AND!XOR DC28
=Hacks=

==Map==
<pre>
************************************ * * * * * 9 A * * *** ***** * * * ******* * * *B**** * * * * * D * *F* C* * *** *** * ***8***** ******* * **** * 4 * *L*7 * E * * * * * ********* ***** *** * *** *** ** * * * 5 * * * * * *H* * * *** * ***** *** *** *** *** * **** *3 * * 6 * * * * * * * * * *I* *** * ***** * ***** * * * * * * * * * *2 * * * * * * * * * ***** *** * * * * * ***** *** * * * * * * 1* * * * * * * ***J*** * *** *********** *** * **** * K * * * G * * * * * * ************************************
</pre>

==r3cap papR==
Run around the map, find all the hex code, decode, unscramble, solve!

<div class="toccolours mw-collapsible mw-collapsed">
Challenge 12 (C)
<div class="mw-collapsible-content">
<pre>
WTF hapnd 2 DIS world since DC27? WeL AND!XOR rOt it n a note, tore it up, &... itz randomly spred throughout d wrld. Hav :) putting it bak 2geder 4 recap
</pre>
After collecting all the r3cap papRs I unscrambled this message:
<pre>
D dc27 and!Xor nuclear wntr badge & hackforsatan pande
mic badge got drunk, hookd up, & caused D rona frm som
 messed ^ std. thn def Con wz cancelled. 4 realsies. s
ince thn weve spred rumors cuz we r :") bout d h%k ^. 
rumors such lik it wz bats, 5 g cel towers, birds, bil
l gates trying 2 mAk mone off of vaccines, convincing 
potus 2 convince u 2 drink Bleach... f U blev ne of da
t U r dumb. 1000% fkn lug. coronavirus sux & de-railed
 our annual con xperens. ignor al dat dumb schet & hav
 :) hacking dis badge. we hop it brings U :) & hapens.
 U shud hack flag wit...uppR case...
</pre>
The final line indicates the upper case characters are for the flag:
<pre>
and!xor:~$ hack flag wit DXDCABUUUUR
</pre>
* aegis glows weeds parse mused elbow heave colts melts
** Correct flag +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
r3cap papR Locations
<div class="mw-collapsible-content">
<div class="toccolours mw-collapsible mw-collapsed">
U shud hack flag wit...uppR case...
<div class="mw-collapsible-content">
<pre>
* * * * * * * *** * ***** * * * * * * * * ***** *** * * * * * * * * * *** *** * *** **** * * * ☻ * * * ******************
Wlkn west...
and!xor:~$ look
U find r3cap papR...
20 55 20 73 68 75 64 20 68 61 63 6b 20 66 6c 61 67 20 77 69 74 2e 2e 2e 75 70 70 52 20 63 61 73 65 2e 2e 2e
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
mic badge got drunk, hookd up, & caused D rona frm som
<div class="mw-collapsible-content">
<pre>
* * * * * * * *** * ***** * * * * *° * * * ***** *** * * * * * * * °* * *** *** * *** **** * * * * * ☻* ******************
Wlkn south...
and!xor:~$ look
U find r3cap papR...
6d 69 63 20 62 61 64 67 65 20 67 6f 74 20 64 72 75 6e 6b 2c 20 68 6f 6f 6b 64 20 75 70 2c 20 26 20 63 61 75 73 65 64 20 44 20 72 6f 6e 61 20 66 72 6d 20 73 6f 6d
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
t U r dumb. 1000% fkn lug. coronavirus sux & de-railed
<div class="mw-collapsible-content">
<pre>
* * * * * * * *** * ***** * * * * *° * * * ***** *** * * * * * * * °* * *** *** * *** **** * * ☻ * * * * ******************
Wlkn east...
and!xor:~$ look
U find r3cap papR...
74 20 55 20 72 20 64 75 6d 62 2e 20 31 30 30 30 25 20 66 6b 6e 20 6c 75 67 2e 20 63 6f 72 6f 6e 61 76 69 72 75 73 20 73 75 78 20 26 20 64 65 2d 72 61 69 6c 65 64
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
l gates trying 2 mAk mone off of vaccines, convincing
<div class="mw-collapsible-content">
<pre>
* ☻ * * * * * * *** * ***** * * * * *° * * * ***** *** * * * * * * * °* * *** *** * *** **** * * * * * * ******************
Wlkn west...
and!xor:~$ look
U find r3cap papR...
6c 20 67 61 74 65 73 20 74 72 79 69 6e 67 20 32 20 6d 41 6b 20 6d 6f 6e 65 20 6f 66 66 20 6f 66 20 76 61 63 63 69 6e 65 73 2c 20 63 6f 6e 76 69 6e 63 69 6e 67 20
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
rumors such lik it wz bats, 5 g cel towers, birds, bil
<div class="mw-collapsible-content">
<pre>
*° * * * * * * *** * ***** * * * * *° * * * ***** *** * * *☻* * * * °* * *** *** * *** **** * * * * * * ******************
Wlkn south...
and!xor:~$ look
U find r3cap papR...
72 75 6d 6f 72 73 20 73 75 63 68 20 6c 69 6b 20 69 74 20 77 7a 20 62 61 74 73 2c 20 35 20 67 20 63 65 6c 20 74 6f 77 65 72 73 2c 20 62 69 72 64 73 2c 20 62 69 6c
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
our annual con xperens. ignor al dat dumb schet & hav
<div class="mw-collapsible-content">
<pre>
****************** ° ☻ * ******* * * * **** * * * * * *** ******* * **** * * * * *** * *** *** ** * * * * * * * *** *** *** * ****
Wlkn east...
and!xor:~$ look
U find r3cap papR...
20 6f 75 72 20 61 6e 6e 75 61 6c 20 63 6f 6e 20 78 70 65 72 65 6e 73 2e 20 69 67 6e 6f 72 20 61 6c 20 64 61 74 20 64 75 6d 62 20 73 63 68 65 74 20 26 20 68 61 76
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
:) hacking dis badge. we hop it brings U :) & hapens.
<div class="mw-collapsible-content">
<pre>
****************** ° ° * ******* * * *°**** *☻ ° * * * °* *** ******* * **** * * * * *** * *** *** ** * * * * * * * *** *** *** * ****
Wlkn west...
and!xor:~$ look
U find r3cap papR...
20 3a 29 20 68 61 63 6b 69 6e 67 20 64 69 73 20 62 61 64 67 65 2e 20 77 65 20 68 6f 70 20 69 74 20 62 72 69 6e 67 73 20 55 20 3a 29 20 26 20 68 61 70 65 6e 73 2e
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
D dc27 and!Xor nuclear wntr badge & hackforsatan pande
<div class="mw-collapsible-content">
<pre>
****************** ° ° * ******* * * *°**** * ° * * * °* *** ******* * **** ° * * * * *** * *** *** ** * ☻ * * * * * * *** *** *** * ****
Wlkn east...
and!xor:~$ look
U find r3cap papR...
44 20 64 63 32 37 20 61 6e 64 21 58 6f 72 20 6e 75 63 6c 65 61 72 20 77 6e 74 72 20 62 61 64 67 65 20 26 20 68 61 63 6b 66 6f 72 73 61 74 61 6e 20 70 61 6e 64 65
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
potus 2 convince u 2 drink Bleach... f U blev ne of da
<div class="mw-collapsible-content">
<pre>
* * * * * * * * ***** *☻* * * * * * * * * * * * * ***** *** * * * * * * ******* *** * **** * * * * ******************
Wlkn nth...
and!xor:~$ look
U find r3cap papR...
70 6f 74 75 73 20 32 20 63 6f 6e 76 69 6e 63 65 20 75 20 32 20 64 72 69 6e 6b 20 42 6c 65 61 63 68 2e 2e 2e 20 66 20 55 20 62 6c 65 76 20 6e 65 20 6f 66 20 64 61
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
ince thn weve spred rumors cuz we r :") bout d h%k ^.
<div class="mw-collapsible-content">
<pre>
* * * * * * * * ***** * * * * * * * * * * * * * * ***** *** * * * ☻* * * ******* *** * **** * * * * ******************
Wlkn south...
and!xor:~$ look
U find r3cap papR...
69 6e 63 65 20 74 68 6e 20 77 65 76 65 20 73 70 72 65 64 20 72 75 6d 6f 72 73 20 63 75 7a 20 77 65 20 72 20 3a 22 29 20 62 6f 75 74 20 64 20 68 25 6b 20 5e 2e 20
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
messed ^ std. thn def Con wz cancelled. 4 realsies. s
<div class="mw-collapsible-content">
<pre>
* * * * * * * * ***** * * * * * * * * * * * * * * ***** *** ☻* * * * * * ******* *** * **** * * * * ******************
Wlkn nth...
and!xor:~$ look
U find r3cap papR...
20 6d 65 73 73 65 64 20 5e 20 73 74 64 2e 20 74 68 6e 20 64 65 66 20 43 6f 6e 20 77 7a 20 63 61 6e 63 65 6c 6c 65 64 2e 20 34 20 72 65 61 6c 73 69 65 73 2e 20 73
</pre>
</div>
</div>
</div>
</div>
</div>

==LULZ QUIZ==
All of these are just simple question/answer challenges. Wrong answers will give -10pt and correct ones will give +5pt. After getting one wrong, I went through each quiz and answered, recorded the flags I was given, reset the badge and re-did each one until I had the flags for each answer. Wrong answers all had the same flag string so I was able to answer 3+ answer quizzes without issue. The 2 answer quizzes were a bit harder, but searching Twitter for AND!XOR and their various members gave me insight into what to expect and answer correctly. The only "difficult" one was the Buffer Under/Overflow one. Any positive answer was giving me the same flag; it wasn't until I put in -1 that I got something different.

<div class="toccolours mw-collapsible mw-collapsed">Challenge 1<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)EMACS
(1)VIM
(2)NANO
$hack flag wit #
</pre>
* hack flag wit 1
** Correct Answer (+5pt)
** riles forgo goats louts angry stalk wages afire gravy
* hack flag wit 0 (or 2)
** Wrong Answer (-10pt)
** d97904aa6bcc83764779312eaa0991b69621f8b59d8c59568692a12388ad098ff6de647eaa02d9316be99335ebadcf311015ecd9362a8d51f4409cac2ba48186
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 3<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)tst n devlpmnt
(1)tst n production
(2)dun tst
$hack flag wit #
</pre>
* hack flag wit 0 (or 1)
** aeaa059a86f8e0e95618e24d4971e7b05c6d77bbd5295cf09a9f3831ff7732c1da37296692e4d8e19c26a4f978713a31d5f83ecc2b43e3068e154977b3f4dbc8
* hack flag wit 2
** riles forgo goats apace sound crawl quint virus would
** Correct +5pt
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 4<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)Spaces
(1)Tabs
$hack flag wit #
</pre>
* hack flag wit 0
** c51fcabbbf996f9bd646af6da2e4a7e55a5be387fc291fa66bca1338d1fdb6e984cc40fe44bf8e10fcedba94c208967262088cc80d5324e863d98f0bbb3d2739
* hack flag wit 1
** hubby match nodal liked shred fauna gusts pique agave
** Correct flag +5pt
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 5<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)Red Team
(1)Blu Team
(2)Purpl Team
$hack flag wit #
</pre>
* hack flag wit 1 (or 0)
** d97904aa6bcc83764779312eaa0991b6c69bb755e6d40d07202f596171b1df3dac05b1f6302d6060669bff17741462e9157cb3c056fb39f0e93b716873658100
* hack flag wit 2
** riles forgo goats leant mower blown faded fails astir
** Correct +5pt
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 7<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)Drop 0-Day
(1)Notify Vendor
$hack flag wit #
</pre>
* hack flag wit 0
** d97904aa6bcc83764779312eaa0991b67b84d4e408e03f4d021893dbc9e91b23f336ddf853568421a227382ca316558af7a86b99707c4ece840da678974833b6
* hack flag wit 1
** riles forgo goats quire vodka depth decay yacht whomp
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 8<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)Hack
(1)Slp
(2)Et
(3)showR
$hack flag wit #
</pre>
* hack flag wit 0 (or 1 or 2)
** c51fcabbbf996f9bd646af6da2e4a7e52e81bf9bd688e0a84ed0b97fc477157f379a5d0de272db5739702576ae871e5146aaa59a1de3da09e21e3fa64e7db686
* hack flag wit 3
** hubby match nodal seems horns burly gilds goofs bated
** Correct (+5pt)
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 9<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)OSX
(1)Windows
(2)Linux
(3)BSD
$hack flag wit #
</pre>
* hack flag wit 0 (or 1 or 3)
** c51fcabbbf996f9bd646af6da2e4a7e5ee25b3884074d84b9054cbdd4ca4736ff295518e1cd5ddcaa7f421fab707396ac9b7557b2041262c4fbc8a20bfa70ab5
* hack flag wit 2
** hubby match nodal place silly gaped lends taint sales
** Correct +5pt
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 10 (A)<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
(0)Buffer Underflow
(1)Buffer Overflow
$hack flag wit #
</pre>
* hack flag wit 0 (or 1 or 2)
** d97904aa6bcc83764779312eaa0991b67b84d4e408e03f4d021893dbc9e91b23f336ddf853568421a227382ca316558af7a86b99707c4ece840da678974833b6
* hack flag wit -1
** aegis glows weeds vamps blind towed heave amuse tying
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 13 (D)<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
Did Carole Baskin kill her OM?
(0)Yes
(1)No
$hack flag wit #
</pre>
* hack flag wit 0
** hubby match nodal stood tends clasp garde monic agora
* hack flag wit 1
** c51fcabbbf996f9bd646af6da2e4a7e5e09af0907f2fa5a51cbf63235e4fb4c18ce29665b756d0809d0b382ca0cf8e96a0223f4ac788b79a95bc4511180b42af
</div></div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 18 (I)<div class="mw-collapsible-content">
<pre>
~LULZ QUIZ~
Pineapple on pizza?
(0)Yes
(1)No
$hack flag wit #
</pre>
* hack flag wit 0
** riles forgo goats facto mover event amaze jolly knell
** Correct Flag +5pt
* hack flag wit 1
** d97904aa6bcc83764779312eaa0991b669dec1a3a9fd6496ea01eb03fcff64f275353c026e88df02efb7cf9c7d4b3a52de12b21ae045cf7e6452df74858f1140
</div></div>

==Reverse Engineering==
<div class="toccolours mw-collapsible mw-collapsed">Challenge 2<div class="mw-collapsible-content">
<pre>
U cUm ax a supa secure medical LAPPY covered n stickers. It hz a TACO_CORP_PROMPT on itz scrEn.
and!xor:~$ look at TACO_CORP_PROMPT
D prolly not HIPAA compliant login 4 Taco Corps medical rEsrch divisN. Did dey release d virus only 2 seL thR salsa vaccine az a cure?
and!xor:~$ hack LAPPY wit RUBBER_DUCKY
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at LAPPY
D credz auth binary wz XtractD. wot acownt iz Usd 2 login? Saved undR youZer binz...
</pre>
On the badge under /USR/BIN/ is a new file: TACOTH
<pre>
file andxor/USR/BIN/TACOTH
andxor/USR/BIN/TACOTH: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=1109a4c77bf523765870c7d93233c78223777b5d, for GNU/Linux 3.2.0, not stripped
</pre>
Time for some reverse engineering with Ghidra.
<pre>
hack flag wit 8GAT35@VAXX34.0RG
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! ditto stoke waltz hinds agora buyer likes ivied stalk
</pre>
<div class="toccolours mw-collapsible mw-collapsed">Binary Breakdown<div class="mw-collapsible-content">
* The key seems to be this bit of code:
<pre>
if ((((((x00 == 0) || (x01 == 0)) || (x02 == 0)) || ((x03 == 0 || (x04 == 0)))) ||
     ((((x05 == 0 || ((x06 == 0 || (x07 == 0)))) || (x08 == 0)) ||
      ((((x09 == 0 || (x10 == 0)) || (x11 == 0)) ||
       (((x12 == 0 || (x13 == 0)) || ((x14 == 0 || ((x15 == 0 || (x16 == 0)))))))))))) ||
    (crc == 0)) {
  puts("FAILZ!");
}
else {
  puts("SUCCESS!");
}
</pre>
* So we need to identify x00 thru x16 and make them != 0, along with the crc.
<pre>
if (((int)local_28[0] - 0x30U & 0x3fffffff) == 8) {
  x00 = 1;   // so 0x38 or '8'
}
</pre>
* x00 = 8
<pre>
if (((local_28[1] == 'G') && (local_28[2] == 'A')) && (local_28[3] == 'T')) {
  x01 = 1;
  x02 = 1;
  x03 = 1;
}
</pre>
* x01 = G
* x02 = A
* x03 = T
<pre>
if ((iVar1 + 1) % 0x24 == 0) {
  x04 = 1;
  x05 = 1;
}
</pre>
* x04 and x05 seem to need a bit more investigation.
** This was frustrating me a ton and I ended up just bruteforcing a bit here with some for loops:
<pre>
for i in $(cat list4); do echo Trying$i && sudo ./TACOTH $i; done > results
</pre>
* This only really worked since it was my last couple characters to figure out.
Result ended up being '35'.
<pre>
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
local_36 = local_24;
iVar1 = atoi(&local_36);
iVar1 = fgetc(__stream);
</pre>
* I'm not 100% sure but it looks like these two resolve themselves, though I don't have a defined view of what local_24 is from here; it should be 'G', which is what gets written to .temp in hex.
<pre>
if (local_22 == '@') {
  x06 = 1;
}
</pre>
* local_22 doesn't appear defined anywhere, but this pretty easily needs to be an '@'.
** However, there is a big loop that occurs and after it is this:
<pre>
if (((x07 != 0) && (x08 != 0)) && ((x09 != 0 && (x10 != 0)))) {
  x06 = 1;
}
</pre>
* So we need to get x07-x10 and x06 will fall in line; let's look at the loop:
<pre>
local_2f = 0x78787878;
local_2b = 0x7878;
local_6c = 7;
while (local_29 = 0, local_6c < 0xb) {
  switch(local_28[local_6c]) {
  case 'A':
    if (local_6c == 8) { x08 = 1; local_2f = 0x63616261; local_2b = 0x7375; }
    break;
  case 'B':
    if (local_6c == 8) { a02 = 1; local_2f = 0x69626162; local_2b = 0x7365; }
    break;
  case 'C':
    if (local_6c == 9) { a03 = 1; local_2f = 0x61626163; local_2b = 0x616c; }
    else { if (local_6c == 10) { a03 = 1; local_2f = 0x61626163; local_2b = 0x616c; } }
    break;
  case 'D':
    if (local_6c == 7) { a04 = 1; local_2f = 0x62626164; local_2b = 0x7265; }
    break;
  case 'E':
    if (local_6c == 8) { a05 = 1; local_2f = 0x65676165; local_2b = 0x7372; }
    break;
  case 'F':
    if (local_6c == 9) { a06 = 1; local_2f = 0x6c626166; local_2b = 0x7365; }
    else { if (local_6c == 10) { a06 = 1; local_2f = 0x6c626166; local_2b = 0x7365; } }
    break;
  case 'G':
    if (local_6c == 7) { a07 = 1; local_2f = 0x69626167; local_2b = 0x6e6f; }
    break;
  case 'H':
    if (local_6c == 8) { a08 = 1; local_2f = 0x69626168; local_2b = 0x7374; }
    break;
  case 'I':
    if (local_6c == 9) { a09 = 1; local_2f = 0x63696269; local_2b = 0x7365; }
    else { if (local_6c == 10) { a09 = 1; local_2f = 0x63696269; local_2b = 0x7365; } }
    break;
  case 'J':
    if (local_6c == 7) { a10 = 1; local_2f = 0x6262616a; local_2b = 0x7265; }
    break;
  case 'K':
    if (local_6c == 8) { a11 = 1; local_2f = 0x6162616b; local_2b = 0x616c; }
    break;
  case 'L':
    if (local_6c == 9) { a12 = 1; local_2f = 0x6761616c; local_2b = 0x7265; }
    else { if (local_6c == 10) { a12 = 1; local_2f = 0x6761616c; local_2b = 0x7265; } }
    break;
  case 'M':
    if (local_6c == 7) { a13 = 1; local_2f = 0x6163616d; local_2b = 0x7377; }
    break;
  case 'N':
    if (local_6c == 8) { a14 = 1; local_2f = 0x6863616e; local_2b = 0x736f; }
    break;
  case 'O':
    if (local_6c == 9) { a15 = 1; local_2f = 0x756b616f; local_2b = 0x736d; }
    else { if (local_6c == 10) { a15 = 1; local_2f = 0x756b616f; local_2b = 0x736d; } }
    break;
  case 'P':
    if (local_6c == 7) { a16 = 1; local_2f = 0x6b636170; local_2b = 0x6465; }
    break;
  case 'Q':
    if (local_6c == 8) { a17 = 1; local_2f = 0x6c626971; local_2b = 0x7361; }
    break;
  case 'R':
    if (local_6c == 9) { a18 = 1; local_2f = 0x62626172; local_2b = 0x6e69; }
    else { if (local_6c == 10) { a18 = 1; local_2f = 0x62626172; local_2b = 0x6e69; } }
    break;
  case 'S':
    if (local_6c == 7) { a19 = 1; local_2f = 0x6f626173; local_2b = 0x6172; }
    break;
  case 'T':
    if (local_6c == 8) { a20 = 1; local_2f = 0x6c626174; local_2b = 0x7365; }
    break;
  case 'U':
    if (local_6c == 9) { a21 = 1; local_2f = 0x696c6775; local_2b = 0x7265; }
    else { if (local_6c == 10) { a21 = 1; local_2f = 0x696c6775; local_2b = 0x7265; } }
    break;
  case 'V':
    if (local_6c == 7) { x07 = 1; local_2f = 0x75636176; local_2b = 0x6d75; }
    break;
  case 'W':
    if (local_6c == 8) { a23 = 1; local_2f = 0x62626177; local_2b = 0x656c; }
    break;
  case 'X':
    if (local_6c == 9) { x09 = 1; local_2f = 0x696e6578; local_2b = 0x6c61; }
    else { if (local_6c == 10) { x10 = 1; local_2f = 0x696e6578; local_2b = 0x6c61; } }
    break;
  case 'Y':
    if (local_6c == 7) { a25 = 1; local_2f = 0x62626179; local_2b = 0x7265; }
    break;
  case 'Z':
    if (local_6c == 8) { a26 = 1; local_2f = 0x6666617a; local_2b = 0x7265; }
  }
  local_6c = local_6c + 1;
}
</pre>
* A lot going on here, but local_6c seems to be a counter given the last line. It also appears to start at 7 and stands in for the array position that appears to be our flag.
** local_6c == 7 has D,G,J,M,P,S,Y modifying some a00 number while V gives x07 = 1
** local_6c == 8 has B,E,H,K,N,Q,T,W,Z doing similar while A gives x08 = 1
** local_6c == 9 has C,F,I,L,O,R,U doing similar again while X gives x09 = 1
** local_6c == 10 has other stuff but x10 = 1 was found under X anyway so
** 'VAXX'
<pre>
if (((int)local_1c + (int)local_1d == 0x67) && ((int)local_1c - (int)local_1d == 1)) {
  x11 = 1;
  x12 = 1;
}
</pre>
* This is a pretty simple one: 0x67 is 103, so 1c + 1d = 103 and 1c - 1d = 1.
** 52 and 51 work cleanly in here
** '4' and '3'
<pre>
if (local_1b == '.') {
  x13 = 1;
}
</pre>
* Another easy one: '.'
<pre>
uVar2 = rot13((int)local_1a);
if (((int)uVar2 == 0x3d) && (uVar2 = rot13((int)local_19 + 1), (int)uVar2 == 0x60)) {
  x14 = 1;
  x15 = 1;
}
----------------------------
rot13 {
  return (ulong)(param_1 + 0xd);
}
</pre>
* '0' for local_1a will give us at least the first part of the if statement
* 'R' for local_19 gives the next part
<pre>
__stream = fopen(".temp","w+");
fputc(0x47,__stream);
fclose(__stream);
...
iVar1 = fgetc(__stream);
fclose(__stream);
remove(".temp");
if (iVar1 == (int)local_18) {
  x16 = 1;
}
</pre>
* Beginning bits put 'G' into .temp and check it against local_18 later, so local_18 needs to be 'G'.
</div>
</div>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 16 (G)<div class="mw-collapsible-content">
<pre>
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed. f only U c%d hack dis HW.
and!xor:~$ look at ROACH
U haz a senS of longing 4 Lulvil. Trevor 4get icing Dave whIl dressed az a *<|:).
and!xor:~$ hack INTRFAC wit ICEDEBUGGER
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look
Theres an elctrnk bug. ! d NSA kind bt d ROACH frm con kind. PrograMn INTRFAC exposed.
f only U c%d hack dis HW.
and!xor:~$ look at INTRFAC
D mny bug badge blings raw whIl itz binary dumps. Itz az f frm warez iz jst hidden n pln cite.
</pre>
Looking at the BLING_BW folder on the badge, I ran file BLING_BW/* and identified DERBY.RAW as an ELF file instead of data.
<pre>
chmod +x DERBY.RAW
./DERBY.RAW
What is the password to get Trevor in to heaven: TrevorForget
WRONG!
</pre>
I run ltrace to see what's going on:
<pre>
ltrace ./DERBY.RAW
printf("What is the password to get Trev"...) = 49
gets(0x7fffdbb0e440, 32, 0, 0What is the password to get Trevor in to heaven: fail
) = 0x7fffdbb0e440
strcmp("fail", "ROUNDERS") = 20
puts("WRONG!"WRONG!
) = 7
+++ exited (status 0) +++
</pre>
strcmp("fail", "ROUNDERS") seems to be the ticket:
<pre>
./DERBY.RAW
What is the password to get Trevor in to heaven: ROUNDERS
RIGHT!
</pre>
Back to the badge:
<pre>
and!xor:~$ hack flag wit ROUNDERS
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! riles forgo goats anise sixes piled strip idols mulch
</pre>
</div></div>

==Blinking Lights==
<div class="toccolours mw-collapsible mw-collapsed">Challenge 11 (B)<div class="mw-collapsible-content">
<pre>
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
</pre>
Adding one friend appears to unlock this one.
<pre>
and!xor:~$ look
u c Mt BER cn, sobr thotz :( mAbE U cn cure d rona by putn smTIN inside yo slf. U scratch BUTT whIl tinkiN bout it.
and!xor:~$ hack BUTT wit UVLIGHT
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at BUTT
Yor gutz lite ^ & blink. Itz supa serial 2 stRt tink bout lEst & mst sigNfict tNgs thN stop, cuz DIS mA b d wrng cure.
</pre>
After hacking, the LEDs flash in the following pattern (with a small rest at each newline):
* P - Pink
* G - Green
<pre>
PGPPPGGPPG
PPGGGPPGPG
PPPPGPPGPG
PPPPPPPGPG
PPPGGPPGPG
PGGPPGGPPG
PPPGGPPGPG
PGPPGGPGPG
PPPGGPPGPG
PGPPGGPGPG
PGPGPGGPPG
PPPPPGGPPG
PGGGPGGPPG
</pre>
This one was pretty crazy, but really drove home the "Hey, there's hints in the challenge stupid". Serial... So, converting to binary:
<pre>
0100011001
0011100101
0000100101
0000000101
0001100101
0110011001
0001100101
0100110101
0101011001
0000011001
0111011001
</pre>
Thanks to [https://www.fpga4fun.com/SerialInterface1.html this] resource on how serial interfaces work, we can recognize that each 10-bit group is padded with a start bit and a stop bit. Serial also communicates LSB first, so I manually reversed each line for:
<pre>
00110001
01001110
01001000
01000000
01001100
00110011
01001100
01011001
00110101
00110000
00110111
</pre>
This decodes nicely into ASCII for: 1NH@L3LY507
<pre>
and!xor:~$ hack flag wit 1NH@L3LY507
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds brave funds swear rival tonic tours
</pre>
* Correct flag, +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 20 (K)<div class="mw-collapsible-content">
<pre>
and!xor:~$ look
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
</pre>
After some friends:
<pre>
and!xor:~$ look
A lRg comms tower itz n not powered, a PIGEON_HOLE gap exists whch needs somTIN 4 cndctvity. l%kin awA U notic som CLOUDS. c%d DIS b d coz of it aL. d rona?
and!xor:~$ look at CLOUDS
R thOs clouds? problE not, thOs R chem trails. Dey put a hex on U morse so thN U tink.
and!xor:~$ hack PIGEON_HOLE wit BIRB
and!xor:~$ look at PIGEON_HOLE
woah, d bIrb ComplEtd d cIrcuit! a vanilla iCe trak starts playin & lyts r flashin waaa t% fst.
nEd 2 lit'rally netflIx & Chill 2 slo thngz dwn b4 i git a hedakE
</pre>
The lights on the badge start flashing super quick after hacking; I took a video and replayed it much slower so I could catch it. The clue from the CLOUDS was morse, which correlated with the lights flashing green for short and pink for long, with some pauses between. This gave me:
<pre>
...-- ..... ....- --... ..... ....- ...-- ----- ..... --... ...-- ...-- ..... ..--- ..... .- ....- ....- --... ..... ....- ---..
</pre>
* Translated to: 354754305733525A447548
* From Hex gave: 5GT0W3RZDuH
<pre>
and!xor:~$ hack flag wit 5GT0W3RZDuH
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! hubby match nodal shirt nixed shrug thaws loped booth
</pre>
* Correct Flag +100pt
</div>
</div>

==Decode/Decrypt==
<div class="toccolours mw-collapsible mw-collapsed">Challenge 14 (E)<div class="mw-collapsible-content">
<pre>
U find a locked Q10 w tiny ENGRAVING. itz asking 4 a PW. A BIRB flies overhead, you l%k ^ & 2 d L.
and!xor:~$ look at BIRB
Itz not real, birbs R guvment survlnce drone dat wraprownd d globe ch1rpin 'key key'
and!xor:~$ hack ENGRAVING wit AMSCOPE
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at ENGRAVING
on d bak d following iz inscribed: tzizcz
</pre>
Looking at a Q10 keyboard, which hey, that's what the badge has! Along with the info from looking at the birb, we toy around with the ciphertext and keyboard shifting while wrapping around.
<pre>
and!xor:~$ hack flag wit canada
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds guide floes otter porch seize lived
</pre>
* Correct flag +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 15 (F)<div class="mw-collapsible-content">
<pre>
Wut? Itz MrBill. Hes trying 2 coLec OSINT on Hs net of hard hat SD haXor fam. StA classy & giv him wot he wants.
and!xor:~$ hack OSINT wit MALTEGO
O damn, we hav a l337 haxor Ovr hEr.
d louder U R d less U hEr. tAk a L%k @ yor pwned target.
and!xor:~$ look at OSINT
he pEpn SSN off W3s
and!xor:~$ look at SSN
k not boomer, dat iz social security #
</pre>
Looking around MrBill's twitter for SSNs I found: [https://twitter.com/SecureThisNow/status/1237073467771514881 420-69-1337]
<pre>
hack flag wit 420-69-1337
</pre>
* hubby match nodal twice mrbil roped kilns sayer smash
** Correct +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 19 (J)<div class="mw-collapsible-content">
<pre>
and!xor:~$ look
Theres a robotic HED on d ground, bt it iz lacking d milliamps. FAC & reminds of U of pure annoyance.
and!xor:~$ look at FAC
Blu grEn red yeLo w two eyes som brows & wot d fuk iz dat a nose o mouth?!
and!xor:~$ hack HED wit BATTERY
and!xor:~$ look at HED
U cn ask me simpl questions bout how Slack works, o jst typ a few keywords lIk "m355@g3" bt TLK 2 yorself so others lIk guvment dun knO
</pre>
Slack myself on AND!XOR channel:
<pre>
m355@g3
Slackbot 10:36 PM
wlcm 2 Slack! U uncovered d 1st clue: "grY Fynpxobg: Ebg13NyyGurGuvatm"
</pre>
* rot13 to: teL Slackbot: Rot13AllTheThingz
<pre>
Yawg:hypnotoad: 10:37 PM
Rot13AllTheThingz
Slackbot 10:37 PM
nIs wrk. d NXT clue iz: "53 6c 61 63 6b 62 6f 74 20 77 69 4c 20 72 65 77 61 72 64 20 55 20 34 20 73 61 79 69 6e 67 2c 20 22 48 33 78 52 6f 78 22"
</pre>
* Hex to: "Slackbot wiL reward U 4 saying, "H3xRox""
<pre>
Yawg:hypnotoad: 10:37 PM
H3xRox
Slackbot 10:37 PM
U R almost ther. "C@n%20y0%7C_%7C%20s/%5Cy%20T%7C-%7C3s3%20w0rdz?%20%22%7C-%7CE%7C_%7C_O%20%5C/%5C/OR%7C_D!%22"
</pre>
* URL Decode to: "C@n y0|_| s/\y T|-|3s3 w0rdz? "|-|E|_|_O \/\/OR|_D!""
<pre>
Yawg:hypnotoad: 10:38 PM
|-|E|_|_O \/\/OR|_D!
Slackbot 10:38 PM
⠎⠥⠍⠞⠊⠍⠵⠀⠥⠀⠉⠀⠍⠕⠀⠃⠽⠀⠝⠕⠞⠀⠉⠝⠀⠁⠎⠅⠀⠎⠇⠁⠉⠅⠃⠕⠞⠀⠐⠁⠗⠑⠺⠑⠞⠓⠑⠗⠑⠽⠑⠞⠐
</pre>
* Braille to: "SUMTIMZ U C MO BY NOT CN ASK SLACKBOT "AREWETHEREYET""
<pre>
Yawg:hypnotoad: 10:38 PM
AREWETHEREYET
Slackbot 10:38 PM
.. --.. / / -.. .. ... / / -.. / / . -. -.. --..-- / / --- / / .-. / / --- ..- .-./.-..-. .... ----- .--. ...-- ... -.. .--.-. ... .... . -.. .-..-. ..--..
</pre>
* Morse Code to: "IZ DIS D END, O R OUR "H0P3SD@SHED"?"
<pre>
Yawg:hypnotoad: 10:44 PM
H0P3SD@SHED
Slackbot 10:49 PM
k k. Enuf alredi. U R l%kin 4 a flag dat wen decrypted wiL L%k lIk "flag{REDACTED}". d encryptd msg iz bElO. U wiL hav 2 decode it first, thN U wiL hav 2 figur out d XOR key & actually decrypt it. wen U hav it, go bak 2 d badge & "hack flag wit REDACTED" n saEm plAc u found dis chlng: BwIFCQMGMQAALA8CKhwCHB0eDCZCD1EZ
</pre>
* This one took some running around that was long and unnecessary. My gut instinct was that this was Base64 from which I would need to XOR to get "flag....", but using CyberChef I was struggling with understanding the output, and using XOR Brute Force after B64 was crashing out after a key length of 3.
* After getting a hint from a friend, we discussed how XOR ciphering worked a bit more in depth and that the first step was indeed B64; it's just that the encrypted output could still look like gibberish.
* Using CyberChef I first decoded Base64, then put up XOR decryption, changed from HEX to UTF-8 and took a stab at entering the key.
* As I began typing "andnxor", each letter brought my output closer to "flag{" and finally gave me the desired output of flag{iCanHazEncryptI0n?}
* Back to the badge:
<pre>
hack flag wit iCanHazEncryptI0n?
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! aegis glows weeds flour rents lunar flirt crabs quack
</pre>
* Correct flag +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">Challenge 21 (L)<div class="mw-collapsible-content">
<pre>
and!xor:~$ look
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
</pre>
After some friends:
<pre>
Pon d flOr ther sits a glitter covered tink pad frm TyMkrs. Itz old, runN win 2000, & evN hz an IOMEGA_DRIVE.
hack IOMEGA_DRIVE wit ZIP_DISK
and!xor:~$ look at IOMEGA_DRIVE
W a solid clik d disk snaps in2 plAc.
Un4tuN8ly d files R credential locked by d win SAM
and!xor:~$ look at SAM
Navigating 2 d win SYS thirty two config SAM U find: 0E7FDE76B8A417953D640D5CDB0D9B72
</pre>
Welp, gotta crack the hash:
<pre>
hashcat64.exe -m 1000 -a 0 0e7fde76b8a417953d640d5cdb0d9b72:m3atl0af
</pre>
Back to the badge:
<pre>
and!xor:~$ hack flag wit m3atl0af
Ans Submitted. L%k 2 C flag.
and!xor:~$ look
ChaLenG Complete! hubby match nodal false sheik sight veals thyme panic
</pre>
* +100pts
</div>
</div>

==Phone Call==
A few challenges have a phone number attached: 1-337-628-4623

<div class="toccolours mw-collapsible mw-collapsed">
Challenge 6
<div class="mw-collapsible-content">
<pre>
D chaLenG iz locked! Xchang frend flag 4 unlock! bit.ly/3eRTR4B
</pre>
Several frends later...
<pre>
U entR a building & wiLCaruana runs awA az U apRch an OpN elvt0r. Yln he hz a :X & dropz a CELL. Thr iz l0kd CALLBOX bElO d flOr btNz.
and!xor:~$ look at CELL
Therz only 1 fone # n d recnt caL lst 312d3333372d4d41542d492d4f4245592e2e2e4d6179422064726f7020442059
</pre>
* Hex: "1-337-MAT-I-OBEY...MayB drop D Y"
<pre>
and!xor:~$ hack CALLBOX wit LOCKPICK
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target. LUG caL bawx iz n chaLenG 4 you, d trusT baL pik pWns it n 2nds.
and!xor:~$ look at CALLBOX
Bt hW u caL? Etchd w wot wz problE a hevE gauge wire U c ZXh0LjQxNzc=
</pre>
* Base64: ext.4177
* Calling the number and using the extension we get the flag "OTIS"
<pre>
and!xor:~$ hack flag wit OTIS
</pre>
* riles forgo goats drear feint angel hates rinse fitly
** Correct Flag +100pt
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
Challenge 17 (H)
<div class="mw-collapsible-content">
<pre>
A PAYPHONE by a run dwn gas statN. P$ shows -$1337 / gal. WUT?! wiLCaruana again, n he iz runN awA :-d & shooting a laser @ U.
and!xor:~$ hack PAYPHONE wit QUARTER
O damn, we hav a l337 haxor Ovr hEr. d louder U R d less U hEr. tAk a L%k @ yor pwned target.
d # U R clng cnt b rEchD pls hang ^ & try agen:
312d3333372d4d41542d492d4f4245592e2e2e4d6179422064726f7020442059
</pre>
* Last bit is Hex
** "1-337-MAT-I-OBEY...MayB drop D Y"
<pre>
and!xor:~$ look at PAYPHONE
d fone worx bt itz auto dialing a messed ^ #. how Ls c%d U caL it? & u 1Dr wut ^ wit itz COINBOX...
and!xor:~$ look at COINBOX
it hz Bin pryed OpN & NE coins put n faL rght bak out. N bak u C msg:
Rm9yIGEgZ29vZCB0aW1lIGNhbGwgZXh0LiAyMzIz
</pre>
* Base64: For a good time call ext. 2323
** gave a link for [http://bit.ly/2B2Wq4r a zip]
<pre>
This file is in WAV IQ format. To upsample to RAW IQ...(DO NOT CHANGE THE OUTPUT FILE NAME)
$ sox dc28_andnxor_ost.wav -e float -t raw -r 1024000 -b 32 -c 2 gqrx_20200806_123456_123456789_1024000_fc.raw
</pre>
This one took so damn long to figure out but we got there! The phone bit mentions a pager, so I ended up using [https://www.discriminator.nl/pdw/index-en.html PDW] and GQRX to decode the POCSAG audio.
<pre>
and!xor:~$ hack flag wit DUALCORE
</pre>
* ditto stoke waltz brats bosun owing pinko levis asset
** Correct +100pt
<div class="toccolours mw-collapsible mw-collapsed">
The Rap
<div class="mw-collapsible-content">
<pre>
This one's dedicated to all the hackers.
Even out settle score quick.
My disaster recovery requires even more disks
Put your bytes up, prove it or you forfeit.
Got my C64 and we blew it into orbit.
1:M. Bison with eight straight perfects
Overload emotions make hate, break circuits.
In case you heard, it's a name fake service.
Optimize our runtime to escape verdicts.
Got an integer scope flow. That they can't sign.
Passing code, didn't sanitize.
Command lines; land mine
So before, they'll see me after.
I'm Advice dog. Courage Wolf. Plus Philosoraptor.
Don't prove we're human unless we really hafta
My team built schemes that destroyed recaptcha.
Hate what they see, finish this chapter.
By the way we're not any geeks, we hack into NASA.
Drink all the booze. Hack all the things.
Drink all the booze.
Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Got this Vodka and this Redbull. They still give me wings.
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Zero through Three. We're in every single ring.
I'm just waiting until my blackberry dies
Cause I'll replace it with a raspberry pi.
Don't compare to this track. It makes everything they said dull
Neutralize any threat. Turn Red skull to dev null.
They killed virus writers that we mentioned
But instead they ascended to the VXHeavens.
To reincarnate as live wires.
Still inside we hide ciphers in signed device drivers
Which school will we hit next? They didn't learn the format.
So we've gotta printf.
Next step is a chin check
Freestyles that I spit best. They didn't decrypt yet.
I crush internet MC's in rhyme battles.
Get your WiFi tackled Hak5 Pineapple.
I don't think you'll like my snapple.
Cause I popped it with vodka. And a cyanide capsule
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Got this Vodka and this Redbull They still give me wings
So we drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
First we drink all the booze. Then we hack all the things.
Then backdoor the firmware. On anything you bring.
Regardless of the hardware, service, or encoding.
Connected it to the internet And someone's gonna own it.
This is for the pirates who clap. And love the sound attacking from the cloud
Then we're back in underground. There's no masking from us now.
We pop Tor nodes around the globe Track and hunt you down.
Hacked on schedule, add it to your calendar.
Devices online; here comes another challenger
State infiltrated, so undercover.
This is for my comrades who stare at their debuggers.
And trace every buffer
Examining the code flow.
Haven't been to sleep? Better pop another No-Doz.
I think I'll need a planet sized urn
Cause some men just wanna see the world burn.
Your turn!
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Got this Vodka and this Redbull. They still give me wings
So we drink all the booze. Hack all the things.
Drink all the booze. Hack all the things
Drink all the booze. Hack all the things.
Zero through three. We're in every single ring
FLAG: DUALCORE
</pre>
</div>
</div>
</div>
</div>

===Easter Eggs===
<div class="toccolours mw-collapsible mw-collapsed">
Phone Menu
<div class="mw-collapsible-content">
<pre>
"Welcome to taco corp pharmaceutical elevator right to repair bathtub favorite quarantine vodka and artisanal organic ?????
super friendly and sometimes but not always helpful customer service hotline you may be charged 1337 dollars per hour for support review your customer agreement for details Please enter the extension of the party you wish to reach now"
</pre>
</div>
</div>
<div class="toccolours mw-collapsible mw-collapsed">
Non-Challenge Related Extensions
<div class="mw-collapsible-content">
* 1111
** Clip from Aerosmith - Love In An Elevator music video
* 2222
** clip from Sneakers (call to the NSA)
* 3333
** clip from Hackers (informing Dade about the pool)
* 4444
** clip from Hackers ("pool on the roof sprung a leak")
* 5555
** clip from Futurama (Bender "Well, we're boned!")
* 6666
** Clip from Futurama (Fry wants holophonor lessons from the robot devil)
* 7777
** clip from Ghost (elevator scene)
* 8888
** clip from Spider-man 2 (elevator scene)
* 9999
** clip from Mr and Mrs Smith (elevator scene)
* 0000
** clip from Hackers (phreak calling from jail)
* 1234
** Rick Roll :-/
* 2345
** Hackers "rabbit flu shot" ya know, HACK THE GIBSON
* 3456
** Castle "Someone synced a RAT"...
* 4567
** Hackers too many garbage files
* 6789
** Castle "they're onto us" right after 3456
* 2580
** Hackers "We're being framed it's in that place where I put that thing that time"
* 6969
** "Nice"
</div>
</div>

==Completionist==
<div class="toccolours mw-collapsible mw-collapsed" style="overflow:auto;">
<pre>
and!xor:~$ bender statz
C0mpl37!0n: 100%
Congratz! U iz dn! bit.ly/2Aw1s9C
</pre>
* The link goes [https://nevergonnagiveyouupnevergonnaletyoudown.com/completionist_fin_1337_dc28_xjsnf8.txt here]
* Using CyberChef "From Hex" -> "From Base85" gives:
<pre>
Years of bn beaten dwn frm partying & burned & robotized & d nuclear wNtR & d 2020 bingo card pandemic whr DEF CON wz canceled... d maze opens ^ & U c dat U R nw frE. U L%k 2 yor watch 2 c wot tym it iz bt dat watch iz lng gone. Doesnt m@R. Theres n tym n d apocalypse. So U run...
AEgikH
</pre>
* Decoder: ditto stoke waltz tombs trace canny zippy jokes zingy
* +10pt
</div>
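Going back to the H0P3SD@SHED Slackbot challenge earlier on this page (the BwIFCQMG... message), the Base64-then-XOR decryption done by hand in CyberChef, as an added example that is not the badge's or the writeup author's code. The ciphertext and the "flag{" crib come from the challenge text; the key "andnxor" is the guess the writeup arrived at, and the candidate-key check is an assumed helper that mirrors typing the key in letter by letter.

```python
"""Repeating-key XOR recovery for the H0P3SD@SHED challenge.
Added example, not the badge's or the writeup author's code."""
import base64

CIPHERTEXT_B64 = "BwIFCQMGMQAALA8CKhwCHB0eDCZCD1EZ"   # as printed by the Slackbot
CIPHERTEXT = base64.b64decode(CIPHERTEXT_B64)        # step 1: strip the Base64 layer
CRIB = b"flag{"                                      # plaintext prefix the challenge promises


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling the key; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_prefix(ciphertext: bytes, crib: bytes) -> bytes:
    """Known-plaintext step: ciphertext XOR plaintext yields the key bytes under the crib.

    A 5-byte crib reveals only 5 key bytes; the remainder has to be guessed (here the
    badge team's name with the "!" dropped) or found by trying longer keys."""
    return xor_repeat(ciphertext[: len(crib)], crib)


def looks_like_flag(plaintext: bytes) -> bool:
    """Accept only fully printable output in the flag{...} shape the challenge promised."""
    return (plaintext.startswith(b"flag{") and plaintext.endswith(b"}")
            and all(32 <= c < 127 for c in plaintext))


def check_candidates(ciphertext: bytes, candidates) -> list:
    """Return the candidate keys whose decryption passes looks_like_flag().

    Mirrors the letter-by-letter attempt in CyberChef: "andnx" and "andnxo" repeat at
    the wrong period and corrupt the tail, only "andnxor" gives a clean flag."""
    return [k for k in candidates if looks_like_flag(xor_repeat(ciphertext, k.encode()))]


def decrypt(ciphertext_b64: str, key: str) -> str:
    """The full pipeline: From Base64, then XOR with a UTF-8 key."""
    return xor_repeat(base64.b64decode(ciphertext_b64), key.encode()).decode("latin-1")


if __name__ == "__main__":
    print("key bytes under crib:", recover_key_prefix(CIPHERTEXT, CRIB))      # b'andnx'
    print("keys giving a clean flag:", check_candidates(CIPHERTEXT, ["andnx", "andnxo", "andnxor"]))
    print("flag:", decrypt(CIPHERTEXT_B64, "andnxor"))                         # flag{iCanHazEncryptI0n?}
```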
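For the SAM hash in Challenge 21 (L), an added example (not the badge's, hashcat's or the writeup author's code) of what the hashcat run computes: mode 1000 is NTLM, an unsalted MD4 over the UTF-16LE password, which is why a wordlist check against a SAM hash is so cheap. The MD4 is a transcription of RFC 1320; the hash and the cracked candidate are the ones shown on the page.

```python
"""NTLM check for the SAM hash in Challenge 21 (L). Added example, not the badge's,
hashcat's or the writeup author's code. NTLM = MD4(UTF-16LE(password)): no salt and
no iteration, so every guess costs a single MD4 block."""
import struct

PAGE_HASH = "0E7FDE76B8A417953D640D5CDB0D9B72"   # hash shown by the badge's SAM
PAGE_CANDIDATE = "m3atl0af"                       # what the writeup cracked it to
_MASK = 0xFFFFFFFF
_ROUNDS = (  # RFC 1320: (boolean function, additive constant, shifts, word order)
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 (RFC 1320): pad with 0x80 and zeros to 56 mod 64, append the 64-bit
    little-endian bit length, then 48 steps per 64-byte block."""
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(message))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in _ROUNDS:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles: next step updates d, then c, then b
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NTLM = MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16le")).hex()


def candidate_matches(password: str, ntlm_hex: str) -> bool:
    """The per-guess comparison a cracker makes; hex case is irrelevant."""
    return ntlm(password) == ntlm_hex.lower()


if __name__ == "__main__":
    print(ntlm(""))   # 31d6cfe0d16ae931b73c59d7e0c089c0, the well-known empty-password NTLM
    print("m3atl0af reproduces the SAM hash:", candidate_matches(PAGE_CANDIDATE, PAGE_HASH))
```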