CSAW CTF 2012 Qual

Trivia

• What is the first step of owning a target? recon
• What is the name of the Google's dynamic malware analysis tool for Android applications? bouncer
• What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF. 0x2424

$ echo 'and al, 0x24' >a.asm && nasm a.asm && ndisasm a && rm -f a.asm
00000000  2424              and al,0x24

• Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()? Spencer Pratt
• What is the name of Microsoft's sophisticated distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constaint solving? SAGE

Recon

• Jordan Wiens
• one of the judges for the CTF
• given Google Search link
• and fmt:key = key{something}
• found his Twitter & LinkedIn accts => @psifertex
• check sites where this alias is taken: NameChk

• nothing much here, so Google for alias instead
• result:psifertex.com, containing the string 'Nothing to see here, move along.'
• http://cty.psifertex.com contains HTML comment string '<!-- The CSAW key is not on this domain. -->'
• http://psifertex.com/csaw looks like:

• the first characters of each word in the string "[S]ome [U]nderstanding [B]ecomes [D]ominant [O]n [M]anipulation [A]nd [I]nquisitive Naming" gives us SUBDOMAIN.
• bruteforce subdomains using: python subbrute.py psifertex.com
• tool performs multithreaded DNS lookups to a configurable list of DNS resolvers
• via a list of possible subdomains
Output

Checking psifertex.com
	74.125.45.121 calendar.psifertex.com
	74.125.45.121 docs.psifertex.com
	69.163.249.183 ftp.psifertex.com
	173.236.129.17 key.psifertex.com
	69.163.249.183 ssh.psifertex.com
	74.125.45.121 start.psifertex.com
	69.163.249.183 www.psifertex.com

• http://key.psifertex.com/2012.html
• key{secret sonambulist}

• Jeff Jarmoc
• again, given Google Search link
• EXIF metadata from photo of Jeff on Judges page

$ jhead jjarmoc.jpg

File name    : jjarmoc.jpg
File size    : 22516 bytes
File date    : 2012:09:29 02:57:00
Resolution   : 213 x 284
Comment      : finger://jjarmoc@finger.offenseindepth.com:79

• ...OR...
• from his Twitter page, he links offenseindepth.com as his homepage
• bruteforce subdomains using: python subbrute.py offenseindepth.com
Output

Checking offenseindepth.com
107.21.146.162 finger.offenseindepth.com
173.201.193.71 imap.offenseindepth.com
74.125.45.121 mail.offenseindepth.com
107.21.146.162 www.offenseindepth.com

• using subdomain name as a clue: finger jjarmoc@finger.offenseindepth.com

Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
-----------------------------------------------------------------------------
Username: jjarmoc                   In real life:

Plan:
This is my .plan.  There are many more like it, but this one is mine.

{key:does anyone still use finger?}
-----------------------------------------------------------------------------

• key{does anyone still use finger?}

• Julian Cohen
• just given Google Search link
• @Twitter account

• using NameChk, found his Reddit profile, consistently posting about CSAW CTF

• a link included in a comment on one of his Reddit posts contains the key, ie. http://cockcab.com

• key{The_first_step_of_owning_a_target_is_recon.}

• Dan Guido
• What are Dan Guido's two favorite foods?
• also look at comments on Reddit
• key{salami and cheese}

• Yoda
• hangs out on IRC, so check there
• $ /whois yoda

yoda [~o@ISIS-B0CFAD3E.com]
ircname  : key{hockey lock outs mean probably april}
channels : @#csaw
server   : isis.poly.edu [ISIS IRC Server]
         : is using a Secure Connection
idle     : 0 days 0 hours 22 mins 1 secs [signon: Sat Sep 29 21:31:54 2012]
End of WHOIS

• key{hockey lock outs mean probably april}