tag:blogger.com,1999:blog-53810196495045899312024-03-13T03:13:30.807-07:00Yet Another Security BlogYet another blog on computer security. I will be using this blog as a space to track my adventures in reverse engineering, exploit development, capture the flags (CTFs), conferences, and other things I find interesting.Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-5381019649504589931.post-29952345772071165972016-05-05T19:13:00.001-07:002016-05-05T19:14:50.256-07:00PCDC 2016 RE Challenge Solutions - Part 2This is a continuation off of my previous <a href="http://www.samcappella.com/2016/04/pcdc-2016-re-challenge-solutions-part-1.html" target="_blank">post</a> detailing the solutions to the 2016 PCDC reverse engineering challenges 1 and 2. This post will go over the solutions for challenges 3 and 4. If you were a competitor in this year's PCDC competition, you may not have seen all of the RE challenges. Challenges 1 and 2 were made for high school students, challenge 3 was added for college students, and challenge 4 was added for professional day. As a result, only the professionals saw all 4 challenges. This was designed to help balance expected work load during the competition and provide increasing level so difficulty for increasing levels of skill. So let's look at the remaining two challenge solutions.<br />
<br />
<h3>
Challenge 3 - exclusive</h3>
<div>
Like with all the other challenges, let's run this one and get an idea of what it does.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6cv0gILUpHrhTCwIgHy69VS_rx4CQKtlQVioIkYpkqdzVP2H4m4JBfVMdWR8SjteoSSKyq5cvvs_P8EHDPofiZPZ8fSV9OkF0vAHluO-8yFtgazCz1686R4nCLhhw6qiXCCw7o2pjOes/s1600/exclusive_1.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6cv0gILUpHrhTCwIgHy69VS_rx4CQKtlQVioIkYpkqdzVP2H4m4JBfVMdWR8SjteoSSKyq5cvvs_P8EHDPofiZPZ8fSV9OkF0vAHluO-8yFtgazCz1686R4nCLhhw6qiXCCw7o2pjOes/s640/exclusive_1.png" width="640" /></a></div>
<div>
<br /></div>
<div>
So this looks a little bit like our previous challenges where we have to give it a valid input and it well tell us if that input is correct and print out the key. Let's open the challenge up in Immunity and take a look. </div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikj4-yk_Vmx-msmZUuW_q2UiZCfla7Ut9j_2IAMoIIjB0MQUpoL9mR9xhGruIosoqV7DSknaUFzd_MHa48gcq5sL6g_E40kG00ENcziVDzWEXQwlrY9lVlDtH6gCZ6ciHNrYRcuWm_aTU/s1600/exclusive_2.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikj4-yk_Vmx-msmZUuW_q2UiZCfla7Ut9j_2IAMoIIjB0MQUpoL9mR9xhGruIosoqV7DSknaUFzd_MHa48gcq5sL6g_E40kG00ENcziVDzWEXQwlrY9lVlDtH6gCZ6ciHNrYRcuWm_aTU/s1600/exclusive_2.png" /></a></div>
<div>
<br /></div>
<div>
After loading the binary and analyzing the modules just like the we did in the previous challenge, we can scroll down and see the instructions responsible for printing out the initial user prompt. We can also see how our input gets read into the program via the call to <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b>. The important thing to note how <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b> gets its parameters. In <span style="font-family: "courier new" , "courier" , monospace;">x86-32</span> bit assembly on Windows, which is what we are looking at, these parameters are passed on the stack in a standard called <a href="https://en.wikipedia.org/wiki/X86_calling_conventions#cdecl" target="_blank">CDECL</a> (C declaration). What this means is the <b><span style="font-family: "courier new" , "courier" , monospace;">PUSH</span></b> instructions are actually setting up the parameters to the <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b> function. To understand what these parameters are, let's look at this function.</div>
<div>
<br /></div>
<div>
Using <a href="https://msdn.microsoft.com/en-us/library/c37dh6kf.aspx" target="_blank">MSDN</a> as a resource, we can see that <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b> has the following signature:</div>
<div>
<span style="font-family: "consolas" , "courier" , monospace; font-size: 13px; line-height: 17.55px;"><br /></span></div>
<div>
<span style="font-family: "consolas" , "courier" , monospace; font-size: 13px; line-height: 17.55px;">char *fgets(char *str, int n, FILE *stream);</span></div>
<div>
<span style="font-family: "consolas" , "courier" , monospace; font-size: 13px; line-height: 17.55px;"><br /></span></div>
What this function is doing is reading in an <b><span style="font-family: "courier new" , "courier" , monospace;">n</span> </b>byte string, storing it in a memory buffer pointed to by <b><span style="font-family: "courier new" , "courier" , monospace;">str</span></b>, and reading the input from the file stream <b><span style="font-family: "courier new" , "courier" , monospace;">stream</span></b>. If you look at Immunity, it even tells you which <b><span style="font-family: "courier new" , "courier" , monospace;">PUSH</span> </b>instruction is responsible for setting up which parameter to the <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span> </b>call and in this case, it tells you it is reading a string of length 0x16 (<b><span style="font-family: "courier new" , "courier" , monospace;">n = 16 (22.)</span></b>). Now for our purposes, the important parameter to consider is the address where this user defined input gets stored. If you looked at the link specifying the CDECL calling convention, you'll see that the first parameter listed in the function (<b><span style="font-family: "courier new" , "courier" , monospace;">char *str</span></b>) is the last one pushed onto that stack before the call to <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b>. We don't need to understand all the instructions, we just need to see the use of <b><span style="font-family: "courier new" , "courier" , monospace;">DWORD PTR SS:[EBP-34]</span></b>. This is going to be a pointer to where our input will be stored. If we look through the disassembly a little more, we should see this address show up again. Specifically in the <span style="font-family: "courier new" , "courier" , monospace;"><b>0x00401397</b> - <b>0x004013CE</b></span> address range. Before we go any further, lets recap what we know:<br />
<br />
- The program expects to get a 'serial number' which it then validates<br />
- The program uses a call to <b><span style="font-family: "courier new" , "courier" , monospace;">fgets()</span></b> to read in our input<br />
- Our input is stored at <b><span style="font-family: "courier new" , "courier" , monospace;">DWORD PTR SS:[EBP-34]</span></b><br />
- We see our stored address used within the assembly address range <span style="font-family: "courier new" , "courier" , monospace;"><b>0x00401397 </b>- <b>0x004013CE</b></span><br />
<b><br /></b>
Now it's time to verify these. The best way to do this with a debugger is to set break points. At this point, <i>right-click</i> on the address <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401397</span></b>, go down to<i><b> </b>breakpoints</i> and select <i>toggle</i>. Alternatively, click on the address and press <i>F2</i> to toggle the breakpoint. This is after we have entered the string to the program and before it looks like it's getting used. With the breakpoint turned on, our program will halt at that address when execution has gotten there. So with our breakpoint set, let's run the program. This can be done 3 different ways: 1. Press <i>F9</i>, 2. To to the top menu and press the red play button, 3. Go to <i>Debug</i> -> <i>Run</i>. The first thing that will happen is that the program will break at what is called the program entry point. This is basically the API the program exposes to the OS so that the program can start up. There are a lot of steps that go into getting from this point to the break point we set, but we don't care about those at this time. Just press <i>F9</i> again to continue. Now at this point, you should see the Windows command window. It should be waiting for you to enter in your input. Go ahead and enter is some string into this window like you did the first time you ran this challenge program.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnglaHCGly16m50GzEy4ZQ0zhFU7JKrRt8EscQcVmNNfi5gi3z-MglBL6cjfVHam_LbUTA_U_uEETLz9iZlgqLLbCxqWtztfj4jKbfxaufQ8IEAPT6XWZPQ3NZNkMclOi9ypTr90bGcHs/s1600/exclusive_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnglaHCGly16m50GzEy4ZQ0zhFU7JKrRt8EscQcVmNNfi5gi3z-MglBL6cjfVHam_LbUTA_U_uEETLz9iZlgqLLbCxqWtztfj4jKbfxaufQ8IEAPT6XWZPQ3NZNkMclOi9ypTr90bGcHs/s1600/exclusive_3.png" /></a></div>
<br />
<br />
At this point it will look like your program hangs, but this is Immunity pausing it so you can being to dive deeper into the details of what's going on. Let's analyze the following snippet of code:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7u-XYZii67Y6qd5wj2yn8bPXTywhL5FVyyj6DFqbEmaDd8XTTC9OgRLx0_YIK83Ho-34V9jdMYgUuF20zx8m0E9630boxPFoqCC1lmf_9ZscOX_C7Y2QNzkZ_m1i9CCEC4VicrtbDPP0/s1600/exclusive_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7u-XYZii67Y6qd5wj2yn8bPXTywhL5FVyyj6DFqbEmaDd8XTTC9OgRLx0_YIK83Ho-34V9jdMYgUuF20zx8m0E9630boxPFoqCC1lmf_9ZscOX_C7Y2QNzkZ_m1i9CCEC4VicrtbDPP0/s1600/exclusive_4.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
If we look at the first instruction, we see a <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> to <b><span style="font-family: "courier new" , "courier" , monospace;">0x16</span></b>. Remember from the first post that <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> is used to make comparisons and remember from earlier in this post, that this challenge reads in a <b><span style="font-family: "courier new" , "courier" , monospace;">0x16</span></b> byte string. Now look at the second instruction, <b><span style="font-family: "courier new" , "courier" , monospace;">JNB SHORT exclusiv.004013D0</span></b>. It is a jump instruction to the address <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013D0</span></b>. That target address is interesting, but not as interesting as the instruction before it at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013CE</span></b>, <span style="font-family: inherit;">a</span> <b><span style="font-family: "courier new" , "courier" , monospace;">JMP SHORT exclusive.00401397</span></b>. That's the same address we set our breakpoint at! This is a loop! We compare some counter to <b><span style="font-family: "courier new" , "courier" , monospace;">0x22</span></b>, if it is less than <b><span style="font-family: "courier new" , "courier" , monospace;">0x22</span></b>, continue execution, otherwise, jump. It kind of looks like:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">int x = 0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">while (x < 0x16) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> loop_body();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<br />
Now we haven't figured out the loop body yet. But let's step through this an instruction at a time by pressing the <i>F7</i> key and stop when we get to address <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013A5</span></b>, the first <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b> instruction. If you're following along with my example and entered in <b>abcd1234</b> as your string to test, you should see something like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1d_Hq_4_SFDOMuF8etD4eyqxvw39ahtpyJ1LYy-IC1946hXMX4lzRU1D9AR4oABfax4JJqFcjOpuL1cdxSz3RHXAmpY-x6DimuTDjO8T2cRVLSbSHJZYdkWNnCPbPbD6CIucSKkqXgPA/s1600/exclusive_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1d_Hq_4_SFDOMuF8etD4eyqxvw39ahtpyJ1LYy-IC1946hXMX4lzRU1D9AR4oABfax4JJqFcjOpuL1cdxSz3RHXAmpY-x6DimuTDjO8T2cRVLSbSHJZYdkWNnCPbPbD6CIucSKkqXgPA/s1600/exclusive_5.png" /></a></div>
<br />
Now I've added some circles to draw your attention to a few places. So the instruction we stopped at is <b><span style="font-family: "courier new" , "courier" , monospace;">XOR EAX, 9C</span></b>. This means we are performing the <a href="https://en.wikipedia.org/wiki/Exclusive_or" target="_blank">XOR</a> operations on whatever value is in the <b><span style="font-family: "courier new" , "courier" , monospace;">EAX</span> </b>register with the hex value <b><span style="font-family: "courier new" , "courier" , monospace;">0x9C</span></b>. I've circled the <b><span style="font-family: "courier new" , "courier" , monospace;">EAX</span></b> register, and we can see the value of <b><span style="font-family: "courier new" , "courier" , monospace;">0x61</span></b>. If you recall, our input string was <b>abcd1234</b>, the hexadecimal value for the ASCII character '<span style="font-family: "courier new" , "courier" , monospace;">a</span>' is <b><span style="font-family: "courier new" , "courier" , monospace;">0x61</span></b>. Interesting. Let's continue to the next <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span> </b>instruction at <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013B9</span></b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wxnwzzpyiP4hUxBFtSjTfPTcxu0RVbZXoxBGOWWqt1LyoTIqpRLQUO-pLiftB1o52P8DzLvZw4CWSXgFaLv15n2oXOSW948KaZaaXpu1ihl7wY23ieivVvIkxHbx127GCE8HTAOedv0/s1600/exclusive_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wxnwzzpyiP4hUxBFtSjTfPTcxu0RVbZXoxBGOWWqt1LyoTIqpRLQUO-pLiftB1o52P8DzLvZw4CWSXgFaLv15n2oXOSW948KaZaaXpu1ihl7wY23ieivVvIkxHbx127GCE8HTAOedv0/s1600/exclusive_6.png" /></a></div>
<br />
Again, I've highlighted the value in the <b><span style="font-family: "courier new" , "courier" , monospace;">EAX</span> </b>register, <b><span style="font-family: "courier new" , "courier" , monospace;">0x62</span> </b>(ASCII value for '<span style="font-family: "courier new" , "courier" , monospace;">b</span>'), and the other value in the <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span> </b>operation is <b><span style="font-family: "courier new" , "courier" , monospace;">0xDC</span></b>. If you continue to step through, you'll see that we jump back to address <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401397</span></b>, and loop through these series of instructions again. When you inspect the <b>EAX </b>register, you'll see the values <b><span style="font-family: "courier new" , "courier" , monospace;">0x63</span></b> and <b><span style="font-family: "courier new" , "courier" , monospace;">0x64</span></b> (ASCII '<span style="font-family: "courier new" , "courier" , monospace;">c</span>' and '<span style="font-family: "courier new" , "courier" , monospace;">d</span>' respectively). It is indeed our input string. Now, we know we are in a loop. In fact, we wrote out some pseudo-code for it. So let's update it a little:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">int x = 0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">while (x < 0x16) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i] ^ 0x9C;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i+1] ^ 0xDC;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> x++;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<br />
Hmmm this doesn't seem quite right. So how is our loop being incremented and how to we know our index for our input? Let's looks at the following details:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU77V2IjWAlsrAU-JZeoBxPrCanIFT7wSYhEVhfrRe55QgcHBoTIuMfnkf49j0DcznH2_AFBpQc2QA2umKC6eI8m_dQI8-J0t9WgkBw6CBL2WSXmEtP3Plo4j45478phsRWk65nn2Kv98/s1600/exclusive_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU77V2IjWAlsrAU-JZeoBxPrCanIFT7wSYhEVhfrRe55QgcHBoTIuMfnkf49j0DcznH2_AFBpQc2QA2umKC6eI8m_dQI8-J0t9WgkBw6CBL2WSXmEtP3Plo4j45478phsRWk65nn2Kv98/s1600/exclusive_7.png" /></a></div>
<br />
What we're looking at is how the input string is indexed using the <b><span style="font-family: "courier new" , "courier" , monospace;">EDX</span> </b>register, and how that register is incremented by 2 every loop iteration. So let's refine our code a little more:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">int x = 0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">while (x < 0x16) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i] ^ 0x9C;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i+1] ^ 0xDC;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> x += 2;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<br />
