Jurackerfest.ch, which took place on August 27th, was part of the first edition of Jura Security Days. This event was organized by BIMO (www.bimo.ch), whose aim is to promote quality software development, and featured conferences running throughout Friday and Saturday. The white-hat hacking competition was organized by SCRT (www.scrt.ch) who are the organizers of the renowned InsomniHack.
In the morning we practiced on specially crafted websites designed with specific errors to give participants an idea of what they would be facing during the contest. After a brief lunch break, we were given two hours to solve a set of 10 varied problems, ranging from a (fairly simple) protocol hack, to an exercise in steganography which no team managed to solve in the timeframe given.
Arriving early, the competition room was fairly empty and quiet, but as the starting time neared, it quickly becamecrowded and lively. Participants came from an array of different backgrounds; there was a technical school teacher with about fifteen of his pupils, quite a few qualified and experienced developers, a few security experts and lambda citizens interested to pick up a few things along the way
The buzzing of laptop fans and the smell of energy drinks was overpowering!
The funniest part of it all was that in order to prove that one had indeed found a solution; one had to explain how it was found. And as the solutions themselves usually consisted of random characters, people were constantly running to the referee table with their laptops in their hands, to be able to show both the solution and how they had found it!
Competing with me was Nicolas Heiniger, currently working in IT security for the Hôpital du Jura. We studied at the EPFL together and spent many exercise sessions tuning our brains to work together (along with three more classmates, who could unfortunately not make it). Knowing each others strengths allowed us to split the challenges efficiently.
Nicolas was running a Linux Backtrack distribution (a dedicated penetration testing OS), while I was running Ubuntu Natty almost out-of-the-box (with zsh and vim added to it).
A sample challenge
Out of the ten challenges:
- One was a cypher to decode (a variation on a Cesar cypher)
- Two were oriented towards reverse engineering
- Two were so-called trivia challenges (steganography concepts actually)
One of the reverse engineering challenges consisted of finding the password verified by a python function.
The source file, which we were given, wasnt too complex (remember we only had two hours to solve ten challenges):
- When run, it checked that the number of arguments was correct and if so, started verifying the user input - if not, it printed usage instructions.
- The verification consisted of a series of tests, based (amongst others) on comparisons between the value of an internal variable and the position of one character of the input string in the ASCII table (i.e. the value of the corresponding byte).
One of the tests (the last one) checked that the length of the input was exactly seven. Working backwards from there (and with the help of an ASCII table), we were able to work out that the code was Jc4HAcK.
All in all, a very fun day and a thrilling experience (more in my league than extreme sports, admittedly). And a surprisingly satisfying outcome, since Nicolas and I were first-timers in an ethical hacking contest. Next time though (andyes, there WILL be a next time), Ill make sure I have all the necessary tools installed before going, rather than lamenting not having Internet access from there!
PS: How did we fare?
Well, we were proud 3rd place winners and got our pictures in the local papers! View the article (in French).