Dillon Korman

Running SIGPwny's First Recruiting CTF

Dillon Korman — Mon, 16 Sep 2019 19:13:13 GMT

As part of improving the University of Illinois' security club, SIGPwny, the senior and lead members decided to host a capture the flag event near the start of the fall semester to recruit new students, particularly freshmen, to the club.

We had improved attendance and member involvement the previous year primarily because of a changed meeting format, expansion of club activities, and delegation of work to additional members. Additional membership allows us to teach security to more people and acquire resources that increase what we can do. Reaching freshmen is essential because it will enable them to develop into excellent and knowledgeable leaders for the club, ensuring the club will be well-run in the future. It may also lead them to discover a passion for security, creating more talent for the security community.

Hosting any CTF is no easy feat, but ours was especially challenging since it was intended to be large-scale (100+ students), in-person, and easily accessible to first-time players. Even though we knew it would be a difficult undertaking, and it did end up taking a lot of hard work from many members, we felt it would all be worth it in the end.

First, we needed sponsors. Although all the members did work for free and we used open-source software on our existing infrastructure, we needed money for food and prizes, like any other computer science competition at our school. Fortunately, we could leverage the connections of students and alumni to obtain sponsorships that gave us the requisite cash to run the event well. We invited security engineers to help us walk around and teach the students. The engineers were great since they could help beginners with challenges, test our problems to see if they worked as intended, and expose our students to job opportunities in security.

Logistically, there were many things we had to worry about since we were hosting this in person. The time, date, and location of the event were crucial. We decided that the weekend afternoon near the start of the fall semester was ideal. Students would have learned about our club through an open house, wouldn't have much homework or any exams, and likely would be awake and free to work.

Our best options for a room location were in the CS or ECE buildings. We managed to secure the main lecture hall in our CS building, which was great since there would be ample space. However, since "the architects just screwed up," in the words of one CS professor, this room had very few outlets. Fortunately, we obtained many power strips right before the event to help deal with the issue and let people hack for hours on end.

The food of choice for any CS event is pizza since everyone loves pizza and you can get it delivered to you quickly. We used the ACM discount to order a large number of pizzas shortly before the event, but with enough lead time for the order. There was one wave of pizzas at the start and another in the middle. We also provided cookies (including some in Illini blue and orange) and soda. The prizes were ordered online and picked up before we distributed them.

The CTF was five hours, which provided enough time to solve many challenges. We decided to have short presentations of around ten minutes each for our main CTF categories: web, pwn/reverse engineering, crypto, recon, and forensics. Since our regular meetings are a short presentation followed by work on challenges, it was like five meetings in one event. These presentations were intended to teach students some of the basics of each category and help them solve the challenges.

Since there were beginners, and we wanted to encourage learning, we needed the members who were running the CTF and the security engineers to help people through problems. In our usual meetings, we have fewer people trying to solve the challenges, and collaboration among everyone is encouraged. Because of this and the more intimate environment, we can help everyone without much issue.

However, since we were at a larger scale than usual and there were different categories that not every member knew well, I thought using our school's website for queues would be nice. We had mixed thoughts on this since we believed walking up to people or responding to raised hands would be best. We were able to create the queue and start it before the event. We briefly mentioned it in one of the introduction slides but didn't put the queue up on the large projected screen since someone scrapped the idea shortly after.

Students were still using the queue, however, so we responded to requests. It worked well overall, especially since members knew which questions they could answer. Sometimes we couldn't figure out where the person in the room was given their description, and we couldn't follow up with a question. It is worth trying again in the future for large-scale events.

We needed to decide if we would allow teams, and if so, what would be the maximum team size allowed? There were two opposing forces at play here. As a club, we care about learning and want members to work together to solve problems. This mindset is behind why we help members extensively during a regular meeting and encourage collaboration then. However, we can't allow unlimited collaboration for this event since we wouldn't have a fair way of handing out prizes.

If people participated by themselves, prize distribution would be more straightforward, but there would be no one to work with on challenges. If there were relatively large team sizes, it would be challenging to figure out how to split a physical prize with different people on the team. Fixing this issue would require every team member to get a prize, resulting in just a few groups winning anything. Since we wanted some teamwork but many teams to win and participants to get exposure to different categories, we decided to let people work as partners.