Great. Now when we exit our loop, our input has been <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b>'ed with the key <b><span style="font-family: "courier new" , "courier" , monospace;">0x9CDC</span></b>. A little further down we see a call to the function <b><span style="font-family: "courier new" , "courier" , monospace;">memcmp()</span></b>. Here is the <a href="https://msdn.microsoft.com/en-us/library/zyaebf12.aspx" target="_blank">MSDN</a> documentation for that function. What it does is look to see if 2 memory regions contain the same data for a given number of bytes. Again, Immunity has done some work for us and shows us that this <b><span style="font-family: "courier new" , "courier" , monospace;">memcmp()</span></b> is using 2 pointers, <b><span style="font-family: "courier new" , "courier" , monospace;">s1</span> </b>and <b><span style="font-family: "courier new" , "courier" , monospace;">s2</span></b>, and comparing them up to <b><span style="font-family: "courier new" , "courier" , monospace;">0x15</span></b> (21) bytes. Le't set a breakpoint at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013DA</span></b> where <b><span style="font-family: "courier new" , "courier" , monospace;">memcmp()</span></b> gets called. So, by looking at the previous instructions and what we learned from the loop we reverse engineered, we see that <b><span style="font-family: "courier new" , "courier" , monospace;">s2</span></b> is the string we entered after it has been <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b>'ed. A good way to confirm this is we see that the address of this string got loaded into the <b><span style="font-family: "courier new" , "courier" , monospace;">EAX</span></b> register with the instruction at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013D2</span></b>. So what we can do is <i>right-click</i><b style="font-style: italic;"> </b>on the <b><span style="font-family: "courier new" , "courier" , monospace;">EAX</span></b> register and click <i>Follow in Dump</i>. This will show a hex dump of our data:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGYhyphenhyphenxp3nx2qp4NGf3AHkZSWIwuL5WvjU7Gl5ZJvRTsa7w6vq2BF4gL588DFAW9JSOXsxWciMJfk2fyEa0WphlWxwI6SQzf3ms35yaViYXr-qcBDT0iASLnlBt6xNW_QW0-zDsq_eHc0/s1600/exclusive_8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLGYhyphenhyphenxp3nx2qp4NGf3AHkZSWIwuL5WvjU7Gl5ZJvRTsa7w6vq2BF4gL588DFAW9JSOXsxWciMJfk2fyEa0WphlWxwI6SQzf3ms35yaViYXr-qcBDT0iASLnlBt6xNW_QW0-zDsq_eHc0/s1600/exclusive_8.png" /></a></div>
<br />
And indeed, those are our input bytes after being <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b>'ed. Check the first 2 bytes; <b><span style="font-family: "courier new" , "courier" , monospace;">0x6162 XOR 0x9CDC = 0xFDBE</span></b>. So what we are really interested in is the memory contents of the second pointer, <b><span style="font-family: "courier new" , "courier" , monospace;">s1</span></b>, being used in the <b><span style="font-family: "courier new" , "courier" , monospace;">memcmp()</span></b>. We can find that by doing the same thing we did in the previous step, but with the <b><span style="font-family: "courier new" , "courier" , monospace;">ECX</span> </b>register. So let's get the contents of that dump.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLZD7qdVgSMdo8e_WhC50u8-covidlXMKllLk3qwYlsO_NQo0ew0mYcJXq0InerEeL5caLTiHJxSw8vMyOCgscEvCNnB50whDjcAMwet77FWkApWUq1leVz0hf81g9hPK7rqO9gcUpmEw/s1600/exclusive_9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLZD7qdVgSMdo8e_WhC50u8-covidlXMKllLk3qwYlsO_NQo0ew0mYcJXq0InerEeL5caLTiHJxSw8vMyOCgscEvCNnB50whDjcAMwet77FWkApWUq1leVz0hf81g9hPK7rqO9gcUpmEw/s1600/exclusive_9.png" /></a></div>
<br />
This this is ultimately our goal. The <b><span style="font-family: "courier new" , "courier" , monospace;">0x15</span></b> (21) bytes of this memory segment. This is what our input string gets compared to after being <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b>'ed against the key <b><span style="font-family: "courier new" , "courier" , monospace;">0x9CDC. </span></b>So now let's update our pseudo-code:<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">char serial[0x15] = "\xff\xbd\xfa\xb9\xb1\xec\xad\xee\xaf\xe8\xb1\xe9\xaa\xeb\xa4\xe5\xb1\xbe\xf9\xb9\xfa"</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">char *input = (char *)malloc(0x16);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">fgets(input, 0x16, STDIN);</span><br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">int x = 0;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">while (x < 0x16) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i] ^ 0x9C;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> input[i+1] ^ 0xDC;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> x += 2;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">if (memcmp(key, input, 0x15) == 0) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> win();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">} else {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> fail();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span><br />
<br />
Now, we know this is what happens with the <b><span style="font-family: "courier new" , "courier" , monospace;">memcmp()</span></b> function by reading the documentation and seeing the <b><span style="font-family: "courier new" , "courier" , monospace;">TEST EAX, EAX</span></b> instruction and seeing successful jumps over the failure messages. So the only thing left to do is solve what the input string is. If you read the documentation on <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b>, you know that it is reversible. So all we have to do is <b><span style="font-family: "courier new" , "courier" , monospace;">XOR</span></b> our serial we dumped out of memory with the key of <b><span style="font-family: "courier new" , "courier" , monospace;">0x9CDC</span></b>. There are plenty of online tools to do this for you. Once you do it, you'll find that the input should be: <b>cafe-01234-56789-beef</b>. Let's give this a try.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDZgj7fw_FKM_lQwmP1PrdMue7beQDwZ4kxrVw4HTYRvttOG5dPw9IwfIevsAtMUTB_szcstwwhGlI8n2AT91j95UHCjw4d7vqiNtOEoQ-8BtvYvj9hdAGpM0jac6zbyn8cLFQmX-F87w/s1600/exclusive_10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDZgj7fw_FKM_lQwmP1PrdMue7beQDwZ4kxrVw4HTYRvttOG5dPw9IwfIevsAtMUTB_szcstwwhGlI8n2AT91j95UHCjw4d7vqiNtOEoQ-8BtvYvj9hdAGpM0jac6zbyn8cLFQmX-F87w/s1600/exclusive_10.png" /></a></div>
<br />
Success!<br />
<br />
Password: <b>cafe-01234-56789-beef</b><br />
Flag: <b>FLAG{XOR_Encryption_Is_Super_Safe!!!}</b><br />
<br />
<h3>
Challenge 4 - hashbrowns</h3>
<div>
This challenge was made specifically for the competition on professional day. As such, I'm going to assume a slightly more advanced level of readership. The last challenge solution really went in depth by stepping through the explanation. This solution write-up isn't going to go into as much detail describing how a particular section of code does something. Instead, it will be left up to the reader to figure out all the details.</div>
<div>
<br /></div>
<div>
So let's start by running this program like we did the ones before it.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZDV3FNiTxONmySm2osdewurGmFWtdsI7ZZ6Uk9hm-7X9nCJ1LSr6vF-Cmp9BxMirGKG1r0qtnpNTwbsg0wZVeQn2JBD5FWkdPDTEeDjr9os2S0RNIf-7o9rTJ6hgU9R0CC902LctVzis/s1600/hashbrowns_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZDV3FNiTxONmySm2osdewurGmFWtdsI7ZZ6Uk9hm-7X9nCJ1LSr6vF-Cmp9BxMirGKG1r0qtnpNTwbsg0wZVeQn2JBD5FWkdPDTEeDjr9os2S0RNIf-7o9rTJ6hgU9R0CC902LctVzis/s1600/hashbrowns_1.png" /></a></div>
<div>
<br /></div>
<br />
Ok. So we are given a hash and we have to find the input that matches this hash. So the way we do this is we need to find the hashing algorithm. Opening up the executable in Immunity, we should see the following:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxu2VrkOnno_p2bpRuXBpjTbcv9jrtmymLT6l3FMw5rayWOUDtQk7QdYbvGG1Tz6WPXmN67yC1x6U4I-d5SaQ3q2BmBj7OmC1P0Y9AFD6rxsGJMUO-xPRWUrQlFGqReV_x27VM3f_JlNs/s1600/hashbrowns_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxu2VrkOnno_p2bpRuXBpjTbcv9jrtmymLT6l3FMw5rayWOUDtQk7QdYbvGG1Tz6WPXmN67yC1x6U4I-d5SaQ3q2BmBj7OmC1P0Y9AFD6rxsGJMUO-xPRWUrQlFGqReV_x27VM3f_JlNs/s1600/hashbrowns_2.png" /></a></div>
<br />
So with this challenge, we see that there are a couple of internal functions with the <b><span style="font-family: "courier new" , "courier" , monospace;">CALL</span></b> instructions to addresses within the <b><span style="font-family: "courier new" , "courier" , monospace;">hashbrowns</span></b> executable image. Notably, these can be seen at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401442</span> </b>and <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401471</span></b>. Let's look at the first function starting at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401310</span></b> by <i>right-clicking</i> on the address and choosing the <i>follow</i> option.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblDEkGrzBocOaHS9sNELHY8WB1WUBvnawO_T358C0sQugkJpdlpnR73kRojGRiirW4EyWE6hAcGlebLxukhkJ_5YHiIeWs4Ez7RWxbDc-ttXAVTRo38xN-1K-tO80Snore4Xs1egRHsQ/s1600/hashbrowns_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjblDEkGrzBocOaHS9sNELHY8WB1WUBvnawO_T358C0sQugkJpdlpnR73kRojGRiirW4EyWE6hAcGlebLxukhkJ_5YHiIeWs4Ez7RWxbDc-ttXAVTRo38xN-1K-tO80Snore4Xs1egRHsQ/s1600/hashbrowns_3.png" /></a></div>
<br />
I've gone ahead and annotated the interested aspects of this function. The first is that this is a loop and we see a call to <b><span style="font-family: "courier new" , "courier" , monospace;">strlen()</span></b> in the loop. This leads us to believe that we are looping through a string for the length of a string. The other interesting pieces of information about this loop are the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> instructions. We see each of them circled in the above picture and each comparison is to a hex value. The four values, <b><span style="font-family: "courier new" , "courier" , monospace;">0x41</span></b>, <b><span style="font-family: "courier new" , "courier" , monospace;">0x5A</span></b>, <b><span style="font-family: "courier new" , "courier" , monospace;">0x61</span></b>, and <b><span style="font-family: "courier new" , "courier" , monospace;">0x7A</span></b> correspond to the ASCII characters '<span style="font-family: "courier new" , "courier" , monospace;"><b>A</b></span>', '<span style="font-family: "courier new" , "courier" , monospace;"><b>Z</b></span>', '<span style="font-family: "courier new" , "courier" , monospace;"><b>a</b></span>', and '<span style="font-family: "courier new" , "courier" , monospace;"><b>z</b></span>' respectively. This loop looks like it is looking for upper and lowercase alphabetical characters. We can further confirm this by analyzing the string argument to the <b><span style="font-family: "courier new" , "courier" , monospace;">printf()</span></b> call at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401453</span></b>, "<i>Found a character I can't hash.</i>" This clue would indicate that the program only accepts alphabetical characters. Let's test this hypothesis.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSsVD2HVJnOwUlJl970tZFvdz-xvtlDFDyn2Ypl15qmZZPmcMALuYMcxq3PoOl7fQjS5a8bFBMn2M95d73r0rlnZqqygYdRK5MPucw2mpXzRagqg5-ATaWa6Q1rIadOdLY2-DdC4E64g/s1600/hashbrowns_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJSsVD2HVJnOwUlJl970tZFvdz-xvtlDFDyn2Ypl15qmZZPmcMALuYMcxq3PoOl7fQjS5a8bFBMn2M95d73r0rlnZqqygYdRK5MPucw2mpXzRagqg5-ATaWa6Q1rIadOdLY2-DdC4E64g/s1600/hashbrowns_4.png" /></a></div>
<br />
We have confirmed our hypothesis. Let's move onto the next internal function at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401390</span></b>. Here is a picture of that function.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2OZwfgIGIgfTxE6g355CW4V1QnR4R9FouDGXFn_CNZikuc3UtFRq-grXB3EJ6aUQ4jRtkWdWy05N4sb8HHJQl7GMcIPx7sZxOltmzALjp9uikVRl5ta4SfmIv_uxLm9nby3T8Q1-GaN4/s1600/hashbrowns_5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2OZwfgIGIgfTxE6g355CW4V1QnR4R9FouDGXFn_CNZikuc3UtFRq-grXB3EJ6aUQ4jRtkWdWy05N4sb8HHJQl7GMcIPx7sZxOltmzALjp9uikVRl5ta4SfmIv_uxLm9nby3T8Q1-GaN4/s1600/hashbrowns_5.png" /></a></div>
<br />
<br />
So again we can see can see we are looping through the length of the string character by character. This is in-fact the function that performs the hashing function. Now, there were a few ways to solve this. The difficult way was to manually reverse engineer the actual algorithm represented by the instructions at addresses <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013C3</span></b> - <b><span style="font-family: "courier new" , "courier" , monospace;">0x004013D7</span></b>, or, look at the value <b><span style="font-family: "courier new" , "courier" , monospace;">0x1505</span></b> and do some research on hashing algorithms. If you convert <b><span style="font-family: "courier new" , "courier" , monospace;">0x1505</span></b> to decimal, you get <b><span style="font-family: "courier new" , "courier" , monospace;">5381</span></b>. A Google search with the keywords<i> hash</i> and <i>5381</i> should lead you directly to the DJB2 hashing algorithm. Here is what that algorithm looks like.<br />
<pre><span style="font-family: "courier new" , "courier" , monospace;">unsigned long djb2(unsigned char *str){
unsigned long hash = 5381;
int c;
while (c = *str++)
hash = ((hash << 5) + hash) + c;
return hash;
}</span></pre>
<br />
When looking at this algorithm, we see the constant <b><span style="font-family: "courier new" , "courier" , monospace;">0x1505</span></b> and the shift left 5 (<b><span style="font-family: "courier new" , "courier" , monospace;">SHL EDX, 5</span></b>). Now we need to make sure this is actually what were after. Going back to the main part of our challenge, we see the following section of code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSIkSdmHN7ljKShbh5Q5t14QV37S4bWMpQ_avoVNyPk1rK0-x6pBn1JMiHJXTNDBThh7k1cDqB5wpXe5ND10sAMkl02YbVpHILoomnFmVr80Xow18lE7ih4rLIgMdhHb-CK2udTA0vgq8/s1600/hashbrowns_6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSIkSdmHN7ljKShbh5Q5t14QV37S4bWMpQ_avoVNyPk1rK0-x6pBn1JMiHJXTNDBThh7k1cDqB5wpXe5ND10sAMkl02YbVpHILoomnFmVr80Xow18lE7ih4rLIgMdhHb-CK2udTA0vgq8/s1600/hashbrowns_6.png" /></a></div>
<br />
What we see here is a call to our hashing function at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401390</span></b> then a series of <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> instructions. Interestingly we see a <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span> </b> to a value of <b><span style="font-family: "courier new" , "courier" , monospace;">0x28C7FAE4</span> </b>which is the hash value the challenge asked us to match. If we look at it a little further, we can see that this <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span> </b>instruction calls a <b><span style="font-family: "courier new" , "courier" , monospace;">JMP</span></b> to a unique address not jumped to by any other <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span> </b>instruction. So these are the pieces we have so far:<br />
<br />
<ul>
<li>The input expects a string input that will be hashed</li>
<li>That string gets hashed through the DJB2 hashing algorithm</li>
<li>The result of the hash must match <b><span style="font-family: "courier new" , "courier" , monospace;">0x28C7FAE4</span></b></li>
</ul>
<div>
The way to solve this is to write a brute force script that enumerates through alphabetical strings and hashes them using the DJB2 hashing algorithm until a match is found with the value <b><span style="font-family: "courier new" , "courier" , monospace;">0x28C7FAE4</span></b>. </div>
<div>
<br /></div>
<div>
This is what the DJB2 algorithm looks like in Python.</div>
<br />
<div>
<span style="font-family: "courier new" , "courier" , monospace;">def djb2(string):</span></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> hash = 5381</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> for x in string:</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> hash = (( hash << 5) + hash) + ord(x)</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> return hash & 0xFFFFFFFF</span></div>
</div>
<br />
The best way to solve this is to actually use a password list. Using the <i>rock-you</i> password list and a python script based on the previous snippet of code, you would have found that the hash value matches the input string of <b>cyberdragoon</b>. Here is the proof.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglgMJ87Iph0vwE_-NBkBpSXEDaRS-RvLKLinW5SwwvJeyvfEjznEoqOMRNMYASzPGnYreKaFFVP-h_z6p1zXT1vSLmNiAs8DIU0k3_LGonYeBmMJEH56kSE-ELtodygZtzfaBSxIXq7Dk/s1600/hashbrowns_7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglgMJ87Iph0vwE_-NBkBpSXEDaRS-RvLKLinW5SwwvJeyvfEjznEoqOMRNMYASzPGnYreKaFFVP-h_z6p1zXT1vSLmNiAs8DIU0k3_LGonYeBmMJEH56kSE-ELtodygZtzfaBSxIXq7Dk/s1600/hashbrowns_7.png" /></a></div>
