Hackvent 2017 Solutions
I participated in the Hackvent 2017. This is a nice CTF-like event with a new challenge every day during Advent. It starts easy and gets harder with later challenges. Here's my write-up of the challenges and how I solved them (for those I did). I did not finish all of them, much less on the same day, but at least the easy and medium ones are here. All files that were downloadable are included here as well, with a link to pastebin (base64 encoded and days 18 and 21 additionally zipped). Let me know if you find any mistakes or if you have additional comments. I think I made about 24 points in total, but you needed 60 points minimum for getting a bronze title and 120 points maximum (I think 115 was required for gold or so). One big problem was to solve everything on time. As usual, I learned a few things and I can hopefully learn even more by reading the correct solutions. Maybe this write-up can help you too.
Text and hints:
Day 01: 5th anniversary
time to have a look back
Given image:
So it meant to look at the previous year's challenges. This meant googling.
I can't remember the exact links I used, but here are two valid links for each year:
2014:
http://lucasg.github.io/2014/12/01/HACKVent-2014-Day-01-writeup/
https://github.com/shiltemann/CTF-writeups-public/blob/master/Hackvent_2014/dec01.md
Flag 2014: HV14-BAAJ-6ZtK-IJHy-bABB-YoMw
2015:
https://morpheuzblog.wordpress.com/category/hackvent-2015/page/3/
https://mohammadg.com/capture-the-flag/hacking-lab/hackvent-2015/hv15-day-1/
Flag 2015: HV15-Tz9K-4JIJ-EowK-oXP1-NUYL
2016:
https://mohammadg.com/capture-the-flag/hacking-lab/hackvent-2016/hackvent-2016-day-1/
https://thevamp.cc/2017/03/08/hackvent-2016-complete-writeup/
Flag 2016: HV16-t8Kd-38aY-QxL5-bn4K-c6Lw
So putting this all together in the form given results in the correct flag:
Flag: HV17-5YRS-4evr-IJHy-oXP1-c6Lw
Text and hints:
Day 02: Wishlist
The fifth power of two
Something happened to my wishlist, please help me.
with a button "Get the Wishlist"
Downloading the file, it immediately looked like base64 encoded:
Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTVjAxV2JETlhhMUpU
CmMxUllhRmhpYXpWWFdXdGtVMVF4V25SbFNHTkxDbFpxUmxwbFYxWkdaRWRvVGxK
Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTVjAxV2JETlhhMUpU
This made me think a bit. After thinking about this, I clicked "decode" a second time. Luckily this used site had "decode" buttons from left to right and from right to left. So I just had to click the decode buttons alternating, but always I got base64 results. Now I understood the meaning of the hint "fifth power of two" (which means 32). So I had to click "decode" 32 times. Very easy with this site. And finally the flag appeared.
Flag: HV17-Th3F-1fth-Pow3-r0f2-is32
Text and hints:
Day 03: Strange Logcat Entry
Lost in messages
I found those strange entries in my Android logcat, but I don't know what it's all about... I just want to read my messages!
button: "Get the logcat"
Downloading the file, it shows a huge log file, with nothing interesting in it. I found that there is a crash but nothing else interesting. When I got stuck, I got the hint that I should "look closer at the crash". This helped me to find the following line:
11-13 20:40:24.044 137 137 DEBUG: I 07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931
This seems to be the content of the received text message (SMS) that caused the mobile phone to crash. The question is now how to get the real content of that message.
First I tried to find some online site to decode it:
As you can see on that page, there is some nice explanation on how it works and it even explains how to decode the bits manually. Unfortunately the decoded message did not make any sense. Was this the reason that it crashed? I thought I search for another site that can do this decoding and found the site https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/
This site could decode the message perfectly:
And there we have our flag.
Flag: HV17-th1s-isol-dsch-00lm-agic
Actually there are more online tools that do work:
https://smspdu.benjaminerhart.com/
http://www.smspdu.com/
Text and hints:
Day 04: HoHoHo
NOTE: New easyfied attachment available
Santa has hidden something for you
with a button: "here"
This button downloads a PDF file with nothing useful visible in it (just a Santa image with some advent text and some links to Wikipedia). I tried various tools, like pdf-parser, peepdf, qpdf, and mupdf to look at the content. I think the peepdf tool is the best one for this challenge, but unfortunately, with none of the tools I could find anything interesting. I tried to solve this for many hours per day for more than a week, but I couldn't get anywhere. Finally I got the hint from someone that I should look closer at the font and that helped me. Maybe this is a known Linux font format or something, but I have never seen an SFD file, so that's why I made no progress for such a long time.
Running peepdf with the command
peepdf.py -i HoHoHo_medium.pdf
gets peepdf into interactive mode on the specified file. Then you can run the command:
tree
to see the various content blocks. The font is in stream 21. To extract the binary, run this command:
stream 21 >stream21.bin
So now we have the font extracted. Let's rename it to its real name, to DroidSans-HACKvent.sfd.
I think this was one of the hardest challenges, unless you're familiar with sfd files.
But as I now already knew to look closer into this font, I searched for a tool to edit such files and found FontForge. The Windows installer is 18MB and running the tool opens an Interface in OS X-like look and feel. Opening the font gets you a list of defined characters:
You can see that near the end there are some new characters defined. Double-clicking on each of them reveals that there is a letter defined using splines. The first character looks like this:
So it seems like there are hidden characters. Clicking on all of them and writing them down in sequence reveals the flag.
Maybe there's an easier way for this or better tools, but this solved the challenge.
Flag: HV17-RP7W-DU6t-Z3qA-jwBz-jItj
Text and hints:
Day 05: Only one hint
OK, 2nd hint: Its XOR not MOD
Here is your flag:
0x69355f71
0xc2c8c11c
0xdf45873c
0x9d26aaff
0xb1b827f4
0x97d1acf4
and the one and only hint:
0xFE8F9017 MOD 0x13371337
Before I started working on this, someone spoiled to me that he googled the result of the hint. When I did the same, I didn't get any useful results though. The next day the challenge was updated:
05.12.2017 13:00 CET, Day 05, Changed challenge description (typo), its XOR, not MOD
Actually this was the same day, but as I was solving the challenges past midnight, it was a day later for me. So with the result:
0xFE8F9017 XOR 0x13371337 = 0xEDB88320
we have a new value. Googling for that indicates that this is used in CRC-32, reverse polynomial representation.
So I searched for the CRC-32 calculation code and found this calculation: http://www.hackersdelight.org/hdcodetxt/crc.c.txt
So I wrote a quick&dirty C#.NET program from that code (I can't find it anymore right now) to simply brute-force through the whole range of 0...0xffffffff and if any of the results is one of the numbers from the task, then it prints out the value (source number and result). The found source values are actually the ASCII codes of the flag.
For this write-up I searched if there are any online tools to do reverse CRC-32 lookup and I found one site that does exactly this. Unfortunately it doesn't work on all of the values, so it cannot really be used to solve this challenge, so I had to re-implement the code to get the flag again.
Flag: HV17-7pKs-whyz-o6wF-h4rp-Qlt6
Text and hints:
Day 06: Santa's journey
Make sure Santa visits every country
Follow Santa Claus as he makes his journey around the world.
button: "Link"
The link goes to http://challenges.hackvent.hacking-lab.com:4200/ and shows a single QR code.
Scanning the code with an app on my mobile phone shows the text of a country.
I pressed "refresh" (F5) and it showed a new QR code. Scanning it with my mobile and a QR app, it seems that the shown country is random. So we need to come up with a plan.
I pressed refresh about 20 times (without scanning each) and then it suddenly showed a much bigger QR code.
I scanned that one and it was the solution. Writing this write-up and trying this again, I was probably pretty lucky then, because there are many other countries with long names.
But anyway, it was solvable that way, even now doing this again. If you just scan all the bigger codes manually, you finally get to the solution after maybe 10-20 tries.
Probably the challenge writer wanted you to write some code to automate this. In order to do so, you would have to make the challenge a bit more complicated by making all names the same length (with some padding) and maybe even ensure that the solution is not among the random shown ones, but only shows up randomly after requesting first 50 other images within 10 seconds with the same session or something along those lines. But maybe Burp Suite can help with that as well without writing any code. Here are some images I got:
Flag: HV17-eCFw-J4xX-buy3-8pzG-kd3M
Text and hints:
Day 07: i know ...
