Difference between revisions of "CTF-practice-evening:2014-01-27"

From Technologia Incognita
Jump to: navigation, search
 
(11 intermediate revisions by the same user not shown)
Line 15: Line 15:
 
* Link to the Tech Inc [[TechInc-CTF-Scoreboard | Challenge Website Scoreboard]]
 
* Link to the Tech Inc [[TechInc-CTF-Scoreboard | Challenge Website Scoreboard]]
  
= Comments about the PhDays CTF =
+
= Retrospective on the PhDays CTF =
  
 
* We think that our first CTF went fantastic!  :-)
 
* We think that our first CTF went fantastic!  :-)
Line 44: Line 44:
 
** If you go to sleep, or are unavailable, put your partial results in the Etherpad
 
** If you go to sleep, or are unavailable, put your partial results in the Etherpad
  
* knuffelhackers.nl - who owns itCan we use it?
+
* knuffelhackers.nl - The JinX owns it. Can we use it?
 
* @knuffelhackers on Twitter?  Is it available?
 
* @knuffelhackers on Twitter?  Is it available?
  
Line 64: Line 64:
 
= Walkthrough from PhDays (FreeBDSM - Dimitris) =
 
= Walkthrough from PhDays (FreeBDSM - Dimitris) =
  
* Gaining access to the VM: Put the box in single user mode, modify grub to add init=/bin/sh
+
* Gaining access to the VM:
 +
** Put the box in single user mode, modify grub to add init=/bin/sh
 +
** This gives us a root shell - we need to change the root PW, but there's a file preventing this from happening
 +
** /etc/shadow - there's the user 'user'
 +
** You can substitute the hash with a hash from your own box
 +
** But in this case, it was dumber than that -- the credentials were user, user
 +
**.pwd.lock was preventing the PW from being changed
 +
** Now we'll reboot and login as user
 +
 
 +
* Looking for a kernel module
 +
** Elevate the privileges with sudo -s
 +
** Find the process that is listening - this is where things get weird (netstat -antpo doesn't show anything!)
 +
** If you use net cat to connect to an arbitrary port, it asks for a "passport"
 +
** There's nothing listening that it related to the challenge
 +
 
 +
** He listed all of the kernel modules loaded in the system
 +
** lsmod - there's a module called root, that is weird!
 +
** modinfo root - didn't show any information, while this works for the other modules
 +
** modprobe -v root - -f(?) should return the path
 +
** He went to /sys/modules (has information about kernel objects) - root is there!
 +
** There's files directly hooked to the kernel there
 +
** We're interested in sections - there's all kinds of stuff in there for helping us debug
 +
** These are the segments of the kernel module
 +
** We get offsets from .data and .text
 +
** He needed to install openssh-server and gdb
 +
** He's sshing into the box now..
 +
** How he can see stuff running in netstat (but it's hiding port 12345)
 +
** He's attaching a debugger to the kernel
 +
** gdb /vmlinuz /proc/kcore
 +
 
 +
** He's opening another session to send some interesting symbols
 +
** grep root /proc/kallsyms (call all the symbols within the kernel)
 +
** You can see the symbols with the name of the module
 +
** All of the things w/ [root] are loading from the rootkit
 +
** We can guess what the root kit is doing from the names
 +
** You can view the strings in the data segment
 +
** There's data with the name 'key'
 +
** There's another interesting symbol in the bss section: 
 +
** He has to create a file called leave_me_alone
 +
** This reveals a binary phd_service_enc
 +
** The text section (you can view in the disassembly) is scrambled
 +
** When it's started it hooks nano sleep
 +
** (You can see this with strace)
 +
** He checked the plt section w/ objdump  (functions of the dynamic library used)
 +
** He included syslog in the implementation of strcmp, compiled it as a shared library, and copied it to /etc/ld.so.preload
 +
** We can do, ls and check in syslog that it's working
 +
** He rebooted the system and it will be writing a lot in the syslog now…
 +
** Now if you netcat to 127.0.0.1 12345, you can see tons of entries in the syslog
 +
 
 +
* Dimitris will post a proper writeup for this later!

Latest revision as of 21:30, 27 January 2014

CTF-practice-evening:2014-01-27
Date 2014/01/27
Time
Location Tech Inc
Type Workshop
Contact Melanie

Capture The Flag evening - Part 5

  • 27 January, 2014 - 8 PM
  • Please bring along a laptop with you!!!

