Defcon is one of the world's largest annual computer hacker conventions held in Las Vegas, Nevada every year. The document discusses how to participate in the Defcon Capture the Flag (CTF) competition, including criteria for qualification, past winners, and strategies for attacks during the competition. It also provides an overview of some sample challenges from previous CTF events, explaining the problems and approaches to solving them. Finally, it describes aspects of participating in the CTF at the Defcon event in Las Vegas such as the setup, disposition rules, and strategies for attacking other teams' servers to capture flags.
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
[2012 CodeEngn Conference 06] posquit0 - Defcon 20th : The way to go to Las Vegas
1. 박 병진 (Posquit0) | B10S / POSTECH CSE | 2012.07
Defcon 20th :
The way to go to Las Vegas
pbj92220@postech.ac.kr
http://hackcreative.org
www.CodeEngn.com
CodeEngn ReverseEngineering Conference
2. 1-1 Who
1-2 What
1 WTF is Defcon?
2 For Las Vegas
2-1 Criteria
2-2 How About This Year?
2-3 No Money?
3 Interesting Problems
3-1 So Easiness
3-2 So Bombness
3-3 So Funniness
3-4 So Mathness
3-5 So Puzzlingness
4 In Las Vegas
4-1 Waiting For You
4-2 Capture The Flag
4-3 Advanced Tips
4-4 Conclusions
목차
6. Defcon
WTF is Defcon?
What
One of the world’s largest annual computer hacker conventions
The dream of many hackers
Every year in Las Vegas, Nevada
I love girl, casino and Las Vegas !!
7. Defcon CTF (Capture The Flag)
WTF is Defcon?
What
The best known contest among several Defcon Contests.
CTP(Capture The Packet), Open CTF, and etc...
The most prestigious network attack and defense competition in the world
To be best of best !!
9. If you want to participate in CTF
For Las Vegas
Criteria
+ =
10. Last Winners
For Las Vegas
Criteria
1 The returning winners from last Defcon CTF
It is the hardest way, but I want to do this way... And you?
History of Capture the Flag
Winners
• DDTEK: 2009 - Present
• KENSHOTO: 2005 – 2008
• GHETTO HACKERS: 2002 - 2004
Organizers
DC Winner OS N (Teams)
16 Sk3wl0fr00t FreeBSD 8 Teams
17 Vedagodz FreeBSD 10 Teams
18 ACME Pharm FreeBSD + Debian 10 Teams
19 The European Nopsled Team FreeBSD 12 Teams
20 WOWHACKER-PLUS or KAIST GoN!?? ????? 20 Teams
11. The Other Winners
For Las Vegas
Criteria
8 Winning teams from other CTF events (in DC 20)
May be, it is also good way :D
Other CTF Contests (be qualified in DC 20)
• UCSB iCTF 2011
• CodeGate 2012
• NCCDC
• Hack In The Box 2012 Amsterdam
• Positive Hack Days 2012
• Nuit Du Hack 2012 CTF
• Defcon 19 Open CTF
• RuCTF 2011
12. Qualification
For Las Vegas
Criteria
10 teams pre-qualify online
It is normal and best way.
For 48 hours. No limit the number of team members.
Making union with another team may possibly be good choice :-)
13. Qualification (in DC 20)
For Las Vegas
Criteria
Fields
• Grab bag – Web, Network, Programming and etc.
• /urandom – Trivial, Crypto, Algorithm and etc.
• binary l33tness – Reverse Engineering
• Pwnables – Remote Exploits
• Forensics – Digital Forensics
Solved
Not Solved
Not Solved (Any teams)
Solving
Not Opened
Total Score
• 1500 * 5 = 7500 pts
15. Last Winners
For Las Vegas
How About
This Year? Defcon 19th CTF Winner - European Nopsled Team
Oh, handsome guys :D
16. The Other Winners
For Las Vegas
How About
This Year?
Years Contests Winner
2011 UCSB iCTF We_0wn_You
2012 CodeGate KAIST GoN
2012 NCCDC Team Hillarious
2012 Hack In The Box Amsterdam SiBears
2012 Positive Hack Days More Smoked Leet Chicken
2012 Nuit Du Hack HackerDom
2011 Defcon 19 Open CTF Team Vand
2011 RuCTF 0ldEur0pe
17. Qualification
For Las Vegas
How About
This Year?
