CSAW 2021 Capture The Flag (CTF) - Qualifiers

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

in this video we're going to take a look at some of the challenges from the seesaw 2021 ctf this is the qualifying round running from the 10th to the 12th of september and then we've got the finals on the 12th to the 14th of november so let's go and take a look at some of the challenges we'll start off with this warm-up category and the first challenge is called poem collection it says hey i made a cool website which shows off my favorite poems can you find flag.txt somewhere and we have this url to go and visit so we'll take a look at that so we arrive at this page which says go check out my awesome poem selector and then we have this link to the poems directory so let's open that up and immediately we see this warning file get contents file name cannot be empty and we have the path to the index.php file you can see the error is on line four and we've got three poems here that we can select let's try and open up poem one and that opens up we can see that our url is now set to this query so we have this query and then we have this value let's try poem2 and poem 3. so we might want to go ahead and just see if there's any other poems which aren't linked here what if we try poem 4 and we get nothing so it failed to open this file there is no such file if we go back to our challenge description it says see if you can find flag.txt somewhere so if we've got a file inclusion vulnerability here we might be able to just say flag.txt in that case it failed to open but what if flag.txt isn't on this directory maybe it's on the next directory up so let's try and do dot dot slash and this time we get this flag local file inclusion for the win so that's our first challenge done the next challenge is called crack me and the description says can you crack this your hash is and it gives us a hash and it tells us the salt is the encryption method of the hash so if the hash is of the word example you need to submit flag example to score points and then we have an update here which i'd already solved it before this update came through but this is basically just clarifying how we need to specify the hash oh sorry how we need to specify the salt for the harsh so we basically need to crack this hash anyway let's go and have a look with hash id or you can use like hash analyzer or something and if you just google it you can then just get a list of some potential hashes it's given sniff route 256 is the most likely although note that sha256 is a far more common hashtag essentially what i did here was i created a hash file and tried to use john initially john the ripper to crack this so if you specify a word list as a user share wordless rock you and then pass in the hash it'll actually tell us that the let me minimize this it'll actually tell us that the most likely hashtag is ghost and then it gives us some other possibilities so i ran through this and tried some of these different possibilities in john but we need to specify the salt as well so we would need to specify like something like ghost and then or have a ghost at the end i also tried that um but we we then need to specify a dynamic format which will deal with the salt um i'm not gonna go through all that because it didn't work for me but essentially after failing to crack the hash for a while i moved over to hashcat if we go to hashcat we can have a look at some example hashes on the hashcat website and in here we've got some different formats so essentially what i did here is going to have a look for salt and if we start going through we'll quickly find that we have the sha256 and it can have some different formats we can pass it in as past.salt or salt.pass and then some some others availab available here as well and this is the mode that we would need to run it on so what i'm going to do is swap over to hashcat on my main pc just so you can use the gpu and we'll try and crack it using some of these some of these modes okay so what we have here is we have a hashes file which we can have a look at here hashes hashes.txt and you can see that i've put in the hash and then we've put in a colon with the sha256 there as well now i'm just going to copy in our hashcat command and i tried a couple here in fact let's try first of all the uh one four one zero was the first option and we're just running it with rock u again um one four one zero was basically this there we go pass.salt so we run that we get exhausted it doesn't find anything but if we try it again and do 1420 which instead of pass.salt it should be salt.pass i believe yeah salt.past you can see there and it very quickly cracks that as cat house so our hashtag was sha256 and the word that was hashed was cat house so we can just go back and submit flag cat house and that's the challenge solved the next challenge is called password checker and the description says charlie forgot his password so login to his office portal help him find it and it tells us that the challenge is written for a person on your team who has never solved a binary exploitation challenge before welcome to ponin so we've got a file to download which is going to be our binary to test locally once we get it working we'll connect to the server the netcat server here on port 5000 so with that downloaded let's go and take a look at it want to make it executable first of all we might want to have a look just to see if there's any interesting strings in here maybe we've got a password or something to enter in this case i can't see anything sticking out let's try and just run ltrace password checker try and put in a password hello and we'll see that it's comparing hello to password so let's go back and run that again and try and put in password and this time we get you got in you got in but that's not um we've not done any kind of binary exploitation there right so if we take this netcat um command try and connect to the server and just put in the same password we're going to get the same thing you got in if we put an incorrect password we're going to get that's not the password but whether we put in the correct password or not there's no route to us getting a flag there so we're going to want to go and have a look at the binary we could um check the binary protections as well let's do check sec file password checker and this will just tell us what protections are enabled so we don't have pi enabled so every time the program loads it's going to have predictable addresses for the functions and things like that you can see it starting at this address we have nx enabled which means if we are able to inject some shell code onto the stack it won't be executable we have no canaries so we don't need to worry about tripping off canaries if we do have to overflow a buffer in the case that the working air is there we might need to leak the canary and then overwrite the canary with the correct value if it's a buffer overflow challenge and then partial railroad which is just to do with the right ability of the global offset table and stuff but probably not too much um use for us here let's go ahead and create a new geardrop project and go and have a look at the assembly and decompiled code i'll just speed through this process it takes a little while and with this all loaded let's go and have a look at the functions available to us immediately we notice this backdoor function but let's go to our main function which we know is going to execute first it's going to execute it's going to call this password checker so double click on that to take a look at that as well and let's have a look through some of the code here we can see that we have some variables declared here we've got a buffer of 48 bytes and another one of 60. we have this local c variable and it's asking us to enter a password our password is going to be stored in this local 48 variable which you can see is 60 bytes and then it's going to do a string copy it's going to copy our 60 bytes into this 48 by buffer so we can instantly see that we've got a buffer overflow potentially there and next we have this local a8 which is set to this value let's go and have a look to see if we can convert that to so you can see the char showing up there is drow sap which reversed is password so this is where it was doing the comparison so it's comparing what we enter which is right here where was uh local 78 which is where our local 48 was copied to is comparing that with local a8 which is password and then if it's correct it's going to say you got in if it's not it's going to say this is not the password but as we know that's not much use to us we need to get to this backdoor function which is going to get a shell for us bin sh and looking at the main and the password checker there's no logical route to get to that pass to get to that backdoor function it's never called at any point so we need to try and overflow