CSAW CTF 2012 Qual

tags: netsec, ctf, csaw, 2012


  • What is the first step of owning a target? => recon
  • What is the name of Google's dynamic malware analysis tool for Android applications? => Bouncer
  • What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF. => 0x2424 (0x24 is the one-byte opcode for AND AL, imm8; the second 0x24 is the immediate)
  • $ echo 'and al, 0x24' >a.asm && nasm a.asm && ndisasm a && rm -f a.asm
    00000000  2424              and al,0x24
  • Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()? => Spencer Pratt
  • What is the name of Microsoft's sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving? => SAGE
  • Jordan Wiens
    • one of the judges for the CTF
    • the challenge gives only a Google Search link and the key format key{something}
    • found his Twitter & LinkedIn accts => @psifertex
    • check sites where this alias is taken: NameChk
    • nothing much here, so Google for alias instead
    • result: psifertex.com, whose front page only says 'Nothing to see here, move along.'
    • http://cty.psifertex.com contains the HTML comment '<!-- The CSAW key is not on this domain. -->'
    • http://psifertex.com/csaw serves the string "[S]ome [U]nderstanding [B]ecomes [D]ominant [O]n [M]anipulation [A]nd [I]nquisitive Naming"
    • the first letter of each word spells SUBDOMAIN, so the key lives on a subdomain
    • bruteforce subdomains using: python subbrute.py psifertex.com
      • tool performs multithreaded DNS lookups against a configurable list of DNS resolvers
      • for each candidate name built from a wordlist of common subdomains
      Checking psifertex.com
      calendar.psifertex.com
      docs.psifertex.com
      ftp.psifertex.com
      key.psifertex.com
      ssh.psifertex.com
      start.psifertex.com
      www.psifertex.com
    • http://key.psifertex.com/2012.html
    • key{secret sonambulist}
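The same brute-force step is reused for offenseindepth.com below. The following is an added example in the spirit of subbrute.py, not the subbrute tool itself or the writeup author's code: a threaded resolver loop with an injectable resolve function, plus the wildcard-DNS check a practitioner wants before trusting the results. The wordlist and the FAKE_ZONE stand-in for DNS are constructed here (they mirror the names the writeup found) so the block runs offline; against a live domain, pass socket.gethostbyname and a real wordlist.

```python
"""Minimal threaded subdomain brute-forcer with a wildcard check.

Added example, not subbrute.py or the writeup author's code. The wordlist and
FAKE_ZONE below are constructed so the block runs offline.
"""
import socket
import uuid
from concurrent.futures import ThreadPoolExecutor

# Constructed wordlist; subbrute ships a far longer one.
WORDLIST = ["www", "mail", "ftp", "ssh", "docs", "calendar", "start", "key",
            "imap", "finger", "dev", "admin"]

# Constructed stand-in for DNS: the names the writeup reports for psifertex.com.
FAKE_ZONE = {
    "psifertex.com": "203.0.113.10",
    "calendar.psifertex.com": "203.0.113.10",
    "docs.psifertex.com": "203.0.113.10",
    "ftp.psifertex.com": "203.0.113.10",
    "key.psifertex.com": "203.0.113.11",
    "ssh.psifertex.com": "203.0.113.10",
    "start.psifertex.com": "203.0.113.10",
    "www.psifertex.com": "203.0.113.10",
}


def fake_resolve(name):
    """Same contract as socket.gethostbyname: return an IP or raise gaierror."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(f"{name}: Name or service not known")


def brute_subdomains(domain, words, resolve=socket.gethostbyname, threads=16):
    """Return a sorted list of (fqdn, ip) for names under `domain` that resolve.

    One lookup per thread, as subbrute does; any resolver failure (NXDOMAIN,
    timeout, refused) is treated as 'name does not exist'.
    """
    candidates = [domain] + [f"{w}.{domain}" for w in words]

    def lookup(name):
        try:
            return name, resolve(name)
        except OSError:          # socket.gaierror and socket.timeout are OSErrors
            return None

    with ThreadPoolExecutor(max_workers=threads) as pool:
        found = [r for r in pool.map(lookup, candidates) if r is not None]
    return sorted(found)


def wildcard_check(domain, resolve=socket.gethostbyname):
    """Return the IP a random label resolves to, or None.

    If a nonsense label resolves, the zone has a wildcard record and every
    brute-forced name will appear to exist, so the results are meaningless.
    """
    probe = f"{uuid.uuid4().hex[:12]}.{domain}"
    try:
        return resolve(probe)
    except OSError:
        return None


if __name__ == "__main__":
    wc = wildcard_check("psifertex.com", fake_resolve)
    if wc:
        print("wildcard DNS detected, results unreliable:", wc)
    for fqdn, ip in brute_subdomains("psifertex.com", WORDLIST, fake_resolve):
        print(f"{fqdn:30} {ip}")
```

The resolver is a parameter so the same loop can be pointed at socket.gethostbyname, at a specific resolver via a DNS library, or at a fixture like FAKE_ZONE in a test.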
  • Jeff Jarmoc
    • again, given Google Search link
    • EXIF metadata from photo of Jeff on Judges page
    • $ jhead jjarmoc.jpg
      File name    : jjarmoc.jpg
      File size    : 22516 bytes
      File date    : 2012:09:29 02:57:00
      Resolution   : 213 x 284
      Comment      : finger://jjarmoc@finger.offenseindepth.com:79
    • ...OR...
    • from his Twitter page, he links offenseindepth.com as his homepage
    • bruteforce subdomains using: python subbrute.py offenseindepth.com
    • Output
      Checking offenseindepth.com
      finger.offenseindepth.com
      imap.offenseindepth.com
      mail.offenseindepth.com
      www.offenseindepth.com
    • the subdomain name is the clue: $ finger jjarmoc@finger.offenseindepth.com
    • Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
      Username: jjarmoc                   In real life:
      This is my .plan.  There are many more like it, but this one is mine.
      {key:does anyone still use finger?}
    • key{does anyone still use finger?}
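Both routes above end at the same place: the 'Comment' jhead printed is the JPEG COM (0xFFFE) marker segment, and the finger protocol (RFC 1288) is just TCP/79, the username plus CRLF, then read until the server closes. The following is an added example, not the writeup author's tooling or jhead/finger themselves, that walks that chain end to end: parse the COM segment out of a JPEG, parse the finger:// URL, and run the finger exchange. The JPEG bytes and the localhost stand-in server (which serves the .plan text quoted above) are constructed so it runs offline; against the real host you would call finger_query() with the host and port parsed from the image.

```python
"""JPEG COM segment -> finger URL -> .plan, end to end.

Added example, not the writeup author's tooling. The JPEG bytes and the
localhost finger server below are constructed so this runs offline.
"""
import socket
import struct
import threading
from urllib.parse import urlparse


def jpeg_comments(data):
    """Return the text of every COM (0xFFFE) segment in a JPEG byte string.

    Marker segments are FF xx followed by a big-endian length that counts the
    two length bytes; RSTn markers have no length; SOS/EOI end the headers.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / SOS: entropy-coded data follows
            break
        if 0xD0 <= marker <= 0xD7:          # RSTn: standalone marker
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:
            payload = data[pos + 4:pos + 2 + length]
            comments.append(payload.rstrip(b"\x00").decode("latin-1"))
        pos += 2 + length
    return comments


def parse_finger_url(url):
    """finger://user@host[:port] -> (user, host, port); port defaults to 79."""
    u = urlparse(url)
    if u.scheme != "finger" or not u.username or not u.hostname:
        raise ValueError(f"not a finger URL: {url!r}")
    return u.username, u.hostname, u.port or 79


def finger_query(user, host, port=79, timeout=5.0):
    """RFC 1288 client: send '<user>\\r\\n', read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


# Constructed stand-in for finger.offenseindepth.com serving the .plan above.
PLAN_TEXT = ("Username: jjarmoc                   In real life:\r\n"
             "This is my .plan.  There are many more like it, but this one is mine.\r\n"
             "{key:does anyone still use finger?}\r\n")


def serve_finger_once():
    """Answer one finger query on an ephemeral localhost port; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            who = conn.recv(1024).strip().decode("latin-1")
            reply = PLAN_TEXT if who == "jjarmoc" else f"finger: {who}: no such user.\r\n"
            conn.sendall(reply.encode("latin-1"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def build_sample_jpeg(comment):
    """Constructed minimal JPEG: SOI, one COM segment, EOI."""
    com = comment.encode("latin-1")
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9"


def recover_key(jpeg_bytes, host_override=None, port_override=None):
    """Comment -> finger URL -> .plan -> the {key:...} token it contains."""
    url = next(c for c in jpeg_comments(jpeg_bytes) if c.startswith("finger://"))
    user, host, port = parse_finger_url(url)
    plan = finger_query(user, host_override or host, port_override or port)
    start = plan.index("{key:")
    return plan[start:plan.index("}", start) + 1]


if __name__ == "__main__":
    port = serve_finger_once()
    img = build_sample_jpeg("finger://jjarmoc@finger.offenseindepth.com:79")
    print(recover_key(img, host_override="127.0.0.1", port_override=port))
```

The host and port overrides exist only so the constructed server can stand in for the real one; drop them to query the host named in the image.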
  • Dan Guido
    • the clue is the question itself: "What are Dan Guido's two favorite foods?"
    • the answer is in his comments on Reddit
    • key{salami and cheese}
  • Yoda
    • hangs out on IRC, so check there (server isis.poly.edu)
    • from an IRC client: /whois yoda
    • yoda [~o@ISIS-B0CFAD3E.com]
      ircname  : key{hockey lock outs mean probably april}
      channels : @#csaw
      server   : isis.poly.edu [ISIS IRC Server]
               : is using a Secure Connection
      idle     : 0 days 0 hours 22 mins 1 secs [signon: Sat Sep 29 21:31:54 2012]
      End of WHOIS
    • key{hockey lock outs mean probably april}
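The 'ircname' line in the client's WHOIS display is the free-text realname field of RPL_WHOISUSER (numeric 311), which is why a key can hide there. The following is an added example, not from the writeup: a parser for raw IRC numeric replies that rebuilds the WHOIS fields and scans them for key{...} tokens. The reply lines are constructed from the output above (the idle seconds follow from "22 mins 1 secs"; the signon epoch value is a placeholder); a real client would read them off the socket after sending WHOIS yoda.

```python
"""Parse raw IRC WHOIS numerics and pull the realname ('ircname') field.

Added example, not from the writeup. WHOIS_REPLY is constructed from the
client output above; the signon epoch in the 317 line is a placeholder.
"""
import re

# Constructed server-to-client lines for 'WHOIS yoda'.
WHOIS_REPLY = [
    ":isis.poly.edu 311 me yoda ~o ISIS-B0CFAD3E.com * :key{hockey lock outs mean probably april}",
    ":isis.poly.edu 319 me yoda :@#csaw",
    ":isis.poly.edu 312 me yoda isis.poly.edu :ISIS IRC Server",
    ":isis.poly.edu 671 me yoda :is using a Secure Connection",
    ":isis.poly.edu 317 me yoda 1321 1348954314 :seconds idle, signon time",
    ":isis.poly.edu 318 me yoda :End of /WHOIS list.",
]


def parse_irc_line(line):
    """Split ':prefix CMD p1 p2 :trailing' into (prefix, command, params).

    The trailing parameter (after ' :') may contain spaces; the others may not.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]


def parse_whois(lines):
    """Collect the RPL_WHOIS* numerics (RFC 2812) for one WHOIS into a dict."""
    info = {}
    for raw in lines:
        _, cmd, p = parse_irc_line(raw)
        if cmd == "311":    # RPL_WHOISUSER: <nick> <user> <host> * :<real name>
            info.update(nick=p[1], user=p[2], host=p[3], realname=p[5])
        elif cmd == "312":  # RPL_WHOISSERVER: <nick> <server> :<server info>
            info.update(server=p[2], server_info=p[3])
        elif cmd == "319":  # RPL_WHOISCHANNELS: <nick> :{[@|+]<channel> }
            info["channels"] = p[2].split()
        elif cmd == "317":  # RPL_WHOISIDLE: <nick> <idle> [<signon>] :seconds idle
            info["idle_secs"] = int(p[2])
        elif cmd == "671":  # RPL_WHOISSECURE (not in RFC 2812, but common)
            info["secure"] = True
        elif cmd == "318":  # RPL_ENDOFWHOIS
            break
    return info


def find_keys(info):
    """Return every key{...} token found in any WHOIS field (realname included)."""
    text = " ".join(" ".join(v) if isinstance(v, list) else str(v) for v in info.values())
    return re.findall(r"key\{[^}]*\}", text)


if __name__ == "__main__":
    info = parse_whois(WHOIS_REPLY)
    for k, v in info.items():
        print(f"{k:12} {v}")
    print("keys:", find_keys(info))
```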