convert HV2017 event

shiltemann · May 20, 2023 · e022df9 · e022df9
1 parent 0df1984
commit e022df9
Show file tree

Hide file tree

Showing 30 changed files with 1,988 additions and 0 deletions.
diff --git a/website/writeups/Hackvent_2017/00-hidden-ball-1.md b/website/writeups/Hackvent_2017/00-hidden-ball-1.md
@@ -0,0 +1,45 @@
+---
+layout: writeup
+title: 'Hidden ball 1:'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-4llw-aysL-00ki-nTh3-H34d
+
+---
+## Solution
+
+Challenges are accessed by url like
+`https://hackvent.hacking-lab.com/challenge.php?day=2`
+
+Let's see what happens when we try to skip ahead to Christmas `?day=25`
+
+We get:
+
+    The resource (#1959) you are trying to access, is not (yet) for your eyes.
+
+ok, weird, what about `?day=26`
+
+    The resource (#1958) you are trying to access, is not (yet) for your eyes.
+
+day and resource number seem to add up to 1984 every time, so let's see
+what happens when we fill in `?day=1984`
+
+    The resource you are trying to access, is hidden in the header.
+
+whoo! let's check the headers:
+
+    HTTP/1.1 200 OK
+    Date: Sat, 02 Dec 2017 21:14:21 GMT
+    Server: Merry Christmas & Hacky New Year
+    Strict-Transport-Security: max-age=15768000
+    Flag: HV17-4llw-aysL-00ki-nTh3-H34d
+    Keep-Alive: timeout=5, max=99
+    Connection: Keep-Alive
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+
+There is our flag!
+
diff --git a/website/writeups/Hackvent_2017/01-hidden-ball-2.md b/website/writeups/Hackvent_2017/01-hidden-ball-2.md
@@ -0,0 +1,12 @@
+---
+layout: writeup
+title: 'Hidden ball 2:'
+level: 
+difficulty: 
+points: 
+categories: []
+tags: []
+flag: 
+---
+## Solution
+
diff --git a/website/writeups/Hackvent_2017/02-hidden-ball-3.md b/website/writeups/Hackvent_2017/02-hidden-ball-3.md
@@ -0,0 +1,36 @@
+---
+layout: writeup
+title: 'Hidden ball 3:'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-bz7q-zrfD-XnGz-fQos-wr2A
+
+---
+## Solution
+
+we check `robots.txt` and see the following message: `We are people, not
+machines`
+
+so then we check `people.txt`: `What's about akronyms?`
+
+so then we check `humans.txt` and see:
+
+    All credits go to the following incredibly awesome HUMANS (in alphabetic order):
+    avarx
+    DanMcFly
+    HaRdLoCk
+    inik
+    Lukasz
+    M.
+    Morpheuz
+    MuffinX
+    PS
+    pyth0n33
+
+    HV17-bz7q-zrfD-XnGz-fQos-wr2A
+
+whoo, theres a flag!
+
diff --git a/website/writeups/Hackvent_2017/03-hidden-ball-4.md b/website/writeups/Hackvent_2017/03-hidden-ball-4.md
@@ -0,0 +1,18 @@
+---
+layout: writeup
+title: 'Hidden ball 4:'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HE17-W3ll-T00E-arly-forT-his!
+
+---
+## Solution
+
+This one was hiding in the css folder `/css/egg.png`, it's an egg from
+Hacky Easter!
+
+![](writeupfiles/egg.png)
+
diff --git a/website/writeups/Hackvent_2017/04-hidden-ball-5.md b/website/writeups/Hackvent_2017/04-hidden-ball-5.md
@@ -0,0 +1,54 @@
+---
+layout: writeup
+title: 'Hidden ball 5:'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-UH4X-PPLE-ANND-IH4X-T1ME
+
+---
+
+## Solution
+
+we scan the challenge server for open ports
+
+    $ nmap challenges.hackvent.hacking-lab.com
+
+    Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-06 22:59 CET
+    Nmap scan report for challenges.hackvent.hacking-lab.com (80.74.140.188)
+    Host is up (0.56s latency).
+    rDNS record for 80.74.140.188: urb80-74-140-188.ch-meta.net
+    Not shown: 996 filtered ports
+    PORT    STATE  SERVICE
+    22/tcp  open   ssh
+    23/tcp  open   telnet
+    80/tcp  closed http
+    443/tcp closed https
+
+    Nmap done: 1 IP address (1 host up) scanned in 67.94 seconds
+{: .language-bash}
+
+so, there's a telnet service running, we connect, and are greeted by
+Santa:
+
+    $ telnet challenges.hackvent.hacking-lab.com
+
+    __.----.
+                  _.'        '-.
+                 /    _____     '-.
+                /_.-""     ""-._   \                 HO, HO, HO...
+               ."   _......._   ".  \
+               ; .-' _ ))) _ '-. ;   |
+               '/  ." _   _ ".  \'.  /
+               _|  .-.^ ) ^.-.  |_ \/-.
+               \ '"==-.(_).-=="' //    \
+                '.____.-^-.____.' \    /
+                 |    ( - )   |   '--'
+                  \           /
+          _________\_________/_______________________________________________
+{: .language-bash}
+
+He keeps talking for a minute, and then gives us the flag
