Hack.lu 2K13 Pay TV - web200

Published on Thursday, 24 October 2013 in CTF, Security ; tagged with hack.lu, ctf, write-up, web, 200, challenge, security, python, timing, attack

Hack.lu's CTF

Hello everyone!

Over the last two days, Hack.lu's CTF took place online.
It was a lot of fun: their IRC channel was great, and so were their challenges :)

Final results? 106th out of 413 participating teams. Well done HackGyver \o/

Now it's time for the write-up. More precisely, the one on Pay TV, their 200 points web challenge.

Pay TV, the challenge

Pay TV homepage

The website consists of a static image, a GIF (the noise on the TV) and a text input box (a decoder?).

Pay TV noise

A really simplistic design, and not much to look around, except that noise and that input field.
When I saw that noise GIF for the first time, I was really worried that some steganography was hidden inside it.

Pay TV meme not today stega

My thought? Screw you, stega, I'm not looking for you. Let's focus on the rest instead :P



Hack.lu 2K13 Robots Exclusion Committee - web150

Published on Thursday, 24 October 2013 in CTF, Security ; tagged with hack.lu, ctf, write-up, web, 150, challenge, security, python, sqli, attack, burp

Hack.lu's CTF

Hello everyone!

Over the last two days, Hack.lu's CTF took place online.
It was a lot of fun: their IRC channel was great, and so were their challenges :)

Final results? 106th out of 413 participating teams. Well done HackGyver \o/

Now it's time for the write-up. More precisely, the one on Robots Exclusion Committee, their 150 points web challenge.

Robots Exclusion Committee, the challenge

REC homepage

That web page only contains a few fields.
They only ask for credit card information :)

REC result of the form

If we submit the form with some random inputs, it redirects us to a nice "We are sorry" response.
That looks like an XSS to me, no?



Attempts to speed up gethostbyaddr

Published on Wednesday, 02 October 2013 in Python, Trick ; tagged with trick, python, gethostbyaddr, threading, internship, timeout, semaphore, gil, gethostbyname_ex

The context

Among my tasks at Société Générale, a key one is to collect information about websites in order to pentest them.

The Société Générale group has more than 150,000 employees.
It has a really complex organization, like every big company I guess.

Therefore it becomes really hard to get an overall view of all its servers, since they are spread across all the group's branches and business lines.
That is to say that I have to deal with hundreds or thousands of domain names and IP addresses, and gathering information about them takes a lot of time.

What I mean by collecting information about a website is identifying several key pieces of information, such as:

In this post, I assume that I only have IP addresses.

During some tests on getting the hostname of an IP address, I had to use gethostbyaddr.
If you have ever tried to use gethostbyaddr, you must have seen that it can take a long time to answer.
The problem with this function is that it blocks for a long time before giving up on the reverse resolution.

Among the thousands of IP addresses, a bunch of them come from ranges reserved by the SG group.
Not all of them point to a running machine, so a lot of them don't have a hostname (no PTR record), and those are exactly the lookups that hang until the resolver gives up.

Waiting 5 to 10 seconds for 1 or 2 addresses is acceptable; waiting hours and hours for thousands of them is not.
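The excerpt above states the problem but not the post's solution, so the following is an added example (not the author's code) of the standard way to bound this: run the lookups in a thread pool, give each batch a wall-clock deadline, and abandon any worker still blocked when the deadline passes. `gethostbyaddr` releases the GIL while the C resolver runs, so threads do overlap; what they cannot do is be interrupted, which is why a stuck lookup is abandoned rather than cancelled. The `fake_resolver`, its table and the 10.0.0.x addresses are constructed here so the example runs offline; swap in the default `socket.gethostbyaddr` for real use.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Return the primary hostname for `ip`, or None when it has no PTR record."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror both derive from OSError
        return None


def bulk_reverse_lookup(ips, workers=32, timeout=2.0, resolver=socket.gethostbyaddr):
    """Resolve `ips` in parallel, `workers` at a time, giving each batch `timeout` seconds.

    Returns (hostnames, timed_out): hostnames maps ip -> name, or None when there is
    no PTR record; timed_out is the set of ips still unresolved at the deadline.
    Total wall-clock time is bounded by ceil(len(ips) / workers) * timeout.
    """
    ips = list(ips)
    hostnames, timed_out = {}, set()
    for start in range(0, len(ips), workers):
        batch = ips[start:start + workers]
        # A fresh pool per batch: a blocked gethostbyaddr() call cannot be
        # interrupted, so a worker still stuck at the deadline is abandoned and
        # must not hold up the next batch (the thread itself lingers until the
        # resolver gives up; keep `workers` modest so leaks stay bounded).
        pool = ThreadPoolExecutor(max_workers=workers)
        futures = {ip: pool.submit(reverse_lookup, ip, resolver) for ip in batch}
        deadline = time.monotonic() + timeout
        for ip, fut in futures.items():
            remaining = max(0.0, deadline - time.monotonic())
            try:
                hostnames[ip] = fut.result(timeout=remaining)
            except FutureTimeout:
                hostnames[ip] = None
                timed_out.add(ip)
        pool.shutdown(wait=False)  # do not join the stuck threads
    return hostnames, timed_out


def fake_resolver(table, slow_ips=(), slow_delay=3.0):
    """Offline stand-in for socket.gethostbyaddr, built from a constructed table
    (assumption: this mimics the (hostname, aliases, ips) tuple shape of the real call)."""
    def resolve(ip):
        if ip in slow_ips:
            time.sleep(slow_delay)  # simulate a PTR query that hangs until the resolver gives up
        if ip not in table:
            raise socket.herror(1, "Unknown host")
        return (table[ip], [], [ip])
    return resolve


# Constructed sample input: hypothetical private addresses and names, not real hosts.
SAMPLE_TABLE = {"10.0.0.1": "web1.example.test", "10.0.0.2": "mail.example.test"}
SAMPLE_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def demo():
    """Batch-resolve the sample: 10.0.0.3 has no PTR, 10.0.0.4 never answers in time."""
    resolver = fake_resolver(SAMPLE_TABLE, slow_ips={"10.0.0.4"})
    started = time.monotonic()
    hostnames, timed_out = bulk_reverse_lookup(SAMPLE_IPS, workers=4, timeout=0.5, resolver=resolver)
    return hostnames, timed_out, time.monotonic() - started


if __name__ == "__main__":
    names, stuck, elapsed = demo()
    for ip in SAMPLE_IPS:
        print(ip, names[ip], "(timed out)" if ip in stuck else "")
    print("elapsed: %.2fs" % elapsed)
```

With the fake resolver the batch returns after roughly the 0.5 s deadline instead of the 3 s the hanging lookup would take, and the caller can tell "no PTR record" (None, not in `timed_out`) from "resolver never answered" (in `timed_out`), which matters when deciding whether an address is worth a second, slower pass.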



Maintenance from TonBNC

Published on Tuesday, 01 October 2013 in Blog ; tagged with blog

Due to maintenance by TonBNC on server9, you may have noticed that the blog was down for the last two days.

The maintenance finished on Sunday night, but for some unknown reason the network interface configuration disappeared...
The administrators gave me serial console access and I was able to bring it back up.
All services have now been successfully restarted.

Too bad that my uptime of 182 days disappeared too :'(


Internship for the next 6 months

Published on Saturday, 31 August 2013 in Blog ; tagged with blog, internship, intern, societe generale

I will spend the next 24 weeks at Société Générale, in their Information Systems Security department.
Therefore I will have less time for posting here.

I will try to write a paper about the packer project though, since it progressed substantially this summer.

See you then!



contactdepier.re License WTFPL2