Sometimes you have to get dirty, sometimes it’s fun to get dirty. No it’s not what might come to mind, it’s about the dirty business of information security: you have to break things to see if they are secure enough and to learn about weak points. But what to break? Your own systems? Someone else’s systems? Best is to stay clean when selecting your target for the dirty business (we talked about offensive security recently).
Most fun are “Capture the Flags” challenges, also known as war-games, which are frequently offered to the security community to test abilities and learn new stuff. I recently found a CtF challenge that looked quite fun and we started a 2-day session at the Metalab, the Hackerspace in Vienna with a group of 6 or 7 people with different core areas, knowledge and background but all them creative, motivated and proficient in their special field. A perfect team to attack a Ctf!
Stripe has published a Capture the Flag on Feb 22nd and it will be open for still a while, so if you want to test your hacking-skills: try it out. It’s most fun if you do it in a team. I don’t want to spoil the fun others so there will be no details, just some teasers to make you curious:
This was quite easy, although I have to admit that the others showed me how to do it. A suid executable was provided and the source code was available.
Teaser: what will happen, if you enter “date” at the system prompt? Are you sure?
Again, simple: A web based attack with the source code available.
Teaser: Just look carefully, what information is sent to the server. Is it secured?
This one was tricky, it’s time to refresh your C-skills. Source code available.
Teaser: If you can’t jump forward then go back, just make sure you land on the right spot!
Looks simple but it’s not easy to exploit, a small C-program which allocates a buffer. Again your C-skills are helpful and your knowledge of the memory layout (oh darn when you notice). And seek help from your friends on the internet -they have something what you need.
Teaser: The longer the slide, the bigger the fun -and again and again and again.
Oh boy, oh boy: a python client/server web-application. Source provided, looks good and robust. We didn’t find any insecure handling of user provided data. Oh wait…
Teaser: Can I have a side of pickles with that?
That took longer than expected, C-source provided. Char by char password compare, a pretty short buffer to exploit, actually it’s not exploitable. Input length validated etc… robust code. This took us longer than expected. We developed four approaches, two of them were not leading anywhere. But the other two were successful and we made a little race.
Teaser 1: If the channel you are watching is boring switch to another.
Teaser 2: If everything is happening too fast, can you make it halt?
__ (__) ||______________________________ || | || _ _ | || ___| |_ _ __(_)_ __ ___ | || / __| __| '__| | '_ \ / _ \ | || \__ \ |_| | | | |_) | __/ | || |___/\__|_| |_| .__/ \___| | || |_| | || | ||~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ || || || || Please enter your preferred handle: MetalabLoungeTeam Welcome, MetalabLoungeTeam! the-flag@ctf4:
I hope you will have as much fun as we did, as soon as the CtF is closed we will discuss the steps in detail.
Thanks again to the Stripe team for the CtF. A must for pen-testers and red teams.