Archive | December, 2015

Cryptography Challenge – Collision (Medium): National Cyber League (NCL) 2015 Postseason

Oh, so you want a program “that find strings that have ‘nice’ digests.”

Fun fact, I had to go through 9,540,244,837 hashes to find the sha256! Editing the perl script [1] allowed for solving md5, sha1 and sha256. See the write up below regarding the question, answer, and solution code. For other National Cyber League content see Categories: NCL – Enjoy

Question 1:
What is an input that will yield an md5 hash that starts with D391B?

Answer 1:
“@^

echo -n '"@^' | md5sum | awk '{print toupper($0)}'
D3917551061C099469F49F4F4F1D4324  -

Solution 1:

#!/usr/bin/env perl

package Words;

sub new {
    my $class = shift;
    my $self = bless {}, $class;
    $self->{ 'next' } = [ 32 ];
    return $self;
}

sub next {
    my $self = shift;
    $self->increment();
    return pack( 'C*', @{ $self->{ 'next' } } );
}

sub increment {
    my $self = shift;
    my $N    = $self->{ 'next' };
    $N->[ -1 ]++;

    for ( my $i = $#{ $N } ; $i ; $i-- ) {
        return if $N->[ $i ] < 127;
        $N->[ $i ] = 33;
        $N->[ $i - 1 ]++;
    }

    if ( $N->[ 0 ] == 127 ) {
        $N->[ 0 ] = 33;
        unshift @{ $N }, 33;
    }
}

package main;

use Digest::MD5 qw( md5_hex );
use Time::HiRes qw( time );

$SIG{ INT } = sub { exit };

my $generator = Words->new();

#my $vanity   = '314159265358979323';
my $vanity = 'd391b';
my $search   = 4;
my $look_for = substr( $vanity, 0, $search );

my $print_speed = 1000000;
my $start_time  = time();

my $i = 0;
my $j = 0;
while ( 1 ) {
    my $word   = $generator->next();
    my $digest = md5_hex( $word );
    $i++;
    $j++;
    if ( $j == $print_speed ) {
        my $new_time = time();
        printf "%d hashes in %.3fs\n", $print_speed, $new_time - $start_time;
        $start_time = $new_time;
        $j          = 0;
    }
    next unless $look_for eq substr( $digest, 0, $search );
    printf "%10d : %-20s : %-10s : %s\n", $i, $word, $look_for, $digest;
    $search += 1;
    last if $search == length( $vanity );
    $look_for = substr( $vanity, 0, $search );
}

FILE: find.vanity.NCL-2015-Postseason.tar.gz

 

Question 2:
What is an input that will yield an sha1 hash that starts with 45EECA8?

Answer 2:
!Zxu’

echo -n '!'"Zxu'" | sha1sum | awk '{print toupper($0)}'
45EECA8E9BFCA37E76B30B8E873DC4527062508B  -

Solution 2:

#!/usr/bin/env perl

package Words;

sub new {
    my $class = shift;
    my $self = bless {}, $class;
    $self->{ 'next' } = [ 32 ];
    return $self;
}

sub next {
    my $self = shift;
    $self->increment();
    return pack( 'C*', @{ $self->{ 'next' } } );
}

sub increment {
    my $self = shift;
    my $N    = $self->{ 'next' };
    $N->[ -1 ]++;

    for ( my $i = $#{ $N } ; $i ; $i-- ) {
        return if $N->[ $i ] < 127;
        $N->[ $i ] = 33;
        $N->[ $i - 1 ]++;
    }

    if ( $N->[ 0 ] == 127 ) {
        $N->[ 0 ] = 33;
        unshift @{ $N }, 33;
    }
}

package main;

use Digest::SHA qw( sha1_hex );
use Time::HiRes qw( time );

$SIG{ INT } = sub { exit };

my $generator = Words->new();

#my $vanity   = '314159265358979323';
my $vanity = '45eeca8';
my $search   = 7;
my $look_for = substr( $vanity, 0, $search );

my $print_speed = 1000000;
my $start_time  = time();

my $i = 0;
my $j = 0;
while ( 1 ) {
    my $word   = $generator->next();
    my $digest = sha1_hex( $word );
    $i++;
    $j++;
    if ( $j == $print_speed ) {
        my $new_time = time();
        printf "%d hashes in %.3fs\n", $print_speed, $new_time - $start_time;
        $start_time = $new_time;
        $j          = 0;
    }
    next unless $look_for eq substr( $digest, 0, $search );
    printf "%10d : %-20s : %-10s : %s\n", $i, $word, $look_for, $digest;
    $search += 1;
    last if $search == length( $vanity );
    $look_for = substr( $vanity, 0, $search );
}

FILE: find.vanity.NCL-2015-Postseason.tar.gz

 

Question 3:
What is an input that will yield an sha256 hash that starts with 542715A3?

