Computer security CTFs seem to thrive in a fascinatingly near-professionalized space impermeated with high-tempo music and flashy visualizations. International teams fly across the world competing in dozens of contests every year for a chance to enter the de facto Cybersecurity Olympics at DEFCON. On the other hand, game environments (hardware, operating systems, rules) are intentionally kept secret and half the qualifying contests involve a fundamentally different type of competition (Jeopardy vs Attack-Defend). Top teams develop complex internal tool suites for Exploit Throwing, Flag Submission, Defensive Countermeasures, Service Patching, Network Superiority, Situational Awareness, and other familiar terms. Top teams then pray the game environment lottery doesn't render them all defunct.

The U.S. Chamber of Commerce created a metric in 2014 called the Regulatory Climate Index which aims to provide a single number summarizing the vast complexity of creating and operating a small business as it relates to government bureaucracy. Unfortunately, the detailed information and massaging required to produce the RCI restricts comprehensive data to several select cities.

The U.S. Census provides an overwhelming volume of surprisingly detailed data across the United States economy (among other sectors). I recently had the opportunity to work with some of the economic indicators, but found the data frequently inaccessible due to formatting and sheer volume (seriously, they make a TON of data available). Further discussion with several economically focused colleagues invited the creation of an interactive visualization on the Business Dynamic Statistics: Firm Statistics data set. These statistics present business creation and destruction on a state-by-state from 1977-2013.

Click to explore

Sudoku is a well-known puzzle involving a 9x9 grid filled with the digits 1-9 such that no row, column, or 3x3 subgrid contains any repeats. A Sudoku solver is a targeted constraint satisfiability solver (similar to boolean SAT solvers). In particular, such a solver relies heavily upon constraint propagation to identify solutions for every stage of the board. A board may be viewed as a grid of "solved" numbers and "potential" numbers for each position. At the start, every position is either "solved" (provided by the initial puzzle) or has the full range of digits (1-9) potentially available. The "solved" numbers are then iterated over to constrain the "potential" value of every position in the same row, column, or square. Any positions with only "potential" solution are then marked "solved" with the remaining number and the process is repeated. For example, the middle-most position is constrained in-row by [1,3,4,8], in-column [1,2,6,7,8,9], and in-square by [2,3,6,8] which leaves a potential set of [5].

Securely transferring files to a potentially compromised virtual machine is a well-known pain in the security community. Shared folders require guest additions, but historically that introduces virtual machine escape vulnerabilities. Host-only networking avoids that problem, but allows the virtual machine to attack the host more traditionally. Fortunately, there's a simple way to introduce files without either issue.

mkisofs -o filename.iso /path/to/dir

Add filename.iso as a cdrom image to the VM and enjoy secure file transfers without the extra attack surface.

The marathon development sessions leading up to DEFCON are complete and the CTF has closed for another year, although LegitBS has yet to release final scores. This blog has also had an overhaul of backend technologies to be discussed in a future update.

LegitBS recently announced that RuCTFE 2014 would be a pre-qualifier for the DEFCON 2015 CTF. We've previously competed in their sister competition, RuCTF, which was always a blast - so this should be great. In preparation for their 2014 CTF, let's take a look at one of last year's services.

As with most Attack-Defend CTFs, RuCTFE gives each team a set of services. Teams need to secure their services to maintain high Service-Levels and exploit vulnerabilities in other team's services to collect points. RuCTFE 2013 accomplished this with 3 virtual machines (Ubuntu OpenvPN Router, Ubuntu Access Point, and ArchLinux Hosting Server). Finding last year's Hosting Server was a bit of a pain - so we've mirrored them here.

Cryptoboard was a straight-forward service; users connect to the server and pass it commands to store/retrieve keys. The gotcha is that "get" requires a hash of the original data and "list" only sends a list of ID:EncryptedData. Fortunately, the decrypt function uses Cipher Block Chaining and fails differently with bad padding which makes for a trivial Padding Oracle Attack. Academic papers often leave these attacks difficult to conceptualize, but Ron Bowes wrote two excellent articles summarizing the details and even doing an example by hand. If you're at all unfamiliar with a Padding Oracle Attack, reading through those two links should really help.

