
Pasten: Capture the Flag

BSides TLV · 2019 · 47:03 · Published 2019-11
About this talk
Danny Grander and Yuval Ofir of the Pasten CTF team share their journey through competitive capture-the-flag competitions, recounting challenges from CCC CTF, Google CTF, and DEFCON CTF. The talk walks through specific exploits—including sandbox escapes, server-side request forgery, and reverse engineering—and contrasts Jeopardy-style CTFs with attack-defense variants, highlighting the different skills and strategies required.
Pasten - Capture the Flag - Danny Grander & Yuval Ofir BSidesTLV 2019 - Tel Aviv University - 24 June 2019
Transcript (en)

Hello everyone, and thank you all for coming. I'm Danny, I do security at Snyk, and this is Yuval. I'm from Claroty. Cool. Both of us are from a team called Pasten, and we are a much bigger team than the two of us. Today we're here to tell you some stories about how we started, about our journey in the CTF world, and to share some fun challenges that we encountered, and hopefully encourage you, if Gaea didn't do that enough, to play a CTF next time. So let's start. Most of you are familiar with what a CTF is and the different types of CTF there are, but still, we'll do a quick intro on what it is.

So a CTF is a security competition, capture the flag. There are basically two types of competitions: one is the Jeopardy style, the other one is attack-defense. A Jeopardy-style CTF is when all the teams have the same set of challenges. A challenge is something you need to solve, and when you do, you get points: you submit the flag from the challenge to the portal, to the organizer's system, and you get points. So you compete against the other teams by who solves more challenges; there is no direct interaction between the teams. An important thing is that you have six different categories of challenges: you would have crypto challenges, you would have pwn, which is exploitation, finding new vulnerabilities and exploiting them, you would have reverse engineering challenges, and web, and miscellaneous, just weird challenges like hardware and things like that. The attack-defense CTF has a limited number of teams, because the teams compete one against the other: each team has some services that they operate, and you need to protect those services against attacks coming from the other teams and at the same time attack the services of the other teams. That's why in this type of CTF you have a limited number of teams playing.

So now let us share some stories from the CTFs and how we started this journey. We're going to talk about three CTFs which are our favorites; here are the logos. The first one is the CCC CTF, the second one is Google CTF, and the last one is DEFCON. We don't have enough time, so I'll tell you the story behind our first CTF. A few words about the CCC CTF: it's a Jeopardy-style CTF, it's on-site, but you can also play it remotely, for the groups that are not doing it from the CCC. Sorry, I haven't explained about the CCC. I don't know if everyone is familiar with it: CCC is a conference that has been going on for like 35 years in Germany, there are like 15 thousand attendees and it's growing each year, and one event that happens as part of this conference is the CCC CTF. There are no prizes, and it takes 48 hours, from the first day at 8 p.m. to the last day at 8 p.m. The only thing we knew when we started the CCC CTF was that the flags look something like this.

We were four friends, like five or six years ago; we took vacation days from work to participate in the CCC conference, not even the CCC CTF, and we saw their ads for the CTF and decided to sign up and see if we could handle a challenge or maybe two. When the CTF began we decided to take one challenge to start with, so we just chose the hardest challenge that was on the CTF. We had only two laptops, so we couldn't do much more than one or two challenges at a single time, but we started from the hardest one. Long story short, at three a.m. that night we managed to be the first team to solve that 500-point challenge. We didn't know if it was good or bad, so we just went to sleep; we said okay, it was fun. But when we woke up we looked at the scoreboard and saw that we were still the only team to solve that challenge, so we decided okay, maybe we have a chance, we'll take another one, an easier one.

So we took a challenge, which we're going to give a short walkthrough of, called PyExec. Cool. So PyExec was in the category called sandbox, which typically means escaping out of the sandbox, and the difficulty was easy, so after that hard one we struggled with, we chose an easy one. We would get an IP address where we would go and see something like this. This would be the interface: there is an edit box where we could write Python code, and we could press "exec" and it would evaluate the Python code. So we knew we needed to run some Python code that would read a flag file, and they actually provided us with the Python script itself, so the application itself was available to us. That's where we could see that they would blacklist all sorts of nasty things we could use as part of our exploit, so anything interesting in Python you could think of, you wouldn't be able to do. They also had this whitelist, so basically we would be limited to a very specific set of characters, and that's how it worked: when we played with it, basically nothing worked except for some really basic calculations.

Any ideas what we can do here? Well, I hope I heard the answer, but the answer is Python encoding. Apparently you can start a Python script with the following line, "# coding:", and then choose one of the following encodings, and then you can just encode your full Python script in one of those encodings. So in this case we could just use raw_unicode_escape, take this simple line of Python code that is opening a flag file and just reading it and printing it to the screen, and this would be encoded into this Unicode-escaped string, and when we ran it we would get the flag. So indeed it was a nice and easy challenge, and a really fun one.

Okay, another challenge we solved in the same CTF was Big Data. It was considered harder, and the category is pwn; once again we need to execute code on the server. When we got the challenge, the first thing we saw was that meaningless description, just "big data", and the file. The challenge is a file containing the binary that the server runs, and an IP address and host that the server runs that binary on. So we took the binary, we started to reverse engineer it and understand what it does, and we found a stack buffer overflow just like in the textbook: they have a buffer with a limited size, they receive the length of the buffer from the user, from us, and then they just read data according to the buffer length that we sent. Sounds really easy to exploit; everyone that has experience with a stack buffer overflow knows what to do. In order to trigger that vulnerability all we need to do is just send some data that will be bigger than that buffer, and it worked locally on our machine when we tested it, but we couldn't make it work on their server.

The reason that we couldn't make it work was that we couldn't make the receive call, the recv right here that we see, return more than 1,500 bytes of data. And the reason we couldn't make it happen is because there was a really long network between us and the server, and the mechanism that our data was carried on was TCP. TCP is a stream-based protocol, meaning that you don't get to choose which data is being sent in each chunk; you just send data and the receiver reads it however it wants, and the segmentation is handled by the TCP stack. So if you send a big chunk of data and there is no network between you and the receiver, then you will receive everything in one receive, but if some network segment segments this buffer into smaller chunks, then the TCP stack is allowed to give you only smaller chunks, one by one. Another thing to understand about TCP is that it's a reliable protocol, so it must handle retransmission and keep buffers for handling out-of-order packets, and we will show that in a minute. We wanted to send some special messages that would make the TCP stack buffer all the data for us and return it in one chunk. So whenever you send a big message, this is our big message, the TCP stack will segment it into one, two, three, four, five chunks and send them in that specific order. But what we wanted to do was to split the message into those five pieces but send the second message, then the third, fourth, fifth message, and only then send the last message, and the receiver side will understand that here is the complete chunk, now I will forward it to the application to be processed, and by this the receive will be in one big chunk. We tried to implement it; in order to do that we had to implement our own basic TCP stack, and we did it for over two hours. It was late in the CTF and we hadn't had much sleep that night, we had almost no sleep that night, so we just couldn't make it work. Any ideas of what to do? Jumbo frames is a nice idea, but it was the internet between us and the server, so we dropped the jumbo frames. So remember the previous challenge, the PyExec challenge? We thought that maybe they host the challenges in the same data center, or maybe even on the same server, so we thought maybe we would just run our exploit code through that interface. So exactly like running our recording here: we put our exploit code in here, and it worked.
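The PyExec bypass described above hinges on a property of the interpreter rather than of the blacklist: CPython honours a PEP 263 "# coding:" declaration and decodes the whole source with that codec before it tokenizes anything, so a filter that inspects the text as typed never sees the decoded program. The Python below is an added example by the editor, not the challenge's code; BLOCKED_WORDS, ALLOWED_CHARS and PAYLOAD are constructed stand-ins for the challenge's real lists. It builds the same kind of disguise the talk describes, shows the flawed check accepting it, shows a check that decodes the way the interpreter does before filtering, and reports which names the compiled code object actually references.

```python
"""
Why a blacklist on submitted Python text is defeated by the PEP 263 source
encoding declaration, and a check that decodes the way the interpreter does
before filtering.  Added editor example, not the PyExec challenge's code;
BLOCKED_WORDS and ALLOWED_CHARS are constructed stand-ins for its lists.
"""
import io
import tokenize

# Constructed stand-ins for the sandbox's blacklist and character whitelist.
BLOCKED_WORDS = ("open", "import", "exec", "eval", "__")
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789 #:_\\()+-=\n")

PAYLOAD = "print(open('flag').read())\n"   # the one line the sandbox must refuse


def naive_filter(submitted: str) -> bool:
    """The flawed check: inspects the text exactly as the user typed it."""
    if any(word in submitted for word in BLOCKED_WORDS):
        return False
    return all(ch in ALLOWED_CHARS for ch in submitted)


def with_coding_cookie(body: str) -> str:
    """Wrap `body` as a script that declares raw_unicode_escape and spells every
    character of the body as a \\uXXXX escape.  The text contains none of the
    blocked words, but the interpreter decodes the escapes before parsing."""
    escaped = "".join("\\u%04x" % ord(ch) for ch in body)
    return "# coding: raw_unicode_escape\n" + escaped + "\n"


def decode_like_the_interpreter(submitted: str) -> str:
    """Decode the submission the way CPython's tokenizer does: locate the
    PEP 263 cookie (tokenize.detect_encoding) and decode the bytes with it."""
    raw = submitted.encode("utf-8")
    encoding, _ = tokenize.detect_encoding(io.BytesIO(raw).readline)
    return raw.decode(encoding)


def hardened_filter(submitted: str) -> bool:
    """Apply the same rules to what the interpreter will actually parse."""
    try:
        decoded = decode_like_the_interpreter(submitted)
    except (SyntaxError, UnicodeError):
        return False  # unknown or undecodable cookie: refuse rather than guess
    return naive_filter(decoded)


def names_the_interpreter_sees(submitted: str) -> tuple:
    """Compile the submission as bytes, so the cookie is honoured exactly as it
    would be for a script file, and return the names the code object uses."""
    code = compile(submitted.encode("utf-8"), "<submission>", "exec")
    return code.co_names


if __name__ == "__main__":
    disguised = with_coding_cookie(PAYLOAD)
    print(disguised)
    print("raw payload passes naive filter:  ", naive_filter(PAYLOAD))
    print("disguised passes naive filter:    ", naive_filter(disguised))
    print("disguised passes hardened filter: ", hardened_filter(disguised))
    print("names the interpreter sees:", names_the_interpreter_sees(disguised))
```

Decoding before filtering closes this particular gap; it does not make source blacklisting sound, which is why a sandbox that must run untrusted Python is better built on a restricted interpreter or an allowlist of AST nodes than on string matching.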
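The Big Data story turns on TCP being a byte stream: the server's single recv() could hand back one 1,500-byte segment rather than the whole message, and the server trusted the declared length without bounding it. The Python below is an added editor example, not the challenge binary's code. FakeStream is a constructed stand-in for a connected socket that returns data segment by segment; the block compares the one-shot read with a reader that loops until the declared length is complete, and it bounds the declared length, which is the check whose absence produced the overflow in the talk.

```python
"""
TCP delivers a byte stream, not messages: one recv() may return only part of
what the peer sent.  Added editor example, not the Big Data server's code;
FakeStream is a constructed stand-in for a socket whose data arrives in
segments of arbitrary size.
"""
import struct
from typing import List


class FakeStream:
    """Stand-in for a connected TCP socket: recv(n) returns at most n bytes and
    never more than the next pre-split segment, mirroring how the kernel hands
    data to the application as segments arrive."""

    def __init__(self, segments: List[bytes]):
        self._segments = [s for s in segments if s]

    def recv(self, bufsize: int) -> bytes:
        if not self._segments:
            return b""  # peer closed
        head = self._segments[0]
        chunk, rest = head[:bufsize], head[bufsize:]
        if rest:
            self._segments[0] = rest
        else:
            self._segments.pop(0)
        return chunk


def naive_read(sock, declared_len: int) -> bytes:
    """The fragile pattern from the talk: one recv() sized by the declared
    length, trusting that the whole message arrives in a single call."""
    return sock.recv(declared_len)


def recv_exact(sock, n: int) -> bytes:
    """Loop until exactly n bytes have been read, or fail if the peer closes."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def read_framed_message(sock, max_len: int = 4096) -> bytes:
    """Length-prefixed framing done right: read the 4-byte big-endian length,
    bound it before allocating or reading anything, then read exactly that many
    payload bytes regardless of how TCP segmented them on the way."""
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > max_len:
        raise ValueError("declared length %d exceeds limit %d" % (length, max_len))
    return recv_exact(sock, length)


def segment(data: bytes, mss: int) -> List[bytes]:
    """Split a byte string into segments of at most `mss` bytes."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


def demo(payload_len: int = 4000, mss: int = 1460) -> tuple:
    """Send one framed message across a path with a 1460-byte MSS and compare
    the two readers.  Returns (naive_len, framed_len, framed_matches)."""
    payload = bytes(i % 256 for i in range(payload_len))
    wire = struct.pack("!I", len(payload)) + payload
    naive = naive_read(FakeStream(segment(wire, mss)), len(wire))
    framed = read_framed_message(FakeStream(segment(wire, mss)), max_len=8192)
    return len(naive), len(framed), framed == payload


def oversized_frame_rejected(max_len: int = 4096) -> bool:
    """A header claiming more than max_len is refused before any payload read."""
    hostile = FakeStream([struct.pack("!I", 10 ** 6) + b"x"])
    try:
        read_framed_message(hostile, max_len=max_len)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive bytes, framed bytes, framed intact:", demo())
    print("oversized header rejected:", oversized_frame_rejected())
```

The one-shot reader sees 1,460 bytes of a 4,000-byte message, exactly the ceiling the speakers hit over a long path, while the framed reader reassembles all of it; the same loop is what a server needs so that its behaviour does not depend on how the network happened to segment the stream.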

Cool. So this wasn't intended, of course, but still we believe it was according to the rules, so that was fine. By the way, that year we came in fifth place; this was the first time we played the CTF. The nice thing about it is that this is the first challenge we solved: we are the baby-blue chart here, and each step in this graph is a solved challenge. So the first challenge we solved was the hardest one, and then we went to sleep, like no other team did. Okay, then we woke up and we were like, hey, this is nice, we're still leading in the top ten or something, and then we had some friends join us on-site but also in Tel Aviv, and then we were actually playing until the end of the competition and making it to fifth place.

So a year later we really got excited about all this CTF thing and came back with more people. We were 15 friends on-site and five more at home. We had actually reserved a table, which is a thing you can do at the CCC conference; before that we were just kind of homeless and just grabbed some table there. We had a VPN and VoIP so we could actually call our friends, and we had real infrastructure. We used Slack, which today is very obvious, but back then most CTF teams had their own custom knowledge-sharing and challenge-solving systems that they used. Slack was the laziest thing we could do, and it worked really well for us. This time we also had some AWS machines that we could use for crypto challenges and some other things, and of course, most importantly, we actually got some food and beers, which is something we really didn't have the year before. So this is a photo with all the food and the beer, and this here, yeah, this is the Club-Mate, but we also had our own beers there, and this is a phone, a real VoIP line between us and the Tel Aviv base. So that year we came in second, with quite a big gap, I believe; there was a single challenge, a really fun one, that would make the whole difference. Then a year later we came back, and this time we actually won first place, so these are some photos of the celebration. Then the year after we kept first place as well, and then another year later, so we won first place three years in a row. This is the CTF floor from the year 2017, and this is our team here in the front.

So from that year, 2017, a really fun challenge, which they gave a difficulty of medium, but I think they regretted it because it was kind of super hard, and it was really interesting, so that's why we will share some of it now. Like many of the web challenges, you just get an IP address. So we received this IP address where we would go, and we would see the "secure file extraction service". You can provide it a URL pointing to a zip file, and it would extract it for you and let you download the files from the zip file. Nothing fancy, but there are some things that happen here. First, we've seen that it extracts all the files flat into a root directory, so if you have some folders in it or some kind of folder structure it just ignores it and all the files fall into a single directory. It supports multiple formats like 7-Zip, zip, tar, and probably others, and it deletes all the folders and all the symbolic links that you had inside the zip, so again it flattens all the files out, but just the files. And there are some limitations: they limit you to not more than five files in a zip archive and not more than ten K of data, so you cannot do a denial of service.

So the first thing we do is create a symbolic link inside a zip archive that would point to the root folder, and what we get back is a warning from the system saying that they have detected some links or folders in your archive, and they use some "cyber-enabled filtering system". This would be a link, so when we click on the link of the cyber-enabled filtering system we would get this code. This is PHP code, basically showing us that they traverse through all the files in the zip archive and delete anything that is not a file, basically a folder or a symbolic link. Any ideas how we can bypass the cyber-enabled filtering system? Louder. So the answer is around this function, the glob function. This is like a file-listing function, but it doesn't take into account hidden files, so anything that starts with a dot wouldn't be captured by the glob function, meaning that all we need to do is create that same symbolic link to the root folder, but this time we can just use a dot at the beginning. And voilà, we actually get to list the root folder and we can just traverse the filesystem and find some stuff.

So the first thing we find is, in the home folder, a script called "create backup of my super secret flag". This is a script that all it does is read the flag from the standard input and write it into this nice MySQL database. So the flag is not here. We hoped that we would find this flag; in many of the challenges at this stage you find the secret file, you find the flag and you submit it to the system. Not in this case: we actually see that they just read the flag from the standard input somewhere here, yeah, from here, and just save it into the MySQL database. So this is sort of a hint to us that the flag is stored in a MySQL database running on the same machine. So what do we know? We look at the www directory and we find another file, index.php. This is the core functionality of the actual challenge. It does all sorts of checks on the URL, basically blocking you from accessing localhost and some other weird things; it gets the content of the file using libcurl, so this is PHP code but it uses libcurl to download the file from the URL we provided; it saves it; it checks that the saved archive is valid and has less than five files and 10k extracted; and then, as we have seen, it deletes everything that is not a file. So we know that we control the URL, we need to access the MySQL server that runs on that same machine, but we see that they block us from connecting to localhost. So basically what we want is somehow to connect to localhost, run some SQL query, and then get the flag.

So after a lot of tinkering we realized this thing: we realized that the libcurl library treats URLs differently than the PHP runtime, but also all the other runtimes. So basically if you take this weird-looking URL and provide it to libcurl, libcurl will take this part, but if you use the URL parsing of any of those runtimes, they would see Google. So that's how we could bypass the first check that prevented us from connecting to localhost, which is the actual database: they think we connect to Google, but in reality we actually go to localhost. So again, this is us exploiting a server-side request forgery vulnerability, because they fetch the URL we provide. So in this example we use this URL: PHP sees google.com, curl sees localhost. So that's good. Now, as some of you might know, libcurl supports much more than the HTTP protocol; it supports all those protocols, including a protocol named gopher. So gopher is an interesting one: if you provide libcurl with this URL, what it will do is connect to localhost on port 3306, open a TCP connection, and send this data, everything that is after the underscore, to the server. So basically this gives us a way to connect to a MySQL server and send one packet to that server. So what we need to do now is to construct that single packet we can send, and we just looked at the MySQL protocol and constructed this thing. Basically this is the first packet you send to MySQL, which does the authentication, and then we can send the SQL query. So this would result in something like that: what you see here is gopher, this is localhost, the MySQL instance we are connecting to, this is the port, and all this would include a valid MySQL protocol exchange that would open a connection, do the needed authentication with the username, and then all this part is an SQL statement that fetches the flag.

So the tricky part here is that when we take this and provide it to our service, the service expects to get a zip file, not a string with a flag, because the next step that would happen is that the zip file needs to be extracted. So we had to encode into the SQL statement the actual format of a valid zip file. What you see here is that "PK" zip header; it's an actual zip file, and somewhere here would be this flag. Okay, here we can see inside: we would build a zip file and place a flag inside that zip file. So now when we provide all this here, what we get is a valid zip file that we can extract, and when it's extracted it contains a file named "give me a flag", that's how we called it, and when we open the flag we would get this nice string, and that's the flag we would submit to the system and get some points.

So in summary, really a lot of credit to the crazy people that created this challenge, because it had so many things in it: it had the symbolic link trick that we've seen with the dot, it had the inconsistency between the different URL parsers, it had the SSRF vulnerability that we needed to exploit, and there is this funky thing with the SQL. So this was the last one, from 2017 I think, and again this is when we actually won first place again.

Yeah, and this time we're moving to Google CTF. So Google CTF, once again, is Jeopardy-style. Today it has two stages: the first one is qualifiers, which are totally remote; the top ten qualified teams go to an on-site CTF, where you are allowed to get assistance from home, and for the first time in our experience with CTFs we get money. Today we know that its level, its complexity, is considered pretty high; Google are really, really good engineers and they invest a lot of time in those challenges. We want to talk to you about a challenge called Slot Machine, this time from a category called hardware or reversing. It's a challenge that is actually based on a real story of Russian hackers that found a vulnerability, basically around the randomness, in one of the slot machines in Vegas, in the casinos, and used that crypto vulnerability to win some real money. So Google created a challenge based on this story.
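The 2017 extraction-service challenge walked through above had two separable defects: glob() skipping dot-prefixed names during the cleanup, and a localhost check that did not agree with libcurl about which host a URL names. Each has a direct fix, and the Python below, an added editor example rather than the challenge's PHP, shows both on the same service. The temporary directory, the hostnames and the FAKE_DNS answers are constructed for the demo (8.8.8.8 only stands in for "some public address"); the first half serves the passage on the symlink trick, the second the passage on the localhost check and the gopher detour.

```python
"""
Two hardening points for the extraction service in the talk, as an added editor
example (not the challenge's PHP): remove non-regular files with a listing that
cannot miss dot-prefixed names, unlike glob(), and vet a user-supplied fetch URL
by scheme and by the addresses its host resolves to.  The temp directories,
hostnames and FAKE_DNS answers are constructed for the demo.
"""
import glob
import ipaddress
import os
import shutil
import socket
import tempfile
from urllib.parse import urlsplit


def populate(extract_dir: str) -> None:
    """Recreate the talk's trick: a regular file, a visible symlink to /, and a
    dot-prefixed symlink to / that glob('*') does not list."""
    with open(os.path.join(extract_dir, "notes.txt"), "w") as fh:
        fh.write("harmless\n")
    os.symlink("/", os.path.join(extract_dir, "link"))
    os.symlink("/", os.path.join(extract_dir, ".hidden-link"))


def remove_entry(path: str) -> None:
    """Delete a symlink or a real directory without following the link."""
    if os.path.isdir(path) and not os.path.islink(path):
        shutil.rmtree(path)
    else:
        os.unlink(path)


def clean_with_glob(extract_dir: str) -> list:
    """The flawed cleaner: glob('*') skips names beginning with a dot."""
    for path in glob.glob(os.path.join(extract_dir, "*")):
        if os.path.islink(path) or os.path.isdir(path):
            remove_entry(path)
    return sorted(os.listdir(extract_dir))


def clean_with_scandir(extract_dir: str) -> list:
    """Hardened: enumerate every entry, hidden or not, and keep only regular
    files, judged without following symlinks."""
    for entry in os.scandir(extract_dir):
        if not entry.is_file(follow_symlinks=False):
            remove_entry(entry.path)
    return sorted(os.listdir(extract_dir))


def compare_cleaners() -> tuple:
    """Run both cleaners on identical directories; returns what each leaves."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        populate(d1)
        populate(d2)
        return clean_with_glob(d1), clean_with_scandir(d2)


ALLOWED_SCHEMES = {"http", "https"}

# Constructed offline resolver so the example needs no DNS.  8.8.8.8 stands in
# for "some public address"; the other answers are loopback or private.
FAKE_DNS = {
    "files.example": ["8.8.8.8"],
    "localhost": ["127.0.0.1", "::1"],
    "db.internal.example": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolver(host, port, proto=0):
    """getaddrinfo-shaped lookup against FAKE_DNS (constructed)."""
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed resolver: unknown host %s" % host)
    return [(None, None, proto, "", (addr, port)) for addr in FAKE_DNS[host]]


def target_is_safe(url: str, resolver=socket.getaddrinfo) -> bool:
    """Allow only http(s) to hosts that resolve solely to public addresses.
    Judging resolved addresses rather than the hostname string catches every
    spelling of loopback; refusing userinfo drops a component URL parsers are
    known to disagree on; the scheme allowlist keeps a fetcher's other
    protocols, gopher included, out of reach."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or parts.username is not None:
        return False
    try:
        infos = resolver(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return False
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(a.is_global and not a.is_multicast for a in addrs)


if __name__ == "__main__":
    print("glob cleaner leaves / scandir cleaner leaves:", compare_cleaners())
    for u in ("http://files.example/a.zip", "http://localhost:3306/", "gopher://files.example/"):
        print(u, "->", target_is_safe(u, resolver=fake_resolver))
```

The URL check only helps if the fetch then goes where the check looked: hand the validated address to the fetcher (libcurl's CURLOPT_RESOLVE pins a hostname to an address) and restrict the fetcher's protocols (CURLOPT_PROTOCOLS), rather than validating one parser's reading of the URL and letting a different parser perform the request.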

We didn't know that back at the time. Because this was a CTF final, this was actually on-site, all ten finalist teams were on-site in London, and that's why it was possible to provide each and every team with actual hardware. So they gave us this little toy slot machine, and the first thing we did was open it up, and we found this chip. This was an Atmel ATmega chip, a microcontroller, and they also provided us with some basic equipment to read the firmware from the chip. So we did that, and then we got to the actual reversing. That's where the reverse engineering part started, and basically after some reverse engineering, the two kind of interesting things that we found were these two secret key combinations. So if you would, on this screen, let me show you on this balance, if you would press the secret combination you would get to two secret screens. The first is the debug screen, so we will see later what it allows us to do, but the other one is the flag screen, which would provide us with the first flag. So when we would press this combination we would actually get the first flag. It's important to say that while they provided us with a toy slot machine, the actual attacks would be run against the central slot machine. So every team would need to do the reverse engineering to understand the process, to understand the vulnerability, but then they would need to go to the actual central slot machine and execute the attack. So this would help us get the first flag, and for the second flag I'll let Yuval talk.

So on the second flag: when we entered the second code we got to this screen, which is the developer menu, "enter delta". We tried to reverse engineer what it does and we came to a PRNG mechanism. PRNG is a pseudo-random number generator. I hope you're sitting down: there are no random numbers on cheap microcontrollers.

They are actually generated using some short, typically 32-bit random number that is generated at boot time, and from then on they advance the random state using some simple formula such as this. So we reverse engineered that formula and came to the conclusion that this is the mechanism that handles the random number generator for that machine. It's a really simple simulator: this is the random number generator, and whenever you call the run function it will just advance the random number generator state and return some part of that state for the machine to choose which symbols to display on the screen. It uses that code: it says okay, if it's above some value it's a seven, otherwise, if it's above some other value it's a lemon, or otherwise it's a bar. Those are the three symbols that this machine draws on the screen.

What we wanted to do, any idea how to exploit that? Okay. We wanted to play the slot machine five times. Why five times? Because within five times, if we write down what signs we got on the screen, we will be able to understand where we are in that random number generator state, and we will be able to recover that state. Whenever we recover that state we are able to understand not only where we are, but we are able to predict the next values that would return from that state. Actually, if you remember that screen, the "enter delta" is basically the machine asking us how many advances of the PRNG state you would like to do, and we could say okay, instead of pulling the lever 100 times we could just write down 100 and it will advance that state for us. So our plan was to understand our current state based on playing the machine five times, and now when we have the state we can calculate the distance between our current state and where we want to be, to advance it right to the point where we would expect that three times the seven symbol will come out of the random, and on the next pull of the lever we will just win the slot machine. Yeah, you can press and it should play. Yeah, it works. So basically that's after you would enter the delta, and we basically jumped to the place where the next play would give you seven seven seven. So that's the solution, and then the flag. [Applause]

Cool. So that's our Google CTF history. Actually, the first time Google started doing the CTF was 2016, so that's where we won first place, and then a year after that we took third place and another Israeli team took second. So 5BC is an awesome Israeli team that always gives us a good fight. And this year, this night, we had the qualifiers. So anyone here played the Google CTF qualifiers? Okay, some hands here, cool. So at 3 a.m. this morning the qualifiers ended, and we actually took first place in the qualifiers. All of the ten teams, I believe, right, these ten teams would go to the finals, and there's also another Israeli team down there.

So actually we thought that we would finish here, but we have some time, so I'll skip; we have some hidden slides at the end of the deck. So I think we have some time to talk about DEFCON CTF as well, and then I'll go back to the final slide. Since we won the CCC CTF, we automatically got qualified to play in the DEFCON CTF, which is the biggest attack-defense type CTF. It's completely different from what we experienced before: as I said, it's attack-defense, it's on-site in Vegas during the DEFCON conference, it runs three days, but basically only daytime, so it starts in the morning and ends in the evening, three days in a row. It has 15 teams, no prizes, and the level is super, super high. So the idea with the attack-defense CTF is that all the 15 teams have their own services; they start in the same state, everybody has the same services to operate, and then all you need to do is reverse-engineer those services, find vulnerabilities, attack the other teams with the vulnerabilities you found, and at the same time protect your services from being attacked. While all this happens, everybody can see everyone's network traffic, so you could steal vulnerabilities: you could see if somebody attacks you, steal the vulnerability and then patch it. Or, for example, if you find a vulnerability you have a dilemma whether you go and attack with it or you first patch yourself, or do both. So it's a completely different challenge, and there are some really different skills that are needed beyond finding and exploiting a vulnerability. Oh, and one important thing is that when you protect your service, for example, you can add some protection mechanism to your service, but if it becomes too slow you start losing points. So you cannot just go and implement all the possible buffer overflow protections in your code and run the service, because it just becomes slow; the organizers constantly ping your service to make sure it functions. So like in the real world, you need to find the balance between protecting your service and keeping it functional.

So this is how it looks in the actual CTF; this is our table here. I think they limit the number of players at the actual tables to eight, and they really have some nice visualization when one team manages to exploit a vulnerability for the first time, so they have these "first blood" visuals running all over the screens there. The first time we came there was, I think, 2016, and that was also the first time they ran what's called the Cyber Grand Challenge, which is a different type of CTF, run between machines, computers only, no humans involved; the humans are involved only in building those machines. So this is also an attack-defense CTF: each machine needs to try to attack other services and protect its service from the attacks of other teams, and it runs for several hours. There were eight teams and the prize was two million dollars, so this is a serious prize.

So this is how it looks. This is Vegas; they know how to put on a show, and what you see here on the screen is also the actual visualization of the attacks, so pretty cool: you could actually see how each machine would try to find the vulnerability and patch against it or exploit it. So all the machines are here; they look like those supercomputers, which they are, and are super strong, and all the arena here, all this area, is fully air-gapped. The only thing that goes inside is electricity and water cooling, that's all. Then the operation computer inside the arena produces logs that they burn onto a DVD, and there is this robotic arm that passes the DVD to the commentators; they take the DVD, put it in their computer, and kind of show and analyze what's going on inside the arena. So the interesting thing is that this CTF was held one day before the big DEFCON CTF, and the winner of this competition, the machine that would win this competition, would also compete against the human teams. So the winning machine was Mayhem, from a company named ForAllSecure, and in the actual DEFCON CTF, again reminding you, for the first time there was a machine competing against humans. So they lost, they were in last place, but there were some challenges where they really outplayed all the human teams, including in patching vulnerabilities but also exploiting. So there are some really, really crazy and awesome things to see in there. So that's the Cyber Grand Challenge, and I'll jump back to the slides, and I believe we actually have some time for questions.

So finally, yeah, CTFs are awesome. This has become very popular; every conference now has them, and you don't have to actually be on-site to play; they are now everywhere, and, you know, like Google CTF and many others, you can just join and play from your home. It's really an amazing place and an amazing community to engage with and learn from. So really, if you haven't ever played a CTF or solved a single challenge, we really encourage you to do so. We basically started our journey by mistake; we didn't plan to become a real CTF team, but we really found out how amazing it is and how fun it is, so we would really encourage you all to do the same. And this is the time to thank our amazing team: the two of us are here, but behind us is an amazing team that played with us all this time. So thank you to the CTF organizers: creating a CTF is a tough, tough, tough job, it's much harder than solving challenges, and really they put a lot of time into every challenge, into creating the idea, implementing it, and then testing it and making sure that you don't find any ways around it. Usually the teams that are competing there are also the ones creating those challenges, so these are really the top-notch security experts of the world, doing that in all the CTFs out there. So big thanks to them, and also to all the teams that are competing, and a special shout-out to 5BC, the other Israeli team that we meet all the time in the CTFs, and probably there are many others that we just don't know. So thank you all.

We have some time for questions, actually quite a lot of time, eight minutes. Someday. So the question is when are we organizing our own. Yep, yeah, someday. We just, we know it's hard, we know it takes a lot of time, and we do play now for fun, but definitely on the horizon, to create our own CTF.

Yeah, good question. So the question is, since we got access to the file system of the challenge, could we just go to the var-something directory of MySQL and just download the storage of MySQL directly. And the answer is that the service ran as an Apache service, and it runs with the permissions of the web user or something like that, and not the permissions... like we weren't root, to access those files. This is actually the first thing we tried, we went to those folders and tried to take the files and

No

Last question, otherwise we'll have to drink. So we're all in this area, like we were doing research in our work, in our background, that's what we do, but I think we never played CTF before 2013, and there are a lot of things we learned while playing CTF. So yeah, one more thing to understand: the CTFs are for everyone, you have challenges for every level that you're in, so from beginners to the most advanced researchers. So we did learn some things about how to play the CTF games. For example, we had some challenge that we actually wanted but didn't have the time to show, where it was a simple web challenge with some cross-site scripting, but we didn't find the cross-site scripting vulnerability, and there was some operational problem with the challenge, it wasn't running at some point, so by mistake we took over the whole server, like we found a different vulnerability that they didn't want us to find. And now we understand, like now we have some better gut feeling of where this shouldn't happen, because when a challenge is in the web category and it's, you know, marked easy and we just can't solve it, probably there is something basic we're missing and not some crazy vulnerability.

So the fun thing about this crazy vulnerability we did find that wasn't intended is that the next year they actually turned it into a real challenge, a hard one, and so then we got the score for free because we already knew it. But that's the kind of thing you learn when you play CTF, you kind of learn the mindset and the things you should do and you shouldn't do while playing, so that's a skill, kind of like a muscle we developed.

Preferences? The very... it works well in Windows but everything else is not. Yeah, it really depends, really. We're quite a diverse group of people, around 25 people, everybody has their own preference and machine. Yeah, what makes a bad challenge? Wow. I would say, the guy is listening, I would say that when you have to guess more than to get the information out of the server, out of the challenge, then it's really frustrating, because it's really easy to not get it right, and there are challenges like that. Yeah, basically when you're not measured by your skill but more by your guessing capabilities.

All right, so