Sexy Pandalog

Osu, Tatakae, Sexy Pandas blog

 

November 29, 2008

POC’08 Scripting #1 (Woos writeup)

Filed under: conferences, writeups — at 20:00

This year at the POC conference there was a special “event”. The staff organized a hacking/reversing challenge called “Hacker’s Dream” that was composed of two crackmes, two script deobfuscation tests, two malware-like samples to analyze and a network forensics challenge to solve. You can download the second place report slides (in Korean) (it seems the winning team was unable to attend the conference, so the second one had to give the talk). During this talk, one of our pandas was checking his own writeup against the speaker’s and also had the opportunity to chat with other people who had tried the challenge. That panda (yes it’s you, moron) failed to solve two parts of the challenge, one of them being Scripting#1. So while talking with somebody who had solved this particular part and also had a report, we managed to convince her to translate it. Finally, after some panda laziness, here we have the POC’08 Scripting#1 writeup by Woos. Enjoy!

Note: As the original contest files seem to be no longer available on the POC webpage, you can download the Scripting#1 challenge here.


 

September 25, 2008

Defcon CTF’08 Kryptod writeup

Filed under: CTF, Defcon, writeups — at 20:09

This year at the Defcon CTF there was only one Kenshoto-level service (or at least only one that scored like a Kenshoto; you’ll know what we mean in further writeups). That service was Kryptod, so we will try to explain how we managed to exploit it.

As in most of the CTF binaries, the service starts by setting up the socket, in this case listening on port 20020, and dropping to the proper user privileges. Then it sets up signal handlers for SIGILL, SIGTRAP, SIGEMT, SIGBUS, SIGSEGV, SIGSYS and SIGALRM. The handler is always the same: it just uses the current socket to send back to the client an encoded value related to the signal received and then does a clean exit (let’s say it’s a nice way of saying: “Hey, I crashed!”).

The next step is just the client handler. Kryptod reads the file ‘/home/krypto/key’ (the token) and puts its contents into a buffer, then it reads from the socket up to 63 chars (or up to a terminating \x0A if it comes first). The next part is a bit tricky: if the socket received 0 bytes, it just sends the contents of the token/keyfile to the user. WTF??? Strike one! No luck this time, the token is an overwrite one, so reading it gives you nothing :(


 

June 9, 2008

Reversing 500 writeup!

Filed under: Blogroll, CTF, prequals, writeups — at 22:39

1.- Introduction.

At quals we hardly had time to analyse rev500. However, what we saw was very appealing: interesting code obfuscation, use of the FPU and random numbers, and the string "./MathIsHard" suggested that the algorithm could be interesting. So we decided to give it another try with more time.

A brief initial analysis doesn't bring a lot of information: the binary is a 32-bit ELF for FreeBSD that listens for connections on port 2600. When we connect to it we receive 5 dwords containing integers, all of them below 1000.

$ readelf -a ./rev
ELF Header:
  ...
  Class:                             ELF32
  OS/ABI:                            UNIX - FreeBSD
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  ...
Relocation section '.rel.plt' at offset 0x808 contains 43 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804e0d4  00000507 R_386_JUMP_SLOT   00000000   random
0804e0d8  00000607 R_386_JUMP_SLOT   00000000   recv
0804e0f4  00000e07 R_386_JUMP_SLOT   00000000   socket
0804e0f8  00000f07 R_386_JUMP_SLOT   00000000   send
0804e0fc  00001107 R_386_JUMP_SLOT   00000000   accept
0804e108  00001507 R_386_JUMP_SLOT   00000000   bind
...


 

May 29, 2008

Exploit4Food I

Filed under: Blogroll, writeups — at 11:41

A couple of weeks ago, the folks at 48bits came up with a challenge they decided to call Exploit4Food. The challenge consisted of finding a bug in a given piece of software, exploiting it and writing a few lines explaining the process followed to achieve it. One of the published solutions was by one of our pandas and, while 48bits is already preparing the second edition of the challenge, here we thought we would leave a corrected (and slightly extended) version of the submitted report. Consider it an appetizer ahead of the CTF prequals that start tomorrow ;D


 

September 2, 2007

Exploiting HFD

Filed under: CTF, writeups — at 15:41

It seems that it’s time for our first English post :) as we finally managed to write some kind of walk-through for the hfd service. In this release the metasploit how-to is not included (wait for a further update), so we explain how to exploit hfd using the SPEF (Sexy Pandas Exploitation Framework), that is, our famous perl and netcat pwning-spree combo xD

Nothing more to say, enjoy!

 

August 24, 2007

Solution to the reversing500

Filed under: CTF, prequals, writeups — at 10:36

This week, while watching how we had been, shall we say, Barrapunto’d, I noticed that Nops ‘R Us had added information about the CTF. Even though according to them we are still “Germans”, at least they deigned to post a photo of Friday’s scoreboard, albeit from when they were already in first place (but practically tied with us), so I consider myself satisfied.

I was also pleased to see Sk3wlm4st3r’s solution to the reversing 500, mostly because we were on the right track. The trick was in the first 4 functions it called: two modification functions (the 1st and the 3rd) and two check functions (the 2nd and the 4th). One could see that the check functions operated on positions 0, 3, 6, 9, 12, 15, 18 and 21 in the first one, and 1, 4, 7, 10, 13, 16, 19 and 22 in the second. Taking into account that the modification functions were of the form key[i] = key[i] <sum/xor> key[(i + 1) % 24], the bruteforcing was reduced to only (ahem) positions 2, 5, 8, 11, 14, 17, 20 and 23. We just didn’t get serious about the last two functions…

And speaking of solutions, we are preparing a write-up with the solution to one of the services that only the Sexy Pandas exploited (hoooo!). It is being delayed because we want to take the opportunity to use it as a perl+netcat^H^H^H metasploit tutorial.

Having said that, all that remains is to congratulate sk3wlm4st3r & friends for the hard work they put in.

PS: I’m still waiting for someone to own our blog. Any volunteers?