... what you did last xmas
We were able to steal a file from santas computer. We are sure, he prepared a gift and there are traces for it in this file.
Please help us to recover it:
button: "Download"
The button downloads a file "SANTA.FILE"
The file starts with "PK", so it must be a zipped file. Renaming it to SANTA.FILE.zip, we find a new file "SANTA.IMA".
IMA is probably some image file (like a DVD image), so opening it with 7-zip works and shows a new SANTA.PRIV file.
That file starts with "regf", so it could be some registry file. And indeed, it is a registry hive. I went to my registry, created a new key and loaded this hive into it. Actually this was a bad idea. I could never delete all subkeys again due to missing permissions. Even taking ownership didn't work. If anyone has some good ideas, please post it into the comments.
But even searching through the registry couldn't find anything interesting. There was no "HV17" in there or anything similar, so I got stuck. Even exporting the entire registry hive as .reg file (text-based) couldn't get anything interesting.
Someone gave me the hint that "this was the easiest challenge of all so far" and the solution was "just in the file".
And indeed, I opened the registry hive file in HxD and searched for "HV17" and found the flag. The other guy even searched one step earlier, in the SANTA.IMA file, so he only had to unzip the challenge and run "strings" on it.
I wanted to know a bit more and find the location in the registry, but couldn't succeed and gave up due to missing time. I found the location of the related key (near GameDVR_GameGUID d48142dc-fba3-4430-80dd-c4eb0143a34e), but there was no value in there with anything related to "HV17". Anyway, we have our flag.
Flag: HV17-UCyz-0yEU-d90O-vSqS-Sd64
Text and hints:
Day 08: True 1337s
... can read this instantly
I found this obfuscated code on a public FTP-Server. But I don't understand what it's doing...
button: "Download"
This downloads a file "True.1338.txt".
It starts like this:
exec(chr(True+True+True+True+True+Tr...
and then has millions of "True+True+" in there.
If you scroll near the end it looks a bit different. You can see:
+1337+1337)+_1337(1337+1337+1337+1337+1337+1337+1337+1337+1337+1337))
with millions of "1337+1337+" in there.
So it's some obfuscated code.
First I thought that this is JavaScript, but it isn't. JavaScript doesn't have the chr command.
Later I thought it was PHP (due to the often-abused exec command and people often find such things on their webserver as mentioned in the text), but that was also not the case.
But actually it doesn't really matter what language it is.
I concluded that "True" evaluates to 1 and adding it several times gives you a number.
So it starts with something like this:
exec(chr(10)+chr(n)+chr(n)... gives some meaningful code.
So I did some text replacing and got this code:
A=chr;
print(_1337(1337+1337+1337+1337+1337+1337+1337+1337+1337+1337)+_1337(1337+1337+...
This means that in the second part a number of 1337 values will get added, then the function _1337(B) called which runs chr(B/1337).
So this means we do the same again.
Simplified I get this code:
A=chr;__1337=exec;SANTA=input;FUN=print
But it seems like something is wrong there anyway.
And indeed, a few days later I see this:
08.12.2017 00:18 CET, Day 08, Wrong challenge file has been replaced
When doing this again, I get the following:
A=chr;__1337=exec;SANTA=input;FUN=print
So I had to simplify it again, but not too much. This resulted in this code:
#A=chr;
#C=SANTA("?")
Flag: HV17-th1s-ju5t-l1k3-j5sf-uck!
Text and hints:
Day 09: JSONion
... is not really an onion. Peel it and find the flag.
button: "Download"
The download gets you a JSONion.zip file.
In the ZIP is a file jsonion.json file.
Opening it with Visual Studio and after selecting "Format Document", I get this:
I had no idea what to do with this.
I thought "op": "map" is something known and so I googled for it, but you can imagine the results for "map and json". Nothing useful. I wasted some hours there.
Also the "mapTo" data looks like a JSON array or something, but nothing useful.
The data itself in all three fields looks a bit like base64, but there are other characters, so it must be something else. I tried base93 and other codes, but without success.
Then, after several days, I had the idea to do a statistical analysis on the used characters. That might reveal what code is being used, or at least how many different characters were used.
I got these results:
As I cannot do this manually, not even with replace commands (you would have to follow a certain order), I wrote a program in C#.NET.
I don't have that program anymore, but you'll see later why. In the program I made a for-loop for each character, searched the string in mapFrom and created a new string from mapTo appending each character. This program ran for 45 minutes and returned a new file.
The new file looked almost the same as the first one:
So now we have an op (operation) gzip. I did this manually with some online tools and got to the next stage. Next we have "op": "b64" and some base64-encoded data in "content". Ok, we can do this manually again. The next stage was a gzip again. And then a "map" operation again.
I think I continued about 10-20 stages, but as the name of the challenge was already something with "onion", I thought this cannot be done manually and started to write more code.
As the string handling in the mapping operation was insanely slow, I had to investigate in how to optimize that. First I tried with pre-ordering the mapping table into an array and then just doing simple lookups instead of searching in mapFrom. This didn't help in increasing the speed. Then I discovered the StringBuilder class, where you can say in advance how long the string will be and simply execute an Append command. This took down the execution time from hours to less than a second. This is because then no longer garbage collection is done within the loop and the string remains in memory.
In my program I wrote the decoded next stage as file into a folder, so I could start at that point later again (because of the initially slow execution).
I also had to implement some JSON parsing code, because that's not built-into .NET. Everywhere I looked this up, they recommended me some 3rd party software and I really didn't want to use other components. I ended up with the class JavaScriptSerializer, which can also be used to parse JSON - it just hasn't got much functionality.
So after running this, new operations showed up. Besides the already known "map", "gzip" and "b64", four more appeared: "nul" (another json directly in the content), "xor" (with a new field "mask", one byte base64 encoded value to xor-decrypt the content which is also base64 encoded), "rev" to reverse the JSON string in content, and "flag".
So running this in a loop wrote 82 stage files into my folder and stage82 was this JSON file:
[{"op":"flag","content":"THIS-ISNO-THEF-LAGR-EALL-Y..."}]
Bummer.
It took me another day and thinking about this to continue.
Well, I think I've done everything correctly, so there must be something hidden in one of the stages.
I started opening all the stages manually in Visual Studio (starting from the end) and I found in stage 74 this nice nasty thing
So as you can see, there are two different ways to continue.
Easy, so I took this apart into two different paths (stage74a and stage74b) and ran my program on both. In the b-path I got lucky with the flag at the end:
[{"op":"flag","content":"HV17-Ip11-9CaB-JvCf-d5Nq-ffyi"}]
Flag: HV17-Ip11-9CaB-JvCf-d5Nq-ffyi
Here's the program I wrote:
https://pastebin.com/2qG56TtS
Day 10: Just play the game
Haven't you ever been bored at school?
Santa is in trouble. He's elves are busy playing TicTacToe. Beat them and help Sata to save christmas!
button: "nc challenges.hackvent.hacking-lab.com 1037"
Pressing the button just loaded the same page again.
So I first had to find out what this means. I discovered that "nc" is some Unix command to connect to that site and port.
It looks like there are some problems with line endings, but it somehow works. So it's the game tic-tac-toe.
I figured that I had to automate this, so I wrote another program.
I wrote code like "if board='....' send '1'" and that for all four states.
Flag: HV17-y0ue-kn0w-7h4t-g4me-sure
Day 11: Crypt-o-Math 2.0
So you bruteforced last years math lessions? This time you cant escape!
c = (a * b) % p
c=457210035143347787689077715544591571908955061300162780487882896908050064
p=1228485890518970293934792032966354040636054244099097597451085919424026163
b=941026773241901737880457587235031905127428585147705900188262353910357399
I got lazy and simply entered this into the online WolframAlpha tool and got this result:
So essentially you can solve the equation for a and get a = 499... + n * p (with n being any integer value). The second term is clear; that means you can add the modulo value any number of times and still get a valid result. I thought maybe I have to iterate through this and try higher values to get the correct result, so the minimum value should be "HV17-....-....-....-....-...." converted to hex. But the value 499... is already bigger, so we don't need that condition. So I tried this 499 value and converted it to hex:
485631372D587444772D30447A4F2D595267422D326232652D55574E7A00
And converting this to ASCII gives us the flag:
Flag: HV17-XtDw-0DzO-YRgB-2b2e-UWNz
After solving the challenge, I found the following comment:
11.12.2017 11.55 CET, Day 11, Challenge has changed, due to cheating activities
and indeed, the numbers did change:
c=0x559C8077EE6C7990AF727955B744425D3CC2D4D7D0E46F015C8958B34783
c=590867720467499739656230398758801227927329092826661098133553607261505411
p=1023659786424349813810435942750567812478342322946284370914320216115614427
b=1419762318326277663933821153866524377417016166171412157761654041111779443
Solving this again by simply using WolframAlpha:
So here we get the hex value:
485631372D7A51427A2D417744672D3146454C2D725545392D474B677100
And converting this to ASCII gives us the new flag:
Flag: HV17-zQBz-AwDg-1FEL-rUE9-GKgq
Additional thoughts:
It seems like they added a null-byte to the end of the flag in the hex value. I'm not sure why they did this. As they mentioned some brute-forcing in the challenge description, I assumed that the result is larger then the smallest value and we would have to try higher values, but for some reason this wasn't the case. I don't know why it was that simple.
