Monday, August 12, 2013

Defcon 21 CTF - Binaries and environment

Vulnerable boxes were LXC containers with Ubuntu and Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). ARMv7 means you can't debug on your SheevaPlug (ARMv5) or RaspberryPi (ARMv6) so either you have an ARMv7 handy (e.g. Chromebook) or you need to use QEMU.

We were given 6 binaries (4 on the first day, 2 on the second day) so it's doable by a team of 8 people (the limit) and hopefully doesn't benefit larger teams. We didn't have root, but a user ctf with sudo access to users running the binaries, which were run by xinetd, so the teams didn't have to keep a server running. Binaries had one or multiple vulnerabilities, and some of them had bugs which were patched during the CTF.

The nice part is that the OS had ASLR and NX enabled, and some binaries were PIE. Finally stepping up the game!

Defcon 21 CTF

And here we are again in Vegas this year for Defcon 21 CTF!

New organizers this year: LegitBS, 8 people including members of Samurai (last year's winners).

In short, they did really well. Great game, good challenges, always on time and most things working.

Tuesday, September 4, 2012

Defcon 20 CTF - CTF Inside

Well, that was hell of a game.

Lollers would have bet that DDTEK would screw this up but guess what... After herding all year long, they invoked their sheep for rescue to save their bad ass' smelly screwing power reputation.

They ruled it! Special kudos for running a game of 20 teams x 8 individuals so smoothly. This was a big "first time ever" for the "Capture the Flag" exercise. Not to say that there weren't some fuck-ups, but DDTEK were back with good-quality binaries, much harder and pretty well thought out compared to last year. Almost no problems all game long except the traditional "We R in Late..."

Monday, August 6, 2012

Defcon 20 CTF - Semem

semem: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), 
statically linked, for FreeBSD 9.0 (900044), stripped

This service listens on port 6941 on interface em1, on the first IPv6 address found. For every connection a child is forked, privileges are dropped to the semem user, and that user's home directory is used as the chroot.

Monday, June 4, 2012

Defcon 20 QUALS - urandom 300

Connect to the given host and port, with the provided password.

The problem is as follows:
  Here come 100000 uint16_t, please tell me how to sort them into
  ascending order by sending me pairs of indicies to exchange, one
  per line, in the format: <index1>:<index2>
  For example to exchange elements 123 and 9821 you should send:
  123:9821
  Valid indicies are in the range 0..99999 inclusive. Send a blank
  line when you are done. If you correctly sort the array in
  sufficiently few moves I will give you a key!
  You have about 10 seconds to finish, and a 5 minute wait between
  successive connections.
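As an added example (not the team's solver from the original post), the following Python shows one way to answer the challenge above within the swap budget: the target order is computed with a counting sort (uint16_t values fit in 65536 buckets), and a cycle-style pass then swaps each out-of-place element directly into position, which never needs more than n-1 exchanges and usually far fewer because duplicate values are already "in place" relative to each other. The wire encoding of the incoming integers is not stated on the page; little-endian is assumed here, and the server I/O is left to the caller.

```python
import random
import struct
from collections import defaultdict


def parse_uint16(data, byteorder="<"):
    """Decode a blob of raw uint16_t values. Byte order is an assumption."""
    count = len(data) // 2
    return list(struct.unpack(f"{byteorder}{count}H", data[: count * 2]))


def sorted_target(values):
    """Counting sort: values are uint16_t, so 65536 buckets cover the range."""
    counts = [0] * 65536
    for v in values:
        counts[v] += 1
    out = []
    for v, c in enumerate(counts):
        out.extend([v] * c)
    return out


def swap_plan(values):
    """Return a list of (i, j) index pairs that sort `values` ascending.

    Invariant: after iteration i, positions 0..i hold their final values,
    so every swap fixes at least one position and the plan has at most
    len(values) - 1 entries. Elements that are already where the sorted
    array wants them (including duplicates) are never touched.
    """
    a = list(values)
    target = sorted_target(a)
    # value -> set of indices that currently hold that value but should not
    misplaced = defaultdict(set)
    for i, (cur, want) in enumerate(zip(a, target)):
        if cur != want:
            misplaced[cur].add(i)

    swaps = []
    for i in range(len(a)):
        want = target[i]
        if a[i] == want:
            continue
        # Some index j > i holds `want` in the wrong place; bring it here.
        j = misplaced[want].pop()
        have = a[i]
        misplaced[have].discard(i)
        a[i], a[j] = a[j], a[i]
        if a[j] != target[j]:          # j may still be wrong; keep tracking it
            misplaced[have].add(j)
        swaps.append((i, j))
    return swaps


def format_moves(swaps):
    """Render moves as '<index1>:<index2>' lines, terminated by a blank line."""
    return "".join(f"{i}:{j}\n" for i, j in swaps) + "\n"


def apply_swaps(values, swaps):
    """Replay a plan on a copy of the input, as the server would."""
    a = list(values)
    for i, j in swaps:
        a[i], a[j] = a[j], a[i]
    return a


if __name__ == "__main__":
    # Constructed input of the challenge's size; real data comes from the socket.
    rng = random.Random(1)
    raw = struct.pack("<100000H", *(rng.randrange(65536) for _ in range(100000)))
    nums = parse_uint16(raw)
    plan = swap_plan(nums)
    assert apply_swaps(nums, plan) == sorted(nums)
    print(f"{len(nums)} values sorted with {len(plan)} swaps")
    print(format_moves(plan[:3]), end="")
```

The plan is computed in one linear pass after the counting sort, so the 10-second window is spent on network I/O rather than on the algorithm; `apply_swaps` exists only to check the plan locally before sending it.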

Defcon 20 QUALS - Grab Bag 200

We have a jpeg file and its __MACOSX AppleDouble encoded Macintosh friend:

  • 115e0ba3c3d72647fcb9a53ae90e47a6.jpg
  • __MACOSX/._115e0ba3c3d72647fcb9a53ae90e47a6.jpg

The second file tells us that the jpeg comes from http://ircimages.com/ircimages/1/1/115e0ba3c3d72647fcb9a53ae90e47a6.jpg

Defcon 20 QUALS - Forensics 400

Execute photorec on the memory dump:
$ photorec for400/memory.dmp
Scan for Intel/Whole Disk/Other

During the recovery, notice some gpg files recovered:
$ find . -name "*.gpg"
./recup_dir.5/f1459128.gpg

$ file ./recup_dir.5/f1459128.gpg
./recup_dir.5/f1459128.gpg: PGP key security ring

This seems very good!