<br />
<br />
So here is the summary for RE challenge 4:<br />
Password: <b>cyberdragoon</b><br />
Flag: <b>FLAG{alls_good_when_the_hashing_is_easy}</b><br />
<b><br /></b>
<br />
<h3>
Conclusion</h3>
<div>
I hope this year introduced an interesting new twist on the PCDC injects. If you're interested in working through the challenges on your own, I've put the executables on my GitHub account <a href="https://github.com/sjcappella/PCDC-RE-2016" target="_blank">here</a>. As always, I'm always interested in hearing feedback, so if you have anything you'd like to see improved for next year, don't hesitate to let me know. See you in 2017!</div>
<br />
<br />
<br />
<br />
<br />Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com1tag:blogger.com,1999:blog-5381019649504589931.post-37354542515668730802016-04-24T19:38:00.000-07:002016-04-25T05:33:02.958-07:00PCDC 2016 RE Challenge Solutions - Part 1When we sit down and plan the next year's version of <a href="http://pcdc-sc.com/" target="_blank">PCDC</a>, the goal is to challenge competitors with new and specific learning objectives. This year, our goal was to push more reverse engineering and incident response type challenges for the competitors to complete as part of their injects. For this, I created 4 different reverse engineering challenges. The rules were simple: Use the tools provided to you or freely available for download to analyze the challenges and get the flag. Flags were in the format 'FLAG{}' with a custom string for each challenge in-between the '{}' characters. In order to get the points for the challenge, teams must submit the input to the challenge and the correct flag.<br />
<br />
Since PCDC is run for high schools, colleges, and professionals, the challenges were created with increasing levels of difficulty. Additionally, the competition only runs for about 8 hours and these challenges are not the only tasks the Blue Teams must complete. With that in mind, here is Part 1 of the RE solutions.<br />
<br />
<h3>
Challenge 1 - strungout</h3>
<div>
<br />
The first challenge is called '<b>strungout</b>'. Let's run it and see what it does.<br />
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8eOM_m2N04WMXY4W1k3t0Ft6DALG3hSyiCREVhCRUKPZkYcydKi5tkC8uWMtr_GSjU6AjHHG1eiah_fTYM305NuDzFe-tyav8t4Pa8pCla-m2l6QAvM3s-txhmAaIFUwFzH9kAsyoC2k/s1600/strungout_1.PNG" imageanchor="1"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8eOM_m2N04WMXY4W1k3t0Ft6DALG3hSyiCREVhCRUKPZkYcydKi5tkC8uWMtr_GSjU6AjHHG1eiah_fTYM305NuDzFe-tyav8t4Pa8pCla-m2l6QAvM3s-txhmAaIFUwFzH9kAsyoC2k/s640/strungout_1.PNG" width="640" /></a></div>
<div>
<br />
Ok. Looks like we need to figure out the password. Let's just guess something and see what happens.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt8aghl6WlBVBcNxT7h74S3RWl-_wHcEsXpsCK_ZHAu7HVfYXiW0rqKq5S-qi5BPtmnY_W11Dkq9ZhNusb1tC_KDNdxMb6xJyALdevnyuRPrlrbhTI4DnCNMg4l87-SfQascwJOndne6U/s1600/strungout_2.PNG" imageanchor="1"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt8aghl6WlBVBcNxT7h74S3RWl-_wHcEsXpsCK_ZHAu7HVfYXiW0rqKq5S-qi5BPtmnY_W11Dkq9ZhNusb1tC_KDNdxMb6xJyALdevnyuRPrlrbhTI4DnCNMg4l87-SfQascwJOndne6U/s640/strungout_2.PNG" width="640" /></a><br />
<br />
So <b>password</b> wasn't the password.<br />
<br />
In an attempt to provide some insight to the challenges, each challenge had a name that hinted at its solution. This first challenge was meant to be a gentle introduction to reverse engineering. In order to reverse engineer any target, the goal is to gather as much information about that target as you can. The defacto go to is to extract some form of human readable text, aka, strings. As it happens, the Microsoft <span id="goog_1619702972"></span><span id="goog_1619702973"></span><a href="https://technet.microsoft.com/en-us/sysinternals/" target="_blank">SysInternals</a> suite has a tool called <a href="https://technet.microsoft.com/en-us/sysinternals/strings" target="_blank">strings</a> that does exactly what we want. If we run <b>strings</b> on the challenge, we can see the human readable strings embedded in the executable.<a href="https://www.blogger.com/"></a><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3j7ptSao0CBQYqRTdMGW_y3bgfFLsd6DUyOGXeXun60rPE7Fm6EBmVQXAM9hpk-S2LEmZ788uB4fShY7FGJ4KlBqWQ42ur80LlsKoBl95poXrM-Dn2EHweP4P34P1cq6z6hhPLQ7RTgg/s1600/strungout_3.png" imageanchor="1"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3j7ptSao0CBQYqRTdMGW_y3bgfFLsd6DUyOGXeXun60rPE7Fm6EBmVQXAM9hpk-S2LEmZ788uB4fShY7FGJ4KlBqWQ42ur80LlsKoBl95poXrM-Dn2EHweP4P34P1cq6z6hhPLQ7RTgg/s640/strungout_3.png" width="640" /></a><br />
<br />
And if we scroll down...<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy902BKnEVoMigx30A6HP9dzKeRw1jl0ffLjHTNOiqWxLuaS_p8FagHP5h7ns9oSBaD0hITTQNli_z5eA-DTGBazvapUYLFZS5MGtYmSbwb0KPt5btZdwVYdvrDoBymNkkstcg6ckU-V8/s1600/strungout_4.png" imageanchor="1"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiy902BKnEVoMigx30A6HP9dzKeRw1jl0ffLjHTNOiqWxLuaS_p8FagHP5h7ns9oSBaD0hITTQNli_z5eA-DTGBazvapUYLFZS5MGtYmSbwb0KPt5btZdwVYdvrDoBymNkkstcg6ckU-V8/s640/strungout_4.png" width="640" /></a><br />
<br />
We see the 2 strings we saw before, "<b>Sorry. Can haz password??</b>" and "<b>Ouch. Try again!</b>". Interestingly, we see a different string that looks suspicious! "<b>I_Love_PCDC_RE_Challenges!!!</b>". Let's see what happens if we try this for a password.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4uT2lctUQRAAA5RAQBHKFy1ha_2Z0CwDjxpmyxrGuMwY_xJCXuZqYvAck2M5p2HIIXiea6kKwBGc61QjOMfKr1saXfLDAypBHtc1WlRKpNamNGpUV0WG1ucvTFAqJcedrS_zZCeetteE/s1600/strungout_5.png" imageanchor="1"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4uT2lctUQRAAA5RAQBHKFy1ha_2Z0CwDjxpmyxrGuMwY_xJCXuZqYvAck2M5p2HIIXiea6kKwBGc61QjOMfKr1saXfLDAypBHtc1WlRKpNamNGpUV0WG1ucvTFAqJcedrS_zZCeetteE/s640/strungout_5.png" width="640" /></a><br />
<br />
So the answer to the first RE challenge would have been:<br />
Password: <b>I_Love_PCDC_RE_Challenges!!!</b><br />
Flag: <b>FLAG{playing_with_strings_iz_easy!!!}</b><br />
<b><br /></b>
<br />
<h3>
<b>Challenge 2 - maths</b></h3>
</div>
<div>
This next challenge increases the difficulty a little bit. The goal was to introduce new students to debugging and x86 assembly. For the competition, we made sure that there were copies of <a href="https://www.immunityinc.com/products/debugger/" target="_blank">Immunity Debugger</a> installed on Blue Team computers already. Additionally, the free version of <a href="https://www.hex-rays.com/products/ida/support/download_freeware.shtml" target="_blank">IDA Pro</a> was installed. For this write-up I'm going to be using IDA to just show off the control flow graph of a program. This helps layout a program into a diagram that makes understanding how different parts of the program get executed. The remaining details will use Immunity debugger just because it is more easily available for people to use. </div>
<div>
<br /></div>
<div>
So opening up <b>maths</b> in IDA will produce a diagram similar to this:</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisg2JPOzHX64nLrseUojGWHs0-r-wb8i2dweodIeuVBRBLOUdsUSZPiOR9mIhqGfmQwAahS46I0pgS92765AL5L0KnY1ZECjV1M1a407rNn9Pgelq0tvRq9_ASKZm_qG-6IG2vfHscws4/s1600/maths_1.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisg2JPOzHX64nLrseUojGWHs0-r-wb8i2dweodIeuVBRBLOUdsUSZPiOR9mIhqGfmQwAahS46I0pgS92765AL5L0KnY1ZECjV1M1a407rNn9Pgelq0tvRq9_ASKZm_qG-6IG2vfHscws4/s1600/maths_1.png" /></a></div>
<div>
</div>
<div>
What we see here is it looks like a number is being read into the program, some math is happening on it, and if it's right, we fall a specific part of the program, otherwise we get the message "<b>Knew you couldn't guess it!!</b>". Let's see if this is true.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgql7yemSXVxby07JAiJiY8xaJs5AUnAnkuiNKZcoOtSune1epWEwOwxXVrd6i8U2oTeD2tdfd0U7sfZ5o8k0po-t343jDIpR7li9w8OhVmpiI-DaJgRHidhcVmyNa8kcbU5hPcNf_ODiQ/s1600/maths_2.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgql7yemSXVxby07JAiJiY8xaJs5AUnAnkuiNKZcoOtSune1epWEwOwxXVrd6i8U2oTeD2tdfd0U7sfZ5o8k0po-t343jDIpR7li9w8OhVmpiI-DaJgRHidhcVmyNa8kcbU5hPcNf_ODiQ/s640/maths_2.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Ok. Let's open this program up in Immunity debugger and figure out what's going on.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSt2n5Bv57GrvniW30qA9uhPw6HDdmzZ2n9Vb-VGd7eHo7fGRUtF7nf-fOZXoi9xHKOughzGcNbCyLvH6tAiDuzkOwQhvNvKbeLnBHUlD8QuGCH7oZQCPBt7vM9wg7dMotGojBY-FW-Is/s1600/maths_3.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSt2n5Bv57GrvniW30qA9uhPw6HDdmzZ2n9Vb-VGd7eHo7fGRUtF7nf-fOZXoi9xHKOughzGcNbCyLvH6tAiDuzkOwQhvNvKbeLnBHUlD8QuGCH7oZQCPBt7vM9wg7dMotGojBY-FW-Is/s1600/maths_3.png" /></a></div>
<div>
<br /></div>
<div>
So things look a little different in Immunity, but that's OK. What we want to do first is look at the executable modules of this program. This can be done by clicking the '<b><span style="font-family: "courier new" , "courier" , monospace;">e</span></b>' in the top bar of the previous picture or by pressing <b><span style="font-family: "courier new" , "courier" , monospace;"><Alt + e></span></b>. This should bring up the following screen:</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi32pO-RHvjnKsIcT2f0q9luIZM1vCm8r4CrfOWNwSdhRhbOaUG4dspp49bToLblV8d6rNI4X98c1s8aRymF1LcR-QKKpCQEIOFUzvA2HsoMw9FMmjixaQhPrkNlij6VepF0EaCGNs8IVE/s1600/maths_4.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi32pO-RHvjnKsIcT2f0q9luIZM1vCm8r4CrfOWNwSdhRhbOaUG4dspp49bToLblV8d6rNI4X98c1s8aRymF1LcR-QKKpCQEIOFUzvA2HsoMw9FMmjixaQhPrkNlij6VepF0EaCGNs8IVE/s1600/maths_4.png" /></a></div>
<div>
<br /></div>
<div>
From here, right click on the list and choose the option "<b><span style="font-family: "courier new" , "courier" , monospace;">Analyze all modules</span></b>" to invoke some of Immunity's built in analysis tools. Once the analysis completes, double click on the line with <b>maths</b> to get taken to the code we want to look at. You should see a picture like the one below.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLXoYsOxl0DQqEX93eoFcreHcYY7Ow8hyphenhyphen5uus2gZG-sJrJRN-LCZGMMGzAuXxx_HL0MgoE_vhiC74BRmAheSRjAySsvjTVKFUN4p70DTrREdWlqUp3ltrVpqNPG71M4JypdEfUuFJm8ps/s1600/maths_5.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLXoYsOxl0DQqEX93eoFcreHcYY7Ow8hyphenhyphen5uus2gZG-sJrJRN-LCZGMMGzAuXxx_HL0MgoE_vhiC74BRmAheSRjAySsvjTVKFUN4p70DTrREdWlqUp3ltrVpqNPG71M4JypdEfUuFJm8ps/s1600/maths_5.png" /></a></div>
<div>
<br /></div>
<div>
At first this doesn't look too interesting, but scroll down and we will see some details that should look familiar.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1RsVxC6WzjHBZdJxjI0iS0_HV0KwyVOTjsOlwP8T8nIBA4ZLeWGo0Xzh5-kl-TK6-2eTJbnSTli_9f4B-Us4aRjA7tYKrhDqBkd-GScG9sQaooDxcnXPNXksfOZnTzyJlmimPK8LpHiA/s1600/maths_6.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1RsVxC6WzjHBZdJxjI0iS0_HV0KwyVOTjsOlwP8T8nIBA4ZLeWGo0Xzh5-kl-TK6-2eTJbnSTli_9f4B-Us4aRjA7tYKrhDqBkd-GScG9sQaooDxcnXPNXksfOZnTzyJlmimPK8LpHiA/s1600/maths_6.png" /></a></div>
<div>
<br /></div>
<div>
Now. Before we go any further, let's talk about what we are actually looking at. The large window with the multicolored text is showing us the output of a program called a <a href="https://en.wikipedia.org/wiki/Disassembler" target="_blank">disassembler</a>. What a disassembler does is take raw bytes in a program and print them out as an easier to understand and analyze form called assembly. Modern x86 assembly is incredibly complicated and is comprised of over 1,000 instructions! For these challenges, though, we won't need to know anywhere near that many. The understand this assembly, the left most column is the address in the program that the assembly sits at, the next column shows the raw bytes of the assembly, the third column shows the human readable mnemonics of the assembly, and for some lines, there is a 4th column generated by Immunity that shows some comment that may provide you with more information. The window to the right of the disassembly shows the register values of the CPU while you're debugging the program. This is helpful to keep track of values as they move from the CPU to memory and back again. Below the disassembly and register windows are the listing for the program's <b><span style="font-family: "courier new" , "courier" , monospace;">.data</span></b> section and <b>stack</b>. We don't need to go into too much detail about each of them, but the <b><span style="font-family: "courier new" , "courier" , monospace;">.data</span></b> section is on the left and it shows data built into the program such as the strings. The bottom right window is the <b>stack</b> that is used by the program for various memory operations.</div>
<div>
<br /></div>
<div>
OK. We can see the messages that we saw in IDA and our tests before in our disassembly window. Let's review what we know so far:</div>
<div>
<ol>
<li>The program wants us to guess its secret number</li>
<li>The name of the program is called <b>maths</b></li>
<li>If we get it wrong, the program will print out "<b>Knew you couldn't guess it!!</b>"</li>
</ol>
</div>
<div>
Now let's look at the assembly. We know that we need to guess a magic number. In x86 assembly, values are compared with the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> instruction. If we look at the assembly at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401365</span></b>, we see the instruction <b><span style="font-family: "courier new" , "courier" , monospace;">CMP DWORD PTR SS:[EBP-4],DEADBEEF</span></b>. Now, this looks a little scary, but the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span> </b>instruction performs comparison checks. This is just comparing some variable with the hexadecimal value <b><span style="font-family: "courier new" , "courier" , monospace;">0xDEADBEEF</span></b>. Since we see the string "<b>Knew you couldn't guess it!!</b>" right below the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span> </b>at address <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401375</span></b>, this seems like it may be be a good candidate for our password. Let's try!</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyRHpa8Vw6De-AOHIwAZA5YdllrAux1tD2pCD6R0apUrgu4mtizfsH93l3op9bk1Bsh1IB32rSZOcJHf08JaY0F_G5UiShj56aURDgo6tP4N97xall8IsA_WOGG4I3jZfVKoS4rZezuzc/s1600/maths_7.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyRHpa8Vw6De-AOHIwAZA5YdllrAux1tD2pCD6R0apUrgu4mtizfsH93l3op9bk1Bsh1IB32rSZOcJHf08JaY0F_G5UiShj56aURDgo6tP4N97xall8IsA_WOGG4I3jZfVKoS4rZezuzc/s1600/maths_7.png" /></a></div>
<div>
<br /></div>
<div>
Hmmm...didn't work. Remember. The name of the program is actually a clue how to solve it. If we look up a couple of instruction from the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b>, we can see some instructions that sound like math operations operating on the same variable that's used in the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP DWORD PTR SS:[EBP-4],DEADBEEF</span> </b>instruction. Those math instructions are <b><span style="font-family: "courier new" , "courier" , monospace;">SUB</span></b>, <b><span style="font-family: "courier new" , "courier" , monospace;">ADD</span></b>, and <b><span style="font-family: "courier new" , "courier" , monospace;">IMUL</span></b>. Working backwards from the <b><span style="font-family: "courier new" , "courier" , monospace;">CMP</span></b> instruction, we can see that there is math being performed on the variable before it gets compared to <b><span style="font-family: "courier new" , "courier" , monospace;">0xDEADBEEF</span></b>. Here is a summary of what those instructions are:</div>
<div>
<ol>
<li>Read 'magic number' from user</li>
<li>Multiply (<b><span style="font-family: "courier new" , "courier" , monospace;">IMUL</span></b>)<b> </b><span style="font-family: "courier new" , "courier" , monospace;">0x0a</span> to the 'magic' number at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401345</span></b></li>
<li>Add (<b><span style="font-family: "courier new" , "courier" , monospace;">ADD</span></b>)<b> </b><span style="font-family: "courier new" , "courier" , monospace;">0x0a</span> to the 'magic number' at <b><span style="font-family: "courier new" , "courier" , monospace;">0x0040134E</span></b></li>
