We were given 6 binaries (4 on the first day, 2 on the second day), so it's doable by a team of 8 people (the limit) and hopefully doesn't benefit larger teams. We didn't have root, only a ctf user with sudo access to the users running the binaries; the binaries were launched by xinetd, so teams didn't have to keep a server running. Binaries had one or multiple vulnerabilities, and some of them had bugs which were patched during the CTF.
The nice part is that the OS had ASLR and NX enabled, and some binaries were PIE. Finally stepping up the game!
Binaries
- atmail: mail server
- lonetuna (+libc.a): a little game; v2 was provided on second day to fix the bug and introduce a new one
- bookworm: book review service
- reeses: signed MIPS emulator; teams had to find out that firmwares were sent over the network by the organizers (only they could sign them), and that you had to reverse and exploit those firmwares
- echoserver: sending you back your input
- sha256: computing sha256 of your input
- strongkey: xoring data with a hardcoded key
- decompress: a custom LZSS decompression program
- avoir: authenticated prompt with commands; v2 was provided after some time to fix a DoS
- trouver: same idea, different commands; v2 was provided after some time to fix a DoS
Environment
As said above, it was an LXC container with Ubuntu and a Linux 3.8 kernel on ODROID-U2 boards (ARMv7 CPU). For dynamic analysis and exploit debugging it's very useful to have an environment in which to run the binaries. Since we didn't have ARMv7 hardware, we resorted to QEMU. Here is how to set up one similar to the organizers' machines:
- Install QEMU for ARM:
$ apt-get install qemu-system
- Get an ARMv7 kernel from the odroid.us community website:
$ wget http://odroid.us/odroid/users/osterluk/qemu-example/qemu-example.tgz
$ tar zxf qemu-example.tgz ./zImage
$ rm -f qemu-example.tgz
- Get an Ubuntu 12.04 base image:
$ wget http://releases.linaro.org/12.04/ubuntu/precise-images/developer/linaro-precise-developer-20120426-86.tar.gz
$ tar zxf linaro-precise-developer-20120426-86.tar.gz # creates binary/
$ rm -f linaro-precise-developer-20120426-86.tar.gz
- Prepare it on a QEMU disk image:
$ qemu-img create -f raw rootfs.img 3G
$ mkfs.ext3 rootfs.img
$ mkdir mnt
$ mount -o loop rootfs.img mnt
$ rsync -a binary/boot/filesystem.dir/ mnt/
$ umount mnt
$ rm -rf binary
- Start QEMU, with user networking and port forwarding on 2222 to SSH to it:
$ qemu-system-arm -M vexpress-a9 -m 512 -kernel zImage -sd rootfs.img \
    -append "root=/dev/mmcblk0 rw physmap.enabled=0 console=ttyAMA0" \
    -net nic -net user,hostfwd=tcp:0.0.0.0:2222-10.0.2.15:22 -nographic
[...]
root@linaro-developer:~# uname -a
Linux linaro-developer 3.2.0 #7 SMP Thu Feb 28 16:20:18 PST 2013 armv7l armv7l armv7l GNU/Linux
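Before copying the binaries into the emulator it helps to confirm which mitigations each one was built with, since the post notes NX on the OS and PIE on only some binaries. This is an added Python helper, not code from the original post: it reads the ELF32 header and the PT_GNU_STACK program header directly (no readelf needed inside the guest), and includes a constructed sample image so it can be checked offline.

```python
import struct

# ELF constants from the ELF and GNU ABI specifications (real values).
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_GNU_STACK = 0x6474E551
PF_X = 1

def triage_elf32(data: bytes) -> dict:
    """Report machine, PIE and NX facts for a 32-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    # Ehdr offsets: e_type 16, e_machine 18, e_phoff 28, e_phentsize 42, e_phnum 44
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    # nx stays None when PT_GNU_STACK is absent: the kernel default then applies.
    nx = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, off)[0]
        p_flags = struct.unpack_from("<I", data, off + 24)[0]  # Phdr32: p_flags at 24
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # A PIE is linked as ET_DYN; ASLR only relocates the image when it is ET_DYN.
    return {"arm": e_machine == EM_ARM, "pie": e_type == ET_DYN, "nx": nx}

def build_sample(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF32 ARM image with one PT_GNU_STACK header (test data only)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               e_type, EM_ARM, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage_elf32(f.read()))
    # Constructed samples: RW stack + ET_DYN matches the PIE binaries the post mentions.
    print("sample pie+nx  ", triage_elf32(build_sample(ET_DYN, 6)))
    print("sample exec+rwx", triage_elf32(build_sample(ET_EXEC, 7)))
```

Run it against each CTF binary before starting QEMU to know which ones ASLR will actually relocate.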
The link to avoir v2 goes to trouver v2 and the link to trouver goes to avoir v2. Many thanks for the great explanation. At quals, we were using a Raspberry Pi to debug because we didn't understand it well enough. Next year we'll understand it much better.

Thx, fixed again :)

Unfortunately, I can't log in after installing. "root/password" is not accepted. Any help would be greatly appreciated.

You can add "init=/bin/bash" (single user mode) to get a root shell and change the password.

Updated instructions with a Linaro image, no root password needed.

A few stumbling blocks I encountered with the Linaro image: eth0 is not set to use DHCP by default, and SSH is not installed. See https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Virtual_ARM_Linux_environment for more info on fixing these problems.