Monday, September 17, 2007

HITB 2007 CTF report

[Original link from vnSecurity]

We decided to join the HITB 2007 CTF in Kuala Lumpur right after VNSECON '07 in August. Our team, Sao Vang from vnSecurity, was the last (10th) team to register, and we had only 1 month to prepare for the competition. It's unbelievable that we won the game!

Day 1 - 05/09

The game, which had been planned to start at 10:30 AM, was delayed because the organizer had not finished setting it up. Teams had to find something fun to do while waiting. We sat on the floor playing bzflag. Other guys checked email or set up hardware. We felt a bit nervous because there was only one network cable on each team's table and the other teams had brought their own switches.

Finally, the CTF crew announced the game would start at 2:00 PM. At 2:45 PM, it really started. While the crew was setting up the VMware images (Gentoo 2007 hardened) for the teams' servers, some guys looked over their shoulders and captured (guessed) the root password. It was a bad password (qwe123). We got it too ;).

The organizer sent out crackme1 for Windows; the main switch would only be plugged in after it had been cracked. I changed our root password, copied the VMware image as a backup, tried to upload our tools to the server from a USB HDD, and ran the defense script while lamer and sieukhung were cracking the binary on their laptop. They took it down in only 20 minutes!

Then the game really started. The organizer announced the root password to all teams. Before that, one team (perhaps Qb1t?) had used it to access other servers, install a backdoor user (lalala?) and unwisely change their root passwords. The organizer identified and removed it easily. We had also prepared a script just for this situation. Had we run our install_backdoor script (silently, without changing root passwords), we could have owned most of the boxes. But then, where is the fun?
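The situation above (a shared root password and a backdoor account appearing on a box) is the kind of thing a team's defense script should catch. As an added example, not the team's actual defense script, the Python below snapshots the account list at hand-over and reports accounts that were added, removed, or given uid 0 since then. The passwd contents are constructed for the demo, and the snapshot path in check_live() is hypothetical.

```python
"""Baseline-and-diff check for local accounts (added example; not the
team's actual defense script). Given a snapshot of /etc/passwd taken
right after the server is handed over, report accounts that were added,
removed, or given uid 0 since the snapshot."""
from __future__ import annotations


def parse_passwd(text: str) -> dict[str, tuple[int, str]]:
    """Map username -> (uid, shell) from passwd-format text."""
    accounts: dict[str, tuple[int, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than crash the monitor
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        accounts[name] = (uid, shell)
    return accounts


def diff_accounts(baseline: str, current: str) -> dict[str, list[str]]:
    """Return {'added': [...], 'removed': [...], 'uid0': [...]}.
    'uid0' lists accounts that now have uid 0 but were absent from the
    baseline or had a different uid there (a second root account is the
    classic way of keeping access after a password change)."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    uid0 = sorted(n for n, (uid, _) in cur.items()
                  if uid == 0 and (n not in base or base[n][0] != 0))
    return {"added": added, "removed": removed, "uid0": uid0}


# Constructed sample: snapshot at hand-over vs. the state a few minutes later.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ctf:x:1000:1000:ctf:/home/ctf:/bin/bash
"""
CURRENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
ctf:x:1000:1000:ctf:/home/ctf:/bin/bash
newuser:x:0:0::/tmp:/bin/bash
"""


def check_live(snapshot_path: str = "/tmp/passwd.baseline") -> dict[str, list[str]]:
    """Compare the real /etc/passwd against a saved snapshot (hypothetical path)."""
    with open(snapshot_path) as f, open("/etc/passwd") as g:
        return diff_accounts(f.read(), g.read())


if __name__ == "__main__":
    report = diff_accounts(BASELINE, CURRENT)
    for kind, names in report.items():
        if names:
            print(f"ALERT {kind}: {', '.join(names)}")
```

Run from cron every minute with the snapshot taken before the network is plugged in; the same diff approach applies to /etc/shadow, ~/.ssh/authorized_keys and the daemons' own files, which is how a team can notice tampering without changing the daemons themselves.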

All teams started looking at the vulnerable daemons (01 to 08) and defending their servers. Some teams chown'd all the flags so that no other team could get them, not even the score server ;-). There were glitches in the score server: only Sao Vang got a positive defensive score while the rest got negative. After crackme1 was done, the organizer sent out the crackme2 binary. By the end of day 1, no daemon had been exploited and we had earned 350 bonus points for crackme1.

There is not much to say about day 1 because it lasted less than 3 hours. We managed to crack crackme1 and identified the vulnerabilities in some daemons. Our dreaded VMware host running on WinXP hung 2 times and went on to hang 3 or 4 more times on day 2.

Day 1.5

We got back to our place and continued the job overnight. crackme2 (md5 crack) was solved first by sieukhung. Then we found the vuln in daemon05 (trivial buffer overflow; shamefully, we weren't successful in exploiting it remotely) and daemon07 (trivial format string), but there were "bugs" that made them unexploitable. After a few hours, we could exploit daemon02 (vtable overwrite) and daemon04 (buffer overflow with multithreading complications). We went to bed (and sofa ;)) at 4:30 AM and woke up at 7:30 AM. Crazyyy!

The next morning, while waiting for the taxi, lamer managed to exploit daemon01 (reverse CRC32 and buffer overflow). All of our exploits were coded by lamer with his excellent Python framework.

Day 2 - 06/09

The game started at 11:00 AM and ran smoothly.

Day 2 was more exciting. We continued to lead from the beginning by submitting crackme2 and capturing flags from other servers. The organizer also sent out fixed binaries for daemon05 and daemon07.

After 2 hours, we had raked in lots of points for flags captured from daemons 1, 2, 4 and 7. According to the detailed score log, we should have gained breakthrough points for 5 daemons (daemon08 later) instead of the 4 displayed on the official scoreboard, and Padocon (from Korea) would have had no breakthrough. We guessed they had just replayed our exploits. And maybe other teams did the same. We raked in more than 3000 points while the next closest team had 700.

After that, we settled down to work on daemons 3, 6 and 8. At 2:00 PM, the organizer sent out crackme3 and the source code of daemon08. sieukhung cracked crackme3 in half an hour and we earned many bonus points (800). Right after that, lamer finished his work on daemon08 and we got the breakthrough for it. We decided to take a break and have lunch with McDonald's hamburgers (thanks BlueMood and Valmont for your support). We intended to give up on daemons 3 and 6 and play bzflag (hey, they had a crowded bzflag server there) until the game ended.

But WsLabi (from Switzerland) managed to decode daemon03 and got the breakthrough for it. They also ran exploits for other daemons and earned many offensive points. We felt their hot breath when their offensive score was just one flag behind ours. I thought there was something wrong with our exploits and reviewed them. We found out that the exploit for daemon04 was getting stuck on blocking socket behavior. We changed it and got more points.

Team Army Strong had the best defensive score at that time and it seemed we could not get valid flags from them. When trying to run the exploit for daemon08 against Army Strong, I found that the first byte of the flag changed from time to time. It inspired us to write a brute force script to submit to the score server, and with just a few Python loops we successfully captured their flag (thank you Army Strong for this inspiration ;)).

Some of our exploits were not really stable (e.g. daemon07): the flag data was sometimes 40 bytes or more instead of the fixed 20-byte flag length. We modified the above brute force script to submit flags of any size and raked in more points. By 4:30 PM the organizer had set new flags for some daemons (they set new flags only once on day 2) and we easily gained more offensive points with our scripts.
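Two of the problems above, an exploit that returns 40+ bytes merely containing the 20-byte flag and a submission loop that hangs on a blocking socket, come up in every attack-defense CTF. As an added example (not code from the original post or from lamer's framework), the Python below slides a flag-length window over noisy output to collect every distinct candidate, then submits each one once through a function built on a socket with a timeout, so one stalled connection cannot block the rest. The flag alphabet (lowercase hex), the score-server wire protocol and the host/port/team values are assumptions; the noisy buffer and the stand-in score server are constructed so it runs offline.

```python
"""Flag handling for unstable exploit output (added example, not the
team's framework). The flag alphabet (lowercase hex) and the score-server
protocol ('team flag\\n' -> 'OK') are assumptions."""
from __future__ import annotations

import re
import socket
from typing import Callable, Iterable

FLAG_LEN = 20  # fixed flag length stated in the report
FLAG_RUN = re.compile(rb"[0-9a-f]{%d,}" % FLAG_LEN)  # ASSUMED flag alphabet


def extract_candidates(data: bytes, flag_len: int = FLAG_LEN) -> list[bytes]:
    """Return every flag-length window inside each run of flag-alphabet
    bytes, in order of appearance, without duplicates. An exploit that
    returns extra bytes around the flag still yields the real flag as one
    of the windows."""
    seen: set[bytes] = set()
    out: list[bytes] = []
    for m in FLAG_RUN.finditer(data):
        run = m.group(0)
        for i in range(len(run) - flag_len + 1):
            cand = run[i:i + flag_len]
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def submit_all(candidates: Iterable[bytes],
               submit: Callable[[bytes], bool]) -> list[bytes]:
    """Submit each candidate once and return the accepted ones. A timeout
    or connection error on one attempt must not stall the whole batch
    (the blocking-socket failure described in the report)."""
    accepted: list[bytes] = []
    for cand in candidates:
        try:
            if submit(cand):
                accepted.append(cand)
        except OSError:  # socket.timeout is a subclass of OSError
            continue
    return accepted


def make_tcp_submitter(host: str, port: int, team: str,
                       timeout: float = 2.0) -> Callable[[bytes], bool]:
    """Build a submit() that talks to a score server with a socket timeout.
    Hypothetical wire protocol: send b'team flag\\n', expect a reply
    starting with b'OK'."""
    def submit(flag: bytes) -> bool:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)  # also bounds recv(), not just connect()
            s.sendall(team.encode() + b" " + flag + b"\n")
            return s.recv(64).startswith(b"OK")
    return submit


# Constructed sample: the real flag sits inside a longer, noisy response.
REAL_FLAG = b"0123456789abcdef0123"
NOISY_OUTPUT = b"\x00\x00\xff" + b"deadbeef" + REAL_FLAG + b"cafe" + b"\r\n"


def demo_submit(flag: bytes) -> bool:
    """Stand-in score server for the offline demo: accepts only the real flag."""
    return flag == REAL_FLAG


def demo() -> list[bytes]:
    """Extract candidates from the constructed output and submit them all."""
    return submit_all(extract_candidates(NOISY_OUTPUT), demo_submit)


if __name__ == "__main__":
    print(f"candidates: {len(extract_candidates(NOISY_OUTPUT))}")
    print(f"accepted: {demo()}")
```

With a real score server the demo_submit stand-in is replaced by make_tcp_submitter(host, port, team); keeping the network call behind a plain callable is what makes the extraction logic testable offline, and the per-candidate exception handling is what the team's daemon04 fix amounted to.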

When there were only 30 minutes left, the organizer announced bonus points for (brief) write-ups of the crackmes and daemon exploits. It was quite a rush. We decided to shut down the server, because the score server no longer checked for defensive things, and focus on the write-ups. We submitted write-ups for all the challenges we solved and got more than 1000 bonus points.

Finally, we won 1st place with a total of 8900 points, with the best offensive score (5280), second-best defensive score (510) and highest bonus (3110). WsLabi won 2nd place with a total of 5540 points and Padocon came next with 3165.

Conclusion

  • The CTF this year was very interesting and attracted a lot of people (though it started late, as usual)
  • Some teams had more than 3 players (4 to 6) and played in turns. It is more fun this way.
  • The best defensive strategy is to keep the daemons running and modify nothing.
  • Because the defensive score is far lower than the offensive score, a "good" defensive strategy is to remove read permission from the flags so that no other team can get them. The "best" defensive strategy is to follow Army Strong.
  • Capturing then replaying is a good offensive strategy and can help a team win if they do it effectively.
  • python rox!
  • A team must plan and prepare well to get a good result.

Credits

To all vnSecurity members

More detailed write ups will be posted at http://www.vnsecurity.net.

Saturday, September 08, 2007

HITBSecConf2007 Kuala Lumpur Capture the Flag is over!

The HITBSecConf2007 Kuala Lumpur Capture the Flag game has ended; team SaoVang of the VNSECURITY group won first place, with WsLabi (Switzerland) and Padocon (Korea) taking second and third. The organizers' coverage can be read here, and here, and the detailed scoreboard has also been published at http://ctf2007.security.org.my/. The Tuổi Trẻ online newspaper was also quick to run a story. I still haven't recovered from the non-stop journey by train, on foot and by plane across Malaysia-Singapore-Vietnam, so I won't go into the technical details of the competition, just a few side stories from the CTF.

The start of the game was delayed because the organizers hadn't finished setting up the teams' servers and the score server; the competition was pushed back from 10:30 to 14:30 (had we known earlier, we would have used the morning to visit the Petronas Twin Towers), which left the teams restless, running in and out or sitting sprawled on the floor with laptops open to prepare or to play games.

Some teams went in early to set up their equipment, which made the other teams uneasy. Because of the late start, on the first day (which lasted about 3 hours) the teams only had time to prepare their servers and analyze the daemons a little; the score server was buggy, so the scores came out wrong all over the place.

Preparing for a CTF isn't just about software and strategy; you have to prepare hardware too. Taking part for the first time, some teams (SaoVang, WsLabi) were sure the organizers would provide a switch for each team to plug their laptops into, but on arrival they could only groan at finding a single lone network cable on the table. On top of that, power outlets in Malaysia are all the 3-pin type; without an adapter you're stuck, and we had to borrow the universal adapters of BlueMood and Luois to cover all 3 of the team's laptops. Other teams that had taken part before came with quite "heavy-duty" hardware: maeT t1n@cs (a play on words by the ScanIT Team) had barely arrived before dropping a 24-port Nortel switch and a whole bundle of network cables on the table, and Army Strong likewise put a switch and a wireless access point on the table and laid out their cabling right away. It was lucky the first day was only 3 hours of play; otherwise a team of 3 would have had only 1 person on the network.

A CTF team is only allowed 3 people at the table, but in practice some teams had ... extra players sitting outside the game zone, running in and out to swap places or to debug/reverse offline. There were also some "spies" wandering around to see what each team had managed, so they could go back and tip off their own team. As a result the area outside the game zone was very lively and noisy; Team SaoVang was seated at the far end, so we were bothered less. These "spies" also snagged the root password (which the organizers had set far too poorly ;)) before crackme1 was solved (which is when the password was announced).

After receiving the symbolic plaque for the 3,000 USD prize, the whole group had to rush home to catch the train back to Singapore, so we don't know where the prize money is now :) since the organizers haven't contacted us at all yet. Next time we'll probably have to fly direct (with sponsorship? ;)) to make it less exhausting.

The lesson is that to have a chance of winning a CTF you must prepare fully: strategy, software (NamNT's tool beat every other opponent in speed of writing exploits, speed of submitting captured flags to the score server, and ability to prevent flags from being taken; team SaoVang didn't lose a single flag to an opponent thanks to this tool), hardware (switch, network cables, power sockets, universal adapter), morale and also physical stamina (to fight for 2 days and possibly the whole night).