hellok · December 30, 2015 11:58 · hellok · Dec 6, 2013 · hellok · Dec 6, 2013
diff --git a/email.log b/email.log
 [ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game Rules

 Adam Doupé adamdoupe at gmail.com 
 Wed Dec 4 22:09:27 PST 2013
 Previous message: [ctf-participants] Going on to the next goal and scoring
 Next message: [ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game	Rules
 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
 THE GAME
 ——————

 Your goal is to be the best country in the world, building up and unleashing a nuclear arsenal!

 WOULD YOU LIKE TO PLAY A GAME?
 ./yes_but_how_does_it_work


 Your Machine
 ——————

 You will be given non-root access to a virtualized server. On this server, there will be a number of services running.

 Your job is to keep the services up, detect attacks against the services, patch your services, and develop exploits to be used against other teams’ services. 

 When patching your service, you must keep the original functionality. If any of the scripts that simulate a user using the service is unable to fully exercise your service, then the service is considered non-functional.

 You will gain Resources (to progress in the game) by keeping your services up and detecting attacks. You will gain Credits to spend on bonuses by developing exploits.

 To detect attacks, you will be able to use tcpdump on your machine’s interface. There will be a publicly-accessible web interface where you can specify if a netflow in the last round was an attack and you will instantly see the results of your detection (i.e., if the attack was correctly detected or if the detection represents a false positive). 

 A netflow is identified by (source_ip, source_port, dest_ip, dest_port, timestamp). The timestamp that you see in the web interface will be when our side created the TCP connection. The timestamp you see from your vulnerable machine may differ slightly.


 The Levels
 —————

 There are four levels in the game. Everyone starts out on the first level, with zero Resources.  At each level you generate a specific Resource, and once you generate enough Resources you will be promoted to the next level.

 You will only attack and be attacked by teams at your level.

 Your team’s ranking will be based on what level your team is in and how many Resources you’ve collected in your current level (that is, Resources collected in previous levels don't matter).
 Teams in level 4 will be ranked above teams in level 3, and so on.



 Collecting Resources
 —————————

 Here’s what a sample level looks like (specifics like color and so on could change):


 Red states are active, Blue states are inactive, and the smaller light blue nodes are services that are associated with each state.

 In the example, “Mine Uranium” is the active state. Service dexware is active, because it is associated with “Mine Uranium.” 

 We will only generate traffic against active services. This traffic will consist of “benign” traffic and “attack” traffic. Part of your job is to decide which is which.

 Each change of the level is called a “tick.” The tick will change (almost) every 3 minutes.

 So, how do you create Resources?

 Resources are allocated every “round.” A round is a complete traversal of the level, with the XMAS state being the last state. 

 The XMAS state is special, it will last for 1 minute, and there will be no traffic. This will give you time to identify attack traffic in the previous states.

 So, there will be a round every 10 minutes, as every level has 3 states and 1 XMAS state. After the XMAS state, a round is complete and Resources are awarded to each team.


 Calculating Resources
 —————————— 

 Every round you will be awarded Resources for how well you performed in that round.

 The maximum Resources you can receive in a round is 500. The lowest is 0 (but you’re not going to be that team).

 300 of the 500 Resources are rewarded for having the active services up.

 So for N active services on the round, if you had Nup of those services up and functional, you will receive 300 * (Nup / N) Resources.

 The remaining 200 of 500 resources are awarded based on how many attacks you detected. A successful undetected attack is an attack that:
 1) correctly captures your flag 
 2) has not been marked as an attack (more precisely, NONE of the associated netflows have been marked).

 You will also lose Resources for each incorrectly marked benign netflow. 

 So for Na number of successful attacks, Nd number of attacks you detected, and Nw number of incorrectly marked netflows, you will receive 200 * ((Nd - Nw) / Na) resources. Of course, if there are no attacks, you will receive 200 Resources.

 So, for the math types, here’s the whole formula:
 Total_Score_Of_The_Round = max(0, 300 * (Nup / N) + 200 * ((Nd - Nw) / Na))

 Let’s look at an example.

 For one round of the example level above there are two services involved (dexware and mathconsole), 
 which are active each in two states. In total, there are 4 instances of a service being up and "attackable" in a round.

 Let’s say that, out of the 4 service instances, you had 2 services up. And, during the round there were 2 successful attacks, and you correctly marked one netflow as an attack, but you also incorrectly marked two benign netflows as an attack.

 How many Resources would you receive in this round? Go ahead, I’ll wait.

 50

 N = 4, Nup = 2, Na = 2, Nd = 1, Nw = 2

 (300 * (2 / 4)) + (200 * ((1 - 2) / 2) = 150 + -100 = 50

 Now let’s say that you do better. Out of the 4 active services, you had 4 services up. And, during the round there were 4 successful attacks, and you correctly marked four netflows as an attack, but you also incorrectly marked one benign netflow as an attack.

 N = 4, Nup = 4, Na = 4, Nd = 4, Nw = 1

 (300 * (4 / 4)) + (200 * ((4 - 1) / 4) = 300 + 150 = 450


 Promotion
 ————— 

 To be promoted to the next level, you must generate enough Resources at the current level.

 Here is our current idea of the limits for each level (subject to change before and possibly during the competition):

 L1: 6,000 resources
 L2: 4,500 resources
 L3: 3,000 resources

 Therefore, you must generate 6,000 resources to be promoted from level 1 to level 2, and once there you must generate 4,500 of level 2’s resources to be promoted to level 3. And so on.

 If you are the first team to be promoted to a level, you will not start generating Resources, which means that there will be no traffic to any of your services. Use this time to develop elite exploits. Once another team is promoted, you will both start generating Resources. 


 Services, Exploits, and flag_id. Oh My.
 ——————————————————

 In the CTFs of old, each service had a single flag.

 Our services have multiple flags, and these flags are part of the service. A flag could be user passwords, the status of the user, or nuclear launch codes, depending on the service.

 Don’t steal all the flags; you’re supposed to be stealthy. 

 Your exploit should only steal a specific flag. But how will your exploit know which flag to capture? 

 In comes the concept of a flag_id. A flag_id identifies the specific flag to capture and is service dependent. For instance, if the flag are user passwords, the flag_id could be the specific username. If the flag is the status of the user, the flag_id could be the specific user_id. If the flag is the nuclear launch codes, the flag_id could be the specific nuclear site. 

 Imagine the following database table for a fake service:

 | user_name | user_password | status |
 | adam | 9cb4afde731e9eadcda4506ef7c65fa2 | ICTFFTW |
 | test | 098f6bcd4621d373cade4e832627b4f6 | FLG47M9glVIWW3AG |
 | l33t | 11119102f1634c7967cc1b58947295d8 | FLGmBSlIkZoWSy2p |
 | vigna | 9cb4afde731e9eadcda4506ef7c65fa2 | FLG4V2tHkaodSy2p |

 The flag_id for this service is the user_name. The flags are clearly the status. 

 If your exploit is given “l33t” it will be expected to return “FLGmBSlIkZoWSy2p” (of course by exploiting the service).
 If your exploit is given “vigna” it will be expected to return “FLG4V2tHkaodSy2p”

 Unlike those poor souls who competed in the 2012 iCTF, you will not have to guess what the flag_id is for a service. The web interface will clearly state, for each service, a description of the flag_id.

 So, your exploit will accept, as a parameter, the ip and port to exploit, and the flag_id to capture the specific flag. Your exploit will return only that flag.

 Your exploit will either be a single Python script or a .tgz bundle.

 So that you can test your exploits, your vulnerable machine will have a script that will run exploits exactly as we will run them. You’ll only be able to run the exploits against yourself.

 Specific exploit interface details and examples will be released Thursday.


 Submitting Exploits
 —————————

 You will submit your exploit for a specific service through the web interface. Only your latest exploit for each service will be run. This information will also be shown on the web interface.

 We will test your exploit to make sure that it can successfully capture the flag from an unpatched service. You will get automatic feedback from this process that will be shown in the web interface. 

 Any team caught messing with or trying to evade the testing service and automated feedback will be banned from the competition. Exploit each other, not us. 

 Your exploit should steal the flag. DOSing the teams’ service is also grounds for banning. Play fair, win fair, write dirty exploits.


 Running Exploits
 ———————

 Each tick ZDI (aka us) will run at most one exploit against each active service for each team. Eligible exploits are ones that have passed the exploit submission process (see previous section), and are from teams in your level.

 The specific exploit to run against a particular team’s service will be randomly chosen between all eligible exploits from teams in that level.

 Every time one of your team’s exploit script successfully captures the correct flag for the service, AND DOES SO UNDETECTED by that team, you receive one Credit.

 For example, if you are the first team to submit an exploit for service mathconsole, when mathconsole is active, your exploit will be run against all the teams in your level (except for you). This means that if none of the teams detect your exploit and everyone has their service up, you will get at most N Credits, where N is the number of teams.

 However, once another team submits an exploit for the service, the most credits you can get is N/2, and so on.

 You will know from the scoreboard who has submitted an exploit for what service.


 Spending Credits
 ———————

 You worked hard to write those stealthy exploits, and we want to reward you for it.

 Welcome to the auction house.

 Here, you can spend your hard earned Credits on bonuses to help your team. Or hurt your competitors.

 Each auction starts at the beginning of a tick, and ends 30 seconds before the end of the tick. 

 During the action, you can place a bid on one of the bonuses. Each bonus will have a different minimum bid. You cannot revoke a bid, and you cannot place more bids than you have credits.

 Each bonus item can only be won by a limited number of teams, specifically the teams that bid the most.  

 You will not know what the bids are for the current auction, but you will know the winning bids for the previous auctions. 

 If you successfully win the bid, you will receive the bonus and your credits are deducted. If you loose a bid, you get back your credits. 

 What are these bonuses, you ask?

 1. Protection for the next tick. If you win this bonus, you will not be attacked during the next tick. 

 2. Mute a team’s exploits. If you win this bonus, we will NOT run exploits from a given team for the next tick. You tell us which team when you make the bid.

 3. Show attack netflow. If you win this bonus, we will tell you one netflow id of an attack in the current tick (the current tick that you’re placing a bidding). It’s your job to identify this netflow as an attack.

 4. Purchase our exploits. If you win this bonus, we will give you a ZDI verified exploit for a service of your choice. It’s your job to submit it as your own, make tweaks as necessary, and so on. You will only be able to buy this bonus once.

 Oh yeah, one more thing: you’ll be able to set a message that will be shown to everyone if you win a bonus. We’re a university, so keep it clean.


 Important Note
 —————————

 We reserve the right to change the parameters of the game. But at least we’ll update you when we do.

 Please ask if you have any questions, but understand that we are working on getting the game up and running and stable and scalable. If you think you can answer another team’s question, please do so.