There remained another crucial issue with teams and prize distribution. We intended the CTF to be for beginners, but we also wanted more advanced students to play. We wanted to ensure that beginners had a fair chance at earning prizes and that we prioritized when appropriate, so we split the teams into beginner and advanced categories. If either player on a team was advanced, then the team was considered advanced.

Advanced players were those who completed our school's main security course or the primary systems courses in CS or ECE, attended several SIGPwny meetings, or were otherwise advanced at either their own or the event leads' discretion. During the event, we noticed a couple of beginner teams at the top in the beginning. After talking with them, we put them in the advanced category since they had experience. The top four beginner and advanced teams were awarded prizes in a back-and-forth manner, with the best beginner team getting to pick first. Each team member could choose whatever they wanted from the available prizes. We had a few extra prizes that we awarded to the fifth and sixth-best beginner teams.

We needed to do some marketing for our event to ensure people would come, so we posted about the event on Facebook, Twitter, and Reddit. We also printed lovely flyers and posted them in various buildings near the engineering quad. The most important aspects of our event that would get people to come were free food, prizes, and the beginner-friendly environment, so all of our ads mentioned them. The event was advertised as a "HACKathon" since more people were familiar with that term than "capture the flag," and it's one of the only hackathons with actual hacking.

Our wonderful poster

Operationally, we needed to create and host challenges. Most of the problems were required to be accessible to first-time players, but we also wanted more difficult ones that advanced players could try. We had the typical CTF categories, but pwn and reverse engineering were one combined category since they are hard for new players. We also added recon and shell, since they are more accessible, and a scavenger hunt category with flags hidden inside the room and building to motivate people to move around.

Club members submitted challenges to a Git repository, and we tried to track them on a spreadsheet. We could have done a better job of having a standardized challenge format and keeping track of all the challenges on the spreadsheet. Some challenges repeated the solve techniques of other problems, which wasn't a big deal for a beginner CTF, but we should coordinate each category's challenges next time. I think we had a solid mix of each challenge type, but we could have made the number of problems per category more balanced.

An unexpected difficulty was deciding on the points for each challenge and a scoring system. There's the traditional CTF point system where every problem has a static point value, but there's another system where the point value can decrease based on the number of solves. There are some advantages to the latter model, namely that point values adjust nicely if one challenge is more straightforward than anticipated. However, we chose static because I think it would be confusing and demoralizing for beginners to see their team losing points in the middle of the competition. They should be worried about the challenges, not continually monitoring their score.

It was hard to come up with reasonable point values for each challenge because we designed them for beginners, and we had many problems to compare each challenge against. Ultimately, we just reviewed each challenge and put what we thought was okay. The unsolved challenges got 4x the points halfway through the competition to encourage solving them, but that definitely shouldn't be done in the future. A few crypto problems were likely unsolved because of how many crypto challenges we created. Teams needed to solve all of them to earn a top spot since they were now worth a ton of points.

For our infrastructure, we ran everything off of one physical server. We used two virtual machines, one running the CTFd site and another hosting the challenges, typically web and pwn. Docker was used extensively since it makes infrastructure more flexible. CTFd can easily be installed using Docker and just requires modification of the Nginx reverse proxy for our specific configuration. Our challenge server had another reverse proxy to proxy requests to the particular web app or pwn process.

Challenges each ran in their own Docker container. It's easier to write problems if you know the execution environment. There's also no need to worry about typical security configurations since you shouldn't be able to break out of a standard container. If we decide to use a different server in the future or want to share the challenge, it's much easier to deploy again. Containers are also easier to maintain and set up compared to virtual machines or physical servers.

Despite all the logistical and operational challenges, the CTF went great overall. We had 112 players, and it seemed like most people stayed for the entire event, which is awesome. There was plenty of food, and I even got to take home a pizza. The security engineers were impressed it went so well, especially since this was our first event of its kind, and undergrads organized it.

