Monday 30 September 2013

Facebook CTF - ACCESS LEVEL 1 WriteUP

Facebook CTF 2013 - NcN 2013

There where only 3 access levels - web, android apk, and Linux executable. All where reverse engineering only.

Access Level - 1


Whatever input 'key' is given you get a alert saying 'Invalid password!'.

Tools -> browser with JavaScript console. I used Google Chrome :p

Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">

So onsubmit a "encrypt" function is called. So using the browser JavaScript console lets take a look at the script running behind.

 function encrypt(form)
 {
var res;
res=numerical_value(form.password.value);
res=res*(3+1+3+3+7);
res=res>>>6;
res=res/4;
res=res^4153;
if(res!=0)
{
alert('Invalid password!');
}
else
{
alert('Correct password :)');
}
form.key.value=numerical_value(form.password.value);
form.verification.value="yes"+simpleHash(form.password.value);
 return true;
 }

That's it. our work is simple - just to make the condition inside IF as FALSE. That can be achieved by making the var res = 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it.
- Before if we have XOR. so res should be equal to 4153 to make res=0
- res * 4 [ 4153*4 = 16612]
- >>> right shift so we have 16612 = X>>>6.
  16612 - 100000011100100
  we have no idea about the lost rightmost 6 bits. Taking it to 0's lets proceed.
  100000011100100+000000 -  1063168 But it can vary with +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
-  now a weird function numerical_value

 function numerical_value(str)
 {
var i,a=0,b;
for(i=0;i<str.length;++i)
{
b=ascii_one(str.charAt(i));
a+=b*(i+1);
}
 return a;
 }

observe one more function ascii_one

function ascii_one(foo)
{
foo=foo.charAt(0);
var i;
for(i=0;i<256;++i)
{
var hex_i=i.toString(16);
if(hex_i.length==1)
hex_i="0"+hex_i;
hex_i="%"+hex_i;
hex_i=unescape(hex_i);
if(hex_i==foo)
break
}

But here no need to analyse. Just manual brute force of the var str; to get a appx value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";

start with random number of a's then modify here and there with the logic of starting strings have less weight-age and ending char's have the most!

so for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.

After submiting the key -

Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

*** Note this was easy because without knowing much of JavaScript i could solve it.
-> And a rough screenshot of manual brute force. So you can get a rough idea -
Please download OR open the image for clear view :D :D

-> Any one solved it in a much simpler way please comment your way for solving problem.
-> Suggestions/Comments are most welcomed !!! :)


Thanks for reading through

Happy hacking! Happy coding!!

Monday 17 June 2013

Defcon 2013 3dub - 1, 2 and 4. Web WriteUp

DefCon 2013 3dub - Web based challenges.

This is the first time 'm writing Wiriteup for any ctf [practice].  So please bare with it :D

3dub - 1

What ever name to enter in the username field will be accepted and you be logged in with that name.
After logging in you will get a message that LOGIN as admin.

but if give "admin" in the username field , You will get a message saying admin login disabled.

But for every login with different usernames the cookies where changing.

Observation -->
username  cookie 

a - 09
b - 0a
ab - 09ce
ba - 0acd
abc - 09cd29
aaaaaa - 09cd2994af
its just a hex based addition with the base "aaaaa". But no need to do the hex addition also.
get cookie for 
admi - 09c8259c
aaaan- 09cd2994a0

=> admin - 09c8259ca0

save cookie and refresh, you get the key.
the key is The key is: who wants oatmeal raisin anyways twumpAdby

Easiest challenge in DefCon 2013.

3dub - 2

Login page.

Obviously tried SQL injection first. WORKED!
but i could login as root but no use because no key.

