CTF on System Overlord

BSidesSF CTF 2023: Lastpwned (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Sun, 23 Apr 2023 00:00:00 +0000

I was the challenge author for a handful of challenges for this year’s BSidesSF CTF. One of those challenges was lastpwned, inspired by a recent high-profile data breach. This challenge provided a web-based password manager with client-side encryption.

CTF 101: Just Try It!

david@systemoverlord.com (David Tomaschik) — Mon, 17 Apr 2023 00:00:00 +0000

Table of Contents {:toc}

As I’m helping to organize the BSides San Francisco CTF this weekend, I thought I’d share a little primer for CTFs for those who have not gotten into them before.

What is a CTF?

I suspect that most people in the information security (“cybersecurity”) space have already heard of Capture the Flag (or CTF) competitions, but in case you haven’t, I wanted to provide a short overview.

BSidesSF 2022 CTF: Login4Shell

david@systemoverlord.com (David Tomaschik) — Mon, 20 Jun 2022 00:00:00 +0000

Log4Shell was arguably the biggest vulnerability disclosure of 2021. Security teams across the entire world spent the end of the year trying to address this bug (and several variants) in the popular Log4J logging library.

The vulnerability was caused by special formatting strings in the values being logged that allow you to include a reference. This reference, it turns out, can be loaded via JNDI, which allows remotely loading the results as a Java class.

This was such a big deal that there was no way we could let the next BSidesSF CTF go by without paying homage to it. Fun fact, this meant I “got” to build a Java webapp, which is actually something I’d never done from scratch before. Nothing quite like learning about Jetty, Log4J, and Maven just for a CTF level.

BSidesSF 2022 CTF: TODO List

david@systemoverlord.com (David Tomaschik) — Thu, 09 Jun 2022 00:00:00 +0000

This year, I was the author of a few of our web challenges. One of those that gave both us (as administrators) and the players a few difficulties was “TODO List”.

Upon visiting the application, we see an app with a few options, including registering, login, and support. Upon registering, we are presented with an opportunity to add TODOs and mark them as finished:

If we check robots.txt we discover a couple of interesting entries:

BSidesSF 2022 CTF: Cow Say What?

david@systemoverlord.com (David Tomaschik) — Tue, 07 Jun 2022 00:00:00 +0000

As the author of the Cow Say What? challenge from this year’s BSidesSF CTF, I got a lot of questions about it after the CTF ended. It’s both surprisingly straight-forward but also a very little-known issue.

The challenge was a web challenge – if you visited the service, you got a page providing a textarea for input to the cowsay program, as well as a drop down for the style of the cow saying something (plain, stoned, dead, etc.). There was a link to the source code, reproduced here:

0x0G CTF: Authme (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Thu, 12 Aug 2021 00:00:00 +0000

0x0G is Google’s annual “Hacker Summer Camp” event. Normally this would be in Las Vegas during the week of DEF CON and Black Hat, but well, pandemic rules apply. I’m one of the organizers for the CTF we run during the event, and I thought I’d write up solutions to some of my challenges here.

The first such challenge is authme, a web/crypto challenge. The description just wants to know if you can auth as admin and directs you to a website. On the website, we find a link to the source code, to an RSA public key, and a login form.

0x0G CTF: gRoulette (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Thu, 12 Aug 2021 00:00:00 +0000

gRoulette is a simplified Roulette game online. Win enough and you’ll get the flag. The source code is provided, and the entire thing is run over a WebSocket connection to the server.

BSidesSF 2021 CTF: Net Matroyshka (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Fri, 12 Mar 2021 00:00:00 +0000

Net Matroyshka was one of our “1337” tagged challenges for the 2021 BSidesSF CTF. This indicated it was particularly hard, and our players can probably confirm that.

If you haven’t played our CTF in the past, you might not be familiar with the Matryoshka name. (Yep, I misspelled Matryoshka this year and didn’t catch it before we launched.) It refers to the nesting Matryoshka dolls, and we’ve been doing a series of challenges where they contain layers to be solved, often by different encodings, formats, etc. This year, it was layers of PCAPs for some network forensics challenges.

BSidesSF 2021 CTF: CuteSrv (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I authored the BSidesSF 2021 CTF Challenge “CuteSrv”, which is a service to display cute pictures. The description from the scoreboard:

Last year was pretty tough for all of us. I built this service of cute photos to help cheer you up. We do moderate for cuteness, so no inappropriate photos please!

Like my other write-ups, I’ll do this from the perspective of a player playing through and try not to assume internal knowledge.

BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I was the author for the BSidesSF 2021 CTF Challenge “Encrypted Bin”, which is an encrypted pastebin service. The description from the scoreboard:

I’ve always wanted to build an encrypted pastebin service. Hope I’ve done it correctly. (Look in /home/flag/ for the flag.)

I thought I’d do a walk through of how I expected players to solve the challenge, so I’ll write this as if I’m playing the challenge.

Visiting the web service, we find an upload page for text and not much else. When we perform an upload, we see that we’re redirected to a page to view the encrypted upload:

BSides SF 2020 CTF: Infrastructure Engineering and Lessons Learned

david@systemoverlord.com (David Tomaschik) — Thu, 27 Feb 2020 00:00:00 +0000

Last weekend, I had the pleasure of running the BSides San Francisco CTF along with friends and co-conspirators c0rg1, symmetric and iagox86. This is something like the 4th or 5th year in a row that I’ve been involved in this, and every year, we try to do a better job than the year before, but we also try to do new things and push the boundaries. I’m going to review some of the infrastructure we used, challenges we faced, and lessons we learned for next year.

