Results of the online phase of NeoQUEST-2020: survived as best they could



NeoQUEST-2020 has come to an end, and it is time to talk about these eventful two weeks: we will reveal the essence of the tasks (but not all of them; some will come out as separate write-ups), show the completion statistics and announce the winners!

Attention! The article contains spoilers for those who have not yet completed the tasks but honestly intend to (and there is such an opportunity - the online stage site is still running!).

We won't bore you with a long introduction. This year's winners are:

  1. hellow0rld666, 1221 points
  2. KARASIQUE, 1221 points
  3. ch1sh1rsk1, 1085 points

Three cheers for these guys! The fight for first place was fierce - the leader changed almost every day. It is also worth noting that hellow0rld666 and KARASIQUE completed ALL of our tasks! We could not believe our eyes, but it happens.

Fun fact: all the tasks that aroused great interest on the first day of the competition were developed by girls :)

Explaining the tasks!


Over the course of two weeks, our support@neoquest.ru mailbox never stopped signalling new incoming messages! But we are only happy about this - it means that our tasks are being worked on and interest the participants!

So, what did we have in the tasks?

Assignment No. 1 - “There is no admission against hacking”

The participants were given a link that led to a page with a single inscription, “Hello world!”. What do we do first in such cases? Of course, we look at the source code of the page:



“to solve this Case use full power of GIT” - GIT is a well-known name. But why is another letter highlighted? And what if we join them? CGIT? Exactly, I have heard of something like that!

CGIT is a web interface for repositories.

So, we figured it out. We follow the link 213.170.100.213/cgit, where we poke around in all the folders trying to find the key, but after a certain number of hours we understand that the point is something else.

And now people fall into two categories: those who have heard about the high-profile cgit vulnerability, and those who have not.

In any case, you have to google and find CVE-2018-14912. From there it is only sleight of hand and no trickery:

213.170.100.213/cgit/cgit.cgi/my_repo.git/objects/?path=../../../../../../../etc/passwd
We get the file with passwords, and from it the first part of the key:
NQ2020Gka2rFseNPexB4JsnP9k9RKulFVQDCcXwYy1aPKI + see more ...

It remains to find the second part. This is easy: the repository does not contain many files, and by going through them we see that there is nothing in them. But we are in a Git repository, which means that we can see all the changes that were made in it! The information there will obviously be more complete ...

We go to the diff, either via the “see more” pointer or by manually finding “see more = e9a3c19a544e6589825fd643f4e6d5c1c4e9”, concatenate it with the first part and get our key!
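For defenders, the request shown in Assignment No. 1 leaves a recognisable trace in the web server's access log. The following is an added example, not code from the contest or from cgit: it flags requests to the /objects/ endpoint whose path= parameter climbs out of the repository. The function names and the sample log lines are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

def fully_decode(value, rounds=3):
    """Strip up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(path):
    """True if the path climbs above its starting directory or is absolute."""
    norm = posixpath.normpath(fully_decode(path).replace("\\", "/"))
    return norm == ".." or norm.startswith(("../", "/"))

def suspicious_cgit_requests(log_lines):
    """Return request targets under /objects/ whose path= value escapes the repo."""
    hits = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split()[1]  # "GET <target> HTTP/1.1"
        except IndexError:
            continue  # not a combined-log-format request line
        url = urlsplit(target)
        if "/objects/" not in url.path:
            continue
        # parse_qs already removes one layer of percent-encoding
        if any(escapes_root(v) for v in parse_qs(url.query).get("path", [])):
            hits.append(target)
    return hits

# Constructed sample lines (documentation addresses, not real contest traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2020:12:00:01 +0300] "GET /cgit/cgit.cgi/my_repo.git/'
    'objects/?path=../../../../../../../etc/passwd HTTP/1.1" 200 1423',
    '198.51.100.7 - - [10/Mar/2020:12:00:05 +0300] "GET /cgit/cgit.cgi/my_repo.git/'
    'objects/?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1423',
    '203.0.113.5 - - [10/Mar/2020:12:01:00 +0300] "GET /cgit/cgit.cgi/my_repo.git/'
    'objects/?path=pack/pack-1234.idx HTTP/1.1" 200 900',
    '203.0.113.5 - - [10/Mar/2020:12:01:02 +0300] "GET /cgit/cgit.cgi/my_repo.git/log/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in suspicious_cgit_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```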

Task number 2 - "Disassemble the robot or do you have l_apk_and?"

Participants are given an apk application that is a file client. It communicates with the server and receives an encrypted file by the specified name. You need to deal with certificates and access tokens in order to get the key.

A detailed analysis of the assignment will be released as a separate article!

Assignment No. 3 - “The Most Cool Left”

In this task, participants are asked to download an archive containing a 1 GB binary file with the telling name memdump.bin, from which we can assume that this is a RAM dump ...

Are you intrigued? Soon we will post this write-up as a separate article, because our participants were interested in this task throughout NeoQUEST!

Assignment No. 4 - “Difficulties in writing”

The “highlight” of NeoQUEST-2020, a task that collected a record number of enthusiastic reviews in the support mailbox! The bottom line is that the sound in the wav file is nothing more than the sound of typing on a keyboard. It is necessary to sample this sound and conduct a frequency analysis!
A more detailed explanation of the task will be published shortly.

Task No. 5 - “Epileptic curves”

Task conditions:

A = 119008536160574978629781290147818127606791827844670246888266509216288777541932
B = 125173392763487646441684374997817715298134647755542804722568603162177610612799
char_field = 137503105969312982065490544697816890680820287577287920391172791053955276754533
P = (24588378651043317545653993517686345205594551142728198236546389666483449174897, 64035697994960793657311999090254655816706285115803662919872675661618460099464)
Q = (70440277554855197417972068200756767916691677649413431083023577625869629031919, 72025841911476301630338043296901014469577623652063349003687337089744015808109)

These conditions frankly hint at the need to solve the discrete logarithm problem on an elliptic curve. Having looked at the parameters of the elliptic curve and studied its characteristics, we guess that this curve is anomalous: the order of the group of points of such a curve coincides with the characteristic of the field over which it is defined. And for this class of curves there is Smart's attack, which allows the desired discrete logarithm to be calculated quickly enough.

The rest is a matter of technique: we write the attack code, substitute the data from the task, find the discrete logarithm and enjoy the key obtained!
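The property that makes the Task 5 curve weak can be screened for when choosing or accepting curve parameters. The following is an added example, not code from the contest or its authors: it assumes a short Weierstrass curve y^2 = x^3 + A*x + B over a prime field and tests whether the group order equals the characteristic by checking p*P = O for one affine point P. The function names and the two small curves over F_7 used in the tests are constructed for illustration.

```python
def ec_add(P, Q, a, p):
    """Add points on y^2 = x^3 + a*x + b over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = O, also covers doubling a point with y = 0
    if x1 == x2:     # same point: tangent slope
        s = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:            # distinct points: chord slope
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def on_curve(P, a, b, p):
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0

def is_anomalous(a, b, p, P):
    """True if the curve has exactly p points, witnessed by an affine point P.

    If p*P = O for P != O, the order of P is the prime p, so p divides the
    group order; by Hasse's bound the order is below 2p once p >= 7, so it is p.
    """
    if p < 7 or not on_curve(P, a, b, p):
        raise ValueError("need a prime p >= 7 and a point on the curve")
    return ec_mul(p, P, a, p) is None
```

Calling is_anomalous with the A, B, char_field and P values from the task conditions applies the same test to the contest curve; parameters that pass it should be rejected for cryptographic use.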

Task number 6 - "Hidden telegrams"

Another of our pearls, because we had heard a little about geochats in Telegram. A detailed analysis of the task will also be released as a separate article - there are many interesting nuances here.

Task number 7 - “Align me if you can”

Given a picture:

The trick of the task is that this Diophantine equation with three variables does not have positive integer solutions, which means that the essence of the task is not in simply solving the equation, and you need to dig deeper!

Image metadata:

char_field = 2733425503484079885916437054066624513727898092580736050087
base_point = (2003799601518383430823233516441563713038362096795740845531,2732921640345227083457754907818649009295467132857674744044)
open_key = (1259834880846103046383661778550941435260068858903099332507,1686622613601304663126341188899964094370838010363453830341)
secret <4351098091135498422 ---> y ^ 2 = x ^ 3 + Ax ^ 2 + Bx

The metadata again hints at elliptic curves, but how are they related to this equation? It turns out that there is a connection! Having found the coefficients A and B of the curve, we face a new difficulty: the points from the metadata of the picture do not belong to this curve. What to do? In the hope of finding a clue, we reread the legend and see the mention of “Twisted Sister”. Eureka! What if the points belong to a twisted curve? Now it remains to find a curve containing the points from the metadata. After moving to the correct twisted curve, we apply the Pohlig-Hellman attack and enjoy our insight!

Task number 8 - "Can I have your autograph?"

According to NeoQUEST-2020 statistics, this task is the most difficult, so we decided to devote a separate article to it. In short, you need to find out how to upload an unsigned pdf document to the site. To do this, participants will need to exploit an interesting vulnerability :)

Task number 9 - "Devote yourself to programming"

"Do not trust your eyes" - this is the motto we would give to this task. When you download the file with C source code, it seems that there is only code inside that encrypts / decrypts with the AES algorithm, but no such luck, we tell you. You should pay attention to the errors in the code, as well as to the suspicious spaces and indents. We promised esotericism? Here you go!

The fact is that this file contains, in addition to C code, code in esoteric programming languages - Whitespace and Spoon! The code in Whitespace gives us the key, and the code in Spoon gives us the ciphertext. Now we correct the errors in the code, run it with the data obtained and get the key!

Task number 10 - “Being Human”

This year's OSINT task tries to keep up with modern trends! We created the image of a robot that wants to become a human being and therefore studies human habits, and let participants loose on all the social networks where this robot had appeared.

So, the participants are given the following text:

cHVibGljMTAxMTAxMTAwMTAxMDExMDAxMDAwMDAxMDAwMeKArA==. The two "=" signs literally shout: "yes, yes, I'm base64, decode me already!". We heed this call and get public101101100101011001000000010001. Next, we turn the binary into decimal and get public191194129. Very reminiscent of something, right?

We find a VKontakte group in which the robot collects statistics and people's answers. The questions on the wall are quite entertaining, but we are interested in the link to ASK.FM. The answers to questions there are also quite entertaining, but we are interested in the link to the YouTube channel. Here we find out that our robot is trying to become not only a person, but also a blogger! Only a little remains: follow the prompts in the video.

We look at the password format in the diary:



The city of dreams is clear from the desktop wallpaper - Paris. The name of the pet also does not go unnoticed - Rose. We see the favorite song in one of the browser tabs, and the identifier is written on a coffee cup.

The answer is Paris.Rose.Starlight.S3574mT

Mini-task number 1

In this task, you just need to look at the source code of the page, where there is the phrase "People are making apocalypse jokes like there's no tomorrow. Who said that?". The answer to this question is found via Google - "Ellie".

Mini-task number 2

We download the archive with text recordings spoken by the bot. The bot does not simply read Stephen King's book Badlands, but reads it with errors. Having written out the missing letters, we get the phrase "book on the spread of the virus." However, this is not the answer! We need to find a book about the spread of a virus. But the task already contains a clue that the author is the same well-known Mr. S. King! The correct answer is The Stand.

Mini-task number 3

An executable file is given. It is necessary to get at least something out of it, preferably, of course, the key. If you run it, nothing is displayed in response. There are many ways things could go, but the right one is to extract the strings from the file, which fold into readable text. The answer to this task is the name of the book from which the fragment was taken - the hitchhiker's guide to the galaxy.

Mini-task number 4

This task is a modern hacker interpretation of Einstein's logic puzzle. There is nothing complicated in its solution; it is easiest to build a table and see how the conditions are met. The correct answer is RREKPA. # AC + P.EDWKU.LKPGM.MASLHAC - encoded according to the condition.

Mini-task number 5

Schrödinger's task is both simple and complex. The simplicity is in getting the answer - all you need to do is send a POST request with the flag parameter to the server, which will give the correct answer. The difficulty lies in the fact that you need to think of it :) But many of our participants valiantly dealt with it, cheers!

A minute of statistics


The statistics for this year are as follows:

  • The number of registered participants is 1266 people.
  • The number of completed tasks - 10/10
  • The number of participants who completed at least one task in full is 110 people.

Distribution of participants who have found at least one key:



And this is a graph of our participants' activity by the days of the competition:



We finish the statistics section with our traditional GIF:



Talk about the days to come


At the moment, we plan to hold the NeoQUEST-2020 “Confrontation” at the end of June in St. Petersburg, but changes of plan are possible given the current situation in the country. The main thing is not to worry: we will definitely meet with you this year!

We will keep the coolest and best-loved parts: talks, workshops and attack demonstrations, and add something new! Like last year, NeoQUEST will be held together with the scientific and technical conference "Methods and technical means of ensuring information security"! NeoQUEST 2020 guests will learn a lot about the relationship between science and cybersecurity practice, the importance of scientific research for an information security specialist and how modern information protection mechanisms work from a scientific point of view!

Those interested can take part not only in NeoQUEST, but also in the scientific sections of the conference! To learn more about presenting a talk or workshop at NeoQUEST, write to support@neoquest.ru; for more information about the conference “Methods and Technical Means of Ensuring Information Security”, see the united site; for all questions, please contact mitsobi@neobit.ru.

Ahead - write-ups of several tasks and active preparation for the “Face to face”! By the way, participants who have completed at least one task - check your mail, we will soon start the mailing!
