GeeksSpeak Team Blog

WriteUps and random thoughts

NDH CTF 2015 - Weshgrow Writeup

NDH 2015 Weshgrow Writeup
Point = 300
Category = Crypto

Opening the URL redirects us to the following link:

http://weshgrow.challs.nuitduhack.com/?hmac=ca8473d35a80a5ca4e9f3555c2869f71

As we know, an HMAC is a message authentication code computed with a cryptographic hash function and a secret key, so this value must have been computed over some input.

We can also find another HMAC in the page source:

http://weshgrow.challs.nuitduhack.com/admin?hmac=fac0887096a54ac497d968daf4c4fe0b

If you open the /flag address without the expected HMAC, you are redirected to address+"#missinghmac".

So this could be the HMAC of each page, and we should prepare an HMAC for flag.

NDH CTF 2015 - Facesec Writeup

NDH 2015 Facesec Writeup
Point = 100
Category = Web
Description :

“Hello there,

We are looking for a developer or security consultant to secure our filebox system. We stumbled upon your LinkedIn profile and it seems like you would be a perfect candidate for this job. Could you please send us your CV and Motivation letter?
Thanks,

http://facesec.challs.nuitduhack.com/

After you open the link, you see a login/register system, so sign up and log in to your account.

After that you see an upload form with this description:

You can upload a .txt file if you specify the type of the content (cv or motivation letter). If you want, you can upload a tar archive which contains two files (cv.txt and motiv.txt). The content will be update in your profil we can examine your instance.

So try to upload your file; the contents of the two text files go into two fields in your profile, named CV and Motivation Letter.

NDH CTF 2015 - Cooper Writeup

NDH 2015 Cooper Writeup
Point = 300
Category = Stegano

“I am not crazy, my mother had me tested.” (Sheldon)

What did Sheldon … huh sorry, Dr. Cooper really mean? (http://quals.nuitduhack.com/challenges/view/14)

The tar zip contains a Windows executable, so the first thing I did was open it in CFF Explorer. Doing so, I found a picture of Sheldon … or better to say "Dr. Cooper" in the resources and a section called .hidden containing a ZIP file.

Sheldon's picture

NDH CTF 2015 - Private Writeup

NDH 2015 Private Writeup
Point = 100
Category = Forensics
Description :

“The quiet you are, the more you are able to ear”

We were provided a pcapng file in this challenge. At first glance I thought it might be a VoIP challenge because of the description, but after viewing the packets this assumption proved wrong. There were some STP, CDP and some ICMP packets. After some investigation of the packets I found some unusual ICMP packets! Their identification fields were 0! All of them! Hmmm. It seems somebody generated them manually with a packet generator, so I focused on them to find a pattern. Actually their IP headers had a pattern, and they were ASCII numbers! Sweet. That’s easy. Let’s have some fun with Scapy.

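from scapy.all import *
from scapy.utils import rdpcap

flag = ""
pkts = rdpcap("private.pcap")
for pkt in pkts:
    # Echo requests (type 8) whose ICMP identifier is 0 carry the data
    if ICMP in pkt and pkt[ICMP].type == 8 and pkt[ICMP].id == 0:
        # Each IP identification field holds one ASCII character code
        flag += chr(pkt[IP].id)
print(flag)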
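
The same pattern from the detection side, as an added example that is not part of the original writeup: it parses raw IPv4/ICMP headers without Scapy and reports echo requests whose ICMP identifier is 0 and whose IP ID is a printable ASCII code. The function names, the `min_hits` threshold and the sample packets are assumptions constructed for illustration.

```python
import struct

def build_echo(ip_id, icmp_id, icmp_type=8):
    """Constructed sample packet: raw IPv4 header + ICMP header, checksums zeroed."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0,
                     64, 1, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + icmp

def parse_icmp(raw):
    """Return (ip_id, icmp_type, icmp_id), or None for anything not IPv4/ICMP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 1:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or len(raw) < ihl + 8:
        return None                    # truncated or malformed header
    (ip_id,) = struct.unpack("!H", raw[4:6])
    icmp_type, _code, _csum, icmp_id = struct.unpack("!BBHH", raw[ihl:ihl + 6])
    return ip_id, icmp_type, icmp_id

def find_covert_text(packets, min_hits=4):
    """Collect IP IDs of echo requests whose ICMP id is 0 and whose IP ID is
    printable ASCII; report the text only once min_hits packets match."""
    chars = []
    for raw in packets:
        hdr = parse_icmp(raw)
        if hdr is None:
            continue
        ip_id, icmp_type, icmp_id = hdr
        if icmp_type == 8 and icmp_id == 0 and 0x20 <= ip_id <= 0x7E:
            chars.append(chr(ip_id))
    return "".join(chars) if len(chars) >= min_hits else ""

# Constructed capture: assumed-benign pings mixed with the writeup's pattern.
SAMPLE = [
    build_echo(0x3C41, 0x1A2B),               # assumed benign: non-zero ICMP id
    build_echo(ord("T"), 0),
    build_echo(0x3C42, 0x1A2B, icmp_type=0),  # echo reply, ignored
    build_echo(ord("E"), 0),
    build_echo(54321, 0),                     # ICMP id 0 but IP ID not ASCII
    b"\x45\x00",                              # truncated frame, skipped
    build_echo(ord("S"), 0),
    build_echo(ord("T"), 0),
]

if __name__ == "__main__":
    print(find_covert_text(SAMPLE) or "no covert pattern")
```
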

NDH CTF 2015 - Updator Writeup

NDH 2015 Updator Writeup
Point = 200
Category = Exploit

Unhackable : “Not hackable; that cannot be hacked or broken into.” We manage updates and thus have fixes, this is not a PS3 as it is unhackable … or is it? Score 200 Link http://updator.challs.nuitduhack.com/

Opening the URL gives us a login page and an update button. Pressing the update button shows a notification:

The update managing system is still under construction but will be available soon.

We noticed it’s a Python script, update.py. Attempting to load update.pyc let us download the file. I instantly tried to decompile the code with uncompyle2 as:

Backdoor CTF 2015 - TEAM Writeup

Backdoor 2015 TEAM Writeup
Point = 600
Category = Exploit

There is a weird kind of authentication service running: nc hack.bckdr.in 8004. The binary can be found here. The vampire says that there is no need for bruteforce.

$ file team
team: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=3fb6836dc9249bd1e7c33e023d563ff429d7dca4, stripped
$ checksec.sh --file team
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   team

OK, looking into the binary in IDA shows us that two functions, 0x08048769 and 0x080486ad, are important to us. The first one can be seen below:

Backdoor CTF 2015 - FORGOT Writeup

Backdoor 2015 FORGOT Writeup
Point = 200
Category = Exploit

Fawkes has been playing around with Finite State Automaton lately. While exploring the concept of implementing regular expressions using FSA he thought of implementing an email-address validator.
Recently, Lua started to annoy Fawkes. To this, Fawkes, challenged Lua to a battle of wits. Fawkes promised to reward Lua, only if she manages to transition to a non-reachable state in the FSA he implemented. The replication can be accessed here.

$ file forgot
forgot: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=35930a2d9b048236694e9611073b759e1c88b8c4, stripped
$ ./forgot 
What is your name?
> AAAAAAAAA

Hi AAAAAAAAA


                        Finite-State Automaton

I have implemented a robust FSA to validate email addresses
Throw a string at me and I will let you know if it is a valid email address

                                Cheers!

I should give you a pointer perhaps. Here: 8048654

Enter the string to be validate
> AAAAAAAAAAAAAAAAAA
Dude, you seriously think this is going to work. Where are the fancy @ and [dot], huh?

Without losing time, opening the binary in IDA shows us several functions, but the main function for this functionality is 0x08047AA. Let's see the pseudo-code:

Backdoor CTF 2015 - CONCEALED Writeup

Backdoor 2015 CONCEALED Writeup
Point = 150
Category = Exploit

All paths have been concealed. Get the hidden flag: nc hack.bckdr.in 8005. Submit sha-256 of the flag

$ nc hack.bckdr.in 8005
######################################
####           CONCEAL            ####
######################################

Welcome to CONCEAL
You have access to object named sandboxed and its functions 
Rest everything is sandboxed, don't be a jerk and break something
Wrap your code in a function and return what you want as output
Flag is hidden somewhere in the code. 
Get the flag :D!

home@jail:$ 

First of all, as the banner says, we should wrap all of our payload in a function, like:

Backdoor CTF 2015 - ECHO Writeup

Backdoor 2015 ECHO Writeup
Point = 100
Category = Binary

Little Suzie started learning C. She created a simple program that echo’s back whatever you input. Here is the binary file. The vampire came across this service on the internet. nc hack.bckdr.in 8002. Reports say he found a flag. See if you can get it.

$ file echo
echo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=15ec07e5664a13e94069c818141cc9f70591d0f0, not stripped

As it seems, we have a 32-bit binary acting as an ECHO server. The output confirms this:

$ nc hack.bckdr.in 8002
GeeksSpeak
ECHO: GeeksSpeak

Opening the binary in IDA shows us that the main function calls test(), as we can see in the pseudo-code below:

Backdoor CTF 2015 - Medusa Writeup

Backdoor2015 Medusa Writeup
Point = 100
Category = Web
Description :

The html page you create will be visited by the backdoor admin with the flag. You can enter a fake flag to simulate the challenge.

Get the flag at http://hack.bckdr.in/MEDUSA/

After we open the link provided in the description, we are welcomed with a form. You can send a message with HTML code, and after that the admin will visit your page with the flag.