Tuesday, 31 December 2013

Basic tips on hacking challenges in websites

These are very basic tips for solving challenges, plus the background knowledge a beginner in hacking needs.
"Google is the biggest teacher for any Security Researcher or Enthusiast".
Websites:
1. hackthissite.org
2. securityoverride.org
3. enigmagroup.org
4. wechall.net
5. dareyourmind.net
6. canyouhack.it
7. thisislegal.com
8. newbiecontest.org

Web hacking:
Tip 1: Look at the page source (right click -> View Page Source).
Tip 2: Use Inspect Element wisely to change form data and hidden fields (right click -> Inspect Element).
Tip 3: The URL tells you the directory layout of the site and which parameters to probe in SQL injection problems.
Tip 4: Use the "Tamper Data" and "Add N Edit Cookies" Firefox add-ons for request-tampering and cookie-editing challenges.
Tip 5: Use the "NoScript" add-on to disable JavaScript. For JavaScript challenges the page source is the biggest source of information, since any check done on the client side can be read and bypassed there.

Cryptography challenges:
Best tool: CrypTool.
Link: cryptool-online.org

You can use the online version of CrypTool on that website.

Basic ciphers:
1. Base64 decoder => base64decode.org
2. Hashes (note that these sites are lookup tables of already-computed hashes, not real crackers: a miss only means nobody has submitted that value yet)
  a. LM / NTLM hash cracker => onlinehashcrack.com
  b. MD5 hash cracker => md5online.org/
  c. SHA-1 hash cracker => crackstation.net/
3. Caesar (ROT13, ROT47, shift Caesar) cracking => online-calculators.appspot.com/caesar/
4. Morse code (Google around a bit; there are a lot of online tools).
5. Vigenère and RSA are both handled well in CrypTool, so I suggest downloading the tool.

Monday, 30 December 2013

EMC Defenders League Attack and Defense - Goodie Server Challenge

It's been a long time since I wrote a blog post. I was working on something in the Chrome JS console the other day and came across the challenge that was given in EMC Defenders League Attack and Defense.

The challenge was this string of symbols (a JavaScript program written with only the characters []()!+):
[][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]][([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+([][[]]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[+!+[]]]]+([][[]]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]]((![]+[])[+[[+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]+(!![]+[])[+[[+[]]]]+([][(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+
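The listing above breaks off mid-expression in the post, so it cannot be run to completion. What can be read off it is how such a payload is built: every character is spelled as an index into the strings "false", "true", "undefined" and the source text of a built-in function, and the first two bracketed property names evaluate to "filter" and "constructor", so the whole thing has the shape []["filter"]["constructor"](source)(), i.e. Function(source)(). Below is an added example, not code from the post or from the challenge: a small static evaluator in Python that models just enough of JavaScript's coercion rules to decode this style of payload without handing it to a JS engine, plus an encoder (my own, not the challenge's generator) used to build a complete test payload. The string form of []["filter"] is assumed to be V8's "function filter() { [native code] }", which is what the indexes in the payload above are consistent with.

```python
import re

# Added example, not from the original post: a static evaluator for the "[]()!+" subset of
# JavaScript used by the challenge, so a payload can be decoded without running it in a JS
# engine. It models the JS coercion rules plus the two properties such payloads rely on,
# []["filter"] and fn["constructor"]; anything else resolves to undefined.
class Func:  # stand-in for a JS function object; only its name and string form matter
    def __init__(self, name): self.name = name
    def __str__(self): return f"function {self.name}() {{ [native code] }}"  # V8 format (assumption)

UNDEF = object()  # JS undefined

def to_string(v):
    if v is UNDEF: return "undefined"
    if isinstance(v, bool): return "true" if v else "false"
    if isinstance(v, list): return ",".join(map(to_string, v))  # Array.prototype.toString
    if isinstance(v, float): return "NaN" if v != v else str(v)
    return str(v)

def to_number(v):
    if isinstance(v, bool): return int(v)
    if isinstance(v, (int, float)): return v
    if v is UNDEF or isinstance(v, Func): return float("nan")
    s = to_string(v).strip()  # arrays go through their string form first; integers only
    return 0 if s == "" else int(s) if re.fullmatch(r"-?\d+", s) else float("nan")

def to_boolean(v):
    if isinstance(v, (list, Func)): return True
    if isinstance(v, str): return v != ""
    return v is not UNDEF and bool(v) and v == v  # 0 and NaN are falsy

def js_add(a, b):  # objects stringify first; a string operand then forces concatenation
    a, b = (to_string(x) if isinstance(x, (list, Func)) else x for x in (a, b))
    if isinstance(a, str) or isinstance(b, str): return to_string(a) + to_string(b)
    return to_number(a) + to_number(b)

def js_get(obj, key):
    if isinstance(obj, str) and key.isdigit() and int(key) < len(obj): return obj[int(key)]
    if isinstance(obj, list) and key == "filter": return Func("filter")
    if isinstance(obj, Func) and key == "constructor": return Func("Function")
    return UNDEF

class Decoder:
    """expr := unary ('+' unary)* ; unary := ('!' | '+') unary | postfix ;
    postfix := ('[' expr? ']' | '(' expr ')') then any '[' expr ']' lookups or '(' expr? ')' calls."""
    def __init__(self, src): self.s, self.i, self.captured = src, 0, []
    def peek(self): return self.s[self.i] if self.i < len(self.s) else ""
    def expect(self, ch):
        if self.peek() != ch: raise SyntaxError(f"expected {ch!r} at offset {self.i}")
        self.i += 1
    def expr(self):
        v = self.unary()
        while self.peek() == "+":
            self.i += 1
            v = js_add(v, self.unary())
        return v
    def unary(self):
        op = self.peek()
        if op not in ("!", "+"): return self.postfix()
        self.i += 1
        inner = self.unary()
        return (not to_boolean(inner)) if op == "!" else to_number(inner)
    def postfix(self):
        if self.peek() == "[":
            self.i += 1
            v = [] if self.peek() == "]" else [self.expr()]
            self.expect("]")
        else:
            self.expect("("); v = self.expr(); self.expect(")")
        while self.peek() in ("[", "("):
            if self.peek() == "[":
                self.i += 1; key = to_string(self.expr()); self.expect("]")
                v = js_get(v, key)
            else:
                self.i += 1; args = [] if self.peek() == ")" else [self.expr()]; self.expect(")")
                v = self.call(v, args)
        return v
    def call(self, fn, args):  # Function(src) is where the payload would compile: record src instead
        if isinstance(fn, Func) and fn.name == "Function":
            self.captured.append(to_string(args[0]) if args else "")
            return Func("anonymous")
        return UNDEF

def evaluate(fragment): return Decoder(fragment).expr()

def decode(payload):
    """Source strings handed to Function() by a complete payload, without running them."""
    d = Decoder(payload); d.expr(); return d.captured

# Leading fragment of the payload quoted above: the property name it builds for []["..."].
PAGE_FILTER_KEY = ("(![]+[])[+[[+[]]]]+([][[]]+[])[+[[!+[]+!+[]+!+[]+!+[]+!+[]]]]+(![]+[])[+[[!+[]+!+[]]]]"
                   "+(!![]+[])[+[[+[]]]]+(!![]+[])[+[[!+[]+!+[]+!+[]]]]+(!![]+[])[+[[+!+[]]]]")

# Encoder for test payloads (constructed here; not the challenge's generator).
def idx(n): return "+[]" if n == 0 else "+!+[]" if n == 1 else "+".join(["!+[]"] * n)
BASE = {"(![]+[])": "false", "(!![]+[])": "true", "([][[]]+[])": "undefined"}

def encode(text, table=BASE):
    out = []
    for ch in text:
        if ch.isdigit(): out.append(f"({idx(int(ch))}+[])")
        else:
            atom, s = next((a, s) for a, s in table.items() if ch in s)
            out.append(f"{atom}[{idx(s.index(ch))}]")
    return "+".join(out)

FILTER_KEY = encode("filter")
FULL = {**BASE, f"([][{FILTER_KEY}]+[])": str(Func("filter"))}  # adds c, o, (, ) and more

def jsfuck(source):
    """Wrap JS source as []["filter"]["constructor"](source)() using only []()!+."""
    return f"[][{FILTER_KEY}][{encode('constructor', FULL)}]({encode(source, FULL)})()"
```

evaluate(PAGE_FILTER_KEY) returns "filter", and decode(jsfuck("alert(1)")) returns ["alert(1)"] without anything being executed: the evaluator intercepts the call to Function and records its argument instead of compiling it. That is the safe way to read a payload like this; evaluating it in a browser console runs whatever it contains.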

Tuesday, 10 December 2013

EMC Defenders League Attack and Defense - Goodie Server Challenge

This was a hidden challenge and no one apart from our team got it. The file was hidden in the source code of the main page of the Goodie Server. It was a steganography challenge.

You can download the image here : logo

It was simple enough to solve in minutes with OutGuess, one of the popular basic steganography tools.
Command: outguess -r logo_zzzzzzzzzz.jpg logo (-r retrieves the hidden data from the JPEG and writes it to the output file logo)


FLAG : 3335f2c2462c8236934bc6bdd3897a588a0dc2d8

Monday, 18 November 2013

CSCamp CTF Forensics 200(dataNov-8-2013)

As I said, I don't remember the questions exactly. This one was about finding the fake users in a database.
As far as I remember, the question said:
There was an admin who lost his database; it was accessed by a script kiddie who tampered with the data. The task was to find the users who had been registered by him.

File can be downloaded from here : https://www.dropbox.com/s/zfk8rfrec5pkndu/dataNov-8-2013.rar?m=

If you look at the file in a plain text editor it is difficult to spot. In Notepad++, search for \r (carriage return) and you get a count of 5; those five records are the answer.
Another method is to use a hex editor.
You will find two dots (the bytes 0D 0A, i.e. CR LF, shown as dots in the ASCII pane) before those INSERT statements, and the users in those statements are the answer.

The question said the flag is md5(user1,user2,...,userN).

so the answer will be :
MD5 hash for Aurora Davis,Melodie Patton,Octavius Gamble,Lara Benson,Leilani Rivas is : 71284b9edd33e4141952b325a9c6acda

Flag : 71284b9edd33e4141952b325a9c6acda
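The same check done in code, as an added example (not the CTF's file or the author's method): read the dump as bytes, keep only the INSERT rows that carry a stray carriage return, and hash the comma-joined names. The dump below is constructed; only the five names come from the write-up.

```python
import hashlib
import re

# Added example, not the CTF's own dump: a constructed SQL dump in which the original
# rows end in LF while the rows the attacker added from a Windows tool carry CR LF.
# The five names are the ones from the write-up; ids and e-mail addresses are made up.
SAMPLE_DUMP = (
    b"INSERT INTO `users` VALUES (1,'Site Admin','admin@example.com');\n"
    b"INSERT INTO `users` VALUES (2,'John Doe','john@example.com');\n"
    b"INSERT INTO `users` VALUES (3,'Aurora Davis','aurora@example.com');\r\n"
    b"INSERT INTO `users` VALUES (4,'Jane Roe','jane@example.com');\n"
    b"INSERT INTO `users` VALUES (5,'Melodie Patton','melodie@example.com');\r\n"
    b"INSERT INTO `users` VALUES (6,'Octavius Gamble','octavius@example.com');\r\n"
    b"INSERT INTO `users` VALUES (7,'Lara Benson','lara@example.com');\r\n"
    b"INSERT INTO `users` VALUES (8,'Leilani Rivas','leilani@example.com');\r\n"
    b"INSERT INTO `users` VALUES (9,'Mary Major','mary@example.com');\n"
)

NAME_RE = re.compile(rb"INSERT INTO `users` VALUES \(\d+,'([^']*)'")

def cr_count(dump: bytes) -> int:
    """What the Notepad++ search for \\r reports: the number of carriage returns in the file."""
    return dump.count(b"\r")

def tampered_users(dump: bytes) -> list:
    """Names from INSERT rows that carry a stray carriage return (0x0D). The dump is read
    as bytes and split on LF only, so a CR stays attached to its own record whether it
    sits at the end of the injected row or just in front of it."""
    names = []
    for line in dump.split(b"\n"):
        m = NAME_RE.search(line)
        if b"\r" in line and m:
            names.append(m.group(1).decode())
    return names

def joined_names(dump: bytes) -> str:
    """Names joined by commas with no spaces, in file order: the exact string to hash."""
    return ",".join(tampered_users(dump))

def flag(dump: bytes) -> str:
    """md5(user1,user2,...,userN) as a lowercase hex digest."""
    return hashlib.md5(joined_names(dump).encode()).hexdigest()
```

The point of reading the file in binary mode is that a text-mode read in Python normalises CR LF to LF and silently destroys the only evidence. The exact join string matters too: md5 of "A,B" and of "A, B" are unrelated, so stick to whatever format the question specifies.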

Sunday, 17 November 2013

CSCamp CTF Stegnography-3[Interesting play!]

This was something new to me and a good learning exercise. There is a tool which hides your text inside a meaningless play script. Let's get started.

Question :
Phil says "I love you, no really."
Kenny says "Hot steamy grits!"
Jason says "Hot steamy grits!"
Jason says "No."
Adam says "Get off my colon"
Andy says "Who said OJ?"
Paul says "Who said OJ?"
Sam says "Jason paid me for it."
Mike says "Jason paid me for it."
Phil says "Jason paid me for it."
Paul says "But I read slash-dot"
JYA says "Well smother me in curry sauce and lick me."
Andy says "Did he mean to die just then?"
Andy says "Mike - you ladyboy!"
Sam says "I said, you've got beautiful eyes."
Harold says "Mine's a pint"
Harold says "I'm so excited"
Andy says "I said, you've got beautiful eyes."
Kenny says "So avoid that then!"
Mike says "Did he mean to die just then?"
Sam says "But I read slash-dot"
Mike says "Show me the fish!"
Andy says "Okay, now think of a funny line"
Sam says "Well smother me in curry sauce and lick me."
JYA says "Who said OJ?"
Andy says "Mike - you ladyboy!"
Jason says "Okay, now think of a funny line"
Mike says "Jason paid me for it."
Mr Hanky says "I never talk politics."
Mike says "Mmmm ... "
Sam says "Okay, now think of a funny line"
Kenny says "Mine's a pint"
Mr Hanky says "Mike - you ladyboy!"
Paul says "Who said OJ?"

Saturday, 16 November 2013

CSCamp CTF - Crypto 1a

Ah, this took me a lot of time to figure out even though it was only 30 points. Points don't matter, do they? Only if you are good enough. In the learning stage never look for points.

Well, enough philosophy :-p Now let's get back to work.

The question was to decrypt the message.
Message was : Zc duwcievvohpxqv uf bue xw iuzmgwtpthshon. Xpby wg tzx bak eikdxqht; wh'y sse rui ru tx bagh agexmky. Hvk qpiz og hnp pwpkfqgdi mfs rsk qmdx nogn zj bak yse tr thcsfilwm.

I guessed it was a Vigenère cipher and confirmed it with the admins; they told me to proceed, as I was on the right path.

Now how do I find the key? Just keep trying key lengths from 1 upwards; at 8 you get it, i.e. you can see the plain text.
The key is "GOOGLEIT".

try here : http://www.cryptool-online.org/index.php?option=com_cto&view=tool&Itemid=99&lang=en

You see this ?
"TO PolYaLphabetic oR NoT to PolYalphabeTic. ThIs iS not THe QUeStiOn; iT's hoW YoU do it THaT MaTteRs. the flag iS The loWeRcaSe eMm dee fiVe haSh of THe keY in lOWeRcase."

Now the message clearly says: md5(googleit).
MD5 hash for googleit is : 36a2b79e4c40eabc3824b2bb433978f4

Flag :  36a2b79e4c40eabc3824b2bb433978f4
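What "try key lengths from 1 upwards" amounts to, once you can guess the first words of the plaintext, is a known-plaintext attack: derive a key of each candidate length from the crib and keep the first one that also explains the rest of the crib. The following is an added example (not the post's own method or CrypTool's code) that does this in Python on the ciphertext quoted above, using "to polyalphabetic" as the crib.

```python
import string

# Added example, not from the original post: Vigenère decryption with a known key, plus
# key recovery from a crib. The ciphertext is the one quoted above; the crib is its first
# two words in English, which is a guess that the challenge title makes reasonable.
ALPHA = string.ascii_lowercase

def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Shift each letter by the matching key letter. Non-letters are kept as they are
    and do not consume key characters; the case of the input is preserved."""
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = ALPHA.index(key[k % len(key)].lower())
        p = ALPHA[(ALPHA.index(ch.lower()) + (-shift if decrypt else shift)) % 26]
        out.append(p.upper() if ch.isupper() else p)
        k += 1
    return "".join(out)

def letters(s: str) -> str:
    return "".join(ch.lower() for ch in s if ch.isalpha())

def recover_key(ciphertext: str, crib: str, key_len: int) -> str:
    """key[i] = c[i] - p[i] over the first key_len letters of ciphertext and crib."""
    c, p = letters(ciphertext), letters(crib)
    if len(p) < key_len:
        raise ValueError("crib has fewer letters than the key length")
    return "".join(ALPHA[(ALPHA.index(c[i]) - ALPHA.index(p[i])) % 26] for i in range(key_len)).upper()

def find_key_length(ciphertext: str, crib: str, max_len: int = 20):
    """Smallest key length whose crib-derived key also decrypts the rest of the crib.
    A crib must be longer than the key to be conclusive, so only lengths below the
    number of crib letters are tried; None means no length up to the limit fits."""
    for n in range(1, min(max_len, len(letters(crib)) - 1) + 1):
        key = recover_key(ciphertext, crib, n)
        if vigenere(ciphertext, key).lower().startswith(crib.lower()):
            return n
    return None

# Ciphertext quoted in the post.
CT = ("Zc duwcievvohpxqv uf bue xw iuzmgwtpthshon. Xpby wg tzx bak eikdxqht; "
      "wh'y sse rui ru tx bagh agexmky. Hvk qpiz og hnp pwpkfqgdi mfs rsk qmdx "
      "nogn zj bak yse tr thcsfilwm.")
```

find_key_length(CT, "to polyalphabetic") returns 8, recover_key(CT, "to polyalphabetic", 8) returns GOOGLEIT, and vigenere(CT, "GOOGLEIT") gives the full plaintext. The case pattern is taken from the ciphertext, so the mixed capitals shown in the tool output above do not come out of this function; the flag only depends on the key anyway.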

CSCamp Crypto-PNG

Again I don't remember the exact question; roughly:
There is an encrypted image, can you tell me what the message is?

Download the file here : https://www.dropbox.com/s/njg7i9q5fworlxq/enc.png?m=

When I googled it, there was a similar question in some CTF and I found it was an XOR cipher. So I asked one of the admins and confirmed it. Now which tool do we use? xortool by hellman. Astonishingly he himself was there in the IRC :-p
Download it here : https://github.com/hellman/xortool

Go to the xortool directory and run it on the file from the command line: "python ./xortool.py -c 00 enc.png" (-c 00 tells xortool that the most frequent plaintext byte is 0x00, which holds for most image data).
It was the first time I used the tool and I was totally impressed.


Key is : x0Rk3y
I haven't made xortool.py executable. If you are using Linux you can run "chmod +x xortool.py" once and then call xortool directly; the commands here keep the python prefix.
The same run also writes its decryption attempts to disk: after it you will see a folder named "xortool_out" containing a file named "0.out".
Rename it to .png and open it in Paint or whichever image viewer you want.

you will see "The key is pwnthexorcrypto"

Flag : pwnthexorcrypto
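What xortool does with "-c 00", and the cheaper trick that works for any file with a fixed header, as an added example in Python (not xortool's code and not from the post). The sample "image" is constructed: a real PNG signature and IHDR chunk header followed by a mostly-zero body; the key is the one from the write-up.

```python
from collections import Counter

# Added example, not from the original post: two ways to recover a repeating XOR key
# from an encrypted PNG. The sample "image" is constructed: the real PNG signature and an
# IHDR chunk header (CRC omitted) followed by a body that is mostly 0x00, the property
# that xortool's "-c 00" relies on. The key is the one from the write-up.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY = b"x0Rk3y"

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def make_sample_png_like() -> bytes:
    ihdr = b"\x00\x00\x00\x0dIHDR" + (64).to_bytes(4, "big") * 2 + b"\x08\x02\x00\x00\x00"
    body = bytes(0 if i % 7 else 0x41 for i in range(1200))  # sparse non-zero bytes, mostly zero
    return PNG_SIG + ihdr + body

def key_from_crib(ciphertext: bytes, crib: bytes, max_len: int = None):
    """Known-plaintext attack: the signature sits at offset 0, so crib XOR ciphertext is
    the key stream for those bytes, and the smallest period that explains every crib byte
    is the key. Only keys no longer than the crib can be found this way; with a shorter
    crib a truncated key comes back, so check the result against the rest of the file."""
    stream = xor(ciphertext[:len(crib)], crib)
    for n in range(1, (max_len or len(crib)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(crib))):
            return stream[:n]
    return None

def key_by_most_common(ciphertext: bytes, key_len: int, most_common: int = 0x00) -> bytes:
    """xortool's heuristic (-c): in each key position the most frequent ciphertext byte is
    assumed to be most_common XOR that key byte. It needs enough data per position and
    a key length, which xortool estimates itself; here the length is given."""
    return bytes(Counter(ciphertext[i::key_len]).most_common(1)[0][0] ^ most_common
                 for i in range(key_len))
```

Both methods return b"x0Rk3y" on the sample, and xor(ciphertext, key) then starts with the PNG signature again, which is the check to do before trusting either answer. The most-common-byte method is the one that scales to keys longer than any fixed header; the crib method is exact whenever the header is at least as long as the key.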

CSCamp CTF Stegnography-1

As the portal has been closed I can't get the exact questions, but I have the files, so you can try them out.

STEGNO-1

There was a file to download and the hint given was "your eyes are blurry".

file download : https://www.dropbox.com/s/kop94gfre3chvzb/stega1.png

It was 50 points, the simplest one.

Open it in Paint and use the "Fill with color" option. Pick any colour other than white: the hidden text is nearly white, so against a white background you can't see it properly.


Can you see this now ?
The Flag is {Are_you_color_blind}

Flag : Are_you_color_blind

Tuesday, 12 November 2013

Zeromutarts - Serial verifier

Website :  http://zeromutarts.de/

Question :
Try to validate the nice little piece of code. You will get your flag here: Serial verifier

As I tried it on Windows, I will only cover the Windows binary.

File : Windows

Solution:
Click on the Serial verifier link. You get this:

I used IDA Pro.
Basic approach: View -> Open subviews -> Strings, and you land on something like this :-)


Now double-click the string "I would like to know your serial now" and you land in IDA View. Switch to graph view and again go to View -> Open subviews -> Pseudocode (the Pseudocode view needs the Hex-Rays decompiler plugin).

Zeromutarts - the magic of rsa

Website : http://zeromutarts.de/

Question :
You were able to hear some whispering on the last crypto party! *whisper* d is 35181901. Keep it secret or we are doomed!

There are two files, rsa.py and rsa.txt; you can download them from here:

the-magic-of-rsa

Answer:

I would suggest reading about RSA on Wikipedia:
RSA_(algorithm)

The parameters we know are n, e and d.
Oh wait, what is d? Look at the question: d is 35181901, the private exponent.

plain-text = (cipher-text)^d mod n

This is the formula, and we know all the parameters; the ciphertext is the one in rsa.txt. I would suggest writing it as a script, because trust me, you will learn a lot. One check worth doing: d only decrypts correctly for the n it belongs to, so (m^e)^d mod n must give m back for some small m before you trust a leaked d.

Anyway you could use this website as well:
RSA Calculator

Substituting d, n and the ciphertext we get
flag{you_got_the_basics_my_padawan}

FLAG : you_got_the_basics_my_padawan
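The script the post suggests writing, as an added example in Python (not the post's own script and not the challenge's rsa.py). The key pair is constructed from two known Mersenne primes so the example runs on its own; the challenge's n, e and ciphertext are in rsa.txt and are not reproduced here. Only n and d are used to decrypt, exactly as in the challenge.

```python
# Added example, not from the original post: decrypting with a leaked private exponent,
# m = c^d mod n, plus the checks worth doing before trusting a d someone "whispered".
# The key pair is constructed from two known Mersenne primes only so the example is
# self-contained; the challenge's own n, e and ciphertext are in rsa.txt.
P, Q = 2**31 - 1, 2**61 - 1        # both prime; toy sizes, never use anything like this for real
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the private exponent that leaked (pow(e, -1, m) needs Python 3.8+)

def rsa_encrypt(message: bytes, n: int, e: int) -> int:
    """Textbook RSA on the big-endian integer of the message: no padding, one block."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message does not fit in one block for this modulus")
    return pow(m, e, n)

def rsa_decrypt(ciphertext: int, n: int, d: int) -> bytes:
    """plain-text = (cipher-text)^d mod n, the formula from the post, back to bytes."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def d_matches(n: int, e: int, d: int) -> bool:
    """Does d really invert e for this n? Without p and q you cannot check e*d = 1 mod phi,
    but a few small probes must survive an encrypt/decrypt round trip; a wrong d fails."""
    return all(pow(pow(x, e, n), d, n) == x for x in (2, 3, 65537))

def decrypt_rsa_txt_value(ciphertext_text: str, n: int, d: int) -> bytes:
    """CTF files usually give the ciphertext as a decimal or 0x-prefixed hex string."""
    return rsa_decrypt(int(ciphertext_text.strip(), 0), n, d)
```

The ValueError in rsa_encrypt is the other thing to know about textbook RSA: a plaintext is a single integer below n, so a flag longer than the modulus has to be split into blocks, and a ciphertext that is not below n is not one you can decrypt with this n.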

Zeromutarts Challenge-5 (encodings)

Website :http://zeromutarts.de/

Question :
I believe a flag is hidden in this encoding. Can you find it?:

TWF5YmUgeW91IHNob3VsZCB0aGluayB0aGUgb3RoZXIgd2F5OiBbKSJ9cmdoZW9faGdfZ3J7dG55cyIgOnJmbnBlcmpieSBhdiB0bnlzIHJ1ZyBnYnQgaGJMIC9iXCAhcnB2QSggOj90aSB0ZmlocyBuZXZlIHVveSBuYWMgLHJhZW4gc2kgZG5FIG5BXQ==

The first thing to notice is the "==" at the end of the message. That is Base64 padding, and the alphabet (A-Z, a-z, 0-9, +, /) fits too, so Base64 is a safe first guess; the padding on its own proves nothing, since a Base64 string whose length is a multiple of three bytes has none.

Base-64 online tool

we get :
Maybe you should think the other way: [)"}rgheo_hg_gr{tnys" :rfnperjby av tnys rug gbt hbL /b\ !rpvA( :?ti tfihs neve uoy nac ,raen si dnE nA]

The text is written backwards; reversing it gives:
An End is near, can you even shift it?: (Avpr! \b/ Lbh tbg gur synt va ybjrepnfr: "synt{rg_gh_oehgr}")

The bracketed part is shifted by 13, i.e. ROT13 (a Caesar shift with key 'M'). Shifting only that part gives:
(Nice! \o/ You got the flag in lowercase: "flag{et_tu_brute}")
If you ROT13 the whole line instead, the prefix that was already plain turns into "Na raq vf arne, pna lbh rira fuvsg vg?", so apply the shift only to the part that is still scrambled.

Flag : et_tu_brute

Zeromutarts Challenge-4 (chbs)

Website : http://zeromutarts.de/

Question :
Tr0ub4dor&3

Answer :
Looks like a trivia question, and yes it is :-)

Google "Tr0ub4dor&3"...

The third result says this:
This comic is saying that the password in the top frames "Tr0ub4dor&3" is easier for password cracking software to guess than "correcthorsebatterystaple"

The challenge is named chbs and the string is "correcthorsebatterystaple", hence it matches. But remember the flag format?

Flag : correct_horse_battery_staple

Zeromutarts Challenge-3 (Caeser's Last Wish)

Website : http://zeromutarts.de/

Question :
Caesar left a message for me. Can you decrypt it?

message :
zh zrxog qhyhu pdnh lw wkdw hdvb.. rxu hqfubswlrq lv rqh vwhs dkhdg!livi mw er mrgvihmfpi xlsyklx sj geiwevr alex ai amwl, ai viehmpc fipmizi, erh alex ai syvwipziw xlmro, ai mqekmri sxlivw xlmro epws. ai amwl xli jpek mw jpek{xairxc_xlvii_wxefw_evi_aec_xss_qerc}

Caesar online tool

A simple Caesar decryption (shift 3) gives us a hint:
we would never make it that easy.. our encryption is one step ahead!ifsf jt bo jodsfejcmf uipvhiu pg dbftbso xibu xf xjti, xf sfbejmz cfmjfwf, boe xibu xf pvstfmwft uijol, xf jnbhjof puifst uijol bmtp. xf xjti uif gmbh jt gmbh{uxfouz_uisff_tubct_bsf_xbz_upp_nboz}

Now we need a different shift for the second half, the part after "ahead!": checking keys 1, 2, 3, 4... whoa, got it :-)

In the same online tool you see "Number of letters to shift to the right:". Put 4 in the box and click decipher.

We get (the first half, which used shift 3, now turns to garbage, while the second half becomes readable):
vd vntkc mdudq lzjd hs sgzs dzrx.. ntq dmbqxoshnm hr nmd rsdo zgdzc!here is an incredible thought of caesarn what we wish, we readily believe, and what we ourselves think, we imagine others think also. we wish the flag is flag{twenty_three_stabs_are_way_too_many}

Flag : twenty_three_stabs_are_way_too_many
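An added example in Python (not from either post) that covers the two challenges above together: a peeler for the layered encoding of Challenge-5 (Base64, then reverse, then ROT13 on the bracketed part only) and a scored Caesar brute force for Challenge-3 that ranks all 26 shifts and collects any flag{...} a shift exposes. Both inputs are the strings quoted in the posts.

```python
import base64
import re
import string

# Added example, not from the original posts: a peeler for the layered encoding of
# Challenge-5 (Base64 -> reverse -> ROT13 on the bracketed part) and a scored Caesar
# brute force for Challenge-3. The inputs are the strings quoted in the posts.
ALPHA = string.ascii_lowercase
FLAG_RE = re.compile(r"flag\{[^}]*\}")
COMMON = {"the", "is", "we", "of", "and", "what", "that", "you", "flag", "it"}

def caesar(text: str, shift: int) -> str:
    """Shift letters `shift` places to the left (decrypt); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            c = ALPHA[(ALPHA.index(ch.lower()) - shift) % 26]
            out.append(c.upper() if ch.isupper() else c)
        else:
            out.append(ch)
    return "".join(out)

def rot13(text: str) -> str:
    return caesar(text, 13)  # shifting 13 either way is the same operation

def looks_like_base64(s: str) -> bool:
    """The "==" tail is a hint, not proof: check the alphabet and the length too."""
    return len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is not None

def peel(encoded: str) -> dict:
    """All stages of the encodings challenge; ROT13 is applied only after ": (" so the
    prefix that is already plain English is left alone."""
    decoded = base64.b64decode(encoded).decode()
    backwards = decoded[::-1]
    head, sep, tail = backwards.partition(": (")
    final = head + sep + rot13(tail)
    m = FLAG_RE.search(final)
    return {"decoded": decoded, "reversed": backwards, "final": final,
            "flag": m.group(0) if m else None}

def english_score(text: str) -> int:
    return sum(w in COMMON for w in re.findall(r"[a-z]+", text.lower()))

def brute_force(ciphertext: str):
    """All 26 shifts ranked by common-word count, and the flag each shift exposes, if any.
    Two differently shifted halves, as in Challenge-3, show up as two shifts that both
    score; scoring the whole text at once only ranks the half with more words first."""
    ranked = sorted(((english_score(caesar(ciphertext, k)), k) for k in range(26)), reverse=True)
    flags = {}
    for k in range(26):
        m = FLAG_RE.search(caesar(ciphertext, k))
        if m:
            flags[k] = m.group(0)
    return ranked, flags

PAGE_B64 = "TWF5YmUgeW91IHNob3VsZCB0aGluayB0aGUgb3RoZXIgd2F5OiBbKSJ9cmdoZW9faGdfZ3J7dG55cyIgOnJmbnBlcmpieSBhdiB0bnlzIHJ1ZyBnYnQgaGJMIC9iXCAhcnB2QSggOj90aSB0ZmlocyBuZXZlIHVveSBuYWMgLHJhZW4gc2kgZG5FIG5BXQ=="
PAGE_CAESAR = ("zh zrxog qhyhu pdnh lw wkdw hdvb.. rxu hqfubswlrq lv rqh vwhs dkhdg!livi mw er "
               "mrgvihmfpi xlsyklx sj geiwevr alex ai amwl, ai viehmpc fipmizi, erh alex ai "
               "syvwipziw xlmro, ai mqekmri sxlivw xlmro epws. ai amwl xli jpek mw "
               "jpek{xairxc_xlvii_wxefw_evi_aec_xss_qerc}")
```

peel(PAGE_B64)["flag"] is "flag{et_tu_brute}", and brute_force(PAGE_CAESAR) ranks shift 4 first and reports the flag under shift 4 only, while caesar(PAGE_CAESAR, 3) still gives the "we would never make it that easy" hint: a flag pattern search across all shifts finds the answer without having to notice the two halves by eye.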

Zeromutarts Challenge-2 (antonin)

website : http://zeromutarts.de/

Question :
antonin

I got a letter from my friend Antonín. However, it's all Czech to me, maybe you can read it.

Message :
E.ap ipc.bew
C dgoy ,aby yt n.y ötg rbt, yh. o.jp.y itp yh. .bjpözy.e ojptnn C o.by ötgv Go. cy ,co.nö abe et bty uck. cy yt abötb.v

Yh. o.jp.y coV inau{i..n'ot'xth.mcab'ncr.'ötg}


Well, now the question is clear, so how do we proceed?
Let's do some Google searching: who is Antonín? Is there an encoding method with that name? And so on.

Wikipedia says the man in the picture is Antonín Dvořák, the composer, and there is a Dvorak keyboard layout (named after August Dvorak, a different Dvorak, but the pun is the hint).
Antonin Dvorak  Dvorak Encoding

Let's search for an online tool:
dvorak cipher decoder

After we convert it from Dvorak to QWERTY we get this:
Dear griend,
I hust want tk let öku onkw tje secret gkr tje encrö/ted scrkll I sent öku. Use it wiselö and dk nkt five it tk anökne.
Tje secret is> glaf_geelqskqbkjemianqlioeqöku+

So now it's easier: which letters are still wrong compared to normal English?

g replaced with f
h replaced with j
o replaced with k
ö replaced with y
/ replaced with p
q replaced with _

Now how did I know that q is _? Simple: what does the zeromutarts home page say? It says the flag format is x_x_x_x, right? :-)

After replacing you get this:
Dear friend,
I just want to let you know the secret for the encrypted scroll I sent you. Use it wisely and do not give it to anyone.

The secret is> flag_feel_so_bohemian_like_you

Flag : feel_so_bohemian_like_you
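The layout cipher itself, as an added example in Python (not the post's tool): each character is looked up at its key position in one layout and replaced by the character at the same position in the other. With the standard US layouts "Dear" becomes "E.ap", matching the first word of the message above; the residual substitutions are the pairs visible in the post's before/after text, and they are needed because the online tool the author used evidently worked from a slightly different layout table than the standard one.

```python
# Added example, not from the original post: the "typed on the wrong keyboard layout"
# cipher. QWERTY and DVORAK list the US layouts key by key (unshifted rows, then shifted
# rows), so the character at index i of one is on the same physical key as index i of
# the other. RESIDUAL holds the extra swaps seen in the write-up's before/after text.
QWERTY = ("`1234567890-=" "qwertyuiop[]\\" "asdfghjkl;'" "zxcvbnm,./"
          "~!@#$%^&*()_+" "QWERTYUIOP{}|" "ASDFGHJKL:\"" "ZXCVBNM<>?")
DVORAK = ("`1234567890[]" "',.pyfgcrl/=\\" "aoeuidhtns-" ";qjkxbmwvz"
          "~!@#$%^&*(){}" "\"<>PYFGCRL?+|" "AOEUIDHTNS_" ":QJKXBMWVZ")

def convert(text: str, src: str, dst: str) -> str:
    """Map each character from its position in layout src to the same position in dst;
    characters outside the layout (space, accented letters) pass through unchanged."""
    return text.translate(str.maketrans(src, dst))

def encrypt_as_dvorak(plaintext: str) -> str:
    """What you get when QWERTY keystrokes are read off a Dvorak layout."""
    return convert(plaintext, QWERTY, DVORAK)

def decrypt_from_dvorak(ciphertext: str) -> str:
    return convert(ciphertext, DVORAK, QWERTY)

# Leftover substitutions from the write-up (g<->f, h<->j, o<->k, ö->y, /->p, q->_).
RESIDUAL = {"g": "f", "f": "g", "h": "j", "j": "h", "o": "k", "k": "o", "ö": "y", "/": "p", "q": "_"}

def apply_subs(text: str, subs: dict) -> str:
    """Single-character substitutions applied simultaneously, so swaps do not chain."""
    return text.translate(str.maketrans(subs))
```

Because str.translate applies all substitutions at once, the g/f and h/j swaps are safe; doing them one after another with replace() would turn every g into f and then every f back into g. If a converted text still has a handful of wrong letters, as here, the tool's layout table and yours disagree on those keys, and a short residual table like RESIDUAL is the quickest fix.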

Zeromutarts Challenge-1 (404)

This is the write-up of the beginners' CTF which was held recently. It ended yesterday, but you can still solve the challenges as the site is live.

Website : http://zeromutarts.de

Question :
HTTP codes are kinda fun
Link

The challenge is about HTTP status codes, so let's dig into what a 404 is, with help from our friend Wikipedia.
http://en.wikipedia.org/wiki/HTTP_404

It tells us that 404 is the response a server sends when the user requests a dead or broken link.
So just try some random page like login.php:

http://zeromutarts.de:8080/login.php

This results in:

404 - Not Found


414 is so much better...

So now search what a 414 error is: "414 Request-URI Too Long", which the server returns when the requested URI is longer than it is willing to interpret. So request an absurdly long URL and you land on the flag.

Something like this: http://zeromutarts.de:8080/loginajsdnjsakndakjsdnaskjdnsadniweeuwihnwefjsdnsjdnvjkdsniuwksdnvkjsnvrkjsdvn.php

Now you see the flag:
flag{sometimes_error_codes_are_just_a_teapot}

Saturday, 2 November 2013

EMCDefendersleague2013 week-1 challenge-7 solution

Files can be downloaded from here : https://db.tt/s2niLU2s

Challenge-7

Question : We have obtained an innocent looking file from our sources who confirm that there is a coded message hidden somewhere inside. Get the message!


Hint 1:Hidden in bits!

Hint 2:PE File Format

Hint 3:Hex Editor

We know that the file is a PE executable.
Now a good reverser's first tool is "strings".

Command: strings Contest7.sample

Scroll a bit and observe this string:
0x53 0x4a 0x6a 0x58 0x65 0x66 0x61 0x52 0x53 0x7a 0x58 0x42 0x6f 0x71 0x56 0x57 0x52 0x74 0x46 0x66 0x6a 0x72 0x5a 0x73 0x78 0x75 0x64 0x76 0x43 0x54 0x48 0x62 0x63 0x55 0x6f 0x51 0x4a 0x58 0x75 0x78

That is a hex-encoded string; converting each 0xNN byte to its ASCII character gave me the answer.
I didn't go by the hints, but this would be an easy reversing exercise.

Here you go, the flag is: SJjXefaRSzXBoqVWRtFfjrZsxudvCTHbcUoQJXux
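What strings does, and the follow-up step of spotting and decoding a "0x.. 0x.." run among its output, as an added example in Python (not the post's own commands). The sample blob is constructed: a few PE-looking fragments around the exact hex string quoted above.

```python
import re

# Added example, not from the original post: a minimal re-implementation of what `strings`
# prints (runs of printable bytes) followed by detection of the "0x.. 0x.." token pattern
# seen in the challenge binary. SAMPLE_BLOB is constructed: PE-looking fragments around
# the exact string quoted in the write-up.
PAGE_HEX_TOKENS = ("0x53 0x4a 0x6a 0x58 0x65 0x66 0x61 0x52 0x53 0x7a 0x58 0x42 0x6f 0x71 "
                   "0x56 0x57 0x52 0x74 0x46 0x66 0x6a 0x72 0x5a 0x73 0x78 0x75 0x64 0x76 "
                   "0x43 0x54 0x48 0x62 0x63 0x55 0x6f 0x51 0x4a 0x58 0x75 0x78")

SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 40
               + b"!This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
               + b".text\x00\x00\x00" + b"\xcc" * 8
               + PAGE_HEX_TOKENS.encode() + b"\x00" * 8
               + b"KERNEL32.dll\x00ExitProcess\x00")

def strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (0x20-0x7e, plus tab) at least min_len long, as `strings`
    reports them. Wide (UTF-16) strings are not covered; `strings -e l` handles those."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data)]

HEX_TOKENS = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*){4,}")  # at least four 0xNN tokens in a row

def decode_hex_tokens(s: str) -> list:
    """Every run of 0xNN tokens in s converted to text; bytes outside ASCII are shown as escapes."""
    out = []
    for m in HEX_TOKENS.finditer(s):
        raw = bytes(int(t, 16) for t in re.findall(r"0x[0-9a-fA-F]{2}", m.group()))
        out.append(raw.decode("ascii", errors="backslashreplace"))
    return out

def find_hex_encoded_strings(data: bytes) -> list:
    """The whole pipeline: strings, then decode any hex-token runs among them."""
    return [d for s in strings(data) for d in decode_hex_tokens(s)]
```

find_hex_encoded_strings(SAMPLE_BLOB) returns the flag as the only hit. The four-token minimum keeps isolated "0x10"-style constants in version strings and error messages out of the results.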

With this, the week-1 questions and solutions are done. Hope you enjoyed it! Thank you.

EMCDefendersleague2013 week-1 challenge-6 solution

Files can be downloaded here :  https://db.tt/s2niLU2s
Challenge-6

Mickey Mouse loves to be in company with his friends and when they are not available, Mickey always keeps a group photo with him.

Hint 1:Hidden in bits!

Hint 2:Steganography

file name: Contest6.sample

So we know it's a zip file, and when we try extracting it we get a password prompt like this:


So we need to use a zip cracker. A guess of 4 characters for the brute-force length solved it; that was a lucky guess, so allow for longer lengths in similar challenges, since the search space grows by a factor of the charset size for each extra character. Here is the link to the zip password cracker I used at the time.
Zip-Password-cracker


password is: xtOQ

Thursday, 31 October 2013

EMCDefendersleague2013 week-1 challenge-5 solution

Files can be downloaded from here :  https://db.tt/s2niLU2s
Challenge-5

Question : Mr. H4x0r has intercepted an attack by his friend on a website. Help Mr. H4x0r to obtain the admin password of the website from the attack log.


Hint 1:SQL Injection

Hint 2:Hash Cracking

file name : Contest5.sample

First thing to do is run the file command on it.
Result: data (i.e. file does not recognise the format)

So for now we only know it's a data file; opening it in gedit or Notepad++ shows that it's the log of an SQL injection attack.

Scrolling down to the end you will find this:

Firstname::isf:1pvyjsradminpvyjsrpvyjsrs@s.compvyjsradminpvyjsradminpvyjsr2a9a4d20c6fdafa8917c8e7c3f63733fpvyjsr2013-07-22 07:43:09pvyjsr0pvyjsr:tlf:

From this we learn that the password hash is 2a9a4d20c6fdafa8917c8e7c3f63733f, and at 32 hex characters it is most likely MD5 (other 128-bit hashes look the same, so cracking it is also what confirms the guess).
A Google search, i.e. one of the hash lookup sites, gives you the flag:

the flag is cHDiN
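Pulling the hash out of that record and checking it against a wordlist, as an added example in Python (not the post's method; it used a lookup site). The record is the one quoted above; the wordlist is made up for the demo.

```python
import hashlib
import re

# Added example, not from the original post: split the injected row on its markers,
# pick out the field that looks like a hash, and try a wordlist against it. PAGE_RECORD
# is the line quoted in the write-up; the wordlists in the usage are constructed.
PAGE_RECORD = ("Firstname::isf:1pvyjsradminpvyjsrpvyjsrs@s.compvyjsradminpvyjsradminpvyjsr"
               "2a9a4d20c6fdafa8917c8e7c3f63733fpvyjsr2013-07-22 07:43:09pvyjsr0pvyjsr:tlf:")

def split_record(record: str, start: str = ":isf:", end: str = ":tlf:", sep: str = "pvyjsr") -> list:
    """The selected columns come back between start/end markers with sep between them:
    the random tags a UNION-based injection tool plants so it can find its own output
    in the page. An empty field is a NULL or empty column, not a parsing error."""
    body = record.split(start, 1)[1].split(end, 1)[0]
    return body.split(sep)

HASH_RE = re.compile(r"^[0-9a-f]{32}$")  # 32 hex chars: MD5-sized, which is not the same as MD5

def hash_fields(record: str) -> list:
    return [f for f in split_record(record) if HASH_RE.match(f)]

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

def crack_md5(target: str, wordlist) -> str:
    """First candidate whose MD5 equals target, or None. Matching is what confirms the
    hash type; a 32-hex value that never matches may simply not be MD5."""
    target = target.lower()
    for w in wordlist:
        if md5_hex(w) == target:
            return w
    return None
```

Online lookup sites do exactly this against a very large precomputed list, which is why a five-character password like the one here is found instantly and a random twelve-character one is not.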

EMCDefendersleague2013 week-1 challenge-4 solution

Files can be downloaded here : https://db.tt/s2niLU2s
Challenge-4

Question : Mr. H4x0r managed to sniff the HTTP traffic of his nemesis, however he is unable to figure out the credentials used by the victim to access the protected webpage.

Help Mr. H4x0r to figure out the credential for accessing the protected page.

Hint 1:Base

Hint 2:Julias Caesar

Basic thing first: run the file command on the file.
Result: Contest4.sample: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

What is the inference?
It's a tcpdump (pcap) capture, hence Wireshark is what you should reach for.

Opening it in Wireshark gives you this:

Looking at the TCP stream you can see the user trying to get admin access. In the first try he used admin:1234, which failed; later he got admin access using the credentials nqzva:jQCNniEvTX (the hint "Base" refers to the Base64 of the Basic Authorization header, which Wireshark has already decoded here).
Now we are through the first layer; next, as the hint says, it's a Caesar shift.

EMCDefendersleague2013 week-1 challenge-3 solution

File can be downloaded here : https://db.tt/s2niLU2s

Challenge 3 :
question : Everybody loves HTML. It’s good looking and all sources available. View the source, find the answer and impress us!

Hint 1:Decode and find the logic.

file name : Contest3.sample.gz

I hope you remember from my last post how to decompress a gzip file:
gzip -d Contest3.sample.gz gives you the file.

Running file on the extracted file tells us it's an HTML document.
file Contest3.sample
result: Contest3.sample: HTML document text

So rename Contest3.sample to Contest3.html.
Opening it in a browser gives you this:


The logic is an arithmetic calculation on a number where the result must be zero: 30-10-10-10=0, but it can be anything, 40-20-10-10 works as well.

EMCDefendersleague2013 week-1 challenge-2 solution

This is a continuation of my previous post. This one is about week-1 challenge-2.

File for this challenge can be downloaded here : https://db.tt/s2niLU2s

Challenge-2

question : While performing an incident response, the team obtained a rather strange looking file. We need help in analyzing its content.
file name : Contest2.sample

This is about firmware analysis.
Running the file command on Contest2.sample.gz shows that it's gzip (file Contest2.sample.gz):
result: Contest2.sample.gz: gzip compressed data, from Unix, last modified: Thu Sep 12 14:18:08 2013, max compression

Hence we decompress it using the command
gzip -d Contest2.sample.gz
and get the real data file, which has to be analysed as firmware.


Commands after you have put the binwalk package (binwalk-1.2.2-1.tar.gz) on your Linux desktop:
Step 1: tar -zxvf binwalk-1.2.2-1.tar.gz
Step 2: cd binwalk-1.2.2-1
Step 3: cd src
Step 4: chmod +x debian_quick_install.sh
Step 5: ./debian_quick_install.sh
Step 6: open a new terminal and type binwalk -e Contest2.sample (this is the file after decompression)
Step 7: cd _Contest2.sample.extracted/
Step 8: cat 1*

There you go. Do you see the flag?

Scroll down a bit and you can see this:
Here you go: IhPEvuAKhEVMyJFCFPyN

the flag is IhPEvuAKhEVMyJFCFPyN

EMCDefendersleague2013 week-1 challenge-1 solution

Hi, this is my first CTF write-up; hope you like it.

This is a recent CTF called EMCDefendersLeague2013. It was nice playing it: an Indian-style CTF and only for Indians :-p

Anyway, let's get to the job. There were three weeks, each with a difficulty rating: week-1 was beginner, week-2 intermediate and week-3 hard. Today I am writing only on week-1; later I will write on the week-2 challenges. Now let's begin!!!

All files for week-1 challenges can be downloaded here  :  https://db.tt/s2niLU2s
Week-1

Challenge-1 :
Debug Debug Debug
file name : Contest1.sample

Running the file in Wine gives the flag. According to my analysis it would be because of a library which is missing on Windows. I'm not sure, but if you run the file in Wine you get the flag.

Check this out :


For those who don't know about Wine: http://winetools.org/
You can install it on your Linux system by opening a terminal and typing apt-get install wine (as root, or with sudo).