PHDays 9: AI CTF Parsing
The topic of machine learning safety is rather hype lately and I wanted to touch on its practical side. And then the reason is cool - PHDays , where various experts from the world of information security gather and have the opportunity to draw attention to this topic.
In general, we have done task-based CTFs with tasks that affect some of the security risks of using machine learning techniques.
Our competition lasted a little more than a day. It was meant that it is individual - teams of one person. I wanted people to participate in it at the conference in order to meet in person. Therefore, tasks should be solved in a couple of hours, not require a lot of computing resources, however difficult tasks should also be - not everyone should win: D
As a result, we had 6 tasks (the seventh was just a fan), it seems that for one person per day is enough. The tasks themselves, unfortunately, are no longer available. But maybe after reading the analysis, you want to participate next time?
Immediately I would like to express my gratitude to the guys, without whom this CTF would not take place: @groke and @mostobriv . The coolest ideas, technical solutions and deploy-party on the night before the start - what could be more beautiful when it's in a great company ?! :)
tiny.cc/6fj06y
Dan dataset from 3 391 pictures of cats and dogs.
The quest was marked as “Stegano”. Tasks for quilted imply the concealment of some information. It seemed easy to guess that the seals and dogs - this is something binary. A little thought, we can assume that this sequence of cats and dogs may be some kind of binary message. Suppose, for example, the seals will be 1, and the dogs will be 0. If all of a sudden fails, you can simply swap them. Next, we find a trained model that classifies cats and dogs. There are many examples of lessons on classification of cats and dogs, as well as trained models after them - you can find trained models on the githaba. We take a trained model, in extreme cases, we train ourselves. We predict each image as 0 or 1. We translate this “byte” sequence into a string.
Get the text that contains the flag `AICTF {533m5_y0u_und3r574nd_4n1m4l5}`.
However, for some reason, several participants at different times tried to pass the strange flag with the word “Adopted”. We do not know where they took it from, if suddenly the participants explain, it will be cool: D
The service was a kind of “blog” where each user could post public and private posts. Since the functionality was small - it was not difficult to guess that you need to somehow get a private recording.
There was actually only one input field - the record id.
What to do?
The first thing a safe person comes to mind is to try sql injections. However, it is said that the service is protected by AI. And simple sql-injection could not be sent. Service responded to such an attack “Hacking attempt!”. Many tried to pass it as a flag, but did they really think that everything was so simple?
Under the hood, there was an LSTM network that analyzed id for sql-injection. However, the LSTM input must be of a fixed length. For simplicity, we have limited it to 20 characters. Ie the logic was as follows: take the request, if it is more than 20 characters - we cut it off and check the rest, if it is less, then we add 0.
Actually, therefore, simple sql-injection did not immediately work.
However, the chance to find such a vector that the network would not see and was taken as a good query.
It was necessary to recognize the QR-code:
Files for task are available here.
A few encrypted files were given. Among them was a pyc-file, reversing which it was obvious that there was a function by the code of which it was possible to understand that all the necessary files were encrypted with AES on the key that was obtained from the bytecode of this function and another one inside it.
There were two possible solutions: parse the pyc-file and get the implementation of the functions or make your own proxy hashlib module, which would output its argument and run it, you could get the key to then decrypt the files and run the QR Reader, which recognized the proposed image as a flag.
The service was something like a kaggle competition. It was possible to register, download data and load models, they were tested on private data and the result was recorded on the board.
And the goal seems obvious - to get 1.0 accuracy.
Was it difficult? Impossible: D
The data was generated randomly and, of course, it was implied that such accuracy needed to be typed in some other way. Service accepted models in the .pickle format. And it seems that everyone already knows, but it turns out that not everyone knows that RCE can be obtained through pickle, and what could be worse?
Actually it had to be done! Having received remote access to the server, it was possible to download the data on which the solution was tested, retrain the model and get 1.0 accuracy and with it the flag.
As you might guess from the name, the service does something with images.
Awesome application interface offered to upload a photo.
In response, you sent an image with a modified style and logo of the competition.
