陳仲寬 (bletchley)
Outline
Introduction to BambooFox
How we approached the challenges
CTF review and improvements
BambooFox's future goals
A long, long time ago
DSNS vs SQLab
A lab specializing in attack
A lab specializing in security defense
Facing formidable opponents
World-class CTF teams took part:
PPP
Dragon Sector
9447
Blue-lotus
Oops
More Smoked Leet Chicken
...
BambooFox
BambooFox = SQLab ∪ DSNSLab ∪ CSCC ∪ some friends
SQLab: Software Quality Lab
DSNSLab: Network Security Lab
CSCC: NCTU Computer Science department computer center
Each group has different expertise, so they complement each other
Lessons from the challenges
Time is limited, so this talk covers only some of the challenges
The member named on each challenge is the one who provided that content
Every challenge was solved by several members working together, and all of them contributed substantially
Everyone was busy solving, so there are not many photos in this deck...
We plan to compile writeups for everyone's reference
Communication platform
Trello + Skype
No artificial intelligence, just plenty of manual labor
Maze, Puzzle
Sometimes a challenge has many edge cases, and writing a program is not necessarily faster
Maze: the transmission contained some special characters that interfered with parsing
Members without much of a security background can start with these challenges
Use telnet connection to play a maze game
The whole maze map is actually a 91x91 QR code
To find the flag, we need to walk through all the places, record them and show them on the screen
By computer?
By hand?
Maze
Maze - by hand
Why not just do it by hand :D
With pictures:
- easy to convert into a real QR code
- need to be very focused
With words:
- can mark some routes while solving
- hard to decode with a QR code reader
Puzzle
Found the original image to compare against; the image contents were no different
Wiki
Turned to analyzing the header and found JFXX * 100
Extracted the images embedded in the JFXX segments
Write simple tools to make things easy
If you want to try, click this link
http://people.cs.nctu.edu.tw/~chhhsu/puzzle/
24
Python's ** (exponentiation) and // (floor division)
Any number can be prefixed with - to make it negative
Permutations
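A brute-force solver for the 24 challenge along the lines just described (permutations of the numbers, Python's binary operators including ** and //, optional negation, every bracketing); this is an added example, not the team's tool, and it assumes the usual 24 rules of using every number exactly once.

```python
from fractions import Fraction
from itertools import permutations, product
import re

OPS = ("+", "-", "*", "/", "**", "//")   # the Python operators the slide mentions
MAX_ABS = 10 ** 6                        # cap intermediates so ** cannot explode

def apply(op, a, b):
    """Apply one Python operator to two Fractions; None if undefined or capped."""
    if op == "+": return a + b
    if op == "-": return a - b
    if op == "*": return a * b
    if op == "/": return a / b if b else None
    if op == "//": return Fraction(a // b) if b else None
    # ** : only small integer exponents keep the result exact and bounded
    if b.denominator != 1 or abs(b) > 20 or (a == 0 and b < 0):
        return None
    return a ** int(b)

def exprs(terms):
    """Yield (value, text) for every bracketing and operator choice over terms, in order."""
    if len(terms) == 1:
        yield terms[0]
        return
    for i in range(1, len(terms)):
        for lv, lt in exprs(terms[:i]):
            for rv, rt in exprs(terms[i:]):
                for op in OPS:
                    v = apply(op, lv, rv)
                    if v is not None and abs(v) <= MAX_ABS:
                        yield v, f"({lt}{op}{rt})"

def solve24(digits, target=24):
    """Return one expression using every digit once (each optionally negated)
    that equals target, or None when none exists."""
    for perm in permutations(digits):
        for signs in product((1, -1), repeat=len(perm)):
            terms = [(Fraction(s * d), f"({s * d})" if s < 0 else str(d))
                     for s, d in zip(signs, perm)]
            for v, text in exprs(terms):
                if v == target:
                    return text[1:-1] if len(terms) > 1 else text
    return None

def verify(text):
    """Re-evaluate a returned expression exactly (Fractions, not floats)."""
    return eval(re.sub(r"\d+", r"Fraction(\g<0>)", text), {"Fraction": Fraction})
```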
The powerful web team
Two senior people from industry laid the foundation for the web challenges
They filled in the practical experience the students lacked
Web challenges vary a lot and involve too many technologies; you need the ability to quickly learn and absorb new ones
PY4H4SHER: the challenge let you download the py4h4sher.pl source right from the start, with a checksum for the download, so the download succeeded
After downloading we found four stages to get past:
1. Without the secret, how to satisfy _md5( SECRET + query_str ) == checksum
2. if m_hash(stage1) != '4141414141414141': gotofail()
3. if _pbkdf2(plaintext) != _pbkdf2(stage2): gotofail()
4. if _md5( stage3 ) != '90954349a0e42d8e4426a4672bde16b9': gotofail()
Approach:
1. Send the parameters via POST to dodge the checksum check
2. Stage1: solved with a MySQL old-password collision
3. Stage2: PBKDF2+HMAC collision (found by searching Google)
4. Stage3: googling the md5 hash quickly shows stage3 is enigma; the hard part is stage3 = stage3[0]+stage3[1]+stage3[3]+stage3[5], which we dodged with stage3=en&stage3=i&stage3=X&stage3=gm&stage3=X&stage3=a, and finally solved as shown in the figure below
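The Stage2 check compares two PBKDF2 outputs for equality, which is weaker than comparing the inputs: HMAC hashes any key longer than its block size before use, so PBKDF2-HMAC cannot distinguish a long password from that password's digest. This added example (not the challenge's own _pbkdf2, whose hash and parameters the slide does not give) demonstrates that property with Python's hashlib, assuming PBKDF2-HMAC-SHA1 by default.

```python
import hashlib

def pbkdf2_twin(password: bytes, hash_name: str = "sha1") -> bytes:
    """Return a second input that PBKDF2-HMAC-<hash_name> maps to the same
    derived key as `password`, or `password` itself when none is guaranteed.

    HMAC replaces a key longer than the hash's block size (64 bytes for SHA-1
    and SHA-256, 128 for SHA-512) with its digest, and PBKDF2 feeds the
    password in as the HMAC key, so H(password) and password collide once
    password exceeds the block size. Shorter passwords are not affected.
    """
    h = hashlib.new(hash_name)
    if len(password) > h.block_size:
        h.update(password)
        return h.digest()
    return password

def derive(password: bytes, salt: bytes, hash_name: str = "sha1",
           iterations: int = 1000) -> bytes:
    # Constructed parameters; the challenge's real salt/iterations are unknown.
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)

def same_derived_key(a: bytes, b: bytes, salt: bytes,
                     hash_name: str = "sha1") -> bool:
    """The weak equality check from the challenge: equal PBKDF2 output, not
    equal input. True for any password longer than the block size and its
    twin, which is why such a check does not prove knowledge of plaintext."""
    return derive(a, salt, hash_name) == derive(b, salt, hash_name)
```

A verifier that must prove knowledge of a specific plaintext should compare a stored derived key against one input, never accept two caller-chosen inputs and test their PBKDF2 outputs for equality.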
Easyinj
Here are three initial clues. The beauty of this challenge lies in that cheeky error message, which tells you precisely that it is a MySQL error-based injection
○ A minimal MySQL error-based injection looks like this: ' and (select 1 from(select count(*),concat(@@version, floor(rand(0)*2))x from log group by x)a))#
Another subtlety is that when you enter certain sensitive strings such as select or from, they are replaced with an empty string
The error message also contains the program path, so the first step is to download the source with load_file(); the error message also reveals that . is replaced too, so we switched to the hex form load_file(0x433a5c5c57696e646f77735c5c7068702e696e6920)
load_file's output is too long and causes a timeout error, so the query has to be split up with substr; in the end we downloaded the source successfully
Easyinj: we found we had file-write permission and could stack queries, and from the source we found a directory log_guess^2/ used for writing logs
So a read-and-write query could look like this: 54.238.22.67:10653/index.php?ip=');sselectelect%20LOload_fileAD_FILE(0x433a5c5c57696e646f77735c5c7068702e696e6920)%20INintoTO%20DUMPdumpfileFILE%20'Z:\\AppServ\www\log_guess^2\jpeanut9'%23
In the end we never figured out how to bypass the . filter, but since someone had managed to write tedsdt.php in, we might as well look at what they wrote; LOADing that .php showed this odd thing: z:\key_39uti2jb.txt
Reading that file gave us the key XD
DIAGCGI
Core concept:
Curl : local file copy and rename
Download main perl cgi program
Check how the program identifies the user and verifies it
We can find how they use the session argument
Eval() instead of parsing it
Put code in that session file and get the flag
Outside help is usually very strong
It was solved before we even saw the challenge
Solving as a team
Many challenges need different lines of thought to be solved
Communicating and discussing speeds up organizing your thoughts
A collaborative polyglot
Started from the DEF CON 22 polyglot: the DEF CON polyglot wrote shellcode compatible with different architectures
This polyglot writes a script compatible with different languages
Basic idea proposed: make each language's code read as a comment in the others, make use of syntax the languages share, and handle the differences between the languages
Everyone tested different syntax like crazy. Use readFile in Haskell instead of System.Cmd. Sometimes letting someone else take over brings a different line of thought
Polyglot
`cat flag` in Python, C, Ruby, Haskell
A bare string is effectively a comment in Python and Ruby
Use `""" "` to distinguish the Python and Ruby strings
In Ruby, everything after __END__ is a comment
# is a C preprocessor command and a single-line comment in both Python and Ruby
Polyglot
{- Block Comment in Haskell -}
Make {- legal in the other languages
x={-"""1".to_i=>"2""".count('1')};
It means x = { -1 } in Python and x = { -1 => 0 } in Ruby
Make it mean x = { -'1' }; in C by inserting #ifdef in it
Use readFile instead of import System.Cmd to avoid Haskell's rule that imports must be at the beginning of the code
x={-
#ifdef AAAAA
"""1".to_i=>"2""".count(
#endif
'1'
#ifdef BBBBB
)
#endif
};
#include <stdlib.h> /*
""" "
print `cat flag`
__END__
*/
int main(){ system("cat flag"); } /*
"""
import sys, subprocess
sys.stdout.write(subprocess.check_output(['cat', 'flag']).decode("utf-8"))
# */ // -}1; main = readFile "flag" >>= putStr
Ducky
The C source code must not use ();<>[]{}
Found that the stack is executable; tried to build a shellcode called main
main[] = {"shellcode"}
○ Fail
utf8_t* main = "shellcode"
○ Fail
Main = first byte of shellcode
Main1 = second byte
...
The binaries we never managed to crack
Binary challenges usually have a high entry barrier; you need a certain level to solve them
Stkof
Ty
Callme
Sha1lcode
...
Environment setup
Bring up the server and analyze dynamically
Static analysis alone makes it hard to find the bug
Easier to analyze
Test your own exploit
Ty
Ty - ARM64
QEMU
ARMv8 FVP Model
Debugging/Network
Spent a lot of time setting up the VM
Throw input at it first
Test for common vulnerabilities
Long string
Format string
See whether it crashes or gives other clues
Rsbo
Found that feeding it a long string makes it crash
Read 0x80 bytes into a buffer of size 80
DEP + ASLR
Buffer bytes are randomly exchanged
Fill the buffer with zeros
Make every byte involved in the exchange 0x00
Bypass the randomization
Read more input
Try to call read_80_bytes again
Reverse the binary into pseudocode
With no leads, first try translating it into pseudocode to look at
Organize your thoughts
Makes it easier for other members to jump in
Callme
Found the BOF, but ran into a stack cookie
Considered reading out the stack cookie
or using the exception handler
hop - reverse
Windows 64-bit PE
It prints "Key:" and gets input from the user
Use "String Reference" to locate the important code
The most important part is the function "sub_401590"
hop - reverse
The program "hops" by indirect jumps to many positions; every code section looks like
Note that the "pop rax" is each char of the input key
Just like a "function table lookup". If our answer is wrong, it returns 0. Otherwise, it returns 1.
hop - reverse
We first find all code sections by scanning the binary for the byte pattern. There are over 130 of them.
By analyzing these sections, we can find all destination sections of each section.
These sections are just like an "automaton", which reminds me of "automata - Boston Key Party 2014".
Find the correct "path (key)", which steps over 40 states and finally reaches the "return 1" state.
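Once the per-section lookup tables have been recovered, finding the key is a path search over the resulting automaton. This added example (not the team's solver) uses a small constructed section graph in place of hop's 130-plus sections; the section names and transitions are made up for illustration.

```python
from collections import deque

# Constructed toy version of hop's control flow: each "section" is a state
# whose table maps one input character to the next section; any other
# character falls through to the shared section that returns 0.
FAIL = "ret0"
WIN = "ret1"
TOY_SECTIONS = {
    "s0": {"h": "s1"},
    "s1": {"o": "s2", "i": "s3"},
    "s2": {"p": WIN},
    "s3": {"p": "s4"},
    "s4": {"s": "s3"},   # a loop that never reaches WIN
}

def find_key(sections, start, accept=WIN, reject=FAIL):
    """Breadth-first search over the section graph; returns the shortest key
    string that reaches `accept`, or None. Edges into `reject` are pruned and
    visited states are not re-expanded, so loops like s3<->s4 are harmless."""
    parent = {start: None}          # state -> (previous state, char taken)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == accept:
            chars = []
            while parent[state] is not None:
                state, ch = parent[state]
                chars.append(ch)
            return "".join(reversed(chars))
        for ch, nxt in sorted(sections.get(state, {}).items()):
            if nxt == reject or nxt in parent:
                continue
            parent[nxt] = (state, ch)
            queue.append(nxt)
    return None

def run_key(sections, start, key, accept=WIN, reject=FAIL):
    """Replay `key` through the sections the way the binary does: 1 when the
    walk lands in `accept`, 0 for a wrong char, a trap loop, or a key that
    ends before `accept` is reached."""
    state = start
    for ch in key:
        if state in (accept, reject):
            break
        state = sections.get(state, {}).get(ch, reject)
    return 1 if state == accept else 0
```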
Competition results
CTF review and improvements
Think about your mistakes and do better next time
Preparing the competition environment in advance
We lacked ARM and ARM64 environments
How could we have known there would be an HSA challenge.....
Girby
Our HSA expert was away on vacation T.T
Strengthen pwn and reverse training
High entry barrier and time-consuming, but often the deciding factor
1. Setting up the environment
2. Reverse engineering
3. Program analysis, finding the weakness
4. Writing the exploit
This time several challenges got stuck at steps 2 and 3
Insufficient training in bypassing defense mechanisms
Appropriate allocation of people
Because there were many people and a lot of diversity:
Hsinchu, Taipei
Security background, no security background
Day shift, night shift
There were cases where data was not synced and several people wrote the same program
BambooFox's future goals
NCTU student security community
CTF and security-related training
Sharing security research
Actively participating in security competitions
Domestic and international competitions
Thanks
Thanks to these members for helping me prepare these slides
Ddaa
jpeanut
ding
Benson chen
Nier
Adavis10006
Lucaus wei
Ensky
Appendix
Reflections
Recognizing attack techniques and understanding their details is the foundation for strengthening both the breadth and the depth of security defense, and playing wargames is a great way to train for that; I hope everyone interested in security will come play more wargames. (Ding)
The score gap between us and the other strong teams mainly comes from the pwn category; we will strengthen our practice in that area going forward (ddaa)
G8LA Oracle CVE-2012-3137
Found the user FLAG => AUTH_SESSKEY, AUTH_VFR_DATA
https://github.com/magnumripper/JohnTheRipper
john cracked m3o3rt, m3odha, m3odha; afterwards we built a wordlist of m3o-prefixed words to crack it, and only m3ow00 turned out to be correct; not sure why it produced so many candidates
DIAGCGI: after modifying /tmp/cookie we could execute a shell
After all that fuss, Xatierlike Lee just did command injection directly: /read_key/key.txt
Finger
This is a Rock-paper-scissors game
It computes md5 over every 16 chars you input, sums them, and checks the sum later
If we can bypass the boss's attack then it is possible to win
If we guess wrong, cheat here
Finger
We don't want to find a collision XD
We just cheat when we know the boss is going to win, so the boss cannot attack us
Boss wins: our hp -1
Tie: both hp -0
We win: boss hp -rand(1..3)
Writeups (by xatierlike Lee)
http://pastebin.com/JqBFKfvu
By xatierlike Lee
http://ensky.logdown.com/posts/2014/08/20/hitcon-ctf-2014-24
By ensky
http://ddaa.logdown.com/posts/221204-hitcon-ctf-2014-pwn-150-rsbo
By ddaa