Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DC416 2016 CTF Recap

DC416 2016 CTF Recap

Recap and solutions to the DefCon Toronto 2016 CTF.

Harold Rodriguez

April 13, 2017

More Decks by Harold Rodriguez

Other Decks in Technology


  1. Shout outs Cycura (http://www.cycura.com) for being awesome sponsors Verkspace (http://verk.space)

    for hosting the event Zack for the kick-ass scoreboard that had a hidden flag Nick for orchestrating the whole thing Dolev for building the CTF infrastructure
  2. Recap CTF ran on Dec 3, 2016 12 hour event

    11 teams 4 vulnerable VMs, multiple challenges of varying difficulty Winners: 1st SomeRandomName, 2nd and aleph-0
  3. Flag 0 Hint: It's OK to sniff the network Capture

    ICMP packets to get the first flag hidden in the ICMP data field
  4. Flag 2 admin.php: if you can login, you can whitelist

    your IP and use the IRC bot to give you a reverse shell Use report.php link to steal admin's encoded credentials in PHPSESSID
  5. Flag 3 User rasta has sudo rights to run /usr/local/sbin/util.py

    as vulnhub Command injection vulnerability can be used to read the flag
  6. Flag 1 Port 10000 Hint: Python errors when you enter

    junk Python jail! Escape it to get the shell and flag
  7. Flag 2 Hint: Use ps to see what's running: flag.mpg

    streamed on port 8090 The audio plays the ASCII values of the flag
  8. Flag 3 Port 8080 Hint: HTTP response header contains Brainfuck

    Send URI request in Brainfuck to read any file, like ~/tyler/.ssh/ id_rsa
  9. Flag 4 Hint: No one asked for one... it's XOR

    + ZIP XOR encrypted file Password protected zip file Password protected SSH keys belonging to marla
  10. Flag 5 Data sent to port 10001 will be executed;

    but only the first 10 bytes Use 2-stage payload: 1st to call sys_read for larger input, 2nd to send in shellcode
  11. Flag 1 Find .git repo and grab with wget or

    DVCS-Pillage Diff commits 7edc and 0648 to get the flag
  12. Flag 2 Commit d38c has a Base-64 encoded binary (let's

    call it CTFTP) Reverse it; use its read request to get the flag
  13. Flag 3 Need to get a shell first! Exploit service

    on port 6969 to get a shell as alice Vanilla buffer overflow, ASLR, no NX Buffer stored in non- randomized address
  14. Flag 3 Need authentication code for ~/bob/binz/flag_vault to get bob's

    SSH key and flag Has ASLR + NX + SSP, vulnerable to buffer overflow Authentication code is stored in a buffer; use SSP leak to get it Flag is also bob's SSH password
  15. Flag 4 Exploit ~/bob/binz/ctfingerd to get charlie's flag ctfingerd reads

    ~/.plan but we control the username Get flag using charlie//////// flag.txt
  16. Flag 5 Exploit ctfingerd to get a shell as vulnhub

    /home/vulnhub/flag.txt is fake, so previous trick won't work Has ASLR + NX + SSP Uses fork(); child process inherits parent's stack canary and memory. Brute force stack canary! Leak function from GOT by returning to write@plt and calculate libc base address. Let's us find the address of any function in libc. ASLR defeated! Return to mprotect(), make a memory region RWX, store shellcode there. NX defeated! Return to shellcode and profit!
  17. Flag 1 FreeBSD with no outbound connections Command injection in

    scanner.php Use ICMP exfil to find the flag
  18. Flag 2 /usr/local/www/apache24/data/k1ngd0m_k3yz has master and passwd files Hint to

    crack them is in /home/craven/hint.txt and / home/craven/reminders.txt SSH in as craven to get the flag
  19. Flag 3 Flag in /home/vulnhub but not readable except through

    /home/ vulnhub/reader reader binary ignores files with "flag" and symlinks vulnerable to a race condition; we can trick it into opening a legit filename and switching it to a symlink to the flag