Running the BSides SF 2019 CTF

david@systemoverlord.com (David Tomaschik) — Sun, 10 Mar 2019 00:00:00 +0000

I’ve just written a post for the BSidesSF blog about running the BSidesSF 2019 CTF. Check it out and feel free to get in touch if you have feedback.

BSides SF CTF Author Writeup: Flagsrv

david@systemoverlord.com (David Tomaschik) — Fri, 08 Mar 2019 00:00:00 +0000

Flagsrv was a 300 point web challenge in this year’s BSidesSF CTF. The description was a simple one:

We’ve built a service for the sole purpose of serving up flags!

The account you want is named ‘flag’.

BSides SF CTF Author Writeup: Cloud2Clown

david@systemoverlord.com (David Tomaschik) — Thu, 07 Mar 2019 00:00:00 +0000

The Challenge

Sometimes you see marketing materials that use the word cloud to the point that it starts to lose all meaning. This service allows you to fix that with clowns instead of clouds. Note: there are 2 flags, they should be clearly labeled.

Pros vs Joes CTF: The Evolution of Blue Teams

david@systemoverlord.com (David Tomaschik) — Tue, 19 Jun 2018 00:00:00 +0000

Pros v Joes CTF is a CTF that holds a special place in my heart. Over the years, I’ve moved from playing in the 1st CTF as a day-of pickup player (signing up at the conference) to a Blue Team Pro, to core CTF staff. It’s been an exciting journey, and Red Teaming there is about the only role I haven’t held. (Which is somewhat ironic given that my day job is a red team lead.) As Blue teams have just formed, and I’m not currently attached to any single team, I wanted to share my thoughts on the evolution of Blue teaming in this unique CTF. In many ways, this will resemble the Blue Team player’s guide I wrote about 3 years ago, but will be based on the evolution of the game and of the industry itself. That post remains relevant, and I encourage you to read it as well.

BSidesSF CTF 2018: Coder Series (Author's PoV)

david@systemoverlord.com (David Tomaschik) — Sat, 21 Apr 2018 00:00:00 +0000

Introduction

As the author of the “coder” series of challenges (Intel Coder, ARM Coder, Poly Coder, and OCD Coder) in the recent BSidesSF CTF, I wanted to share my perspective on the challenges. I can’t tell if the challenges were uninteresting, too hard, or both, but they were solved by far fewer teams than I had expected. (And than we had rated the challenges for when scoring them.)

The entire series of challenges were based on the premise “give me your shellcode and I’ll run it”, but with some limitations. Rather than forcing players to find and exploit a vulnerability, we wanted to teach players about dealing with restricted environments like sandboxes, unusual architectures, and situations where your shellcode might be manipulated by the process before it runs.

Hacker Summer Camp 2017: Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Mon, 31 Jul 2017 00:00:00 +0000

I’ve returned from this year’s edition of Hacker Summer Camp, and while I’m completely and utterly exhausted, I wanted to get my thoughts about this year’s events out before I completely forget what happened.

The Pros vs Joes CTF was, yet again, a high quality event despite the usual bumps and twists. This was the largest PvJ ever, with more than 80 people involved between Blue Pros, Blue Joes, Red Cell, Grey Cell, and Gold Cell. Each blue team had 11 players between the two Pros and 9 Joes, making them slightly larger than in years past. (Though I believe that’s a temporary “feature” of this year’s game.)

DEF CON Quals 2017: beatmeonthedl

david@systemoverlord.com (David Tomaschik) — Sun, 30 Apr 2017 00:00:00 +0000

I played in the DEF CON quals CTF this weekend, and happened to find the challenge beatmeonthedl particularly interesting, even if it was in the “Baby’s First” category. (DC Quals Baby’s Firsts aren’t as easy as one might think…)

So we download the binary and take a look. I’m using Binary Ninja lately, it’s a great tool from the Vector35 guys, and at the right price compared to IDA for playing CTF. :) So I open up the binary, and notice a few things right away. This is an x86-64 ELF binary with essentially none of the standard security features enabled:

SANS Holiday Hack Challenge 2016

david@systemoverlord.com (David Tomaschik) — Thu, 05 Jan 2017 00:00:00 +0000

Table of Contents {:toc}

Introduction

This is my second time playing the SANS holiday hack challenge. It was a lot of fun, and probably took me about 8-10 hours over a period of 2-3 days, not including this writeup. Ironically, this writeup took me longer than actually completing the challenge – which brings me to a note about some of the examples in the writeup. Please ignore any dates or timelines you might see in screengrabs and other notes – I was so engrossed in playing that I did a terrible job of documenting as I went along, so a lot of these I went back and did a 2nd time (of course, knowing the solution made it a bit easier) so I could provide the quality of writeup I was hoping to.

Most importantly, a huge shout out to all the SANS Counter Hack guys – I can only imagine how much work goes into building an educational game like this and making the challenges realistic and engrossing. I’ve built wargames & similar apps for work, but never had to build them into a story – let across a story that spans multiple years. I tip my hat to their dedication and success!

HSC Part 2: Pros versus Joes CTF

david@systemoverlord.com (David Tomaschik) — Wed, 10 Aug 2016 00:00:00 +0000

Continuing my Hacker Summer Camp Series, I’m going to talk about one of my Hacker Summer Camp traditions. That’s right, it’s the Pros versus Joes CTF at BSidesLV. I’ve written about my experiences and even a player’s guide before, but this was my first year as a Pro, captaining a blue team (The SYNdicate).

