SAINTCON 2014 Hackers Challenge Walkthrough: Computer Forensics

You can find the SAINTCON 2014 Hackers Challenge Introduction here.

All the files referenced below are in this archive: SAINTCON_2014_Hackers_Challenge_CF.zip

The challenges referenced below can be found here:


CF100 – I Lost My Keys?

Puzzle:

Sometimes what you are looking for is a left over from a very long time ago. Disks are treasure troves of information... If only you know where to look

Files:
Disk_Image CF100.dd.gz

Solution:

Uncompress it and you have a raw dd disk image. Mount it (read-only, so you don't alter the evidence) and browse: nothing meaningful there. (Windows users might like this: http://www.osforensics.com/tools/mount-disk-images.html)

OK, let's see if there is anything useful in the full dd image, ignoring the filesystem and reading the raw bytes:
strings ~/HC/CF/Files/CF100.dd  | less

Key:
| UtahSAINT 2014 | It's not unusual for a drive to contain lots of stuff from previous drive formats, because simply formatting the drive does not remove the previous data. When you are working with confidential data you should be sure to wipe the drive with ZEROS or RANDOM data. There are reasons for either type of wipe. ZEROS make it obvious that the drive has been wiped, and are used in computer forensic labs to sanitize drives before evidence is copied to them. This preserves the integrity of the evidence. Wiping a drive with RANDOM data makes it nearly impossible to prove that the drive was wiped. When people do not wipe their drives there is often a ton of very valuable data on them… | The HC Key for this challenge is: WIPEYOURDRIVES


CF200 – Invisible Files

Puzzle:

What should you do when what you want is no longer there?

Files:
Disk_Image CF200.dd.gz

Solution:

Repeat the steps from CF100, but you know it's not going to be that simple! Uncompress it and you have a raw dd disk image. Mount it (read-only). Nothing too useful there. (Windows users might like this: http://www.osforensics.com/tools/mount-disk-images.html)

OK, let's see if there is anything useful in the full dd image:

strings ~/HC/CF/Files/CF200.dd | less

or, more directly,

strings ~/HC/CF/Files/CF200.dd | grep key

or on Windows, with the Sysinternals strings and findstr:

strings CF\Files\image-compressed.dd | findstr key

and there it is!

http://technet.microsoft.com/en-us/library/bb490907.aspx
http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx

Or maybe: “what should you do when what you want is no longer there?” Undelete!

I like to use http://www.cgsecurity.org/wiki/PhotoRec for lots of data recovery. (There are hundreds of alternatives available.)

Run it against the image and it will recover a couple of HTML files that were not visible in the mounted filesystem, because PhotoRec carves by file signature and ignores the directory entries entirely. The HC key is in the source near the top of one of them.
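Both the strings search and the undelete step work on the raw image bytes, which is the real lesson here: once a file's directory entry is gone the filesystem will not show it, but the blocks are still on disk until something overwrites them. The script below is an added example, not part of the original write-up and not the code of any tool linked above. It builds a small constructed image (random filler standing in for old data, with one HTML page dropped at an unaligned offset to play the deleted file), reproduces what `strings image | grep key` reports, and then carves the page back out by its `<html ... </html>` signature, which is the same idea PhotoRec applies to hundreds of file types. The image contents, the key string and the f<offset>.html naming are all made up for the example.

```python
import os
import random
import re
import tempfile

# Constructed sample image (not the challenge's CF100.dd / CF200.dd): random
# filler with one "deleted" HTML page in it. The key inside is made up.
HTML_PAGE = (b"<html><head><title>nothing to see here</title>\n"
             b"<!-- HC Key: EXAMPLE-KEY-NOT-THE-REAL-ONE -->\n"
             b"</head><body>Move along.</body></html>")
PAGE_OFFSET = 40961          # deliberately not sector-aligned
IMAGE_SIZE = 64 * 1024


def build_sample_image(path):
    """Write the constructed image to disk and return its path."""
    rng = random.Random(2014)                      # fixed seed: reproducible "old data"
    data = bytearray(rng.randrange(256) for _ in range(IMAGE_SIZE))
    data[PAGE_OFFSET:PAGE_OFFSET + len(HTML_PAGE)] = HTML_PAGE
    with open(path, "wb") as f:
        f.write(data)
    return path


def extract_strings(path, min_len=4):
    """What `strings -n 4` reports: runs of at least min_len printable ASCII bytes.
    (Tabs are not counted as printable here, a small difference from GNU strings.)"""
    with open(path, "rb") as f:
        data = f.read()
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def grep_strings(path, needle):
    """`strings image | grep -i needle`: case-insensitive filter of the string list.
    Expect noise from the random filler; that is what real strings output looks like."""
    needle = needle.lower()
    return [s for s in extract_strings(path) if needle in s.lower()]


def carve_html(path):
    """Signature carving, the way PhotoRec does it, for one file type only:
    scan the raw bytes for an <html ... </html> span without consulting any
    filesystem structure and return [(offset, bytes)] for each hit."""
    with open(path, "rb") as f:
        data = f.read()
    sig = re.compile(rb"<html.*?</html>", re.IGNORECASE | re.DOTALL)
    return [(m.start(), m.group()) for m in sig.finditer(data)]


def recover_html(path, out_dir):
    """Write each carved page to out_dir as f<offset>.html and return the names."""
    names = []
    for offset, page in carve_html(path):
        name = os.path.join(out_dir, "f%010d.html" % offset)
        with open(name, "wb") as f:
            f.write(page)
        names.append(name)
    return names


def run_demo():
    """Build the sample image in a temp dir, run both techniques, return the findings."""
    work = tempfile.mkdtemp()
    img = build_sample_image(os.path.join(work, "sample.dd"))
    return {
        "grep": grep_strings(img, "key"),
        "carved": carve_html(img),
        "files": recover_html(img, work),
    }


if __name__ == "__main__":
    result = run_demo()
    for s in result["grep"]:
        print("strings | grep key ->", s)
    for name in result["files"]:
        print("carved", name)
```

On a real image the carving pattern has to be extended with an upper bound on file size and sensible handling of a missing footer, which is most of what PhotoRec's per-type code does; the point here is only that neither step needs the filesystem at all.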

Key:
12QXZ0PQAFVMQW8302323100289200QAZ09342123JF


CF300 – iSee iKnow iFind Nothing

Puzzle:

Computers are not the only devices that have data on them...

Files:
Image	CF300.tar.gz

Solution:

Don't you love that Hogan's Heroes reference!

Same rigmarole: extract the tar.gz.

What do we have here? Taking a look at Info.plist, it is "jer's iPod" backup!

LEARN MORE about iDevice backups!

https://theiphonewiki.com/wiki/ITunes_Backup
http://resources.infosecinstitute.com/ios-5-backups-part-1/
http://resources.infosecinstitute.com/iphone-forensics-part2/
http://resources.infosecinstitute.com/iphone-forensics-2/

You can use a tool like this:

http://www.imactools.com/iphonebackupviewer/ (I'm told this tool might not work on Windows 8.1; it does work on Windows 7. You can try the OR method below.)

Copy the extracted backup into the right folder, i.e. C:\Users\me\AppData\Roaming\Apple Computer\MobileSync\Backup, and then easily browse the contents; you will find a note.

OR download http://sqlitebrowser.org/ and open the raw files. Every file in the backup is named by the SHA-1 of its domain and path on the device, so the names look random but are not: ca3bc056d4da0bbf88b5fb3be254f3b7147e639c is the Notes database. If you open that file in sqlitebrowser and browse the ZNOTE table, you will find a row with a ZTITLE of key and the key itself in ZSUMMARY!
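For anyone who would rather script the backup step than click through sqlitebrowser, here is an added Python example. It is not from the write-up or from either tool above. It shows how that file name comes about (iTunes names each file in a pre-iOS 10 backup by the SHA-1 of "<domain>-<path relative to the domain>", and ca3bc056d4da0bbf88b5fb3be254f3b7147e639c is HomeDomain-Library/Notes/notes.sqlite), reads the device name out of an Info.plist, and queries a ZNOTE table for the note. The Info.plist contents and the note rows are constructed for the example, and the ZNOTE table here has only the ZTITLE and ZSUMMARY columns the write-up mentions; the real notes.sqlite carries many more.

```python
import hashlib
import plistlib
import sqlite3


def backup_filename(domain, relative_path):
    """iTunes (pre-iOS 10 backup layout) stores each file under the SHA-1 of
    "<domain>-<relative path>", so a known database can be located directly
    instead of by browsing every file in the backup directory."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


# Constructed stand-in for the backup's Info.plist; only the name is taken from
# the write-up. plistlib handles both the XML and binary plist forms.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "Device Name": "jer's iPod",
    "Display Name": "jer's iPod",
})


def device_name(info_plist_bytes):
    """Return the device's display name from Info.plist (falls back to Device Name)."""
    info = plistlib.loads(info_plist_bytes)
    return info.get("Display Name") or info.get("Device Name")


def make_sample_notes_db():
    """In-memory stand-in for notes.sqlite using the Core Data naming convention
    (Z-prefixed table and columns) that the real database uses. Rows are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZNOTE (Z_PK INTEGER PRIMARY KEY, ZTITLE TEXT, ZSUMMARY TEXT)")
    db.executemany("INSERT INTO ZNOTE (ZTITLE, ZSUMMARY) VALUES (?, ?)", [
        ("groceries", "milk, eggs, bread"),
        ("key", "EXAMPLE-KEY-NOT-THE-REAL-ONE"),
        ("wifi", "guest network password"),
    ])
    return db


def open_notes_db(backup_dir):
    """Open the real Notes database inside an extracted backup directory."""
    name = backup_filename("HomeDomain", "Library/Notes/notes.sqlite")
    return sqlite3.connect(f"file:{backup_dir}/{name}?mode=ro", uri=True)


def find_notes(db, title):
    """The sqlitebrowser step done in code: rows whose title matches exactly."""
    cur = db.execute("SELECT ZTITLE, ZSUMMARY FROM ZNOTE WHERE ZTITLE = ?", (title,))
    return cur.fetchall()


def search_notes(db, needle):
    """Broader version: any note whose title or summary contains the text."""
    like = f"%{needle}%"
    cur = db.execute(
        "SELECT ZTITLE, ZSUMMARY FROM ZNOTE WHERE ZTITLE LIKE ? OR ZSUMMARY LIKE ?",
        (like, like))
    return cur.fetchall()


if __name__ == "__main__":
    print("notes.sqlite is stored as", backup_filename("HomeDomain", "Library/Notes/notes.sqlite"))
    print("backup belongs to", device_name(SAMPLE_INFO_PLIST))
    db = make_sample_notes_db()
    for title, summary in find_notes(db, "key"):
        print(title, "->", summary)
```

Opening the database read-only (the `mode=ro` URI in open_notes_db) matters when the backup is evidence: sqlite will otherwise happily create journal files next to it.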

Key:
AppleIOSIsFullOfStuff


CF400 – Duplicity

Puzzle:

The often imitated, but never... 
... duplicated... duplicated... duplicated... duplicated... 
Genie of the Lamp!

Hints:
Focus on the one photo that is different than all the rest...

Files:
Photos	CF400.tar.lrz

Solution:

Decompress the lrzip file. (https://code.google.com/p/lrzip-decompressor/)
Yes, from 338K to 1.3G: 10,000 copies of the same image. Beautiful picture of Kolob Canyon! (Yes, I recognize that pretty place.)

Or are they the same?

Generate a hash of each file to see whether they are the same: openssl dgst -md5 * > md5.txt
Then parse the list: count the distinct digests, and any file whose digest differs from the rest stands out.

And we find this one is different!
MD5(southernutah-03467.jpg)= f532f4cb9af0fd52fbbdf2b556ae9646

The rest are:
MD5(southernutah-09999.jpg)= c4f87dc0b04babeb6e6ec1fa1a230cb5

So what is actually different? Visually they appear the same. Doing a binary diff, they are QUITE different, and the modified file has no EXIF data.

Here you make the leap: there must be hidden data.
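The hash-and-compare step scales to any number of files, and the missing-EXIF tell can be checked in the same pass. The following script is an added example, not the write-up's own commands (those were openssl dgst and a binary diff). It constructs a folder of minimal JPEG-like files that are all identical except one, which also lacks the APP1 Exif segment, then hashes every file the way `openssl dgst -md5 *` does, groups them by digest so the odd one falls out whatever its name, and checks each candidate for an Exif header. The image bytes are stubs built around the real JPEG markers and are not photographs; the file names mimic the challenge's southernutah-NNNNN.jpg pattern but the numbering is made up.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict


def fake_jpeg(with_exif, payload):
    """Constructed JPEG-like bytes: SOI marker, an optional APP1 Exif segment,
    a DQT marker standing in for the rest of the headers, filler, EOI marker.
    Real cameras put Exif in APP1 right after SOI, which is what has_exif checks."""
    soi = b"\xff\xd8"
    app1 = b""
    if with_exif:
        body = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"   # Exif header + big-endian TIFF header
        app1 = b"\xff\xe1" + (len(body) + 2).to_bytes(2, "big") + body
    return soi + app1 + b"\xff\xdb" + payload + b"\xff\xd9"


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_directory(dirname):
    """Equivalent of `openssl dgst -md5 *`: {filename: md5} for every file."""
    return {name: md5_of(os.path.join(dirname, name))
            for name in sorted(os.listdir(dirname))}


def find_outliers(hashes):
    """Parse the hash list: group files by digest and return the files whose
    digest is not the most common one. Works for any number of odd files."""
    by_digest = defaultdict(list)
    for name, digest in hashes.items():
        by_digest[digest].append(name)
    common = Counter(hashes.values()).most_common(1)[0][0]
    return sorted(n for d, names in by_digest.items() if d != common for n in names)


def has_exif(path):
    """True if the JPEG carries an APP1 Exif segment right after SOI. The odd
    file in this challenge has none, which is the tell the write-up notices."""
    with open(path, "rb") as f:
        head = f.read(12)
    return (head[:2] == b"\xff\xd8" and head[2:4] == b"\xff\xe1"
            and head[6:12] == b"Exif\x00\x00")


def run_demo(copies=20):
    """Build a folder like the challenge's (copies of one photo plus one
    re-encoded without Exif), hash it, find the odd one out, check Exif."""
    work = tempfile.mkdtemp()
    original = fake_jpeg(True, b"kolob canyon " * 64)
    tampered = fake_jpeg(False, b"kolob canyon " * 63 + b"stego payload")
    for n in range(copies):
        with open(os.path.join(work, "southernutah-%05d.jpg" % n), "wb") as f:
            f.write(tampered if n == 7 else original)
    hashes = hash_directory(work)
    odd = find_outliers(hashes)
    return {
        "distinct": len(set(hashes.values())),
        "outliers": odd,
        "exif": {name: has_exif(os.path.join(work, name))
                 for name in odd + ["southernutah-00000.jpg"]},
    }


if __name__ == "__main__":
    result = run_demo()
    print("distinct digests:", result["distinct"])
    print("odd files:", result["outliers"])
    for name, ok in result["exif"].items():
        print(name, "has Exif" if ok else "NO Exif")
```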

LEARN MORE about http://en.wikipedia.org/wiki/Steganography_tools

And here you try lots of different steganography tools to see what you can get, and settle on one to pursue.

I chose and got lucky with http://steghide.sourceforge.net/

Now, trying to extract, nothing is found without a passphrase. What could that passphrase be? Let's take a look at the EXIF data in the original files. Where exactly was this photo taken? Load one into iPhoto and use the Places feature, or use http://www.verexif.com/en/ or any other EXIF viewer, and zoom in on the map. Ah, there it is: Kolob Canyons Viewpoint.

So steghide extract -sf southernutah-03467.jpg, give it that as the passphrase when prompted, and in KEY.txt we have:

Key:
MD5ISKEY4U2USE


CF500 – Committee Pwn

Puzzle:

Each committee member is wearing something that contains data.  This data can only be read at 125kHz.  Each item is worth 50 points.  Totaling 500 points for that part of the challenge.  If you get all the Tags, show your completed challenge list to a TJ, SJ, or JC and you will get a key for an additional 500 points.  Making the challenge worth 1000 points in total.

Hints:
- http://youtu.be/sYq5KhXMyHQ

Solution:

Go LEARN MORE about RFID: watch the video in the hint, and then get yourself a Proxmark3 or RFIDler.

Alas, I didn't have one. But I did get one badge scanned on display during a demo.

Something dangerous and interesting about batches of RFID badges is that they come nearly sequential! So I wrote this quick script to brute-force the 10 sequential badges!

#!/usr/bin/env ruby
# Walk a range of badge IDs and submit each one to the scoring API.
# Needs the httpclient gem (gem install httpclient); the API key is left out.
require 'httpclient'

c = HTTPClient.new
# Force TLSv1 as in the original; set once rather than on every request.
c.ssl_config.ssl_version = :TLSv1

i = 137530098700
while i < 137530098999 do
  # Avoid BruteForce Fail: pause between requests so the site does not lock us out
  sleep 15
  # The API takes the tag ID in hex, so convert the integer before building the URL
  uri = "https://hak.saintcon.org/play/api/SECRET-KEY-HERE/" + i.to_s(16)
  p uri
  puts c.get_content(uri)
  i += 1
end
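Why does walking neighbouring numbers work at all? Because a 125 kHz badge of this kind transmits a fixed ID with no challenge, no secret and no way for the reader to tell a clone from the original; the ID is just a number, and a batch of badges is a run of consecutive numbers. The script below is an added example, not part of the write-up, and it assumes the badges are EM410x-style tags, which the write-up never states; it only says 125 kHz and Proxmark3/RFIDler. The 10-hex-digit IDs the Ruby loop produces are 40 bits, which is the EM410x ID width, so the assumption is plausible but unverified. The first function generalises the Ruby loop (hex IDs around one that was actually scanned); the other two encode a 40-bit ID into the 64-bit frame an EM410x tag sends (9 header ones, ten nibbles each with an even row-parity bit, four even column-parity bits and a 0 stop bit) and decode a frame back while checking every parity bit. Nothing here talks to a reader; it is the encoding only.

```python
# Added example: EM410x frame layout is assumed for the badges (the write-up
# only says 125 kHz). IDs below are the ones from the Ruby script.


def neighbour_ids(seen_id, before=1, after=10):
    """The loop from the Ruby script generalised: hex IDs of the tags numbered
    around one that was actually scanned, bounded to the 40-bit ID space."""
    ids = []
    for i in range(seen_id - before, seen_id + after + 1):
        if 0 <= i < 1 << 40:
            ids.append("%010x" % i)
    return ids


def em410x_encode(tag_id):
    """Return the 64-bit frame (as a '0'/'1' string) an EM410x tag with this
    40-bit ID transmits: 9 header ones, 10 x (nibble + even row parity),
    4 even column-parity bits, 0 stop bit."""
    if not 0 <= tag_id < 1 << 40:
        raise ValueError("EM410x IDs are 40 bits")
    nibbles = [(tag_id >> (36 - 4 * k)) & 0xF for k in range(10)]
    bits = "1" * 9
    col_parity = [0, 0, 0, 0]
    for n in nibbles:
        row = [(n >> (3 - b)) & 1 for b in range(4)]
        bits += "".join(str(b) for b in row) + str(sum(row) % 2)
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
    bits += "".join(str(c) for c in col_parity) + "0"
    return bits


def em410x_decode(bits):
    """Parse a 64-bit frame back to its ID, checking the header, every row and
    column parity bit and the stop bit. Returns None for a corrupt frame, which
    is what a reader does when it keeps listening for a clean one."""
    if len(bits) != 64 or bits[:9] != "1" * 9 or bits[63] != "0":
        return None
    tag_id = 0
    col_parity = [0, 0, 0, 0]
    for k in range(10):
        chunk = bits[9 + 5 * k: 14 + 5 * k]
        row = [int(c) for c in chunk[:4]]
        if sum(row) % 2 != int(chunk[4]):
            return None
        col_parity = [c ^ b for c, b in zip(col_parity, row)]
        tag_id = (tag_id << 4) | int(chunk[:4], 2)
    if col_parity != [int(c) for c in bits[59:63]]:
        return None
    return tag_id


if __name__ == "__main__":
    seen = 137530098700                      # the first ID the Ruby script tries
    for hex_id in neighbour_ids(seen, 0, 3):
        frame = em410x_encode(int(hex_id, 16))
        print(hex_id, frame, em410x_decode(frame) == int(hex_id, 16))
```

The parity bits are the only integrity the frame carries; they protect against a noisy read, not against an attacker, which is why a reader that has seen one badge can simply try its neighbours.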

Well, I took my list of 10 to be verified for the extra 500 points and was told there were actually 11 committee members/badges. One badge was not in the batch; I knew whose it was, but had no RFID reader available to score the last 500 points.