NorthSec - Applied Security Event

NorthSec: The largest cybersecurity competition and conference in Canada

NorthSec is a non-profit organization that runs a conference, a "Capture-The-Flag" (CTF) security competition and training sessions. With more than 400 participants on site for the competition, it is the largest competition of its kind in the world.

The conference, now in its 3rd year, attracts international speakers with exclusive technical content. The addition of workshops should appeal to the most seasoned binary hackers.

Two 3-day training sessions are offered before the conference: "Advanced Web Application Security" by Philippe Arteau and "Malware and Memory Forensics" by Michael Ligh, co-author of the books "Malware Analyst's Cookbook" and "The Art of Memory Forensics".

NorthSec takes place at the Marché Bonsecours in Montreal's Old Port in the spring, from May 15 to 21, 2017.

The presentation will cover:

- The plan for 2017
- What sets NorthSec apart
- How to balance a competition between beginners and experts
- How to build a container-based infrastructure that serves 50 teams on a few servers without any of them sharing virtual machines
- How to make sourdough bread at scale
- A look at a few challenges and their solutions

The speakers:

- Gabriel Tremblay, President, Delve Labs
- Olivier Bilodeau, VP Training, Co-founder of MontréHack, GoSecure
- Pierre-David Oriol, VP Conferences, Delve Labs
- Benoit Guérette, VP Partnerships, Desjardins
- Laurent Desaulniers, Flag Weaver, Bell Canada

OWASP Montréal

April 04, 2017

Transcript

  1. NORTHSEC
    CANADA’S LARGEST NON-PROFIT CYBERSECURITY
    CAPTURE-THE-FLAG & CONFERENCE
    MAY 2017

  2. AGENDA
    Our Capture-The-Flag (CTF)
      Intro to the CTF
      Previous scenarios
      Balance a Competition
      Scale an Infrastructure
      MD5 Collision Challenge (bonus)
      Scale Sourdough Bread
      Build 600 hardware badges (bonus)
    Coming in NorthSec 2017
      Conference
      Training
      Social Events
      Sponsorship

  4. CAPTURE THE FLAG (CTF)
    ❏ Largest on-site CTF in the World*
    ❏ Scenario-driven
    ❏ Several types of challenges
      ❏ Forensics
      ❏ Cryptography
      ❏ Web Application Security
      ❏ Reverse Engineering
      ❏ Exploitation
      ❏ Lockpicking
    *: according to our own non-scientific survey, which consisted of asking on Twitter what the “largest in-person CTF” is and
    verifying that our event was larger than the one we were told about

  5. PAST CTF SCENARIOS
    ❏ 2013: Onionotar
    ❏ 2014: Associated Nation Organization (ANO)
    ❏ 2015: Revolution against Rao’s Intricate Kingdom
    ❏ 2016: Marcus Madison Bakery
    ❏ 2017: ???

  6. 2016 CTF IN NUMBERS
    ❏ 39 teams
    ❏ 8310 submitted flags
    ❏ 951 valid flags (11.4%)
    ❏ 330 participants
    ❏ 42 volunteers
    ❏ 500 liters of locally-roasted coffee
    ❏ 950 liters of craft beer on tap
    ❏ 768 Bottles of Prime Mate

  7. HOW TO BALANCE CHALLENGES
    BETWEEN EXPERTS AND BEGINNERS
    ❏ Problem: Over 40 challenges per year!
    ❏ Problem: Over 20 challenge designers with different skill sets, etc.
    ❏ Problem: Multiple crowds with different skill levels (students, government, enterprise, professional testers)

  8. TESTS, TESTS, TESTS
    ❏ A good challenge is:
    - Easy to understand WHAT to do
    - Easy/Hard/Tough to know HOW to do it
    - TESTED, in production, by people *other* than the designer

  9. AN EASY TRACK
    ❏ Solid success: every year we have an “easy” track. It lets pros warm up their elite muscles while entry-level participants get a chance to learn.
    ❏ 1- Web4kids
    ❏ 2- N00bZone
    ❏ Mystery in 2017 :)

  10. MIXED AUDIENCE
    ❏ In the past, one team took the whole weekend to install
    Kali Linux
    ❏ Other participants found 0-days in PhpSimpleCatcha,
    Chrome and MongoDB

  11. CTF INFRASTRUCTURE

  12. EVERYONE LIKES NUMBERS, RIGHT?
    ❏ 41 Internet simulations
    ❏ 82 Windows virtual machines
      2 per team
    ❏ 11387 Linux containers
      277 per team + 30 infrastructure, about 2850 per host
    ❏ 10004 BGP routers
      244 per team
    ❏ 3324895 IPv6 routing table entries
      81095 per team

  13. WHAT DOES THAT ALL RUN ON?

  14. LXD - THE CONTAINER LIGHTERVISOR

  15. THE ACTUAL SETUP
    Diagram: two SuperMicro hosts and two HP hosts driven through the LXD API, labelled 4432, 4432, 1108 and 1108 containers respectively, with a row of VMs underneath.

  16. ONE OF MANY SIMULATIONS
    nsec-infra@management01:~$ lxc exec n-contest12:team00 -- lxc list
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | bgp-51merica01 | RUNNING | | 9000:3201::9f30:6bb4:9123:17a2 (local) | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | bgp-51merica02 | RUNNING | | 9000:3201::dc41:4eac:a4c5:7317 (local) | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    … a few hundred of those later
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | ctn-4chin1 | RUNNING | | 9000:470:abcd:4242::bced (eth0) | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | ctn-apiSploit | RUNNING | | 9000:470:b2b5:1000:8ace:bbeb:0:1986 (eth0) | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    … a few dozen of those later
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | tpl-base | STOPPED | | | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+
    | tpl-php-nginx-v1 | STOPPED | | | PERSISTENT | 0 |
    +--------------------+---------+------+-----------------------------------------------+------------+-----------+

  17. I SAID, WE SIMULATE THE INTERNET!
    ~ # mtr core01.tor.rednet.net.ctf --report
    Start: Sat Aug 20 22:16:35 2016
    HOST: bgp-ggs05 Loss% Snt Last Avg Best Wrst StDev
    1.|-- gw.busan.toto.in.ctf 0.0% 10 0.5 0.6 0.4 1.5 0.0
    2.|-- gw.shanghai.toto.in.ctf 0.0% 10 14.7 14.9 14.6 15.2 0.0
    3.|-- gw.hongkong.toto.in.ctf 0.0% 10 32.6 32.9 32.6 35.1 0.6
    4.|-- gw.singapore.toto.in.ctf 0.0% 10 70.7 70.8 70.6 71.4 0.0
    5.|-- gw.kualalumpur.toto.in.ct 0.0% 10 74.8 74.9 74.7 75.1 0.0
    6.|-- gw.yangon.toto.in.ctf 0.0% 10 94.9 95.0 94.7 96.5 0.5
    7.|-- gw.kathmandu.toto.in.ctf 0.0% 10 119.6 120.5 118.9 131.4 3.8
    8.|-- gw.karachi.toto.in.ctf 0.0% 10 149.3 150.0 149.1 156.6 2.3
    9.|-- gw.dubai.toto.in.ctf 0.0% 10 167.3 167.2 167.1 167.5 0.0
    10.|-- gw.doha.toto.in.ctf 0.0% 10 173.6 173.4 173.2 173.6 0.0
    11.|-- gw.jerusalem.toto.in.ctf 0.0% 10 202.3 201.6 201.4 202.3 0.0
    12.|-- gw.antalya.toto.in.ctf 0.0% 10 212.0 211.7 211.3 213.0 0.3
    13.|-- gw.istanbul.toto.in.ctf 0.0% 10 219.8 219.8 219.5 220.5 0.0
    14.|-- gw.bukarest.toto.in.ctf 0.0% 10 228.6 227.9 227.5 228.6 0.0
    15.|-- gw.zurich.toto.in.ctf 0.0% 10 256.1 255.9 255.7 256.2 0.0
    16.|-- pop11.zurich.tp.net.ctf 0.0% 10 255.6 255.8 255.6 256.0 0.0
    17.|-- po7.london.tp.net.ctf 0.0% 10 273.1 273.3 273.1 273.9 0.0
    18.|-- pop8.ny.tp.net.ctf 0.0% 10 392.9 393.1 392.9 393.8 0.0
    19.|-- pop1.toronto.tp.net.ctf 0.0% 10 403.1 403.4 403.1 403.9 0.0
    20.|-- gw01.tor.videopacman.net. 0.0% 10 402.8 403.1 402.8 403.5 0.0
    21.|-- core01.tor.rednet.net.ctf 0.0% 10 402.8 405.4 402.8 415.5 4.3

  18. NORTHSEC 2017
    ❏ New servers
    All our contest servers will now be identical
    ❏ New scoring system
    Askgod is being rewritten to improve scalability
    ❏ Unified networks
    The same setup will now be used for trainings, conference and CTF
    ❏ Even less IPv4
    Even our guest network will be IPv6-only
    ❏ Upgrade to Ubuntu 16.04
    Keeping up with the latest Ubuntu LTS releases

  19. GITHUB.COM/NSEC
    ❏ the-internet
    ❏ nsec_badge
    ❏ askgod

  20. CHALLENGE: MD5 COLLISION

  21. MD5 HASH COLLISION CHALLENGE
    ❏ In the context of the “Marcus Madison Bakery”,
    you were hired as a pentesting consultant and asked to perform various tasks.
    ❏ For the “Strawberry Strudel Maker” challenge
    you had to code review the system's update manager.
    ❏ It was presented at MontréHack - find it on GitHub
    https://github.com/montrehack/challenges/tree/master/2016-06-20/Proulx-RC4-MD5_Collision

  22.-27. CHALLENGE - MD5 COLLISION (image-only slides)

  28. CHALLENGE - MD5 COLLISION
    Hint #1 - The scenario
    ❏ It’s a code review challenge
    Check the HTML source
    ❏ Notice an odd comment and a debug trace
    Try going to /?support=authorized
    ❏ Notice a new hidden block with a POST form
    Change its CSS to display: block to show it
    ❏ Try uploading a file
    Nothing happens
    ❏ Notice debug = false
    Change it to debug = true before uploading
    ❏ Notice the block giving the expected file name and file hash

  29. CHALLENGE - MD5 COLLISION (image-only slide)

  30. CHALLENGE - MD5 COLLISION
    Hint #2 - The real challenge
    ❏ MD5 collision to the rescue!
    ❏ Huh…
    Very few practical attacks are realistic within a 2-day competition
    NO, we are NOT expecting you to buy $500 worth of EC2 GPGPU time to
    run a fancy tool like HashClash
    ❏ There are simpler, faster attacks
    BUT they require some very “special conditions”
    ❏ Of course, this is a challenge meant to be cracked
    So those “special conditions” are probably present
    ❏ You need one file that matches your target hash
    Look under the rug… leftover static files, maybe?

  31. CHALLENGE - MD5 COLLISION
    Hint #3 - The magic bytes!
    ❏ Look very, very carefully at every byte in that special file
    ❏ Remember, Marcus asked you to do a code review
    ❏ Oh look, there’s a command injection vulnerability!
    ❏ But… you cannot use it unless…
    ❏ And AGAIN, you don’t need a $1000 AWS cluster

  32. CHALLENGE - MD5 COLLISION
    Hint #4 - The evil cryptographer
    ❏ In that special file, there’s the name of a person…
    ❏ Apparently it’s the person who designed the Strudel
    Maker update manager cryptosystem…
    ❏ Xiaoyun Wang
    ❏ Look up her academic work…
    ❏ Maybe she published some tools along with her work?

  33. CHALLENGE - MD5 COLLISION
    Hint #5 - The Aha moment!
    ❏ Get the `fastcoll` tool by Marc Stevens
    ❏ Study very carefully how it actually works

  34. CHALLENGE - MD5 COLLISION (image-only slide)

  35. CHALLENGE - MD5 COLLISION
    $ ls
    license_validator-NORMAL.py license_validator-SOLVED.py
    $ md5 *
    MD5 (license_validator-NORMAL.py) = 8280b4a5ea2300582e4590225ba415e4
    MD5 (license_validator-SOLVED.py) = 8280b4a5ea2300582e4590225ba415e4
    $ shasum *
    c87a36ecd716906be60a6697492efa6467f10898 license_validator-NORMAL.py
    ed4fd00b919abfc454cfeacbe626c96e6a677cec license_validator-SOLVED.py
    $ xxd license_validator-NORMAL.py > 1 && xxd license_validator-SOLVED.py > 2
    $ diff 1 2
    6,8c6,8
    < 00000050: 65ca a9c6 5ea2 dee0 46f2 82c1 eb1e 8c97 e...^...F.......
    < 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a181 7766 ....p.\...E...wf
    < 00000070: fed8 0e68 ba7f ac56 f914 fe73 d425 892e ...h...V...s.%..
    ---
    > 00000050: 65ca a946 5ea2 dee0 46f2 82c1 eb1e 8c97 e..F^...F.......
    > 00000060: 141b bff3 70ec 5cc3 cbcf 4503 a101 7866 ....p.\...E...xf
    > 00000070: fed8 0e68 ba7f ac56 f914 fef3 d425 892e ...h...V.....%..
    10,12c10,12
    < 00000090: 493e 7b57 df49 13ea 7e7b cb4b 5b61 a341 I>{W.I..~{.K[a.A
    < 000000a0: a260 ad8e 8405 7316 9a8f eb90 c438 6b2f .`....s......8k/
    < 000000b0: 9252 d7bb a50d 9a09 8467 677b 17ec 7248 .R.......gg{..rH
    ---
    > 00000090: 493e 7bd7 df49 13ea 7e7b cb4b 5b61 a341 I>{..I..~{.K[a.A
    > 000000a0: a260 ad8e 8405 7316 9a8f eb90 c4b8 6a2f .`....s.......j/
    > 000000b0: 9252 d7bb a50d 9a09 8467 67fb 17ec 7248 .R.......gg...rH

  36. CHALLENGE - MD5 COLLISION
    SOLUTION
    ❏ Get the “GOOD” license_validator.py
    ❏ Get the `fastcoll` tool from Marc Stevens
    ❏ Study the code
    ❏ Notice that you can modify it slightly to do your bidding
    ❏ Change it so that the GOOD file path can be passed on `argv`
    ❏ If you want to modify the least amount of code, you may
    need to massage the file before processing it
    ❏ Boom - EVIL license_validator.py
    ❏ Upload evil
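
    The hints and solution above describe the construction without showing it. What follows is an added example, not the challenge's own code nor anything from the NorthSec repositories: it reproduces the mechanism with the public identical-prefix MD5 collision pair published by Wang et al. in 2004, appends a constructed stand-in for the script body shared by both files, and shows that an update manager comparing MD5 against the known-good file accepts both while a model of the shared body branches on which blob it finds. The `UpdateManager`, `branch_taken` and `pad_prefix` names, the body text and the SHA-256 variant are this example's assumptions. The challenge files were produced with `fastcoll`, which computes such a pair after any 64-byte-aligned prefix you supply (hence the "massage the file" hint); that is why the slide-35 hexdump shows the word-4/11/14 differences starting at offset 0x40 rather than at 0. The Wang pair collides only from MD5's standard IV, so here the blobs sit at the start of the file.

```python
"""Identical-prefix MD5 collision turned into two files with one MD5 and two
behaviours, modelled on the 'Strawberry Strudel Maker' update-manager
challenge. Added example: not the challenge's own code."""
import hashlib

# Public identical-prefix MD5 collision pair published by Wang et al. (2004),
# transcribed from the widely reproduced example. The two 128-byte blocks
# collide when hashed from MD5's standard IV, so in this stand-alone script
# they sit at file offset 0. fastcoll computes an equivalent pair after any
# 64-byte-aligned prefix you supply, which is what lets a script header come
# first in the real challenge files.
BLOCK_GOOD = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
BLOCK_EVIL = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Constructed stand-in for the script body that follows the blob in BOTH files.
# MD5 is Merkle-Damgard: once the two blobs leave the compression function in
# the same state, any identical suffix keeps the hashes identical.
BODY = (b"\n# license_validator.py body, identical in both files (model)\n"
        b"# if blob == hardcoded good blob: validate licence\n"
        b"# else: run the command-injection path\n")


def pad_prefix(prefix: bytes) -> bytes:
    """The 'massage the file' step: pad a script header to a 64-byte boundary
    so fastcoll's collision blocks start block-aligned. The padding is a line
    of '#' characters, so the header stays a valid Python comment."""
    need = (-len(prefix)) % 64
    if need == 0:
        return prefix
    return prefix + b"#" * (need - 1) + b"\n"


def build_file(block: bytes, body: bytes = BODY) -> bytes:
    """Assemble one of the two colliding files: collision blob, then shared body."""
    return block + body


def digest(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


class UpdateManager:
    """Model of the challenge's update manager (hypothetical name): an upload is
    installed only if its hash equals the hash of the known-good
    license_validator.py. With algo="md5" the check is bypassable; with
    "sha256" the colliding upload is rejected."""

    def __init__(self, trusted_file: bytes, algo: str = "md5"):
        self.algo = algo
        self.trusted = digest(trusted_file, algo)

    def accept(self, upload: bytes) -> bool:
        return digest(upload, self.algo) == self.trusted


def branch_taken(script: bytes) -> str:
    """Model of what the shared body does at run time: compare the embedded
    128-byte blob with a hardcoded copy of the good blob. Only the file that
    carries the other collision block reaches the injection path."""
    blob = script[:128]
    return "validate-licence" if blob == BLOCK_GOOD else "command-injection"


def demo() -> dict:
    good = build_file(BLOCK_GOOD)
    evil = build_file(BLOCK_EVIL)
    weak = UpdateManager(good, "md5")
    strong = UpdateManager(good, "sha256")
    return {
        "same_md5": digest(good, "md5") == digest(evil, "md5"),
        "same_sha1": digest(good, "sha1") == digest(evil, "sha1"),
        "md5_manager_accepts_evil": weak.accept(evil),
        "sha256_manager_accepts_evil": strong.accept(evil),
        "good_branch": branch_taken(good),
        "evil_branch": branch_taken(evil),
        # Bytes that differ: words 4, 11 and 14 of each 64-byte block, the same
        # positions the slide-35 hexdump shows (there shifted by a 64-byte prefix).
        "diff_offsets": [i for i, (a, b) in enumerate(zip(good, evil)) if a != b],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Running it shows `same_md5` true and `same_sha1` false, the MD5-based manager accepting the evil file and the SHA-256 one rejecting it. Note what the attacker needs: authorship of both files, since the collision is between two blobs they generated, which is exactly the "special condition" Hint #2 alludes to.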


  37.-39. CHALLENGE - MD5 COLLISION (image-only slides)

  40. CHALLENGE - MD5 COLLISION
    You got the flag!
    Submit to AskGod for fun and profit $ !
    The takeaway:
    ❏ Identical-prefix MD5 collisions, the kind `fastcoll` produces, are trivial: seconds on a laptop
    ❏ Chosen-prefix collisions (two different, attacker-chosen prefixes) are the expensive HashClash case from Hint #2
    ❏ Similar collisions on SHA-1 have been demonstrated (SHAttered, 2017)
    ❏ This specific type of collision has limited relevance in practice: the attacker must author both colliding files, so it defeats hash-based integrity checks on attacker-supplied content but does not let you forge a match for an arbitrary existing file

  41. OP MARCUS DEI

  42. NORTHSEC AND THE 10X THINKING

  43. 2015 2016 2017
    THE BADGE EVOLUTION
    ?

  44. HW FEATURES
    ❏ 2 ARM microcontrollers
      Nordic nRF51
      STM32
    ❏ Bluetooth Low Energy (BLE)
    ❏ Full-stack USB
    ❏ Touch buttons
    ❏ OLED display

  45. WHY HAVE AN ELECTRONIC BADGE?
    ❏ Identify participants, but also...
    ❏ A handy way to carry the conference schedule
    ❏ An educational approach to embedded security
    ❏ Uses modern technology (USB, BLE, ARM)
    ❏ A low-cost platform for hacking the badge software
    ❏ Badge software source code available
    ❏ Interesting challenges for the CTF competition
    ❏ Promotional item for the event

  46. IMPROVE YOUR SKILLS
    ❏ Use all those fancy embedded security tools that you
    bought over the years
    ❏ Applied electronics
    ❏ Reverse engineer and write exploits
    ❏ Gain code execution to dump the chip
    ❏ Play with the USB stack
    ❏ Bluetooth security
    ❏ ...keep your Tamagotchi alive

  48. BADGE - THE MAKING OF
    1. Plan the features you want for your badge
    2. Sum the price of all the components you need
    3. If it’s too expensive for your budget GOTO 1
    4. Make schematics and a cool design
    5. Create prototypes
    6. Test prototypes
    7. Write the challenges
    8. Press the button to make N copies
    9. Profit! Stress so it arrives on time for the conference...

  53. CONFERENCE
    ❏ Why another infosec conference?
    Vision
    ❏ What’s new this year?
    Workshops (new this year) and talks
    ❏ Keynote: Richard Thieme
    ❏ James Kettle (Burp)
    ❏ Babak Javadi (Toool / alarm systems)
    ❏ Thomas Pornin (Infosec StackExchange)
    ❏ Analysts from the Office of the Privacy Commissioner of Canada (priv.gc.ca)

  54. TRAINING
    ❏ Malware and Memory Forensics
    by Michael Ligh
    Author of The Art of Memory Forensics and Malware Analyst's Cookbook
    Core contributor to the Volatility Framework
    ❏ Advanced Web Application Security
    by Philippe Arteau
    Author of the static code analysis tools Find-Security-Bugs and Roslyn Security
    Guard
    Presented at Black Hat USA, JavaOne and more
    Found vulnerabilities in Google Chrome, Dropbox, PayPal, RunKeeper and
    Jira
    ❏ Training sessions include
    Full access to the conference
    Lunch, coffee, refreshments and the networking event

  55. SOCIAL EVENTS
    ❏ Hacker Jeopardy
    6th edition May 20th
    Open to the public
    ❏ Arcade MTL Party

  56. SPONSORS & PARTNERS

  57. SPONSORS & PARTNERS
    What we do for our participants with regard to sponsorship &
    partnership:
    ❏ NorthSec is presented by our awesome volunteers;
    there will be no “NorthSec presented by __sponsor__”.
    ❏ We do not exchange emails/contact info for $$$ (every
    year someone asks for it)
    ❏ Call-For-Papers open to everyone, no sponsored talks
    ❏ Talks are selected on merit only

  58. SPONSORS & PARTNERS
    ❏ Yearly vote by all the volunteers on the acceptable
    sponsor & partner types, in line with our values and mission.
    ❏ Chill room and a limited vendor area mixed together to
    create the right ambiance.
    ❏ No vendor area and limited visitor access during the
    CTF: concentration is everything!
    ❏ Sponsored fresh local croissants and bagels for
    everyone (we pick them up at 5am for you)
    ❏ Contact [email protected]

  59. THE TEAM (PART OF)

  60. YOUR SPEAKERS
    Gabriel Tremblay
    President, Delve Labs
    Pierre-David Oriol
    VP Conferences, Delve Labs
    Olivier Bilodeau
    VP Training, GoSecure,
    Co-founder of MontréHack
    Benoit Guérette
    VP Partnerships, Desjardins
    Laurent Desaulniers
    Flag Weaver, $largeISP
    François Proulx
    Senior Advisor to the Board,
    Intel Security / McAfee
    Stéphane Graber
    Infrastructure, Canonical
    Marc-Etienne M. Léveillé
    Badge Team, ESET
    Benjamin Vanheuverzwijn
    Badge Team, Google

  61. THANK YOU OWASP MONTRÉAL
    HTTPS://NORTHSEC.EVENTBRITE.COM
    YOUR FIRST FLAG - 10% OFF EVERYTHING
    you had to be there ;) >
    5th EDITION MAY 2017
    TRAINING 15th, 16th and 17th
    CONFERENCE 18th and 19th
    CTF 19th, 20th and 21st