Where is the flag?
It seems that it’s quite common to see commonplace vulnerabilities on CTF - this time it was Image Tragick . However, few have guessed or exploited not everyone who tried.
Cherry on the cake and the unsolved task turned out to be this task. Although after talking with the participants, it turned out that they were very close to the answer.
Files to task can be found here.
The system accepts python bytecode and executes it. But, of course, it won't be just like that, as there is an “AI”. He checks the python version and does not allow the “wrong” one. If the code passed the test, it was launched on the server - which means it was possible to get a lot of information.
The baytkod that the interpreter gives could be diluted with the feet, and the neural network that would check would have missed (it was also LSTM), or it was still possible to add a lot of garbage to the end.
Further, when you are able to execute the Python code, it was possible to detect on the server the `flag_reader` binary, which was run from the root. In the binary there was a format string vulnerability through which the flag could be read.
Nikita's solution (konodyuk) can also be read here.
By the end of the competition, 130 registered, 14 passed at least one flag, and 5 out of 6 tasks were solved - it means that we succeeded in balancing difficult and easy tasks.
Considering that we did not disseminate much information, as we did for the first time and would not be ready for a heavy load, we still consider it a super well-conducted competition.
Prizes were taken by:
The winners were awarded at the end of the second day PHDays with honors and cool prizes: AWS DeepLens, Coral Dev Board and a backpack with the logo of the conference.
The guys who usually play classic CTF and are now fond of machine learning appreciated our competition, so we hope the next time datasaientists who are interested in security will join.
In general, we have done task-based CTFs with tasks that affect some of the security risks of using machine learning techniques.
What is CTF ???
Capture The Flag (CTF) is a very popular computer security competition (as popular as kaggle competitions for datasainists). There are two formats: jeorpady and service (attack-defense). We did the hacking.
')
Classic task competitions resemble the format of “Own game”. When there is a set of tasks in different categories that have different costs.
In CTF, traditional categories are: web - web vulnerabilities, reverse - reverse engineering, crypto - cryptography, stegano - steganography, pwn - binary exploitation.
Teams (from 1 to n people) solve tasks and who solves tasks for more points is that well done.
')
Classic task competitions resemble the format of “Own game”. When there is a set of tasks in different categories that have different costs.
In CTF, traditional categories are: web - web vulnerabilities, reverse - reverse engineering, crypto - cryptography, stegano - steganography, pwn - binary exploitation.
Teams (from 1 to n people) solve tasks and who solves tasks for more points is that well done.
Our competition lasted a little more than a day. It was meant that it is individual - teams of one person. I wanted people to participate in it at the conference in order to meet in person. Therefore, tasks should be solved in a couple of hours, not require a lot of computing resources, however difficult tasks should also be - not everyone should win: D
As a result, we had 6 tasks (the seventh was just a fan), it seems that for one person per day is enough. The tasks themselves, unfortunately, are no longer available. But maybe after reading the analysis, you want to participate next time?
Immediately I would like to express my gratitude to the guys, without whom this CTF would not take place: @groke and @mostobriv . The coolest ideas, technical solutions and deploy-party on the night before the start - what could be more beautiful when it's in a great company ?! :)
Stegano: Aww - 100
tiny.cc/6fj06y
Dan dataset from 3 391 pictures of cats and dogs.
The quest was marked as “Stegano”. Tasks for quilted imply the concealment of some information. It seemed easy to guess that the seals and dogs - this is something binary. A little thought, we can assume that this sequence of cats and dogs may be some kind of binary message. Suppose, for example, the seals will be 1, and the dogs will be 0. If all of a sudden fails, you can simply swap them. Next, we find a trained model that classifies cats and dogs. There are many examples of lessons on classification of cats and dogs, as well as trained models after them - you can find trained models on the githaba. We take a trained model, in extreme cases, we train ourselves. We predict each image as 0 or 1. We translate this “byte” sequence into a string.
Author's solution can be found here.
Get the text that contains the flag `AICTF {533m5_y0u_und3r574nd_4n1m4l5}`.
