{"id":553,"date":"2017-06-03T14:40:03","date_gmt":"2017-06-03T14:40:03","guid":{"rendered":"http:\/\/sigterm.ch\/?p=553"},"modified":"2017-06-03T14:40:03","modified_gmt":"2017-06-03T14:40:03","slug":"hackyeaster-2017-write-up","status":"publish","type":"post","link":"https:\/\/sigterm.ch\/?p=553","title":{"rendered":"HackyEaster 2017 write-up"},"content":{"rendered":"

Easter 2017 – means new HackyEaster challenges are online. The challenges were easier than the ones on Hackvent 2016. For HackyEaster\u00a0all challenges are released at once and it does not matter in what time-frame the challenges are solved, this makes the CTF much less stressful than Hackvent. I\u00a0solved my last challenge on April 16th at 01:24 AM and completed the CTF after eleven\u00a0others did before me. Here is a screenshot of the ranking at the time I finished the last challenge.
\n\"\"<\/a>
\nAfter the competition ended in total 53 hackers solved all challenges and got the full points.
\n<\/p>\n

01 – Puzzle this!<\/h1>\n

\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions:\u00a0882<\/span>
\nAn easy one to start with.
\n\"\"<\/p>\n

Solution<\/h2>\n

You could actually play the game by clicking on the fields. If you were able to solve it the QR code was revealed. I started to play the game but in the end finalized the QR code with gimp, as I was faster this way. \ud83d\ude42
\n\"\"<\/p>\n

02 – Lots of Dots<\/h1>\n

\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 647
\nThe dots in the following image contain a secret message. Can you find it?
\n(click to enlarge)
\n\"\"<\/a><\/p>\n

Solution<\/h2>\n

While\u00a0examining the picture in Gimp I recognized\u00a0that the orange color has slight different specifications. The bigger dots are\u00a0RGB 232\/178\/97 and the small ones\u00a0RGB 232\/178\/98! To solve this challenge I selected one of the colors with the pipette and filled the background with it. Then I\u00a0used the “fuzzy select tool” to select a region based on the color. I just clicked somewhere inside the picture and the code was revealed:\u00a070 57 49 36 13 22 8 42
\n\"\"<\/a><\/p>\n

03 – Favorite Letters<\/h1>\n

\"\"
\nAuthor: Goo9ping<\/a>
\nLevel: easy
\nSolutions: 802
\nFrancesca’s favourite letter is s
\nRiley’s favourite letter is o
\nEllie’s favourite letter is a
\nVince’s favourite letter is p
\nQuintain’s favourite letter is r
\nOtto’s favourite letter is i
\nDavid’s favourite letter is p
\nTom’s favourite letter is l
\nPaul’s favourite letter is e
\nUlrich’s favourite letter is y
\nHenry’s favourite letter is w
\nNorman’s favourite letter is h
\nLouis’ favourite letter is i
\nZane’s favourite letter is s
\nYork’s favourite letter is c
\nBob’s favourite letter is h
\nMeave’s favourite letter is s
\nIan’s favourite letter is o
\nSidney’s favourite letter is g
\nGeorge’s favourite letter is s
\nKitty’s favourite letter is d
\nWilbert’s favourite letter is h
\nAdam’s favourite letter is t
\nXander’s favourite letter is i
\nCallum’s favourite letter is e
\nJack’s favourite letter is r<\/p>\n