We solicited some feedback about the event on a Google Forms questionnaire via email and a Discord announcement. Respondents overwhelmingly said they enjoyed the competition, thought the prizes were cool, and found the club members and engineers helping to be useful. About half agreed the presentations were useful, and many had neutral thoughts. I agree that they could be improved, and it's worth asking for more detailed feedback on that. Players generally thought the prize distribution was fair, and the event length was about right.

I thought the event length was solid since there were always plenty of challenges to work on, but we were pretty tired by the end, so I don't believe we should extend it. The favorite CTF categories were actually split pretty evenly, so it's nice we had every category. Someone thought it wasn't beginner-friendly enough since there was no cross-team collaboration, and some of the assistance wasn't specific enough. These are valid points, and we should consider standardizing how we assist players.

In conclusion, I'm happy we had this event. People seemed to enjoy it, and there were a lot of thankful comments as feedback, which made our effort worth it. All the members who helped run the event learned a ton too. Interest in the club and meeting attendance is at an all-time high, so we're able to teach many more people now. SIGPwny is in an excellent state, and I know all will be well when I graduate.

CSAW 2018 WhyOS Writeup

Dillon Korman — Mon, 17 Sep 2018 05:17:04 GMT

This is a forensics challenge worth 300 points.

We are given an iPhone application and a debug log with 185k lines.

My team originally solved this challenge by running the application on a jailbroken iPhone and observing the debug log from that session, but the prompt said that no device was needed, so I set out to find an alternative but reasonable solution method based on information I already had.

I spent a lot of time searching for certain strings, but I instead could have searched simply for an uncommon logging format. There was an hint released later that I didn't see but definitely would have helped. However, this method works without that hint.

I first wanted to take a look inside the application, so I extracted it and looked at the extracted files.

dpkg-deb -x com.yourcompany.whyos_4.2.0-28debug_iphoneos-arm.deb app

root@kali:~/csaw/app# ls */*/*
Library/MobileSubstrate/DynamicLibraries:
whyOS.dylib  whyOS.plist

Library/PreferenceBundles/whyOSsettings.bundle:
Info.plist  Root.plist  whyOSsettings

Library/PreferenceLoader/Preferences:
whyOSsettings.plist

There appeared to be two binary files and four property list files. Two strings from those files that appeared interesting were com.yourcompany.whyossettings and CSAWRootListController along with those in Root.plist more generally.

However, when I searched for whyOS in the debug log, I was very surprised to only find two lines that contained that term, considering how important and broad it seemed.

I searched for CSAWRootListController along with other interesting terms in Root.plist, but I had no results. There were too many instances of flag for me to browse.

I looked for several hundred lines above and below the whyOS matches because I thought that's where the activity happened, but I did not find anything useful.

I ran strings on the binaries, but didn't find anything that would lead to the flag, so I decided to take a look closer look in IDA, even though this wasn't a reversing challenge, which made me unsure if I was on the right track.

I looked at whyOS.dylib, but it basically didn't contain anything, so I moved on to the other file.

There are two functions, specifiers and setflag. I decompiled them with IDA to get a better look at what they do.

id __cdecl -[CSAWRootListController specifiers](struct CSAWRootListController *self, SEL a2)
{
  void *v2; // r0@2
  struct CSAWRootListController *v4; // [sp+10h] [bp-Ch]@1

  v4 = self;
  if ( !*(_DWORD *)&self->PSListController_opaque[OBJC_IVAR___PSListController__specifiers] )
  {
    v2 = objc_msgSend(self, "loadSpecifiersFromPlistName:target:", CFSTR("Root"), self);
    *(_DWORD *)&v4->PSListController_opaque[OBJC_IVAR___PSListController__specifiers] = objc_msgSend(v2, "retain");
  }
  return *(id *)&v4->PSListController_opaque[OBJC_IVAR___PSListController__specifiers];
}

This method just looks like it loads specifiers from Root.plist, which may be useful for the program but isn't that interesting for us since that's all it does.

