Thursday, May 27, 2010

Capture the Pequod

Last weekend I distracted myself from my university work by competing in ddtek's Defcon CTF quals. It was a bunch of fun and I recommend that everyone gives it a go. A good place to start if you're not sure what I'm talking about is over at Wikipedia: Capture the Flag. Defcon CTF is played by teams of 5-6 people who spend the weekend trying to solve puzzles ranging from binary reverse engineering, exploit development, disk forensics and cryptanalysis to random trivia. Since I was playing on a team of 1 I mostly stuck to the "Pursuits Trivial" category, which is a grab bag of trivia-based puzzles. This worked out well, since I managed to solve all but the hardest one, which I was working on when time expired.

Here's a quick run down of the problems that I faced:

Pursuits Trivial 100
This was very straightforward: the question was "What linux command was mentioned in the Spiderman movie". I didn't know the answer off hand so I googled it, and it turns out someone had set up a StackOverflow.com question and someone else had posted the answer: "sudo". Well, that was an easy start; pity it wouldn't continue.

Pursuits Trivial 200
The 'question' was "sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA"

This was a bit cryptic but not too terrible, as you'd discover if you try to ssh to sheep@pwn21.ddtek.biz:6000. The next step was to figure out the password, which wasn't much of a stretch either, "baaAaaA" being the first thing you're likely to try. This is where it gets tricky, however: you find yourself at a blank screen and typing doesn't seem to do much. I must admit that I quickly grew bored of this question and moved on to the next one, but later I came back. Due to some lucky keyboard mashing I ended up hitting 'i' and then some other characters and saw that my cursor moved. After that I tried it again with a ttyrecorder in place and found out that when you press 'i' you get the text "INSERT MODE" back, just not legibly. So we were inside vim but with the colours messed up; a bit of Googling turns up the command "hl clear" that reset the colours back to normal. Unfortunately you can't quit vim, it didn't look like you could write files anywhere, and you couldn't shell out to regular commands. What you could do is open a directory (I used the 'open ../' command) and start navigating the file system. From there you quickly find /home/sheep/key and the passphrase you need to score 200 points. Wasn't that fun?

Pursuits Trivial 300
Question: "Vulcan needs more friends", with a link to a site that asks you for a Facebook username, a Flickr account and a Twitter account. Vulcan is the name of one of the organisers at ddtek, and it looks like you need to hunt him down on some social networks. This wasn't actually too hard. It took a little bit of creativity at times, as often there was an account called "ddtek" but it was a group rather than a user, and you had to look around to see if someone called Vulcan had friended the "ddtek" group. The hardest part was convincing the script that you actually had found Vulcan; the Twitter part was especially finicky.

Pursuits Trivial 400
This one was great fun. The question is something like "Rank these hackers" with a link to a file. The file turns out to be a Java app that, when run, shows you two photos of hackers and asks you to pick one (first time I got Halvar Flake and The Dark Tangent). If you choose correctly it will show you two more faces, but if you choose incorrectly the program exits. Since I didn't recognise most of the faces and there was no way to know the ranking system, I figured I would have to find some other advantage. At first I started pulling apart the network traffic to see if any hints were being sent over the wire. There weren't any that I could see, but the protocol itself looked pretty straightforward. The client says "illogical\n" to start and then receives two JPEGs, each XORed with a different constant. If the client wants to pick left it sends 0x00, and if it chooses right it sends 0x01 (I didn't look into figuring out how the server tells the client which constant to use; I figured I could just brute force it). If the client guesses wrong a 4-byte error code is sent and the socket closes.

I figured that this was all simple enough and wrote my own client, f400.py (named f400 because for some reason I was confused with the forensic problems). My client would slowly accumulate knowledge about which hackers were superior to which by playing the game over and over. I also dumped a copy of the images sent, as well as the entire network exchange, to disk for later analysis. Once that was working I left it to run overnight (it didn't need to run nearly that long, but it was late and I needed sleep) and in the morning I had a pickle file with a list of images in order. I wrote another script (f400_sort.py) that would give me a nice set of JPEGs named in numerical order from 001.jpg out to 080.jpg or so. I then played the game manually, consulting my list to make the choices. After 64 correct choices the game did something different: it asked me to tell it what path I took in the format "LRLRLRRRRLRLRR...". At this point I was a little over the problem and, instead of coding the solution, just ran through it a second time recording my decisions manually.

Looking back at the problem there are several improvements that I could have made. Firstly, I could have reversed the Java application so that I didn't have to guess at the protocol; I could have either derived it from the code or skipped writing my own client and just modified the existing one. Secondly, my network code was a bit naive: it used sleeps and assumed that all the data would be ready to read (perhaps one part of the protocol I didn't analyse was a length field?), and I ended up with an occasional malformed file which I just lived with. I should have used PIL or similar to detect broken or truncated images. Finally, I shouldn't have wimped out; I should have had my client play complete games rather than not knowing what to do after 64 correct guesses.
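The two loose ends above, brute forcing the XOR constant and catching truncated images before they hit disk, fit in a few lines. This is an added example, not the author's f400.py; it assumes the constant is a single byte (the post does not say how wide it was) and uses a constructed JPEG-like byte string as the sample input.

```python
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the prefix of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker, the last two bytes of a complete file


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one constant (single-byte key is an assumption)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; the right one turns the first bytes into the JPEG SOI marker.

    Only one key can map blob[0] to 0xff, so the match is unique if it exists.
    """
    if len(blob) < len(JPEG_SOI):
        return None
    for key in range(256):
        if xor_bytes(blob[: len(JPEG_SOI)], key) == JPEG_SOI:
            return key
    return None


def is_complete_jpeg(data: bytes) -> bool:
    """Cheap sanity check: an intact JPEG starts with SOI and ends with EOI.

    A read that returned early (the sleep-and-hope bug) loses the tail, so EOI is missing.
    """
    return data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def decode_image(blob: bytes) -> Optional[bytes]:
    """Return the de-XORed JPEG, or None if the key is unknown or the file is truncated."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    image = xor_bytes(blob, key)
    return image if is_complete_jpeg(image) else None


# Constructed sample: a fake JPEG (SOI, APP0 stub, padding, EOI) XORed with a made-up key.
SAMPLE_KEY = 0x5A
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(12) + b"\xff\xd9"
SAMPLE_BLOB = xor_bytes(SAMPLE_JPEG, SAMPLE_KEY)
```

For a fuller check than the marker test, PIL's `Image.open(io.BytesIO(image)).verify()` raises on a corrupt file.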

T400 was a blast, but that brings us to T500.

Pursuits Trivial 500
Time was called while I was working on this problem, and I was mostly just poking around rather than actually trying to solve it. The question was "Tell me about your appendage" and there was a file. The file turned out to be an APE format lossless audio file that I had no idea how to play. I eventually decoded it to wav and listened to it. A bit of Googling on lyrics later made me realise that it was a modified version of Captain Ahab's song Ride. I won't go any further; I'll instead direct you to this excellent write-up of the puzzle by Scott Wolchok: http://scott.wolchok.org/t500.html. First though, I insist you listen to the song yourself by playing the YouTube video below. It has unicorns.

Tuesday, May 25, 2010

Xbox 360 Forensics

Lately my blogging energies have been redirected into my study, namely a communications plan and a research proposal.

The communication plan was for a persuasive communications class, and the aim was to devise a plan that could realistically alter the attitudes (and hopefully the behaviour) of an audience. It was a fascinating exercise that I don't plan on repeating any time soon. It turns out that I'm not much of a public relations hand, and while I think I grasped the theory, writing up a viable strategy for a hypothetical situation was harder than I expected.

More relevantly, the research proposal is for my upcoming final project (dissertation?) and it involves creating a tool to automate the extraction of useful information from an Xbox 360. Seriously, I didn't come up with the topic (my supervisor suggested it); isn't that awesome? So I've been spending a lot of my time reading Xbox modding forums and reading the few bits and pieces in academia on the topic.

Things that I learnt:

  • The Xbox 360 is easier to access than the original due to a lack of ATA security lock-down
  • There is an Xbox file system that is mostly just a clean-up of FAT
  • The Xbox 360 uses a big-endian version of this due to its PowerPC architecture
  • People go to great lengths to install homebrew operating systems and play pirated games
  • There is a lot of information that might be accessible via someone's Xbox
  • Most Windows users use a defunct program called Xplorer360 to read/write Xbox 360 file systems
  • For Linux the choices are a BSD example implementation, uxtaf.c, or x360, a GPLv3 FUSE driver
  • Actually there's a kernel driver available too, if you're into that kind of thing

So next semester I'm going to be messing around with a whole bunch of Xboxes; it's amazing what you can do and still get course credit. I'll keep you all updated as it unfolds.

In the meantime, watch this Google Tech Talk about the Xbox and Xbox 360 security systems: