RESEARCH | January 26, 2016

More than a simple game

By Daniel Correa & NullLifeTeam

EKOPARTY Conference 2015, one of the most important conferences in Latin America, took place in Buenos Aires three months ago. IOActive and EKOPARTY hosted the main security competition of about 800 teams which ran for 32 hours, the EKOPARTY CTF (Capture the Flag).

 

Teams from all around the globe demonstrated their skills in a variety of topics including web application security, reverse engineering, exploiting, and cryptography. It was a wonderful experience.

 

If you haven’t competed before, you may wonder: What are security competitions all about? Why are they essential for information security? 

Competition, types, and resources

A security competition takes place in an environment where the contestants try to find a solution to specific problems through the systematic application of knowledge. Each problem (or challenge) is worth a different number of points. The number of points for each challenge is based on its level of difficulty and the time needed to reach the solution (or flag).
Security competitions help people to develop rare skills as it requires the use of lateral thinking and a low-level technical knowledge of many topics at once, this is a small list of some of their benefits:
  • Fun while learning.
  • Legally prepared environments ready to be hacked; you are authorized to test the problems.
  • Recognition and use of multiples paths to solve a problem.
  • Understanding of specialized attacks which are not usually detectable or exploitable by common tools.
  • Free participation, typically.
  • Good recruiting tool for information security companies.
You will find two types of competitions:
  1. CTFs (Capture the Flag) are restricted by time:
    1. Jeopardy: Problems are distributed in multiple categories which must be solved separately. The most common categories are programming, computer and network forensics, cryptography, reverse engineering, exploiting, web application security, and mobile security.
    2. Attack – defense: Problems are distributed across vulnerable services which must be protected on the defended machine and exploited on remote machines. It is the kind of competition that provides mostly a vulnerable infrastructure.
  2. Wargames are not restricted by time and may have the two subtypes above.
Two main resources can help you to get started:
Also, you can see solutions for many CTF problems in the following github repository:

EKOPARTY CTF 2015

We proposed thirty challenges across six categories:
  1. Trivia problems: questions about EKOPARTY.
  2. Web application security: multiple web application attacks.
  3. Cryptography: classical and modern encryption.
  4. Reversing: problems with the use of different technologies and architectures.
  5. Exploiting: vulnerable binaries with known protections.
  6. Miscellaneous: forensic and programming tasks.

To review the challenges, go to the EKOPARTY 2015 github repository.

 

Category Task Score Description and references
Trivia Trivia problems
~
 Specific questions related to EKOPARTY
Web Pass Chek
50
PHP strcmp unsafe comparison using an array

Type Juggling
Custom ACL
100
 ACL bypass using external host
Crazy JSON
300
Esoteric programming language with string encryption

JSON esoteric programming language
Rand DOOM
400
Insecure use of mt_rand, recover administrator token via seed leak

PHP mt_rand seed cracker
SVG Viewer
500
XXE injection with UTF-16 bypass and use of PHP strip_tags vulnerability to disclose source code
XXE injection UTF-16 bypass

PHP strip_tags bug
Crypto SCYTCRYPTO
50
Scytale message decryption

Scytale
Weird Vigenere
100
Kasiski analysis over modified vigenere

Beaufort cipher
XOR Crypter
200
XOR shift message decryption

Reversing shift XOR operation
VBOX DIE
300
VBOX encrypted disk password recovery

VirtualBox Disk Image Encryption password cracking
Break the key
400
Use of CVE-2008-0166 to get the plaintext from an encrypted message

CVE-2008-0166
Reversing Patch me
50
 MSIL code patching
Counter
100
 Dynamic analysis of a llvm obfuscated binary
Malware
200
 Break RSA key to send malicious code to the C&C server
Dreaming
300
 SH4 binary
HOT
400
 Blackberry Z10 application and exploitation of a SQL injection which was protected through a modified HMAC algorithm
Backdoor OS
500
 Custom kernel where you need to find the backdoor authentication key
Exploiting Baby pwn
50
 Buffer overflow with restricted input format
Frequency
100
 BSS buffer overflow with a directory traversal which leaks data from files through character frequencies
OTaaS
200
 ARM syscall override which leaks information if appropriate parameters are passed
File Manager
300
 Stack based buffer overflow produced by strncat while listing files inside a folder, need to bypass multiple protections such as ASLR, NX, PIE, and FULL RELRO
Miscellaneous Olive
50
VNC client key event recovery

VNC KeyEvent
Press it
100
Scancodes recognition

Key Scan Codes
Onion
200
Use of CVE-2015-7665 to leak user’s IP

CVE-2015-7665
Poltergeist
300
AM frequencies generator using screen waves

Tempest

Example of reversing problem – HOT 400 points

We provided competitors with a BlackBerry 10 binary with the following description:
Our Blackberry application can accurately show you the weather status of the city! may you be able to get something more?