Solution<\/h2>\n

This challenge can be solved with bash in 1 line:<\/p>\n

$ sort file.txt | grep -o '.$' | tr -d '\\012\\015'\nthepasswordishieroglyphics<\/pre>\n
04 – Cool Car (mobile)<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 481<\/span>
\n\"\"<\/p>\n
Solution<\/h2>\n
I downloaded and decompiled the APK. The sensors are somehow used to change the graph in the mobile app. While browsing through the source code files I found interesting code-parts in two different files:
\nps\/hacking\/hackyeaster\/android\/Activity.java:<\/strong><\/p>\n
...\nif (l >= 1000.0d) {\n    k = sha1(\"file:\/\/\/android_asset\/www\/index.html\");\n}\nthis.appView.loadUrl(\"javascript:sensorFeedback('{\\\"k\\\": \\\"\" + k + \"\\\", \\\"l\\\": \\\"\" + l + \"\\\"}')\");\n...<\/pre>\n
assets\/www\/challenge04.html:<\/strong><\/p>\n
...\nif (jsonResp.k) {\n    decryptScrambledEggWithKey(jsonResp.k);\n    clearInterval(intervalId);\n}\n...<\/pre>\n
This means ‘k’ is the key to decrypt the scrambled egg, and ‘k’ is nothing else than the sha1 sum of the string\u00a0“file:\/\/\/android_asset\/www\/index.html”. I rebuilt the java-script function which is used to decrypt the scrambled egg and got the QR code.<\/p>\n
<html>\n<script type=\"text\/javascript\" src=\"js\/crypto-js\/aes.js\"><\/script>\n<script type=\"text\/javascript\" src=\"js\/crypto-js\/sha1.js\"><\/script>\n<script type=\"text\/javascript\" src=\"js\/crypto-js\/core-min.js\"><\/script>\n<script type=\"text\/javascript\" src=\"js\/crypto-js\/enc-base64-min.js\"><\/script>\n<img class=\"eggImage\" id=\"scrambledEggImage\" \/><br \/>\n<script>\nscrambledEggCipher = 'U2FsdGVkX1+KZ3l0MlF......<truncated>......BCA5nYgqRIl7iA==';\ndecryptScrambledEggWithKey(\"d2d109036a07c1080a6e77e8063cebdc155f888b\");\nfunction decryptScrambledEggWithKey(key) {\n\tvar decrypted = CryptoJS.AES.decrypt(scrambledEggCipher, key);\n\tvar fin = 'data:image\/png;base64,' + CryptoJS.enc.Latin1.stringify(decrypted);\n\tconsole.log(fin);\n\tdocument.getElementById('scrambledEggImage')\n\t\t\t.setAttribute(\n\t\t\t\t\t'src',\n\t\t\t\t\t'data:image\/png;base64,'\n\t\t\t\t\t\t\t+ CryptoJS.enc.Latin1.stringify(decrypted));\n}\n<\/script>\n<\/html><\/pre>\n
This html page then reveals the QR code:
\n\"\"<\/p>\n
05 – Key Strokes<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 532<\/p>\n
esc i c e l a n d esc a y a n k e e space f o x\nspace esc o f l o w e r up esc $ esc i y esc e esc a\ny esc \/ l a return esc r w esc right right right\nright esc x i f r esc e esc X x x : s \/ c e \/ a g i\nc \/ return esc down d d esc i m esc Z Z<\/pre>\n
Solution<\/h2>\n
This one took me some time until I found out what to do with it. I first thought it’s a log from a keylogger. After thinking about where this could make sense, I finally figured out it is from the editor VI! After typing it exactly the way described I got the password:\u00a0magicwandfrankfoxy<\/strong>.<\/p>\n
06 – Message to Ken<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 460<\/span>
\nBarbie has written a secret message for her sweetheart Ken. Can you decrypt it?<\/p>\n
Fabrgal JaeM Hsa faonah uiff;rnl tf btuxbrffuinhzoroyhitbM Fincta dd<\/pre>\n
Hint:
\n\"\"<\/p>\n
Solution<\/h2>\n
I had no clue what to do here. After googling for “barby encryption” I came across this interesting link:\u00a0Barbie typewriter encoding<\/a>! It even has an encoder on the website which works. The decoded string is:
\nBeloved Ken. The secret password is lipglosspartycocktail<\/strong>. Barbie xx<\/p>\n
07 – Crypto for Rookies<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 458<\/span>
\nThis crypto is not hard to crack.
\n\"\"<\/p>\n
Solution<\/h2>\n
– B O N T B B O K –> http:\/\/www.dcode.fr\/dancing-men-cipher<\/a>
\n– B O N T E A O K –> Base64 encoded
\n– B O N T E B R K –> Index of the alphabet
\n– B A N T E B O K –> Rot13
\n– C O N T E B O K –> http:\/\/www.pruzkumnik.cz\/praxe\/sifry\/tabulky.html<\/a>
\n– B O N T E B O A –> Reverse string
\n– B O P T E B O K –> Caesar (rot 3)
\n– B O N Y E B O K –>\u00a0Character codes
\nAfter having decrypted all words we need to get the final password. If we keep the format exactly as in the picture and look at the columns and rows we see that in each column one character is different than the others. If we take all different characters from left to right we get the final password: CAPYBARA<\/strong><\/p>\n