Tried analysis the GET and POST requests in ZAP.
X-SQL : SELECT name FROM users WHERE name ='   ' and pasword='   ' limit 1;

waste time crafting requests wrt to MySQL.
I could login as root and anynumber from 0 yo +Inf :D

Afterwards i found it was SQLite. The done -

  • asd'OR'1'='1' UNION SELECT name FROM sqlite_master WHERE type = "table"--I logged in as keys.
  • asd'OR'1'='1' UNION SELECT name FROM keys --
got the key-
logged in as The key is: literally online lolling on line WucGesJi

3dub - 4

Was a easy one but wasted more than 6 hours in this still managed NOT to get the key. Like a BOSS XD

File name and the access code..
it opened for usernmaes.txt with accesscode - 60635c6862d44e8ac17dc5e144c66539.
But no access fro passwords.txt with the same accesscode.

Found that accesscode=md5(filename)

Opened the passwords.txt i was shocked to see everything was SHA-512/SALT hashing.
Thought i would move on to next one than decrypting these passwords.
But that would be lame to hash to that extent. That was a distraction. :p

Time to brute force the filename. Found
key.txt with accesscode - 65c2a527098e1f7747eec58e1925b453

Content of key.txt-
2GXuC0wS4O1MI8OpuoV1NkjsMM6zkzLpcQfOpMKniiogUoCS3yhTyZbm8a9BCEgHdl19bWEMziZiZDbLI+V2dQ==
By looking at the content of key.txt it was base64. Decoded with online base64 deocder. Got invalid ascii code not the key!

content of key.txt was changing with time. Suspected functions - time() and rand().
Major time waste here.

Afterwards i gave the getfile.php which was helping us to opne the file.
getfile.php with accesscode- 0701593e23e676eaba834916a6ac7272.

Contents of getfile.php-

Acces granted to getfile.php!


$value = time();
$filename = $_GET["filename"];
$accesscode = $_GET["accesscode"];
if (md5($filename) == $accesscode){
echo "Acces granted to $filename!

";
srand($value);
if (in_array($filename, array('getfile.php', 'index.html', 'key.txt', 'login.php', 'passwords.txt', 'usernames.txt'))==TRUE){
$data = file_get_contents($filename);
if ($data !== FALSE) {
if ($filename == "key.txt") {
$key = rand();
$cyphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC);
echo base64_encode($cyphertext);
}
else{
echo nl2br($data);
}

