C0c0n 2011 CTF Walkthrough
Uploaded by riyazwalikar, 06-May-2015
Page 1: C0c0n 2011 CTF Walkthrough

Page | 1

C0C0N 2011 – CTF Walkthrough

Riyaz Walikar a.k.a karniv0re

http://www.riyazwalikar.com

Greetings fellow readers!! As usual another great CTF has ended and most of us who played this have lost some hair from their heads with the collective effort of yanking it out or banging our heads on the nearest walls. On a more serious note, people who thought only 'corrupt' could be nightmarishly creepy, you can now go ahead and add Anant a.k.a infinity to the list!

Great job guys, to the team who made this possible!!

This was all in all, an enjoyable event, with the levels being fairly designed to supposedly increase in order of complexity, frustration and technical incoherence as you progressed up. I managed to finish all except one level, which I will come to in a bit.

The CTF was divided into multiple sections as listed below and each section had 3 levels.

1. Crypto Levels – Mostly to do with some sort of cipher/obfuscation/symbol substitution.
2. Programming Levels – Programming related questions. People actually had to write programs!!
3. Reverse Engineering Levels – Reverse engineering binaries, PYCs and APKs.
4. Log Analysis Levels – Analysis of Apache logs, PMLs and Wireshark Pcap dumps.

As is with all CTFs, different people would have different approaches which may lead to the same answer that enables you to complete a level and unlock the next. This is my approach and I agree it is not the best, not the most elegant or the most uber out there, but hell, it worked. I have also tried to tag the levels based on their difficulty as Easy, Average, Hard and WTF! This categorization/classification is entirely based on my experience with the CTF and is entirely my opinion. Your opinion may differ so don't take it too seriously.


Crypto Levels

Crypto Level 1 URL: http://nullcon.net/challenge/c0c0n/clevel-1.php

Difficulty: Average

Solution: The source code of the page shows two HTML comments. The first one appears to be an obfuscated/encoded string. The '==' at the end points us to the string being Base64 encoded. However, a subsequent decoding does not provide anything conclusive.

The second HTML comment is an apparent clue to the use of ROT-13 before you decode the string using Base64.


Having played a similar level at last year's nullcon HackIM challenge, this wasn't very hard. Using the ROT-13 decoder at http://web.forret.com/tools/rot13.asp, I obtained the following:

Base64 decoding this, after adding the necessary padding, gives:

Call it intuition or just the way the characters were arranged, this had to be Base64 decoded again!!


A quick Google search for "Google Beer" gives "URKontinent". Converting this to title case gives "Urkontinent" which is the flag.
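The decoding chain above (ROT-13 once, then Base64 as many times as the output still decodes cleanly, re-adding the padding the comment had lost) written out as an added example; this is not the author's tooling and the level's actual comment is not on this page, so the sample input is constructed with the `encode_layers` helper. Function names are mine.

```python
import base64
import binascii
import codecs


def pad_base64(text: str) -> str:
    """Restore the '=' padding the comment had lost (base64 length must be a multiple of 4)."""
    return text + "=" * (-len(text) % 4)


def decode_layers(comment: str, max_layers: int = 5) -> list:
    """Undo ROT-13 once, then base64-decode repeatedly while the result is still
    clean printable text. Returns every layer so the intermediate strings can be
    inspected; the last element is the plaintext."""
    current = codecs.decode(comment, "rot_13")
    layers = [current]
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(pad_base64(current), validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break          # not base64 any more: the previous layer is the plaintext
        if not text or not text.isprintable():
            break          # decoded to binary junk: stop before it
        current = text
        layers.append(current)
    return layers


def encode_layers(plaintext: str, layers: int = 2) -> str:
    """Inverse of decode_layers, used here only to build a constructed sample:
    base64 `layers` times, drop the trailing padding, then ROT-13 the result."""
    current = plaintext
    for _ in range(layers):
        current = base64.b64encode(current.encode("ascii")).decode("ascii")
    return codecs.decode(current.rstrip("="), "rot_13")


if __name__ == "__main__":
    # constructed sample, not the comment from the level page
    sample = encode_layers("Google Beer")
    for i, layer in enumerate(decode_layers(sample)):
        print(f"layer {i}: {layer}")
```

The stop condition matters more than the decoding: a Base64 decode of plain text "succeeds" and returns bytes, so the loop only keeps a layer when it decodes to printable ASCII, which is why the chain ends at "Google Beer" rather than one step too far.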

Crypto Level 2 URL: http://nullcon.net/challenge/c0c0n/clevel-2.php

Difficulty: Easy

Solution: This one was easy because I had recently finished reading The Code Book by Simon Singh. The book's appendix contains an explanation of the symbol substitution. This has also been depicted in the Dan Brown book, The Lost Symbol. This is a mono-alphabetic simple geometric substitution cipher called the Pigpen Cipher (also called the Masonic Cipher).


For people who have never heard of this before, a quick Google search for "Image Ciphers" also provides obvious clues to this being a Pigpen Cipher substituted string. Decoding this is straightforward with the help of the following key.

The code then translates to the string "FLAGISTHENAMEGIVENTOTHEENLIGHTENEDGROUP". A quick Google search for "name given to the enlightened group" gives "Illuminati" as the first result, which also happens to be the flag!!

Crypto Level 3 URL: http://nullcon.net/challenge/c0c0n/clevel-3.php

Difficulty: Average

Solution: The level description was the hint. This is written in the Braille system, which is a method that is widely used by blind people to read and write, and was the first digital form of writing (source: Wikipedia). Using a Braille character chart, the above text can be decoded to:

I devised Braille in 1825 based on a method of communication originally developed by Charles Barbier. Who am I?

Google and general knowledge tell you the answer is Louis Braille, which also happens to be the flag!


Programming Levels

Programming Level 1 URL: http://nullcon.net/challenge/c0c0n/plevel-1.php

Difficulty: Hard

Solution: This level was one of the crappiest. I finally wrote a Python script to generate the necessary number. The pseudocode is as below, written out as runnable Python 3 (the loop bound, the hex() string and the x-1 indexing follow the pseudocode literally; the digit sum starts from a fresh counter, since reusing b as both the Fibonacci term and the running total, as the pseudocode did, could never give a five-digit result):

a, b = 0, 1
for x in range(31335):          # 0 to 31334 inclusive
    c = a + b
    a = b
    b = c

a = hex(c)                      # '0x...' string of the last Fibonacci number
total = 0                       # running sum of the selected hex digits
for x in range(len(a)):
    if x % 3 == 0:
        p = a[x - 1]            # position x-1 as written; for x == 0 this is the last character
        total += int(p, 16)     # todecimal(p): the decimal value of that hex digit
print(total)

The final answer that the script would generate is 13590 which is the flag for this level.


Programming Level 2 URL: http://nullcon.net/challenge/c0c0n/plevel-2.php

Difficulty: Average

Solution: A quick Google search for "Goldbach Partition" or "Goldbach's Conjecture" generates a lot of helpful results. Basically, it states that every even integer greater than 2 can be expressed as the sum of two primes.

There are two ways of doing this: Method 1 is to write a program to identify all primes smaller than 13590 and then check all combinations of their sums for those that equal 13590. A comma separated list of the result would be the answer.

Method 2 is for the lazy types like me. Google for an online generator, which although it sounds like a straightforward job, requires some special Googling skills. Format the output in CSV format and paste it in the flag box.

The flag is the following string of numbers:

13,13577,23,13567,37,13553,53,13537,67,13523,103,13487,113,13477,127,13463,139,13451,149,13441,173,13417,179,13411,191,13399,193,13397,223,13367,251,13339,263,13327,277,13313,281,13309,293,13297,331,13259,349,13241,373,13217,419,13171,431,13159,439,13151,443,13147,463,13127,487,13103,491,13099,541,13049,547,13043,557,13033,587,13003,607,12983,617,12973,631,12959,673,12917,683,12907,691,12899,701,12889,761,12829,769,12821,809,12781,827,12763,877,12713,887,12703,919,12671,937,12653,953,12637,971,12619,977,12613,1013,12577,1021,12569,1049,12541,1051,12539,1063,12527,1087,12503,1093,12497,1103,12487,1117,12473,1153,12437,1181,12409,1213,12377,1217,12373,1289,12301,1301,12289,1321,12269,1327,12263,1427,12163,1429,12161,1433,12157,1447,12143,1471,12119,1481,12109,1483,12107,1489,12101,1493,12097,1549,12041,1553,12037,1579,12011,1583,12007,1609,11981,1619,11971,1621,11969,1637,11953,1657,11933,1663,11927,1667,11923,1693,11897,1723,11867,1759,11831,1777,11813,1783,11807,1789,11801,1801,11789,1811,11779,1847,11743,1871,11719,1873,11717,1889,11701,1901,11689,1913,11677,1933,11657,1973,11617,1993,11597,1997,11593,2003,11587,2011,11579,2039,11551,2063,11527,2087,11503,2099,11491,2143,11447,2153,11437,2179,11411,2207,11383,2221,11369,2237,11353,2239,11351,2269,11321,2273,11317,2311,11279,2333,11257,2339,11251,2347,11243,2351,11239,2377,11213,2393,11197,2417,11173,2441,11149,2459,11131,2473,11117,2477,11113,2503,11087,2521,11069,2531,11059,2543,11047,2617,10973,2633,10957,2687,10903,2699,10891,2707,10883,2729,10861,2731,10859,2753,10837,2791,10799,2801,10789,2819,10771,2837,10753,2851,10739,2857,10733,2861,10729,2879,10711,2903,10687,2927,10663,2939,10651,2963,10627,3001,10589,3023,10567,3061,10529,3089,10501,3137,10453,3163,10427,3191,10399,3221,10369,3253,10337,3257,10333,3259,10331,3301,10289,3319,10271,3323,10267,3331,10259,3343,10247,3347,10243,3413,10177,3449,10141,3457,10133,3491,10099,3499,10091,3511,10079,3529,10061,3581,10009,3583,10007,3617,9973,3623,9967,3659,9931,3719,9871,3733,9857,3739,9851,3761,9829,3779,9811,3803,9787,3821,9769,3823,9767,3847,9743,3851,9739,3911,9679,3929,9661,3947,9643,3967,9623,3989,9601,4003,9587,4051,9539,4057,9533,4079,9511,4093,9497,4099,9491,4111,9479,4127,9463,4129,9461,4153,9437,4157,9433,4159,9431,4177,9413,4219,9371,4241,9349,4253,9337,4271,9319,4297,9293,4349,9241,4363,9227,4391,9199,4409,9181,4457,9133,4463,9127,4481,9109,4523,9067,4547,9043,4549,9041,4561,9029,4583,9007,4591,8999,4621,8969,4639,8951,4649,8941,4657,8933,4703,8887,4723,8867,4729,8861,4751,8839,4759,8831,4783,8807,4787,8803,4871,8719,4877,8713,4909,8681,4943,8647,4967,8623,4993,8597,5009,8581,5051,8539,5077,8513,5147,8443,5167,8423,5171,8419,5227,8363,5237,8353,5261,8329,5273,8317,5279,8311,5297,8293,5303,8287,5347,8243,5381,8209,5399,8191,5419,8171,5443,8147,5479,8111,5501,8089,5503,8087,5521,8069,5531,8059,5573,8017,5581,8009,5639,7951,5641,7949,5653,7937,5657,7933,5683,7907,5689,7901,5711,7879,5717,7873,5737,7853,5749,7841,5801,7789,5849,7741,5867,7723,5903,7687,5987,7603,6007,7583,6029,7561,6043,7547,6053,7537,6067,7523,6073,7517,6091,7499,6101,7489,6113,7477,6131,7459,6133,7457,6173,7417,6197,7393,6221,7369,6257,7333,6269,7321,6337,7253,6343,7247,6353,7237,6361,7229,6379,7211,6397,7193,6469,7121,6481,7109,6521,7069,6547,7043,6551,7039,6563,7027,6571,7019,6577,7013,6599,6991,6607,6983,6619,6971,6673,6917,6679,6911,6691,6899,6719,6871,6733,6857,6761,6829,6763,6827
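Method 1 written out, as an added example rather than the author's script: a sieve of Eratosthenes up to 13590, then one pass over the primes pairing each p with 13590 - p and keeping the pair when both are prime. It reproduces the list above, starting with (13, 13577) and ending with (6763, 6827); the function names are mine and it works for any even number, not only 13590.

```python
def primes_up_to(n: int) -> list:
    """Sieve of Eratosthenes: every prime <= n, ascending."""
    if n < 2:
        return []
    sieve = bytearray([1]) * (n + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            # cross out every multiple of i from i*i upwards
            sieve[i * i :: i] = bytearray(len(range(i * i, n + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def goldbach_partitions(n: int) -> list:
    """All (p, q) with p <= q, p + q == n and both prime, ascending in p."""
    if n <= 2 or n % 2:
        raise ValueError("Goldbach partitions are defined for even n > 2")
    primes = primes_up_to(n)
    is_prime = set(primes)                     # O(1) membership for the partner
    return [(p, n - p) for p in primes if p <= n - p and (n - p) in is_prime]


def partitions_csv(n: int) -> str:
    """Flatten the pairs into the comma separated form the flag box wanted."""
    return ",".join(f"{p},{q}" for p, q in goldbach_partitions(n))


if __name__ == "__main__":
    pairs = goldbach_partitions(13590)
    print(len(pairs), "partitions; first", pairs[0], "last", pairs[-1])
    print(partitions_csv(13590))
```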

Programming Level 3 - Unsolved URL: http://nullcon.net/challenge/c0c0n/plevel-3.php

Difficulty: Double WTF!


Solution: The guys who thought of this level get some extra credit. The level description presents an MD5 hash that supposedly is the MD5 of the password (flag) for this level. However, a quick look at the page source code shows the following HTML comment.

The server code logic, if it uses this pseudo code, takes the input value from the user submitted form, MD5 hashes it and then compares only the first 8 characters with an internal hash (which happens to be the MD5 hash printed on the page).

In simpler words, you would need to input a string whose MD5 hash's first 4 bytes (8 hex characters) match "a180ce8a". This sounds awfully easy and looks possible since there exist multiple strings whose MD5 hashes' first 8 characters match.

How wrong I was!! The MD5 algorithm has been developed in such a way that a minimal change (even a single bit) results in a completely different hash. MD5 is now known to have collisions, which means that 2 unique data sets can be created with identical MD5 hashes. However, generating a plaintext with a predefined hash, a pre-image attack, still remains nearly impossible. The best we can do is brute force: generate multiple possible combinations of data and attempt to match hashes.

It is true that there are multiple strings whose MD5 hashes have common first 8 characters, however it was not true in this case. Or maybe I should have attempted a comparison with a larger data set. I generated over 3 million unique character combinations and attempted to match the first 8 characters of the hashes, but after several hours of full CPU utilization I still had no luck. I am sure this is achievable but requires a larger data set and a faster processor. For the adventurous, here's my python code:

I ran it for a little over 8 hours and was not able to find any string which satisfied the script. I am currently running a more complex version of this script on a more powerful server back in office for the past 3 days, hoping to see something before the end of this week.
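An added example, not part of the original write-up, on the arithmetic behind the 8-character comparison. Each hex character fixes 4 bits, so a random input matches a fixed 8-character prefix with probability 2^-32: about 4.3 billion attempts on average, and 3 million attempts give roughly a 0.07% chance of success. The functions below (names are mine) compute that expectation, the chance of success after a given number of attempts, and the truncated comparison the level's HTML comment described; the small search at the end only runs for short prefixes, to show the count growing as 16^k.

```python
import hashlib
import itertools
import string


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def truncated_match(candidate: str, target_prefix: str) -> bool:
    """The comparison the level described: only the first len(target_prefix)
    hex characters of the candidate's MD5 are checked."""
    return md5_hex(candidate).startswith(target_prefix.lower())


def expected_trials(prefix_hex_chars: int) -> int:
    """A random input matches a fixed k-character prefix with probability
    16**-k, so about 16**k inputs are needed on average (2**32 for k == 8)."""
    return 16 ** prefix_hex_chars


def success_probability(trials: int, prefix_hex_chars: int) -> float:
    """Chance that at least one of `trials` independent random inputs matches."""
    p = 1.0 / expected_trials(prefix_hex_chars)
    return 1.0 - (1.0 - p) ** trials


def find_prefix_match(target_prefix: str, alphabet: str = string.ascii_lowercase,
                      max_len: int = 5):
    """Enumerate short strings until one's MD5 starts with target_prefix.
    Returns (candidate, trials) or None. Meant for short prefixes only, to show
    the trial count tracking 16**k; the level's 8 characters need ~2**32."""
    trials = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            trials += 1
            candidate = "".join(chars)
            if truncated_match(candidate, target_prefix):
                return candidate, trials
    return None


if __name__ == "__main__":
    print("expected work for 8 hex chars:", expected_trials(8))        # 4294967296
    print("P(success) after 3 million tries:", success_probability(3_000_000, 8))
    print("2-char prefix 'ab' found after (candidate, trials):", find_prefix_match("ab"))
```

The defensive reading is the mirror image of the level: a server that compares only 8 hex characters has shrunk a 128-bit check to 32 bits, which a single machine can exhaust in hours, so hashes must be compared in full (and with a constant-time comparison).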


Reverse Engineering Levels

Reversing Level 1 URL: http://nullcon.net/challenge/c0c0n/rlevel-1.php

Difficulty: Average

Solution: This level is straightforward if you know the right tools. APK files are compressed archives of xml and dex files. A tool like Dex2jar can be used to extract the jar file from cocon_apk.apk and jd-gui can be used to decompile the jar file. The jar contained a public function called show_key that returned a string.

The function, if carefully analyzed, produces the MD5 of the string "Key:Value;Challange:cocon;Date:" and the system date. The system date is found in the HTML source code of the page.

The flag for this level would then be MD5(Key:Value;Challange:cocon;Date:2011-10-16) which is

f5d2fe1f612f022ee9033667963f5ae6


Reversing Level 2 URL: http://nullcon.net/challenge/c0c0n/rlevel-2.php

Difficulty: Easy

Solution: The level description gives the hint regarding this having something to do with .NET. In any case, when you download the program you can run it through strings to find the following output.

Since this was a .Net application, I opened it using .Net Reflector to do an analysis. The button1_click event contained some promising code.


The hex encoded text decodes to CeCmmUxzvPAIAVA9Udiv5ab07Q which is the flag for this level.

Reversing Level 3 URL: http://nullcon.net/challenge/c0c0n/rlevel-3.php

Difficulty: Hard

Solution: The cookpie.zip file contains a cookiepie.pyc file, which is a compiled Python bytecode file. What makes this level difficult is that there are very few Python decompilers available. Depython, an online Python decompilation service, does not decompile version 2.6 compiled Python files, which was the version cookpie was compiled with.

I used a decompiler called Decompyle on Ubuntu and was provided with a pseudo bytecode/assembly style output. The decompiled output contained references to 3 variables: C0C09CTF, PIEKING and DUMPMENOT. The final flag was the MD5 output of a combination of the username and the 3 variables.

Here's the decompiled output of the pyc file. The interesting stuff happens in section 16 of the following decompiled code.


magic d1f20d0a
moddate ead78c4e (Wed Oct 5 22:19:22 2011)

  2       0 LOAD_CONST 0 (-1)
          3 LOAD_CONST 1 (None)
          6 IMPORT_NAME 0 (re)
          9 STORE_NAME 0 (re)
  3      12 LOAD_CONST 0 (-1)
         15 LOAD_CONST 1 (None)
         18 IMPORT_NAME 1 (os)
         21 STORE_NAME 1 (os)
  4      24 LOAD_CONST 0 (-1)
         27 LOAD_CONST 1 (None)
         30 IMPORT_NAME 2 (hashlib)
         33 STORE_NAME 2 (hashlib)
  5      36 LOAD_CONST 2 ('welcome to COCON CTF')
         39 PRINT_ITEM
         40 PRINT_NEWLINE
  6      41 LOAD_CONST 3 ('C0C09CTF')
         44 STORE_NAME 3 (val)
  7      47 LOAD_CONST 4 ('PIEKING')
         50 STORE_NAME 4 (val243)
  8      53 LOAD_NAME 5 (raw_input)
         56 LOAD_CONST 5 ('Please enter your userid :')
         59 CALL_FUNCTION 1
         62 STORE_NAME 6 (nm)
  9      65 LOAD_CONST 6 ('DUMPMENOT')
         68 STORE_NAME 7 (val542)
 10      71 LOAD_NAME 5 (raw_input)
         74 LOAD_CONST 7 ('Please enter your key : ')
         77 CALL_FUNCTION 1
         80 STORE_NAME 8 (key)
 11      83 LOAD_NAME 2 (hashlib)
         86 LOAD_ATTR 9 (md5)
         89 LOAD_NAME 6 (nm)
         92 CALL_FUNCTION 1
         95 LOAD_ATTR 10 (hexdigest)
         98 CALL_FUNCTION 0
        101 LOAD_ATTR 11 (upper)
        104 CALL_FUNCTION 0
        107 STORE_NAME 12 (md)

 12     110 LOAD_CONST 8 ('')
        113 STORE_NAME 13 (y)
 13     116 SETUP_LOOP 44 (to 163)
        119 LOAD_NAME 12 (md)
        122 GET_ITER
     >> 123 FOR_ITER 36 (to 162)
        126 STORE_NAME 14 (x)
 14     129 LOAD_NAME 13 (y)
        132 LOAD_NAME 15 (str)
        135 LOAD_NAME 16 (ord)
        138 LOAD_NAME 14 (x)
        141 CALL_FUNCTION 1
        144 LOAD_CONST 9 (2)
        147 BINARY_XOR
        148 LOAD_CONST 10 (10)
        151 BINARY_MODULO
        152 CALL_FUNCTION 1
        155 BINARY_ADD
        156 STORE_NAME 13 (y)
        159 JUMP_ABSOLUTE 123
     >> 162 POP_BLOCK
 15  >> 163 LOAD_NAME 13 (y)
        166 LOAD_NAME 8 (key)
        169 COMPARE_OP 2 (==)
        172 JUMP_IF_FALSE 63 (to 238)
        175 POP_TOP
 16     176 LOAD_CONST 11 ('key is ')
        179 LOAD_NAME 2 (hashlib)
        182 LOAD_ATTR 9 (md5)
        185 LOAD_NAME 3 (val)
        188 LOAD_NAME 6 (nm)
        191 LOAD_CONST 1 (None)
        194 LOAD_CONST 1 (None)
        197 LOAD_CONST 0 (-1)
        200 BUILD_SLICE 3
        203 BINARY_SUBSCR
        204 BINARY_ADD
        205 LOAD_NAME 6 (nm)
        208 BINARY_ADD
        209 LOAD_NAME 4 (val243)
        212 BINARY_ADD
        213 LOAD_NAME 7 (val542)
        216 BINARY_ADD
        217 CALL_FUNCTION 1

        220 LOAD_ATTR 10 (hexdigest)
        223 CALL_FUNCTION 0
        226 LOAD_ATTR 11 (upper)
        229 CALL_FUNCTION 0
        232 BINARY_ADD
        233 PRINT_ITEM
        234 PRINT_NEWLINE
        235 JUMP_FORWARD 11 (to 249)
     >> 238 POP_TOP
 18     239 LOAD_CONST 12 ('Key is to try harder, not everything is found by executing files')
        242 PRINT_ITEM
        243 PRINT_NEWLINE
 19     244 LOAD_CONST 13 ('BTW i forgot to code the data stealer in this, although would have loved to')
        247 PRINT_ITEM
        248 PRINT_NEWLINE
     >> 249 LOAD_CONST 1 (None)
        252 RETURN_VALUE

consts
  -1
  None
  'welcome to COCON CTF'
  'C0C09CTF'
  'PIEKING'
  'Please enter your userid :'
  'DUMPMENOT'
  'Please enter your key : '
  ''
  2
  10
  'key is '
  'Key is to try harder, not everything is found by executing files'
  'BTW i forgot to code the data stealer in this, although would have loved to'
names ('re', 'os', 'hashlib', 'val', 'val243', 'raw_input', 'nm', 'val542', 'key', 'md5', 'hexdigest', 'upper', 'md', 'y', 'x', 'str', 'ord')
varnames ()
freevars ()
cellvars ()
filename '/home/anant/Desktop/CTF work/cookpie.py'
name '<module>'
firstlineno 2
lnotab 0c010c010c010501060106010c0106010c011b0106010700060122010d013f020501


The flag can be deduced from the decompiled code and was the MD5 of the following combination: C0C09CTF + <username_in_reverse> + <username> + PIEKING + DUMPMENOT. The flag is obviously different for every user, or at least for the username that is provided in the text box on the flag submission page.
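The source the listing above corresponds to, reconstructed as an added example (this is my reading of the bytecode, not the author's script or the level creator's file): source lines 11 to 14 derive a 32-digit key from the username's MD5, line 15 compares it with the entered key, and line 16 builds the flag from val + nm[::-1] + nm + val243 + val542. Variable names match the listing's names tuple; the username used at the bottom is a constructed sample.

```python
import hashlib

# Constants exactly as the LOAD_CONST lines show them; the variable names
# val, val243 and val542 come from the names tuple in the listing.
val = "C0C09CTF"
val243 = "PIEKING"
val542 = "DUMPMENOT"


def derive_key(nm: str) -> str:
    """Lines 11-14: md = md5(nm).hexdigest().upper(), then for each character
    x of md, y = y + str((ord(x) ^ 2) % 10). BINARY_XOR precedes BINARY_MODULO,
    so the source must have had the parentheses shown here."""
    md = hashlib.md5(nm.encode()).hexdigest().upper()
    y = ""
    for x in md:
        y = y + str((ord(x) ^ 2) % 10)
    return y


def flag_input(nm: str) -> str:
    """Line 16: val + nm[::-1] + nm + val243 + val542. The LOAD_CONST None,
    None, -1 followed by BUILD_SLICE 3 and BINARY_SUBSCR is the reversing slice."""
    return val + nm[::-1] + nm + val243 + val542


def compute_flag(nm: str) -> str:
    """md5(...).hexdigest().upper() of the line-16 concatenation."""
    return hashlib.md5(flag_input(nm).encode()).hexdigest().upper()


def check(nm: str, key: str) -> str:
    """Lines 15-19: print the flag only when the entered key equals the derived
    one; otherwise print the two taunts stored in the constants table."""
    if derive_key(nm) == key:
        return "key is " + compute_flag(nm)
    return ("Key is to try harder, not everything is found by executing files\n"
            "BTW i forgot to code the data stealer in this, although would have loved to")


if __name__ == "__main__":
    user = "karniv0re"   # constructed sample username; the real flag depended on the name typed in
    print(check(user, derive_key(user)))
```

Reading the listing this way also explains why running the file was no shortcut: the key check on line 15 only gates printing, and the flag is a pure function of the username, so it can be computed directly once the concatenation order is known.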

Log Analysis Levels

Log Analysis Level 1 URL: http://nullcon.net/challenge/c0c0n/llevel-1.php

Difficulty: Easy

Solution: This was pretty easy, mostly because of the amount of attention this had got on Full Disclosure a few weeks ago. Anyway, the dump.zip contained a packet capture, and thanks to the creators, contained a LOT of redundant data.

Opening this file with Wireshark showed standard HTTP traffic, but what was noticeable was a number of HTTP HEAD requests. A quick look at the header information via the Follow TCP Stream option in Wireshark showed a long string of numbers being sent in the Range header. Since I had already worked on this Denial of Service exploit before, the data appeared familiar. In any case, a Google search for "Range Bytes vulnerability" produces several promising results.

The CVE-ID for this vulnerability was CVE-2011-3192 and the attacker's IP clearly was 192.168.0.105.
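An added example, not from the original write-up, of the check a defender would run over the captured streams: count the byte ranges in each request's Range header and report sources that send more than five, the threshold Apache's advisory used in its CVE-2011-3192 workaround (drop Range headers with more than five ranges). The two requests are constructed samples; the attacker address is the one the write-up names, and the function names are mine.

```python
import re

# Constructed samples of what Follow TCP Stream showed (not the level's capture):
# one ordinary HEAD request and one carrying a stacked Range header.
SAMPLE_STREAMS = [
    ("192.168.0.101",
     "HEAD /index.html HTTP/1.1\r\nHost: target\r\nRange: bytes=0-499\r\n\r\n"),
    ("192.168.0.105",
     "HEAD /index.html HTTP/1.1\r\nHost: target\r\n"
     "Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10\r\n\r\n"),
]

# Apache's advisory workaround for CVE-2011-3192 dropped Range headers with
# more than five ranges; the same threshold is used here for detection.
MAX_RANGES = 5

RANGE_HEADER = re.compile(r"^Range:[ \t]*bytes=([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def count_ranges(request: str) -> int:
    """Number of byte ranges in the request's Range header (0 if there is none)."""
    match = RANGE_HEADER.search(request)
    if not match:
        return 0
    return sum(1 for part in match.group(1).split(",") if part.strip())


def flag_range_abuse(streams, max_ranges: int = MAX_RANGES) -> list:
    """(source_ip, range_count) for every request over the threshold, in order."""
    hits = []
    for src, request in streams:
        n = count_ranges(request)
        if n > max_ranges:
            hits.append((src, n))
    return hits


def suspect_sources(streams, max_ranges: int = MAX_RANGES) -> set:
    """Distinct source addresses that sent an over-limit Range header."""
    return {src for src, _ in flag_range_abuse(streams, max_ranges)}


if __name__ == "__main__":
    for src, n in flag_range_abuse(SAMPLE_STREAMS):
        print(f"{src} sent a Range header with {n} ranges")
```

On a real capture the same logic runs over the request side of each TCP stream; the count is what distinguishes legitimate resumable downloads (one or two ranges) from the overlapping-range requests behind this DoS.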


Log Analysis Level 2 URL: http://nullcon.net/challenge/c0c0n/llevel-2.php

Difficulty: Average

Solution: This level involved reading an Apache log to identify the name of the database and the table that was accessed by the attacker. As usual, the creators of this level used whatever means possible to bury this information as deep as possible, since the log contained a LOT of redundant GET requests to the server, including requests caused by running Grendel Scan!

If you scroll down slowly through the file, you will see that SQLMAP was used to exploit a SQL Injection vulnerability and a LOT of requests show that database and table name enumeration was performed. The following image shows the database name encoded in one of the requests. Note that the file was first grepped for sqlmap and then parsed through a URL decoder to clean the output a bit.

The 67,84,70,95,67,48,67,48,57 can be quickly ASCII equated to CTF_C0C09 and the table name can be obtained by constructing the characters from each log entry that reads table_schema=CTF_C0C09.

Database name: CTF_C0C09
Table name: key_efd231b97af472e52f2a5413bde54b3f
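An added example, not part of the original post, of the grep-and-decode step: pick the sqlmap requests out of the access log, URL-decode them, and turn any CHAR(...) byte list back into text. The three log lines are constructed samples in Apache combined format, not lines from the level's log, and the injected query in the third line is illustrative; the function names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not the level's log). The third line
# carries an illustrative sqlmap-style query with the schema name wrapped in CHAR().
SAMPLE_LOG = "\n".join([
    '10.0.0.7 - - [16/Oct/2011:10:12:01 +0530] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Oct/2011:10:12:05 +0530] "GET /index.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/0.9"',
    '10.0.0.9 - - [16/Oct/2011:10:12:07 +0530] "GET /index.php?id=1%20AND%20table_schema%3DCHAR%2867%2C84%2C70%2C95%2C67%2C48%2C67%2C48%2C57%29 HTTP/1.1" 200 700 "-" "sqlmap/0.9"',
])

CHAR_CALL = re.compile(r"CHAR\(\s*([\d,\s]+?)\s*\)", re.IGNORECASE)


def sqlmap_lines(log: str) -> list:
    """The 'grep sqlmap' step: keep only lines that mention the tool."""
    return [line for line in log.splitlines() if "sqlmap" in line.lower()]


def decode_char_calls(text: str) -> list:
    """URL-decode the text, then turn every CHAR(n1,n2,...) into the string it spells."""
    decoded = unquote_plus(text)
    results = []
    for match in CHAR_CALL.finditer(decoded):
        codes = [int(n) for n in match.group(1).split(",") if n.strip()]
        results.append("".join(chr(c) for c in codes))
    return results


def recovered_names(log: str) -> list:
    """Every CHAR()-encoded value found in the sqlmap requests, in log order."""
    names = []
    for line in sqlmap_lines(log):
        names.extend(decode_char_calls(line))
    return names


if __name__ == "__main__":
    print(len(sqlmap_lines(SAMPLE_LOG)), "sqlmap requests")
    print("recovered:", recovered_names(SAMPLE_LOG))
```

Filtering on the User-Agent is only as good as the tool's default string; the CHAR() decoding is the part that survives a renamed agent, since the encoding is how the tool avoids quotes in the injected query.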


Log Analysis Level 3 URL: http://nullcon.net/challenge/c0c0n/llevel-3.php

Difficulty: Easy

Solution: This was an interesting level mostly because I work a lot with Process Monitor. I finished this level in less than 5 minutes, making it the fastest level that I had played in the entire CTF. And coincidentally, I had analyzed the same malware a few weeks ago, hence I knew the answers as soon as I found a single reference to it in the PML file.

The infectedlog.zip contained a .pml file, which is basically a Process Monitor saved session. To find unwanted process activity in Process Monitor, you can eliminate known Windows processes till you hit an unwanted/unknown application, as I did till I stopped at mluchaby.exe.

The process image had all the properties that most common Windows malware possess: located in the Windows folder, a description that made it sound important, no company description etc.

The Chinese characters in the description of the process translate to "Foundation Classes Application", which meant that it was a Windows MFC application. A quick Google search for mluchaby.exe shows that it is part of the Rustock Botnet malware family. Finding the parent process was trivial since we could obtain the Parent Process ID using the properties page of the mluchaby.exe process, which was 1956. Removing all applied filters and quickly applying an Include Process PID = 1956 filter gave Explorer.exe as the result.


There was however some confusion with the malware family name, since Rustock is also known by several other names. However, the answer to the malware family was the TDSS/TDL/Alureon family and not Rustock, which I still believe to be an error on the part of the level developers. However, considering how this is such a rare oversight and in the spirit of the CTF, it's alright. The final answers are as follows:

Malware family: TDL/TDSS/Alureon
Service: mluchaby
Parent Executable: Explorer.exe

Last words

It was a brilliant CTF (mostly because I won), considering the variation in all the levels and the number of people who worked on this, I must commend them on the awesome stuff. Greetz to corrupt, Anant, Pushkar and all the others who worked on this!

- Riyaz Walikar a.k.a karniv0re

- http://www.riyazwalikar.com

- End of File -