However, for some reason, several participants at different times tried to pass the strange flag with the word “Adopted”. We do not know where they took it from, if suddenly the participants explain, it will be cool: D
Notes
The service was a kind of “blog” where each user could post public and private posts. Since the functionality was small - it was not difficult to guess that you need to somehow get a private recording.
There was actually only one input field - the record id.
What to do?
The first thing a safe person comes to mind is to try sql injections. However, it is said that the service is protected by AI. And simple sql-injection could not be sent. Service responded to such an attack “Hacking attempt!”. Many tried to pass it as a flag, but did they really think that everything was so simple?
Under the hood, there was an LSTM network that analyzed id for sql-injection. However, the LSTM input must be of a fixed length. For simplicity, we have limited it to 20 characters. Ie the logic was as follows: take the request, if it is more than 20 characters - we cut it off and check the rest, if it is less, then we add 0.
Actually, therefore, simple sql-injection did not immediately work.
However, the chance to find such a vector that the network would not see and was taken as a good query.
New edge QR reader
It was necessary to recognize the QR-code:
Files for task are available here.
A few encrypted files were given. Among them was a pyc-file, reversing which it was obvious that there was a function by the code of which it was possible to understand that all the necessary files were encrypted with AES on the key that was obtained from the bytecode of this function and another one inside it.
There were two possible solutions: parse the pyc-file and get the implementation of the functions or make your own proxy hashlib module, which would output its argument and run it, you could get the key to then decrypt the files and run the QR Reader, which recognized the proposed image as a flag.
A detailed decision of the participant who took the 3rd place can be read here:
Prediction Challenge
The service was something like a kaggle competition. It was possible to register, download data and load models, they were tested on private data and the result was recorded on the board.
And the goal seems obvious - to get 1.0 accuracy.
Was it difficult? Impossible: D
The data was generated randomly and, of course, it was implied that such accuracy needed to be typed in some other way. Service accepted models in the .pickle format. And it seems that everyone already knows, but it turns out that not everyone knows that RCE can be obtained through pickle, and what could be worse?
Nikita's decision (konodyuk)
Actually it had to be done! Having received remote access to the server, it was possible to download the data on which the solution was tested, retrain the model and get 1.0 accuracy and with it the flag.
Photogram
As you might guess from the name, the service does something with images.
Awesome application interface offered to upload a photo.
In response, you sent an image with a modified style and logo of the competition.
Where is the flag?
It seems that it’s quite common to see commonplace vulnerabilities on CTF - this time it was Image Tragick . However, few have guessed or exploited not everyone who tried.
New age antivirus
Cherry on the cake and the unsolved task turned out to be this task. Although after talking with the participants, it turned out that they were very close to the answer.
Files to task can be found here.
The system accepts python bytecode and executes it. But, of course, it won't be just like that, as there is an “AI”. He checks the python version and does not allow the “wrong” one. If the code passed the test, it was launched on the server - which means it was possible to get a lot of information.
The baytkod that the interpreter gives could be diluted with the feet, and the neural network that would check would have missed (it was also LSTM), or it was still possible to add a lot of garbage to the end.
Further, when you are able to execute the Python code, it was possible to detect on the server the `flag_reader` binary, which was run from the root. In the binary there was a format string vulnerability through which the flag could be read.
Nikita's solution (konodyuk) can also be read here.
Results
By the end of the competition, 130 registered, 14 passed at least one flag, and 5 out of 6 tasks were solved - it means that we succeeded in balancing difficult and easy tasks.
Considering that we did not disseminate much information, as we did for the first time and would not be ready for a heavy load, we still consider it a super well-conducted competition.
Prizes were taken by:
- 1 place - silent
- 2 place - kurmur
- 3rd place - konodyuk
The winners were awarded at the end of the second day PHDays with honors and cool prizes: AWS DeepLens, Coral Dev Board and a backpack with the logo of the conference.
The guys who usually play classic CTF and are now fond of machine learning appreciated our competition, so we hope the next time datasaientists who are interested in security will join.
Source: https://habr.com/ru/post/454206/
All Articles