9%
9%
9%
9%8%
8%
8%
8%
8%
8% 8%
8%
Hates Irony
PPP
侍
sutegoma2
Shellphish
TwoSixNine
European Nopsled Team
More Smoked Leet
Chicken
4%
5%
6%
14%
20%
19%
32%
More than 4000 pts 3000 ~ 3900 pts
2000 ~ 2900 pts 1000 ~ 1900 pts
500 ~ 900 pts 200 ~ 400 pts
100 pts
Total 303 Teams
18. Qualification
For Las Vegas
How About
This Year?
Rank Team Score
1 Hates Irony 4900 Qualified!
2 PPP 4800 Qualified!
3 侍 4400 Qualified!
4 sutegoma2 4400 Qualified!
5 Shellphish 4400 Qualified!
6 TwoSixNine 4400 Qualified!
7 European Nopsled Team 4200 DC 19 Winner!
8 More Smoked Leet Chicken 4100 Positive Hack Days Winner!
9 Our name sucks 4100 Qualified!
10 ACME Pharm 4100 Qualified!
11 WOWHACKER-PLUS 4100 Qualified!
12 Routards 3900 Qualified!
Only one team is Korean – WOWHACKER-PLUS
Come back as Defcon 20th CTF Winner :D
20. Defcon CTF Prizes
For Las Vegas
No Money?
No prizes, only honor !
It’s so cool contest :D
Defcon CTF Support
Only support two hotel room for 4 days, not airfares :-(
Not good...
21. Airfares, Hotel bills and etc ...
For Las Vegas
No Money?
If you are qualified, don’t worry about money :D
May be, it is also good way :D
Sponsors
There are many Security Vendors
They will be your sponsor!
26. Binary l33tness 200
Introduction
• Running on 140.197.217.155:18703
• ELF 32-bit LSB executable for FreeBSD 9.0, stripped
• Username : grease
• Hash Collision challenge
Interesting Problems
So Bombness
27. How to solve – I. Binary Patch
Interesting Problems
So Bombness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
Before the patch
28. How to solve – I. Binary Patch
Interesting Problems
So Bombness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
After
29. How to solve – II. Code Analyze (1)
Interesting Problems
So Bombness
Recv Passcode 4 Times
30. How to solve – II. Code Analyze (2)
Interesting Problems
So Bombness
Get Input Size & Two Input
31. How to solve – II. Code Analyze (3)
Interesting Problems
So Bombness
If has collision, success :D
32. How to solve – III. Approach (1)
Interesting Problems
So Bombness
Is it a known Hash Algorithm?
Then, it’s so easy :D
33. How to solve – III. Approach (2)
Interesting Problems
So Bombness
Enter to Hash Function
Unknown table :D
34. How to solve – III. Approach (3)
Interesting Problems
So Bombness
Google is GOD :D
Found !!
The Tangle Hash Function !!
35. How to solve – III. Approach (4)
Interesting Problems
So Bombness
<Untangled> DTU Mathematics, Technical University of Denmark
Tangle Hash Collision
Collision!!
36. How to solve – IV. Attack (1)
Interesting Problems
So Bombness
I used Python :D
Lovely Python !!
4 Passcode for
entering Main-routine
37. How to solve – IV. Attack (2)
Interesting Problems
So Bombness
I used Python :D
Lovely Python !!
Length: 40
Tangle Hash Collision :D
38. How to solve – V. Result
Interesting Problems
So Bombness
Go! Go! Go!
My Precious :D
43. How to solve
Interesting Problems
So Funniness
Brute force attack!
I know, you did it, haha
Steve Ballmer in Techno Developers!
Omg, is it True !?
44. How to solve
Interesting Problems
So Funniness
Brute force attack!
I know, you did it, haha
Steve Ballmer in Techno Developers!
Omg, is it True !?
Auth Key
46. Binary l33tness 400
Introduction
• No takebacks! Running on 140.197.217.239:11553
• ELF 64-bit LSB executable for FreeBSD 9.0, stripped
• Username : takeback
• Personally, the most interesting challenge
Interesting Problems
So Mathness
47. How to solve – I. Binary Patch
Interesting Problems
So Mathness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
Before the patch
48. How to solve – I. Binary Patch
Interesting Problems
So Mathness
For convenience, patch the SIGALARM code
I used Radare2 to fix binary.