 

The binary uses a SOAP-based web service to retrieve weather information from the selected city (either Buenos Aires or Mordor), so we need to reverse the binary and find out if we are able to retrieve more information.

 

First, let see how the binary is composed:

 

Great, the binary is not stripped and it seems to contain debug information, so we can use an ARM disassembler and see its behavior:
  1. The main execution flow starts within the requestWeatherInformation method from WeatherService class, and city zipcode is its unique argument. It is converted from QString to QByteArray for further processing:

 

  1. QByteArray key is filled with a loop, key[i] = i:

 

  1. Then a message authentication code is calculated using the key and zipcode MAC(key, zipcode):

 

  1. The binary is using a slightly modified version of HMAC-SHA1 as a message authentication code, and outer and inner padding are now 0x13 and 0x37 respectively (instead of 0x5c and 0x36):

  1. Then a SOAP message is built using the following data:
    • Host: ctfchallenges.ctf.site
    • Port: 10000
    • Action: http://ctfchallenges.ctf.site:1000/ekoweather/GetCityWeatherByZIP (no longer active)
    • Argument 1: ZIP
    • Argument 2: verification

You can see an HTTP request with a valid SOAP message for the web service:

 

And its response:

 

Now let’s take a look at the web service source code (which was not available to the contestant):

 

You can notice two important things:
  1. Zip argument is vulnerable to SQL injection.
  2. Description is always trimmed to 16 chars.
The contestant need to be able to reverse engineer the binary and then inject SQL sentences to retrieve information from the database using valid verification codes within the SOAP message.
The answer for this problem is stored as the description for the city FLAG, however it exceeds 16 chars, so the web service only shows the first 16 chars (an incomplete answer):
Request:
  • ZIP: -1 or 1=1– –
  • verification: biNa0y7ngymXd6kbGMmNhOYiNQM=
Response:
  • Success: true
  • ResponseText: City Found
  • Description: EKO{r3v_with_web
After getting the correct number of columns and the tables and columns used by the database, you need to identify the column used as the description:
Request:
  • ZIP: -1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14– –
  • verification: B2LDiOPSSCOCK0tJvidyyo1d1HI=
Response:
  • Success: true
  • ResponseText: City Found
  • Description: 7
At last, an injection to get the other half of the flag could be as follows:
Request:
  • ZIP: -1 union select 1,2,3,4,5,6,substr(description,16),8,9,10,11,12,13,14 from data where zipcode != 1010 and zipcode != 1337– –
  • verification: r7WuMbNcbvncnJc8HwKnqM4q9kA=
Response:
  • Success: true
  • ResponseText: City Found
  • Description: b_is_the_best!}
The final answer for this problem was: EKO{r3v_with_web_is_the_best!}. It was solved by one team. Amazing job, More Smoked Leet Chicken team!

Some numbers

From the summary below of solves and failed attempts per each problem, we can infer three things:
  1. Trivia challenges often involves guessing; failed attempts are higher on trivia problems.
  2. The most difficult problems contain fewer failed attempts, and the number of solves are somehow proportional to failed attempts.
  3. In this CTF, reversing and exploiting were the most difficult problems.

 

We also have some results from the competition:

 

Scoreboard

After 32 hard hours, we had the winners:
  1. More Smoked Leet Chicken, from Russia, who led during the competition!
  2. !SpamAndHex, from Hungary.
  3. samurai, from United States.
  4. Shellphish, from United States.
  5. SecuritySignal, local winner from Argentina.

 

As you have seen, CTFs are more than a simple game. From the point of view of the organizer, they involve a lot of planning and monitoring, and from the point of view of the contestant they involve a lot of applied knowledge and fun. CTFs are getting harder and harder. Do not miss the chance to learn from them!
We hope you have enjoyed this and we hope to see you next year at EKOPARTY CTF 2016!