Troopers 2018 – Challenge Write-Up

Here is the complete write-up of all challenges at Troopers 18.
Here is the table of contents:

Social-Challenges

Meet Heimo

Description

Meet Heimo in the Lobby and get a token! For those of you that are not yet familiar with him, go ahead and tell him how beautiful his eyes are.

Write Up:

Just meet Heimo in the Lobby and have a nice chat with him. Heimo is from https://hm-ts.de and they offer some nice trainings. After a nice talk and a subscription to the newsletter you will get the token.

Meet Hacken.IO

Description

Come meet our partners from Hacken.io and pick-up a token. You’ll need to solve their challenge to get one!

Write Up

Well, their challenges were a little bit confusing. You find everything here: http://tr18.hackenproof.com/
One challenge is a real-life hardware challenge to break the product Hideez. The second one is a set of smart-contract challenges.
You find these challenges here: https://sc.hackenproof.com. It is a small introduction to Ethereum and smart contracts. In the end it turned out that you didn't need to solve any of these challenges. You only needed to find the right person, who had the tokens, and ask nicely for one.

The only thing I didn't understand is what hacken.io really is. It is some sort of cryptocurrency which is used for bug bounties or something like that. Maybe someone can explain that to me :) Anyway, I had some really great chats with the people at the hacken.io booth.

Provide Feedback

Description

Fill out the feedback form you find in your TROOPERS18 bag, drop it at the registration desk and get a token. You will also find feedback forms at the TROOPERS Desk in case you mess one up or your bag is missing them.

Write Up

Just fill out the feedback form and submit it at the service desk. Interesting that some people already submitted it on the first day :D

Meet ERNW (SecTools)

Description

Meet us at the ERNW Booth, check out our new stuff and get a token.

Write Up

Another booth, where you can inform yourself about the new ERNW tool „Directory Ranger“: https://ernw-sectools.de/products/ My short summary: it is a small scanner for Active Directory that finds misconfigurations and vulnerabilities in it. It only needs read rights, and the licensing model is based on the size of the AD. After a small chat I got another token. Their Twitter account is also awesome; you get valuable information on defending and attacking ADs: https://twitter.com/DirectoryRanger

Write a Postcard

Description

Make your loved ones back at home jealous that you’re hanging out at Troopers.
Send them a little love with a postcard which you can get at the info desk.

Write Up

Just write a postcard and submit it at the info desk. The Troopers conference is so nice that it even pays for the postage :) I wrote four cards and got another token.

Packetwars

Description

Prove your skills in a real-world hacking environment.
For your battle briefing check https://troopers.de

Write Up

Get a team and participate in PacketWars. I was not a big help, but it was a lot of fun. Here are the tasks of PacketWars:

10k run

Description

Shout the TROOPERS battle cadence while running up the historic Philosopher’s Way (also a great time/place to take pictures!). We will meet at 7am in the lobby of the Crowne Plaza Heidelberg.
Infos at https://troopers.de

Write Up

Respect to all the runners. I did not run, because I am not that well trained. Here are some impressions from Twitter:

Soldering

Description

Visit the soldering corner and build a gadget!

Write Up

Grab the parts of a USB condom at the soldering station and solder them together. After successful soldering you get another token:

Here is a picture of it and some pictures from Twitter:

Meet the RaumZeitLabor

Description

Visit the RaumZeitLabor and receive a challenge token.

Write Up:

At the RaumZeitLabor there was a small box which you could open by solving a riddle.

I forgot to take photos of the instructions. Basically, the first part was a riddle about placing symbols on top of the buttons (upper part of the image). After you placed everything correctly, the solution was to tap the left button three times, the right button two times and the middle button once. The buttons between them were never touched. If it was done correctly, the sword moved clockwise.

The second part was to take what the lion has and give the fox twice as much. So I moved the two coins from the lion to the fox and put 2 x 1 cent into the hole. The sword should move after this.

The third part said that you should give the eel a tear. So I poured some water into the hole at the right time. After this the box broke, and it was gone for the whole first day. Sorry!

The fourth part said something about the moon and the sun rising 10 times. On the left side you see two holes. I think you need to cover one hole so that only the sun gets light, then switch so that only the moon gets light, and so on. If you do it correctly the box should open like this. You get some candy and a token, which are lying inside the box:

Radio Challenges

First a big thank you to @net0SKi for lending me a 3-pole male-to-male audio jack cable, so that I could record all these challenges.

Tune in

Description: Groove it.

Write Up

Find the right frequency. Here is my audio recording (bad quality):

or you can find a public leak on Twitter from Travis:

Mayday Mayday

Description: It’s not SOS.

Find the right frequency. Here is my audio if you want to try it yourself:

Write Up:

It is just Morse code. I loaded my recording into Audacity and looked at the spectrogram:


If you write everything down correctly, you should get:

---.. .---- ... .-. . .--. --- --- .-. - ---... 
--... ....- ----- -.... -....- -.... .---- --... ..--- -....- ..--- --... ..---  ---.. -....- ..... --... ----- ....- -....- ..--- ...-- ----- ..---

The first line is TROOPERS something and the second line is the token. For decoding I used the Happy-Security decoder, but you need to know that the decoder doesn't know what „-....-“ is. After decoding I got the token 7406-6172-2728-5704-2302, but unfortunately this is not the right one. If you reverse the token it works: 2032-4075-8272-2716-6047

E-Mail killed the Telefax-Star

Description: Phreak out.

Write Up:

You hear some audio which sounds like pressing a button on your phone. These tones are called DTMF tones. I uploaded my recording to an online decoder (it takes some time):

I wrote all numbers down up to the point where they start repeating: 31112333322740796847

Now I just submit the possible token. If it is wrong, I move every number one position to the right and the last number becomes the first, or the other way round. After a few tries I got the right token:

1112-3333-2274-0796-8473 (11123333227407968473)
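An added example (my own code, not part of the original post) covering the two radio tokens above. The Morse table below includes the hyphen `-....-` and the colon `---...`, which a letters-and-digits-only online decoder lacks. Run over the two lines transcribed from the spectrogram it yields `81SREPOORT:` for the first line, which is `TROOPERS18:` backwards, so the whole transmission was reversed and the token only validates after reversal. For the DTMF recording, which can start anywhere in the repeating digit sequence, the same block lists all 20 cyclic rotations formatted as tokens; the one the checker accepted is rotation 1.

```python
# Morse table; the two punctuation symbols in the recording (hyphen and colon)
# are the ones a plain letters-and-digits decoder lacks.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "-....-": "-", "---...": ":", ".-.-.-": ".", "--..--": ",", "..--..": "?",
    "-..-.": "/", ".-.-.": "+", "-...-": "=", ".--.-.": "@",
}

# The two lines transcribed from the spectrogram in the write-up.
LINE1 = "---.. .---- ... .-. . .--. --- --- .-. - ---..."
LINE2 = ("--... ....- ----- -.... -....- -.... .---- --... ..--- -....- "
         "..--- --... ..--- ---.. -....- ..... --... ----- ....- -....- "
         "..--- ...-- ----- ..---")

# Digits read off the DTMF recording, as written down in the write-up.
DTMF_DIGITS = "31112333322740796847"


def morse_decode(line: str) -> str:
    """Decode space-separated Morse symbols; unknown symbols become '?' instead of aborting."""
    return "".join(MORSE.get(sym, "?") for sym in line.split())


def decode_both_ways(line: str) -> tuple:
    """Return the plain decoding and its reversal: a transmission played backwards
    decodes to backwards text, which is what happened here."""
    plain = morse_decode(line)
    return plain, plain[::-1]


def rotations(digits: str) -> list:
    """All cyclic shifts of a digit string. A recording that starts mid-sequence
    yields one of these, and the right one has to be tried at the token checker."""
    return [digits[i:] + digits[:i] for i in range(len(digits))]


def as_token(digits: str, group: int = 4) -> str:
    """Format a 20-digit string as dddd-dddd-dddd-dddd-dddd."""
    return "-".join(digits[i:i + group] for i in range(0, len(digits), group))


if __name__ == "__main__":
    print(decode_both_ways(LINE1))   # ('81SREPOORT:', ':TROOPERS18')
    print(decode_both_ways(LINE2))
    for n, cand in enumerate(rotations(DTMF_DIGITS)):
        print(n, as_token(cand))
```

The reversed first line is the check you want before submitting anything: if the header does not read `TROOPERS18`, the token below it will not be right either.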

Can I haz crytp0?! plx1! – Write Up from @ChadBrigance

Description: That is a hard one – we will see who solves that one.

Write Up:

The token was XOR-encoded first with the single-byte key 2b, then with a different key which changed for each token. The format of the token is five groups of four numbers separated by a dash. When transmitted, the hex value found where the dash should be is the XOR key.

Additional Notes:

@ChadBrigance showed me an awesome tool which really helps in this case:
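An added example (my own code, not @ChadBrigance's tool or the challenge's) of the scheme he describes. Because the token format is fixed, the four dash positions are known plaintext: each transmitted byte there equals `'-' ^ 0x2b ^ key`, so the per-token key falls out of any one of them and the other three confirm it. Everything about the transmitted form beyond that description (bytes, hex string, 24-byte length) is my assumption; the sample token and key are constructed.

```python
SINGLE_KEY = 0x2B                # first XOR layer, fixed for every token
DASH_POS = (4, 9, 14, 19)        # where '-' sits in a dddd-dddd-dddd-dddd-dddd token


def xor_token(token: str, per_token_key: int) -> bytes:
    """Model of the transmitted form (assumed): each byte XORed with 0x2b and then
    with the per-token key. XOR commutes, so the order of the two layers is irrelevant."""
    return bytes(ord(c) ^ SINGLE_KEY ^ per_token_key for c in token)


def recover_key(cipher: bytes) -> int:
    """Known-plaintext attack: the four dash positions must decrypt to '-', so each
    of them reveals the per-token key. They must all agree; otherwise the framing
    or the assumed format is wrong."""
    keys = {cipher[p] ^ ord("-") ^ SINGLE_KEY for p in DASH_POS}
    if len(keys) != 1:
        raise ValueError("dash positions disagree on the key: %r" % sorted(keys))
    return keys.pop()


def decrypt(cipher) -> str:
    """Accept raw bytes or the hex string as heard over the air; return the token
    only if the result actually looks like one."""
    if isinstance(cipher, str):
        cipher = bytes.fromhex(cipher)
    if len(cipher) != 24:
        raise ValueError("expected 24 bytes, got %d" % len(cipher))
    key = recover_key(cipher)
    token = bytes(b ^ SINGLE_KEY ^ key for b in cipher).decode("ascii")
    if not all(len(g) == 4 and g.isdigit() for g in token.split("-")):
        raise ValueError("decrypted text is not a token: %r" % token)
    return token


if __name__ == "__main__":
    # constructed sample: not a real token, key picked arbitrarily
    ct = xor_token("1234-5678-9012-3456-7890", 0x5A)
    print(ct.hex(), "->", decrypt(ct.hex()))
```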

Catch me if you can – Write Up from @ChadBrigance

Description: Can you?

There was a guy walking around the whole time with a big antenna.
Funny pictures & videos on Twitter:

Write Up:

This was difficult due to the fact that someone was walking around and the only visual clue was a long antenna. Not knowing much of anything, a few colleagues and I roamed around looking. We heard that the frequency might be around 100.9 MHz and eventually we picked up a signal. That's when someone kind of walked up to us and we realized that was the person we needed to find. The part that made this tricky was the fact that he kept moving and the signal strength was weak. In order to get a clear signal I had to hold the badge very close to the antenna.

The audio consisted of the famous Neil Armstrong quote „… that's one small step for man…“ followed by the token spoken out in words, but at a fast pace. That combined with the signal source moving around made it a little challenging to write down the token. Therefore, recording the audio made the difference.

Troopers Blog

The blog was introduced at the first keynote of Troopers. It was only available from the internal network. Here are some images of the blog:

The first article is really important; you will see this in the detailed write-ups.

CSS to the Rescue

From the main page we go to the login area. It would be https://blog.troopers.de/wp-admin, or you click on the lock in the top right corner of the blog (see the first image in the introduction part). Now we are on the login page:

As the title of the challenge suggests, I dug into the CSS files and found an image file encoded within the CSS:

If we decode the base64 string and look into the image header, we find the token for the „CSS to the rescue“ challenge:

The token is 1392-7331-5010-4331-1703

All Roads Lead to Rome

I assumed that the first article on the blog plays a big role, so I analyzed many images on the page. The lock in the top right corner, which leads to the admin area, also has a token in it:

The token is 0e0c-2bf2-2bbc-b2af-caaf, but it looks obfuscated. The last article on the page has a small Caesar decryption tool:

Sadly I forgot which was the right token. Shift 6 is 6462-8158-8112-1805-2005 and shift 7 is 7573-9269-9223-2916-3116, but I think shift 7 was the right one.
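An added example (my own code, not the blog's Caesar tool): the two candidates above are consistent with a Caesar shift over the 16-symbol hex alphabet `0-9a-f`, since `e` (14) + 6 wraps to `4` and `c` (12) + 6 wraps to `2`, giving `6462` from `0e0c`. Applying all 16 shifts and keeping only the ones whose output contains no letters, as a real token must, leaves exactly shifts 6 and 7, which is why those were the only two worth trying.

```python
import string

HEX = string.digits + "abcdef"              # the 16-symbol alphabet the obfuscated token uses
OBFUSCATED = "0e0c-2bf2-2bbc-b2af-caaf"      # the token embedded in the lock image


def hex_shift(token: str, shift: int) -> str:
    """Caesar shift over 0-9a-f; characters outside the alphabet (the dashes) pass through."""
    out = []
    for ch in token.lower():
        if ch in HEX:
            out.append(HEX[(HEX.index(ch) + shift) % 16])
        else:
            out.append(ch)
    return "".join(out)


def digit_only_shifts(token: str) -> list:
    """Shifts whose output is a plausible dddd-dddd-dddd-dddd-dddd token, i.e. has
    no a-f left. Every other shift can be discarded without trying it."""
    return [s for s in range(16)
            if all(c.isdigit() for c in hex_shift(token, s).replace("-", ""))]


if __name__ == "__main__":
    for s in digit_only_shifts(OBFUSCATED):
        print(s, hex_shift(OBFUSCATED, s))
```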

Base64^2

Digging through the blog, I found at the bottom of the source code a small piggy image (the path is different in the original, because I dumped the site):

If we analyze it with a hex editor or hexdump, we find a base64 string in it:

The base64 code is the following:

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

If we decode the base64, we get another image with base64 in it. Here is the next base64 string:

iVBORw0KGgoAAAANSUhEUgAAAAcAAAAHCAYAAADEUlfTAAAA1klEQVR4AQHLADT/AGlWQgBPUncAMEtHAGdvQQBBQUEATlNVAGhFVQAAZ0FBAEFBTQBBQUEAQURDAEFZQQBBQUIAV0tMAABXL0EAQUFBAE1rbABFUVYAUjRBAFFFbgBBTmoAAC9BRABFeU4AZ0F5AExUawBBTXoAY3pBAEFBdAAAT0RVAEFNVABRdEEAREV5AE9RQQBBT1MAMHhBAABEa3cATndBAEFBQQBBQWEAZ3dFAHpuUwA2dSsAAE1BQQBBQUEAU1VWAE9SSwA1Q1kASUk9AAAAAAABbyyF7qXRggAAAABJRU5ErkJggg==

and another image with base64 in it:

iVBORw0KGgoAAAANSUhEUgAAAAMAAAADCAYAAABWKLW/AAAAMklEQVR4AQEnANj/ADEyNgAyLTkAMzczAAAtODUAMTQtADEyOQAAOS0xADkwNwAAAAAAagwEznS6u+MAAAAASUVORK5CYII=

and another image, this time with the token in it:

The token is 1262-9373-8514-1299-1907
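An added example (my own code, not from the blog) that automates what the last two challenges did by hand: pull a base64 data: URI out of a stylesheet, read the PNG's header chunks for a token, and peel nested images by searching the raw bytes for the longest base64 run, decoding it, and descending while the result is again a PNG. The blog's images are not on the page, so the block builds its own minimal PNGs and hides the payload in `tEXt` chunks; the token in it is constructed. The trim-to-multiple-of-four step exists because a base64 run with no `=` padding can pick up a few alphabet bytes from whatever follows it in the file (here the chunk CRC).

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")          # long base64-looking runs in raw bytes
DATA_URI = re.compile(r"data:image/\w+;base64,([A-Za-z0-9+/=]+)")


def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png(texts: dict) -> bytes:
    """Valid 1x1 RGBA PNG carrying keyword->value pairs as tEXt chunks. A constructed
    stand-in for the blog's images, which are not on the page."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)      # 1x1, 8-bit, RGBA
    raw = b"\x00" + b"\x00\x00\x00\xff"                       # filter byte + one pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, val in texts.items():
        out += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + val.encode("latin-1"))
    return out + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_chunks(data: bytes):
    """Walk the chunk list of a PNG, yielding (type, body)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        kind = data[pos + 4:pos + 8]
        yield kind, data[pos + 8:pos + 8 + length]
        if kind == b"IEND":
            break
        pos += 12 + length


def png_text(data: bytes) -> dict:
    """Keyword->value of every tEXt chunk: the 'image header' place a token can hide."""
    found = {}
    for kind, body in png_chunks(data):
        if kind == b"tEXt" and b"\x00" in body:
            key, _, val = body.partition(b"\x00")
            found[key.decode("latin-1")] = val.decode("latin-1")
    return found


def data_uri_images(css: str) -> list:
    """Decode every base64 data: URI embedded in a stylesheet."""
    return [base64.b64decode(m) for m in DATA_URI.findall(css)]


def peel(blob: bytes) -> list:
    """The hex-editor loop, automated: find the longest base64 run in the bytes,
    decode it, and keep going while the result is again a PNG. Returns every
    layer, outermost first."""
    layers = [blob]
    while True:
        runs = B64_RUN.findall(layers[-1])
        if not runs:
            return layers
        run = max(runs, key=len)
        run = run[:len(run) - len(run) % 4]      # drop stray alphabet bytes that follow the run
        try:
            inner = base64.b64decode(run, validate=True)
        except ValueError:
            return layers
        layers.append(inner)
        if not inner.startswith(PNG_SIG):
            return layers


if __name__ == "__main__":
    token = "0000-1111-2222-3333-4444"                        # constructed, not a real token
    inner = make_png({"Comment": token})
    middle = make_png({"Comment": base64.b64encode(inner).decode()})
    outer = make_png({"Comment": base64.b64encode(middle).decode()})
    layers = peel(outer)
    print(len(layers), png_text(layers[-1]))                  # 3 {'Comment': '0000-...'}
    css = "a{background:url(data:image/png;base64,%s)}" % base64.b64encode(inner).decode()
    print(png_text(data_uri_images(css)[0]))
```

`png_text` only reads `tEXt`; if a real image keeps its text in `zTXt` or `iTXt` the body is zlib-compressed or UTF-8 and needs the corresponding unpacking, which is a few more lines on top of `png_chunks`.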

Counting 1-2-3

If you check all articles, you see that every article is written by root. You can click on the name and it sends you to the user page https://blog.troopers.de/user/0. As the challenge title says, I assumed I needed to enumerate all possible users. I wrote a small C# script for this:


using System;
using System.Net;

// Walk /user/<id> until a page does not contain the "not found" marker.
string temp = "";
WebClient web = new WebClient();

for (int i = 1; i < 10000; i++) {
    string tmp = web.DownloadString("https://blog.troopers.de/user/" + i.ToString());
    if (!tmp.Contains("User was not found")) {
        temp += "User id: " + i.ToString() + " - " + tmp;
        break; // stop at the first existing user besides root (id 0)
    }
}

txt_debug.Text = temp; // txt_debug is a text box in the small WinForms tool this ran in

and I got the following result:

0352-0390-1616-9683-2610 is the token.
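An added example (my own code, not the script from the post) of the same enumeration with two things a practitioner wants on a loop like this: transport errors are treated as "no such user" instead of aborting the run, and every existing id is collected rather than stopping at the first hit. The URL layout and the `User was not found` marker are taken from the write-up; the offline stand-in site, its ids and its token are constructed.

```python
import urllib.request
from typing import Callable, List, Tuple

NOT_FOUND = "User was not found"            # marker the blog shows for a missing id
BASE = "https://blog.troopers.de/user/"     # layout from the write-up


def http_fetch(uid: int, timeout: float = 5.0) -> str:
    """Real transport; raises OSError (URLError/HTTPError) on network or HTTP errors."""
    with urllib.request.urlopen(BASE + str(uid), timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")


def enumerate_users(fetch: Callable[[int], str], ids: range) -> List[Tuple[int, str]]:
    """Try every id, treat transport errors as 'missing', and keep every page
    that lacks the not-found marker instead of stopping at the first hit."""
    found = []
    for uid in ids:
        try:
            body = fetch(uid)
        except OSError:
            continue
        if NOT_FOUND not in body:
            found.append((uid, body))
    return found


# Constructed stand-in for the blog so the example runs offline.
FAKE_SITE = {
    0: "<h1>root</h1>",
    7: "<h1>bob</h1> token: 0000-0000-0000-0000-0000",
    42: "<h1>alice</h1>",
}


def fake_fetch(uid: int) -> str:
    if uid in FAKE_SITE:
        return FAKE_SITE[uid]
    if uid % 100 == 99:
        raise OSError("simulated HTTP 500")     # the loop must survive this
    return "<p>User was not found</p>"


if __name__ == "__main__":
    for uid, body in enumerate_users(fake_fetch, range(0, 200)):
        print(uid, body)
    # against the real blog (internal network only): enumerate_users(http_fetch, range(0, 10000))
```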

Secret Appliance from TROOPERS16

Description: Remember the secret appliance from TROOPERS16?

Yes, I know the old appliance and also the mail:

I also wrote them a mail, but sadly the mail servers were already closed. The appliance was only available from the internal network. The first part was to log into the machine by guessing the password. Username and password are „trooper“. You have the following commands on the server:

Hexify

In the directory /home/trooper/secret/ is a file called „troopers“. If you run hexdump on the file you see only 0, 1 and 2 characters:

If you get the right width, you are able to see the token. I used a small Notepad++ trick for this. First I dumped the content and replaced all 2's with „█“ and all 1's with „▒“. Everything is on one line, and I activated „automatic line breaks“. It should look something like this:

If you make the window narrower, at some point a number appears:

The Token is 7102-7099-1920-2815-0999
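An added example (my own code, not from the post) that replaces the window-resizing trick: if the dump is `width * height` cells with no line breaks, the width must divide the file length, so only the divisors are worth rendering. Ranking those by how many cells match the cell directly above them picks the true width, because glyph strokes are vertically coherent and a wrong width scatters them. The 0/1/2 bitmap below is constructed (a "7" drawn in 2s on a background of 1s with a 0 margin); the real file is not on the page.

```python
GLYPH = {"0": " ", "1": "▒", "2": "█"}     # same mapping as the Notepad++ replace, 0 left blank

# Constructed 10x6 sample flattened into one line, the way hexdump presented the file.
SAMPLE_ROWS = [
    "0222222220",
    "0111112210",
    "0111122110",
    "0111221110",
    "0112211110",
    "0122111110",
]
SAMPLE = "".join(SAMPLE_ROWS)


def candidate_widths(n: int, lo: int = 4) -> list:
    """Widths that divide the cell count; anything else would leave a ragged last row."""
    return [w for w in range(lo, n // 2 + 1) if n % w == 0]


def render(cells: str, width: int) -> list:
    """Split the flat cell string into rows and map each cell to a glyph."""
    rows = [cells[i:i + width] for i in range(0, len(cells), width)]
    return ["".join(GLYPH.get(c, "?") for c in row) for row in rows]


def score(cells: str, width: int) -> float:
    """Fraction of cells equal to the cell directly above them at this width."""
    pairs = [(cells[i], cells[i - width]) for i in range(width, len(cells))]
    return sum(a == b for a, b in pairs) / len(pairs)


def best_width(cells: str, lo: int = 4) -> int:
    """Candidate width with the highest vertical coherence."""
    return max(candidate_widths(len(cells), lo), key=lambda w: score(cells, w))


if __name__ == "__main__":
    w = best_width(SAMPLE)
    print("width", w, "score", round(score(SAMPLE, w), 3))
    print("\n".join(render(SAMPLE, w)))
```

On a real dump, print the top two or three candidates rather than trusting the single best score; a digit token is easy to confirm by eye once the rows line up.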

Did you try turning it off and on again?

Just shut down the server:

As you can see, 6882-8804-6522-6655-3822 is the token.

Connection established!

First I read the hosts file. There was a hint of a host called „token.fshbwl.ru“. If we try to telnet to it, it won't work, because the port was moved. I just guessed it might be port 1337:

0592-6338-9424-2718-0489 is the token.

Do they still make those?

In the directory /pub/session there is an „a.out“ file and a „session.c“ file. Here is the source code:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "secret.h"

char const hex_chars[16] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };

/* Repeating-key XOR of src, returned as an upper-case hex string (two chars per byte). */
char *encrypt(char *src, char *key) {
    int lSrc = strlen(src);
    int lKey = strlen(key);
    char *result = malloc(2 * lSrc + 1);
    for(int i = 0; i < lSrc; i++) {
        char xor = src[i] ^ key[i % lKey];
        result[2 * i] = hex_chars[(xor & 0xF0 ) >> 4];
        result[2 * i + 1] = hex_chars[(xor & 0x0F) >> 0];
    }
    result[2 * lSrc] = 0;
    return result;
}

long pow2(long base, long power) {
    long out = 1;
    for (int i = 0; i < power; i++) {
        out *= base;
    }
    return out;
}

/* Sums the digits of src right to left (non-digits are skipped) into an int
   and returns it as a short. */
short parseShort(char *src) {
    int out = 0;
    for (int i = 0, j = strlen(src); j > 0; i++,j--) {
        if (src[j-1] < 48 || src[j-1] > 57) {
            i--;
            continue;
        }
        out += pow2(10, i) * (src[j-1] - 48);
    }
    return out;
}

int main(int argc, char *argv[]) {
    if (argc < 3) {
        printf("usage: %s <length> <session>\n", argv[0]);
        return 1;
    }

    char *secret = SECRET;
    char *key = KEY;

    char lName[5];
    if (strlen(argv[1]) > 5) {
        printf("Length must not exceed 5 characters!");
        return 1;
    }
    strncpy(lName, argv[1], 5);
    short length = parseShort(lName);

    int lSession = strlen(argv[2]);
    char *session = malloc(lSession + 1);
    strncpy(session, argv[2], lSession);
    session[lSession] = 0;
    if (lSession < length) {
        length = lSession;
    }

    char *store = malloc(25 + 3 * lSession + 1);
    memset(store, 0, 25 + 2 * lSession);

    // Copy the secret to the beginning
    strncpy(store, secret, 24);
    // Separate the secret from user data with a null byte
    store[24] = 0;
    strncpy(store + 25, session, lSession);
    // Need double the space, as this is a hex string
    strncpy(store + 25 + lSession, encrypt(session, key), 2 * lSession);

    printf("%s\n", store + 25 + length);

    return 0;
}


@ChadBrigance's screenshot shows his approach to solving it. I think it is some sort of integer overflow:
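An added example (my own model of the listing, not the challenge binary or @ChadBrigance's solution; `SECRET` and `KEY` are stand-ins because secret.h is not on the page) that follows the arithmetic of session.c to see where a short comes in. `parseShort()` builds an `int` from up to five digits and returns it as a `short`, so a length argument of 65511 arrives as -25. The `if (lSession < length)` check only clamps from above, so `25 + length` becomes 0 and `printf` starts at `store + 0`, which is exactly where the 24-byte secret sits. Two other things the listing shows: a five-character argv[1] is copied into `char lName[5]` by `strncpy` with no terminator for the `strlen` in `parseShort` to find, and the `memset` covers `25 + 2 * lSession` bytes while the buffer holds `25 + 3 * lSession + 1`. The port below avoids both by working on a properly sized `bytearray`.

```python
HEX_CHARS = "0123456789ABCDEF"

# Stand-ins for secret.h, which is not on the page.
SECRET = "0000-1111-2222-3333-4444"     # 24 characters, like a token
KEY = "demo-key"


def parse_short(src: str) -> int:
    """Port of parseShort(): digits summed right to left, non-digits skipped
    (the C loop does i-- and continues), then the int truncated to a 16-bit
    two's-complement short, which is what `return out;` into a short does."""
    out = 0
    place = 0
    for ch in reversed(src):
        if not ch.isdigit():
            continue
        out += 10 ** place * (ord(ch) - 48)
        place += 1
    out &= 0xFFFF
    return out - 0x10000 if out & 0x8000 else out


def encrypt(src: str, key: str) -> str:
    """Port of encrypt(): repeating-key XOR rendered as upper-case hex."""
    pieces = []
    for i, c in enumerate(src):
        x = ord(c) ^ ord(key[i % len(key)])
        pieces.append(HEX_CHARS[x >> 4] + HEX_CHARS[x & 0xF])
    return "".join(pieces)


def print_offset(length_arg: str, session: str) -> int:
    """Offset main() hands to printf: 25 + length, where length is clamped to
    strlen(session) from above only, never from below."""
    length = parse_short(length_arg)
    if len(session) < length:
        length = len(session)
    return 25 + length


def run(length_arg: str, session: str):
    """Lay out `store` exactly as main() does and return what printf("%s") prints
    from the computed offset. None means a negative offset, which in the C
    program is a read before the start of the buffer."""
    if len(length_arg) > 5:
        raise ValueError("Length must not exceed 5 characters!")
    l_session = len(session)
    store = bytearray(25 + 3 * l_session + 1)          # fully zeroed, unlike the C memset
    store[0:24] = SECRET.encode().ljust(24, b"\0")[:24]
    store[24] = 0                                        # separator after the secret
    store[25:25 + l_session] = session.encode()
    store[25 + l_session:25 + 3 * l_session] = encrypt(session, KEY).encode()
    off = print_offset(length_arg, session)
    if off < 0:
        return None
    return store[off:].split(b"\0")[0].decode()


if __name__ == "__main__":
    print(run("2", "abcd"))        # intended use: tail of the session plus the hex blob
    print(run("65511", "abcd"))    # 65511 -> short -25 -> offset 0 -> the secret
```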

Hidden Challenges

Special Challenge

Enno Rey has some special tokens for you. If you meet him, ask him whether he has some left.

IPv6

You had to set up Twitter notifications for the ERNW IPv6 master Christopher Werny (@bcp38_).

Here are his tweets with the token. Each token can only be used once, so first come, first served:

Maybe another way would be to have a talk with him or ask him nicely :)

Fun Facts

Signals at the Keynote

Someone was transmitting Rage Against the Machine over radio before the keynote began. I thought it was a challenge, but it was just for enjoying the music. I think it was @talynrae:

Rick Roll

@ChadBrigance rickrolled people on the 3rd floor by transmitting Rick Astley's „Never Gonna Give You Up“ over radio.

Catch me if you can

I witnessed the hand-over of the „Catch me if you can“ challenge on the evening of day 1. Wojciech, I knew it! :)