<li>Subtract (<b><span style="font-family: "courier new" , "courier" , monospace;">SUB</span></b>) <span style="font-family: "courier new" , "courier" , monospace;">0x01</span> from the 'magic number' at <b><span style="font-family: "courier new" , "courier" , monospace;">0x0040135F</span></b></li>
</ol>
</div>
<div>
So if we do the opposite of this, we should be able to get our original input:</div>
<div>
<br /></div>
<div>
<b><span style="font-family: "courier new" , "courier" , monospace;">(((0xdeadbeef + 0x01) - 0x0a) / 0x0a) = 0x16449317</span></b></div>
<div>
<br /></div>
<div>
Let's try that!</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikgDicX6Sl9yU5Droq9AgIYuxNREnCTj9WjnBdzhQ2hHHmnkhmkUbmmQQrTngIXPJleCklAL2ZoU-QhlJHG5dXgE67sxiSL_X69CyBETu3-4ob0kei6pHismc1ZKuAS29lR5UsTqLufdg/s1600/maths_8.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikgDicX6Sl9yU5Droq9AgIYuxNREnCTj9WjnBdzhQ2hHHmnkhmkUbmmQQrTngIXPJleCklAL2ZoU-QhlJHG5dXgE67sxiSL_X69CyBETu3-4ob0kei6pHismc1ZKuAS29lR5UsTqLufdg/s640/maths_8.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Still not right! What did we miss! Well, we did miss something. There is another instruction that operates on the variable where our input is stored. This instruction is <b style="font-family: 'Courier New', Courier, monospace;">SHL</b><span style="font-family: inherit;"> at </span><b style="font-family: 'Courier New', Courier, monospace;">0x00401357</b>. This instruction does a binary shift left which effectively multiplies the number by 2 for the size of the shift. In this case, there is a shift left of 1, so the value is doubled. So to get our answer, we need another divide by 2. Here is the new equation:</div>
<div>
<br /></div>
<div>
<b><span style="font-family: "courier new" , "courier" , monospace;">((((0xdeadbeef + 0x01) / 2) - 0x0a) / 0x0a) = 0xB22498B</span></b></div>
<div>
<b><br /></b></div>
<div>
Ok. Let's try this one.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvDthcjT1UPPfmQjdgzziuM6XPLGiAQ8aJVu0dctsgA6Il60XjF6_FRCPI7LVDVrkr-RkRR-vPBeb1pyM4wd6fCu85KurDCUflCz_T5ZXsN5PdtqxsKD5kB-qIVBP3cG-3xIPfM1FdQk/s1600/maths_9.png" imageanchor="1"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyvDthcjT1UPPfmQjdgzziuM6XPLGiAQ8aJVu0dctsgA6Il60XjF6_FRCPI7LVDVrkr-RkRR-vPBeb1pyM4wd6fCu85KurDCUflCz_T5ZXsN5PdtqxsKD5kB-qIVBP3cG-3xIPfM1FdQk/s1600/maths_9.png" /></a></div>
<div>
<br /></div>
<div>
Again it didn't work! Why not?! Well, the answer is found by looking at how the number is actually read in. Look at <b><span style="font-family: "courier new" , "courier" , monospace;">0x00401334</span></b>, we can see in the comments section <b><span style="font-family: "courier new" , "courier" , monospace;">ASCII "%d"</span></b> and the next line has a <b><span style="font-family: "courier new" , "courier" , monospace;">CALL</span></b> to <b><span style="font-family: "courier new" , "courier" , monospace;">MSVCR90.scanf_s</span></b>. This means that the routine reading in the user input is looking for the input to be in decimal form. So converting <b><span style="font-family: "courier new" , "courier" , monospace;">0xB22498B</span></b><b> </b>to decimal is <b><span style="font-family: "courier new" , "courier" , monospace;">186796427</span></b>. Finally, let's try this.</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglx105h-HA_oESo2dD0LJ0IpNeEvrsyqQrglEg-pGq5uSpgML9gTI7aaZPKf9AbJMina_dTFr9KH_N5dTm3f4Alpvz5ZlHztdm91eTCKQd3YZArlI4tHrdr0IxhkO8DzxvFobSFHen5d4/s1600/maths_10.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglx105h-HA_oESo2dD0LJ0IpNeEvrsyqQrglEg-pGq5uSpgML9gTI7aaZPKf9AbJMina_dTFr9KH_N5dTm3f4Alpvz5ZlHztdm91eTCKQd3YZArlI4tHrdr0IxhkO8DzxvFobSFHen5d4/s640/maths_10.png" width="640" /></a></div>
<div>
<br /></div>
<div>
There we go! So the answer to this one is:</div>
<div>
Password: <b>186796427</b></div>
<div>
Flag: <b>FLAG{deadbeef_is_best_beef!!!}</b></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>Alternatives:</b></div>
<div>
Now, this may seem a little complicated for people just entering the RE world. It would be much easier if we had the original source code for this program to actually figure out what's going on. Unfortunately, the process from going a binary to source code is incredibly difficult. A <a href="https://en.wikipedia.org/wiki/Decompiler" target="_blank">decompiler</a> will never be able to give you the original source. Too much information is lost. There are decompilers out there that can give you something resembling the source, however. Let's look at a few.</div>
<div>
<br /></div>
<div>
<b>RetDec</b></div>
<div>
Found <a href="https://retdec.com/" target="_blank">here</a>, RetDec is an online trial of a decompiler. Here is the function we are interested in once decompiled by RetDec:</div>
<div>
<br /></div>
<div>
<span style="background-color: white;"><span style="font-family: "courier new" , "courier" , monospace;"><span class="cm-comment" style="font-size: 14px; line-height: 18.2px; white-space: pre;">// Address range: 0x401310 - 0x40138a</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-keyword" style="font-size: 14px; line-height: 18.2px; white-space: pre;">int32_t</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>function_401310<span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-keyword" style="font-size: 14px; line-height: 18.2px; white-space: pre;">char</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">*</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">a1</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">{</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-keyword" style="font-size: 14px; line-height: 18.2px; white-space: pre;">int32_t</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">v1</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">g2</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">=</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">&</span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">v1</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">printf</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-string" style="font-size: 14px; line-height: 18.2px; white-space: pre;">"I bet you can't guess my secret number...\n\n"</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">printf</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-string" style="font-size: 14px; line-height: 18.2px; white-space: pre;">"Enter your guess --> "</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">scanf_s</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-keyword" style="font-size: 14px; line-height: 18.2px; white-space: pre;">if</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-number" style="font-size: 14px; line-height: 18.2px; white-space: pre;">20</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">*</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">g3</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">==</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-operator" style="font-size: 14px; line-height: 18.2px; white-space: pre;">-</span><span class="cm-number" style="font-size: 14px; line-height: 18.2px; white-space: pre;">0x21524124</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">{</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>// 0x40136e<br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>function_401240<span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>// branch -> 0x401383<br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">}</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-keyword" style="font-size: 14px; line-height: 18.2px; white-space: pre;">else</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">{</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>// 0x401375<br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">printf</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-string" style="font-size: 14px; line-height: 18.2px; white-space: pre;">"\nKnew you couldn't guess it!!\n"</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>// branch -> 0x401383<br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">}</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span>// 0x401383<br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-variable" style="font-size: 14px; line-height: 18.2px; white-space: pre;">exit</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">(</span><span class="cm-number" style="font-size: 14px; line-height: 18.2px; white-space: pre;">1</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">)</span><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">;</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;"> </span><span class="cm-comment" style="font-size: 14px; line-height: 18.2px; white-space: pre;">// UNREACHABLE</span><br style="font-size: 14px; line-height: 18.2px; white-space: pre;" /><span class="cm-null" style="font-size: 14px; line-height: 18.2px; white-space: pre;">}</span></span></span></div>
<div>
<br /></div>
<div>
<b>IDA Pro - Hexrays</b></div>
<div>
IDA Pro also has a decompiler plugin, but it is very expensive. Here is some of its output:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">//----- (00401310) -------------------------------------------------------</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">int __cdecl __noreturn main(int argc, const char **argv, const char **envp)</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">{</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> int v3; // ecx@0</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> int v4; // [sp+0h] [bp-4h]@1</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> v4 = v3;</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> printf(aIBetYouCanTGue);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> printf(aEnterYourGuess);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> scanf_s(aD, &v4);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> v4 = 2 * (10 * v4 + 10) - 1;</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> if ( v4 == -559038737 )</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> sub_401240();</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> else</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> printf(aKnewYouCouldnT);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"> exit(1);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">}</span></div>
</div>
<div>
<br /></div>
<div>
<b>Snowman</b></div>
<div>
Another free decompiler is <a href="https://github.com/yegord/snowman" target="_blank">Snowman</a>. It is integrated into the also free debugger, <a href="http://x64dbg.com/#start" target="_blank">x64dbg</a>. Here is the function decompiled by Snowman:</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">int32_t g4020a4 = 0x73cd20c1;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">int32_t g402098 = 0x73cd2719;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">void fun_401240();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">int32_t g40209c = 0x73cc2455;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">void fun_401311(int32_t ecx, int32_t a2) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> g4020a4("I bet you can't guess my secret number...\n\n");</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> g4020a4("Enter your guess --> ");</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> g402098("%d", reinterpret_cast<int32_t>(__zero_stack_offset()) - 4);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> if ((ecx * 10 + 10 << 1) - 1 != 0xdeadbeef) {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> g4020a4("\nKnew you couldn't guess it!!\n");</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> } else {</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> fun_401240();</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> }</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> g40209c(1);</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"> goto a2;</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">}</span></div>
<div>
<br /></div>
<div>
As you can see, the outputs from these decompilers are pretty different and this is just for a relatively simple function. None of which, look like the original code:</div>
<div>
<br /></div>
<div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">// Main function</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">int main(int argc, char *argv[]) {</span></div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"><span style="font-family: "courier new" , "courier" , monospace;"> </span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Integer to store user input</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>unsigned int user_input;</span></div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"><span style="font-family: "courier new" , "courier" , monospace;"> </span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Print info and read input</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("I bet you can't guess my secret number...\n\n");</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("Enter your guess --> ");</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>scanf_s("%d", &user_input);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Obfuscate, answer == 186796427</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>user_input *= 10;</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>user_input += 10;</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>user_input *= 2;</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>user_input -= 1;</span></div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"><span style="font-family: "courier new" , "courier" , monospace;"> </span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Check for valid input</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if (user_input == 0xdeadbeef) {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>get_flag();</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>else {</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>printf("\nKnew you couldn't guess it!!\n");</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>// Exit</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span class="Apple-tab-span" style="white-space: pre;"> </span>exit(1);</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">}</span></div>
</div>
<div>
<br /></div>
<div>
But with these different outputs, it was easier to see the mathematical comparison and check for the magic number. One thing you'll notice is that each decompiler treated the final number, <span style="font-family: "courier new" , "courier" , monospace;"><b><span style="font-family: "courier new" , "courier" , monospace;">0xDEADBEEF</span><span style="font-family: inherit;">,</span></b></span> differently. This is because type information is lost at this lower level and each decompiler uses different algorithms and heuristics to recover this information. The numbers produced by the decompilers are all technically correct, you just have to interpret it in the appropriate way.</div>
<div>
<br /></div>
<h3>
Conclusion</h3>
<div>
These challenges were meant to get competitors thinking about different areas of cyber security. Hopefully we were successful. In my next post, I'll detail the answers for the remaining 2 RE challenges, <b>exclusive</b> and <b>hashbrowns</b>. If you have any questions or want more clarity on how to solve either of these two challenges, please don't hesitate to ask!</div>
Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com1tag:blogger.com,1999:blog-5381019649504589931.post-79594586294355354312015-06-30T20:03:00.000-07:002015-06-30T20:09:11.649-07:00Review of SANS SEC760 - Advanced Exploit Development for Penetration TestersA little over a week ago I wrapped up taking SANS Advanced Exploit Development for Penetration Testers (<a href="https://www.sans.org/course/advance-exploit-development-pentetration-testers">SEC760</a>) at SANSFire 2015 in Baltimore, MD. This class is a 6 day long class that covers advanced Linux exploitation, patch-diffing and one day exploits, Windows kernel exploitation, advanced Windows client exploitation, and a variety of other topics. The end of the class, in typical SANS penetration testing class fashion, culminates in a capture the flag (CTF). So far I think this has been the best SANS class that I've taken. Prior to SEC760, I took SEC560, and SEC660 (course review <a href="http://www.samcappella.com/2015/01/gxpn-review-sans-sec660-advanced.html">here</a>). The material is extremely technical, relevant, educational, and interesting. The course's author and instructor, Stephen Sims, has really put a lot of time and effort into making this class very challenging yet approachable.<br />
