InCTF 2015 First Round Question

Welcome to the first round of InCTF 2015. All the tasks listed here are mandatory unless specified otherwise, and they will be evaluated and graded. The grade obtained will be counted to decide the final winners. You can work as a team in such a way that each team member focuses on a particular area (like web, reversing or binary). These exercises will be a great help for beginners who have no prior experience in participating in Capture the Flag (CTF) security competitions, so if you are a beginner, make sure that you complete all the tasks. You need to document your work, and this can be done in LaTeX. The documents should be submitted in PDF format.

Getting Started !!!

In order to make your participation exciting, it would be great if you familiarize yourself with the Linux environment. The first step towards that would be to try and install a Linux operating system (any flavour of Linux like Ubuntu, Fedora etc. will do) on your machine. Don't worry if you have not installed an operating system before; now it is your chance to do it. And if you worry that you will crash your computer, you can try the installation on a virtual machine. So download virtual machine software and install it on your computer; it will provide a virtual environment where you can try the operating system installation. Do read more about virtual machines, it will be of great help, and Google is your friend for finding the right resource.

Hopefully you have now installed a Linux operating system on a virtual machine or a real machine; next you need to learn how to use it. Linux commands let us use the various features of the Linux operating system and make it easy to interact with it. You need not learn all the Linux commands by heart, but you do need to make yourself familiar with at least a few important, commonly used commands: creating a file, listing your running processes, searching for files in a directory using grep, and so on.
The best way to learn is by doing: Bandit from OverTheWire provides a platform to work out various Linux commands through a challenge-based approach. The challenges are distributed into various levels, and you need to complete up to level 22; additional bonus points will be given to those who are able to crack all the challenges.

A good computer security engineer is one who has mastered various computer skills. They need to understand a piece of software inside and out to find its flaws and fix them. Without being a good programmer you cannot become a good computer security engineer. If you feel that you are not good at programming, don't worry, we have a set of tasks for you.
Programming Tasks

1. Log in to Code Academy and start doing the Python track (this is not a mandatory task).
2. Register yourself in Topcoder and do the following SRMs:
   a. SRM-147: Caesar Cipher
   b. SRM-249: Chat Transcript
   c. SRM-405: Falling Factorial Power
   d. SRM-425: Inverse Factoring
   e. SRM-470: Linear Travelling Salesman
   f. SRM-484: Number Magic Easy
   g. SRM-505: Sentence Capitalizer Inator
   h. SRM-506: Slime X Slime Rancher 2
   i. SRM-519: WhichDay
   j. SRM-526: 5 Magic Stone Stores
   k. SRM-529: Pairing Pawns
   l. SRM-537: KingXNewBaby
   m. SRM-542: Working Rabbits
   n. SRM-546: Contest Winner
   o. SRM-548: Kingdom And Ducks
   p. SRM-551: Colorful Bricks
   q. SRM-557: Great Fairy War

Register yourself on the Topcoder website and then download the Topcoder Arena to work on the SRM questions. The challenges are from DIV 2 of the SRMs and are quite simple, even though it will take a while to solve the first problem.
Web Application Security

Welcome to Web Application Security. To become good at web application security concepts, you need to complete the following exercises.

Task 1: This task is for those who don't have any prior experience with web application development. In order to better understand web application security concepts, you need to know how to develop a good web application. Don't worry if you have not made one; there are lots of resources which will help you learn it. Go to Codecademy and complete the following tracks: PHP, JavaScript and HTML. The estimated time to complete these tracks is 21 hours, and they will give you the basic knowledge that is needed to develop a web application.

Task 2: Web applications use databases to store their data, and it is important to have a basic understanding of databases. Security vulnerabilities like SQL injection are related to databases, and without understanding them you will find it hard to understand injection attacks on web applications. Complete the following SQL tasks to get a basic understanding of Structured Query Language, which is used to query databases.

Task 3: You need to complete a few tasks from Natas on OverTheWire, which will teach you some basic server-side web security. There are a total of 23 levels; you need to complete at least 10 levels, and each additional level completed will be awarded bonus points.

Task 4: Read about the OWASP Top 10 web application security vulnerability list.

Task 5: Now you are familiar with some of the top web application security vulnerabilities. But theoretical knowledge alone will not help; you need to practice a few challenges from root-me.org. Before you start, you need to register with root-me.org.
   a. http://www.root-me.org/en/Challenges/Web-Client/
   b. http://www.root-me.org/en/Challenges/Web-Server/

Task 6: Set up DVWA on your local machine. DVWA (Damn Vulnerable Web Application) is a web application which aids security professionals in testing their skills and tools in a legal environment. There are various skill sets that you can work on, like SQL injection, Cross Site Scripting, File Upload vulnerabilities etc. Try out each and analyse the code which has led to the vulnerabilities. Details regarding the setup are given here: https://github.com/RandomStorm/DVWA
Networking Tasks

1. Do learn the following tasks by trying them on your machine.
   a. Create a Linux virtual machine using either VMware or VirtualBox. Make sure you are able to ping between the machines. Now you need to log in to your guest machine from your host machine. How will you do that? [Hint: ssh]
   b. Now you are going to copy a file from your host machine to your guest machine. How are you going to do that? [Hint: install openssh-server in both machines and use scp]
   c. In the above 2 tasks, when you did ssh or scp, it prompted for a password. How are you going to log in without giving a password every time?
   d. You are asked to block access to facebook.com from your machine! How are you going to do that? Elaborate. (Hint: use iptables)
   e. Now, without using scp, how are you going to copy several files to your guest machine? Is it possible to copy the files securely? (Hint: nc, ftp, sftp)
   f. Try to capture the traffic from your machine using Wireshark. Now imagine this scenario: while capturing the traffic, all of a sudden your GUI crashed and you have access only to a controlling terminal (tty). What are the tools necessary to capture the network traffic? Explain the steps.

2. Download the pcap and answer the questions.
   a. A fellow from SBI bank has uploaded a QR code image which contains an authentication code to access the vault. Somehow one of our secret agencies was able to intercept the traffic, which includes the QR code as well. We are now struggling to retrieve the QR image to get the authentication code. Can you help us?
   b. I deleted a confidential file which I'm supposed to hand over to my officer. But I remember transferring it 2 days back to one of my office machines using an FTP client. I have captured the packets as well. Are you able to get the confidential file?
   c. One of our clients reported to us saying that they have intercepted a conversation between one of their employees and the adversary company. He is quite unclear about the employee's intention. Did he really leak any confidential information? Assuming the answer is yes, then, what is the secret information transferred by the employee?

Other Resources: Try to solve some of the challenges given in this link: http://www.root-me.org/en/Challenges/Network/
Binary Tasks

Binary Exploitation: Binary exploitation is the art of bending a computer program to your will. Debuggers and disassemblers are mostly used in this task. On completing these tasks, one will be able to understand the basics of buffer overflow, format string, heap overflow and return oriented programming.

Part 0: Weaknesses and Vulnerabilities in GNU/Linux: GNU/Linux is commonly used for program development, and InCTF wishes that the participants should have a reasonably thorough understanding of local attacks against GNU/Linux systems.
Tasks:
1. Solve
2. Solve up to level 10 in Nebula and up to level 5 in io.smashthestack.org

Part 1: Buffer Overflow: In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety.
Tasks:
1. Read Aleph One's Smash The Stack article
2. Solve some of the Overflow challenges from 2013 picoCTF
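As an added illustration of the Part 1 definition (example code written for this page, not part of the task sheet or of any linked challenge), here is the classic stack buffer overflow in C beside a bounds-checked rewrite; the buffer size and the inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Vulnerable form: strcpy() keeps copying until it meets the NUL terminator,
 * so any input longer than NAME_LEN - 1 bytes runs past the end of `name`
 * and overwrites whatever sits next to it on the stack (saved registers,
 * the return address). This is the overrun the Part 1 definition describes. */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);   /* no length check */
    printf("hello, %s\n", name);
}

/* Hardened form: copy only if the whole string plus its terminator fits.
 * Returns 1 on success, 0 if the input was refused; the caller then handles
 * the error instead of the program silently corrupting memory. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* never scan past dst_len */
        n++;
    if (n == dst_len)                        /* too long, or dst_len == 0 */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Safe version of greet_unsafe(): refuses over-long input rather than
 * truncating it silently, which would only hide the bug behind another one. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (!copy_bounded(name, sizeof name, input)) {
        fprintf(stderr, "input too long (max %d bytes)\n", NAME_LEN - 1);
        return 0;
    }
    printf("hello, %s\n", name);
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    greet_safe("inctf");
    greet_safe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* 32 bytes: refused */
    return 0;
}
```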
Part 2: Format string attack: A format string exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviours that could compromise the security or the stability of the system.
Tasks:
1. Read the white paper on Exploiting Format String Vulnerabilities from Stanford.
2. Solve some of the Format string attack challenges from 2013 picoCTF
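As an added illustration of the Part 2 definition (example code written for this page, not part of the task sheet), a logging routine that hands user input to printf() as the format beside the corrected call, plus a small audit helper that counts the conversion directives an untrusted string would trigger. The log messages are constructed for the example.

```c
#include <stdio.h>

/* Vulnerable form: the caller's string becomes the FORMAT argument, so any
 * '%' directives in it are interpreted by printf(). A message such as
 * "%x %x %x" makes printf() read values off the stack that were never passed
 * to it; this is the "input evaluated as a command" that Part 2 describes. */
void log_unsafe(const char *msg)
{
    printf(msg);           /* user data used as the format string */
    printf("\n");
}

/* Hardened form: the format string is a constant controlled by the program;
 * the user data is only ever a %s argument and is printed verbatim. */
void log_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Audit helper: count how many conversion directives printf() would act on
 * if `s` were used as a format string. A literal "%%" prints one '%' and is
 * not a directive. A non-zero result for user-controlled data is the signal
 * that it must never reach printf() as the format argument. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign, skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs. */
    const char *benign = "download 100%% done";
    const char *hostile = "%x %x %x %x";

    printf("benign directives: %d\n", count_directives(benign));   /* 0 */
    printf("hostile directives: %d\n", count_directives(hostile)); /* 4 */

    log_safe(hostile);     /* prints the literal text "%x %x %x %x" */
    return 0;
}
```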
Part 3: Heap Overflow: A type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at runtime and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.
Tasks:
1. Read this blog post
2. Solve some of the heap overflow problems in Protostar and Fusion

Part 4: Return Oriented Programming (ROP): ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing.
Tasks:
1. Read this tutorial on ROP
2. Solve some of the ROP challenges from 2013 picoCTF
Reverse Code Engineering Tasks

Reverse code engineering is the art of deducing what a program does by inspecting the assembly instructions that are executed by the processor. Disassemblers and debuggers are particularly useful in this task. On completing the following tasks, you will be able to read x86 assembly code and understand which higher-level statements (e.g. conditionals, loops etc.) particular sequences of instructions correspond to. There are 3 parts: x86 assembly programming, basic reverse code engineering and slightly advanced reverse code engineering tasks. A few suggestions for what to do next are also provided.

Part 1: Assembly programming

1. Listen to the IntroX86 video lectures from Open Security Training.
2. Read the sample x86 assembly Hello World program (hello-world-libc.asm) provided. Ensure that you understand the purpose of every statement in the program from the comments. Also, do the following and explain what happened (if applicable).
   a. Delete line 14, compile and run the program.
   b. Delete line 21, compile and run the program.
   c. Delete line 29, compile and run the program.
   d. Delete line 32, compile and run the program.
   e. Delete line 34, compile and run the program.
   f. What do “.text” and “.data” signify? Are there others like these two?
3. Complete the following programming assignments. You are not required to submit solutions to these assignments, but we highly recommend completing them, since you will learn valuable lessons that will be useful in reverse code engineering.
   a. Print the area of a rectangle whose dimensions are obtained from the user.
   b. Accept an age from the user and display whether the person is eligible for voting. A person 18 years or older can vote.
   c. Accept a number from the user and display whether it is negative, zero or positive.
   d. Accept 3 numbers from the user and print the largest number.
   e. Display all even numbers between 1 and 1000.
   f. Print the Nth Fibonacci number (N is user input).
   g. Print the sum of N numbers. The user first specifies N and then provides each number.
   h. Write a program that prints the following pattern. Accept the number of stars in the base of the triangle from the user. The following is sample output for N = 5.

      *
      **
      ***
      ****
      *****

4. Read the sample Hello World program (hello-world-syscalls.asm) provided. Again, you could try the following on the Hello World program and try to understand what happened.
   a. Delete line 34, compile and run the program.
   b. Delete line 39, compile and run the program.
   c. Change 80h to 80, compile and run the program.
5. Optionally, you can rewrite the assignments to not depend on the C library and instead rely on system calls like the Hello World program. This is a difficult task, so don't be disheartened if you cannot do it easily!
Part 2: Reverse engineering (basics)

This section will give you some basic skills required in reverse code engineering.

1. Listen to the video lectures of the IntroRE course from Open Security Training (you can skip the last video if you want). We recommend that you attempt each level of the binary bomb before listening to the walkthrough in the video; the best learning happens when you try things out on your own first. The videos also cover basic usage of the IDA Pro free version and some additional useful information, so we recommend listening to them even if you solved the level on your own.
2. Solve the RPI bomb lab and send us the solution and a writeup describing how you solved it.
3. Submit a brief description of the various function calling conventions (a one-line description, a tabular comparison or any other form of representation you prefer). The descriptions should contain the essential details (you decide what is essential and what isn't).

Do not plagiarize from any source; please submit original solutions. We do not condone plagiarism and will take severe action against the offending team (including disqualification and bans).
Part 3: Reverse engineering (slightly advanced stuff)

In this section, you will learn some basics of using a debugger (gdb) and some other tools to get useful information from an executable. Use the file part3.out for the following tasks.

1. What is the address of the first instruction of function main?
2. How many hard-coded strings are present? How many are actually useful?
3. What is the address of the instruction that is executed first when the process starts? Is it the same as the first instruction of main?
   Hint: The first instruction is also referred to as the “entry point”.
4. Can you determine the first two arguments passed to main when the program is executing?
   Hint: Set a breakpoint at function main and recall function calling conventions.
5. The second argument of main seems to be some kind of pointer. How can you view the values it is pointing to from within the debugger?
6. How can you view the current values of all the registers?
7. The function main seems to be calling some other function. Can you determine which one it is?
   Hint: Try to view the assembly code for main from within gdb.
8. How can you view only the first 3 instructions of the function main?
9. Gdb displays the disassembly in AT&T syntax, but you probably learnt the Intel syntax earlier. How do you ask gdb to use the Intel syntax?
10. What is the return value of the function that is invoked in main?
    Hint: Recall function calling conventions.
11. If you run the binary from within gdb, you will notice that it complains about a debugger being used. How did the process find out it is being debugged?
12. Can you modify the binary to not complain about a debugger being used? You will have to modify some instructions in order to achieve this.
13. What is the return value of the function main after finishing step 12?
Part 4: Next steps

Here are some possible next steps that could be taken after completing the above tasks. They are not listed in any particular order.
1. Learn the x86-64 and ARM assembly languages from Open Security Training.
2. There are some interesting resources and exercises available from Hack-Night, run by the ISIS lab, NYU Polytechnic School of Engineering.
3. radare is an excellent suite that aids in reverse code engineering. It consists of a disassembler, a debugger and a scripting interface. rasm2 is an extremely useful tool that can be used to quickly assemble and disassemble instructions. See the documentation on the radare website for more on these.
4. Sometimes, executables are obfuscated or packed when distributed, for various reasons. While these operations can be undone, they slow down the process of reverse engineering the binaries. Explore some commonly used packers and obfuscators and how to undo their changes.
5. Solve crackmes and unpackmes on websites like crackmes.de.

Additional resources for reverse code engineering and x86 assembly programming
1. SecurityTube x86 assembly megaprimer
2. Hack-Night run by ISIS Lab, NYU Polytechnic.
3. Skull Security x86 assembly tutorial.
Digital Forensics Tasks

1. Learn about the following topics:
   a. Disk Forensics
   b. Timestamp analysis
   c. Log analysis
   d. Memory Forensics
   e. Network Forensics
   f. File signatures
2. Learn to use the following tools:
   a. Autopsy and Sleuthkit
   b. Foremost and Photorec
   c. Volatility
   d. Encase, FTK
   e. Wireshark
   f. Steghide, Stegdetect
3. Submit the solutions for the following tasks from picoCTF:
   a. Pickle Jar (Pico 2014)
   b. Intercepted Post (Pico 2014)
   c. Grep is still your friend (Pico 2014)
   d. Redacted (Pico 2014)
   e. Spoof proof (Pico 2014)
   f. Snapcat (Pico 2014)
   g. First Contact (Pico 2013)
   h. Space Port Map (Pico 2013)
   i. NAVSAT (Pico 2013)
   j. Pilot Logic (Pico 2013)
   k. Second Contact (Pico 2013)
   l. DDoS Detection (Pico 2013)

Other Resources:
1. Cyfor run by ISIS lab, NYU Polytechnic
2. Rootme

Note: You may also have to take a look at other tools and problems which are not listed above.
Other Resources: You will probably find the writeups for recent CTFs at the following links:
1. https://ctftime.org/
2. https://github.com/ctfs/write-ups

Contact Us!
Email: [email protected]
IRC: #inctf