunately it still has some glitches, but look for yourself.

Resources:

For easy download, get it here: HV19-SantaRider.zip

Solution

We watch the provided video and notice that about half way through the LEDs light up in an interesting order. There are 8 total LEDs and multiple LEDs light up at once so we think that this may be hidden binary messages that decode to ASCII. As the video moves very fast its necessary to inspect each frame individually. We can do this by extracting each frame using a tool like FFmpeg but in this case it was faster to simply use a video editor like MPC-HC which allows you to navigate the video frame by frame.

It is very cool to note that because the video is stationary and position of LEDs do not move, one could use a computer vision library like OpenCV to extract the hidden binary.

We get the following binary:

01001000

01010110

00110001

00111001

01111011

00110001

01101101

01011111

01100001

01101100

01110011

00110000

01011111

01110111

00110000

01110010

01101011

00110001

01101110

01100111

01011111

00110000

01101110

01011111

01100001

01011111

01110010

00110011

01101101

00110000

01110100

00110011

01011111

01100011

00110000

01101110

01110100

01110010

00110000

01101100

01111101

We convert this binary to ASCII and get our final flag!

Flag: HV19{1m_als0_w0rk1ng_0n_a_r3m0t3_c0ntr0l}

Bonus

This challenge also contained the solution to HV19.H2 Hidden Two

No Comments

Posted Mo BeigiPersianMG in Hackvent 2019

Archive for the ‘Hacking Lab’ Category

Challenge

HV19.14 Achtung das Flag

Solution

Bonus

Challenge

HV19.13 TrieMe

Solution

Challenge

HV19.12 back to basic

Solution

Challenge

HV19.H1 Hidden Three

Solution

Challenge

HV19.11 Frolicsome Santa Jokes API

Solution

Bonus

Challenge

HV19.10 Guess what

Solution

Challenge

HV19.09 Santas Quick Response 3.0

Solution

Challenge

HV19.08 SmileNcryptor 4.0

Solution

Challenge

HV19.H2 Hidden Two

Solution

Challenge

HV19.07 Santa Rider

Solution

Bonus

Pages

Recent Posts

Recent Comments

My Networks

Site Stats