From 5e67a2c847ca36258f324a8f80d8b8513db8ca64 Mon Sep 17 00:00:00 2001
From: Danny Quist
Date: Thu, 8 Oct 2009 14:15:45 -0600
Subject: [PATCH 1/3] Reordered puzzles, added the new Sandia challenges.
---
.../150}/aacaaebb0cd0503e7bad97c42321a738 | Bin
puzzles/bletchley/150/index.html | 2 +
puzzles/bletchley/150/key | 1 +
.../350}/936bc08007a9076673a81040024728be | Bin
puzzles/{compaq/300 => bletchley/350}/key | 0
.../50/adddbafb502355634d9ef10e1848cf52 | Bin
puzzles/bletchley/50/key | 1 +
.../900}/1d45b460b5844d0d769ca469f7b5bdc7 | Bin
puzzles/{compaq/1000 => bletchley/900}/key | 0
puzzles/compaq/100/index.html | 50 +++++++++++++++++-
puzzles/compaq/100/key | 2 +-
puzzles/compaq/50/index.html | 48 +++++++++++++++++
puzzles/compaq/50/key | 2 +-
13 files changed, 102 insertions(+), 4 deletions(-)
rename puzzles/{compaq/100 => bletchley/150}/aacaaebb0cd0503e7bad97c42321a738 (100%)
create mode 100644 puzzles/bletchley/150/index.html
create mode 100644 puzzles/bletchley/150/key
rename puzzles/{compaq/300 => bletchley/350}/936bc08007a9076673a81040024728be (100%)
rename puzzles/{compaq/300 => bletchley/350}/key (100%)
rename puzzles/{compaq => bletchley}/50/adddbafb502355634d9ef10e1848cf52 (100%)
create mode 100644 puzzles/bletchley/50/key
rename puzzles/{compaq/1000 => bletchley/900}/1d45b460b5844d0d769ca469f7b5bdc7 (100%)
rename puzzles/{compaq/1000 => bletchley/900}/key (100%)
create mode 100755 puzzles/compaq/50/index.html
diff --git a/puzzles/compaq/100/aacaaebb0cd0503e7bad97c42321a738 b/puzzles/bletchley/150/aacaaebb0cd0503e7bad97c42321a738
similarity index 100%
rename from puzzles/compaq/100/aacaaebb0cd0503e7bad97c42321a738
rename to puzzles/bletchley/150/aacaaebb0cd0503e7bad97c42321a738
diff --git a/puzzles/bletchley/150/index.html b/puzzles/bletchley/150/index.html
new file mode 100644
index 0000000..672516c
--- /dev/null
+++ b/puzzles/bletchley/150/index.html
@@ -0,0 +1,2 @@
+Recovery, while not strictly necessary, may be tremendously helpful.
+
diff --git a/puzzles/bletchley/150/key b/puzzles/bletchley/150/key
new file mode 100644
index 0000000..1349adc
--- /dev/null
+++ b/puzzles/bletchley/150/key
@@ -0,0 +1 @@
+jackalope wheeze
\ No newline at end of file
diff --git a/puzzles/compaq/300/936bc08007a9076673a81040024728be b/puzzles/bletchley/350/936bc08007a9076673a81040024728be
similarity index 100%
rename from puzzles/compaq/300/936bc08007a9076673a81040024728be
rename to puzzles/bletchley/350/936bc08007a9076673a81040024728be
diff --git a/puzzles/compaq/300/key b/puzzles/bletchley/350/key
similarity index 100%
rename from puzzles/compaq/300/key
rename to puzzles/bletchley/350/key
diff --git a/puzzles/compaq/50/adddbafb502355634d9ef10e1848cf52 b/puzzles/bletchley/50/adddbafb502355634d9ef10e1848cf52
similarity index 100%
rename from puzzles/compaq/50/adddbafb502355634d9ef10e1848cf52
rename to puzzles/bletchley/50/adddbafb502355634d9ef10e1848cf52
diff --git a/puzzles/bletchley/50/key b/puzzles/bletchley/50/key
new file mode 100644
index 0000000..0db4aae
--- /dev/null
+++ b/puzzles/bletchley/50/key
@@ -0,0 +1 @@
+extra special text
diff --git a/puzzles/compaq/1000/1d45b460b5844d0d769ca469f7b5bdc7 b/puzzles/bletchley/900/1d45b460b5844d0d769ca469f7b5bdc7
similarity index 100%
rename from puzzles/compaq/1000/1d45b460b5844d0d769ca469f7b5bdc7
rename to puzzles/bletchley/900/1d45b460b5844d0d769ca469f7b5bdc7
diff --git a/puzzles/compaq/1000/key b/puzzles/bletchley/900/key
similarity index 100%
rename from puzzles/compaq/1000/key
rename to puzzles/bletchley/900/key
diff --git a/puzzles/compaq/100/index.html b/puzzles/compaq/100/index.html
index 672516c..b2dc9d2 100644
--- a/puzzles/compaq/100/index.html
+++ b/puzzles/compaq/100/index.html
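Review bot: The new `puzzles/bletchley/150/key` is written without a trailing newline (`\ No newline at end of file`) while `puzzles/bletchley/50/key` in the same patch gets one after `+extra special text`; if the checker compares a submitted answer against the raw file contents, that difference alone decides which of the two puzzles can be solved, so the files should be normalized one way and the reader should strip whitespace. The answer keys also sit as plain `key` files in the same directory as each puzzle's `index.html` and data blob; the later `mkpuzzles.py` hunk writes one `%s` entry per `fn`, which looks like a per-file listing of that directory, so it is worth confirming that `key` is excluded from what gets published. The same trailing-newline inconsistency recurs in the `puzzles/compaq/100/key` and `puzzles/compaq/50/key` hunks further down.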
@@ -1,2 +1,48 @@
-Recovery, while not strictly necessary, may be tremendously helpful.
-
+
+
+You are doing a forensics evaluation of a linux box that you know has been compromised. You find a binary on the system and assume it was used by the attackers to hide data on box that that was exfiltrated. You dissamble the file and find the x86 assembly shown below (from Ida) - this function was used for obfuscation. You also find a file obfuscated by this tool. Using the key you find in this encoder code what is the unobfuscated first line of the file which starts with
8%%>p2pzpzp8%%>pe8%%>pe(#$e(+9"
+
HINT: The function was orginally defined as void convert_buf(unsigned char * buf, int len). +
+
+.text:08048474 ; =============== S U B R O U T I N E =======================================
+.text:08048474
+.text:08048474 ; Attributes: bp-based frame
+.text:08048474
+.text:08048474                 public convert_buf
+.text:08048474 convert_buf     proc near               ; CODE XREF: main+B2p
+.text:08048474
+.text:08048474 cnt             = dword ptr -4
+.text:08048474 buf             = dword ptr  8
+.text:08048474 len             = dword ptr  0Ch
+.text:08048474
+.text:08048474                 push    ebp
+.text:08048475                 mov     ebp, esp
+.text:08048477                 sub     esp, 10h
+.text:0804847A                 mov     [ebp+cnt], 0
+.text:08048481                 mov     [ebp+cnt], 0
+.text:08048488                 jmp     short loc_80484A4
+.text:0804848A ; ---------------------------------------------------------------------------
+.text:0804848A
+.text:0804848A loc_804848A:                            ; CODE XREF: convert_buf+36j
+.text:0804848A                 mov     eax, [ebp+cnt]
+.text:0804848D                 mov     edx, eax
+.text:0804848F                 add     edx, [ebp+buf]
+.text:08048492                 mov     eax, [ebp+cnt]
+.text:08048495                 add     eax, [ebp+buf]
+.text:08048498                 movzx   eax, byte ptr [eax]
+.text:0804849B                 xor     eax, 4Ah
+.text:0804849E                 mov     [edx], al
+.text:080484A0                 add     [ebp+cnt], 1
+.text:080484A4
+.text:080484A4 loc_80484A4:                            ; CODE XREF: convert_buf+14j
+.text:080484A4                 mov     eax, [ebp+cnt]
+.text:080484A7                 cmp     eax, [ebp+len]
+.text:080484AA                 jl      short loc_804848A
+.text:080484AC                 leave
+.text:080484AD                 retn
+.text:080484AD convert_buf     endp
+.text:080484AD
+.text:080484AE
+
+
+
diff --git a/puzzles/compaq/100/key b/puzzles/compaq/100/key
index 1349adc..53d2da6 100644
--- a/puzzles/compaq/100/key
+++ b/puzzles/compaq/100/key
@@ -1 +1 @@
-jackalope wheeze
\ No newline at end of file
+root:x:0:0:root:/root:/bin/bash
\ No newline at end of file
diff --git a/puzzles/compaq/50/index.html b/puzzles/compaq/50/index.html
new file mode 100755
index 0000000..c4a1490
--- /dev/null
+++ b/puzzles/compaq/50/index.html
@@ -0,0 +1,48 @@
+
+
+You are doing a forensics evaluation of a linux box that you know has been compromised. You find a binary on the system and assume it was used by the attackers to hide data on box that they were going to exfiltrate. You dissamble the file and find the following lines of x86 assembly - this function was used to encode a buffer in place to obfuscate a file. What is the 1 byte key used to obfuscate the data (in hex)?
+
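Review bot: The puzzle text added to `puzzles/compaq/100/index.html` has several typos that will be served to players as written: `hide data on box that that was exfiltrated`, `You dissamble the file`, and in the hint `The function was orginally defined`. Suggested wording: `hide data on the box that was exfiltrated`, `You disassemble the file`, `The function was originally defined`; `linux` and `Ida` would normally be `Linux` and `IDA`. The `dissamble` and `orginally` typos are repeated in the `puzzles/compaq/50/index.html` hunk that follows, so both files should be corrected together.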
HINT: The function was orginally defined as void convert_buf(unsigned char * buf, int len). You can solve this puzzle by writing some code, or by using some of the advanced functions of some of the hex editors out there. +
+
+.text:08048474 ; =============== S U B R O U T I N E =======================================
+.text:08048474
+.text:08048474 ; Attributes: bp-based frame
+.text:08048474
+.text:08048474                 public convert_buf
+.text:08048474 convert_buf     proc near               ; CODE XREF: main+B2p
+.text:08048474
+.text:08048474 cnt             = dword ptr -4
+.text:08048474 buf             = dword ptr  8
+.text:08048474 len             = dword ptr  0Ch
+.text:08048474
+.text:08048474                 push    ebp
+.text:08048475                 mov     ebp, esp
+.text:08048477                 sub     esp, 10h
+.text:0804847A                 mov     [ebp+cnt], 0
+.text:08048481                 mov     [ebp+cnt], 0
+.text:08048488                 jmp     short loc_80484A4
+.text:0804848A ; ---------------------------------------------------------------------------
+.text:0804848A
+.text:0804848A loc_804848A:                            ; CODE XREF: convert_buf+36j
+.text:0804848A                 mov     eax, [ebp+cnt]
+.text:0804848D                 mov     edx, eax
+.text:0804848F                 add     edx, [ebp+buf]
+.text:08048492                 mov     eax, [ebp+cnt]
+.text:08048495                 add     eax, [ebp+buf]
+.text:08048498                 movzx   eax, byte ptr [eax]
+.text:0804849B                 xor     eax, 4Ch
+.text:0804849E                 mov     [edx], al
+.text:080484A0                 add     [ebp+cnt], 1
+.text:080484A4
+.text:080484A4 loc_80484A4:                            ; CODE XREF: convert_buf+14j
+.text:080484A4                 mov     eax, [ebp+cnt]
+.text:080484A7                 cmp     eax, [ebp+len]
+.text:080484AA                 jl      short loc_804848A
+.text:080484AC                 leave
+.text:080484AD                 retn
+.text:080484AD convert_buf     endp
+.text:080484AD
+.text:080484AE
+
+
+
diff --git a/puzzles/compaq/50/key b/puzzles/compaq/50/key
index 0db4aae..1661a56 100644
--- a/puzzles/compaq/50/key
+++ b/puzzles/compaq/50/key
@@ -1 +1 @@
-extra special text
+4C
\ No newline at end of file
From d14e07c0dbf86015c447f8f61bb44e6a162ec995 Mon Sep 17 00:00:00 2001
From: Curt Hash
Date: Thu, 8 Oct 2009 14:32:33 -0600
Subject: [PATCH 2/3] javascript to read the team name and passwd from cookie
---
mkpuzzles.py | 30 +++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/mkpuzzles.py b/mkpuzzles.py
index 9ace9d6..e3a199d 100755
--- a/mkpuzzles.py
+++ b/mkpuzzles.py
@@ -51,6 +51,34 @@ for cat in os.listdir(opts.puzzles): %(title)s +
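Review bot: The new answer for `puzzles/compaq/50/key` is the bare string `4C`, but the question only says the key is wanted "in hex", so `4c`, `0x4C` and `0x4c` are all answers a player could reasonably submit. Whether the checker lowercases or strips a `0x` prefix before comparing is not visible in this patch; either the question should state the accepted form (for example `two uppercase hex digits, no 0x prefix`) or the comparison should normalize the submission. If normalization is done in the checker, it should also strip the trailing whitespace that the key files in this patch handle inconsistently.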

%(title)s

@@ -66,7 +94,7 @@ for cat in os.listdir(opts.puzzles): f.write('
  • %s
  • \n' % (fn, fn)) f.write('\n') f.write(''' -
    +
    Your answer:
From 5b8c83bf68f0ff35d46a8e2caee00daf67327cfa Mon Sep 17 00:00:00 2001
From: Curt Hash
Date: Thu, 8 Oct 2009 14:33:43 -0600
Subject: [PATCH 3/3] proper way to reference an element
---
mkpuzzles.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mkpuzzles.py b/mkpuzzles.py
index e3a199d..3d3e0da 100755
--- a/mkpuzzles.py
+++ b/mkpuzzles.py
@@ -71,10 +71,10 @@ for cat in os.listdir(opts.puzzles): team = readCookie('team'); passwd = readCookie('passwd'); if (team != null) {
- form.t.value = team;
+ document.getElementById("form").t.value = team;
} if (passwd != null) {
- form.w.value = passwd;
+ document.getElementById("form").w.value = passwd;
} } window.onload = getTeamInfo;
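Review bot: `passwd = readCookie('passwd')` together with the new `document.getElementById("form").w.value = passwd;` line keeps the team password in a cookie that page script reads and copies into a form field on every load; a cookie that JavaScript must read cannot be `HttpOnly`, so any script that ends up running on a puzzle page can read the credential, and its `Secure`/`SameSite` attributes are decided wherever the cookie is written, which is outside this hunk. The safer design is to keep only an opaque session token client-side and let the server resolve the team, or, if the form must be pre-filled, to at least set the cookie `Secure` and scope its `path` to the puzzle pages. On the change itself, `document.getElementById("form").t` depends on the form exposing its control as a named property; `document.forms["form"].elements["t"]` (and `["w"]`) addresses the control explicitly and is the conventional form. This JavaScript lives inside a Python string in `mkpuzzles.py`; the enclosing `getTeamInfo` function and the `for cat` loop begin before this hunk.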