The setflag method obviously sounds more interesting for us.

void __cdecl -[CSAWRootListController setflag](struct CSAWRootListController *self, SEL a2)
{
  void *v2; // r0@1
  __CFString *v3; // [sp+4h] [bp-34h]@2
  void *v4; // [sp+20h] [bp-18h]@1

  v2 = objc_msgSend(&OBJC_CLASS___NSMutableDictionary, "alloc");
  v4 = objc_msgSend(v2, "initWithContentsOfFile:", CFSTR("/var/mobile/Library/Preferences/com.yourcompany.whyos.plist"));
  if ( objc_msgSend(v4, "objectForKey:", CFSTR("flag")) )
    v3 = (__CFString *)objc_msgSend(v4, "objectForKey:", CFSTR("flag"));
  else
    v3 = &stru_8044;
  NSLog(CFSTR("%@"), v3);
}

It looks like the function creates a dictionary from the whyos.plist file and looks for the value for the key flag. If it exists, it sets a string variable to that value. Otherwise, that string is set to what is actually an empty string.

Finally, and most importantly, it logs the string to the console.

I looked online for the default NSLog output format and discovered the format.

Date Time OurApp[] output

Since the NSLog call is just printing out the string, which is the flag, with no extra parameters, we can expect our output to be in a known format.

X Y Z flag

Looking through the debug log, the lines are incredibly verbose, so having just one word might stand out. Additionally, we know the flag is not in the standard flag{} format from the description.

I would say flags are generally at least 10 characters long, and since there are no curly brackets, may just contain alphanumeric characters, although there could still be underscores.

We can take a look at some example lines from console log.

default 18:59:15.308337 -0400   nsurlsessiond   [5757  stream, bundle id: mobileassetd, pid: 386, url...
default 18:59:15.308698 -0400   nsurlsessiond   0.000s [5757 E6368DF7-4A60-45CF-A579-4C1AF76AE40E  ...
error   18:59:15.308772 -0400   nsurlsessiond   Task .<29> finish...
default 18:59:15.308823 -0400   nsurlsessiond   0.000s [5757 E6368DF7-4A60-45CF-A579-4C1AF76AE40E  p...
default 18:59:15.309335 -0400   nsurlsessiond   0.000s [5757 E6368DF7-4A60-45CF-A579-4C1AF76AE40E  p...
default 18:59:15.309412 -0400   nsurlsessiond   0.000s [5757 E6368DF7-4A60-45CF-A579-4C1AF76AE40E  ...
default 18:59:15.309464 -0400   nsurlsessiond   10.801s [5757] path:cancel

We want to get the part that the application actually logs, not the metadata at the start. We can use cut to get that part, but first we need to remove the extra spaces using tr before the application logging so we can easily make a single space as a delimiter for cut.

tr -s '[:space:]' < console.log | cut -d" " -f5-

Now that we have the application part, we are only interested in what might be our flag. Based on our previous criteria, we search for 10 or more alphanumeric characters at the start of a line followed by the end of a line.

tr -s '[:space:]' < console.log | cut -d" " -f5- | grep -E '^[[:alnum:]]{10,}$'

We see that there are only 296 lines of one word as output, which we can easily look at quickly for anything interesting.

root@kali:~/csaw# tr -s '[:space:]' < console.log | cut -d" " -f5- | grep -E '^[[:alnum:]]{10,}$' | wc -l
296

There are a lot of technical and repeated terms, but in the noise we see a clear outlier.

postPearlInterlockFollowUpItem
DeviceDiscoveryActivate
DeviceDiscoveryActivate
DeviceDiscoveryUpdate
postPearlInterlockFollowUpItem
postPearlInterlockFollowUpItem
keybagDidUnlock
ca3412b55940568c5b10a616fa7b855e
postPearlInterlockFollowUpItem
Invalidating
Invalidated

There appears to be a hash!

If we search for this in the debug log, we find the line.

root@kali:~/csaw# grep -n 'ca3412b55940568c5b10a616fa7b855e' console.log 
97190:default 19:12:18.884704 -0400   Preferences ca3412b55940568c5b10a616fa7b855e

The application is Preferences, which makes sense since this appears to be a settings or preferences related application.

The flag is ca3412b55940568c5b10a616fa7b855e.

Overall, I did not really enjoy this challenge. The moderator of the challenge on chat noted that the application was "littered with hints" about where to look, but I disagree.

