HACKvent 2018 write-up

Like every year, Christmas time means hacking time! I started the HACKvent journey in 2016 and it has already become something of a tradition. As usual I invested a lot of time and it was a very stressful period. I would like to thank my family and friends for the patience and support they showed, especially my wife! 🙂

I also want to thank all of you who participated in discussions and helped find solutions. It is always a great pleasure to talk to you guys! Big shouts to otaku, pjslf, veganjay, ludus, rfz, jokker, 0xI, 0x90v1! I hope I didn't forget anyone!!

HACKvent was great like every year and I would also like to thank Compass Security for organizing it! There were some hiccups this year, and so far the 2017 edition remains my favourite: the difficulty was not as hard as last year, and the variety and content of the challenges were better in 2017. I also think that ten teaser challenges, some of them really hard, counting towards the main score was too much.

And then there was muffinCTF! I love the idea behind it, and once it was finally working it was definitely an amazing part of HACKvent. The implementation was not very stable though, and it didn't seem finished when it was launched. MuffinCTF got postponed from day 16 to day 22 and was still buggy then. I (we?) lost a lot of time because of this. I understand that providing challenges for HACKvent is voluntary and takes a lot of time, probably next to another day job. Thanks for all the effort muffinx! The attack-defense CTF was great, but with a bit more testing and maybe support from others this challenge could have been so much more. Maybe this should become a new, separate hacking-lab event? Yearly summer attack-defense CTF FTW!

Let's get to the scoreboard: with all the support I mentioned in the beginning I managed to finish this year as a perfect solver! 🙂

Day 01: Just Another Bar Code (Author: DanMcFly)




Description:
After a decade of monochromity, Santa has finally updated his infrastructure with color displays. With the new color code, the gift logistic robots can now handle many more gifts:

Solution:

This was the first challenge of HACKvent and I almost got pulled into a rabbit hole. I was already reading research papers from Stanford University when I told myself to go back to the start.
After googling for the title "Just Another Bar Code" I found this website of the BSI: https://jabcode.org/.

–> HV18-L3ts-5t4r-7Th3-Phun-G33k


Day 02: Me (Author: M.G.)

Lost in translation


Description:
Can you help Santa decoding these numbers?

Solution:
This looked like a simple decimal to ASCII conversion, but unfortunately it wasn’t. Several different decodings had to be done to find the right flag:

Step 1 (Octal to ASCII):
https://www.browserling.com/tools/octal-to-text

Step 2 (Base32 decode):
https://www.dcode.fr/base-32-encoding

Step 3 (LED 14 Segment Display):
The third step was actually pretty hard to find; I stumbled across a matching image by pure luck.
https://github.com/dmadison/LED-Segment-ASCII#segment-order http://kryptografie.de/kryptografie/chiffre/14-segment.htm

–> HL18-7QTH-JZ1K-JKSD-GPEB-GJPU


Day 03: Catch me (Author: inik)

… if you can


Description:
To get the flag, just press the button.
https://hackvent.hacking-lab.com/C4tchM3_dizzle/

Print-screen of the website:

Solution:
On the linked website there was a button named "get the flag" which jumped away from the cursor whenever you tried to click it. This challenge was very easy to solve:
1. Inspect in Google Chrome
2. Set a watch on the variable “_0x766f”
3. Read out the flag from the watch.

–> HV18-pFAT-O1Dl-HjVp-jJNE-Zju8


Day 04: pirating like in the 90ies (Author: HaRdLoCk)

Ahoy, my name is Santa and I want to be a pirate!


Description:
https://hackvent.hacking-lab.com/Pirates_123/

Print-screen of the website:

Solution:
Once again, rabbit hole alarm! According to the description I was sure it had to be something related to Monkey Island. After googling for Monkey Island and three of the names appearing on the challenge website I found this image, which looked really promising:

Searching a bit further I found this awesome website: http://www.oldgames.sk/codewheel/secret-of-monkey-island-dial-a-pirate. Some manual work had to be done to enter the right years. After filling in all the boxes the flag could be collected!

–> HV18-5o9x-4geL-7hkJ-wc4A-xp8F


Day 05: OSINT 1 (Author: DanMcFly featuring the awesome R.R.)

It’s all about transparency


Description:
Santa has hidden your daily present on his server, somewhere on port 443.
Start on https://www.hackvent.org and follow the OSINT traces.

Solution:
Very cool challenge, I even learned something new! The hint points to certificate transparency, so I did some research and read about it on http://www.certificate-transparency.org/what-is-ct. There is an open log that everyone can inspect:
https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:true;domain:hackvent.org&lu=cert_search
This revealed an unknown subdomain which led to the flag: osintiscoolisntit.hackvent.org

–> HV18-0Sin-tI5S-R34l-lyC0-oo0L


Day 06: Mondrian (Author: xorkiwi)




Description:
Piet’er just opened his gallery to present his pieces to you, they’d make for a great present 🙂
https://hackvent.hacking-lab.com/Mondrian-Gallery/

Print-screen of the website:

Solution:
Another challenge which had to be solved by googling the right things…

  1. The painter's name looks suspicious, but googling for Mondrian didn't result in anything tangible.
  2. I analyzed the website; there are some hex encoded strings and debug logs, but apparently this is a trap and the wrong path.
  3. Suspicious is that we have 6 pictures, like the format of the flag..
  4. I started researching the author, found the "Piet programming language" and this nice little decoder: https://www.bertnase.de/npiet/npiet-execute.ph

–> HV18-M4ke-S0m3-R3Al-N1c3-artZ


Day 07: flappy.pl (Author: M.)




Description:
Time for a little game. It’s hardly obfuscated, I promise … 😉
https://sigterm.ch/stuff/hackvent18/flappy.pl.txt

Solution:
1. Deobfuscate the perl script:

2. Go through the source code and remove all the "last" statements in the loop.
3. Remove print elements which are not needed.

4. Run and profit

–> HV18-bMnF-racH-XdMC-xSJJ-I2fL


Day 08: Advent Snail (Author: otaku)




Description:
In cyberstan there is a big tradition to bake advent snails during advent.

Solution:
We need to "de-snail" this picture: start in the middle and follow a spiral until we get to the end. To know in which direction to spiral we can count the black pixels: a valid QR code has to start with 7 consecutive black pixels! First of all I cut out the middle of the image and created a grid in GIMP to orient myself.

The image consists of 25×25 blocks. I figured out that we start in the middle at block (13×13), go up first and then spiral to the right. I solved this challenge in Python. Here is my complete script, which creates the solution picture and also decodes the QR code directly.
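As an added illustration of the de-snailing described above (this is not the author's script, which produces the actual image), the following Python walks a clockwise spiral from the centre of an odd-sized grid, going up first, and lays the modules it collects out row by row. The assumption, taken from the write-up, is that the snail stores the QR modules in row-major order along that spiral; the sample grid with a finder pattern in the top-left corner is constructed here and is not the challenge image.

```python
# Added example: un-snailing a QR code written along a centre-out spiral.
# Grid values: 1 = black module, 0 = white module.

def spiral_path(n):
    """(row, col) cells of a clockwise spiral starting at the centre of an
    n x n grid, first step upwards (the direction found in the write-up)."""
    if n % 2 == 0:
        raise ValueError("need an odd grid size so that a centre block exists")
    r = c = n // 2
    path = [(r, c)]
    moves = [(-1, 0), (0, 1), (1, 0), (0, -1)]   # up, right, down, left
    step, d = 1, 0
    while len(path) < n * n:
        for _ in range(2):                  # every step length is walked twice
            dr, dc = moves[d % 4]
            for _ in range(step):
                r, c = r + dr, c + dc
                if 0 <= r < n and 0 <= c < n:   # last leg runs off the grid
                    path.append((r, c))
                if len(path) == n * n:
                    return path
            d += 1
        step += 1
    return path


def unsnail(snail):
    """Read the modules along the spiral and lay them out row by row
    (assumption: the snail stores the QR code in row-major order)."""
    n = len(snail)
    values = [snail[r][c] for r, c in spiral_path(n)]
    return [values[i * n:(i + 1) * n] for i in range(n)]


def snail(grid):
    """Inverse of unsnail, used here to build test input."""
    n = len(grid)
    out = [[0] * n for _ in range(n)]
    flat = [v for row in grid for v in row]
    for value, (r, c) in zip(flat, spiral_path(n)):
        out[r][c] = value
    return out


def starts_with_finder(grid):
    """Orientation check from the write-up: a QR code starts with 7
    consecutive black modules in its first row and first column."""
    return all(grid[0][i] == 1 for i in range(7)) and all(grid[i][0] == 1 for i in range(7))


def finder_pattern():
    """7x7 QR finder: black ring, white ring, 3x3 black centre."""
    return [[1 if (r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4)) else 0
             for c in range(7)] for r in range(7)]


def sample_qr(n=25):
    """Constructed 25x25 grid: deterministic filler plus a real finder pattern."""
    grid = [[int((r * 7 + c * 3) % 5 == 0) for c in range(n)] for r in range(n)]
    for r, row in enumerate(finder_pattern()):
        grid[r][:7] = row
    return grid


if __name__ == "__main__":
    qr = sample_qr()
    snailed = snail(qr)                     # what the challenge image looks like
    restored = unsnail(snailed)
    print("restored == original:", restored == qr)
    print("finder pattern in place:", starts_with_finder(restored))
```

If the finder check fails on real input, the write-up's trick applies: try the other start direction or turn sense until the first seven modules read black.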

–> HV18-$$nn-@@11-LLr0-B1ne


Day 09: fake xmass balls (Author: M.)




Description:
A rogue manufacturer is flooding the market with counterfeit yellow xmas balls. They are popping up like everywhere!
Can you tell them apart from the real ones? Perhaps there is some useful information hidden in the fakes…

Solution:
There are two Xmas balls on the page: the one indicating that it is a medium challenge, and the second one in the challenge description itself. Both images have to be downloaded. This very much smells like steganography, and I am very happy that I already know Stegsolve from previous years' challenges. 🙂 You can download Stegsolve from this website: http://www.caesum.com/handbook/stego.htm
I opened one image and played a bit with Stegsolve. I came across the Image Combiner in the Analyse menu, where I opened the second xmas ball.
SUB RGB looked almost like a QR code, but it was not readable yet.

I saved this new image and reopened it with Stegsolve. Now I was able to find the final QR code when switching to "Green Plane 0".

–> HV18-PpTR-Qri5-3nOI-n51a-42gJ


Day 10: >_ Run, Node, Run (Author: zanidd)




Description:
Santa has practiced his nodejs skills and wants his little elves to practice it as well, so the kids can get the web app they wish for.
He made a little practice sandbox for his elves. Can you break out?
Location: http://whale.hacking-lab.com:3000/

Print-screen of the website:

And the corresponding source code:

Solution:
Sandbox escape already sounds a lot like command injection. After reading a bit about the libraries used I found an interesting issue in the sandbox which basically says that the sandbox can be broken out of: https://github.com/gf3/sandbox/issues/50

Which returns the following output:

–> HV18-YtH3-S4nD-bx5A-Nt4G


Day 11: Crypt-o-Math 3.0 (Author: Lukasz_D)




Description:
Last year’s challenge was too easy? Try to solve this one, you h4x0r!

finding “a” will give you the flag.

Solution:
I was very glad that I had already done the math for this challenge last year. 🙂 The only special part was that multiple "a" exist: the first one reveals "HV18-" but the rest is not readable. To find the right "a" we take the calculated "a" and add "p" to it until we get the right flag:

The script returns this output:

Fun fact: you have to add the value "p" 1337 times to "a" to get the right result! Nice job Lukasz_D! I almost missed that because of the automated script; thanks ludus for pointing it out.
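The "add p until it reads as a flag" step, as an added example that is not the author's script and does not use the challenge parameters: a value recovered modulo p is only known up to multiples of p, so the search walks a, a+p, a+2p, … and stops at the first candidate whose bytes are printable and carry the flag prefix. The prime, the toy flag and the prefix check are constructed here for the demonstration.

```python
# Added example: lifting a residue mod p to the candidate that decodes to a flag.

PRINTABLE = set(range(0x20, 0x7F))          # printable ASCII, space included


def candidate_bytes(x):
    """Big-endian byte string of the integer x without leading zero bytes."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def looks_like_flag(data, prefix=b"HV18-"):
    return data.startswith(prefix) and all(b in PRINTABLE for b in data)


def lift_to_flag(a, p, prefix=b"HV18-", max_steps=1_000_000):
    """Return (k, flag) for the first a + k*p that reads as a flag,
    or None when max_steps candidates were tried without success."""
    x = a % p
    for k in range(max_steps):
        data = candidate_bytes(x)
        if looks_like_flag(data, prefix):
            return k, data
        x += p
    return None


# Constructed demo values (not the challenge's): reduce a toy flag modulo a
# Mersenne prime that is smaller than the flag integer, then recover it.
P = 2**89 - 1
TOY_FLAG = b"HV18-t0y-fl4g"
A = int.from_bytes(TOY_FLAG, "big") % P

if __name__ == "__main__":
    k, flag = lift_to_flag(A, P)
    print("needed", k, "additions of p ->", flag)
```

Because consecutive candidates are p apart and the prefix pins the top 40 bits of the value, at most one candidate of the expected length can match, which is why a simple prefix-and-printable check is enough to pick the right lift.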

–> HV18-xLvY-TeNT-YgEh-wBuL-bFfz


Day 12: SmartWishList (Authors: xorkiwi featuring avarx and muffinx)



Description:
Santa’s being really innovative this year! Send your wishes directly over your favorite messenger (telegram): @smartwishlist_bot
Hint(s):
– How does the bot differentiate your wishes from other people?

Solution:
I liked this challenge a lot, very innovative! It was clear very soon that it had to be some kind of SQL injection: if I submitted long wishes the Telegram bot returned a MySQL error. After a while I found that the vulnerable input was the name of the user, i.e. the name configured in the personal Telegram account.
The first step was to gather information about the database. To achieve that I altered my first and last name accordingly:

Which returned this output:

Now I knew that the interesting table is probably called "SecretStore". To read out the columns of SecretStore I changed my name to this:

The bot’s answer was:

I could also have guessed that! 🙂 The final SQL injection to read the flag was:
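As an added, defender-side example (not the bot's code and not the injection used above), the following Python shows why the display name was injectable and how a parameterised query removes the problem: the unsafe variant splices the name into the SQL text and already breaks on an ordinary name containing an apostrophe, while the safe variant stores the same name verbatim. The schema and the sqlite3 backend are constructed for this demo; the real bot used MySQL.

```python
# Added example: string-built SQL versus a parameterised query for the
# "wish list" case, using an in-memory sqlite3 database.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wishes (user_name TEXT NOT NULL, wish TEXT NOT NULL)")
    return conn


def store_wish_unsafe(conn, user_name, wish):
    # The display name becomes part of the SQL statement itself: any quote
    # character in it changes the meaning of the query.
    sql = "INSERT INTO wishes (user_name, wish) VALUES ('%s', '%s')" % (user_name, wish)
    conn.execute(sql)


def store_wish_safe(conn, user_name, wish):
    # Placeholders: the driver passes the values separately from the SQL text,
    # so the name can never be interpreted as SQL.
    conn.execute("INSERT INTO wishes (user_name, wish) VALUES (?, ?)", (user_name, wish))


def wishes_for(conn, user_name):
    rows = conn.execute(
        "SELECT wish FROM wishes WHERE user_name = ? ORDER BY rowid", (user_name,)
    )
    return [wish for (wish,) in rows]


def unsafe_rejects(user_name, wish="a sled"):
    """True when the string-built INSERT fails for this display name."""
    conn = make_db()
    try:
        store_wish_unsafe(conn, user_name, wish)
    except sqlite3.OperationalError:
        return True
    return False


def safe_roundtrip(user_name, wish="a sled"):
    """Store and read back a wish through the parameterised path."""
    conn = make_db()
    store_wish_safe(conn, user_name, wish)
    return wishes_for(conn, user_name)


if __name__ == "__main__":
    for name in ("Santa", "O'Brien"):
        print(f"{name!r}: unsafe breaks={unsafe_rejects(name)}, safe stores={safe_roundtrip(name)}")
```

The syntax error on `O'Brien` is the benign face of the same defect the bot showed with its MySQL error messages; the fix is the same in both cases, bind every user-controlled value and never concatenate it into the statement.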

–> HV18-M4k3-S0m3-R34L-N1c3-W15h


Day 13: flappy’s revenge (Author: M.)




Description:
There were some rumors that you were cheating at our little game a few days ago … like godmode, huh?
Well, show me that you can do it again – no cheating this time.
Location: telnet whale.hacking-lab.com 4242

Solution:
According to the description and the output when connecting to the telnet server I concluded that the same script as on day 7 was running. But this time we could not just alter the code to get the flag.
I thought about implementing a script which connects to the server and plays the game, but I had an hour-long train ride ahead so I just played the game! 😀 After around 40 minutes I was able to read the full flag.

–> HV18-9hYf-LSY1-hWdZ-496n-Mbda


Day 14: power in the shell (Author: HaRdLoCk)




Description:
seems to be an easy one … or wait, what?
Encrypted flag:

2A4C9AA52257B56837369D5DD7019451C0EC04427EB95EB741D0273D55

Appended was this PowerShell script:

Solution:
Interpreting the script revealed another math challenge… This was the equation to solve:

At first I thought this was RSA and read about cube root attacks, but this turned out to be a rabbit hole. It is the Rabin cryptosystem, which uses exactly this equation: https://en.wikipedia.org/wiki/Rabin_cryptosystem
After remembering http://www.factordb.com I was able to get the primes p and q out of n.

I was too lazy to implement the decryption algorithm myself, so I used and modified this Java program: https://github.com/arxenix/Rabin
I added a main method directly into Rabin.java:

–> HV18-DzKn-62Qz-dAab-fEou-ImjY


Day 15: Watch Me (Author: HaRdLoCk)




Description:
Turn on your TV! Santa will broadcast today's flag on his member channel. Can you get it without subscription?
get it here!

Solution:
This was the day on which muffinCTF should have started, but it was not ready so they postponed it to day 22. Instead we had to reverse an Apple TV binary.
The first step was to extract the .ipa file, as it is just an archive.

The interesting file is "HACKvent-2018". I analyzed it with the Hopper disassembler. The interesting part of the binary is the function "decryptFlag". Fortunately the pseudo code was pretty good and enough to reproduce the decryption.

Apparently the key is loaded and looped over character by character; in the loop the value 0x3 is added to every character code. The altered key is then used to decrypt the flag with AES.
The initial key is: “uQA-nM@=1wl\x1EbN!
Ciphertext: “xQ34V+MHmhC8V88KyU66q0DE4QeOxAbp1EGy9tlpkLw=
I created a small Python script to generate the right key and decrypt the flag.

Running the script…

–> HV18-Nc7c-VdEh-pCek-Bw08-jpM3


Day 16: Pay 100 Bitcoins (Author: inik)

… or find the flag

Description:
It changed the host. Fortunately it doesn’t do the full job … so there’s hope. Get the things straight again and find the flag.
The OS is encrypted, but you know the key: IWillNeverGetAVirus
Download the image here: local

Solution:
In my opinion the parts of this challenge were not connected very well; the consistency was somehow missing.
When starting the OVA file in VirtualBox a Petya ransomware screen was presented.

If we look closely at the personal decryption code we can read "To restore your data only xor and move blocks". But I didn't know what to do with this hint and did not use it in the end; the rest of the challenge was not connected to Petya at all.
I started a Linux live CD and mounted the encrypted disk. The password is "IWillNeverGetAVirus". The mounting part was actually the one that took me the longest: the ext4 journal was broken and therefore mounting didn't work as straightforwardly as it should have.

Now I had access to the encrypted partition and it was only about finding the flag. I browsed the usual directories "/home" and "/root". In /root there is an interesting file ".ash_history", apparently a renamed ".bash_history". If we look at the file, we see that "/etc/motd" was edited. Inside motd we find the flag.

–> HV18-622q-gxxe-CGni-X4fT-wQKw


Day 17: Faster KEy Exchange (Author: pyth0n33)




Description:
You were somehow able to intercept Santa’s traffic.
But it’s encrypted. Fortunately, you also intercepted the key exchange and figured out what software he was using…..

Download the server source code here: https://sigterm.ch/stuff/hackvent18/FasterKeyExchange.py

Solution:
Math again, yay… I wrote a Python script to calculate the missing pieces and reveal the flag.

If we run the script, we get the following output.

–> HV18-DfHe-KE1s-w44y-b3tt-3r!!


Day 18: Be Evil (Author: inik)

Only today and for this challenge, please.


Description:

Thanks to scal for the artwork!

Solution:
Very nice challenge!
Because jd-gui didn't work as expected I used this tool to decompile the jar file: http://www.benf.org/other/cfr/

With the decompiled Java files I created a new IntelliJ project. It looks like new Java classes are loaded via reflection, but the classes themselves are stored as byte arrays inside the Java files. I wrote a function to read the byte arrays and store them as new files on disk:

I call this method from the main method like this:

Now we have the class files and the PNG files, and we can run cfr.jar to decompile these new classes again.
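The extraction step, as an added example that is not the author's Java function: it scans decompiled Java source for `new byte[]{...}` literals, converts the signed Java byte values to raw bytes, classifies each blob by its magic number (`CA FE BA BE` for a class file, `\x89PNG` for an image) and writes it to disk. The sample source text is constructed here, and the literal syntax it assumes is the `new byte[]{-54, -2, ...}` form that decompilers such as CFR emit; adjust the regular expression if the decompiler in use prints the arrays differently.

```python
# Added example: pull embedded byte[] blobs out of decompiled Java source.
import os
import re

# Constructed sample of what a decompiled loader class might look like.
SAMPLE_JAVA = r"""
public class Loader {
    private static final byte[] EVIL = new byte[]{-54, -2, -70, -66, 0, 0, 0, 52, 0, 16};
    private static final byte[] ICON = new byte[]{-119, 80, 78, 71, 13, 10, 26, 10, 0, 0};
    private static final byte[] OTHER = new byte[]{(byte)1, (byte)2, (byte)3};
}
"""

ARRAY_RE = re.compile(r"new\s+byte\s*\[\s*\]\s*\{([^}]*)\}")

MAGICS = {
    b"\xca\xfe\xba\xbe": "class",   # JVM class file
    b"\x89PNG\r\n\x1a\n": "png",    # PNG image
}


def java_bytes_to_bytes(literal_body):
    """Turn comma-separated signed Java byte literals into bytes."""
    values = []
    for tok in literal_body.split(","):
        tok = re.sub(r"^\(\s*byte\s*\)", "", tok.strip())   # drop a "(byte)" cast
        if tok:
            values.append(int(tok, 0) & 0xFF)               # -54 -> 0xCA etc.
    return bytes(values)


def classify(blob):
    for magic, kind in MAGICS.items():
        if blob.startswith(magic):
            return kind
    return "bin"


def extract_arrays(java_source):
    """Return [(kind, bytes)] for every byte[] literal in the source."""
    return [(classify(b), b) for b in
            (java_bytes_to_bytes(m.group(1)) for m in ARRAY_RE.finditer(java_source))]


def write_arrays(java_source, out_dir):
    """Write each blob to out_dir as blob<N>.<kind>; returns the file names."""
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for i, (kind, blob) in enumerate(extract_arrays(java_source)):
        name = os.path.join(out_dir, f"blob{i}.{kind}")
        with open(name, "wb") as fh:
            fh.write(blob)
        names.append(name)
    return names


if __name__ == "__main__":
    for kind, blob in extract_arrays(SAMPLE_JAVA):
        print(kind, blob[:8].hex(), f"({len(blob)} bytes)")
```

Once the `.class` blobs are on disk they can be fed to cfr.jar exactly as the write-up does; the `.png` blobs open directly.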

Going through the newly created source code we can see that we could set an ENV variable to get into evil mode and get the flag. But to find the needed value for the ENV variable we would have to reverse the function. Because we have the source code, we can solve this challenge in a much easier way: I copied the decompiled class back into IntelliJ as EvilEvent2 and just call the method from the main function.

–> HV18-ztZB-nusz-r43L-wopV-ircY


Day 19: PromoCode (Author: inik)

Get your free flag


Description:
Santa is in a good mood and gives away flags for free.
Get your free flag: https://hackvent.hacking-lab.com/Pr0m0C0de_new/promo.html 

Printscreen of the website:

This looked like a web challenge at first, but WebAssembly was used: there is a JS wrapper script around a wasm (WebAssembly) file, so this was another reverse engineering challenge. The first edition of this challenge had a bug in it and was apparently very hard to solve; they released an easier challenge later that day. Fortunately I had no time to look at the challenge early and went straight for the easier one.
The webassembly file can be found in the source code of the website. I uploaded it to my server: https://sigterm.ch/stuff/hackvent18/promo.wasm.

The promo.wasm file can be decompiled but the result is really hard to read! I created pseudo C code out of promo.wasm using wasm2c from wabt: https://github.com/WebAssembly/wabt. I couldn't really work with that decompiled source code, so I compiled the generated C code with gcc using the -c flag, which skips linking and thus avoids the linker errors:

The resulting object file can be disassembled with IDA Pro and we get better results than before. Thanks rfz for providing me the IDA Pro pseudo code!

This code is much easier to read than before. I recreated the relevant algorithm:

I extracted the stack array from the binary and reversed the algorithm. For getting the flag only the loop in the middle is relevant. Here is my Python script which calculates the flag:

If we run this script, we get the promo code:

We can now enter this promo code on the website and get back the HV flag.

–> HV18-rKRV-Cg2G-jz4B-QrIy-OF9i


Day 20: I want to play a game (Author: HaRdLoCk)




Description:
Santa didn’t forget about the games this year! Ready to play?
Get your game: https://hackvent.hacking-lab.com/HaRdvent.nro

Solution:
Another reverse engineering challenge. This time we got a Nintendo Switch binary, which we can run with this emulator: https://yuzu-emu.org/

Apparently this time we have to encrypt, not decrypt. We can disassemble the file using this plugin: https://github.com/pgarba/SwitchIDAProLoader. In parallel I ran the strings command on the binary, which reveals this suspicious looking string: "shuffle*whip$crush%squeeze". The string in question is used in the function "sub_88".

I googled for "shuffle whip crush" and found that this is related to the Spritz cipher: https://github.com/edwardcunningham/spritz.
In the meantime HaRdLoCk released a hint that we don't have to go too deep and that not much assembler knowledge is needed to solve the challenge. Therefore I tried to encrypt the string with Spritz using the string in question as key. I used the Python implementation which I found on Google, but it didn't work… I checked the decompiled source code again and again. Then it hit me.

v24 holds our key, and the next variable is decimal 27. Our key is 26 chars… C, pointers, null termination! To solve this challenge we had to append \x00 to the key, and then it could easily be decrypted. That was pretty mean!!
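To make the null-termination trap concrete, here is an added Python implementation of the Spritz stream cipher (written from the Rivest/Schuldt paper; it is neither the challenge binary's code nor the implementation the author found online). It derives the keystream from the 26-byte key as read from `strings` and from the 27-byte key a C program actually hands over, and shows that the two keystreams have nothing in common. The plaintext is constructed; the key is the one from the write-up.

```python
# Added example: Spritz keystream for a key with and without the C NUL terminator.


class Spritz:
    N = 256

    def __init__(self):
        self.i = self.j = self.k = self.z = self.a = 0
        self.w = 1
        self.S = list(range(self.N))

    def _swap(self, x, y):
        self.S[x], self.S[y] = self.S[y], self.S[x]

    # --- absorbing key (and IV / data) into the sponge state ---
    def absorb(self, data):
        for b in data:
            self._absorb_nibble(b & 0x0F)   # low nibble first
            self._absorb_nibble(b >> 4)

    def _absorb_nibble(self, x):
        if self.a == self.N // 2:
            self._shuffle()
        self._swap(self.a, self.N // 2 + x)
        self.a += 1

    def absorb_stop(self):
        if self.a == self.N // 2:
            self._shuffle()
        self.a += 1

    # --- state mixing: whip, crush, shuffle ---
    def _shuffle(self):
        self._whip(2 * self.N); self._crush()
        self._whip(2 * self.N); self._crush()
        self._whip(2 * self.N)
        self.a = 0

    def _whip(self, r):
        for _ in range(r):
            self._update()
        self.w = (self.w + 2) % self.N      # keeps w odd, i.e. gcd(w, 256) == 1

    def _crush(self):
        for v in range(self.N // 2):
            if self.S[v] > self.S[self.N - 1 - v]:
                self._swap(v, self.N - 1 - v)

    def _update(self):
        S, N = self.S, self.N
        self.i = (self.i + self.w) % N
        self.j = (self.k + S[(self.j + S[self.i]) % N]) % N
        self.k = (self.i + self.k + S[self.j]) % N
        self._swap(self.i, self.j)

    def _output(self):
        S, N = self.S, self.N
        self.z = S[(self.j + S[(self.i + S[(self.z + self.k) % N]) % N]) % N]
        return self.z

    # --- squeezing keystream bytes ---
    def squeeze(self, r):
        if self.a > 0:
            self._shuffle()
        return bytes(self._drip() for _ in range(r))

    def _drip(self):
        if self.a > 0:
            self._shuffle()
        self._update()
        return self._output()


def keystream(key, length):
    s = Spritz()
    s.absorb(key)
    return s.squeeze(length)


def spritz_encrypt(key, plaintext):          # Spritz adds the keystream mod 256
    ks = keystream(key, len(plaintext))
    return bytes((m + k) & 0xFF for m, k in zip(plaintext, ks))


def spritz_decrypt(key, ciphertext):
    ks = keystream(key, len(ciphertext))
    return bytes((c - k) & 0xFF for c, k in zip(ciphertext, ks))


KEY_26 = b"shuffle*whip$crush%squeeze"      # what `strings` shows
KEY_27 = KEY_26 + b"\x00"                  # what the C code passes (27 bytes)

if __name__ == "__main__":
    print("26-byte key:", keystream(KEY_26, 8).hex())
    print("27-byte key:", keystream(KEY_27, 8).hex())
```

The first assertion in the accompanying check is the paper's published test vector for the key `ABC`, which is how you can tell a correct Spritz from a near miss before blaming the key length.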

–> HV18-Wl8b-jSu3-TtHY-ziO4-5ikM


Day 21 – Day 23: MuffinCTF (Author: muffinx featuring xorkiwi)




Description:
MuffinCTF is an attack-defense CTF within HACKvent! We got an OVA file to run as a virtual machine and an attack library. For three days every day 2 new services have been released. The services contained a lot of security vulnerabilities and the given OVA had many backdoors as well. There was a checker service which tested if your services were available. You could steal other players’ muffinCTF{flags}.
In at least 2 of the last 5 ticks (1 tick = 3 minutes) the following requirements had to be met for at least one of the two services to get the HV18 flags:

  • At least one muffinCTF{} flag has to be stolen from another player
  • Maximal defense points
  • Maximal availability points

Solution:
This was a great idea! Unfortunately it was still buggy even though it had been postponed to day 21. During the first two days the tunnel and the services were not very usable.
It was all about fixing services and attacking other players. We were provided with an attack library which made exploitation easier. When the tunnel finally was stable this challenge was actually a lot of fun! I would love to participate in an online-only attack-defense CTF.
Due to lack of time I will not describe all 6 services and all the bugs in the services and the virtual machine.
I automated as much as possible: I had scripts which restarted the tunnel (because it was still buggy), attacking was fully automated once I had implemented the exploits, and in the log files I was scavenging for new attack methods from other players. 🙂 And because the HV18 flag disappeared as soon as the criteria weren't met anymore, I even had a script checking for HV18 flags. Here is an image of my control center:

We teamed up on muffinCTF together with otaku, jokker, 0x90v1 and 0xI. Thank you guys for this fun time!
When I met the daily criteria, these three HACKvent flags were revealed. They didn't have the usual HV18 flag format at all.
HV18{muffinCTF{d4y_1_l3t_th3_g4m3s_b3g1n_st4y_c0v3r3d_f0r_m0r3_h4x_stuff}}
HV18{muffinCTF{d4y_2_g0sh_y0ur_r34lly_pwn1n_th3_stuff_l3l_g00d_b0y_g0_4h34d}}
HV18{muffinCTF{d4y_3_t3h_1337_b001s_g3t_4ll_d3m_gr0up13z_4nd_b0x3n}}


Day 24: Take the red pill, take the blue pill (Author: inik and HaRdLoCk)



Description:
Have you already taken your vitamins today? Here are some pills for your health.
https://sigterm.ch/stuff/hackvent18/redpill.zip && https://sigterm.ch/stuff/hackvent18/bluepill.zip
Hint:
it might take a minute or two until the blue pill shows its effect. blue pill manufactory is in GMT+1.

Solution:
A very big thanks to otaku who has provided this nice write-up!

The last, final day (or night) of HACKvent. We gathered together with jokker, 0xI and mcia to solve this final challenge. We have a jar file (Redpill) and an executable (Bluepill) with given encrypted flags. After a short analysis we assumed that the same PNG flag file was encrypted once with the Red- and once with the Bluepill. So we need to crack both pills to get the flag.

Redpill
When you run the jar file it needs an 8-digit serial number to be executed correctly. As we know the first 10 bytes of a PNG header, we started a brute-force session and got a unique serial for it: 45288109. This serial was also the IV for the encryption (which we found out was the Rabbit stream cipher; the crypt function can be used for en- and decryption). And luckily the key was twice the IV: 4528810945288109. We also figured out that only the last four bits of every byte are encrypted:

Bluepill
When you run the exe it needs a file starting with “‰PNG”. That also confirmed our assumption that it is an image. Unsurprisingly we saw that only the first four bits of every byte of the flag are encrypted:

So we just need the key and IV from the bluepill and we are done. The key we found in the data segment: 870589CDA87562EF3845FFD1413754D5. And the IV was derived from the filetime (131852077180000000) in a range of minus 2 minutes (as given in the hint: “it might take a minute or two until the blue pill shows its effect.”). That had to be brute-forced in millisecond steps. Big and little endian were not our friends, but jokker and 0xI successfully retrieved the IV: 1071EFFEC36ED401. Yupie! We have all keys and IVs ready for the final merge.

Red- & Bluepill
Merging the pills successfully together by taking the 4 lower bits of the bluepill and the 4 higher bits of the redpill for every byte:

gave us the final PNG image. It's hard to describe the emotions we had when seeing it. It kinda felt like Christmas:

Thank you HaRdLoCk and inik for this great challenge. ☆☆☆☆☆
For completeness, here is the source code used to get the final HV18 flag!

–> HV18-GetR-eady-4Hac-kyEa-steR


Teaser -10: ROT13 decoded URL




Description:
We are ready – r u?

follow the white rabbit …

Solution:
The code in the image is Braille text containing a link to http://bit.ly/2TJvxHt. Browsing to this link shows a QR code with the message "Rushed by…".
Apparently I had already gone too far. I inspected the network traffic and found a redirection to https://hackvent.hacking-lab.com/T34s3r_MMXVIII/index.php?flag=UI18-GAUa-lXhq-htyV-w2Wr-0yiV.

I took the flag from the URL GET parameter and encoded it with ROT13, which returns the first of 10 teaser flags.

–> HV18-TNHn-yKud-uglI-j2Je-0lvI


Teaser -9: Morse code




Solution:
If we browse to https://hackvent.hacking-lab.com/T34s3r_MMXVIII/index.php?flag=HV18-TNHn-yKud-uglI-j2Je-0lvI we get a PDF file. We download the PDF and open it with LibreOffice, where we can remove the layers and inspect the PDF a bit better. There we find Morse code written in white on a white background. Sneaky!
.... ...- .---- ---.. -....- --. --- .-. .. -....- --.. .-. ... -... -....- ..- ..-. .- . -....- - ... -.... -.-. -....- -.-. ...- - -
We can decode the Morse code with this website: https://www.dcode.fr/morse-code

–> HV18-GORI-ZRSB-UFAE-TS6C-CVTT


Teaser -8: Stereogram




Solution:
Still working on the PDF in LibreOffice. Behind the image there is a layer with a stereogram; with LibreOffice this can easily be extracted. We can get the hidden image with this website: http://magiceye.ecksdee.co.uk/

I had to scale the image and change the colors in GIMP to make it scannable (Select by Color -> black; Select invert; Edit -> Fill with background color).


Teaser -7: QR3C.png




Solution:
The PDF file contained many other teaser challenges. The first step to access those challenges was to extract them using binwalk:

This teaser challenge was about the file QR3C.png

To get the final QR code I extracted the 3 different color layers (RGB) and saved them as separate images. I found this awesome website to read data from partial QR codes: https://merricx.github.io/qrazybox/
The red and green layers could be read easily and gave me two thirds of the flag: HV18-3I5a-Rnrl-s28r-
Blue was a bit harder, but by activating the experimental sequence analysis on the same website and following the description of how to read a QR code it was still possible:

–> HV18-3I5a-Rnrl-s28r-SRHj-Lhzx


Teaser -6: old_school.jpg




Solution:
From now on we are always working with the files extracted from the PDF, as described in teaser challenge -7.
The image old_school.jpg was obviously a punch card, IBM 029.

Unfortunately I could not find a punch card reader which supported this image, so I had to do some manual steps to get the flag. Thanks to rfz I found this online punch card emulator: http://tyleregeto.com/article/punch-card-emulator. Super annoying, but I had to copy the code into the emulator to get the flag.

–> HV18-0LD$-SCH0-0L1S-4W3S-0M3!


Teaser -5: quickresponse.txt




Solution:
The file was inside the RAR archive among the files extracted from the PDF, but it could only be extracted on Windows because it was embedded as an NTFS alternate data stream. This was the file in question:

Quickresponse is the long form of QR code! 😉 I was lazy and used this converter: https://bahamas10.github.io/binary-to-qrcode/

–> HV18-Idwn-whWd-9sNS-ScwC-XjSR


Teaser -4: teaser.pls




Solution:
File in question:

PLS is Oracle PL/SQL. The most important information in the teaser.pls file is the hint to the Wrap function: https://docs.oracle.com/cd/B28359_01/appdev.111/b28370/wrap.htm

But it can be unwrapped: https://www.codecrete.net/UnwrapIt/

This is pretty straightforward to read and can easily be reversed.

–> HV18-7389-H0b0-HODL-2969-F0m0


Teaser -3: Santa.txt




Solution:
File in question:

According to the hints in the text we have a classic cipher (tool-less encryption) and most likely need more than one key to decrypt the message.
Honestly, this took me a long time to solve. Over a timeframe of multiple days I tried all sorts of encryption algorithms and tools. In the end I found the right tool and algorithm: I could solve it with the transposition cipher, but only with CrypTool on Windows! Apparently in CrypTool for Windows the transposition cipher can be used together with permutation, which worked.
After trying different combinations of the keywords I found the right one: Donder and Blitzen.

–> HV17-NORT-HPOL-EMAI-NSTA-TION


Teaser -2: z.zip




Solution:
Embedded in the PDF file there is also a z.zip file, which is password protected. Only a single-character password is used. I used fcrackzip to crack the password.

But then another zip file was extracted, also password protected. This had to be solved in an automated way; all the passwords concatenated return a string with the flag.

Which resulted in something like this:

The zips with "-" dashes as password I had to unzip manually. I didn't find a method to include this in my bash one-liner. 🙂

–> HV18-WO3y-7FLk-ExvN-kDue-28JF


Teaser -1: xenon.elf




Solution:
The final file extracted from the last teaser challenge zip was xenon.elf! This was actually the hardest challenge of HACKvent for me. I had support from otaku and rfz to solve this one. Thank you guys.

I tried to generate pseudo code with the Hopper disassembler and IDA Pro, but neither gave very good results for PPC. 🙁 Therefore we really had to go through the assembler code. In the end I used Binary Ninja to work on this.

Soon it was very clear that the flag was encrypted using RC4. We had the ciphertext but needed to recreate the key. The ciphertext is loaded from the location 8001ea20 and is:

The relevant part where the key is constructed is in this loop:

The inputs for the loop are loaded from the fusesets. Apparently the hint in the assembler code "I wish I was a Devkit" led to that conclusion. Thanks otaku for helping me out here!

otaku and I created a shared Google document in which we went through the assembly instructions.

I implemented the algorithm to solve this challenge in Python:

Code in action:

–> HV18-LIBX-ENON-ISST-ILLA-LIVE


Hidden Flag #1




Solution:
Unfortunately the challenge didn't seem to be up anymore at the time of writing, so I don't include the exact console output for this one.
Last year there was a flag on a telnet server, so I tried to find similarities this year.

  • nmap -sS challenges.hackvent.hacking-lab.com
    • Open ports: 21, 22, 23
  • nc challenges.hackvent.hacking-lab.com 23
    • Santa animation like last year, but Santa says he has no flag. Clearly he is lying!
    • Store the animation to a file
  • nc challenges.hackvent.hacking-lab.com 23 | tee secret.txt
  • cat secret.txt | sed 's/[^a-zA-Z0-9]//g' | awk 'length < 2' | tr '\r\n' ' ' | tr -s ' '
    • Strip everything but alphanumeric characters from each line and keep only the lines that are left with a single character
    • This returned the string "ctrl154n1llu51on"

I didn't exactly know how to continue from this. But after a while I remembered the other ports I had found with nmap: 21 and 22. I first tried to connect via SSH but it didn't work. The second attempt was FTP with the username "santa" and the password "ctrl154n1llu51on".
The FTP login worked, but we had no rights to do directory listings. I just guessed the file name "flag":

–> HV18-PORT-scan-sARE-essn-tial


Hidden Flag #2




Solution:
This one was embedded in the OSINT challenge of day 5.

–> HV18-OSIN-Tc4n-R3V3-alIt-All1


Hidden Flag #3




Solution:
After some people found hidden flag number 3, I also started to look for it and found it embedded in day 14. Already when solving day 14 I thought the commented thumbprint was suspicious, but I didn't go after it back then.
This time I tried what I had been trying with the original day 14 challenge: decryption with RSA. I tried the different exponents 3, 5, 17, 257 and 65537. The last one worked.

–> HV18-fn8o-Az1a-cbpG-6gJd-sPkU

9 thoughts on "HACKvent 2018 write-up"

  1. Just FYI, the teaser pdf was modified on 3rd of December. Unfortunately I noticed that only after reading your write-up. This is the original (v1) pdf http://ge.tt/8VDalgt2

    Thank you for great write-up.

    • Thanks for the comment and the hint. Yeah indeed, I worked with the easier version which was released a bit later.

  2. Hey can you elaborate on Day3? I have never used watch before, and struggling to find what I am looking for when following:

    2. Set a watch on the variable “_0x766f”
    3. Read out the flag from the watch.

    • Ciao Anthony. I opened up the developer console in Google Chrome: Right click on the webpage, then inspect. There I browsed to the “Sources” tab. After inspecting the JS file, I knew about the variable “_0x766f”. On the right side in the Sources Tab you can create a watch. Just press the “+” and then add “_0x766f”. When the JS is executed then you can inspect the values of the watch. That’s all.

  3. hey mcia, congratz on perfect score!
    nice write-up! i like the way how you solved the QR3C.png. i didn’t find any tool to read corrupted qrcodes so i had to get my hands dirty…
    btw you have a typo in my nick ^^
    see ya!