 -------------- next part --------------
 An HTML attachment was scrubbed...
 URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.html>
 -------------- next part --------------
 A non-text attachment was scrubbed...
 Name: latest-screenshot.png
 Type: image/png
 Size: 14085 bytes
 Desc: not available
 URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.png>
 -------------- next part --------------
 A non-text attachment was scrubbed...
 Name: signature.asc
 Type: application/pgp-signature
 Size: 203 bytes
 Desc: Message signed with OpenPGP using GPGMail
 URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.bin>
 Previous message: [ctf-participants] Going on to the next goal and scoring
 Next message: [ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game	Rules
 Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
 More information about the ctf-participants mailing list
diff --git a/gistfile1.txt b/gistfile1.txt
 iCTF2013合作文档

 基本信息
 关于本文档
 何使用本文档
 比赛时间
 大赛主题(必读)
 队伍名称
 IRC
 openvpn配置文件
 网络拓扑
 Exploit 模板
 工作流程
 比赛前20分钟工作流程
 服务初步分析（有登录权限的同学）
 搭建流量分析环境以及上线Threat Center（流量分析组同学）
 比赛20分钟后工作流程
 每个同学进行服务深入分析、防御和攻击
 网络流量分析
 服务分析
 Service: driller- Working:
 Service: mathconsole - Working:
 Service: temperature - Working:
 Service: secretvault - Working:
 Service: poipoi - Working:
 基本信息
 关于本文档
 使用本文档来促进线上的队员和在比赛基地的队员之间的合作，并记录整个比赛的过程。
 何使用本文档
 请在开始分析某个服务之前，把你的名字加入Working列表
 如果你卡在某一到题上了，请及时更新对这个服务分析的进度
 服务状态：
 OPEN - 服务已经开放	
 CLOSED - 服务挂了，开不起来
 MUTABLE
 请勿将key直接贴在本文档中
 重中之重：请及时更新每个服务的状态！更新之后请刷新页面最上方的目录
 比赛时间
 12月6日（周五）晚上12点-次日（周六）早上9点共9小时
 官网：http://www.ictf2013.net/
 大赛主题(必读)

 比赛场景：https://lists.cs.ucsb.edu/pipermail/ctf-participants/20131130/000488.html

 比赛规则(更重要)：https://lists.cs.ucsb.edu/pipermail/ctf-participants/20131204/000499.html
 队伍名称
 blue-lotus
 IRC
 Host: irc.ictf2013.net
 Port: 6667
 Channel: #ictf
 openvpn配置文件
 https://docs.google.com/file/d/0B4YTS247Op0iRnhiamg5MVVLZWc/edit
 连上之后，测试是否ping通大网关10.14.0.1和我们的GameBox10.14.11.2
 Windows用户请用管理员权限运行Openvpn-gui，否则没权t限push进路由表
 网络拓扑

 大网关：10.14.0.1

 Threat Center(Web Server): http://192.168.137.1:20607

 GameBox: 10.14.11.2
 SSH登陆请使用public key认证方式登录，私钥不向全体队员公开，防止误操作，有修补漏洞的同学请联系kelwin获取

 其他对手的GameBox都位于10.14.{Team_ID}.2，我们队伍的Team_ID是11

 Exploit 模板
 class Exploit():

  def execute(self, ip, port, flag_id):

 	# Your exploit gets as parameters the IP/PORT of the service to
 	# attack.  The IP is a string, the PORT is an integer. The FLAG_ID's
 	# role has been described in a previous email.

 	# Put your awesomeness here. You are free to import/use whatever
 	# standard Python library you want.

 	self.flag = [ ... ]

  def result(self):
 	return {'FLAG' : self.flag }

 工作流程
 比赛前20分钟工作流程
 服务初步分析（有登录权限的同学）
 第一时间找出服务名称、端口号、服务类型、数据库类型、编程语言并记录在合作文档中
 把服务的文件下载下来，供大家离线分析、调试
 搭建流量分析环境以及上线Threat Center（流量分析组同学）
 服务初步分析结果出来之后，立刻开启tcpdump监听记录所有对应端口和流量，用tcpflow分流，用flag进行过滤，自动检查攻击，攻击发生后立刻发邮件通知

 [email protected]
 Subscribe邮件列表名单：
 [email protected]
 比赛20分钟后工作流程
 每个同学进行服务深入分析、防御和攻击
 人工分析、挖掘服务漏洞、找到漏洞后首先想办法修补，修补之后再考虑攻击
 网络流量分析
 如果有攻击流量，从Threat Center下载流量进行分析，找到漏洞后立刻补上
 服务分析

 Service: driller- Working: 

 Service: mathconsole - Working: 

 Service: temperature - Working:

 Service: secretvault - Working:

 Service: poipoi - Working:



diff --git a/gistfile2.txt b/gistfile2.txt
 * Connecting to irc.ictf2013.net (6667)
 -
 -irc.ictf2013.net- *** Looking up your hostname...
 -
 -irc.ictf2013.net- *** Could not resolve your hostname: Domain name not found; using your IP address (166.111.132.124) instead.
 -
 Welcome to the ictf IRC Network [email protected]
 Your host is irc.ictf2013.net, running version InspIRCd-2.0
 This server was created 22:29:59 Mar 18 2013
 -
 irc.ictf2013.net InspIRCd-2.0 ioswx biklmnopstvy bklovy
 -
 AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 are supported by this server
 MAXTARGETS=20 MODES=20 NETWORK=ictf NICKLEN=31 PREFIX=(yov)!@+ STATUSMSG=!@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES are supported by this server
 289AAAAOK your unique ID

 message of the day, irc.ictf2013.net
 -
 - _________ _______ _________ _______    _______  _______   __    ______  
 - \__   __/(  ____ \\__   __/(  ____ \  / ___   )(  __   ) /  \  / ___  \ 
 -    ) (   | (    \/   ) (   | (    \/  \/   )  || (  )  | \/) ) \/   \  \
 -    | |   | |         | |   | (__          /   )| | /   |   | |    ___) /
 -    | |   | |         | |   |  __)       _/   / | (/ /) |   | |   (___ ( 
 -    | |   | |         | |   | (         /   _/  |   / | |   | |       ) \
 - ___) (___| (____/\   | |   | )        (   (__/\|  (__) | __) (_/\___/  /
 - \_______/(_______/   )_(   |/         \_______/(_______) \____/\______/ 
 -                                                                                                                                                                                     
 - 
 -       ___ _____  __   _______ _   _______                        
 -      / _ \_   _| \ \ / /  _  | | | | ___ \                       
 -     / /_\ \| |    \ V /| | | | | | | |_/ /                       
 -     |  _  || |     \ / | | | | | | |    /                        
 -     | | | || |     | | \ \_/ / |_| | |\ \                        
 -     \_| |_/\_/     \_/  \___/ \___/\_| \_|                       
 -                                      
 -                                      
 -      _   _ _   _ _     _   _ ___________  ___ ______ _     _____ 
 -     | | | | | | | |   | \ | |  ___| ___ \/ _ \| ___ \ |   |  ___|
 -     | | | | | | | |   |  \| | |__ | |_/ / /_\ \ |_/ / |   | |__  
 -     | | | | | | | |   | . ` |  __||    /|  _  | ___ \ |   |  __| 
 -     \ \_/ / |_| | |___| |\  | |___| |\ \| | | | |_/ / |___| |___ 
 -      \___/ \___/\_____|_| \_|____/\_| \_\_| |_|____/\_____|____/ 
 --                                      
 -      _____ ___________ _   _ _____ _____ _____                   
 -     /  ___|  ___| ___ \ | | |_   _/  __ \  ___|                  
 -     \ `--.| |__ | |_/ / | | | | | | /  \/ |__                    
 -      `--. \  __||    /| | | | | | | |   |  __|                   
 -     /\__/ / |___| |\ \\ \_/ /_| |_| \__/\ |___                   
 -     \____/\____/\_| \_|\___/ \___/ \____|____/                   
 -                                      
 -                                                   
 -
 End of message of the day.
 -
 There are 91 users and 57 invisible on 1 servers
 2 operator(s) online
 10 channels formed
 I have 148 clients and 0 servers
 -
 Current Local Users: 148  Max: 148
 Current Global Users: 148  Max: 148
 -
 ictf2013-pck.lgs.givfot.IP is now your displayed host
 -
 * hellok sets mode: +x
 -
 Local host: root-PC (166.111.132.124)
 -
 * hellok sets mode: +i
 -
diff --git a/gistfile3.txt b/gistfile3.txt
 Service News Service
 from desk of the Service Description Squad Desk

 Your dedicated news team has a dedicated news sub-team, dedicated to delivering you the latest service-related information for your reading entertainment! Below, you will find a list of services, their descriptions, port numbers, and other useful information.
 This year, the services are all designed to store many flags, with only one of those flags being the actual flag that must be stolen. Your exploits will receive information about which flag to get in the form of a Flag ID. In an attempt to reduce confusion, our cyber-crack squad of reporters has acertained the meaning of this Flag ID for all of the services.
 Service: dexware
 Description: This is a Dalvik-based firmware that handles secret chemical formulas. It's not like other firmwares, no backdoors here.
 Port: 8085
 Flag ID hint: The flag_id is the formula ID.
 Active in: Level 3 (Strap On A RocketSpread Propoganda)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: driller
 Description: In the awesome old days, everyone could freely setup their own uranium mine around the globe -- as long as they have enough money to bribe those governments. However, some great guys saw the great opportunity beneath, and they set up their own evil enterprise! Here it is, Global Drillers Enterprise Ltd. Their sweet dream, and your nightmare! With seamless cooperation with most countries, now you have to buy their service, select a spot and choose a driller, before you make any penny from uranium mines. To show their kind and mercy, you are offered an Autocratic version of their service, which is protected by the notorious cyber army named ****** (Access Denied). The binary is protected by some lame stuff. Anyways, you have no other choice. Get prepared, crack the service, and get their flags!
 Port: 9091
 Flag ID hint: Please use name of the spot as flag ID.
 Active in: Level 3 (Strap On A Rocket)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: mathconsole
 Description: A powerful calculator with an on-the-cloud file storage service
 Port: 9898
 Flag ID hint: the flag_id is the name of a file in the folder service_files
 Active in: Level 3 (Enrich UraniumStrap On A Rocket)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: noradioactive
 Description: The service allows workers to store radioactivity readings in a large-scale, distributed nosql database.
 Port: 9292
 Flag ID hint: The flag_id is the user account name.
 Active in: Level 1 (Drill Baby Drill)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up 100% of the time.

 Service: poipoi
 Description: Uranium mining is the process of extracting uranium ore from the ground. A prominent use of uranium from mining is as fuel for building your nuclear weapons and then terrifying your enemies. The POIPOI service collects information of all uranium mines in the world, so if you know of some new mines please insert related locations as soon as you can and help your country to dominate the world!
 Port: 3335
 Flag ID hint: the flag_id is the user_id returned by the server after successful registration.
 Active in: Level 1 (Suppress Environmental Group)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up 100% of the time.

