Capture the Flag (CTF) are information security challenges. They are fun, but they also provide a opportunity to practise for real-world security challenges. In this talk we present the concept of CTF. We focus on some tools used by our team, which can also be used to solve real-world problems.

1. A CTF Hackers Toolbox
Grazer Linuxtage 2016

2. $ who
mike/@f0rki
f0rki@hack.more.systems
CS/InfoSec Student
CTF Player since 2010
@stefan2904
stefan@hack.more.systems
CS/InfoSec/CI Student
CTF Player since 2014

3. CTF: Capture The Flag
Collaborative hacking competitions
Teams vs. Teams
The goal is to capture ags

4. CTF{THIS_IS_A_FLAG}

5. CTF Type: Jeopardy
Figure: Sharif CTF Challenge Board

6. CTF Type: Attack-Defense
Figure: RUCTFe 2015 Network Schema (source: RUCTF org)

7. CTF Type: Attack-Defense
Figure: FAUST CTF 2015 scoreboard

8. Why CTFs?
It's fun!
Gain experience in Information Security
Challenges modeled after real-world problems
Sometimes real-world bugs modeled after CTF bugs?

9. LosFuzzys: A CTF Team in Graz
We Like Bugs!

10. LosFuzzys: A CTF Team in Graz
A group of people interested in information security
Primarily CS/SW/ICE Students from TUGraz
But we welcome anyone interested and motivated :)
and maybe even you ;)
Irregular Meet-ups

11. Where to start?
Talk to us! :-)
https://hack.more.systems
twitter: @LosFuzzys
Read writeups!
Repo: github.com/ctfs
Ours: hack.more.systems/writeups

12. CTF Toolbox

13. CTF Toolbox
Great diversity of challenges
Some things turn up frequently
Knowledge of technology necessary
Experience helps a lot
Using the right tools is essential
assuming you know how to use them . . .

14. Scripting is your best Friend
Be comfortable in automating things
Use whatever works best
bash, zsh etc.
Python, Ruby etc.

15. Command-Line-Fu is very helpful
Standard utils grep, sed, awk, sort, cut, uniq, . . .
Network stu nc, socat, dig, nmap
Query json jq
HTTP curl
. . .
Pipe together to get your results!

16. Bash Password Guessing
f o r x in q w e r t y u i o p a s d f g h j k l z
x c v b n m Q W E R T Y U I O P A S D F G H J
K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 − _ ?
do
echo = $x =
# count s i g a c t i o n s y s c a l l s
s t r a c e ./ stage3 . bin Did_you_l$x$x$x$x$x$x$x$x 21
| grep s i g a c t i o n
| wc −l
done log
# get h i g h e s t count of s i g a c t i o n s and t r i g g e r i n g char
cat log | grep −B 1
$ ( cat log | grep −v = | s o r t | uniq | t a i l −n 1)

17. Automated Browsing python-requests
import r e q u e s t s
URL = ' http :// c t f . example . com '
s = r e q u e s t s . s e s s i o n ()
r = s . post (URL + ' / l o g i n ' ,
data={ ' user ' : ' fuzzy ' , ' pass ' : ' 1234 ' })
# GET http :// c t f . example . com/ vuln ?x=' or%201=1−−x
resp = s . get (URL + ' / vuln ' ,
params={ ' x ' : ' ' or 1=1 −−x ' })
# s e s s i o n cookie automagically used here
p r i n t resp . t e x t
# f l a g {some_flag_of_some_service}

18. Dirty Networking pwntools
from pwn import ∗
r = remote ( ' c t f . example . com ' , 1337)
# l i n e based
r . r e c v l i n e ()
r . s e n d l i n e ( 'HELO %s%s%s%s ' )
r . r e c v u n t i l ( ' 250 Hello ' )
data = r . recv (4)
# unpack LE uint32 from bin
i = u32 ( data )
log . i n f o ( ' r e c e i v e d uint32 {} ' . format ( i ))
# pack BE uint32 to bin
r . send ( p32 (1094795585 , endian=' big ' ))
r . r e c v l i n e ()

19. Finding Analyzing Vulnerabilities

20. Analyzing Java/.NET Apps
Great decompilers!
Java/Dalvik bytecode
intellij built-in decompiler (fernower), procyon
http://www.javadecompilers.com/
Android apps/Dalvik bytecode
apktool, smali/baksmali, jadx
Xposed
.NET bytecode
ILSpy, Jetbrains dotPeek

21. A wild binary appears!
$ f i l e ./ pwn
pwn : ELF 32− b i t LSB executable , I n t e l 80386 ,
v e r s i o n 1 (GNU/ Linux ) , s t a t i c a l l y linked ,
f o r GNU/ Linux 2 . 6 . 2 4 ,
not s t r i p p e d

22. $ objdump -d ./pwn | less

24. Keep Calm
And
Use radare2
From git

28. radare2 example commands
Search for functions containing exec
afl~exec
Show/search all strings in the le
izz
izz~FLAG
Compute CRC32 over next 32 byte
#crc32 32

29. Binary Decompilers
No really good open source binary decompilers :(
The radare guys are working on one
Commercial/Closed-Source
Hex-Rays/IDA Pro Decompiler ($$$)
Hopper ($)
retdec (free, webservice, no x86_64)

30. Debugging?

33. Debuggers
Use gdb with one of those:
PEDA
GEF
pwndbg
voltron
gdb-dashboard
gdb alternatives: lldb, radare2
Newer debugging approaches
qira
rr

34. Pwning!
$ mkfifo ./ f i f o
$ ./ pwn ./ f i f o python −c ' p r i n t (A∗4128) ' ./ f i f o
[ 1 ] 9391
The f i l e has been saved s u c c e s s f u l l y
[ 1 ] + 9391 segmentation f a u l t ( core dumped) ./ pwn ./ f i f o
$ dmesg | t a i l −n 1
pwn [ 9 3 9 1 ] : s e g f a u l t at 41414141 ip 0000000041414141
sp 00000000 ffb6d340 e r r o r 14

35. pwntools again!
from pwn import ∗ # NOQA
v e l f = ELF( ./ pwn )
r = ROP( v e l f )
r . c a l l ( e x i t , [ 4 2 ] )
payload = A ∗ 4124 + s t r ( r )
# launch process
vp = process ( [ ./ pwn , ./ f i f o ] )
gdb . attach ( vp )
# break ∗0 x8048f4e
with open ( ./ f i f o , w ) as f :
f . w r i t e ( payload )
# forward s t d i n / stdout to process s t d i n / stdout
vp . i n t e r a c t i v e ()

38. pwntools/binjitsu
I/O abstraction (called Tubes)
ELF parser/info
Return Oriented Programming (ROP)
Shellcode
plug'n'pwn
shellcode builder
Binary data parsing
. . .

39. Cryptography

40. Crypto Tools
Pen Paper
sage
CAS python
packages implementing attacks, e.g.
python-paddingoracle
hashpumpy (hash length extension attack)
. . .

41. Learn to Improvise
Premature optimization* is the root of all evil!
* also commenting code
* also clean code
(only true for attack during CTFs!)
If it works once, . . . it works!
Code-reuse between dierent CTFs!
Post-CTF code cleanup would be good . . .

42. A fool with a tool is still a fool!

43. https://hack.more.systems
Thanks to
all LosFuzzys members
tuflowgraphy.at
realraum
IAIK

44. Writeups of Used Examples
https://hack.more.systems/writeups
9447ctf: premonition (web)
NDH quals 2016: matriochka (reversing)
NDH quals 2016: secure le reader (pwn)
don't be eve!