September’s CTF recap: the challenges, the hurdles and the solutions. Presenter: Dolev Farhi | dolev@dc416.com
September’s online CTF overview. Capture the Flag is a type of game in which security professionals compete, either individually or in a team, to solve different security challenges. Common domains include Web, Forensics, Reverse Engineering and more.
DC416 Online CTF Overview
• Time Limit: 8 hours
• Participants: up to 3 per team
• Number of challenges: 11
• Number of teams registered: 10
• Level of excitement: Over 9000
• Players' write-ups:
  VulnHub Team (Harold Rodriguez @superkojiman): https://github.com/VulnHub/ctf-writeups/blob/master/2016/defcon416/solution.md
  Ckannada Team (Zack Mullaly @zsck_): http://zsck.co/2016/09/11/defcon-toronto-ctf-1/
Just before kick off - nerd party on Slack (Contact us for a Slack invitation)
Let’s go! Teams receive an email with a URL
Let’s go! Server has ports 22, 80 and 5000 open
The web page sources an obfuscated JavaScript file named ‘ob.js’. When deobfuscated, it reveals the string: synt1{z00ap4xr}. Running this string through a ROT13 decoder gives the correct flag form: flag1{m00nc4ke}
Challenge 2 http://galahad.dc416.com/staff
Challenge 2 The HTML source reveals a hidden href, “s.txt”, containing a list of base64 strings
Challenge 2 Decoding the base64 file
Challenge 2 passphrase:edward? Hmm... remember the NSA picture? Using steghide we can extract the steganography data, which reveals flag2{M00nface} and an interesting link
Challenge 3 galahad.dc416.com/cgi-bin/vault.py?arg=message
Challenge 3 The HTTP request must include a ‘Referer’ header pointing to the NSA website in order to proceed
Challenge 3 galahad.dc416.com/cgi-bin/vault.py?arg=
Challenge 4 Back to nikto. Browsing to /admin downloads a compiled .pyc file. Using uncompyle2 we can decompile the file back to Python source
Challenge 4 enc.py contents
Challenge 4 solution
Challenge 5 Remember we also had port 5000 opened?
Challenge 5 SECURITY THROUGH OBSCURITY 34343434 UDP
Challenge 5 Port knock! Ports 20/21 opened!
Challenge 5 FTP allows anonymous access and exposes 2 pcap files. The first pcap leads to a pastebin GET request
Challenge 6 The second pcap is a GET request to a link that resulted in a 404... the jpg must be reconstructed from the packet
Challenge 6 A nuclear plant with 3 coordinates and a hint: uid=500(nitro)
Challenge 6 Let’s SSH! USER: nitro PASS: zeus
Challenge 6 We capture the 6th flag s1xfl4gs and a hint.
Challenge 8 Back to nikto
Challenge 8 Basic authentication
Challenge 8 img is an ext3 filesystem
Challenge 8 lost+found is full of directories, but one in particular is interesting
Challenge 9 - The SQL injection that went wrong http://lancelot.dc416.com/webmail
Challenge 10 – The forgotten hint Getting a list of all classes currently loaded in the interpreter (every subclass of object): classes = ().__class__.__bases__[0].__subclasses__()
Challenge 10 – The forgotten hint Anarchy mode
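The Challenge 10 expression reaches `object` from a tuple literal and lists its subclasses using attribute access only, so it needs no builtin names at all. As an added example (not from the slides or the CTF's own code), here is a static check that a service evaluating user-supplied Python expressions could run before evaluation; the function names and sample inputs are assumptions made for illustration.

```python
import ast

# Names that perform attribute or namespace lookup indirectly and would
# sidestep the ast.Attribute check below.
INDIRECT_LOOKUPS = {"getattr", "setattr", "delattr", "vars",
                    "globals", "locals", "eval", "exec", "__import__"}


def find_introspection(expr):
    """Return a list of findings for a user-supplied expression.

    The expression is only parsed, never evaluated.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        return ["unparseable input: %s" % exc.msg]

    findings = []
    for node in ast.walk(tree):
        # obj.__class__, obj.__bases__, obj.__subclasses__ and similar
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append("dunder attribute: %s" % node.attr)
        # getattr(obj, ...) style indirection
        elif isinstance(node, ast.Name) and node.id in INDIRECT_LOOKUPS:
            findings.append("indirect lookup: %s" % node.id)
        # string literals that carry dunder names
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and "__" in node.value):
            findings.append("dunder string literal: %r" % node.value)
    return findings


def is_allowed(expr):
    """True only when the expression parses and produces no findings."""
    return not find_introspection(expr)


# Constructed sample inputs; the first is the expression shown on the slide.
SAMPLES = [
    "().__class__.__bases__[0].__subclasses__()",
    "getattr((), '__class__')",
    "1 + 2 * 3",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_allowed(sample), sample, find_introspection(sample))
```

A filter like this is a tripwire for rejecting and logging suspicious input, not a sandbox; untrusted code still needs process-level isolation.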