Challenge Board Solutions
- Trivia
- 100
- Question: You are training as a malware analyzer for the LA Counter Terrorist Unit. The Unit's Malware Pattern Miner (TM) software has determined that the snippet in the attachment is extremely common in malicious samples used by the Softerror terrorist group. Assuming that the attackers are targeting a Windows XP machine, what is the content of the esi register at the end of the execution? NOTE: the correct answer is *not* the concrete address, but what it points to...
- File: sample.bin
- Answer: the base address of kernel32.dll
- Walkthrough: t100_walkthrough.txt
- 200
- Question:
We have retrieved this password file from a Softerror.com server. Unfortunately, they seem to have used a better, stronger hashing algorithm. However, our insider was able to steal the code for the new hashing function. Are you able to crack the password for the user cats?
- File:
passwd
crypt.c
- Answer:
cats2008
- Walkthrough: t200_walkthrough.txt
- 500
- Question:
Which corporation built the state-of-the-art development facilities of Softerror.com?
- Answer:
RAND
- Binary
- 100
- Question:
At what time, after the timer activation, will the dynamite detonate? Give your answer in the "hh:mm:ss" format.
- File:
dynamite.jar
- Answer:
12:46:55
- 200
- Question:
The forensics team of the Counter Terrorist Unit has recovered part of a
deleted file from the hard disk of a suspected terrorist. We believe the
file was used in a drive-by download attack through which the Softerror
group obtained credentials for financial accounts.
Your task is to find out the site that hosted the malware that was
downloaded and installed on the victims' machines during the attack.
- File:
recovered
- Answer:
http://www.cs.ucsb.edu/~marco/ictf/challenge-bonus.php
- Walkthrough: b200_walkthrough.txt
- 500
- Question:
I am Saul, the mole man. I was able to take evidence that Softerror is planning to launch a soft-based erroristic attack. Play your cards and find the evidence... and remember: what you see is not always what you get.
- File:
landscape
- Answer:
The Bomb's Online
- Forensics
- 100
- Question:
What is the password that can be entered through the keyboard?
- File:
MyVoiceIsMyPassword.mp3
- Answer:
DEADBAG
- 200
- Question:
We have intercepted a jpeg image sent from a known Softerror operative. Unfortunately, it seems as though the file has been corrupted in some way, as the image just looks like static. Can you find anything interesting here? We're going cross-eyed over this thing.
- File:
error.jpg
- Answer:
Twenty-twenty-twenty four hours to go I wanna be sedated
- Walkthrough: f200_walkthrough.txt
- 500
- Question:
Seize the opportunity and see what lurks below the surface...
- File:
seizure.avi
- Answer:
w00t w00t
- Reverse Engineering
- 100
- Question:
Create a version of the Softerror.com mission.txt file that has steganographically encoded the sentence: "All Your Base Are Belong To Us". This means that when the modified mission.txt file is fed to the program whose source is Softerror.com's prog.c, the string "All Your Base Are Belong To Us" is printed. The correct answer is the MD5 sum of the resulting mission.txt file.
- File:
prog.c
mission.txt
- Answer:
7d0f74cd0e957dacee3589b6262f2398
- Walkthrough: r100_walkthrough.txt
- 200
- Question:
In order to solve the challenge a team must submit a program to murnau.cs.ucsb.edu:6666 that causes the interpreter to output "please feed me a stray cat!". Once the correct program is submitted, the interpreter will return the key. The attached source code is a copy of the interpreter for testing.
- File:
sillygoose.txt
- Answer:
excrete the 1337
- 500
- Question:
A field agent discovered an abandoned Softerror.com laptop. Forensic software discovered a web cookie containing the text "bombSerial=d54d43c4fa6ba5fc" along with a SWF file located in the browser's cache called SecureCookie.swf. Can you discover the true contents of the cookie?
- File:
SecureCookie.swf
- Answer:
DOD09718
- Walkthrough: r500_walkthrough.txt
- Bonus
- 1000
- Question:
The following software and message were intercepted by signals intelligence. Your task is to reverse the software and decrypt the message.
- File:
Message.hs
encrypted
- Answer:
PAPABEARHUNGOVERWILLFINISHDISARMFUNCTOMORROWANDUPLOADNEWFIRMWAREPEACEOUTROUGHRIDER
- Walkthrough: bonus_walkthrough.txt