the buffer and overwrite the return address with the address of that backdoor function so whenever it gets down here and tries to return to where it was before which is the main method the main function it's gonna instead see that the return address is set to this address right here back door which we can see we can just go and grab this address here and it'll then get us a shell so let's go and test this out we can go in let's go and run this in gdb first of all in fact just before we do that let's um let me do python 2-c and let's just print a times say 80. let's run the program again enter in this password you'll see you see that we get this is not the password and we also get this segmentation fault so the programs crashed because we've put in an invalid address it's four one four one four one four one or a's which isn't a valid memory address so we've got this segmentation fault so we could do that and if we let's go and try and take off a few you see that worked fine so we can see that it's somewhere around here that it's actually uh we're actually overflowing the the buffer let's open this up gdb phone debug and password checker so we could use gdb or many other tools to have a look at the code as well if you don't feel like opening up ida so we can have a look in here and see info functions where you can see we've got a different functions here we've got this back door and we've got the address of it as well which is useful we know that the addresses are going to stay the same so on the server these are all going to be hard-coded addresses as well and if we wanted to have a look at any of those we can like disassemble say password checker and we can go and have a look at the assembly code of that uh we can generate a cyclic pattern here anyway let's go and test out this buffer overflow so i'm gonna generate cyclic 100 i'm gonna take a copy of that click pattern i'm going to run the program and instead of entering a password i'm going to paste in that cyclic pattern we're going to get a crash here and essentially what i want to do what we want to do is have a look and see where it crashes so because it's the 64-bit application we don't see the um the characters here in the instruction pointer because it's an invalid address it won't even try to execute it so we want to take the first four bytes from the rsp these are the bytes which would have made it into the rip if it was uh or the eip if it was a 32-bit application and then we can do cyclic l to look up the offset and we'll see that the offset is actually 72 which would make sense because we know that we have 60 bytes here you know so it's going to be a bit of um space so let's go and have a look at the phone tools script for this um we could grab the backdoor address here let's do disassemble back door and we can grab this address and go and enter this into the phone tool script or we can do it another way let's open this up and take a look most of this script is kind of just a template to make it easy to swap between debugging and remote and local and set up a gdp script and stuff like that so the only thing you really need to do if you if you use this template which you have on github is insert the correct binary name in here and then just go and start working on the exploits we know that the offset is 72 we've calculated that manually although you can write a function here to calculate that automatically which i often do as well that's also in the template and essentially we're going to start the application we're going to send off a payload in this case let's go and send oops let's go and send this um we'll send the actual hard-coded address so we can just paste this in here because we're using flat and we've defined the architecture here so we've used context.binary and this is basically going to look at this binary and work out is it 64 bit is it linux is it little endian format and then whenever we use things like flat it'll take care of um flattening for us let me highlight that so we can explain it a little bit better so it flattens the argument into a string and it's based on the context that we have already set up so that means i can i don't need to actually specify this as a 64-bit address i can just remove those zeros and this will still know that it's a 64-bit address that we're dealing with so let's go back and just try and run that and see if it works it runs you can see we've got um debug mode on here rather than setting it to info or warning so we can actually see what's been sent and what's being re received and um it's essentially overflowed the buffer with these a's and then it's injected this address you can see here four zero one one seven two that's our backdoor address and that's caused it to launch the shell so now we're able to run commands so we can go ahead and just run this straight on the server now if i because i'm using that template i can just do python new and now we just add remote and we can just paste in the server and the port number paste that in run it and now we can just get straight into the server print out the flag.txt and there we go we could do this some other ways as well let me go back to the so originally i had this set to elf.symbols.backdoor because because we've defined the binary here it knows what functions are available so as long as this function address is hard-coded we can just reference it by name and that'll work fine for us as well so if we run that again against the server you see we've still got a shell we can still print out flag.txt and that's the challenge solved the next challenge is called checker it's a warm-up challenge on the description says what's up with all these zeros and ones where are my letters numbers we've got this checker dot py file to download so let's go and take a look at it it says it's a reversing challenge here as well so we'll copy this over from our downloads folder and let's open up in codium and we have this main method there's a flag redacted so obviously they had a flag in here and then they've run the encode function and then this is the result of the encode function so we want to try and decode it and see what the initial flag was so let me just take this out because that's just there to let us know what what happened also this print statement is not really important either and we have just the print encoded so what i initially tried to do here because we have these functions up down left right i was kind of hoping we might just be able to simply reverse it so i didn't before even really looking at what these functions did i simply tried to reverse the order of these so we know the last thing that's that occurs here is this left function so we could make that the first thing that occurs when decoding and let's take in it's going to take in encoded this one's going to be called decode and then the next thing was a down operation so that's right here and then before that we had a write operation which is right here and then before that we had our up operation so we can just try and swap these around and see if this works let's try and do decoded equals decode encoded and let's print that out we don't need to print out this encoded one so if we try and run this python checker we have a typo let's try it again okay so that prints that out we've got this long binary string so we could take this to cyber chef or ask you to hex dot com or something and try and convert it so let's go to from binary and although this didn't give us a result it kind of looked to me like it should be a binary result as well so if we go to substitute and try and just swap the tick and the b to a zero and a one and then convert that from binary but unfortunately we don't get anything we could try and swap these around as well still don't get anything um so what i also tried to do again before even looking at what these functions were doing here was because we have up down left right i was kind of thinking of just reversing the order of those so let's start off with a down on encoded and then instead of a right would do a we'll do the left and then instead of down we'll do the up and then finally instead of left we'll do the right so we could try that we'll get another binary string here let's go and paste it in nothing there let me okay so quite similar but we don't get any recognizable text anyway so we want to try and work out what's actually going on with these functions so let's go through these one by one we've got our up function which is doing a shift left here it's actually converting to binary and then doing the shift left we have uh well let's go in the order that they occur so then we have the right which is occurring and right is basically going to take so it's taking in our at this point a binary value because it's returned from up and it's going to say it wants to take from d onwards so this is basically grabbing like a substring splicing it so it's going to