
Commit 66b56c6

Added syskronctf
1 parent 7387129 commit 66b56c6


13 files changed

+311
-0
lines changed

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
--------------- START LOG FILE ---------------
2+
3+
20191003080257 - 08:61:95:bb:bb:bb - INI
4+
20191003080301 - 08:61:95:aa:aa:aa - CHA VkcV29UKCGbfuZyqea7uKbZ9
5+
20191003080308 - 08:61:95:bb:bb:bb - RES 5daaa90b563017184bb8dc277f63f02366a59519113b9ac87ba6fd46f93dc1ff
6+
20191003080308 - 08:61:95:bb:bb:bb - RES 01b4e096bcb756f176beaa2ebbb99ef144dc3fb0bc2d27e5fe63a5601e3abace
7+
20191003080308 - 08:61:95:bb:bb:bb - RES db00873b16b99e32c6c67672ea52df6769cf7801ebb3dbf168f5b2e0f2ecc3bf
8+
20191003080309 - 08:61:95:bb:bb:bb - RES 146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
9+
20191003080309 - 08:61:95:bb:bb:bb - RES 67dacf84cce58a6bf283d62354ad05052fe42808b59866dfb30137a08b4ff12d
10+
20191003080309 - 08:61:95:bb:bb:bb - RES c13dcb97dccf5e3942324409202a103eb9f007866f247ebea48e2a67cbbcd07f
11+
20191003080309 - 08:61:95:bb:bb:bb - RES d72a057ba7fddd03cae3d3f7d75f865fb1c2ddbe8ef65afc0ce8fbc0fc4122cb
12+
20191003080309 - 08:61:95:bb:bb:bb - RES 6eddcbed70839add89ed38c3068ffe6780f7b86f0bc7276e2d7e06f47ea2e05a
13+
20191003080310 - 08:61:95:bb:bb:bb - RES 146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
14+
20191003080310 - 08:61:95:bb:bb:bb - RES d72a057ba7fddd03cae3d3f7d75f865fb1c2ddbe8ef65afc0ce8fbc0fc4122cb
15+
20191003080310 - 08:61:95:bb:bb:bb - RES db00873b16b99e32c6c67672ea52df6769cf7801ebb3dbf168f5b2e0f2ecc3bf
16+
20191003080311 - 08:61:95:bb:bb:bb - RES 4c1b4d5c926c4160b19effa23c93710f3086866a74aca5dad801fd81118d8d68
17+
20191003080311 - 08:61:95:bb:bb:bb - RES 67dacf84cce58a6bf283d62354ad05052fe42808b59866dfb30137a08b4ff12d
18+
20191003080311 - 08:61:95:bb:bb:bb - RES 4d4ac18fd35d3707fc3671d372bbe494691b01611632359c7d39b7becbfc1184
19+
20191003080311 - 08:61:95:bb:bb:bb - RES 4d4ac18fd35d3707fc3671d372bbe494691b01611632359c7d39b7becbfc1184
20+
20191003080312 - 08:61:95:bb:bb:bb - RES 571aef6ff2d25a7a32c3a9fc3b1c06d874979f082b5e90b0c30a01203885a2b0
21+
20191003080312 - 08:61:95:bb:bb:bb - RES fdc984b4a8fec04fcb9faacf99f9dbfd0fbef0a33906c3fa89d9fb0b63947a0e
22+
20191003080312 - 08:61:95:bb:bb:bb - RES 146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
23+
20191003080312 - 08:61:95:bb:bb:bb - RES 588917d1f04bbc53aed45c6db061092dde79af4c5fc3f01e96eab2e86b30e581
24+
20191003080312 - 08:61:95:bb:bb:bb - RES a122c3b77eaf01341cc0c7da6e45e7ff9ff57f97a4c9542ad7e96a0f28499029
25+
20191003080313 - 08:61:95:bb:bb:bb - RES fdc984b4a8fec04fcb9faacf99f9dbfd0fbef0a33906c3fa89d9fb0b63947a0e
26+
20191003080313 - 08:61:95:bb:bb:bb - RES 8419e8ddded5e57e71db42841f865f9fd751ec3b8e0395ba36818b52a015e47e
27+
20191003080313 - 08:61:95:bb:bb:bb - RES af621e444935d03bc563e24982ad25d19c3ca4f52341232c978f7e63c809a27e
28+
20191003080313 - 08:61:95:bb:bb:bb - RES 572c394ed63437090aec71c806d92a2a10d5e3651eb30a91d1573ba3d37f4ad9
29+
20191003080345 - 08:61:95:aa:aa:aa - MSG 24066241b2c524457a58196640197307469c18fd71bb6de304501a8d50981e25
30+
20191003080347 - 08:61:95:bb:bb:bb - MSG 07d89c21b9dd1eb81e26d52398da02a3d000ba82f9198b2b3311cb1cda901418
31+
32+
---------------- END LOG FILE ----------------
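Review bot: nothing on this page names the file or ties it to a challenge directory; a reference from the Enhanced PLC Encryption Standard README (or a one-line comment at the top of the log) would make the layout self-explanatory. From the content it is clearly the sample log the challenge text mentions: one `INI` line, one `CHA` line from `08:61:95:aa:aa:aa` carrying the challenge `VkcV29UKCGbfuZyqea7uKbZ9`, 24 `RES` lines from `08:61:95:bb:bb:bb` (matching the 24-byte key the description advertises), then one `MSG` line from each side. The repeated digests among the `RES` lines (e.g. `146797c2...` three times) are themselves a tell: identical responses mean identical password characters, which only happens because each character is hashed on its own.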
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
# Enhanced PLC Encryption Standard
2+
3+
## Crypto - Points: 600
4+
5+
> Our IT department wants us to encrypt our PLC traffic. So we created our own encryption scheme, called the Enhanced PLC Encryption Standard.
6+
>
7+
> The idea is simple, and brilliant:
8+
>
9+
> 1.) Every PLC gets the shared secret password – this is so long, nobody can brute force it.
10+
>
11+
> 2.) If two devices want to communicate, one of them (A) sends a unique challenge to the other device (B).
12+
>
13+
> 3.) B gets the challenge, and hashes each character of the password with the challenge: response = hash(char + challenge).
14+
>
15+
> 4.) For security purposes, we use SHA-256 here (no insecure MD5 or SHA-1!). We also hash each character separately, so the full password can't be leaked if an attacker records the responses.
16+
>
17+
> 5.) B sends a lot of responses back to A. A knows the length of the password, and the password itself. So A can terminate the connection if responses are missing, or if there are too many responses.
18+
>
19+
> 6.) A also conducts hash(char + challenge), and compares every response. If there is any mismatch, A terminates the connection.
20+
>
21+
> 7.) If every response matches, A and B start to communicate using the shared secret password as the key. We use 3DES in CBC mode here, because our PLCs don't support military-grade AES.
22+
>
23+
> We sent a sample log to IT. For us, this looks clearly encrypted and secure. Our key is 24 bytes strong. One website says it takes 76 SEXTILLION YEARS to crack this.
24+
>
25+
> P.S. We didn't find a possibility to implement an IV, so it's 8 times 0.
26+
27+
Since every character of the key is hashed separately, we can calculate the hashes of all printable characters and compare with the responses to get the key and finally decrypt the DES3 encrypted messages.
28+
29+
flag: `{never-roll-your-own-crypto}`
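Review bot: the closing explanation would be clearer if it stated why the scheme fails rather than only what to do: because every character is hashed separately with the same challenge, an observer needs just one SHA-256 per printable character (100 candidates) to build a lookup table, and then reads the password off the 24 responses position by position; the password length, which the description relies on, plays no role. It is also worth naming the solve script and saying that the 24 recovered characters are used directly as the 24-byte 3DES key together with the fixed IV from the P.S., since the README currently jumps from "get the key" to the flag.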
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
import hashlib
2+
import string
3+
import binascii
4+
5+
from Crypto.Cipher import DES3
6+
7+
challenge = "VkcV29UKCGbfuZyqea7uKbZ9"
8+
9+
table = []
10+
11+
for c in string.printable:
12+
m = hashlib.sha256()
13+
m.update(c+challenge)
14+
table.append(m.hexdigest())
15+
16+
hashes = '''5daaa90b563017184bb8dc277f63f02366a59519113b9ac87ba6fd46f93dc1ff
17+
01b4e096bcb756f176beaa2ebbb99ef144dc3fb0bc2d27e5fe63a5601e3abace
18+
db00873b16b99e32c6c67672ea52df6769cf7801ebb3dbf168f5b2e0f2ecc3bf
19+
146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
20+
67dacf84cce58a6bf283d62354ad05052fe42808b59866dfb30137a08b4ff12d
21+
c13dcb97dccf5e3942324409202a103eb9f007866f247ebea48e2a67cbbcd07f
22+
d72a057ba7fddd03cae3d3f7d75f865fb1c2ddbe8ef65afc0ce8fbc0fc4122cb
23+
6eddcbed70839add89ed38c3068ffe6780f7b86f0bc7276e2d7e06f47ea2e05a
24+
146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
25+
d72a057ba7fddd03cae3d3f7d75f865fb1c2ddbe8ef65afc0ce8fbc0fc4122cb
26+
db00873b16b99e32c6c67672ea52df6769cf7801ebb3dbf168f5b2e0f2ecc3bf
27+
4c1b4d5c926c4160b19effa23c93710f3086866a74aca5dad801fd81118d8d68
28+
67dacf84cce58a6bf283d62354ad05052fe42808b59866dfb30137a08b4ff12d
29+
4d4ac18fd35d3707fc3671d372bbe494691b01611632359c7d39b7becbfc1184
30+
4d4ac18fd35d3707fc3671d372bbe494691b01611632359c7d39b7becbfc1184
31+
571aef6ff2d25a7a32c3a9fc3b1c06d874979f082b5e90b0c30a01203885a2b0
32+
fdc984b4a8fec04fcb9faacf99f9dbfd0fbef0a33906c3fa89d9fb0b63947a0e
33+
146797c2afa9e1a2ad2ff8f05de647702949923f9a5dc12b26452b2c520c3340
34+
588917d1f04bbc53aed45c6db061092dde79af4c5fc3f01e96eab2e86b30e581
35+
a122c3b77eaf01341cc0c7da6e45e7ff9ff57f97a4c9542ad7e96a0f28499029
36+
fdc984b4a8fec04fcb9faacf99f9dbfd0fbef0a33906c3fa89d9fb0b63947a0e
37+
8419e8ddded5e57e71db42841f865f9fd751ec3b8e0395ba36818b52a015e47e
38+
af621e444935d03bc563e24982ad25d19c3ca4f52341232c978f7e63c809a27e
39+
572c394ed63437090aec71c806d92a2a10d5e3651eb30a91d1573ba3d37f4ad9'''
40+
41+
key = ""
42+
43+
for line in hashes.splitlines():
44+
key += string.printable[table.index(line)]
45+
46+
print key
47+
48+
cipher = DES3.new(key, DES3.MODE_CBC, "0"*8)
49+
print cipher.decrypt(binascii.unhexlify("07d89c21b9dd1eb81e26d52398da02a3d000ba82f9198b2b3311cb1cda901418"))
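Review bot: the script is Python 2 only: `print key` and `print cipher.decrypt(...)` are statements, and `m.update(c+challenge)` passes a `str`, which Python 3's hashlib rejects. A Python 3 version would be `m.update((c + challenge).encode())`, `print(key)` and `DES3.new(key.encode(), DES3.MODE_CBC, iv=b"0" * 8)`. Two further points: the IV `"0"*8` is eight ASCII `'0'` bytes (0x30), not eight NUL bytes, so a comment should say which reading of the description's "8 times 0" actually produced the flag (with CBC a wrong IV only garbles the first 8-byte block, so the difference is visible in the output); and `table.index(line)` raises `ValueError` for any response that is not in the table, which is fine for this log but worth a comment. The `MSG` from `08:61:95:aa:aa:aa` (`24066241...`) is never decrypted; decrypting both would show the full exchange.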
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
# Schlamperei
2+
3+
## Crypto - Points: 200
4+
5+
> I suspect the new IoT-Gateway module, which has been installed on the machine, is sending back some data to the vendor. I was able to extract a message from the network traffic, but the content doesn't make sense. Maybe the setup archive that I found on the machine is helpful.
6+
>
7+
> [message.txt](message.txt)
8+
>
9+
> [setup_customerID_9721.zip](setup_customerID_9721.zip)
10+
11+
The provided ZIP archive is password protected with a very weak password. I used `john` to crack it.
12+
13+
$ zip2john setup_customerID_9721.zip > hash
14+
$ john hash
15+
16+
The password is `9721` and lets to extract the archive. It contains a GPG encrypted sessionkey `sessionkey_2fishecb.txt.gpg` that might be the key to decrypt the `message.txt`.
17+
18+
Additionally there is a `71062c43B022BE72_public-key.txt` that contains public and private keys! Lets import the keys with `gpg --import 71062c43B022BE72_public-key.txt`, but we need the passphrase. When looking in the `README.txt` there is a note at the bottom that states:
19+
20+
NOTE: The old default encryption password 'VMC' has been replaced since 09/2018. Please use the new one.
21+
22+
And looking at the top:
23+
24+
Copyright MY F4N74571C M4CH1N3 C0rP (MFMC) - formerly known as V41U3 M4CH1N3 C0rP (VMC)
25+
26+
So `MFMC` might be the password. This allows to import the GPG keys and decrypt the sessionkey:
27+
28+
$ gpg -d sessionkey_2fishecb.txt.gpg
29+
gpg: encrypted with 2048-bit RSA key, ID 71062C43B022BE72, created 2019-09-15
30+
"MYF4N74571CM4CH1N3C0rP (MFMC)"
31+
A0 C9 18 74 33 F2 2C 00 83 2B 1E 99 22 10 1A 6A
32+
33+
The filename of the key hints that the message is encrypted with `TWOFISH ECB`, so I quickly found [this](http://twofish.online-domain-tools.com/) website where I could paste the hex values of the message and the key to get the flag.
34+
35+
flag: `{silence_is_golden}`
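Review bot: a few wording fixes would help readability: "lets to extract the archive" should be "lets us extract the archive", "Lets import the keys" should be "Let's import the keys", and "This allows to import" should be "This allows us to import". On substance, the decrypted session key is 16 bytes (128 bits), which the writeup could say explicitly since it is the only hint at the Twofish key size. Finally, pasting the key and ciphertext into an online decryption tool hands both to a third party; it is harmless for a CTF artefact, but the writeup should not present it as the general approach, and a note that a local Twofish implementation works just as well would be a better signal to readers.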
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
6C C4 4E FD 19 11 1D 07 23 DB 20 9A 3D 3B 32 1B 48 AC 9E 7B 99 F1 3D EE 1D 8B B2 93 4F EF ED 87 02 B8 DD 44 35 F5 A7 89 33 08 9E 8C 3D 09 7E 1B F4 DC 99 2B 3A 07 B4 5F C0 A1 56 28 FA 85 B0 3B 4B E1 2A EF 67 F3 F7 37 70 A3 43 09 4E 8C B4 7D 94 FE 4A E3 47 42 0A 6B D2 AB E1 D4 0E 71 38 5B 67 93 DE 51 30 B7 78 59 C9 DE 34 4F AC 06 72 FD 79 79 7A 3D 7F CD 26 30 2A E5 01 B1 E4 68 0A 3B
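Review bot: the message is exactly 128 bytes, i.e. eight full 16-byte Twofish blocks, so ECB decryption yields plaintext with no padding to strip; the README could mention this as a quick sanity check that the ECB guess from the key filename is consistent with the data.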
Binary file not shown.
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# Error log
2+
3+
## OSINT - Points: 200
4+
5+
> Something doesn't look right here.
6+
>
7+
> [motor-log.txt](motor-log.txt)
8+
9+
The error log contains various entries that state to check interface numbers, where the numbers look like characters in octal representation, so converting them to ASCII gives the flag.
10+
11+
flag: `{the-motor-needs-to-be-replaced!}`
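Review bot: the explanation would benefit from one concrete example of the mapping and a pointer to the solve script: the first and last interface numbers in the log, 173 and 175, are octal for `{` and `}`, which matches the flag's braces, and the recurring 55 is `-`. Stating that gives the reader the check that confirms the octal hypothesis before running anything.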
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,131 @@
1+
--------------------------------------------------------------------------------
2+
1: Sep 7 18:44:24 2019 - Motor 8 - Error code 174 - First occurrence
3+
Motor emergency break enabled - check interface 173
4+
5+
--------------------------------------------------------------------------------
6+
2: Sep 7 18:45:56 2019 - Motor 8 - Error code 174
7+
Motor emergency break enabled - check interface 164
8+
9+
--------------------------------------------------------------------------------
10+
3: Sep 7 18:46:54 2019 - Motor 8 - Error code 174
11+
Motor emergency break enabled - check interface 150
12+
13+
--------------------------------------------------------------------------------
14+
4: Sep 7 18:47:33 2019 - Motor 8 - Error code 174
15+
Motor emergency break enabled - check interface 145
16+
17+
--------------------------------------------------------------------------------
18+
5: Sep 7 18:48:50 2019 - Motor 8 - Error code 174
19+
Motor emergency break enabled - check interface 55
20+
21+
--------------------------------------------------------------------------------
22+
6: Sep 7 18:49:48 2019 - Motor 8 - Error code 174
23+
Motor emergency break enabled - check interface 155
24+
25+
--------------------------------------------------------------------------------
26+
7: Sep 7 18:50:23 2019 - Motor 8 - Error code 174
27+
Motor emergency break enabled - check interface 157
28+
29+
--------------------------------------------------------------------------------
30+
8: Sep 7 18:51:21 2019 - Motor 8 - Error code 174
31+
Motor emergency break enabled - check interface 164
32+
33+
--------------------------------------------------------------------------------
34+
9: Sep 7 18:52:29 2019 - Motor 8 - Error code 174
35+
Motor emergency break enabled - check interface 157
36+
37+
--------------------------------------------------------------------------------
38+
10: Sep 7 18:53:24 2019 - Motor 8 - Error code 174
39+
Motor emergency break enabled - check interface 162
40+
41+
--------------------------------------------------------------------------------
42+
11: Sep 7 18:54:49 2019 - Motor 8 - Error code 174
43+
Motor emergency break enabled - check interface 55
44+
45+
--------------------------------------------------------------------------------
46+
12: Sep 7 18:55:21 2019 - Motor 8 - Error code 174
47+
Motor emergency break enabled - check interface 156
48+
49+
--------------------------------------------------------------------------------
50+
13: Sep 7 18:56:34 2019 - Motor 8 - Error code 174
51+
Motor emergency break enabled - check interface 145
52+
53+
--------------------------------------------------------------------------------
54+
14: Sep 7 18:57:49 2019 - Motor 8 - Error code 174
55+
Motor emergency break enabled - check interface 145
56+
57+
--------------------------------------------------------------------------------
58+
15: Sep 7 18:58:23 2019 - Motor 8 - Error code 174
59+
Motor emergency break enabled - check interface 144
60+
61+
--------------------------------------------------------------------------------
62+
16: Sep 7 18:59:32 2019 - Motor 8 - Error code 174
63+
Motor emergency break enabled - check interface 163
64+
65+
--------------------------------------------------------------------------------
66+
17: Sep 7 19:00:44 2019 - Motor 8 - Error code 174
67+
Motor emergency break enabled - check interface 55
68+
69+
--------------------------------------------------------------------------------
70+
18: Sep 7 19:01:38 2019 - Motor 8 - Error code 174
71+
Motor emergency break enabled - check interface 164
72+
73+
--------------------------------------------------------------------------------
74+
19: Sep 7 19:02:16 2019 - Motor 8 - Error code 174
75+
Motor emergency break enabled - check interface 157
76+
77+
--------------------------------------------------------------------------------
78+
20: Sep 7 19:03:34 2019 - Motor 8 - Error code 174
79+
Motor emergency break enabled - check interface 55
80+
81+
--------------------------------------------------------------------------------
82+
21: Sep 7 19:04:49 2019 - Motor 8 - Error code 174
83+
Motor emergency break enabled - check interface 142
84+
85+
--------------------------------------------------------------------------------
86+
22: Sep 7 19:05:42 2019 - Motor 8 - Error code 174
87+
Motor emergency break enabled - check interface 145
88+
89+
--------------------------------------------------------------------------------
90+
23: Sep 7 19:06:45 2019 - Motor 8 - Error code 174
91+
Motor emergency break enabled - check interface 55
92+
93+
--------------------------------------------------------------------------------
94+
24: Sep 7 19:07:25 2019 - Motor 8 - Error code 174
95+
Motor emergency break enabled - check interface 162
96+
97+
--------------------------------------------------------------------------------
98+
25: Sep 7 19:08:32 2019 - Motor 8 - Error code 174
99+
Motor emergency break enabled - check interface 145
100+
101+
--------------------------------------------------------------------------------
102+
26: Sep 7 19:09:11 2019 - Motor 8 - Error code 174
103+
Motor emergency break enabled - check interface 160
104+
105+
--------------------------------------------------------------------------------
106+
27: Sep 7 19:10:11 2019 - Motor 8 - Error code 174
107+
Motor emergency break enabled - check interface 154
108+
109+
--------------------------------------------------------------------------------
110+
28: Sep 7 19:11:27 2019 - Motor 8 - Error code 174
111+
Motor emergency break enabled - check interface 141
112+
113+
--------------------------------------------------------------------------------
114+
29: Sep 7 19:12:27 2019 - Motor 8 - Error code 174
115+
Motor emergency break enabled - check interface 143
116+
117+
--------------------------------------------------------------------------------
118+
30: Sep 7 19:13:24 2019 - Motor 8 - Error code 174
119+
Motor emergency break enabled - check interface 145
120+
121+
--------------------------------------------------------------------------------
122+
31: Sep 7 19:14:47 2019 - Motor 8 - Error code 174
123+
Motor emergency break enabled - check interface 144
124+
125+
--------------------------------------------------------------------------------
126+
32: Sep 7 19:15:47 2019 - Motor 8 - Error code 174
127+
Motor emergency break enabled - check interface 41
128+
129+
--------------------------------------------------------------------------------
130+
33: Sep 7 19:16:44 2019 - Motor 8 - Error code 174
131+
Motor emergency break enabled - check interface 175
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
data = [173, 164, 150, 145, 55, 155, 157, 164, 157, 162, 55, 156, 145, 145, 144, 163, 55, 164, 157, 55, 142, 145, 55, 162, 145, 160, 154, 141, 143, 145, 144, 41, 175]
2+
3+
print("".join(chr(int('0o' + str(d), 8)) for d in data))
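Review bot: the `'0o'` prefix in `int('0o' + str(d), 8)` is redundant; `int(str(d), 8)` already parses the value as octal, so `chr(int(str(d), 8))` reads more directly. The 33 values are also hand-copied from `motor-log.txt`; parsing the log itself (for example with `re.findall(r"check interface (\d+)", text)`) removes the transcription step and makes the script reusable if the log changes.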
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
# Packets are wonderful
2+
3+
## Forensics - Points: 500
4+
5+
> All the PLCs programs have a high information value. I just have to get it.
6+
>
7+
> [fieldbus.pcapng](fieldbus.pcapng)
8+
9+
When executing `strings fieldbus.pcapng` you can find the base64 string `e3M3X3IwY2tzfQ==` that gives the flag after decoding.
10+
11+
flag: `{s7_r0cks}`
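Review bot: the writeup jumps from `strings fieldbus.pcapng` to the one base64 token; a pcapng contains many printable runs, so saying how the token was spotted (for instance filtering `strings` output for base64-looking runs or for the `=` padding) would make the step reproducible. The token does decode to the flag as stated: `e3M3X3IwY2tzfQ==` is the base64 of `{s7_r0cks}`.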