}
else{
echo "File does not exist";
}
}
else{
echo "File does not exist";
}

}
else{
echo "Invalid access code";
}
?>

```````````````````````````````````````````````````
***k it! 'm going to sleep. But i dint. Because I have wasted a lot of time on this..
This needed a Brute force. No way for manually doing that.

Brute force script in PHP -
<?php
error_reporting(0); 
for ($key = 0; $key <= getrandmax(); $key++) 
{

$text="5HHOwWMXYH5UxvzIzxqMY3vuwyCJ5BVdzwm5puqduZrsPTxfsFNKXXMlwhZj5W/1o  Sv3ENrCpbIMF9cJQ5Gndg==";

$data=mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($text),           MCRYPT_MODE_CBC);

echo $data;
echo "<br>";
}
?>

Dump of brute force.

Search for the string with starting "the key is".
No match found. No idea WHY?

Waiting for other Writeups from pros to find my mistake.

Any suggestions, please comment.

Update on 18-06-2013-->

With the help of the comment by CĂ©lestin Perdu got to know where i had missed the point.

You can use ZAP or Burp Suite anything. Get the date and time of the response, convert it to linux timestamp.

$ date -d "which you got from the tool" +% s

Use this value as key. And you should get the flag.

Thanks for reading. Suggestion and comments welcomed!

Wednesday 12 June 2013

InCTF'13 [Amrita Cyber Security]


National level Capture the flag contest targeting only for Undergraduate, graduate and post-graduate level students.

This CTF is meant just for learning and getting more good teams from India into world finals in CTF contest.
FYI: CTF means capture the flag.

I would recommend any one interested in computer's to give this CTF a try. They teach you through the process. But yeah! HARD WORK is expected from you. And you should have some programming knowledge. Doesn't matter from which branch/stream of specialisation you are doing. Don't think its meant only for geeks from computer science branch. I'm from Electronics and Communication background still took a respectable position in InCTF'13 --> second position. Even if you are from mechanical background still fascinated about these computer stuff. Then go ahead start off with InCTF.

As i have said earlier InCTF aims more on learning.
This is how InCTF works->

1st round -

  • Purely meant for learning.
  • Designed smartly by the admins/organisers of InCTF, to divide the work between the team members. Everyone can't be good in everything so you got to stick the topics which you choose to take in this round. And become good at it.
  • Topics- Basics of Linux, SQL [ Web Based ], secure programming, Reverse Engineering, Cryptography.
This round is not mandatory but I STRONGLY RECOMMEND to take this round seriously and use it to learn. Because the organisers are ready to help to any time during 1st round.

The tool needed to finish this round successfully is GOOGLE.

2nd round - Jeopardy type.

Qualification round for National level finals i.e main CTF game.

This time they gave us 1 week time duration UNLIKE other CTF's which has 1-2days.
This round is damn interesting because for noobs like US, we need to learn and then use that knowledge to complete the tasks. So utilized this round also for learning.

I saw that many teams where giving up because they had NO CLUE about how to even look at the tasks. Even when we opened the task, we were BLANK. But according to me what you need is just PATIENCE and DETERMINATION. That's all, you can solve 80% of tasks in all categories. What you need is just patience and determination. Any time you can walk into their IRC and query them if you are on your right path for solving a particular task or not.


3rd round - Capture the flag



Time to implement! Time to test what you have learnt!

1st day you will have a mock round, which gives an idea about what to do the next day. Basically aimed at not wasting the time on the contest day. Every minute matters in the finals.

Basically you will have to exploit the different types of services to get the flag.

Your team will be scored/valued on your

  1. Defence - your patching work.
  2. Offence - exploiting other team services and submitting their precious flags :p
  3. Ethical - reporting advisories.
That's all about InCTF.

We participated with the team name r00t. 
Team members-
  • y0g1337h - Yogeesh Seralthan,
  • vn4v1n - Movnavinothan V &
  • x7r0n - Adithya Naresh.
1st round we divided the work and learnt.
2nd round. LANing up is very important. We LANed up in our college hostel [ Amrita School of Engineering ] :p
3rd round. We had awesome fun exploiting services, patching them, and reporting the vulnerabilities.

Thanks for organising such a awesome event -
Arvind S Raj, Seshagiri Prabhu, Bithin Alangot.
They represent the team bi0s. One of the 1337 team in INDIA.

Pic of the trophy we earned in InCTF'13



So what are you waiting for. Form a team and start working. earn the trophy + good cash prize + respect + knowledge + recognition.

http://inctf.in/gallery/inctf13.html

Useful link-


mailto: contact@inctf.in
http://www.inctf.in
Google groups secure-codein@googlegroups.com

Feel free to comment.

Monday 27 May 2013

XSS Testing


Sunday 31 March 2013

MAC address on android, Windows and iOS phones/Tablets

Finding MAC address on android ,Windows and iOS[Apple] phones/Tablets.


Brief Introduction on "MAC address"

