|
in 2015 migishu was the hapless victim of the puzzle box
it's 2016 and the puzzle box is back
Symbolic Butt posted:geez I just got home!
the puzzle box is a worthy adversary created by cocoa crispies and I'll need the help of yospos' great minds to open it
|
# ? Dec 30, 2016 01:13 |
|
<chapter 0>
I don't have my notebook available but I have this antenna thing here
indispensable gadget for every hacker
so yea now I can get into this machine using my desktop computer
ah yes, binary ninja
never heard of it before but I'm sure it's indispensable software for every hacker
let's look at the pictures
wait a minute.... let me examine the first picture... more carefully
alright!
|
# ? Dec 30, 2016 01:15 |
|
I really enjoyed the original puzzle box thread and am looking forward to this one
|
# ? Dec 30, 2016 01:52 |
|
hell yeah
|
# ? Dec 30, 2016 02:12 |
|
do you have dremel?
|
# ? Dec 30, 2016 05:33 |
|
am I the first to suggest putting you dick in it this year? Put you dick in it
|
# ? Dec 30, 2016 05:59 |
|
run metasploit on it op, its what the hax0rz use
|
# ? Dec 30, 2016 11:30 |
|
gently caress yes puzzle box try: ' or 1 = 1
|
# ? Dec 30, 2016 16:26 |
|
gimme teh binary i wanna reverse something i'm in the south of spain on holiday and bored out of my gourd
|
# ? Dec 30, 2016 16:39 |
|
spankmeister posted:gimme teh binary i wanna reverse something
go outdoors
|
# ? Dec 30, 2016 18:35 |
|
Satellit3 posted:go outdoors
I did. There were no computers there?
|
# ? Dec 30, 2016 18:44 |
|
Migishu posted:gently caress yes puzzle box
Sqli always good
|
# ? Dec 30, 2016 18:58 |
|
op make with the challenges already
|
# ? Dec 30, 2016 19:01 |
|
Did you try http://10.219.2.1/login.php
|
# ? Dec 30, 2016 19:16 |
|
vodkat posted:Did you try http://10.219.2.1/lomarf.php
|
# ? Dec 30, 2016 20:25 |
|
spankmeister posted:gimme teh binary i wanna reverse something
hows he gonna get the binary
|
# ? Dec 30, 2016 22:19 |
|
vodkat posted:Did you try http://10.219.2.1/lomarf.php KOTEX GOD OF BLOOD fucked around with this message at 23:37 on Dec 30, 2016 |
# ? Dec 30, 2016 23:21 |
|
vodkat posted:Did you try http://10.219.2.1/login.php
404 to these
I don't think the puzzle box is running php, iirc cocoa crispies is more of a ruby kind of person.
speaking of this let's check the http response headers
oh that's not very informative
|
# ? Dec 31, 2016 00:09 |
|
post the page source
|
# ? Dec 31, 2016 00:13 |
|
<chapter 1>
so let's check that url
lol
ok now it's time for some serious hacking
I press F12 and...
greenpos supremacy.
this is like one of those clicker games I think
you buy posters to produce more posts and their respective upgrades to multiply those posts
but the point doesn't seem to be to maximize
(notice what happened when I bought tori's upgrade here, that's so bullshit)
the true objective is to get to 219 posters
careful investment is needed
I wonder if you can optimize the gameplay of this kind of game with a knapsack algorithm or something... I'm pretty sure someone figured this out
alright! reached 219 posters
|
# ? Dec 31, 2016 00:21 |
|
Symbolic Butt posted:<chapter 1>
not in it voted 1
|
# ? Dec 31, 2016 00:28 |
|
oh my loving god
|
# ? Dec 31, 2016 05:32 |
|
Migishu posted:oh my loving god
Lmfao this is awesome, also Tori getting probed when you upgrade
|
# ? Dec 31, 2016 22:00 |
|
lmaoooooo @ Tori probe
|
# ? Jan 1, 2017 12:11 |
|
op did u do the netcat
|
# ? Jan 1, 2017 23:42 |
|
<chapter 2>
one important detail here is that I can't select the code
I pressed F12 again to bypass this bullshit
another thing is that if I keep playing the game and buying more posters, the code changes... this deserves further study for sure
but for now let's send this one code
suffix posted:op did u do the netcat
funny that you ask that... at this point I probably should've used netcat but I forgot about it
instead, because my brain is utterly broken by p-langing, I wrote this:
so let's see...
Nice!
I tried the url because I can't read well (or maybe I did understand it right?) and it downloaded a binary file... huh.
trying to access http://10.219.2.1:1338/level2 gives me nothing
but... hmm... this is something...
so let's xxd that binary
code:
see? now I get it, this is the binary that is running on 1338
the answer is an url to a specific port
so...
code:
I finally remembered netcat is a thing so I decided to scan every port to see if I find the one that would be the answer there
this is running right now, it's gonna take a while
maybe the right way to go about it is to actually, you know, debug the binary... but gently caress the police
|
# ? Jan 2, 2017 00:24 |
|
spankmeister posted:post the page source
I think cocoa crispies will eventually post the source of everything on his github like last year
anyway there isn't anything special in the pages source but here's the level2 binary
https://mega.nz/#!ZFth3AhJ!vemcqVGu3LT-1xTUDMPB_m4DAsZW7NonAvxe93Ww1WE
hosted by kim dotcom
|
# ? Jan 2, 2017 00:32 |
|
holy poo poo this binary ninja thing seems pretty cool
|
# ? Jan 2, 2017 01:05 |
|
This is super cool, also post about binary ninja because idk anything about it. How'd the port scan go?
|
# ? Jan 2, 2017 04:41 |
|
Symbolic Butt posted:I think cocoa crispies will eventually post the source of everything on his github like last year
sw8. I'm about to leave for the day but will take a look tonight (europe time) if you haven't figured it out by then I might be able to help.
|
# ? Jan 2, 2017 08:14 |
|
.
|
# ? Jan 2, 2017 09:33 |
|
Captain Foo posted:This is super cool, also post about binary ninja because idk anything about it. How'd the port scan go?
I'll try to learn about binary ninja and then later post about what I could get from it
about the port scan... I went to sleep, woke up the next day and it wasn't finished
spankmeister posted:sw8. I'm about to leave for the day but will take a look tonight (europe time) if you haven't figured it out by then I might be able to help.
feel free to check it, this is the level where the puzzle box is definitely outwitting me, I'm absolute crap at
today at lunch I poked the binary with gdb and got "congratulations! http://10.219.2.1:8239/" but I'm not confident this isn't garbage... I'll try this port and post the details later.
|
# ? Jan 2, 2017 15:19 |
|
Symbolic Butt posted:I'll try to learn about binary ninja and then later post about what I could get from it
if you really want to portscan nmap will do it quicker, though i wouldnt be surprised if it only starts after you put in the right password
here's an assembly listing: http://lpaste.net/82099429439438848
it looks like it reads in a line of text, then calls the "check" function, which calls check_0 to check_11 on the corresponding bytes
each of the checks does some 64-bit additions/subtractions on its byte, then checks that the result is a specific value with the xor/or combo (xor checks that the lower 32 bits is the exact value, or checks that the upper 32 bits are zero)
if a check fails it immediately calls exit(-1)
|
# ? Jan 2, 2017 17:52 |
|
suffix posted:if you really want to portscan nmap will do it quicker, though i wouldnt be surprised if it only starts after you put in the right password
confirm
|
# ? Jan 2, 2017 17:56 |
|
wow binary ninja is nice and has some nice quality of life features compared to IDA
|
# ? Jan 2, 2017 18:43 |
|
The password is: TheRealQuaid and the url becomes http://10.219.2.1:5186/ I'm a bit knackered now, but I'll promise to do a writeup.
|
# ? Jan 2, 2017 23:46 |
|
spankmeister posted:The password is: TheRealQuaid and the url becomes http://10.219.2.1:5186/
oh yes I was able to do it too in the most roundabout way
here's a preview of how I did it: https://gist.github.com/mcsalgado/5d255e6635f74f451d10bff4a32ff9be
I guessed the last character though
|
# ? Jan 3, 2017 03:35 |
|
I was lazy:
code:
|
# ? Jan 3, 2017 04:34 |
|
Symbolic Butt posted:oh yes I was able to do it too in the most roundabout way
Ah yeah guessing it char by char would work... I got the chars it expects from the code.
Cocoa Crispies posted:I was lazy:
Ah yes angr. I should really practice more with it. Especially in combination with z3.
|
# ? Jan 3, 2017 09:11 |
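An added example, not from the thread or from the puzzle box's own code: a C sketch of the check structure suffix describes (one check per byte, 64-bit add/subtract, xor/or compare), showing why the character-by-character recovery mentioned above works. The offsets, the sample input `examplepass1`, the helper names and the length test are constructed assumptions; the real binary's constants are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N 12 /* check_0 .. check_11, one per input byte */
/* Constructed constants; the real binary's values are not on the page. */
static const uint64_t ADD[N] = {0x1337, 0x2a00, 0x0419, 0x9001, 0x0777, 0x3c3c,
                                0x5186, 0x0219, 0x4444, 0x1338, 0x0c0d, 0x7e57};
static const uint64_t SUB[N] = {0x0101, 0x0042, 0x0003, 0x0500, 0x0070, 0x0c0c,
                                0x0186, 0x0019, 0x0444, 0x0338, 0x000d, 0x0e57};
static uint32_t TARGET[N];
/* The 64-bit add/subtract each check applies to its byte. */
static uint64_t mix(int i, uint8_t b) { return (uint64_t)b + ADD[i] - SUB[i]; }
/* Derive the compare constants from a sample input (hypothetical helper). */
void build_targets(const char *secret) {
    for (int i = 0; i < N; i++) TARGET[i] = (uint32_t)mix(i, (uint8_t)secret[i]);
}

/* xor: low 32 bits equal the constant; or: high 32 bits are zero. */
int check_byte(int i, uint8_t b) {
    uint64_t r = mix(i, b);
    return (((uint32_t)r ^ TARGET[i]) | (uint32_t)(r >> 32)) == 0;
}

/* All-or-nothing check; the described binary calls exit(-1) on the first miss. */
int check(const char *in) {
    if (strlen(in) != (size_t)N) return 0; /* length test is an assumption */
    for (int i = 0; i < N; i++)
        if (!check_byte(i, (uint8_t)in[i])) return 0;
    return 1;
}

/* Positions are independent: at most 256 tries each, 12*256 in total. */
int recover(char out[N + 1]) {
    int tries = 0;
    memset(out, 0, N + 1);
    for (int i = 0; i < N; i++)
        for (int b = 0; b < 256; b++) {
            tries++;
            if (check_byte(i, (uint8_t)b)) { out[i] = (char)b; break; }
        }
    return tries;
}

int main(void) {
    char out[N + 1];
    build_targets("examplepass1"); /* constructed sample input */
    printf("%d tries -> \"%s\"\n", recover(out), out);
    return 0;
}
```

Because no check depends on any other byte, the work is bounded by 12 × 256 = 3072 comparisons rather than 256^12, so a per-byte comparison gives no protection once the check logic can be read.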
|
what's in the BOX
|
# ? Jan 12, 2017 19:06 |