It’s important to me to start by congratulating all of the Joes – this is an intense two days, and your pushing through it is a feat in and of itself. In past years, we had players burn out early, but I’m proud to say that nearly all of the Joes (from every team) worked hard until the final scorched earth. Every one of the players on my team was outstanding and worked their ass off for this CTF, and it paid off, as The SYNdicate was declared the victors of the 2016 BSides LV Pros versus Joes.

ASIS CTF 2016: 3magic

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

We’re directed to a web application that provides us with the ability to ping an arbitrary host. Like many such web interfaces, this one is vulnerable to command injection. We can provide flags like -v to get the version of ping being used, but inserting other characters, like |, ;, or $() result in a response of invalid character detected. Notably, so do spaces and tabs, significantly limiting the ability to run commands (we’ll see how to get around this shortly).

ASIS CTF 2016: Binary Cloud

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Binary Cloud claims “Now you can upload any types of files, temporarily.” Let’s see what this means.

Rule one of web challenges: check robots.txt:

User-Agent: *
Disallow: /
Disallow: /debug.php
Disallow: /cache
Disallow: /uploads

So we have some interesting paths there. debug.php turns out to be a phpinfo() page, informing us it’s ‘PHP Version 7.0.4-7ubuntu2’. Interesting, pretty new version. I play around with the app briefly to see how it’s going to behave, and notice any file ending in .php is prohibited. No direct .php script upload for us.

ASIS CTF 2016: firtog

david@systemoverlord.com (David Tomaschik) — Sun, 08 May 2016 22:30:00 +0000

Firtog gives us a pcap file that you can quickly see features several TCP sessions containing the git server protocol. The binary protocol looks like this in the follow TCP stream mode:

Switching Wireshark to decode this as “Git” almost works, but there’s a trick. If we read the git pack protocol documentation, we’ll see there’s a special side-band mode here, where the length field is followed with a ‘1’, ‘2’, or ‘3’ byte indicating the type of data to follow. We only want the data from sideband ‘1’, which is the actual packfile data. So we’ll grab that data using Wireshark and write it to a file, fixing up the last byte with quick python work.

PlaidCTF 2016: Butterfly

david@systemoverlord.com (David Tomaschik) — Sun, 17 Apr 2016 00:00:00 +0000

Butterfly was a 150 point pwnable in the 2016 PlaidCTF. Basic properties:

x86_64
Not PIE
Assume ASLR, NX

It turns out to be a very simple binary, all the relevant code in one function (main), and using only a handful of libc functions. The first thing that jumped out to me was two calls to mprotect, at the same address. I spent some time looking at the disassembly and figuring out what was going on. The relevant portions can be seen here:

CSAW Quals 2015: Sharpturn (aka Forensics 400)

david@systemoverlord.com (David Tomaschik) — Mon, 21 Sep 2015 21:33:58 +0000

The text was just:

I think my SATA controller is dying.

HINT: git fsck -v

And included a tarball containing a git repository. If you ran the suggested git fsck -v, you’d discover that 3 commits were corrupt:

:::text
Checking HEAD link
Checking object directory
Checking directory ./objects/2b
Checking directory ./objects/2e
Checking directory ./objects/35
Checking directory ./objects/4a
Checking directory ./objects/4c
Checking directory ./objects/7c
Checking directory ./objects/a1
Checking directory ./objects/cb
Checking directory ./objects/d5
Checking directory ./objects/d9
Checking directory ./objects/e5
Checking directory ./objects/ef
Checking directory ./objects/f8
Checking tree 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking commit 2e5d553f41522fc9036bacce1398c87c2483c2d5
error: sha1 mismatch 354ebf392533dce06174f9c8c093036c138935f3
error: 354ebf392533dce06174f9c8c093036c138935f3: object corrupt or missing
Checking commit 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking tree 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking commit 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
Checking tree a1607d81984206648265fbd23a4af5e13b289f83
Checking tree cb6c9498d7f33305f32522f862bce592ca4becd5
Checking commit d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
error: sha1 mismatch d961f81a588fcfd5e57bbea7e17ddae8a5e61333
error: d961f81a588fcfd5e57bbea7e17ddae8a5e61333: object corrupt or missing
Checking blob e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking blob efda2f556de36b9e9e1d62417c5f282d8961e2f8
error: sha1 mismatch f8d0839dd728cb9a723e32058dcc386070d5e3b5
error: f8d0839dd728cb9a723e32058dcc386070d5e3b5: object corrupt or missing
Checking connectivity (32 objects)
Checking a1607d81984206648265fbd23a4af5e13b289f83
Checking e5e5f63b462ec6012bc69dfa076fa7d92510f22f
Checking 4a2f335e042db12cc32a684827c5c8f7c97fe60b
Checking cb6c9498d7f33305f32522f862bce592ca4becd5
Checking 4c0555b27c05dbdf044598a0601e5c8e28319f67
Checking 2bd4c81f7261a60ecded9bae3027a46b9746fa4f
Checking 2e5d553f41522fc9036bacce1398c87c2483c2d5
Checking efda2f556de36b9e9e1d62417c5f282d8961e2f8
Checking 354ebf392533dce06174f9c8c093036c138935f3
Checking d57aaf773b1a8c8e79b6e515d3f92fc5cb332860
Checking f8d0839dd728cb9a723e32058dcc386070d5e3b5
Checking d961f81a588fcfd5e57bbea7e17ddae8a5e61333
Checking 7c9ba8a38ffe5ce6912c69e7171befc64da12d4c
missing blob 354ebf392533dce06174f9c8c093036c138935f3
missing blob f8d0839dd728cb9a723e32058dcc386070d5e3b5
missing blob d961f81a588fcfd5e57bbea7e17ddae8a5e61333

