{"id":1172,"date":"2019-12-22T20:08:04","date_gmt":"2019-12-22T20:08:04","guid":{"rendered":"http:\/\/sigterm.ch\/?p=1172"},"modified":"2019-12-22T20:08:04","modified_gmt":"2019-12-22T20:08:04","slug":"hackvent-2019-write-up","status":"publish","type":"post","link":"https:\/\/sigterm.ch\/?p=1172","title":{"rendered":"HACKvent 2019 write-up"},"content":{"rendered":"\n

HACKvent\u2026 Initially, I didn’t want to participate at all – or at least not go all in and solve every challenge in time. I started solving the first ones and as the challenges became harder and of course more interesting I got more and more hooked. In the end I did solve them all, and in time.<\/p>\n\n\n

A big part of the CTF are interactions and discussions with other participants. Thanks and shouts to ludus<\/strong>, jokker<\/strong>, 0xI<\/strong>, multifred, veganjay<\/strong> and others for the good discussions, support and motivation!<\/p>\n\n\n

This year the event ran on the brand new Hacking Lab 2.0. There are still some minor issues, like the responsive design which can be optimized. The session timeout was a bit short for my taste, but hey Security! \ud83d\ude04 Issues which occurred with some challenges were not Hacking Lab 2.0 related. All in all I got a very good impression of the new HL. <\/p>\n\n\n

I will never understand how the ranking works in Hacking-Lab. There were three different rankings (the one in the registered event, a public one<\/a> and a statistics page<\/a>) and all three seemed to have a different ordering. \ud83d\ude05 Two of the rankings are shown in the print-screens below. The black & green statistics page is probably the most accurate one. At least with the diff in minutes to the fastest perfect scorer the ranking looks about right.<\/p>\n\n\n

I am very happy to have finished HACKvent as perfect scorer!<\/p>\n\n\n

\"\"
https:\/\/ranking.academy.hacking-lab.com\/<\/a><\/figcaption><\/figure><\/div>\n\n\n\n\n\n
\"\"
https:\/\/hv19.idocker.hacking-lab.com\/<\/a><\/figcaption><\/figure><\/div>\n\n\n

HV19.01 censored (Author: M — Level: easy)<\/h1>\n\n\n

Description:<\/strong>
I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?<\/p>\n\n\n

\"\"
Censored by Santa!<\/figcaption><\/figure><\/div>\n\n\n

Solution:<\/strong>
The description already tells us the solution (Even the tiny preview icon looks clearer than this…) We can extract the thumbnail from the image to get the QR Code containing the flag:<\/p>\n\n\n

