DRG Challenge at FIRST 2013 Summary Recap and Trivia Solutions
The Dragon Research Group, for the second year running, hosted the DRG Challenge at FIRST 2013. We
undertook some architectural changes to the game and we are pleased to
report all went swimmingly. Chalk up another successful and fun-filled
event. We would like to acknowledge and thank all the attendees who
participated as part of a challenge team, but also all those who simply
stopped by or hung out at the challenge headquarters to observe the
activities. We would especially like to thank the FIRST 2013 program
staff, which includes the program committee, steering committee,
secretariat, Cisco on-site network team and CAPS LLC, for their
unflappable support and assistance. Last, but not least, we are
eternally grateful to those who helped provide travel support for DRG
volunteers, including those employers who allow their DRG volunteers the
flexibility to participate in these sorts of efforts; without that,
none of this would have been possible. A special hats off to CERT.br / NIC.br,
RSA Security and Team Cymru Research NFP for helping to
underwrite travel costs for one or more DRG volunteers.
This time around we implemented a new, automated web-based challenge
framework. It provided a convenient, easy-to-use interface that managed
the roll-out of each individual challenge and kept track of each team's
progress, aggregating it into a scoreboard on the main page. As a
result, we were able to offer many more challenges, but like last year,
the competition was heated until the very end. Fittingly, the DRG
Challenge at FIRST 2013 Scoreboard shows that the team named FIRST Team,
so named because they were the first team to register for the challenge,
came out on top, and each member of that team took home an iPad Mini.
There were numerous determined and capable players, but the winning team
best demonstrated the tenacity and skill needed to come out on top.
As promised to all those who asked, we will begin releasing the
challenges and their solutions in a series of blog posts over the coming
months, starting with the trivia challenges today. As with all challenge
questions, a varying number of points was awarded based on the
estimated difficulty of each challenge. Without further ado, the DRG
Challenge at FIRST 2013 Trivia Questions and Answers:
- Question: The size of these attacks keeps growing; we saw some of
the biggest ones within the past few months.
- Answer: ddos
- For scale: the March 2013 DNS amplification attack against Spamhaus
peaked at roughly 300 Gbps, a record at the time.
- Question: What is the number one password tried by SSH scanners?
- Answer: 12345
- The DRG SSH Username
and Password Authentication Tag Clouds would provide the
- Question: A well-known weakness in a class of cryptographic
functions that was largely theoretical was recently seen in the
wild for the first time. What piece of malware used this
weakness? (300 points)
- Answer: Flame
- Flame's forged Microsoft code-signing certificate was produced with an
MD5 chosen-prefix collision, a new variant of the technique that had
been publicly demonstrated against a commercial CA back in 2008; the
trailofbits MD5 collision analysis blog post is worth a look.
- Question: An important algorithm was "in the news" over the past
year. The hallmark feature of this algorithm involves a function
with two phases that is capable of mapping any size input to any
size output. (400 points)
- Answer: keccak
- The winner of the NIST SHA-3 competition is built on the so-called
sponge construction, which makes it structurally different from the
Merkle-Damgard designs behind MD5, SHA-1 and SHA-2. An absorbing phase
XORs the input, block by block, into a fixed-size state and applies a
permutation after each block; a squeezing phase then reads output
blocks out of the state, permuting between them, for as long as output
is wanted. The same primitive therefore yields fixed-length digests
(SHA3-256 and friends) or extendable output (SHAKE128/256).
- Question: The following assembly instruction can be used as an
alternative to what popular sequence of commands used by exploit
call dword ptr [esp+8]
- Answer: pop pop ret
- Both are the classic gadget of an SEH overwrite exploit, in which a
stack overflow clobbers an EXCEPTION_REGISTRATION record and the
Structured Exception Handler (SEH) dispatcher is then tricked into
calling the attacker's chosen address as a handler. At the moment the
handler is entered, [esp+8] is the EstablisherFrame argument: a pointer
back to that overwritten record on the stack, whose first field (the
next-SEH pointer) now holds attacker-supplied bytes, typically a short
jump. pop pop ret discards the first two arguments and returns into
that record; call dword ptr [esp+8] reaches the same address directly.
The two do not leave esp in the same place, however: pop pop ret
consumes three dwords (esp moves up by 12), while the call pushes a
return address (esp moves down by 4), which matters if the next stage
depends on esp.
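To make the sponge's two phases from the Keccak question concrete, here is an added Python implementation of Keccak-f[1600] and the absorb/squeeze loop. This is example code written for this page, not DRG's code and not the Keccak team's, although it follows the structure of their compact reference design; the function names are my own. It reproduces SHA3-256 and SHAKE128 and checks itself against CPython's hashlib.

```python
import hashlib

MASK64 = (1 << 64) - 1

def rol64(a, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64

def keccak_f1600(lanes):
    """Apply the Keccak-f[1600] permutation to a 5x5 array lanes[x][y]."""
    lfsr = 1  # generates the iota round constants
    for _ in range(24):
        # theta: XOR each lane with the parity of two neighbouring columns
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (per-lane rotation) and pi (lane shuffle), walked in one pass
        x, y = 1, 0
        cur = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], rol64(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step, applied row by row
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: XOR an LFSR-derived round constant into lane (0,0)
        for j in range(7):
            lfsr = ((lfsr << 1) ^ ((lfsr >> 7) * 0x71)) & 0xFF
            if lfsr & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes

def _permute(state):
    """Run Keccak-f[1600] on a 200-byte state (lanes are little-endian)."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out

def keccak(rate_bits, capacity_bits, data, suffix, out_len):
    """Sponge: absorb data, pad, then squeeze out_len bytes.

    suffix is the domain-separation byte (0x06 for SHA-3, 0x1F for SHAKE)
    placed in front of the pad10*1 padding.
    """
    assert rate_bits + capacity_bits == 1600 and rate_bits % 8 == 0
    rate = rate_bits // 8
    state = bytearray(200)
    # absorbing phase: XOR each rate-sized block into the state, then permute
    offset = block = 0
    while offset < len(data):
        block = min(len(data) - offset, rate)
        for i in range(block):
            state[i] ^= data[offset + i]
        offset += block
        if block == rate:
            state = _permute(state)
            block = 0
    # padding (suffix || 10*1) and the switch to the squeezing phase
    state[block] ^= suffix
    if (suffix & 0x80) and block == rate - 1:  # suffix and final 1 bit would collide
        state = _permute(state)
    state[rate - 1] ^= 0x80
    state = _permute(state)
    # squeezing phase: emit rate-sized blocks, permuting between them
    out = bytearray()
    while len(out) < out_len:
        out += state[:min(out_len - len(out), rate)]
        if len(out) < out_len:
            state = _permute(state)
    return bytes(out)

def sha3_256(data):          # rate 1088 bits, capacity 512 bits, 32-byte digest
    return keccak(1088, 512, data, 0x06, 32)

def shake128(data, out_len):  # rate 1344 bits, capacity 256 bits, any length
    return keccak(1344, 256, data, 0x1F, out_len)

def agrees_with_hashlib(msg, out_len=200):
    """Cross-check both wrappers against CPython's own implementation."""
    return (sha3_256(msg) == hashlib.sha3_256(msg).digest()
            and shake128(msg, out_len) == hashlib.shake_128(msg).digest(out_len))

if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog" * 5  # longer than one block
    print("sha3-256(abc) =", sha3_256(b"abc").hex())
    print("matches hashlib:", agrees_with_hashlib(msg))
```

The two wrappers differ only in rate/capacity, the suffix byte and how long the squeeze loop runs; a longer SHAKE output is simply a prefix-extension of a shorter one from the same message. Written for readability, not speed or side-channel resistance.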
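For the pop pop ret question, the following is an added Python model (not part of the original post, and not DRG's code) of the x86 stack at the instant the 32-bit Windows exception dispatcher calls a handler. It shows that both gadgets land on the overwritten EXCEPTION_REGISTRATION record and where they leave esp. Every address in it is hypothetical; only the frame layout matters.

```python
# Frame the dispatcher leaves for the handler (cdecl, four arguments):
#   [esp]    return address into the dispatcher
#   [esp+4]  EXCEPTION_RECORD*
#   [esp+8]  EstablisherFrame: pointer to the EXCEPTION_REGISTRATION record,
#            i.e. the next-SEH/handler pair the overflow just overwrote
#   [esp+12] CONTEXT*
#   [esp+16] DispatcherContext
RET_TO_DISPATCHER = 0x77E9A3B1  # hypothetical
EXCEPTION_RECORD = 0x0012F2C0   # hypothetical
SEH_RECORD = 0x0012FF40         # hypothetical: attacker's next-SEH bytes live here
CONTEXT_RECORD = 0x0012F300     # hypothetical
DISPATCHER_CTX = 0x0012F2A0     # hypothetical
GADGET = 0x10011D8F             # hypothetical address of the gadget itself


def handler_entry_frame(esp=0x0012F250):
    """Return (esp, mem): a dword-addressed memory model of the handler frame."""
    mem = {esp: RET_TO_DISPATCHER, esp + 4: EXCEPTION_RECORD, esp + 8: SEH_RECORD,
           esp + 12: CONTEXT_RECORD, esp + 16: DISPATCHER_CTX}
    return esp, mem


def run_pop_pop_ret(esp, mem):
    """pop reg; pop reg; ret: discard two dwords, return to the third."""
    esp += 8           # two pops; the popped values are irrelevant
    eip = mem[esp]     # ret loads EIP from [esp] ...
    esp += 4           # ... and pops it
    return eip, esp


def run_call_esp_plus_8(esp, mem, eip=GADGET):
    """call dword ptr [esp+8]: push a return address, jump to [esp+8]."""
    target = mem[esp + 8]   # memory operand is read before the push adjusts esp
    esp -= 4
    mem[esp] = eip + 4      # FF 54 24 08 is a 4-byte instruction
    return target, esp


def compare_gadgets():
    """Run both gadgets on identical frames and report where each lands."""
    esp0, mem_a = handler_entry_frame()
    _, mem_b = handler_entry_frame()
    eip_a, esp_a = run_pop_pop_ret(esp0, mem_a)
    eip_b, esp_b = run_call_esp_plus_8(esp0, mem_b)
    return {
        "same_target": eip_a == eip_b,
        "target_is_seh_record": eip_a == SEH_RECORD,
        "esp_delta_pop_pop_ret": esp_a - esp0,   # +12: three dwords consumed
        "esp_delta_call": esp_b - esp0,          # -4: a return address was pushed
    }


if __name__ == "__main__":
    for name, value in compare_gadgets().items():
        print(f"{name}: {value}")
```

Both runs transfer control to SEH_RECORD, the address of the attacker-controlled next-SEH field, which is why either gadget works when only one of the two can be found in a module; the 16-byte difference in the final esp is the detail to remember when the following short jump or shellcode stage is esp-relative.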
Stay tuned for the next installment of the DRG Challenge at FIRST 2013
posted at 5:32 pm
DRG Online Challenge August 2013 Solution
We received three submissions to August's challenge. Vytautas
Krakauskas, for the second month running, led the way with the first
submission and is now unquestionably the reigning challenge champion.
Newcomer Justin Hildreth provided the second, and another returning
player, last week's featured blog write-up winner Björn Zettergren,
submitted another exemplary solution. Kudos to all: Vytautas handily
discovered the underlying operational requirements to get the binary to
run; Justin, who admits he is "very new to this", impressed us with
his enthusiasm and perseverance; and Björn again takes us
through his efforts with vigor and thoroughness. This month we
feature Justin's write-up. Take it away, Justin...
This is an outline of my approach and solution to Dragon Research Group's Online Challenge for
August 2013. This was my first foray into anything resembling
reverse engineering/program analysis. I had a blast and learned a lot -
and I hope to learn a great deal more in this area. Throughout this
process, I moved back and forth between Windows 7 and Kali Linux environments, though I don't
imagine it's necessary to note when I did so in the write-up.
I downloaded the
.zip file, which I found to be password
protected. I fired up fcrackzip and ran it against the file - feeling a
bit silly when it quickly revealed the password to be 123456.
I extracted the file, which was an unrecognized binary file. When I
viewed it in a hex editor and browsed through the file, I saw two
things:
- .ELF at the beginning of the file, suggesting this
may in fact be an ELF file.
- A handy message pointing out that this file had been packed with
the UPX executable
I ran the
strings tool against the binary file, but that
turned up little more information.
I used UPX Packer with
upx -d to unpack the file,
resulting in the ELF file. Examining this file in my hex editor showed
quite a few more strings. I ran the program in the terminal, resulting
in the message: You have 5 seconds. Factors are: %d and %d.
At this point, I tried many things with no success. What immediately
occurred to me was to multiply the two factors, and enter the result.
When this did not work, I thought perhaps the factors were multiplied
together more than just once, and tried multiplying by each factor
multiple times, hoping to randomly encounter the solution. I discarded
this approach when one of the times I ran the program, one of the
factors was 0. When I entered 0, without success, it became apparent
that the desired input was not simply some multiple of the given
factors. I did find it interesting, that the timer (at least seemed to)
reset every time I entered a response. It seemed I could enter
responses indefinitely, as long as I never paused longer than the
duration of the timer (presumably 5 seconds).
objdump to get at the assembly code of the file, and
spent a while digging around in there. This, however, did not get me very
As I stated earlier, this has been my first adventure into anything of
this nature. I dusted off my copy of OllyDbg, but it refused to run the file. I
was able to open the file in Evan's Debugger (edb),
but it didn't seem to run correctly. I could not get it to simply run
through the program, and when I tried to step-through the program, it
usually got stuck in what seemed like an infinite loop (which I believe
I may have seen later in my static analysis). In any event, I was never
able to get it to the point in the program where the prompt exists, in
order to examine the contents of the stack and registers at that point.
I had been hesitant to use IDA, as I
didn't want to feel like I was running a trial; I wanted to stick
to tools I could grow into. I'm glad I finally gave in; the free
version of IDA will be sufficient for me to grow into for a good,
long time, I think.
IDA broke things down really nicely, and was a blast to use. However,
my knowledge of assembly and C is so limited, that I found myself lost
for the most part. I explored as best I could, with IDA up on one
screen, Google up on the other, and the Malware Analysis book open on my
desk. I managed to limp along enough to find the portion of code
responsible for printing "The factors are...".
Despite knowing the general area in which to root around now, I still
was unable to parse what the program was looking for as input here.
However, just a little further down, I found something very interesting
- a string of sections of code that printed a bunch of single
From here, it was a simple (albeit tedious) task to go through all the
code, put together the string of characters listed in hex, and convert
them to ASCII. This produced lines that began to reveal the mythic creature I was
seeking. I did have some issues at first, as I (foolishly) ignored the
loops that created space characters in some places for spacing. Once I
went back and added those in, the image became very clear!
So, I never did get the active program to display the dragon image for
me, but I was able to retrieve the target information from the code.
This has really sparked an interest for me, and I'm excited to learn
more about reverse engineering and malware analysis. Thank you to
Dragon Research Group for putting on this challenge, I had a great time
working through it!
For further details on how the challenge was constructed, along with
notes and write-ups from all challenge players who solved the
challenge, please see the updated DRG
Online Challenge August 2013 page. The newest, DRG Online Challenge September 2013, is
now available. Visit the DRG Challenges page
for information about all current, future and past challenges.
posted at 7:01 pm