Upcoming blockchain CTF games

Cryptocurrency is the hype and we are ready with our partners to publish the next CryptoCurrency is The Flag games. For the 5th and 6th time, paricitpants will have the chance to win real Ethereum and HODLbag tokens while learning about cryptocurrency, information security and hacking.

The upcoming events will be organized online and the participation is open for everyone local or remote. Like last year, a new guide for beginners will be provided, so don’t worry if you are just getting started! You are here to improve yourself!

If you want to have a look at past challenges, you can read the writeups written by previous CCTF participant:

BIPolognese

Don’t be eval

Pwncoin Challenge

Foxy

EVM bytes


CCTF Vol5 is focusing more on beginners, so don’t miss the chance. If you join the conference you will have extended rewards!

Live during BDAY 4.0 || 2021.May.18.

https://blockchainbudapest.hu/


Feel like a 1337 haxor? Prove yourself with the hardest crypto* challenges during BsidesBud and win the local prizes too!

CCTF Vol6 during BsidesBUD 2021 || April 27.

https://2021.bsidesbud.com/


Get ready and HODL yourself!

Bitcoin and Crypto* events in Dubai

Looking for meeting other people who are into crypto*? Wants to find the best place to start your blockchain business? Awalcon and the HODLbag project shares the best places to get started. If you are an enthusiast, already have a project, looking for investors or just a beginner who wants to learn and meet interesting people: this is what you need to know.

EcoX Networking Events

Every Tuesday, you have the chance to meet people from different backgrounds, many of them are into crypto*. Just get there and be brave to start discussions with people you do not know yet!

Find the flyers on Instagram: https://www.instagram.com/ecoxdubai/

Website: https://www.ecox.pro/

Crypto Mondays

Crypto* people in the space! Mostly for beginner, but you can meet some big names there. Last Monday, we had Tone Vayes and Gary Sheynkman with us.

For the next meetup, make sure to follow: https://twitter.com/CryptoMondaysSJ

You can also join the cryptoDubai group on Signal where we keep posting about the events. Contact: https://linktr.ee/awalcon

Dubai allows crypto businesses to set up in free zone

Just as the heading says, things are moving on in the free zone.

An economic free zone in Dubai has opened for businesses that are offering, issuing, listing and trading crypto assets. The Dubai Multi Commodities Center (DMCC) signed the initial agreement with the Securities and Commodities Authority (SCA) to allow licensing for firms that deal with crypto assets.

Find more details on this link:

https://www.arabnews.com/node/1828681/business-economy

4 Microsoft Exchange Server vulnerabilites

March is not a good month for Microsoft in 2021. At the beginning of March, Microsoft has given out warnings about critical unpatched Exchange Server vulnerabilities.

These vulnerabilities can infect tens of thousands of businesses, government entities in the U.S., in Asia, and in Europe. In addition, the number of targeted attacks have increased.

Outside of U.S, the malware also infected services in Norway, the Czech Republic, and the Netherlands. Attackers scan offensively Microsoft’s email servers, which represent high-value. This time the numbers of attacks were higher compared to last December’s SolarWinds hacking spree. The vulnerability allows breaking into Microsoft Exchange Servers and allows the installation of unauthorized web-based backdoors to facilitate long-term access.

Awalcon recommends updating or disconnecting the affected Exchange Servers immediately.

The vulnerability CVE-2021-26855 allows the bypass of authentication of an on-premises Microsoft Exchange Server that’s able to receive untrusted connections from an external source on port 443. The next vulnerabilities are CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: these allow malicious parties to gain remote access to the vulnerable systems. It is an interesting fact that both CVE-2021-26855 and CVE-2021-27065 were reported in October 2020.

On March 12, 2021 Microsoft released an emergency patch for all the four security issues. As always, the bad news for the affected businesses: installing the patches is not enough if you have already been backdoored.

Google Chrome zero-day vulnerability

Google has introduced an update to the Chrome browser and released a second patch within a month that fixes five vulnerabilities, including a zero-day vulnerability. One of the most important bugs can be traced as CVE-2021-21193 and affects the Windows, Linux, OS X versions of the browser.