+
diff --git a/website/writeups/Hackvent_2017/05-dec-1-5th-anniversary.md b/website/writeups/Hackvent_2017/05-dec-1-5th-anniversary.md
@@ -0,0 +1,31 @@
+---
+layout: writeup
+title: 'Dec 1: 5th Anniversary'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-5YRS-4evr-IJHy-oXP1-c6Lw
+
+---
+
+## Challenge
+
+
+*time to have a look back*
+
+
+![](writeupfiles/HV17-hv16-hv15-hv14.svg)
+
+## Solution
+
+Looks like we need the solutions from previous years, good thing I kept
+writeups
+
+    2014: HV14-BAAJ-6ZtK-IJHy-bABB-YoMw
+    2015: HV15-Tz9K-4JIJ-EowK-oXP1-NUYL
+    2016: HV16-t8Kd-38aY-QxL5-bn4K-c6Lw
+
+Putting the fragments together gives our nugget
+
diff --git a/website/writeups/Hackvent_2017/06-dec-2-wishlist.md b/website/writeups/Hackvent_2017/06-dec-2-wishlist.md
@@ -0,0 +1,35 @@
+---
+layout: writeup
+title: 'Dec 2: Wishlist'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-Th3F-1fth-Pow3-r0f2-is32
+
+---
+
+## Challenge
+
+*The fifth power of two*
+
+Something happened to my wishlist, please help me.
+
+[Get the Wishlist](writeupfiles/Wishlist.txt)
+
+## Solution
+
+This is clearly base-64 encoded, we decode, and still looks base64
+encoded. Taking the hint
+into account, we decode 32 times:
+
+    $ cat Wishlist.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d |
+    base64 -d | base64 -d  | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d |
+    base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d |
+    base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d |
+    base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d
+
+    HV17-Th3F-1fth-Pow3-r0f2-is32%
+{: .language-bash}
+
diff --git a/website/writeups/Hackvent_2017/07-dec-3-strange-logcat-entry.md b/website/writeups/Hackvent_2017/07-dec-3-strange-logcat-entry.md
@@ -0,0 +1,70 @@
+---
+layout: writeup
+title: 'Dec 3: Strange Logcat Entry'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-th1s-isol-dsch-00lm-agic
+
+---
+
+## Challenge
+
+*Lost in messages*
+
+
+I found those strange entries in my Android logcat, but I don't know
+what it's all about... I just want to read my messages!
+
+[Get the logcat](writeupfiles/logcat.txt)
+
+## Solution
+
+This is a long logcat file, but we notice that only two lines have raw
+tabs,
+suggesting they were manually added for the challenge:
+
+![](writeupfiles/logcat1.jpg)
+
+![](writeupfiles/logcat2.jpg)
+
+which are the following lines:
+
+    11-13 20:40:13.542	 137   137 I DEBUG	 : 			FAILED TO SEND RAW PDU MESSAGE
+
+    [..]
+
+    11-13 20:40:24.044	137	  137  DEBUG: I 07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931
+
+This seems to be a raw SMS format, which we can decoded here:
+
+https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/
+
+or using a python script:
+
+    $ pip install python-gsmmodem
+{: .language-bash}
+
+    import gsmmodem
+    import json
+
+    PDU='07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931'
+
+    decoded = gsmmodem.pdu.decodeSmsPdu(PDU)
+    print json.dumps(decoded, indent=4)
+{: .language-python}
+
+    {
+        "reference": 0,
+        "protocol_id": 0,
+        "text": "Good Job! Now take the Flag: HV17-th1s-isol-dsch-00lm-agic",
+        "smsc": "+44000000000",
+        "number": "+13371337133",
+        "type": "SMS-SUBMIT",
+        "tpdu_length": 64
+    }
+
+So the flag is in the SMS!
+
diff --git a/website/writeups/Hackvent_2017/08-dec-4-hohoho.md b/website/writeups/Hackvent_2017/08-dec-4-hohoho.md
@@ -0,0 +1,40 @@
+---
+layout: writeup
+title: 'Dec 4: HoHoHo'
+level:
+difficulty:
+points:
+categories: []
+tags: []
+flag: HV17-RP7W-DU6t-Z3qA-jwBz-jItj
+
+---
+*hint*
+
+## Challenge
+
+Santa has hidden something for you
+[here](writeupfiles/HoHoHo_medium.pdf)
+
+## Solution
+
+It's a pdf file, opening in okular popped up that ther was an embedded
+font file, named [DroidSans-HACKvent.sfd](DroidSans-HACKvent.sfd) ..with
+hackvent in the name, that's got to be hiding our flag!
+
+We used [fontforge][1] to extract the font from the pdf file and view
+it:
+
+![](writeupfiles/dec4-fontforge-before.png)
+
+hmm, we don't see any characters in the boxes, so we select `view->fit
+to bounding box`:
+
+![](writeupfiles/dec4-fontforge.png)
+
+And there is our flag! ..looks like the characters were just tiny and
+being selectively enlarged in the pdf to create the visible text.
+
+
+
+[1]: https://fontforge.github.io/overview.html