Sqall Blog

The "Torrent" challenge in the PlaidCTF 2012:

It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?

All you got was a pcap dump file with torrent data traffic. With a little bit google searching and tshark we could extract the data.

tshark -r torrent.pcap -R 'bittorrent.piece.data and ip.dst_host == 128.237.112.101' -T fields -e bittorrent.piece.index -e bittorrent.piece.begin -e bittorrent.piece.data -E separator=_ > dump.txt

The dump.txt looks like the following: INDEX_PIECEBEGIN_DATA. The data was stored as HEX values separated via ":". Now some dirty ctf python coding was doing the trick and gave us the transferred file:

from operator import itemgetter
import binascii

content = []
with open('dump.txt', 'r') as f:
for line in f:
idx, begin, data = line.strip().split('_')
content.append([int(idx[2:], 16),int(begin, 16), data.replace(":","")])

content = sorted(content, key = itemgetter(0))


result = ""
i=0
while i < len(content):
if content[i][1] == 0:
result += content[i][2]
result += content[i+1][2]
else:
result += content[i+1][2]
result += content[i][2]
i += 2

print binascii.unhexlify(result)

We executed the script and saved the output in a file. The "file" command showed us, that this file was a bzipped file:

sqall@pctf:~/Desktop/pctf/Torrents/content file result
result: bzip2 compressed data, block size = 900k

Unzipping it revealed a key.txt and a key.mp3. In the key.txt was the key (I loled when I read this ):

t0renz0_v0n_m4tt3rh0rn

This weekend the FluxFingers and I we were participating in the PlaidCTF 2012. We played this CTF for 48h and finally we got the 6th place (of over 700 teams). Thanks to the organizers for such a nice CTF with a lot of good challenges. Unfortunately the great idea with a browser RPG didn't use it full potential. Perhaps next year. Thanks again

Over a year ago I found a bug in the openvpn-auth-ldap module (bug report and patch for debian here and an explanation on my blog in german here).

Yesterday I got an eMail that this bug report is now fixed and closed.

We believe that the bug you reported is fixed in the latest version of
openvpn-auth-ldap, which is due to be installed in the Debian FTP archive:

openvpn-auth-ldap_2.0.3-2.debian.tar.gz
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2.debian.tar.gz
openvpn-auth-ldap_2.0.3-2.dsc
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2.dsc
openvpn-auth-ldap_2.0.3-2_i386.deb
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

[...]

Changes:
openvpn-auth-ldap (2.0.3-2) unstable; urgency=low
.
- Acknowledge Matthias Klose's NMU for #625146.
- patched/STARTTLS_before_auth.patch: Run STARTTLS before authenticatingi
to the LDAP server. Thanks Andre Pawlowski for finding this and the fix.
(Closes: #610339)
- debian/control: added Homepage field, added autotools-dev Build-Dep
- Added debian/source/format
- Added debian/watch
[...]

I have to say, it took a long time and I'm already forgot about the report (because I used a self compiled version of it with the fix). But I'm glad it's finally fixed, because I saw this module in a lot of environments used and the admins I talked to didn't know about this behavior of this module (and never would find out because they allowed anonymous access to their OpenLDAP system).

Some weeks ago you were able to play the MozillaCTF 2012. Some FluxFingers helped to organize it and so I wrote a web challenge for it. I don't know if the challenges are still available and playable and so I decided to publish this challenge here. Because this website is obviously vulnerable you have to download and set it up for yourself.

When you unzip the archive, you get three files. Copy these files into a directory under your webroot and then you are ready to go!

Notice that this web challenge has some rules:
- don't look in the source code (this challenge should be solved without knowing the source)
- the flag file and parser.sh are not directly accessible (originally the webserver denies any attempt to open these files directly with your browser)

Have fun

Exploit Mozillas IP Panel! This IP Panel is used for whitelisting IP addresses. We know that the webinterface will call a bash script that will execute an iptables command without validation. Find the flag and submit it!

A write-up for this challenge can be found here.

Last year the FluxFingers organized the hack.lu 2011 CTF. Some weeks ago I read an eMail on the FluxFingers eMail account, that the server with all challenges is down.

I don't know if we find a mirror, where we can set up a VM for all challenges, so I would like to publish my challenge for this CTF here. Notice that this was the first time I wrote a challenge for a CTF and the first time I coded something with python. Therefore, the code isn't such a beauty

Spy aboard!
We have a spy aboard! Around 5 minutes ago we intercepted an encrypted transmission to an enemy outpost. It seems like we interrupted the mole in the act because
we found an open transmission program on our terminals. We are 100% sure that he sent the position of our fleet to the outpost to plan an attack against us. Our position
at the time of the transmission was:

position: Harcon System , Planet Crematoria , x: 129.23432231423 degrees y: 111.13442353423 degrees , z: 100,13142234423 degrees

We need the spies authorization code to prevent this attack. You as our crypto expert you have to find it! The survival of 10000 brave men, women and children depends on you!!!
GOOD LUCK!

download challenge here


A write-up for this challenge can be found on the website of Leet More.