Another thing I looked into was how to solve that equation manually. For this write-up I did it manually on paper with smaller numbers and started solving it with these big numbers too. It's a lot of work. So for the simple equation 363=17*x mod 453 we would have to find out how many times we would have to multiply x by 17 to "wrap-around" the 453. This gives 27 times and results in a mod value of 6. If I now do this multiple times, I can wrap-around this 6 as well, so I get 76 with a mod value of 3. The result 363 is divisible by 3, so I can use this. We now have 27 rounds for wrap1 and 76 rounds for wrap2. This results in 2052. And because 363 is divisible by 3 (=121), we calculate 2052*121=248292. This now mod 453 gives 48. And 48 is our final result: x=48+n*453, which you can prove in the initial equation. I tried this with the big numbers above and only made slow progress (about 3 minutes per digit), so I gave up there. WolframAlpha is good enough.
One thing to keep in mind is that WolframAlpha in the free edition has a size-limit on the input field, so make sure the input is not truncated.
Text and hints:
Day 12: giftlogistics
Unfortunately this was an incomplete countermeasure. It's still possible to retrieve the protected user profile data where you will find the flag.
two buttons: "Link" and "Traffic"
The link goes to the site http://challenges.hackvent.hacking-lab.com:7240/giftlogistics/
There's a menu with Home/About/Contact and a "Log in".
"Powered by Santa Enging 1.2.6, (c) 2017 The Santa Corporation and Elves Laboratories."
Text on the page:
Welcome to GiftLogistics!
In the pcap file there was only one unencrypted HTTP traffic, essentially a GET to host hackvent.hacking-lab.com, with an answer 301 (Moved Permanently) to https and two OCSP lookups. I mapped the SSL traffic between the different IP addresses and created a list of DNS traffic, looked at the one ARP request, but didn't get anywhere further. Additionally the site is now no longer reachable, so should I find anything, I cannot try it out anymore anyway.
I did not solve this challenge, so no flag here.
Text and hints:
Day 13: muffin_asm
How about some custom asm to obsfucate the codez?
button: "Download"
Actually I don't have the original file anymore, but in the download you can see (commented out) my solution. Essentially this is implementing some custom assembler code, emulated.
I simply added debugging instructions to print out the current command.
You had to input the flag yourself. If you entered a wrong key, it printed out an error. The assembly code did simple comparisons with the flag in the code (not plaintext, somehow obfuscated). So after entering one character, it compared the value against the first letter of the correct flag, so comparing CMP r1, 'H', which means you knew that the correct character there was 'H'. I advanced character by character and wrote down the flag. It would be nice to statically disassemble the whole file or do other things, but due to lack of time, I didn't.
Flag: HV17-mUff!n-4sm-!s-cr4zY
Text and hints:
Day 14: Happy Cryptmas
todays gift was encrypted with the attached program. try to unbox your xmas present.
Flag: 7A9FDCA5BB061D0D638BE1442586F3488B536399BA05A14FCAE3F0A2E5F268F2F3142D1956769497AE677A12E4D44EC727E255B391005B9ADCF53B4A74FFC34C
button: "Download"
I disassembled the binary and found that it's implementing RSA encryption. Actually you wouldn't even need any reverse engineering skills, because the public key was visible as decimal in the hex dump of the binary (65537) and that already indicates that RSA was used. The only tricky thing without reversing skills would be to get the correct modulus, but as it was there in ASCII (hex) that shouldn't be too complicated. So we have the public key the flag was encrypted with:
public key: 65537
modulus: 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51
Converting this to decimal:
12906717464348092265956410210860282684261200239649314436822666616460740520052403025774625130601134473716449192270880280937288228652858915015044165744901457
The nice page https://www.alpertron.com.ar/ECM.HTM could factorize it:
p=18132985757038135691
p-1 = 2*5*7*7*7*1571*3365108064173
lambda=921908390310578018946044932882076211416131168968630537624772335953022533577106442830457416651290676124946911475532705088802440278371452331309775226730710
And with WolframAlpha:
d=840418311346493937224964653098353009366393648761186243493818735053136064300023609876296563779463664104381162994861313957389154096022461328436931979580993
With the given encrypted flag, converted to decimal:
flag=6422364120026732410681865634854254183147125246054233723304764504977840830688444841588552434965602224626422836832323525577199101442006761403538743492592460
decrypt=flag^d mod modulus
decrypt=6422364120026732410681865634854254183147125246054233723304764504977840830688444841588552434965602224626422836832323525577199101442006761403538743492592460 840418311346493937224964653098353009366393648761186243493818735053136064300023609876296563779463664104381162994861313957389154096022461328436931979580993 12906717464348092265956410210860282684261200239649314436822666616460740520052403025774625130601134473716449192270880280937288228652858915015044165744901457
remainder=1950193263214537087126063880738805970134683456457941605829795971018850
or in hex:0x485631372D35424D752D6D6744302D473753752D455973702D4D673062
Flag: HV17-5BMu-mgD0-G7Su-EYsp-Mg0b
Text and hints:
Level: hard
Day 15: Unsafe Gallery
two buttons:
and there it showed some images.
So I thought that the URL probably somehow contains the user-id or something like that.
The given code bncqYuhdQVey9omKA6tAFi4rep1FDRtD4H8ftWiw looks base64-encoded and decoded resembles to these 30 bytes:
6E 77 2A 62 E8 5D 41 57 B2 F6 89 8A 03 AB 40 16
2E 2B 7A 9D 45 0D 1B 43 E0 7F 1F B5 68 B0
Not much information there yet.
Next was to find the correct user in the user list. In the description, there was only "Danny" mentioned, but there were dozens of Dannys in the list.
I loaded the list into Excel and filtered by pictureCount=15, because there were exactly 15 pictures shown. Additionally I filtered by state=active, because disabled accounts are probably not shown.
This leaves us with two possible accounts:
id=32009 or 41752
prename=Danny (for both)
name, address, zip, city, email are probably not of interest
memberType=gold (for both)
galleryCount=1 (for both)
state=active (for both)
crmId=44967219 or 78987754
mbUsed=39 or 38
logCorrelationId=91819254 or 78323661
advertisingId=128486 or 167628
To further narrow it down, I now (writing this) I should've downloaded the pictures and calculated the total size to check if it's 39 or 38 MB.
Anyway, I was stuck now, as I couldn't find any of these numbers in the bytes above. The length of 30 also indicates that it's not a hash.
So I was stuck and didn't solve this challenge. No flag here.
Text and hints:
Day 16: Try to escape ...
... from the snake cage
Santa programmed a secure jail to give his elves access from remote. Sadly the jail is not as secure as expected.
button: "nc challenges.hackvent.hacking-lab.com 1034"
Due to missing time, I didn't even start solving this. It probably is something similar to the tic-tac-toe challenge.
As it's an online challenge, we cannot try to solve it later. No flag here.
Text and hints:
Day 17: Portable NotExecutable
here is your flag.
but wait - its not running, because it uses the new Portable NotExecutable Format. this runs only on Santas PC. can you fix that?
button: "get the flag here"
Hint #1: IMAGE_FILE_HEADER and its friends
Hint #2: No reversing/bruteforcing needed. Just make it run ...
Hint #3: take the hint in the file serious, the black window should not appear (wine and cmd users might not see it - change OS or how you run the exe)
Due to missing time, I didn't even start solving this. Probably in the PE header there is some unusual flag set, so that it can't execute.
