ShmooCon 2017 CTF

February 4, 2017
Events

by Matt Barber, Alex Wilson, and Jonathan Smith of our newly formed and amazing CTF team.

Along with an exciting and fun time at our booth, ShmooCon 2017 gave our newly formed CTF team its first opportunity to compete in a CTF. The event was an individual competition, so the team could not collaborate as much as we would have liked, but everyone was able to solve the challenges that interested them. We all competed for most of the weekend.

The Kaizen ShmooCon CTF event was a Jeopardy-style CTF comprising 14 challenges. At least one of us solved all of them except three (Heapy, Diet, and 1337cafe). Additionally, we were the only ones we know of to complete Don’t Need No Blocks, Start Your Engines and Joy. If you would like to use this blog and attempt the challenges yourself, they can be found on the Kaizen website!

Instead of boring you with paragraph after paragraph, we have condensed our experiences, thoughts and lessons learned into a more interesting outline! We are not posting the exact solutions or methodologies of how to solve each challenge, but rather offering some commentary you might find entertaining. Enjoy!

Overall Lessons Learned:

– Read the rules instead of relying on word-of-mouth.
– Get a food runner / schedule food times / bring snacks and silverware.
– Coffee … lots of coffee. No but seriously. (Except for Alex. He doesn’t like coffee. I’m not even sure he’s a real hacker.)
– Bring a router/equipment.
– Ensure internet connectivity (hotel Wi-Fi, as it turns out, isn’t very good).
– Update Virtual Machines beforehand.

Thoughts and Commentary for the event:

Matthew: Physically being at ShmooCon actually didn’t play much of a part; this would have been nice to know ahead of time, because I think we could have done a lot better at home or in the lab. This being my first CTF, I wasn’t really sure what to expect, but it was fun to see the variety of skills the challenges required. The team learned a lot and I think we know what we can do to improve. Time will tell; let this be the first win of many!

Alex: I had a great time! We need to schedule regular self-feedings though if we do this again; you guys are more stubborn than I am! I’ve decided I definitely enjoy the “Jeopardy” style of CTFs. Attack & Defend will be a whole ‘nother beast though, that’s for sure.

Jon: Unfortunately, I had just attended MAGfest the weekend prior to this and came down with MAGflu, so I was pretty sick half of Friday and all of Saturday. Despite that, this CTF was a lot of fun compared to one of the other ones I had participated in before this. And the challenges were all technical, too, as opposed to the last CTF I was in (ShakaCon, which was also pretty fun) which had a heap of hacker trivia thrown in, too. This made it easier for me to focus instead of having to exercise Google-fu for obscure references like the account number they displayed in the movie Hackers.

The Challenges:

QR Mania (200 pts)

Description: 5,000 PNG images of QR codes, with the flag hidden in one of them
Hint: “I hid the flag in a QR code but now I can’t remember which file it was in. Please help me find the flag!”
Challenge: Finding the correct tool to do the job en masse

Thoughts and Commentary:

Matthew: There were so many images that it was quite clear scanning them one by one was not an option. Quick searches for scripting-language libraries proved fruitful.
Alex: While that and some basic scripting knowledge was almost all that was needed, it turned out that the library that I tried to use was trivially broken. The fix was simple, but having the courage to do it might be more daunting than the puzzle for those that were truly new to CTF.
Jon: I don’t really like Python so I didn’t even want to do this one. Especially based on the hint.

Lessons Learned: There are QR tools for Python? 😛 Google is your friend
Tools Used: Python

My Cool Wallpaper (400 pts)

Description: AES ECB encrypted bitmap file; decrypt it to view the image containing the flag
Hint: “My forgetful coworker keeps his password as his wallpaper on his FHD monitor, but he encrypts all his files! I managed to grab an encrypted copy of his wallpaper last night, can you crack it?”
Challenge: Getting the resolution right; replacing the BMP header

Thoughts and Commentary:

Matthew: This one was extremely interesting. You must know the concepts of various encryption ciphers and modes, their weaknesses, and the BMP file format. The hint is truly what got us to the finish line.
Alex: Turned out that decrypting the entire BMP wasn’t even necessary! I thought that was cool.
Jon: The repeating data in the file was a pretty big hint. I knew I wouldn’t be able to decode the actual encryption key, but being able to actually see the flaw in ECB cipher mode with my own eyes was pretty cool.

Lessons Learned: The BMP header
Tools Used: HxD, Paint, brains.

Archives (500 pts)

Description: Three uncompressed “archives”; get the md5sum of flag.bin
Hint: “We think these files we found are archive files, but we don’t have an extractor. Analyze these files and find the MD5 hash of flag.bin.”
Challenge: Identifying that the archives were uncompressed and not trying to repair them; reverse engineering non-standard file headers

Thoughts and Commentary:

Matthew: This one really tested knowledge of file formats and hex editing abilities. VERY fun.
Alex: I thought it was more “easy” than “fun”, personally. I think this one was worth too many points; it didn’t test analytic thought processes nearly as much as some of the others. Kudos to the designers on thinking up a “pure” challenge that didn’t require any programming knowledge, though!
Jon: I love binwalk.

Lessons Learned: Don’t overthink it. Get a good view of the problem space before starting.
Tools Used: HxD, Hexeditor (Linux)

Blood Lizard (500 pts)

Description: PNG image with a second PNG hidden inside it; rip out the second image to get the flag
Hint: “You have to rip up a blood lizard before you can take on a blood dragon.”
Challenge: Identifying the chunks of data that do not belong in the image and extracting them

Thoughts and Commentary:

Matthew: Having the right tools in your arsenal really makes all the difference. We spent a lot of time trying to crack this one by hand, knowing what needed to be done; in the end, Google got us to the right tools for the job.
Alex: Having read the PNG spec closely enough after coming across this problem allowed us to recognize a pattern that they were using here. Being able to figure out what was going on quickly was definitely a prerequisite for this one.
Jon: Did I mention I love binwalk?

Lessons Learned: Find the right tool for the job. A lot of free Linux hex editors are terrible.
Tools Used: HxD, GIMP, pngsplit
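The chunk-level view that Blood Lizard calls for, as an added example that is not the challenge's or the team's code: a standard-library-only PNG chunk walker that lists every chunk, checks the CRC each chunk carries, flags chunk types the PNG specification does not define, reports bytes left over after IEND, and carves out any second PNG whose signature appears later in the file. The images it runs on are constructed inline (a one-pixel PNG appended to a four-pixel carrier that also has a made-up private chunk `prVt`); `STANDARD_CHUNKS` lists the chunk types from the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is private or bogus
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME",
}


def encode_chunk(ctype, data):
    """Serialize one chunk: big-endian length, 4-byte type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, rgb, extra_chunks=()):
    """Constructed test input (not a real capture): a minimal 8-bit RGB PNG of one solid colour."""
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunks = [(b"IHDR", ihdr), *extra_chunks, (b"IDAT", zlib.compress(raw)), (b"IEND", b"")]
    return PNG_SIG + b"".join(encode_chunk(t, d) for t, d in chunks)


def parse_png(blob, start=0):
    """Walk the chunk list beginning at `start`. Returns (chunks, end_offset) where each chunk is
    (offset, type, data, crc_ok). Stops after IEND, or earlier if the data is truncated."""
    if blob[start:start + 8] != PNG_SIG:
        raise ValueError("no PNG signature at offset %d" % start)
    pos, chunks = start + 8, []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            break  # length field points past the end of the file: truncated or corrupt
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        chunks.append((pos, ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def find_anomalies(blob):
    """Report what does not belong in a plain image: non-standard chunk types, bad CRCs, trailing bytes."""
    chunks, end = parse_png(blob)
    report = []
    for off, ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            report.append("unknown chunk %s at offset %d (%d bytes)" % (name, off, len(data)))
        if not crc_ok:
            report.append("bad CRC on %s at offset %d" % (name, off))
    if end < len(blob):
        report.append("%d trailing bytes after IEND" % (len(blob) - end))
    return report


def carve_pngs(blob):
    """Return every complete PNG whose signature appears after offset 0, whether it was
    appended after IEND or stuffed inside a chunk's data."""
    found, pos = [], blob.find(PNG_SIG, 1)
    while pos != -1:
        chunks, end = parse_png(blob, pos)
        if chunks and chunks[-1][1] == b"IEND":
            found.append(blob[pos:end])
        pos = blob.find(PNG_SIG, pos + 1)
    return found


if __name__ == "__main__":
    inner = build_png(1, 1, (255, 0, 0))  # the hidden image
    outer = build_png(4, 4, (0, 0, 255), [(b"prVt", b"not in the spec")]) + inner  # carrier + appended PNG
    for line in find_anomalies(outer):
        print(line)
    for i, png in enumerate(carve_pngs(outer)):
        print("carved PNG #%d: %d bytes, matches hidden image: %s" % (i, len(png), png == inner))
```

Run against a real file, `find_anomalies` is the triage step (what is odd about this image?) and `carve_pngs` the extraction step; a hex editor is then only needed for the cases where the hidden data is not itself a well-formed PNG.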

Don’t Need No Blocks! (300 pts)

Description: Compiled Go web app; craft a cookie to log in as admin to get the flag
Hint: “Blocks? We Don’t Need No Stinkin’ Blocks! Login as the admin user to get the flag.”
Challenge: New language, reversing the cookie encryption method

Thoughts and Commentary:

Matthew: This one was both fun and extremely frustrating at the same time. It incorporated a lot of different knowledge sets with a language that none of us were familiar with.
Alex: Knowing about AES in CTR mode beforehand would have made this one pretty simple, I think. Not knowing about AES in CTR mode beforehand meant that I did a lot of research here. It was definitely the problem that I learned the most from. I didn’t actually learn much Go, though; mostly I just fiddled with the supplied source code. Don’t let an unknown language intimidate you – it might not even be relevant for the answer. Knowing Go definitely wasn’t needed for this one!
Jon: The coolest thing about this one was learning that 1) AES was capable of being used as a stream cipher, and 2) it isn’t a whole lot better than using the ECB cipher mode.

Lessons Learned: All about AES
Tools Used: Python, Go compiler, web browser with cookie editing
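The wallpaper challenge and this one both come down to how a block cipher mode is used, so here is one added example covering both; it is not code from Kaizen or from the team. Python's standard library has no AES, so the block cipher is a constructed four-round Feistel stand-in built on HMAC-SHA256 (keyed and invertible, but not AES and not secure; only the mode behaviour matters here). The first half encrypts a constructed 5x5 "wallpaper" in ECB mode and reads the picture straight out of the ciphertext without the key, which is why decrypting the whole BMP was not necessary. The second half shows the two CTR properties the commentary describes: a flipped ciphertext byte flips exactly the same plaintext byte, and a reused nonce makes the XOR of two ciphertexts equal the XOR of the plaintexts. `seal` and `unseal` then show the standard fix, encrypt-then-MAC with a separate MAC key and a constant-time tag check before anything is decrypted. The key, nonce, `IMAGE` and messages are all made up.

```python
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Round function: keyed PRF over (round number, half block), truncated to 8 bytes
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key, block):
    """Constructed 4-round Feistel cipher standing in for AES. It is NOT AES and NOT secure;
    it is just a keyed, invertible 16-byte permutation, which is all ECB and CTR require."""
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


# --- ECB: each 16-byte block is encrypted on its own, so equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(key, data):
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return b"".join(toy_decrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


# Constructed 5x5 "wallpaper": one block per pixel, '#' = 16 bytes of 0xff, '.' = 16 bytes of 0x00
IMAGE = ["#...#", ".#.#.", "..#..", ".#.#.", "#...#"]


def image_to_blocks(image):
    return b"".join((b"\xff" if ch == "#" else b"\x00") * BLOCK for row in image for ch in row)


def ecb_sketch(ciphertext, blocks_per_row):
    """Recover the picture from ECB ciphertext WITHOUT the key: give each distinct ciphertext
    block a symbol in order of first appearance and lay the symbols out in rows of the image width."""
    symbols, picture = {}, []
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    for start in range(0, len(blocks), blocks_per_row):
        row = blocks[start:start + blocks_per_row]
        picture.append("".join(symbols.setdefault(b, "#.+*@"[len(symbols)]) for b in row))
    return picture


# --- CTR: the cipher only produces a keystream; ciphertext = plaintext XOR keystream, with no integrity at all.
def ctr_crypt(key, nonce, data):
    """nonce: 8 bytes. The same call encrypts and decrypts."""
    stream = b"".join(toy_encrypt_block(key, nonce + ctr.to_bytes(8, "big"))
                      for ctr in range((len(data) + BLOCK - 1) // BLOCK))
    return _xor(data, stream)


def flip_bytes(ciphertext, offset, delta):
    """Edit CTR ciphertext without the key: XOR-ing ciphertext bytes XORs the same plaintext bytes."""
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


# --- Fix: encrypt-then-MAC with a separate MAC key, verify before decrypting, never reuse a nonce.
def _mac_key(key):
    return hmac.new(key, b"mac-subkey", hashlib.sha256).digest()


def seal(key, nonce, data):
    body = nonce + ctr_crypt(key, nonce, data)
    return body + hmac.new(_mac_key(key), body, hashlib.sha256).digest()


def unseal(key, token):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(_mac_key(key), body, hashlib.sha256).digest(), tag):
        return None  # tampered or forged: refuse to decrypt anything
    return ctr_crypt(key, body[:8], body[8:])


if __name__ == "__main__":
    key = b"sixteen byte key"
    ct = ecb_encrypt(key, image_to_blocks(IMAGE))
    print("\n".join(ecb_sketch(ct, 5)))  # the picture, read straight out of the ciphertext
    nonce, msg = b"\x00" * 8, b"Blocks? Who needs them?"
    c = ctr_crypt(key, nonce, msg)
    delta = _xor(b"Blocks?", b"Streams")
    print(ctr_crypt(key, nonce, flip_bytes(c, 0, delta)))  # b'Streams Who needs them?'
    print(unseal(key, flip_bytes(seal(key, nonce, msg), 8, delta)))  # None
```

The design point on the CTR side is that confidentiality and integrity are separate properties: a stream cipher keystream gives the first and nothing of the second, so any value a client can hand back (a cookie, a token) needs a MAC or an AEAD mode such as AES-GCM, and the tag must be checked before the plaintext is ever looked at.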

Pickled Beets (100 pts)

Description: Python pickle deserialization vulnerability; get a remote shell and cat the flag file on the remote system
Hint: “I’m a big fan of beets, so I made an application so people could send me their best beets.”
Challenge: Python + Pickle

Thoughts and Commentary:

Matthew: I’ve never been a big fan of Python, but I did have some knowledge here; the trick to this one honestly was experience with Python and pickle.
Alex: … and using the right search terms. I spent longer than necessary trying to get Python to generate the right pickle strings for me before I gave up and looked for “python pickle shellcode”.
Jon: Why does serialization in Python require the use of a domain-specific language?

Lessons Learned: Google is your friend, seriously
Tools Used: Python and Google
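For the beet application's bug class, an added example from the defender's side (not Kaizen's challenge code): two layers for any service that has to accept pickle data from outside. `scan_pickle` disassembles a pickle with `pickletools.genops` without executing it and lists the opcodes that can import or call code; `RestrictedUnpickler` overrides `find_class` to refuse every global lookup, which is the pattern the Python `pickle` documentation itself describes for restricting globals. The inputs are constructed in `make_samples`: a data-only dict, and a pickle that merely names the builtin `len`, used as a benign stand-in for pickles that resolve code on load.

```python
import io
import pickle
import pickletools

# Opcodes that can import a name or call one. A pickle that carries only data
# (dicts, lists, strings, numbers) never needs any of these.
CODE_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
            "BUILD", "EXT1", "EXT2", "EXT4"}


def scan_pickle(data):
    """Static triage without running anything: which code-capable opcodes does the pickle use?
    Returns a sorted list (empty means data-only) or ['MALFORMED'] if it does not disassemble."""
    try:
        return sorted({op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_OPS})
    except Exception:
        return ["MALFORMED"]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. pickle resolves callables by (module, name) and calls them
    during load; overriding find_class is where that resolution can be stopped."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("refusing to resolve %s.%s from untrusted pickle" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_loads(data):
    """Both layers together. Returns (True, value) for data-only pickles, (False, reason) otherwise."""
    hits = scan_pickle(data)
    if hits:
        return False, "rejected by scan: %s" % ", ".join(hits)
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, "rejected by loader: %s" % exc


def make_samples():
    """Constructed inputs: a data-only submission, and one that merely names a builtin (a benign
    stand-in for the class of pickle that resolves and calls code on load)."""
    return pickle.dumps({"name": "golden beet", "rating": 5}), pickle.dumps(len)


if __name__ == "__main__":
    beet, names_code = make_samples()
    print(safe_loads(beet))        # (True, {'name': 'golden beet', 'rating': 5})
    print(safe_loads(names_code))  # (False, 'rejected by scan: STACK_GLOBAL') with protocol 4 or later
    print(pickle.loads(names_code) is len)  # True: the stock loader resolves it without complaint
```

Data that only ever needs dicts, lists and strings is better sent as JSON in the first place; the restricted loader is for the cases where pickle is already the wire format and cannot be changed quickly.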

CS101 (200 pts)

Description: Binary with a buffer overflow, with source; exploit it to get a remote shell and cat the flag file on the remote system
Hint: “My professor made us learn some simple algorithms for my CS101 class, so I thought I would share it with you! We didn’t go over secure coding yet, so there might be a bug.”
Challenge: The overflow input was reversed

Thoughts and Commentary:

Matthew: This one is just about as basic as an overflow can get.
Alex: The string reversing was a nice touch, though.
Jon: I do like buffer overflows. No matter how basic. It’s all about balancing both sides of the equation.

Lessons Learned: gdb is still clunky
Tools Used: gdb

Start Your Engines! (200 pts)

Description: Binary with a buffer overflow, with source and DEP enabled; exploit it with ROP to get a remote shell and cat the flag file on the remote system
Hint: “I think this challenge is easy, do you?”
Challenge: ROP chaining with a limited number of ROP Gadgets

Thoughts and Commentary:

Matthew: Ahh, ROP chains, this is my love. The comments in the source code lay out the attack for you fairly easily; the trick is finding the right gadgets in the right order. I usually ROP against Windows targets, so an ELF binary was truly refreshing.
Alex: I still have nightmares about this one. I think either we made it harder than it needed to be, or the point values for this one and “Archives” were swapped 🙂
Jon: These were not the ROP chains I’m used to. Good to know there’s still more out there to learn.

Lessons Learned: ROP can make calls to full functions without altering the stack or key registers
Tools Used: Python, gdb, edb

Heapy (300 pts)

Description: Binary without source; exploit an unknown vulnerability (expected to be a heap overflow) and cat the flag file on the remote system
Hint: “Other CTF competitions have custom heap challenges with trivial overflows. Here at Kaizen, we ensure that our custom heaps contain 0% overflowable buffers.”

Thoughts and Commentary:

Matthew: This one we all assumed was some sort of heap vulnerability; with none of us particularly experienced in that area, we left this one for dead last. It will be fun to see what we can do with it when we have some time to study up.
Alex: Yeah, you guys said “heap overflow” and so I didn’t even look at it!
Jon: Indeed. This is an area where I certainly need more practice. Although looking at the binary, it looks like it might actually be an arbitrary write vulnerability instead of a heap overflow. I wish I had taken a closer look at it while the competition was happening.

NOTE: We were unable to complete this challenge in time.

Diet (400 pts)

Description: Binary without source; exploit an unknown vulnerability and cat the flag file on the remote system
Hint: “Diet and exercise are the keys to a small executable.”

Thoughts and Commentary:

Matthew: This one was one of the ones that we pushed to the end; without source code, time that would have been spent finding the vulnerability was just time we didn’t have.
Alex: Interestingly, I wound up prioritizing things I didn’t know anything about rather than things I knew would be difficult. Weird, right?
Jon: Again, maybe I’ll give this one a closer look when I get more free time.

NOTE: We were unable to complete this challenge in time.

1337cafe (500 pts)

Description: Binary without source; exploit an unknown vulnerability and cat the flag file on the remote system
Hint: “Bob, Alice, and Eve decided to set aside their differences and open up a cafe. The authentication scheme looks solid on paper but they aren’t used to coding in C…”

Thoughts and Commentary:

Matthew: This one, like Diet, was one that we just needed more time for. With the number of challenges available, we had to prioritize what we could beat in the shortest amount of time.
Alex: I poked around the input on this one a little bit. Nothing jumped out and bit me.
Jon: Like what has already been said, we could have done this one if we had more time and I wasn’t sick. The vulnerabilities were visible; it’s just that they had to be put together in a very specific order with very specific timing.

NOTE: We were unable to complete this challenge in time.

There Can Only Be One (100 pts)

Description: Python lambda one-liner; figure out the password to get the flag
Hint: “Find a password that the program accepts.”
Challenge: Incredible numbers of lambdas; eye-gougingly painful to read

Thoughts and Commentary:

Matthew: I already said how I don’t care for Python, right? This one just made me cringe.
Jon: This one just felt like Javascript malware. Except in Python.

Lessons Learned: Google is your friend
Tools Used: Chrome, Python, calc.exe

Loud (200 pts)

Description: Windows executable without source; figure out the password to get the flag
Hint: “Quit being so loud!”
Challenge: None

Thoughts and Commentary:

Matthew: Yay! Another crypto challenge!
Alex: You know what? I don’t even remember what this one was about. Oops! Next time I should take a lesson from Dr. Jones, Senior and “write it down so I don’t have to remember”, I suppose.
Jon: The ubiquitous XOR. I love writing decryptors for these things and having the flag just appear in my console window when I run it.

Lessons Learned: Don’t use XOR
Tools Used: IDA and Visual Studio
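The lesson "Don't use XOR" in working code, as an added example that is neither the team's decryptor nor anything from the challenge binary: a repeating-key XOR where a short stretch of known plaintext at a known offset hands back the keystream bytes, the repetition inside that keystream reveals the key length, and the key is reassembled from the offset. `make_sample` builds the input; the message and the 4-byte key b'LOUD' are constructed, since the real challenge's key and data are not on the page.

```python
def xor_bytes(data, key):
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_at(ciphertext, known, offset):
    """Known plaintext at a known offset gives the keystream bytes used there: k = c XOR p."""
    return bytes(c ^ p for c, p in zip(ciphertext[offset:offset + len(known)], known))


def candidate_key_lengths(ciphertext, known, offset=0, max_len=32):
    """A repeating key repeats: for the right length n, keystream byte i equals byte i + n.
    Only lengths shorter than the known text are testable, and multiples of the true length pass too."""
    ks = keystream_at(ciphertext, known, offset)
    return [n for n in range(1, min(max_len, len(ks) - 1) + 1)
            if all(ks[i] == ks[i + n] for i in range(len(ks) - n))]


def recover_key(ciphertext, known, offset, keylen):
    """Slot the keystream bytes into key positions by (offset + i) mod keylen.
    Positions the known text never reaches stay None."""
    key = [None] * keylen
    for i, k in enumerate(keystream_at(ciphertext, known, offset)):
        key[(offset + i) % keylen] = k
    return key


def decrypt_with_known(ciphertext, known, offset=0):
    """The whole decryptor: take the shortest consistent key length, rebuild the key, decrypt.
    Returns None when the known text is too short to pin the key down."""
    lengths = candidate_key_lengths(ciphertext, known, offset)
    if not lengths:
        return None
    key = recover_key(ciphertext, known, offset, lengths[0])
    if None in key:
        return None
    return xor_bytes(ciphertext, bytes(key))


def make_sample():
    """Constructed input: a message 'protected' with the 4-byte key b'LOUD' (not the challenge's data)."""
    msg = b"Quit being so loud! XOR with a short key is obfuscation, not encryption."
    return msg, xor_bytes(msg, b"LOUD")


if __name__ == "__main__":
    msg, ct = make_sample()
    print(candidate_key_lengths(ct, msg[:12]))      # [4, 8]
    print(bytes(recover_key(ct, msg[:12], 0, 4)))  # b'LOUD'
    print(decrypt_with_known(ct, msg[:12]))        # the full message
```

Twelve bytes of known plaintext were enough here because the key is four bytes long; in general the known text has to cover every key position at least once, and any fixed header or format string in the protected data usually does.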

Joy (300 pts)

Description: Linux executable (highly optimized) without source; figure out the password to get the flag
Hint: “I’m so chock full of joy, I can’t wait to let you in!”
Challenge: Binary was stripped, statically linked and highly optimized, making reverse engineering difficult

Thoughts and Commentary:

Matthew: This one was all about narrowing down and identifying functions. Lots of reverse engineering. Oh, and bring IDA, she’s a pro!
Alex: After Jon had a good idea of what the primary functions did, I was able to deduce the properties of the password, so it only took me three tries to guess it. Now, that’s what you call “targeted fuzzing”!
Jon: One of the most important things to do when dealing with statically linked, stripped binaries is to identify the leaf functions. I didn’t have any FLIRT signatures so it took some manual digging. And then remembering that atoi() doesn’t do any error checking. And then realizing this would have been easier with a debugger instead of just pure static analysis.

Lessons Learned: Identify Standard functions as soon as possible
Tools Used: IDA, then more IDA, some IDA, and Python