Difference between revisions of "CTF-practice-evening:2014-01-27"
Latest revision as of 21:30, 27 January 2014
| CTF-practice-evening:2014-01-27 | |
|---|---|
| Date | 2014/01/27 |
| Time | |
| Location | Tech Inc |
| Type | Workshop |
| Contact | Melanie |
Capture The Flag evening - Part 5
- 27 January, 2014 - 8 PM
- Please bring along a laptop with you!!!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Retrospective on the PhDays CTF
- We think that our first CTF went fantastic! :-)
- We should be proud of ourselves!!!!
- Repository of tools: VMs (architectures: Linux and Windows, 64-bit), tools: IDA Pro, Burp, Selenium
  - (Brainsmoke has some VMs already prepared)
- There's a few servers and shared storage here at Tech Inc
  - (Wizzup administers it.) It's not really safe though. We're better off maintaining our own infra
  - We can run our own server w/ Etherpad, etc…
  - If I can't get a server, we can rent a VPS for 15 Euros/year.
  - Several people also have their own VPS systems and/or VMs
  - For attack-defense CTFs, we still need a stepping stone server
- We need to structure the Etherpad better
  - We should set up our own Etherpad
  - You can create an Etherpad manager
  - We should archive the pads somehow in either case…
- Coordination
  - We should make a quick inventory of what challenges are available, and what skills they require
  - We should put our name next to the challenge that we're working on
  - IRC also helps with coordination
  - We could write up a quick skills DB of who knows what
  - Then we could use IRC to ask people if they can work on something
  - We can pass off partially finished challenges to other people with different skills when needed
  - If you go to sleep, or are unavailable, put your partial results in the Etherpad
- knuffelhackers.nl - The JinX owns it. Can we use it?
- @knuffelhackers on Twitter? Is it available?
- Archiving
  - A git repository helps (for challenges almost solved, pads, etc…)
  - Private mailing list and IRC, for single individual CTFs
  - A password-protected IRC channel is low-hanging fruit
  - It's also nice to have a blog for posting write-ups afterwards
Other ideas
- Team Knuffelhackers is registered on CTFtime.org now. Feel free to add yourselves!
- Brainsmoke should give a presentation on his taint tracker some evening
- We should have an evening where we play with Selenium
- Next CTF: Codegate Preliminary (Feb 22 4 PM - Feb 23 4 PM) - http://ctf.codegate.org/html/Main.html?lang=eng
Walkthrough from PhDays (FreeBDSM - Dimitris)
- Gaining access to the VM:
  - Put the box in single user mode, modify grub to add init=/bin/sh
  - This gives us a root shell - we need to change the root PW, but there's a file preventing this from happening
  - /etc/shadow - there's the user 'user'
  - You can substitute the hash with a hash from your own box
  - But in this case, it was dumber than that -- the credentials were user, user
  - .pwd.lock was preventing the PW from being changed
  - Now we'll reboot and log in as user
- Looking for a kernel module
  - Elevate the privileges with sudo -s
  - Find the process that is listening - this is where things get weird (netstat -antpo doesn't show anything!)
  - If you use netcat to connect to an arbitrary port, it asks for a "passport"
  - There's nothing listening that is related to the challenge
  - He listed all of the kernel modules loaded in the system
  - lsmod - there's a module called root, that is weird!
  - modinfo root - didn't show any information, while this works for the other modules
  - modprobe -v root (with -f?) should return the path
  - He went to /sys/modules (has information about kernel objects) - root is there!
  - There are files directly hooked to the kernel there
  - We're interested in sections - there's all kinds of stuff in there for helping us debug
  - These are the segments of the kernel module
  - We get offsets from .data and .text
  - He needed to install openssh-server and gdb
  - He's SSHing into the box now.
  - Now he can see stuff running in netstat (but it's hiding port 12345)
  - He's attaching a debugger to the kernel
  - gdb /vmlinuz /proc/kcore
  - He's opening another session to look at some interesting symbols
  - grep root /proc/kallsyms (lists all the symbols within the kernel)
  - You can see the symbols with the name of the module
  - All of the things w/ [root] are loaded from the rootkit
  - We can guess what the rootkit is doing from the names
  - You can view the strings in the data segment
  - There's data with the name 'key'
  - There's another interesting symbol in the bss section:
  - He has to create a file called leave_me_alone
  - This reveals a binary phd_service_enc
  - The text section (you can view it in the disassembly) is scrambled
  - When it's started it hooks nanosleep
  - (You can see this with strace)
  - He checked the plt section w/ objdump (functions of the dynamic library used)
  - He included syslog in the implementation of strcmp, compiled it as a shared library, and copied it to /etc/ld.so.preload
  - We can run ls and check in syslog that it's working
  - He rebooted the system and it will be writing a lot in the syslog now…
  - Now if you netcat to 127.0.0.1 12345, you can see tons of entries in the syslog
- Dimitris will post a proper writeup for this later!
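The "looking for a kernel module" steps above compare what lsmod, /sys/module and /proc/kallsyms each say about loaded modules. The script below turns that into a repeatable cross-check; it is an added example, not part of the wiki notes or Dimitris's walkthrough, and it assumes the three views are handed in as files so that the constructed sample data (a module named "root" that is absent from the module list) runs offline.

```shell
#!/bin/sh
# Cross-check three kernel views of loaded modules. A module that appears in
# sysfs or carries symbols in /proc/kallsyms but is missing from /proc/modules
# (the list lsmod prints) has been unlinked from the module list and deserves
# a closer look. Sample data below is constructed, not taken from the CTF box.

# Module names from a /proc/modules-style file (first column of each line).
mods_from_proc() { awk '{ print $1 }' "$1" | sort -u; }

# Module names from a /proc/kallsyms-style file: symbols that belong to a
# loaded module end with a "[name]" tag; built-in kernel symbols carry none.
mods_from_kallsyms() { sed -n 's/.*\[\([^]]*\)]$/\1/p' "$1" | sort -u; }

# cross_check PROC_MODULES KALLSYMS SYSFS_LIST
# SYSFS_LIST holds one module name per line (on a live box: the directories
# under /sys/module that have a "sections" subdirectory, i.e. loaded modules
# rather than built-in ones). Prints "<name> <view>" for each module that a
# view knows about but the module list does not.
cross_check() {
  a=$(mktemp); b=$(mktemp); c=$(mktemp)
  mods_from_proc "$1" >"$a"
  mods_from_kallsyms "$2" >"$b"
  sort -u "$3" >"$c"
  comm -13 "$a" "$b" | sed 's/$/ kallsyms/'   # only in kallsyms
  comm -13 "$a" "$c" | sed 's/$/ sysfs/'      # only in sysfs
  rm -f "$a" "$b" "$c"
}

# demo: constructed sample data in which module "root" is gone from the
# module list but still has tagged symbols and a sysfs entry.
demo() {
  d=$(mktemp -d)
  printf 'ext4 737280 1 - Live 0xffffffffc0100000\nxor 24576 1 - Live 0xffffffffc0000000\n' >"$d/modules"
  printf 'ffffffff81000000 T _text\nffffffffc0100000 t ext4_sync_fs\t[ext4]\nffffffffc0200000 t hide_port\t[root]\nffffffffc0201000 d key\t[root]\n' >"$d/kallsyms"
  printf 'ext4\nroot\nxor\n' >"$d/sysfs"
  cross_check "$d/modules" "$d/kallsyms" "$d/sysfs"
  rm -rf "$d"
}

# Live usage (run as root so kallsyms shows real addresses):
#   ls -d /sys/module/*/sections | cut -d/ -f4 >/tmp/sysfs.txt
#   cross_check /proc/modules /proc/kallsyms /tmp/sysfs.txt
```

The demo prints "root kallsyms" and "root sysfs"; an empty result on a live system means the three views agree, which is necessary but not sufficient evidence that nothing is hidden.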