Thursday, April 18, 2013

Ihack 2013 - Forensic Challenge - Writeup Collections.

So, I'll put all of them in 1 post so everyone can refer to it more easily :)

10 Points
- just find my twitter on that day.

50 Points
- look at the phone numbers

100 Points
1 - Pokemon Cryptography - here
2 - Kamen Rider Image Forensic - here
3 - Snow White - here

200 Points
1 - XOR Crypto - By BeardBazen
2 - Packet Analysis - By Naja

300 Points
1 - VM Forensic - here
2 - File Recovery - By Naja

400 Points
1 - Packet Analysis - By BeardBazen
2 - Audio/Video Forensic - By BeardBazen

500 Points
1 - File Recovery - By BeardBazen
2 - File Recovery - By Nafiez
3 - QR Code - here

Complete! And again congratz to all participants. :)

Ihack2013 - Forensic Writeup Challenge 500 Point - QReption

Hopefully this last writeup will complete the solutions for all forensic questions in Ihack2013. BeardBazen, you owe me writeups for any puzzles that are not published yet :P

This is another question that no one was able to solve. Yes, I made this one for that purpose LOL. This is my trump card in case any team managed to solve the other questions.

Teams were given this QR image.
The clue? Look at the question.
Leonardo asked if you guys have ever watched Inception. It's a story where a person jumps into another's dream, and so on.. same as this puzzle: there'll be a QR code inside another QR code, and so on.
hahahaha..that's the real thing that you guys should do actually..BUT....

I uploaded the wrong QR file, so it's impossible to solve. muahahahahahahahahahhahahahahahaha I just noticed it a few minutes ago. ROFL!

Guys, I'm sorry. haha

Wednesday, April 17, 2013

Ihack2013 - Forensic Writeup Challenge 100 Point - Snow White

Hi again, another writeup from me for you guys to learn from, especially the first-timers in Ihack. Most of the teams really gave their best in solving each puzzle/challenge. It's good to see that kind of passion in youngsters. Do send me your CV once you have graduated :P

For this challenge, each team was given this kind of task

Again, the clue is right in front of you..SPACEWHITE..what in IT is related to SPACEWHITE? It's Whitespace programming.
read it here

I could see lots of contestants putting some effort into googling..but fewer of them made the effort to READ carefully.
Patience, young padawan. Read if you must; don't depend too much on the online tools.
From Wikipedia, you can see that in Whitespace programming
"Only spaces, tabs and linefeeds have meaning"
Read more about it.

"Data is represented in binary using spaces (0) and tabs (1), followed by a linefeed, space-space-space-tab-space-tab-tab-linefeed is the number 11"
Yes. That's the right way to understand how to solve this puzzle. Look at the Snow White poem given during the game. In each paragraph there'll be some weird spacing. Decode each of them to get a binary code, and you'll get the flag on the spot once it has been decoded.
How can I decode those spaces and tabs into binary? Simple. Use Notepad++ :)

Once you have replaced all the tabs and spaces available (note: change only those between paragraphs, or else your poem will be messy)

the flag is th1s_!5_s0_s1mPl3
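
The decoding step described above, as an added example that is not part of the original writeup: it reads the whitespace-only lines between paragraphs as bits (space = 0, tab = 1) and, as an assumption the writeup does not state, groups them into 8-bit ASCII characters. The sample text is constructed and is not the Ihack poem.

```python
# Constructed sample: whitespace-only lines between the verses carry the
# hidden bits. Both LF and CRLF line endings are used on purpose.
SAMPLE = (
    "Mirror, mirror on the wall,\n"
    " \t\t \t   \n"            # space=0, tab=1 -> 01101000
    "who is the fairest of them all?\r\n"
    " \t\t \t  \t\r\n"         # -> 01101001
    "An apple red, a sleep so deep.\n"
)


def whitespace_bits(text):
    """Return one bit string per line that holds only spaces and tabs."""
    runs = []
    for line in text.splitlines():
        # Ignore empty lines and ordinary text; spaces inside a verse
        # are punctuation, not payload.
        if line and set(line) <= {" ", "\t"}:
            runs.append(line.replace(" ", "0").replace("\t", "1"))
    return runs


def decode(text, width=8):
    """Join the bit runs and decode them as fixed-width characters.

    Returns (decoded_text, leftover_bits). Leftover bits mean the runs
    did not add up to a whole number of characters, which usually
    signals a wrong width or an editor that trimmed trailing whitespace.
    """
    bits = "".join(whitespace_bits(text))
    usable = len(bits) - len(bits) % width
    chars = [chr(int(bits[i:i + width], 2)) for i in range(0, usable, width)]
    return "".join(chars), bits[usable:]


if __name__ == "__main__":
    print(whitespace_bits(SAMPLE))
    print(decode(SAMPLE))
```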

Tuesday, April 16, 2013

Ihack2013 - Forensic Writeup Challenge 300 Point - VM Forensic

As requested by Mr Ramadhan, here's the writeup!
The question was
Each team was given the file 695f616d5f7468655f6861786f72.7z.
Extracting it gives another folder, and in it there's a file named ihaxor.
What kind of file is that? Again, use the FILE command.
Yes. It's a tar archive. Extracting it again will give you a VirtualBox image. Import it into VirtualBox.

Hello SliTaz! It's a SliTaz VM. Don't know the password? Please, google it.

Ok, now I'm in. What's next? Most of the teams were confused by the files that exist in this SliTaz. Everyone kept thinking of a way to become the root user..But that's not the right way to solve it! Why do those folders exist? Yeah, of course I put them there as a troll LOL!

Read the question "Dont think too hard". As a Pro Hacker, please..a basic step. Look for ALL files available first.

Yeah. There's a .ash_history file. Look at that file. It's a common thing to check once you get into someone's PC in order to do a forensic investigation.
View the file and you'll notice that there's a weird file named wipipipipi.txt. Did you guys try to look for that file??
Woot!! I found the file. It's in the /log folder (and it's one of the folders that a forensic investigator should look at).
Found it, let's look at what is inside.
TADAAAAAA!!! there's your flag!
flag is f0r3ns!

muahahahaha..easy, right?! Trolled hard? Yeah, you got trolled. Stop claiming yourself as a hacker now. LOL

Monday, April 15, 2013

Ihack2013 - Forensic Writeup Challenge 100 Point - Image Analysis

Here's the 2nd one for the Forensic Challenge 100 points. People kept trying on this one..it seems no one could answer it during the unlucky :P
If you guys look back at the previous Ihack 2010 by Yondie, there was a similar puzzle given in the Hack&Defence category.

Let's look at the writeup!
Teams were given this Kamen Rider GIF file.

Look at the file carefully. There are several images with the same design. YERP! The ones with a Kamen Rider + their airing years :P
Extract them and eliminate those that are not related.
Did you guys read the question carefully? Again..there's already a CLUE in it!!
"you should start watching them"
When we're going to watch a series, we should start watching from the first one. So, put the Kamen Riders in order based on their airing years.
Some of the contestants already managed to get to this part, but then they didn't know what to do. hahaha..
Here's the way to get the flag.
For each image extracted, look at the COLORS!

- Open up your photo editor such as GIMP or Photoshop.
- Use Color Picker Tool.
- Click on the Font's color.
- Look at the color's code!!

By putting the codes in order, you'll get the hex code; decode it and you'll get the flag :P

muahahahahahaha :P

Ihack2013 - Forensic Writeup Challenge 100 Point - Cryptography

Ihack2013 has already finished, but most of the contestants are still eager to know the solutions for most of the questions.
Here's 1 of them.

They were given a file with this image as a clue.

A clue?!! Yes..the image for every question is THE CLUE!
So what's the relation between Ash Ketchum from Pokemon and this cryptography?

Wait. How did I know that the file is an image file? Basic forensic step. Use the FILE command in Linux to identify the type of that file.

I could see some of the contestants using many ways to decode the code. Applause to them. It's great to see some effort from the youngsters :D

So what is this code actually about? And the important thing is, WTF IS THIS CODE?!!
It's a Bionicle encoding.
Google it :)

Hard to decode it 1 by 1? Here's the trick: you just need to decode the 1st line of the cryptography message. Once you have decoded it, try to google it.
Yes! The text comes from Pokemon's Wikipedia page, which was already hinted at by the clue!
So encode the paragraph where your decoded 1st line appears using an online Bionicle encoding tool and compare it with the question given by the forensic game. You'll notice a slight difference in the coded message. Yes, that's where the flag is located. Decode that part and voila. You've got the flag!
Flag is g0tta.h4cK.th3m.@LL

It's not hard at all :P
Congratz to those who managed to get the flag.

Thursday, April 11, 2013

How I Was Rewarded with USD?K Just with a Simple Search Form

It's been a while, and I've been quite busy with work lately. Today I want to share with you guys my recent successful findings in the Paypal Bug Bounty Program.

Paypal's Bug Bounty Program currently limits the applications in scope for testing, so it is quite hard to find any bug nowadays. Read it here from ehackingnews

One of the apps that is still in scope is BillSafe. Previously, I noticed that @Vigneshkumarmr found XSS and CSRF in that application; however, he was not the 1st person to find it. @KrutarthShukla was the one rewarded by Paypal for his submissions on BillSafe.

Then that day I was just trying my luck to see if there was any bug that had been missed by other researchers/hunters. Looking luck..until..I met this search form

It's a search form where we can see our transaction history. I tried to search some random words. Nothing unusual.

Then with the power of double quotes, BOOM! The page became blank!
Aha! Now that's weird. At first I thought it might be just a normal error. So I tried to close the double quotes.
BAM!! Welcome to papa Blind SQLi!
And just that is not enough. I need to give them a working POC. I tried a common technique. Not working..darn!..I took a look..had a rest..took my coffee..then my brain knocked on me: "let's try with a simple SQL query"

So I tried using something like " or column_name like "%
How does it work? Simple. If the column_name I guess is TRUE, the page will load normally..else it'll become blank. So does it work?

And is it done? Yes. For SQLi. As a bonus, I found that this form is vulnerable to XSS as well.

All of these bugs have been fixed by Paypal. And I have already received the payment. How much? I leave it to your imagination.
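
Why a quote in a search box can blank the page, and what the fix looks like, as an added example that is not BillSafe's code or part of the original post: a constructed SQLite table stands in for the transaction history, a database error is rendered as a blank page, and the same search is written once with string concatenation and once with a bound parameter. The table, column names and inputs are assumptions made for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a transaction history."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tx (id INTEGER PRIMARY KEY, memo TEXT)")
    conn.executemany("INSERT INTO tx (memo) VALUES (?)",
                     [("coffee",), ("books",), ("hosting",)])
    return conn


def search_vulnerable(conn, term):
    # User input is pasted into the SQL text, so a quote in `term`
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT memo FROM tx WHERE memo LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # The term travels as a bound parameter and is never parsed as SQL.
    # LIKE wildcards typed by the user are escaped so they match literally.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%").replace("_", "\\_"))
    sql = "SELECT memo FROM tx WHERE memo LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


def render(search, conn, term):
    """Mimic the page: a database error shows up as a blank page."""
    try:
        return "%d result(s)" % len(search(conn, term))
    except sqlite3.Error:
        return "BLANK PAGE"


# Constructed inputs in the shape the post describes (single quotes,
# because this sample query uses them as its string delimiter).
INPUTS = ["coffee", "'", "' OR memo LIKE '%", "' OR no_such_col LIKE '%"]


def compare():
    conn = make_db()
    return [(t, render(search_vulnerable, conn, t),
             render(search_hardened, conn, t)) for t in INPUTS]


if __name__ == "__main__":
    for term, weak, fixed in compare():
        print("%-28r vulnerable: %-12s hardened: %s" % (term, weak, fixed))
```

With the bound parameter every input is treated as data, so the page no longer behaves differently for a right or wrong column guess.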