Hack The Packet Online PreQUAL 이진혁 [ loca ] loca@loca.kr
L01 Q. In what environment (System Information) was the 2012_htp_prequal.pcap file captured?
EQ. Which system was used when this 2012_htp_prequal.pcap file was captured?
Opening the pcap file in a hex editor shows the string 64-bit Windows 7 Service Pack 1, build 7601.
Key : 64-bit Windows 7 Service Pack 1, build 7601
L02 Q. What tool was used to capture the 2012_htp_prequal.pcap file? (Enter in upper case)
EQ. What tool was used in capturing this 2012_htp_prequal.pcap file? (Upper case)
I guessed WIRESHARK, entered it, and it was accepted.
Key : WIRESHARK
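A classic libpcap header has no OS or application fields, so a hex-editor hit like the one above normally means the file is really pcapng, whose Section Header Block records both values in its shb_os and shb_userappl options. The following is an added example, not part of the original write-up, that parses those options; the header it parses is a constructed sample, not the real capture.

```python
import struct

# pcapng Section Header Block (SHB): block type 0x0A0D0D0A, block total length,
# byte-order magic 0x1A2B3C4D, major/minor version, section length (int64),
# a list of options, then the block total length again.
SHB_OS = 3        # shb_os option: the OS the capture was taken on
SHB_USERAPPL = 4  # shb_userappl option: the application that wrote the file
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def parse_shb_options(data):
    """Return {option_code: raw_value} for the SHB at the start of a pcapng file."""
    if len(data) < 28 or data[:4] != PCAPNG_MAGIC:
        raise ValueError("not pcapng: a classic libpcap header has no OS/application fields")
    bom = data[8:12]
    if bom == b"\x4d\x3c\x2b\x1a":
        endian = "<"                       # little-endian writer (e.g. Windows x86/x64)
    elif bom == b"\x1a\x2b\x3c\x4d":
        endian = ">"
    else:
        raise ValueError("bad byte-order magic in SHB")
    block_len = struct.unpack(endian + "I", data[4:8])[0]
    opts, pos, end = {}, 24, block_len - 4    # options sit between the fixed fields and the trailing length
    while pos + 4 <= end:
        code, length = struct.unpack(endian + "HH", data[pos:pos + 4])
        pos += 4
        if code == 0:                          # opt_endofopt
            break
        opts[code] = data[pos:pos + length]
        pos += length + (-length % 4)          # option values are padded to 32-bit boundaries
    return opts

def capture_environment(data):
    """(OS string, writing application) as recorded by the capture tool."""
    opts = parse_shb_options(data)
    return (opts.get(SHB_OS, b"").decode("utf-8", "replace"),
            opts.get(SHB_USERAPPL, b"").decode("utf-8", "replace"))

def build_sample_shb(os_name, app):
    """Constructed sample: a minimal little-endian SHB carrying shb_os and shb_userappl."""
    def opt(code, value):
        raw = value.encode()
        return struct.pack("<HH", code, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
    body = opt(SHB_OS, os_name) + opt(SHB_USERAPPL, app) + struct.pack("<HH", 0, 0)
    total = 24 + len(body) + 4
    return (PCAPNG_MAGIC + struct.pack("<I", total) + b"\x4d\x3c\x2b\x1a"
            + struct.pack("<HHq", 1, 0, -1) + body + struct.pack("<I", total))

# Constructed sample header, not the real 2012_htp_prequal.pcap
SAMPLE = build_sample_shb("64-bit Windows 7 Service Pack 1, build 7601", "Wireshark (sample)")
```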
L1 Q. My ID and password were leaked by ARP spoofing!
EQ. My ID and password were leaked by ARP spoofing! ** key is AttackerMacaddress_VictimPassword
The HTTP object list shows the login frames. Saving frames 460 and 462 with Save As and opening them, one contains
charset_test=%e2%82%ac%2c%c2%b4%2c%e2%82%ac%2c%c2%b4%2c%e6%b0%b4%2c%d0%94%2c%D0%84&lsd=PPm9h&locale=ko_KR&email=HI_GAL@gmail.com&pass=YONG_GAL&default_persistent=0&charset_test=%e2%82%ac%2c%c2%b4%2c%e2%82%ac%2c%c2%b4%2c%e6%b0%b4%2c%d0%94%2c%d0%84&lsd=PPm9h
so the value of pass, YONG_GAL, can be taken as the password; the other contains LOGIN_SUCCESS!!!!!!!!!. Frame 460 also gives the MAC address of the attacker who did the ARP spoofing (with the victim's ARP cache poisoned, the frames between the victim and the fake gateway carry the attacker's MAC address instead of the real gateway's).
Key : 00:0c:29:f3:21:ad_YONG_GAL
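The MAC address above is recoverable because an ARP-spoofing attacker has to keep sending ARP replies that bind the gateway's IP to its own MAC, so the same IP ends up claimed by two different MACs in the capture. The following added example (not from the original write-up) flags that pattern over constructed ARP frames; the gateway and victim addresses are made up, and the attacker MAC is the one found above.

```python
import struct
from collections import defaultdict

ETH_ARP = 0x0806

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame: Ethernet II header + ARP reply (opcode 2)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)       # Ethernet/IPv4, hlen 6, plen 4, reply
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet II ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def find_arp_conflicts(frames):
    """Map each IP to every MAC that claimed it in an ARP reply; an IP with more than
    one claimant is the signature of a spoofing attempt (or, rarely, a misconfiguration)."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == 2:
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed traffic: the real gateway answers once, then a second host keeps
# claiming the gateway's IP with its own MAC, the classic ARP-spoofing pattern.
GATEWAY_IP, VICTIM_IP = "192.168.0.1", "192.168.0.10"
GATEWAY_MAC, VICTIM_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "00:0c:29:f3:21:ad"   # the MAC found in the write-up above
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]

if __name__ == "__main__":
    print(find_arp_conflicts(SAMPLE_FRAMES))
```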
L2 Q. Which girl do men love to the bone? The DNA research results have been released. Find the barcode!
EQ. Who's the girl men love down to their bones? The DNA result has been released. Find the barcode!
Using Wireshark's Export Objects feature to save all of the HTTP data yields a barcode image named DNA_MAP.jpg. Reading the barcode with http://www.onlinebarcodescan.com/ gives the content Key:IU Good.
Key : IU Good
L3 Q. On a sunny spring day, code was injected into Gmarket.
EQ. Spring, a code injected in G-market.
L3 Hint. VB Script, URI contains /gmk/
Before the hint was released, going by the keyword Gmarket I searched for market and found the relevant packets with Filter: tcp.stream eq 60. Going by "sunny spring day" (Spring), among the exported HTTP data I found two files, GMainSpring.css and GMainSpring.js. Opening GMainSpring.js, the function getflashplayerhtml contains a line that is not present in http://script.gmarket.co.kr/js/www/main/main.js:
shtml = shtml + " <PARAM NAME+'base64 hash : #@~^ ... ^#~@'>" ;
where the #@~^ ... ^#~@ markers are the Microsoft Script Encoder (screnc) format.
Having found this and gone by the VB Script hint, I entered the value at http://www.greymagic.com/security/tools/decoder/ and the decoder returned var std_string = followed by a long string of base64 text in which many characters were written as decimal numeric character references (&#NN;). Pasting the std_string value into the Decimal NCRs field at http://rishida.net/tools/conversion/ and converting gave the value SUd0bGVTQTlJSGRsWDJGeVpWOTBhR1ZmWm5WMGRYSmw= repeated over and over. Base64-decoding it gave IGtleSA9IHdlX2FyZV90aGVfZnV0dXJl, which was rejected when submitted, so after one more base64 decode the value key = we_are_the_future came out.
Key : we_are_the_future
L4 Q. Wootang, it's autumn, we should go see the maple leaves ~ where shall we go?
EQ. Wootang, let's go to see the maple leaves~ it's autumn! Where is it?
Among the exported data I found Where_is_it.jpg; a Google image search identified it as Hallasan on Jeju Island, and entering the mountain's English name, Hallasan, was accepted.
Key : Hallasan
L5 Q. Malicious downloader
EQ. Malware Downloader
Among the exported data I found an exe file that looked like the malicious downloader; opening it in Notepad, about halfway through is An$w3r is HTP_Forever@^^@~~, which looked like the key.
Key : HTP_Forever@^^@~~
M1 Q. Who am I? Neo receives a zip file from the Oracle over FTP...
EQ. Who am I? Neo got a zip file from the Oracle via FTP...
Searching for the zip file header 50 4b 03 04 shows the FTP-DATA exchange; saving its contents and opening them reveals who_am_i.txt. The file contains hex values; entering them into a hex editor gives a base64-encoded value, and decoding that yields I_AM_Trainee_Ahn.
Key : I_AM_Trainee_Ahn
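The L3 chain above (decimal NCRs, a repeated base64 unit, then base64 twice) and the M1 chain (hex text, then base64) are the same job: peel one encoding layer at a time until plain text remains. The following added example, not from the original write-up, does that generically for NCR, hex and base64 layers; the two inputs are constructed to have the shape of the L3 std_string and of who_am_i.txt, not copied from the capture.

```python
import base64
import re
import string

NCR = re.compile(r"&#(\d+);")                 # decimal numeric character reference, &#83; -> 'S'
HEX_TEXT = re.compile(r"(?:[0-9A-Fa-f]{2}\s*)+")
B64_TEXT = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def repeating_unit(s):
    """Smallest prefix u with s == u * k, or s itself when it does not repeat."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s

def decode_layer(s):
    """Undo one encoding layer; returns (kind, text) or None when s is not encoded text."""
    if NCR.search(s):
        return "ncr", NCR.sub(lambda m: chr(int(m.group(1))), s)
    attempts = []
    if HEX_TEXT.fullmatch(s):                  # tried before base64: hex digits are valid base64 too
        attempts.append(("hex", lambda: bytes.fromhex(re.sub(r"\s", "", s))))
    if len(s) % 4 == 0 and B64_TEXT.fullmatch(s):
        attempts.append(("base64", lambda: base64.b64decode(s, validate=True)))
    for kind, decode in attempts:
        try:
            text = decode().decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c in string.printable for c in text):   # stop once output is no longer text
            return kind, text
    return None

def peel(s, max_layers=6):
    """Collapse repetition and strip NCR/hex/base64 layers until plain text remains."""
    layers = []
    while len(layers) < max_layers:
        s = repeating_unit(s)
        step = decode_layer(s)
        if step is None:
            break
        kind, s = step
        layers.append(kind)
    return s, layers

# Constructed samples: the L3 std_string shape (three copies of the base64 unit, a few
# characters as decimal NCRs) and the M1 who_am_i.txt shape (hex dump of a base64 string).
L3_STD_STRING = ("SUd0bGVTQTlJSGRsWDJGeVpW&#79;TBhR1ZmWm5WMGRYSmw=&#83;Ud0bGVTQTlJSGRsWDJGeVpWOTBhR1Zm"
                 "Wm5WMGRYSmw=SUd0bGVTQTlJSGRsWDJGeVpWOTBhR1ZmWm5&#87;MGRYSmw=")
M1_WHO_AM_I = "53 56 39 42 54 56 39 55 63 6d 46 70 62 6d 56 6c 58 30 46 6f 62 67 3d 3d"
```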
M2 Q. Find the DB name!
EQ. Find the name of the database.
The HTTP object list shows frames in which SQL injection was attempted. Examining each frame, the database name is being extracted with blind SQL injection: when the injected condition is true the page prints WELCOME IU, so concatenating the characters whose requests produced WELCOME IU gives the key.
Key : easywebsiteattack
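The reconstruction step described above can be automated: pair each injected request with its response, keep the guessed character whenever the response contains the true marker, and order by position. The following added example (not from the original write-up) does that over constructed traffic; the target host, parameter name and probe shape are assumptions, and the simulated page stands in for the real one only to generate the sample pairs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TRUE_MARKER = "WELCOME IU"          # text the page shows only when the injected condition holds
# One character of the database name is tested per request; capture the position and the guess.
PROBE = re.compile(r"substring\(database\(\),\s*(\d+),\s*1\)\s*=\s*'(.)'", re.I)

def reconstruct(exchanges):
    """Rebuild the value extracted by boolean-based blind SQL injection from
    (request_url, response_body) pairs: keep the guess of every request whose
    response carried the true marker, ordered by character position."""
    found = {}
    for url, body in exchanges:
        for values in parse_qs(urlsplit(url).query).values():
            for value in values:
                m = PROBE.search(unquote(value))
                if m and TRUE_MARKER in body:
                    found[int(m.group(1))] = m.group(2)
    return "".join(found[pos] for pos in sorted(found))

def simulated_page(url, db_name):
    """Constructed stand-in for the vulnerable page, used only to build sample traffic."""
    m = PROBE.search(unquote(urlsplit(url).query))
    pos = int(m.group(1)) if m else 0
    return TRUE_MARKER if m and db_name[pos - 1:pos] == m.group(2) else "LOGIN FAILED"

def sample_exchanges(db_name="easywebsiteattack"):
    """Constructed capture: the attacker walks positions 1..18 over a-z; position 18
    never matches, which is how the extraction ends (the name is 17 characters)."""
    urls = [f"http://victim.example/login.php?id=1' and substring(database(),{pos},1)='{ch}'-- "
            for pos in range(1, 19) for ch in "abcdefghijklmnopqrstuvwxyz"]
    return [(u, simulated_page(u, db_name)) for u in urls]

if __name__ == "__main__":
    print(reconstruct(sample_exchanges()))   # easywebsiteattack
```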
M3 Q. A backdoor has been planted in the router. What was the last command executed?
EQ. Backdoor injected in router. What's the last command?
Remembering that in last year's HTP router problem the key was written in the hostname, I searched for hostname just in case, and the key turned up.
Key : hostname An$w3r_is^tclsh
M4 Q. Someone read the contents of my Secret folder!
EQ. Someone read a Secret folder of mine! ** Key is Secret.txt_hiden.txt_pass.txt in Secret Folder ** hiden is not wrong, it's just a typo.
Searching for hiden.txt finds the frames in which those files were viewed through a web shell; saving each file gives 7 files in total. The third file shows the path where secret.txt, hiden.txt and pass.txt are located, and from the next file on, each file's contents are printed (the page= parameter pulls in the Apache access.log, with a null byte, %00, terminating the file name, so each response also carries the access-log line of the preceding request):
cmd=cd secret&type secret.txt
[07/Oct/2011:18:36:07 +0900] "GET /index.php?cmd=cd%20secret%26dir&page=../server/apache/logs/access.log%00noopen HTTP/1.1" 200 1968
cmd=cd secret&type key.txt
[07/Oct/2011:18:36:35 +0900] "GET /index.php?cmd=cd%20secret%26type%20secret.txt&page=../server/apache/logs/access.log%00iloveu HTTP/1.1" 200 1000
cmd=cd secret&type hiden.txt
[07/Oct/2011:18:37:10 +0900] "GET /index.php?cmd=cd%20secret%26type%20key.txt&page=../server/apache/logs/access.log%00apachelog HTTP/1.1" 200 1168
cmd=cd secret&type pass.txt
[07/Oct/2011:18:37:20 +0900] "GET /index.php?cmd=cd%20secret%26type%20hiden.txt&page=../server/apache/logs/access.log%00injection HTTP/1.1" 200 1348
The word after %00 in the log line shown for each of secret.txt, hiden.txt and pass.txt gives the key.
Key : NOOPEN_APACHELOG_INJECTION
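The access-log lines above are also what a defender would want to alert on: a page= parameter walking out of the web root, a %00 byte truncating the included file name, and a cmd= parameter carrying a chained shell command. The following added example (not from the original write-up) runs that triage over exactly those four lines, reproduced as sample input; the regexes and the shell-verb list are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache access-log request part, as seen in the frames above (client/ident fields not needed here)
LOG = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')
SHELL_VERB = re.compile(r"\b(cd|dir|type|cat|ls|whoami|net|ipconfig)\b", re.I)

def analyse_request(target):
    """Findings for one request target: path traversal, null-byte truncation (with the text
    that followed the null byte), and a parameter that looks like a shell command line."""
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:                       # parse_qs has already percent-decoded once
            if ".." in value.replace("\\", "/").split("/"):
                findings.append(("traversal", name, value.split("\x00", 1)[0]))
            if "\x00" in value:
                findings.append(("null_byte", name, value.split("\x00", 1)[1]))
            if "&" in value and SHELL_VERB.search(value):
                findings.append(("command_param", name, value))
    return findings

def triage(log_text):
    """(timestamp, status, findings) for every log line whose request parameters look hostile."""
    hits = []
    for line in log_text.splitlines():
        m = LOG.search(line)
        if m:
            findings = analyse_request(m["target"])
            if findings:
                hits.append((m["ts"], int(m["status"]), findings))
    return hits

# The four access-log lines quoted in the write-up above (sample input, reproduced verbatim)
SAMPLE_LOG = """\
[07/Oct/2011:18:36:07 +0900] "GET /index.php?cmd=cd%20secret%26dir&page=../server/apache/logs/access.log%00noopen HTTP/1.1" 200 1968
[07/Oct/2011:18:36:35 +0900] "GET /index.php?cmd=cd%20secret%26type%20secret.txt&page=../server/apache/logs/access.log%00iloveu HTTP/1.1" 200 1000
[07/Oct/2011:18:37:10 +0900] "GET /index.php?cmd=cd%20secret%26type%20key.txt&page=../server/apache/logs/access.log%00apachelog HTTP/1.1" 200 1168
[07/Oct/2011:18:37:20 +0900] "GET /index.php?cmd=cd%20secret%26type%20hiden.txt&page=../server/apache/logs/access.log%00injection HTTP/1.1" 200 1348
"""

def null_byte_suffixes(log_text):
    """The text an attacker placed after %00 in each hit, in log order."""
    return [f[2] for _, _, findings in triage(log_text) for f in findings if f[0] == "null_byte"]
```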
M5 Q. A mail user account and password were leaked by an IRC bot infection.
EQ. Mail account and password leaked by an infected IRC bot. Key is the password.
While solving M3 above I searched for hostname and by luck came across IRC-related packets; Follow TCP Stream showed the key:
PRIVMSG #test :Root -> [:] Executing pstore
PRIVMSG #test :pstore https://accounts.google.com/servicelogin idol@hackthepacket.com:k~e!y:good_bye_jobs
Key : good_bye_jobs
M6 Q. Someone left text on my computer, yikes...
EQ. Someone put words on my computer...
In tcp.stream eq 21 there are MOUSE_EVENT and KEY_EVENT records; concatenating the values of the KEY_EVENTs gives the key.
Key : POCHTP
H2 Q. GGOBI fell asleep while studying math and dreamed that the formulas had been replaced with strange letters.
EQ. GGOBI went to sleep while studying math and had a dream that the formulas were replaced with strange words.
Opening the capture in NetworkMiner, the [Files] tab lists Math.part1.jpg, Math.part2.jpg and Math.part3.jpg. After saving them and opening them in a hex editor, a RAR file turned out to be appended after the JPEG's EOF; saving it separately and extracting it gave several hwp files, and among them cp 공통수학정리.hwp (common math summary) had other values written in place of the formulas. Submitting that value was accepted.
Key : Y0ur_Dr34m
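Finding the RAR appended after the JPEG can be done without a hex editor: walk the JPEG segment structure to the true End Of Image marker and treat whatever follows as a trailer to identify by signature. The following added example (not from the original write-up) does that on a constructed JPEG skeleton with a made-up RAR body; the real Math.partN.jpg files are not used.

```python
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
RAR4_SIG, RAR5_SIG = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"

def jpeg_end(data):
    """Offset just past the JPEG's End Of Image marker, found by walking the segment
    structure rather than searching for FF D9 blindly (an embedded EXIF thumbnail has
    an EOI of its own, which a blind search would stop at)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:    # standalone markers carry no length
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                               # SOS: entropy-coded data follows, in which
            eoi = data.find(JPEG_EOI, pos + 2 + length)  # FF is always stuffed (FF 00) or a restart
            if eoi < 0:                                  # marker, so the first FF D9 is the real EOI
                raise ValueError("no EOI marker")
            return eoi + 2
        pos += 2 + length
    raise ValueError("no SOS segment")

def carve_trailer(data):
    """Bytes appended after the image and their type: 'rar', 'zip' or 'unknown' (None if nothing)."""
    trailer = data[jpeg_end(data):]
    if not trailer:
        return b"", None
    if trailer.startswith(RAR4_SIG) or trailer.startswith(RAR5_SIG):
        return trailer, "rar"
    if trailer.startswith(b"PK\x03\x04"):
        return trailer, "zip"
    return trailer, "unknown"

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: a minimal JPEG skeleton (not a decodable picture) whose APP1 segment
# holds a thumbnail with its own EOI, followed by a RAR signature and a made-up archive body.
SAMPLE_JPEG = (JPEG_SOI
               + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(0xE1, b"Exif\x00\x00" + JPEG_SOI + b"\x11" + JPEG_EOI)
               + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\xff\x00\x34\xff\xd0\x56"        # scan data with FF 00 stuffing and an RST0 marker
               + JPEG_EOI)
SAMPLE_FILE = SAMPLE_JPEG + RAR4_SIG + b"<constructed rar body>"
```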
H3 Q. What is the name of Woo Tae Hyuck's girlfriend, and where does she live?
EQ. What is the name of Woo Tae Hyuck's girlfriend, and where is she? (Key Format :: Woo Tae Hyuck_Hanla Mountain)
Searching for tae hyuck found packets exchanged over Microsoft NetMeeting, and the TCP stream at tcp.stream eq 40 showed the name and location.
Key : Kim Ha Neul_Dokdo island
H5 Q. What math problem did Wootang learn about through NateOn's shared picture viewing?
EQ. What mathematical problem does Wootang get via the picture-sharing function of NateOn? The answer is the value obtained by solving the math problem.
Since the conversation went over NateOn, I searched for @nate.com and found an image file being transferred; extracting it produced a single picture file with the problem in it.
Key : 40