take from the 24th bits onwards so everything after the first three bytes and it's going to put those to the beginning of the string and then it's going to put the first three bytes at the end so it's basically moving the first three bytes to the end and then we have a down function down is gonna inverse the bits so it's gonna anything that's a zero it's gonna set to one otherwise it'll be a one and it's gonna set it to a zero so it's just doing an inverse and then left is basically doing the same as right so it's calling right but it's passing in x and d so it's basically doing the opposite way around it's going to pass in the length of the string minus d and that's going to be d in this case so if you had a 50 character string it would take 26 onwards and then move those to the and then move those to the back or move those to the front uh rather it's a little confusing all right and then um we have the it's also then reversing that as well so unlike the right function which just returns x this is actually going to reverse the bits as well so to try and make this a little bit clearer what was actually going on and to help identify exactly what was happening in some of these functions i actually created just well duplicated this script and let's open this up working dot py essentially just added some comments here into the encoding section and we just run a basic test with abcd where we're going to try and encode abcd and we're just going to see what happens as it goes through so we have our initial binary for abcd and then we're going to print out what happens after we call up which is the shift left what happens after we call right which was going to move the first three bytes to the end or the last three bytes to the front should i say um and what's going to happen when we call down which is going to inverse the binary and then what's going to happen we call left which is going to be essentially the same as right but reverse it as well and in doing that let's run through python working and we can see then the results of these so this is our shift left and we could go and verify this as well we could go to let me clear this recipe let's put in here abcd and we can do shift left convert it to binary and this value here is going to be the same as we have here after the shift left so you can see instead of 0 1 1 which would we would have for a we have 1 1 0 which is what we have here and um we have our three zeros at the end instead of two zeros the next thing that would happen then would be the right where we would move some of those in fact let me let me copy over here some of my notes i went through this solving this manually to try and make a bit more sense of it so let me copy over some of the notes here so essentially this is what the functions were doing we were doing the shift left we're reversing the bytes we are swapping the first three bytes with the remaining so that chunk of three bytes and then the same with uh left but we're also reversing we have our initial value a b c d we do the shift left so this is just all the same values that we have right here we do the shift left then we do the swap the three byte block so you can see here if we take this let me just as an example just go through that so if we were to the we have our shifted left value and then we have what is going to be the value after the up occurs sorry after the right occurs which is going to be swapping the three bytes so we can take this same value here and we're just going to essentially move this to the front and then the result that we have these are the same two results right here so we know that we've got the correct result now we're on to the next part which is the inverse so we can take a copy of this and we can just have a look to see if these are the inverse which they are so you can see one zero one zero zero one zero one one zero you'll never get the same two bits there they're always inversed and then finally we have our swapping the last uh block and then resetting as well so what i'll actually do here is just copy over the example that i did earlier manually and this is exactly the what we've just been through there so we have our initial value we undo the uh sorry this is going in the reverse order so if we were trying to reverse our abcd encoded value here we have our result which is right here and first we would undo the reverse so we're just reversing these the opposite way around we can do that again in at cyber chef just clear this recipe we could do here reverse and that will give us the same value that we have here let me just copy that over just so you can see it so that's just the complete reverse string and next we need to move the last byte to the front which is just what we were doing here as well we inverse the bits which is our down operation and then we're going to do the undo the right which is going to be swapping the first three byte block with the remaining bytes and then we'll do the shift left but in this in this case we'll need to shift it right to go um to get it back to the original value and we basically get back to our original value here if we go and convert that to uh from [Music] binary we get our a b c d again so at this point i did actually try to basically just code that to decode the um the encoded flag for whatever reason i kept running into some problems and i ended up just going through and going through the same process of solving it manually here so let's take a look at that so let's just grab the little template that we have here to perform this manually and we'll go and grab the encoded flag first thing we need to do is undo the reverse because we know that the very final thing that happens when we're encoding is this left operation and the very final part of the left operation is to reverse the array so let's go and take this to cyber chef we can go and reverse it and get our reverse string that is step one done next we need to move the first three bytes let's take this right here move those to the end and then we need to inverse the bits which is going to swap the zeros and ones let's go back to cyber chef again you can do this in um you can write a script to do this or you can do this with like finding a replace in sublime or notepad or something as well we want to substitute then our zero and one with one and zero or the other way around it's fine and that's the inverse done now we want to move the last three bytes to the front okay so let me take this now move those to the front and then finally we have a shift but if we go to cyber chef and let's do from binary and we have our flag flag reversing warm up so i've just updated the script based on the solution we did there so if you don't want to do the painfully slow manual reversing um let's say this was something where you needed a reusable script or something like that uh one thing we could do for the decode is just to reverse it in this way so here we take in our encoded value and we're going to reverse it because we know that's the first thing we need to do is reverse and then we're calling this right operation but instead of doing the doing it we're doing it the other way around we're taking the last three and putting to the front and then putting the last first three to the end in opposite orders if that makes sense uh and then we're gonna inverse the bits just as usual and then yeah we do that other operation there that'll basically give us everything apart from the it still needs to be shifted so if we run python working.py we get this value here and we can just take that to cyber chef and then we can just do the shift bit shift right and that'll get us the same flag uh i think manually at least it kind of forces you to understand it a little bit better than the script where sometimes the script you can see i mean the way i started off by doing this was basically just reverse in the order of the function calls and um you know if you play around with that a little bit you could probably just kind of fluke it but um that's how i solved it anyway let's move on to the next challenge the next challenge is called weak password it's a misc challenge and the description says can you crack aaron's password hash he seems to like simple passwords i'm sure he'll use his name and his birthday in it then it gives us a hint saying that aaron writes important dates in this format so the year the month and the day rather than the year the month of the day separated by dashes or rather than day month year etc and once we crack the password we need to put it in the middle of the flag so the flag format so let's take a copy of this hash first of all and it looks like an md5 hash but we could go ahead and put it into hash id and see some possible hashes let's just assume it's md5 as that's the most likely possibility and we want to go and try and crack this so let me open up a link which i use whenever i was solving this