Def Con 24 Caezar Challenges URl Solving

Part of the Caezar challenge involved URL forcing. There were four characters, three unique, that were unsolved in the domain name. Using a combination of scripting and nslookup, it was trivial to solve (though later determined not to be necessary, but was possible after solving via traditional substitution cipher. I wont spoil the preferred method here since it was brlliant and may be used again).

Here I explain this process.

I worked with some good friends on solving the cipher to get to the party website. Whilst it was later revealed to not need any brute forcing, rather than the substitution cipher we used, the method we created to solve the partial URLs was interesting enough to share.

The first script outputed all possible letter substitutions for the missing portions of the URL. We then piped those into dig to look for valid DNS entries.

Output the possible URLs:

for A in { a   b   f   j   k   l   q   u   v   w   x   y   z }
do
for B in { a   b   f   j   k   l  q   u   v   w   x   y   z }
do
for C in { a   b   f   j   k   l  q   u   v   w   x   y   z }
do
echo “http://cc.”$A$B”teno”$C”og”$B”.com
done;
done;
done;

We then piped this into nslookup and saved all the results:

for A in `cat curl_1.sh `; do  nslookup $A >> log;  done;

We then looked for the uncommon DNS answer in the log, versus the most prevelant IP (which was the Cox network DNS hijack that was used for “search suggestions”)”

cat log | grep -r Address: | sort| uniq -c

This output a few responses, one of which was not like the others 🙂

   2197 log:Address:    10.10.0.1#53
      1 log:Address: 54.231.185.23
2196 log:Address: 92.242.140.2
2527 log_bad:Address:    10.10.0.1#53

When we look through the log for that address:

Non-authoritative answer:
Name:   cc.bytenology.com
Address: 54.231.185.23
Server:         10.10.0.1
Address:        10.10.0.1#53

 

This was the website as it stood at the time (it added the party details on the home page when it got late enough). It had two ciphers.

The one on the left was the username, and the right side the password. These went into the URL to give the invite page.

The video was of a great talk by @rileycaezar on what makes a hacker.

website_screenshot

1 Comments