$ exiftool -b -ThumbnailImage f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg > thumb.jpg<\/pre>\n\n\n
\"\"<\/figure><\/div>\n\n\n
Flag: HV19{just-4-PREview!}<\/strong><\/p>\n\n\n
\n\n\n
HV19.02 Triangulation (Author: drschottky — Level: easy)<\/h1>\n\n\n
Description:<\/strong> 
Today we give away decorations for your Christmas tree. But be careful and do not break it.<\/p>\n\n\n
Resources:
<\/strong>a5f47ab8-f151-4741-b061-d2ab331bf641.zip<\/a><\/p>\n\n\n
Solution:<\/strong> 
I solved this one on my mobile phone with the following Android app: https:\/\/play.google.com\/store\/apps\/details?id=com.performance.meshview&hl=en<\/a> 
First, I used the ‘separate’ function and deleted the two outer layers. After these steps a QR Code became visible.<\/p>\n\n\n
\n
\"\"<\/a><\/figure><\/div>\n<\/div><\/div>\n\n\n
\n
\"\"<\/a><\/figure><\/div>\n<\/div><\/div>\n\n\n
\n
\"\"<\/a><\/figure><\/div>\n<\/div><\/div>\n\n\n
This is an Aztec Barcode which can be decoded with several tools, one being this online decoder: https:\/\/www.onlinebarcodereader.com<\/a> <\/p>\n\n\n
Flag: HV19{Cr4ck_Th3_B411!}<\/strong><\/p>\n\n\n
\n\n\n
HV19.03 Hodor, Hodor, Hodor (Author: otaku feat. trolli101 — Level: easy)<\/h1>\n\n\n
Description: <\/strong><\/p>\n\n\n
\"\"<\/figure><\/div>\n\n\n
$HODOR: hhodor. Hodor. Hodor!?  = `hodor?!? HODOR!? hodor? Hodor oHodor. hodor? , HODOR!?! ohodor!?  dhodor? hodor odhodor? d HodorHodor  Hodor!? HODOR HODOR? hodor! hodor!? HODOR hodor! hodor? !\nhodor?!? Hodor  Hodor Hodor? Hodor  HODOR  rhodor? HODOR Hodor!?  h4Hodor?!? Hodor?!? 0r hhodor?  Hodor!? oHodor?! hodor? Hodor  Hodor! HODOR Hodor hodor? 64 HODOR Hodor  HODOR!? hodor? Hodor!? Hodor!? .\nHODOR?!? hodor- hodorHoOodoOor Hodor?!? OHoOodoOorHooodorrHODOR hodor. oHODOR... Dhodor- hodor?! HooodorrHODOR HoOodoOorHooodorrHODOR RoHODOR... HODOR!?! 1hodor?! HODOR... DHODOR- HODOR!?! HooodorrHODOR Hodor- HODORHoOodoOor HODOR!?! HODOR... DHODORHoOodoOor hodor. Hodor! HoOodoOorHodor HODORHoOodoOor 0Hooodorrhodor HoOodoOorHooodorrHODOR 0=`;\nhodor.hod(hhodor. Hodor. Hodor!? );<\/pre>\n\n\n
Solution: <\/strong>
After some googling I found that there is a Hodor programming language<\/a>… There is an online tool which can run many different programming languages, Hodor included: https:\/\/tio.run\/#hodor<\/a><\/p>\n\n\n
Awesome, you decoded Hodors language!\nAs sis a real h4xx0r he loves base64 as well.\nSFYxOXtoMDFkLXRoMy1kMDByLTQyMDQtbGQ0WX0=<\/pre>\n\n\n
The Flag is Base64 encoded and can be decoded with CyberChef<\/a>.<\/p>\n\n\n
Flag: HV19{h01d-th3-d00r-4204-ld4Y}<\/strong><\/p>\n\n\n
\n\n\n
HV19.04 password policy circumvention (Author: DanMcFly — Level: easy)<\/h1>\n\n\n
Description<\/strong>: 
Santa released a new password policy (more than 40 characters, upper, lower, digit, special).
The elves can’t remember such long passwords, so they found a way to continue to use their old (bad) password:<\/p>\n\n\n
merry christmas geeks<\/pre>\n\n\n
Resources:
<\/strong>6473254e-1cb3-444e-9dac-5baeaaaf6d11.zip<\/a><\/p>\n\n\n
Solution<\/strong>: 
The ZIP archive contains an AutoHotKey<\/a> file.<\/p>\n\n\n
$ cat HV19-PPC.ahk\n::merry::\nFormatTime , x,, MM MMMM yyyy\nSendInput, %x%{left 4}{del 2}+{right 2}^c{end}{home}^v{home}V{right 2}{ASC 00123}\nreturn\n::christmas::\nSendInput HV19-pass-w0rd\nreturn\n:*?:is::\nSend - {del}{right}4h\n:*?:as::\nSend {left 8}rmmbr{end}{ASC 00125}{home}{right 10}\nreturn\n:*?:ee::\nSend {left}{left}{del}{del}{left},{right}e{right}3{right 2}e{right}{del 5}{home}H{right 4}\nreturn\n:*?:ks::\nSend {del}R3{right}e{right 2}3{right 2} {right 8} {right} the{right 3}t{right} 0f{right 3}{del}c{end}{left 5}{del 4}\nreturn\n::xmas::\nSendInput, -Hack-Vent-Xmas\nreturn\n::geeks::\nSend -1337-hack\nreturn<\/pre>\n\n\n
The AHK file can be loaded with AutoHotkey. The scripts recognizes the pressed keys and replaces “merry christmas geeks” with a valid password. The valid password is the flag we are looking for. It is important not to type too fast, otherwise AutoHotkey will not replace the password correctly. But when done right, the flag appears:<\/p>\n\n\n
Flag: HV19{R3memb3r, rem3mber – the 24th 0f December}<\/strong><\/p>\n\n\n
\n\n\n
HV19.05 Santa Parcel Tracking (Author: inik — Level: easy)<\/h1>\n\n\n