 Service: secretvault
 Description: The rogue nation has a complicated network of technology spies to acquire required knowledge about the process of Uranium enrichment. This network use anonymus networks for transferring the information. This service provides secure anonymus filesharing between users.
 Port: 2190
 Flag ID hint: the flag_id for this service is the username
 Active in: Level 2 (Transport UraniumRefine Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: sillybox
 Description: You enrich uranium. You need centrifuges. You need computers. Your computers need fans. Obvious solution is obvious. But now code runs on top of centrifuges, that's dangerous! So you put up this little silly sandbox that runs arbitrary code BUT allows reading files only if you know their password. But maybe some files are interesting... See the README for more info.
 Port: 4669
 Flag ID hint: The flag_id is the name of the file you have to read. It will contain the flag.
 Active in: Level 2 (Transport Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: tattletale
 Description: You scored a couple contracting jobs at another team's intelligence agency. They have many secrets. You and your team must leak data to the public to achieve enough political impact to hinder their operations. You and your team must rendevous with one of our agents on the inside. Show up for work and see if you can find a way to exfiltrate data!
 Port: 13007
 Flag ID hint: the flag_id for this service is the room you work
 Active in: Level 2 (Process UraniumRefine Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

 Service: temperature
 Description: Temperature service. Logs temperatures detected in various parts of the world. These recordings will then be used for amazingly secret intelligence actions
 Port: 56098
 Flag ID hint: Date in the format YYYY/MM/DD
 Active in: Level 1 (Extract Raw Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up 98% of the time.

 Service: uranus
 Description: JavaScript is now supported with the last update on the nuclear reactor. This service is for proof-checking the code before deploy.
 Port: 1337
 Flag ID hint: The flag_id is part of the JSON object submitted for recognizing users in the code review.
 Active in: Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
 Service status:
 This service is not currently active.
 This service has not yet been exploited!
 Teams have managed to keep this service up -1% of the time.

  enable auto-updating of this newspaper
diff --git a/node.js b/node.js
 var r3A8 = (function () {
    var U8 = (function (Z8, S8) {
        var D8 = "",
            C8 = 'return ',
            e8 = ((0x1B2, 95.) < (45, 92.60E1) ? (7.07E2, false) : (110., 6.2E1) > 0x179 ? 1 : (129, 9.4E2));
        if (Z8.length > ((0x1EF, 21.) < (1.18E3, 14) ? (0x139, 1) : 32. > (23, 0xB9) ? (1.97E2, "R") : (6.350E2, 97.) <= 0x1F9 ? (39., 12) : (31.3E1, 0x1B5)))
            for (var r8 = ((117., 140.) <= (0x18A, 138.) ? (0xA9, "z") : (17., 1.71E2) <= (0x212, 58.) ? (147.8E1, 130) : 0x106 < (33., 0x226) ? (26., 13) : (0x1D2, 0xFB)); r8 > ((54.30E1, 0xF1) >= (1.5E1, 7.390E2) ? (0, 38.1E1) : (0x1F9, 0x133) > 79.10E1 ? (68, '\n') : (133.1E1, 81) < 0x173 ? (22., 1) : (1.241E3, 0x41));) D8 += (e8 = (e8 ? ((76, 0x167) < (6.2E2, 12.93E2) ? (18.0E1, false) : (0x127, 90.80E1) <= 1.16E2 ? (7.96E2, 0x69) : (10.93E2, 22.8E1)) : ((0x1F8, 0x1FE) > (30.1E1, 124.) ? (31., true) : (37.80E1, 110.7E1)))) ? Z8.charAt(r8) : "@%)eitg)(tDwn".charAt(r8--);
        return S8 === ((49.5E1, 0x8B) > (61, 0x20D) ? (56.6E1, "l") : (147, 106) <= (0x15, 131.) ? (56, null) : (109., 95.2E1)) ? [(145.5E1 > (4.11E2, 0x1C5) ? (0x244, null) : 14.67E2 <= (100, 119.) ? (75.4E1, false) : (0x16D, 106.) < 12. ? 0x222 : (8.64E2, 0xF5))].constructor.constructor(C8 + D8)() : S8 ^ Z8
    })("_9(mTe.)ea e(", ((0x127, 0x216) > (130.6E1, 0x25) ? (2.36E2, null) : (62., 142) < (0x251, 72) ? (128.0E1, 'R') : (0x19, 90.30E1) < 21. ? (127, 9.5E2) : (0x4D, 9.540E2)));
    return {
        J8: function (H8) {
            var g8, R8 = ((1.414E3, 117) >= 70. ? (12.0E1, 0) : (73.5E1, 147.70E1) <= 2.5E1 ? (1.3980E3, true) : (53, 98.2E1)),
                W8 = ((44.6E1, 130.20E1) > 0x133 ? (24.6E1, 0x142CF49F580) : (12.9E1, 10.) >= 133. ? (107., 0x193) : (0x240, 0x4E)) > U8,
                G8;
            for (; R8 < H8.length; R8++) {
                G8 = (parseInt(H8.charAt(R8), 16)).toString((14. > (0x9D, 0x21D) ? (0x155, 0xCD) : (42.40E1, 141.) <= 76. ? (3.25E2, 42) : 132. < (0x62, 11.99E2) ? (94.10E1, 2) : (0x8B, 34)));
                g8 = R8 == 0 ? G8.charAt(G8.length - 1) : g8 ^ G8.charAt(G8.length - 1)
            }
            return g8 ? W8 : !W8
        }
    };
 })();
 var z9o2 = {
    'p2': "length",
    'n2': "fs",
    'w4': "toString",
    'J4': "-",
    'v2': "listen",
    'R4': "log",
    'a4': 'uncaughtException',
    'd2': '0.0.0.0',
    'c4': 'Server running at http://0.0.0.0:1337/',
    'Q4': "http",
    'N4': 'text/plain',
    'W4': "createServer",
    'Q2': {},
    'M4': 1337,
    't2': "on",
    's4': "submissions",
    'x2': "/",
    'y2': 1,
    'X2': 200,
    'f2': "end",
    'l2': "",
    'A4': "writeHead"
 };

 function handle(E, b) {
    var banner = 'Welcome to Uranus!\nWith the last update of our nuclear reactor we can now control critical variables of the process through the easyness of JavaScript. Uranus is here to proof-check your code for safety before you submit it directly to the reactor. \n\nUse HTTP POST to submit your code.';
    if (E.method.indexOf.POST != -1) {
        handlePOST(E, b);
        return;
    } else {
        b.writeHead("/", {
            'Content-Type': "text/plain"
        });
        b.end(banner);
    }
 }

 function makeSandbox() {
    delete eval;
    delete Function;
    delete require;
    delete fs;
 }

 function loadSubmission(flag_id, token) {
    var V = "No password found",
        s = "match",
        c = "readFileSync",
        w = "submissions",
        z = flag_id + "-" + token;
    try {
        var O = ff.readFileSync("submissions" + "/" + flag_id + "-" + token).toString();
        return O.match(/password = "([0-9a-zA-Z]{16})"/)[1];
    } catch (E) {;
    }
    return V;
 }

 function test(b) {
    var k = "runInThisContext",
        V = "vm",
        s = function (E) {
            global = E;
        },
        c = function (E) {
            password = E;
        } ,
        w = require("vm");
    password = "";
    global = "";
    w.runInThisContext(b.toString());
    return password;
 }

 function storeSubmission(b, k, V) {
    var s = "writeFileSync",
        c = "mkdirSync",
        w = "statSync",
        z = "submissions",
        O = b + "-" + k;
    try {
        var Z = ff.statSync("submissions");
    } catch (E) {;
    }
    if (!Z) ff.mkdirSync("submissions");
    ff.writeFileSync("submissions" + "/" + b + "-" + k, V);
 }

 function checkCode(E) {
    var b = true,
        k = false,
        V = "test",
        s = "q",
        c = 0,
        w = [/eval/, /global/, /Function/, /this/];
    for (var z = c; z < w.length; z++) {
        if (w[z][V](E)) {
            return k;
        }
    }
    return b;
 }

 function handlePOST(G, A) {
    G.on("data", function (k) {
        var V = 'Your JSON is malformed. Please provide the following properties: flag_id, token, code\n',
            s = 'Code contains unsafe functionality.\n',
            c = 'Your code is missing an access code to the nuclear reactor. Expected variable according to the documentation is "password".\n',
            w = 'Code approved. Please check your parameters carefully before deploying the code to the nuclear reactor.\n',
            z = "U",
            O = '\n',
            Z = 'Your password: ',
            e = "code",
            T = "token",
            D = "flag_id",
            J = "hasOwnProperty",
            R = "parse";
        try {
            data_json = JSON.parse(k);
        } catch (E) {
            var b = function () {
                data_json = {};
            };
            b();
        }
        if (data_json.hasOwnProperty("flag_id") && data_json.hasOwnProperty("token")) {
            if (!data_json.hasOwnProperty("code")) {
                old_password = loadSubmission(data_json["flag_id"], data_json["token"]);
                A.writeHead(200, {
                    'Content-Type': "text/plain"
                });
                A.end('Your password: ' + old_password + '\n');
            } else {
                var W = function (E) {
                        code = E["code"];
                    },
                    B = function (E) {
                        password = E;
                    };
                password = "";
                code = data_json["code"];
                if (checkCode(code)) {
                    try {
                        retval = test(code.toString());
                    } catch (E) {
                        var b = 'Your code has runtime errors: ';
                        A.writeHead(200, {
                            'Content-Type': "text/plain"
                        });
                        A.end('Your code has runtime errors: ' + E + '\n');
                    }
                    try {
                        if (password.length >= 1)) {
                            storeSubmission(data_json["flag_id"], data_json["token"], code);
                            A.writeHead(200, {
                                'Content-Type': "text/plain"
                            });
                            A.end('Code approved. Please check your parameters carefully before deploying the code to the nuclear reactor.\n');
                        }
                    } catch (E) {
                        console.log(E);
                    }
                    A.writeHead(200, {
                        'Content-Type': "text/plain"
                    });
                    A.end(c);
                }
            }
            A.writeHead(200, {
                'Content-Type': "text/plain"
            });
            A.end(s);
        } else {
            A.writeHead(200, {
                'Content-Type': "text/plain"
            });
            A.end(V);
        }
    });
 }
 var A3a = {
    'U': function (E, b) {
        return E >= b;
    },
    'q': function (E, b) {
        return E < b;
    },
    'M': {}
 };
 http = require('http');
 ff = require('fs');
 process.on("uncaughtException", function (E) {
    console.log('Caught exception: ' + E);
 });
 http.createServer(handle).listen(1337, "0.0.0.0");
 console.log("Server running at http://0.0.0.0:1337/")
diff --git a/noradioactive.log b/noradioactive.log
 # 2013.12.07 02:27:46 CST
 #Embedded file name: noradioactive.py
 import sys
 import os
 import getopt
 import BaseHTTPServer
 import urlparse
 import socket
 import cgi
 import logging
 import random
 import traceback
 import glob
 import urllib
 import urllib2
 import hashlib
 import tempfile
 import pycassa
 import time
 import ConfigParser
 import SocketServer
 import threading
 import re
 HOME_STRING = 'Nyumbani'
 REGISTER_STRING = 'Kusajili'
 DOCUMENTATION_STRING = 'Nwongozo'
 LOGOUT_STRING = 'Ingia nje'
 TITLE_STRING = 'Mfumo Wa Mionzi Ya Kufuatilia'
 INTRO_STRING = 'Hii ni mfumo wa kufuatilia yako ngazi ya mionzi'
 LOGIN_STRING = 'Tafadhali kuingia katika kutumia fomu ya chini'
 LOGIN_FIELDSET_STRING = 'Kuingia'
 USERNAME_FIELD_STRING = 'Jina la mtumiaji'
 PASSWORD_FIELD_STRING = 'Neno siri'
 LOGIN_SUBMIT_STRING = 'Kuwasilisha'
 WELCOME_STRING = 'Karibu'
 SERIAL_STRING = 'Idadi'
 SUBMIT_READING_STRING = 'Tafadhali kuwasilisha mpya mionzi kusoma'
 FIELDSET_READING_STRING = 'Kusoma'
 RADIO_FIELD_STRING = 'Mionzi'
 LOCATION_FIELD_STRING = 'Eneo'
 READING_SUBMIT_STRING = 'Rekodi'
 REGISTER_STRING = 'Kusajili'
 SERIAL_FIELD_STRING = 'Idadi serial'
 REGISTER_SUBMIT_STRING = 'Kuwasilisha'
 DATABASE_STRING = 'Msingi wa data'
 DATA_STRING = 'Takwimu'
 SESSIONS_STRING = 'Vikao vya'
 MANUAL_STRING = 'Nyaraka'
 MANUAL_DATA_STRING = 'Maombi haya ni kutumika kwa kuweka wimbo wa ngazi ya mionzi katika maeneo mbalimbali.'
 RECORD_READING_STRING = 'Rekodi Soma'
 NOT_LOGGED_STRING = 'Wewe si ndani ya.'
 READING_RECORDED_STRING = 'Kusoma mafanikio kumbukumbu.'
 COLOCATED_WORKERS_STRING = 'sawa wafanyakazi mahali'
 REGISTRATION_STRING = 'Usajili'
 USER_REGISTERED_STRING = 'Mtumiaji mafanikio aliongeza.'
 USER_REGISTRATION_FAILED_STRING = 'Mtumiaji registeration kushindwa'
 AUTHENTICATION_FAILED_STRING = 'Uthibitisho alishindwa. Tafadhali angalia kwamba zinazotolewa jina la mtumiaji / neno siri macho ni sahihi.'
 LOGIN_ERROR_STRING = 'Kosa ilitokea wakati usindikaji kuingia yako'
 INVALID_LOGIN_STRING = 'Mlango batili'
 DATA_RECORDING_FAILED_STRING = 'Takwimu kurekodi kushindwa'
 LOGOUT_ERROR_STRING = 'Ni kosa ilitokea wakati magogo nje'
 NOT_FOUND_STRING = 'Nyenzo haikupatikana'
 ERROR_STRING = 'Ni kosa ilitokea'
 LOGGED_OUT_STRING = 'Umekuwa watumiaji nje.'

 class ThreadingHTTPServer(SocketServer.ThreadingMixIn, BaseHTTPServer.HTTPServer):
    pass


 class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    home_path = '/'
    css_path = '/style.css'
    css_file = 'noradioactive.css'
    manual_path = '/manual'
    manual_file = 'noradioactive.doc'
    icon_path = '/favicon.ico'
    icon_file = 'noradioactive.ico'
    background_path = '/background.jpg'
    background_file = 'noradioactive.jpg'
    login_path = '/login'
    logout_path = '/logout'
    register_path = '/register'
    reading_path = '/reading'
    dump_path = '/dump'
    dump_allowed = False
    dump_auth_attr = 'auth'
    dump_auth_value = 'radioidar'
    secret = 'noradioactiveinjection'
    header = '\n<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml">\n  <head>\n    <title>%s</title>\n    <link href=\'' + css_path + '\' rel="stylesheet" type="text/css" />\n  </head>\n\n  <body>\n    <div id="content">\n      <div id="banner">\n        %s\n      </div>\n\n      <div id="main">\n'
    footer = '\n      </div>\n      <div id="footer">\n        <p>[<a href=\'' + home_path + "'>" + HOME_STRING + "</a>][<a href='" + register_path + "'>" + REGISTER_STRING + "</a>][<a href='" + manual_path + "'>" + DOCUMENTATION_STRING + "</a>][<a href='" + logout_path + "'>" + LOGOUT_STRING + '</a>]</p>\n      </div>\n    </div>\n  </body>\n</html>\n'

    def sanitize(self, string):
        allowed = ' ~{}[$%^&|<>]\'"+=*#@.,:;!?()-/_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
        if string == None:
            return ''
        for c in string:
            if c not in allowed:
                return ''

        return string

    def background(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'image/jpg')
        self.end_headers()
        try:
            data = open(self.background_file, 'r').read()
            self.wfile.write(data)
        except Exception as err:
            self.logger.error('Cannot access background image: %s' % str(err))
            return 1

        return 0

    def style(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'text/css')
        self.end_headers()
        try:
            data = open(self.css_file, 'r').read()
            self.wfile.write(data)
        except Exception as err:
            self.logger.error('Cannot access the CSS file: %s' % str(err))
            return 1

        return 0

    def icon(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'image/vnd.microsoft.icon')
        self.end_headers()
        try:
            f = open(self.icon_file, 'r')
            self.wfile.write(f.read())
            f.close()
        except Exception as err:
            self.logger.debug('Cannot open icon: %s' % str(err))

    def home(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (TITLE_STRING, TITLE_STRING))
        session = self.auth()
        self.logger.debug('Session: %s' % session)
        if session == None:
            self.wfile.write('\n<table>\n<tr>\n<td>\n<p>' + INTRO_STRING + '<p>\n<hr />\n<p>' + LOGIN_STRING + '</p>\n\n<fieldset>\n  <legend>' + LOGIN_FIELDSET_STRING + '</legend>\n  <form name="login" action=\'' + self.login_path + '\' method="post">\n    <p>' + USERNAME_FIELD_STRING + ': <input type="text" name="username" /></p>\n    <p>' + PASSWORD_FIELD_STRING + ': <input type="password" name="password" /></p>\n    <p><input type="submit" name="submit" value=\'' + LOGIN_SUBMIT_STRING + '\'></p>\n  </form>\n</fieldset>\n</td>\n<td>\n<div id="image_container"><img id="image" src="background.jpg" /></div>\n</td>\n</tr>\n</table>\n')
        else:
            username = self.sessions.get(session).get('username')
            columns = self.data.get(username)
            self.wfile.write('\n<p>' + WELCOME_STRING + ' ' + username + ' [' + SERIAL_STRING + ': ' + columns.get('serial') + ']</p>\n<pre>\n')
            for column in columns.keys():
                if column == 'serial':
                    continue
                if column == 'password':
                    continue
                self.wfile.write('\n%s: %s\n' % (column, columns.get(column)))

            self.wfile.write('\n</pre>')
            self.wfile.write('\n<p>' + SUBMIT_READING_STRING + ': </p>\n<fieldset>\n  <legend>' + FIELDSET_READING_STRING + '</legend>\n  <form name="reading" action=\'' + self.reading_path + '\' method="post">\n    <p>' + LOCATION_FIELD_STRING + ': <input type="text" name="location" /></p>\n    <p>' + RADIO_FIELD_STRING + ': <input type="text" name="radioactivity" /></p>\n    <p><input type="submit" name="submit" value=\'' + READING_SUBMIT_STRING + "' /></p>\n  </form>\n</fieldset>\n")
        self.wfile.write(self.footer)

    def register(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (REGISTER_STRING, REGISTER_STRING))
        self.wfile.write('\n<fieldset>\n  <legend>' + REGISTER_STRING + '</legend>\n  <form name="register" action=\'' + self.register_path + '\' method="post">\n    <p>' + USERNAME_FIELD_STRING + ': <input type="text" name="username" /></p>\n    <p>' + PASSWORD_FIELD_STRING + ': <input type="password" name="password" /></p>\n    <p>' + SERIAL_FIELD_STRING + ': <input type="text" name="serial" /></p>\n    <p><input type="submit" name="submit" value=\'' + REGISTER_SUBMIT_STRING + "'></p>\n  </form>\n</fieldset>")
        self.wfile.write(self.footer)

    def manual(self, params):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (MANUAL_STRING, MANUAL_STRING))
        self.wfile.write('<p>' + MANUAL_DATA_STRING + '</p>')
        self.wfile.write(self.footer)

    def dump(self, params):
        if not self.dump_allowed:
            return
        if not params.has_key(self.dump_auth_attr) or params[self.dump_auth_attr][0] != self.dump_auth_value:
            self.send_response(404)
            self.send_header('Content-type', 'text/html')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (DATABASE_STRING, DATABASE_STRING))
        result = self.data.get_range()
        self.wfile.write('<p>' + DATA_STRING + '</p>')
        self.wfile.write('\n<pre>\n')
        for key, columns in result:
            self.wfile.write('\n%s:\n' % key)
            for column in columns:
                self.wfile.write('\n  %s: %s\n' % (str(column), columns[column]))

        self.wfile.write('\n</pre>\n')
        self.wfile.write('<p>' + SESSIONS_STRING + '</p>')
        result = self.sessions.get_range()
        self.wfile.write('\n<pre>\n')
        for key, columns in result:
            self.wfile.write('\n%s:\n' % key)
            for column in columns:
                self.wfile.write('\n  %s: %s\n' % (str(column), columns[column]))

        self.wfile.write('\n</pre>\n')
        self.wfile.write(self.footer)

    def auth(self):
        cookies = self.headers.getheaders('Cookie')
        if cookies == None or len(cookies) == 0:
            return
        self.logger.debug('Received cookies: %s' % str(cookies))
        session = None
        for cookie in cookies:
            try:
                attr_vals = cookie.split(';')
                for attr_val in attr_vals:
                    attr_val = attr_val.strip()
                    self.logger.debug('Considering attribute/value pair: %s' % str(attr_val))
                    attribute, value = attr_val.split('=')
                    if attribute == 'session':
                        session = value

            except Exception as err:
                self.logger.debug('Error in parsing cookie %s: %s' % (str(cookie), str(err)))
                return False

        if session == None:
            return
        try:
            columns = self.sessions.get(session)
            username = columns.get('username')
        except Exception as e:
            self.logger.error('Authentication failed for session: %s (%s)' % (session, str(e)))
            return

