RuCTFE 2015 Services Write-Ups

SERVICES WRITE-UPS
Mikhail Vyatskov aka Tris and more

MOTIVATION
“The main goal of RuCTFE is to share experience and knowledge in computer security and to have some fun together.”
— RuCTFE Rules

RULES
• Each team has an image
• There are some services on this image
• There are some vulnerabilities
• Hack ’em all!

MINISTRY OF LOVE
Maxim Muzafarov aka m_messiah

ABOUT SERVICE
• Python
• Tornado web server
• Momoko (asynchronous PostgreSQL driver for Tornado)
• WebSockets

WATCH CRIMES
• image

REPORT A CRIME
• image

AUTHENTICATE
• image

HACK IT!

SQL INJECTION

PROFILE SPOOFING
• Bind a profile without authentication
• Profile ids are visible in open crimes

SAME DATABASE
• Each team has the same database
• Each team has all authentication data

“BACKDOOR”

bit.ly/ructfe_mol_sploit

MINISTRY OF TAXES
Pavel Blinov aka pahaz

ABOUT SERVICE
• Node.js
• Koa web framework
• Custom router

ADD PERSONAL DATA
• image

UPLOAD REPORT
• image

HACK IT!

WEAK ID GENERATION
So what?

REMOTE CODE EXECUTION

bit.ly/ructfe_tax_sploit

ELECTIONS FOR E-DEMOCRACY
Konstantin Plotnikov aka kost

ABOUT SERVICE
• C# + Mono
• Homomorphic encryption

ELECTIONS
• TODO

NOMINATE
• image

VOTE
• image

GET ELECTED
• image

HACK IT!

UNFILTERED INPUT
• Client-side vote generation & encryption
• A vote is a vector of integers
• The election result is the sum of the votes

UNFILTERED INPUT
break & hack

UNFILTERED INPUT
• Calculations are made modulo 243
• Overflow a competitor’s value
• Let the battle begin!

WEAK PRIVATE KEY GENERATOR
• Calculations are made modulo 243 = 3^5
• Private key – a random number
• Chance of it not being coprime with the modulus
• 3 divides the private key ⇒ can decrypt

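The two groups of slides above (unfiltered input, weak private key) give the arithmetic but no code. The following is an added example and not the service's C# code: because the slides do not describe the homomorphic scheme or the message format, the tally is modelled on plaintext integer vectors summed modulo 243, which is the only constant taken from the slides. The candidate count, the sample votes and the key range are constructed for the demo; the weak-key check only tests coprimality with 3^5, which is what the slides say makes a key exploitable.

```python
import math
import random

MODULUS = 243          # 3**5, the modulus the slides say the tally uses
NUM_CANDIDATES = 3     # assumption for this demo, not from the slides


def tally(votes):
    """Server-side count as the slides describe it: the election result is
    the component-wise sum of all vote vectors, reduced modulo 243.
    Nothing here checks what a single vote looks like, which is the bug."""
    result = [0] * NUM_CANDIDATES
    for vote in votes:
        for i, v in enumerate(vote):
            result[i] = (result[i] + v) % MODULUS
    return result


def is_well_formed(vote):
    """What the server must enforce (for encrypted votes: via a proof of
    well-formedness): exactly one candidate gets 1, every other gets 0."""
    return (len(vote) == NUM_CANDIDATES
            and all(v in (0, 1) for v in vote)
            and sum(vote) == 1)


def tally_validated(votes):
    """Same tally, but malformed votes are dropped before summing."""
    return tally(v for v in votes if is_well_formed(v))


def overflow_vote(target, victim):
    """Attacker's vote: +1 for `target` and 242 == -1 (mod 243) for `victim`,
    so each copy cancels one honest vote for the victim."""
    vote = [0] * NUM_CANDIDATES
    vote[target] = 1
    vote[victim] = MODULUS - 1
    return vote


def private_key_is_weak(key, modulus=MODULUS):
    """A random integer key that shares the factor 3 with 3**5 has no
    inverse modulo 243; the slides say such a key lets an attacker decrypt."""
    return math.gcd(key, modulus) != 1


def weak_key_fraction(samples=100_000, seed=1):
    """Empirical share of weak keys among uniformly random integers: one in three."""
    rng = random.Random(seed)
    weak = sum(private_key_is_weak(rng.randrange(1, 1 << 32)) for _ in range(samples))
    return weak / samples


if __name__ == "__main__":
    honest = [[1, 0, 0]] * 5 + [[0, 1, 0]] * 4          # constructed ballots
    attack = [overflow_vote(target=1, victim=0)] * 3    # three forged ballots
    print("unfiltered tally:", tally(honest + attack))
    print("validated tally: ", tally_validated(honest + attack))
    print("weak key fraction:", round(weak_key_fraction(), 3))
```

Three forged ballots turn a 5:4 lead for candidate 0 into 2:7, and the unfiltered tally has no way to tell; the validated tally restores 5:4. With real homomorphic ballots the server cannot look inside a vote, so the check has to be a proof the client attaches (a range or set-membership proof), and the key generator has to reject candidates not coprime with the modulus rather than hope for the two-in-three case.
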
WEAK PRIVATE KEY GENERATOR
• image
…

NASA RASA
Andrey Gein aka andgein

ABOUT SERVICE
• PHP
• MySQL

REPORT A PLANET• image
![Page 47: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/47.jpg)
BROWSE DISCOVERED PLANETS
• image
![Page 48: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/48.jpg)
BROWSE USERS• image
![Page 49: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/49.jpg)
HACK IT!
![Page 50: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/50.jpg)
HARDCODED DB CREDENTIALS
Remember about RCE?
![Page 51: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/51.jpg)
PADSPACE COLLATION• todo
⇒2
![Page 52: RuCTFE 2015 Services Write-Ups](https://reader034.vdocuments.net/reader034/viewer/2022042619/58efb2891a28abff718b4643/html5/thumbnails/52.jpg)
bit.ly/ructfe_collations
HEALTH MONITOR
Polina Zonova aka Klyaksa

ABOUT SERVICE
• Go
• SQLite

REPORT YOUR HEALTH
• todo

BROWSE YOUR PROGRESS
• todo

HACK IT!

AUTHENTICATION

HARDCODED SALT
Plan:
1. Set up the vulnbox
2. Change all passwords & keys
3. Win

LENGTH EXTENSION ATTACK
• uids are serial – we can guess them
• Over 9k tools to perform an MD5 LEA

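The slides name the attack but show no code. What follows is an added example, not the service's Go code. It assumes the auth token is md5(salt || uid), that the salt length is known (the salt is hardcoded in the image, and lengths can be brute-forced anyway), and that uids are serial so the signed part is known; how the service actually parsed the extended uid is not on the slides, so the example only shows that the forged token verifies. Python's hashlib cannot resume MD5 from a chosen chaining state, so a compact MD5 is implemented here for the extension; the fix function uses HMAC, which is not length-extendable.

```python
import hashlib
import hmac
import math
import struct

# MD5 constants (RFC 1321)
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md5_padding(total_len):
    """The padding MD5 appends to a message of `total_len` bytes."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_from_state(data, state=_IV, prior_len=0):
    """MD5 of `data` starting from chaining `state`, with `prior_len` bytes
    (a multiple of 64) counted as already absorbed. Defaults give plain MD5."""
    a0, b0, c0, d0 = state
    msg = data + md5_padding(prior_len + len(data))
    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
        a0, b0, c0, d0 = [(x + y) & 0xFFFFFFFF for x, y in zip((a0, b0, c0, d0), (a, b, c, d))]
    return struct.pack("<4I", a0, b0, c0, d0)


def md5_self_check(data):
    """True when the local MD5 agrees with hashlib on `data`."""
    return md5_from_state(data) == hashlib.md5(data).digest()


def make_token(salt, uid):
    """Assumed vulnerable scheme: token = md5(salt || uid)."""
    return hashlib.md5(salt + uid).digest()


def length_extend(token, salt_len, uid, suffix):
    """From md5(salt||uid) and len(salt) alone, return (uid', token') with
    token' == md5(salt||uid') for uid' = uid || glue || suffix."""
    glue = md5_padding(salt_len + len(uid))
    state = struct.unpack("<4I", token)
    forged = md5_from_state(suffix, state, salt_len + len(uid) + len(glue))
    return uid + glue + suffix, forged


def make_token_hmac(salt, uid):
    """Fix: keyed MAC instead of a bare hash (the salt must still be a secret
    changed on every deployed image, otherwise everybody can mint tokens)."""
    return hmac.new(salt, uid, hashlib.sha256).digest()


def demo(salt=b"hardcoded-salt-value", uid=b"41", suffix=b"&role=admin"):
    """Constructed inputs. Returns (forged_uid, forged_token, token the server
    would compute for forged_uid); the last two are equal."""
    forged_uid, forged_token = length_extend(make_token(salt, uid), len(salt), uid, suffix)
    return forged_uid, forged_token, make_token(salt, forged_uid)


if __name__ == "__main__":
    forged_uid, forged_token, server_token = demo()
    print(forged_uid, forged_token.hex(), forged_token == server_token)
```

The forged uid carries the MD5 glue bytes (0x80, zeros, the original bit length), so the attack only pays off where the server tolerates binary in that field. The hardcoded salt is the bigger problem: every team's image ships the same value, so without changing it an opponent does not need the extension at all and can simply compute tokens for the guessed serial uids.
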
INTERPLANETARY MIGRATION AUTHORITY
Dmitry Titarenko aka dscheg

ABOUT SERVICE
• Nim
• Redis

KNOW CITIZENS
• TODO

FILL MIGRATION FORM…

…BUT NOT QUITE

HACK IT!

HARDCODED DB CREDENTIALS
And again

HMAC USING EXTERNAL LIBRARY
A zero-padded user has the same HMAC

HMAC USING EXTERNAL LIBRARY
• Log in as one of the citizens
• Steal the flag from the filled form

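The collision the slides describe is a property of HMAC itself (RFC 2104), not a bug in the external library: a key shorter than the hash block size is right-padded with zero bytes, so any user-controlled value used as the HMAC key yields the same tag as its zero-padded variants. The following is an added example and not the service's Nim code; that the user name is the HMAC key and a server secret is the message is an assumption made to reproduce the symptom, and how the identical tag was then turned into a login (the padded name being a distinct record in Redis but carrying another citizen's tag) is likewise an assumption beyond what the slides say.

```python
import hashlib
import hmac

BLOCK_SIZE = hashlib.sha256().block_size  # 64 bytes for SHA-256


def session_tag_vulnerable(username, secret):
    """Assumed vulnerable layout: the attacker-chosen name is the HMAC *key*.
    HMAC pads keys shorter than the block size with zero bytes, so
    b'alice' and b'alice\\x00' are literally the same key."""
    return hmac.new(username, secret, hashlib.sha256).hexdigest()


def session_tag_fixed(username, secret):
    """Fix: the secret is the key and the user name goes into the message,
    with a length prefix so no two names can produce the same byte string."""
    msg = len(username).to_bytes(2, "big") + username
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def find_colliding_names(username):
    """Every zero-padded variant of `username` that still fits in one hash
    block shares its tag under the vulnerable layout. A longer key would be
    hashed first (RFC 2104), which breaks the collision."""
    limit = BLOCK_SIZE - len(username)
    return [username + b"\x00" * i for i in range(1, limit + 1)]


def demo(username=b"alice", secret=b"server-secret"):
    """Constructed inputs. Returns how many padded aliases collide with the
    real user's tag under each layout."""
    real = session_tag_vulnerable(username, secret)
    real_fixed = session_tag_fixed(username, secret)
    aliases = find_colliding_names(username)
    vulnerable_hits = sum(session_tag_vulnerable(a, secret) == real for a in aliases)
    fixed_hits = sum(session_tag_fixed(a, secret) == real_fixed for a in aliases)
    return vulnerable_hits, fixed_hits


if __name__ == "__main__":
    print(demo())  # every alias collides under the vulnerable layout, none under the fix
```

If a service keys records by the raw name (Redis treats "alice" and "alice\0" as different keys) but authenticates by a tag computed this way, registering the padded alias yields an account whose tag validates as the original citizen's. The rule is simply never to let attacker-controlled data be the MAC key, and to frame variable-length fields unambiguously inside the MAC input.
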
MODIFYING LOCAL DATA
• Form data is stored on the client side
• Form data is encrypted
• AES encryption in CBC mode
• No integrity checks

MODIFYING LOCAL DATA
• We know the plaintext – JSON with the filled data
• We can modify the ciphertext

MODIFYING LOCAL DATA
• todo

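The slides state the three conditions (client-side ciphertext, CBC, no integrity check, known JSON plaintext) but not the manipulation itself. Below is an added example, not the service's Nim code. CBC malleability is a property of the mode, not of the block cipher, so a toy Feistel cipher stands in for AES to keep the example stdlib-only; the key, IV and JSON form are constructed, and the assumption that the IV is stored next to the ciphertext on the client (so the first block can be edited without corrupting a neighbour) is an assumption for the demo, not something the slides say.

```python
import hashlib
import hmac
import json

BLOCK = 16


def _toy_block_cipher(block, key, decrypt=False):
    """Stand-in for AES: a 4-round Feistel network with a SHA-256 round
    function. It is a bijection on 16-byte blocks, which is all CBC needs.
    Not a real cipher; never reuse."""
    subkeys = [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(4)]
    if decrypt:
        subkeys.reverse()
    left, right = block[:8], block[8:]
    for sk in subkeys:
        f = hashlib.sha256(sk + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # undo the final swap so the same loop inverts itself


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    pt = _pad(plaintext)
    for i in range(0, len(pt), BLOCK):
        prev = _toy_block_cipher(_xor(pt[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(_toy_block_cipher(blk, key, decrypt=True), prev))
        prev = blk
    return _unpad(b"".join(out))


def flip_block(iv, ciphertext, block_index, known, wanted):
    """Make plaintext block `block_index` decrypt to `wanted` instead of the
    `known` plaintext by XORing the difference into the preceding ciphertext
    block (the IV for block 0). Any real preceding block turns to garbage,
    which is why the attacker here edits block 0 through the IV."""
    assert len(known) == len(wanted) == BLOCK
    delta = _xor(known, wanted)
    if block_index == 0:
        return _xor(iv, delta), ciphertext
    off = (block_index - 1) * BLOCK
    prev = _xor(ciphertext[off:off + BLOCK], delta)
    return iv, ciphertext[:off] + prev + ciphertext[off + BLOCK:]


def seal(key, iv, plaintext):
    """Fix: encrypt-then-MAC, tag over IV and ciphertext (separate MAC key)."""
    ct = cbc_encrypt(key, iv, plaintext)
    return iv, ct, hmac.new(key + b"mac", iv + ct, hashlib.sha256).digest()


def open_sealed(key, iv, ct, tag):
    expected = hmac.new(key + b"mac", iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return cbc_decrypt(key, iv, ct)


KEY, IV = b"k" * 16, bytes(range(16))                    # constructed
FORM = b'{"approved": 0, "citizen": "bob"}'              # constructed known plaintext
WANTED_FIRST_BLOCK = b'{"approved": 1, '                 # same length as FORM[:16]


def tamper_demo():
    """Edit the stored form without the key; returns the JSON the server now sees."""
    iv2, ct2 = flip_block(IV, cbc_encrypt(KEY, IV, FORM), 0, FORM[:16], WANTED_FIRST_BLOCK)
    return json.loads(cbc_decrypt(KEY, iv2, ct2))


def sealed_rejects_tamper():
    iv, ct, tag = seal(KEY, IV, FORM)
    iv2, ct2 = flip_block(iv, ct, 0, FORM[:16], WANTED_FIRST_BLOCK)
    try:
        open_sealed(KEY, iv2, ct2, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(tamper_demo(), sealed_rejects_tamper())
```

Editing through the IV is the clean case; to change a later block the attacker sacrifices the block before it, which only works where the garbled block lands in a field the consumer ignores. None of that matters once the stored blob carries a MAC that is verified before decryption, or once an AEAD mode replaces CBC.
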
MITM
• On step 3 we need to get a random value signed
• Only the checker has the private key
• Let’s hack the value generation function
• The checker will sign everything for us

bit.ly/ructfe_mig_sploit

THE BANK
Alexander Bersenev aka bay

ABOUT SERVICE
• C
• Mongoose (embedded web server)
• Custom dictionary

CREATE ACCOUNTS
• todo

TRANSFER MONEY
• todo

HACK IT!

ACCESS LOGS
bank.teamX.e.ructf.org/access.log

DICTIONARY
Binary Search Tree
Position Independent Code

DICTIONARY
• Key in the BST – SHA256 of the key in the dict
• Value – amount of money (8 bytes)
• BST stored in an array

DICTIONARY
Buffer overflow
Remote code execution

DICTIONARY
Shell
jmp to shell

bit.ly/ructfe_bank_sploit

RECOMMENDATIONS
• Always change keys and passwords
• Learn Linux administration
• Stay positive & have fun!

Questions?

Thanks!