initially so there's a post on the hashcat forum asking basically how to do this how can we create a password rule that will go through the days and the months and if we go and have a look here here's a specific example where they actually have an example here for the name the day the month and the year and they're using these custom character sets so we want to we want exactly this really we want aaron and then we want the year the month and the day so we just want to reverse this bit around so this is the mask that we'd want to use and um i basically just took this and reversed it a little bit so let's jump over to windows where we've got hashcat running and we'll try this out so we're over at the windows system and here's the full command so we've got hashcart we're running it on mode 0 for md5 and then we have our hash which is just i've just pasted the md5 hash into this text file and then we have these custom character sets so we have our first character set or second or third on a fourth and these are just taken directly from that hashcat site and then we have the mask here so essentially we want to try and crack a password that starts with aaron and then we're going to try and just loop through the different possibilities for the dates and you can see here that we have three we have four we have two we have one and that's telling them which character sets to use here we could just use decimal but just just to speed it up a little bit and if we run the if we run hash cut it will crack that very very quickly and we get this password aaron 1980 the third 21st so the 21st of march 1980 was his date of birth and then obviously his name is aaron so we just take this wrap it up in the flag and we can submit that uh yeah so that's that's that challenge solved the next challenge is called lazy leaks it's a forensics challenge and the description says someone at the company was supposedly using an unsecured communication channel a dump of company communications was created to find any sensitive information leaks see if you can find anything suspicious or concerning and we have this file lazy leaks dot pcap so we'll take a look at that and we'll just open it up straight away with wireshark and the first thing i did here was essentially going to have a look at the protocol hierarchy so typically when i'm opening a pcap i'll always do this i'll just go and have a look at the file properties get an idea how big the file is how many packets how long it was elapsed what the date was that it was captured etc and then go and have a look at the protocol hierarchy to see what kind of data we're looking at here i immediately thought ssh isn't going to be much use to us unless we need to extract a key from somewhere but we have this telnet um which is 7.4 of the packets let's select that and we can see we have our data here so we can go through and immediately if we go through and actually start looking this will see some information in the packets if we want to try and put this all together we can just right click on one of them and say we want to follow the conversation tcp stream sorry and right here we see that we've got this password flag too lazy for security and that's that challenge solved the next challenge is called mick or mike it's a forensics challenge and the description says my epson inkjet printer is mysteriously printing blank pages is it trying to tell me something so we've got the scan.pdf file to download so we'll take a look at that i'm going to save it to the local directory so we can go and run some tools on it as well let's go and move that from downloads to the desktop oops and if we just search pdf and hit tab here we've got a lot of different commands we can run so we can run like pdf id we might want to have a look at the exif data as well we can run exif tool scan.pdf don't see anything particularly interesting in there i don't see anything particularly interesting there either as well let's um go and open up the pdf and see does it look interesting now this took a while for me if you go through each of these pages they all look blank i was trying to kind of highlight stuff sometimes you have just hidden text on them but it took me a while to actually notice that these these little tiny yellow dots here i don't know whether you'll be able to see them in the video but there is little tiny yellow dots kind of going around in patterns and if we go and google here yellow dots printer code we'll quickly find this machine identification code which the challenge is called mic or mic so that makes sense and it tells us that is also known as printer steganography yellow dots tracking dots or secret dots is a digital watermark which certain color laser printers and copiers leave on every single printed page allowing for identification of the device on which the document was printed etc so um we can go and read up a little bit more information about that we know that we're dealing with an epson inkjet printer so we can go and try and find some specific information for that how can we decode this etcetera i did actually find that there was a previous write up of a similar challenge you can see here nsa whistleblower a pdf file and what they used here they use pdf top pm to convert to png images so that data can data can read them which can read data encoded using these dots so let's go and open that up and if we do something similar here uh hopefully we'll be able to extract this so we need to we can install this with pip so i'm going to go and activate my python 3 virtual environment i'll do pip install data and we know that we need to something else that i'd already tried by the way this pdf so if we go we can do other things here pdfpasser scan.pdf which will actually go through and pass each page um but yeah let's let's do the let's do this decoding let me go back and we'll do something very similar here pdf top pm let me close that down and we want to pass in scan.pdf and then what do we want to call it so we can call it anything here do we need to specify what is it png there as well okay so specify the png format that's going to run and you can see it's creating all these different png files for us and let's go back what did they do next so then they use data pass print and basically run that on each of the png images which is something similar here let's go back and do data pass print and then we'll do the first image it runs through it grabs these dots which would which are a lot more a lot easier to see now in the terminal and then we have our time stamp we have our serial number you can see our serial here is 102 so in this case these were decimal values which needed to be converted into ascii which they did on cyber chef so maybe we can do something similar you can use something else as well ask you to hex.com for example sometimes a little bit quicker i find cyber chef can be quite uh uh intensive on your pc um so the first one was 102 so we might want to go in here and enter 102 convert it from decimal and see does that match an ascii value it does is f so if we go and try this again with the second image and we've got 108 let's go and have a look at that we've got l so i think you can see where this is going we do the third one 97 which is we is a and do the fourth one is 103. so 97 103 and you can see here we've got flag so essentially we just need to keep going through and doing this the best way to do this really would be to i guess write a script which is just gonna loop through all of these pngs and extract the serial number maybe you could even convert write a script to convert this to ascii as well and make it a reusable script but i didn't do that in this case anyway i'm not going to go through the rest of the images but if you go through the rest of the images that will retrieve the full flag and that's the challenge solved the next challenge is called contact us it's a forensics challenge and the description says veronica sent a message to a client via the website's contactors page can you find the message and here we have a pcaps download called contactors.pcapp and then we've got this ssl key file as well so i'm going to download the peak up and open that first of all and as usual we might want to go and have a look at the file properties you can see here it's one minute 25 seconds to pick up it's got 3642 packets we can go and have a look at the protocol hierarchy and we'll see that most of the stuff here is encrypted um so we've got tls here if we go and just scroll through the packets we'll see that as well so we can see our key exchange at the beginning and then basically all the data here is encrypted so if we go and try and follow this we can have a look at the tcp or tls stream uh but it's not actually going to give we're not actually going to be able to read the data at the moment but we were given that ssl file so let's see if we can use this let's download that