A media access control address (MAC address) is a unique identifier assigned to network interfaces for communication on the physical network segment.

MAC address is a hard coded/embedded in your device which cant be changed.|
But there's always a way ;-)
Yeah! It can be SPOOFED!

Any ways this POST is just going to cover "how to find MAC Address". Before knowing how to spoof or how to get others[Victim's] MAC address, we should know what it is. Why is it SO important!

How a MAC address looks like-
It is in the form of six groups of t2o hexadecimal digits, separated by hyphens (-) or colons (:)

Ex- 01-23-45-67-89-ab  or  01:23:34:45:67:89:ab


Let's GET STARTED!

ANDROID -->
Finding MAC address on a Android Phones
1. On your HOME screen, click on MENU, goto SETTINGS.
2. click on  About Phone.
3. Click on Status. 
And VIEW your Wi-Fi MAC address!

View your MAC address under Wi-Fi MAC address.
Or,
1. On your HOME screen, click on MENU, goto SETTINGS.
2. Select
Wireless & network.
3. Select
Wi-Fi Settings.


You will find MAC Address under Advanced section.

Or,
1. On your HOME screen, click on MENU, goto SETTINGS.
2. Select
Wireless & network.
3. Select
Wi-Fi Settings.


You will find MAC Address under Advanced section.

Finding MAC address on an Android Tablet
1. 
On your HOME screen, click on MENU, goto SETTINGS.
2. click on  About Tablet.
3. Click on Status. 

And VIEW your Wi-Fi MAC address!

iOS [ iPad, i pod or iPhone Touch]


Finding MAC address on in iPad, iPhone or iPod Touch-.
1.  Click on Settings.

2.  Select General -> About.
MAC address can be seen in Wi-Fi Address.

Windows Phones

Finding  MAC address  on a windows phone.1. On Start,  flick left to App  list.
2. Tap Setting, then About, then More info.
3. MAC Address  can be seen.

*** I have not added screenshot's! Screen shot's would make the post very big.
***Use this Like a cheat sheet to find MAC Address on Phone's.
*** Any difficulty feel free to leave a comment in the comment section.
***Advises on improving my post is also accepted. 

No 1 is perfect :-)



Happy hacking!
Happy coding :-)


-y0g1337h
Yogeesh Seralathan

Saturday 30 March 2013

25000!!!



My blog reached 25000 views on 27-03-2013...

Thanks for the support folks. I'm a newbie hacker. Trying a learn and share whatever i know.

SHARING is CARING!
-yogeesh seralathan
-y0g1337h

Happy c0d1ng.
Happy h4ck1ng!! :-)

Wednesday 20 February 2013

How to Hack Whatsapp

An theoretical approach to hack whatsapp


Whatapp

Many of my friends were like "Dude u on whatsaap?".

I got that question from many of my friends. So finally decided to download "whatsapp".
Even u guys should try it out, if u haven't tried it yet!

So i have been using this app from past 3 days, and i got value idea about how it works and how it authenticates You as You.

If you people would have observed -

1. You can read all the messages Offline o.O
2. You can access all d profile pictures offline.

But Whatsapp encrypts all d DATA. But guys "hold on". Obviously it can be decrypted or any other way to access all d messages..

"" There's always a way "" :D

Here what 'm going to talk about is not just getting there messages which can be accessed offline.
'll add that with video or screenshot in my next post :p

The method which i thought about when i was writing my "exams in coll 2day" is interesting..
And YA while writing exam.. Lol :D Cant help it ...
That's ME :p

Enough of Stories and background on whatsapp and Myself :p

Lets Get into Tech stuff


Its theoretical because i haven't tried it.
I'll try it and post with video or screenshots s00n :-)

Ohk guys, lets get busy


So if you people have observed you can not have your whatsapp account logged in in two devices. Means session is given to only 1 mac address. If the MAC [ Media Access Control ] address of the device requesting access changes then whatsapp asks you to re-verify your account! 

And common, "whatsapp people" you think Mac address cant be spoofed. But yeah Nice try whatsapp developer's :p

So here d point you will have to get access to the phone to get the victims phone "MAC address + the verifying massage" which is received to verify your device.

Simple you code a app to get the user's MAC address and checking the message from whats app in the victims inbox. Very easy in case of android devices.

As soon the message s received Push the "MAC address" + "Verifying code" to your server or mail it your ID. That depends on your convince.

That's it guys.

Spoof your phone's MAC address to your Victims address and install whatsapp and type the "verify code".

And done guys. You get complete access to the victims whatsapp ID..
where as you can keep spying/watching your victims movements :D
i.e 2 people - U + ur victim are using the same ID from different devices.

But its very LAME to spy on other people's private messages. So try not to.

This article is just an theoretical approach and only for understanding and knowledge purpose.
And 'm not responsible for any thing you do after reading this post :D :p

I have no clue up-to which extent the approach will work.

Any ways Thanks for reading this post.
Hope you people enjoyed it..

I look forward for your comments so that the flaws in method can be found out and rectify because even 'm not a gr8 hacker :p
Even 'm a beginner .

Happy Hacking..
Happy Coding :-)