Koteyki vs Black sovereign: statistics of the online stage of NeoQUEST-2018
From March 5 to March 16, the online stage of the NeoQUEST-2018 cybersecurity competition took place . Under the cut, we’ll talk in detail about the tasks (but not all, some will go as separate write-ups) and their progress statistics, as well as why all 11 days of the competition, the participants filled up the NeoQUEST team with pictures of an
The online stage included 11 tasks, which, according to legend, contained parts of the key to the treasures of the mysterious Atlantis! Nobody succeeded in getting all the keys - the second key to the task No. 11 “Cat Fur Grows” remained unconquered!
The first place was taken by mityada , gaining 1527 points and receiving all the keys, except for the ill-fated key No. 2 from task 11! “Silver” got bay , collecting the same keys, but slightly losing in time, its result - 1508 points. "Bronze" was at hackzard - all tasks except the 11th, and 1429 points!
Congratulations guys! The struggle for 1st place was very intense, it so happened that during the day the leader took turns 3 times. The top three are waiting for cool gifts, and all those who have completed at least one task in full are souvenirs from the NeoQUEST team!
Details of the tasks and the little easter egg!
The site with the tasks will be available for some time, so there is still a chance to understand them!
Task number 1 - "Green Association"
I see green - I understand that we are talking about Android!
Participants were provided with an APK file, which is an application developed using the Unity3D framework. There is a button in the main application window that, when clicked, shows 2 random bytes.
When decompiling the application and viewing the \ assets \ bin \ Data directory, there were packaged assets for Unity, they can be viewed using the Unity Assets Bundle Extractor program:
A careful study of the directories made it possible to detect one GameObject named e4e623ca0e06d69d7d63a7daae5fb27f - seems like a key? So this is it! This easy first key received as many as 112 participants.
Also in this assembly, various textures were located, on each of which 2 bytes were displayed, named from 1 to 24. Apparently, this is nothing more than a part of the flag! Using these same textures, these textures could (and should!) Have been imported into png format. Now you need to understand if all the parts are used in the second flag, and in what order?
To do this, decompile the C # assembly \ assets \ bin \ Data \ Managed \ Assembly-CSharp.dll. After careful analysis, we see the GetSeqKey function, which is not called anywhere. Suspiciously!
This function executes XOR of the string and array, but at the same time, the source code does not have the correct values of the rows and array.
But in the array there is a hint "what's with the button?". If you carefully look at the button, you can see a strange texture:
We get the height values of each column in px, this is our array for XOR (0x68, 0x5b, 0x59, 0x00, 0x59, 0x58, 0x40, 0x44, 0x17, 0x58, 0x48, 0x57, 0x14, 0x47, 0x45, 0x48, 0x16, 0x58, 0x4f, 0x11, 0x5c, 0x55, 0x00, 0x5b, 0x49, 0x41, 0x40, 0x45, 0xc, 0xe, 0x11, 0x2, 0x0, 0x19). But this is only part of the key!
To find the second part, we carefully look at the composition of the package with assets and see a 3D object with the name text there, import it in * .obj format and open it, for example, in Photoshop. We see the text "You hold the key to my heart ...". To get the correct sequence, do the XOR of the received keys and get the sequence: 14, 17, 7, 24, 16, 11, 3, 21, 1, 7. It remains to extract all parts of the flag and collect the whole, according to the received sequence!
The second key was more complicated: only 49 participants got it!
Task number 2 - "Pair-pair-pair!"
In this task, the participants were given the “input” file, which is a dump of Bluetooth traffic between the phone and the Bluetooth headset. In addition to service information, the traffic also contained audio data transmitted via the RTP / SBC protocol. Participants needed to extract audio data in which the word was encrypted using Morse code, SHA1 from which was the key!
78 participants successfully completed this task!
Task number 3 - "Find Ichthyander"
We love jobs on OSINT, and we know that you love them too! Our participant mr_umnik already wrote a write-up on it , but only we have interesting details about this task! After all, who, if not you, dear participants, showed a storm of imagination and uploaded so amazing photos to us that we even put together a collection!
All that was given in this task is the nickname andr_ihtiandr and a link to the "profile" . Search VKontakte immediately yielded results ! From the profile photo was the name of the organization ( AtlanticNeoSecurity ) and a hint where to move on - to the “secure messenger”, that is, in Telegram!
Attempts to chat with @andr_ihtiandr would not have led to anything, but in the profile photo there was a hint of the following social network: Ask.fm! From there, I manage to find out the name of the founder of the company in which Ichthyander works: Nobody .
However, the VKontakte profile contained not only a hint of Telegram, but also the phrase “And sometimes I write interesting things on text storage site =)”. And this is a pointer to Pastebin, and indeed - there we also find Ichthyander ! His profile contains one single record , which, in fact, is a .jpg image encoded in Base64!
