Capture The Flag evening - Part 4

• 13 January, 2014 - 8 PM
• Please bring along a laptop with you!!!

General CTF Info

• See the page for the Ctf-evenings
• Link to the Tech Inc Challenge Website Scoreboard

Our 1st CTF

• Positive Hack Days (PhD) qualifier
  • 48 hours: Jan. 25, 2014, 8 a.m. — Jan. 27, 2014, 8 a.m.
  • http://quals.phdays.ru/

• Let's meet at Tech Inc on Saturday
  • Jan 25 - 10 AM
  • TODO: Add to Tech Inc event list
  • Sunday is the Tech Inc ALV, so things won't be as organised that day..

• We are now registered for the Positive Hack Days, as team Knuffelhackers
• See: http://knuffelhackers.nl

• Stuff to prepare
  • Stepping stone box (for storing tools, and allowing lots of people access)
  • Edit pad - etherpad or https://quadpad.lqdn.fr
    • We will want to archive this afterwards, for write-ups and stuff
  • IRC channel - create a password-protected #techinc-ctf channel
• We have a mailing list already - http://technologia-incognita.nl/cgi-bin/mailman/listinfo/ctf

Web hacking!!!!

• Julius is talking about OWASP and Web Hacking this evening
  • Topics: brute force, SQL injections, Network eavesdropping, XSS, Session hijacking

• Afterwards, Stef did some web hacking demonstrations, using Certified Secure
  • Challenge: Herman Vluchtbeveiliging
    • Add a single quote at the end of a URL to see if it breaks
    • Can we request a specific page? Example: pagina=/etc/passwd
    • This doesn't work, but we get enough information to be able to see where it's located in the filesystem
    • With some directory traversal, we can dump the password file
  • Challenge: Security Shop
    • We can exploit the Search Product field
    • Once again, we want to cause an error that gets information from the backend.. we can use a single quote again
    • This indeed gives us the SQL query, including part of the database schema
    • You can use UNION to concatenate two adjacent tables
    • We can try using UNION SELECT 1 --
    • We can see from the error message that the UNION isn't matching up with a table w/ 5 columns
    • We can now try using UNION SELECT 1,2,3,4 --
    • Another query that works often is VERSION()
    • If we replace 3 with VERSION(), we can now see the Ubuntu version running
    • USER() also leaks information
    • Trial and error works pretty well here… we need to select things from other tables.. we can guess what these tables might be called
    • You can query the password this way

Informational Links

• https://www.owasp.org/index.php/Category:Attack
  • https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
  • http://w3schools.com
  • http://yehg.net/lab/#toolbox
• https://hackvertor.co.uk/public

Web-Hacking Wargames

• https://www.certifiedsecure.com - Start with this one!
• OWASP Web Goat (requires setting up a VM)
  • https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Web hacking stand-alone SW
  • http://tostercrums.blogspot.nl/2011/11/running-webgoat-owasp-in-ubuntu-vm.html - Installation advice
  • http://webappsecmovies.sourceforge.net/webgoat/ - solutions
• http://www.hackthissite.org