CTF write-up: Lork edition

Ben0xA has outdone himself with his latest CTF challenge.

In the lead up to BSides Detroit, the website hosting the challenges (bsjtf.com) suddenly changed into a terminal prompt.

It asked if I wanted to play a game.

Yes….yes I do.

(If you want to play it yourself, it’s up at https://bsjtf.com/lork/  Don’t read ahead if you want to figure it out for yourself!)

The scenario is that a rogue agent has hacked our server and replaced it with a complex set of puzzles.  First, I had to start the game.  The obvious choice was “Global Thermonuclear War”, as it references WarGames.  However, being inquisitive, I tried every game that showed up at the “LIST GAMES” command.

I got nothing but trolling responses until entering the obvious choice.

Now the real game begins.

The game is titled “Lork” and it is a clone of the old text adventure Zork, which I have fond memories of playing as a kid.  In the starting room, there is only one way to go.

Going that way gets you eaten by a grue.  Unless you turn on your flashlight first.

Now we get our first challenge.  There’s a door locked by a keypad which we have to get through.  The only clue is a note in a closet saying “Mr. Fuzzing’s name must be fuzzed, trimmed, and truncated.”  After manipulating my entries to try to bypass the keypad, I took note of the fact that the server response was a block of JSON data followed by a zero.  I also noted that although I could enter up to 45 characters, the username returned was cut down to 20.

If you enter any random data, it says you must be ADMIN.  If you enter ADMIN, it says you are not ADMIN.  But, because of the operations listed in the clue (fuzzing, trimming, truncating), I figured out that entering ADMIN followed by 15 spaces and then 1 would let me through.  The spaces pad it out to the maximum length, but they are then trimmed.  The server then has the name ADMIN, but the extra 1 replaces that 0 in the server response.  That changes the admin flag from false to true, and we are on to the next room.
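To make the keypad bug concrete, here is an added Python model (not the challenge’s own code) of a fixed 20-byte name field sitting directly in front of a 1-byte admin flag, with the unbounded write beside a bounded version that keeps the flag as server-side state. The record layout, response strings and function names are my assumptions.

```python
# Added model of the keypad bug (not the challenge's code). Assumed layout:
# a 21-byte record = 20-byte name field followed by a 1-byte admin flag.
NAME_LEN = 20
MAX_INPUT = 45   # the keypad accepted up to 45 characters
RECORD_LEN = NAME_LEN + 1

def respond(name: str, is_admin: bool) -> str:
    """The three responses described in the write-up."""
    if name != "ADMIN":
        return "You must be ADMIN."
    if not is_admin:
        return "You are not ADMIN."
    return "Access granted."

def vulnerable_keypad(entry: str) -> str:
    """Buggy server: the whole entry is copied into the record, so the
    21st character lands on the admin flag byte."""
    record = bytearray(b" " * NAME_LEN + b"0")         # name field + flag '0'
    data = entry.encode()[:MAX_INPUT][:RECORD_LEN]     # keep record size fixed
    record[:len(data)] = data                          # overflows into the flag
    name = record[:NAME_LEN].decode().strip()          # truncated, then trimmed
    is_admin = record[NAME_LEN] == ord("1")
    return respond(name, is_admin)

def hardened_keypad(entry: str, session_is_admin: bool = False) -> str:
    """Fixed server: the write is bounded to the name field and the admin
    flag comes from server-side session state, never from the entry."""
    record = bytearray(b" " * NAME_LEN)
    data = entry.encode()[:NAME_LEN]                   # bounded copy
    record[:len(data)] = data
    name = record.decode().strip()
    return respond(name, session_is_admin)

BYPASS_ENTRY = "ADMIN" + " " * 15 + "1"   # the entry described in the post

if __name__ == "__main__":
    for entry in ("guest", "ADMIN", BYPASS_ENTRY):
        print(repr(entry), "->", vulnerable_keypad(entry), "|", hardened_keypad(entry))
```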

In this room, there is a blank piece of paper, but when a candle is lit with the provided matches, some glowing symbols appear.  The symbols are <~3<~>, <~2#~>, <~1&~>, and <~1B~>.  The number 85 is also on the page.  Also in the room, there is a four digit lock on a trap door under the carpet.

After a little thinking and research, I realized that the symbols were numbers encoded in ASCII85.  I found a decoder online and got 9, 5, 2, and 3.  I iterated through combinations on the lock until I succeeded with 3592.
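The decoding step done locally, as an added example (not part of the original write-up): Python’s standard library handles the Adobe-style `<~…~>` ASCII85 framing, and the 24 orderings of the four decoded digits are the candidate lock codes. The symbol list is copied from the page; the function names are mine.

```python
# Added example: decode the glowing symbols as Adobe-framed ASCII85 and list
# the 4-digit codes their digits can form. Not code from the challenge.
import base64
from itertools import permutations

SYMBOLS = ["<~3<~>", "<~2#~>", "<~1&~>", "<~1B~>"]   # as written on the paper

def decode_symbols(symbols):
    """Each <~..~> group holds two ASCII85 characters, i.e. one decoded byte."""
    return [base64.a85decode(s.encode(), adobe=True).decode() for s in symbols]

def candidate_codes(digits):
    """Every distinct 4-digit ordering of the decoded digits, as strings."""
    return sorted({"".join(p) for p in permutations(digits, 4)})

if __name__ == "__main__":
    digits = decode_symbols(SYMBOLS)
    codes = candidate_codes(digits)
    print("decoded digits:", digits)                 # ['9', '5', '2', '3']
    print(len(codes), "codes to try; 3592 present:", "3592" in codes)
```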

Down into the next room.  This one gave me some trouble.  There was a central room with chambers to the North, East, South, and West.  Each of the four chambers had a touch screen and a button.  The central room had a red and a green button on the floor, and a piece of paper.  The paper had a phone number and code on it.

I had seen this phone number in a prior CTF challenge; it’s a voicemail service.  When the number and code were dialed, a series of tones played.  I knew it was an RTTY transmission that I needed to decode.

However, between calling on my cell phone and recording from my laptop speaker I got a very degraded signal.  I tried many settings, but nothing seemed to work.  I thought that perhaps the RTTY would decode to a ciphertext that I would have to decode with something else, but that went nowhere.  Finally, I asked the challenge author some questions, and he confirmed the message would result in cleartext.  That focused my attempts, and I was able to see parts of words with certain settings.  Using the minimodem program on a Linux virtual machine, I was able to alter the baud rate by small increments.  These small changes made different letters appear more clearly, and eventually, I was able to tease out parts of the message.  Most importantly, I clearly saw r7=FLOWER.  That let me know that the message had the codes for each of the four touch screens.  Through trial and error and some educated guessing, I got the four codes: CONTRA, FLOWER, NITRO, and FROGGER.  That first password also gave me an idea of what I had to do next.

The rooms were arranged like a Nintendo pad.  I pushed the buttons in the order of the famous Konami code: N, N, S, S, W, E, W, E.

The green button in the middle then led to the final room (instead of a painful death, as it did every other time).

The final challenge presented a laptop logged into a bash prompt.  Most normal Linux commands resulted in “command not found”, but a few things worked.

First, I was able to list the current directory and see that there was a Python file.  Trying to run it resulted in a joke, claiming four pythons slithered out of the wall panels.  Thankfully, it did not kill you and make you start over.

I was able to see the contents of the Python file with the ‘cat’ command.  The script would generate an encoded string based on three variables, and the last variable depended on the current time, changing every 30 seconds.

The variables had been erased after the last time it was run (according to the history, which also showed the server to connect to when you have the correct password).

Based on the variable names and some quick Google searching, I discovered that the variables (firsthacker, rats, year) were based on Nevil Maskelyne, who famously interrupted Marconi’s demonstration of the telegraph in 1903.  The year was clearly meant to be 1903, and “RATS” was the initial uninvited message Maskelyne sent to Marconi’s telegraph.  The rats variable was mapped to the variable “ditdah” in the function, which indicated we needed to write it out in Morse code (.-. .- - ...).

With the variables populated, the last thing to do was synchronize the time between the server and my machine where I could generate the password.  I hardcoded a time that was a little ahead of the reported time from running the ‘date’ command on the laptop.  The passwords I received had some characters which appeared to be erroneous or invalid.  I kept trying different things but (with some assistance from @Ben0xA) I realized that I had to just go ahead and enter those bad characters.  It worked!

This was a fun — occasionally infuriating — but ultimately satisfying challenge.

Leaking sandbox?

Everyone’s favorite exploitation target, Adobe, seemed to have made some big strides with its newer versions of their Reader software. They implemented sandboxing, which theoretically restricts the program’s access to only the resources it requires.

I say “theoretically” as it seems to have been broken.

I’ve said it before, but if you just need basic PDF reading functionality, don’t use Adobe Reader. There are lots of other options, and it’s far too big a target. And there’s always a new hole found.

It’s fun to pick on Adobe for poor security, but in their defense, the two widely exploited products (Reader and Flash) that they own are:

  1. very popular
  2. and…
  3. the types of programs that are most difficult to secure

Any application that processes large files that can contain a wide range of data is highly susceptible to exploitation. It’s difficult to secure a program when you have to accept and load such a variety of inputs.

To paraphrase Chris Rock: “Adobe, I’m not saying you shouldn’t secure your programs….but I understand.”

Are we at cyberwar?

This blog post at Computer World has an inflammatory headline, which should hopefully get some attention from CISOs (Chief Information Security Officers).

I generally appreciate Richard Clarke’s work, but it should be taken with a grain of salt.  His positions on information security remind me a lot of Al Gore’s positions on global warming.  They both overemphasize and focus on worst-case scenarios, but they do so because they see a problem being largely ignored.  That said, I think the big takeaway from this is that although we face many attacks from foreign nations (a fraction of which are state-sponsored), the main target of the attacks is not the military or government.

The Department of Defense has pretty strong policies in place to protect their information systems (how well those policies are implemented varies widely).  An external attack would require a lot of work for relatively little payoff.  Insider threats (such as Bradley Manning) are the issue that should really worry the military.

It is private industry that is being assaulted from overseas, because this so-called “cyberwar” is a war of economics.  Corporations are global entities, and by obtaining inside information of a U.S.-based corporation, foreign companies and individuals can gain a distinct advantage.

To use one of my favorite movie quotes:

The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeroes, little bits of data.

Sneakers (1992)

Too many companies are lax on security because they think they don’t have anything desirable. “We don’t have any military contracts or credit card information, why would we be a target?”

These companies end up being some of the biggest targets, since they are easier to exploit and their inside business information can be as valuable as stolen credit card numbers, if not more so.

Idiots and their luggage.

Recently, the Syrian government’s webmail server was compromised by Anonymous.  They went on to dump the users and passwords on the system.

The most common password?  12345.

This story broke last week, but countless websites are not telling it correctly.  The error is that they claim the President’s account was hacked and his password was 12345.  I started off writing this post with that information, but I like to do a little something called “fact-checking” before I commit information to the Internet.  I linked two original sources above.  Haaretz, the Israeli publication that seems to be the original source, had their information correct.

The attack took place overnight Sunday and the target was the mail server of the Syrian Ministry of Presidential Affairs. Some 78 inboxes of Assad’s aides and advisers were hacked and the password that some used was “12345”.

It seems pretty straightforward, but apparently reading comprehension isn’t an important skill to be an Internet journalist.

The other problem is that most people assume the breach was due to the weak passwords.  That is not necessarily the case.  The passwords on display are the passwords used to get into an individual user’s email box… to dump the users and passwords from the email system they would need remote access to either the server or the MySQL instance*.  Hopefully that access was not guarded by such weak passwords.  I believe it is most likely that the server (or database) was accessed through an unpatched vulnerability.  Once access was obtained, they dumped out the passwords, and then went through the webmail interface to sift through all of the email boxes.

All that said, weak passwords are a major issue.  I intend to post a follow up soon with some steps to prevent bad passwords.

*Please don’t put your databases online unless absolutely necessary.

Hacking the Superbowl

This Sunday is Superbowl XLVI (or if you prefer, XLII part 2…Will the scrappy underdog Giants stun the Patriots again, or will Tom Brady get his revenge and fourth ring*)

It seems every year a slew of articles come out talking how tight security is at the Superbowl.  This year a quote jumped out at me:

Brigadier Gen. Stewart Goodwin, of the Indiana War Memorial, said keeping tabs on downtown security will be just a click away for some officials. “If you had the right (Internet) address, you could set up a laptop anywhere and you could watch the camera from there,” Goodwin said.

http://www.theindychannel.com/news/30244695/detail.html

Now I sincerely hope that this is an oversimplification to be used as a sound-bite, because if I were someone interested in messing around with the security at Lucas Oil Stadium I get a couple of takeaways from this brief quote.

  • “If you had the right (Internet) address…”  Access to the cameras is restricted by IP address.  This is a good practice BUT it must be combined with other controls.  If they are solely relying on IP address, that is a hack waiting to happen, since IP addresses can be spoofed.
  • “…you could set up a laptop anywhere…”  Combined with the previous bit of information, we can assume some of those IP addresses are not hardwired into a government/law enforcement office.  So officials with this access must have a mobile Internet connection, such as a hotspot or aircard.

So now I need to figure out which individuals are likely to have access to the cameras and get the IP address of their mobile Internet connection.  Certainly not an easy task, but possible.

The overall point here is that it’s fine to talk about the security measures you have put in place, but be careful that you do not expose any information that could give potential attackers a blueprint to target your organization.

*GO GIANTS!

Well that didn’t take long.

2012 got interesting pretty quickly.

Zappos’ database was breached, leading to the exposure of 24 million customer records.

The database contained usernames, email addresses and “cryptographically scrambled” passwords.  The worst scenario is that the passwords were simply hashed (instead of hashed and salted).

Someone with access to those database values can run a common password list through the different hash algorithms and probably crack a large percentage of those 24 million records in minutes.

They then have an email address and password, and the first thing they do?

Try to log into that email account with that password.

This is why password reuse is very dangerous.  Especially when combined with weak passwords.

Then we had the SOPA/PIPA blackout, which thankfully stalled any congressional action on these poorly thought out bills.

As written, that legislation would have circumvented the rollout of DNSSEC.  The secure implementation of DNS (DNSSEC) adds signature verification to the normal DNS function of mapping a human-readable name to an IP address.  Once DNSSEC is widely adopted, it will substantially curtail DNS hijacking attacks (in which an attacker intercepts a user’s DNS request for, say, http://www.mybank.com and returns the IP address of a fake server the attacker has set up to harvest credentials, install malware, etc.).

Immediately following the SOPA blackout, the FBI took down the file sharing site Megaupload.com.  I happen to believe this is merely coincidental, unlike some conspiracy-minded folks on the Internet.

Naturally, this provoked a DDoS from Anonymous, briefly taking down the webpages of the DOJ and Universal Music Group and accomplishing nothing.

Fighting Fire with Fire.

Japan has issued a contract to research the development of a virus which could counterattack malware sources.

http://nakedsecurity.sophos.com/2012/01/03/japan-cyber-weapon-bad/

This idea comes up from time to time: use hackers’ own weapons and techniques against them instead of only playing defense.  There’s even a course dedicated to it now.

Some of these countermeasures are great ideas: Honeypots waste an attacker’s time and can collect data on them.  Tarpits can tie up the attacker’s network connection.

Sending out “good” viruses seems like a logical step, but it’s probably not a good idea.

Sending out self-replicating code can have ripple effects that are not always considered when the code is written.  For example, the Stuxnet virus which was seemingly created to only target Iranian nuclear facilities still ended up spreading into Eastern Europe and causing problems on some systems (which is how the virus was discovered).

Taking specific and limited action against a hostile IP address is a reasonable and sometimes necessary action.  Virus code is neither specific nor limited.  It cannot be controlled once released to the Internet.

It would be like trying to clean out dead underbrush by setting a fire.  You think it will just burn all the dead stuff and then peter out, but the possible repercussions make it highly irresponsible and dangerous to do.

So let’s just keep this research as research and not go anywhere else with it.

OK, Japan?

And the answer is….PRISONS

The question posed in my last post was “what will be hacked next?”

Now we know: Federal prisons

Similar to the attack on satellites, systems that should have never been connected to the Internet… were.

And the results?

You could open every cell door, and the system would be telling the control room they are all closed.

Here’s the thing…maintaining security is not easy.

It sounds easy.  Just turn on these settings, turn off some others, set good passwords, etc.

But once you add users, security starts to get chipped away.

  • This guy needs to access the system from home.
  • That admin needs a hole in the firewall to run updates.
  • The client needs a new feature pushed out in two weeks, so we just need to make it work.  We’ll sort out the security implications later.

When building a system, the three competing factors are cost, flexibility, and security.  If you need it to be secure AND flexible, it will be very expensive.  If you don’t have a huge budget, either the flexibility or the security will be compromised.

It seems most choose to compromise the security, and it’s easy to see why.  Few people complain when the system isn’t secure enough, but if it isn’t flexible enough management will be hearing about it on a daily basis.

…and they are shocked when their organizations are compromised.

What will be hacked next?

This is a bit unsettling.

I admittedly have no idea how to set up a connection to a satellite, but this story seems like there were security failures at several levels.

According to the report, the satellites were accessed via a ground control station, which is how the attackers potentially got in.

The Landsat-7 and Terra AM-1 satellites utilize the commercially operated Svalbard Satellite Station in Spitsbergen, Norway that “routinely relies on the Internet for data access and file transfers,” says the commission, quoting a NASA report.

If I were designing a system to communicate with an expensive and sensitive piece of equipment, routine access to the Internet would not be part of the spec.  There should be a ground control system that only connects to the satellite.  That system would be under tight physical security to ensure only authorized satellite operators had access.

If that ground control system needs any new data, or needs satellite data transferred off, it would ideally be done through removable media (burn to DVD, external HDD).  If that will not work for whatever reason, the ground control system could be networked to another system.  Access would have to go through a well-configured firewall and require strong, two-factor authentication.

Making a system “hacker-proof” is not a realistic goal.  Anything can be hacked if someone has the resources and determination to gain access.  The best we can do is set up enough checks and safeguards to make it not worthwhile to keep trying.

In this case, it clearly wasn’t enough to dissuade the attackers.

Good timing…

I guess it’s not a bad time to start a security blog.

LulzSec has come out of their Favre-like “retirement” to announce their latest exploits.  This time they have hit News International (The Sun, News of the World).

http://arstechnica.com/tech-policy/news/2011/07/lulzsec-takes-on-the-murdoch-empire-with-sun-hack-fake-death-claim.ars

For all the mayhem they’ve created, LulzSec has provided a great service.

They offer an excellent “what-not-to-do” blueprint.

Here’s today’s lesson.

We are going to assume that the information being released is accurate.  If that is the case, we have two big issues, besides the fact that they allowed their server to be rooted in the first place.

1) It’s nice that you have used a salt for your passwords.  Next time, please generate a random salt.  Utilizing the username as the salt is barely better than not bothering to salt at all.

2) Password restrictions: have you heard of them?  A 5 digit number should never have been allowed as a password in the first place.  Any password cracker will get that from the hash in a matter of SECONDS.
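The storage schemes behind both of these lessons (and the Zappos “simply hashed” worry above), side by side in an added Python example that is my own illustration and not code from any of the breached sites. The KDF, salt size, iteration count and the sample user list are my choices.

```python
# Added example (not code from any breached site): plain hash, username-as-salt
# and random-salt + slow KDF, compared on a constructed sample of accounts.
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000   # PBKDF2 work factor; tune upward over time

def unsalted_hash(password: str) -> str:
    """Plain hash: every user with this password shares one hash, so one
    pass over a common-password list cracks them all at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def username_salted_hash(username: str, password: str) -> str:
    """Username as salt: differs between users, but is fully predictable and
    repeats wherever that person reuses the same username and password."""
    return hashlib.sha256((username + password).encode()).hexdigest()

def make_record(password: str, salt: bytes = b"") -> tuple:
    """Random per-user salt plus a slow KDF. Returns (salt, key) to store."""
    salt = salt or os.urandom(16)                      # fresh salt per record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)

def count_shared_hashes(hashes) -> int:
    """Accounts in a dump that fall to a single lookup: entries whose hash
    is shared with at least one other entry."""
    counts = Counter(hashes)
    return sum(n for n in counts.values() if n > 1)

# Constructed sample: three users, two of whom chose the post's "12345".
USERS = [("alice", "12345"), ("bob", "12345"), ("carol", "Tr0ub4dor&3")]

if __name__ == "__main__":
    print("unsalted shared:", count_shared_hashes(unsalted_hash(p) for _, p in USERS))
    print("username-salted shared:", count_shared_hashes(username_salted_hash(u, p) for u, p in USERS))
    print("random-salted shared:", count_shared_hashes(make_record(p)[1] for _, p in USERS))
```

Note that the username-salted scheme shows no shared hashes within one dump, yet the same person’s hash is identical on every site that uses that scheme, which is what makes it barely better than no salt.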

Postscript:  I initially wrote this up on July 19th.  I’m publishing it on the 21st, and it seems there’s been a hack against NATO now.  Waiting for more details before I add any commentary.