After
49. How to solve – II. Code Analyze (1)
Interesting Problems
So Mathness
Recv Passcode 4 Times
I referenced SapHeads’s pseudo code :D
50. How to solve – II. Code Analyze (2)
Interesting Problems
So Mathness
Get Count for Big Loop
51. How to solve – II. Code Analyze (3)
Interesting Problems
So Mathness
Important Big Loop
52. How to solve – II. Code Analyze (4)
Interesting Problems
So Mathness
Small Loop
53. How to solve – II. Code Analyze (5)
Interesting Problems
So Mathness
If you success
54. How to solve – III. Approach (1)
Interesting Problems
So Mathness
How to satisfy the following conditions?
r14 is 64-bit register :D
55. How to solve – III. Approach (1)
Interesting Problems
So Mathness
r14 register must be 0xFFFFFFFFFFFFFFFF
All of the bits must be switched on.
56. How to solve – III. Approach (2)
Interesting Problems
So Mathness
How to set bits of the r14 register to 1?
One looping makes one of the bits to be 1
57. How to solve – III. Approach (3)
Interesting Problems
So Mathness
Count for Big Loop must be at least 64 :D
Pick 64 !!
58. How to solve – III. Approach (4)
Interesting Problems
So Mathness
We have two restrictions :-(
How can traversal all of the bits?
1st restriction:
Offset
59. How to solve – III. Approach (4)
Interesting Problems
So Mathness
We have two restrictions :-(
How can traversal all of the bits?
2nd restriction:
modulo 8
60. How to solve – III. Approach (5)
Interesting Problems
So Mathness
Shift is signed int type !!
Very G00D :D
61. How to solve – III. Approach (6)
Interesting Problems
So Mathness
What happen if shift is negative ?
Bye~ modulo 8 :D
Negative % 8 =
Negative
62. How to solve – III. Approach (6)
Interesting Problems
So Mathness
What happen if shift is negative ?
Bye~ modulo 8 :D
We can freely pick some offsets:
-15, -6, +10, +17
63. How to solve – III. Approach (7)
Interesting Problems
So Mathness
How to select a sequence of numbers?
Think mathematically :D
GCD(-15, 64)
= GCD(+17, 64)
= 1
= generators of additive modulo 64
{X + [n*(-15) or n*(+17)]} mod 64
can generate
[0 .. 63]
64. How to solve – IV. Attack (1)
Interesting Problems
So Mathness
I used Python :D
Lovely Python !!
4 Passcode for
entering Main-routine
65. How to solve – IV. Attack (2)
Interesting Problems
So Mathness
I used Python :D
Lovely Python !!
My Choice:
-15
66. How to solve – V. Result
Interesting Problems
So Mathness
Go! Go! Go!
My Precious :D
69. Grab Bag 300
Introduction
• This is semi-real. :-(
• 140.197.217.85:10435
• Password: 5fd78efc6620f6
Interesting Problems
So Puzzlingness
70. How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
71. How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
72. How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
73. How to solve – I. Analyze
Interesting Problems
So Puzzlingness
Same Positions :D
Timeout ...
74. How to solve – II. Approach
Interesting Problems
So Puzzlingness
Only 3 steps :D
Try it !!
Parsing
Number Table
Get
PIN Numbers
Calculate
Positions
75. How to solve – III. Attack (Demo)
Interesting Problems
So Puzzlingness
82. Defcon CTF (Capture The Flag)
In Las Vegas
Capture The Flag
This year, the 20 top qualifying teams are pitted against each other in an all out digital war
Last year, only 12 teams
Attack and defend custom services provided to each teams
It’s important
The Winning team will receive coveted Defcon Black Badges.
