Fairgame
• Fairgame is an introductory CTF
• Runs until winter break
• Covers five subjects:
  – pwn - binary exploitation
  – re - reverse engineering
  – crypto - cryptography
  – web - web applications
  – misc - puzzles, steganography, party tricks, etc.

RPISEC - 09/30/2022 RPISEC 2
Tooling
• VM installation was covered at INTROSEC
• Includes a variety of useful tools
• Get it here: http://tools.rpis.ec/
• We’ll also assume you have some basic experience with the Linux command line
  – All important commands are shown, though!

Conventions
$ commands are shown like this

misc
• misc chals cover a variety of topics
• Finding the right angle is key

misc100?
- Our misc100 is somewhere on Slack this year (:
- ...so we'll look at misc200 instead
- (it's definitely not just the normal misc100)

misc200 - “Flag? What Flag?”
• Download misc100.tar.gz
• This is a gzipped tarball
  – gzip compresses files
  – tar puts files into a single archive - a “tarball”
• Basically the .zip of Linux

misc200 - “Flag? What flag?”
• We’re told it’s an ext2 disk image
• ext2 is a predecessor of ext4
• We can mount the image to browse its contents like a flash drive

misc200 - “Flag? What Flag?”
• Extract it with:
  $ tar -xf misc100.tar.gz
• -x to extract
• -f to specify the file

misc200 - “Flag? What Flag?”

misc200 - “Flag? What flag?”
• One file comes out, misc100.img
• .img files are usually disk images
  – Basically a snapshot of a storage device
• We can find out what kind of image it is with:
  $ file misc100.img
• The file command tries to identify a file

misc200 - “Flag? What flag?”
• First, make a directory to mount to:
  $ mkdir mnt

misc200 - “Flag? What flag?”
• Then, mount the image:
  $ sudo mount -o loop misc100.img mnt
• mount requires root powers, hence the sudo
• Root password on the Tools VM is rpisec
• Now you can browse the files within:
  $ cd mnt

misc200 - “Flag? What flag?”
• Let’s look around a bit
  $ ls
• You’ll see the following files:
  bin dev etc lib linuxrc lost+found proc sbin tmp usr var
• So this is a disk image of some Linux system

misc200 - “Flag? What flag?”
• ...but where’s the flag?
• Let’s take a closer look!
  $ ls -la
• -l to show files in a list
• -a to show all files

misc200 - “Flag? What flag?”
• There’s a file called .flag in there!
  – Files with a . in front are hidden by default
• So, what is it?
  $ file .flag
• It’s gzip compressed data
• We can extract it with...gzip, of course
• The mounted image is read-only, though, so we’ll move the file first.

misc200 - “Flag? What flag?”
  $ cp .flag /tmp/flag.gz
  $ cd /tmp
  $ gunzip flag.gz
• Now we have a file called flag
  $ file flag
• It’s a .tar again!
  $ tar -xf flag

misc200 - “Flag? What flag?”
• The .tar contained a file called flag, so it overwrote itself
• Now we can just…
  $ cat flag

misc200 - “Flag? What flag?”
• This sort of challenge becomes very easy once you’re used to the terminal
• Always try to figure out what it is you’re looking at!
  – file
  – binwalk

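The identify-then-unwrap loop from misc200, as an added Python example (it is not from the slides and not RPISEC's solution): `identify` checks the same kind of magic bytes that `file` does, for just the formats the slides run into, and `unwrap` peels gzip and tar layers until something else appears. The nested sample is built in memory by `build_sample` so the script runs offline; the function names and the sample flag text are constructed for this example.

```python
import gzip
import io
import tarfile


# Magic-byte signatures for the formats the slides run into. This is the same
# idea `file` uses, just a hand-picked subset (constructed for this example).
def identify(data: bytes) -> str:
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[257:262] == b"ustar":            # POSIX tar header magic
        return "tar"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[1080:1082] == b"\x53\xef":       # ext2/3/4 superblock magic, 0xEF53 little-endian
        return "ext2"
    return "data"


def unwrap(data: bytes, max_layers: int = 10):
    """Peel gzip and tar layers off `data` until something else shows up.

    Returns (payload, kinds), where kinds lists what identify() saw at each
    layer. Working on bytes in memory also sidesteps the slides' gotcha of a
    tar member named `flag` overwriting the `flag` archive it came from.
    """
    kinds = []
    for _ in range(max_layers):
        kind = identify(data)
        kinds.append(kind)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if not files:
                    break
                # A real run would list every member; the sample has just one.
                data = tf.extractfile(files[0]).read()
        else:
            break
    return data, kinds


def build_sample(flag: bytes = b"flag{constructed_sample}\n") -> bytes:
    """Constructed stand-in for .flag: a tar holding a file named flag, gzipped."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo(name="flag")
        info.size = len(flag)
        tf.addfile(info, io.BytesIO(flag))
    return gzip.compress(tar_buf.getvalue())


if __name__ == "__main__":
    payload, kinds = unwrap(build_sample())
    print(" -> ".join(kinds))
    print(payload.decode())
```

On a real file, read it into `data` and call `unwrap`; when a tar layer has several members, list them instead of taking the first, and extract into a fresh directory so nothing overwrites the archive you are still working from.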
web
• web challenges deal with...web stuff
  – Pretty much anything with a browser
• Split into two big categories:
  – Client-side: attacking the browser
  – Server-side: attacking the server

web100 - “Client Page”
• web100 presents us with a login screen
• First, we should examine the page!
• In Firefox, hit ctrl+u to view the page’s source

web100 - “Client Page”
• auth.js sounds interesting!
• Click on it to view the file

web100 - “Client Page”
• Oh no! Client-side authentication!
  – The login is checked in your browser…
  – ...and not on the server
• users sounds pretty interesting...

web100 - “Client Page”
• Open the dev console with F12 or ctrl-shift-I
• Now we can look at users by typing…
  users
• It’s an array of two things, so view the first one:
  users[0]
• Looks like a username and password to me!
• Log in and get the flag

web100 - “Client Page”
• That was easy.
• The rest are harder!
• Web challenges cover a lot of territory:
  – SQL injection to abuse badly written database queries
  – XSS (cross-site-scripting) to make other users run code
  – Uploading malicious files and viewing those we shouldn’t

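Why the web100 design fails and what the server-side version looks like, as an added Python example (not the challenge's auth.js and not RPISEC code): `client_side_login` is a stand-in for the pattern the slides found, where the whole credential list travels to the browser, and `server_side_login` is the shape a server should use instead, keeping only salted PBKDF2 hashes and comparing in constant time. The user names, passwords, iteration count and function names are all constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; a constructed choice for the example

# The web100 pattern, as a stand-in for auth.js: the full credential list is
# shipped to the browser, so `users[0]` in the dev console hands it over.
CLIENT_USERS = [{"username": "admin", "password": "hunter2"}]   # constructed


def client_side_login(username: str, password: str) -> bool:
    """Checks the login in the browser; anyone who can read the page can read CLIENT_USERS."""
    return any(u["username"] == username and u["password"] == password
               for u in CLIENT_USERS)


# The server-side shape: the browser only ever sees the verdict, and the store
# holds salted PBKDF2 hashes, so even a leaked store is not a list of logins.
def make_record(password: str, salt=None) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


SERVER_USERS = {"admin": make_record("hunter2")}   # constructed; lives only on the server
_DUMMY = make_record("dummy", salt=b"\x00" * 16)   # keeps timing uniform for unknown users


def server_side_login(username: str, password: str) -> bool:
    """Verify against the stored hash with a constant-time comparison."""
    record = SERVER_USERS.get(username, _DUMMY)    # unknown users still pay the hash cost
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], ITERATIONS)
    return username in SERVER_USERS and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print("client-side leaks:", CLIENT_USERS)
    print("server-side verdict:", server_side_login("admin", "hunter2"))
```

The point of the contrast is where the secret lives: in the first version the check and the secret are both in the page, so viewing the source is the whole attack; in the second, the page can only ask and is told yes or no.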
crypto
• crypto challenges fall into two camps:
  – Classic ciphers, which are extremely weak
    ∘ Caesar ciphers
    ∘ Vigenere ciphers
  – Modern ciphers, but with a deliberate mistake
    ∘ RSA
    ∘ DES

crypto100 - “Classic”
• This one is a classical cipher
  – The title is a pretty big hint
  – The cipher clearly didn’t hide the flag
    vbqw{0bt1u_rkj_d0j_i0_we0t1u}
• So, we just need to identify the cipher

crypto100 - “Classic”
• Tools exist online for all of these
• Two of my suggestions:
  – https://gchq.github.io/CyberChef/
  – https://cryptii.com/

crypto100 - “Classic”
• It was a Caesar cipher.
  – A=K
  – Shift of 10

crypto100 - “Classic”
• Classical ciphers can be broken easily:
  – Guessing all the keys (Caesar)
  – Exploiting language patterns (Vigenere)
    ∘ E shows up way more than Z
• Attacking modern ciphers like this does not work:
  – Huge keys, expensive operations
  – The universe dies before you find the flag
• Crypto challenges will always have a trick
  – Implementation errors, bad parameters, etc.

re and pwn
• re and pwn are two sides of the same coin
  – re: figure out how a system works
  – pwn: figure out how a system breaks

re100 - “Milk Run”
• Reversing is an incredibly deep subject
  – static analysis!
  – dynamic analysis!
  – decompilation!
• Fortunately, re100 is pretty simple
  – The program has a secret.
  – We want the secret.
  – Hey, isn’t this basically web100?

re100 - “Milk Run”
• First, try running the program
  $ ./re100
• We type some gibberish, it says no

re100 - “Milk Run”
• A great place to start is strings
• Shows readable text in a file
  $ strings re100
• That’s a lot of text...

re100 - “Milk Run”
• We don’t want to read all of that
• We can use grep to filter it down
  – grep takes a string to look for
  $ strings re100 | grep flag
• The | is a pipe
  – strings writes some stuff
  – grep reads that stuff
• And there’s the flag!

re100 - “Milk Run”
• re is a huge puzzle
• There are many powerful tools out there:
  – IDA/Ghidra/Binary Ninja/r2 for pulling apart a program
  – strings and hexdump to peek at data
  – objdump to find function names
  – gdb to see what happens at runtime

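What `strings re100 | grep flag` actually does, as an added Python example (not from the slides and not the re100 binary): `strings` scans raw bytes for runs of printable ASCII at least four bytes long, which is the default for the real tool, and `grep` keeps the lines containing the search text. `SAMPLE_BINARY` is a constructed blob with a few text strings between code-like bytes, standing in for the challenge file; the function names are this example's.

```python
import re


def strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII (0x20..0x7e) at least min_len long, like the strings tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def grep(lines, needle: str):
    """Keep the lines that contain `needle`, the way a fixed-string grep would."""
    return [line for line in lines if needle in line]


# Constructed stand-in for re100: an ELF-looking header, a prompt, a few
# instruction-like bytes, a short reply and a flag-shaped string.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Enter the secret: \x00"
    + b"\x48\x89\xe5\x48\x83\xec\x10"
    + b"no\x00"
    + b"flag{constructed_example}\x00"
    + b"\xc3\x90\x90"
)


def find_flag(data: bytes = SAMPLE_BINARY, needle: str = "flag"):
    """The whole pipeline: strings, then grep."""
    return grep(strings(data), needle)


if __name__ == "__main__":
    for line in strings(SAMPLE_BINARY):
        print(line)
    print("grep:", find_flag())
```

Note what the pipeline misses: "ELF" and "no" are shorter than four bytes and never show up, and a flag stored encoded or built at runtime would not appear as a string at all, which is where the disassembly and debugging tools on the next slide come in.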
pwn100 - “Rewards Program”
• pwn is what our motto is all about:
  – Break it
  – Hack it
  – Own it

pwn100 - “Rewards Program”
• First, run the program
  $ chmod +x rewards-program
  $ ./rewards-program
• It asks for your name. Type something short.

pwn100 - “Rewards Program”
• Darn :(

pwn100 - “Rewards Program”
• What if we had a longer name?
• Let’s say our name is…
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

pwn100 - “Rewards Program”
• That’s...interesting

pwn100 - “Rewards Program”
• Our input made some weird stuff happen:
  – It messed up the point counter
    ∘ 1094795585 is not 0
  – It crashed the whole program!
    ∘ Segfault! (we accessed invalid memory)
• We just broke it

pwn100 - "Rewards Program"
• The program stores our name next to the point counter
  int points = 0;
  char foo[20];
• But it only has room for 20 characters
• Our name was 32 characters long

pwn100 - “Rewards Program”
• This is a buffer overflow
  – The program didn’t have room for our name
• 20 bytes of A's fit correctly
• The next 4 bytes clobbered the point counter
• The rest screwed up C's bookkeeping

pwn100 - “Rewards Program”
• So, how exactly did we get 1094795585 points?
• Let’s look at that number in a different way:
  – Decimal: 1094795585
  – Hex: 0x41414141
• That looks familiar.
• What was A in ASCII, again?

pwn100 - “Rewards Program”
• 0x41 = ‘A’
• 0x41414141 = ‘AAAA’
• So, what if we want 322424845 points?

pwn100 - “Rewards Program”
• Just go from decimal to hex:
  – Decimal: 322424845
  – Hexadecimal: 0x1337D00D
• very leet, d00d
• That’s hard to type!
  – 0x13 is “device control 3”
  – 0x0D is a carriage return
  – 0xD0 is a Unicode Ð

pwn100 - “Rewards Program”
• python is great for this.
  – Specifically, python 2, because it's nicer for binary data
  – This prints out AAAAAAAAAAAAAAAA - sixteen A’s
  $ python2 -c "print 'A'*16"
• We can pipe that into the program like this:
  $ python2 -c "print 'A'*16" | pwn100

pwn100 - “Rewards Program”
• Experiment with this until you just barely corrupt the counter

pwn100 - “Rewards Program”
• We needed 21 A’s to change our points to 65
  – Decimal: 65
  – Hexadecimal: 0x41
• So, let’s send 20 A’s, then 1337D00D!
  $ python2 -c "print 'A'*20 + '\x13\x37\xd0\x0d'" | pwn100

pwn100 - “Rewards Program”
• Hang on, that gave us 231749395 points
  – Decimal: 231749395
  – Hexadecimal: 0x0dd03713
• It’s...backwards?

pwn100 - “Rewards Program”
• The program’s variables are stored on the stack.
• The stack grows downward, from the largest address.
• In pwn100, it looks something like this:
  – reward points (4 bytes)
  – name (20 bytes)
• name is before reward points in memory

pwn100 - “Rewards Program”
• If we make our name too long, it messes up the points counter.
• This goes from low to high memory
• The first byte is the least significant byte
  – 21 A’s gave us 65 points, remember?

pwn100 - “Rewards Program”
• So, by putting the four bytes in reverse order...
  $ python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'" | nc chals.fairgame.rpis.ec 5001
• ...we have the right number of points!

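The stack layout and byte order from the last few slides, modelled in Python as an added example (not from the slides and not the rewards-program source): `simulate_rewards` lays out `name[20]` directly below a 4-byte `points` counter and copies the input in without a bounds check, then reads `points` as a little-endian integer, so the same inputs the slides tried give the same counter values; `build_name` produces the correctly ordered bytes with `struct.pack` instead of reversing them by hand. The `bounded` flag shows the fix. The model truncates at 24 bytes, which is an assumption of this example (a real process keeps overwriting the frame and crashes, as the slides saw); the function names are constructed.

```python
import struct

NAME_SIZE = 20                 # char foo[20] from the slides
REGION_SIZE = NAME_SIZE + 4    # name followed by the 4-byte points counter


def simulate_rewards(name: bytes, bounded: bool = False) -> int:
    """Model of the pwn100 frame: name[20] sits just below points (4 bytes).

    With bounded=False the copy is unchecked, like the program in the slides,
    and overflow bytes land in `points`. With bounded=True the copy stops at
    NAME_SIZE - 1 (leaving room for a terminator, as fgets(name, sizeof name,
    stdin) would), so `points` cannot be touched by input.
    Bytes beyond REGION_SIZE are dropped here; a real process would keep
    overwriting the frame and crash.
    """
    frame = bytearray(REGION_SIZE)            # points starts at 0, name is empty
    limit = NAME_SIZE - 1 if bounded else REGION_SIZE
    chunk = name[:limit]
    frame[:len(chunk)] = chunk
    # x86 is little-endian: the first byte stored is the least significant.
    return struct.unpack_from("<I", frame, NAME_SIZE)[0]


def build_name(points: int) -> bytes:
    """Fill the buffer exactly, then append the wanted value in memory byte order."""
    return b"A" * NAME_SIZE + struct.pack("<I", points)


def explain(name: bytes) -> str:
    """One-line description of what a given name does to the counter."""
    value = simulate_rewards(name)
    return "name of %d bytes -> points = %d (0x%08x)" % (len(name), value, value)


if __name__ == "__main__":
    print(explain(b"A" * 36))                                  # the slides' first try
    print(explain(b"A" * 21))                                  # just barely corrupts
    print(explain(b"A" * 20 + b"\x13\x37\xd0\x0d"))            # wrong order
    print(explain(build_name(0x1337D00D)))                     # right order
    print("bounded copy:", simulate_rewards(b"A" * 36, bounded=True))
```

To send the bytes from Python 3 rather than Python 2, write them with `sys.stdout.buffer.write(...)`; `print` would encode 0xD0 as two UTF-8 bytes and shift everything after it.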
pwn100 - “Rewards Program”
• Now we just need to do it remotely.
• Most pwn challenges work like this
  – Can’t just give you the program with the flag!
  – Remember re100?
• We’ll use netcat, or nc for short
  $ nc chals.fairgame.rpis.ec 5001
• Try talking to the program again

pwn100 - “Rewards Program”
• It worked!
• ...wait, we can’t do anything
• The program executes a shell when you win
• We can’t type anything
  – nc is getting its input from Python
  – Python isn’t doing anything with keyboard input
• This sucks

pwn100 - “Rewards Program”
• cat will just repeat whatever we type
  – ...which gets piped into netcat!

pwn100 - “Rewards Program”
• pwn is a staple of CTFs
• Creativity and patience are a must
• Too many techniques to count!

Review
We’ve covered the basics of five CTF categories:
• misc - the potpourri category
• web - browser and web server tricks
• crypto - uncovering ciphered data
• re - figuring out how a program works
• pwn - figuring out how to break a program

Coming Soon...
● Next week: web!
● Get involved with RPISEC @ https://rpis.ec/contact
  ○ Slack can be found on https://rpisec.slack.com
    ■ Come chat with RPISEC members and alumni!
  ○ Mailing list invite can be found on contact page