NeoQUEST-2020 has come to an end, and now is the time to talk about these eventful two weeks: we will reveal the essence of the tasks (though not all of them, some will come out as separate write-ups), show the statistics on how they were solved and announce the winners!
Attention! The article contains spoilers for those who have not yet completed the tasks but honestly intend to (and there is such an opportunity: the online stage site continues to work!).
We won't torment you with a long introduction. This year's winners are:
1. hellow0rld666, 1221 points
2. KARASIQUE, 1221 points
3. ch1sh1rsk1, 1085 points
Three cheers for these guys! The fight for first place was fierce: the leader changed almost every day. It is also worth noting that hellow0rld666 and KARASIQUE completed ALL of our tasks! We could not believe our eyes, but it happens.
Fun fact: all the tasks that aroused intense interest on the first day of the competition were developed by girls 🙂
On to the tasks!
For two weeks, messages kept arriving in our email@example.com mailbox without a pause! But we are only happy about this: it means that our tasks are being solved and that they interest the participants!
So, what did we have in the tasks?
Task number 1 – “There is no reception against hacking”
The participants were given a link that led to a page with a single line of text, “Hello, world!”. What do we do first in such cases? Of course, we look into the source code of the page:
“to solve this Case use full power of GIT”. GIT is a well-known name. But why is another letter highlighted? And what if we join them together? CGIT? Exactly, I have heard of something like that!
CGIT is a web interface for Git repositories.
So, we figured it out. We follow the link 188.8.131.52/cgit, where we poke around in all the folders and try to find the key, but after a certain number of hours we understand that the point is something else.
And now people fall into two categories: those who have heard about the high-profile cgit vulnerability, and those who have not.
In any case, you have to google and find CVE-2018-14912. After that it is only sleight of hand and no trickery: 184.108.40.206/cgit/cgit.cgi/my_repo.git/objects/?path=../../../../../../../etc/passwd
We get the file with passwords, then from it we get the first part of the key:
NQ2020Gka2rFseNPexB4JsnP9k9RKulFVQDCcXwYy1aPKI + see more …
It remains to find the second part. It’s easy here: the repository doesn’t contain so many files, by enumeration we understand that there is nothing in them. But we are in the Git repository, which means that you can see all the changes that were in it! There, the information will obviously be more complete …
We go into diff, either by the “see more” pointer, or manually find “see more = e9a3c19a544e6589825fd643f4e6d5c1c4e9”, concatenate with the first part and get our key!
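The request above works because the `path` parameter is joined to the repository's objects directory without a containment check. The following is an added example, not code from cgit or from the task authors: it shows the check such an endpoint needs and reuses it to triage request URLs. `OBJECTS_ROOT`, the host `cgit.example` and both function names are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Hypothetical on-disk location of the repository's object store (assumption).
OBJECTS_ROOT = "/srv/git/my_repo.git/objects"

def resolve_object_path(user_path, root=OBJECTS_ROOT):
    """Return the normalised path under root, or None if it would escape root."""
    if not user_path or "\x00" in user_path or user_path.startswith("/"):
        return None
    # normpath is purely lexical; a real handler should also resolve symlinks
    # (os.path.realpath) before comparing against the root.
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate

def triage_request(url):
    """Classify a request to the objects endpoint: 'ok', 'traversal' or 'n/a'."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/objects"):
        return "n/a"
    # parse_qs percent-decodes, so %2e%2e%2f is seen as ../ here as well.
    values = parse_qs(parts.query).get("path", [])
    if not values:
        return "n/a"
    return "ok" if all(resolve_object_path(v) for v in values) else "traversal"

# Constructed sample requests; the first path is the one shown in the write-up.
SAMPLES = [
    "http://cgit.example/cgit/cgit.cgi/my_repo.git/objects/?path=../../../../../../../etc/passwd",
    "http://cgit.example/cgit/cgit.cgi/my_repo.git/objects/?path=%2e%2e%2f%2e%2e%2fconfig",
    "http://cgit.example/cgit/cgit.cgi/my_repo.git/objects/?path=info/packs",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_request(sample), sample)
```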
Task number 2 – “Disassemble the robot or do you have l_apk_and?”
Participants are given an apk application that is a file client. It communicates with the server and receives an encrypted file by the specified name. You need to deal with certificates and access tokens in order to get the key.
A detailed analysis of the assignment will be released as a separate article!
Assignment No. 3 – “The Most Left Look”
In this task, participants are asked to download an archive containing a 1 GB binary file with the telling name memdump.bin, from which we can assume that this is a dump of RAM …
Intrigued? Soon we will post this write-up as a separate article, because our participants were interested in this task throughout NeoQUEST!
Task number 4 – “Difficulties in writing”
The highlight of NeoQUEST-2020, a task that collected a record number of rave reviews in support! The bottom line is that the sound in the wav file is nothing more than the sound of typing on a keyboard. It is necessary to sample this sound and conduct a frequency analysis!
A more detailed explanation of the assignment will be published shortly.
Task number 5 – “Epileptic curves”
A = 119008536160574978629781290147818127606791827844670246888266509216288777541932
B = 125173392763487646441684374997817715298134647755542804722568603162177610612799
char_field = 137503105969312982065490544697816890680820287577287920391172791053955276754533
P = (24588378651043317545653993517686345205594551142728198236546389666483449174897, 64035697994960793657311999090254655816706285115803662919872675661618460099464)
Q = (70440277554855197417972068200756767916691677649413431083023577625869629031919, 72025841911476301630338043296901014469577623652063349003687337089744015808109))
This set of parameters frankly hints at the need to solve the discrete logarithm problem on an elliptic curve. Having looked at the parameters of the elliptic curve and studied its characteristics, we guess that this curve is anomalous: the order of the group of points of such a curve coincides with the characteristic of the field over which it is defined. And for this class of curves there is Smart's attack, which makes it possible to compute the required discrete logarithm quickly enough.
After that, it is a matter of technique: we write the attack code, substitute the data from the task, find the discrete logarithm and rejoice at the key obtained!
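The anomalous property described above is exactly what curve-parameter validation has to rule out, and it can be tested without counting points: multiply a point by the field characteristic and see whether the result is the point at infinity. The block below is an added example, not the organisers' code; the function names and the two toy curves over F_7 are constructed for illustration, and the `__main__` part takes A, B, char_field and P as listed in the task.

```python
INF = None  # point at infinity

def on_curve(pt, a, b, p):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + a * pt[0] + b)) % p == 0

def ec_add(p1, p2, a, p):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # P + (-P), including doubling a point with y = 0
    if x1 == x2:    # doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt, a, p):
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt, a, p)
        pt = ec_add(pt, pt, a, p)
        k >>= 1
    return acc

def is_anomalous(a, b, p, pt):
    """p*pt == INF for a finite point means p divides #E(F_p); for a prime
    p >= 7 the Hasse bound (#E < 2p) then forces #E(F_p) = p."""
    if pt is INF or not on_curve(pt, a, b, p):
        raise ValueError("need a finite point on the curve")
    return ec_mul(p, pt, a, p) is INF

# Constructed toy curves over F_7 (a, b, p, point), small enough to count by hand:
TOY_ANOMALOUS = (3, 5, 7, (1, 3))  # y^2 = x^3 + 3x + 5 has 7 points
TOY_ORDINARY = (3, 3, 7, (3, 2))   # y^2 = x^3 + 3x + 3 has 6 points

if __name__ == "__main__":
    # A, B, char_field and P as listed in the task statement.
    A = 119008536160574978629781290147818127606791827844670246888266509216288777541932
    B = 125173392763487646441684374997817715298134647755542804722568603162177610612799
    p = 137503105969312982065490544697816890680820287577287920391172791053955276754533
    P = (24588378651043317545653993517686345205594551142728198236546389666483449174897,
         64035697994960793657311999090254655816706285115803662919872675661618460099464)
    print("anomalous:", on_curve(P, A, B, p) and is_anomalous(A, B, p, P))
```

The check needs Python 3.8 or later for `pow(x, -1, p)`.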
Task number 6 – “Hidden telegrams”
Another pearl of ours, because we heard a little about geo-chats in Telegram. A detailed analysis of the task will also be released as a separate article: there are many interesting nuances here.
Task number 7 – “Align me if you can”
Given a picture:
The trick of the task is that this Diophantine equation in three variables has no positive integer solutions, which means that the point of the task is not simply to solve the equation, and you need to dig deeper!
char_field = 2733425503484079885916437054066624513727898092580736050087
base_point = (2003799601518383430823233516441563713038362096795740845531,2732921640345227083457754907818649009295467132857674744044)
open_key = (1259834880846103046383661778550941435260068858903099332507,1686622613601304663126341188899964094370838010363453830341)
secret < 4351098091135498422 ---> y ^ 2 = x ^ 3 + Ax ^ 2 + Bx
These values again hint at elliptic curves, but how are they related to this equation? It turns out there is a connection! Having found the coefficients A and B of the curve, we face a new difficulty: the points from the metadata of the picture do not belong to this curve. What to do? In the hope of finding a clue, we reread the legend and see the mention of “Twisted Sister”. Eureka! What if the points belong to a twisted curve? Now it is up to you to find a curve containing the points from the metadata. After moving to the correct twisted curve, apply the Pohlig-Hellman attack and enjoy your own cleverness!
Task number 8 – “Can I have your autograph?”
According to the NeoQUEST-2020 statistics, this task was the most difficult, so we decided to devote a separate article to it. In short, you need to figure out how to get an unsigned PDF document onto the site. To do this, participants will need to exploit an interesting vulnerability 🙂
Task number 9 – “Devote yourself to programming”
“Do not trust your eyes” is the motto we would give to this task. When you download the file with source code in C, it seems that inside there is only code that encrypts and decrypts with the AES algorithm, but not so fast, we tell you. You should pay attention to the errors in the code, as well as to the suspicious spaces and indents. Did we promise esoterica? Here you go!
The fact is that this file contains, in addition to the C code, code in esoteric programming languages: Whitespace and Spoon! The code in Whitespace gives us the key, and the code in Spoon gives us the ciphertext. Now we correct the errors in the C code, run it with the data obtained and get the key!
Assignment No. 10 – “Being Human”
OSINT this year tries not to fall behind modern trends! We created the image of a robot that wants to become human and therefore studies human habits, and let the participants loose on all the social networks in which this robot appeared.
So, the participants are given the following text: cHVibGljMTAxMTAxMTAwMTAxMDExMDAxMDAwMDAxMDAwMeKArA==. The two “=” signs literally shout: “yes, yes, I’m base64, decode me right away!”. We heed this call and get public101101100101011001000000010001. Next, we convert the binary to decimal and get public191194129. Very reminiscent of something, right?
We find the VKontakte group in which the robot collects statistics and people's answers. The questions on the wall are quite entertaining, but what interests us is the ask.fm link. There are also quite entertaining answers to questions there, but what interests us is the YouTube link. Here we find out that our robot is trying to become not only a person, but also a blogger! Only a little remains: follow the prompts in the video.
We look at the format of the password in the diary:
The city of dreams is clear from the desktop wallpaper: Paris. The name of the pet does not go unnoticed either: Rose. We see the favorite song in one of the browser tabs, and the identifier is written on a cup of coffee.
The answer is Paris.Rose.Starlight.S3574mT
Mini-task number 1
In this task, you just need to look at the source code of the page, which contains the phrase “People are making apocalypse jokes like there’s no tomorrow. Who said that?”. We find the answer to this question in Google: “Ellie”.
Mini-task number 2
We download the archive with recordings of text spoken by the bot. The bot, however, does not simply read Stephen King’s book Badlands, but reads it with errors. Having written down the missing letters, we get the phrase “book on the spread of the virus.” However, this is not the answer! We need to find a book about the spread of a virus. But the task already contains a clue that the author is the same well-known Mr. S. King! The correct answer is The Stand.
Mini-task number 3
An executable file is given. We need to get at least something out of it, preferably, of course, the key. If you run it, nothing is displayed in response. There are many ways to proceed, but the right one is to extract the strings from the file, which fit together into readable text. The answer to this task is the name of the book from which the fragment was taken: the hitchhiker’s guide to the galaxy.
Mini-task number 4
This task is a modern hacker interpretation of Einstein’s logic puzzles. There is nothing complicated in its solution; the easiest way is to build a table and see how the conditions are met. The correct answer is RREKPA. # AC + P.EDWKU.LKPGM.MASLHAC – encoded according to the condition.
Mini-task number 5
Schrödinger’s task is both simple and complex. The simplicity is in getting the answer: all you need to do is send a POST request with the flag parameter to the server, which will give the correct answer. The difficulty is that you need to think of doing it 🙂 But many of our participants valiantly dealt with it, cheers!
The statistics for this year are as follows:
The number of registered participants is 1266 people.
The number of completed tasks – 10/10
The number of participants who completed at least one task in full is 110 people.
Distribution of participants who found at least one key:
And this is a graph of the activity of our participants by competition days:
Finish the statistics section with our traditional GIF:
Let’s talk about the days to come
At the moment, we plan to hold the “Face to face” NeoQUEST-2020 at the end of June in St. Petersburg, but given the current situation in the country a reshuffle is possible. The main thing is not to worry: we will definitely meet with you this year!
We will keep the coolest and best-loved parts: talks, workshops and attack demonstrations, and add something new! Like last year, NeoQUEST will be held together with the scientific and technical conference “Methods and technical means of ensuring information security”! Guests of NeoQUEST-2020 will learn a lot about the relationship between science and cybersecurity practice, the importance of scientific research for an information security specialist and how modern information protection mechanisms work from a scientific point of view!
Those interested can take part not only in NeoQUEST, but also in the scientific sections of the conference! To learn more about participating with a talk or workshop at NeoQUEST, write to firstname.lastname@example.org, and learn more about the conference “Methods and Technical Means of Ensuring Information Security” on the joint site; for all questions, please contact email@example.com.
Ahead are write-ups of several tasks and active preparation for the “Face to face”! By the way, participants who have completed at least one task in full: check your mail, we will soon start the mailing!