Monday, June 28, 2010

Solutions: The Hex Factor v2009 (Level D200)

It's always a treat when you give hackers a box. It only takes a few moments before they break it down and create a completely new box. You guessed it, D-200 was another of our '09 out of the box challenges. Here we go.

ootb-200.exe looked like yet another binary, but was it? Your first instinct might have been to reverse engineer it, but you would have wasted your time with that. It told you so itself: Ok, no need for debuggers. There must be other ways to find the key to the kingdom ... Did I say key?

I did. The binary is digitally signed. Let's look into the details then:

And there we have it, hiding in plain sight. Those familiar with basic math recognize a Fibonacci sequence when they see it. The answer is right there: 55

Do you dare to take on The Hex Factor in 2010? Get your tickets now for BruCON (September, Brussels) or at SANS London (December, London)

Monday, June 21, 2010

Solutions: The Hex Factor v2009 (Level C200)

This is a straightforward reverse engineering challenge. When analyzing the executable, we notice that the coders used no packing; a simple tool like OllyDbg can tell us this. This means we can jump right into the code without having to deal with exotic unpacking – good news!

First things first: we launch the executable and immediately notice a prompt, asking for a password. The username is fixed at “bruCon” – this is already a huge help, since we can use this string to look for clues in the ASM code later on.

Entering a random password, we get the following error message:

We get another useful clue when looking at the failed login screen: the message “Oops, incorrect password.” This is the second clue we get, and a second string we write down for later analysis in OllyDbg.

Next, we have a look at the literal text strings used in the executable from within OllyDbg:

The two strings we remembered from running the exe are already mentioned as the first entries in the string table! (username “bruCon” and error message “Oops, incorrect password”).

Let’s trace jumps to the error message. We arrive at the following location in the assembly trace:

Our string is mentioned at address 0x00401186. Why are we so interested in this error message? Well, whenever this error message is pushed on the stack from within the code, we can assume that somewhere close the keying algorithm is implemented (this is not always the case, but in this challenge, it is). So let’s have a look at what is happening in the assembly code just above this interesting error string.

Just above the call at 0x0040118B, we notice a short loop: since this is a fairly short executable, this loop could possibly be used by the keying algorithm to calculate the password – let’s have a closer look.

We set a breakpoint at 0x00401162, the entry point of the loop. Stepping through the code, we notice that each iteration processes a different character of our username “bruCon”: a simple counter is incremented each iteration with the ASCII value of the individual character, and this results in a total of 617 (decimal). When stepping through the code, you will notice the register contains the value 269, but this is of course the hexadecimal equivalent of 617.

After processing all characters and summing the ASCII values, we exit the loop at address 0x00401174. Next, the value of EDI (which now contains 617) is multiplied by 61 – again, remember that OllyDbg is showing us hexadecimal numbers here!

The multiplication seems to be the last arithmetic operation used to calculate the password, so let’s give it a try. Our final result is 0x269 * 0x61 = 0xE9C9. Convert this to decimal, and we get 59849.

Launch the executable and give this a try: bingo! We get a “Password correct!” message.
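As an added example (not the challenge's own code, nor part of the original write-up), here is the keying algorithm recovered above re-implemented in Python, so the values seen in OllyDbg (0x269, 0x61, 0xE9C9) can be reproduced without stepping through the loop. The 32-bit masking mimics the EDI register and is an assumption about the original code.

```python
# Re-implementation of the C200 keying algorithm as recovered in OllyDbg.

def username_checksum(username: str) -> list:
    """Loop at 0x00401162-0x00401174: add the ASCII value of every character
    of the username to a running counter. Returns the counter after each
    iteration so it can be compared with the register while single-stepping."""
    total = 0
    history = []
    for ch in username.encode("ascii"):
        total = (total + ch) & 0xFFFFFFFF   # 32-bit register (assumed)
        history.append(total)
    return history


def derive_password(username: str, multiplier: int = 0x61) -> int:
    """After the loop EDI holds the sum; the code multiplies it by 0x61.
    The product, written in decimal, is the accepted password."""
    sums = username_checksum(username)
    total = sums[-1] if sums else 0          # empty username: nothing summed
    return (total * multiplier) & 0xFFFFFFFF


def trace(username: str) -> str:
    """Human-readable trace in the hex/decimal pairs OllyDbg shows."""
    lines = []
    for ch, total in zip(username, username_checksum(username)):
        lines.append("'%s' (0x%02X) -> sum 0x%X (%d)" % (ch, ord(ch), total, total))
    pw = derive_password(username)
    lines.append("sum * 0x61 = 0x%X -> password %d" % (pw, pw))
    return "\n".join(lines)


if __name__ == "__main__":
    print(trace("bruCon"))   # ends with: sum * 0x61 = 0xE9C9 -> password 59849
```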


Do you dare to take on The Hex Factor in 2010? Get your tickets now for BruCON (September, Brussels) or at SANS London (December, London)

Monday, June 14, 2010

Solutions: The Hex Factor v2009 (Level B200)

This challenge is the first of two hacking challenges. In order to solve this exercise the attacker should have sufficient technical knowledge and a mindset that can think out of the box.

Before I can start the actual attack description it is important to know that the vulnerable machine is hosted at 192.168.1.14 and the attacker’s computer is hosted in the same subnet at 192.168.1.16.

I started this attack by performing some basic discovery on the system. I used the best portscanning++ tool ever (nmap) to find the open ports:



Based on the information resulting from the nmap output, I explored the HTTP part of the vulnerable machine, where I discovered that a user exists with username “Hydra”. Next I tried to SSH to the vulnerable host with the newly acquired username; this resulted in an authentication error because no password was provided. But with some simple brute forcing with SSHBrute, using a pre-defined wordlist available on BackTrack, I found the correct password within minutes (of course, we made the password guessing SO easy because it is no fun to do a challenge when you have to wait three days to get your bruteforcing results ...)



Using the username Hydra and password abc123 I obtained access to the B200 system. However, this user only has limited rights and cannot execute the binary that gives the maximum amount of points. As a consequence, some extra exploring of the system itself had to be performed. After closely examining multiple files I found a bash history file that contained a username and password to authenticate to the system as crashoverride.


When authenticated as this user, I found a backed-up shadow file in the user’s home directory. This backed-up shadow file was readable; I copied it to my BackTrack machine and used John The Ripper to crack all the hashes in it within seconds.



The root password found did unfortunately not work. The acidburn password did work, giving me access to the B200 machine as the user needed to score the maximum amount of points. The video below provides a recorded demo of the B200 hacking challenge.




Show us your fu at BruCON (September, Brussels) or at SANS London (December, London)

Monday, June 7, 2010

Solutions: The Hex Factor v2009 (Level A200)

Once again most of the answers can be found using Google (or other online search engines); however, some of the questions are more challenging and require more background knowledge of the hacker universe and, as a consequence, more searching on the world wide web.


Question: What is the message that is hidden in the ICMP packet located somewhere on the main page of “The Hex Factor” website?

The ICMP packet is located in the background of The Hex Factor logo; this ICMP packet should be decoded to get the answer below. You can identify the IP packet because the hex string starts with "45 00", which means IP version 4 and 5 is the IP Header Length in Octets. If you further decode the packet using the IP header specification, you will see it is an ICMP packet with a message as payload.
Answer: My fu is too l33t for you
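As an added example (not code from the challenge or its authors), here is a small decoder that walks a hex dump of the kind described above: it checks the "45" byte (version 4, IHL 5, where the IHL field counts 32-bit words, so 5 means a 20-byte header), verifies the header checksum, confirms protocol 1 (ICMP) and returns the payload. The packet it parses is constructed inline and carries the answer as payload; the addresses and identifiers in it are made up.

```python
import struct

# Constructed sample (the packet on the Hex Factor site is not reproduced here):
# an IPv4 header followed by an ICMP echo request whose payload is the message.
MESSAGE = b"My fu is too l33t for you"

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; yields 0 when run over
    a header whose checksum field is already filled in correctly."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_packet(payload: bytes) -> bytes:
    """Assemble IPv4 (IHL=5, protocol 1) + ICMP type 8 so the decoder has input."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def decode_icmp_message(hex_string: str) -> dict:
    """Parse a hex dump ("45 00 ...") down to the ICMP payload."""
    raw = bytes.fromhex(hex_string)            # whitespace between bytes is fine
    version, ihl = raw[0] >> 4, raw[0] & 0x0F  # 0x45: version 4, IHL 5
    if version != 4:
        raise ValueError("not an IPv4 packet")
    hlen = ihl * 4                             # IHL is in 32-bit words: 5 -> 20 bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ip_checksum(raw[:hlen]) != 0:
        raise ValueError("IP header checksum mismatch")
    if raw[9] != 1:
        raise ValueError("protocol %d is not ICMP" % raw[9])
    icmp = raw[hlen:total_len]
    return {
        "src": ".".join(map(str, raw[12:16])),
        "dst": ".".join(map(str, raw[16:20])),
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "message": icmp[8:].decode("ascii", "replace"),  # after the 8-byte echo header
    }

if __name__ == "__main__":
    dump = " ".join("%02x" % b for b in build_sample_packet(MESSAGE))
    print(dump)                      # starts with "45 00", like the one on the site
    print(decode_icmp_message(dump)["message"])
```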

Question: Who is this?

Answer: Robert (Tappan) Morris

Question: What device is this?

Answer: Enigma machine

Question: What is the title of this book?

By using www.tineye.com you can search for similar pictures on the Internet. See the results here. Somebody during BruCON showed me this site, thanks for that! (sorry, no clue anymore who you were)
Answer: Secrets & Lies

Question: What can be considered the most famous novel in "the early years"? It has won the Nebula Award, an award given each year by the Science Fiction and Fantasy Writers of America. Hint: 2+2=5
Answer: Neuromancer

Question: In what country can you find the company that makes one of the best (if not the best) decompilers?
IDA Pro would be one of the better decompilers. It is created by Hex-Rays, a company based in Liege (Belgium). No, we are not sponsored by them (unfortunately).
Answer: Belgium

Question: If you get on the ‘Rossiya’ at its most western starting point and get off after 3035 km, in what town are you then?
By combining information found on the homepage of the Rossiya with information found on Google Maps (or any other atlas application), the town where the Rossiya is at 3035 km can be determined.
Answer: Barabinsk

Question: What is the number (2 digits after the comma) of Microsoft shares you could have bought when you sold 1 share of Google at NASDAQ closure on June 3, 2009?
Answer: 19, 86

More of that? Get your tickets now for BruCON (September, Brussels) or at SANS London (December, London)