<br />
<h3>
Day 1 - Threat Modeling, Reversing, and Debugging with IDA</h3>
<div>
Day 1 of the class starts you off with a dive into the world of threat modeling. I'm sure that many people who end up taking SEC760 looking to learn how to advance their exploit writing game aren't exactly interested in talking about threat modeling. I was one of those individuals, but I completely see the value of threat modeling from the stand point that you as an individual can provide an extremely valuable resource to your company when correctly implementing processes like the Microsoft Security Development Lifestyle (<a href="https://www.microsoft.com/en-us/sdl/">SDL</a>). Not to mention, an individual that can provide effective threat modeling stands to make decent money with that skill.</div>
<div>
<br /></div>
<div>
Following the threat modeling, the technical aspects of the class begin to pick up. The rest of the first day is spent on going over the process of reverse engineering binaries and becoming familiar with <a href="https://www.hex-rays.com/products/ida/">IDA</a>. For those who haven't used IDA, this day provides you with the opportunity to become familiar with the interface and capabilities of the tool. I should caution, however, that if you've never used IDA, you will not be able to take the first day to learn it. IDA is an extremely complex tool that requires a lot of time to learn. Having experience with other debuggers such as <a href="http://www.ollydbg.de/">OllyDBG</a>, <a href="http://debugger.immunityinc.com/">Immunity</a>, or <a href="http://x64dbg.com/#start">x64dbg</a> certainly helps (and is expected for this class), but there is no replacement for actual experience.</div>
<div>
<br /></div>
<h3>
Day 2 - Advanced Linux Exploitation</h3>
<div>
Moving on to Day 2 of the course, the class explores advanced exploitation concepts for Linux. The first topic of the day is focused on getting the students more use to heap based exploitation techniques by learning about the original exploitable flaw in the dl-malloc unlink() macro implementation. From here, the day progresses to learning about exploitation examples in custom memory management implementation, function pointer overwrites, and format string vulnerabilities.</div>
<div>
<br /></div>
<div>
I personally would have liked to have seen more Linux exploitation topics, but given the focus on modern exploit development, I understand why Stephen decided to focus more on Windows exploitation for days 3 - 5. To be fair, a lot of the vulnerability and exploit categories taught on days 3 and 5 can be applied to Linux, albeit with some modifications. This opinion is nothing more than a personal bias.</div>
<div>
<br /></div>
<h3>
Day 3 - Patch Diffing, One-Day Exploits, and Return Oriented Shellcode</h3>
<div>
Day 3 starts off with a refresher into ROP based exploit development (a pre-requisite for the class). In these refreshers, you use ROP to disable exploit mitigations. With return oriented shellcode, you learn how to make all of your shellcode execute via a series of ROP gadgets. This has the added benefit of being able to bypass certain exploit mitigations even in instances where common bypass techniques are not available. </div>
<div>
<br /></div>
<div>
From Day 3 on, Stephen puts a lot of focus on the art of patch diffing. Patch diffing is the process of looking at an original un-patched binary, and comparing the old version with a newly patched version. By using these diffing techniques, it makes it easier for a researcher to pin-point the area within the binary that changed. This is extremely helpful in developing 1-day exploits. For this part of the class, I used a new tool, <a href="https://github.com/joxeankoret/diaphora">Diaphora</a>, to perform my diff-analysis. Diaphora worked out great for me. Diaphora is able to perform patch diffs at the control flow graph, assembly, and pseudo-source code levels (if you have the Hex-Rays decompiler plugin). And the best part, Diaphora is free, open source, and actively maintained.</div>
<div>
<br /></div>
<h3>
Day 4 - Windows Kernel Debugging and Exploitation</h3>
Moving along the Windows exploitation ecosystem, Day 4 focuses purely on Windows kernel debugging and exploitation. I really enjoyed this section of the class. A recommendation I would make for those who are considering taking this class: if you take this class, make your life a little easier and install Windows as your host OS and use <a href="http://virtualkd.sysprogs.org/">VirtualKD</a> by SysProgs to communicate with your target Windows virtual machine. This class has a lot of moving parts and the more you can simplify those pieces, the more time you can spend actually working on the exercises and by consequence, the more you learn.<br />
<br />
This is the day when students will become much more familiar with Microsoft's WinDBG. Prior to taking this class, I had never touched WinDBG. Although I found the learning curve rather steep, I came to appreciate the power provided by the debugger. Day 4 culminates in an exercise where you will learn how modern privilege escalation works on Windows via a technique known as token stealing.<br />
<br />
<h3>
Day 5 - Windows Heap Overflows and Client-Side Exploitation</h3>
<div>
Day 5 of the class zeros in on the area of advanced Windows client side exploitation. After getting a deep dive into the internals of Windows heap management, the entire day is spent learning how to find, identify, confirm, and eventually, exploit modern use-after-free bugs. After going through this day you will be equipped with the knowledge of how to perform modern exploit development on Windows 7 and 8 on applications such as Internet Explorer. Additionally, Stephen goes over the next steps to take when developing exploits for Windows 8.1, exploits that bypass Microsoft's <a href="https://support.microsoft.com/en-us/kb/2458544">EMET</a>, and exploit tricks that still work with the latest preview version of Windows 10.</div>
<div>
<br /></div>
<div>
I will caution the reader, however, that during my time taking the class, we didn't actually perform any exercises on exploit development for Windows 8.1 or above, and for good reason. Even with the normal class hours of 9am-5pm and the extended boot-camp hours, there simply isn't enough time to go from just learning what a use-after-free exploit is to developing exploits that work on all versions of Windows and making those exploits bypass any new exploit mitigations that may be in place. Overall, Day 5 is where you really begin to have all the pieces from earlier in the week align. I found this day to be the most interesting and I'll definitely be returning to the material in order to ensure I've mastered the techniques presented.</div>
<div>
<br /></div>
<h3>
Day 6 - Capture the Flag</h3>
<div>
For the final day of the class, the class is split into teams to compete against each other in a Jeopardy style CTF. There are 16 challenges with a total of 4000 points up for grabs. I won't go into detail of the challenges themselves, but the competition requires your team to exercise all of the skills gained through the previous 5 days. In the end, our team successfully completed 14 out of the 16 challenges to earn a score of 3200. Although the game was very competitive, 3200 points was enough for our team to come out on top. As a result, we earned the coolest coin offered in the SANS series of challenge coins. The 760 skull coin.</div>
<div>
<span id="goog_558963454"></span><span id="goog_558963455"></span><br /></div>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6GJC55CyjzpO1ZVtHKj8S3LaHyJPEygqPk9AOK28bEdDFemBPDPTkBWOP7uytrP9TmBME_i8r1XNPRuk5Y3689uDhGsXvvJzGPFFXFO6ZttqsclnS60zGwwTyS5lljjo4tAg6JDsXRw0/s1600/skull_coin.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6GJC55CyjzpO1ZVtHKj8S3LaHyJPEygqPk9AOK28bEdDFemBPDPTkBWOP7uytrP9TmBME_i8r1XNPRuk5Y3689uDhGsXvvJzGPFFXFO6ZttqsclnS60zGwwTyS5lljjo4tAg6JDsXRw0/s640/skull_coin.jpg" width="360" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Team ROPNOP Wins the Skull Coin</td></tr>
</tbody></table>
<h3>
Conclusion</h3>
Overall, I loved this class, It was an absolutely great experience. I encourage any individual looking to take their exploit development skills to the next level to take this class. I will warn you, however, that this is not an easy class, You can expect to be up late into the night after each day of class if you want to finish all of the exercises. Go into this class expecting to work hard, get frustrated, and exercise your patience. This is not a class for beginners. If the term Return Oriented Programming (ROP) is something you aren't familiar with, GDB is a foreign and feared tool, the heap sounds scary, and kernel debugging is shrouded in a fog of wizardry, you may want to consider taking SANS <a href="https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking">SEC660</a> first. Otherwise, embrace the challenge and I'm sure you'll finding it very rewarding!</div>
<div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com2tag:blogger.com,1999:blog-5381019649504589931.post-73933975700033415472015-05-31T20:47:00.000-07:002015-06-01T12:13:36.484-07:00Palmetto Cyber Defense Competition - 2015Last month my fellow employees and I wrapped up our third annual Palmetto Cyber Defense Competition (PCDC). Inspired by the Collegiate Cyber Defense Competitions, PCDC has been a computer security competition for high schools and colleges in South Carolina. I've written about the event itself in the past <a href="http://www.samcappella.com/2014/04/palmetto-cyber-defense-competition-2014.html">PCDC-2014</a> so I won't go into detail about what the event actually is. Those details can be found at the official <a href="http://pcdc-sc.com/">PCDC</a> site. Instead I wanted to focus on a couple of the things that make PCDC unique, lessons learned from putting on a computer security competition, and where we are going in the future. For those of you looking for a detailed Red Team write up, that can be found <a href="http://pcdc-sc.com/docs/PCDC_2015_Red_Team_Report.docx">here</a>. I took the time after the competition to create an in-depth analysis of the Red Team's process for those looking to learn from their mistakes at this year's competition. The rest of this blog post is a few of my thoughts from an organizer's perspective and not from the perspective of the Red Team lead.<br />
<br />
First off, PCDC is unique in that for the first two years, both high schools and colleges competed. Each group had their own dedicated competition day which meant that the PCDC competition was actually run twice. This means that after the first day, all the machines must get reset, re-imaged, and configured slightly different for the next day. This year, we had a third day added; a professional day. For the first time, PCDC was to be run three times. The schedule of events was as follows: first day was high school, second day was college, and the third day was for professionals. For the professional day, we had groups representing a mixture of government and private industry. From the government side teams were comprised of members from the 24th Air Force and U.S. Cyber Command while the industry teams had members from Scientific Research Corporation (SRC), and SPARC. All in all, we had 4 government teams and 4 teams from industry.<br />
<br />
Our goal from the beginning was to design the competition network to be believable and realistic. Since it was not known to us during the planning and design phase of the competition that there would be a professional day, this year's theme was based around an online game development company. Each of the Blue Teams would be responsible for making sure their development company continued to function through the course of the day and deliver the latest version of their game to their user base through audience accessible tablets connected to each Blue Team via a dedicated wireless connection. One of the things that we quickly realized was that our ambitions greatly eclipsed the amount of time we had available to create the network. Remember, a decent portion of our time goes into infrastructure development so that the competition can be rerun the next day. To add to that pressure, we do not have control over the facility in which the competition is hosted. As a result, or preparation time from the end of one day the beginning of the next is usually around 3 hours.<br />
<br />
To put it simply, there was a lot of different attributes that we wanted to include into this year's competition, but we ran out of time. One of the biggest things we feel these types of competition lack when trying to simulate real world networks is realistic user activity. This year we attempted to remedy that by developing simulated users. We got all the code developed and tested for the user simulators, but due to a hardware failure, we were unable to deploy them to the competition network this year. In the interest of education and sharing, I have opened sourced the code for the user simulators on <a href="https://github.com/sjcappella/PCDC-UserSim">GitHub</a>. We'd really like to hear back from anyone that is doing something similar.<br />
<br />
A few of us have been involved in multiple CCDCs and PCDCs and every year, we make the comment that the scoring system needs to be altered. Although this was in the works before this year's competition even took place, we haven't had time to finalize what fixing the scoring means. At this point, I think we have a much better idea of how we are going to fix the scoring. To highlight why scoring is such an issue, I want to talk about how winning Blue Teams typically approach this competition. Within the first few minutes, the strategy includes removing all unnecessary accounts, changing all the default passwords, and for some, unplugging their entire network while they continue to harden. Now, from a strategic perspective with the goal to win a game in mind, I can't argue with this approach. The issue that I do have, however, is that this leaves the networks in a pretty unrealistic state.<br />
<br />
Each Blue Team is given an information packet at the beginning of the competition. In that packet includes the names of the accounts that the automated scoring engine will use to log into their systems and perform service checks to make sure the Blue Teams still have their services up and running. Once these account names have been identified, the Blue Teams will delete every other account off the workstation or server. This means you could have 3 or 4 domain joined Windows workstations with zero user accounts and only the scoring engine account. It is important to note, that the Red Team is not allowed to leverage the scoring engine account to gain access to the Blue Team's networks. It's also not realistic. A computer security competition should force the students and competitors to perform real security tasks with the presence of real users. Now, since this is a competition and getting that many unbiased volunteer users is unrealistic, we need simulated users.<br />
<br />
Other areas where improvements to scoring need to be made is in the way the scoring engine actually evaluates successful checks. Up to this point, a common service to check for is a functioning MySQL database. Typically the scoring engine will login to the MySQL database, make a query, and check for a specific key-value pair or for the presence of a specific table. This simply isn't good enough. For a real company, the database needs to have constant transactions generated by realistic activity. Right now, Blue Teams get away with making a backup of the database in the beginning of the day and just restoring it anytime the Red Team deletes the database. As long as the Blue Team restores the database in between scoring engine rounds, the scoring engine gives that Blue Team a perfect service check score. Now, this is slightly cured by the fact that the Red Team reports incidents to the Gold Team and the Gold Team can decide to take away points, but these types of scenarios need to have bigger impact on the 'day to day' operations of the Blue Teams' networks.<br />
<br />