As I didn't solve it, no flag here.
Text and hints:
Day 18: I want to play a Game (Reloaded)
last year we played some funny games together - do you remember? ready for another round?
download the game here and play until you find the flag.
button: "get the game"
Hint #1: follow the fake flag in the unsigned binary. this challenge needs RE
So given was an ISO image. In there were four files:
ICON0.PNG
PARAM.SFO
USRDIR\EBOOT.BIN
USRDIR\hackvent.self
The png file was an image of a Christmas ball with an unreadable QR code on it.
With Photoshop and some image-enhancing skills I could get it readable, but it wasn't useful for this challenge, it reads: "HACKvent - mess with the best, die like the rest"
As I don't know the file extensions, this challenge is probably for Linux and needs some more time, so I skipped this one. No flag here.
Text and hints:
Day 19: Cryptolocker Ransomware
Pay the price, Thumper did it already!
This flag has been taken for ransom. Transfer 10'000 Szabo to 0x1337C8b69bcb49d677D758cF541116af1F2759Ca with your HACKvent username (case sensitive) in the transaction data to get your personal decryption key. To get points for this challenge, enter the key in the form below.
Disclaimer: No need to spend r34l m0n3y!
Enter your 32-byte decryption key here. Type it as 64 hexadecimal characters without 0x at the beginning.
"put your 64 hexadecimal characters her..." and button "Sumbit key" (yes with typo)
I thought that we might need to somehow sign a bitcoin transaction or something, but actually I had no idea what to do next. I got stuck here. And as it's an online challenge, no way to try it out later. No flag here.
Text and hints:
Day 20: linux malware
oh boy, this will go wrong... =D
ohai my name is muffinx...
...um yeah btw. cyberwar just started and you should just pwn everyone?
Make sure you don't leave traces and make the lifes of your opponents harder, but fairplay!
You are a hacker? Then think like a hacker!
Attack! Defend! And trick!
Ladies and gentlemen,
We understand that you
Have come tonight
To bear witness to the sound
Of drum And Bass
We regret to announce
That this is not the case,
As instead
We come tonight to bring you
The sonic recreation of the end of the world.
Ladies and gentlemen,
Prepare
To hold
Your
Colour
OK.
Fuck it,
I lied.
It's drum and bass.
What you gonna do?
WARNING:
RUN INSIDE VM, THIS CONTAINER MAYBE DANGEROUS FOR YOUR SYSTEM,
WE TAKE NO RESPONSIBILITY
You should keep the container inside the same host your haxxing on (same ip) or some things will not work...
button: "https://hub.docker.com/r/muffinx/hackvent17_linux_malware/"
Hint #1: check https://hub.docker.com/r/muffinx/hackvent17_linux_malware/ for regular updates, keep the container running (on the same ip) when you are haxxing the bot panel
Hint #2: you can also use https://hookbin.com/ to create private endpoints
I did not try this challenge. But as the links are public (not on HackingLab), you might want to try yourself. No flag here.
Later added:
20.12.2017 14:00 CET, Day 20, Hints added to the challenge description
(already included above)
Text and hints:
Day 21: tamagotchi
ohai fuud or gtfo
ohai
I'm a little tamagotchi who wants fuuuuud, pls don't giveh me too much or I'll crash...
button 1: "nc challenges.hackvent.hacking-lab.com 31337"
button 2: "File #1: tamagotchi"
button 3: "File #2: libc-2.26.so"
Here are the two files.
I didn't start this challenge and as it's an online challenge, there is probably no way to solve it later. No flag here.
Text and hints:
Day 22: frozen flag
todays flag is frozen. its quite cold in santas house at the north pole.
can you help him to unfreeze it?
button: "get the frozen flag here ..."
The zip file contains the encrypted flag (32 bytes length) and an exe file. So somehow you have to "unfreeze" it. This probably needs some reverse engineering. I didn't find the time for it, but I might have a look later. No flag for now.
Text and hints:
Day 23: only perl can parse Perl
... but there is always one more way to approach things!
button: "get your flag here ..."
(in doubt, use perl5.10+ on *nix)
This looked like an interesting challenge, even though I've never worked with Perl. But as I saw that the .pl file was binary (probably compiled), I quickly gave up, because that would already need some decompilers or something and I was lagging behind with the earlier challenges. No flag here.
Text and hints:
Day 24: Chatterbox
... likes to talk
I love to chat secure and private.
For this I mostly use http://challenges.hackvent.hacking-lab.com:1087.
It's easy to create a private chat and start chatting without a registration.
button: "Chatterbox" -> http://challenges.hackvent.hacking-lab.com:1087/
Hint #1: the admin is a lazy clicker boy and only likes <a href="..."></a>
Hint #2: As a passionate designer, the admin loves different fonts.
Hint #3: For step 2: I'd better be my own CA.
Hint #4: For step 2: It's all about the state
Hint #5: For step 3: python programmers don't need {{ ninjas }}
Link is showing a chat with dates, names and one-line texts and an input field below.
Above are four links: Messages (selected), Private Messages, Feedback, Login.
Private Messages: "Create your own private chat" with an input "Chat Title" and Chat CSS Style (file selector) and Create button.
Feedback: "Send us feedback" with input "First Name", "Last Name", "input text", reCAPTCHA, Submit button.
Login: Password field and reCAPTCHA and Submit button
As this is some kind of online challenge, we cannot work on this later. No flag here.
Day 1 - 5th anniversary
Level: easyText and hints:
Day 01: 5th anniversary
time to have a look back
Given image:
 |
| Image from day 1 |
I can't remember the exact links I used, but here are two valid links for each year:
2014:
http://lucasg.github.io/2014/12/01/HACKVent-2014-Day-01-writeup/
https://github.com/shiltemann/CTF-writeups-public/blob/master/Hackvent_2014/dec01.md
Flag 2014: HV14-BAAJ-6ZtK-IJHy-bABB-YoMw
2015:
https://morpheuzblog.wordpress.com/category/hackvent-2015/page/3/
https://mohammadg.com/capture-the-flag/hacking-lab/hackvent-2015/hv15-day-1/
Flag 2015: HV15-Tz9K-4JIJ-EowK-oXP1-NUYL
2016:
https://mohammadg.com/capture-the-flag/hacking-lab/hackvent-2016/hackvent-2016-day-1/
https://thevamp.cc/2017/03/08/hackvent-2016-complete-writeup/
Flag 2016: HV16-t8Kd-38aY-QxL5-bn4K-c6Lw
So putting this all together in the form given results in the correct flag:
Flag: HV17-5YRS-4evr-IJHy-oXP1-c6Lw
Day 2 - Wishlist
Level: easyText and hints:
Day 02: Wishlist
The fifth power of two
Something happened to my wishlist, please help me.
with a button "Get the Wishlist"
Downloading the file, it immediately looked like base64 encoded:
Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTVjAxV2JETlhhMUpU
VmpBeFYySkVUbGhoTVVwVQpWbXBCZUZZeVNrVlViR2hvVFZWd1ZRcFdiWEJDWlVa
...CmMxUllhRmhpYXpWWFdXdGtVMVF4V25SbFNHTkxDbFpxUmxwbFYxWkdaRWRvVGxK
RldsaFdSM1J2WkRGa2RGTnUKVWxCV1JUVlhWRlJLVTAxc1ZrZFNibHBSVlZjNE9V
Tm5QVDBLCg==
So I went to an online base64 decoder. For some reason I went to the site http://www.utilities-online.info/base64/ (doesn't work in IE, use Chrome). But when decoding it, the result doesn't look any different:Vm0wd2QyUXlVWGxWV0d4V1YwZDRWMVl3WkRSV01WbDNXa1JTVjAxV2JETlhhMUpU
VmpBeFYySkVUbGhoTVVwVQpWbXBCZUZZeVNrVlViR2hvVFZWd1ZRcFdiWEJDWlVa
WmVWTnJWbFZpUjJodlZGWldkMVpSY0ZkaVdFSkRXbFZhCldtVldUbkpXYkZacFVq
...This made me think a bit. After thinking about this, I clicked "decode" a second time. Luckily this used site had "decode" buttons from left to right and from right to left. So I just had to click the decode buttons alternating, but always I got base64 results. Now I understood the meaning of the hint "fifth power of two" (which means 32). So I had to click "decode" 32 times. Very easy with this site. And finally the flag appeared.
