Intro to Lock Picking
A few weeks ago, I presented "Intro to Lock Picking" at the B-Sides Orlando Security Conference. For those wanting the slides, you can download the slides here.
If you missed the presentation, I will have a video posted in the near future!
ARM Single-Board Computers
In the past year or so, ARM single-board computers have really gained popularity. You've probably already heard of the Raspberry Pi, by far the most popular ARM computer to-date. More Linux distros are coming out with versions supporting the ARM architecture, and even the recent release of Windows RT means we will be seeing a lot more ARM devices in the future. Of course, there are already many devices with ARM processors, such as phones and tablets, but these are able to be used as a desktop, or embedded in a project.
| Raspberry Pi | www.raspberrypi.org |
|---|---|
| Chip | Broadcom BCM2835 |
| CPU | 700 MHz ARM1176JZF |
| ARM Family | ARM11 |
| GPU | Broadcom VideoCore IV |
| RAM | 256/512 MB |
| Size | 86 mm x 54 mm x 18 mm |
| Form Factor | None |
| Power | Micro USB |
| On-board Storage | None |
| External Storage | SD |
| Ethernet | 10/100 Mb |
| WiFi | None |
| Included OS | None |
| A/V Ports | HDMI, 3.5 mm audio, composite video, LCD via DSI, Camera via CSI |
| Notes | |
| APC | apc.io |
|---|---|
| Chip | WonderMedia WM8750 |
| CPU | 800 MHz ARM1176JZF |
| ARM Family | ARM11 |
| GPU | Unknown |
| RAM | 512 MB |
| Size | 170 mm x 85 mm x 35 mm |
| Form Factor | Neo-ITX |
| Power | 9V DC |
| On-board Storage | 2 GB |
| External Storage | Micro SD |
| Ethernet | 10/100 Mb |
| WiFi | None |
| Included OS | Android 2.3 |
| A/V Ports | HDMI, VGA, 3.5 mm audio, 3.5 mm mic |
| Notes | |
| Gooseberry | gooseberry.atspace.co.uk |
|---|---|
| Chip | AllWinner A10 |
| CPU | 1.0 GHz ARM Cortex-A8 |
| ARM Family | ARM Cortex-A |
| GPU | Mali-400 |
| RAM | 512 MB |
| Size | 108 mm x 75 mm x 6 mm |
| Form Factor | None |
| Power | 5V DC |
| On-board Storage | 4 GB |
| External Storage | Micro SD |
| Ethernet | None |
| WiFi | 802.11 b/g/n |
| Included OS | Android 4.0 |
| A/V Ports | Mini HDMI, 3.5 mm audio |
| Notes | |
Of course there are many other boards out there; these are just the ones I've been interested in enough to purchase. It's hard to say whether any one is better than the others; it depends on what you want to do with it.
The GPIO on the Raspberry Pi makes it good for interfacing with other electronics, without needing additional micro-controllers. Think physical devices that can be controlled over a network.
The Gooseberry has the best CPU, WiFi, and more on-board storage, but you need adapters to connect anything to it. It's also tiny and could be awesome as part of a portable device, like a homebrew tablet.
The APC follows a standard form factor and has front panel connectors, making it the most suitable for miniature computer cases (set-top box). It is the largest board out of the three, at about the size of three Raspberry Pis.
I've always liked the idea of using one of these devices as a pentesting drop box; leave it cleverly hidden on a client site to perform vulnerability assessments, log data, and provide a route into the network. Any of these would be perfect for the job.
Happy hacking, let me know what kind of projects you come up with!
HackYou CTF Solutions
I've finally finished posting my solutions for the HackYou CTF!
The CTF ran for 10 days, and was a category-style, hacker capture-the-flag competition.
Here are my solutions: www.hacksonville.com/?cat=26
I only wrote up solutions for the 9 challenges that I've solved. I was unable to solve the other 9 while the competition was running. I switched back and forth between Linux and Windows, so don't worry about some of the screenshots looking different.
I got 195th place, out of 588 people who made it on the scoreboard.
HackYou CTF, Packet200 – Epic Arc Pt. 2
Epic Arc is presented as a 3-part scenario.
In the second part, you need to get the MD5 hash of a transferred file.
Here is the original epicarc200 packet capture.
This packet capture has a bit of FTP traffic.
Interesting things to note here are some of the commands that were issued to the server, and the responses.
Request: CWD /
Response: 250 CWD successful. "/" is current directory.
Request: LIST
Response: FTP Data:
-r--r--r-- 1 ftp ftp 194 Oct 08 16:05 crypto_lvl2.txt.enc
-r--r--r-- 1 ftp ftp 3048 Oct 08 16:37 tcp_serv.beam
Request: SIZE /tcp_serv.beam
Response: 213 3048
Request: MDMT /tcp_serv.beam
Response: 213 20121008123714
Request: RETR /tcp_serv.beam
Important info: name of the file requested (tcp_serv.beam), and the size of the file (3048 bytes).
If you right-click on one of the FTP-DATA packets, you can follow the TCP stream and see the segments put together. The conversation size should match our previously-determined file size of 3048 bytes.
Click the Save As button to export the bytes to a file. Double check the file size if you want to be careful, and take an MD5 hash of the file.
$ md5sum tcp_serv.beam
77f92edb199815b17e2ff8da36e200df tcp_serv.beam
Flag: 77f92edb199815b17e2ff8da36e200df
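The two things worth automating in this step are correlating the control channel with the data channel (the SIZE reply tells you how many bytes the export should contain) and refusing to hash an export whose length does not match. The script below is an added example, not part of the original write-up: the control-channel transcript is constructed to mirror the requests and responses quoted above, and the data blob is a constructed 3048-byte stand-in for the real file, so its MD5 is not the flag.

```python
import hashlib
import re

# Constructed control-channel transcript modelled on the requests and
# responses quoted in the write-up; it is not the real epicarc200 capture.
CONTROL_LOG = """\
Request: CWD /
Response: 250 CWD successful. "/" is current directory.
Request: SIZE /tcp_serv.beam
Response: 213 3048
Request: MDTM /tcp_serv.beam
Response: 213 20121008123714
Request: RETR /tcp_serv.beam
Response: 150 Opening BINARY mode data connection
"""

# Constructed stand-in for the reassembled FTP-DATA stream: exactly 3048 bytes,
# so its length agrees with the SIZE reply above (its MD5 is not the flag).
SAMPLE_DATA = bytes(range(256)) * 11 + bytes(232)

REQUEST_RE = re.compile(r"Request:\s+(\S+)(?:\s+(\S+))?")
SIZE_REPLY_RE = re.compile(r"Response:\s+213\s+(\d+)\s*$")


def parse_control(log):
    """Return (retrieved_path, declared_size) from a control-channel transcript.

    SIZE and MDTM both answer with reply code 213, so a 213 line is only
    read as a byte count when the request immediately before it was SIZE.
    """
    sizes = {}
    retrieved = None
    last_request = None
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            last_request = (m.group(1).upper(), m.group(2))
            if last_request[0] == "RETR":
                retrieved = last_request[1]
            continue
        m = SIZE_REPLY_RE.match(line)
        if m and last_request and last_request[0] == "SIZE":
            sizes[last_request[1]] = int(m.group(1))
    if retrieved is None:
        raise ValueError("transcript contains no RETR request")
    return retrieved, sizes.get(retrieved)


def verify_and_hash(log, data):
    """Confirm the reassembled bytes match the declared SIZE, then MD5 them.

    Returns (size_matches, path, md5_hex). A length mismatch usually means
    the stream was exported with missing or duplicated segments.
    """
    path, size = parse_control(log)
    size_matches = size is not None and len(data) == size
    return size_matches, path, hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    ok, path, digest = verify_and_hash(CONTROL_LOG, SAMPLE_DATA)
    print(f"{path}: size check {'passed' if ok else 'FAILED'}, md5 {digest}")
```

Pairing each 213 reply with the request that preceded it matters because MDTM also answers with 213; reading the timestamp as a size would make the length check fail on a perfectly good export.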
HackYou CTF, Packet100 – Epic Arc Pt. 1
Epic Arc is presented as a 3-part scenario.
In the first part, you need to find the secret link in a conversation.
Here is the original epicarc100 packet capture.
This packet capture shows some HTTP traffic, nothing special going on here. There are a few frames of this capture that are particularly important, though. The first one that contains a message at the end of the packet, and looks like this:
message=some%20shit%20happend%20%20this%20sunday.%20i%20have%20downloaded%20this%20(key-http%3A%2F%2Ftinyurl.com%2F9qj5r4r)&to=%23hacku
some shit happend this sunday. i have downloaded this (key-http://tinyurl.com/9qj5r4r)
The link goes to the same capture file that we were already working with, so we'll keep looking.
message=oh%2C%20sry.%20key%20is%20tinyurl.com%2F8pdox5a&to=%23hacku
oh, sry. key is tinyurl.com/8pdox5a
Flag: tinyurl.com/8pdox5a
Important note:
This URL is for the packet capture needed in the third part of the scenario.
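Decoding the form-encoded chat bodies by hand works for two packets, but a capture with hundreds of POSTs calls for a small decoder. This is an added example, not code from the original write-up: it takes the two POST bodies quoted above, percent-decodes the fields with the standard library, and pulls out anything that looks like a link. The link pattern is an assumption chosen to match both the schemed and the bare tinyurl forms seen in this capture.

```python
import re
from urllib.parse import parse_qs

# The two POST bodies quoted in the write-up.
BODIES = [
    "message=some%20shit%20happend%20%20this%20sunday.%20i%20have%20downloaded%20this%20"
    "(key-http%3A%2F%2Ftinyurl.com%2F9qj5r4r)&to=%23hacku",
    "message=oh%2C%20sry.%20key%20is%20tinyurl.com%2F8pdox5a&to=%23hacku",
]

# Assumed link shape: optional scheme, a dotted host, then a path component.
# It catches both "http://tinyurl.com/x" and the bare "tinyurl.com/x".
LINK_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/[\w/-]+")


def decode_chat_post(body):
    """Decode one form-encoded chat POST into its fields plus any links found."""
    fields = parse_qs(body, keep_blank_values=True)
    message = fields.get("message", [""])[0]
    to = fields.get("to", [""])[0]
    return {"to": to, "message": message, "links": LINK_RE.findall(message)}


def links_in_bodies(bodies):
    """All links across a sequence of POST bodies, in capture order."""
    return [link for body in bodies for link in decode_chat_post(body)["links"]]


if __name__ == "__main__":
    for body in BODIES:
        post = decode_chat_post(body)
        print(f"to={post['to']!r} links={post['links']}")
```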
HackYou CTF, Reverse100 – Open-Source
In this challenge, you're given C source code to reverse engineer. Even without much programming knowledge, you can follow along the steps to solve this one.
Here is the original rev100.c source.
In Linux, compile with gcc and run the program like this:
$ gcc rev100.c -o rev100
$ ./rev100
what?
The first condition makes sure there are 4 elements when the program is called from the command line: the program itself and 3 arguments.
Important note:
We are trying to make each if condition fail to reach the end of the program.
if (argc != 4) {
Pass in your 3 arguments and make your way to the next condition.
$ ./rev100 1 2 3
you are wrong, sorry.
The next condition is taking the first argument as an integer, and comparing it to a hexadecimal value.
unsigned int first = atoi(argv[1]);
if (first != 0xcafe) {
0xCAFE is hexadecimal for 51966. Plug that in as your first argument and go on to the next step.
$ ./rev100 51966 2 3
ha, you won't get it!
The third condition is a bit of math, specifically modulo.
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
What we need is a number that, when divided by 5, does not have a remainder of 3, and when divided by 17, has a remainder of 8. The first number that fits the bill is 25. (25 % 17 == 8 && 25 % 5 != 3)
$ ./rev100 51966 25 3
so close, dude!
The last part is a little tricky at first glance.
if (strcmp("h4cky0u", argv[3])) {
If you look up the strcmp function, you'll see it is a string comparison (typically used for sorting). To make the condition fail, we need the function to return 0. To make it return 0, the 2 strings need to be identical.
$ ./rev100 51966 25 h4cky0u
Brr wrrr grr
Get your key: c0ffee
Flag: c0ffee
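Each of the four checks above is simple enough to solve by inspection, but the same approach scales: port the checks to a scripting language, then search for inputs that satisfy them. This is an added example, not code from the challenge or the write-up. It re-implements the three argument checks in Python, includes an `atoi` stand-in that behaves like C's (leading digits only, otherwise 0), and finds the smallest value for the second argument by brute force over the modulo constraints, which is the general form of the "first number that fits the bill" step.

```python
import re

# C's atoi() skips leading whitespace, accepts an optional sign, reads the
# leading digits and returns 0 when there are none ("0xcafe" reads as 0).
ATOI_RE = re.compile(r"^\s*([+-]?\d+)")


def atoi(s):
    m = ATOI_RE.match(s)
    return int(m.group(1)) if m else 0


def smallest_with_residues(required, forbidden, limit=10_000):
    """Smallest n in [0, limit) with n % m == r for every (m, r) in `required`
    and n % m != r for every (m, r) in `forbidden`."""
    for n in range(limit):
        if all(n % m == r for m, r in required) and all(n % m != r for m, r in forbidden):
            return n
    raise ValueError("no solution below limit")


def passes_rev100(args):
    """Port of the checks shown in the write-up; `args` are argv[1..3]."""
    if len(args) != 3:                      # argc != 4
        return False
    first = atoi(args[0])
    if first != 0xcafe:                     # 51966
        return False
    second = atoi(args[1])
    if second % 5 == 3 or second % 17 != 8:
        return False
    if args[2] != "h4cky0u":                # strcmp(...) == 0
        return False
    return True


def rev100_arguments():
    """Derive the three arguments the same way the write-up does."""
    first = 0xcafe
    second = smallest_with_residues(required=[(17, 8)], forbidden=[(5, 3)])
    return [str(first), str(second), "h4cky0u"]


if __name__ == "__main__":
    args = rev100_arguments()
    print(" ".join(args), "->", "passes" if passes_rev100(args) else "fails")
```

Note that 8 also has remainder 8 modulo 17 but is rejected because 8 % 5 == 3; the search skips it and lands on 25, matching the value found by hand.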
HackYou CTF, Web100 – Pentagon Authentication
This challenge was insanely fun. The challenge is all about JavaScript.
You are first presented with this prompt:
Any incorrect passwords result in the box popping up again. Let's take a look at the source.
var PasswordPrompt = "Enter the password";
var TodaysSecretPassphrase = "Climbing is dangerous";
var QuoteOfTheDay = "the beige hue on the waters of the loch impressed all, including the zapped french queen, before she heard that symphony again, as kind young arthur wanted. keen oxygen vendor.";
do {
  var SuppliedPassword = prompt(PasswordPrompt);
  if (SuppliedPassword === null) {
    break;
  }
  if (SuppliedPassword.length == 12) {
    PasswordIsCorrect = true;
  }
  if (! IsNumber(SuppliedPassword.charAt(0))) {
    PasswordIsCorrect = false;
  }
  if (! IsNumber(SuppliedPassword.charAt(10)) || ! IsNumber(SuppliedPassword.charAt(1))) {
    PasswordIsCorrect = false;
  }
  if (! IsNumber(SuppliedPassword.charAt(6)) || ! IsNumber(SuppliedPassword.charAt(2))) {
    PasswordIsCorrect = false;
  }
  if (Number(SuppliedPassword.charAt(0)) + Number(SuppliedPassword.charAt(1)) + Number(SuppliedPassword.charAt(2)) + Number(SuppliedPassword.charAt(6)) + Number(SuppliedPassword.charAt(10)) != SuppliedPassword.length) {
    PasswordIsCorrect = false;
  }
  if (SuppliedPassword.charAt(7) != PasswordPrompt.charAt(PasswordPrompt.length - 1)) {
    PasswordIsCorrect = false;
  }
  if (SuppliedPassword.charCodeAt(7) != SuppliedPassword.charCodeAt(8) - Number(SuppliedPassword.charAt(0)) / Number(SuppliedPassword.charAt(0))) {
    PasswordIsCorrect = false;
  }
  if (Number(SuppliedPassword.charAt(2)) != Number(SuppliedPassword.charAt(6)) || Number(SuppliedPassword.charAt(6)) != Number(SuppliedPassword.charAt(1))) {
    PasswordIsCorrect = false;
  }
  if (Number(SuppliedPassword.charAt(1)) * Number(SuppliedPassword.charAt(10)) != 0) {
    PasswordIsCorrect = false;
  }
  if (Number(SuppliedPassword.charAt(1)) - Number(SuppliedPassword.charAt(10)) != SuppliedPassword.charAt(3).length) {
    PasswordIsCorrect = false;
  }
  if (Number(SuppliedPassword.charAt(1)) - Number(SuppliedPassword.charAt(10)) != SuppliedPassword.charAt(3).length) {
    PasswordIsCorrect = false;
  }
  if (SuppliedPassword.charAt(11) + SuppliedPassword.charAt(3) + SuppliedPassword.charAt(4) != TodaysSecretPassphrase.substr(Number(SuppliedPassword.charAt(0)) / 2, 3)) {
    PasswordIsCorrect = false;
  }
  if (! IsLowercase(SuppliedPassword.charAt(9))) {
    PasswordIsCorrect = false;
  }
  if (QuoteOfTheDay.indexOf(SuppliedPassword.charAt(9)) != -1) {
    PasswordIsCorrect = false;
  }
This part of the source is the JavaScript that validates the password. Let's get started.
if (SuppliedPassword.length == 12) {
We need to make sure our password is 12 characters long. Let's use 012345678901 as our starting password.
if (! IsNumber(SuppliedPassword.charAt(0))) {
if (! IsNumber(SuppliedPassword.charAt(10)) || ! IsNumber(SuppliedPassword.charAt(1))) {
if (! IsNumber(SuppliedPassword.charAt(6)) || ! IsNumber(SuppliedPassword.charAt(2))) {
We need to make sure the characters at indices 0, 1, 2, 6, and 10 are numbers. We started with numbers, so we're fine for now.
if (Number(SuppliedPassword.charAt(0)) + Number(SuppliedPassword.charAt(1)) + Number(SuppliedPassword.charAt(2)) + Number(SuppliedPassword.charAt(6)) + Number(SuppliedPassword.charAt(10)) != SuppliedPassword.length) {
We already know that these 5 characters have to be numbers, and that our password has to be 12 characters long. Now we know that the 5 characters have to add up to 12.
if (SuppliedPassword.charAt(7) != PasswordPrompt.charAt(PasswordPrompt.length - 1)) {
We now know that index 7 of our password is equal to the last character of the password prompt string (Enter the password). We'll update our password to 0123456d8901.
if (SuppliedPassword.charCodeAt(7) != SuppliedPassword.charCodeAt(8) - Number(SuppliedPassword.charAt(0)) / Number(SuppliedPassword.charAt(0))) {
From this, we can determine that index 8 is the next value from index 7. Our password is now 0123456de901.
if (Number(SuppliedPassword.charAt(2)) != Number(SuppliedPassword.charAt(6)) || Number(SuppliedPassword.charAt(6)) != Number(SuppliedPassword.charAt(1))) {
This is basically saying that indices 1, 2, and 6 need to be identical.
if (Number(SuppliedPassword.charAt(1)) * Number(SuppliedPassword.charAt(10)) != 0) {
if (Number(SuppliedPassword.charAt(1)) - Number(SuppliedPassword.charAt(10)) != SuppliedPassword.charAt(3).length) {
From these 2 statements, we get some important data. If index 1 * index 10 = 0, one of them has to be 0. If index 1 - index 10 = the length of index 3 (each index is a single character, so the length is 1), and we already know one of the two is 0, then we are looking at 1 * 0 = 0 and 1 - 0 = 1. So, index 1 = 1 and index 10 = 0. Our starting password already has those values, so it stays 0123456de901. The second statement appears in the source twice; just ignore the duplicate.
We also know that indices 1, 2, and 6 are identical. Updating our password to 0113451de901.
Since we also know that indices 0, 1, 2, 6, and 10 have to add up to 12, we know that index 0 has to be 9. Updating our password to 9113451de901.
if (SuppliedPassword.charAt(11) + SuppliedPassword.charAt(3) + SuppliedPassword.charAt(4) != TodaysSecretPassphrase.substr(Number(SuppliedPassword.charAt(0)) / 2, 3)) {
Here we can tell that indices 11, 3, and 4 are equal to a substring of the TodaysSecretPassphrase variable. The substring is 3 characters, starting at index 4 (9 / 2 = 4.5, round it down), and the substring is "bin". Updating our password to 911in51de90b.
if (! IsLowercase(SuppliedPassword.charAt(9))) {
if (QuoteOfTheDay.indexOf(SuppliedPassword.charAt(9)) != -1) {
Index 9 needs to be a lowercase letter, and it must not appear anywhere in the QuoteOfTheDay. The only lowercase letter not in this variable is j. Updating our password to 911in51dej0b.
There is no check whatsoever for index 5; anything will work. We'll leave it as it is, and the password reads (in 1337speak) "911 inside job".
Enter 911in51dej0b as the password, and you are greeted with this mess.
If you act too slow, the message will disappear and you'll have to enter the password again.
Flag: n0-evidence-0n1y-this-8030
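The lesson for anyone building a login page is that a validator shipped to the browser can be solved offline, because every constraint is visible. The script below is an added example, not the challenge's own code: it ports the checks to Python (using the same string constants, and mirroring the JavaScript quirks that matter, such as `substr()` truncating 9 / 2 to 4 and `0 / 0` being NaN), reproduces the write-up's deductions mechanically, and confirms that index 5 is never checked, so there is a whole family of accepted passwords. `IsNumber` and `IsLowercase` are not defined in the excerpt, so the single-digit and single-lowercase-letter readings used here are assumptions.

```python
import string

PASSWORD_PROMPT = "Enter the password"
TODAYS_SECRET_PASSPHRASE = "Climbing is dangerous"
QUOTE_OF_THE_DAY = ("the beige hue on the waters of the loch impressed all, including "
                    "the zapped french queen, before she heard that symphony again, as "
                    "kind young arthur wanted. keen oxygen vendor.")

DIGIT_INDICES = (0, 1, 2, 6, 10)


def is_number(c):
    # Assumption: the page's IsNumber() accepts a single decimal digit.
    return len(c) == 1 and c in string.digits


def is_lowercase(c):
    # Assumption: the page's IsLowercase() accepts a single lowercase letter.
    return len(c) == 1 and c in string.ascii_lowercase


def password_is_correct(pw):
    """Python port of the validator, in the order the checks appear in the source."""
    if len(pw) != 12:
        return False
    if not all(is_number(pw[i]) for i in DIGIT_INDICES):
        return False
    d = {i: int(pw[i]) for i in DIGIT_INDICES}
    if sum(d.values()) != len(pw):
        return False
    if pw[7] != PASSWORD_PROMPT[-1]:
        return False
    # In JS, 0 / 0 is NaN and any comparison involving NaN rejects the password.
    if d[0] == 0 or ord(pw[7]) != ord(pw[8]) - d[0] // d[0]:
        return False
    if d[2] != d[6] or d[6] != d[1]:
        return False
    if d[1] * d[10] != 0:
        return False
    if d[1] - d[10] != len(pw[3]):          # charAt(3).length is always 1
        return False
    start = d[0] // 2                       # substr() truncates a fractional start
    if pw[11] + pw[3] + pw[4] != TODAYS_SECRET_PASSPHRASE[start:start + 3]:
        return False
    if not is_lowercase(pw[9]):
        return False
    if pw[9] in QUOTE_OF_THE_DAY:
        return False
    return True


def derive_password(filler="5"):
    """Reproduce the write-up's deductions; `filler` occupies unchecked index 5."""
    # Digit constraints: d1*d10 == 0, d1 - d10 == 1, d1 == d2 == d6,
    # and the five digits sum to 12. Brute force the three free digits.
    solutions = [(d0, d1, d10)
                 for d0 in range(10) for d1 in range(10) for d10 in range(10)
                 if d1 * d10 == 0 and d1 - d10 == 1 and d0 + 3 * d1 + d10 == 12]
    d0, d1, d10 = solutions[0]
    pw = [None] * 12
    pw[0], pw[1], pw[2], pw[6], pw[10] = str(d0), str(d1), str(d1), str(d1), str(d10)
    pw[7] = PASSWORD_PROMPT[-1]                        # 'd'
    pw[8] = chr(ord(pw[7]) + 1)                        # 'e'
    pw[11], pw[3], pw[4] = TODAYS_SECRET_PASSPHRASE[d0 // 2:d0 // 2 + 3]  # "bin"
    pw[9] = [c for c in string.ascii_lowercase if c not in QUOTE_OF_THE_DAY][0]
    pw[5] = filler
    return "".join(pw)


if __name__ == "__main__":
    for filler in "5Z!":
        candidate = derive_password(filler)
        print(candidate, password_is_correct(candidate))
```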
HackYou CTF, Crypto100 – Schneier’s Algorithm
This challenge is not really an encryption, but the message is encoded.
TTHOH FEEUA FSBIC TTESK WCSTY
By itself, the letters don't really mean anything. However, rotate the whole thing counter-clockwise 90°, and things make a bit more sense.
HACKY OUIST HEBES TESTC TFFTW
HackYou is the bestest CTF FTW
Flag: HACKYOUISTHEBESTESTCTFFTW
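Rotating a block of text is the kind of thing that is easy to get backwards by hand, so it helps to have the four orientations computed for you. This is an added example, not part of the original write-up: it lays the five groups out as a 5x5 grid, rotates it counter-clockwise exactly as described above (the last column, read top to bottom, becomes the first row), and also offers the other readings a solver would try.

```python
def rotate_ccw(rows):
    """Rotate a square grid of equal-length strings 90 degrees counter-clockwise.

    new[i][j] = old[j][n-1-i]: the last column, read top to bottom,
    becomes the first row.
    """
    n = len(rows)
    if any(len(r) != n for r in rows):
        raise ValueError("grid must be square")
    return ["".join(row[n - 1 - i] for row in rows) for i in range(n)]


def rotate_cw(rows):
    """Rotate 90 degrees clockwise: new[i][j] = old[n-1-j][i]."""
    n = len(rows)
    if any(len(r) != n for r in rows):
        raise ValueError("grid must be square")
    return ["".join(rows[n - 1 - j][i] for j in range(n)) for i in range(n)]


def transpose(rows):
    return ["".join(col) for col in zip(*rows)]


def candidate_readings(ciphertext):
    """Every reading of the grid a solver would try, keyed by orientation."""
    rows = ciphertext.split()
    return {
        "rows": "".join(rows),
        "columns": "".join(transpose(rows)),
        "ccw": "".join(rotate_ccw(rows)),
        "cw": "".join(rotate_cw(rows)),
    }


if __name__ == "__main__":
    for name, text in candidate_readings("TTHOH FEEUA FSBIC TTESK WCSTY").items():
        print(f"{name:8s} {text}")
```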
HackYou CTF, Stego200 – Halloween
This challenge was really fun, and the solution is one that might not be easily found if you haven't done image manipulation before.
One way that you might find the hidden message is if you noticed the light markings around the face of the creature, and decided to lighten it up a bit.
This image shows something you might find when tweaking the contrast/brightness in crazy ways:
And here is the image with just the hidden message showing:
The resulting dots are a 7-bit binary message. Convert to decimal and look up the numbers in the ASCII table to find your message.
1100001 1101001 1101110 1110100 1011111 1100001 1100110 1110010 1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110 1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011
97 105 110 116 95 97 102 114 97 105 100 95 111 102 95 110 111 95 103 104 111 115 116 115
a i n t _ a f r a i d _ o f _ n o _ g h o s t s
Flag: aint_afraid_of_no_ghosts
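When the dots come off the image as one continuous bit stream, the code width (7 or 8 bits) is not always obvious. The script below is an added example, not part of the original write-up: it decodes the bit groups listed above and, more generally, tries each plausible width and keeps only the decodings that come out as printable ASCII, so the wrong grouping is rejected automatically.

```python
import string

# The 7-bit groups read from the dots in the image, as listed in the write-up.
BITS_FROM_IMAGE = (
    "1100001 1101001 1101110 1110100 1011111 1100001 1100110 1110010 "
    "1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110 "
    "1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011"
)


def decode_bits(bits, width):
    """Decode a bit string as fixed-width character codes; separators are ignored."""
    stream = "".join(bits.split())
    if set(stream) - {"0", "1"}:
        raise ValueError("input is not binary")
    if len(stream) % width:
        raise ValueError(f"{len(stream)} bits is not a multiple of {width}")
    return "".join(chr(int(stream[i:i + width], 2)) for i in range(0, len(stream), width))


def plausible_decodings(bits, widths=(7, 8)):
    """Try each code width and keep only decodings that are printable ASCII.

    168 bits divide evenly by both 7 and 8, but the 8-bit reading starts with
    byte 0xC3, which is not printable, so only the 7-bit reading survives.
    """
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    found = {}
    for width in widths:
        try:
            text = decode_bits(bits, width)
        except ValueError:
            continue
        if all(c in printable for c in text):
            found[width] = text
    return found


if __name__ == "__main__":
    for width, text in plausible_decodings(BITS_FROM_IMAGE).items():
        print(f"{width}-bit: {text}")
```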
HackYou CTF, Stego100 – Perfect Concealment
This challenge is pretty simple once you see the pattern.
Here is the original Stego100 text file.
If you read through the article, you'll notice that some letters are capitalized in the middle of a word. I've separated the words so you can see what I mean:
deFend
bLeating
pandAs
stronGest
gIves
chooSe
ChineSe
ThE
eXtinction
babY
pandaS
UniTed
changEd
aGree
herbivOrous
tyPe
cAn
TraditioNal
panDas
PandAs
firSt
Put the letters together and you get "Flag is sexy stego pandas".
Flag: SEXYSTEGOPANDAS
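Once the pattern is spotted, pulling the letters out is a job for a script: take every capital letter that is not the first letter of its word, which also discards ordinary sentence-initial and proper-noun capitals (the C in ChineSe, the T in ThE) that carry no hidden data. This is an added example, not part of the original write-up; it runs over the list of words given above.

```python
import re

# The words the write-up lists, each carrying one odd mid-word capital.
WORDS_FROM_WRITEUP = """deFend bLeating pandAs stronGest gIves chooSe ChineSe ThE
eXtinction babY pandaS UniTed changEd aGree herbivOrous tyPe cAn TraditioNal
panDas PandAs firSt"""


def midword_capitals(text):
    """Return, in order, the uppercase letters that are not the first letter
    of their word. Words are maximal runs of ASCII letters, so punctuation
    and line breaks do not affect the result."""
    return "".join(c for word in re.findall(r"[A-Za-z]+", text)
                   for c in word[1:] if c.isupper())


if __name__ == "__main__":
    print(midword_capitals(WORDS_FROM_WRITEUP))
```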