Where we plan to go in the future will attempt to combine 3 facets of scoring. The first being financial. The scoring engine will no longer add points, but will score the Blue Teams' companies in a financial sense. The second facet is from an internal employee and systems perspective. Employees must be able to perform their job related duties and interdependent systems must be able to communicate with each other. Finally, the third facet is from the Red Team. This year we tried something new by giving the Red Team specific targets/flags to capture when we gained access to the the Blue Teams' networks. This included the credit card numbers in their customer database, the source code to their latest game, and a few other things.<br />
<br />
Now, I know some people will argue that the CCDCs and even PCDC already take these things into consideration with the scoring engine, but we argue, it is not taken into account enough. The example we like to use is the one where the Blue Team unplugs their network. Now sure, they aren't getting any points from the scoring engine, but in the real world, you can't just go and unplug your entire company from the network. Not only would you be losing sales, but you're paying your employees to do a job that they can't accomplish. And not to mention, the security or IT department has no authority to make that type of decision.<br />
<br />
We have thought long and hard about the scoring and we think we have something new and exciting for next year. I don't want to give away too much here until things are more settled. Additionally, we want to find a way to make the audience understand what is going on. PCDC is free and open for the community to come in and view. This year we attempted to show what was taking place by visualizing the the traffic between the Blue Teams and Red Team in real time. I wrote the code for this and am also releasing it on <a href="https://github.com/sjcappella/PCDC-Display">GitHub</a>. You can see a video demo of it on <a href="https://www.youtube.com/watch?v=VnnHz2Izbz0">YouTube</a>.<br />
<br />
We have a lot of exciting things planned for next year's PCDC! Stay tuned for more, and if you have any feedback from this year's we'd love to hear it.Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com5tag:blogger.com,1999:blog-5381019649504589931.post-77141668485554707842015-04-15T21:34:00.003-07:002015-05-31T20:49:15.273-07:00South East Regional CCDC 2015 - Red TeamThis time last week I wrapped up Red Teaming for the South East regional Collegiate Cyber Defense Competition (SECCDC) for 2015. The SECCDC is special for me for a few reasons. It was my first exposure to the whole CCDC arena, many of my close friends form the Red Team, and the CCDC national champs from last year are from this region.<br />
<br />
This year's scenario was similar to last year's. The Blue Teams were responsible for maintaining the operational status of the HAL business network while completing a series of business related injects. The network layout changed a bit from last year, however. This year all the Blue Teams had a few machines that were public facing, and a group of privately networked workstations. The public facing images were comprised of a pfSense software firewall, 2 SuSe Linux boxes, and a Windows 2012 R2 server. The SuSe boxes were used for backup DNS, MySQL database, and the e-commerce web server while the Windows box was primarily performing the normal functions of Domain Controller and primary DNS.<br />
<br />
After scanning the networks, we quickly determined that the Blue Teams were running all of their public facing services off of an ESXi server. Additional investigation revealed that the ESXi servers were version 5.5.0 and vulnerable to Heartbleed. This vulnerability became our primary attack vector. By leveraging Heartbleed, we could force the ESXi servers to leak the login credentials in clear-text whenever the Blue Teams logged in. Once gaining root access to the ESXi servers, my goal was to gain access to the domain controller. This is a little tricky when you want to go unnoticed. We were able to jump on a couple of domain controllers that Blue Teams logged into, but left the console open and unattended. The Linux boxes were much easier to compromise. Either they were logged into as root and we could change the password, add users, start SSH, lock the console, and log in remotely, or, we reboot the machine into single user mode, changed the root password, and rebooted. Finally, by leveraging a combination of default credentials and unattended console sessions, we leveraged the pfSense firewalls to lock the Blue Teams out of their networks by turning off the internal interface, but allowed us in via the external interface.<br />
<br />
Throughout the course of the competition, the Blue Teams started to slowly kick us out of their networks. This forced us to start getting more creative with our access methods. The first area we looked at was the WordPress site running the e-commerce server. Although we couldn't take advantage of any vulnerable plugins, we could take advantage of the fact that the WordPress configuration let anyone register an account. Now, registering an account in and of itself isn't exciting, but what is exciting, is the fact that WordPress emails you your password. This is important because we had read/write access to the MySQL database backend of WordPress. In the database we could clearly see the administrator's hashed password. Now that we created our own user, we could also see our hashed password in the database. The next step was just receiving the password generated by WordPress. With the Blue Team's network configuration, the WordPress instance couldn't email out to a public email address. But what it could do, was pass the email along to a local Python SMTP server that we controlled. During the user account creation process, we simply specified our email address as 'user@<ipaddress>' rather than providing a public domain name. This worked like a charm. Now that we had a clear-text password and a corresponding WordPress password hash, we leveraged our read/write access to the MySQL database to overwrite the administrator's password hash. Now we could log into the WordPress administrator's account with a password that we knew.<br />
<br />
Our other attack vector was actually found by digging through the pfSense source code. For a few of the teams we still had authentication access to the firewalls, but the web administration had been shutoff. It turns out that there is an XML RPC in pfSense. Like I said, we had the username and password, but couldn't turn on the web console and not all the routers had SSH enabled. So we created our own shell. Using the XML RPC and a little PHP voodoo, we pulled down a PHP shell and created our own web console. In most of the Red Team's opinion, this was one of our coolest finds of the event.<br />
<br />
One of the largest differences I noticed this year was how a couple of Blue Teams were able to almost completely block out the Red Team. The teams that were quick to correctly configure their routers and whitelists on their ESXi servers removed the largest holes in their network, and their service scores showed it. As a Red Team we really took advantage of Heartbleed and default pfSense credentials. Without those footholds, we weren't able to really do much. Smaller attack surfaces seemed to be a trend for a few of the CCDC regional events this year. My previous blog post talked about how at the Pacific Rim regional, the Red Team really only had 2 targets, and the vulnerabilities were default credentials. This was definitely not the case for South East, but the Red Team definitely noticed a lack of attack surface. I've been talking to a lot of people about some of these observations and we all agree that we want modern systems and network configurations, but how do you open up the attack surface without making it unrealistic?<br />
<br />
All in all, I had an absolute blast at SECCDC. I'm already looking forward to next year. I know all the organizers of the SECCDC work incredibly hard to put on this event every year. Their efforts have been noticed and I thank them for all the time and effort they put forth to make this event a reality. And congratulations to UCF for winning a second year and a row! Good luck at Nationals and bring keep the championship in the South East!!Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com0tag:blogger.com,1999:blog-5381019649504589931.post-43516031148927413262015-03-31T20:51:00.001-07:002015-05-31T20:49:44.659-07:00Pacific Rim Regional CCDC 2015 - Red TeamA week and a half ago I got to participate in the 2015 Pacific Rim (Pac-Rim) Collegiate Cyber Defense Competition as a member of the Red Team. My more experienced friend Dan has already written a couple of posts about this season's CCDC events (<a href="http://lockboxx.blogspot.com/2015/03/red-teaming-at-prccdc-2015.html">lockboxx</a>) including Pac-Rim. I wanted to use this post not to talk about what I did as a member of the Red Team, but my developing opinions of CCDC and these types of "cyber defense" competitions.<br />
<br />
To give context to this post, I'll give a brief description of Pac-Rim's scenario. The Blue Teams were tasked as the IT/Security department of The Center for Disease Control (CDC) while the world experienced a zombie outbreak. While trying the manage their network, they must also address the growing scare of zombies and how that impacted their jobs at the CDC.<br />
<br />
As far as network design, the Blue Teams were given an external/public facing network, and a couple of internal networks with varying security levels. From the Red Team perspective we saw 3 primary targets, a VyOS router (<a href="http://vyos.net/wiki/Main_Page">VyOS</a>), a Windows 2012 R2 exchange server, and a Fedora 20 web server. Initial scans for vulnerabilities turned up very little. These were pretty modern systems that weren't running a lot of services. Not a lot to attack. The VyOS router did have port forwarding rules set to proxy through connections to servers on the internal network. With this we could see a couple of services beyond the router such as MySQL. For the Red Team, the only way we actually got access to any of these machines was by default credentials.<br />
<br />
Leaving default credentials is such a silly thing for Blue Teams to pass up and it is such an easy vector for Red Teams to leverage. Default credentials are usually the very first thing Blue Teams change. That being said, once default credentials have been changed, the Red Team has to be more cunning to find another way into the Blue Team's networks. Unfortunately, for the Pac-Rim event, it seemed that more than half of the teams separated themselves because they changed their passwords quicker than the other teams. I want to focus on this point a little bit more.<br />
<br />
When I say that a Blue Team was quicker in changing their default password, I mean they were quicker by a minute, to seconds. This year, we split the Red Team up into cells. Each cell was tasked with attacking a specific Blue Team for the duration of the event. Each cell was to stay in sync with all the other Red Team cells. This sounds like a great concept because it seems very fair. And I agree that it is fair in theory. The issue you run into is the very opening few minutes. This entire event was determined by the first five minutes. The Blue Teams that changed their passwords on the Win2012 Exchange server before their router did better than the students that changed their router's password first. The reason being that the Win2012 Exchange server could be used to pivot all around the internal domain. The router did not provide this type of access. We even had a couple of teams that changed both the router and Exchange server passwords extremely quickly. The result, the Red Team really couldn't do much to them. Now, this isn't meant to be a Red Team sob story. I love when the students lock the Red Team out. That means they are learning, and they are equipped with the skills to make our industry safer. That to me is an amazing thing. The issue I have is that changing 2 default passwords and locking the Red Team out for a day and half is not a learning experience. Further more, since all the Red Team cells are staying in-sync with each other, A Blue Team could get away with leaving a gaping whole in their systems as long as the Red Team cells weren't attacking that particular issue at that time.<br />
<br />
The primary point of CCDC is to provide the students with a unique learning experience that they will never get in the class room. At the end of the competition, I got to sit down with the Blue Team I attacked all weekend. They were so full of questions and eager to learn from their experience. The problem was, I couldn't answer all of their questions. Due to a scheduling issue, I had to work alone as a Red Team cell so my focus was extremely stretched. My Blue Team changed their Exchange server password right away and I never got access to it. I only got access to their router and MySQL database. Since most of the Blue Teams' networks was comprised of a majority of Windows systems, I was asked a lot of questions regarding how well they did configuring the workstations, domains, and other Windows related services. Unfortunately I had to tell them that because they changed 1 default password, I wasn't able to give them an accurate perspective. They could have had a terribly configured domain. I wouldn't know. And this was the case for a lot of Blue Teams. They simply didn't get all the feed back that the Red Team could have provided had there been more access.<br />
<br />
I go back to the point that CCDC is suppose to be a learning experience. It's hard to find the balance between giving the students unrealistically insecure systems that the Red Team can stomp all over, and modern secure systems where the Red Team still has decent access. I also want to emphasize the point of these competitions is to focus on cyber security. One of my Blue Team members told me that they spent the entire first day (more than 8 hours) dealing with customer phone calls from the Orange Team. What?! Customer service has very little to do with developing cyber security skills. I understand that the Orange Team is there to act as real world customers, but this is a competition. Blue Teams are obviously going to put their best 'people person' on the phone. They probably won't learn anything in terms of how to deal with people and they'll miss out on the actual technical education.<br />
<br />
In the end if my Blue Team was able to learn 1 thing, than in my opinion, the experience was worth it. I love doing these types of events as a way to connect with students and provide guidance in a way that it was provided to me. Next week I'll be participating in the South East CCDC regional and my company's own cyber defense competition (<a href="http://pcdc-sc.com/">PCDC</a>) so I should have a lot more stuff to report on.<br />
<br />Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com2tag:blogger.com,1999:blog-5381019649504589931.post-51479984031621755982015-01-01T12:51:00.000-08:002015-05-31T20:50:12.578-07:00GXPN Review: SANS SEC660 - Advanced Penetration Testing, Exploit Writing, and Ethical HackingSo this blog update is incredibly overdue, but I guess better late than never. Back in August I was fortunate enough to be able to attend a session of the SANS Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (<a href="http://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking">SEC660</a>) course. Overall, I can say that this course was an absolutely fantastic learning experience and a training event that I would highly recommend to anyone that is looking to further their penetration testing and exploit development skills.<br />
<br />
Prior to taking 660, I took the SANS course Network Penetration Testing and Ethical Hacking (<a href="http://www.sans.org/course/network-penetration-testing-ethical-hacking">SEC560</a>) back in January of 2013. Although I'm not going to write about that course in this post, 560 is another fantastic penetration testing course offered by SANS. My day-to-day job and personal interest has me focus more on the vulnerability and exploit development based research more so than the hands on penetration testing. As a result, a lot of the network based attack topics covered in this class were fairly new to me. Every day had so much content that the normal hours of the class were augmented with additional bootcamp labs. To make things even more interesting, I attended 660 during the SANS Virginia Beach conference which hosted their NetWars tournament. So I was spending pretty much every waking moment during the week hacking in some way, shape, or form.<br />
