Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent 0df1984, commit e022df9
Showing 30 changed files with 1,988 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
--- | ||
layout: writeup | ||
title: 'Hidden ball 1:' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-4llw-aysL-00ki-nTh3-H34d | ||
|
||
--- | ||
## Solution | ||
|
||
Challenges are accessed by url like | ||
`https://hackvent.hacking-lab.com/challenge.php?day=2` | ||
|
||
Let's see what happens when we try to skip ahead to Christmas `?day=25` | ||
|
||
We get: | ||
|
||
The resource (#1959) you are trying to access, is not (yet) for your eyes. | ||
|
||
ok, weird, what about `?day=26` | ||
|
||
The resource (#1958) you are trying to access, is not (yet) for your eyes. | ||
|
||
day and resource number seem to add up to 1984 every time, so let's see | ||
what happens when we fill in `?day=1984` | ||
|
||
The resource you are trying to access, is hidden in the header. | ||
|
||
whoo! let's check the headers: | ||
|
||
HTTP/1.1 200 OK | ||
Date: Sat, 02 Dec 2017 21:14:21 GMT | ||
Server: Merry Christmas & Hacky New Year | ||
Strict-Transport-Security: max-age=15768000 | ||
Flag: HV17-4llw-aysL-00ki-nTh3-H34d | ||
Keep-Alive: timeout=5, max=99 | ||
Connection: Keep-Alive | ||
Transfer-Encoding: chunked | ||
Content-Type: text/html; charset=UTF-8 | ||
|
||
There is our flag! | ||
|
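Review bot: The step from the two error messages to `?day=1984` needs its arithmetic shown, at "day and resource number seem to add up to 1984 every time": 25 + 1959 and 26 + 1958 both give 1984, so the resource number is 1984 minus the `day` parameter, which is why `day=1984` is the interesting value. "let's check the headers" also does not say how they were read; name the tool (browser developer tools or a header-only request), since the `Flag:` response header is the whole finding. In the front matter, the title `'Hidden ball 1:'` ends in a colon with nothing after it, and `level`, `difficulty` and `points` are empty.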
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
--- | ||
layout: writeup | ||
title: 'Hidden ball 2:' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: | ||
--- | ||
## Solution | ||
|
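Review bot: This file is an empty placeholder: `flag:` has no value and nothing follows `## Solution`. Either leave it out of the commit until the challenge is solved, or add one line under `## Solution` saying the ball was not found, so the rendered page does not look broken. The title `'Hidden ball 2:'` has the same trailing colon as the other hidden-ball files.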
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
--- | ||
layout: writeup | ||
title: 'Hidden ball 3:' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-bz7q-zrfD-XnGz-fQos-wr2A | ||
|
||
--- | ||
## Solution | ||
|
||
we check `robots.txt` and see the following message: `We are people, not | ||
machines` | ||
|
||
so then we check `people.txt`: `What's about akronyms?` | ||
|
||
so then we check `humans.txt` and see: | ||
|
||
All credits go to the following incredibly awesome HUMANS (in alphabetic order): | ||
avarx | ||
DanMcFly | ||
HaRdLoCk | ||
inik | ||
Lukasz | ||
M. | ||
Morpheuz | ||
MuffinX | ||
PS | ||
pyth0n33 | ||
|
||
HV17-bz7q-zrfD-XnGz-fQos-wr2A | ||
|
||
whoo, theres a flag! | ||
|
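Review bot: The jump from `people.txt` to `humans.txt` is not explained: the text goes from the hint `What's about akronyms?` straight to "so then we check `humans.txt`" without saying how the hint led there. Add one sentence with the reasoning, because that inference is the only non-obvious step in this write-up. Minor: "theres" in the last line should be "there's", and `level`, `difficulty` and `points` are empty.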
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
--- | ||
layout: writeup | ||
title: 'Hidden ball 4:' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HE17-W3ll-T00E-arly-forT-his! | ||
|
||
--- | ||
## Solution | ||
|
||
This one was hiding in the css folder `/css/egg.png`, it's an egg from | ||
Hacky Easter! | ||
|
||
![](writeupfiles/egg.png) | ||
|
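Review bot: "This one was hiding in the css folder" does not say how `/css/egg.png` was found (a directory listing, a reference in a stylesheet, or a guess), and that discovery step is the only technique here; add it. The flag `HE17-W3ll-T00E-arly-forT-his!` appears only in the front matter, so the body should also say how it was read out of the egg image.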
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
--- | ||
layout: writeup | ||
title: 'Hidden ball 5:' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-UH4X-PPLE-ANND-IH4X-T1ME | ||
|
||
--- | ||
|
||
## Solution | ||
|
||
we scan the challenge server for open ports | ||
|
||
$ nmap challenges.hackvent.hacking-lab.com | ||
|
||
Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-06 22:59 CET | ||
Nmap scan report for challenges.hackvent.hacking-lab.com (80.74.140.188) | ||
Host is up (0.56s latency). | ||
rDNS record for 80.74.140.188: urb80-74-140-188.ch-meta.net | ||
Not shown: 996 filtered ports | ||
PORT STATE SERVICE | ||
22/tcp open ssh | ||
23/tcp open telnet | ||
80/tcp closed http | ||
443/tcp closed https | ||
|
||
Nmap done: 1 IP address (1 host up) scanned in 67.94 seconds | ||
{: .language-bash} | ||
|
||
so, there's a telnet service running, we connect, and are greeted by | ||
Santa: | ||
|
||
$ telnet challenges.hackvent.hacking-lab.com | ||
|
||
__.----. | ||
_.' '-. | ||
/ _____ '-. | ||
/_.-"" ""-._ \ HO, HO, HO... | ||
." _......._ ". \ | ||
; .-' _ ))) _ '-. ; | | ||
'/ ." _ _ ". \'. / | ||
_| .-.^ ) ^.-. |_ \/-. | ||
\ '"==-.(_).-=="' // \ | ||
'.____.-^-.____.' \ / | ||
| ( - ) | '--' | ||
\ / | ||
_________\_________/_______________________________________________ | ||
{: .language-bash} | ||
|
||
He keeps talking for a minute, and then gives us the flag | ||
|
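Review bot: The write-up stops at "He keeps talking for a minute, and then gives us the flag" without showing that output, so the flag `HV17-UH4X-PPLE-ANND-IH4X-T1ME` is only in the front matter; include the final lines of the telnet session. `{: .language-bash}` is attached to the nmap report and to the ASCII art, which are program output rather than bash. It is also worth stating that this was a default nmap scan ("Not shown: 996 filtered ports" plus the four listed), so only the default port set was covered.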
website/writeups/Hackvent_2017/05-dec-1-5th-anniversary.md (31 changes: 31 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
--- | ||
layout: writeup | ||
title: 'Dec 1: 5th Anniversary' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-5YRS-4evr-IJHy-oXP1-c6Lw | ||
|
||
--- | ||
|
||
## Challenge | ||
|
||
|
||
*time to have a look back* | ||
|
||
|
||
![](writeupfiles/HV17-hv16-hv15-hv14.svg) | ||
|
||
## Solution | ||
|
||
Looks like we need the solutions from previous years, good thing I kept | ||
writeups | ||
|
||
2014: HV14-BAAJ-6ZtK-IJHy-bABB-YoMw | ||
2015: HV15-Tz9K-4JIJ-EowK-oXP1-NUYL | ||
2016: HV16-t8Kd-38aY-QxL5-bn4K-c6Lw | ||
|
||
Putting the fragments together gives our nugget | ||
|
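Review bot: "Putting the fragments together gives our nugget" skips the actual assembly. From the three flags listed, `IJHy` is the fourth block of the 2014 flag, `oXP1` the fifth block of the 2015 flag and `c6Lw` the sixth block of the 2016 flag; say that explicitly. Also say where the leading `HV17-5YRS-4evr` part comes from, since it is in none of the old flags and the challenge image is the only other input shown.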
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
--- | ||
layout: writeup | ||
title: 'Dec 2: Wishlist' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-Th3F-1fth-Pow3-r0f2-is32 | ||
|
||
--- | ||
|
||
## Challenge | ||
|
||
*The fifth power of two* | ||
|
||
Something happened to my wishlist, please help me. | ||
|
||
[Get the Wishlist](writeupfiles/Wishlist.txt) | ||
|
||
## Solution | ||
|
||
This is clearly base-64 encoded, we decode, and still looks base64 | ||
encoded. Taking the hint | ||
into account, we decode 32 times: | ||
|
||
$ cat Wishlist.txt | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | | ||
base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | | ||
base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | | ||
base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | | ||
base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | ||
|
||
HV17-Th3F-1fth-Pow3-r0f2-is32% | ||
{: .language-bash} | ||
|
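Review bot: The 32 hand-typed `base64 -d` stages are hard to verify by eye; a loop makes the count explicit and ties it to the hint, for example `f=$(cat Wishlist.txt); for i in $(seq 32); do f=$(printf '%s' "$f" | base64 -d); done; echo "$f"`. The trailing `%` in the output line `HV17-Th3F-1fth-Pow3-r0f2-is32%` is not part of the flag given in the front matter; it looks like the shell's missing-newline marker and should be dropped or explained. "still looks base64 encoded" would also benefit from one sentence connecting "the fifth power of two" to the number 32.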
website/writeups/Hackvent_2017/07-dec-3-strange-logcat-entry.md (70 changes: 70 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
--- | ||
layout: writeup | ||
title: 'Dec 3: Strange Logcat Entry' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-th1s-isol-dsch-00lm-agic | ||
|
||
--- | ||
|
||
## Challenge | ||
|
||
*Lost in messages* | ||
|
||
|
||
I found those strange entries in my Android logcat, but I don't know | ||
what it's all about... I just want to read my messages! | ||
|
||
[Get the logcat](writeupfiles/logcat.txt) | ||
|
||
## Solution | ||
|
||
This is a long logcat file, but we notice that only two lines have raw | ||
tabs, | ||
suggesting they were manually added for the challenge: | ||
|
||
![](writeupfiles/logcat1.jpg) | ||
|
||
![](writeupfiles/logcat2.jpg) | ||
|
||
which are the following lines: | ||
|
||
11-13 20:40:13.542 137 137 I DEBUG : FAILED TO SEND RAW PDU MESSAGE | ||
|
||
[..] | ||
|
||
11-13 20:40:24.044 137 137 DEBUG: I 07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931 | ||
|
||
This seems to be a raw SMS format, which we can decoded here: | ||
|
||
https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/ | ||
|
||
or using a python script: | ||
|
||
$ pip install python-gsmmodem | ||
{: .language-bash} | ||
|
||
import gsmmodem | ||
import json | ||
|
||
PDU='07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931' | ||
|
||
decoded = gsmmodem.pdu.decodeSmsPdu(PDU) | ||
print json.dumps(decoded, indent=4) | ||
{: .language-python} | ||
|
||
{ | ||
"reference": 0, | ||
"protocol_id": 0, | ||
"text": "Good Job! Now take the Flag: HV17-th1s-isol-dsch-00lm-agic", | ||
"smsc": "+44000000000", | ||
"number": "+13371337133", | ||
"type": "SMS-SUBMIT", | ||
"tpdu_length": 64 | ||
} | ||
|
||
So the flag is in the SMS! | ||
|
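Review bot: `print json.dumps(decoded, indent=4)` is a Python 2 print statement and is a syntax error on Python 3; write `print(json.dumps(decoded, indent=4))` or state the interpreter version next to the `pip install python-gsmmodem` line. "which we can decoded here" should read "which we can decode here". Since the write-up offers both routes, it is worth one sentence that pasting a PDU into an online decoder hands the message text and both phone numbers to a third party, so the local script is the better habit for anything other than challenge data.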
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
--- | ||
layout: writeup | ||
title: 'Dec 4: HoHoHo' | ||
level: | ||
difficulty: | ||
points: | ||
categories: [] | ||
tags: [] | ||
flag: HV17-RP7W-DU6t-Z3qA-jwBz-jItj | ||
|
||
--- | ||
*hint* | ||
|
||
## Challenge | ||
|
||
Santa has hidden something for you | ||
[here](writeupfiles/HoHoHo_medium.pdf) | ||
|
||
## Solution | ||
|
||
It's a pdf file, opening in okular popped up that ther was an embedded | ||
font file, named [DroidSans-HACKvent.sfd](DroidSans-HACKvent.sfd) ..with | ||
hackvent in the name, that's got to be hiding our flag! | ||
|
||
We used [fontforge][1] to extract the font from the pdf file and view | ||
it: | ||
|
||
![](writeupfiles/dec4-fontforge-before.png) | ||
|
||
hmm, we don't see any characters in the boxes, so we select `view->fit | ||
to bounding box`: | ||
|
||
![](writeupfiles/dec4-fontforge.png) | ||
|
||
And there is our flag! ..looks like the characters were just tiny and | ||
being selectively enlarged in the pdf to create the visible text. | ||
|
||
|
||
|
||
[1]: https://fontforge.github.io/overview.html |
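Review bot: The `*hint*` line directly after the front matter is a leftover template placeholder; remove it or fill it in. The link `[DroidSans-HACKvent.sfd](DroidSans-HACKvent.sfd)` has no `writeupfiles/` prefix, unlike the PDF and the screenshots in the same file, so check that it resolves. "ther" should be "there", and in the body the flag `HV17-RP7W-DU6t-Z3qA-jwBz-jItj` is visible only inside the second screenshot; add it as text under `## Solution`.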