
RuCTFE 2015 Services Write-Ups


This is a brief description of the RuCTFE 2015 services, intended to point to the solutions and the knowledge required to hack those services and to exploit this kind of vulnerability in the future.



  1. ON
  2. SERVICES WRITE-UPS Mikhail Vyatskov aka Tris
  3. MOTIVATION “The main goal of RuCTFE is to share experience and knowledge in the computer security and to have some fun together.” — RuCTFE Rules
  4. RULES • Each team has an image • There are some services on this image • There are some vulnerabilities • Hack 'em all!
  5. MINISTRY OF LOVE Maxim Muzafarov aka m_messiah
  6. ABOUT SERVICE • Python • Tornado web server • Momoko • WebSockets
  7. WATCH CRIMES • image
  8. REPORT A CRIME • image
  9. AUTHENTICATE • image
  10. HACK IT!
  11. SQL INJECTION
  12. SQL INJECTION
  13. SQL INJECTION
  14. PROFILE SPOOFING Bind profile without authentication
  15. PROFILE SPOOFING Profile ids are visible in open crimes
  16. SAME DATABASE • Each team has a similar database • Each team has all authentication data
  17. “BACKDOOR”
  18. bit.ly/ructfe_mol_sploit
  19. MINISTRY OF TAXES Pavel Blinov aka pahaz
  20. ABOUT SERVICE • Node.js • Koa web framework • Custom router
  21. ADD PERSONAL DATA • image
  22. UPLOAD REPORT • image
  23. UPLOAD REPORT • image
  24. HACK IT!
  25. WEAK ID GENERATION
  26. WEAK ID GENERATION
  27. REMOTE CODE EXECUTION
  28. REMOTE CODE EXECUTION
  29. bit.ly/ructfe_tax_sploit
  30. ELECTIONS FOR E-DEMOCRACY Konstantin Plotnikov aka kost
  31. ABOUT SERVICE • C# + Mono • Homomorphic encryption
  32. ELECTIONS • TODO
  33. NOMINATE • image
  34. VOTE • image
  35. GET ELECTED • image
  36. HACK IT!
  37. UNFILTERED INPUT • Client-side vote generation & encryption • Vote – vector of integers • Election result – sum of votes
  38. UNFILTERED INPUT break & hack
  39. UNFILTERED INPUT • Calculations are made modulo 243 • Overflow competitor's value • Let the battle begin!
  40. WEAK PRIVATE KEY GENERATOR • Calculations are made modulo 243 = 3^5 • Private key – random number • Chance of them being non-coprime • 3 divides private key ⇒ can decrypt
  41. WEAK PRIVATE KEY GENERATOR • image
  42. WEAK PRIVATE KEY GENERATOR • image
  43. WEAK PRIVATE KEY GENERATOR • image…
  44. NASA RASA Andrey Gein aka andgein
  45. ABOUT SERVICE • PHP • MySQL
  46. REPORT A PLANET • image
  47. BROWSE DISCOVERED PLANETS • image
  48. BROWSE USERS • image
  49. HACK IT!
  50. HARDCODED DB CREDENTIALS Remember about RCE?
  51. PADSPACE COLLATION • todo ⇒2
  52. bit.ly/ructfe_collations
  53. HEALTH MONITOR Polina Zonova aka Klyaksa
  54. ABOUT SERVICE • Go • SQLite
  55. REPORT YOUR HEALTH • todo
  56. BROWSE YOUR PROGRESS • todo
  57. HACK IT!
  58. AUTHENTICATION
  59. HARDCODED SALT Plan: 1. Set up vulnbox 2. Change all passwords & keys 3. Win
  60. LENGTH EXTENSION ATTACK • uids are serial – we can guess • Over 9k tools to perform MD5 LEA
  61. INTERPLANETARY MIGRATION AUTHORITY Dmitry Titarenko aka dscheg
  62. ABOUT SERVICE • Nim • Redis
  63. KNOW CITIZENS • TODO
  64. FILL MIGRATION FORM…
  65. …BUT NOT QUITE
  66. HACK IT!
  67. HARDCODED DB CREDENTIALS And again
  68. HMAC USING EXTERNAL LIBRARY zero-padded user has the same HMAC
  69. HMAC USING EXTERNAL LIBRARY • Log in as one of the citizens • Steal flag from the filled form
  70. MODIFYING LOCAL DATA • Form data stored on client side • Form data is encrypted • AES encryption in CBC mode • No integrity checks
  71. MODIFYING LOCAL DATA • We know plaintext – JSON with filled data • We can modify ciphertext
  72. MODIFYING LOCAL DATA • todo
  73. MITM • On step 3 we need to sign a random value • Only the checker has the private key • Let’s hack the value generation function • Checker will sign everything for us
  74. bit.ly/ructfe_mig_sploit
  75. THE BANK Alexander Bersenev aka bay
  76. ABOUT SERVICE • C • Mongoose • Custom dictionary
  77. CREATE ACCOUNTS • todo
  78. TRANSFER MONEY • todo
  79. HACK IT!
  80. ACCESS LOGS bank.teamX.e.ructf.org/access.log
  81. DICTIONARY Binary Search Tree Position Independent Code
  82. DICTIONARY • Key in BST – SHA256 of the key in dict • Value – amount of money (8 bytes) • BST stored in array
  83. DICTIONARY Buffer overflow Remote code execution
  84. DICTIONARY Shell jmp to shell
  85. bit.ly/ructfe_bank_sploit
  86. RECOMMENDATIONS • Always change keys and passwords • Learn Linux administration • Stay positive & have fun!
  87. Questions?
  88. Thanks!
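The Interplanetary Migration Authority slides (MODIFYING LOCAL DATA: client-side form data under AES-CBC, no integrity check, known JSON plaintext) describe a malleability bug. The Go program below is an added example, not the service's or the author's code; the keys, IV and JSON are constructed. It shows that XORing the IV rewrites the first plaintext block without knowing the key, and that an encrypt-then-MAC tag over iv||ciphertext rejects the same change before anything is decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed demo keys and IV; the real service's values are not on the page.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("constructed-demo-mac-key")
var iv = []byte("fedcba9876543210")

// EncryptCBC returns iv||ciphertext with PKCS#7 padding and no integrity tag.
func EncryptCBC(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}
// DecryptCBC trusts whatever it is handed: this is the bug the slides describe.
func DecryptCBC(msg []byte) []byte {
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return pt[:len(pt)-int(pt[len(pt)-1])]
}

// FlipFirstBlock shows the malleability: P0 = D(C0) XOR IV, so XORing the IV at
// offset off with from^to turns known plaintext `from` into `to` without the key.
func FlipFirstBlock(msg []byte, off int, from, to string) []byte {
	out := append([]byte{}, msg...)
	for i := 0; i < len(from); i++ {
		out[off+i] ^= from[i] ^ to[i]
	}
	return out
}

// tag is HMAC-SHA256 over iv||ciphertext; Seal and Open are the encrypt-then-MAC fix.
func tag(msg []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(msg); return m.Sum(nil) }
func Seal(pt []byte) []byte { msg := EncryptCBC(pt); return append(msg, tag(msg)...) }
// Open refuses to decrypt anything whose tag does not match (or that is too short to carry one).
func Open(sealed []byte) ([]byte, bool) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size { return nil, false }
	msg, t := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag(msg), t) { return nil, false }
	return DecryptCBC(msg), true
}
```

Only the first block is shown here because flipping the IV leaves no garbled block; the same XOR applied to ciphertext block k-1 changes block k at the cost of scrambling block k-1, which a MAC check catches in exactly the same way.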
