1 / 52

The challenges, the hurdles and the solutions

September’s CTF recap. The challenges, the hurdles and the solutions. Presenter: Dolev Farhi | dolev@dc416.com. September’s online CTF overview.

samanthahadley
Download Presentation

The challenges, the hurdles and the solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. September’s CTF recap The challenges, the hurdles and the solutions Presenter: Dolev Farhi | dolev@dc416.com

  2. September’s online CTF overview Capture the Flag is a type of a game where security professionals compete, either individually or in a team, to try and solve different security challenges. Common ones are in domains such as: Web, Forensics, Reverse Engineering and more.

  3. DC416 Online CTF Overview • Time Limit: 8 hours • Participants: up to 3 per team • Number of challenges: 11 • Number of teams registered: 10 • Level of excitement: Over 9000 • Players write ups: VulnHub Team (Harold Rodriguez @superkojiman) • https://github.com/VulnHub/ctf-writeups/blob/master/2016/defcon416/solution.md Ckannada Team (Zack Mullaly @zsck_) • http://zsck.co/2016/09/11/defcon-toronto-ctf-1/

  4. Just before kick off - nerd party on Slack (Contact us for a Slack invitation)

  5. Let’s go! Teams receive an email with a URL

  6. Let’s go! Server has ports 22, 80 and 5000 open

  7. Webserver index greets with this message:

  8. Binary to text

  9. The web page sources an obfuscated javascript file named ‘ob.js’ When deobfuscated, reveals the string: synt1{z00ap4xr} Running this string against a ROT13 decoder, gives the correct flag form: flag1{m00nc4ke}

  10. Enumeration is the key

  11. Challenge 2 http://galahad.dc416.com/staff

  12. Challenge 2 html source reveals a hidden href: “s.txt” with a list of base64 strings

  13. Challenge 2 Decoding the base64 file

  14. Challenge 2 passphrase:edward ? hmm... remember the NSA picture? Using steghide we can extract steganography data which reveals flag2{M00nface} and an interesting link

  15. Challenge 3 galahad.dc416.com/cgi-bin/vault.py?arg=message

  16. Challenge 3 The HTTP request must include a ‘Referer’ header of the nsa website in order to proceed

  17. Challenge 3

  18. Challenge 3 galahad.dc416.com/cgi-bin/vault.py?arg=

  19. Challenge 4 Back to nikto Browsing to /admin downloads a compiled .pyc file using uncompyle2 we can decompile the file back

  20. Challenge 4 enc.py contents

  21. Challenge 4 solution

  22. Challenge 5 Remember we also had port 5000 opened?

  23. Challenge 5 SECURITY THROUGH OBSCURITY 34343434 UDP

  24. Challenge 5 Port knock! Ports 20/21 opened!

  25. Challenge 5 FTP allows anonymous access and exposes 2 pcap files First pcap leads to a pastebin GET request

  26. Challenge 6 second pcap is a GET request to a link that resulted in 404 ...the jpg must be reconstructed from the packet

  27. Challenge 6 A nuclear plant with 3 coordinates and a hint: uid=500(nitro)

  28. Challenge 6 Let’s SSH! USER: nitro PASS: zeus

  29. TIC TAC TOE???

  30. Challenge 6 We capture the 6th flag s1xfl4gs and a hint.

  31. Challenge 7

  32. Challenge 7

  33. Challenge 7

  34. Challenge 7

  35. Challenge 7

  36. Challenge 7

  37. Challenge 8 Back to nikto

  38. Challenge 8 Basic authentication

  39. Challenge 8 img is an ext3 filesystem

  40. Challenge 8 lost+found is full of directories But one is interesting in particular

  41. Challenge 9 - The SQL injection that went wrong http://lancelot.dc416.com/webmail

  42. Challenge 9 - The SQL injection that went wrong http://lancelot.dc416.com/webmail

  43. Challenge 10 – The missing link

  44. Challenge 10 – The forgotten hint Getting a list of all instantiated classes classes=().__class__.__bases__[0].__subclasses__()

  45. Challenge 10 – The forgotten hint Anarchy mode

  46. Challenge 11 – Let’s pentest

  47. Challenge 11 – Let’s pentest

  48. Challenge 11 – Let’s pentest

  49. Challenge 11 – Let’s pentest

  50. Challenge 11 – Let’s pentest

More Related