This vulnerability was detected by an anonymous user, and through this bug an attacker can execute arbitrary code on the target system. The measuring of this error is  8.8 out of 10 on the CVSS scale. To avoid this security issue, update your Google Chrome browser at Settings -> Help -> About.

Why the browsers?
Browsers tend to evolve faster in many organizations than other applications, and browsers are a great way to reap the benefits, and attackers continue to target them because they continue to be excellent entry points for endpoint threats within the organization. In addition, the extensions are usually updated less frequently and require hardening to prevent further attacks.

What is a zero-day vulnerability?
Timing is most important here. The moment the flaw becomes known, hackers around the world can try to exploit it. Overall, programmers have zero days to find a solution to the issue, henceforth the term “zero-day vulnerability”.

This can take almost any form, such as missing data encryption, buffer overflows, missing permissions, SQL injection, broken algorithms, URL redirects, errors, or password security issues.

How protect yourself?
Here are some tips to help protect your business from these types of attacks:

Be informed: pay attention to software vendor spending, it may be time to take advantage of security measures or respond to threats before taking advantage of them

Take additional security measures: consider seeking the assistance of an experienced professional, as the safety measures mentioned above are not sufficient to fully protect you.

Keep your system up to date: make sure your software platforms are up to date. The best solution is to allow automatic updates so that the software is updated regularly without any manual intervention.

Inspiration from Dubai and the Global Blockchain Congress 2021

The Awalcon HODL Bag team visited Dubai for finding new possibilities, inspiration and attending the Global Blockchain/DeFi congress which took place between 2021.02.09.-10.

The whole trip was a positive experience from the point of meeting new people, learning more about DeFi projects and discussing with investors (VCs, Private Equity Firms, Family Offices and High Networth Individuals). Though we are not seeking financial support, advice is always welcome from individuals who have already created projects that work on the long run.

The days we have spent in Dubai truly gave us inspiration and new ideas to push our IDeaLs (Indpendent Decentralized Life System) further. We are very soon making the HODL Bag system public and accessible for everyone who is interested.

Awalcon OÜ has also been fully initialized in Estonia (registration code 16156552). That means we are ready to sell the HODL Bags and also ready to work for the system.

We take decentralization serious: you will be able to use the first functions in this HODL Bag NFT smart contract with just your MetaMask app and the frontend will also be runable from any computers, not centralizing all the contact interactions to a single website.

We are looking forward to keeping in touch with all our new friends.

A global start from Estonia

Awalcon becomes global in 2021. If you haven’t followed us during the first year, here are some active projects we are working on:

Awalcon Information Security and Blockchain Services

HODLBag DAO (will be presented first around mid-January)

CryptoCurrency (is) The Flag – CTF game, in a collaboration with our partners

CryptoZSH – Tools and configuration for ZSH users

2020 was not an easy year, but with clear goals and enthusiast people around, growth occurs even in the hardest times.

We are looking forward to go global in 2021!

CCTF4 Hacktivity Writeups 3. (Final)

Foxy challenge

The data given was printable ASCII, which implied a fair chance that it was encrypted (or obfuscated) with a cipher that always outputs such characters. Two obvious suggestions come to mind: base64 and rot13. However, the ciphertext didn’t exactly look like any mainstream base64 output, nor the rot13 of anything reasonable; what other similar ciphers (or encodings) are there?

The key giveaway was the hint of “!47 -> 42”. The main part of the solution was to take the rot42 of the reverse rot47 of the data. This produced what looked like base64 output. It was the base64 of the flag.

Author: Mr. SI

Ethereum VM bytecode challenge

The task was to uncover the flag from a thing that looked like 0x6080… To those familiar with Ethereum smart contract programming, this thing is obviously Ethereum VM bytecode; for others, as a starting point: the problem said “sometimes the code is 404”.

Decompiling the bytecode using an Ethereum VM decompiler <https://ethervm.io/decompile>, we could discover the following:

1. The constructor is uninteresting, it just sets up the contract’s long-term code.
2. The reverse engineered long-term code contains:
function getflag() {
storage[0x01] = 0x0b47326dc54f49d6f674;
}
which looks like a giveaway.