Well, crap. How do we fix these? Well, I guess the good news is that the git blob format is fairly well documented. The SHA-1 of a blob is computed by taking the string blob , appending the length of the blob as an ASCII-encoded decimal value, a null character, and then the blob contents itself: blob <blob_length>\0<blob_data>. The final blob value as written in the objects directory of the git repository is the zlib-compressed version of this string. This leads us to these useful functions for reading, writing, and hashing git blobs in python:

Blue Team Player's Guide for Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Sat, 15 Aug 2015 19:15:36 +0000

I’ve played in Dichotomy’s Pros v Joes CTF for the past 3 years – which, I’m told, makes me the only player to have done so. It’s an incredible CTF and dramatically different from any other that I’ve ever played. Dichotomy and I were having lunch at DEF CON when he said “You know what would be cool? A blue team player’s guide.” So, I give to you, the blue team player’s guide to the Pros v Joes CTF.

Hacker Summer Camp 2015: DEF CON

david@systemoverlord.com (David Tomaschik) — Fri, 14 Aug 2015 03:11:12 +0000

So, following up on my post on BSides LV 2015, I thought I’d give a summary of DEF CON 23. I can’t cover everything I did (after all, what happens in Vegas, stays in Vegas… mostly) but I’m going to cover the biggest highlights as I saw them.

The first thing to know about my take on DEF CON is that DEF CON is a one-of-a-kind event, somewhere between a security conference and a trip to Mecca. It’s one part conference, one part party, and one part social experience. The second thing to know about my take on DEF CON is that I’m not there to listen to people speak. If I was just there to listen to people speak, there’s the videos posted to YouTube or available on streaming/DVD from the conference recordings. I’m at DEF CON to participate, meet people, and hack all the things.

Hacker Summer Camp 2015: BSides LV & Pros vs Joes CTF

david@systemoverlord.com (David Tomaschik) — Wed, 12 Aug 2015 00:13:58 +0000

I’ve just returned from Las Vegas for the annual “hacker summer camp”, and am going to be putting up a series of blog posts covering the week. Tuesday and Wednesday were BSides Las Vegas. For the uninitiated, BSides was founded as the “flip side” to Black Hat, and has spawned into a series of community organized and oriented conferences around the globe. Entrance to BSides LV was free, but you could guarantee a spot by donating in advance if you were so inclined. (I was.)

Getting Started in CTFs

david@systemoverlord.com (David Tomaschik) — Sun, 14 Sep 2014 20:07:10 +0000

My last post was about getting started in a career in information security. This post is about the sport end of information security: Capture the Flag (CTFs).

I’d played around with some wargames (Smash the Stack, Over the Wire, and Hack this Site) before, but my first real CTF (timed, competitive, etc.) was the CTF run by Mad Security at BSides SF 2013. By some bizarre twist of fate, I ended up winning the CTF, and I was hooked. I’ve probably played in about 30 CTFs since, most of them online with the team Shadow Cats. It’s been a bumpy ride, but I’ve learned a lot about a variety of topics by doing this.

Secuinside Quals 2014: Simple Login

david@systemoverlord.com (David Tomaschik) — Wed, 04 Jun 2014 02:08:25 +0000

In this challenge, we received the source for a site with a pretty basic login functionality. Aside from some boring forms, javascript, and css, we have this PHP library for handling the session management:

#!php
<?
	class common{
		public function getidx($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select idx from member where id='".$id."'"));
			return $info[0];
		}

		public function getpasswd($id){
			$id = mysql_real_escape_string($id);
			$info = mysql_fetch_array(mysql_query("select password from member where id='".$id."'"));
			return $info[0];
		}

		public function islogin(){
			if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
	 			exit("cannot be used Special character");
			}

			if( $_COOKIE['user_name'] == "admin" )	return 0;

			$salt = file_get_contents("../../long_salt.txt");

			if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
				return 1;
			}

			return 0;
		}

		public function autologin(){

		}

		public function isadmin(){
			if( $this->getidx($_COOKIE['user_name']) == 1){
				return 1;
			}

			return 0;
		}

		public function insertmember($id, $password){
			$id = mysql_real_escape_string($id);
			mysql_query("insert into member(id, password) values('".$id."', '".$password."')") or die();

			return 1;
		}
	}
?>

Some first impressions:

Secuinside Quals 2014: Shellcode 100

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 04:57:01 +0000

This is a level that, at first, seemed like it would be extremely simple, but then turned out to be far more complicated than expected. We were provided a zip file containing a python script and an elf binary.

Disassembling the binary reveals a very basic program:

/ (fcn) sym.main 165
| 0x0804847d 55 push ebp
| 0x0804847e 89e5 mov ebp, esp
| 0x08048480 83e4f0 and esp, 0xfffffff0
| 0x08048483 83ec30 sub esp, 0x30
| 0x08048486 8b450c mov eax, [ebp+0xc]
| 0x08048489 83c004 add eax, 0x4
| 0x0804848c 8b00 mov eax, [eax]
| 0x0804848e 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048376 (fcn.08048376)
| ; CODE (CALL) XREF from 0x08048370 (fcn.08048366)
| 0x08048491 e8dafeffff call 0x108048370 ; (sym.imp.atoi)
| sym.imp.atoi(unk)
| 0x08048496 89442428 mov [esp+0x28], eax
| 0x0804849a c7442424000. mov dword [esp+0x24], 0x0
| 0x080484a2 c7442408040. mov dword [esp+0x8], 0x4
| 0x080484aa 8d442424 lea eax, [esp+0x24]
| 0x080484ae 89442404 mov [esp+0x4], eax
| 0x080484b2 8b442428 mov eax, [esp+0x28]
| 0x080484b6 890424 mov [esp], eax
| ; CODE (CALL) XREF from 0x08048330 (fcn.0804832c)
| 0x080484b9 e872feffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x080484be 8b442424 mov eax, [esp+0x24]
| 0x080484c2 c7442414000. mov dword [esp+0x14], 0x0
| 0x080484ca c7442410fff. mov dword [esp+0x10], 0xffffffff
| 0x080484d2 c744240c220. mov dword [esp+0xc], 0x22
| 0x080484da c7442408070. mov dword [esp+0x8], 0x7
| 0x080484e2 89442404 mov [esp+0x4], eax
| 0x080484e6 c7042400000. mov dword [esp], 0x0
| ; CODE (CALL) XREF from 0x08048350 (fcn.08048346)
| 0x080484ed e85efeffff call 0x108048350 ; (sym.imp.mmap)
| sym.imp.mmap()
| 0x080484f2 8944242c mov [esp+0x2c], eax
| 0x080484f6 8b442424 mov eax, [esp+0x24]
| 0x080484fa 89442408 mov [esp+0x8], eax
| 0x080484fe 8b44242c mov eax, [esp+0x2c]
| 0x08048502 89442404 mov [esp+0x4], eax
| 0x08048506 8b442428 mov eax, [esp+0x28]
| 0x0804850a 890424 mov [esp], eax
| 0x0804850d e81efeffff call 0x108048330 ; (sym.imp.read)
| sym.imp.read()
| 0x08048512 31c0 xor eax, eax
| 0x08048514 31c9 xor ecx, ecx
| 0x08048516 31d2 xor edx, edx
| 0x08048518 31db xor ebx, ebx
| 0x0804851a 31f6 xor esi, esi
| 0x0804851c 31ff xor edi, edi
\ 0x0804851e ff64242c jmp dword [esp+0x2c]

It takes a single argument, an integer, which it uses as a file descriptor for input. It then reads 4 bytes from the file descriptor, mmap’s an anonymous block of memory of that size with RWX permissions, then reads that many bytes from the file descriptor into the mapped region, and finally jumps to the map region. So, in summary, read shellcode length, read shellcode, then jump to shellcode.

Secuinside Quals 2014: Javascript Jail (Misc 200)

david@systemoverlord.com (David Tomaschik) — Mon, 02 Jun 2014 03:43:33 +0000

The challenge was pretty straightforward: connect to a service that’s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:

#!javascript
function checker(flag, myRand) {
 return function (rand) {
 function stage1() {
 var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 function stage2() {
 var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;});
 var b = rand(a.length);

 if (!Array.isArray(b)) {
 print("You're a cheater!");
 return false;
 }

 if (b.length < a.length) {
 print("hmm.. too short..");
 for (var i = 0, n = a.length - b.length; i < n; i++) {
 delete b[b.length];
 b[b.length] = [Math.random() * 0x10000];
 }
 } else if (b.length > a.length) {
 print("hmm.. too long..");
 for (var i = 0, n = b.length - a.length; i < n; i++)
 Array.prototype.pop.apply(b);
 }

 for (var i = 0, n = b.length; i < n; i++) {
 if (a[i] != b[i]) {
 print("ddang~~");
 return false;
 }
 }

 return true;
 }

 print("stage1");

 if (!stage1())
 return;

 print("stage2");

 if (!stage2())
 return;

 print("awesome!");
 return flag;
 };
}

As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is in how the random values are generated: once from Math.random, and, in stage 2, from a function provided by the factory function. This function was not available to us to reverse the functionality of.

Weekly Reading List for 5/23/14

david@systemoverlord.com (David Tomaschik) — Fri, 23 May 2014 07:00:00 +0000

###Radare2 Book Maijin on GitHub is in the process of putting together an online book for Radare2. I’ve been looking for a good resource for using Radare2, and this is a great start.

###Reverse Engineering for Beginners Dennis Yurichev has a free eBook on Reverse Engineering. I haven’t gotten through it yet, but it looks interesting, and you can’t beat the price.

###Hacker Playbook Finally, I finished up The Hacker Playbook: Practical Guide To Penetration Testing this week. You can find my full review here.

DEF CON 22 CTF Quals: 3dttt

david@systemoverlord.com (David Tomaschik) — Wed, 21 May 2014 14:07:02 +0000

Unlike most of the challenges in DC22 quals, this one required no binary exploitation, no reversing, just writing a little code. You needed to play 3-D Tic Tac Toe, and you needed to play fast. Unfortunately, I didn’t record the sessions, so I don’t have the example output.

Basically, you just received an ASCII representation of each of the 3 boards making up the 3d-tic-tac-toe environment, and were prompted to provide x,y,z coordinates for your next move. However, you had only a very short period of time (fractions of a second) to send your move, so playing by hand was impossible. The winner of each board was the player with the most rows won, and it did go to the full 27 moves each time. Also, it’s important to note that the player always goes first, and that you have to win 50 rounds in order to receive the flag.