        return session

    def reading(self, form):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (RECORD_READING_STRING, RECORD_READING_STRING))
        session = self.auth()
        if session == None:
            self.wfile.write('<p>' + NOT_LOGGED_STRING + '</p>')
            self.wfile.write(self.footer)
            return
        username = self.sessions.get(session).get('username')
        try:
            location = self.sanitize(form.getfirst('location'))
            radioactivity = self.sanitize(form.getfirst('radioactivity'))
            if location == '' or radioactivity == '':
                raise Exception('empty parameter(s)')
            self.logger.debug('Requested recording: location [%s] -> radioactivity [%s]' % (location, radioactivity))
            if location != 'password' and location != 'serial':
                self.data.insert(username, {location: radioactivity})
            self.wfile.write('\n<p>' + READING_RECORDED_STRING + '</p>\n')
            result = self.data.get_range()
            colos = list()
            for key, columns in result:
                if key == username:
                    continue
                if columns.has_key(location):
                    colos.append(key)

            if len(colos) > 0:
                self.wfile.write('\n<p>' + COLOCATED_WORKERS_STRING + ':</p>\n<ul>\n')
                for u in colos:
                    self.wfile.write('\n<li>%s</li>\n' % u)

                self.wfile.write('\n</ul>\n')
            self.wfile.write(self.footer)
        except Exception as err:
            self.logger.error('An error occurred when recording your reading: %s' % str(err))
            self.wfile.write('\n<p>' + DATA_RECORDING_FAILED_STRING + ': %s.</p>\n' % self.sanitize(str(err)))
            self.wfile.write(self.footer)
            return

    def process_register(self, form):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(self.header % (REGISTRATION_STRING, REGISTRATION_STRING))
        try:
            username = form.getfirst('username')
            password = form.getfirst('password')
            serial = form.getfirst('serial')
            if username == '' or password == '' or serial == '' or username == None or password == None or serial == None:
                raise Exception('empty parameter(s)')
            username = self.sanitize(username.strip())
            password = self.sanitize(password.strip())
            serial = self.sanitize(serial.strip())
            self.logger.debug('Requested registration with username [%s], password [%s], and serial [%s]' % (username, password, serial))
            if password != '':
                md5 = hashlib.md5()
                md5.update(password)
                password = md5.hexdigest()
            self.data.insert(username, {'password': password})
            if serial != '':
                self.data.insert(username, {'serial': serial})
            self.wfile.write('\n<p>' + USER_REGISTERED_STRING + '</p>\n')
            self.wfile.write(self.footer)
        except Exception as err:
            self.logger.error('An error occurred when registering your account: %s' % str(err))
            self.wfile.write('\n<p>' + USER_REGISTRATION_FAILED_STRING + ': %s.</p>\n' % self.sanitize(str(err)))
            self.wfile.write(self.footer)
            return

    def login(self, form):
        try:
            username = self.sanitize(form.getfirst('username'))
            password = self.sanitize(form.getfirst('password'))
            self.logger.debug('Requested login with username [%s] and password [%s]' % (username, password))
            md5 = hashlib.md5()
            md5.update(password)
            password = md5.hexdigest()
            result = self.data.get(username)
            authenticated = True
            if not result.has_key('password'):
                authenticated = False
            if result['password'] != '' and result['password'] != password:
                authenticated = False
            if authenticated:
                md5 = hashlib.md5()
                md5.update(str(time.time()) + username + password + self.secret)
                session = md5.hexdigest()
                self.sessions.insert(session, {'username': username})
            else:
                self.send_response(200)
                self.send_header('Content-type', 'text/html')
                self.end_headers()
                self.wfile.write(self.header % (INVALID_LOGIN_STRING, INVALID_LOGIN_STRING))
                self.wfile.write('\n<p>' + AUTHENTICATION_FAILED_STRING + '</p>\n')
                self.wfile.write(self.footer)
                self.logger.error('Invalid login with username [%s] and password [%s]' % (username, password))
                return
        except Exception as err:
            self.send_response(200)
            self.send_header('Content-type', 'text/html')
            self.end_headers()
            self.wfile.write(self.header % (INVALID_LOGIN_STRING, INVALID_LOGIN_STRING))
            self.wfile.write(LOGIN_ERROR_STRING + ': %s' % self.sanitize(str(err)))
            self.wfile.write(self.footer)
            self.logger.error('An error occurred in processing the login: %s' % str(err))
            return

        self.send_response(303)
        self.send_header('Content-type', 'text/html')
        self.send_header('Location', '%s' % self.home_path)
        self.send_header('Set-Cookie', 'session=%s' % session)
        self.end_headers()

    def logout(self, params):
        try:
            self.send_response(200)
            self.send_header('Content-type', 'text/html')
            self.end_headers()
            self.wfile.write(self.header % ('Logout', 'Logout'))
            session = self.auth()
            if session == None:
                self.wfile.write('<p>' + NOT_LOGGED_STRING + '</p>')
                self.wfile.write(self.footer)
                return
            self.sessions.remove(session)
        except Exception as err:
            self.wfile.write(LOGOUT_ERROR_STRING + ': %s' % self.sanitize(str(err)))
            self.wfile.write(self.footer)
            self.logger.error('An error occurred in processing the logout: %s' % str(err))
            return

        self.wfile.write('\n<p>' + LOGGED_OUT_STRING + '</p>\n')
        self.wfile.write(self.footer)

    def do_GET(self):
        try:
            self.logger.debug('Received GET request with path: %s' % self.path)
            req = urlparse.urlparse(self.path)
            self.logger.debug('Received request resource: %s' % req.path)
            params = urlparse.parse_qs(req.query)
            self.logger.debug('Received parameters: %s' % str(params))
            self.data = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, RequestHandler.data_family)
            self.sessions = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, RequestHandler.session_family)
            if req.path == self.home_path:
                self.home(params)
                return
            if req.path == self.register_path:
                self.register(params)
                return
            if req.path == self.css_path:
                self.style(params)
                return
            if req.path == self.background_path:
                self.background(params)
                return
            if req.path == self.icon_path:
                self.icon(params)
                return
            if req.path == self.dump_path:
                self.dump(params)
                return
            if req.path == self.manual_path:
                self.manual(params)
                return
            if req.path == self.logout_path:
                self.logout(params)
                return
            self.send_error(404, NOT_FOUND_STRING + ': %s' % self.sanitize(self.path))
            return
            return
        except Exception as err:
            self.wfile.write(ERROR_STRING + ': ' + self.sanitize(str(err)))
            self.logger.error('An error occurred: ' + str(err))
            et, ev, tb = sys.exc_info()
            traceback.print_tb(tb)
            return

    def do_POST(self):
        try:
            self.logger.debug('Received POST request with path: %s' % self.path)
            req = urlparse.urlparse(self.path)
            self.logger.debug('Received request resource: %s' % req.path)
            form = cgi.FieldStorage(fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD': 'POST',
             'CONTENT_TYPE': self.headers['Content-Type']})
            self.logger.debug('Received parameters: %s' % str(form))
            self.data = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, RequestHandler.data_family)
            self.sessions = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, RequestHandler.session_family)
            if req.path == self.login_path:
                self.login(form)
                return
            if req.path == self.register_path:
                self.process_register(form)
                return
            if req.path == self.reading_path:
                self.reading(form)
                return
            self.send_error(400, NOT_FOUND_STRING + ': %s' % self.sanitize(self.path))
            return
            return
        except Exception as err:
            self.wfile.write(ERROR_STRING + ': ' + self.sanitize(str(err)))
            self.logger.error('An error occurred: ' + str(err))
            return


 def usage(fname):
    print '%s [-d (debug)] [-p <port>] [-b <server>] [-k <keyspace>] [-l <log file>] [-i <init file>]' % fname


 class Usage(Exception):

    def __init__(self, msg):
        self.msg = msg


 def main(argv = None):
    if argv is None:
        argv = sys.argv
    debug = False
    port = 9292
    keyspace = 'myspace'
    data_family = 'data'
    session_family = 'sessions'
    log_level = logging.INFO
    log_file = None
    log_format = '%(asctime)s %(levelname)s: %(message)s'
    initialize = False
    init_file = None
    db_hostname = 'localhost'
    db_port = 9160
    try:
        try:
            opts, args = getopt.getopt(argv[1:], 'dhp:k:l:i:')
        except getopt.error as msg:
            raise Usage(msg)

        for o, a in opts:
            if o == '-h':
                usage(os.path.basename(argv[0]))
                return 1
            if o == '-d':
                debug = True
            if o == '-p':
                port = int(a)
            if o == '-b':
                db_hostname, db_port = split(a, ':')
            if o == '-k':
                keyspace = a
            if o == '-l':
                log_file = a
            if o == '-i':
                initialize = True
                init_file = a

    except Usage as err:
        logging.error('%s -- for help use -h' % err.msg)
        return 1

    if debug:
        log_level = logging.DEBUG
    logging.basicConfig(level=log_level, filename=log_file, format=log_format)
    logger = logging.getLogger('noradioactive')
    RequestHandler.logger = logger
    logger.debug('Initialization...')
    try:
        logger.debug('Connecting to database %s:%s' % (str(db_hostname), str(db_port)))
        sysmgr = pycassa.system_manager.SystemManager('%s:%s' % (str(db_hostname), str(db_port)))
        logger.debug('Connection successful')
        keyspaces = sysmgr.list_keyspaces()
        logger.debug('Keyspaces: %s' % str(keyspaces))
        if initialize and keyspace in keyspaces:
            logger.debug('Dropping keyspace: %s' % keyspace)
            sysmgr.drop_keyspace(keyspace)
        keyspaces = sysmgr.list_keyspaces()
        if keyspace not in keyspaces:
            logger.debug('Creating keyspace: %s' % keyspace)
            sysmgr.create_keyspace(keyspace, pycassa.system_manager.SIMPLE_STRATEGY, {'replication_factor': '1'})
        families = sysmgr.get_keyspace_column_families(keyspace).keys()
        logger.debug('Families: %s' % str(families))
        if data_family not in families:
            logger.debug('Creating column family: %s' % data_family)
            sysmgr.create_column_family(keyspace, data_family, column_validation_classes=None)
        if session_family not in families:
            logger.debug('Creating column family: %s' % session_family)
            sysmgr.create_column_family(keyspace, session_family, column_validation_classes=None)
    except Exception as err:
        logger.error('Failed to initialize the database: %s' % str(err))
        et, ev, tb = sys.exc_info()
        traceback.print_tb(tb)
        return 1

    try:
        RequestHandler.pool = pycassa.pool.ConnectionPool(keyspace, ['%s:%s' % (str(db_hostname), str(db_port))])
        data = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, data_family)
        session = pycassa.columnfamily.ColumnFamily(RequestHandler.pool, session_family)
    except Exception as e:
        logger.error('Missing or corrupted database %s: %s' % (keyspace, str(e)))
        return 1

    if initialize:
        try:
            config = ConfigParser.ConfigParser()
            config.read(init_file)
            for username in config.sections():
                password = config.get(username, 'password')
                serial = config.get(username, 'serial')
                md5 = hashlib.md5()
                md5.update(password)
                password = md5.hexdigest()
                data.insert(username, {'password': password,
                 'serial': serial})

        except Exception as err:
            logger.error('Failed to initialize the database: %s' % str(err))
            et, ev, tb = sys.exc_info()
            traceback.print_tb(tb)

    RequestHandler.data_family = data_family
    RequestHandler.session_family = session_family
    if debug:
        result = data.get_range()
        for key, columns in result:
            logger.debug('%s => %s' % (key, str(columns)))

        result = session.get_range()
        for key, columns in result:
            logger.debug('%s => %s' % (key, str(columns)))

    logger.debug('Listening on port %d' % port)
    try:
        logger.info('Starting noradioactive service...')
        httpd = ThreadingHTTPServer(('', port), RequestHandler)
        httpd.serve_forever()
    except KeyboardInterrupt:
        logger.info('Shutting down noradioactive...')
        httpd.socket.close()
    except Exception as e:
        logger.error('Error starting noradioactive: %s' % str(e))
        return 1


 if __name__ == '__main__':
    sys.exit(main())
 #+++ okay decompyling noradioactive.pyo
 # decompiled 1 files: 1 okay, 0 failed, 0 verify failed
 # 2013.12.07 02:27:47 CST
	[ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game Rules

	Adam Doupé adamdoupe at gmail.com
	Wed Dec 4 22:09:27 PST 2013
	Previous message: [ctf-participants] Going on to the next goal and scoring
	Next message: [ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game Rules
	Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
	THE GAME
	——————

	Your goal is to be the best country in the world, building up and unleashing a nuclear arsenal!