The hint that it was a hex string made it more reasonable, but that hint came late and the challenge still remained a "grepping" challenge. We had to use a jailbroken iPhone before the hint to find the flag, which should not have felt like it was important when the challenge explicitly said a device was not needed.

Anyway, I'm glad I came up with an alternative way, but I think I was too focused looking for a keyword or something else in the debug log that would hint at the location to think of a method of filtering by format.

CSAW 2018 🐼 Rewind Writeup

Dillon Korman — Sun, 16 Sep 2018 20:48:22 GMT

This is a forensics challenge worth 200 points.

We are given a tar archive for the challenge that we can extract.

root@kali:~/csaw/rewind# tar -xvf rewind.tar.gz 
rewind.zip

We can now extract this zip archive.

root@kali:~/csaw/rewind# unzip rewind.zip 
Archive:  rewind.zip
  inflating: rewind-rr-nodent.log    
  inflating: rewind-rr-snp

We can take a look at what these files are with the file utility.

root@kali:~/csaw/rewind# file *
rewind-rr-nodent.log: data
rewind-rr-snp:        QEMU suspend to disk image

We can first try to search for the flag within the image with a regular expression.

root@kali:~/csaw/rewind# grep -a "flag{.*}" rewind-rr-snp
...
flag{RUN_R3C0RD_ANA1YZ3_R3P3AT}
...

Success! That was all that was required to complete this challenge.

Overall, this was an extremely simple challenge that only required extracting two archives and performing a simple search for the flag in the image.

CSAW 2017 Missed Registration Writeup

Dillon Korman — Mon, 18 Sep 2017 04:01:13 GMT

This is a forensics challenge worth 150 points.

We are given a pcap file to analyze. After opening it up in Wireshark, we can follow the TCP streams to get a feel of what's going on.

Browsing through the streams, we notice there is a lot of HTTP traffic for school registration. The requests are mostly the same with random fields for names, schools, and courses. The responses all appear to be the same.

Briefly looking at the other traffic in the pcap suggests there is not anything else too interesting for this challenge. The challenge description mentions registration and these forms, so it's very likely the answer is in this HTTP traffic somewhere.

Since the responses all appear the same, let's focus on the requests. The headers change slightly for some of the requests. Most of the requests have these headers:

POST / HTTP/1.1
Host: 192.168.0.21:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.11.1
Content-Length: 506
Content-Type: application/x-www-form-urlencoded

While some of the requests have these headers.

POST / HTTP/1.1
Host: 192.168.0.21:8080
Accept-Encoding: identity
Content-Length: 493
Content-Type: application/x-www-form-urlencoded

Basically, one request is asking for compression and one isn't. This could be something of note, but these headers don't contain the flag, so we can go back to it later.

Switching over to the values in the request, we see "n" and "s". The former is a long string of hex values and the latter is a single letter from A-F. I think the latter could be for grades. At this point I thought the flag must be in "n", but then I noticed that there was an "x" value in certain requests, those with the "Accept-Encoding" header of "identity."

The hex values for "n" and "x" did not decode into ASCII. What else could they be? Well, there are enough values for a small file, so we can try looking for that.

I need to extract these values together into a file, turn them into a binary, and then use a tool like foremost to identify any potential files.

I used the following command to extract the values cleanly:

strings cap.pcap | grep -o -f expression | sed 's/&x=//g' | tr -d '\n' | sed 's/[^A-Fa-f0-9]//g' > output.txt

where "expression" is a file with contents (here, it's "x", but it could be "n" as well):

&x=.*

Broken down, strings is grabbing the text of the pcap, grep is only extracting content that matches the regular expression in the file "expression," which is just the value syntax "&x=" followed by a regular expression, ".*", to match whatever comes after that syntax. Next, sed is removing the value syntax, "&x=", tr is removing new lines, and sed is removing any non-hex values.

To convert these hex values from a string to values in a binary, we can use a short Python script.

string_hex_file = open("output.txt", "r")
hex_as_string = string_hex_file.read()

hex_as_binary = hex_as_string.decode("hex")
binary_hex_file = open("binary", "w+")
binary_hex_file.write(hex_as_binary)

string_hex_file.close()
binary_hex_file.close()

We simply open our output file, read the bytes as hex, and write them to a new file.