<br />
The class is broken up into 6 days. Days 1-5 are content based learning days with frequent lab exercises. Day 6 wraps up the class with a capture the flag (CTF) challenge. Since there is so much content associated with this class, each day is fully packed. The instructor, Stephen Sims, did an absolutely amazing job at teaching this class. The following sections give a high level impression of each day. For more detailed topics covered during each day, I highly recommend checking out the course description on the SANS website.<br />
<br />
<b>Day 1 - Network Attacks for Penetration Testers</b><br />
<br />
Day 1 was admittedly the most difficult for me. To start off the course, students are introduced to an extremely diverse set of advanced network attacks. Networking is one of my weaker areas, and as a result, I did need to spend a little more time completing some of the labs and studying this material. One of the best things I enjoyed about day 1 is the focus on obtaining access to a network that has security access controls. Many times, penetration testing descriptions start off with, 'assume you've been given initial access to the target network'. This is not always the case and it is extremely valuable to the customer when a penetration tester can bypass whatever network access controls may be in place.<br />
<br />
<b>Day 2 - Crypto, Network Booting Attacks, and Escaping Restricted Environments</b><br />
<b><br /></b>
Personally, I felt that Day 2 was the most unique content from course in the sense that the topics covered during this day are probably not areas immediately thought of when performing penetration tests. For example, cryptography. Often times as penetration testers, we'll look for a known implementation flaw online if we discover a particular crytographic algorithm being used, or defer the cryptanalysis to another time so that our testing event isn't consumed by trying to break cryptographic implementations. One of the take aways from this day is a methodology for efficiently evaluating a cryptographic implementation. Immediately with this skill set, your ability to provide a more comprehensive penetration test for you client greatly increases. Other notable topics covered in this class are delivering hypervisor boot images across a network (as a means to silently shim in between your victim's OS and hardware) and breaking out of kiosk style restricted environments.<br />
<br />
<b>Day 3 - Python, Scapy, and Fuzzing</b><br />
<b><br /></b>
This day of class was a lot of review for me. I've used Scapy for work projects, and I've been coding in Python for a few years now. I've also used a variety of fuzzers for both personal and work projects. The best part of this day, however, is getting some automagic scripts built by the SANS team for helping alleviate the pains that are associated with installing certain fuzzing platforms (I'm looking at you Sulley...). I love making things as simple as possible and having these new setup scripts eliminate the pains that come with installing some of these platforms is almost worth the entire cost of the class by itself ;).<br />
<b><br /></b>
<b>Day 4 - Exploiting Linux for Penetration Testers</b><br />
<b><br /></b>
I really enjoyed days 4 and 5. I've worked through all the exercises in <i>Hacking: The Art of Exploitation </i>(<a href="http://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation">ref</a>) a couple of times and I've participated in a few CTFs requiring exploitation of Linux binaries. As a result, a lot of the information presented in this day was review for me. It was still a great lecture and lab day, however, because the best way to improve your exploit skills is to write exploits! I also find that relearning a topic taught by another knowledgeable instructor (in this case Stephen Sims) only helps solidify your understanding of a specific topic.<br />
<b><br /></b>
<b>Day 5 - Exploiting Windows for Penetration Testers</b><br />
<b><br /></b>
Moving on from day 4, day 5 was all about Windows. Admittedly, I have a much greater understanding of low level Linux internals than I do Windows. That is something I'm currently working on. As a result of day 5, I came away with a much better understanding of the Windows linking and loading procedure and the in-memory process structure. Day 5 also focuses more on return-oriented programming (ROP) exploitation. To facilitate this, the class learned about the Immunity Debugger plugin, mona.py (<a href="https://github.com/corelan/mona">source</a>, <a href="https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/">manual</a>), from the amazing Corelan team. Learning about this tool was the best part of Day 5 in my opinion.<br />
<b><br /></b>
<b>Day 6 - Capture the Flag Challenge</b><br />
<b><br /></b>
After 5 intense days of instruction, it was time for us to put our new knowledge to use during the CTF event. Our class broke up into 4 teams of about 4 to 5 members per team. We had 6 uninterrupted competition hours. I focused mainly on the Linux exploitation challenges in the beginning and then moved on to Windows exploitation and a particularly tricky fuzzing challenge. After an absolutely thrilling competition, our team came out on top, taking home the SEC660 challenge coin!<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwHG2aJz9S8ojEAknE_J_4xz_di08dxuBKchFLWSBL_gtzhNzVtOi_7EuA_d4F90Bqg_K7a7wbXj3dXg6znkCewCZHWcbM-pMa0kYYs6Gdw3mZ9D2OnC2_nKX9j2X70ITmsFlVjwdpQns/s1600/IMG_20140829_155727892_HDR.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwHG2aJz9S8ojEAknE_J_4xz_di08dxuBKchFLWSBL_gtzhNzVtOi_7EuA_d4F90Bqg_K7a7wbXj3dXg6znkCewCZHWcbM-pMa0kYYs6Gdw3mZ9D2OnC2_nKX9j2X70ITmsFlVjwdpQns/s1600/IMG_20140829_155727892_HDR.jpg" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Challenge Coin</td></tr>
</tbody></table>
<br />
<b>Certification and Closing Thoughts</b><br />
<div>
<b><br /></b></div>
<div>
In November I successfully acquired my GXPN certification by taking the test associated with this class. I procrastinated studying much longer than I wanted to, but sometimes things come along that you can't plan for. In the end everything worked out. Additionally, I'd like to advocate this class for anyone seriously considering doing more exploit development in their career. Shortly after earning my GXPN, I was given an amazing job offer to be a full time exploit developer. I can honestly say that this class gave me the confidence and edge I needed during my interviews. Right now I'm currently transitioning into a fantastic opportunity within my current job so I didn't end up taking the new offer. Someday down the road, though, things might be different.</div>
<div>
<br /></div>
<div>
Overall I thought SEC660 was an absolutely amazing class and Stephen Sims did a fantastic job teaching. I'm already trying to plan out when I can take SEC760 - Advanced Exploit Development for Penetration Testers. </div>
<div>
<br /></div>
<div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com2tag:blogger.com,1999:blog-5381019649504589931.post-25840620352967489852014-04-20T20:07:00.000-07:002015-03-31T21:02:28.471-07:00Palmetto Cyber Defense Competition - 2014<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Last weekend (April 12-13) was the second annual Palmetto Cyber Defense Competition (PCDC). Inspired by the national Collegiate Cyber Defense Competition (<a href="http://www.nationalccdc.org/" target="_blank" title="CCDC">http://www.nationalccdc.org/</a>), PCDC is a computer security and business competition open to schools in South Carolina. On Saturday, college teams compete while Sunday is reserved for high schools. Unlike CCDC competitions which usually span a couple of days, PCDC competitors are pressured into one fast and furious day of competition. I was fortunate enough to be a part of the Red team this year. I wanted to make this blog post to supplement the short Red team presentation given to the students at the end of their competition day. Since PCDC competition sessions are only a day long, there is so much to do in that timeframe. As a result, the Red team doesn't really get to talk with the students as much as we would like.<br />
<br />
For this year's PCDC, we had a relatively small Red team. At any given time, we were between 7-8 members. As a result, we decided it would be most effective if we each took a team to focus on. If anyone of us would find a way into a system, we'd shout it out and each Red team member would try that method on their target Blue team. We wanted to keep things as even as possible. In addition to all of our technical tools, the Red team was allowed to use social engineering this year. The Red team had access to a VOIP phone which we could use to call the Blue teams. In addition, the Blue teams' competition area was in a large reception style room. This meant that the Red team could walk around the Blue teams to try and pick up what was going on.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
From a social engineering perspective, the Red team kept things pretty simple. We stole a couple of Blue team 'mentor' name badges that would have been used to help identify individuals who could provide the Blue teams with some extra technical support. One of the defining differences with PCDC is its goal in encouraging STEM outreach. As a result, Blue team mentors work with the competing high school teams months in advance to help prepare them for the competition. As a result, the Blue teams grow to trust the mentors. Although I personally offered my Linux subject matter expertise to the Blue teams, I was not asked to help. I felt completely under-utilized. This is a positive note to point out. All the Blue teams for both college and high school were extremely cautious with allowing personal access to their space. As a result, very few of the Red team members got information via personal interaction. But we had other plans.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
One of the Red team members brought a high quality camera with him. Equipped with nothing more than a collared shirt and good personality, he set out to film the Blue teams as a member of the 'local news station'. He was successful in taking a picture of every single Blue team's password lists for both college and high school days. Only one team reported his actions. As you can see by the following picture, the results were awesome:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbxEIor89-4cxq80mj8gku-P5lbzk1y7M05JPNvrj4qH44RZA7CHhZB0xeYc_jv38xo2YECfZ1Z4zF1cJ4OT0B-VrbpeR4zAx02fZw-doBiX7vK0V2FPRYa3JuODy79wFumcaluesPIZs/s1600/passwords.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbxEIor89-4cxq80mj8gku-P5lbzk1y7M05JPNvrj4qH44RZA7CHhZB0xeYc_jv38xo2YECfZ1Z4zF1cJ4OT0B-VrbpeR4zAx02fZw-doBiX7vK0V2FPRYa3JuODy79wFumcaluesPIZs/s1600/passwords.png" height="451" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Blue Team Passwords</td></tr>
</tbody></table>
<br />
<div style="text-align: left;">
In addition to pictures, we also tried to add our own business inject. Prior to the competition, one of our Red team members made a fake tax calculator program and accompanying inject form. The inject stated that the students were to report the error code given by the tax software as the upgrade from Windows XP to Windows 7 has caused some unanticipated errors. What really happened is the program would crash every single time but open up a reverse shell to our waiting machines. We had some success with this approach including one team that send us over 30 shells back! Other notable events include a team that redialed their phone immediately following a Blue team runner who called the Red team asking to clarify if the weird behavior on the team's system was the Red team or an actual technical issues. The Blue team runner was not a competitor, but one of the helpers there for the Blue teams. Because we are a friendly Red team and we want to help everyone out, we would always pick up our phone pretending to be the Gold team. As a result, this particular Blue team thought we were the Gold team for most of the day.</div>
<br />
The Red team's game plan for attacking the Blue teams was simple. Get access, establish persistence, then have fun. This is true with pretty much every Red team for all the CCDC style events. I will say that for both college and high school days, every team was pretty good at keeping us out by changing their default passwords. The only way we got their default passwords was with our photographer. What the Blue teams weren't told was that the default passwords given to them were not all their default passwords. One of the services the Blue teams had to keep up was a Kunagi server. Kunagi is deployed on a Java application server like Tomcat or JBoss. For this event, the Blue teams were running JBoss. What every single one of them failed to notice, however, was that their JBoss admin console was publicly available and still had default admin credentials. This is how we got our initial access for every team.<br />
<br />
Through the admin console we were able to upload our own WAR file (the deployable version of the Java applications that run on JBoss) which would start a reverse meterpreter session back to our machines. With this we would establish simple persistence by using meterpreter's run persistence module. From here, I no longer needed my custom deployed WAR, so I deleted is. This would hopefully hide the fact that I had compromised their system. With this initial access, the next step is to try and move laterally through the network. It turns out, these system were all part of a domain. So, our next step was to pull credentials from the machine. We did this with mimikatz. For those of you that don't know what mimikatz is, it is a tool that allows for plaintext recovery of cached Windows credentials. The following is a screenshot of what mimikatz output looks like:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWYY8IB9i39cXk6XpARQXHIyOFKJRJlcx5PvZcuIwN7wrwPIYC-KpvL3RR8GpJwf-319m4O8LKMT_LN_ymBAyEqIim-dOxNkTu670pTtkcUECOe8dffHDcGDbO_4-vcEOl05DzusGhvn4/s1600/mimikatz+creds.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWYY8IB9i39cXk6XpARQXHIyOFKJRJlcx5PvZcuIwN7wrwPIYC-KpvL3RR8GpJwf-319m4O8LKMT_LN_ymBAyEqIim-dOxNkTu670pTtkcUECOe8dffHDcGDbO_4-vcEOl05DzusGhvn4/s1600/mimikatz+creds.png" height="446" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Plaintext credentials with mimikatz</td></tr>
</tbody></table>
<br />
Now, lucky for the Red team (and consequently, unlucky for the Blue teams), these credentials belong to the domain administrator. From here, we were able to use the psexec command to log into the other Windows boxes and consequently establish persistence on all the Windows machines.<br />
<br />
In addition to Windows, the Blue teams also had a couple of Linux servers and an ESXi server. As a team, we really didn't have too much luck on getting on the Linux servers except with a default SSH credential and through the ESXi console. But let's talk about how we got to the ESXi servers. For those of you who have used ESXi and connected through a browser, you know that it uses HTTPS. It turns out, ESXi is using OpenSSL. Hmmm. PCDC 2014 was on the weekend of April 12th and 13th. Not even a week before, the security community was thrown on its head with the HeartBleed vulnerability present in most modern versions of OpenSSL. On a hunch, we decided to try HeartBleed on the ESXi servers. We set up a simple script that would constantly ping the Blue team's ESXi servers and look for a HeartBleed response that contained a password field. About an hour later, one of our Red team members jumps up yelling, "it worked!" And there on his terminal, was a username and password field. It turns out that HeartBleed will work on an ESXi server and spit out usernames and passwords after a login attempt. Here is a screenshot of was our output looked like:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_pXcB8onRU2H-jZQCj-OwSNp_M3dbpeUTe30v9xBjLfn609Ic040kq2O48LYgaAQeX-iSl-OUULEI7KrlP3TfpbWM2tcCP01RB6U1e6sdUs9LcIySXn-1PrQOzfDLThgoO0RFsP5kMz8/s1600/heartbleed-password.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_pXcB8onRU2H-jZQCj-OwSNp_M3dbpeUTe30v9xBjLfn609Ic040kq2O48LYgaAQeX-iSl-OUULEI7KrlP3TfpbWM2tcCP01RB6U1e6sdUs9LcIySXn-1PrQOzfDLThgoO0RFsP5kMz8/s1600/heartbleed-password.png" height="458" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">HeartBleed works on standard ESXi 5.5</td></tr>