The picture looked like this (here the participants' imagination bloomed in a riotous color). “Continue” refers to the further analysis of the image, which (since it is .jpg) also opened as a RAR archive!
The contents of the archive (read more about this here ) consisted of a text file and a picture, which was opened with a notepad or HEX editor, the participants found a hint that this picture will help them find the year the company was founded!
Indeed, a Google search on pictures returned results with news about the remains of Atlantis found in 2009 !
All that’s left is to get the key: upload the file. And not just a file, but, as we specifically wrote in the onine profile, "A photo of someone who hid in an almost black and white picture."
And it must happen that the active mind of those passing the task tied the Black sovereign and the phrase “almost black and white” ... By this logic, only ... a white slave could hide behind the Black sovereign!
As a result, the NeoQUEST team watched in horror as the number of half-naked men was growing among the uploaded photos! In addition to them, fortunately, there were abstract pictures, and even variations on the theme of Ichthyander! From a strange, but decent, we made a collage:
And only then, finally, the seals began to appear! Yes, yes, they are! Indeed, a yellow taxi was shown on an almost black and white picture of VKontakte, and the letters “c” , “a” , “T” were also highlighted in color . Cat - this is whose photo we have been waiting for!
Cats also pleased with the variety, and we were not too lazy to make a selection of the most interesting:
When downloading the correct photo, participants received a key. 76 people coped with the task!
Task number 4 - "The airship? Aha! ”
The distributed network ZeroNet was waiting for participants in this assignment, and for this assignment there is already a write-up from Nokta_strigo .
To get the first key, it was simple enough to study the principles of ZeroNet. To get the second one, participants had to sweat, breaking a cipher based on a shift register with linear feedback.
Task number 5 - "Torture a donkey!"
The input to this task is the site address, which is a “technical support” page where you can create a call and download a PDF file. After some time, the response came with a response containing the first page of the downloaded PDF file and, at the very end, the phrase “Answered from Internet Explorer 11”. All this hinted that the administrator opens the PDF in Internet Explorer 11.
To open the PDF in IE11 there is an Adobe Reader plugin, but so far this has not helped in any way in finding the key. By carefully examining the page, one could find a hidden menu item “GET KEY”, which redirected to the /setkey.php page.
In this form, there is only one element - the user login. In different situations, different messages are issued, but when entering the correct login, the participant received the following message:
Apparently, the administrator needs to take this action. How to do this?
Here the vulnerability scanner came to the rescue (any) - when scanning the form, it was found that it was not protected from CSRF ! Well, all that remains is to prepare a special PDF file.
One of the possible options is to write a POST request in FormCalc using the site address (22.214.171.124):
var b = Post("https://213/170.100.210/setkey.php", "login=test&setKey=Выдать ключ", "application/x-www-form-urlencoded")
Everything seems to be true, but ... there is no key. Here it was necessary to remember that the site had an invalid SSL certificate! Here part of the hint “And to open your files, he installed the Adobe plugin. It runs on the same server as the web server. ” We look at the security settings of Internet Explorer - and for sure! The localhost site is safe. We change the address of the site 126.96.36.199 to localhost - and here it is, the key!
The task was successfully completed by 16 participants.
Task number 6 - "Who is the engineer?"
Participants were given a log of the readings of the smartphone’s accelerometer, and according to legend, it was possible to find out about a certain message in the RTTY format and the parameters of the RTTY encoding: carrier frequency - 100 Hz, offset 70 Hz.
After analyzing the accelerometer log, participants could see that the acceleration values of the device were measured only on one of the coordinate axes 600 times per second, and the acceleration readings look quite adequate: 0-60 m / s 2 .
The main idea of the task was that according to the available acceleration values, you can calculate the location of the device, and many, many location measurements per unit of time are a completely audible sound track! Further, it’s a technical matter: remembering the basics of numerical integration, participants had to calculate a lot of “timestamp-location” pairs and “overtake” the received data into a sound wav-file. All that remained was to play a little with the amplitude of the sound and, amplifying the signal, decode the RTTY message in which there was a key!
The engineers were 29 participants.
Assignment No. 7 - “Hellish Reverse - My Role!”
Task number 7 was devoted to the search and exploitation of use-after-free vulnerabilities, in addition, the task itself hinted at the use of the Lua language .
A detailed analysis of this task (and not only it!) Was made by GH0st3rs , write-up is available here ! Only four participants completed the task!
Task number 8 - "Blockchain got even to Atlantis ..."
In this task, the participants were given a client to interact with a simple blockchain. To get the key, you had to smash the block containing the nickname of the participant. But the standard mining algorithm was too slow! To increase speed, participants had to find a vulnerability in the hash function that was used to check the blocks.
Only 10 participants completed the assignment, and we will analyze it in more detail, wait for write-up!
