Shout outs
Cycura (http://www.cycura.com) for being awesome sponsors
Verkspace (http://verk.space) for hosting the event
Zack for the kick-ass scoreboard that had a hidden flag
Nick for orchestrating the whole thing
Dolev for building the CTF infrastructure
Recap
CTF ran on Dec 3, 2016
12 hour event
11 teams
4 vulnerable VMs, multiple challenges of varying difficulty
Winners: 1st SomeRandomName, 2nd and aleph-0
Flag 2
admin.php: if you can log in, you can whitelist your IP and use the IRC bot to give you a reverse shell
Use the report.php link to steal the admin's encoded credentials stored in PHPSESSID

Flag 5
Data sent to port 10001 will be executed, but only the first 10 bytes
Use a 2-stage payload: the 1st stage calls sys_read to take in larger input, the 2nd sends in the shellcode
Flag 3
Need to get a shell first!
Exploit the service on port 6969 to get a shell as alice
Vanilla buffer overflow, ASLR, no NX
Buffer is stored at a non-randomized address

Flag 3
Need the authentication code for ~/bob/binz/flag_vault to get bob's SSH key and the flag
Has ASLR + NX + SSP, vulnerable to a buffer overflow
Authentication code is stored in a buffer; use the SSP leak to get it
Flag is also bob's SSH password
Flag 5
Exploit ctfingerd to get a shell as vulnhub
/home/vulnhub/flag.txt is fake, so the previous trick won't work
Has ASLR + NX + SSP
Uses fork(); the child process inherits the parent's stack canary and memory. Brute force the stack canary!
Leak a function address from the GOT by returning to write@plt and calculate the libc base address. Lets us find the address of any function in libc. ASLR defeated!
Return to mprotect(), make a memory region RWX, store shellcode there. NX defeated!
Return to the shellcode and profit!
Flag 2
/usr/local/www/apache24/data/k1ngd0m_k3yz has the master and passwd files
Hints to crack them are in /home/craven/hint.txt and /home/craven/reminders.txt
SSH in as craven to get the flag
Flag 3
Flag is in /home/vulnhub but not readable except through /home/vulnhub/reader
The reader binary ignores files with "flag" in the name and symlinks
Vulnerable to a race condition: we can trick it into opening a legit filename and switching it to a symlink to the flag
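Added here as an illustration of how that reader race is closed, not the challenge's own reader binary (its source is not on this page): open the path with O_NOFOLLOW and validate the descriptor with fstat(), so the symlink check and the open act on the same object instead of leaving a check-then-open window. The function names and the temp-directory demo are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open: returns an open fd (>= 0), or -1 if the name or object is rejected. */
int safe_open_for_read(const char *path) {
    /* Same name policy as the challenge binary: refuse anything with "flag" in the name. */
    if (strstr(path, "flag") != NULL) return -1;
    /* O_NOFOLLOW makes the open itself fail (ELOOP) if the final path component
       is a symlink, so there is no lstat()-then-open() window to race. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* fstat() inspects the object we actually opened, not the name we were given. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Constructed demo: a regular file must be accepted and a symlink to it rejected.
   Returns 0 on that outcome, 1 if the check failed, -1 on setup error. */
int demo_race_defense(void) {
    char dir[] = "/tmp/readerXXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char real[64], swapped[64];
    snprintf(real, sizeof real, "%s/notes.txt", dir);
    snprintf(swapped, sizeof swapped, "%s/swapped.txt", dir);
    int result = -1;
    int fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        /* Stand-in for the swapped name: a legit-looking path that is now a symlink. */
        if (symlink(real, swapped) == 0) {
            int ok = safe_open_for_read(real);      /* regular file: accepted */
            int bad = safe_open_for_read(swapped);  /* symlink: rejected at open time */
            result = (ok >= 0 && bad == -1) ? 0 : 1;
            if (ok >= 0) close(ok);
            unlink(swapped);
        }
        unlink(real);
    }
    rmdir(dir);
    return result;
}
```

O_NOFOLLOW only covers the final path component; if an attacker can swap a directory earlier in the path, the reader would also need to walk the path with openat() from a trusted directory fd.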