Challenge Text

Before sleeping, wooyaggo always read weird articles from internet. All you got is some binaries(not perfect) and network traffic from following command.

wooyaggo@genius_anncc:~$ python pillow_reader.pyc 10.0.8.24 5151 "secret" [AdminKey]

Follow instructions in the "secret" to get a flag.

Opening up the pcap shows a partially encrypted conversation:

Welcome to Pillow Reader. Here are some articles from online.
0x5cb94b9d25716136c6b880bf791f743ecfdf5a383b3aa27093c1673599cbd8a1c160e4a06f777c5b163f0fec50405944d9764bed8c7dd9eb19abc1225b322ed
0x86e05276d3c364cd6157e23cd972e0a662dff9ebf9ade83eae022c292c767bcd6cf528c7f6ae98af2f7811d99c9e45e7e4e6f1b9841aabf89a84dd0673099b61
binascii.unhexlify('1f59856dbbbe90995cf94975afd94dcf46bf2d16d8b8a3754685d3eb3765d6918462378a2f7e948182e84a857a25be057a122e9d65e32fb01a984f442e781fa02e8a4d2728b1a4c3ea3905aa95ab9fba7b7dfa3b39116d49c10d161725aa0beeac18b7a2a9c9d55a0bf6f1a2b2ca903eb15086995b2f77d77d3f01678708ee60')
binascii.unhexlify('1b40e26d29d5e296c23591064d98817ecc81ccae71eb8f3bcd1a5874e25f333e42dbeb4f1d8ecb94697b641e4a8e8037c14d24c0fcb52b0ed4694b23395efc4ca93c9ccb97ccfbb56a3ed931f9d269cb2494df411122bb99b42fc5393fba1140916946c2b381f4bf5677f23b630ef9a5e5915029c7124e683a71f0edea149')

Challenge Text

Although it seems like The Plague's messaging service is secure, there are bound to be bugs in any 20th century crypto system. We've recovered a version of the block cipher The Plague implemented. Use their online encryptor tool, at 54.82.75.29:8193, to break the cipher and figure out Plague's secret plans.

This was a really great challenge that required some extensive thinking to solve, but tackled some very interesting issues in cryptography. Normally on a CTF, I immediately dive into talking with the service before reading it's source code (when available). So let's jack in:

nc -vv 54.82.75.29 8193
Connection to 54.82.75.29 8193 port [tcp/*] succeeded!
We would first like some proof of work.
Send us a string starting with n7WzSynCCN5X5q7p, of length 21, such that its sha1 sum ends in ffffff
> no
Invalid proof of work!

Challenge Text

The Plague seems obsessed with internet memes, though we don't yet know why. Perhaps there is a clue to what he's up to on this server (epilepsy warning). If only you could break in.... Here is some of the source.

Reekee was a nice chance to explore and exploit a Django application. As the challenge suggests, the source code was provided (mirrored here). The webpage essentially just hosts user's content ("memes") for them to later peruse; typically a rich source for Path Traversal, File Inclusions, or (in the case of Django) Deserialization vulnerabilities.

A quick scan of views.py shows multiple instances of accessing "/tmp/memes/"+username (a potential path traversal vulnerability), but the register function explicitly blacklists ["..","/"]. These sorts of blacklists are notoriously easy to circumvent and are normally a great source for closer investigation. The function immediately after register contains an even worse vulnerability though that skips the need to dig into that risky code.

Part of a recent project involved sending HTTP connections over non-standard transportation networks. The problem is that all the usual offenders (urllib2, Requests, etc) don't provide an interface to either wrap the connection or extract the final product - but this is Python; we can monkeypatch it! The first step was figuring out how urllib2 requests actually get sent to a socket...

