EKOPARTY Conference 2015, one of the most important conferences in Latin America, took place in Buenos Aires three months ago. IOActive and EKOPARTY hosted the main security competition of about 800 teams which ran for 32 hours, the EKOPARTY CTF (Capture the Flag).
Teams from all around the globe demonstrated their skills in a variety of topics including web application security, reverse engineering, exploiting, and cryptography. It was a wonderful experience.
If you haven’t competed before, you may wonder: What are security competitions all about? Why are they essential for information security?
Competition, types, and resources
A security competition takes place in an environment where the contestants try to find a solution to specific problems through the systematic application of knowledge. Each problem (or challenge) is worth a different number of points. The number of points for each challenge is based on its level of difficulty and the time needed to reach the solution (or flag).
Security competitions help people to develop rare skills as it requires the use of lateral thinking and a low-level technical knowledge of many topics at once, this is a small list of some of their benefits:
-
Fun while learning.
-
Legally prepared environments ready to be hacked; you are authorized to test the problems.
-
Recognition and use of multiples paths to solve a problem.
-
Understanding of specialized attacks which are not usually detectable or exploitable by common tools.
-
Free participation, typically.
-
Good recruiting tool for information security companies.
You will find two types of competitions:
-
CTFs (Capture the Flag) are restricted by time:
-
Jeopardy: Problems are distributed in multiple categories which must be solved separately. The most common categories are programming, computer and network forensics, cryptography, reverse engineering, exploiting, web application security, and mobile security.
-
Attack – defense: Problems are distributed across vulnerable services which must be protected on the defended machine and exploited on remote machines. It is the kind of competition that provides mostly a vulnerable infrastructure.
-
-
Wargames are not restricted by time and may have the two subtypes above.
Two main resources can help you to get started:
Also, you can see solutions for many CTF problems in the following github repository:
EKOPARTY CTF 2015
We proposed thirty challenges across six categories:
-
Trivia problems: questions about EKOPARTY.
-
Web application security: multiple web application attacks.
-
Cryptography: classical and modern encryption.
-
Reversing: problems with the use of different technologies and architectures.
-
Exploiting: vulnerable binaries with known protections.
-
Miscellaneous: forensic and programming tasks.
To review the challenges, go to the EKOPARTY 2015 github repository.
| Category | Task | Score | Description and references |
| Trivia | Trivia problems |
~
|
Specific questions related to EKOPARTY |
| Web | Pass Chek |
50
|
PHP strcmp unsafe comparison using an array
|
| Custom ACL |
100
|
ACL bypass using external host | |
| Crazy JSON |
300
|
Esoteric programming language with string encryption
|
|
| Rand DOOM |
400
|
Insecure use of mt_rand, recover administrator token via seed leak
|
|
| SVG Viewer |
500
|
XXE injection with UTF-16 bypass and use of PHP strip_tags vulnerability to disclose source code
XXE injection UTF-16 bypass
|
|
| Crypto | SCYTCRYPTO |
50
|
Scytale message decryption
|
| Weird Vigenere |
100
|
Kasiski analysis over modified vigenere
|
|
| XOR Crypter |
200
|
XOR shift message decryption
Reversing shift XOR operation |
|
| VBOX DIE |
300
|
VBOX encrypted disk password recovery
VirtualBox Disk Image Encryption password cracking |
|
| Break the key |
400
|
Use of CVE-2008-0166 to get the plaintext from an encrypted message
|
|
| Reversing | Patch me |
50
|
MSIL code patching |
| Counter |
100
|
Dynamic analysis of a llvm obfuscated binary | |
| Malware |
200
|
Break RSA key to send malicious code to the C&C server | |
| Dreaming |
300
|
SH4 binary | |
| HOT |
400
|
Blackberry Z10 application and exploitation of a SQL injection which was protected through a modified HMAC algorithm | |
| Backdoor OS |
500
|
Custom kernel where you need to find the backdoor authentication key | |
| Exploiting | Baby pwn |
50
|
Buffer overflow with restricted input format |
| Frequency |
100
|
BSS buffer overflow with a directory traversal which leaks data from files through character frequencies | |
| OTaaS |
200
|
ARM syscall override which leaks information if appropriate parameters are passed | |
| File Manager |
300
|
Stack based buffer overflow produced by strncat while listing files inside a folder, need to bypass multiple protections such as ASLR, NX, PIE, and FULL RELRO | |
| Miscellaneous | Olive |
50
|
VNC client key event recovery
|
| Press it |
100
|
Scancodes recognition
|
|
| Onion |
200
|
Use of CVE-2015-7665 to leak user’s IP
|
|
| Poltergeist |
300
|
AM frequencies generator using screen waves
|
Example of reversing problem – HOT 400 points
Our Blackberry application can accurately show you the weather status of the city! may you be able to get something more?
The binary uses a SOAP-based web service to retrieve weather information from the selected city (either Buenos Aires or Mordor), so we need to reverse the binary and find out if we are able to retrieve more information.
First, let see how the binary is composed:
Great, the binary is not stripped and it seems to contain debug information, so we can use an ARM disassembler and see its behavior:
-
The main execution flow starts within the requestWeatherInformation method from WeatherService class, and city zipcode is its unique argument. It is converted from QString to QByteArray for further processing:
-
QByteArray key is filled with a loop, key[i] = i:
-
Then a message authentication code is calculated using the key and zipcode MAC(key, zipcode):
-
The binary is using a slightly modified version of HMAC-SHA1 as a message authentication code, and outer and inner padding are now 0x13 and 0x37 respectively (instead of 0x5c and 0x36):
-
Then a SOAP message is built using the following data:
-
Host: ctfchallenges.ctf.site
-
Port: 10000
-
Action: http://ctfchallenges.ctf.site:1000/ekoweather/GetCityWeatherByZIP (no longer active)
-
Argument 1: ZIP
-
Argument 2: verification
-
You can see an HTTP request with a valid SOAP message for the web service:
And its response:
Now let’s take a look at the web service source code (which was not available to the contestant):
You can notice two important things:
-
Zip argument is vulnerable to SQL injection.
-
Description is always trimmed to 16 chars.
The contestant need to be able to reverse engineer the binary and then inject SQL sentences to retrieve information from the database using valid verification codes within the SOAP message.
The answer for this problem is stored as the description for the city FLAG, however it exceeds 16 chars, so the web service only shows the first 16 chars (an incomplete answer):
Request:
-
ZIP: -1 or 1=1– –
-
verification: biNa0y7ngymXd6kbGMmNhOYiNQM=
Response:
-
Success: true
-
ResponseText: City Found
-
Description: EKO{r3v_with_web
After getting the correct number of columns and the tables and columns used by the database, you need to identify the column used as the description:
Request:
-
ZIP: -1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14– –
-
verification: B2LDiOPSSCOCK0tJvidyyo1d1HI=
Response:
-
Success: true
-
ResponseText: City Found
-
Description: 7
At last, an injection to get the other half of the flag could be as follows:
Request:
-
ZIP: -1 union select 1,2,3,4,5,6,substr(description,16),8,9,10,11,12,13,14 from data where zipcode != 1010 and zipcode != 1337– –
-
verification: r7WuMbNcbvncnJc8HwKnqM4q9kA=
Response:
-
Success: true
-
ResponseText: City Found
-
Description: b_is_the_best!}
The final answer for this problem was: EKO{r3v_with_web_is_the_best!}. It was solved by one team. Amazing job, More Smoked Leet Chicken team!
Some numbers
From the summary below of solves and failed attempts per each problem, we can infer three things:
-
Trivia challenges often involves guessing; failed attempts are higher on trivia problems.
-
The most difficult problems contain fewer failed attempts, and the number of solves are somehow proportional to failed attempts.
-
In this CTF, reversing and exploiting were the most difficult problems.
We also have some results from the competition:
Scoreboard
After 32 hard hours, we had the winners:
-
More Smoked Leet Chicken, from Russia, who led during the competition!
-
!SpamAndHex, from Hungary.
-
samurai, from United States.
-
Shellphish, from United States.
-
SecuritySignal, local winner from Argentina.
As you have seen, CTFs are more than a simple game. From the point of view of the organizer, they involve a lot of planning and monitoring, and from the point of view of the contestant they involve a lot of applied knowledge and fun. CTFs are getting harder and harder. Do not miss the chance to learn from them!
We hope you have enjoyed this and we hope to see you next year at EKOPARTY CTF 2016!