DC416 2016 CTF Recap

Transcript

1. DC416 2016 CTF Recap by Harold Rodriguez (superkojiman)

2. Who are we? Rasta Mouse, barrebas, superkojiman We built the

   challenges

3. Shout outs Cycura (http://www.cycura.com) for being awesome sponsors Verkspace (http://verk.space)

   for hosting the event Zack for the kick-ass scoreboard that had a hidden flag Nick for orchestrating the whole thing Dolev for building the CTF infrastructure

4. Recap CTF ran on Dec 3, 2016 12 hour event

   11 teams 4 vulnerable VMs, multiple challenges of varying difficulty Winners: 1st SomeRandomName, 2nd and aleph-0

5. Pics or it didn't happen

6. –Rasta Mouse “Dick Dastardly”

7. Flag 0 Hint: It's OK to sniff the network Capture

   ICMP packets to get the first flag hidden in the ICMP data field

8. Flag 1 Use your favourite tool to enumerate the website

   Flag is in HTTP response header

9. Flag 2 admin.php: if you can login, you can whitelist

   your IP and use the IRC bot to give you a reverse shell Use report.php link to steal admin's encoded credentials in PHPSESSID

10. Flag 3 User rasta has sudo rights to run /usr/local/sbin/util.py

    as vulnhub Command injection vulnerability can be used to read the flag

11. –barrebas “Basement”

12. Flag 1 Port 10000 Hint: Python errors when you enter

    junk Python jail! Escape it to get the shell and flag

13. Flag 2 Hint: Use ps to see what's running: flag.mpg

    streamed on port 8090 The audio plays the ASCII values of the flag

14. Flag 3 Port 8080 Hint: HTTP response header contains Brainfuck

    Send URI request in Brainfuck to read any file, like ~/tyler/.ssh/ id_rsa

15. Flag 4 Hint: No one asked for one... it's XOR

    + ZIP XOR encrypted file Password protected zip file Password protected SSH keys belonging to marla

16. Flag 5 Data sent to port 10001 will be executed;

    but only the first 10 bytes Use 2-stage payload: 1st to call sys_read for larger input, 2nd to send in shellcode

17. –superkojiman “Baffle”

18. Flag 1 Find .git repo and grab with wget or

    DVCS-Pillage Diff commits 7edc and 0648 to get the flag

19. Flag 2 Commit d38c has a Base-64 encoded binary (let's

    call it CTFTP) Reverse it; use its read request to get the flag

20. Flag 3 Need to get a shell first! Exploit service

    on port 6969 to get a shell as alice Vanilla buffer overflow, ASLR, no NX Buffer stored in non- randomized address

21. Flag 3 Need authentication code for ~/bob/binz/flag_vault to get bob's

    SSH key and flag Has ASLR + NX + SSP, vulnerable to buffer overflow Authentication code is stored in a buffer; use SSP leak to get it Flag is also bob's SSH password

22. Flag 4 Exploit ~/bob/binz/ctfingerd to get charlie's flag ctfingerd reads

    ~/.plan but we control the username Get flag using charlie//////// flag.txt

23. Flag 5 Exploit ctfingerd to get a shell as vulnhub

    /home/vulnhub/flag.txt is fake, so previous trick won't work Has ASLR + NX + SSP Uses fork(); child process inherits parent's stack canary and memory. Brute force stack canary! Leak function from GOT by returning to write@plt and calculate libc base address. Let's us find the address of any function in libc. ASLR defeated! Return to mprotect(), make a memory region RWX, store shellcode there. NX defeated! Return to shellcode and profit!

24. –superkojiman “Fortress”

25. Flag 1 FreeBSD with no outbound connections Command injection in

    scanner.php Use ICMP exfil to find the flag

26. Flag 2 /usr/local/www/apache24/data/k1ngd0m_k3yz has master and passwd files Hint to

    crack them is in /home/craven/hint.txt and / home/craven/reminders.txt SSH in as craven to get the flag

27. Flag 3 Flag in /home/vulnhub but not readable except through

    /home/ vulnhub/reader reader binary ignores files with "flag" and symlinks vulnerable to a race condition; we can trick it into opening a legit filename and switching it to a symlink to the flag

28. Links VMs: https://www.vulnhub.com/entry/dc416-2016,168/ Twitter: @_RastaMouse, @barrebas, @superkojiman