Nullcon HackIm 2014 Forensics-4

This challenge made a good steganographer for jpg images.It took 5-6 hours to solve this coz i was stuck with the passwords.

Question :

A suspicious image was found on the desktop. Our investigator suspects something is hidden.

Hint: remove i from it.

tools i used : Stegsolve,Stegdetect,Invisible secrets 4

Extract the image from autopsy which is in desktop.that is nullcon.jpg

Stegsolve will show that RGB splitting you find a eiffel tower image.So now we have the password "eiffel".Ooops look at the hint.It says remove i from it.So the password is "effel".

Nullcon HackIm 2014 Forensics-3

Question : There was a network traffic dump on the machine. The dump suggests an attack being carried out on a target. As per the client’s information the attack was performed from china (he says that the system was located in china when attack was carried out). Our investigator thinks otherwise. Can you find out the location from where the attack was carried out.

Wireshark is the tool.I used export feature in that and found geo.html interesting.

Look at that the location "failed".So I thought accessing Html5demos and i used tamper data to look how it is accessing the location.There was a javascript file named "ViewportInfoService.GetViewportInfo?1m6&1m2&1d24.56320627014958&2d73.6366821305144......." which by looking itself can be understood that its accessing the geo co-ordinates..It access 4 co-ordinates to make the place accurate..
Now in the challenge i looked at the javascript file and i got four co-ordinates like this :
[24.60706913770969,73.564453125],[24.68695241199915,73.740234375],[24.52713482259781,73.564453125],[24.60706913770969,73.740234375]

By googling we find a place near udaipur.Admins had released a hint in IRC that the name was suffixed with scheme.Now it wasnt so difficult.It was "Ambamata Scheme".

FLAG : Ambamata Scheme 

Nullcon HackIm 2014 Forensics-1

This was the main hunt for me in HackIm.. Downloaded a 2GB image file and got started with a tool called autopsy..

link for image : http://sourceforge.net/projects/nullconctf2014/?source=directory

autopsy download link : http://www.sleuthkit.org/autopsy/download.php

Question : Please download the HackIM image to solve all the forensics level challenges.

Checksum for the HackIM image:
MD5: 71d16cda80ef801d33286825aaf70033
SHA1: 62bbd7babaa409991f7ab1cdb12ac70518dbaffa

Password to extract HackIM image is: "synergyNull2014sdf"

The Client complained that whenever he boots up the machine, all files in his document folder automatically gets deleted. Can you identify the culprit executable process doing this?

Well technically i only know that boot files are in system32 folder.In autopsy you can see the recent accessed files.so while loking at it i also found files required for other challenges.

Now after trial and error i found somewer below in the same recent files folder Ntbackup.exe and it was the flag.

Nullcon HackIm 2014 Misc-3

Question : What you hear is not what you always hear. Channel your energy in finding the unknown.

Link : http://ctf.nullcon.net/data/2014/lev/misc/Level3.mp3

This was the easiest one.

Load the mp3 in audacity.We can easily notice that the effect was reversed.

Go to Effect->reverse now you can use the morse code if u have observed as soon as you have loaded the file.

This is the morse code extracted : ".. .-.. --- ...- . --. --- .- -.-.-- -. ..- .-.. .-.. -.-. --- -. ..--- ----- .---- ....- .. ... .- .-- . ... --- -- . -.-.-- -.-.--"

after decoding the morse code we get ILOVEGOA!NULLCON2014ISAWESOME!!

FLAG : ILOVEGOA!NULLCON2014ISAWESOME!!

Nullcon HackIm 2014 Misc-2

Question : Tracked sam in level 1? Cool. But now you more details. His USB drive gave you a swf file. Now, think like level 1, but more like a pro, and find his email id.

Well Its simple as it looks..
Just a swf to xml will do the job..

Link : http://ctf.nullcon.net/data/2014/lev/misc/Level2.swf

I installed a software called swfmill
Command i used : swfmill.exe swf2xml Level2.swf Level2.xml

we get a error which is a hex code : %68%74%74%70%3a%2f%2f%62%69%74%2e%6c%79%2f%31%61%4c%49%59%76%57

after converting the hex to ascii we get a link http://bit.ly/1aLIYvW which is a apk file.

