https://fixme.ch/w/index.php?title=CTF/gits2012teaser/1-TelAviv&feed=atom&action=history
CTF/gits2012teaser/1-TelAviv - Revision history
2024-03-29T09:34:56Z
Revision history for this page on the wiki
MediaWiki 1.25.1
https://fixme.ch/w/index.php?title=CTF/gits2012teaser/1-TelAviv&diff=1383&oldid=prev
Francois at 15:52, 8 January 2012
2012-01-08T15:52:52Z
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 15:52, 8 January 2012</td>
</tr><tr><td colspan="2" class="diff-lineno" id="L146" >Line 146:</td>
<td colspan="2" class="diff-lineno">Line 146:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>the password is: "the da .i..i .ode"</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>the password is: "the da .i..i .ode"</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div></pre></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Update: we have missed the fact that result was ROT-16 encoded instead of being arbitrarily substitued. Thanks to [http://leetmore.ctf.su/wp/gits-2012-teaser-telaviv/ Leet More's writeup] for the info.</ins></div></td></tr>
</table>
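Review bot: the added "Update" line names the encoding but leaves the result stale, since the unchanged context line just above it still reads the password is: "the da .i..i .ode" with the unresolved characters shown as dots. Suggest following the update with the fully decoded line, or replacing the script's hand-built substitution table with a ROT-16 rotation so the final output is complete. Also, "substitued" in the added line should be "substituted".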
Francois
https://fixme.ch/w/index.php?title=CTF/gits2012teaser/1-TelAviv&diff=1374&oldid=prev
Francois: Created page with "== #1 TelAviv == === Question === What is the password? (File)<br> Hint: TeLaViv+ is a packet forensics challenge. === Solution ..."
2012-01-08T15:36:05Z
<p><b>New page</b></p><div>== #1 TelAviv ==<br />
<br />
=== Question ===<br />
<br />
What is the password? ([[Media:7139a4ea239dcac655f7c38ca6a77b61.bin|File]])<br><br />
Hint: TeLaViv+ is a packet forensics challenge.<br />
<br />
=== Solution ===<br />
<br />
The file [[Media:7139a4ea239dcac655f7c38ca6a77b61.bin|7139a4ea239dcac655f7c38ca6a77b61.bin]] is a regular pcap file which contains a single TCP session.<br />
<br />
[[Image:gist-telaviv-tcp-session.png]]<br />
<br />
The client sends 245 bytes to the server as an authentication mechanism (red data in the screenshot). The actual data is composed of multiple parts:<br />
<br />
* "GitS", probably some dummy data<br />
* a NULL byte<br />
* "Plague", potential username<br />
* 233 remaining bytes, this is the actual password we're looking for<br />
<br />
The hint (TeLaViv+) tells us that this password is probably encoded with [http://en.wikipedia.org/wiki/Type-length-value Type-Length-Value (TLV) encoding]. However, there were actually no type fields, and the length of each field was stored in a single byte.<br />
<br />
[[Image:gist-telaviv-password-data.png]]<br />
<br />
The following Python script ([[Media:tlv.py.gz|tlv.py]]) decodes the password:<br />
<br />
<syntaxhighlight lang="python"><br />
#!/usr/bin/env python3<br />
#<br />
# http://ghostintheshellcode.com/<br />
# Ghost in the Shellcode 2012 Teaser<br />
#<br />
# Challenge #1 TelAviv<br />
#<br />
# By Francois Deppierraz <francois@ctrlaltdel.ch><br />
<br />
import sys<br />
from pprint import pprint<br />
<br />
# Open in binary mode: the capture is raw bytes, not text<br />
with open("7139a4ea239dcac655f7c38ca6a77b61.bin", "rb") as f:<br />
    f.seek(0x244)       # seek to the data of interest, offset found with wireshark<br />
    data = f.read(233)  # data size<br />
<br />
total_len = 0<br />
packets = []<br />
index = 0<br />
while index < len(data):<br />
    length = data[index]  # one-byte length prefix, no type field<br />
    packets.append(data[index+1:index+1+length])<br />
    index += length+1<br />
    total_len += length+1<br />
<br />
# Ensure that all data was actually parsed<br />
assert total_len == len(data)<br />
<br />
print("Found %d packets: " % len(packets))<br />
for p in packets:<br />
    print("  " + " ".join(hex(c) for c in p))<br />
print()<br />
<br />
numbers = [list(p) for p in packets]<br />
#print("Values: ", end="")<br />
#pprint(numbers)<br />
#print()<br />
<br />
# Sum all byte values for each packet (idea comes from the + sign in the hint TeLaViv+)<br />
sums = [sum(row) for row in numbers]<br />
print("Sums: " + repr(sums))<br />
print()<br />
<br />
# Integer division: every sum is even, and chr() needs an int<br />
s = "".join([chr(c // 2) for c in sums])<br />
print("Divide by 2 and then convert to ASCII: ")<br />
print(s)<br />
print()<br />
<br />
print("Simple subsitution: ")<br />
# "Dro Zkccgybn sc" to "The Password is"<br />
from_txt = "\":dro zkccgybn sc"<br />
to_txt = "\":the password is"<br />
assert len(from_txt) == len(to_txt)<br />
<br />
# Characters not covered by the known-plaintext mapping are printed as "."<br />
for c in s.lower():<br />
    idx = from_txt.find(c)<br />
    if idx != -1:<br />
        sys.stdout.write(to_txt[idx])<br />
    else:<br />
        sys.stdout.write(".")<br />
print()<br />
</syntaxhighlight><br />
<br />
<pre><br />
$ ./tlv.py<br />
Found 37 packets: <br />
0x2b 0x2e 0x1 0x17 0x10 0x1 0x5 0x1<br />
0x57 0x21 0x57 0x1 0x1 0x12 0x1<br />
0x4d 0x5d 0x1d 0x8 0xd 0x2<br />
0x1b 0xa 0x18 0x2 0x1<br />
0x5a 0x4 0x46 0x10<br />
0x84 0x27 0x16 0x12 0x3<br />
0x9d 0x22 0x5 0x1 0x1<br />
0xb8 0x9 0x4 0x1<br />
0x33 0x5d 0x38 0x5 0x1<br />
0x5e 0xd 0x68 0x1f<br />
0x50 0x2d 0x1a 0x20 0x2 0x9 0x2<br />
0x90 0xc 0x20 0x10 0xf 0x1<br />
0x3a 0x4 0x1 0x1<br />
0x17 0x3b 0x34 0x18 0x37 0xf 0x1 0x1<br />
0x21 0x78 0x25 0x8<br />
0x1d 0x4b 0x8 0x3 0x1<br />
0x1a 0x21 0x2 0x3<br />
0x19 0x25 0x4 0x1 0x1<br />
0x5c 0x17 0x12 0x2 0x1<br />
0x5d 0x49 0x33 0x4 0x3 0x2 0x1 0x1<br />
0x96 0x1a 0x29 0x5<br />
0x3a 0x5 0x1<br />
0x39 0x4 0x53 0xa 0x1 0x1<br />
0x79 0x2 0x7 0x1b 0x1 0x37 0x1<br />
0x3 0xe 0x18 0x17<br />
0x6e 0x11 0x9 0x3 0x1<br />
0xb4 0x6 0x1 0x3 0x4 0x3 0x1e 0x2 0x1<br />
0x2 0xa7 0x10 0x10 0x12 0x13 0x2<br />
0x4c 0x9 0x43 0x7 0xd 0x4 0x2a<br />
0xd 0x78 0x5f 0x2<br />
0x2b 0x7 0xd 0x1<br />
0x74 0xd 0xe 0x9 0x2<br />
0x2d 0xa6 0xd 0xb 0x1 0x6<br />
0x9d 0x39 0x5 0x1<br />
0xd5 0x9<br />
0x38 0x6 0x2 0x2 0x1 0x1<br />
0x2f 0x5 0xb 0x1<br />
<br />
Sums: [136, 228, 222, 64, 180, 214, 198, 198,<br />
206, 242, 196, 220, 64, 230, 198, 116,<br />
64, 68, 136, 228, 222, 64, 156, 214,<br />
64, 140, 230, 240, 218, 230, 64, 154,<br />
242, 220, 222, 68, 64]<br />
<br />
Divide by 2 and then convert to ASCII: <br />
Dro Zkccgybn sc: "Dro Nk Fsxms Myno" <br />
<br />
Simple subsitution: <br />
the password is: "the da .i..i .ode"<br />
</pre></div>
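An added example (not part of the original write-up or of tlv.py), in Python 3: it re-parses the first three records from the output above with a bounds check on each length byte, then recovers the rotation mentioned in the later update by trying all 26 shifts against the crib "password". The function names and the SAMPLE buffer are assumptions made for this illustration; the sums are copied from the output above.

```python
# Added example: function names and SAMPLE are illustrative, not from tlv.py.
import string

# First three records from the script output above, re-prefixed with their
# one-byte lengths (buffer constructed for this example).
SAMPLE = bytes([8, 0x2b, 0x2e, 0x01, 0x17, 0x10, 0x01, 0x05, 0x01,
                7, 0x57, 0x21, 0x57, 0x01, 0x01, 0x12, 0x01,
                6, 0x4d, 0x5d, 0x1d, 0x08, 0x0d, 0x02])

# "Sums" list copied from the script output above.
PAGE_SUMS = [136, 228, 222, 64, 180, 214, 198, 198, 206, 242, 196, 220, 64,
             230, 198, 116, 64, 68, 136, 228, 222, 64, 156, 214, 64, 140,
             230, 240, 218, 230, 64, 154, 242, 220, 222, 68, 64]


def parse_records(buf):
    """Split one-byte-length-prefixed records; reject a truncated tail."""
    records, i = [], 0
    while i < len(buf):
        length = buf[i]
        body = buf[i + 1:i + 1 + length]
        if len(body) != length:
            raise ValueError("record at offset %d claims %d bytes, %d left"
                             % (i, length, len(body)))
        records.append(body)
        i += 1 + length
    return records


def sums_to_text(sums):
    """Halve each record sum and read it as an ASCII code point."""
    return "".join(chr(s // 2) for s in sums)


def rot(text, shift):
    """Rotate letters by `shift`, keeping case; other characters pass through."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up,
                          lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def find_shift(ciphertext, crib):
    """Try all 26 rotations; return those whose output contains the crib."""
    return [k for k in range(26) if crib in rot(ciphertext, k).lower()]


if __name__ == "__main__":
    head = sums_to_text(sum(r) for r in parse_records(SAMPLE))
    cipher = sums_to_text(PAGE_SUMS)
    shifts = find_shift(cipher, "password")
    print(head, shifts, rot(cipher, shifts[0]))
```
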
Francois