Untitled

20:59:18  <GrossT>	game over
20:59:24  <Rewzilla>	:)
20:59:28  <freefirex>	GG
20:59:32  <root4days>	  _____   _____ _    _
20:59:33  <root4days>	 |  __ \ / ____| |  | |
20:59:33  <root4days>	 | |  | | (___ | |  | |
20:59:33  <root4days>	 | |  | |\___ \| |  | |
20:59:33  <root4days>	 | |__| |____) | |__| |
20:59:33  <root4days>	 |_____/|_____/ \____/
20:59:35  <root4days>
20:59:36  <OhYou_>	fail
20:59:37  <root4days>
20:59:47  <root4days>	  _____   _____ _    _
20:59:47  <root4days>	 |  __ \ / ____| |  | |
20:59:47  <root4days>	 | |  | | (___ | |  | |
20:59:47  -> bahaviland has joined #threatspace
20:59:49  <root4days>	 | |  | |\___ \| |  | |
20:59:51  <root4days>	 | |__| |____) | |__| |
20:59:52  -> J2TheROC has joined #threatspace
20:59:53  <root4days>	 |_____/|_____/ \____/
20:59:57  <root4days>
20:59:59  * OhYou_ reports for flood
20:59:59  <root4days>
21:00:21  <- Rewzilla has left #threatspace ["Leaving"]
21:00:29  -> Rewzilla has joined #threatspace
21:00:36  <ipp>	congratz root4days Rewzilla and whomever else is on DSU
21:00:43  <freefirex>	Thanks :)
21:00:46  <J2TheROC>	yep
21:00:50  <GrossT>	:D
21:00:52  <ipp>	I tried to do my best
21:00:54  <ipp>	to prevent that
21:00:58  <Rewzilla>	haha
21:01:00  -> m4dh4tt3rs_minio has joined #threatspace
21:01:01  <Rewzilla>	gg all
21:01:05  <ipp>	gg
21:01:08  <xonec>	gg
21:01:11  <m4dh4tt3rs_minio>	Good Game Everyone
21:01:17  <root4days>	gg
21:01:25  <J2TheROC>	gg
21:02:45  <OhYou_>	alright, now lets all share answers
21:02:59  <bahaviland>	I got
21:03:01  <bahaviland>	for 2+2
21:03:01  <bahaviland>	4
21:03:18  <freefirex>	dang I got 5
21:03:30  <root4days>	i got 22
21:03:32  <bahaviland>	Check for hemorrhoids with a small mirror
21:03:40  <J2TheROC>	oh that was a + i thought it was x
21:03:48  <Rewzilla>	bahaviland how did you get that???
21:04:15  <bahaviland>	I asked a psychic
21:04:29  <bahaviland>	she read my palm
21:04:45  <- bahaviland has left #threatspace ["Leaving"]
21:04:58  <Rewzilla>	ohhhhh of course i should have thought of that ><
21:05:04  <- root4days has left #threatspace ["Leaving"]
21:05:04  <- freefirex has left #threatspace
21:08:14  <xonec>	what was the theme for passwords 1
21:08:48  <Rewzilla>	high-collision-algos
21:08:55  <xonec>	i noticed half were WOW related
21:11:02  <xonec>	Lol as soon as i used rockyou to try to crack them, i saw the collision rate
21:11:09  <ipp>	World of Warcraft xonec
21:11:24  <xonec>	ipp: All of them?
21:11:25  <ipp>	I created a script to crawl wow wiki, extract text of all the links
21:11:31  <ipp>	all but root
21:12:25  <xonec>	Dude! i crawl most of the wiki too, but only got half
21:12:51  <ipp>	did you extract the text in links
21:12:55  <ipp>	because there were spaces
21:12:59  <ipp>	so if you just did words
21:13:02  <ipp>	you wouldn't get it
21:13:13  <xonec>	what was root?
