Sunday, September 17, 2017

CSAW CTF 2017 - Write-up

CSAW CTF 2017 - Write-up

Challenge: Misc, Serial

This challenge had to do with Serial, just like it’s name.
This is what we get when we connect to the server:
You can already guess that it has to do with parity checking. When you research 8N1 Parity, you’ll learn that the format is:
We’re asked to evaluate the data and respond with 1 or 0.
Even parity is explained pretty well here
Basically, you want to end up with even amount of 1’s. If your data contains three 1 bits then you need 1 as your parity bit. If your data contains eight 1 bits then you need 0 as your parity bit.
We’re asked to respond with 1 if parity bit is correct and respond with 0 if parity bit is incorrect.
I used pwntools and binascii to implement my solution.
It looks something like this:

First my checkparity function is defined, which will tell me what I need to transmit back to csaw server (either 1 or 0).
I make a connection to the server then read the data (All 11 bits). I send the data to my checkparity function.
Checkparity will look at only the byte value (actualdata) and parity bit. I also count the number of 1 bits I’ve received.
If I have even number of 1 bits then parity bit should be 0, if I have odd number of 1 bits then parity should be 1. If that isn’t the case then I have bad data and I retransmit 0.
The good bytes can be converted to ascii and that’s our flag!
This is what it looks like when ran:

Challenge: Pwn, Pilot

This was an exploitation challenge and the goal was to get a shell.
In this case, the tools I’ve used were gdb with peda and pwntools and struct libraries.
This was a 64-bit binary. I don’t I’ve done overflow on 64-bit before in any CTF so it was kinda new to me. The concept is still the same as 32-bit though.
I use ‘pattern create 50 out’ to generate a file named out with 50 bytes. ‘run < out’ takes bytes from the out file and inputs them after running the program. As you can see in the image above, there is a crash.
I can run pattern search to look at offsets. I also look at backtrace and look at the offset for the pattern find there. It is 40. This means that we need 40 bytes + address and whatever the address is should land in RIP and the application will jump to that address.
I test this out below:
In the screenshot above, you can see that BBBBAAAA is where the application jumps to.

When we connect to the server, this is the output:
Notice the location address it returns. This is where our code will be placed. The downloaded application also does this, obviously. Our goal is have some code at that address to obtain shell.

This is what my code ends up looking like:
First I make a connection then read the input. I extract the address that I need to jump to then pack it. I found shellcode that executes /bin/sh and I’ve added that as well.
\x90 is a nop, however, when testing, I was using \xcc (int3) which makes the debugger break (as in breakpoint) and lets me do step by step execution.
My data I will be inputting will be SHELLCODE (execute /bin/sh) + nop * (40-lenth of SHELLCODE)
I then send the data and interact with the socket connection.
Below is how I got the flag.

Challenge: Forensics, Best Router

This was 200 points but rather easier than other ones I did previously.
There is a file associated with the challenge, which I have downloaded.
Visiting the URL looks like this:
File that you download is called: best_router.tar.gz, I untarred it and ran the file command to find more information about it.
We can guess that this is an image for the router. We can mount the partitions and examine the insides. I used kpartx.
Partition 1 didn’t have anything useful.
Partition 2 on the other hand has linux file system.
We know the title of the site is BEST ROUTER, we can just use grep to find it.
And looking at the files in var/www gives us the username and password:
The username and password allow us to log in and get the flag:

That’s all. I attempted other challenges but didn’t obtain flags. :-(

Friday, September 8, 2017

CTF Tips and Resources

This post has tips and resources for doing a CTF...

Tips and Resources:
First read Trail of Bits CTF guide. It’s very good.
Also watch these:

If you’re playing CTF with a team, you can do different type of tasks (web, crypto, reversing, exploitation, etc) or focus on one category. Either way, you should aim to learn more of whatever you’re trying to learn.

Prepare your tools. I recommend setting up a virtual machine with Kali Linux. Kali should contain many of the tools you need. Remnux is also a good VM to have. You can also run a VM on a remote system. I personally have a machine setup on Vultr with docker and ctf-tools ( I highly recommend installing ctf-tools. You can also install tools such as Pwntools ( Depending on what you’re trying to do, you’ll need different tools.

I highly recommend writing your own tools as well. You can keep them to yourself or share them. You might participate in more CTFs and you might get challenges where you can reuse the scripts or tools you ended up writing.

Document all of the things you do. While you’re doing a CTF, you should be documenting how you’ve been solving challenges. I recommend using a tool such as KeepNote. KeepNote also lets you export to HTML. Keeping notes of what you’ve done will help you in the future and you can also share them so other people can learn. Typically, some people will publish write-ups from CTFs on how they solved challenges. When documenting, keep the files you were given for challenges and save the challenge text as well so your audience knows what you were actually trying to solve.

Read write-ups! Read write-ups that other people have written. Everyone approaches problems differently. You’ll notice that people have solved a same challenge differently. You can pick up these techniques to use next time. This github page has organized write-ups from different CTFs Write-ups get posted on too. Stuff gets posted on securityCTF subreddit too

Here are some useful sites: