hack.lu CTF v.2013

Web
ctf timer progress
Archive Mode
overall completion
rank
-

players
-

score
-

announcements

[2013-10-24 08:30:26] Hey all, we hope you enjoyed the ctf!
The ctf is over - please give us some feedback, so we can improve our next ctf. We would appreciate it, if you can send us a mail (fluxfingers (at) rub.de), answering the following (or a subset of) questions:

Which challenge(s) did you like most? Why?
Which challenge(s) did you dislike? Why?
Do you think there were too many/few challenges?
Did you miss a certain challenge category (reversing/web/stegano/crypto/you-name-it)?
Were there enough challenges in each category or was a category imbalanced?
Did you like the scoreboard/theme?
Are you satisfied with the support?
What should we do better next time?

[2013-10-24 08:13:09] [For whom the bell tolls] Ruby Version 1.8.7

[2013-10-23 22:13:40] [BREW'r'Y] Hint: The challenge text gives hints about the protocol involved. We updated it in order to reflect that fact.

[2013-10-23 20:07:01] [Roboparty] The flag starts with 'Y4Y,'

[2013-10-23 20:03:35] [Wannabe] Okay you can stop struggling now: XSS is not the way; leave the http cookie alone; get RIP to do the final trick!

[2013-10-23 16:42:01] Local staff is helplessly wandering around in Luxembourg in order to get food and beverages. See you later!

[2013-10-23 14:58:07] We just extended the CTF by a half hour because it started about half an hour later as well. So the CTF will end on 2013-10-24 08:30:00 UTC now.

[2013-10-23 14:34:17] [Packed] Think outside the box - being several types at once like an animal that can change its color. Excuse the inaccuracy, but that's what you're searching for.

[2013-10-23 13:15:17] [Wannabe] Added an additional URL for the channel without the reverse proxy, but also without ssl

[2013-10-23 12:36:55] [Packed] New Challenge Published: We found a dead robot! Want to take a look at its internals?

[2013-10-23 11:29:37] [Roboparty] Hint: It's neither Velato nor Fugue.

[2013-10-23 09:56:22] [ELF] Ok I think we got it (thanks to Happy-H from Team ClevCode). Ubuntu introduced a patch to disallow ptracing of non-child processes by non-root users. This changes the calculated value. So when you use Ubuntu you should work as root. The other distributions should not be affected. Anyway, I created a VM where the executable works just fine: http://h4des.org/ELF.ova (User: elf:elf and root:root)

[2013-10-23 09:38:10] [ECKA] Hint: He, we have the latest news for you. The first part of their strange key agreement was designed by the famous SHA-Robot Мир!

[2013-10-23 09:18:41] [For whom the bell tolls] New Hints appeard!
RoR has determined that the human agents acts as a proxy and requests meeting place, time and password for others. We think the first message he sends serves to agree on a session key for the answer. RoR analysts have also been staring at pcaps a lot lately. We think that on port 1832 (which we can only monitor passively) we are observing a key establishment that follows the simple ISO/IEC 11770-2 Mechanism 1. However, on tcp/1333 our analysts say that marshalled Ruby DateTime objects are flying by. Not sure, why anyone would do this, but given what we see on the other port, it makes sense (in a twisted way).

Additionally we uploaded a .tar.bz file containing the session key and the IV.

[2013-10-23 08:59:37] [ECKA] For all robo hunters out there: Your quest-description was updated - check it!

[2013-10-23 08:43:03] [ELF] It seems that there are some problems with some Linux Distributions that lead to a wrong flag. The flag is printable and is written in leet-speak. We are working on a VM that works correctly with this challenge. When the VM is ready, you can download it and try again. Sorry for the inconvenience.

[2013-10-23 08:33:42] Guuuuuud morning everyone! Hope you had a save night and enjoyed some Weizenbier! Back to work now..

[2013-10-22 21:05:19] OK everybody. You did a great job till now. Night is coming, stay awake and watch out for random robots appearing near you.

[2013-10-22 19:50:56] [BREW'r'Y] We fixed a tiny bug in BREW'r'Y, it's back now. No game changer, if you're on track you'll notice.

[2013-10-22 15:45:54] [BREW'r'Y] New Challenge Published: The robots took our brewery! Will you help us to get it back?

[2013-10-22 14:53:57] [Breznparadisebugmaschine] Ah, perhaps it helps you to know, that our Breznparadisebugmaschinefirmware is up to date with Windows 2012.

[2013-10-22 14:31:27] [Breznparadisebugmaschine] We managed to reestablish the connection to the Breznparadisebugmaschine! The service is now up.