21:13:27  <OhYou_>	ncl format probably
21:13:35  <OhYou_>	aint nobody got time for that
21:13:39  <ipp>	NCL-####-UUUU according to someone else, i hadn't got it
21:13:39  <ipp>	i did UUUU-####
21:13:40  <xonec>	Yeah i took spaces into account
21:14:08  <OhYou_>	speakign of ncl format, Dat wireless 4
21:15:02  <OhYou_>	that must have been painful for people without gpus
21:16:06  <Rewzilla>	something I've learned form ncl-games is that password cracking is almost always less about gpu power and more about clever dictionaries
21:16:24  <OhYou_>	so from what I've heard, NCL is going to be releasing the answers to all these shortly?
21:16:36  <OhYou_>	except for wifi 4
21:16:49  -> nix_xin has joined #threatspace
21:17:10  <OhYou_>	my ears still hurt from my 290x going for like 2 hours
21:17:10  <xonec>	How about web exploits?
21:17:21  <xonec>	lol ^
21:17:47  <nix_xin>	Yeah, how about those web servers?
21:18:04  <nix_xin>	Web 1 , Web 2 specifically?
21:18:04  <OhYou_>	Yea web servers
21:18:49  <xonec>	the web server with drupal installed looked pretty beat up
21:19:15  <nix_xin>	HAHAHA !! Luckily I got in just in time to get flag1
21:19:26  <nix_xin>	Someone screwed it up bad
21:20:17  <xonec>	i think some people used their ncl login credentials to create accounts on one of those web servers.
21:20:32  <ipp>	Web 2 - https://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/
21:20:38  <ipp>	Web 1 - Write a captcha analyzer
21:20:55  <nix_xin>	Ahh!
21:20:58  <ipp>	and get it correct 10,000 times in a row
21:21:05  <GrossT>	and don
21:21:13  <GrossT>	*go over 10000
21:21:19  <ipp>	I stopped it at 9,999
21:21:27  <ipp>	took the loop out
21:21:30  <ipp>	and ran it again haha
21:21:30  <OhYou_>	and then mistype the 10000
21:21:34  <GrossT>	^that
21:21:39  <m4dh4tt3rs_minio>	lol
21:21:41  <xonec>	ipp: how do you write a captcha analyzer?
21:21:44  <xonec>	Lol
21:21:56  <ipp>	http://www.boyter.org/decoding-captchas/
21:22:02  <ipp>	redid a little of that code
21:22:10  <ipp>	used mechanize to simulate the web
21:22:32  <nix_xin>	Ahhh!
21:22:33  <xonec>	interesting
21:22:37  <nix_xin>	very!
21:22:46  <OhYou_>	I tried outsourcing it to china but they kept getting it wrong
21:22:58  <ipp>	I'll try to get around to cleaning my code
21:23:02  <ipp>	and create a github
21:23:29  <xonec>	man, this ncl folks are raising the bar every time. GG
21:23:37  <ipp>	If I don't have something by the end of the month, ping me and i'll let you read my horrible code
21:23:46  <OhYou_>	so the intended way of solving that was to type out the captchas 10,000 times
21:24:24  <ipp>	and don't mess up
21:24:25  <OhYou_>	couldnt they have at least used cookies to keep track of how manty you did?
21:24:28  <ipp>	because it rests to 0
21:24:28  <xonec>	more or less write your own ocr for captchas
21:24:38  <nix_xin>	I used JMeter to hit the captcha page 10,000...it crapped out eventually
21:24:44  <OhYou_>	so that you know, could change it?
21:25:15  <OhYou_>	are the images complete random?
21:25:25  <ipp>	on the captcha?
21:25:27  <ipp>	it seemed so
21:25:30  <ipp>	and they are case sensitive
21:25:34  <OhYou_>	thats evil
21:26:10  <OhYou_>	I mean, if they used standard captchas, I could have probably blew through it in an hour
21:26:25  <ipp>	eh? this one was realyl simple
21:26:27  <ipp>	no overlap
21:26:43  <OhYou_>	I mean standard as in easy for humans
21:26:49  <ipp>	oh haha
21:27:41  <nix_xin>	Ok, so what was up eith Web2
21:27:50  <ipp>	I linked it, it was a mongo db
21:28:06  <ipp>	and you could do like username[$ne]=1&password[$ne]=1
21:28:11  <ipp>	do do a select * basically
21:28:16  <GrossT>	wait it wasn't postgres, like the image??? :P
21:28:21  <OhYou_>	did you get what sql server was running on that stupid victim in ne5?