Flag: HV17-Th3F-1fth-Pow3-r0f2-is32
Day 3 - Strange Logcat Entry
Level: easyText and hints:
Day 03: Strange Logcat Entry
Lost in messages
I found those strange entries in my Android logcat, but I don't know what it's all about... I just want to read my messages!
button: "Get the logcat"
Downloading the file, it shows a huge log file, with nothing interesting in it. I found that there is a crash but nothing else interesting. When I got stuck, I got the hint that I should "look closer at the crash". This helped me to find the following line:
11-13 20:40:24.044 137 137 DEBUG: I 07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931
This seems to be the content of the received text message (SMS) that caused the mobile phone to crash. The question is now how to get the real content of that message.
First I tried to find some online site to decode it:
 |
| failed decoding |
This site could decode the message perfectly:
 |
| successful PDU decoding |
Flag: HV17-th1s-isol-dsch-00lm-agic
Actually there are more online tools that do work:
https://smspdu.benjaminerhart.com/
http://www.smspdu.com/
Day 4 - HoHoHo
Level: mediumText and hints:
Day 04: HoHoHo
NOTE: New easyfied attachment available
Santa has hidden something for you
with a button: "here"
This button downloads a PDF file with nothing useful visible in it (just a Santa image with some advent text and some links to Wikipedia). I tried various tools, like pdf-parser, peepdf, qpdf, and mupdf to look at the content. I think the peepdf tool is the best one for this challenge, but unfortunately, with none of the tools I could find anything interesting. I tried to solve this for many hours per day for more than a week, but I couldn't get anywhere. Finally I got the hint from someone that I should look closer at the font and that helped me. Maybe this is a known Linux font format or something, but I have never seen an SFD file, so that's why I made no progress for such a long time.
Running peepdf with the command
peepdf.py -i HoHoHo_medium.pdf
gets peepdf into interactive mode on the specified file. Then you can run the command:
tree
to see the various content blocks. The font is in stream 21. To extract the binary, run this command:
stream 21 >stream21.bin
So now we have the font extracted. Let's rename it to its real name, to DroidSans-HACKvent.sfd.
I think this was one of the hardest challenges, unless you're familiar with sfd files.
But as I now already knew to look closer into this font, I searched for a tool to edit such files and found FontForge. The Windows installer is 18MB and running the tool opens an Interface in OS X-like look and feel. Opening the font gets you a list of defined characters:
 |
| FontForge with the DroidSans-HACKvent.sfd font |
 |
| first letter of the DroidSans-HACKvent.sfd font |
Maybe there's an easier way for this or better tools, but this solved the challenge.
Flag: HV17-RP7W-DU6t-Z3qA-jwBz-jItj
Day 5 - CRC
Level: mediumText and hints:
Day 05: Only one hint
OK, 2nd hint: Its XOR not MOD
Here is your flag:
0x69355f71
0xc2c8c11c
0xdf45873c
0x9d26aaff
0xb1b827f4
0x97d1acf4
and the one and only hint:
0xFE8F9017 MOD 0x13371337
Before I started working on this, someone spoiled to me that he googled the result of the hint. When I did the same, I didn't get any useful results though. The next day the challenge was updated:
05.12.2017 13:00 CET, Day 05, Changed challenge description (typo), its XOR, not MOD
Actually this was the same day, but as I was solving the challenges past midnight, it was a day later for me. So with the result:
0xFE8F9017 XOR 0x13371337 = 0xEDB88320
we have a new value. Googling for that indicates that this is used in CRC-32, reverse polynomial representation.
So I searched for the CRC-32 calculation code and found this calculation: http://www.hackersdelight.org/hdcodetxt/crc.c.txt
So I wrote a quick&dirty C#.NET program from that code (I can't find it anymore right now) to simply brute-force through the whole range of 0...0xffffffff and if any of the results is one of the numbers from the task, then it prints out the value (source number and result). The found source values are actually the ASCII codes of the flag.
For this write-up I searched if there are any online tools to do reverse CRC-32 lookup and I found one site that does exactly this. Unfortunately it doesn't work on all of the values, so it cannot really be used to solve this challenge, so I had to re-implement the code to get the flag again.
Flag: HV17-7pKs-whyz-o6wF-h4rp-Qlt6
Day 6 - Santa's journey
Level: mediumText and hints:
Day 06: Santa's journey
Make sure Santa visits every country
Follow Santa Claus as he makes his journey around the world.
button: "Link"
The link goes to http://challenges.hackvent.hacking-lab.com:4200/ and shows a single QR code.
Scanning the code with an app on my mobile phone shows the text of a country.
I pressed "refresh" (F5) and it showed a new QR code. Scanning it with my mobile and a QR app, it seems that the shown country is random. So we need to come up with a plan.
I pressed refresh about 20 times (without scanning each) and then it suddenly showed a much bigger QR code.
I scanned that one and it was the solution. Writing this write-up and trying this again, I was probably pretty lucky then, because there are many other countries with long names.
But anyway, it was solvable that way, even now doing this again. If you just scan all the bigger codes manually, you finally get to the solution after maybe 10-20 tries.
Probably the challenge writer wanted you to write some code to automate this. In order to do so, you would have to make the challenge a bit more complicated by making all names the same length (with some padding) and maybe even ensure that the solution is not among the random shown ones, but only shows up randomly after requesting first 50 other images within 10 seconds with the same session or something along those lines. But maybe Burp Suite can help with that as well without writing any code. Here are some images I got:
 |
| Kyrgyzstan |
 |
| Central African Republic |
 |
| South Georgia and the South Sandwich Islands |
 |
| Our Flag |
Flag: HV17-eCFw-J4xX-buy3-8pzG-kd3M
Day 7 - I know what you did last xmas
Level: mediumText and hints:
Day 07: i know ...
... what you did last xmas
We were able to steal a file from santas computer. We are sure, he prepared a gift and there are traces for it in this file.
Please help us to recover it:
button: "Download"
The button downloads a file "SANTA.FILE"
The file starts with "PK", so it must be a zipped file. Renaming it to SANTA.FILE.zip, we find a new file "SANTA.IMA".
IMA is probably some image file (like a DVD image), so opening it with 7-zip works and shows a new SANTA.PRIV file.
That file starts with "regf", so it could be some registry file. And indeed, it is a registry hive. I went to my registry, created a new key and loaded this hive into it. Actually this was a bad idea. I could never delete all subkeys again due to missing permissions. Even taking ownership didn't work. If anyone has some good ideas, please post it into the comments.
But even searching through the registry couldn't find anything interesting. There was no "HV17" in there or anything similar, so I got stuck. Even exporting the entire registry hive as .reg file (text-based) couldn't get anything interesting.
Someone gave me the hint that "this was the easiest challenge of all so far" and the solution was "just in the file".
And indeed, I opened the registry hive file in HxD and searched for "HV17" and found the flag. The other guy even searched one step earlier, in the SANTA.IMA file, so he only had to unzip the challenge and run "strings" on it.
 |
| HxD view of SANTA.PRIV |
Flag: HV17-UCyz-0yEU-d90O-vSqS-Sd64
Day 8 - True 1337s
Level: mediumText and hints:
Day 08: True 1337s
... can read this instantly
I found this obfuscated code on a public FTP-Server. But I don't understand what it's doing...
button: "Download"
This downloads a file "True.1338.txt".
It starts like this:
exec(chr(True+True+True+True+True+Tr...
and then has millions of "True+True+" in there.
If you scroll near the end it looks a bit different. You can see:
+1337+1337)+_1337(1337+1337+1337+1337+1337+1337+1337+1337+1337+1337))
with millions of "1337+1337+" in there.
So it's some obfuscated code.
First I thought that this is JavaScript, but it isn't. JavaScript doesn't have the chr command.
Later I thought it was PHP (due to the often-abused exec command and people often find such things on their webserver as mentioned in the text), but that was also not the case.
But actually it doesn't really matter what language it is.
I concluded that "True" evaluates to 1 and adding it several times gives you a number.
So it starts with something like this:
exec(chr(10)+chr(n)+chr(n)... gives some meaningful code.
So I did some text replacing and got this code:
A=chr;
#__1337=exec;
SANTA=input;
#FUN=print
def _1337(B):return A(B//1337)
print(_1337(1337+1337+1337+1337+1337+1337+1337+1337+1337+1337)+_1337(1337+1337+...