Now, we can use a tool like foremost to extract any files that might be in there.

root@kali:/opt/ctf/csaw17# foremost -i binary
Processing: binary
|*|

It looks like it found a bmp file, which could be an image with the flag. Let's check it out!

root@kali:/opt/ctf/csaw17/output# ls
audit.txt  bmp
root@kali:/opt/ctf/csaw17/output# ls bmp
00000000.bmp
root@kali:/opt/ctf/csaw17/output# eog bmp/00000000.bmp

Success!

It was pretty apparent quickly that the flag was likely somewhere in the HTTP requests, but it took time to spot the "x" value (since it was only in some requests and somewhat hidden after the "n value") and then to realize there could be a file header inside. Overall, this was a fun and interesting challenge.

CSAW 2017 Best Router Writeup

Dillon Korman — Sun, 17 Sep 2017 23:02:54 GMT

This was a simple forensics challenge worth 200 points.

We are given an archive which we can easily extract.

root@kali:/opt/ctf/csaw17/best_router# tar -xvf best_router.tar.gz 
tar: Ignoring unknown extended header keyword 'LIBARCHIVE.creationtime'
tar: Ignoring unknown extended header keyword 'SCHILY.dev'
tar: Ignoring unknown extended header keyword 'SCHILY.ino'
tar: Ignoring unknown extended header keyword 'SCHILY.nlink'
best_router.img

We can now run binwalk on it to analyze the firmware.

root@kali:/opt/ctf/csaw17/best_router# binwalk best_router.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
4886543       0x4A900F        Copyright string: "copyright does *not* cover user programs that use kernel"
...
4905514       0x4ADA2A        Copyright string: "Copyright (c) 2015, Raspberry Pi (Trading) Ltd"

Looking at this output, we can see that it's a Raspberry Pi device, which we can mount by following this guide.

root@kali:/opt/ctf/csaw17/best_router# fdisk -l best_router.img
Disk best_router.img: 14.6 GiB, 15640559616 bytes, 30547968 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7f39f284

Device           Boot Start      End  Sectors  Size Id Type
best_router.img1       8192    93813    85622 41.8M  c W95 FAT32 (LBA)
best_router.img2      94208 30547967 30453760 14.5G 83 Linux

We can now mount the device after calculating the offset.

root@kali:/opt/ctf/csaw17/best_router# mount -v -o offset=48234496 -t ext4 best_router.img /mnt/img/router
mount: /dev/loop0 mounted on /mnt/img/router.

After we have mounted it, we can go exploring. I first looked at the /home/ directory and found the "pi" user. We can take a look at the bash history.

root@kali:/mnt/img/router/home/pi# cat .bash_history 
ls
sudo su

It looks like they switched to root, so let's check there.

root@kali:/mnt/img/router/root# cat install.sh 
sudo apt-get update
sudo apt-get install apache2 -y
sudo a2enmod cgid

sudo cp 000-default.conf /etc/apache2/sites-available/000-default.conf
sudo service apache2 restart

sudo rm -rf /var/www/*
sudo mv www/* /var/www
chmod 755 /var/www/*.pl

It looks like there is an installation script to install a website. Let's check what's in that directory.

root@kali:/mnt/img/router/var/www# ls -l
total 16
-rw-r--r-- 1 root root    0 Sep 10 00:43 flag.txt
-rwxr-xr-x 1 root root  472 Sep 10 00:51 index.pl
-rwxr-xr-x 1 root root 1238 Sep 10 00:50 login.pl
-rw-r--r-- 1 1000 1000   23 Sep 10 00:49 password.txt
-rw-r--r-- 1 1000 1000    5 Sep 10 00:49 username.txt

There is an empty flag file, but there are username and password files.

root@kali:/mnt/img/router/var/www# cat username.txt
admin
root@kali:/mnt/img/router/var/www# cat password.txt 
iforgotaboutthemathtest

These look useful. Let's try them on the website they gave us in the challenge prompt.

Authenticated

flag{but_I_f0rgot_my_my_math_test_and_pants}

Success!

Overall, this was a pretty simple forensics problem that required mounting the image and exploring the file system for the value content.