21:28:26  <ipp>	Nope
21:28:36  <ipp>	If you sent an invalid char i forget which, you got an error message
21:28:36  <nix_xin>	How did you know it was mongo db?
21:28:43  <xonec>	Yeah^
21:28:55  <nix_xin>	From the error?
21:29:00  <xonec>	ipp: how did you know?
21:29:04  <GrossT>	try other sql injections until you get an error
21:29:08  <GrossT>	google error
21:29:09  <GrossT>	done
21:29:10  <ipp>	yea it said mongo
21:29:10  <ipp>	in the error
21:29:10  <ipp>	and gave the query essentially
21:29:37  <nix_xin>	Dang..I ran sqlmap on it a few times and no glory....
21:30:11  <nix_xin>	Keep trying harder next time....check!
21:30:14  <GrossT>	prolly need: http://www.nosqlmap.net/
21:30:25  <ipp>	https://107.22.162.98/index.php?username=admin%92&password=
21:30:27  <ipp>	^error message
21:30:48  <OhYou_>	well...
21:30:59  <nix_xin>	DANG !
21:31:11  <xonec>	dude!
21:31:12  <nix_xin>	Thanks for that man ...
21:31:43  <ipp>	https://107.22.162.98/index.php?username[$ne]=1&password[$ne]=1
21:31:44  <ipp>	^Exploit
21:32:13  <OhYou_>	I love how the key was the same on crypto 9.4 and 9.5 btw lol
21:32:43  <GrossT>	you don't even need the =1 part
21:33:08  <ipp>	ah til
21:33:21  <ipp>	Anything else i can help with?
21:33:45  <nix_xin>	Yes, the server with the crc32.py file....
21:33:52  <ipp>	It was Reverse Engineering
21:34:04  <ipp>	needed to dumpa bin off port 1234
21:34:13  <nix_xin>	I scanned it, found nothing....nikto'd it, found nothing,
21:34:28  <nix_xin>	Ahhhhh!
21:34:32  <nix_xin>	nice!
21:34:35  <ipp>	open up in debugger (i used EDB)
21:34:41  <ipp>	examine memory, then crc32-b what it came with and do a few other things
21:34:47  <ipp>	i don't fully remember off hte top of my head
21:34:54  <ipp>	it was similiar to exploits 4-6
21:35:09  <ipp>	except the termination character of input was NUL versus EOT
21:35:30  <OhYou_>	so were we suppost to get a shell on one fo the web ones?
21:35:34  <nix_xin>	nice....will do
21:35:45  <ipp>	If you don't have RE experience, i twill be difficult
21:35:58  <nix_xin>	RE and regular expressions
21:36:00  <ipp>	no
21:36:03  <ipp>	Reverse Engineering
21:36:09  <nix_xin>	oh!
21:36:12  -> Vital_ has joined #threatspace
21:36:16  <ipp>	You open it up in a debugger
21:36:20  <ipp>	step threw the statements
21:36:36  <nix_xin>	gotcha!
21:36:40  <ipp>	for instance exploit 4 or 5, had a string that it was adding 2F to which is a ROT cipher
21:37:02  <ipp>	if you input like abc123 it becomes easy to see it do the ROT in memory
21:37:07  <ipp>	because it stays sequential
21:37:40  <ipp>	or if you just know some "ROTX Words" you can input them
21:37:48  <ipp>	like ln ares is a ROT word
21:37:54  <ipp>	which looks semi legitimate
21:37:54  <OhYou_>	so what the hell was the brainwallet password... past the season: part
21:38:00  <ipp>	idk
21:38:08  <ipp>	probably NCL format
21:38:19  <ipp>	wasn't enough points for me to crack it
21:38:28  <ipp>	and Rewzilla got the $
21:38:32  <OhYou_>	yea
21:38:52  <OhYou_>	Rewzilla what are you going to spend your $0.14 on?
21:39:04  <GrossT>	silkroad 3.0
21:39:31  <OhYou_>	you can buy 0.00003 oz of fake drugs with that