TigerTeam - suomalainen tietoturvablogi

Haasteen ratkaisi kaikkiaan 19 henkilöä, joista 12 kutsuttiin haastatteluun.

Sivulatauksia haastepalvelimelle tehtiin noin 200 000 kaikkiaan 66 eri maasta.

Julkaisemme ratkaisun englanniksi, koska haastetta yritti ratkaista myös moni ulkomaalainen henkilö:

The browser starts by fetching a simple JavaScript from r.php without parameters. Typing the script URL in the location bar causes the user’s IP to be banned as the script contains a JavaScript comment that also can be interpreted as an HTML meta redirect. The ban can be removed by visiting the base64 encoded address hidden in the source code of the “403 Forbidden” page. The first script does a few simple loops and calculations to fetch the next script.

Every script except the first one can be fetched only once and this needs to be done within a short timeframe. The scripts are dynamically generated and different every time.

The next script contains xor-encrypted code to get the script of the next phase. This script sends the browser local time in the rand-parameter to the server.

The first two scripts can be bypassed e.g. by using a proxy tool (Burp etc.) in order to directly fetch the last phase script. This script implements an obfuscated stack-based virtual machine processing the byte-code which in turn does the actual validation of the password.

The virtual machine contains an embedded time-check comparing the local time into the timestamp sent to the server during the second phase. In case the local time differs too much from the expected time, the bytecode execution is disrupted. The password is converted into a base-63 number system and the resulting number is compared to a known value.

During the first week the password was aeIrfYh and then it was changed to dEys56_.

Congratulations to all who were able to solve the puzzle!

Pekka Sillanpää vastaa Nixun tarkastuspalvelutuotteiden kehittämisestä ja on tehnyt teknisiä tarkastuksia ja penetraatiotestejä vuodesta 2005 lähtien.