DC416 2016 CTF Recap

Recap and solutions to the DefCon Toronto 2016 CTF.

Harold Rodriguez

April 13, 2017

  1. DC416 2016 CTF Recap by Harold Rodriguez (superkojiman)

  2. Who are we? Rasta Mouse, barrebas, superkojiman. We built the

  3. Shout outs: Cycura (http://www.cycura.com) for being awesome sponsors; Verkspace (http://verk.space) for hosting the event; Zack for the kick-ass scoreboard that had a hidden flag; Nick for orchestrating the whole thing; Dolev for building the CTF infrastructure.

  4. Recap: the CTF ran on Dec 3, 2016, a 12 hour event with 11 teams, 4 vulnerable VMs, and multiple challenges of varying difficulty. Winners: 1st SomeRandomName, 2nd and aleph-0.

  5. Pics or it didn't happen

  6. “Dick Dastardly” (Rasta Mouse)

  7. Flag 0. Hint: it's OK to sniff the network. Capture ICMP packets to get the first flag, hidden in the ICMP data field.

  8. Flag 1. Use your favourite tool to enumerate the website. The flag is in an HTTP response header.

  9. Flag 2. admin.php: if you can log in, you can whitelist your IP and use the IRC bot to give you a reverse shell. Use the report.php link to steal the admin's encoded credentials in PHPSESSID.

  10. Flag 3. User rasta has sudo rights to run /usr/local/sbin/util.py as vulnhub. A command injection vulnerability can be used to read the flag.
  11. “Basement” (barrebas)

  12. Flag 1. Port 10000. Hint: Python errors when you enter junk. Python jail! Escape it to get the shell and flag.

  13. Flag 2. Hint: use ps to see what's running: flag.mpg is streamed on port 8090. The audio plays the ASCII values of the flag.

  14. Flag 3. Port 8080. Hint: the HTTP response header contains Brainfuck. Send the URI request in Brainfuck to read any file, like ~/tyler/.ssh/id_rsa.

  15. Flag 4. Hint: no one asked for one... it's XOR + ZIP. XOR encrypted file, password protected zip file, password protected SSH keys belonging to marla.

  16. Flag 5. Data sent to port 10001 will be executed, but only the first 10 bytes. Use a 2-stage payload: 1st to call sys_read for larger input, 2nd to send in shellcode.
  17. “Baffle” (superkojiman)

  18. Flag 1. Find the .git repo and grab it with wget or DVCS-Pillage. Diff commits 7edc and 0648 to get the flag.

  19. Flag 2. Commit d38c has a Base64-encoded binary (let's call it CTFTP). Reverse it; use its read request to get the flag.

  20. Flag 3. Need to get a shell first! Exploit the service on port 6969 to get a shell as alice. Vanilla buffer overflow, ASLR, no NX. Buffer stored in a non-randomized address.

  21. Flag 3. Need the authentication code for ~/bob/binz/flag_vault to get bob's SSH key and flag. Has ASLR + NX + SSP, vulnerable to buffer overflow. The authentication code is stored in a buffer; use an SSP leak to get it. The flag is also bob's SSH password.

  22. Flag 4. Exploit ~/bob/binz/ctfingerd to get charlie's flag. ctfingerd reads ~/.plan but we control the username. Get the flag using charlie//////// flag.txt

  23. Flag 5. Exploit ctfingerd to get a shell as vulnhub. /home/vulnhub/flag.txt is fake, so the previous trick won't work. Has ASLR + NX + SSP. Uses fork(); the child process inherits the parent's stack canary and memory. Brute force the stack canary! Leak a function from the GOT by returning to [email protected] and calculate the libc base address. Lets us find the address of any function in libc. ASLR defeated! Return to mprotect(), make a memory region RWX, store shellcode there. NX defeated! Return to shellcode and profit!
  24. “Fortress” (superkojiman)

  25. Flag 1. FreeBSD with no outbound connections. Command injection in scanner.php. Use ICMP exfil to find the flag.

  26. Flag 2. /usr/local/www/apache24/data/k1ngd0m_k3yz has master and passwd files. The hint to crack them is in /home/craven/hint.txt and /home/craven/reminders.txt. SSH in as craven to get the flag.

  27. Flag 3. Flag is in /home/vulnhub but not readable except through /home/vulnhub/reader. The reader binary ignores files with "flag" and symlinks; vulnerable to a race condition: we can trick it into opening a legit filename and switching it to a symlink to the flag.

  28. Links. VMs: https://www.vulnhub.com/entry/dc416-2016,168/ Twitter: @_RastaMouse, @barrebas, @superkojiman
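The race behind Fortress Flag 3 (a reader that checks a name and then opens the same name again), as an added example that is not code from the deck or from the VM's reader binary: the check-then-open pattern beside a hardened open that resolves the name once with O_NOFOLLOW and validates the fd it holds. The temp-directory fixture, file names and the hook that stands in for the attacker's swap are constructed for the demo.

```c
#define _GNU_SOURCE   /* mkdtemp, symlink, O_NOFOLLOW, O_CLOEXEC */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
typedef void (*between_hook)(const char *path);
/* Race-prone pattern: lstat() the name, refuse symlinks, then open() the
 * same name again. The hook stands in for the gap an attacker races into. */
static int open_racy(const char *path, between_hook hook) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    if (hook) hook(path);
    return open(path, O_RDONLY);   /* name resolved a second time */
}
/* Hardened: one O_NOFOLLOW open (ELOOP if the final component is a symlink),
 * then fstat() the object actually held. Parent-directory symlinks are still
 * followed; openat() from a trusted directory fd closes that gap. */
static int open_safe(const char *path, between_hook hook) {
    if (hook) hook(path);          /* a swap before the open changes nothing */
    struct stat st; int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) return fd;
    close(fd); errno = EACCES; return -1;
}
/* Constructed fixture: a protected file and a legitimate file in a temp dir. */
static char g_secret[160], g_notes[160];
static int fixture_create(void) {
    char dir[] = "/tmp/reader_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(g_secret, sizeof g_secret, "%s/secret.txt", dir);
    snprintf(g_notes, sizeof g_notes, "%s/notes.txt", dir);
    FILE *f = fopen(g_secret, "w"); if (!f) return -1; fputs("SECRET", f); fclose(f);
    f = fopen(g_notes, "w"); if (!f) return -1; fputs("notes", f); fclose(f);
    return 0;
}
/* The attacker's move inside the window: replace notes.txt with a symlink. */
static void swap_for_symlink(const char *path) { unlink(path); symlink(g_secret, path); }
/* Open notes.txt via the given opener; return what was read, "" if refused. */
static const char *read_notes(int (*opener)(const char *, between_hook), between_hook hook) {
    static char buf[32];
    int fd = opener(g_notes, hook);
    if (fd < 0) return "";
    ssize_t n = read(fd, buf, sizeof buf - 1);
    buf[n > 0 ? n : 0] = '\0';
    close(fd);
    return buf;
}
```

With the swap hook in place, open_racy hands back the protected file's contents while open_safe refuses the symlink outright; the fd-based fstat() check is what makes the decision and the object the same thing.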