LSE Blog

Operating systems, computer security, languages theory, and even more!

  • DEFCON2K12 Prequals

    Written by Nicolas Hureau
    2012-06-04 22:56:00

    So it was DEFCON 2012 Prequals this weekend! It was the first time for a few of us and definitely the first time as "LSE". We planned it carefully, bought food and drinks, defined a sleep schedule to be up and running when the prequals began, and of course, none of us respected "the Plan". Too bad.

    About the CTF, we noticed that the further you get into the challenges, the less guessing there is. Hence we had problems (as did lots of other teams, I guess, judging by the IRC channel) with ur200 and f100, and almost had f200 (we had the picture).

    We are quite happy with our finishing rank (20) even though we were secretly hoping to be around place 15.

    Hereafter you will find some writeups and also a few pictures and a timelapse of people working on the prequals in our lab!

    Writeups

    • pwn100
    • pwn300
    • gb300
    • for400
    • for500

    Timelapse

    Video file

    Images

    Our setup: Setup Webcam

    2:41:11 until the start: Setup 1

    Did you say Alpha?: Alpha

    See you next week for Secuinside!

  • NDH2K12 Prequals

    Written by Nicolas Hureau
    2012-03-26 01:00:00

    We thought it would be a good idea to have some content to open our blog, so we chose to put it online right after the Nuit du Hack 2012 CTF prequals, which took place on March 24-25th.

    After Codegate, where we finished in 14th place and as the first French team, we were confident that we could achieve a similar ranking during the NdH2k12 prequals.

    We were at 10/12 challenges after 18 hours, but like many other teams, we were blocked by this !@$#? BMP chall at 15500 points. We finally ended up 7th with 17200 points, having done all 13 challenges (yes, 13/12).

    We were a bit disappointed by these prequals, and the best summary we could think of for these 48 hours is: "WTF is happening to the scoreboard?".

    Hereafter you will find some writeups and also a few pictures and a timelapse of people working on the prequals in our lab!

    Writeups

    • exploit-me2 (4004)
    • sp111
    • executable2.ndh (4002)
    • URL shortner
    • web3.ndh (4005)
    • executable1.ndh (4001)

    Timelapse

    Video file

    Images

    Our setup: Setup 1 Setup 2

    We always have security in mind at the LSE, that is why when kushou doesn't want to lose his password, he just pastes it on an IRC channel so that anyone can remind him! kushou's password

  • NDH2K13 crackme300 writeup

    Written by Nicolas Hureau
    2013-03-09 00:00:00

    Connect to the remote machine and break the code. Oh wait, maybe you'll
    need some tools.
    
    Score   300
    Link    ssh://user:ndh2k13@z0b.nuitduhack.com:2222/
    

    We are able to retrieve two files:

    • an ELF asking for a password
    • a vmlinux

    Launching the crackme on my box failed miserably. The code didn't make any sense, and the e_flags field of the ELF header, which was supposed to be 0, was equal to 0x20.

    As we were provided with a vmlinux, I guessed that the kernel's ELF loading routine had been modified to check whether e_flags was 0x20 and, in that case, apply some operation. When reversing load_elf_binary (fs/binfmt_elf.c), you see that the code is xored. It can be fixed with the following code:

    #include <stdio.h>
    
    /* File offset and size of the xored region inside the crackme */
    #define OFFSET (0x610)
    #define SIZE (0x418 + 0xe + 0x28)
    
    int main(int argc, char** argv)
    {
        /* 35-byte xor key found in the modified kernel; xoring with the same
         * repeating key undoes the transformation the loader applied */
        char key[] =
            "\x12\x43\x34\x65\x78\xcf\xdc\xca\x98\x90"
            "\x65\x31\x21\x56\x83\xfa\xcd\x30\xfd\x12"
            "\x84\x98\xb7\x54\xa5\x62\x61\xf9\xe3\x09"
            "\xc8\x94\x12\xe6\x87";
        const int keylen = sizeof(key) - 1;  /* 35, without the trailing NUL */
    
        if (argc != 2) {
            fprintf(stderr, "usage: %s <crackme>\n", argv[0]);
            return 1;
        }
    
        FILE* f = fopen(argv[1], "r+");
        if (f == NULL) {
            perror("fopen");
            return 1;
        }
        char buf[SIZE];
    
        /* Read the obfuscated bytes, decode them in place and write them back */
        fseek(f, OFFSET, SEEK_SET);
        if (fread(buf, 1, SIZE, f) != SIZE) {
            fputs("short read\n", stderr);
            fclose(f);
            return 1;
        }
    
        for (int i = 0; i < SIZE; ++i)
            buf[i] = buf[i] ^ key[i % keylen];
    
        fseek(f, OFFSET, SEEK_SET);
        fwrite(buf, 1, SIZE, f);
    
        fclose(f);
        return 0;
    }
    
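Added example, not part of the original writeup: a small header parser that extracts e_flags the way the clue above was found, useful for triaging a binary that only runs under a patched loader. The sample header is constructed here and is not the crackme's.

```python
import struct

ELFCLASS32, ELFCLASS64 = 1, 2          # e_ident[EI_CLASS]
ELFDATA2LSB, ELFDATA2MSB = 1, 2        # e_ident[EI_DATA]
EM_386, EM_X86_64 = 3, 62              # e_machine values for x86


def elf_header_fields(data):
    """Parse the ELF identification and header and return
    (ei_class, e_type, e_machine, e_flags). Both classes and both byte
    orders are handled, since e_flags sits at offset 0x24 in ELF32 and
    0x30 in ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding %d" % ei_data)
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        fmt = endian + "HHIQQQI"   # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
    elif ei_class == ELFCLASS32:
        fmt = endian + "HHIIIII"
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_type, e_machine, _, _, _, _, e_flags = struct.unpack_from(fmt, data, 16)
    return ei_class, e_type, e_machine, e_flags


def suspicious_e_flags(data):
    """An x86 or x86-64 ELF normally carries e_flags == 0 and a stock Linux
    kernel does not interpret the field, so a non-zero value is a hint that
    the binary expects a modified loader (here 0x20 triggered the xor)."""
    _, _, e_machine, e_flags = elf_header_fields(data)
    return e_machine in (EM_386, EM_X86_64) and e_flags != 0


def sample_header(e_flags):
    """Constructed 64-byte ELF64 little-endian x86-64 header (not the real
    crackme): e_entry, e_phoff and the trailing sizes are placeholder values."""
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    body = struct.pack("<HHIQQQI", 2, EM_X86_64, 1, 0x400000, 64, 0, e_flags)
    tail = struct.pack("<HHHHHH", 64, 56, 1, 64, 0, 0)   # e_ehsize .. e_shstrndx
    return e_ident + body + tail
```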

    Now that we have a working ELF, we can look at it and see that it is quite straightforward to reverse. The password may only contain four different characters:

    • w
    • a
    • s
    • d

    Looking closer, we can see that there are two globals, which begin at 0 and must both be equal to 15 to have the right password. We can also see that there is a 16x16 table filled with ones and zeroes, and the globals (which are in fact the w and h position in the table) must always point to a 0 (it's a maze: you must get from (0, 0) to (15, 15) without going through a wall).

    The following Python script finds the correct sequence of moves, which is the key:

    #! /usr/bin/env python3
    
    import sys
    
    # 16x16 maze dumped from the binary: 1 is a wall, 0 is walkable.
    # Cell (row, col) lives at TABLE[(row << 4) + col].
    TABLE = [
        0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01,
        0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01,
        0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01,
        0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01,
        0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01,
        0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01,
        0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00,
        0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01,
        0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01,
        0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00,
        0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00,
    ]
    
    # Moves allowed after a given move: never step straight back, which keeps
    # the depth-first search from oscillating between two cells.
    CHARS = {
        "w" : "wad",
        "s" : "sad",
        "a" : "was",
        "d" : "wsd",
    }
    
    def get_counts(key):
        # Replay the key: count_1 is the row (s = down, w = up),
        # count_2 is the column (d = right, a = left).
        count_1 = 0
        count_2 = 0
    
        for i in key:
            if i == 's':
                count_1 += 1
            elif i == 'd':
                count_2 += 1
            elif i == 'w':
                count_1 -= 1
            else:
                count_2 -= 1
    
        return count_1, count_2
    
    def test(key):
        count_1, count_2 = get_counts(key)
    
        # Reached (15, 15): this key is the password.
        if count_1 == 15 and count_2 == 15:
            print(key)
            sys.exit(0)
    
        # Left the grid.
        if count_1 < 0 or count_2 < 0 or count_1 > 15 or count_2 > 15:
            return False
    
        # Hit a wall.
        offset = (count_1 << 4) + count_2
        if TABLE[offset] != 0:
            return False
    
        print(key)  # trace of the partial keys being explored
    
        # Depth-first search over the three moves that do not backtrack.
        for c in CHARS[key[-1:]]:
            test(key + c)
    
        return False
    
    # (0, 1) is a wall, so the only open first move from (0, 0) is down.
    test("s")
    

    Key is:

    ssddsssassdddssssdssaawaasssddddddwwwwwwddwwwwwdwwdddsssssaassssaasssddddwwddsss
    
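Added example, not the writeup's own code: the crackme's key check re-implemented over the same table (transcribed here as one string per row), plus a breadth-first solver with a visited set, which generalizes the depth-first script above to mazes with loops and returns a shortest key.

```python
from collections import deque

# The crackme's 16x16 table transcribed as one string per row ('1' = wall),
# indexed ROWS[row][col]; 's'/'w' move along rows, 'd'/'a' along columns.
ROWS = [
    "0100100011101011", "0101101000101011", "0001001011000011", "1101101111011000",
    "1100001110011011", "1001110010100011", "1011111000111000", "1000000110100011",
    "0111011110101110", "0111011000101100", "0000011011101001", "1111001010001011",
    "1000101010110000", "1010001010111010", "0011111010000010", "1000000011010110",
]
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}
START, GOAL = (0, 0), (15, 15)
PAGE_KEY = "ssddsssassdddssssdssaawaasssddddddwwwwwwddwwwwwdwwdddsssssaassssaasssddddwwddsss"

def open_cell(rows, pos):
    return 0 <= pos[0] < 16 and 0 <= pos[1] < 16 and rows[pos[0]][pos[1]] == "0"

def walk(rows, key):
    """Replay a key the way the binary checks it: return the final (row, col),
    or None as soon as a move leaves the grid or lands on a wall."""
    pos = START
    for ch in key:
        pos = (pos[0] + MOVES[ch][0], pos[1] + MOVES[ch][1])
        if not open_cell(rows, pos):
            return None
    return pos

def solve(rows):
    """Breadth-first search from START to GOAL; returns a shortest key or None.
    The visited set (parent) keeps the search finite on mazes with loops,
    where the depth-first script above could revisit cells until the
    recursion limit."""
    parent = {START: None}
    queue = deque([START])
    while queue and GOAL not in parent:
        cur = queue.popleft()
        for ch, (dr, dc) in MOVES.items():
            nxt = (cur[0] + dr, cur[1] + dc)
            if open_cell(rows, nxt) and nxt not in parent:
                parent[nxt] = (cur, ch)
                queue.append(nxt)
    if GOAL not in parent:
        return None
    key, pos = [], GOAL
    while parent[pos] is not None:   # unwind the parent chain back to START
        pos, ch = parent[pos]
        key.append(ch)
    return "".join(reversed(key))
```

walk(ROWS, PAGE_KEY) returns (15, 15), and solve(ROWS) returns a key that also validates and is no longer than the 80-character one above.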

  • LSE Week 2012 videos

    Written by Nicolas Hureau
    2012-09-30 16:30:00

    It has been about three months since the 2012 edition of the LSE week, and we are happy because it was quite a success, with an average of 57 people attending each talk.

    Now it is time to publish the slides (in English) and the videos (in French).


    CSAT (Pierre-Marie de Rodat - 30mn)

    The premise of an interactive disassembler aiming at being collaborative.

    slides


    ARM architecture (Julien Frêche - 30mn)

    Global overview and emulator writing.

    slides


    Datameat (Victor Apercé - 1h)

    Metadata oriented filesystem.

    slides


    FrASM (Pierre-Marie de Rodat - 30mn)

    An assembler writing framework.

    slides


    Video game console emulation (Pierre Bourdon & Nicolas Hureau - 1h30)

    Implications and problems of emulating high performance hardware and cycle-accurate emulation. slides


    Possible optimizations for an interpreter (Benoît Zanotti - 30mn)

    What can be done? How will it impact performance? Prolog as an example. slides


    Routing protocol: BGP4 (Sylvain Laurent - 18h00 - 30mn)

    Introduction to BGP4 and its role in networks. slides


    WTF is ACPI? (Ivan Delalande - 1h)

    Global overview and implementation of an ACPI VM. slides


    Forensics (Samuel Chevet - 1h)

    Interest and tools. slides


    Tutorial: Arduino development (Augustin Chéron - 1h)

    Use cases, limitations and demonstration of the Arduino platform. slides


    Tutorial: Exploitation techniques (Clément Rouault - 1h)

    Examples and mitigation of software exploits. slides


    Introduction to CTFs (Nicolas Hureau - 1h)

    Interest of participating in security contests and walkthrough of a few exercises. slides


    WPA2 enterprise and Wi-Fi security (Pierre Bourdon - 1h)

    What is to be avoided when deploying Wi-Fi on a student campus. slides


    C!: Interface Implementation (Marwan Burelle - 30mn)

    slides


    Evolution of rootkits (Samuel Chevet - 1h)

    Inner working, analysis and development of the major rootkits. slides


    Crackme LSE Week (Pierre Bourdon - 30mn)

    Making-of and solution of the LSE Week crackme. slides

  • LSE Week 2012 announcement

    Written by Nicolas Hureau
    2012-06-15 14:00:00

    Last year we introduced the idea of a yearly week of talks to show the work we are doing here at the LSE, and also to introduce concepts we have been working on or have encountered. As it was quite a success, we decided to continue with the idea.

    This year, we have reserved 5 days, from Monday, 16th of July to Friday, 20th of July. We have 15 talks scheduled, which amount to 14 hours.

    One thing though: these talks are going to be in French, but the slides will be in English. Recordings should be available soon after the event.

    More information (in French, including a full abstract of each talk) is available on this page.

    We are also putting a small crackme online (available here) for people who want a challenge.


    Monday, 16th July

    CSAT (Pierre-Marie de Rodat - 18h00 - 30mn)

    The premise of an interactive disassembler aiming at being collaborative.

    ARM architecture (Julien Frêche - 18h30 - 30mn)

    Global overview and emulator writing.

    Datameat (Victor Apercé - 19h00 - 1h)

    Metadata oriented filesystem.

    FrASM (Pierre-Marie de Rodat - 20h00 - 30mn)

    An assembler writing framework.


    Tuesday, 17th July

    Video game console emulation (Pierre Bourdon & Nicolas Hureau - 18h00 - 1h30)

    Implications and problems of emulating high performance hardware and cycle-accurate emulation.

    Possible optimizations for an interpreter (Benoît Zanotti - 19h30 - 30mn)

    What can be done? How will it impact performance? Prolog as an example.


    Wednesday, 18th July

    Routing protocol: BGP4 (Sylvain Laurent - 18h00 - 1h)

    Introduction to BGP4 and its role in networks.

    WTF is ACPI? (Ivan Delalande - 19h00 - 1h)

    Global overview and implementation of an ACPI VM.

    Forensics (Samuel Chevet - 20h00 - 1h)

    Interest and tools.


    Thursday, 19th July

    Tutorial: Arduino development (Augustin Chéron - 18h00 - 1h)

    Use cases, limitations and demonstration of the Arduino platform.

    Tutorial: Exploitation techniques (Clément Rouault - 19h00 - 1h)

    Examples and mitigation of software exploits.

    Introduction to CTFs (Nicolas Hureau - 20h00 - 30mn)

    Interest of participating in security contests and walkthrough of a few exercises.


    Friday, 20th July

    WPA2 enterprise and Wi-Fi security (Pierre Bourdon - 18h00 - 1h)

    What is to be avoided when deploying Wi-Fi on a student campus.

    Evolution of rootkits (Samuel Chevet - 19h00 - 1h)

    Inner working, analysis and development of the major rootkits.

    Crackme LSE Week (Pierre Bourdon - 20h00 - 30mn)

    Making-of and solution of the LSE Week crackme.


© LSE 2012 — Main website — RSS Feed