Friday, February 28, 2014

The Art of Software Testing

Review: Good classic book about basic principles of software testing. Most of the principles and testing approaches from the book were already known to me. But it's a classic book, so, I'm highly recommend it to the newcomers to software testing.

Sunday, February 16, 2014

Olympic CTF 2014 - Find da key writeup

I didn't solved this task during the competition, and today I've finally solved it. Since I haven't found a write-up for it, I decided to write my own solution.

Freestyle 200 - Find da Key
Author: vos
Task is very unusual: find the key. stego.txt

We have a file with base64 encoded lines. After decoding of all of them we get the text about Steganography from wikipedia.
First encoded line: U3RlZ2Fub2dyYXBoeSBpcyB0aGUgYXJ0IGFuZCBzY2llbmNlIG9m
Decoded text: Steganography is the art and science of
After trying to encode to base64 just decoded lines it's possible to discover that the last bytes are sometimes changing. For example for a line:
Decoded text: " writing hidden messages in such a way that no one"
And again encoded to base64:
The last byte (before pad character "=") changed from V to U. Then to solve this task, we need to know base64 encoding and decoding algorithm. I've used the description from RFC 4648.
So after reading and understanding the algorithm (especially pads adding ), its possible to make an assumption: if one pad (=)  is at the end of encoded data then two bits are available for hiding data, if two pads (==) then four bits are available for hiding, and if no pad then no bits are available.
Here is a solution source code in Python:
def get_base64_diff_value(s1, s2):
 base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
 res = 0
 for i in xrange(len(s1)):
  if s1[i] != s2[i]:
   return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
 return res

def solve_stego():
 with open('stego.txt', 'rb') as f:
  file_lines = f.readlines()

 bin_str = ''
 for line in file_lines:
  steg_line = line.replace('\n', '')
  norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')

  diff = get_base64_diff_value(steg_line, norm_line)
  pads_num = steg_line.count('=')
  if diff:
   bin_str += bin(diff)[2:].zfill(pads_num * 2)
   bin_str += '0' * pads_num * 2

 res_str = ''
 for i in xrange(0, len(bin_str), 8):
  res_str += chr(int(bin_str[i:i+8], 2))
 print res_str

The flag is: Base_sixty_four_point_five
P.S. The task is truly unusual, and it is the first time I met a method of hiding data in Base64.

Tuesday, February 11, 2014

Sochi 2014 Winter Olympic rings JavaScript

Just published JavaScript and HTML5 Canvas version of Sochi 2014 Winter Olympic rings on github
It's also available on JSFiddle:
A reliable version is available here:
Олимпийские кольца Сочи 2014 на JavaScript

Sunday, February 9, 2014

Olympic CTF 2014 - Writeups

Some my writeups for Olympic CTF 2014 tasks.

Figure Crypting 10 - Crypting 
Author: touzoku
43wdxz 4edcvgt5 65rdcvb 6tfcgh8uhb 9ijn

After a lot of unsuccessful attempts to decrypt message using popular methods, I've found a solution:

Binathlon 10 - Just No One
Author: vos
Here's your binary: setup.exe

Flag was in EULA:

CURLing 10 - Out there
Author: kyprizel
Flag is out there: http://[2a02:6b8:0:141f:fea9:d5ff:fed5:XX01]/

After quick search of address, I've found that uses 2a02:6b8:0:141f:fea9:d5ff:fed5:6901 as its IPv6 address. After that, I've used site for get its content with a flag.
<p><a href="">Vladimir Mikhaylovich Smirnov</a> (born 7 March 1964) is an Kazakhstani former cross-country skier who raced from the 1982 until 1991 for the USSR and, later, for Kazakhstan. First Olympic champion from independent Kazakhstan. He is also a vice president of the International Biathlon Union. Smirnov is a former member of International Olympic Committee.</p>
<!-- CTF{7a0dd6d4556a7ed60e6f7686eae0590d} -->
Flag is: CTF{7a0dd6d4556a7ed60e6f7686eae0590d}

Freestyle 10 - Trivial
Author: vos
Hack the Planet_
Flag is:!