Hmm... Give me badge! lol
83. CTF Blueprint
In Las Vegas
Capture The Flag
Gateway
Team 2
Server
Team 1
Server
Team 3
Server
Auth
Server
Team 3
Team 2
Team 1
84. Defcon CTF Director & USB
In Las Vegas
Capture The Flag
Director provide USB for CTF
• root password
• Home Folder (vulnerable daemons)
• key, cert File for authentication
• readme
85. Defcon CTF Disposition
In Las Vegas
Capture The Flag
• Contest Room
• Lounge or Anywhere
Contest Room
Lounge or Anywhere
86. Defcon CTF Disposition
In Las Vegas
Capture The Flag
Contest Room
8 People
Lounge or Anywhere
• Contest Room – 8 Members
• Lounge or Anywhere – No limits :D
87. Defcon CTF Attack
In Las Vegas
Capture The Flag
Read Key
Steal information
Overwrite Key
Corrupt information
Keys are periodically updated by the contest organizers
Continue to attack
88. Defcon CTF Attack – Read Key
In Las Vegas
Capture The Flag
Read Other team’s ‘~/key’ file and auth it
Steal information
Team 1
Attacker
Team 2
Vulnerable Daemon
Auth
Server
Period : 600sPeriod : 600s
89. Defcon CTF Attack – Overwrite Key
In Las Vegas
Capture The Flag
Overwrite Other team’s ‘~/key’ file
Corrupt information
Team 1
Attacker
Team 2
Vulnerable Daemon
Period : 600sPeriod : 600s
Auth
Team1Key?
Auth
Team1Key?
Auth
Server
I don’t know
correctly :-(
I don’t know
correctly :-(
90. Defcon CTF Attack – Auth
In Las Vegas
Capture The Flag
How to auth?
• Using SSL (Secure Socket Layer)
• Files in USB for SSL
• server.cert
• team_X_key
• team_X_key.cert
93. Defcon CTF Defend
In Las Vegas
Capture The Flag
Patch daemon’s vulnerability
Don’t touch daemon’s service
Fix ‘/bin/’ permission
Prevent remote shell
94. Defcon CTF Defend – Binary Patch
In Las Vegas
Capture The Flag
Use Hex Editors, or etc.
010 Editors, WinHex, IDA, Radare2, etc.
Radare2 is Disassembler, Hex Editor, Dubugger, etc.
Posted on Phrack :D
95. Defcon CTF Defend – Binary Patch with Radare2 (1)
In Las Vegas
Capture The Flag
Open binary file with ‘-w’ option
‘-w’ : write mode
96. Defcon CTF Defend – Binary Patch with Radare2 (2)
In Las Vegas
Capture The Flag
Set address for edit
s : set address
97. Defcon CTF Defend – Binary Patch with Radare2 (3)
In Las Vegas
Capture The Flag
Analyze Function & Print Disassembled Function
af : Analyze function
pdf: Print disassembled function
98. Defcon CTF Defend – Binary Patch with Radare2 (4)
In Las Vegas
Capture The Flag
Enter to Visual Mode -> Look like VIM Editor
V : Visual Mode
h, j, k, l : Scroll key
99. Defcon CTF Defend – Binary Patch with Radare2 (5)
In Las Vegas
Capture The Flag
Change Disassemble Mode : input ‘p’ for changing View-mode
p : Change view mode
100. Defcon CTF Defend – Binary Patch with Radare2 (6)
In Las Vegas
Capture The Flag
Search a position for patch using cursor : input ‘c’ for enabling cusror
c : Enable cursor
101. Defcon CTF Defend – Binary Patch with Radare2 (7)
In Las Vegas
Capture The Flag
Edit Code : input ‘w’ for hex or ‘a’ for assembled opcode
w : Change code with hex value
a : Change code with assembled opcode
102. Defcon CTF Defend – Binary Patch with Radare2 (8)
In Las Vegas
Capture The Flag
Patched :D
103. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
• Each daemon has 100 points
• For a given attacker, V – victim, S – service,
The attacker’s partial score for the service =
their percentage (0-100) of all keys stolen from V via service S
• Overwrite is also same
104. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 10 times 10 pts
Team3 40 times 40 pts
Team4 20 times 20 pts
Team5 30 times 30 pts
105. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 2 times 100 pts
Team3 0 times 0 pts
Team4 0 times 0 pts
Team5 0 times 0 pts
106. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
Team 3
Attacker
Team 4
Attacker
Team 5
Attacker
Team Auth Score
Team1 3 times 75 pts
Team3 1 times 25 pts
Team4 0 times 0 pts
Team5 0 times 0 pts
107. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
AttackAttack
Team Auth Score
Team1 1 times for each 1900 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
108. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
AttackAttack
Team Auth Score
Team1 1 times for each 3800 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
Read & Overwrite
109. Defcon CTF Scoring
In Las Vegas
Capture The Flag
How to calculate
Attack : steal or overwrite key
Team 2
Vulnerable Daemon
Team 1
Attacker
AttackAttack
Team Auth Score
Team1 1 times for each 3800 pts
AttackAttack
Total 19 Teams
Breakthrough !!