# urllib2 module
class AbstractHTTPHandler(BaseHandler):
    def do_open(self, http_class, req):
        h = http_class(host, timeout=req.timeout) # will parse host:port
        try:
            h.request(req.get_method(), req.get_selector(), req.data, headers)
        except socket.error, err: # XXX what error?
            raise URLError(err)

class HTTPHandler(AbstractHTTPHandler):
    def http_open(self, req):
        return self.do_open(httplib.HTTPConnection, req)
    http_request = AbstractHTTPHandler.do_request_

# httplib module
class HTTPConnection:
    def request(self, method, url, body=None, headers={}):
        """Send a complete request to the server."""
        self._send_request(method, url, body, headers)
    def _send_request(self, method, url, body, headers):
        if body is not None and 'content-length' not in header_names:
            self._set_content_length(body)
        for hdr, value in headers.iteritems():
            self.putheader(hdr, value)
        self.endheaders(body)
    def endheaders(self, message_body=None):
        """Indicate that the last header line has been sent to the server."""
        self._send_output(message_body)
    def _send_output(self, message_body=None):
        """Send the currently buffered request and clear the buffer."""
        self.send(msg)

Challenge Text

The Plague is using his tremendous talent for web applications to build social websites that will get bought out for billions of dollars. If you can stop his climb to power now by showing how insecure this site really is, (on IPv6 at 2001:470:8:f7d::1) maybe we will be able to stop his future reign of terror. Here's some of his source.

As the challenge says this is a web-based problem which provides source code and an IPv6 red herring. A quick review of the source code reviews two potential SQLi vulnerability in the password reset mechanism...

  elseif (isset($_POST["reset"])) {
    $q = mysql_query(sprintf("select username,email,id from users where username='%s'", mysql_real_escape_string($_POST["name"])));
    $res = mysql_fetch_object($q);
    $pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8));
    if ($res) {
      echo sprintf("<p>Don't worry %s, we're emailing you a new password at %s</p>", $res->username,$res->email);
      echo sprintf("<p>If you are not %s, we'll tell them something fishy is going on!</p>", $res->username);
      $details = gethostbyaddr($_SERVER['REMOTE_ADDR']).print_r(dns_get_record(gethostbyaddr($_SERVER['REMOTE_ADDR'])),true);
      mail($res->email,"whatscat password reset",$message.$details,"From: whatscat@whatscat.cat\r\n");
      mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'",$pwnew,$details,$res->username));
    }

This was one of the very interesting challenges brought back for us from the Codegate Finals - sans challenge text. Using a php vuln, a copy of the source code was acquired - here's the relevant piece

<form method=get action="index.php"><div><h1>Login</h1>
ID <input type=text name=id> PW <input type=text name=pw> <input type=submit value='Submit'> <input type=button onclick=location.href='index.phps' value='Source'>
</form>
<?php
$q=@mysql_fetch_array(mysql_query("select id,pw from mem where id='$_GET[id]'"));

if($_GET['id'] && $_GET['pw'])
{
    if(!$q['id']) exit();
    if(md5($q['id'])==md5($_GET['id']))
    {
        echo("<br>hi! ".htmlspecialchars($q['id'])."<br><br>");
        $q['pw']=trim($q['pw']);
        $_GET['pw']=trim($_GET['pw']);
        if(!$q['pw']) exit();
        if($q['pw']==md5($_GET['pw'])) { echo("<p class=msg>Password is ????</p>"); }
        else { echo("<p class=error>Wrong pw</p>"); }
    }
}
?></div>

Challenge Text

H4x0r is making a new website and has decided to give you beta access! Head over here to register. Flag format: md5_string
http://backdoor.cognizance.org.in/problems/web300/register.php

This was an interesting challenge due to a nice trick for detecting automated tools - see below

$ curl 'http://backdoor.cognizance.org.in/problems/web300/register.php'