i'm going to save that to our downloads we'll just go to preferences here in wireshark and into protocols and let's go to straight down to tls which we want to try and decrypt using the ssl file we were given i should probably try and have a look at that ssl file as well let me just show you what's in there so you can see here we basically have these secrets um we can import these directly into wireshark so right here we have our pre master secret log file so if i just go browse open it up from the downloads and hit ok and then you'll instantly see that all of those encrypted things we've seen before are basically gone so the first thing i tried to do here was then try to change this to http we change it to http and try and see what has been decrypted here we can also go to file export objects we can just go ahead and export the http objects see if there's anything of use in here but if we go back to our description we'll see that the description says we're looking for the contactors page let's go back there again to our http traffic and we'll actually see that we have the contact dot submit form down here so we could go and have a look at that in the http stream so i did actually go through and try to url decode some of these requests and see if there was a flag or any useful information in there but they didn't seem to be let's clear that out of the way again and we could filter by protocol again let's go up to our statistics protocol hierarchy now this is decrypted we can actually see a lot more information one of which is this javascript object notation let's apply that as a filter and select it and here we have this data javascript object notation let's try and follow it as a http 2 stream and that doesn't look too useful let me go back go back to json we have another stream down here and if we have a look at this one this one has a site key in it okay but still no flag let's try that again let's go and have a look at the next one this might be part of the same stream actually it's not no okay there we go so this one has the flag marshmallows in it so actually whenever i was solving this initially i didn't solve it by going through the protocol hierarchy i was i was kind of just scrolling through here and it happened to be one of the first things that i noticed which is quite um surprising considering the amount of packets they're here but that's how i solve this challenge anyway the next challenge is called the magic modbus it's an ics or industrial control system challenge and the description says climb on the magic modbus and see if you can find some of the messages being passed around so we've got a peak app to open up here let's download that and take a look actually i'm also going to let me save that to a local directory and again we might want to just go and have a look at the file properties it's a 30 second peak up there's 228 packets in it go and have a look at the protocol hierarchy and see that it's all modbus packets so there's nothing really to do there uh let's see can we apply as a filter we can't let's follow the tcp stream and this doesn't look much use i can't see any ways to convert that to a flag but if we go and just start looking through some of the packets and see what we've actually got in the data you'll see here we have this register one mutant which is the first thing i noticed i noticed that it was 108 and as we go through them there's one that's 97 which is a in ascii we've got 102 so it looked to me like these were ascii values they were all in the ascii range so essentially i went through this i went through to extract these so what we could do as well we could um apply this as a column and then we can go and actually just have a look at um where is the column oh it didn't apply as a column this register value let's apply that as a column and you can see here so we could actually go and have a look at these and just go and verify that they're all in the right range and all looking correct obviously we're going to need them in the correct order but we can see here if we right click this as well we'll see that the it's the modbus dot reg file underscore u in 16 so what i'm going to do is extract those values with t sharp instead so we can go here and say t sharp dash r we'll pass in the modbus dot p cub do dash t fields and the field we want is modbus dot reg file u in 16 let's try and run that you can see it's extracting these values which is looking pretty good let's send that to a file we'll open up the file and we might want to replace backslash r backslash n with a space no it's just backslash n here maybe yeah place that with a space and let's replace spaces greater than one with a single space okay and that's looking better so if you're going to take this to cyber chef just paste this in here and we'll say convert this from decimal and you can see that we've got some strings here it looks like we've got part of our flag but it's not looking easily decipherable we can see here the keyword answers so if we go back to our pickup i'm going to have a look at these let's just go by the packet capture number if we were in fact let me also say modbus oops modbus dot reg val uint16 so we can just filter this and say we only want to look at packets which have this value in them and if we do that we'll see that we have some different sources and some different destinations so we could go back here and run this again but this time say that as well as extracting that we want to make sure that ip.dest equals and we have 238.0.0.1 238.01 we can send that to our file again let's reload it let's do the same replace again replace backslash n with a space we've got our values here i'm not sure why this box is at the top of my sublime but um let's go and paste that in we get ok bus do your stuff so it wasn't that one and i basically went through and did this um repeatedly if we do it with three as well let's see what that gives us reload that let's do the same replace and it says if you keep asking questions you'll keep getting answers so it's not that one either and i think the final one then is the 0.5 so we've done 0.1.3 if we go back and do 0.5 do that same replace new lines and you can do that in cyber chef as well though and there we go we get our flag miss frizzle would be so proud and that's that challenge solved the next challenge is called a pain in the bacnet it's ics challenge and the description says attached as a packet capture taken from a building management network one of the analog sensors reported values way outside of its normal operating range can you determine the object name of this analog sensor so we need to find a sensor in this pcapp which which is reporting anomalous values basically and we're told that we only have two attempts because there's a limited number of sensors in the pcub so let's open this up and let's also just go over to google and quickly search for bacnet and get an idea what it is um so what is a bacnet system it's a standard that specifies a common communication protocol that allows building systems to communicate with each other using a common language by implementing a bacnet system systems made by different companies can communicate with each other so we can go and just have a look at some basic questions and info about this but i'm going to jump straight over to the pcap even without understanding too much about it or anything about it let's go and see if we can work out what these values are let me just take out this hid data as well i have the setup for previous challenge looking at keyboard data but um we'll go in and have a look we could have a look at the file properties the protocol hierarchy in this case it's a hundred percent uh bacnet packets i guess um so let's just go and start scrolling through these and have a look and see what properties we have if we do that we'll find that we have we have here present value let's let's scroll through these and see if these change all try and make this a bit clearer um so essentially i just went through here to try and work out what the value was that it was actually talking about let's see if we can find it we have this present value real which looks pretty good let's keep going through so it's only coming up in a few packets we've got it there again so what we might want to do is go and set this to be a column if we apply that as a column then we'll just be able to go and scroll through the pickup and have a look and see what these values are what we can also do now as well is quite easily see what the value what the key value uh thing is here so we can go and filter so if i do now uh backup dot value was it what was it dot present value and then we'll select this reel and this will just mean that if we filter this way all of the values that we see here will have this present value so we could go through here and just try and work out what's um what doesn't look normal and if we do that let's filter by let's do it in ascending order so it starts off at about 6.7 it works its way up to 1604 so pretty much all the values are within that range and then we have these four here which are 99999 which is way outside the range of the other values so let's um we might want to try we need to try and find out what sensor this is referring to so we could go here and follow the udp stream the thing is we do that it's going to show us the whole udp stream with all of the sensors so let me actually go back and just find out so we're at packet 1803 so let's just close this off let's filter normal 1803 and we can basically go through here and try and find out what is the sensor that's referring to let me see if i can actually just see it here um so somewhere there's going to be the name there it is object name sensor 1 2 3 4 5 so we could also apply this as a column and that would make it even easier to go through and work out the values but essentially this was it so if we take this value sensor underscore one two three four five and submit that as the flag that will get us the points the next challenge is called ninja it's a web challenge on the description says hey guys come check out this website i made to test my ninja coding skills so i've got this url to visit the title of the challenge called ninja which rhymes with ginger which is a hint for this challenge if we go here anyway without maybe guessing from the title we might want to try and enter some things in here we could try and enter an apostrophe we could try and enter some commands to see if we have like command injection and things like that which we don't so let's try and see if we can run some ginger commands let me go to the cheat sheet here this is actually um there's plenty of cheat sheets out here for server side template injection and here let's go to basic injection so first wanna see do we actually have execution so let's take a copy of this let's go and submit that there and we get the result that we should so we get the seven seven sevens we could go back and try that again with something else let's do seven times seven and we should get 49 and we do so we know that we have execution there so what we might want to do here is have a look at the config.item let's go and submit that as well and we run into this problem the problem is sorry the following keywords are not allowed and we're not allowed to use underscores we're not allowed to use config we're not allowed to use os run command or base if we go back to our cheat sheet here we'll see that they're actually used quite a lot you can see the underscores are used here we can see that base is used um if we're actually going to try and read a flag or something like that quite often you'll see the os is used here where to import os as you can see here uh so we're not able to do any of that stuff let's go straight down to the filter bypass then to see what we might be able to do here so we can use backslash xf5 to represent the underscores that'll bypass that part and um this is telling us how to bypass most filters telling us how to bypass base mro join the underscore but if we take a copy of this and go and submit that let's see what this is actually trying to do first of all so it's trying to open it's going to import os and it's going to use process open and it's going to call id and then read it but if we submit that we're going to run in the same problem because it's using os so we need to take this os bit out and if we do that i was still still something else in there that's not allowed maybe it's the run command um so i didn't actually solve this a team mate solve this challenge so let me go to the command that was used to solve it and we'll take a look at this so we have here global's built in it's just directly calling open flag.txt and read and if we submit that we get back our flag flag mummy see i'm a real ninja so that was just a server-side template injection with ginger and some filter bypasses that were needed the next one is called no pass needed it's a web challenge and the description says it's all about who you know and i know admin and we've just got this web address to visit so let's go and take a look at it we've got a login form here and so we might just want to just try immediately and log in with admin admin or admin password something like that we can go and have a look at the post request in burp suite and see uh was there anything interesting here we can see there was a cookie set connect.sid so we might want to go and try and url decode that and see what that's um if that's referencing anything interesting we could go and try a basic sql injection here so we're going to say or one equals one something like that try the same sort of thing and put comments in there what i actually did here i was working on some other challenges and i just threw this into sql map if we do sql map dash r to take in a request and we can just copy and paste this request let's go and do subwool.new new dot request i'm going to paste this request in here and then we could just uh pass that into sql map and just i just went through all the default options but um that's one thing to try i also um tried just throwing in a word list of sql login bypass strings so we can take a copy of this we could go into our burp suite we could send this to the intruder and we can go and say that we want to i think battering ram will will um put the same value in the username on the password so we could either loop through username admin and then just change the password or we could try and change both so if we go into the payloads here paste that not paste that in um paste these in yeah paste those in i might want to take some of these out so let's just start straight off here and then we can just start the attack this will quickly start running quite slowly uh because of the throttling so because there's a particularly long list of 796 values but we can see here then if we have a look at our requests each time it's sending the same value in the username and the password field and we might just want to go and have a look and see do we get a different length response do we get a different response code maybe 200 instead of 302 um or we could try and grep for successful login or for flag or something like that in our response to do that we could just go into um options you see here grep match so we might want to clear this and add in here flag and then it'll just basically let me go back to the attack any responses that have the word flag in will then come up with a tick on them so we can filter it that way so this is a couple of things i just had running in the background while i was working on the challenges but and this didn't solve it for me actually as a teammate who solved this challenge so i'll just go through um the steps that they took to solve it so the challenge name no pass needed kind of hints that we need to focus on the username field although it could mean that you know we need to inject the right sql query into the password field in order to bypass the password check but in this case um it's the username field we want to focus on so if we enter here or let's do so we could try some different i've closed down that ask sql cheat sheet but we could try some different values in here depending on the version of sql that's running on the server and any validation but if we try to log in with this you'll notice that it's removed everything after the space let's try and put in here hello test and log in and you'll see it's again it's removed everything after that space so let's try and put in hello plus test and in that case it didn't remove the everything after the space so um this is essentially how my teammate solved it let's go to the query that they used if we enter or and then one semicolon let me just copy this because we're going to need it again but if you try to log in it's going to remove everything after the or but if we try this again and replace the space with a plus and log in this time we get the flag here's your flag who needed a password anyway or who needs a password anyway so we don't need to enter anything at all into the password field here in order to bypass the authentication the final challenge we're going to take a look at is called alien math it's a pwn challenge and description says brush off your flurb garpool textbooks so we've got a service connect to once we get things working locally so we'll download this local binary to start off with this is the only phone challenge that we solved and we didn't solve any of the reversing challenges and to be honest i probably wouldn't have solved this alien math on my own but let's go and take a look at the solution anyway so let's start by moving our file from the downloads directory to the desktop and make it executable we might want to have a look at the security protections are enabled on the binary