
© 2016 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under the Malaysian Companies Act 1965 and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Malaysia.

KPMG CYBERSECURITY CHALLENGE 2015 – SOLUTIONS

9TH DECEMBER 2015


Contents

Tick Tock!! (p. 3)
Don't Brute Force Me (p. 3)
Decipher Me! (p. 3)
The Grocery Heist (p. 3)
Where is the body? (p. 3)
1-11-111 (p. 3)
Just Another Dot Dot Slash (p. 3)
APK 101 (p. 3)
Catch The Fly (p. 4)
Thorin's Passkey (p. 4)
ShockWave (p. 4)
Reverse Engineering 1 (asd.exe) (p. 4)
Reverse Engineering 2 (p. 4)
Reverse Engineering 3 (p. 9)
Pcap 1 – network analysis (p. 16)
Pcap 2 (p. 16)


Tick Tock!!

1. Dump the file into a hex editor and analyze the file signature of the original file.
2. Extract the additional hex and analyze its file type.
3. Use SoX to identify and extract the channels.
4. Analyze both extracted sound channels in hex to identify the hidden zip file.
5. Repair the extracted zip file and obtain the flag.
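Steps 1, 2, 4 and 5 are a file-carving exercise: check the declared signature, look for bytes past the container's declared size, and carve the embedded ZIP out of them. The Python below is an added example, not part of the KPMG write-up; it builds a constructed WAV with a ZIP appended (the SoX channel split of step 3 is outside its scope) and carves it the way a hex-editor pass would.

```python
import io
import struct
import wave
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of a ZIP local file header
ZIP_EOCD = b"PK\x05\x06"           # signature of the end-of-central-directory record

def build_sample(flag_text: bytes) -> bytes:
    """Constructed sample: a mono 16-bit WAV with a small ZIP appended after the RIFF chunk."""
    wav_buf = io.BytesIO()
    with wave.open(wav_buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(b"\x00\x00" * 800)  # 0.1 s of silence
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("flag.txt", flag_text)
    return wav_buf.getvalue() + zip_buf.getvalue()

def riff_declared_size(data: bytes) -> int:
    """Total size the RIFF header claims: 8 header bytes plus the little-endian length at offset 4."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    return 8 + struct.unpack_from("<I", data, 4)[0]

def trailing_data(data: bytes) -> bytes:
    """Bytes that follow the declared RIFF container; a clean WAV returns b''."""
    return data[riff_declared_size(data):]

def carve_zip(data: bytes):
    """Return the bytes from the first ZIP local header through the EOCD record, or None."""
    start = data.find(ZIP_LOCAL_HEADER)
    end = data.rfind(ZIP_EOCD)
    if start < 0 or end < start:
        return None
    comment_len = struct.unpack_from("<H", data, end + 20)[0]  # EOCD is 22 bytes + optional comment
    return data[start:end + 22 + comment_len]

def read_carved_zip(zip_bytes: bytes) -> dict:
    """Map every member name in the carved archive to its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}
```

If the appended archive has been damaged (as in step 5), `carve_zip` still returns the candidate span and `zipfile` raises `BadZipFile`, which tells you the repair is needed before extraction.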

Don't Brute Force Me

1. Identify the running version of GlassFish.
2. Conduct information gathering via Google to identify the critical vulnerability.
3. Exploit the GlassFish server via the authentication bypass flaw and obtain the flag.

Decipher Me!

1. File name = base64 encoded = URL link.
2. The image contains the 2nd part of the URL link.
3. Navigate to the given URL. Decipher using the shift-left method.
4. The cipher text is shifted 3 times.

The Grocery Heist

1. Run strings on the file to obtain the URL.
2. Follow the URL to download a file and a reference link for deciphering the cipher text.
3. Paragraph, Line, Count = the hint given in the challenge.
4. Use the reference material to obtain the flag.

Where is the body?

1. Analyze the sound.wav file and extract a spectrogram to obtain the flag.

1-11-111

1. Identify the Morse code equivalent of 1.
2. Based on the title, the number of 1 characters increases after each character.
3. Remove all 1s and convert the Morse code to readable text to obtain the flag.

Just Another Dot Dot Slash

1. Navigate to the readme file path given on the page.
2. Intercepting the response from the page provides a set of MD5 hashes.
3. Cracking the MD5 hashes provides the next hint to solve the challenge.
4. Conduct a Google search to identify the vulnerability affecting the revslider plugin for WordPress.
5. Download the flag via the local file inclusion vulnerability found in that particular version.

APK 101

1. Decompile the app.
2. Analyze the login function.
3. Obtain the string names Str1 and Str2 from the /res folder; these generate the paramview code (flag).


Catch The Fly

1. Analyze the packets in Wireshark.
2. Identify the encrypted wireless packets.
3. Crack the key with aircrack-ng.
4. Decrypt the packets with airdecap-ng to obtain the flag.

Thorin's Passkey

1. Follow the pattern on the keyboard based on the given cipher code.
2. Capitalize the letters and submit as the flag.

Imaweird

1. Run exif on the file.
2. Decode the base64-encoded flag to obtain the flag.

ShockWave

1. Decompile the swf using SWF Investigator.
2. The flag location is in the Metadata tag: "http://goo.gl/PL0XpF".
3. The flag is shown in a text file.

Reverse Engineering 1 (asd.exe)

Open asd.exe in OllyDbg or Immunity Debugger. Hit F9 to run; it will hit the “Enter Password:” prompt at the command prompt. If you enter “asd” as the password it displays unreadable content; if you enter any other characters it returns to “Enter Password:”. Reading through the disassembly in IDA Pro, you will find a compare statement that always evaluates to true. Patch the true to false and you will jump to a function that holds an array of characters, each XORed with the next character of the array. The flag will show as w0vv_cOngR@tv|atioN_fLAG

Reverse Engineering 2

Open the file in OllyDbg or Immunity Debugger. Hit F7 to step in and F8 to step over functions until you see a function that checks for a debugger. ** Use F2 to set a breakpoint. **


You can NOP out the assembly as below.

You will notice a prompt for “Not bad!” then continue to call a function.

You may encounter compare statements like the one below that try to call exit.

After that you will end up at the image below.


View in IDA Pro

Step into the decode function. You may notice an XOR loop. CMP ESI, 40 compares the counter against 0x40 (64 characters), so we can assume it is decoding the base64 key.

View in IDA Pro


After a few loops you will obtain the modified base64 key.

When you step through a few more functions you will notice an exception being raised, which is caused by SEH (structured exception handling).


You will get the false flag.

Restart the program and let it jump to correct function.

You need to spot the infinite-loop function and patch the call with NOP before the program jumps into it. After that you will reach the XOR loop, which now decodes a different base64 key.

After that you will face an anti-debugger technique.


You will see another infinite loop. Patch it with NOP and continue stepping through the loop. You may notice a new base64 key.

Before it decodes the string, you will encounter another SEH.

Then the flag appears.

Reverse Engineering 3

Open the executable in x64dbg; it is a 64-bit executable. Step over a few functions and you will find the “Enter Password:” function.


You will notice comparisons of the input length against less than 1000, 2000, 3000 and 4000 inputs, and against less than 100 inputs.

The branches for inputs of less than 1000, 2000 and 3000 are trap functions. Only the "less than 100" and "less than 4000" function calls are the real path to the flag. After checking the input size, if it is less than 100 characters, the program performs bitwise shifting on 8 characters.


Then the 8 characters are passed to XOR function_1. XOR function_1 has 4 new characters that are passed to bitwise shifting function_1 and combined with the previous 8 characters to perform the XOR decode.

After that the 12 XORed characters are passed to base64 function_1. Base64 function_1 has 4 new characters that undergo a bitwise shift and XOR and are then combined with the 12 characters to make 16 characters.

Then it continues to jump to another function and outputs “Where is my head?” in the command prompt. Tracing back, we find the 16 decoded characters.


The hint “Where is my head?” tells us that another part of the code is missing. Go to the function for inputs of less than 4000 characters. It performs the bitwise shift, XOR and base64 in the same way as the previous method, just with a slightly different approach.


The decoded 16 characters are shown below.

Combine the previous 16 characters with the new 16 characters and base64 decode the result. Then modify the existing 32 characters.


The flag


Pcap 1 – network analysis

1. Rebuild the email file header to the .msg type; it is an Outlook .msg format.
2. Extract the attachment from the email and perform base64 decoding 10 times.
3. Insert the private key file into Wireshark to decrypt the SSL traffic.
4. Extract the pyc file from Wireshark.
5. Obtain the username and password from the POST /index.html packet.
6. Decompile the pyc file using uncompyle2. “import binascii” is not used in the Python script.
7. realkey = binascii.unhexlify(“password_data”)
8. Flag is: iloveencodeandencryption!
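Steps 2 and 7 above describe peeling ten layers of base64 and then unhexlifying the result. The Python below is an added example, not code from the write-up or the challenge: it wraps a constructed key the same way and shows the stopping heuristic (a hex string is itself valid base64, so you detect the last text layer by the decode turning into binary).

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def build_sample(secret: bytes, layers: int = 10) -> bytes:
    """Constructed sample: hex-encode the secret, then wrap it in `layers` rounds of base64."""
    blob = binascii.hexlify(secret)
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return blob

def peel_base64(blob: bytes, max_layers: int = 64):
    """Strip nested base64 while each layer decodes cleanly to printable ASCII.

    Returns (innermost_text, layers_removed).  Decoding stops when the next
    layer would come out as binary: that is how the last text layer is told
    apart from one more accidental decode of a hex string."""
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 at all, so blob is already the innermost layer
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break  # next layer is binary, keep the current text
        blob, layers = decoded, layers + 1
    return blob, layers

def recover_key(hex_payload: bytes) -> bytes:
    """The write-up's final step: realkey = binascii.unhexlify(password_data)."""
    return binascii.unhexlify(hex_payload)
```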

Pcap 2

Andy's private key: tcp.stream eq 61
Metasploit keylogger: stdapi_ui_get_keys
Andy's private key password: tcp.stream eq 61 (search for "[email protected][email protected]")
* When the private key is extracted from Wireshark the line spacing is off: 0A 0A has to be changed to 0D 0D 0A.
David's private key: tcp.stream eq 83
David's private key password: tcp.stream eq 83 (...H.....2.R.....D.3.....R. .P.....2.S.5.)
* In the msf keylogrecorder output all keys are transmitted as capital letters, so view the stream in hex:
    01 01 01 01 01 48 03 10 03 a1 03 32 01 52 03 10    .....H.. ..2.R..
  48 on its own means a small h, not a capital H.
  10 03 a1 means shift is on, so key 2 becomes @.
  52 is R; without a preceding 10 03 a1 it means a small r.
    03 a1 03 44 01 22 03 10    ...D.3..
  10 03 a1 means shift on, so 44 (D) means a capital D.
  10 03 a0 also indicates shift on.
Actual flag: tcp.stream eq 87 (Harry Potter and Hermione). I_THINK_I_FALL_ON_YOU_FLAG needs to be base64 decoded and then decrypted with David's private key.