Tasks No. 9 - “QEMU + eCos = QECOS” and No. 10 - “Specter”
For these two tasks, the active GH0st3rs also managed to write write-up! Read them here . We will only say that task No. 9 was devoted to working with the eCos operating system , which was unusual for many people ; it contained 2 keys, the first of which was received by only 5 participants, and the second - even less: four participants!
The title of task No. 10 immediately indicated that Specter could not have done without the vulnerability ! NeoQUEST participants had to extract the keys (as many as 3 pieces!) From the broken application, having previously found errors in it and "fixed" it.
The first and third keys were received by 29 participants, and the second turned out to be more difficult and was found only by 19 participants.
Assignment No. 11 - “Cat Fur Grows”
With this unusual name, we strongly hinted to the participants that there is no way around a Windows protection mechanism called Control Flow Guard (CFG)! In the task, it was necessary to find / nazfazit vulnerabilities and get ReadWrite primitive to bypass everything that is in the last Windows - DEP , ASLR , CFG, etc.
The first of the two keys was received only by four participants, but the second key was never submitted to anyone. We will devote a separate harastra to this task, because, in addition to the fact that it is the most difficult, he had several options for passing!
A few days before the end of the competition, one of our developers decided to make a small surprise to the participants and came up with a small engineering Easter egg. In the text of the legend, some characters are highlighted in bold:
Introduction - ON (at the clock)
Task 1 - LM (contents), and (expedition)
Task 2 - ON (but we all)
Task 3 - CT (my state)
Task 5 - AR (not detecting in them)
Task 6 - T (smart phone)
Task 7 - 7 (from the IP address)
Task 8 - P (smart), AZ (Analysis)
Having gathered all the characters together, the participants received the following phrase: “CLICK ON THE START 7 TIMES”.
Yes, yes, to the very start, that under the airship!
After 7 clicks, this page opens:
To get the missing piece of the link, participants had to find the pixel-by-pixel difference between the pictures. There are enough ways to do this, but the simplest is to find an online tool, for example, this one , she found this difference:
The phrase “W3Are1n1AMMn0W! 11” reflected the joyful emotions of the developer due to the fact that his native department “Information Security of Computer Systems” of SPbPU (one of the organizers of NeoQUEST!) Transferred to the Institute of Applied Mathematics and Mechanics . Well, applicants, bachelors and graduate students - now you know where to find us! Moreover, successful participation in NeoQUEST is taken into account when entering the IBS department!
But enough lyrics, because the Easter egg has not yet been completed to the end! By clicking on the link received, the participants received a new riddle:
Gears, formulas ... It is not clear. Although soon, taking a closer look, the participants realized that the upper formula was nothing more than the ratio of the number of cloves on the largest gear to the number of cloves on the smallest! Now the whole difficulty was to correctly count the cloves (63 and 16, respectively), divide one by the other (3.9375), multiply by 10 4 and take SHA1 from the resulting value (6246a5c59e9cd5944ab1b196dcb9d950c2172254)!
46 participants passed the Easter egg, each got 10 points - the dynamic scale did not work on this task.
And now - the statistics!
1253 people took part in the competition, at least one key was received by 167 participants. Changes in the standings - in our traditional GIF:
We also collected statistics on the complexity of the tasks (taking into account the number of participants who completed the task completely ):
And yet - statistics on tasks with several keys! There were 5 of them:
- Task number 1, "Green Association" - 2 keys;
- Task number 4, "The airship? Aha! ”- 2 keys;
- Task No. 9, “QEMU + eCos = QECOS” - 2 keys;
- Task number 10, "Specter" - 3 keys;
- Assignment No. 11, “Cat Fur Grows” - 2 keys;
For the entire period of the online stage of NeoQUEST-2018, 594 keys were received! The easiest was the first key to the task with Android (No. 1, "Green Association").
Ahead - "Confrontation"!
This year, “Confrontation” will take place in St. Petersburg not in the summer, but in the fall - at the end of September. However, this is not all the changes that await guests and participants!
We will leave the coolest and favorite: reports, workshops and demonstrations of attacks and add a new one! For the first time NeoQUEST will be held together with the scientific and technical conference "Methods and technical means of ensuring information security" ! Guests of NeoQUEST-2018 will learn a lot about the relationship between science and practice of cybersecurity, the importance of scientific research for an information security specialist and how, from a scientific point of view, modern information protection mechanisms work!
At the same time, those who wish can take part not only in NeoQUEST, but also in the scientific sections of the conference! To learn more about participating in a report or workshop on NeoQUEST, write to firstname.lastname@example.org, and for more information about the conference “Methods and Technical Means of Ensuring Information Security” , see the united site , for all questions, please contact email@example.com.
Ahead - write-ups of several tasks and active preparation for the “Face to face”! By the way, participants who have completed at least one task at all - check your mail, we will soon start mailing!