p4-team
diff --git a/‎2016-12-10-seccon-2016-quals/memory/README.md
+99 b/‎2016-12-10-seccon-2016-quals/memory/README.md
+99
diff --git a/‎2016-12-10-seccon-2016-quals/vigenere/README.md
+148 b/‎2016-12-10-seccon-2016-quals/vigenere/README.md
+148
diff --git a/‎2016-12-10-seccon-2016-quals/voip/README.md
+20 b/‎2016-12-10-seccon-2016-quals/voip/README.md
+20
diff --git a/‎2016-12-10-seccon-2016-quals/voip/voip.pcap
521 KB b/‎2016-12-10-seccon-2016-quals/voip/voip.pcap
521 KB
diff --git a/‎2016-12-10-seccon-2016-quals/voip/ws.png
220 KB b/‎2016-12-10-seccon-2016-quals/voip/ws.png
220 KB
@@ -0,0 +1,99 @@
+# Memory (forensics 100)
+
+###ENG
+[PL](#pl-version)
+
+In the task we get a memdump (quite large so we won't add it here).
+We proceed with the analysis using volatility.
+
+If we check connections we can see that there is only one:
+
+```
+$ ./volatility-2.5.standalone.exe connections -f forensic_100.raw
+Volatility Foundation Volatility Framework 2.5
+Offset(V)  Local Address             Remote Address            Pid
+---------- ------------------------- ------------------------- ---
+0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080
+```
+
+No we can still play with volatility or we can just check this IP directly in the memdump strings and we can find:
+
+```
+# Copyright (c) 1993-1999 Microsoft Corp.
+# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
+# This file contains the mappings of IP addresses to host names. Each
+# entry should be kept on an individual line. The IP address should
+# be placed in the first column followed by the corresponding host name.
+# The IP address and the host name should be separated by at least one
+# space.
+# Additionally, comments (such as these) may be inserted on individual
+# lines or following the machine name denoted by a '#' symbol.
+# For example:
+#      102.54.94.97     rhino.acme.com          # source server
+#       38.25.63.10     x.acme.com              # x client host
+127.0.0.1       localhost
+153.127.200.178    crattack.tistory.com 
+```
+
+So it seems someone added this IP manually for host `crattack.tistory.com`.
+
+If we now look for the host `crattack.tistory.com` we can find:
+
+
+```
+C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
+```
+
+This matches what we've seen - someone was accessing this IP on port 80, so it was IE.
+But this IP does not match the actual IP of this host.
+So we check what did the user see under `http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd` -> `http://153.127.200.178/entry/Data-Science-import-pandas-as-pd` and it turnes out to be the flag:
+
+`SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}`
+
+###PL version
+
+W zadaniu dostajemy memdump (duży więc go nie wrzucamy).
+Rozpoczynamy analizę z volatility.
+
+Jeśli sprawdzimy połączenia to widzimy tylko jedno:
+
+```
+$ ./volatility-2.5.standalone.exe connections -f forensic_100.raw
+Volatility Foundation Volatility Framework 2.5
+Offset(V)  Local Address             Remote Address            Pid
+---------- ------------------------- ------------------------- ---
+0x8213bbe8 192.168.88.131:1034       153.127.200.178:80        1080
+```
+
+Moglibyśmy dalej bawić się z volatility ale szybciej będzie poszukać tego IP w stringach z memdumpa:
+
+```
+# Copyright (c) 1993-1999 Microsoft Corp.
+# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
+# This file contains the mappings of IP addresses to host names. Each
+# entry should be kept on an individual line. The IP address should
+# be placed in the first column followed by the corresponding host name.
+# The IP address and the host name should be separated by at least one
+# space.
+# Additionally, comments (such as these) may be inserted on individual
+# lines or following the machine name denoted by a '#' symbol.
+# For example:
+#      102.54.94.97     rhino.acme.com          # source server
+#       38.25.63.10     x.acme.com              # x client host
+127.0.0.1       localhost
+153.127.200.178    crattack.tistory.com 
+```
+
+Jak widać ktoś ręcznie dodał ten IP dla hosta `crattack.tistory.com`.
+
+Jeśli teraz poszukamy hosta `crattack.tistory.com` znajdziemy:
+
+```
+C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
+```
+
+Co pasuje do tego co obserwowaliśmy - ktoś łączył się z tym adresem na porcie 80, więc było to IE.
+Ale ten IP nie pasuje do faktycznego adresu tego hosta.
+Sprawwdźmy więc co użytkownik widział pod `http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd` -> `http://153.127.200.178/entry/Data-Science-import-pandas-as-pd` a okazuje się to być flagą:
+
+`SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}`
@@ -0,0 +1,148 @@
+# Vigenere (crypto 100)
+
+###ENG
+[PL](#pl-version)
+
+In the task we get a ciphertext:
+
+```
+LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ
+```
+
+And information that this is Vigener Cipher with alphabet:
+
+```
+ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
+```
+
+And the md5 of plaintext is `f528a6ab914c1ecf856a1d93103948fe`
+
+We of course know the flag prefix `SECCON{` so we can instantly recover the prefix of the key:
+
+```python
+def get_key_prefix(alphabet, ct, known_pt):
+    result = ""
+    for i in range(len(known_pt)):
+        plain = known_pt[i]
+        cipher = ct[i]
+        key = alphabet[alphabet.index(cipher) - alphabet.index(plain)]
+        result += key
+    return result
+```
+
+which gives us `VIGENER`
+
+Next we can just brute-force the missing 4 bytes of the key:
+
+```python
+def decode(alphabet, ct, key):
+    result = ""
+    for i in range(len(ct)):
+        c = ct[i]
+        k = key[i % len(key)]
+        if k != "?":
+            p = alphabet[alphabet.index(c) - alphabet.index(k)]
+        else:
+            p = "?"
+        result += p
+    return result
+
+
+def worker(data):
+    c, alphabet, ct, key = data
+    key += c
+    for suffix in itertools.product(alphabet, repeat=4):
+        new_key = key + "".join(suffix)
+        pt = decode(alphabet, ct, new_key)
+        if hashlib.md5(pt).hexdigest() == "f528a6ab914c1ecf856a1d93103948fe":
+            print(pt)
+            return pt
+
+
+def main():
+    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"
+    ct = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
+    key_prefix = get_key_prefix(alphabet, ct, "SECCON{")
+    print('key prefix ', key_prefix)
+    print(brute(worker, [(c, alphabet, ct, key_prefix) for c in alphabet]))
+
+
+if __name__ == '__main__':
+    freeze_support()
+    main()
+```
+
+Which gives us almost instantly `SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}`
+
+###PL version
+
+W zadaniu dostajemy zaszyfrowany tekst:
+
+```
+LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ
+```
+
+I informacje że to szyfr Vigenera z alfabetem:
+
+```
+ABCDEFGHIJKLMNOPQRSTUVWXYZ{}
+```
+
+Mamy też md5 plaintextu: `f528a6ab914c1ecf856a1d93103948fe`
+
+I oczywiście znamy prefix flagi `SECCON{` więc możemy od razu odzyskać prefix klucza:
+
+```python
+def get_key_prefix(alphabet, ct, known_pt):
+    result = ""
+    for i in range(len(known_pt)):
+        plain = known_pt[i]
+        cipher = ct[i]
+        key = alphabet[alphabet.index(cipher) - alphabet.index(plain)]
+        result += key
+    return result
+```
+
+co daje nam `VIGENER`
+
+Następnie możemy brute-forcować brakujące 4 bajty klucza:
+
+```python
+def decode(alphabet, ct, key):
+    result = ""
+    for i in range(len(ct)):
+        c = ct[i]
+        k = key[i % len(key)]
+        if k != "?":
+            p = alphabet[alphabet.index(c) - alphabet.index(k)]
+        else:
+            p = "?"
+        result += p
+    return result
+
+
+def worker(data):
+    c, alphabet, ct, key = data
+    key += c
+    for suffix in itertools.product(alphabet, repeat=4):
+        new_key = key + "".join(suffix)
+        pt = decode(alphabet, ct, new_key)
+        if hashlib.md5(pt).hexdigest() == "f528a6ab914c1ecf856a1d93103948fe":
+            print(pt)
+            return pt
+
+
+def main():
+    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"
+    ct = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"
+    key_prefix = get_key_prefix(alphabet, ct, "SECCON{")
+    print('key prefix ', key_prefix)
+    print(brute(worker, [(c, alphabet, ct, key_prefix) for c in alphabet]))
+
+
+if __name__ == '__main__':
+    freeze_support()
+    main()
+```
+
+Co od razu daje nam `SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}`
@@ -0,0 +1,20 @@
+# VoIP (forensics 100)
+
+###ENG
+[PL](#pl-version)
+
+In the task we get a [pcap](voip.pcap) of a VoIP call.
+There was not much to do here since Wireshark can out-of-the-box decode this for us:
+
+[!](ws.png)
+
+And the flag is `SECCON{9001IVR}`
+
+###PL version
+
+W zadaniu dostajemy [pcapa](voip.pcap) z rozmowy przez VoIP.
+Nie było tu zbyt wiele do roboty bo wireshark potrafi to od razu zdekodować:
+
+[!](ws.png)
+
+A flaga to `SECCON{9001IVR}`