DEF CON 22 CTF Quals: Hackertool

david@systemoverlord.com (David Tomaschik) — Mon, 19 May 2014 03:32:11 +0000

Hackertool was one of the Baby’s First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

Announcement: PwnableWeb Released

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 00:11:58 +0000

In addition to my primary interest in the technical aspects of information security, I’m also a big fan of wargames & CTFs as educational tools, so a while back, I decided I wanted to build a web-based wargame and CTF scoreboard system. Today I am releasing the results of that, dubbed PwnableWeb, under the Apache 2.0 License. It includes web-based wargame-style challenges and an accompanying scoreboard.

###The Framework Each vulnerable site is built on top of a small framework that provides common functionality, and also provides a framework for building a client for interactive exploitation. (It provides a target to exploit XSS and XSRF against.)

PlaidCTF 2014: Conclusion

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 17:30:42 +0000

The 2014 edition of PlaidCTF was excellent, but I wish we’d been able to make it through more challenges. We cleared about 7 challenges, but really only two of them felt worth writing up. The others have been well documented elsewhere, no sense in rewriting the same thing.

I liked how the challenges often required a series of exploits/techniques, this is much like what happens in the real world. I do wish I had spent more time on binary exploitation, attempting to get a solution to _nightmares_ burned a lot of time.

PlaidCTF 2014: ReeKeeeee

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 06:46:01 +0000

ReeKeeeeee was, by far, the most visually painful challenge in the CTF, with a flashing rainbow background on every page. Blocking scripts was clearly a win here. Like many of the challenges this year, it turned out to require multiple exploitation steps.

ReeKeeeeee was a meme-generating service that allowed you to provide a URL to an image and text to overlay on the image. Source code was provided, and it was worth noting that it’s a Django app using the django.contrib.sessions.serializers.PickleSerializer serializer. As the documentation for the serializer notes, If the SECRET_KEY is not kept secret and you are using the PickleSerializer, this can lead to arbitrary remote code execution. So, maybe, can we get the SECRET_KEY?

PlaidCTF 2014: mtpox

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 05:13:12 +0000

150 Point Web Challenge

The Plague has traveled back in time to create a cryptocurrency before Satoshi does in an attempt to quickly gain the resources required for his empire. As you step out of your time machine, you learn his exchange has stopped trades, due to some sort of bug. However, if you could break into the database and show a different story of where the coins went, we might be able to stop The Plague.

Weekly Reading List for 4/4/14

david@systemoverlord.com (David Tomaschik) — Fri, 04 Apr 2014 07:00:00 +0000

It’s been a while where I’ve been too busy even for any good reading, but we’re back to the reading lists!

Return-Oriented Programming (ROP)

Code Arcana has an excellent introduction to ROP exploitation techniques. In addition to providing an introduction to the concept, it takes it through detailed implementation and debugging. I look forward to getting an opportunity to try it during the next CTF with a ROP challenge. (I’m guess PlaidCTF will offer such a chance.)

Boston Key Party: Mind Your Ps and Qs

david@systemoverlord.com (David Tomaschik) — Mon, 10 Mar 2014 21:29:13 +0000

About a week old, but I thought I’d put together a writeup for mind your Ps and Qs because I thought it was an interesting challenge.

You are provided 24 RSA public keys and 24 messages, and the messages are encrypted using RSA-OAEP using the private components to the keys. The flag is spread around the 24 messages.

So, we begin with an analysis of the problem. If they’re using RSA-OAEP, then we’re not going to attack the ciphertext directly. While RSA-OAEP might be vulnerable to timing attacks, we’re not on a network service, and there are no known ciphertext-only attacks on RSA-OAEP. So how are the keys themselves? Looking at them, we have a ~1024 bit modulus:

Codegate 2014 Quals: 120

david@systemoverlord.com (David Tomaschik) — Wed, 26 Feb 2014 06:51:10 +0000

From Codegate 2014 quals comes “120”. Provided is a web interface with a single text box and a link to the source, reproduced below:

#!php
<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);

function RandomString()
{
 $filename = "smash.txt";
 $f = fopen($filename, "r");
 $len = filesize($filename);
 $contents = fread($f, $len);
 $randstring = '';
 while( strlen($randstring)<30 ){
 $t = $contents[rand(0, $len-1)];
 if(ctype_lower($t)){
 $randstring .= $t;
 }
 }
 return $randstring;
}

$max_times = 120;

if ($_SESSION['cnt'] > $max_times){
 unset($_SESSION['cnt']);
}

if ( !isset($_SESSION['cnt'])){
 $_SESSION['cnt']=0;
 $_SESSION['password']=RandomString();

 $query = "delete from rms_120_pw where ip='$_SERVER[REMOTE_ADDR]'";
 @mysql_query($query);

 $query = "insert into rms_120_pw values('$_SERVER[REMOTE_ADDR]', ".
 "'$_SESSION[password]')";
 @mysql_query($query);
}
$left_count = $max_times-$_SESSION['cnt'];
$_SESSION['cnt']++;

if ( $_POST['password'] ){
 
 if (eregi("replace|load|information|union|select|from|where|" .
 "limit|offset|order|by|ip|\.|#|-|/|\*",$_POST['password'])){
 @mysql_close($link);
 exit("Wrong access");
 }

 $query = "select * from rms_120_pw where ".
 "(ip='$_SERVER[REMOTE_ADDR]') and " .
 "(password='$_POST[password]')";
 $q = @mysql_query($query);
 $res = @mysql_fetch_array($q);
 if($res['ip']==$_SERVER['REMOTE_ADDR']){
 @mysql_close($link);
 exit("True");
 }
 else{
 @mysql_close($link);
 exit("False");
 }
}

