Monday, January 7, 2013

SANS Holiday Challenge 2012 Snow Miser Levels: 

http://pen-testing.sans.org/holiday-challenge/2012

Snow Zone 0: 
-- The flag for this level is 3b5a630fc67251aa5555f4979787c93f --

Snow Zone 1: 
 -- The flag for this level is 38bef0b61ba8edda377b626fe6708bfa --
 Photo reflection in https://twitter.com/sn0w_m1s3r/status/276820932104957952/photo/1
 http://snowmiser.counterhack.com/zone-1-D2E31380-50E6-4869-8A85-F9CDB3AF6226/

Snow Zone 2:
 -- The flag for this level is b8231c2bac801b54f732cfbdcd7e47b7 --

The image off.jpg carries the EXIF User Comment "IceIceBaby!", which is the
 passphrase for steghide extract against off.jpg.


 Data provided is "zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3"

ch@bluestem:~/snow$ exiftool off.jpg
[...]
User Comment                    : IceIceBaby!
[...]

ch@bluestem:~/snow$ steghide extract -sf off.jpg
Enter passphrase: IceIceBaby!
the file "tmpfile.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "tmpfile.txt".
ch@bluestem:~/snow$ cat tmpfile.txt
zone-2-6D46A633-25D7-42C8-AF94-8E786142A3E3


Snow Zone 3:
-- The flag for this level is 08ba610172aade5d1c8ea738013a2e99 --

 Link /zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962 found with grep in the Android dump,
 in file data/com.android.browser/cache/webviewCacheChromium/data_2.


ch@bluestem:~/snow/data$ find . -type f -exec grep -a zone-3 '{}' \;  > zone3.out
ch@bluestem:~/snow/data$ grep -a zone-3 zone3.out
[...]
/zone-3-EAB6B031-4EFA-49F1-B542-30EBE9EB3962/' class="menu">Zone 3
[...]


Snow Zone 4:
 -- The flag for this level is de32b158f102a60aba7de3ee8d5d265a --

 Since the "zone-4-" prefix of both strings would be the same, and both ciphertexts started with the same bytes, the same XOR key had been reused; it was just a matter of XORing the known string with its ciphertext to recover the key and applying that key to the other ciphertext.

 z4.py:
 #!/usr/bin/env python

 # this is the known string "zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"
 list1 = [0x7a, 0x6f, 0x6e, 0x65, 0x2d, 0x34, 0x2d, 0x46, 0x37, 0x36,
          0x37, 0x37, 0x44, 0x41, 0x38, 0x2d, 0x33, 0x44, 0x37, 0x37, 0x2d,
          0x31, 0x31, 0x45, 0x32, 0x2d,
          0x42, 0x42, 0x36, 0x35, 0x2d, 0x45, 0x34, 0x42, 0x46, 0x36, 0x31,
          0x38, 0x38, 0x37, 0x30, 0x39, 0x42]

 # this is the known ciphertext for the string above
 list2 = [0x20, 0xd9, 0x16, 0xc6, 0xc2, 0x9e, 0xe5, 0x3c, 0x30, 0xea,
          0x1e, 0xff, 0xc6, 0x3b, 0x1c, 0x72, 0x14, 0x7e, 0xb8, 0x6b, 0x99,
          0x8a, 0x25, 0xc0, 0xcf, 0x1b,
          0xf6, 0x69, 0x39, 0xe8, 0x62, 0x1b, 0x31, 0x32, 0xd8, 0x3a, 0xbb,
          0x16, 0x83, 0xdf, 0x61, 0x92, 0x38]

 # this is the known ciphertext for the unknown string
 list3 = [0x20, 0xd9, 0x16, 0xc6, 0xc2, 0x9e, 0xe5, 0x43, 0x43, 0xe8,
          0x1f, 0xf1, 0xb1, 0x4c, 0x13, 0x72, 0x65, 0x0c, 0xbf, 0x19, 0x99,
          0x8f, 0x51, 0xb5, 0xc5, 0x1b,
          0xf6, 0x6f, 0x49, 0xec, 0x62, 0x18, 0x40, 0x34, 0xa9, 0x4f, 0xc9,
          0x19, 0x8f, 0xa9, 0x17, 0x98, 0x49]

 # XOR the known string with its ciphertext to get the key byte, then use
 # that key byte against the second ciphertext to get the unknown string.
 # One decimal byte value is printed per line.
 for z in range(0, len(list1)):
         r = list1[z]
         a = list2[z]
         first = r ^ a
         print(first ^ list3[z])

 :END z4.py

 and then use a shell pipeline to convert the decimal output to printable ASCII

 ch@bluestem:~$ python z4.py | awk '{printf "%c\n", $1}' | tr -d '\n'
 zone-4-9D469367-B60E-4E08-BDF1-FED7CC74AF33
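The same recovery, written as an added example rather than the writeup's z4.py: it works on byte strings instead of decimal lists, decodes directly to text, and also shows why the reuse was visible in the first place. The three inputs are the Zone 4 values from the page (list1, list2 and list3); the function names are this example's own.

```python
# Added example (not the writeup's z4.py): recover a reused XOR keystream from a
# known plaintext/ciphertext pair and apply it to a second ciphertext encrypted
# under the same keystream. Inputs are the page's Zone 4 values.

from typing import List

# Known plaintext and its ciphertext (the page's list1 / list2).
KNOWN_PLAINTEXT = b"zone-4-F7677DA8-3D77-11E2-BB65-E4BF6188709B"
KNOWN_CIPHERTEXT = bytes.fromhex(
    "20d916c6c29ee53c30ea1effc63b1c72147eb86b99"
    "8a25c0cf1bf66939e8621b3132d83abb1683df619238"
)
# Ciphertext of the unknown string (the page's list3).
TARGET_CIPHERTEXT = bytes.fromhex(
    "20d916c6c29ee54343e81ff1b14c1372650cbf1999"
    "8f51b5c51bf66f49ec62184034a94fc9198fa9179849"
)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """C = P XOR K, so K = P XOR C at every position where P is known."""
    return xor_bytes(plaintext, ciphertext)


def decrypt_with_reused_keystream(known_pt: bytes, known_ct: bytes,
                                  target_ct: bytes) -> str:
    """Decrypt target_ct under the keystream recovered from (known_pt, known_ct).

    Positions past the end of the known plaintext cannot be recovered; they
    are rendered as '?' so partial knowledge still gives a readable result.
    Non-printable bytes are also rendered as '?'.
    """
    keystream = recover_keystream(known_pt, known_ct)
    recovered = xor_bytes(keystream, target_ct)
    text = "".join(chr(b) if 32 <= b < 127 else "?" for b in recovered)
    return text + "?" * max(0, len(target_ct) - len(keystream))


def equal_positions(ct1: bytes, ct2: bytes) -> List[int]:
    """Indexes where two same-keystream ciphertexts agree.

    Because C1 XOR C2 = P1 XOR P2, equal ciphertext bytes mean equal plaintext
    bytes at that position. The shared "zone-4-" prefix (and the dashes of the
    GUID) therefore show through the encryption, which is what gave the key
    reuse away on this level.
    """
    return [i for i, (x, y) in enumerate(zip(ct1, ct2)) if x == y]


if __name__ == "__main__":
    print(decrypt_with_reused_keystream(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT,
                                        TARGET_CIPHERTEXT))
    print(equal_positions(KNOWN_CIPHERTEXT, TARGET_CIPHERTEXT))
```

The point for anyone building rather than breaking such a scheme: a stream cipher or XOR keystream is only safe when no two messages share a key and nonce. As soon as a keystream is reused, every known or guessable byte of one message (a fixed prefix, a file header, a protocol constant) decrypts the corresponding byte of every other message, with no cryptanalysis beyond a single XOR.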



Snow Zone 5:
 -- The flag for this level is 3ab1c5fa327343721bc798f116be8dc6 --

 The hint at https://twitter.com/h34t_m1s3r/status/276875683228176384
 linked to the blog post at http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us, which explains how to get the pristine copy of the page from an exposed .svn directory.


ch@bluestem:~$ wget http://snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/wc.db
ch@bluestem:~$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
|
noaccess.php|.svn/pristine/41/4134e0e954d144ed932fd639b5a897f9ad47fff9.svn-base
index.php|.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base

ch@bluestem:~$ wget snowmiser.counterhack.com/zone-5-89DE9B26-CF7D-4B07-88DE-7A2F0A7B16FE/.svn/pristine/7d/7d63810b0da679648fc20b4f1c84680ac08ec872.svn-base
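The sqlite3 one-liner above turns each NODES row into a path under .svn/pristine/. As an added example (not part of the writeup), the same derivation in Python against an in-memory stand-in for wc.db, built from the two rows the page shows. It also explains the bare "|" line in the output: the root directory row has a NULL checksum, so the string concatenation yields NULL. Pointed at a real wc.db with sqlite3.connect(), list_pristine_files() tells a site owner exactly which source files a web-reachable .svn directory would hand out.

```python
# Added example (not part of the original writeup): derive the pristine-store
# paths that the page's sqlite3 query computes from .svn/wc.db.
# The NODES rows below are constructed from the output shown on the page;
# the "$sha1$" prefix is how Subversion 1.7+ stores checksums in wc.db.

import sqlite3
from typing import List, Optional, Tuple

# Constructed rows (local_relpath, checksum). The root directory has no checksum.
SAMPLE_NODES = [
    ("", None),
    ("noaccess.php", "$sha1$4134e0e954d144ed932fd639b5a897f9ad47fff9"),
    ("index.php", "$sha1$7d63810b0da679648fc20b4f1c84680ac08ec872"),
]

CHECKSUM_PREFIX = "$sha1$"


def pristine_path(checksum: Optional[str]) -> Optional[str]:
    """Map a wc.db checksum to its location under .svn/pristine/.

    Mirrors the SQL: substr(checksum,7,2) is the first two hex digits after
    the six-character "$sha1$" prefix and names the bucket directory;
    substr(checksum,7) is the whole digest and names the file. A NULL or
    malformed checksum yields None, just as the SQL concatenation yields NULL.
    """
    if not checksum or not checksum.startswith(CHECKSUM_PREFIX):
        return None
    digest = checksum[len(CHECKSUM_PREFIX):]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return f".svn/pristine/{digest[:2]}/{digest}.svn-base"


def build_sample_wc_db() -> sqlite3.Connection:
    """Create an in-memory table with only the NODES columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NODES (local_relpath TEXT, checksum TEXT)")
    conn.executemany("INSERT INTO NODES VALUES (?, ?)", SAMPLE_NODES)
    return conn


def list_pristine_files(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (relpath, pristine path) for every node that has a checksum.

    Use sqlite3.connect("/path/to/.svn/wc.db") in place of the sample
    connection to audit a real working copy that was deployed to a web root.
    """
    rows = conn.execute("SELECT local_relpath, checksum FROM NODES").fetchall()
    result = []
    for relpath, checksum in rows:
        path = pristine_path(checksum)
        if path is not None:
            result.append((relpath, path))
    return result


if __name__ == "__main__":
    db = build_sample_wc_db()
    for relpath, path in list_pristine_files(db):
        print(f"{relpath}|{path}")
```

The mitigation is the obvious one: never deploy a checked-out working copy as a web root, and deny access to .svn/ (and .git/) at the web server regardless, since wc.db alone is enough to enumerate every pristine file.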

Once you have this page, you learn that you need to pass the SHA-1 hash of "$time 7998f77a7dc74f182a76219d7ee58db38be3841c" or else you will be redirected to noaccess.php.  In noaccess.php there is a line that provides the server time.  So you need to get that time (within 3 minutes), hash it and send it back.

Here is what I used at the time I did it: 
ch@bluestem:~$ echo -n "2012-12-20 22:36 7998f77a7dc74f182a76219d7ee58db38be3841c" | sha1sum
cdb74ef7530f56fe02fb50702611093305cf9f11

When you use this hash as the password on the Snow4 page, you will be granted access to Snow5. 
