DEF CON Quals - Access Control (Reverse Engineering 1)
by: ColdwaterQ on June 2 2015
This challenge was a rather simple reversing problem. Javantea and I worked on this.
The hint for this challenge was:
When we connect to that site, a connection id is returned to us, and we are expected to return a version. Since we didn’t know the version to send, we tried running the client. The client requests that the user enter something before it will connect, so we opened the client in Hex-Rays. This showed that the client was expecting “hack the world”. We ran the client again, entered the phrase, and watched the communication with the server in Wireshark.
With this we found that the communication worked as follows.
Running this a couple of times, we found that the password changed every time, so we tried to impersonate the server. Looking at this in Hex-Rays, it was clear that the password was an XOR of the user name and the connection id, with the connection id offset by 0 to 3. This offset was probably based on something; however, since the password could be tried multiple times, it was easier to simply try the password at each of the four offsets.
Once we had a client that could log in as grumpy, which is the same user the provided client uses, we took the list of users and tried logging in as each of them. With each user we logged in and tried the command “print key”. The full list of users was:
The user duchess was the only user that seemed to be allowed to view the key, which we took as a reference to Archer. With this user we were presented with a challenge that looked similar to the generated passwords. That part of the connection is shown below.
So we looked at the client again and found the part of the client that handled the challenge and response. This was also an XOR, but this time of the challenge against the connection id, with the connection id offset by six plus the offset used for the password.
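To make the two XOR steps above concrete, here is an added example (not the client from this write-up, and not the challenge's own code) that reconstructs the password and challenge-response computations as described, and drives them against a toy stand-in for the server so the "try every offset" approach can be seen working. The connection id and user names are constructed sample values; the byte-level details (raw bytes, cyclic indexing into the connection id, XOR over the length of the user name or challenge) are assumptions, since the page does not state them.

```python
import os
from typing import List, Optional

# Constructed sample values; the real server issues a fresh connection id
# per connection. "grumpy" is the user the provided client logs in as.
CONN_ID = bytes.fromhex("0123456789abcdef")
USERNAME = b"grumpy"


def xor_with_offset(data: bytes, conn_id: bytes, offset: int) -> bytes:
    """XOR each byte of data with the connection id, starting at `offset`.

    Cyclic indexing into conn_id is an assumption, not something the
    write-up confirms.
    """
    n = len(conn_id)
    return bytes(b ^ conn_id[(offset + i) % n] for i, b in enumerate(data))


def candidate_passwords(username: bytes, conn_id: bytes) -> List[bytes]:
    """Passwords for offsets 0..3; the rule selecting the offset is unknown."""
    return [xor_with_offset(username, conn_id, off) for off in range(4)]


def challenge_response(challenge: bytes, conn_id: bytes, password_offset: int) -> bytes:
    """Challenge XORed with the connection id offset by 6 plus the password offset."""
    return xor_with_offset(challenge, conn_id, 6 + password_offset)


class ToyServer:
    """Hypothetical stand-in for the challenge server, for local testing only."""

    def __init__(self, conn_id: bytes, offset: int, key_users=(b"duchess",)):
        self.conn_id = conn_id
        self.offset = offset          # the server's secret offset choice (0..3)
        self.key_users = set(key_users)
        self.user: Optional[bytes] = None
        self.pending: Optional[bytes] = None

    def login(self, username: bytes, password: bytes) -> bool:
        if password == xor_with_offset(username, self.conn_id, self.offset):
            self.user = username
            return True
        return False

    def print_key(self) -> Optional[bytes]:
        """Only users allowed to view the key get a challenge back."""
        if self.user in self.key_users:
            self.pending = os.urandom(8)
            return self.pending
        return None

    def answer(self, response: bytes) -> bool:
        expected = (xor_with_offset(self.pending, self.conn_id, 6 + self.offset)
                    if self.pending is not None else None)
        self.pending = None
        return expected is not None and response == expected


def login_any_offset(server: ToyServer, username: bytes) -> Optional[int]:
    """Try the password at each offset; return the offset that was accepted."""
    for off, pw in enumerate(candidate_passwords(username, server.conn_id)):
        if server.login(username, pw):
            return off
    return None


def retrieve_key(server: ToyServer, username: bytes) -> bool:
    """Full flow: log in, ask for the key, answer the challenge."""
    off = login_any_offset(server, username)
    if off is None:
        return False
    chal = server.print_key()
    if chal is None:            # user is not permitted to view the key
        return False
    return server.answer(challenge_response(chal, server.conn_id, off))


if __name__ == "__main__":
    srv = ToyServer(CONN_ID, offset=2)
    print("grumpy sees key:", retrieve_key(srv, USERNAME))
    print("duchess sees key:", retrieve_key(ToyServer(CONN_ID, offset=1), b"duchess"))
```

The offset recovered at login is reused for the challenge response, which is the only reason the second step works without a second round of guessing; if the server had chosen the two offsets independently, the response would also have to be tried at each candidate.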
Then we sent the answer to the server and the server sent back the flag of:
Below is the client I wrote in Python.
To see write-ups for more challenges completed by others on Neg9, check out the Neg9 site.