This means that in the second part a number of 1337 values will get added, then the function _1337(B) called which runs chr(B/1337).
So this means we do the same again.
Simplified I get this code:
A=chr;__1337=exec;SANTA=input;FUN=print
def _1337(B):return A(B//1337)
C=SANTA("?")
if C=="1787569":FUN("HV17-aaaa-bbbb-cccc-dddd")
Someone hinted to me that this is Python (I have almost no Python experience.)But it seems like something is wrong there anyway.
And indeed, a few days later I see this:
08.12.2017 00:18 CET, Day 08, Wrong challenge file has been replaced
When doing this again, I get the following:
A=chr;__1337=exec;SANTA=input;FUN=print
def _1337(B):return A(B//1337)
C=SANTA("?")
if C=="1787569":FUN(''.join(chr(ord(a) ^ ord(b)) for a,b in zip("{g???MZF?_M?C¶_?X??\ER?F[X?","31415926535897932384626433832")))
The only problem there is that it seems that some values for the zip command are binary and get lost in the ASCII representation.So I had to simplify it again, but not too much. This resulted in this code:
#A=chr;
#_chr=exec;
#SANTA=input;
#FUN=print
#def chr(B):return A(B//1)
#print("\nC=SANTA(\"?\")\nif C==\"1787569\":FUN(\'\'.join(chr(ord(a) ^ ord(b)) for a,b in zip(\"{"+chr(103)+chr(5)+chr(6)+chr(24)+"M"+chr(90)+chr(7)+"F"+chr(30)+chr(95)+"M"+chr(12)+"C"+chr(20)+chr(95)+chr(1+1+1)+chr(88)+chr(11)+chr(25)+chr(92)+chr(7)+"ER"+chr(30)+"F"+chr(91)+chr(88)+chr(19)+"\",\"31415926535897932384626433832\")))\n")#C=SANTA("?")
#if C=="1787569":
print(''.join(chr(ord(a) ^ ord(b)) for a,b in zip("{"+chr(103)+chr(5)+chr(6)+chr(24)+"M"+chr(90)+chr(7)+"F"+chr(30)+chr(95)+"M"+chr(12)+"C"+chr(20)+chr(95)+chr(1+1+1)+chr(88)+chr(11)+chr(25)+chr(92)+chr(7)+"ER"+chr(30)+"F"+chr(91)+chr(88)+chr(19),"31415926535897932384626433832")))
So I could simply run this Python code and it returned the flag. A bit too late for being on time, but solved.Flag: HV17-th1s-ju5t-l1k3-j5sf-uck!
Day 9 - JSONion
Level: mediumText and hints:
Day 09: JSONion
... is not really an onion. Peel it and find the flag.
button: "Download"
The download gets you a JSONion.zip file.
In the ZIP is a file jsonion.json file.
Opening it with Visual Studio and after selecting "Format Document", I get this:
 |
| Original JSON file |
I had no idea what to do with this.
I thought "op": "map" is something known and so I googled for it, but you can imagine the results for "map and json". Nothing useful. I wasted some hours there.
Also the "mapTo" data looks like a JSON array or something, but nothing useful.
The data itself in all three fields looks a bit like base64, but there are other characters, so it must be something else. I tried base93 and other codes, but without success.
Then, after several days, I had the idea to do a statistical analysis on the used characters. That might reveal what code is being used, or at least how many different characters were used.
I got these results:
- 0...9 20581,... 7: 3x, 8: 3x
- a...z g: 10x, l: 3x, r: 3x, t:3x, u:4x
- A...Z
- \" 19542x
- + 20406x
- , 20839x
- \/ 3x
- : 24761x
- = 19813x
- [ 26653x
- \\ 21891x
- ] 20830x
- { 20943x
- } 22940x
As I cannot do this manually, not even with replace commands (you would have to follow a certain order), I wrote a program in C#.NET.
I don't have that program anymore, but you'll see later why. In the program I made a for-loop for each character, searched the string in mapFrom and created a new string from mapTo appending each character. This program ran for 45 minutes and returned a new file.
The new file looked almost the same as the first one:
 |
| JSON, stage 2 |
So now we have an op (operation) gzip. I did this manually with some online tools and got to the next stage. Next we have "op": "b64" and some base64-encoded data in "content". Ok, we can do this manually again. The next stage was a gzip again. And then a "map" operation again.
I think I continued about 10-20 stages, but as the name of the challenge was already something with "onion", I thought this cannot be done manually and started to write more code.
As the string handling in the mapping operation was insanely slow, I had to investigate in how to optimize that. First I tried with pre-ordering the mapping table into an array and then just doing simple lookups instead of searching in mapFrom. This didn't help in increasing the speed. Then I discovered the StringBuilder class, where you can say in advance how long the string will be and simply execute an Append command. This took down the execution time from hours to less than a second. This is because then no longer garbage collection is done within the loop and the string remains in memory.
In my program I wrote the decoded next stage as file into a folder, so I could start at that point later again (because of the initially slow execution).
I also had to implement some JSON parsing code, because that's not built-into .NET. Everywhere I looked this up, they recommended me some 3rd party software and I really didn't want to use other components. I ended up with the class JavaScriptSerializer, which can also be used to parse JSON - it just hasn't got much functionality.
So after running this, new operations showed up. Besides the already known "map", "gzip" and "b64", four more appeared: "nul" (another json directly in the content), "xor" (with a new field "mask", one byte base64 encoded value to xor-decrypt the content which is also base64 encoded), "rev" to reverse the JSON string in content, and "flag".
So running this in a loop wrote 82 stage files into my folder and stage82 was this JSON file:
[{"op":"flag","content":"THIS-ISNO-THEF-LAGR-EALL-Y..."}]
Bummer.
It took me another day and thinking about this to continue.
Well, I think I've done everything correctly, so there must be something hidden in one of the stages.
I started opening all the stages manually in Visual Studio (starting from the end) and I found in stage 74 this nice nasty thing
 |
| JSON, stage 74 |
Easy, so I took this apart into two different paths (stage74a and stage74b) and ran my program on both. In the b-path I got lucky with the flag at the end:
[{"op":"flag","content":"HV17-Ip11-9CaB-JvCf-d5Nq-ffyi"}]
Flag: HV17-Ip11-9CaB-JvCf-d5Nq-ffyi
Here's the program I wrote:
https://pastebin.com/2qG56TtS
Day 10 - Just play the game
Text and hints:Day 10: Just play the game
Haven't you ever been bored at school?
Santa is in trouble. He's elves are busy playing TicTacToe. Beat them and help Sata to save christmas!
button: "nc challenges.hackvent.hacking-lab.com 1037"
Pressing the button just loaded the same page again.
So I first had to find out what this means. I discovered that "nc" is some Unix command to connect to that site and port.
As I'm a Windows guy, I used the telnet command. First I had to open my firewall and then I got this:
 |
| telnet result |
 |
| telnet result, 2nd screen |
Although the image was a bit distorted, I could still play a bit.
So I played a bit and found some winning strategy: Play 1-9-7-4. Then I got the message "Congratulations you won! 1/100 Press enter to start again".
So I thought I try this manually by entering 1-9-7-4-Enter-1-9-7-4-Enter etc. but after 10 times or so I always made a mistake and I lost.
While debugging, I also came across the correct image, which I couldn't see before:
 |
| Welcome screen |
 |
| Correct rendering of board |
I also added the "if otherwise" case (throw exception) and running it, it quickly ran into said exception. This means that I wasn't making mistakes (playing before manually), but instead the server responded with different moves sometimes.
So I had to change my winning strategy. For some cases I couldn't find a winning move, but at least I did not lose. So after implementing a few more board states (16 in total), it ran without running into an unknown combination and won fast enough.
Here's my program (C#.NET): https://pastebin.com/P5nnEr7p |
| final run |
Day 11 - Crypt-o-Math 2.0
Text and hints:Day 11: Crypt-o-Math 2.0
So you bruteforced last years math lessions? This time you cant escape!
c = (a * b) % p
c=0x423EDCDCDCD928DD43EAEEBFE210E694303C695C20F42A27F10284215E90
p=0xB1FF12FF85A3E45F722B01BF3135ED70A552251030B114B422E390471633
b=0x88589F79D4129AB83923722E4FB6DD5E20C88FDD283AE5724F6A3697DD97
find "a" to get your flag.