Now after a long time waiting for a apk reversing i got this :-)

First method is renaming it to rar and extracting the contents will give 1 folder and 3 files namely res,resources.arsc,classes.dex,AndroidManifest.xml

i got a email in about.xml and it was this research@foundstone.com  which was wrong.Now only thing left out was classes.dex i used dex2jar to convert classes.dex to a jar file so that i can use jar file to see the java files.
I used JD(Java Decompiler) to get the java files.I found the email in com-service->Loginservice
Email was : sam0908nlu771@gmail.com

FLAG : sam0908nlu771@gmail.com

Nullcon HackIm 2014 Misc-1

This was sooo fun.trust me..was ma first solve after trivia in the competition.
Question : Sam has parked his car in front of a store. Find the name of the store.
Link : http://ctf.nullcon.net/data/2014/lev/misc/Level1.pcap

Well straight forward..extract the only object which was shared..that is nullCTF.png..Wireshark was the tool i used..

Click to enlarge..i have written comments..Dnt miss out!!
the image looks like this..

Arghhh png I hate png stegano :-(
A hexeditor game a clue on this to learn more..
It said this somewhere in the beginning "Raw Profile type Exif"

FLAG : wellsfargo

Nullcon HackIm 2014 Reverse-1

This was a easier one though i had to dig a bit.

Question : Find the flag hidden not so deep inside.

link : http://ctf.nullcon.net/data/2014/lev/re/win32_input.zip

Ah now lets get back to work. :-)

First thing load in olly to patch it and load in IDA to understand program flow.This is my way of solving reverse engineering challenges for windows.

In IDA if u look at strings window u find this ")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T" repeated 4 times and 1 accompaning the string FLAG.By running the exe u can find that it prints out "FLAG:)T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T",so It goes to the 4th ")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T".Well now we will check what is making it print it and you can see that in olly similarly these calls before it prints the string FLAG:")T(+,*'))$&T(Y)*#(+&#+)$%'T+&#(T"

Click to enlarge..I have written comments..so check it out..
NOP the Call..

Nullcon HackIm 2014 Crypto-1

This was amazingly awesome.need really some brain.Well i got hints and solved it too.Getting hints is not bad but trading for flags is bad. :-) just a advice.

Question : dna nihilistic humanoids lost nihilistic weak cloned nihilistic dna dna nihilistic humanoids lost dna into tools dna soulless zombies dna into lost breed xenophobes lost zombies dna soulless nihilistic cloned

So what do u understand from this?? basically nothing :-D so when u dont understand things u should google around.So from a blog writer u can notice that similar words were used to built a sentence which had all alphabets in a order and in the beginning.Thats the HINT.. :-D

So take out all the first letters from the sentence and u would get a string like ..
dnhlnwcn....

Now after this was a break point.hard to guess the cipher.It was substitution cipher.Now using the technique of most occuring letters u can deduce that ,'d' was most occurred alphabet so it should either be matching to 'e' or 't' coz those are the most frequently occurred letters in english.you can work out this by googling out for a nice tutorial to solve monoalphabetic substitution cipher.

d->t n->o h->b l->e w->r c->n......

substituting , you would get a string and thats the flag

Flag : tobeornottobethatisthequestion

Nullcon HackIm 2014 trivia Challenges

Well, had a nice weekend..probably best.I felt world never existed around me.2 CTF's.
Lets get back to what happened and discuss how to solve it.
Trivia was easy enough so let me begin with that.

Question 1 : This esoteric programming language uses AWSUM THX and O NOES as error handling.

Flag : LOLCODE

Simple google or copy paste the question first result you get it.

Question 2 : What software is used to hack into ENCOM's computer system?

Flag : CLU

website : en.wikipedia.org/wiki/Tron

Question 3 : Outcome of Stealth Project to make coffee.

Flag : Java

website : www.sis.pitt.edu/~icucart/fshi/java_introduction.html‎