@mysql_close($link);
?>

<head>
<link rel="stylesheet" type="text/css" href="black.css">
</head>

<form method=post action=index.php>
 <h1> <?= $left_count ?> times left </h1>
 <div class="inset">
 <p>
 <label for="password">PASSWORD</label>
 <input type="password" name="password" id="password" >
 </p>
 </div>
 <p class="p-container">
 <span onclick=location.href="auth.php"> Auth </span>
 <input type="submit" value="Check">
 </p>
</form>

The TL;DR of this code is that it uses your PHP session to store a 30 character lowercase letter token, and a counter of how many tries you’ve made against it. You’re given 120 total tries, then a new code will be generated, meaning any data you’ve been able to glean is useless. For what it’s worth, not all letters are equally likely – the source of the data is Aleph One’s “Smashing the Stack for Fun and Profit.” The code contains a blacklist to protect against certain types of SQL injection, but certainly doesn’t cover all SQL injection possibilities.

Weekly Reading List for 1/25/14

david@systemoverlord.com (David Tomaschik) — Sat, 25 Jan 2014 08:00:00 +0000

This week, we’re focusing on binary exploitation and reversing. (Thanks to Ghost in the Shellcode for making me feel stupid with all their binary pwning challenges!)

Basic Shellcode Examples

Gal Badishi has a great set of Basic Shellcode Examples. It’s almost two years old, but a good primer into how basic shellcode works. x86 hasn’t changed (yes, I’m ignoring x64 for now), so still quite a relevant resource for those of us who have leaned on msfvenom/msfpayload for our payload needs.

Ghost in the Shellcode 2014

david@systemoverlord.com (David Tomaschik) — Tue, 21 Jan 2014 04:57:33 +0000

A quick Ghost in the Shellcode 2014 summary. Great CTF, but you better know your binary exploitation. I’m pretty happy with the overall 27th finish Shadow Cats managed. Here’s a summary of our team writeups, the first 3 by me, the last one by Dan.

Ghost in the Shellcode 2014: Radioactive

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 20:21:46 +0000

Radioactive was a crypto challenge that executed arbitrary python code, if you could apply a correct cryptographic tag. Source was provided, and the handler is below:

#!python
class RadioactiveHandler(SocketServer.BaseRequestHandler):
 def handle(self):
 key = open("secret", "rb").read()
 cipher = AES.new(key, AES.MODE_ECB)

 self.request.send("Waiting for command:\n")
 tag, command = self.request.recv(1024).strip().split(':')
 command = binascii.a2b_base64(command)
 pad = "\x00" * (16 - (len(command) % 16))
 command += pad

 blocks = [command[x:x+16] for x in xrange(0, len(command), 16)]
 cts = [str_to_bytes(cipher.encrypt(block)) for block in blocks]
 for block in cts:
 print ''.join(chr(x) for x in block).encode('hex')

 command = command[:-len(pad)]

 t = reduce(lambda x, y: [xx^yy for xx, yy in zip(x, y)], cts)
 t = ''.join([chr(x) for x in t]).encode('hex')

 match = True
 print tag, t
 for i, j in zip(tag, t):
 if i != j:
 match = False

 del key
 del cipher

 if not match:
 self.request.send("Checks failed!\n")
 eval(compile(command, "script", "exec"))

 return

So, it looks for a tag:command pair, where the tag is hex-encoded and the command is base64 encode. The command must be valid python, passed through compile and eval, so you’ll need to send a response back to yourself via self.request.send.

Ghost in the Shellcode 2014: Lugkist

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:43:56 +0000

Lugkist was an interesting “trivia” challenge. We were told “it’s not crypto”, but it sure looked like a crypto challenge. We had a file like:

Find the key.

GVZSNG
AXZIOG
YNAISG
ASAIUG
IVPIOK
AXPIVG
PVZIUG
AXLIEG

Always 6 letters, but no other obvious pattern. I did notice that the 4th character always was S or I and the final character G or K, but couldn’t make anything of that. I realized the full character set was ‘AEGIKLONPSUTVYXZ’. Searching for this string revealed nothing, but searching for the characters space separated revealed that this was the same character set as used by the codes for the original Game Genie. And Game Genie codes were 6 characters long.

Ghost in the Shellcode 2014: Pillowtalk

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 19:11:27 +0000

Pillowtalk was a 200 point crypto challenge. Provided was a stripped 64-bit binary along with a pcap file. I started off by exercising the behavior of the binary, looking at system calls/library calls to see what it was doing.

Client connects to server
Server reads 32 bytes from /dev/urandom
Server sends 32 bytes on the wire (not same bytes as read from /dev/urandom)
Client does same 32 byte read/send
Loop:
- Server reads a line from stdin
- Server sends 4 byte length
- Server sends encrypted line
- Client does the same steps

My first approach was by trying to use scapy to replay the pcap to the server, but this only gave complete noise, so I decided the two 32 byte values must be significant. I even tried controlling /dev/urandom (via LD_PRELOAD) to see if putting in the 32 bytes from the pcap would get to the right key. It didn’t.

Weekly Reading List for 1/18/14

david@systemoverlord.com (David Tomaschik) — Sat, 18 Jan 2014 05:00:00 +0000

I’ve decided to start posting a weekly reading list of interesting security-related articles I’ve come across in the past week. They’re not guaranteed to be new, but should at least still be relevant.

Using a BeagleBone to bypass 802.1x

Most security practitioners are already aware that NAC doesn’t provide meaningful security. While it’ll keep some random guy from plugging in to an exposed ethernet port in the lobby (shouldn’t that be turned off?), it won’t stop a determined attacker. You can just MITM the legitimate device, let it perform the 802.1x handshake, then send packets appearing to be from the legitimate device. To make it easier, ShellSherpa has put together a BeagleBone-based device to automatically MITM the NAC connection.