First I converted the numbers to decimal using some online tool.c=457210035143347787689077715544591571908955061300162780487882896908050064
p=1228485890518970293934792032966354040636054244099097597451085919424026163
b=941026773241901737880457587235031905127428585147705900188262353910357399
I got lazy and simply entered this into the online WolframAlpha tool and got this result:
 |
| WolframAlpha solution 1 |
485631372D587444772D30447A4F2D595267422D326232652D55574E7A00
And converting this to ASCII gives us the flag:
Flag: HV17-XtDw-0DzO-YRgB-2b2e-UWNz
11.12.2017 11.55 CET, Day 11, Challenge has changed, due to cheating activities
and indeed, the numbers did change:
c=0x559C8077EE6C7990AF727955B744425D3CC2D4D7D0E46F015C8958B34783
p=0x9451A6D9C114898235148F1BC7AA32901DCAE445BC3C08BA6325968F92DB
b=0xCDB5E946CB9913616FA257418590EBCACB76FD4840FA90DE0FA78F095873
or converted into decimal:c=590867720467499739656230398758801227927329092826661098133553607261505411
p=1023659786424349813810435942750567812478342322946284370914320216115614427
b=1419762318326277663933821153866524377417016166171412157761654041111779443
Solving this again by simply using WolframAlpha:
 |
| WolframAlpha solution 2 |
485631372D7A51427A2D417744672D3146454C2D725545392D474B677100
And converting this to ASCII gives us the new flag:
Flag: HV17-zQBz-AwDg-1FEL-rUE9-GKgq
Additional thoughts:
It seems like they added a null-byte to the end of the flag in the hex value. I'm not sure why they did this. As they mentioned some brute-forcing in the challenge description, I assumed that the result is larger then the smallest value and we would have to try higher values, but for some reason this wasn't the case. I don't know why it was that simple.
Another thing I looked into was how to solve that equation manually. For this write-up I did it manually on paper with smaller numbers and started solving it with these big numbers too. It's a lot of work. So for the simple equation 363=17*x mod 453 we would have to find out how many times we would have to multiply x by 17 to "wrap-around" the 453. This gives 27 times and results in a mod value of 6. If I now do this multiple times, I can wrap-around this 6 as well, so I get 76 with a mod value of 3. The result 363 is divisible by 3, so I can use this. We now have 27 rounds for wrap1 and 76 rounds for wrap2. This results in 2052. And because 363 is divisible by 3 (=121), we calculate 2052*121=248292. This now mod 453 gives 48. And 48 is our final result: x=48+n*453, which you can prove in the initial equation. I tried this with the big numbers above and only made slow progress (about 3 minutes per digit), so I gave up there. WolframAlpha is good enough.
One thing to keep in mind is that WolframAlpha in the free edition has a size-limit on the input field, so make sure the input is not truncated.
Day 12 - giftlogistics
Level: hardText and hints:
Day 12: giftlogistics
countercomplete inmeasure
Most passwords of Santa GiftLogistics were stolen. You find an example of the traffic for Santa's account with password and everything. The Elves CSIRT Team detected this and made sure that everyone changed their password.Unfortunately this was an incomplete countermeasure. It's still possible to retrieve the protected user profile data where you will find the flag.
two buttons: "Link" and "Traffic"
The link goes to the site http://challenges.hackvent.hacking-lab.com:7240/giftlogistics/
There's a menu with Home/About/Contact and a "Log in".
"Powered by Santa Enging 1.2.6, (c) 2017 The Santa Corporation and Elves Laboratories."
Text on the page:
Welcome to GiftLogistics!
With GiftLogistics all gifts will arrive on time. Great tool for Santa, his Elves and Subsidiaries to manage the huge load on gifts!!!
The traffic is in the pcap file.In the pcap file there was only one unencrypted HTTP traffic, essentially a GET to host hackvent.hacking-lab.com, with an answer 301 (Moved Permanently) to https and two OCSP lookups. I mapped the SSL traffic between the different IP addresses and created a list of DNS traffic, looked at the one ARP request, but didn't get anywhere further. Additionally the site is now no longer reachable, so should I find anything, I cannot try it out anymore anyway.
I did not solve this challenge, so no flag here.
Day 13 - muffin_asm
Level: hardText and hints:
Day 13: muffin_asm
As M. said, kind of a different architecture!
ohai \o/How about some custom asm to obsfucate the codez?
button: "Download"
Actually I don't have the original file anymore, but in the download you can see (commented out) my solution. Essentially this is implementing some custom assembler code, emulated.
I simply added debugging instructions to print out the current command.
You had to input the flag yourself. If you entered a wrong key, it printed out an error. The assembly code did simple comparisons with the flag in the code (not plaintext, somehow obfuscated). So after entering one character, it compared the value against the first letter of the correct flag, so comparing CMP r1, 'H', which means you knew that the correct character there was 'H'. I advanced character by character and wrote down the flag. It would be nice to statically disassemble the whole file or do other things, but due to lack of time, I didn't.
Flag: HV17-mUff!n-4sm-!s-cr4zY
Day 14 - Happy Christmas
Level: hardText and hints:
Day 14: Happy Cryptmas
todays gift was encrypted with the attached program. try to unbox your xmas present.
Flag: 7A9FDCA5BB061D0D638BE1442586F3488B536399BA05A14FCAE3F0A2E5F268F2F3142D1956769497AE677A12E4D44EC727E255B391005B9ADCF53B4A74FFC34C
button: "Download"
I disassembled the binary and found that it's implementing RSA encryption. Actually you wouldn't even need any reverse engineering skills, because the public key was visible as decimal in the hex dump of the binary (65537) and that already indicates that RSA was used. The only tricky thing without reversing skills would be to get the correct modulus, but as it was there in ASCII (hex) that shouldn't be too complicated. So we have the public key the flag was encrypted with:
public key: 65537
modulus: 0xF66EB887F2B8A620FD03C7D0633791CB4804739CE7FE001C81E6E02783737CA21DB2A0D8AF2D10B200006D10737A0872C667AD142F90407132EFABF8E5D6BD51
Converting this to decimal:
12906717464348092265956410210860282684261200239649314436822666616460740520052403025774625130601134473716449192270880280937288228652858915015044165744901457
The nice page https://www.alpertron.com.ar/ECM.HTM could factorize it:
p=18132985757038135691
q=711781150511215724435363874088486910075853913118425049972912826148221297483065007967192431613422409694054064755658564243721555532535827
Now some RSA math:p-1 = 2*5*7*7*7*1571*3365108064173
q-1 = 2*7*19*2268252249169* 1179705206008108078335285886992779782156858516784490216210640425176946641657869996965142017379636333789517414336552972069
lcm(p-1,q-1)=2*5*7*7*7*19*1571*3365108064173*2268252249169* 1179705206008108078335285886992779782156858516784490216210640425176946641657869996965142017379636333789517414336552972069lambda=921908390310578018946044932882076211416131168968630537624772335953022533577106442830457416651290676124946911475532705088802440278371452331309775226730710
And with WolframAlpha:
d=840418311346493937224964653098353009366393648761186243493818735053136064300023609876296563779463664104381162994861313957389154096022461328436931979580993
With the given encrypted flag, converted to decimal:
flag=6422364120026732410681865634854254183147125246054233723304764504977840830688444841588552434965602224626422836832323525577199101442006761403538743492592460
decrypt=flag^d mod modulus
decrypt=6422364120026732410681865634854254183147125246054233723304764504977840830688444841588552434965602224626422836832323525577199101442006761403538743492592460 840418311346493937224964653098353009366393648761186243493818735053136064300023609876296563779463664104381162994861313957389154096022461328436931979580993 12906717464348092265956410210860282684261200239649314436822666616460740520052403025774625130601134473716449192270880280937288228652858915015044165744901457
remainder=1950193263214537087126063880738805970134683456457941605829795971018850
or in hex:0x485631372D35424D752D6D6744302D473753752D455973702D4D673062
Flag: HV17-5BMu-mgD0-G7Su-EYsp-Mg0b
Day 15 - Unsafe Gallery
Level: hardText and hints:
Level: hard
Day 15: Unsafe Gallery
See pictures you shouldn't see
The List of all Users of the Unsafe Gallery was leaked (See account list).
With this list the URL to each gallery can be constructed. E.g. you find Danny's gallery here.
Now find the flag in Thumper's gallery.two buttons:
- "Link to Danny's gallery"
- "account list"
and there it showed some images.
So I thought that the URL probably somehow contains the user-id or something like that.
The given code bncqYuhdQVey9omKA6tAFi4rep1FDRtD4H8ftWiw looks base64-encoded and decoded resembles to these 30 bytes:
6E 77 2A 62 E8 5D 41 57 B2 F6 89 8A 03 AB 40 16
2E 2B 7A 9D 45 0D 1B 43 E0 7F 1F B5 68 B0
Not much information there yet.
Next was to find the correct user in the user list. In the description, there was only "Danny" mentioned, but there were dozens of Dannys in the list.
I loaded the list into Excel and filtered by pictureCount=15, because there were exactly 15 pictures shown. Additionally I filtered by state=active, because disabled accounts are probably not shown.
This leaves us with two possible accounts:
id=32009 or 41752
prename=Danny (for both)
name, address, zip, city, email are probably not of interest
memberType=gold (for both)
galleryCount=1 (for both)
state=active (for both)
crmId=44967219 or 78987754
mbUsed=39 or 38
logCorrelationId=91819254 or 78323661
advertisingId=128486 or 167628
To further narrow it down, I now (writing this) I should've downloaded the pictures and calculated the total size to check if it's 39 or 38 MB.
Anyway, I was stuck now, as I couldn't find any of these numbers in the bytes above. The length of 30 also indicates that it's not a hash.
So I was stuck and didn't solve this challenge. No flag here.
Day 16 - Try to escape from the snake cage
Level: hardText and hints:
Day 16: Try to escape ...
... from the snake cage
Santa programmed a secure jail to give his elves access from remote. Sadly the jail is not as secure as expected.
button: "nc challenges.hackvent.hacking-lab.com 1034"
Due to missing time, I didn't even start solving this. It probably is something similar to the tic-tac-toe challenge.
As it's an online challenge, we cannot try to solve it later. No flag here.
Day 17 - Portable NotExecutable
Level: hardText and hints:
Day 17: Portable NotExecutable
here is your flag.
but wait - its not running, because it uses the new Portable NotExecutable Format. this runs only on Santas PC. can you fix that?
button: "get the flag here"
Hint #1: IMAGE_FILE_HEADER and its friends
Hint #2: No reversing/bruteforcing needed. Just make it run ...
Hint #3: take the hint in the file serious, the black window should not appear (wine and cmd users might not see it - change OS or how you run the exe)
Due to missing time, I didn't even start solving this. Probably in the PE header there is some unusual flag set, so that it can't execute.
As I didn't solve it, no flag here.
Day 18 - I want to play a Game (Reloaded)
Level: finalText and hints:
Day 18: I want to play a Game (Reloaded)
last year we played some funny games together - do you remember? ready for another round?
download the game here and play until you find the flag.
button: "get the game"
Hint #1: follow the fake flag in the unsigned binary. this challenge needs RE
So given was an ISO image. In there were four files:
ICON0.PNG
PARAM.SFO
USRDIR\EBOOT.BIN
USRDIR\hackvent.self
The png file was an image of a Christmas ball with an unreadable QR code on it.
With Photoshop and some image-enhancing skills I could get it readable, but it wasn't useful for this challenge, it reads: "HACKvent - mess with the best, die like the rest"
As I don't know the file extensions, this challenge is probably for Linux and needs some more time, so I skipped this one. No flag here.
Day 19 - Cryptolocker Ransomware
Level: finalText and hints:
Day 19: Cryptolocker Ransomware
Pay the price, Thumper did it already!
This flag has been taken for ransom. Transfer 10'000 Szabo to 0x1337C8b69bcb49d677D758cF541116af1F2759Ca with your HACKvent username (case sensitive) in the transaction data to get your personal decryption key. To get points for this challenge, enter the key in the form below.
Disclaimer: No need to spend r34l m0n3y!
Enter your 32-byte decryption key here. Type it as 64 hexadecimal characters without 0x at the beginning.
"put your 64 hexadecimal characters her..." and button "Sumbit key" (yes with typo)
I thought that we might need to somehow sign a bitcoin transaction or something, but actually I had no idea what to do next. I got stuck here. And as it's an online challenge, no way to try it out later. No flag here.
Day 20 - Linux malware
Level: finalText and hints:
Day 20: linux malware
oh boy, this will go wrong... =D
ohai my name is muffinx...
...um yeah btw. cyberwar just started and you should just pwn everyone?
Make sure you don't leave traces and make the lifes of your opponents harder, but fairplay!
You are a hacker? Then think like a hacker!
Attack! Defend! And trick!
Ladies and gentlemen,
We understand that you
Have come tonight
To bear witness to the sound
Of drum And Bass
We regret to announce
That this is not the case,
As instead
We come tonight to bring you
The sonic recreation of the end of the world.
Ladies and gentlemen,
Prepare
To hold
Your
Colour
OK.
Fuck it,
I lied.
It's drum and bass.
What you gonna do?
WARNING:
RUN INSIDE VM, THIS CONTAINER MAYBE DANGEROUS FOR YOUR SYSTEM,
WE TAKE NO RESPONSIBILITY
You should keep the container inside the same host your haxxing on (same ip) or some things will not work...
button: "https://hub.docker.com/r/muffinx/hackvent17_linux_malware/"
Hint #1: check https://hub.docker.com/r/muffinx/hackvent17_linux_malware/ for regular updates, keep the container running (on the same ip) when you are haxxing the bot panel
Hint #2: you can also use https://hookbin.com/ to create private endpoints
I did not try this challenge. But as the links are public (not on HackingLab), you might want to try yourself. No flag here.
Later added:
20.12.2017 14:00 CET, Day 20, Hints added to the challenge description
(already included above)
Day 21 - Tamagotchi
Level: finalText and hints:
Day 21: tamagotchi
ohai fuud or gtfo
ohai
I'm a little tamagotchi who wants fuuuuud, pls don't giveh me too much or I'll crash...
button 1: "nc challenges.hackvent.hacking-lab.com 31337"
button 2: "File #1: tamagotchi"
button 3: "File #2: libc-2.26.so"
Here are the two files.
I didn't start this challenge and as it's an online challenge, there is probably no way to solve it later. No flag here.
Day 22 - Frozen flag
Level: finalText and hints:
Day 22: frozen flag
todays flag is frozen. its quite cold in santas house at the north pole.
can you help him to unfreeze it?
button: "get the frozen flag here ..."
The zip file contains the encrypted flag (32 bytes length) and an exe file. So somehow you have to "unfreeze" it. This probably needs some reverse engineering. I didn't find the time for it, but I might have a look later. No flag for now.
Day 23 - Only perl can parse Perl
Level: finalText and hints:
Day 23: only perl can parse Perl
... but there is always one more way to approach things!
button: "get your flag here ..."
(in doubt, use perl5.10+ on *nix)
This looked like an interesting challenge, even though I've never worked with Perl. But as I saw that the .pl file was binary (probably compiled), I quickly gave up, because that would already need some decompilers or something and I was lagging behind with the earlier challenges. No flag here.
Day 24 - Chatterbox
Level: finalText and hints:
Day 24: Chatterbox
... likes to talk
I love to chat secure and private.
For this I mostly use http://challenges.hackvent.hacking-lab.com:1087.
It's easy to create a private chat and start chatting without a registration.
button: "Chatterbox" -> http://challenges.hackvent.hacking-lab.com:1087/
Hint #1: the admin is a lazy clicker boy and only likes <a href="..."></a>
Hint #2: As a passionate designer, the admin loves different fonts.
Hint #3: For step 2: I'd better be my own CA.
Hint #4: For step 2: It's all about the state
Hint #5: For step 3: python programmers don't need {{ ninjas }}
Link is showing a chat with dates, names and one-line texts and an input field below.
Above are four links: Messages (selected), Private Messages, Feedback, Login.
Private Messages: "Create your own private chat" with an input "Chat Title" and Chat CSS Style (file selector) and Create button.
Feedback: "Send us feedback" with input "First Name", "Last Name", "input text", reCAPTCHA, Submit button.
Login: Password field and reCAPTCHA and Submit button
As this is some kind of online challenge, we cannot work on this later. No flag here.
Comments
Post a Comment