Monday, 15 December 2014

CTF PGS Contest Solutions

Here is how I approached the challenges from the PGS CTF contest. The tasks are in the order in which I was able to solve them. The rules stated that the flag being searched for will start with the PGS_ prefix and will be human readable. A more complete solution is available at http://blog.codility.com/2014/12/have-you-got-1337-programming-skillz.html .

4. deepspace

That was the first one that "clicked" for me. I remembered seeing the same image a few days before. Comparing the provided SVG file with the original "Pioneer plaque", it was easy to spot the modified "ray". Decoding the binary to a string gave PGS_PIONEER. Deep space indeed.

5. 01

Just a text file full of 0s and 1s. I guessed it was a binary image and I was right. The file size could be factored only in one way, so I just had to check 2 possibilities - is it height * width or the other way around. I added line breaks and a header and loaded the file directly into Gimp, just to see a rotated QR Code. After feeding it to some online decoder I got PGS_PRIMENUMBERS.
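The reshaping step described above, as an added example that is not code from the original post: it strips everything except 0/1 from the file, enumerates every width x height factorisation of the bit count, and writes one plain PBM per candidate so each can be opened in Gimp. The 35-bit sample used when no file is given is constructed here.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the original post: reshape a text file of 0/1
// characters into plain PBM images, one per candidate width x height pair.
public class BitsToPbm {

    // Every (width, height) pair with width * height == n, excluding the 1 x n strip.
    // For the contest file n was a product of two primes, so this yields just two pairs.
    static List<int[]> dimensionPairs(int n) {
        List<int[]> pairs = new ArrayList<>();
        for (int w = 2; w <= n / 2; w++) {
            if (n % w == 0) {
                pairs.add(new int[] {w, n / w});
            }
        }
        return pairs;
    }

    // Plain PBM (P1): magic, "width height", then one row of 0/1 per line (1 = black).
    static String toPbm(String bits, int width, int height) {
        StringBuilder sb = new StringBuilder("P1\n");
        sb.append(width).append(' ').append(height).append('\n');
        for (int y = 0; y < height; y++) {
            for (int x = 0; x < width; x++) {
                sb.append(bits.charAt(y * width + x));
                sb.append(x == width - 1 ? '\n' : ' ');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Read the file named on the command line, dropping anything that is not 0 or 1
        // (line breaks, spaces); with no argument use a constructed 35-bit (5 x 7) sample.
        String bits = args.length > 0
                ? Files.readString(Path.of(args[0])).replaceAll("[^01]", "")
                : "11111" + "10001" + "10101" + "10101" + "10101" + "10001" + "11111";
        List<int[]> pairs = dimensionPairs(bits.length());
        if (pairs.isEmpty()) {
            System.err.println(bits.length() + " bits is prime: check for missing or extra characters");
        }
        for (int[] p : pairs) {
            Path out = Path.of("candidate_" + p[0] + "x" + p[1] + ".pbm");
            Files.writeString(out, toPbm(bits, p[0], p[1]));
            System.out.println("wrote " + out);
        }
    }
}
```

If the bit count is prime, the file most likely contains a stray or missing character, which is the first thing to check before trying other encodings.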

6. matrioshka

Inside the provided file there was a part that looked Base64-encoded. After decoding, I got something that I took for a Windows EXE file. In reality it was an HDD image for a VM, and the string that confused me was from the bootloader. After mounting it in VirtualBox I found a file with PGS_formatmaster inside.

10. noneshallpass

After trying to brute force 5-9 letter passwords starting with the "PGS_" prefix, I finally noticed there are two files in the archive: besides the flag there is also a PGS logo, also available on their site. Was there a known-plaintext attack on Zip files? Quick googling pointed to tools that were happy to decode the archive without the password. I still wonder what it was. The flag turned out to be: PGS_KNOWNTEXT.

1. whereami

I went back to the first one. It is supposed to be easy, right? It took me some time to notice that the first two numbers are geographic coordinates; then it was easy to spot that the third number is just the index of a letter in the name of the city the coordinates point at. Decoded flag: PGS_WORLDISSMALL.

2. math...

That equation is quite long; what if I remove the digits? Still doesn't look readable. But wait, in the sample CTF there was Morse code, what if I remove everything besides "." and "-"? The result is PGS_MORSEFOREVER. Yeah, it took me forever - trying to feed that whole equation to Wolfram Alpha and expecting some enlightening output.

3. matrix

I wasted a lot of time on this one. I was sure the information was hidden with gifshuffle and that I just needed to guess the password. So I tried running it with anything related to the "Matrix" movie. It got me nowhere. Then I decided to change the colour palette; maybe something would appear when I converted everything to green? Luckily for me, the way the colour palette looked in Gimp reminded me of something. In the end it was all about a Data Matrix barcode, and the decoded flag was: PGS_palFun

7. haxor

Just launching this APK file on Android (I used GenyMotion) created a text file with the flag: PGS_LOVES_ANDROID. Strangely enough, I tried to solve it without running it, using the decompiled code, as the app was just XORing 3 strings, but I didn't get the correct result.

8. bigmem

I still don't know what the proper solution is. After unsuccessful attempts at running this binary under Linux, I guessed that all the haiku-related symbols might be related to HaikuOS and not the type of poetry. Sadly, even running the binary under the right OS still didn't produce any output. The good thing about Haiku is that it has GDB included. After I changed the "ctfdelay" method to a single "ret" instruction there still was no visible output. I changed the format string "%c%c%c%c%c%c%c%c%c" to "%x%x%x%x%x%x%x%x%x" - then I got D7C7E26DC1E2C3C9C9. And this is where my ideas ended - dropping the most significant bit from each byte made it a bit more readable, but it still didn't match the PGS_ pattern. So I resorted to guessing. I assumed the same bytes would encode the same letters and the flag would match "PGS_.S.(.)\1". Luckily for me, one of the few words in the dictionary matching ".S.(.)\1", and the only one related to IT, was "ASCII". So PGS_ASCII it is.

While working on this task I stumbled upon ODA; it is quite handy when a quick disassembly is required.

9. tweet(y)

After many attempts to somehow load the file in GIMP, I finally tried Audacity. The file was the "Looney Tunes Outro". After looking at different spectrum graphs it was easy to see an artificial spike at a higher frequency. After filtering it with High/Low pass it sounded like a telegraph. So I wasted my time trying to decode it as Morse code. After that I tried to decode it as some kind of barcode. In the end it was just standard binary code, but I didn't notice it until I loaded it into Sonic Visualiser. I finally got the last flag: PGS_soundofsilence


[Image: on top, how I had been looking at the file; at the bottom, how I should have.]

It was my first CTF contest and I spent around 30 hours on it, mostly stuck exploring some dead ends. It is hard to remove old ideas from your head and restart with a clean mind - switching between tasks helps a bit. Of course I wouldn't do it if I didn't enjoy it; I guess everyone loves IT-related puzzles and I am not an exception.

I would love to see more feedback during the competition - for example live results/ranking, like the one in Google Code Jam. I am not sure how it is handled in other CTF contests.

Friday, 17 October 2014

Spring component-scan classpath pitfall

There is one non-intuitive behavior with Spring's component-scan - it works on the _current_ classpath. For example:

Project A

context-a.xml:

    <context:component-scan base-package="x" />


Project B (depends on Project A)

context-b.xml:

    <import resource="classpath:/context-a.xml" />

    <context:component-scan base-package="x.y" />


This will load all components from package "x.y" already at the <import> tag, because a scan of base package "x" also covers every subpackage of "x" found anywhere on the current classpath. It can lead to very strange errors in bigger projects (sudden appearance of "NoSuchBeanDefinitionException: No qualifying bean of type" errors), and trying to cherry-pick the imports/components that are actually used might be hard or even impossible.

There is a similar issue with integration tests - Spring scans all classes in the package, including test classes, for components. If you use static inner classes to override the context configuration, Spring will pick up all of them. And that problem can propagate if you reuse test support code (<classifier>tests</classifier>). Luckily this one is easy to deal with: it is possible to filter them out:

    <context:component-scan base-package="my.package">
        <!-- drop every @Configuration class in the package (the test overrides are such classes) -->
        <context:exclude-filter type="annotation" expression="org.springframework.context.annotation.Configuration" />
        <!-- regex filters are matched against the fully qualified class name -->
        <context:exclude-filter type="regex" expression=".*IT" />
        <context:exclude-filter type="regex" expression=".*Test" />
    </context:component-scan>

Friday, 7 June 2013

Unable to find a public constructor for class org.jboss.resteasy.core.AsynchronousDispatcher

This is the wonderful message that greets you when you try to deploy a simple application using RestEasy on JBoss 7.1. The workaround is simple but not very convenient. You have to disable automatic scanning in web.xml:

    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>false</param-value>
    </context-param>

and list the services manually, e.g.:

    <context-param>
        <param-name>resteasy.resources</param-name>
        <param-value>net.purevirtual.web.MyService</param-value>
    </context-param>

Other configuration options are in the documentation. And while we are on the subject of the AS: http://stackoverflow.com/questions/12511192/replaced-with-quot-when-loading-page Yes, there is nothing like an application server version labelled Final that from time to time completely mangles the JavaScript it serves.

Friday, 22 February 2013

File extensions recognized by Drools

Just in case anybody else needs it. I didn't know why KieRepository didn't pick up one file; of course I had a typo in the file extension.

    Type                                Extensions
    Drools Rule Language                .drl
    Drools XML Rule Language            .xdrl
    Drools DSL                          .dsl
    Drools DSL Rule                     .dslr
    Drools Rule Flow Language           .rf
    jBPM BPMN2 Language                 .bpmn, .bpmn2
    Decision Table                      .xls
    Binary Package                      .pkg
    Drools Business Rule Language       .brl
    Change Set                          .xcs
    XSD                                 .xsd
    Predictive Model Markup Language    .pmml
    Knowledge Descriptor                .descr

The list is copied from org.drools.builder.ResourceType.

Sunday, 14 October 2012

WINE oneliners

    fixme:d3dcompiler:D3DCompile data data_size 424, filename "memory", defines (nil), include 0x32ed50, entrypoint "VShad",

is solved by

    winetricks d3dcompiler_43

Switching to multi-arch on NVidia amd64 systems

    The following packages have unmet dependencies:
     nvidia-glx : Depends: xserver-xorg-video-nvidia (= 304.60-1) but it is not going to be installed
                  Recommends: nvidia-settings
                  Recommends: libgl1-nvidia-glx-i386 but it is not installable
                  Conflicts: nvidia-glx:i386 but 304.60-1 is to be installed

or

    err:module:load_builtin_dll failed to load .so lib for builtin L"opengl32.dll": libGL.so.1: cannot open shared object file: No such file or directory
    Direct rendering is disabled, most likely your OpenGL drivers haven't been installed correctly

is fixed by

    sudo dpkg --add-architecture i386
    sudo apt-get update
    # remove ALL nvidia related packages (the glob is quoted so the shell does not expand it against the current directory)
    dpkg -l '*nvidia*' | cut -f 3 -d ' ' | grep -v any | grep nvidia | xargs sudo apt-get purge -y
    # install the driver just for amd64
    sudo apt-get install nvidia-glx
    # install the OpenGL libs for both archs
    sudo apt-get install libgl1-nvidia-glx libgl1-nvidia-glx:i386

Thursday, 14 June 2012

Java Classes Fun Fact

java.lang.NoClassDefFoundError can be caused by a runtime exception (e.g. an NPE) in a static initialization block, or even in a static variable initializer, of the class you are trying to use.
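A small demonstration, added here and not code from the original post: the first use of Config runs its static initializer, which throws a NullPointerException; the JVM reports that as ExceptionInInitializerError and marks the class as erroneous, so every later use of Config fails with NoClassDefFoundError and the original NPE is no longer visible. The property name demo.home.dir is a hypothetical, unset one.

```java
// Added example, not code from the original post: shows why a failed static
// initializer later surfaces as NoClassDefFoundError rather than the real cause.
public class StaticInitDemo {

    static class Config {
        // Hypothetical property that is never set, so HOME is null.
        static final String HOME = System.getProperty("demo.home.dir");
        // The NPE happens here, while the class is being initialized.
        static final int HOME_LENGTH = HOME.length();
    }

    // Returns what using Config produced: a value, or the name of the error thrown.
    static String tryUse() {
        try {
            // Accessing a non-constant static field triggers class initialization.
            return "ok " + Config.HOME_LENGTH;
        } catch (Throwable t) {
            return t.getClass().getName() + ": " + t.getMessage();
        }
    }

    public static void main(String[] args) {
        // First call: ExceptionInInitializerError (cause is the NPE).
        System.out.println("first use:  " + tryUse());
        // Second call: NoClassDefFoundError "Could not initialize class ...".
        System.out.println("second use: " + tryUse());
    }
}
```

When debugging this in a real application, look for the first ExceptionInInitializerError in the log; the later NoClassDefFoundErrors are only symptoms of it.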

Thursday, 9 February 2012

Reading outlook .msg files under Linux

Got an email in a format your mail reader can't open?
I always forget that there is a great tool for doing just that: http://code.google.com/p/ruby-msg/