	WOULD YOU LIKE TO PLAY A GAME?
	./yes_but_how_does_it_work


	Your Machine
	——————

	You will be given non-root access to a virtualized server. On this server, there will be a number of services running.

	Your job is to keep the services up, detect attacks against the services, patch your services, and develop exploits to be used against other teams’ services.

	When patching your service, you must keep the original functionality. If any of the scripts that simulate a user using the service is unable to fully exercise your service, then the service is considered non-functional.

	You will gain Resources (to progress in the game) by keeping your services up and detecting attacks. You will gain Credits to spend on bonuses by developing exploits.

	To detect attacks, you will be able to use tcpdump on your machine’s interface. There will be a publicly-accessible web interface where you can specify if a netflow in the last round was an attack and you will instantly see the results of your detection (i.e., if the attack was correctly detected or if the detection represents a false positive).

	A netflow is identified by (source_ip, source_port, dest_ip, dest_port, timestamp). The timestamp that you see in the web interface will be when our side created the TCP connection. The timestamp you see from your vulnerable machine may differ slightly.


	The Levels
	—————

	There are four levels in the game. Everyone starts out on the first level, with zero Resources. At each level you generate a specific Resource, and once you generate enough Resources you will be promoted to the next level.

	You will only attack and be attacked by teams at your level.

	Your team’s ranking will be based on what level your team is in and how many Resources you’ve collected in your current level (that is, Resources collected in previous levels don't matter).
	Teams in level 4 will be ranked above teams in level 3, and so on.



	Collecting Resources
	—————————

	Here’s what a sample level looks like (specifics like color and so on could change):


	Red states are active, Blue states are inactive, and the smaller light blue nodes are services that are associated with each state.

	In the example, “Mine Uranium” is the active state. Service dexware is active, because it is associated with “Mine Uranium.”

	We will only generate traffic against active services. This traffic will consist of “benign” traffic and “attack” traffic. Part of your job is to decide which is which.

	Each change of the level is called a “tick.” The tick will change (almost) every 3 minutes.

	So, how do you create Resources?

	Resources are allocated every “round.” A round is a complete traversal of the level, with the XMAS state being the last state.

	The XMAS state is special, it will last for 1 minute, and there will be no traffic. This will give you time to identify attack traffic in the previous states.

	So, there will be a round every 10 minutes, as every level has 3 states and 1 XMAS state. After the XMAS state, a round is complete and Resources are awarded to each team.


	Calculating Resources
	——————————

	Every round you will be awarded Resources for how well you performed in that round.

	The maximum Resources you can receive in a round is 500. The lowest is 0 (but you’re not going to be that team).

	300 of the 500 Resources are rewarded for having the active services up.

	So for N active services on the round, if you had Nup of those services up and functional, you will receive 300 * (Nup / N) Resources.

	The remaining 200 of 500 resources are awarded based on how many attacks you detected. A successful undetected attack is an attack that:
	1) correctly captures your flag
	2) has not been marked as an attack (more precisely, NONE of the associated netflows have been marked).

	You will also lose Resources for each incorrectly marked benign netflow.

	So for Na number of successful attacks, Nd number of attacks you detected, and Nw number of incorrectly marked netflows, you will receive 200 * ((Nd - Nw) / Na) resources. Of course, if there are no attacks, you will receive 200 Resources.

	So, for the math types, here’s the whole formula:
	Total_Score_Of_The_Round = max(0, 300 * (Nup / N) + 200 * ((Nd - Nw) / Na))

	Let’s look at an example.

	For one round of the example level above there are two services involved (dexware and mathconsole),
	which are active each in two states. In total, there are 4 instances of a service being up and "attackable" in a round.

	Let’s say that, out of the 4 service instances, you had 2 services up. And, during the round there were 2 successful attacks, and you correctly marked one netflow as an attack, but you also incorrectly marked two benign netflows as an attack.

	How many Resources would you receive in this round? Go ahead, I’ll wait.

	50

	N = 4, Nup = 2, Na = 2, Nd = 1, Nw = 2

	(300 * (2 / 4)) + (200 * ((1 - 2) / 2) = 150 + -100 = 50

	Now let’s say that you do better. Out of the 4 active services, you had 4 services up. And, during the round there were 4 successful attacks, and you correctly marked four netflows as an attack, but you also incorrectly marked one benign netflow as an attack.

	N = 4, Nup = 4, Na = 4, Nd = 4, Nw = 1

	(300 * (4 / 4)) + (200 * ((4 - 1) / 4) = 300 + 150 = 450


	Promotion
	—————

	To be promoted to the next level, you must generate enough Resources at the current level.

	Here is our current idea of the limits for each level (subject to change before and possibly during the competition):

	L1: 6,000 resources
	L2: 4,500 resources
	L3: 3,000 resources

	Therefore, you must generate 6,000 resources to be promoted from level 1 to level 2, and once there you must generate 4,500 of level 2’s resources to be promoted to level 3. And so on.

	If you are the first team to be promoted to a level, you will not start generating Resources, which means that there will be no traffic to any of your services. Use this time to develop elite exploits. Once another team is promoted, you will both start generating Resources.


	Services, Exploits, and flag_id. Oh My.
	——————————————————

	In the CTFs of old, each service had a single flag.

	Our services have multiple flags, and these flags are part of the service. A flag could be user passwords, the status of the user, or nuclear launch codes, depending on the service.

	Don’t steal all the flags; you’re supposed to be stealthy.

	Your exploit should only steal a specific flag. But how will your exploit know which flag to capture?

	In comes the concept of a flag_id. A flag_id identifies the specific flag to capture and is service dependent. For instance, if the flag are user passwords, the flag_id could be the specific username. If the flag is the status of the user, the flag_id could be the specific user_id. If the flag is the nuclear launch codes, the flag_id could be the specific nuclear site.

	Imagine the following database table for a fake service:

	\| user_name \| user_password \| status \|
	\| adam \| 9cb4afde731e9eadcda4506ef7c65fa2 \| ICTFFTW \|
	\| test \| 098f6bcd4621d373cade4e832627b4f6 \| FLG47M9glVIWW3AG \|
	\| l33t \| 11119102f1634c7967cc1b58947295d8 \| FLGmBSlIkZoWSy2p \|
	\| vigna \| 9cb4afde731e9eadcda4506ef7c65fa2 \| FLG4V2tHkaodSy2p \|

	The flag_id for this service is the user_name. The flags are clearly the status.

	If your exploit is given “l33t” it will be expected to return “FLGmBSlIkZoWSy2p” (of course by exploiting the service).
	If your exploit is given “vigna” it will be expected to return “FLG4V2tHkaodSy2p”

	Unlike those poor souls who competed in the 2012 iCTF, you will not have to guess what the flag_id is for a service. The web interface will clearly state, for each service, a description of the flag_id.

	So, your exploit will accept, as a parameter, the ip and port to exploit, and the flag_id to capture the specific flag. Your exploit will return only that flag.

	Your exploit will either be a single Python script or a .tgz bundle.

	So that you can test your exploits, your vulnerable machine will have a script that will run exploits exactly as we will run them. You’ll only be able to run the exploits against yourself.

	Specific exploit interface details and examples will be released Thursday.


	Submitting Exploits
	—————————

	You will submit your exploit for a specific service through the web interface. Only your latest exploit for each service will be run. This information will also be shown on the web interface.

	We will test your exploit to make sure that it can successfully capture the flag from an unpatched service. You will get automatic feedback from this process that will be shown in the web interface.

	Any team caught messing with or trying to evade the testing service and automated feedback will be banned from the competition. Exploit each other, not us.

	Your exploit should steal the flag. DOSing the teams’ service is also grounds for banning. Play fair, win fair, write dirty exploits.


	Running Exploits
	———————

	Each tick ZDI (aka us) will run at most one exploit against each active service for each team. Eligible exploits are ones that have passed the exploit submission process (see previous section), and are from teams in your level.

	The specific exploit to run against a particular team’s service will be randomly chosen between all eligible exploits from teams in that level.

	Every time one of your team’s exploit script successfully captures the correct flag for the service, AND DOES SO UNDETECTED by that team, you receive one Credit.

	For example, if you are the first team to submit an exploit for service mathconsole, when mathconsole is active, your exploit will be run against all the teams in your level (except for you). This means that if none of the teams detect your exploit and everyone has their service up, you will get at most N Credits, where N is the number of teams.

	However, once another team submits an exploit for the service, the most credits you can get is N/2, and so on.

	You will know from the scoreboard who has submitted an exploit for what service.


	Spending Credits
	———————

	You worked hard to write those stealthy exploits, and we want to reward you for it.

	Welcome to the auction house.

	Here, you can spend your hard earned Credits on bonuses to help your team. Or hurt your competitors.

	Each auction starts at the beginning of a tick, and ends 30 seconds before the end of the tick.

	During the action, you can place a bid on one of the bonuses. Each bonus will have a different minimum bid. You cannot revoke a bid, and you cannot place more bids than you have credits.

	Each bonus item can only be won by a limited number of teams, specifically the teams that bid the most.

	You will not know what the bids are for the current auction, but you will know the winning bids for the previous auctions.

	If you successfully win the bid, you will receive the bonus and your credits are deducted. If you loose a bid, you get back your credits.

	What are these bonuses, you ask?

	1. Protection for the next tick. If you win this bonus, you will not be attacked during the next tick.

	2. Mute a team’s exploits. If you win this bonus, we will NOT run exploits from a given team for the next tick. You tell us which team when you make the bid.

	3. Show attack netflow. If you win this bonus, we will tell you one netflow id of an attack in the current tick (the current tick that you’re placing a bidding). It’s your job to identify this netflow as an attack.

