
Security Challenge IX

Comments

  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Very nice


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    One person confirmed to have completed. Hope to get the hall of fame up soon.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    I've been looking at it for ages, not sure what to do.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    moneymad wrote: »
    I've been looking at it for ages, not sure what to do.

    Try figure out what the client is doing.
    Maybe monitor the traffic with Wireshark, then use OllyDbg http://www.ollydbg.de/odbg200.zip or IDA Pro demo http://www.hex-rays.com/products/ida/support/download_demo.shtml

    Also:
    If that was you at the server earlier, remember just because it connects to port 80, doesn't mean it's a web-server. The micro VPS seems to block most incoming ports except those associated with common services. 80 was one I picked.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Try figure out what the client is doing.
    Maybe monitor the traffic with Wireshark, then use OllyDbg http://www.ollydbg.de/odbg200.zip or IDA Pro demo http://www.hex-rays.com/products/ida/support/download_demo.shtml

    Also:
    If that was you at the server earlier, remember just because it connects to port 80, doesn't mean it's a web-server. The micro VPS seems to block most incoming ports except those associated with common services. 80 was one I picked.

    Ya that was me. I was using them tools already. I'll keep looking.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hall of fame now online:

    http://damo.clanteam.com/sch9


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    This is definitely the best one you've done over the years.
    I'm having so much fun doing this. I don't want it to end.
    I'm enjoying every single minute of figuring out how this all works.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I'll look at it tomorrow.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just to note, the challenge daemon restarts every hour to kill forked and/or zombie processes that may be endless (i.e. expecting input or needing to be terminated with CTRL+C, but the user has disconnected so it just sits there) and wasting memory (limited to 128MB only!). So if you get disconnected, simply reconnect.


    Also, this shouldn't be needed for the challenge, but if for some reason you need it, you can write files into /var/tmp. You cannot do an 'ls' in these directories, to prevent you from viewing other people's files, but you can create, modify and delete files if you specify a name. E.g.:
    user@vks24665:~$ ls -l /var/tmp
    ls: cannot open directory /var/tmp: Permission denied
    user@vks24665:~$ echo "Hi there" > /var/tmp/myfile.txt
    user@vks24665:~$ ls -l /var/tmp/myfile.txt
    -rw-rw-r-- 1 user user Aug 28 11:35 /var/tmp/myfile.txt
    user@vks24665:~$ cat /var/tmp/myfile.txt
    Hi there
    user@vks24665:~$
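
The permission setup described in the post above, as an added example that is not part of the original thread or the challenge author's own code: a shell check that classifies a shared directory from its mode bits. Mode 1733, the function names audit_dropbox and dropbox_verdict, and the demo directories are assumptions; the post does not give the real mode of /var/tmp.

```shell
#!/bin/sh
# Added example. Mode 1733 is an assumption: the post does not state the
# real mode of /var/tmp on the challenge host.

# Report what users outside the owner/group can do in directory $1,
# read from the "other" permission triplet printed by `ls -ld`.
audit_dropbox() {
    o=$(ls -ld "$1" | cut -c8-10)
    case $o in r??)    list=yes ;;   *) list=no ;;   esac   # r: read names (ls)
    case $o in ?w?)    write=yes ;;  *) write=no ;;  esac   # w: create/unlink entries
    case $o in ??[xt]) search=yes ;; *) search=no ;; esac   # x: reach a file by name
    case $o in ??[tT]) sticky=yes ;; *) sticky=no ;; esac   # t: restricted deletion
    echo "list=$list write=$write search=$search sticky=$sticky"
}

# Turn the raw bits into a one-line finding.
dropbox_verdict() {
    case $(audit_dropbox "$1") in
        "list=no write=yes search=yes sticky=yes")
            echo "blind drop box; only the file's owner, the directory owner or root can delete a file" ;;
        "list=no write=yes search=yes sticky=no")
            echo "blind drop box; anyone who guesses a name can delete or replace the file" ;;
        list=yes*)
            echo "file names are visible to other users" ;;
        *)
            echo "other users cannot use this directory as a drop box" ;;
    esac
}

# Constructed demo directories (not the challenge host's /var/tmp).
base=$(mktemp -d)
mkdir "$base/sticky" "$base/plain"
chmod 1733 "$base/sticky"
chmod 0733 "$base/plain"
for d in "$base/sticky" "$base/plain"; do
    printf '%s: %s\n' "$(audit_dropbox "$d")" "$(dropbox_verdict "$d")"
done
rm -rf "$base"
```

In the transcript the new file is -rw-rw-r--, so hiding the listing keeps file names private but not contents: any user who guesses the path can read the file.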
    


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    This challenge was unbelievable. Took me a fair few hours and I learned a lot about Linux. I'll talk more when it's closed and everyone has had a bash off it. :) Thanks again Damo very cool challenge.
    Thanks for the help along the way.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Glad you liked it. Will try come up with more ideas in future.

    Anyone know of any communities that would be interested in this? Perhaps they could be made aware of this, as the Security forum here is pretty dead.


  • Registered Users, Registered Users 2 Posts: 8 VHS80s


    Do I just PM my finding to you to get into the wall of fame?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just put your name on the hall of fame.


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Looks like good fun. I have a sense of what to do, but my assembly knowledge is absolute squat. Which makes using a debugger, eh, interesting.
    Got as far as nop'ing out the first client check, but couldn't figure out the challenge/response numbers. I wanted to replicate it so I could get the hell out of ASM land.
    Interesting stuff though, thanks for doing it. I await the solution.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Glad you liked it. Will try come up with more ideas in future.

    Anyone know of any communities that would be interested in this? Perhaps they could be made aware of this, as the Security forum here is pretty dead.

    Looking forward to it.
    I don't visit security forums any more, I just look in here the odd time.


  • Registered Users, Registered Users 2 Posts: 20 embed


    Thanks for the challenge, took a while to figure out. When is the next one?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hopefully soon, just hard to come up with ideas. Wanna make this stuff more popular, so blog/tweet/whatever about this challenge. The more interest there is in them, the more new ones will appear. And hopefully other people can start creating their challenges also.

    I recommend people sign up for a VPS here (free if you sign up now) on the off chance you wanna set-up your own challenges: http://www.boards.ie/vbulletin/showthread.php?t=2056732264


  • Registered Users, Registered Users 2 Posts: 8 VHS80s


    Ok, I've hit a wall with this. Any hints/clues? Do I have to decrypt anything?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Put in a spoiler how far you got. Figure out the handshake.


  • Registered Users, Registered Users 2 Posts: 8 VHS80s


    Ok:
    I have got as far as opening the EXE in assembly, bypassed the error, got all the server info and monitored all the traffic with Wireshark. I was unable to pull any useful info from that.

    I will examine the handshake again, I'm sure I am missing something!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah, don't bypass the checks as they are checked server side, and the client is just parsing the response.

    Step through it with OllyDbg.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    clanteam seems to be down at the minute, but it's only hosting the hall of fame, so the challenge is still good.

    You can get the challenge binary in first post or here:
    http://dl.dropbox.com/u/14338572/sch9.zip


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just an FYI, SCH1, 2, 3, and 6 are back online.

    1 & 2 are same as before so have old hall of fame, but newcomers can try it out.

    CH 3 & 6 have been changed to protect clanteam.com hosting. Also they have some things changed and removed to make them much easier. This should attract more people to them.

    Also, don't assume the DB is the same as last time ;)

    http://damo.clanteam.com


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    Great challenge.
    I've found a way to bypass the handshake :-)

    I'm gonna have a go at the next part now :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    900913 wrote: »
    Great challenge.
    I've found a way to bypass the handshake :-)

    I'm gonna have a go at the next part now :-)


    Cool. You'll get it yet.

    Give sch3 and 6 a go also. I have changed them a little from last time also.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Not creating a new thread for this. Challenge X is up.
    http://damo.clanteam.com/ ...

    Think socially :-)

    Enjoy.


  • Registered Users, Registered Users 2 Posts: 882 ✭✭✭moneymad


    Going to have a look at it there now.
    Thanks damo