Description:<\/strong> 
To handle the huge load of parcels Santa introduced this year a parcel tracking system. He didn’t like the black and white barcode, so he invented a more solemn barcode. Unfortunately the common barcode readers can’t read it anymore, it only works with the pimped models santa owns. Can you read the barcode<\/p>\n\n\n
\"\"<\/figure><\/div>\n\n\n
Solution:<\/strong> 
The flag is hidden in the colors of the barcode. The blue value out of RGB is the character code of the hidden message. I created a python script, which reads the image pixel by pixel from left to right and gets the message hidden in the image.<\/p>\n\n\n
from PIL import Image\nim = Image.open('code.png','r')\nwidth, height = im.size\npix_val = list(im.getdata())\nres = \"\"\nlast = \"\"\ncounter = 0\nwhile counter <= width:\n    x = pix_val[counter][2]\n    if x >= 32 and x <= 132 and x != last:\n        res += chr(x)\n    last = x\n    counter += 1\nprint(res)<\/pre>\n\n\n
$ python sol.py\nX8YIOF0ZP4S8HV19{D1fficult_to_g3t_a_SPT_R3ader}S1090OMZE0E3NFP6E<\/pre>\n\n\n
Flag: HV19{D1fficult_to_g3t_a_SPT_R3ader}<\/strong><\/p>\n\n\n
\n\n\n
HV19.06 bacon and eggs (Author: brp64 — Level: easy)<\/h1>\n\n\n
Description: <\/strong><\/p>\n\n\n
\"\"<\/figure><\/div>\n\n\n
F<\/em>ran<\/em>cis Bacon<\/em> w<\/em>as<\/em> a<\/em>n Eng<\/em>lish phi<\/em>los<\/em>op<\/em>her an<\/em>d s<\/em>tate<\/em>sma<\/em>n wh<\/em>o serve<\/em>d a<\/em>s Att<\/em>orn<\/em>ey Gene<\/em>ral and as L<\/em>ord<\/em> Ch<\/em>ance<\/em>ll<\/em>or of En<\/em>gl<\/em>and<\/em>. His<\/em> w<\/em>orks are<\/em> cred<\/em>ite<\/em>d with<\/em> de<\/em>velo<\/em>ping<\/em> t<\/em>he<\/em> scie<\/em>nti<\/em>fic met<\/em>hod and rem<\/em>ained<\/em> infl<\/em>uen<\/em>tial<\/em> throu<\/em>gh t<\/em>he scien<\/em>tific r<\/em>evo<\/em>lu<\/em>tio<\/em>n. B<\/em>aco<\/em>n has<\/em> b<\/em>ee<\/em>n cal<\/em>led th<\/em>e f<\/em>athe<\/em>r of<\/em> empiric<\/em>is<\/em>m. Hi<\/em>s wor<\/em>ks arg<\/em>ued for the<\/em> possi<\/em>bili<\/em>ty<\/em> of sc<\/em>ien<\/em>tific<\/em> kno<\/em>wledg<\/em>e ba<\/em>sed<\/em> only<\/em> up<\/em>on in<\/em>duc<\/em>ti<\/em>ve r<\/em>eas<\/em>oning<\/em> a<\/em>nd caref<\/em>ul<\/em> obs<\/em>erv<\/em>ation of<\/em> e<\/em>ve<\/em>nts<\/em> in na<\/em>ture<\/em>. Most<\/em> i<\/em>mport<\/em>ant<\/em>ly<\/em>, he<\/em> argue<\/em>d sci<\/em>enc<\/em>e could<\/em> b<\/em>e a<\/em>chi<\/em>eved by use<\/em> of a s<\/em>cep<\/em>tical<\/em> and<\/em> met<\/em>hodi<\/em>cal<\/em> a<\/em>pproa<\/em>ch wher<\/em>eby s<\/em>cientists<\/em> aim<\/em> to<\/em> avoi<\/em>d mi<\/em>slead<\/em>ing<\/em> themselve<\/em>s. A<\/em>lthoug<\/em>h h<\/em>is p<\/em>rac<\/em>tica<\/em>l id<\/em>ea<\/em>s about<\/em> s<\/em>uch<\/em> a<\/em> m<\/em>eth<\/em>od, t<\/em>he Ba<\/em>coni<\/em>an metho<\/em>d, di<\/em>d not<\/em> have a<\/em> lo<\/em>ng<\/em>–la<\/em>st<\/em>ing i<\/em>nfluenc<\/em>e, th<\/em>e g<\/em>ene<\/em>ral i<\/em>dea of<\/em> t<\/em>he impo<\/em>rtan<\/em>ce and poss<\/em>ib<\/em>ilit<\/em>y of<\/em> a sc<\/em>epti<\/em>cal methodology makes Bacon the father of the scientific method. This method was a new rhetorical and theoretical framework for science, the practical details of which are still central in debates about science and methodology.<\/p>\n\n\n
Bacon was the first recipient of the Queen’s counsel designation, which was conferred in 1597 when Elizabeth I of England reserved Bacon as her legal advisor. After the accession of James VI and I in 1603, Bacon was knighted. He was later created Baron Verulam in 1618 and Viscount St. Alban in 1621. Because he had no heirs, both titles became extinct upon his death in 1626, at 65 years. Bacon died of pneumonia, with one account by John Aubrey stating that he had contracted the condition while studying the effects of freezing on the preservation of meat. He is buried at St Michael’s Church, St Albans, Hertfordshire.<\/p>\n\n\n
Born: January 22\nDied: April 9\nMother: Lady Anne\nFather: Sir Nicholas\nSecrets: unknown      \t \t  \t \t    \t    \t   \t       \t  <\/pre>\n\n\n
Solution<\/strong>: 
According to the description and title it is clear that the Bacon Cipher <\/a>was applied to this text. <\/p>\n\n\n