so we can do check sec file alien math and we'll find that pi is disabled again so the memory addresses of functions and things like that are going to be predictable so it'll be the same on the server we don't need to worry about that changing we have nx enabled so if we're able to inject any shell code it won't be executable we have no stacking arrows we don't need to worry about tripping those off if we have a buffer overflow to exploit and partial railroad is just to do with the right ability of the global offset table and stuff so with that out of the way let's just try and run the program see what we get it asks us what is the square root of zotnull so let's just try and enter a value we could try entering a couple of different values and see do we get anything interesting we don't seem to let's try and run l trace and do the same again one two three just to see if we get an actual comparison here that we can see but there's no string compare we have this rand function which is being called and we have the output here 6b8b4567 we might want to try that again and let's put in some a different value and see if we get anything different and we'll see that the memory address here which is given to rand is different but the output is exactly the same which is interesting but let's let's open up geardrive and go and have a look at the code before we go any further i'm going to open this up and create a new project i'll just speed through it a little bit okay and with gear open let's go and take a look at the functions we have here and before we even click on the main function see that we have a print flag function right below it and the print flag function is going to open flag.txt it's basically going to give us print out the flag for us so this is going to be our goal is to get to this function but let's try and trace the logical flow of the program here we've got our main function we're going to start off we have some variables declared in this buffer 36 bytes and we it asks us for the square root which is what we just saw there it's calling the rand function it's going to do a comparison then with the input that we provide so we have this local 14 which we're going to enter it's going to compare that with local 10 which is retrieved from ivar so that's this rand function and we know that around function is coming back with the same value each time so before we go through any further of the code let's just go and grab this hex value i'm going to take this over to you take it to cyber chef or something ask it hex and i'm just going to paste this in here and we'll get the decimal value of this and see if we can enter it so if i try to run the program again let's do it with ltrace we can see what's going on in the background let's enter in that decimal value because we know that around value isn't changing and you'll see that it did get through that stage so we got correct and now we get onto the next part of the question where it's calling getchar and it's asking us for whatever question this is so just trying to put in abc it's checking string length and it came back in valid input so it looks like we need to first enter a string of the correct length before it's going to go any further so let's go and take a look at the code again so we've made it through the first question this was the second question that we were asked here and we can see that it's actually going to pass our input to the second question function so let's go and take a look at that and in here we have some variables declared we have a loop which is running repeatedly and we have some values which are placed in here 38 running down through to 28 we can go in and have a look at these and see do these uh convert to anything so we go and have a look at them in characters or we could convert them to decimals or something like that and this might be something that we want to try and submit as our as of as our second question so you can see here it's doing the string length that we just saw and then it's doing the strn compare so this will compare n number of characters and so obviously we want to try and make our input match what we have here so if we were doing that we could go and convert these to let me actually go and take these to ascii to hex again i'm going to take this whole string of hex values and just try and see what it is in decimal and can we just enter that in again so here's the oh that's not the decimal the decimal value is going to be too big for us to convert we could try this text value here let me just let me just run through the program again we need to enter in our decimal value that we got previously just copy and pasted that there and now let's try and enter in this text value that we got and you'll see that the string length has come back okay so it made it went through that check all right um but whenever it gets the string and compare it's not getting the correct value and it's actually telling us that the correct value that's looking for is seven seven five nine and this is the value that we have so i want you just why don't we just take a copy of this string instead and we'll run through this again well first we need to do our square root again so i'm just going to copy that and let's paste that in and let's try and enter in the string that they're looking for we paste that in and although we've entered in the correct string it's compared it to this string here which they look the same right there but whenever it's doing that our strings changed a bit so we now have seven six six one two eight seven which is not correct um essentially this is down to an overflow so the values not going to fit inside a 64-bit variable the number a decimal number which we saw as well here's on uh ascii to x if we have a look at the code from here we have so we know that we want to try and get this to match and this will get gets the final question if the string comparison comes back and says that it didn't match which for us it didn't we're in a while loop here so it's going to go down to the bottom and then it's going to go through this loop right here so we can see here it's actually going to check if the each of the values is between 0 and 9 so it has to be decimal values and then we have a second question function here which is doing some stuff as well so we need to try and work out what's what's going on here and this is the bit that i really struggled with so a good idea if you're doing stuff like this engine is to go and try and rename some of these variables to try and make it make a little bit more sense i might change the param to user input we might want to change the loop counter just depending on what you used to see in loop size i'm going to change that to i uh we have our local 38 here this is the correct password so we could say correct part one and do the same here part two part three we have our string length so we can update that and say there is the past length and we can basically keep going through in this fashion some of them we have to be a little bit careful about for example this ivar 2 is going to be the result of the string compare so we might say here um correct and then if it's zero it's correct if it's one it's incorrect but if we do that you'll see it also modifies these down here because that's essentially used as a temporary variable variable so you could just leave that as it is you could change it something else if you used to see it if you're used to using like a temp variable as your placeholder but really or the important part is this function down here there's not too much happening in this second question function so you could you know what i actually did here was take some of this code over to initially if we take some of this code here and copy it to let's open up codium paste that in and you could go through here and we know that the second question function is taken in this user input why don't we just go back to just so we can keep this all on one screen we could take this here and say instead of calling second question function we'll call that function and we'll pass in the same parameters so you can see here param one and param two that would actually be this one right here and then this one right here would be the param two and that means we can just get rid of that line altogether you could take away some of these things the in conversions just to try and make it a bit cleaner so it's a bit more readable and then similarly you have some things here like plus minus 0x30 so you might want to just change that to minus um we could do the same sort of thing around here get rid of that plus uh etc you might also want to convert these from hex to decimal if you're used to seeing them more like that and you could go through in that fashion i was having some problems even after decoding this i decoded this or created some pseudo code for this quite a bit simpler than what we have here