Team 20
Vulnerable Daemon
Read & Overwrite
110. Defcon CTF Scoring
In Las Vegas
Capture The Flag
+ =
Total Score
• Sum(Steals Score + Defaces Score) * SLA
• SLA - Service Level Availability
• SLA = Average number of daemons running (cumulative)
= Sum(number of daemons running) / Sum(number of daemons)
111. Defcon CTF Scoring
In Las Vegas
Capture The Flag
VIP (Very Important Points)
• Breakthrough
• SLA(ServiceLevelAvailability)–NoShutdown!
113. Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server
(running
daemons)
Team Server
(running
daemons)
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Laptop for
Server
Laptop for
Server
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
114. Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server
(running
daemons)
Team Server
(running
daemons)
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Laptop for
Server
Laptop for
Server
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Route for Attack
Connected to
other teams
Connected to
other teams
115. Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server
(running
daemons)
Team Server
(running
daemons)
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Laptop for
Server
Laptop for
Server
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Route for Defend
Connected to
other teams
Connected to
other teams
116. Network Setting
In Las Vegas
Advanced Tips
Dummy HubDummy Hub
Team Server
(running
daemons)
Team Server
(running
daemons)
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Laptop for
Server
Laptop for
Server
Member’s LaptopsMember’s Laptops
Provided
Must Prepare
Connected to
other teams
Connected to
other teams
Masquerading (Packet capture)
Routing (Use both Internet & Intranet)
Masquerading (Packet capture)
Routing (Use both Internet & Intranet)
VM Server (FreeBSD)
Web Server (Share Information)
IRC Server (Chat with members)
VPN Server (For other members)
VM Server (FreeBSD)
Web Server (Share Information)
IRC Server (Chat with members)
VPN Server (For other members)
Wireless InternetWireless Internet
117. Masquerading (Packet Capture)
In Las Vegas
Advanced Tips
Capture the incoming attack packet of the other team
Repeat the other team’s payload against enemy
Capture the outgoing packet that includes key
Modify key in the packet or Drop the packet
Team Server
(running
daemons)
Team Server
(running
daemons)
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Capturing Packet
118. Disposition for Efficiency
In Las Vegas
Advanced Tips
Server Manager (1), Network Manager (2), Global Hogu Finder (1),
Exploit Manager (1), Reverser & Exploiter (∞)
Global Hogu Finder is very very important :D
Contest Room
Lounge or Anywhere
Position N
Server Manager 1
Network Manager 2
Global Hogu Finder 1
Reverser & Exploiter 3
Exploit Manager 1
Total 8
Position N
Reverser & Exploiter ∞
Total ∞
119. Positions – Server Manager
In Las Vegas
Advanced Tips
Team Server is only managed by Server Manager
Important position :D
Test daemon’s services
For high SLA (Service Level Availability)
Manage Daemon’s version
Change daemon, set version
Ex. tomato -> tomato.1
120. Positions – Network Manager
In Las Vegas
Advanced Tips
Capture & Filter incoming packets Team, Share to other members
Very Important :D
Drop or Modify outgoing packet that contains key
Depend !
Manage Web Server, IRC Server, VPN Server, Masquerading Server
Once in a while, Check Server Log
121. Positions – Global Hogu Finder
In Las Vegas
Advanced Tips
Social Hacking the other team’s member ?
If you can :D
Analyze the other team’s server environments
Hacking other team’s server or labtop
Brute Forcing or Guessing Password for the other team’s daemon server
Get root, then you can read all of the keys.
122. Positions – Exploit Manager
In Las Vegas
Advanced Tips
Manage exploit codes from other members
Is it works correctly?
Modify exploit codes on the other team’s situations
Different from all the team's defense
Authenticate to Auth-Server
Get Points :D
123. Positions – Reverser & Exploiter
In Las Vegas
Advanced Tips
Find Vulnerabilities in Daemons
Mostly, BOF or FSB vulnerabilities :D
Patch Vulnerability & Give to Server Manager
As soon as possible
Analyze the other team’s packet and Get their payload
Lovely :D
Programming Exploit Code & Give to Exploit Manager
Pwn! Pwn! Pwn! HolyPwner !
