InCTF (First Round Questions)


Description

InCTF, a Capture-The-Flag style contest, is to be viewed as a security exercise which provides an opportunity to learn the fundamentals of Information Security and put them into practice.

Transcript of InCTF (First Round Questions)

  • InCTF 2015

    First Round Question

    Welcome to the first round of InCTF 2015. All the tasks listed here are mandatory unless specified otherwise, and will be evaluated and graded. The grade obtained will be counted to decide the final winners. You can work as a team in such a way that each team member focuses on a particular area (like web, reversing or binary).

    These exercises will be a great help for beginners who have no prior experience in participating in Capture the Flag (CTF) security competitions. So, beginners, make sure that you complete all the tasks.

    You need to document your work, which can be done in LaTeX. The documents should be submitted in PDF format.

    Getting Started !!!

    In order to make your participation exciting, it would be great if you can familiarize yourself with the Linux environment. The first step towards that would be to try and install a Linux operating system on your machine (any flavour of Linux like Ubuntu, Fedora etc. will do). Don't worry if you have not installed an operating system before; now is your chance to do it. If you are worried that you will crash your computer, you can try the installation on a virtual machine: download virtual machine software and install it on your computer, and it will provide a virtual environment where you can try the operating system installation. Do read more about virtual machines; it will be of great help, and Google is your friend for finding the right resources.

    Once you have installed a Linux operating system on a virtual machine or a real machine, you next need to learn how to use it. Linux commands give access to the various features of the Linux operating system and make it easy to interact with it. You need not memorize every Linux command, but you should make yourself familiar with at least the few important ones that are commonly used, like creating a file, listing your running processes, and searching for files in a directory using grep.

    The best way to learn is by doing. Bandit from OverTheWire provides a platform to work through various Linux commands with a challenge-based approach. The challenges are distributed into various levels and you need to complete up to level 22; additional bonus points will be given to those who are able to crack all the challenges.

    A good computer security engineer is one who has mastered various computer skills. They need to understand a piece of software inside out to find the flaws and fix them. Without being a good programmer you cannot become a good computer security engineer. If you feel that you are not good at programming, don't worry: we have a set of tasks for you.

  • Programming Tasks

    1. Log in to Codecademy and start doing the Python track (this is not a mandatory task).

    2. Register yourself on Topcoder and do the following SRMs:

    a. SRM-147: Caesar Cipher
    b. SRM-249: Chat Transcript
    c. SRM-405: Falling Factorial Power
    d. SRM-425: Inverse Factoring
    e. SRM-470: Linear Travelling Salesman
    f. SRM-484: Number Magic Easy
    g. SRM-505: Sentence Capitalizer Inator
    h. SRM-506: Slime X Slime Rancher 2
    i. SRM-519: WhichDay
    j. SRM-526: 5 Magic Stone Stores
    k. SRM-529: Pairing Pawns
    l. SRM-537: KingXNewBaby
    m. SRM-542: Working Rabbits
    n. SRM-546: Contest Winner
    o. SRM-548: Kingdom And Ducks
    p. SRM-551: Colorful Bricks
    q. SRM-557: Great Fairy War

    Register yourself on the Topcoder website and then download the Topcoder arena to work on the SRM questions. The challenges are from DIV 2 of the SRMs and are quite simple, even though it will take a while to solve the first problem.

  • Web Application Security

    Welcome to Web Application Security. To make yourself good at web application security concepts you need to complete the following exercises.

    Task 1: This task is for those who don't have any prior experience with web application development. In order to better understand web application security concepts, you need to know how to develop a good web application. Don't worry if you have not made one; there are lots of resources which will help you learn. Go to Codecademy and complete the following tracks on PHP, JavaScript and HTML. The estimated time to complete these tracks is 21 hours, and they will give you the basic knowledge needed to develop a web application.

    Task 2: Web applications use a database to store their data, and it is important to have a basic understanding of databases. Security vulnerabilities like SQL injection are related to databases, and without understanding them you will find it hard to understand injection attacks on web applications. Complete the following SQL tasks to get a basic understanding of Structured Query Language, which is used to query databases.

    Task 3: You need to complete a few tasks from Natas on OverTheWire, which will teach you some basic server-side web security. There are a total of 23 levels; you need to complete at least 10 levels, and each additional level completed will be awarded bonus points.

    Task 4: Read about the OWASP Top 10 web application security vulnerability list.

    Task 5: Now you are good with some of the top web application security vulnerabilities. But theoretical knowledge alone will not help; you need to practise a few challenges from root-me.org. Before you start, you need to register with root-me.org.

    a. http://www.root-me.org/en/Challenges/Web-Client/
    b. http://www.root-me.org/en/Challenges/Web-Server/

    Task 6: Set up DVWA on your local machine. DVWA (Damn Vulnerable Web Application) is a web application which aids security professionals in testing their skills and tools in a legal environment. There are various skill sets that you can work on, like SQL injection, Cross Site Scripting, File Upload vulnerabilities etc. Try out each and analyse the code which has led to the vulnerabilities.

    Details regarding setup are given here: https://github.com/RandomStorm/DVWA

  • Networking Tasks

    1. Do learn the following tasks by trying them on your machine:

    a. Create a Linux virtual machine using either VMware or VirtualBox. Make sure you are able to ping between the machines. Now you need to log in to your guest machine from your host machine. How will you do that? [Hint: ssh]

    b. Now you are going to copy a file from your host machine to your guest machine. How are you going to do that? [Hint: install openssh-server on both machines and use scp]

    c. In the above two tasks, when you did ssh or scp, it prompted for a password. How are you going to log in without giving a password every time?

    d. You are asked to block access to facebook.com from your machine! How are you going to do that? Elaborate. (Hint: use iptables)

    e. Now, without using scp, how are you going to copy several files to your guest machine? Is it possible to copy the files securely? (Hint: nc, ftp, sftp)

    f. Try to capture the traffic from your machine using Wireshark. Now imagine this scenario: while capturing the traffic, all of a sudden your GUI crashed and you have access only to a controlling terminal (tty). What are the tools necessary to capture the network traffic? Explain the steps.

    2. Download the pcap and answer the questions.

    a. A fellow from SBI bank has uploaded a QR code image which contains an authentication code to access the vault. Somehow one of our secret agencies was able to intercept the traffic, which includes the QR code as well. We are now struggling to retrieve the QR image to get the authentication code. Can you help us?

    b. I deleted a confidential file which I'm supposed to hand over to my officer. But I remember transferring it two days ago to one of my office machines using an FTP client. I have captured the packets as well. Can you get the confidential file?

    c. One of our clients reported to us that they have intercepted a conversation between one of their employees and an adversary company. He is quite unclear about the employee's intention. Did he really leak any confidential information? Assuming the answer is yes, then what is the secret information transferred by the employee?

    Other Resources:

    Try to solve some of the challenges given in this link:
    http://www.root-me.org/en/Challenges/Network/

  • Binary Tasks

    Binary Exploitation: Binary exploitation is the art of bending a computer program to your will. Debuggers and disassemblers are mostly used in this task. On completing these tasks, one will be able to understand the basics of buffer overflow, format string, heap overflow and return oriented programming.

    Part 0: Weaknesses and Vulnerabilities in GNU/Linux: GNU/Linux is commonly used for program development, and InCTF expects participants to have a reasonably thorough understanding of local attacks against GNU/Linux systems.

    Tasks:

    1. Solve

    2. Solve up to level 10 in Nebula and up to level 5 in io.smashthestack.org

    Part 1: Buffer Overflow: In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety.

    Tasks:

    1. Read Aleph One's Smashing The Stack article
    2. Solve some of the Overflow challenges from 2013 picoCTF
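    The definition above, as an added example that is not part of the InCTF hand-out: a fixed-size name buffer placed directly before a privilege flag, written with an unbounded strcpy() beside a bounded version that rejects input which does not fit (the struct layout and function names are assumptions made for this illustration).

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout (constructed for the example): a fixed-size buffer that
 * sits directly before a privilege flag in memory. */
struct session {
    char name[8];   /* the buffer being written */
    int  is_admin;  /* adjacent memory that an overrun would overwrite */
};

/* Vulnerable form: strcpy() stops only at the NUL of src, so a name of
 * 8 or more characters runs past name[] into is_admin. Overrunning is
 * undefined behaviour, so this is shown but only ever called with short
 * input here. */
void set_name_unsafe(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Hardened form: measure first, refuse what does not fit (counting the
 * terminating NUL), copy only then. Returns 0 on success, -1 on rejection.
 * Rejecting is preferable to silent truncation, which hides the bad input. */
int set_name_safe(struct session *s, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof s->name)
        return -1;              /* would overrun: reject, do not truncate */
    memcpy(s->name, src, len + 1);
    return 0;
}

int main(void)
{
    struct session s = { "", 0 };
    /* constructed inputs: fits, fits exactly (7 chars + NUL), too long */
    const char *inputs[] = { "alice", "1234567", "AAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = set_name_safe(&s, inputs[i]);
        printf("%-14s -> rc=%d name=\"%s\" is_admin=%d\n",
               inputs[i], rc, s.name, s.is_admin);
    }
    set_name_unsafe(&s, "bob");   /* short input: fits, so no overrun here */
    printf("unsafe copy of short input -> name=\"%s\"\n", s.name);
    return 0;
}
```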

    Part 2: Format string attack: The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviours that could compromise the security or the stability of the system.

    Tasks:

    1. Read the white paper on Exploiting Format String Vulnerabilities from Stanford.
    2. Solve some of the Format string attack challenges from 2013 picoCTF
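    Added example, not from the InCTF hand-out or the paper it points to: the same rendering call written with the caller's text as the format string and with a literal format, plus a check for conversion specifications that can be applied where untrusted text enters a logging path (function names are assumptions for this illustration).

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form: the caller's text *is* the format string, so "%x" or
 * "%n" inside it is interpreted as a directive instead of being rendered.
 * gcc and clang flag this line under -Wformat-security; the pragma silences
 * that warning only so the contrast compiles. The warning itself is the
 * cheapest detection for this class of bug. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_unsafe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, msg);
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and msg is only ever the argument
 * to "%s", so any percent signs in it come out verbatim. */
int render_safe(char *out, size_t cap, const char *msg)
{
    return snprintf(out, cap, "%s", msg);
}

/* Input check for a trust boundary: does the text contain a conversion
 * specification? "%%" is the escaped percent sign and is allowed; a lone
 * trailing '%' is malformed and counted as a directive. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" -> literal '%', skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char out[64];
    const char *msg = "%x %n %s";   /* constructed directive-bearing input */
    render_safe(out, sizeof out, msg);
    printf("safe   : \"%s\"\n", out);
    printf("check  : directive present = %d\n", has_format_directive(msg));
    render_unsafe(out, sizeof out, "plain text");   /* benign input only */
    printf("unsafe : \"%s\"\n", out);
    return 0;
}
```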

    Part 3: Heap Overflow: A type of buffer overflow that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at runtime and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.

    Tasks:

    1. Read this blog post
    2. Solve some of the heap overflow problems in Protostar and Fusion

    Part 4: Return Oriented Programming (ROP): ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing.

    Tasks:

    1. Read this tutorial on ROP
    2. Solve some of the ROP challenges from 2013 picoCTF

  • Reverse Code Engineering Tasks

    Reverse code engineering is the art of deducing what a program does by inspecting the assembly instructions that are executed by the processor. Disassemblers and debuggers are particularly useful in this task. On completing the following tasks, you will be able to read x86 assembly code and understand what higher-level statements (e.g. conditionals, loops etc.) particular sequences of instructions correspond to. There are 3 parts: x86 assembly programming, basic reverse code engineering and slightly advanced reverse code engineering tasks. A few suggestions for what to do next are also provided.

    Part 1: Assembly programming

    1. Listen to the IntroX86 video lectures from Open Security Training.

    2. Read the sample x86 assembly Hello World program (hello-world-libc.asm) provided. Ensure that you understand the purpose of every statement in the program from the comments. Also, do the following and explain what happened (if applicable).

    a. Delete line 14, compile and run the program.
    b. Delete line 21, compile and run the program.
    c. Delete line 29, compile and run the program.
    d. Delete line 32, compile and run the program.
    e. Delete line 34, compile and run the program.
    f. What do .text and .data signify? Are there others like these two?

    3. Complete the following programming assignments. You are not required to submit solutions to these assignments, but we highly recommend completing them since you will learn valuable lessons that will be useful in reverse code engineering.

    a. Print the area of a rectangle whose dimensions are obtained from the user.
    b. Accept an age from the user and display whether the person is eligible to vote. A person 18 years or older can vote.
    c. Accept a number from the user and display whether it is negative, zero or positive.
    d. Accept 3 numbers from the user and print the largest number.
    e. Display all even numbers between 1 and 1000.
    f. Print the Nth Fibonacci number (N is user input).
    g. Print the sum of N numbers. The user first specifies N and then provides each number.
    h. Write a program that prints the following pattern. Accept the number of stars in the base of the triangle from the user. The following is sample output for N = 5.

    *
    * *
    * * *
    * * * *
    * * * * *

    4. Read the sample Hello World program (hello-world-syscalls.asm) provided. Again, you could try the following on the Hello World program and try to understand what happened.

    a. Delete line 34, compile and run the program.
    b. Delete line 39, compile and run the program.
    c. Change 80h to 80, compile and run the program.

    5. Optionally, you can rewrite the assignments to not depend on the C library and instead rely on system calls like the Hello World program. This is a difficult task, so don't be disheartened if you cannot do it easily!

    Part 2: Reverse engineering (basics)

    This section will give you some basic skills required in reverse code engineering.

    1. Listen to the video lectures of the IntroRE course from Open Security Training (you can skip the last video if you want). We recommend that you attempt each level of the binary bomb before listening to the walkthrough in the video; the best learning happens when you try things out on your own first. The videos also cover basic usage of the IDA Pro free version and some additional useful information, so we recommend listening to them even if you solved the level on your own.

    2. Solve the RPI bomb lab and send us the solution and a writeup describing how you solved it.

    3. Submit a brief description of the various function calling conventions (a one-line description, a tabular comparison or any other form of representation you prefer). The descriptions should contain the essential details (you decide what is essential and what isn't).

    Do not plagiarize from any source; please submit original solutions. We do not condone plagiarism and will take severe action against the offending team (including disqualification and bans).

    Part 3: Reverse engineering (slightly advanced stuff)

    In this section, you will learn some basics of using a debugger (gdb) and some other tools to get useful information from an executable. Use the file part3.out for the following tasks.

    1. What is the address of the first instruction of function main?
    2. How many hard-coded strings are present? How many are actually useful?
    3. What is the address of the instruction that is executed first when the process starts? Is it the same as the first instruction of main? Hint: The first instruction is also referred to as the entry point.
    4. Can you determine the first two arguments passed to main when the program is executing? Hint: Set a breakpoint at function main and recall function calling conventions.
    5. The second argument of main seems to be some kind of pointer. How can you view the values it is pointing to from within the debugger?
    6. How can you view the current values of all the registers?
    7. The function main seems to be calling some other function. Can you determine which one it is? Hint: Try to view the assembly code for main from within gdb.
    8. How can you view only the first 3 instructions of the function main?
    9. Gdb displays the disassembly in AT&T syntax but you probably learnt the Intel syntax earlier. How do you ask gdb to use the Intel syntax?
    10. What is the return value of the function that is invoked in main? Hint: Recall function calling conventions.
    11. If you run the binary from within gdb, you will notice that it complains about a debugger being used. How did the process find out it is being debugged?
    12. Can you modify the binary so that it does not complain about a debugger being used? You will have to modify some instructions in order to achieve this.
    13. What is the return value of the function main after finishing step 12?

    Part 4: Next steps

    Here are some possible next steps that could be taken after completing the above tasks. They are not listed in any particular order.

    1. Learn the x86-64 and ARM assembly languages from Open Security Training.
    2. There are some interesting resources and exercises available from Hack-Night, run by the ISIS lab, NYU Polytechnic School of Engineering.
    3. radare is an excellent suite that aids in reverse code engineering. It consists of a disassembler, a debugger and a scripting interface. rasm2 is an extremely useful tool that can be used to quickly assemble and disassemble instructions. See the documentation on the radare website for more on these.
    4. Sometimes, executables are obfuscated or packed when distributed, for various reasons. While these operations can be undone, they slow down the process of reverse engineering the binaries. Explore some commonly used packers and obfuscators and how to undo their changes.
    5. Solve crackmes and unpackmes on websites like crackmes.de.

    Additional resources for reverse code engineering and x86 assembly programming

    1. SecurityTube x86 assembly megaprimer
    2. Hack-Night run by ISIS Lab, NYU Polytechnic.
    3. Skull Security x86 assembly tutorial.

  • Digital Forensics Tasks

    1. Learn about the following topics:

    a. Disk Forensics
    b. Timestamp analysis
    c. Log analysis
    d. Memory Forensics
    e. Network Forensics
    f. File signatures

    2. Learn to use the following tools:

    a. Autopsy and Sleuthkit
    b. Foremost and Photorec
    c. Volatility
    d. Encase, FTK
    e. Wireshark
    f. Steghide, Stegdetect

    3. Submit the solutions for the following tasks from picoCTF:

    a. Pickle Jar (Pico 2014)
    b. Intercepted Post (Pico 2014)
    c. Grep is still your friend (Pico 2014)
    d. Redacted (Pico 2014)
    e. Spoof proof (Pico 2014)
    f. Snapcat (Pico 2014)
    g. First Contact (Pico 2013)
    h. Space Port Map (Pico 2013)
    i. NAVSAT (Pico 2013)
    j. Pilot Logic (Pico 2013)
    k. Second Contact (Pico 2013)
    l. DDos Detection (Pico 2013)

    Other Resources:

    1. Cyfor run by ISIS lab, NYU Polytechnic
    2. Rootme

    Note:

    You may also have to take a look at other tools and problems which are not listed above.

    Other Resources:

    You may find the writeups for recent CTFs at the following links:

    1. https://ctftime.org/
    2. https://github.com/ctfs/write-ups

  • Contact Us!

    Email: [email protected]
    IRC: #inctf