[2013-10-22 14:28:25] We experienced high load on our servers due to the use of scanners. Please DO NOT use them. If we catch you, we have to ban you!

[2013-10-22 13:48:09] [Geier's Lambda] Version Controll has tricked us. Here is the latest version of pwd_check

[2013-10-22 13:41:52] [Robotic Superiority] As Lieutenant Don Sim realized, his bots are under heavy load. So he just started lib6, ..., lib9 as additional load balancers.

[2013-10-22 12:30:17] [Breznparadisebugmaschine] New Challenge partially online! Server is not set up yet.

[2013-10-22 09:05:00] [For whom the bell tolls] New Challenge Published:
#14 For whom the bell tolls (Misc)

Have fun with it!

[2013-10-22 08:59:20] For Local Teams: Please come to our desk to register as a local team. Local teams can win prices, but only after registration!

[2013-10-21 20:00:26] [Begin Mission Briefing]
Hello everyone,

good to see that so many joined us in our fight for freedom. The robot forces are rising and threaten our Wiesn party. They already captured our main Wiesn party tent and they are about to overrun our breweries. To avoid more damage, we need you to protect the entrances to Oktoberfest, defend the breweries, and regain control of our main beer pump located in the main tent, so that we can continue to party and satisfy our thirst!

We gathered different challenges that you have to solve, to help us fight back the robot forces. Solving even a single one will help us on our way to take back the fairground from the robots. Feel free to find yourself a group of like-minded people and hack ALL the robots.

Now, get ready, grab your keyboards, and rock!
[Mission Briefing Ended]

We will publish new annoucements and hints on this page. Meanwhile you can join our IRC channel #fluxfingers or visit our Twitter account fluxfingers for critical information, if something is down. Almost all challenges are available at start, but few challenges are delayed.

Challenges

For whom the bell tolls (Category: Misc) Author(s): Til

To be frank, the impact partying robots had on the Oktoberfest in the recent years was disastrous. While the authorities have been able to downplay all recent incidents in the press (which habitually tends to blame visitors from the U.S., Australia, Cologne, and other places, where proper beer can only be found by the initiated), they can no longer deny the problem. Several public safety and law enforcement agencies have joined forces to spoil the robot's fun. They have planned a massive crackdown on our fun-seeking robotic friends. Time and location are currently being communicated together with a passphrase. Our organization, Robots on Rampage (RoR), is determined to stop them from stopping our annual beer-tasting event.
A robot agent on location in Munich has dectected a transmission between timestamp 2013-10-19-20:21:42 and 2013-10-19-20:21:43. The precise beginning of the transmission is unknown. The agent was unable to decrypt the message content. Being not the smartest agent, he also disposed of the message capture. In the following we were able to determine the sender location and the Forensic Analysis Robot Team (FART) was able to retrieve the session key and a initialization vector (IV). Judging from the memory fragments FART found, our best guess is that OpenSSL's AES implementation was used in one of the better modes to encrypt the communication. As the session key length is 128bit, the long term key is most probably longer. Due to time constraints we strongly advise against trying to break it. We have less confidence in the humans' ability to design proper communication protocols and services, though. However, we need a human to attack their logic.

We have no way to actively communicate with the server the use for coordination. However, we can give you access to one of the lawful interception wiretaps those humans build into all their equipment. A TCP connection to ctf.fluxfingers.net:1334 will give you a maximum of 60 seconds of traffic. We have also found active equipment of a human agent we can interact with. He seems to listen on ctf.fluxfingers.net:1333, but we have no idea what he does with the input, except that there is encrypted traffic.

Update:
Sessionkey and IV can be downloaded here
 

Scoreboard is in archive mode. You can submit solutions, but you will only receive feedback and are not entered into the scoreboard

Enter solution for challenge

Announcements for For whom the bell tolls

(Published on 2013-10-24 08:13:09)

Ruby Version 1.8.7

(Published on 2013-10-23 09:18:41)

New Hints appeard!
RoR has determined that the human agents acts as a proxy and requests meeting place, time and password for others. We think the first message he sends serves to agree on a session key for the answer. RoR analysts have also been staring at pcaps a lot lately. We think that on port 1832 (which we can only monitor passively) we are observing a key establishment that follows the simple ISO/IEC 11770-2 Mechanism 1. However, on tcp/1333 our analysts say that marshalled Ruby DateTime objects are flying by. Not sure, why anyone would do this, but given what we see on the other port, it makes sense (in a twisted way).

Additionally we uploaded a .tar.bz file containing the session key and the IV.

(Published on 2013-10-22 09:05:00)

New Challenge Published:
#14 For whom the bell tolls (Misc)

Have fun with it!