Showing posts with label ctf.

Monday, October 29, 2012

OvertheWire - Natas Wargame Level 0 and Level 1 Writeup

Introduction

The fantastic group at overthewire.org has created another wargame called Natas, which they describe as follows:

 Natas teaches the basics of serverside web-security.  
 Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.  
 Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas5.  

A big thank you goes out to this group for creating compelling and well-organized wargames for people of any skillset or experience level!

I decided to pair the writeups for the first two levels, since they are very similar and both very easy.

So, without further introduction, let's get started.

Saturday, October 27, 2012

"Damo" Web Security Challenge I Writeup

Introduction

I ran across some web-oriented security challenges, and thought I would take a quick break from the Smash the Stack writeups (more of which are coming soon) to write up these challenges as they are solved. If you would like to try the challenges for yourself, you can find them here. Thanks to "damo" for setting these challenges up!

Tuesday, October 23, 2012

Smash the Stack IO Level 3 Writeup

Introduction

For the third level of Smash the Stack (IO), we are given both the source code and a binary to work with. As always, we use the password obtained in the previous writeup to log in to the server as 'level3'. Let's take a look and see if we can find a way to extract the password for level 4.

Monday, October 22, 2012

Smash the Stack IO Level 2 Writeup

Introduction

We can use the password found in the previous writeup to log in to the server as the 'level2' user. As always, the levels are in /levels. There are two binaries for level 2: level2 and level2_alt. For the sake of this post, I will focus on level2, but may update it with the solution for level2_alt later.

Sunday, October 21, 2012

Smash the Stack IO Level 1 Writeup

Introduction

One of the best ways to learn new exploitation techniques, or to practice ones you already understand, is through events called wargames, otherwise known as "Capture the Flags" (CTFs). There are two common types of CTF: an "Offensive/Defensive" format, in which teams simultaneously attack each other's networks in an attempt to capture their flag, and a "Jeopardy", or "Offense Only", format in which all teams try to solve the same problems to obtain the same flag.

In addition, CTFs can be classified as either 'ongoing', in which participation is not limited to a small time frame, or 'event based', in which participants have a limited time (usually a few days) to capture as many flags as possible. As an example, the recent CSAW CTF (for which there are writeups on this blog) is a Jeopardy-style event CTF, because participation was limited to a weekend.

Now, with the introduction out of the way (see the end of the post for miscellaneous CTF resources), the following is a writeup for level 1 of the ongoing Jeopardy-style CTF called Smash the Stack - IO. I have tried to make the writeup comprehensive for those who may never have participated in a CTF, or who do not have much experience reversing binaries.

Tuesday, October 2, 2012

CSAW CTF Quals 2012 Networking 100 and Networking 200 Writeup

As mentioned in a previous post, the CSAW CTF Quals also had Networking challenges, in which contestants were given a packet capture file in which to find the key.

There were four networking challenges which ranged from 100 to 400 points each. Here are the writeups for the only two that I finished during the CTF.

Networking 100 - telnet.pcap

For this challenge, we were given a packet capture containing a Telnet session. The first thing to do is open the file in Wireshark. Once it is open, we can see that we indeed have a Telnet session, from which we need to extract the key. This should be trivial, since Telnet sends everything, authentication credentials included, in cleartext: anyone who can intercept Telnet traffic can harvest credentials with ease.

To do this, we can right-click on a packet in the session and select 'Follow TCP Stream.' This Wireshark feature shows all of the data belonging to a particular session in one view.


Once we follow the TCP stream, we immediately see the flag, which is the password used to establish the Telnet session:


Piece of cake!

Key: welcome to 1969

Networking 200 - lemieux.pcap

For this challenge, we play the role of a friend of someone who wants to get into a party. Our friend says that he/she knows someone who created an invitation for the party, but who is really strict about who gets in. Our challenge is to find, in the given pcap file, the password used to be let into the party.

We start this challenge the same way we started Networking 100, by opening the provided pcap in Wireshark. It looks like a typical capture of someone browsing the web, with multiple HTTP sessions listed. We can use the 'http' display filter to narrow the packet list to HTTP traffic only.

From here we can start looking through the capture, and we soon see requests to http://taproom307.com/. Visiting this site, we find a link to 'Book a Party,' which suggests where to look in the capture. We can also guess that we are looking for a POST request, since the individual likely POSTed a form to book the party.

After some digging we finally come across this request, which, once we analyze the data sent, shows us the password to attend the party.


Key: brooklyn beat box
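The 'Follow TCP Stream' step used in both challenges above can be reproduced outside Wireshark, which is useful when reviewing many captures for cleartext credentials. The following is an added example, not code from the original post or from any tool it mentions: it builds two small constructed pcaps in memory (a Telnet login and an HTTP form POST; the hosts, ports and the login name 'user' are made up, the passwords are the two keys above), reassembles each connection's streams by sequence number, and then applies the two checks a capture review would run: the client's answers to the Telnet login and password prompts, and the fields of a urlencoded POST body.

```python
"""Reassemble TCP streams from a pcap and pull cleartext credentials out of them.
Added example (not from the original post). Two constructed captures, a Telnet login
and an HTTP form POST, are handled the way Wireshark's 'Follow TCP Stream' does it:
group segments by connection, order each direction by sequence number, concatenate."""
import re
import struct
from collections import defaultdict
from urllib.parse import parse_qs

def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with PSH+ACK; checksums left at zero (sample data only)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def make_pcap(frames):  # classic little-endian pcap, link type 1 (Ethernet)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

CLIENT, SERVER = ("10.0.0.5", 40001), ("10.0.0.9", 23)      # constructed addresses
TELNET_FRAMES = [  # the two client segments are deliberately out of capture order
    _frame(*SERVER, *CLIENT, 1000, b"\xff\xfb\x01login: "),  # IAC WILL ECHO, then the prompt
    _frame(*CLIENT, *SERVER, 5006, b"welcome to 1969\r\n"),
    _frame(*CLIENT, *SERVER, 5000, b"user\r\n"),              # 'user' is a made-up login name
    _frame(*SERVER, *CLIENT, 1010, b"Password: "),
]
BODY = b"name=guest&password=brooklyn+beat+box"
HTTP_FRAMES = [
    _frame("10.0.0.5", 40002, "10.0.0.80", 80, 7000,
           b"POST /book HTTP/1.1\r\nHost: example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY),
]

def packets(pcap):
    """Yield raw frames from a classic (non-pcapng) capture in either byte order."""
    bo = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(bo + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """((src, sport), (dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    ip = frame[14:]
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or ip[9] != 6:
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    ends = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return (ends[0], sport), (ends[1], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def follow_streams(pcap):
    """Map each connection to {endpoint: bytes that endpoint sent}, reassembled in order."""
    conns = defaultdict(lambda: defaultdict(list))
    for frame in packets(pcap):
        seg = tcp_segment(frame)
        if seg and seg[3]:
            src, dst, seq, payload = seg
            conns[tuple(sorted((src, dst)))][src].append((seq, payload))
    # Sorting by seq undoes capture-order shuffling; overlapping retransmissions are not de-duplicated.
    return {c: {ep: b"".join(p for _, p in sorted(parts)) for ep, parts in d.items()}
            for c, d in conns.items()}

def strip_telnet_iac(data):
    """Drop Telnet option negotiation (IAC sequences) so only the typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        cmd = data[i + 1] if data[i] == 0xFF and i + 1 < len(data) else None
        if cmd is None:                      # plain data byte (or a dangling trailing IAC)
            out.append(data[i]); i += 1
        elif cmd == 0xFF:                    # escaped literal 0xFF
            out.append(0xFF); i += 2
        elif 0xFB <= cmd <= 0xFE:            # WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == 0xFA:                    # SB ... IAC SE
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                # any other two-byte command
            i += 2
    return bytes(out)

def telnet_credentials(stream):
    """(login, password) typed by the client, assuming the answers follow the prompts in order."""
    server = next((ep for ep, d in stream.items() if b"Password:" in d), None)
    if server is None:
        return None
    typed = strip_telnet_iac(next(d for ep, d in stream.items() if ep != server))
    lines = [l.decode("latin-1") for l in re.split(rb"\r?\n", typed) if l]
    return (lines[0], lines[1]) if len(lines) >= 2 else None

def http_post_fields(stream):
    """Form fields from the first urlencoded POST body in the connection, else None."""
    for data in stream.values():
        m = re.match(rb"POST [^\r\n]*\r\n(.*?)\r\n\r\n(.*)", data, re.S)
        if m and b"application/x-www-form-urlencoded" in m.group(1):
            return {k: v[0] for k, v in parse_qs(m.group(2).decode("latin-1")).items()}
    return None
```

Each connection is keyed by its unordered pair of endpoints and each direction is ordered by sequence number, which is what repairs the deliberately shuffled client segments; a full reassembler also has to discard overlapping retransmissions, which this one skips. That a credential falls out of a capture this easily is the case for replacing Telnet with SSH and plain HTTP forms with HTTPS.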

That's all there is to it for these first two Networking challenges. Here are links to blog posts that write up the solutions to the other two challenges - Networking 300 and Networking 400:

Networking 300:
http://delogrand.blogspot.com/2012/10/csaw-ctf-quals-networking-300.html

Networking 400:
http://delogrand.blogspot.com/2012/10/csaw-ctf-quals-networking-400.html

Leave a comment below if you have any questions!

-Jordan

Monday, October 1, 2012

CSAW CTF Quals 2012 Trivia Writeup

As mentioned in the previous post, the CSAW CTF also had a Trivia section of challenges, with each solution worth 100 points. Each of these could be found with a little Google-fu and some work if needed. Here are the solutions to the Trivia challenges:

Trivia 1 - What is the first step in owning a target?

The answer to this one should be obvious to pentesters: RECON is the first step in owning a target (you need information to work with). One could also notice the 'Recon' challenges listed after the Trivia section and guess from that, which would work as well.

Key: recon

Trivia 2 - What is the name of Google's dynamic malware analysis tool for Android applications?

I knew the answer to this one already since I had previously seen slides of a talk given by Charlie Miller and Jon Oberheide on exploiting the tool named Bouncer.

Key: Bouncer

Trivia 3 - What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

Since I don't have my x86 opcodes memorized, it was time to find a resource. This one served my purpose well. We can see that the opcode for an and instruction with al and an immediate (constant) operand is 0x24. The key is therefore 0x2424, since the constant byte follows the opcode byte.

Key: 0x2424
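The rule behind that answer generalises: the eight classic ALU instructions (add, or, adc, sbb, and, sub, xor, cmp) all have a one-byte 'op AL, imm8' form whose opcode is (op << 3) | 0x04, followed by the immediate byte. The following is an added example, not part of the original post, that encodes and decodes that whole family and runs a single instruction against an AL value so the effect of the mask can be seen; TEST AL, imm8 (opcode A8) is included as the one outlier in the family.

```python
# Encoder/decoder for the one-byte "op AL, imm8" x86 instruction family.
# Added example, not part of the original post. The eight classic ALU operations
# share the layout opcode = (op << 3) | 0x04 followed by one immediate byte, which
# is why 'and al, 0x24' assembles to 24 24 (0x2424); TEST AL, imm8 (A8) is the outlier.
ALU = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
OPCODES = {(op << 3) | 0x04: name for op, name in enumerate(ALU)}
OPCODES[0xA8] = "test"
MNEMONICS = {name: opcode for opcode, name in OPCODES.items()}


def assemble(mnemonic, imm8):
    """Encode '<mnemonic> al, imm8' as two bytes."""
    if not 0 <= imm8 <= 0xFF:
        raise ValueError("imm8 out of range: %r" % imm8)
    return bytes([MNEMONICS[mnemonic], imm8])


def hex_word(code):
    """Render a two-byte encoding in the 0xFFFF form the trivia question asked for."""
    return "0x%02X%02X" % (code[0], code[1])


def disassemble(code):
    """Decode a byte string of these two-byte instructions into (offset, text) pairs."""
    if len(code) % 2:
        raise ValueError("truncated instruction at offset %d" % (len(code) - 1))
    out = []
    for off in range(0, len(code), 2):
        name = OPCODES.get(code[off])
        if name is None:
            raise ValueError("opcode 0x%02X at offset %d is not in this family" % (code[off], off))
        out.append((off, "%s al, 0x%02x" % (name, code[off + 1])))
    return out


def execute(al, code, cf=0):
    """Run one instruction on an 8-bit AL; returns (al, zf, cf). CMP and TEST only set flags."""
    name, imm = OPCODES[code[0]], code[1]
    if name in ("add", "adc"):
        r = al + imm + (cf if name == "adc" else 0)
    elif name in ("sub", "sbb", "cmp"):
        r = al - imm - (cf if name == "sbb" else 0)
    elif name in ("and", "test"):
        r = al & imm
    elif name == "or":
        r = al | imm
    else:  # xor
        r = al ^ imm
    new_cf = int(r < 0 or r > 0xFF)   # carry/borrow out of 8 bits; logic ops always clear CF
    r &= 0xFF
    return (al if name in ("cmp", "test") else r), int(r == 0), new_cf
```

Running `execute(0xFF, assemble("and", 0x24))` shows the instruction doing what the mnemonic says: AL is masked down to 0x24 with ZF and CF clear. A real disassembler has to deal with variable-length encodings, prefixes and ModR/M bytes; this family is the rare corner of x86 where the instruction is exactly two fixed bytes.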

Trivia 4 - Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?

A bit of Googling led me to this paper, written by Spencer Pratt, which is the answer.

Key: Spencer Pratt

Trivia 5 - What is the name of Microsoft's distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

This one was the most difficult for me to find, partly because I kept getting hung up trying keys related to 'BlueHat'. It made sense to me: a community-driven (distributed) system revolving around those topics. However, this wasn't the answer. After some more research, I found this article, which turned out to hold the answer.

Key: SAGE

As mentioned, these challenges were all easily obtainable with a little research. I think these were meant to give new CTF-goers (like me!) the chance to quickly gain points and build confidence, which is a great idea.

More write-ups will be added soon!

-Jordan

Sunday, September 30, 2012

CSAW CTF Quals 2012 Recon 1-3 Writeup


This weekend I participated in the CSAW 2012 Capture the Flag (CTF). Although I didn't have nearly the time I wish I had to spend on solving the problems, I wanted to make some writeups for those I did manage to solve in time.

The following problem categories were available to be solved:

  • Trivia
  • Recon
  • Web
  • Reversing
  • Exploitation
  • Forensics
  • Networking

Solutions to the challenges were awarded points based on how difficult the solution would theoretically be to obtain, ranging from 100 to 600 points per solution.

I wasn't able to solve the final two 400 point Recon challenges (for Yoda, and Dan Guido's favorite foods), so if anyone participated and managed to find those solutions, I would be interested to hear how you went about it!

Recon 100 - Jordan Wiens (psifertex)

For this challenge, we are simply given a Google Search link for 'Jordan Wiens', one of the judges for the CTF, and the only thing we know about the key is that it will most likely be in the format 'key{something}'. Not much to go on, but we'll see what we can do.

The obvious sources of information from the Google Search are his Twitter and LinkedIn accounts. From these, we can see that he commonly uses the alias 'psifertex'. This may come in handy. On a hunch, we can check which sites have the name 'psifertex' taken, using a common tool called namechk.com. Using this tool, we see that psifertex is taken on quite a few websites, but none of these yield great results.

The next step would be to simply perform a Google Search for 'psifertex' and see if we find anything new. Fortunately, the first result is psifertex.com, which only contains the string 'Nothing to see here, move along.' Not buying it, I moved on to the next recon step I like to perform on a domain: trying to brute-force its subdomains. To do this, I use a tool called subbrute.py. This tool performs multithreaded DNS lookups through a configurable list of DNS resolvers, working through a list of possible subdomains. It should be noted that I have tweaked and modified my own version of subbrute and have added subdomains as I've found them, so the standard install may not work in this case.

In any case, here is the output I get from subbrute.py for psifertex.com:

Checking psifertex.com
74.125.45.121 calendar.psifertex.com
74.125.45.121 docs.psifertex.com
69.163.249.183 ftp.psifertex.com
173.236.129.17 key.psifertex.com
69.163.249.183 ssh.psifertex.com
74.125.45.121 start.psifertex.com
69.163.249.183 www.psifertex.com

Obviously, the first subdomain of interest is 'key.psifertex.com', which indeed yields the key: 'secret sonambul1st'

Recon 100 - Jeff Jarmoc (jjarmoc)

For this challenge we were simply given a Google Search for 'jjarmoc'. Again, not too much to work with. Many teams had trouble with this challenge, yet I found it to be one of the easiest (most likely because I had just performed the same recon for Jordan Wiens). From Jeff's Twitter page, we can see that he links offenseindepth.com as his homepage. Let's perform the same recon as before and run subbrute. Here is the output:

Checking offenseindepth.com
107.21.146.162 finger.offenseindepth.com
173.201.193.71 imap.offenseindepth.com
74.125.45.121 mail.offenseindepth.com
107.21.146.162 www.offenseindepth.com
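Both subbrute runs above show what the tool produces for the person running it; the zone owner sees the same activity from the other side. The following is an added example, not from the original post or from subbrute, showing what a detection over an authoritative server's query log can key on: many distinct, never-before-requested names under one zone inside a short window, mostly answered NXDOMAIN, and arriving from many resolver addresses because the tool fans its lookups out across public resolvers. The log format (timestamp, client, qname, qtype, rcode), the addresses, and the zones example.org and example.com are all constructed for the example.

```python
"""Flag subdomain brute-forcing in an authoritative DNS server's query log.

Added example, not from the original post or from subbrute. From the zone
owner's side a wordlist run is a burst of queries for many never-requested
names under one domain, nearly all answered NXDOMAIN, spread over many source
addresses because the tool fans lookups out across public resolvers. The log
format (timestamp client qname qtype rcode), addresses and zones are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXISTING = {"w03", "w07", "w11", "w19"}   # the few guessed names that happen to resolve


def build_sample_log():
    """Constructed log: normal traffic for example.org, then a 40-name burst against example.com."""
    base = datetime(2012, 9, 29, 14, 0, 0)

    def stamp(s):
        return (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i)} 203.0.113.10 {n}.example.org A NOERROR"
             for i, n in enumerate(["www", "mail", "www", "imap", "www"])]
    lines.append(f"{stamp(5)} 203.0.113.10 wwww.example.org A NXDOMAIN")   # one typo is not an attack
    for i in range(40):                    # eight resolver addresses take turns asking
        name = f"w{i:02d}"
        rcode = "NOERROR" if name in EXISTING else "NXDOMAIN"
        lines.append(f"{stamp(10 + i)} 198.51.100.{1 + i % 8} {name}.example.com A {rcode}")
    return "\n".join(lines)


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower().rstrip("."), qtype, rcode


def zone_of(qname):
    """Registered domain approximated as the last two labels (a public-suffix list would be better)."""
    return ".".join(qname.split(".")[-2:])


def find_enumeration(lines, window=timedelta(minutes=5), min_names=25, min_nx_ratio=0.8):
    """One alert per (zone, time bucket) where many distinct names were asked and most did not exist.

    Keying on the zone rather than the client is deliberate: resolver fan-out keeps
    every per-source count small, but the zone still sees the whole wordlist.
    """
    buckets = defaultdict(lambda: {"names": set(), "sources": set(), "nx": 0, "total": 0, "first": None})
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, _, rcode = parse_line(line)
        since_epoch = (ts - datetime(1970, 1, 1)).total_seconds()
        b = buckets[(zone_of(qname), int(since_epoch // window.total_seconds()))]
        b["names"].add(qname)
        b["sources"].add(client)
        b["total"] += 1
        b["nx"] += rcode == "NXDOMAIN"
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
    alerts = []
    for (zone, _), b in sorted(buckets.items()):
        ratio = b["nx"] / b["total"]
        if len(b["names"]) >= min_names and ratio >= min_nx_ratio:
            alerts.append({"zone": zone, "first_seen": b["first"], "distinct_names": len(b["names"]),
                           "nx_ratio": ratio, "sources": len(b["sources"])})
    return alerts
```

The thresholds are starting points to tune per zone; the single mistyped example.org name in the sample never trips them, while the wordlist burst does even though no one resolver address asked more than five times. The alert is only half the story, though: what the subbrute output above really reveals is that hostnames like key, ssh and ftp were published in public DNS, so the lasting fix is to treat anything in a public zone as public and keep sensitive names out of it.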

The only subdomain that seems out of the ordinary is finger.offenseindepth.com. Using the subdomain name as a clue, we can attempt to enumerate information about users on the host using the Finger service. Sure enough, by using jjarmoc as the username, we receive the following information:

jordan@crux:/pentest/recon/subbrute$ finger jjarmoc@finger.offenseindepth.com
Debian GNU/Linux      Copyright (C) 1993-1999 Software in the Public Interest
-----------------------------------------------------------------------------
Username: jjarmoc                   In real life:                       


Plan:
This is my .plan.  There are many more like it, but this one is mine.

{key:does anyone still use finger?}

-----------------------------------------------------------------------------

Submitting the key 'does anyone still use finger' earns us 100 points. Moving right along.
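For reference, here is the finger exchange shown above as an added example, not code from the original post: the client query and the server reply are written as pure functions so the exchange can be read without a network, with a socket wrapper for the client half. The user table is constructed, with the .plan text taken from the output above; the empty real-name field, the refusal of forwarded queries and the 'no such user' message are assumptions about a typical fingerd rather than any particular implementation.

```python
"""The finger protocol (RFC 1288) exchange, both halves, plus a socket client.

Added example, not code from the original post. `build_query` and `handle_query`
are the two sides of the exchange as pure functions so it can be read without a
network; `finger` wraps the client half in a socket. The user table is
constructed (the .plan text is the one the post shows); the response wording is
modelled on a typical fingerd, not on any particular implementation.
"""
import socket

USERS = {  # constructed user table
    "jjarmoc": {
        "real_name": "",
        "plan": "This is my .plan.  There are many more like it, but this one is mine.\n\n"
                "{key:does anyone still use finger?}",
    },
}


def build_query(user="", verbose=False):
    """Client request: [/W][ ]<user>CRLF. An empty user asks who is logged in."""
    flag = "/W " if verbose and user else "/W" if verbose else ""
    return (flag + user + "\r\n").encode("ascii")


def handle_query(raw, users=USERS):
    """Server side: answer a {Q1} query, refuse {Q2} forwarding (user@host)."""
    req = raw.decode("ascii", "replace").rstrip("\r\n")
    if req.startswith("/W"):                 # verbose flag; this server prints the same either way
        req = req[2:].lstrip()
    if "@" in req:
        return "finger: forwarding service denied\r\n"   # RFC 1288 allows refusing forwarded queries
    if not req:
        return "No one logged on.\r\n"                  # a real fingerd would list sessions here
    info = users.get(req)
    if info is None:
        # A distinguishable 'no such user' reply is itself an account-enumeration oracle.
        return "finger: %s: no such user.\r\n" % req
    return "Login: %-16s Name: %s\r\nPlan:\r\n%s\r\n" % (req, info["real_name"], info["plan"])


def finger(user, host, port=79, timeout=5.0):
    """Client over a real socket; returns the complete server reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_query(user))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")
```

Nothing in the reply is authenticated or encrypted, and a .plan is free-form text that the owner may not remember is world-readable, which is exactly why the service is a recon source. On a host that still runs fingerd, the fix is to turn it off (or at minimum block port 79 at the perimeter), not to trim .plan files.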

Recon 100 - Julian Cohen (HockeyInJune)

I actually found Julian's recon challenge to be the most difficult, purely because of my own oversights. All we are given is a Google Search for 'HockeyInJune'. This, like the other recon challenges, does not provide much information. However, using namechk.com, I can see that HockeyInJune has a Reddit profile which consistently posts about the CSAW CTF, so we know it's the right guy. I mentioned my own oversights on this one; it was simply that I checked every Reddit post except the one that had the key. After finally checking the link posted in the comment (cockcab.com), we can see that it clearly lists the key (although I didn't manage to write it down for this post, and it now looks to have been removed).

So there you have it! Those were the first three recon challenges for the CSAW CTF. As mentioned, two more 400-point challenges were posted later in the weekend (Dan Guido's two favorite foods, and Yoda), but I didn't have time to look into them much. If anyone managed to find the solutions, I'd be interested to hear how much work it took to find them!

A big thank you goes out to the organizers of the CTF. Everything went smoothly, and appeared to be well organized with interesting challenges. Hopefully next year I will have more time to work on the challenges, and won't be so bogged down with school projects.

I will post more writeups for the challenges as I create them.

-Jordan

Edit: Dan Guido gave a comment on Reddit that the solution to his Recon challenge could be found here. Thanks, Dan!