Capture The Flag evening - Part 5

• 27 January, 2014 - 8 PM
• Please bring along a laptop with you!!!

General CTF Info

• See the page for the Ctf-evenings
• Link to the Tech Inc Challenge Website Scoreboard

Comments about the PhDays CTF

• We think that our first CTF went fantastic!  :-)
  • We should be proud of ourselves!!!!

• Repository of tools: VMs (Architectures: Linux and Windows, 64-bits), Tools: IDA Pro, Burp, Selenium)
  • (Brainsmoke has some VMs already prepared)
  • There's a few servers and shared storage here at Tech Inc
  • (Wizzup administers it.) - it's not really safe though. We're better off maintaining our own infra
  • We can run our own server w/ Etherpad, etc…
  • If I can't get a server, we can rent a VPS for 15 Euros/year.
  • Several people also have their own VPS systems and/or VMs

• For attack-defense CTFs, we still need a stepping stone server

• We need to structure the Etherpad better
  • We should setup our own Etherpad
  • You can create an Etherpad manager
  • We should archive the pads somehow in either case…

• Coordination
  • We should make a quick inventory of what challenges are available, and what skills they require
  • We should put our name next to the challenge that we're working on
  • IRC also helps with coordination
  • We could write up a quick skills DB of who knows what
  • Then we could use IRC to ask people if they can work on something
  • We can pass off partially finished challenges to other people with different skills when needed
  • If you go to sleep, or are unavailable, put your partial results in the Etherpad

• knuffelhackers.nl - who owns it? Can we use it?
• @knuffelhackers on Twitter? Is it available?

• Archiving
  • A git repository helps (for challenges almost solved, pads, etc…)

• Private mailing list and IRC, for single individual CTFs
  • A password protected IRC channel is low-hanging fruit

• It's also nice to have a blog for posting write-ups afterwards

Other ideas

• Team Knuffelhackers is registered on CTFtime.org now.. feel free to add yourselves!
• Brainsmoke should give a presentation on his taint tracker some evening
• We should have an evening where we play with Selenium
• Next CTF: Codegate Preliminary (Feb 22 4 PM - Feb 23 4 PM) - http://ctf.codegate.org/html/Main.html?lang=eng

Walkthrough from PhDays (FreeBDSM - Dimitris)

• Gaining access to the VM:
  • Put the box in single user mode, modify grub to add init=/bin/sh
  • This gives us a root shell - we need to change the root PW, but there's a file preventing this from happening
  • /etc/shadow - there's the user 'user'
  • You can substitute the hash with a hash from your own box
  • But in this case, it was dumber than that -- the credentials were user, user
  • .pwd.lock was preventing the PW from being changed
  • Now we'll reboot and login as user

• The Challenge
  • Elevate the privileges with sudo -s
  • Find the process that is listening - this is where things get weird (netstat -antpo doesn't show anything!)
  • If you use net cat to connect to an arbitrary port, it asks for a "passport"
  • There's nothing listening that it related to the challenge

• • He listed all of the kernel modules loaded in the system
  • lsmod - there's a module called root, that is weird!
  • modinfo root - didn't show any information, while this works for the other modules
  • modprobe -v root -