Answer 3:
!<21hA

echo -n '!<21hA' | sha256sum | awk '{print toupper($0)}'
542715A3959F733B0C9B63DEAE2C98B08F522720118D20D541FA1B6C81C2B118  -

Solution 3:

#!/usr/bin/env perl

package Words;

sub new {
    my $class = shift;
    my $self = bless {}, $class;
    $self->{ 'next' } = [ 32 ];
    return $self;
}

sub next {
    my $self = shift;
    $self->increment();
    return pack( 'C*', @{ $self->{ 'next' } } );
}

sub increment {
    my $self = shift;
    my $N    = $self->{ 'next' };
    $N->[ -1 ]++;

    for ( my $i = $#{ $N } ; $i ; $i-- ) {
        return if $N->[ $i ] < 127;
        $N->[ $i ] = 33;
        $N->[ $i - 1 ]++;
    }

    if ( $N->[ 0 ] == 127 ) {
        $N->[ 0 ] = 33;
        unshift @{ $N }, 33;
    }
}

package main;

use Digest::SHA qw( sha256_hex );
use Time::HiRes qw( time );

$SIG{ INT } = sub { exit };

my $generator = Words->new();

#my $vanity   = '314159265358979323';
my $vanity = '542715a3';
my $search   = 8;
my $look_for = substr( $vanity, 0, $search );

my $print_speed = 1000000;
my $start_time  = time();

my $i = 0;
my $j = 0;
while ( 1 ) {
    my $word   = $generator->next();
    my $digest = sha256_hex( $word );
    $i++;
    $j++;
    if ( $j == $print_speed ) {
        my $new_time = time();
        printf "%d hashes in %.3fs\n", $print_speed, $new_time - $start_time;
        $start_time = $new_time;
        $j          = 0;
    }
    next unless $look_for eq substr( $digest, 0, $search );
    printf "%10d : %-20s : %-10s : %s\n", $i, $word, $look_for, $digest;
    $search += 1;
    last if $search == length( $vanity );
    $look_for = substr( $vanity, 0, $search );
}

FILE: find.vanity.NCL-2015-Postseason.tar.gz
Reference:

[1] https://github.com/depesz/vanity-hash-finder/blob/master/find.vanity.md5.by.rhodiumtoad.pl

Leave a Comment

SMTP Challenge – Web 6 (Medium): National Cyber League (NCL) 2015 Post-Season

For a total of 300-points and using Node.js; this challenge required submitting a line-by-line solution via telnet or [ netcat / ncat / nc ].

The difficulty in this challenge came form having to craft the email in a very particular way which the server was expecting. For example: used the wrong syntax[1], improper use of case in the command(s) or spacing. Simply put, without the proper solution – the flag would not display.

Kudos to all who conqueror this challenge!

Question:

  • Connect to the smtp server at sb1.cyberskyline.com:3060 and send an email to daniel@hacker.test from the address, user4928@hacker.test, with a title saying you have the latest exploit and he will open it, allowing you to unlock the flag.
  • This SMTP server does not follow protocol exactly, but close enough.
  • What is the flag you receive from sending the spoofed email?

Code:

HELO HACKER.TEST
MAIL FROM:<user4928@hacker.test>
RCPT TO:<daniel@hacker.test>
DATA
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
QUIT

Answer/Solution:

Telnet:

$ telnet sb1.cyberskyline.com 3060
Trying 104.236.16.36...
Connected to sb1.cyberskyline.com.
Escape character is '^]'.
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing
Connection closed by foreign host.

Netcat:

$ ncat sb1.cyberskyline.com 3060
220 sb1.cyberskyline.com ESMTP CyberSkyline
HELO HACKER.TEST
250 Hello HACKER, sb1.cyberskyline.com at your service
MAIL FROM:<user4928@hacker.test>
250 OK Sounds good, I like this idea
RCPT TO:<daniel@hacker.test>
250 OK Seems like a good person to write a note to
DATA
354 Go ahead, send all the cyber big data
From: "user4928" <user4928@hacker.test>
To: "daniel" <daniel@hacker.test>
Subject: you have the latest exploit
.
250 Ok: I will try my best to send this, I'm the little server that could
QUIT
221 Don't leave... I'm just a sad lonely server... closing connection.
Your flag is NCL-SAAS-3564 Thank you for playing

Reference:
[1] https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example

Leave a Comment

Update Kali Linux Repositories

Getting errors when updating? Check your /etc/apt/sources.list because the labeled “kali” in repository is now “sana” – replace or add:

# Regular repositories
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free

# Source repositories
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free

Afterwards you may have to import your key into your apt-keyring:

apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6

suces

Leave a Comment