But actually “0x0b47326dc54f49d6f674” wasn’t accepted as the flag. Unfortunately, the bytes therein don’t appear to encode anything sensible either. However:

3. The rest of the long-term code is also not really interesting: it has methods to plainly store and retrieve data.
4. There was no inclination about any deployments of this smart contract.

So one ought to have been baffled: the flag must really be somehow in that outstanding constant. It turns out that the number 0x0b47326dc54f49d6f674 was indeed the flag, but the system accepted it only in decimal format.

Author: Mr. SI

MVP presentation: Information security for Bács-Kiskun region

The recording is available in Hungarian language. The Awalcon presentation by six starts at 35 minutes:

https://mkik.videosquare.eu/hu/recordings/details/7358,Modern_Vallalkozasok_Programja_-Munkaszervezes_2.0-Tav-_es_csoportmunkat_tamogato_eszkozok_IT_biztonsagi_kockazatok-_Bacs-Kiskun_megye

In Hungary, most of the companies are just getting started with information security. Our goal is to support them to implement more secure systems, both from human and technical point of views: IT security awareness, policies, audits, penetration testing, cryptography and the Awalcon Certification system.

The presentation covers an introduction to IT and Information Security. We start from the topic of homeoffice and arrive to enterprise networks.

CCTF4 Hacktivity Writeups 2.

Don’t be eval

The task was to somehow break a specified website. The HTML markup of the website contained the text “Figwheel”. A quick web search will reveal that Figwheel is a software package for developing websites — live¹ — in the Clojure programming language.

On the website, the only item of interest was the link anchored to the text “do you even REPL, bro?”: the URL contained an argument of “(cons 1 2)”, which looks like Clojure code (a lot like Lisp). Along with the challenge’s name of “Don’t be eval”, these all gave the suggestion that the web request’s single parameter was taken as Clojure code to be evaluated, and indeed it was.

Clojure has access to the full Java ecosystem, including IO functions. By sending in appropriate code snippets (in the URL parameter), it was possible to list the contents of the current directory; it contained a file called “flag.txt”. Then that file could be printed, which contained the flag.

¹ to get a feel for what raz, the creator of this challenge, does for a living, see https://www.youtube.com/watch?v=XSIy8gmjmgY#t=1204s

Author: Mr. SI

Pwncoin challenge

For this challenge, a host was specified, and it was suggested that one ought to use Netcat. It was also blatantly stated that one should try overflowing the “meaning of life” (i.e. 42). The solution was to send an arbitrary string exactly of length 43 (not more, which might be weird, but is realistic), over a plain TCP connection; this revealed the flag.

On top of that — and this is something that even the creator of this challenge didn’t think about —, one could discover that the service served at most 1 client at a time, denying other connections while one is open. This permitted a shrewd contestant to prevent other contestants from even attempting to solve this challenge thereafter, by leaving a connection to the server hanging without submitting anything — it wasn’t me! :trollface.jpg:

Note from six for this solution: it was a wargame! 🙂

Author: SI

Thank you SI for submitting the writeups!

CCTF4 Hacktivity Writeups 1.

We have received many requests for the CCTF game writeups. Here is the first one, the challenge was called “BIPolognese”. Be careful, spoilers follow.

Challenge: BIPolognese

BIPolognese (100 points)
Crypto Wojack (beginner)

Crypto Wojack was considerate again and made a cold backup of his wallet seed so Bogdanoff can't hak it again.
Meanwhile, he was lost in eating ₿10.000 pizza.

Look at that picture! Can you get the account address?

The hints

  1. The challenge’s name itself suggests a BIP seed
  2. Cold backup
    • These are copied somewhere offline, but before it is shown on the screen
  3. Doing something during eating
    • Crypto Wojack is doing something with the BIP seed and a wallet
  4. Look at the picture
    • You will find the BIP seed on the right laptop’s screen

The solution

Note the BIP44 seed words from the screen, open a web browser, install MetaMask.

After you have installed it, this screen will appear:

Choose the “Import wallet” option and use the seed phrase from the picture.

You find that the wallet it empty, but the flag is the first address as mentioned in the Rules.

Writeup by: six