Wednesday, December 5, 2012

Releasing the source code of my puzzler

A couple of months ago I released a puzzler on the PaulDotCom podcast and challenged people to complete it.  I designed it to be devious and to foil all automated script-kiddie scanners while still being vulnerable.  Today I got around to putting the source code together in a package so you can run it yourself, or look at the source if you want to use parts of the challenge for your own ends.  I impose no license restrictions on it.  Do with it as you wish, and use it at your own risk.

The file is located here:
http://micrmsoft.com/puzzlerchallengeh4u3t4enjr8gr94/package.zip

Here is a copy of the readme file with instructions:

My puzzler.  This is a challenge created and designed to be completed within a day.  It was something I wrote up over a few weekends.  I didn't make the code pretty, so it might take a little while to adapt to your own servers if you want to set it up.  If you want to take the time, the instructions are here.  You'll need to change a couple of references to domains in some PHP files and a pcap.  You'll also need to set up MySQL and an IRC server, and install Comic Sans, which is a nonstandard font on Linux.  I set this up on an Ubuntu box, but you can probably make it work on any flavor of Linux.

The challenge is linear: the URL to the next step is given upon completing the current step.

ZEROTH STAGE************************************************
This is an optional stage where I put together a huge obfuscated blob of text containing a URL pointing to the first stage.  I used the converter tool found at this blog:
http://www.kahusecurity.com/tools/

Here is an example blob of text.  The blob I actually used was massive; I made it by feeding the obfuscated text back into the obfuscator repeatedly.
%54%68%69%73%20%74%65%78%74%20%6C%65%74%73%20%79%6F%75%20%6B%6E%6F%77%20%79%6F%75%20%64%65%63%6F%64%65%64%20%69%74%20%72%69%67%68%74%2C%20%62%75%74%20%79%6F%75%20%61%72%65%6E%27%74%20%64%6F%6E%65%20%79%65%74%2E%0D%0A%53%47%56%79%5A%53%42%70%63%79%42%30%61%47%55%67%56%56%4A%4D%49%48%64%6F%61%57%4E%6F%49%48%42%76%61%57%35%30%63%79%42%30%62%79%42%30%61%47%55%67%62%6D%56%34%64%43%42%7A%64%47%46%6E%5A%51%3D%3D

Of course, if you want to have this stage then you'll need to make your own.
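The blob quoted above is percent-encoded text whose second line is base64, and the readme says the real one was built by feeding output back into the obfuscator. The following decoder, an added example and not part of the released package, peels such layers off line by line until nothing decodes further, so nested percent/base64 layers come apart without knowing the depth in advance. The `percent_encode` helper is an assumption about how the linked converter encodes every character as %XX; it is only used here to build nested test input.

```python
import base64
import re
from urllib.parse import unquote

# The blob quoted in the post: percent-encoded text whose second line is base64.
BLOB = (
    "%54%68%69%73%20%74%65%78%74%20%6C%65%74%73%20%79%6F%75%20%6B%6E%6F%77%20"
    "%79%6F%75%20%64%65%63%6F%64%65%64%20%69%74%20%72%69%67%68%74%2C%20%62%75%74%20"
    "%79%6F%75%20%61%72%65%6E%27%74%20%64%6F%6E%65%20%79%65%74%2E%0D%0A"
    "%53%47%56%79%5A%53%42%70%63%79%42%30%61%47%55%67%56%56%4A%4D%49%48%64%6F"
    "%61%57%4E%6F%49%48%42%76%61%57%35%30%63%79%42%30%62%79%42%30%61%47%55%67"
    "%62%6D%56%34%64%43%42%7A%64%47%46%6E%5A%51%3D%3D"
)

PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(data: bytes):
    """Return data as ASCII text if every character is printable, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_once(line: str):
    """Strip one encoding layer from a line. Returns (decoded, layer) or (line, None)."""
    if PERCENT_RE.search(line):
        decoded = unquote(line)
        if decoded != line:
            return decoded, "percent"
    if BASE64_RE.match(line) and len(line) % 4 == 0:
        # Only accept base64 whose output is readable text; otherwise it was a plain word.
        text = _printable(base64.b64decode(line, validate=True))
        if text is not None:
            return text, "base64"
    return line, None


def peel(blob: str, max_layers: int = 100):
    """Repeatedly strip layers, line by line, until nothing decodes further.
    Returns the recovered plaintext and the ordered list of layers encountered."""
    layers, current = [], blob
    for _ in range(max_layers):
        found, lines = [], []
        for line in current.replace("\r\n", "\n").split("\n"):
            decoded, layer = decode_once(line.strip())
            lines.append(decoded if layer else line)
            if layer:
                found.append(layer)
        if not found:
            break
        layers += found
        current = "\n".join(lines)
    return current, layers


def percent_encode(text: str) -> str:
    """Encode every character as %XX (assumed behaviour of the linked converter;
    used here only to build nested layers for testing)."""
    return "".join("%%%02X" % ord(c) for c in text)


if __name__ == "__main__":
    plain, layers = peel(BLOB)
    print(layers)
    print(plain)
```

Running it on the blob reports the layers `['percent', 'base64']` and prints the two decoded lines; wrapping the blob in another `percent_encode` layer adds one more `'percent'` entry and yields the same plaintext.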

FIRST STAGE************************************************
This is a login page that authenticates on the client side only.  There is a highly secure JavaScript to protect against right clicks, and an FBI warning to boot!  Finally, there is a chunk of obfuscated JavaScript.  I used Dean Edwards' packer to obfuscate it, and then broke it in small ways so the corresponding de-obfuscator could not be used.  If the user can reach page453543543.php successfully, they are pointed to the second stage.
-You'll need to supply your own URL on that page.

SECOND STAGE************************************************
First, it contains a SQL injection specially designed to foil automated scanners.  All SQL error messages are displayed, but only rendered as a PNG image, in bright pink Comic Sans.  No SQL scanner I know of can read these error messages, and any tool I run against it spews garbage because it literally reads the PNG data.  To make it work:

-You need to install the Comic Sans font, which is not standard on Linux distributions.  If you receive font errors, you can change line 15 in image.php to refer to a different font or directory of your choice.  I included the font file in this package.
-You may also need to install some non-standard PHP image manipulation libraries (I don't remember which), but it's likely you will have them by default.
-You need to set up MySQL and run the .sql script so your database is populated with the necessary data.  The SQL username and password are on lines 11 and 12 of index.php.
-You also need to set up an IRC server, protected by a server password of your choice.  Details below:
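The second stage works because the page builds its query from the user's input and then shows the database's error text, just drawn as a PNG instead of HTML. The example below is added here and is not the challenge's PHP; it uses an in-memory SQLite table (constructed, standing in for the MySQL database) to put the string-concatenated lookup beside its parameterized form, and shows the handling a real page should use: the raw database error goes to the server log and the client gets a generic message, whether as text or as an image.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("admin", "admin")],
    )
    return conn


def vulnerable_lookup(conn, username):
    """String concatenation: the input becomes part of the SQL text,
    so a quote in it changes the statement (the pattern the stage is built on)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Parameter binding: the input is passed as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def error_text(lookup, conn, username):
    """Run a lookup and return the database error message it produces, or None.
    This is the text the challenge renders into the pink PNG."""
    try:
        lookup(conn, username)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def handle_request(conn, username):
    """What a page should return: rows on success, a generic message on failure.
    The detailed error is logged server-side and never reaches the client in any form."""
    try:
        return {"rows": safe_lookup(conn, username), "error": None}
    except sqlite3.Error as exc:
        print("server log:", exc)
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, "alice"))
    print(error_text(vulnerable_lookup, db, "'"))
    print(safe_lookup(db, "'"))
    print(handle_request(db, "admin"))
```

A lone quote makes the concatenated query fail with a syntax error, which is exactly the signal a scanner looks for and the signal the PNG rendering hides; the same input bound as a parameter simply matches no row, and the tautology that returns every row through concatenation returns nothing through the bound query.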
The pcap itself contains a record of a user logging into my IRC server in cleartext while visiting some websites at the same time.  The correct packet is the only one on its port, and it would appear anomalous when viewing statistics about the pcap.  A server password is used to log in to the IRC server, so one would have to find the correct packet in the pcap to find the correct domain and password.  It points to a domain I own; if you want to set up your own IRC server, I suggest you set it up with a server password, and run a packet capture of yourself while visiting websites and logging into your own IRC server.
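Two properties of the capture are described above: the IRC login is the only traffic on its port, and the server password travels in cleartext. The example below is added here, not part of the package, and runs over constructed flow records (documentation-range addresses and a made-up IRC registration, not data from the real pcap) of the kind a capture export produces. It tallies destination ports to surface the singleton the text mentions, and flags flows that carry an IRC PASS/NICK/USER registration in the clear, reporting the server and nick but deliberately not the password value.

```python
from collections import Counter

# Constructed flow records: (src, dst, dst_port, first bytes of the payload).
# Addresses come from documentation ranges; the IRC login is made up.
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "93.184.216.34", 80, b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 80, b"GET /news HTTP/1.1\r\nHost: news.example.org\r\n\r\n"),
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.5", "203.0.113.11", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.5", "10.0.0.1", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    ("10.0.0.5", "10.0.0.1", 53, b"\x56\x78\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    ("10.0.0.5", "198.51.100.7", 6667,
     b"PASS example-server-password\r\nNICK contestant\r\nUSER contestant 0 * :contestant\r\n"),
]

# IRC registration commands that appear at connection time (RFC 1459 connection registration).
IRC_LOGIN_COMMANDS = ("PASS", "NICK", "USER")


def port_histogram(flows):
    """Destination-port counts, the same view a capture tool's statistics pane gives."""
    return Counter(dport for _, _, dport, _ in flows)


def singleton_ports(flows):
    """Destination ports seen in exactly one flow: the 'only one on its port' anomaly."""
    return sorted(p for p, n in port_histogram(flows).items() if n == 1)


def cleartext_irc_logins(flows):
    """Flag flows carrying an IRC registration in cleartext.
    The report names server, port, nick and the commands seen; the PASS value is
    omitted on purpose so the finding can be shared without re-exposing the secret."""
    findings = []
    for _, dst, dport, payload in flows:
        text = payload.decode("ascii", errors="replace")
        seen, nick = [], None
        for line in text.split("\r\n"):
            parts = line.split(" ", 1)
            cmd = parts[0].upper()
            if cmd in IRC_LOGIN_COMMANDS:
                seen.append(cmd)
                if cmd == "NICK" and len(parts) == 2:
                    nick = parts[1].strip()
        if "PASS" in seen:
            findings.append({"server": dst, "port": dport, "nick": nick, "commands": seen})
    return findings


if __name__ == "__main__":
    print(port_histogram(FLOWS))
    print("singleton ports:", singleton_ports(FLOWS))
    for hit in cleartext_irc_logins(FLOWS):
        print("cleartext IRC registration:", hit)
```

On the constructed records the histogram shows ports 80, 443 and 53 several times each and 6667 once, and the IRC flow is the only one flagged. The same check run against a capture of your own session, as the readme suggests, confirms the server password is visible to anyone holding the pcap, which is why it should be a throwaway used only for the challenge server.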

The final, winning step of the puzzle is of course when the user can find the correct IRC credentials, log in, and join the #winnerscircle channel.

Hopefully you find this challenge as devious and frustrating as I intended it to be.

A final mention: there are a couple of references left in the pcap to the domain I originally used.  I used to point it to a sinkhole because the previous owner had used it for malware.  I am not responsible for the malware, but it amused me to hold a challenge on a domain that would trigger DNS blacklist alerts for any contestants.  You are of course free to use any domain you want to register.  YMMV.