<html>
<head>
  <title>Register Here</title>
</head>
<body>
  <h3 class="text-center">Register Now!</h3>
  <form action="./register.php" method="POST">
    <input type="text" name="username" placeholder="Select Username"><br>
    <input type="password" name="password" placeholder="Select Password"><br><br>
    <input type="submit" value="Register">
  </form>
</body>

Challenge Text

Markdown to HTML Convertor

Our special markdown convertor supports yaml-frontmatter and underscore style templating.
https://backdoor-web250.herokuapp.com/

This problem is almost identical to another BackdoorCTF web100 challenge and also povides its source code.

curl 'https://backdoor-web250.herokuapp.com/'

<html>
    <head>
        <title>Markdown to HTML Convertor</title>
        <style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
    </head>
    <body>
        <h1>Markdown to HTML Convertor</h1>
        <form action="/convert" method="POST">
            <p>Our special markdown convertor supports yaml-frontmatter and underscore style templating.</p>
            <textarea name="markdown" rows="30" cols="70" placeholder="Enter markdown here">...</textarea>
            <br>
            <input type="submit" value="Convert!">
        </form>
        <p>Source code for this is available at https://github.com/backdoor-ctf/web250</p>
    </body>
</html>

In this problem, the challenge text just provided us a URL to the page, https://backdoor-web100.herokuapp.com/, which linked us to the source code on github.

curl 'https://backdoor-web100.herokuapp.com/'

<html>
    <head>
        <title>Underscore Template Tester</title>
        <style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
    </head>
    <body>
        <h1>Underscore Template Tester</h1>
        <form action="/templatize" method="POST">
            <p>This app takes in JSON data and a template and mashes them together using underscore.js</p>
            <textarea name="json" rows="10" cols="30" placeholder="Enter JSON data">{"package":"underscore_test","version": "2.9.12"}</textarea>
            <br>
            <textarea name="template" rows="10" cols="30" placeholder="Enter your template here">The name of the package is <%=package%> and its version is <%=version%></textarea>
            <br>
            <input type="submit" value="Convert!">
        </form><br>
        <p>Source code for this is available at https://github.com/backdoor-ctf/web100</p>
    </body>
</html>

Challenge Text

H4x0r, tired of his hacking attempts is hosting a simple contest to rate the images of every user. Head on here to take part in the contest and impress him. http://backdoor.cognizance.org.in/problems/web100-1/submit.php

This challenge involved a pretty straight-forward web service which leaked referrer information. Here's the landing page:

$ curl 'http://backdoor.cognizance.org.in/problems/web100-1/submit.php'

<html><head>
  <title>Upload Image</title>
</head>
<body>
  <h3>Give the link for your profile picture</h3>
  <form action="./submit.php" method="POST">
    <input name="url" placeholder="Enter link" type="url"><br>
    <input value="Submit" type="submit">
  </form>
</body></html>

Challenge Text

In this era, block ciphers hadn't even been invented. The Plague created this system based on problems he knew to be NP hard, but there must be something you can do to decode his messages.

Encrypts a message using super secure, NP-hard graph stuff.

Encryption works like this: take a graph, split your message up into
N numbers, such that the sum of all the numbers is equal to your message.
Assign each vertex to one of these N numbers.

Then ciphertext[v] is the sum of v's N, and all of the N's from v's neighbors

This Defcon 16 (2008) challenge came without flavor text, just a binary in need of some remote code execution. A quick check w/ file and checksec show a 32-bit FreeBSD binary with symbols. That never happens! We'll take advantage of that pretty soon!

$ file kryptod
kryptod: ELF 32-bit LSB  executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 6.3, not stripped

$ checksec.sh --file kryptod
RELRO		STACK CANARY	NX		PIE	RPATH		RUNPATH		FILE
No RELRO	No canary found	NX enabled	No PIE	No RPATH	No RUNPATH	kryptod

$ ldd kryptod
kryptod:
	libcrypto.so.4 => /lib/libcrypto.so.4 (0x2806a000)
	libc.so.6 => /lib/libc.so.6 (0x281f5000)

...and it looks like some crypto!