08 – Snd Mny (mobile)<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 330
\n\"\"<\/p>\n
Solution<\/strong><\/h2>\n
Not much information here. I again worked with the decompiled APK and went through the code. In one java class I found what was needed to solve this challenge.
\nps\/hacking\/hackyeaster\/android\/SndActivity.java<\/strong><\/p>\n
...\nif (\"android.intent.action.SEND\".equals(action) && type != null && HTTP.PLAIN_TEXT_TYPE.equals(type)) {\n    String text = intent.getStringExtra(\"android.intent.extra.TEXT\");\n    if (text != null && \"c95259de1fd719814daef8f1dc4bd64f9d885ff0\".equals(sha1(text.toLowerCase()))) {\n        ((TextView) findViewById(C0085R.id.sndTextView)).setText(\"Thank you!!\");\n...\n}\n...<\/pre>\n
We need to send an android action.SEND intent as PLAIN_TEXT_TYPE containing a text which matches\u00a0the sha1 hash “c95259de1fd719814daef8f1dc4bd64f9d885ff0”. Cracking the sha1 hash was easy as no salt was used. The needed text is “money”.
\nWe can send Android intents from the command line with ADB:<\/p>\n
am [start|instrument]\nam start [-a <action>] [-d ]\n[-t <mime_type>] [-c <category> [-c <category>] ...]\n[-e <extra_key> <extra_value>\n[-e <extra_key> <extra_value> ...]\n[-n <component>] [-D] [<uri>]\nam instrument [-e <arg_name> <arg_value>] [-p <prof_file>] [-w] <component><\/pre>\n
I solved this challenge with the following two commands:<\/p>\n
$ adb shell\n$ am start -a android.intent.action.SEND -t \"text\/plain\" -e android.intent.extra.TEXT \"money\"<\/pre>\n
\"\"
\nI over-engineered the solution for this challenge a bit, as it would have been possible to just share the text “money” with the app in Android to solve it. \ud83d\ude42<\/p>\n
09 – Microscope (mobile)<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: easy
\nSolutions: 414
\n\"\" \"\"<\/a><\/p>\n
Solution<\/h2>\n
Another mobile challenge, again I worked with the decompiled APK.
\nps\/hacking\/hackyeaster\/android\/MicroscopeActivity.java<\/strong><\/p>\n
...\nwebview.loadUrl(\"https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/challenge09_su6z47IoTT7.html\".replace('6', '5'));\n...<\/pre>\n
The URL gets changed because there is “.replace(‘6’, ‘5’)” in the code. The QR Code is embedded in the website\u00a0https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/challenge09_su5z47IoTT7.html<\/a>\u00a0and if we look at the HTML source code we can see the image is loaded from\u00a0https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/challenge\/egg09_fs0sYle2SN.png<\/a>.
\n\"\"<\/p>\n
10 – An egg or not …<\/h1>\n
\"\"
\nAuthor: inik<\/a>
\nLevel: medium
\nSolutions: 233<\/span>
\n… an egg, that’s the question!
\nAre you able to answer this question and find the (real) egg?
\n<\/p>\n
Solution<\/h2>\n
Analyzing the SVG shows that there are duplicate coordinate declarations! In SVGs the last of the duplicated coordinates will be used, as it just overwrites existing locations with the new declarations. To solve this challenge, I wrote a python script which ignores duplicates if there is already a declaration for the coordinates.<\/p>\n
from collections import Counter\nFILE = \".\/aneggornot.svg\"\nSOLUTION = \".\/solution.svg\"\ncontent = []\n'''\n    in the original svg file duplicate coordinate declarations are found!\n    in SVG files the last coordinates defined in the file will be used,\n    therefore in the original file duplicated lines at the end of the file will be used.\n    this challenge is solved by removing duplicate lines which come later, this will reveal the new QR code\n'''\nwith open(FILE) as f:\n    for i, line in enumerate(f):\n        item = line.split(\" \")\n        fnd = False\n        for c, x in enumerate(content):\n            if len(x) == 4 and len(item) == 4\\\n                    and item[1] == x[1] and item[2] == x[2]:\n                print(\"[+] Duplicate found - Don't use it in solution\")\n                fnd = True\n                break\n        if not fnd:\n            content.append(item)\nsolution = open(SOLUTION, 'w')\nfor line in content:\n    for x in line:\n        solution.write(\"%s \" % x)<\/pre>\n
Finally the solution looks like this:
\n<\/p>\n
11 – Tweaked Tweet (mobile)<\/h1>\n
\"\"
\nAuthor: PS<\/a>
\nLevel: medium
\nSolutions: 108
\n\"\"
\n\"\"<\/p>\n
Solution<\/h2>\n
This was the\u00a0last mobile challenge. The only useful part I extracted from the APK was:<\/p>\n
startActivity(new Intent(\"android.intent.action.VIEW\", Uri.parse(\"https:\/\/twitter.com\/intent\/tweet?text=%23%EF%BC%A8a%EF%BD%83%EF%BD%8By%CE%95%EF%BD%81ste%EF%BD%92%E2%80%A9201%EF%BC%97%E2%80%A9%E2%85%B0%EF%BD%93%E2%80%80a%E2%80%84l%EF%BD%8F%EF%BD%94%E2%80%80%CE%BFf%E2%80%89%EF%BD%86un%EF%BC%81%E2%80%A8%23%D1%81tf%E2%80%88%23%EF%BD%88%EF%BD%81%CF%B2king-lab\")));<\/pre>\n
This one almost drove my crazy!
\nI tried to find any suspicious pattern, like to identify standard ASCII characters and extended ASCII characters, mapping them to 0s and 1s, exclude all extended ones, exclude all standard ones, etc. In the end I was identifying\u00a0characters which were used as\u00a0some Unicode combinations instead of the standard, most simple way. But I did not come to any solution.. After wasting hours on this one I just googled for “Twitter steganography”. First link\u00a0http:\/\/holloway.co.nz\/steg\/<\/a>\u00a0hosts a converter which can be used to decode our message!!!
\nIf we enter our decoded string “#\uff28a\uff43\uff4by\u0395\uff41ste\uff52\u2029201\uff17\u2029\u2170\uff53\u2000a\u2004l\uff4f\uff54\u2000\u03bff\u2009\uff46un\uff01\u2028#\u0441tf\u2008#\uff48\uff41\u03f2king-lab” into the decoder on the website, we get the result:\u00a0st3g4isfunyo.<\/strong>
\nStego is no fun yo \ud83d\ude41<\/p>\n
12 – Once Upon a File<\/h1>\n
\"\"
\nAuthor: inik<\/a>
\nLevel: medium
\nSolutions: 252<\/span>
\nOnce upon a file<\/a> there was a hidden egg. It’s still waiting to be saved by a noble prince or princess.<\/p>\n
Solution<\/h2>\n
‘binwalk’ is a tool to identify header information within a file. If multiple files are hidden in one single file, ‘binwalk’ can identify and automatically extract these files. With ‘binwalk’ this challenge is pretty easy to solve.<\/p>\n
$ unzip 12_onceupon.zip\nArchive:  12_onceupon.zip\n  inflating: file\n$ binwalk -e file\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n36447         0x8E5F          Unix path: \/0\/1\/2\/3\/4\/5\/6\/7\/8\/9\/:\/;\/<\/=\/>\/?\/@\/A\/B\/C\/D\/E\/F\/G\/H\/I\/J\/K\/L\/M\/N\/O\/P\/Q\/R\/S\/T\/U\/V\/W\/X\/Y\/Z\/[\/\\\/]\/^\/_\/`\/a\/b\/c\/d\/e\/f\/g\/h\/i\/j\/k\/l\/m\/n\/o\n184320        0x2D000         Zip archive data, at least v2.0 to extract, compressed size: 439156, uncompressed size: 5242880, name: file\n623596        0x983EC         End of Zip archive\n$ cd _file.extracted\/\n$ ls\n2D000.zip  file\n$ binwalk -e file\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n36447         0x8E5F          Unix path: \/0\/1\/2\/3\/4\/5\/6\/7\/8\/9\/:\/;\/<\/=\/>\/?\/@\/A\/B\/C\/D\/E\/F\/G\/H\/I\/J\/K\/L\/M\/N\/O\/P\/Q\/R\/S\/T\/U\/V\/W\/X\/Y\/Z\/[\/\\\/]\/^\/_\/`\/a\/b\/c\/d\/e\/f\/g\/h\/i\/j\/k\/l\/m\/n\/o\n1093632       0x10B000        Microsoft Cabinet archive data, 17834 bytes, 1 file\n2832320       0x2B37C0        Microsoft Cabinet archive data, 17834 bytes, 1 file\n3116030       0x2F8BFE        Microsoft executable, MS-DOS\n3788479       0x39CEBF        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit\n3793983       0x39E43F        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit\n4477995       0x44542B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: SHA-1 hash\n5073287       0x4D6987        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit\n5075359       0x4D719F        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit\n5173248       0x4EF000        PNG image, 480 x 480, 8-bit colormap, non-interlaced\n5173767       0x4EF207        Zlib compressed data, best compression\n$ cd _file.extracted\/\n$ ls\n 10B000.cab   2B37C0.cab   4EF207   4EF207.zlib   egg12.png  'eg'$'\\t''Z2.png'\n<\/pre>\n
The QR code is in the file ‘egg12.png’.
\n\"\"<\/p>\n
13 – Lost the Thread<\/h1>\n
\"\"
\nAuthor: CoderKiwi<\/a>
\nLevel: medium
\nSolutions: 126
\nSearching for eggs is fun! But sometimes they come in weird shapes and sizes. Download the image and wind up the strand!
\n