General CTF Info

Retrospective on the PhDays CTF

  • We think that our first CTF went fantastic!  :-)
    • We should be proud of ourselves!!!!
  • Repository of tools: VMs (Architectures: Linux and Windows, 64-bits), Tools: IDA Pro, Burp, Selenium)
    • (Brainsmoke has some VMs already prepared)
    • There's a few servers and shared storage here at Tech Inc
    • (Wizzup administers it.) - it's not really safe though. We're better off maintaining our own infra
    • We can run our own server w/ Etherpad, etc…
    • If I can't get a server, we can rent a VPS for 15 Euros/year.
    • Several people also have their own VPS systems and/or VMs
  • For attack-defense CTFs, we still need a stepping stone server
  • We need to structure the Etherpad better
    • We should setup our own Etherpad
    • You can create an Etherpad manager
    • We should archive the pads somehow in either case…
  • Coordination
    • We should make a quick inventory of what challenges are available, and what skills they require
    • We should put our name next to the challenge that we're working on
    • IRC also helps with coordination
    • We could write up a quick skills DB of who knows what
    • Then we could use IRC to ask people if they can work on something
    • We can pass off partially finished challenges to other people with different skills when needed
    • If you go to sleep, or are unavailable, put your partial results in the Etherpad
  • knuffelhackers.nl - The JinX owns it. Can we use it?
  • @knuffelhackers on Twitter? Is it available?
  • Archiving
    • A git repository helps (for challenges almost solved, pads, etc…)
  • Private mailing list and IRC, for single individual CTFs
    • A password protected IRC channel is low-hanging fruit
  • It's also nice to have a blog for posting write-ups afterwards

Other ideas

  • Team Knuffelhackers is registered on CTFtime.org now.. feel free to add yourselves!
  • Brainsmoke should give a presentation on his taint tracker some evening
  • We should have an evening where we play with Selenium
  • Next CTF: Codegate Preliminary (Feb 22 4 PM - Feb 23 4 PM) - http://ctf.codegate.org/html/Main.html?lang=eng

Walkthrough from PhDays (FreeBDSM - Dimitris)

  • Gaining access to the VM:
    • Put the box in single user mode, modify grub to add init=/bin/sh
    • This gives us a root shell - we need to change the root PW, but there's a file preventing this from happening
    • /etc/shadow - there's the user 'user'
    • You can substitute the hash with a hash from your own box
    • But in this case, it was dumber than that -- the credentials were user, user
    • .pwd.lock was preventing the PW from being changed
    • Now we'll reboot and login as user
  • Looking for a kernel module
    • Elevate the privileges with sudo -s
    • Find the process that is listening - this is where things get weird (netstat -antpo doesn't show anything!)
    • If you use net cat to connect to an arbitrary port, it asks for a "passport"
    • There's nothing listening that it related to the challenge
    • He listed all of the kernel modules loaded in the system
    • lsmod - there's a module called root, that is weird!
    • modinfo root - didn't show any information, while this works for the other modules
    • modprobe -v root - -f(?) should return the path
    • He went to /sys/modules (has information about kernel objects) - root is there!
    • There's files directly hooked to the kernel there
    • We're interested in sections - there's all kinds of stuff in there for helping us debug
    • These are the segments of the kernel module
    • We get offsets from .data and .text
    • He needed to install openssh-server and gdb
    • He's sshing into the box now..
    • How he can see stuff running in netstat (but it's hiding port 12345)
    • He's attaching a debugger to the kernel
    • gdb /vmlinuz /proc/kcore
    • He's opening another session to send some interesting symbols
    • grep root /proc/kallsyms (call all the symbols within the kernel)
    • You can see the symbols with the name of the module
    • All of the things w/ [root] are loading from the rootkit
    • We can guess what the root kit is doing from the names
    • You can view the strings in the data segment
    • There's data with the name 'key'
    • There's another interesting symbol in the bss section:
    • He has to create a file called leave_me_alone
    • This reveals a binary phd_service_enc
    • The text section (you can view in the disassembly) is scrambled
    • When it's started it hooks nano sleep
    • (You can see this with strace)
    • He checked the plt section w/ objdump (functions of the dynamic library used)
    • He included syslog in the implementation of strcmp, compiled it as a shared library, and copied it to /etc/ld.so.preload
    • We can do, ls and check in syslog that it's working
    • He rebooted the system and it will be writing a lot in the syslog now…
    • Now if you netcat to 127.0.0.1 12345, you can see tons of entries in the syslog
  • Dimitris will post a proper writeup for this later!