LD_PRELOAD for Binary Analysis

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 02:18:16 +0000

During the BreakIn CTF, there were a few challenges that depended on the return value of of libc functions like time() or rand(), and had differing behavior depending on those return values. In order to more easily reverse those binaries, it can be nice to control the return values of those functions. In other cases, you have binaries that may call functions like unlink(), system(), etc., where you prefer not to have those functions really called. (Though you are running these untrusted binaries in a VM, right?)

BreakIn CTF 2014

david@systemoverlord.com (David Tomaschik) — Mon, 13 Jan 2014 01:20:08 +0000

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.

DerbyCon CTF

david@systemoverlord.com (David Tomaschik) — Sun, 29 Sep 2013 22:38:19 +0000

While at Derbycon last weekend, I played in the Derbycon Capture the Flag (CTF). I played with some people from the DefCon Group back in Atlanta (DC404) – and we had a great team and that lead to a 5th place finish out of more than 80 teams with points on the board. Big shout out to Michael (@decreasedsales), Aaron (@aaronmelton), Dan (@alltrueic), and all the others who helped out.

Boston Key Party -- MITM

david@systemoverlord.com (David Tomaschik) — Mon, 10 Jun 2013 00:54:54 +0000

Boston Key Party is the latest CTF I've played in (this time playing with some local friends as part of our team 'Shadow Cats'). The first challenge we cleared (actually, first blood in the CTF) was MITM.

Now, you might think a challenge named "MITM" was some sort of Man-In-The-Middle exercise, but it's actually crypto! We're given five base-64 encoded messages: two plaintext/ciphertext pairs, and a ciphertext (which we're presumably supposed to decrypt).

PlaidCTF Compression

david@systemoverlord.com (David Tomaschik) — Tue, 30 Apr 2013 05:26:20 +0000

PlaidCTF 2013 had a level called "Compression". Here's the provided code for this level:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter
 
# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'
 
def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))
 
class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break
 
            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break
 
class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True
 
if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

So there's a few interesting things of note here:

Lessons From the Nebula

david@systemoverlord.com (David Tomaschik) — Sun, 24 Mar 2013 00:46:59 +0000

Exploit-Exercises.com's Nebula, that is. I just spent a good 8 hours or so working through the levels there, and I'm pretty sure I took much longer than I should have. In any case, there were a couple of things I was disappointed by: running "getflag" to get a flag (or otherwise being delivered a token) didn't provide you with anything to really validate what you were doing. You can actually jump directly to any level (which is good when you reset your VM) but not so interesting for "progression" or the sense of accomplishment -- at least for me.

BSides SF CTF by MAD Security, Conclusion

david@systemoverlord.com (David Tomaschik) — Wed, 06 Mar 2013 05:51:21 +0000

This is the conclusion to my write-up of the awesome BSides SF CTF by MAD Security/The Hacker Academy. You can find the other parts here: Levels 1-2, Levels 3-4, Levels 5-7.

What I Learned

Don't overthink things -- work from the simplest case.
Internet access during a CTF may be spotty (or nonexistent) -- be prepared to work fully offline. (Download a copy of exploit-db, etc.)
Keep meticulous notes -- otherwise you'll find yourself revisiting avenues you've exhausted, forgetting things, etc.

What I Wish I'd Done

BSides SF CTF by MAD Security, Part 3

david@systemoverlord.com (David Tomaschik) — Sun, 03 Mar 2013 19:41:47 +0000

This is a continuation of my write-up of the BSides SF 2013 CTF.

Level 5: Phone Work
This level required that we find a phone number on the Absurdistani snoop's computer and gain access to the voicemail box associated with the number. Finding the number was straightforward -- there was an email draft that contained the signature of the snoop, and in that signature was his phone number and voice mail box number. (This also lets us know his name is Marco.) Calling the phone number and entering the VM box number, we're asked for the PIN of the voicemail box. After trying some obvious things (the VM box number, the last 4 digits of the phone number, 1234, 0000, etc.) I started looking through his machine for any clues, but his machine was very sparsely populated with files. So, off to the internet for a list of the most common pins. Yeah, humans are predictable... the top 20 PINs (20/10000 =~ 0.2% of pins) represent a whopping 27% of PINs in use. Turns out Marco was that predictable too. One of the top 10 and we're in! The voicemail tells Marco that his new secure key is available on the secure keyserver, which he can retrieve using the 15 digit project access code.

BSides SF CTF by MAD Security, Part 2

david@systemoverlord.com (David Tomaschik) — Sun, 03 Mar 2013 00:43:10 +0000

This is a continuation of my write-up of the BSides SF 2013 CTF.

Level 3: Disk Forensics
A professional cleaner who has done some work for Nick provides you with an image of a flash drive, and you're to find the most "interesting file" on the drive and provide its md5sum. The first thing I do is run file on the image to get an idea of what we're working with:

BSides SF CTF by MAD Security, Part 1

david@systemoverlord.com (David Tomaschik) — Sat, 02 Mar 2013 07:47:38 +0000

Last weekend I was at BSides SF and had the opportunity to participate in the Capture the Flag competition run by MAD Security/The Hacker Academy. I was able to clear 6 of the levels, and thought I'd write them up here to share my experience. Most of this is from my memory, so there might be a few inaccuracies, but the intent is to share the general concepts, not the specifics.