Defcon Decompression, Part 2
Message from 2022
This post is pretty old! Opinions and technical information in it are almost certainly oudated. Commands and configurations will probably not work. Consider the age of the content before putting any of it into practice.
Once we actually got into the CTF game image (running on FreeBSD 6.2), we hit a brick wall, hard. While there were a few web services with possible SQL injections, the majority of it was all binary services.
(A continuation of Defcon Decompression, Part 1)
I’ve never done binary reversing, never really buffer overflowed anything, so basically I felt really unprepared for 90% of the challenges in the game. However, I did start sorting through the two web services, one on a custom binary web server with PHP support, and the other a PHP website on Apache.
The first one had an easy exploit:
s = TCPSocket.new("10.0.n}.1", 8081) s.puts("GET /../key HTTP/1.1") s.puts puts s.read
The fix was easy too: move the web server’s htdocs directory deeper a level to break the obvious/scripted attack. Breaking an attack wtihout improving security’s actually a technique supported by Chris Eagle of Sk3wl0fr00t (they crushed us) and presented at Defcon last year. We knew there would be other problems in that service, but really our binary guys were spread pretty thin.
The second service was much more complicated, and somewhere while looking through it we missed a couple SQL injections that we didn’t notice again until Sunday (long after they’d been patched). What we were able to do, however, was use the makeuser service to make shell accounts on remote machines, and then go steal their database credentials for easy access to flags and overwrites. I also started running attention-depletion attacks that created fake users and fake profiles in the second web service for grins.
The biggest scores for our team came from breakthroughs, but not the service-centric ones:
Late Friday night, Z3x was hanging out near Kenshoto’s skybox where the game server was stored, and basically got the guard to let him in. We received a call from him asking what to do to their server. After some deliberation, we said he should just put a sticky note on it saying “Breakthrough! 500 points, 0x28 Thieves.” After doing that, somebody else got in the room (turns out it was somebody from another team doing the same thing XD) and he quickly left, returning triumphant to the hotel room we were hanging out in with a handful of the Kenshoto guys’ name tags (warning: swears).
On Saturday night, Jim was hanging out with the Kenshoto guys, and they soon realized that they locked the closet and desperately needed something out of it. After the Lockpicking Convention guys tried on the door for about 15 minutes, Jim cut a notch out of his room key and opened the door in about 20 seconds total.
We got rewarded for both of these handsomely, and on Sunday morning we jumped up from 8th to 6th in the rankings. However, the (very friendly) Korean Song of Freedom got back ahead of us in the last hour, leaving us in 7th.
After the awards ceremony (including hearing about the amazingly complicated Mystery Box Challenge), we walked down to the Wynn for the buffet, which had a sizable line. Forging ahead, I was pleased to find that it was not only much better than TI’s buffet (making it the best buffet I’ve ever been to), but it also had the nicest bathrooms I’ve ever been in.
After that, had a couple beers with Zap to finish off the big jug he bought Thursday afternoon, and retired in anticipation of the 7am flight home.