but still uh we're struggling to identify how to solve it essentially what we know here is that it's taking the user input but it's also taking our user input plus one so it's taking the first character and then it's using the second character in our in our input to update the character so each character that we put in our input is going to affect the the next character if that makes sense um so i didn't actually get past this part of the question it was a teammate who solved this who identified the correct string to enter here they used ida pro which they found a little bit easier to recreate the code in python so you can have a look at the ida pro code here we have our second question function you can see in here we've got a second question function to me it's still not particularly um easy to read or understand but um let's go and have a look at how this was turned into some python code again this was a teammate who did this i've just renamed some variables to make it a little bit clearer let's go and take a look so we have a crack.py file here we know that the value we need this to equal is this value right here because that's a string comparison that's being done and essentially what we're going to do is we're going to start off with a seven and we're just going to try and brute force this so we get the rest of our characters built up and that's exactly what's happening here so we're going through the loops we have our current character and the next character and then this condition here is basically just running through what we have in uh ida pro so if we if we execute this we can run python crack dot py it comes back with this value here and it's telling us that this value is what we need to enter in order to is what we need to enter here in order to produce this target value so let's go and try it let's do uh um alien math let's put in our first value which was the random value let's grab our cracked value that we need to put in here for the second part and that gets us to the final question so you can see that the string comparison went through and there was no issues and the last question then let's go to our gear draw again if we go to our final question here there's not too much happening so it's basically just taking an input and this is where our buffer overflow is so there's no conditions or anything that we need to meet here what we want to do is we want to force this to jump to our print flag function which there's nowhere this is actually called if we have a look at show references too we'll see that it's not called anywhere in a program uh so what we need to do let me go back to the third final question so we need to overflow the buffer here so it's taken an input from us it's not checking whether the input that we're going to provide is going to fit into the variable and we want to make sure that we overwrite the return address so whenever it gets down to this return instead of returning to the function which called it it's going to return to this function which we're going to provide not that function the print flag function which we're going to provide the address of so you could provide the address you can go in here and just look for the address we could open up um let's open up gdb actually open up gdb phone debug and in here we could have a look at info functions we could see that this let me make this a little bit clearer we could see that the print flag function is 4014 fb and that's the that's where we want to jump to we could even test this out locally so if we go run locally go ctrl and c and just say jump to zero x oh jump to star zero x that jumps to that function but obviously we don't have the flag locally so we're not going to be able to control the execution in gdb whenever we're testing this remotely um what we need to do now is identify how many bytes do we need to write here in order to where's the final question how many bytes we need to write here to overflow the buffer and actually overwrite this return address so let's calculate that offset in gdb if we go back and i'm going to run this i'm going to put in the correct value for the first part i'm going to put in the correct value for the second part and now i'm going to do is i'm going to hit ctrl and c to pause it i'm going to generate a cyclic pattern of 100 bytes and i'm going to copy that i'm going to continue the execution i'm going to paste in those bytes and we've crashed the program so now we want to find out what made it crash where were the where did the bytes that we entered end up and you can see right here that although we don't have the address here in the rip we have the these first four bytes are going to be the bytes which would end up in the in the rip if it was a valid address so now we can try and identify where those those are so we'll do cyclic l to look them up paste that in and we'll see that it's 24 bytes so we need to write 24 bytes and then the address of the print flag function and that should give us the buffer overflow and it does so let me open up the code that we have to do that we'll open up solve.py and this is the usual template that i use for phone challenges let me just talk through this a little bit before we jump down into the exploit code essentially we provide our binary file name here and this is just going to take care of making sure that any payloads we set up will use the correct format so that it's going to find out the architecture the bits the operating system etc this is going to set our login levels we can change this from warning to info to debug depending how much info we want to see and here is just our starting function so to make it quite easy to swap between running the program locally running it with gdb and running it remotely we just have this helper function here and then we have a script that we can set up so i was actually trying to debug this previously you can see a setup breakpoint at the second question function and i was trying to step through with gdb to try and see if it was any easier than manually going through that uh that code but it really wasn't for me anyway um so without the way let's have a look at the actual code here we start the program it's going to ask us what's the square root and we know that the square root is this value right here it's going to ask us the second question we've just calculated that we could actually go and just take this code here and paste this into our solve script to make it all all in one but i've just copied that over and then we identified already that our offset was 24 bytes we did that in gdb so now we can just say we want to create a payload and at 24 bytes in we want to inject the address of the print flag function which we don't have to actually put the print flag function we could go and copy and paste the actual address but um since pwntools has access to our binary it's able to go and find out what functions are there and what addresses they resolve to and that's it it's going to ask us final question and we're going to provide the payload as an answer and then we're just going to go into interactive mode and see if we've got a shell in this case it's actually just printing out the flag so we could just set this up just to read and print the flag but this will be fine let's go and try it so if you run python solve dot py you can see because we have debug mode on it's given us plenty of information let me actually just show you if we go back and set that to info and run it again we get a lot less information but if you want to see what's going back and forward between the server we can change that to debug and change that back and now because we've got this handy template which is going to allow us to swap between gdb and local and remote very easily all we have to do to go and test this remotely is going to grab the server address and port number and then we can just run the exact same command python solve but we'll put in remote putting the server in the port and then run that and we'll get back our flag and that's been the seesaw qualifying round of the limited challenges that we managed to solve hope you enjoyed the video any questions comments leave them down below thanks

Info

Channel: CryptoCat

Views: 1,772

Rating: undefined out of 5

Keywords: csaw, CSAW, csaw21, OSIRIS, NYU, Tandon, jinja2, ssti, sqli, ICS, modbus, bacnet, johntheripper, hashcat, salt, lfi, wireshark, tshark, network traffic, traffic analysis, buffer overflow, ret2win, ctf, capture the flag, hacking, wargames, writeup, walkthrough, tutorial, infosec, reversing, reverse engineering, assembly, reveng, crypto, stego, misc, forensics, web, pwn, exploit, security, cyber-security, ida, ghidra, pwntools, malware, learn, hacker, cyberchef, debugging, gdb, pwndbg, pen-testing, disassembly, python, hackathon, offsec, oscp

Id: 1Dw21NoxXjE

Channel Id: undefined

Length: 81min 20sec (4880 seconds)

Published: Mon Sep 13 2021