CTF Hack Dat Kiwi Writeups


I participated in the CTF Hack Dat Kiwi, held on 19th and 20th November 2015 and organized by Abius X. Let me tell you, this was one of the finest CTFs I've ever participated in.
Everything was awesome and well organised.

I solved a few challenges and finished at rank 234 on the scoreboard http://hack.dat.kiwi/scoreboard (Handle: Transformers).


  • SSL_Sniff 1 (50 points)

A Wireshark capture file (dump.pcap) was given; it can be found at
https://www.dropbox.com/s/85f7kipys931m8n/dump.pcap?dl=0




Reading dump.pcap can be done in 2 ways:
1) Open dump.pcap in Wireshark
2) Read it with tcpdump

I chose the second option (Ref: http://serverfault.com/questions/38626/how-can-i-read-pcap-files-in-a-friendly-format)

The command used to read the pcap file with tcpdump is (-r reads from the file, -n skips name resolution, -s 0 uses the full snap length and -A prints each packet's payload as ASCII, which is enough to spot a flag sent in clear text):
tcpdump -qns 0 -A -r dump.pcap



It gave me the flag { Key-Is-dUs1mKl4 }
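What tcpdump -A does here, walking the capture packet by packet and dumping the bytes as text, can be reproduced with a few lines of Python. This is an added example and not part of the original writeup: it parses the classic libpcap file format directly (both byte orders) and searches every packet's raw bytes for a flag in the { Key-Is-... } format; the capture it builds is a constructed sample, not the real dump.pcap, and its payloads are plain bytes rather than real Ethernet frames.

```python
import re
import struct

# Regex for the flag format used in this CTF, e.g. "{ Key-Is-... }"
FLAG_RE = re.compile(rb"\{\s*Key-Is-[^}]*\}")


def iter_packets(pcap):
    """Yield the raw bytes of each packet in a classic libpcap file."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":          # little-endian file (magic 0xa1b2c3d4)
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":        # big-endian file
        endian = ">"
    else:
        raise ValueError("not a libpcap file (unknown magic)")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def find_flags(pcap):
    """Return every flag-looking string found in any packet of the capture."""
    found = []
    for pkt in iter_packets(pcap):
        found.extend(m.decode("ascii", "replace") for m in FLAG_RE.findall(pkt))
    return found


def build_sample_pcap():
    """Constructed sample capture (not the real dump.pcap) with one flag in a packet."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    payloads = [  # raw bytes standing in for frames; the scan does not parse headers
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"HTTP/1.1 200 OK\r\n\r\nflag: { Key-Is-CONSTRUCTED }\r\n",
    ]
    packets = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in payloads)
    return header + packets


if __name__ == "__main__":
    print(find_flags(build_sample_pcap()))
```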

***********************************************************************************
  • SSL_Sniff 2 (120 points)

There was a Wireshark capture file client.pcap containing SSL requests and responses. The server's private key (server.key.insecure) was also given.
I've shared both challenge files on my Dropbox: https://www.dropbox.com/s/6egaxti7t80b7fk/SSLSniff2.zip?dl=0




Googling a bit, I came to know that SSL traffic can be decrypted in Wireshark using the server's private key. (This only works because the capture uses the RSA key exchange, where the pre-master secret is encrypted to the server's key; with an ephemeral Diffie-Hellman key exchange the private key alone would not recover the session keys.)

1) Open client.pcap in Wireshark.
2) Go to Edit -> Preferences, expand Protocols and search for SSL.

3) Click the RSA keys list Edit... button and configure it (server address, port, protocol and the path to server.key.insecure) as shown below.

4) Click OK and then Apply.
5) The SSL traffic is now decrypted and shown as below.


This is how I got the key { 39u7v25n1jxkl }

*********************************************************************************

Phone_Lock 1 (50 points)

We are given a dialpad with the digits 0-9 and have to find the 4-digit code that unlocks the phone.
Looking at the page source, I saw the following JavaScript:

salt="8ac6a49d2c8efcce6537a00882cafa00";
valid="0f2e193d8d478abc41dff75e4849b138";
if(md5(salt+answer)==valid)

Straight away we can see that the salt and the valid hash are given, and we have to find the answer whose salted MD5 matches.

My JavaScript code to get the answer:

// To create a random 4-digit number (note: shuffling the ten distinct digits
// can never produce a code with a repeated digit such as 1122)
function random4Digit(){
  return shuffle( "0123456789".split('') ).join('').substring(0,4);
}
function shuffle(o){
    for(var j, x, i = o.length; i; j = Math.floor(Math.random() * i), x = o[--i], o[i] = o[j], o[j] = x);
    return o;
}

// Logic to get the answer (md5() comes from md5.js, see the note below)
function getResult()
{
  var salt="8ac6a49d2c8efcce6537a00882cafa00";
  var valid="0f2e193d8d478abc41dff75e4849b138";
  var answer;
  for(var i=0; i<10000 ; i++)    // Try a random 4-digit number 10000 times
  {
    answer = random4Digit();     // was "no = random4Digit()", which left answer undefined
    if(md5(salt+answer)==valid)
    {
      alert("Matched");
      alert("No is : "+answer);
      alert("Flag is: "+md5(salt+answer+answer));
      return ;
    }
  }
}

Note: along with the above code I had to include md5.js, which provides the md5() function.
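The random approach above can miss codes (it never generates a repeated digit and 10000 random draws do not cover all 10000 codes), so the reliable way is to try every code 0000..9999 exactly once. Below is an added example of that, not code from the original writeup; it uses the salt and valid hash from the page and the same md5(salt + answer) check, and make_target is a helper I added to build a known hash for the self-test.

```python
import hashlib

# Values taken from the challenge's page source
SALT = "8ac6a49d2c8efcce6537a00882cafa00"
VALID = "0f2e193d8d478abc41dff75e4849b138"


def check(salt, code, target):
    """The page's test: md5(salt + answer) == valid."""
    return hashlib.md5((salt + code).encode()).hexdigest() == target


def find_code(salt, target):
    """Try every 4-digit code 0000..9999 once; return the match or None."""
    for n in range(10000):
        code = "%04d" % n            # zero-padded, so 0042 and 1122 are both covered
        if check(salt, code, target):
            return code
    return None


def make_target(salt, code):
    """Helper (added for the self-test): the hash the page would hold for a known code."""
    return hashlib.md5((salt + code).encode()).hexdigest()


if __name__ == "__main__":
    code = find_code(SALT, VALID)
    print("code:", code)
    if code is not None:
        # the page derives the flag as md5(salt + answer + answer)
        print("flag:", hashlib.md5((SALT + code + code).encode()).hexdigest())
```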


Got the code. Now enter the code to unlock the phone.


This is how I got the flag.

********************************************************************************

Vigenere 1 (Crypto) (50 Points)

Question:

Basically, you enter a plaintext string and the corresponding ciphertext is generated.


The challenge is to find the key of a Vigenère cipher using a chosen-plaintext attack.
"Chosen plaintext attack: The attacker can specify his own plaintext and encrypt or sign it. He can carefully craft it to learn characteristics about the algorithm. For example he can provide an empty text, a text which consists of one "a", two "aa", ... For example: if the Vigenère cipher is used, it is very easy to extract the key length and recover the key by repeating one letter."

A bit of background on the Vigenère cipher:

Encryption with the Vigenère cipher:

Plaintext: ATTACKATDAWN
Key: LEMONLEMONLE    //Key is LEMON which is repeated to match the length.
Ciphertext: LXFOPVEFRNHR
For example, the first letter of the plaintext, A, is paired with L, the first letter of the key. So use row L and column A of the Vigenère square, namely L. Similarly, for the second letter of the plaintext, the second letter of the key is used; the letter at row E and column T is X. The rest of the plaintext is enciphered in a similar fashion.

Decryption with the Vigenère cipher:

Decryption is performed by going to the row in the table corresponding to the key, finding the position of the ciphertext letter in this row, and then using the column's label as the plaintext. For example, in row L (from LEMON), the ciphertext L appears in column A, which is the first plaintext letter. Next we go to row E (from LEMON), locate the ciphertext X which is found in column T, thus T is the second plaintext letter.

Let's enter a series of A's and check.


For the letter A, the Vigenère square table is:




It is observed that the string "KIWIKI" repeats in the ciphertext. This is expected: A is shift 0, so encrypting A under key letter k gives k itself, and the ciphertext of a run of A's is just the key repeated.
Confirming this with the Vigenère square table, we get the key as { KIWIKI }
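The chosen-plaintext recovery above, carried through in code as an added example (not part of the original writeup): a Vigenère encrypt/decrypt pair checked against the ATTACKATDAWN/LEMON example, a constructed oracle standing in for the challenge page with the key KIWIKI, and recover_key, which feeds the oracle a run of A's and takes the shortest repeating period of the result as the key.

```python
import string

A = string.ascii_uppercase


def vigenere_encrypt(plaintext, key):
    """Classic Vigenère: shift each plaintext letter by the matching key letter."""
    out = []
    for i, p in enumerate(plaintext):
        k = key[i % len(key)]
        out.append(A[(A.index(p) + A.index(k)) % 26])
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Inverse: subtract the matching key letter from each ciphertext letter."""
    out = []
    for i, c in enumerate(ciphertext):
        k = key[i % len(key)]
        out.append(A[(A.index(c) - A.index(k)) % 26])
    return "".join(out)


def smallest_period(s):
    """Shortest prefix of s that, repeated, reproduces s."""
    for n in range(1, len(s) + 1):
        if all(s[i] == s[i % n] for i in range(len(s))):
            return s[:n]
    return s


def recover_key(encrypt_oracle, probe_len=24):
    """Chosen-plaintext attack: A is shift 0, so E('AAAA...') is the key repeated.
    probe_len should be at least twice the expected key length so the period is clear."""
    stream = encrypt_oracle("A" * probe_len)
    return smallest_period(stream)


def challenge_oracle(plaintext):
    """Constructed stand-in for the challenge page, which encrypted with key KIWIKI."""
    return vigenere_encrypt(plaintext, "KIWIKI")


if __name__ == "__main__":
    print(challenge_oracle("A" * 12))   # KIWIKIKIWIKI
    print(recover_key(challenge_oracle))  # KIWIKI
```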

******************************************************************************
