Monthly Archives: September 2011

CSAW CTF Writeup: Dino Dai Zovi’s recon

In every CTF, there’s a challenge that takes entirely too much time to complete for no reason. For our team that challenge was the Recon track for Dino Dai Zovi.

The solution was to look on Twitter and search for #csaw. Dino had posted a message from the SecureTips account, which he controls. The #outguess hashtag was a reference to outguess.org, and after we managed to compile stegdetect, we ran a dictionary attack against the image and had the password a while later: gobbles. Boom. We can only assume it’s a reference to this picture from blackhats.com.

This should have taken 20 minutes, but several people spent about a day and a half searching through all of Dino’s websites for the key. So to complement this small writeup, we decided to share some of the gems we found.

We ran Tachyon on his website, theta44.org. Some of the stuff on there is very interesting.

First, we have a .svn folder. The .svn/entries file inside it names every versioned file in the directory, which makes it an amazing replacement for a directory listing when listing is disabled.

<entry committed-rev="88" name="" committed-date="2008-08-17T21:06:56.987768Z" url="file:///var/svn/ddz/www/theta44.org" last-author="ddz" kind="dir" uuid="59e2e0df-2ce6-0310-a295-eeaa8d61d4f1" revision="88"/>
<entry committed-rev="18" name="defcon-2000.tar.gz" text-time="2004-12-10T19:01:50.000000Z" committed-date="2004-12-10T19:01:40.120438Z" checksum="551a6ef2afc712364ae6752fcaa06312" last-author="ddz" kind="file" prop-time="2004-12-10T19:01:49.000000Z"/>
<entry committed-rev="18" name="thttpd-ssi.txt" text-time="2004-12-10T19:01:50.000000Z" committed-date="2004-12-10T19:01:40.120438Z" checksum="8615c03c805231c208d3ef0e262596e8" last-author="ddz" kind="file" prop-time="2004-12-10T19:01:49.000000Z"/>
<entry committed-rev="70" name="old.html" text-time="2007-04-04T04:09:59.000000Z" committed-date="2007-04-03T04:01:39.132068Z" checksum="8cbc12be6f15ff46ec5a7d08ac42a76c" last-author="ddz" kind="file" prop-time="2007-04-04T04:09:59.000000Z"/>

Next we did a skipfish scan and found a bunch more stuff, like this statistics page at http://theta44.org/analog.html covering December 2004 to September 2005 (the figures in parentheses are analog’s totals for the last seven days of the log). From it we learn that back in 2005 the most popular search term for Dino’s website was karma. Good for him, you never have enough of that!

Successful requests: 35,884 (511)
Average successful requests per day: 126 (72)
Successful requests for pages: 8,425 (192)
Average successful requests for pages per day: 29 (27)
Failed requests: 10,869 (315)
Redirected requests: 321 (9)
Distinct files requested: 4,296 (72)
Distinct hosts served: 3,756 (120)
Corrupt logfile lines: 11
Data transferred: 3.24 gigabytes (45.05 megabytes)
Average data transferred per day: 11.69 megabytes (6.44 megabytes)

And skipfish also found that guy’s party pictures.

I lol’d too :p

Next we moved to his blog, trailofbits.com, and noticed there was a .svn folder there too. Except this time we can’t access it: Amazon’s server config won’t let us. Bad Amazon, bad.

After some googling we also found that Dino had another nickname, once upon a time. Some of his old exploits hosted on theta44.org still mention it, like this one. From that nickname we got to his old website, dopesquad.net, a true diamond from a time when animated GIFs were king. The fun thing with that site is the conspicuous CVS folder in the web root, just like the .svn folders on the newer sites. Old habits die hard :)
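Both the .svn/entries file quoted above and a CVS/Entries file like the one on dopesquad.net can be turned into a fetch list by script. What follows is an added example, not part of the original writeup and not one of the tools the team used; the two sample metadata files are constructed for the example (modelled on, not copied from, the real sites), and the base URLs are placeholders.

```python
"""Turn leaked version-control metadata into a list of URLs to fetch.

Added example, not code from the original post.  Two formats are handled:

  * the XML ".svn/entries" written by Subversion clients up to 1.3 (the
    format quoted in the writeup); Subversion 1.4-1.6 switched to a
    line-oriented entries file and 1.7+ to a single .svn/wc.db, neither of
    which this parser reads;
  * "CVS/Entries", one line per item: /name/revision/timestamp/options/tag
    for files and D/name//// for subdirectories.

Sample inputs and base URLs below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed .svn/entries sample.  Real files carry xmlns="svn:" on the
# root element; _local() strips any namespace so both variants parse.
SVN_ENTRIES_SAMPLE = """<wc-entries>
<entry committed-rev="88" name="" url="file:///var/svn/example/www" kind="dir" revision="88"/>
<entry committed-rev="18" name="defcon-2000.tar.gz" checksum="551a6ef2afc712364ae6752fcaa06312" kind="file"/>
<entry committed-rev="70" name="old.html" checksum="8cbc12be6f15ff46ec5a7d08ac42a76c" kind="file"/>
<entry committed-rev="42" name="tools" kind="dir"/>
</wc-entries>
"""

# Constructed CVS/Entries sample (a lone "D" line is a legal trailer).
CVS_ENTRIES_SAMPLE = """/index.html/1.12/Sun Mar  4 02:11:09 2001//
/logo.gif/1.1/Sat Feb 10 22:30:01 2001/-kb/
D/images////
D
"""


def _local(tag):
    """Strip an XML namespace prefix: '{svn:}entry' -> 'entry'."""
    return tag.rsplit('}', 1)[-1]


def svn_repo_url(xml_text):
    """The url= of the nameless 'this directory' entry: the repository
    location, an information leak in itself (filesystem layout, repo name)."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == 'entry' and el.get('name', '') == '':
            return el.get('url')
    return None


def svn_entries(xml_text):
    """Return (name, kind, checksum, committed_rev) for every real entry,
    skipping the name="" entry that describes the directory itself."""
    out = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != 'entry':
            continue
        name = el.get('name', '')
        if not name:
            continue
        out.append((name, el.get('kind'), el.get('checksum'),
                    el.get('committed-rev')))
    return out


def cvs_entries(text):
    """Parse CVS/Entries into (name, kind, checksum, revision).
    CVS records no checksum, so that slot is always None."""
    out = []
    for line in text.splitlines():
        fields = line.split('/')
        if line.startswith('D/') and len(fields) >= 2:
            out.append((fields[1], 'dir', None, None))
        elif line.startswith('/') and len(fields) >= 3:
            out.append((fields[1], 'file', None, fields[2]))
    return out


def fetch_targets(base_url, entries, vcs):
    """URLs worth requesting next.  Files are fetched directly; directories
    expand to their own metadata file so a crawler can recurse.  For
    Subversion the pristine copy .svn/text-base/<name>.svn-base is added
    too: the web server hands it over as plain text even for files it
    would otherwise execute (the classic .php source leak)."""
    meta = {'svn': '.svn/entries', 'cvs': 'CVS/Entries'}[vcs]
    targets = []
    for name, kind, _checksum, _rev in entries:
        if kind == 'dir':
            targets.append(urljoin(base_url, name + '/' + meta))
        else:
            targets.append(urljoin(base_url, name))
            if vcs == 'svn':
                targets.append(urljoin(base_url,
                                       '.svn/text-base/' + name + '.svn-base'))
    return targets


if __name__ == '__main__':
    print('repo:', svn_repo_url(SVN_ENTRIES_SAMPLE))
    for url in fetch_targets('http://svn.example.org/',
                             svn_entries(SVN_ENTRIES_SAMPLE), 'svn'):
        print(url)
    for url in fetch_targets('http://cvs.example.org/',
                             cvs_entries(CVS_ENTRIES_SAMPLE), 'cvs'):
        print(url)
```

The checksum attribute is worth keeping: it is the MD5 of the committed file, so comparing it against what the server actually returns tells you whether the live copy was edited after the last commit (a quick way to spot a hot-patched or backdoored file).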

That was fun!

CTF CSAW 2011

So, our team gathered again at Foulab in Montreal to compete in the CSAW CTF.

Here’s a link to CSAW 2011 archive: http://capture.thefl.ag/2011/CSAW-quals/

After 48h of hacking, junk food, beer and Tanqueray, we ended up completing all the challenges for 9500 points total, the fifth team to reach that score. We also got these extra points afterward:

CISSP Groupies +10 points for submitting a team photo album
CISSP Groupies +10 points for having Dino Dai Zovi look-a-like
CISSP Groupies +10 points for owning our exploitation servers and letting us know about it

Fifth place is a pretty good position for the Groupies, and we are quite happy! :)

CSAW 2011 - Top 6 scoreboard

Check out some pictures of the event. Write ups will be coming later on.

http://imgur.com/a/e7kQX#Zf7ec

Now, we are all warmed up for the upcoming iCTF 2011 :P

Here’s what really happened at RSA

Cross posted from bottomlesspit.org.

Note: Nothing in here is based on actual evidence. This is just an exercise for fun.

As I write this, everyone is getting their RSA tokens replaced. They think they are getting new ones because their old ones were compromised but what if things are not exactly as they look?

Here’s what happened: RSA was *not* keeping their seeds for the tokens. Because, after all, they didn’t need the seeds. Once the token’s seed database was delivered to their customers, they diligently deleted the seeds they had. It was the most secure thing they could do.

Sometime later, the NSA[1] knocked at their door saying: “We would like to have all the seeds for your tokens in exchange for a sh*tload of money. You see, our usual old win32 0-days aren’t cutting it anymore. With the seeds we would be in way better shape to attack the people who are a _threat_ to our nation.”

RSA replied: “No, but not because we don’t want to; because we can’t. We never kept them. The most secure thing we could do for our customers was not to keep them.”

Then it got into an RSA sales guy’s and/or C-level manager’s ear. They put their best technical people on it, and they came up with a plan:

“Let’s do a big ‘we got owned’ fiasco story and tell all of our customers that we need to give them new tokens because the old ones aren’t safe anymore. But this time, we keep the seeds!”

NSA is happy. RSA is happy. USA is happy.

And of course, this is not what really happened.

[1] RSA, NSA: only one letter of difference.. ;)