Challenge Text

The Plague is running a betting service to build up funds for his massive empire. Can you figure out a way to beat the house? The service is running at 54.197.195.247:4321.

This was a great challenge that demonstrated just how thoroughly and completely researchers have broken MD5. The challenge is to make bets at a cryptographic gambling house to win a billion dollar. That's pretty straight-forward, so let's dig into the details a little bit.

Assume an arbitrary sized buffer of arbitrary data, how should the length be encoded? Is it small (<256)? Prepend with an 8-bit length field! Will it always be below 16,000? A 16-bit field should suffice. What about 4 billion? 32-bits then. What if we start combining transmissions though? We better be safe and use 64-bits (18 billion billion), but now we're using 8x more space per number. Someone also noted the normal case would have a lot of 0-bytes in each size field providing easier cryptanalysis, but you did remember to compress THEN encrypt, right? Deciding how many bytes to use to describe a field is always a tradeoff between flexibility (large numbers) and resource constraints (small representations). What if we made the length field arbitrary size too?

Smart folks have looked at this problem and found many ways to represent Variable-Length quantities, including 645,000 patents. elicarter (via retracile.net) provided a sample implementation and a good decription of the problem including the risk of non-unique representations. Taking a similar tack, we've developed simple C/C++ and python encoder/decoders to tackle the problem.

One of Python's best kept secrets is the ability to regain an interactive console in the middle of non-interactive code. Using code.interact, we've saved thousands of development hours by instantly checking assumptions and playing with data in ways logging just can't match. It's been particularly effective inside error handling routines to quickly identify what went wrong and develop a fix on the spot. Here's what we've been using:

def interactiveShell(local, banner='interactive shell'):
    import code
    local = dict(globals(),**local) if local else globals()
    code.interact(banner,local=local)

The previous article addressed working around Exclusive File Locks in Windows XP by directly accessing a target's in-memory file handle. This quick solution meant minimal development time and immediate results, but also guaranteed periodic crashes due to the potential race condition. Specifically, we couldn't ensure the application didn't read or write while we were reading/writing with its file handle.

As recap from last article, .NET System.IO.File.Open opens files exclusively locks by default. This has made a lot of people very angry and been widely regarded as a bad move. We previously presented three routes to workaround the problem, relisted below,  but today we'll take option 1 and go beneath the Exclusive Lock to access our data.

1. Ignore the lock via raw disk access
2. Ignore the lock via custom kernel driver
3. Borrow the exclusively locked file handle

By default, .NET System.IO.File.Open exclusively opens and NO_SHARE locks files. While not regularly a problem for developers, this can frustrate interested parties down the line, and here we are. There are essentially three ways to get around an exclusive file lock and they all suck.

1. Ignore the lock via raw disk access
   

This solution sucks; writing raw disk access applications requires substantial development overhead and brings an entire universe of gotchas with it. The Win32 API provides access to this option via CreateFile on an MS-DOS device name [technically, it returns a Direct Access Storage Device handle usable by DeviceIoControl and standard Win32 APIs like WriteFile]. Note: 2008/Vista+ restrict direct disk access

2. Ignore the lock via custom kernel driver

This approach sucks less, but writing an entire kernel driver as a workaround  to an exclusive lock sucks, not to mention security implications or signing requirements. That said, Eldos apparently recognized this problem and provide a commercial solution, RawDisk, which doesn't look terrible.

3. Borrow the exclusively locked file handle

How much this approach sucks depends on the operating environment. A truly generic solution is extremely difficult and will probably flag antivirus someday. A highly specific solution can be quick and pretty easy, but any changes in the program/environment risk breakage.

Minification helps developers protect their intellectual property and reduce bandwidth, but gets in the way of finding high-quality XSS or other-code-injection holes like indirect evals off XmlHttpRequests. This article adds a new hammer to the toolbox to assist against the problem; an integrated HTTP/HTTPS proxy (w/o ssl strip), inline beautifier, and local caching.

