DRG Challenge at FIRST 2013 Summary Recap and Trivia Solutions

The Dragon Research Group, for the second year running, hosted the DRG Challenge at FIRST 2013. We undertook some architectural changes to the game and we are pleased to report all went swimmingly. Chalk up another successful and fun-filled event. We would like to acknowledge and thank all the attendees who participated as part of a challenge team, but also all those who simply stopped by or hung out at the challenge headquarters to observe the activities. We would especially like to thank the FIRST 2013 program staff, which includes the program committee, steering committee, secretariat, Cisco on-site network team and CAPS LLC for their unflappable support and assistance. Last, but not least, we are eternally grateful to those who helped provide travel support for DRG volunteers, including those employers who allow their DRG volunteers the flexibility to participate in these sorts of efforts; without them, none of this would have been possible. A special hats off to CERT.br / NIC.br, RSA Security and Team Cymru Research NFP for helping to underwrite travel costs for one or more DRG volunteers.

This time around we implemented a new, automated web-based challenge framework. This new framework provided a convenient, easy-to-use interface that managed the rollout of each individual challenge and kept track of each team's progress, aggregating progress into a main page scoreboard. As a result, we were able to offer many more challenges, but like last year, the competition was heated until the very end. Ironically, the DRG Challenge at FIRST 2013 Scoreboard shows that the team named FIRST Team, so named because they were the first team to register for the challenge, came out on top, and each participant of that team took home an iPad Mini. There were numerous determined and capable players, but the winning team best demonstrated tenacity and skill to come out on top.

As promised to all those that asked, we will begin releasing the challenges and their solutions in a series of blog posts over the coming months, starting with the trivia challenges today. Like all challenge questions, a varying amount of points were awarded based on the estimated difficulty of the challenge. Without further ado, the DRG Challenge at FIRST 2013 Trivia Questions and Answers:

Question: The size of these attacks keep growing, we saw some of the biggest ones within the past few months. (100 points)
Answer: ddos

Question: What is the number one password tried by SSH scanners? (200 points)
Answer: 12345
The DRG SSH Username and Password Authentication Tag Clouds would provide the answer.

Question: A well known weakness in a class of cryptographic functions that was largely theoretical was recently seen in the wild for the first time. What piece of malware used this weakness? (300 points)
Answer: Flame
The trailofbits MD5 collision analysis blog post is worth a look.

Question: An important algorithm was "in the news" over the past year. The hallmark feature of this algorithm involves a function with two phases that is capable of mapping any size input to any size output. (400 points)
Answer: keccak
The winner of the SHA3 competition utilizes so-called "sponge" functions, making it algorithmically different from existing and commonly used hash functions.

Question: The following assembly instruction can be used as an alternative to what popular sequence of commands used by exploit writers? call dword ptr[esp+8]
Answer: pop pop ret
These commands are commonly used by malware writers to bypass the structured exception handler (SEH) when attempting code injection. call dword ptr[esp+8] effectively moves the stack pointer to the same location in memory as pop pop ret.

Stay tuned for the next installment of the DRG Challenge at FIRST 2013 Summary Recap.

posted at 5:32 pm | permanent link

DRG Online Challenge August 2013 Solution

We received three submissions to August's challenge. Vytautas Krakauskas, for the second month running, led the way with the first submission and is now unquestionably the reigning challenge champion. Newcomer Justin Hildreth provided the second, and another returning player, last week's featured blog write-up winner Björn Zettergren, submitted another exemplary solution. Kudos to all: Vytautas handily discovered the underlying operational requirements to get the binary to run, while Justin, who admits he is "very new to this", impressed us with his enthusiasm and perseverance, and finally Björn again takes us through his efforts demonstrating vigor and thoroughness. This month we feature Justin's write-up. Take it away, Justin...

This is an outline of my approach and solution to Dragon Research Group's Online Challenge for August 2013. This was my first foray into anything resembling reverse engineering/program analysis. I had a blast and learned a lot - and I hope to learn a great deal more in this area. Throughout this process, I moved back and forth between Windows 7 and Kali Linux environments, though I don't imagine it's necessary to note when I did so in the write-up.

I downloaded the .zip file, which I found to be password protected. I fired up fcrackzip and ran it against the file - feeling a bit silly when it quickly revealed the password to be 123456.

I extracted the file, which was an unrecognized binary file. When I viewed it in a hex editor and browsed through the file, I saw two helpful clues:

  1. .ELF at the beginning of the file, suggesting this may in fact be an ELF file.
  2. A handy message pointing out that this file had been packed with the UPX executable packer.

I ran the strings tool against the binary file, but that turned up little more information.

I used UPX Packer with upx -d to unpack the file, resulting in the ELF file. Examining this file in my hex editor showed quite a few more strings. I ran the program in the terminal, resulting in message: You have 5 seconds. Factors are: %d and %d.

At this point, I tried many things with no success. What immediately occurred to me was to multiply the two factors, and enter the result. When this did not work, I thought perhaps the factors were multiplied together more than just once, and tried multiplying by each factor multiple times, hoping to randomly encounter the solution. I discarded this approach when one of the times I ran the program, one of the factors was 0. When I entered 0, without success, it became apparent that the desired input was not simply some multiple of the given factors. I did find it interesting, that the timer (at least seemed to) reset every time I entered a response. It seemed I could enter responses indefinitely, as long as I never paused longer than the duration of the timer (presumably 5 seconds).

I used objdump to get at the assembly code of the file, and spent a while digging around in there. This however, did not get me very far.

As I stated earlier, this has been my first adventure into anything of this nature. I dusted off the copy of OllyDbg refused to run the file. I was able to open the file in Evan's Debugger (edb), but it didn't seem to run correctly. I could not get it to simply run through the program, and when I tried to step-through the program, it usually got stuck in what seemed like an infinite loop (which I believe I may have seen later in my static analysis). In any event, I was never able to get it to the point in the program where the prompt exists, in order to examine the contents of the stack and registers at that point.

I had been hesitant to use IDA, as I didn't want to feel like I was running a trial, I wanted to stick to tools I could grow into. I'm glad I finally gave in, the free version of IDA will be sufficient for me to grow into for a good, long time I think.

IDA broke things down really nicely, and was a blast to use. However, my knowledge of assembly and C is so limited, that I found myself lost for the most part. I explored as best I could, with IDA up on one screen, Google up on the other, and the Malware Analysis book open on my desk. I managed to limp along enough to find the portion of code responsible for printing "The factors are..." (0804E95D).

Despite knowing the general area in which to root around now, I still was unable to parse what the program was looking for as input here. However, just a little further down, I found something very interesting - a string of sections of code that printed a bunch of single characters.

From here, it was a simple (albeit tedious) task to go through all the code, put together the string of characters listed in hex, and convert them to ASCII. This produced lines that began to reveal the mythic creature I was seeking. I did have some issues at first, as I (foolishly) ignored the loops that created space characters in some places for spacing. Once I went back and added those in, the image became very clear!

So, I never did get the active program to display the dragon image for me, but I was able to retrieve the target information from the code. This has really sparked an interest for me, and I'm excited to learn more about reverse engineering and malware analysis. Thank you to Dragon Research Group for putting on this challenge, I had a great time working through it!

For further details on how the challenge was constructed, along with notes and write-ups from all challenge players who solved the challenge, please see the updated DRG Online Challenge August 2013 page. The newest challenge, DRG Online Challenge September 2013, is now available. Visit the DRG Challenges page for information about all current, future and past challenges.

posted at 7:01 pm | permanent link
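
The first triage steps described in the write-up above (spotting the ELF magic and the UPX notice in a hex editor) can be scripted. The following Python is an added example, not part of Justin's write-up or the DRG challenge materials; the function names are hypothetical and the sample bytes are constructed for illustration, not taken from the challenge binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"  # a hex editor renders the 0x7f byte as ".", hence ".ELF"
# Markers UPX normally leaves behind: its header magic and its banner text.
# They can be stripped or altered, so absence does not prove a file is unpacked.
UPX_MARKERS = (b"UPX!", b"This file is packed with the UPX executable packer")


def triage(data: bytes) -> dict:
    """Report basic ELF header facts and any UPX markers present in data."""
    result = {"is_elf": False, "bits": None, "endian": None,
              "machine": None, "upx_markers": [], "packed": False}
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return result
    result["is_elf"] = True
    result["bits"] = {1: 32, 2: 64}.get(data[4])              # EI_CLASS
    result["endian"] = {1: "little", 2: "big"}.get(data[5])   # EI_DATA
    if result["endian"]:
        fmt = "<H" if result["endian"] == "little" else ">H"
        (machine,) = struct.unpack_from(fmt, data, 18)        # e_machine
        result["machine"] = {3: "x86", 62: "x86-64"}.get(machine, hex(machine))
    result["upx_markers"] = [m.decode() for m in UPX_MARKERS if m in data]
    result["packed"] = bool(result["upx_markers"])
    return result


def make_sample(packed: bool) -> bytes:
    """Constructed sample: a 32-bit little-endian x86 ELF header prefix only."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)         # 16 bytes
    header = e_ident + struct.pack("<HH", 2, 3)               # ET_EXEC, EM_386
    body = bytes(64)
    if packed:
        body += (b"UPX!" + bytes(8) +
                 b"$Info: This file is packed with the UPX executable packer "
                 b"http://upx.sf.net $\n")
    return header + body


if __name__ == "__main__":
    for label, blob in (("packed", make_sample(True)),
                        ("plain", make_sample(False))):
        print(label, triage(blob))
```

A file that reports packed here is a candidate for upx -d before running strings or a disassembler over it, which is the order the write-up follows.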