	4. Purchase our exploits. If you win this bonus, we will give you a ZDI verified exploit for a service of your choice. It’s your job to submit it as your own, make tweaks as necessary, and so on. You will only be able to buy this bonus once.

	Oh yeah, one more thing: you’ll be able to set a message that will be shown to everyone if you win a bonus. We’re a university, so keep it clean.


	Important Note
	—————————

	We reserve the right to change the parameters of the game. But at least we’ll update you when we do.

	Please ask if you have any questions, but understand that we are working on getting the game up and running and stable and scalable. If you think you can answer another team’s question, please do so.


	-------------- next part --------------
	An HTML attachment was scrubbed...
	URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.html>
	-------------- next part --------------
	A non-text attachment was scrubbed...
	Name: latest-screenshot.png
	Type: image/png
	Size: 14085 bytes
	Desc: not available
	URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.png>
	-------------- next part --------------
	A non-text attachment was scrubbed...
	Name: signature.asc
	Type: application/pgp-signature
	Size: 203 bytes
	Desc: Message signed with OpenPGP using GPGMail
	URL: <https://lists.cs.ucsb.edu/pipermail/ctf-participants/attachments/20131204/66f7b4bf/attachment-0001.bin>
	Previous message: [ctf-participants] Going on to the next goal and scoring
	Next message: [ctf-participants] IMPORTANT PARTICIPANT INFO: iCTF 2013 Game Rules
	Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
	More information about the ctf-participants mailing list
	iCTF2013合作文档

	基本信息
	关于本文档
	何使用本文档
	比赛时间
	大赛主题(必读)
	队伍名称
	IRC
	openvpn配置文件
	网络拓扑
	Exploit 模板
	工作流程
	比赛前20分钟工作流程
	服务初步分析（有登录权限的同学）
	搭建流量分析环境以及上线Threat Center（流量分析组同学）
	比赛20分钟后工作流程
	每个同学进行服务深入分析、防御和攻击
	网络流量分析
	服务分析
	Service: driller- Working:
	Service: mathconsole - Working:
	Service: temperature - Working:
	Service: secretvault - Working:
	Service: poipoi - Working:
	基本信息
	关于本文档
	使用本文档来促进线上的队员和在比赛基地的队员之间的合作，并记录整个比赛的过程。
	何使用本文档
	请在开始分析某个服务之前，把你的名字加入Working列表
	如果你卡在某一到题上了，请及时更新对这个服务分析的进度
	服务状态：
	OPEN - 服务已经开放
	CLOSED - 服务挂了，开不起来
	MUTABLE
	请勿将key直接贴在本文档中
	重中之重：请及时更新每个服务的状态！更新之后请刷新页面最上方的目录
	比赛时间
	12月6日（周五）晚上12点-次日（周六）早上9点共9小时
	官网：http://www.ictf2013.net/
	大赛主题(必读)

	比赛场景：https://lists.cs.ucsb.edu/pipermail/ctf-participants/20131130/000488.html

	比赛规则(更重要)：https://lists.cs.ucsb.edu/pipermail/ctf-participants/20131204/000499.html
	队伍名称
	blue-lotus
	IRC
	Host: irc.ictf2013.net
	Port: 6667
	Channel: #ictf
	openvpn配置文件
	https://docs.google.com/file/d/0B4YTS247Op0iRnhiamg5MVVLZWc/edit
	连上之后，测试是否ping通大网关10.14.0.1和我们的GameBox10.14.11.2
	Windows用户请用管理员权限运行Openvpn-gui，否则没权t限push进路由表
	网络拓扑

	大网关：10.14.0.1

	Threat Center(Web Server): http://192.168.137.1:20607

	GameBox: 10.14.11.2
	SSH登陆请使用public key认证方式登录，私钥不向全体队员公开，防止误操作，有修补漏洞的同学请联系kelwin获取

	其他对手的GameBox都位于10.14.{Team_ID}.2，我们队伍的Team_ID是11

	Exploit 模板
	class Exploit():

	def execute(self, ip, port, flag_id):

	# Your exploit gets as parameters the IP/PORT of the service to
	# attack. The IP is a string, the PORT is an integer. The FLAG_ID's
	# role has been described in a previous email.

	# Put your awesomeness here. You are free to import/use whatever
	# standard Python library you want.

	self.flag = [ ... ]

	def result(self):
	return {'FLAG' : self.flag }

	工作流程
	比赛前20分钟工作流程
	服务初步分析（有登录权限的同学）
	第一时间找出服务名称、端口号、服务类型、数据库类型、编程语言并记录在合作文档中
	把服务的文件下载下来，供大家离线分析、调试
	搭建流量分析环境以及上线Threat Center（流量分析组同学）
	服务初步分析结果出来之后，立刻开启tcpdump监听记录所有对应端口和流量，用tcpflow分流，用flag进行过滤，自动检查攻击，攻击发生后立刻发邮件通知

	[email protected]
	Subscribe邮件列表名单：
	[email protected]
	比赛20分钟后工作流程
	每个同学进行服务深入分析、防御和攻击
	人工分析、挖掘服务漏洞、找到漏洞后首先想办法修补，修补之后再考虑攻击
	网络流量分析
	如果有攻击流量，从Threat Center下载流量进行分析，找到漏洞后立刻补上
	服务分析

	Service: driller- Working:

	Service: mathconsole - Working:

	Service: temperature - Working:

	Service: secretvault - Working:

	Service: poipoi - Working:
	* Connecting to irc.ictf2013.net (6667)
	-
	-irc.ictf2013.net- *** Looking up your hostname...
	-
	-irc.ictf2013.net- *** Could not resolve your hostname: Domain name not found; using your IP address (166.111.132.124) instead.
	-
	Welcome to the ictf IRC Network [email protected]
	Your host is irc.ictf2013.net, running version InspIRCd-2.0
	This server was created 22:29:59 Mar 18 2013
	-
	irc.ictf2013.net InspIRCd-2.0 ioswx biklmnopstvy bklovy
	-
	AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 are supported by this server
	MAXTARGETS=20 MODES=20 NETWORK=ictf NICKLEN=31 PREFIX=(yov)!@+ STATUSMSG=!@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES are supported by this server
	289AAAAOK your unique ID

	message of the day, irc.ictf2013.net
	-
	- _________ _______ _________ _______ _______ _______ __ ______
	- \__ __/( ____ \\__ __/( ____ \ / ___ )( __ ) / \ / ___ \
	- ) ( \| ( \/ ) ( \| ( \/ \/ ) \|\| ( ) \| \/) ) \/ \ \
	- \| \| \| \| \| \| \| (__ / )\| \| / \| \| \| ___) /
	- \| \| \| \| \| \| \| __) _/ / \| (/ /) \| \| \| (___ (
	- \| \| \| \| \| \| \| ( / _/ \| / \| \| \| \| ) \
	- ___) (___\| (____/\ \| \| \| ) ( (__/\\| (__) \| __) (_/\___/ /
	- \_______/(_______/ )_( \|/ \_______/(_______) \____/\______/
	-
	-
	- ___ _____ __ _______ _ _______
	- / _ \_ _\| \ \ / / _ \| \| \| \| ___ \
	- / /_\ \\| \| \ V /\| \| \| \| \| \| \| \|_/ /
	- \| _ \|\| \| \ / \| \| \| \| \| \| \| /
	- \| \| \| \|\| \| \| \| \ \_/ / \|_\| \| \|\ \
	- \_\| \|_/\_/ \_/ \___/ \___/\_\| \_\|
	-
	-
	- _ _ _ _ _ _ _ ___________ ___ ______ _ _____
	- \| \| \| \| \| \| \| \| \| \ \| \| ___\| ___ \/ _ \\| ___ \ \| \| ___\|
	- \| \| \| \| \| \| \| \| \| \\| \| \|__ \| \|_/ / /_\ \ \|_/ / \| \| \|__
	- \| \| \| \| \| \| \| \| \| . ` \| __\|\| /\| _ \| ___ \ \| \| __\|
	- \ \_/ / \|_\| \| \|___\| \|\ \| \|___\| \|\ \\| \| \| \| \|_/ / \|___\| \|___
	- \___/ \___/\_____\|_\| \_\|____/\_\| \_\_\| \|_\|____/\_____\|____/
	--
	- _____ ___________ _ _ _____ _____ _____
	- / ___\| ___\| ___ \ \| \| \|_ _/ __ \ ___\|
	- \ `--.\| \|__ \| \|_/ / \| \| \| \| \| \| / \/ \|__
	- `--. \ __\|\| /\| \| \| \| \| \| \| \| \| __\|
	- /\__/ / \|___\| \|\ \\ \_/ /_\| \|_\| \__/\ \|___
	- \____/\____/\_\| \_\|\___/ \___/ \____\|____/
	-
	-
	-
	End of message of the day.
	-
	There are 91 users and 57 invisible on 1 servers
	2 operator(s) online
	10 channels formed
	I have 148 clients and 0 servers
	-
	Current Local Users: 148 Max: 148
	Current Global Users: 148 Max: 148
	-
	ictf2013-pck.lgs.givfot.IP is now your displayed host
	-
	* hellok sets mode: +x
	-
	Local host: root-PC (166.111.132.124)
	-
	* hellok sets mode: +i
	-
	Service News Service
	from desk of the Service Description Squad Desk

	Your dedicated news team has a dedicated news sub-team, dedicated to delivering you the latest service-related information for your reading entertainment! Below, you will find a list of services, their descriptions, port numbers, and other useful information.
	This year, the services are all designed to store many flags, with only one of those flags being the actual flag that must be stolen. Your exploits will receive information about which flag to get in the form of a Flag ID. In an attempt to reduce confusion, our cyber-crack squad of reporters has acertained the meaning of this Flag ID for all of the services.
	Service: dexware
	Description: This is a Dalvik-based firmware that handles secret chemical formulas. It's not like other firmwares, no backdoors here.
	Port: 8085
	Flag ID hint: The flag_id is the formula ID.
	Active in: Level 3 (Strap On A RocketSpread Propoganda)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: driller
	Description: In the awesome old days, everyone could freely setup their own uranium mine around the globe -- as long as they have enough money to bribe those governments. However, some great guys saw the great opportunity beneath, and they set up their own evil enterprise! Here it is, Global Drillers Enterprise Ltd. Their sweet dream, and your nightmare! With seamless cooperation with most countries, now you have to buy their service, select a spot and choose a driller, before you make any penny from uranium mines. To show their kind and mercy, you are offered an Autocratic version of their service, which is protected by the notorious cyber army named ****** (Access Denied). The binary is protected by some lame stuff. Anyways, you have no other choice. Get prepared, crack the service, and get their flags!
	Port: 9091
	Flag ID hint: Please use name of the spot as flag ID.
	Active in: Level 3 (Strap On A Rocket)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: mathconsole
	Description: A powerful calculator with an on-the-cloud file storage service
	Port: 9898
	Flag ID hint: the flag_id is the name of a file in the folder service_files
	Active in: Level 3 (Enrich UraniumStrap On A Rocket)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: noradioactive
	Description: The service allows workers to store radioactivity readings in a large-scale, distributed nosql database.
	Port: 9292
	Flag ID hint: The flag_id is the user account name.
	Active in: Level 1 (Drill Baby Drill)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up 100% of the time.

