Sexy Pandalog

Osu, Tatakae, Sexy Pandas blog

 

August 16, 2009

CTF Fever

Filed under: CTF, prequals — at 20:56

Heyya mates,

we’ve been really busy trying to take a look at the different wargames that have been running during this weekend. We had one not so far away, the Hacking At Random CTF. HAR was taking place in the Netherlands but these guys let teams join remotely, nice huh? There was also another wargame, the ISEC2009 CTF prequals organized by our friends from Wowhacker, where two standalone pandas had a lot of fun ;D Congratulations to all the qualified teams that will play the final round next month in Seoul, South Korea. But there’s more! If you missed those two wargames or you still want more, our friend Julianno warned us that the ekoparty pre-conference CTF starts tomorrow!!!

It’s been a crazy and funny weekend. Enjoy the ekoparty CTF and see you in upcoming competitions :D

 

June 8, 2009

Defcon CTF prequals’09

Filed under: CTF, Defcon, prequals — at 14:47

For us it was impossible to imagine two years ago, when the “Sexy Pandas” concept was born, that this group of friends would become… well, whatever we are now xD Anyways, these two years have been amazing and we think it’s time to say thanks to you, all anonymous friends, that have been supporting us in so many different ways. Thanks!

And about this year’s prequals, we played hard in a competition controlled almost from start to end by Sk3wl and VodaGodz, but we did good work during the last hours and scored a nice amount of points that allowed us to tie them. At the last moment (that sounds familiar…) Sk3wl solved pwn400 and got first place. We were almost done with that same exploit but time was over, and we still have to train those last-minute-pwnage skills a bit.

As for the rest of the qualified teams (you can see the full list in the Defcon forums), all are well known and highly skilled friends so this year we are expecting one of the hardest CTF competitions ever.

That’s all folks, see some of you in Vegas and be ready for some awesomeness!

PS: Yes, we know there are some pending posts but, tempus fugit

Update: complete results at ddtek.biz

 

March 10, 2009

Soju, CodeGate and woobi woobi

Filed under: CTF, conferences, prequals — at 12:35

Ok, maybe you have no idea what we are talking about, but the qualification/preliminary round for the CodeGate Hacking Festival took place this weekend. Of course we at Sexy Pandas couldn’t miss an event like this one, so we had the pleasure of participating and of seeing the high level of the competition.

The contest was built over 21 crazy problems that included stego, crypto, web hacking and exploiting… having only (cough) 50 hours to solve them. As already happened in other contests, we had a good start, being in 1st position for quite a long time, but the last 15 hours were a pain in the ass. We stayed stuck on some problems while the rest of the teams were solving them with extreme speed and precision. Fortunately for us, the bell saved us and as you can see in the Final Rank, we finished in 6th place.

Despite our last 15 minutes of fame hours of hell, we can only thank the Beistlab staff for creating a wonderful game, and congratulate the rest of the teams, you guys are awesome! We hope to see you all in the final round ;D

Note: For those who asked why we resigned taking the 550 points from problem #21, here is the reason: we play for the challenge, the fun and making friends. Of course we like to win, but taking advantage of such a situation means avoiding the challenge, which in turn takes away the fun and maybe the friends.

Update: A really nice writeup coming from the CGLT team at vnsecurity.net

an nyeong hi gye se yo!! See you in Seoul next month!

 

June 9, 2008

Reversing 500 writeup!

Filed under: Blogroll, CTF, prequals, writeups — at 22:39
1.- Introduction.
At quals we hardly had time to analyse rev500. However, what we saw was very
appealing: interesting code obfuscation, use of fpu and random numbers, and the
string "./MathIsHard" suggested that the algorithm could be interesting. So we
decided to give it another try with more time.

A brief initial analysis doesn't bring a lot of information: the binary is a 32
bit ELF for FreeBSD that listens for connections on port 2600. When we connect
to it we receive 5 dwords containing integers, all of them below 1000.

$ readelf -a ./rev
ELF Header:
...
  Class:        ELF32
  OS/ABI:       UNIX - FreeBSD
  ABI Version:  0
  Type:         EXEC (Executable file)
  Machine:      Intel 80386
...
Relocation section '.rel.plt' at offset 0x808 contains 43 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804e0d4  00000507 R_386_JUMP_SLOT   00000000   random
0804e0d8  00000607 R_386_JUMP_SLOT   00000000   recv
0804e0f4  00000e07 R_386_JUMP_SLOT   00000000   socket
0804e0f8  00000f07 R_386_JUMP_SLOT   00000000   send
0804e0fc  00001107 R_386_JUMP_SLOT   00000000   accept
0804e108  00001507 R_386_JUMP_SLOT   00000000   bind
...


 

Reversing500

Filed under: CTF, Defcon, prequals — at 12:42

Pandas With Gambas reversing monkeys are glad to introduce…
Reversing 500 CTF Prequals solution!

#!/usr/bin/env python3
# Rev 500 client: read five frequencies from the service and answer with a
# WAV file made of five consecutive sine tones at those frequencies.
import math
import socket
import struct

def makeSin(freq, number_samples, samples_per_sec):
    # number_samples 16-bit PCM samples of a sine at freq Hz, amplitude 1000
    data = b''
    for i in range(number_samples):
        data += struct.pack('<h', int(1000 * math.sin(2 * freq * i * math.pi / samples_per_sec)))
    return data

Host = '127.0.0.1'
Port = 2600

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((Host, Port))

# The service sends 5 dwords (20 bytes); keep reading until all have arrived.
chunk = b''
while len(chunk) < 4 * 5:
    part = s.recv(4 * 5 - len(chunk))
    if not part:
        raise SystemExit('Error receiving data')
    chunk += part

# '<I' is a 4-byte little-endian dword on every platform (native 'L' is 8 bytes on 64-bit Unix).
frequencies = struct.unpack_from('<5I', chunk)
print(frequencies)

number_samples  = 5000
samples_per_sec = 4000

header_fmt  = struct.pack('<I', 0x20746d66)   # "fmt "
header_fmt += struct.pack('<I', 16)           # size   = 16
header_fmt += struct.pack('<h', 1)            # format = pcm
header_fmt += struct.pack('<h', 1)            # n. channels. unused
header_fmt += struct.pack('<I', samples_per_sec)
header_fmt += struct.pack('<I', 1)            # avg. bytes/sec. unused
header_fmt += struct.pack('<h', 2)            # block align. bytes/sample*channel
header_fmt += struct.pack('<h', 16)           # bits_per_sample

size_header_data = number_samples * 2
header_data  = struct.pack('<I', 0x61746164)  # "data"
header_data += struct.pack('<I', size_header_data)
for freq in frequencies:                      # one fifth of the samples per tone
    header_data += makeSin(freq, number_samples // 5, samples_per_sec)

size = len(header_fmt) + len(header_data) + 4

header  = struct.pack('<I', 0x46464952)  # RIFF
header += struct.pack('<I', size)        # size
header += struct.pack('<I', 0x45564157)  # WAVE

s.sendall(header)
s.sendall(header_fmt)
s.sendall(header_data)

print(s.recv(1024))

Stay tuned for the write-up….
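
The post does not say how the service judges the upload. Assuming it looks for the five received values as tone frequencies in successive fifths of the audio (which is what the script generates), this added example, not part of the original post, rebuilds the same WAV layout offline and recovers each tone with the Goertzel algorithm. The function names and the sample values are constructed for illustration.

```python
import math
import struct

RATE, SEG = 4000, 1000   # sample rate and samples per tone, as in the script above

def build_wav(freqs):
    """Same layout as the script: RIFF header, fmt chunk, data chunk of tones."""
    pcm = b"".join(
        struct.pack("<h", int(1000 * math.sin(2 * math.pi * f * i / RATE)))
        for f in freqs for i in range(SEG))
    fmt = struct.pack("<4sIhhIIhh", b"fmt ", 16, 1, 1, RATE, 1, 2, 16)
    data = struct.pack("<4sI", b"data", len(pcm)) + pcm
    riff = struct.pack("<4sI4s", b"RIFF", 4 + len(fmt) + len(data), b"WAVE")
    return riff + fmt + data

def parse_wav(blob):
    """Walk the RIFF chunks and return (sample_rate, 16-bit samples)."""
    magic, _, kind = struct.unpack_from("<4sI4s", blob, 0)
    if (magic, kind) != (b"RIFF", b"WAVE"):
        raise ValueError("not a RIFF/WAVE stream")
    pos, rate, samples = 12, None, None
    while pos + 8 <= len(blob):
        tag, size = struct.unpack_from("<4sI", blob, pos)
        body = blob[pos + 8:pos + 8 + size]
        if tag == b"fmt ":
            rate = struct.unpack_from("<I", body, 4)[0]
        elif tag == b"data":
            n = len(body) // 2
            samples = struct.unpack("<%dh" % n, body[:2 * n])
        pos += 8 + size + (size & 1)          # RIFF chunks are word-aligned
    if rate is None or samples is None:
        raise ValueError("missing fmt or data chunk")
    return rate, samples

def goertzel_power(seg, freq, rate):
    """Energy of one frequency in a block of samples (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in seg:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_tones(blob, count=5, max_freq=1000):
    """Strongest integer frequency below max_freq in each equal slice."""
    rate, samples = parse_wav(blob)
    step = len(samples) // count
    slices = [samples[k * step:(k + 1) * step] for k in range(count)]
    return [max(range(1, max_freq), key=lambda f: goertzel_power(s, f, rate))
            for s in slices]

if __name__ == "__main__":
    challenge = [440, 123, 777, 262, 999]     # constructed sample values
    print(detect_tones(build_wav(challenge)))
```

Running the detector over a locally built payload before sending it catches header or sample-format mistakes without needing the FreeBSD binary.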

 

August 24, 2007

Solution to reversing500

Filed under: CTF, prequals, writeups — at 10:36

This week, while watching how we had been "Barrapunto'd"?, I noticed that Nops ‘R Us had added information about the CTF. Even though according to them we are still “Germans”, at least they have deigned to post a photo of Friday's scoreboard, albeit from when they were already in first place (but practically tied with us), so I am satisfied with that.

I was also pleased to see Sk3wlm4st3r's solution to reversing 500, mostly because we were on the right track. The trick was in the first 4 functions it called: two modification functions (the 1st and the 3rd) and two checking functions (the 2nd and the 4th). You could see that the checking functions operated on positions 0, 3, 6, 9, 12, 15, 18 and 21 in the first one, and 1, 4, 7, 10, 13, 16, 19 and 22 in the second. Given that the modification functions were of the form key[i] = key[i] <sum/xor> key[(i + 1) % 24], the bruteforcing was reduced to only (ahem) positions 2, 5, 8, 11, 14, 17, 20 and 23. What we lacked was getting serious with the last two functions…

And speaking of solutions, we are preparing a text with the solution to one of the services that only the Sexy Pandas exploited (hoooo!). It is being delayed because we want to take the opportunity to use it as a perl+netcat^H^H^H metasploit tutorial.

That said, all that remains is to congratulate sk3wlm4st3r & friends on the hard work they put in.

PS: I am still waiting for someone to own our blog, any volunteers?
