The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.

The first thing I did was open the binary is a disassembler and try to get a general feel for it. This would help me develop an attack strategy. In IDA, you can easily identify that your input is being XOR’d almost a dozen times and with a global variable somewhere. It quickly overwhelmed me, so I took out a pen and paper and started writing things down. I also had lots of problems identifying exact addresses and byte offsets in IDA (I haven’t used it much before), so I switched to Immunity Debugger at this point.

The first set of instructions your input needs to pass through are at addresses
69001081 to 6900108F, and it turns out they are a compiler-optimized strlen function. Pseudocode for these addresses looks like this:

if(strlen(input) != 4)
    fail();
else
    ...

The XORs start immediately after this check. After staring at it for a while, you will figure out that your input is being used as a key to decrypt a global variable located at 0×690030D0. This global variable becomes the answer e-mail. I wrote out the encrypted e-mail in a column and mapped the XOR’d input bytes to it. Here is that table (encompasses addresses 69001095 to 690010F6):

e-mail @ 0x690030D4		input @ 69003100
e-mail[0]: 0x07		XOR	input[0]
e-mail[1]: 0x2E		XOR	input[1]
e-mail[2]: 0x35		XOR	input[2]
e-mail[3]: 0x29		XOR	input[3]
e-mail[4]: 0x70		XOR	input[0]
e-mail[5]: 0x20		XOR	input[1]
e-mail[6]: 0x76		XOR	input[2]
e-mail[7]: 0x68		XOR	input[3]

After all the XOR’s, the application starts to check the final values of 4 select bytes in the e-mail buffer.

e-mail[4]: 0x70		XOR	input[0] == 0x32
e-mail[1]: 0x2E		XOR	input[1] == 0x61
e-mail[6]: 0x76		XOR	input[2] == 0x30
e-mail[3]: 0x29		XOR	input[3] == 0x79

If you do the XOR in reverse, you can find out the input they are looking for:

0x70	XOR	0x32 = input[0] = 0x42 = B
0x2E	XOR	0x61 = input[1] = 0x4F = O
0x76	XOR	0x30 = input[2] = 0x46 = F
0x29	XOR	0x79 = input[3] = 0x50 = P

Run the executable, put BOFP into the prompt, all the XORs happen, all the checks pass, and the e-mail buffer decrypts to “Easy2o08.” Done!

Thanks again Aleksey and Phn1x!

As far as the creation of the case goes, I didn’t really follow any guides. Pretty much all you have to do is buy a mix of legos and strip a USB stick (leaving only the chip and the metal connector). Then, you have to pick a few legos (I used 3, in two different configurations) the combination of which will house the chip. You need to cut out some of their insides with a box cutter to place the chip. Then, you need to glue them together with 3M glue, fill them with transparent construction silicone and place the chip inside. Finally, you need to place some more silicon on the chip and cover the bottom hole with flat lego pieces. The color of lego pieces matters. Yellow allowed the USB LED to shine through it. Selection of the USB stick also matters – I used “SanDisk Cruzer Micro” which are medium in size and come loaded with U3.

As far as the Hak5 package goes, well, I’m not giving a guide for that. But basically, it works by modifying the U3 binaries and autorun configuration files to execute windows batch files (that are also placed on the same stick) upon insertion of the USB. The scripts provided (payloads) vary form system password stealing to IE history viewing. The information stolen is saved on the stick itself. Alternatively, there is a way to email it to yourself. Anyway, don’t pick these up on the street (not that I would part with any ).

Q: I have two illiterate users on my network and they click on everything they see. They also insist on installing random software. I can’t give them a guest account because that interferes with certain software they need to use. I would like to give them ‘computer administrator’ accounts (they’re on an XP pro machine) but still make sure they can’t infect the machine with all sorts of malware. Any suggestions? To reiterate, all I want to do is control they software they install, etc. They still need to be able to create files, have access to already installed software, etc.

A: Unfortunately, the best way to handle this situation is to bite the bullet and do exactly what you say you don’t want to: remove them from the Administrators group and put them in a limited account. No other way around it. Getting them out of the Administrators group won’t interrupt their ability to use already installed software or create files in directories they have permission to write to, but it will prevent them from installing [most] software.

I always suggest installing SiteAdvisor. It’s a free browser extension that attempts to warn you when you’re at a bad website. I like it because it passively trains users to recognize bad websites. You can also have them use OpenDNS to block access to certain classes of websites.

Re-imaging nightly is a possibility, but overkill I think. You can do it with Deep Freeze or Norton Ghost.

I know there are better solutions out there, I just didn’t have the time to remember all of them. Anyone care to help this guy out in the comments?