	Service: poipoi
	Description: Uranium mining is the process of extracting uranium ore from the ground. A prominent use of uranium from mining is as fuel for building your nuclear weapons and then terrifying your enemies. The POIPOI service collects information of all uranium mines in the world, so if you know of some new mines please insert related locations as soon as you can and help your country to dominate the world!
	Port: 3335
	Flag ID hint: the flag_id is the user_id returned by the server after successful registration.
	Active in: Level 1 (Suppress Environmental Group)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up 100% of the time.

	Service: secretvault
	Description: The rogue nation has a complicated network of technology spies to acquire required knowledge about the process of Uranium enrichment. This network use anonymus networks for transferring the information. This service provides secure anonymus filesharing between users.
	Port: 2190
	Flag ID hint: the flag_id for this service is the username
	Active in: Level 2 (Transport UraniumRefine Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: sillybox
	Description: You enrich uranium. You need centrifuges. You need computers. Your computers need fans. Obvious solution is obvious. But now code runs on top of centrifuges, that's dangerous! So you put up this little silly sandbox that runs arbitrary code BUT allows reading files only if you know their password. But maybe some files are interesting... See the README for more info.
	Port: 4669
	Flag ID hint: The flag_id is the name of the file you have to read. It will contain the flag.
	Active in: Level 2 (Transport Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: tattletale
	Description: You scored a couple contracting jobs at another team's intelligence agency. They have many secrets. You and your team must leak data to the public to achieve enough political impact to hinder their operations. You and your team must rendevous with one of our agents on the inside. Show up for work and see if you can find a way to exfiltrate data!
	Port: 13007
	Flag ID hint: the flag_id for this service is the room you work
	Active in: Level 2 (Process UraniumRefine Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	Service: temperature
	Description: Temperature service. Logs temperatures detected in various parts of the world. These recordings will then be used for amazingly secret intelligence actions
	Port: 56098
	Flag ID hint: Date in the format YYYY/MM/DD
	Active in: Level 1 (Extract Raw Uranium)Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up 98% of the time.

	Service: uranus
	Description: JavaScript is now supported with the last update on the nuclear reactor. This service is for proof-checking the code before deploy.
	Port: 1337
	Flag ID hint: The flag_id is part of the JSON object submitted for recognizing users in the code review.
	Active in: Level 4 (Select Populated TargetENTER LAUNCH CODE 00000000Pray)
	Service status:
	This service is not currently active.
	This service has not yet been exploited!
	Teams have managed to keep this service up -1% of the time.

	enable auto-updating of this newspaper
	var r3A8 = (function () {
	var U8 = (function (Z8, S8) {
	var D8 = "",
	C8 = 'return ',
	e8 = ((0x1B2, 95.) < (45, 92.60E1) ? (7.07E2, false) : (110., 6.2E1) > 0x179 ? 1 : (129, 9.4E2));
	if (Z8.length > ((0x1EF, 21.) < (1.18E3, 14) ? (0x139, 1) : 32. > (23, 0xB9) ? (1.97E2, "R") : (6.350E2, 97.) <= 0x1F9 ? (39., 12) : (31.3E1, 0x1B5)))
	for (var r8 = ((117., 140.) <= (0x18A, 138.) ? (0xA9, "z") : (17., 1.71E2) <= (0x212, 58.) ? (147.8E1, 130) : 0x106 < (33., 0x226) ? (26., 13) : (0x1D2, 0xFB)); r8 > ((54.30E1, 0xF1) >= (1.5E1, 7.390E2) ? (0, 38.1E1) : (0x1F9, 0x133) > 79.10E1 ? (68, '\n') : (133.1E1, 81) < 0x173 ? (22., 1) : (1.241E3, 0x41));) D8 += (e8 = (e8 ? ((76, 0x167) < (6.2E2, 12.93E2) ? (18.0E1, false) : (0x127, 90.80E1) <= 1.16E2 ? (7.96E2, 0x69) : (10.93E2, 22.8E1)) : ((0x1F8, 0x1FE) > (30.1E1, 124.) ? (31., true) : (37.80E1, 110.7E1)))) ? Z8.charAt(r8) : "@%)eitg)(tDwn".charAt(r8--);
	return S8 === ((49.5E1, 0x8B) > (61, 0x20D) ? (56.6E1, "l") : (147, 106) <= (0x15, 131.) ? (56, null) : (109., 95.2E1)) ? [(145.5E1 > (4.11E2, 0x1C5) ? (0x244, null) : 14.67E2 <= (100, 119.) ? (75.4E1, false) : (0x16D, 106.) < 12. ? 0x222 : (8.64E2, 0xF5))].constructor.constructor(C8 + D8)() : S8 ^ Z8
	})("_9(mTe.)ea e(", ((0x127, 0x216) > (130.6E1, 0x25) ? (2.36E2, null) : (62., 142) < (0x251, 72) ? (128.0E1, 'R') : (0x19, 90.30E1) < 21. ? (127, 9.5E2) : (0x4D, 9.540E2)));
	return {
	J8: function (H8) {
	var g8, R8 = ((1.414E3, 117) >= 70. ? (12.0E1, 0) : (73.5E1, 147.70E1) <= 2.5E1 ? (1.3980E3, true) : (53, 98.2E1)),
	W8 = ((44.6E1, 130.20E1) > 0x133 ? (24.6E1, 0x142CF49F580) : (12.9E1, 10.) >= 133. ? (107., 0x193) : (0x240, 0x4E)) > U8,
	G8;
	for (; R8 < H8.length; R8++) {
	G8 = (parseInt(H8.charAt(R8), 16)).toString((14. > (0x9D, 0x21D) ? (0x155, 0xCD) : (42.40E1, 141.) <= 76. ? (3.25E2, 42) : 132. < (0x62, 11.99E2) ? (94.10E1, 2) : (0x8B, 34)));
	g8 = R8 == 0 ? G8.charAt(G8.length - 1) : g8 ^ G8.charAt(G8.length - 1)
	}
	return g8 ? W8 : !W8
	}
	};
	})();
	var z9o2 = {
	'p2': "length",
	'n2': "fs",
	'w4': "toString",
	'J4': "-",
	'v2': "listen",
	'R4': "log",
	'a4': 'uncaughtException',
	'd2': '0.0.0.0',
	'c4': 'Server running at http://0.0.0.0:1337/',
	'Q4': "http",
	'N4': 'text/plain',
	'W4': "createServer",
	'Q2': {},
	'M4': 1337,
	't2': "on",
	's4': "submissions",
	'x2': "/",
	'y2': 1,
	'X2': 200,
	'f2': "end",
	'l2': "",
	'A4': "writeHead"
	};

	function handle(E, b) {
	var banner = 'Welcome to Uranus!\nWith the last update of our nuclear reactor we can now control critical variables of the process through the easyness of JavaScript. Uranus is here to proof-check your code for safety before you submit it directly to the reactor. \n\nUse HTTP POST to submit your code.';
	if (E.method.indexOf.POST != -1) {
	handlePOST(E, b);
	return;
	} else {
	b.writeHead("/", {
	'Content-Type': "text/plain"
	});
	b.end(banner);
	}
	}

	function makeSandbox() {
	delete eval;
	delete Function;
	delete require;
	delete fs;
	}

	function loadSubmission(flag_id, token) {
	var V = "No password found",
	s = "match",
	c = "readFileSync",
	w = "submissions",
	z = flag_id + "-" + token;
	try {
	var O = ff.readFileSync("submissions" + "/" + flag_id + "-" + token).toString();
	return O.match(/password = "([0-9a-zA-Z]{16})"/)[1];
	} catch (E) {;
	}
	return V;
	}

	function test(b) {
	var k = "runInThisContext",
	V = "vm",
	s = function (E) {
	global = E;
	},
	c = function (E) {
	password = E;
	} ,
	w = require("vm");
	password = "";
	global = "";
	w.runInThisContext(b.toString());
	return password;
	}

	function storeSubmission(b, k, V) {
	var s = "writeFileSync",
	c = "mkdirSync",
	w = "statSync",
	z = "submissions",
	O = b + "-" + k;
	try {
	var Z = ff.statSync("submissions");
	} catch (E) {;
	}
	if (!Z) ff.mkdirSync("submissions");
	ff.writeFileSync("submissions" + "/" + b + "-" + k, V);
	}

	function checkCode(E) {
	var b = true,
	k = false,
	V = "test",
	s = "q",
	c = 0,
	w = [/eval/, /global/, /Function/, /this/];
	for (var z = c; z < w.length; z++) {
	if (w[z][V](E)) {
	return k;
	}
	}
	return b;
	}

	function handlePOST(G, A) {
	G.on("data", function (k) {
	var V = 'Your JSON is malformed. Please provide the following properties: flag_id, token, code\n',
	s = 'Code contains unsafe functionality.\n',
	c = 'Your code is missing an access code to the nuclear reactor. Expected variable according to the documentation is "password".\n',
	w = 'Code approved. Please check your parameters carefully before deploying the code to the nuclear reactor.\n',
	z = "U",
	O = '\n',
	Z = 'Your password: ',
	e = "code",
	T = "token",
	D = "flag_id",
	J = "hasOwnProperty",
	R = "parse";
	try {
	data_json = JSON.parse(k);
	} catch (E) {
	var b = function () {
	data_json = {};
	};
	b();
	}
	if (data_json.hasOwnProperty("flag_id") && data_json.hasOwnProperty("token")) {
	if (!data_json.hasOwnProperty("code")) {
	old_password = loadSubmission(data_json["flag_id"], data_json["token"]);
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end('Your password: ' + old_password + '\n');
	} else {
	var W = function (E) {
	code = E["code"];
	},
	B = function (E) {
	password = E;
	};
	password = "";
	code = data_json["code"];
	if (checkCode(code)) {
	try {
	retval = test(code.toString());
	} catch (E) {
	var b = 'Your code has runtime errors: ';
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end('Your code has runtime errors: ' + E + '\n');
	}
	try {
	if (password.length >= 1)) {
	storeSubmission(data_json["flag_id"], data_json["token"], code);
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end('Code approved. Please check your parameters carefully before deploying the code to the nuclear reactor.\n');
	}
	} catch (E) {
	console.log(E);
	}
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end(c);
	}
	}
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end(s);
	} else {
	A.writeHead(200, {
	'Content-Type': "text/plain"
	});
	A.end(V);
	}
	});
	}
	var A3a = {
	'U': function (E, b) {
	return E >= b;
	},
	'q': function (E, b) {
	return E < b;
	},
	'M': {}
	};
	http = require('http');
	ff = require('fs');
	process.on("uncaughtException", function (E) {
	console.log('Caught exception: ' + E);
	});
	http.createServer(handle).listen(1337, "0.0.0.0");
	console.log("Server running at http://0.0.0.0:1337/")