124. Shellcode
In Las Vegas
Advanced Tips
Reverse Shellcode
Fork process
Open Socket & Connect to listening server
dup2 about stdin, stdout and stderr
execve ‘/bin/sh’
Read Key Shellcode
Open the key file
Read the key
Write the key to socket
Write Key Shellcode
Open the key file
Write auth key to key file
Read & Write Key Shellcode
Open the key file
Read the key
Write auth key to key file
Write the key to socket
125. Shellcode – Read Key Shellcode
In Las Vegas
Advanced Tips
Read Key Shellcode Example
Should be made shellcode to suit the situation
126. Shellcode
In Las Vegas
Advanced Tips
If enemy do masquerading
OMG ...?
EnemyEnemy
Laptop for
masquerading
Laptop for
masquerading
GatewayGateway
Drop or Modify Packet
My TeamMy Team
127. Shellcode
In Las Vegas
Advanced Tips
How to avoid Masquerading?
• Shellcode Encryption
• Packing
• Obfuscating
• …
• Key Encryption
• XOR (Very easy and convenient)
• ROT
• …
128. Shellcode – Read XOR Key Shell Code
In Las Vegas
Advanced Tips
XOR Key Encryption Shellcode Example
Also, should be XOR operation on the server side
129. Shellcode
In Las Vegas
Advanced Tips
How to avoid Repeating my payload?
• Read Key using UDP Shellcode
• Staged loading Shellcode
• …
130. Shellcode – Staged Loading Shellcode
In Las Vegas
Advanced Tips
Why use Multi-Stage Loading Shellcode?
• Small buffer for Shellcode
• Avoid Masquerading
• Avoid repeating payload
• Excute Binary File using binary loader
• …
131. Shellcode – Staged Loading Shellcode (1)
In Las Vegas
Advanced Tips
Stage 1 – minimum shellcode for connection
• must be small
• free of NULLs
• new connection and read additional data
• jumps to the data and execute it
Vulnerable
Daemon
Payload LoaderPayload Loader
Attacker
132. Shellcode – Staged Loading Shellcode (1)
In Las Vegas
Advanced Tips
Stage 2 – Payload to execute
• Other Shellcodes
• Read Key Shellcode
• Reverse Connection Shellcode
• ...
Vulnerable
Daemon
Payload LoaderPayload Loader
Attacker
New Connection
&
Read Payload
New Connection
&
Read Payload
PayloadPayload
133. Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 1 – minimum shellcode for connection
• must be small
• free of NULLs
• new connection and read additional data
• jumps to the data and execute it
Vulnerable
Daemon
Attacker
Payload LoaderPayload Loader
134. Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 2 – Binary Loader for executing binary
Vulnerable
Daemon
Attacker
Payload LoaderPayload Loader
New Connection
&
Read Payload
New Connection
&
Read Payload
Binary LoaderBinary Loader
135. Shellcode – Staged Loading Shellcode (2)
In Las Vegas
Advanced Tips
Stage 3 – Executable Binary for executing on Binary Loader
Vulnerable
Daemon
Payload LoaderPayload Loader
Attacker
New Connection
&
Read Payload
New Connection
&
Read Payload
Binary LoaderBinary Loader
Read DataRead Data
Executable BinaryExecutable Binary
138. Look at the big picture :D
There are many things to cheat other teams
Attack is not only way to be winner
In Las Vegas
Conclusions
139. I wanna see the result below :D !!!
Participate Defcon CTF Qualification, and Go to Las Vegas !!
In Las Vegas
Conclusions
Rank Team Score
1 KimchiMan 7900 Qualified!
2 Since1999 7800 Qualified!
3 Unji 7400 Qualified!
4 Little H4ma 7400 Qualified!
5 Phantom: Secret between 0 and 1 7400 Qualified!
6 Be5t of B3st 7400 Qualified!
7 SW M4e5tro 7200 Qualified!
8 H4nGukSaRam 7100 Qualified!
9 H4des 7100 Qualified!
10 RolyPoly 7100 Qualified!