Usage:

$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
$ #add browser CA (Firefox: Preferences -> Advanced -> Encryption -> View Certificates -> Import -> Trust CA to identify websites
$ #set browser proxy (Firefox: Preferences -> Advanced -> Network -> Settings -> Manual Proxy -> HTTP Proxy 127.0.0.1 Port 8080
$ python proxy.py 8080 mycert.cert

A DLL proxy stands in for, or interfaces to, a normal DLL. In security, these tend to be custom-made DLLs which reimplement key functionality of application or system DLLs. They might do so to enhance games (DirectX overlay), cheat at games (Direct3D proxy), subvert the browser (IE proxy), or just gain execution (Fax Malware). As the interaction between callee and caller, in practice, relies on assembly-level calls; building a DLL proxy tends to be a highly specialized task.

Some folks have generously made publicly available ones though, such as Michael Chourdakis. These make it a lot easier to make a DLL proxy! They don't make it much easier to actually Man-in-the-Middle (MITM) individual calls though. The latter requirement tends to be much more challenging. This DLL proxy generator provides a mirror copy of exports with scaffolding to mitm calls in, and results from, the original DLL.

Usage:

$ python dllproxy.py
usage: dllproxy.py <TargetDLL> <ProxyFileBase> [<TargetFunctions>]
$ python dllproxy.py inetcfg.dll InetProxy InetSetProxy ConfigureSystemForInternet

A friend of mine, enthralled with her new tablet, took to scanning each of the books in my little library. The app takes a snapshot of the ISBN and looks up the book online to get all the other details (author, title, category, etc). I figured that, given a huge CSV, it'd be an interesting experiment to figure out how much all my books were worth - were I to get market price for them, today.

Usage:

$ #acquire .csv of books w/ 4th element being ISBN
$ #fill AWS account credentials into AmazonLookup.py
$ python AmazonLookup.py

When cloning a Linux virtual machine, reinitializing the MAC address renames the network interfaces. For example, "eth0" stops referencing a valid device and "eth1" now references the first ethernet device. This doesn't work well with clones though; I like reinitializing MAC addresses for concurrency, but I dislike new names and particularly dislike waiting 120+ seconds for "new" interfaces to "start".

Legal precedents oft lead down weird paths.

Greene v. McElroy essentially forced due process upon the DoD when adjudicating access / security clearances. The Defense Office of Hearings and Appeals now handles all those adjudications and even publishes them online, but they're difficult to search in any comprehensive manner.

Others have recognized this problem in the past and at least one person, Dino Beslagic, has made a much better interfaces. Unfortunately, one of the questions I wished to ask (how prolific are several clearance-specialized lawyers) wasn't possible at that time. That seemed readily resolvable and provided an excuse to play with Rails, an old itch I've been meaning to scratch. And here's the result: it isn't particularly pretty, but does expose a fairly thorough [if syntactically limited] search interface.

DOHA Search

Phuby was introduced to an unsuspecting world by two programmers back in 2009. This has made a lot of people very angry and been widely regarded as a bad move. The developers do a great job explaining why, but as they point out the product is engineered quite well. The GoSmart Clip fills a similar niche; a driving companion that makes txting behind the wheel a snap! So inspired, my friends and I stumbled upon a similarly counter-productive, useless, yet programmatically interesting project (thanks Kurt). Thus was the Ping Filesystem born. PingFS is like holding up the clouds by swatting the rain back up.

PingFS is a set of python scripts which, in Linux, provide virtual disk storage on the network. Each file is broken up into 64-1024 byte blocks, sent over the wire in an ICMP echo request, and promptly erased from memory. Each time the server sends back your bundle of joy, PingFS recognizes its data and sends another gift [the data]. Download at the bottom of the page.

Usage:
[drop all the files in one directory (via unzip or individual download)]

# mkdir mount_dir/
# python ping_fuse.py mount_dir
# ls mount_dir
# echo cats > mount_dir/reddit
# cat mount_dir/reddit