</tbody></table>
<br />One of the goals of PCDC is to give students a taste of the real world. How much better could be get than launching an attack against a critical service that exploits a vulnerability less than a week old? Needless to say this certainly caught some buzz with the spectators. Unfortunately, we did not discover the effectiveness of HeartBleed until the second day. As a result, the college students missed out on this. With these credentials we could point vSphere ESXi clients at the ESXi servers and help the Blue team's administer their VMs. My favorite is when I open up the console to a Linux machine and just see a # sitting there. For my Blue team, I was a little quicker on the keyboard than they were. I opened the console and saw the root prompt. I quickly changed the root password, turned on SSH, and then quit the user session through the vSphere client. This effectively locks the Blue team out of their root account and allows me to login remotely via SSH. My favorite result of this was having the Gold team call up the Red team with the response, "One of the Blue teams just said they saw their root password change right before their eyes and then lock them out. Was that you?"<br />
<br />
At this point, it was time to start having fun with the students. A couple of the Red team member came very prepared for fun. In the year leading up to PCDC 2014, we have been hearing a lot about ransom-ware in the news. Software that gets on your computer, encrypts important files, and then demands a ransom for the decryption key. Inspired by this, one Red team member made some hilarity-ware. This combined the ransom-ware with some amusing side effects. Let me introduce Ponyware:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGTMkKxyCZMBGWtai-rYejK3qEAuin-QrjlaGw3UoJHflmtsqBPB79uhIdYTKEI-7ktKnmq3Qz9vVrTLBBKXCVLimtxVneShkyk8ORwCEOH8X1K5nn3YYjnuKzIMS2cAIML6Owot4l7k/s1600/ponies2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLGTMkKxyCZMBGWtai-rYejK3qEAuin-QrjlaGw3UoJHflmtsqBPB79uhIdYTKEI-7ktKnmq3Qz9vVrTLBBKXCVLimtxVneShkyk8ORwCEOH8X1K5nn3YYjnuKzIMS2cAIML6Owot4l7k/s1600/ponies2.png" height="400" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Ponies demand a ransom</td></tr>
</tbody></table>
<br />Ponyware would encrypt a lot of the folders found on the computer and then insert a small ransom program in the front of every legitimate program it could find. The goal was to get the Blue teams to call the Red team for the decryption key after they paid a ransom with some of their points they had earned throughout the day. We successfully deployed Ponyware, but no Blue team called us for the decryption key. Instead, most of them either opted to leave it on and have it play its music, leave the desktop background a checkered board of ponies, and enjoy the custom mouse cursor. Others opted to take a large point deduction and request a Gold team re-image. Ironically, the re-image cost more points then the ransom would have.<br />
<br />
Our next trick was pretty nasty. Originally, we were planning to deploy this uniformly at 3:30pm, but our plans didn't really work out. The plan was to overwrite all the master boot records (MBRs) on as many Blue team machines as possible. What we wrote the the MBRs was an awesome 512 byte program that displayed an animation on Nyan cat.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvhXJ7rvE_iQJeqlUZ7XILtWqTXZMHw3n6G8IQ9M_e1wghJ7CJ9gwT_8ZNEQfdT6KJVDclw29OKWihUCoCQGKQJSs5_jOKn3kaveMLJwKcMC-1_SSBxIq0cNnEpQi42gF6ndahJK1CzII/s1600/NYAN-Cat.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvhXJ7rvE_iQJeqlUZ7XILtWqTXZMHw3n6G8IQ9M_e1wghJ7CJ9gwT_8ZNEQfdT6KJVDclw29OKWihUCoCQGKQJSs5_jOKn3kaveMLJwKcMC-1_SSBxIq0cNnEpQi42gF6ndahJK1CzII/s1600/NYAN-Cat.png" height="454" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Nyan cat animation written to boot sector</td></tr>
</tbody></table>
<br />Once the MBR was overwritten, we would bounce the boxes and this would be the only thing the Blue teams would see. Nyan cat was a huge hit with just about everyone. Although the Blue teams would have preferred not having their MBRs overwritten, they appreciated the humor. By the end of the day, a couple of computers were just sitting there completely useless counting down till 3:30pm:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhISg_6d6j1x5nzTeBGa0W9P58iwzZrQt1SKDQNEUedYJykxzhINfbHkba8pv_RazwaiP_a44LIqurfbcLLOkDR7VlWJUPivfH5dC7XZCOOB-kKeOwWEZBBF6Lvh4MJI6ioDYjSwNCz5YE/s1600/Waiting+until.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhISg_6d6j1x5nzTeBGa0W9P58iwzZrQt1SKDQNEUedYJykxzhINfbHkba8pv_RazwaiP_a44LIqurfbcLLOkDR7VlWJUPivfH5dC7XZCOOB-kKeOwWEZBBF6Lvh4MJI6ioDYjSwNCz5YE/s1600/Waiting+until.png" height="400" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Waiting until 3:30pm</td></tr>
</tbody></table>
<br />From a Red team member's perspective, there are a couple of things I would have suggested to the Blue teams. In general, most teams did a very good job, but no matter how many times we say it, default passwords are going to kill you. As a Blue team member, you need to be aware of every service you have running and if/what those service's default passwords are. You must be aware of service that come out-of-the-box with default credentials. Now, I have only been a Red teamer on 2 CCDC style events, but both times I've bean able to access the ESXi servers with my vSphere client. In the case of PCDC, every Blue team was provided an adaptive security appliance (ASA). This can be used to restrict the IP addresses allowed to access the ESXi servers. Blue team's should also be aware of authentication mechanisms that are required and not required. The Blue team I focused on for day 2 only allowed SSH login via key authentication. This is a great move, except when the Gold team needs to be able to login via SSH to score your service and they don't have an authorized key because Gold team is using a password. Over and over again the Gold team remarked about how the Blue teams did not read their information packets thoroughly. The information packets usually have detailed information about your network and systems. As a result, you should know what is on your network. It shouldn't be towards the end of the day when I see this as I'm watching your session..<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdAJayXivoHArR_gieBZ2pYS7zUEbGTeUpdD2qhyphenhyphen4Tu0deFhFeMvKeWWk9PRzGWfSl0E1yn6PsRVRYlLu-U74sl9H0Zi0Id40Snx4frb669ipyQSfVfQxVSdiiMMYchXZAU0qnFDSU1Lo/s1600/Purpose+of+ESXi.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdAJayXivoHArR_gieBZ2pYS7zUEbGTeUpdD2qhyphenhyphen4Tu0deFhFeMvKeWWk9PRzGWfSl0E1yn6PsRVRYlLu-U74sl9H0Zi0Id40Snx4frb669ipyQSfVfQxVSdiiMMYchXZAU0qnFDSU1Lo/s1600/Purpose+of+ESXi.png" height="400" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">What is an ESXi?</td></tr>
</tbody></table>
<br />At almost 1:30pm, the competition has been going on for about 5 hours. Just now trying to learn what an ESXi server is might mean you're a little behind the game. Another lesson learned (the hard way) by some Blue teams is if you know something bad is going to happen at a specific time (say 3:30pm), do not try and adjust your system clock past that time. Trying this trick quite literally blew up in some teams' faces.<br />
<br />
I just want to note that some individuals on the Blue teams felt that we were a little hard on them. It was our intention as the Red team to not be complete jerks. Our goal is to educate the students while having fun with them. As we tried to tell the Blue teams, we do this because we care about education. So, if you're a current or future member of a Blue team, know that we don't do what we do to be mean. We do it to help you. If you're competing and the frustration is building, just remember, Red team loves you!<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVTgK5m0dcUUwiP0TvmbG1YtU9YM3rULIBGIwM_iaMmOkWn-MTwFiXzhgu1T_oleP9qiQiycnJUh3KgXkZ9PLQI_fL6eYCw8tRVAihLCOWLs8q4HBhaL6eqalu_WzCJ75EOkIUwv2ff4M/s1600/redTeamLovesYou.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVTgK5m0dcUUwiP0TvmbG1YtU9YM3rULIBGIwM_iaMmOkWn-MTwFiXzhgu1T_oleP9qiQiycnJUh3KgXkZ9PLQI_fL6eYCw8tRVAihLCOWLs8q4HBhaL6eqalu_WzCJ75EOkIUwv2ff4M/s1600/redTeamLovesYou.PNG" height="346" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Red Team <3's you!</td></tr>
</tbody></table>
<br />
<br /><div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com1tag:blogger.com,1999:blog-5381019649504589931.post-31562555715329826922014-04-03T18:49:00.000-07:002015-03-31T21:05:08.282-07:00Red Team SE-CCDC 2014Earlier this week I had the fantastic opportunity to participate in the South East regional Collegiate Cyber Defense Competition (CCDC). If you've never heard of CCDC before, here's the short and sweet. Teams of college students represent their schools by assuming the role of a Blue team which represents a business's IT branch. They are dropped into a preconfigured network after the previous IT employees were let go. They have no knowledge of what the systems, configurations, software, or even hardware look like before they get there. The Blue teams' goal is to ensure the daily operational aspects of the business remain up and operational. Here's the catch. The entire time they are trying to ensure their business stays online and available, the Red team (a team of security professionals playing the part of hackers) actively attack the Blue team's systems and try to take them offline. Not only must the Blue teams defend their networks, they must also complete a series of timed tasks administered by the judges (White team). The White teams gives the Blue teams business injects like opening up file sharing for the organization's employees or responding to potential incident response requests. Needless to say, the competition is a fast and furious exercise in information security and I was excited. Not only was this my first time as a CCDC Red team member, it was my first time at a CCDC period.<br />
<br />
On Monday, a coworker and I drove out to this years location at Kennesaw State University. After the long drive, we setup in the Red team room and began scanning and enumeration. The rules for the first day were simple. We could scan the Blue teams all we wanted, but we were not allowed to perform any attacks. Our scans showed that there were a lot of systems and most of them looked pretty up to date. Every team had Windows 7 desktop boxes, a couple of Fedora 20 and CentOS Linux boxes, a Windows Server 2012 R2, and a couple of ESXi servers. By the end of the night, our best lead at an attack vector was an eCommerce site. I found a small SQL injection vulnerability in the search functionality and a couple other Red teamers found what looked to be a neat way of overwriting configurations by leveraging a misconfigured install directory. While we did our scanning, the Blue teams were hard at work configuring, administering, and hardening their infrastructure. To make things a little more interesting, the Red team worked with the competition's organizers (Gold team) to tip the scales a little bit more in our favor :).<br />
<br />
Raphael Mudge (the creator of Armitage and Cobalt Strike - <a href="http://blog.strategiccyber.com/" target="_blank" title="Strategic Cyber">http://blog.strategiccyber.com/</a>) worked with the Gold team to drop 2 of his Beacon backdoors on every team's network. This was used to simulate the insider threat left behind by the old IT employees that use to operate the networks that each Blue team inherited. Beacons act as an advanced persistence agent capable of 'beaconing' back on a timed interval. Each time Beacon checks back, it will query the Red team's attack server looking for a queue of commands to act on. These Beacons are heavily embedded on the Blue team's systems and have multiple fall back communication channels. In my opinion, it is one of Cobalt Strike's best features.<br />
<br />
Sure enough, the next morning as soon as the competition started, the Beacons started calling back. The Red team decided that the best way to play the game was to split up into pairs and every pair would focus on a team. Every time a pair found something with one team, we would yell it out the rest of the Red team to try on their target Blue team. I got to pair up with Mudge and get a first hand education on Cobalt Strike and collaborative Red teaming. Mudge and I had Team 5 (team Echo) who we affectionally referred to as our children for the next 2 days. We decided early on, like good parents, we would watch over our children very carefully. As soon as we got our first Beacon, we queued up the 'keylogger' command. Now, with every checkin, Beacon would dump a series of cached keystrokes. Almost immediately we got a sequence that looked like 'root [TAB] @D4#c.L8'. SWEET! Root creds! But to what?! I tried a couple of the Linux boxes but it didn't work. So I saved them for a little bit and moved on. A couple minutes later, another Red team member shared that they pulled the competition rules off another Blue team's box. The rules detailed all the default user names and passwords for the Blue team's systems. Good news for us! And it was still early in the day.<br />
<br />
Using a nifty feature of Cobalt Strike, we attempted a mass login with default credentials. SUCCESS! We got a couple of successful logins including a Linux box. Mudge went to work securing our foothold on the Linux system. Thankfully for us, this was made easier by the default user being in the '/etc/sudoers' file. So a quick 'sudo /bin/sh' and we were good to go! A little later I remembered that there were ESXi servers on the Blue team's network so I popped open my vSphere client and pointed it at the ESXi server's IP address. Hmmm, usually the user name is root. Lets give our first sniffed password a try...SUCCESS again! A couple minutes later I logged into the second ESXi server with the default password 'changeme'! It was less than an hour into the competition on Day 2 and we had root on 2 ESXi servers, a Linux box, and 2 Windows boxes hooked. It looked like it was going to be a good day.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJDR7-O53k40ji9VvPgOtZbTwwRMiNmC4wDIpRL-rkJCy4fUR6ZAt6sKiX7158w9q7HEHVHmQMjdWX6LaN8tTDFsHf3AY2D7uVYPVDy4mrnuu9s4ai2RiEkHTi3WA1O-iRxLdgJi7nXgo/s1600/Screen+Shot+2014-04-01+at+1.54.34+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJDR7-O53k40ji9VvPgOtZbTwwRMiNmC4wDIpRL-rkJCy4fUR6ZAt6sKiX7158w9q7HEHVHmQMjdWX6LaN8tTDFsHf3AY2D7uVYPVDy4mrnuu9s4ai2RiEkHTi3WA1O-iRxLdgJi7nXgo/s1600/Screen+Shot+2014-04-01+at+1.54.34+PM.png" height="412" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Root on both ESXi servers</td></tr>
</tbody></table>
<br />To maintain my foothold on the servers, I added a new user (vm-admin) with full administrative privileges. Then I sat and watched. Slowly it looked like the Blue team was moving more of their assets to the ESXi servers. How nice of them! I decided that I wouldn't make myself known till the very end, after they had given me all of their VMs. This was a little risky. If they would find my user account, I could be booted from the server. Luckily for me, they didn't know I was there until I wanted them to. Between getting root and the end of the day though, we managed another big win for the Red team.<br />
<br />
One of Metasploit's features in meterpreter is the ability to grab screen shots. Using Cobalt Strike, we configured the screen shot functionality to snag a capture every 10 seconds. This was a slow, sneaky way of spying on team Echo. Eventually, we saw a member of Echo open up Internet Explorer to administer a spiffy new pfSense box through the browser administration client. Mudge lit up when he saw this. It was time to test browser pivot in a real scenario! Cobalt Strike's browser pivot essentially allows you to spawn a process inside of a current Internet Explorer browser session and then proxy the session back to the Red team's local browser all unknowingly to the victim. This means that the browser has already authenticated and we can piggy back off of that. So now we can help administer the pfSense box for team Echo :).<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXzWabDr1QsvfTIwYWgnRFouq8VihCqEAfqYHauxZv58dFO17WedMmuXZH2t-13P-KZIy1QcQi_b4cjIVREp5vV55P6waJVITEM2JbmRHloxpcsWNEx1bJZf-BLNVg91U-_lRgg5eo3RQ/s1600/Screen+Shot+2014-04-01+at+12.41.41+PM.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXzWabDr1QsvfTIwYWgnRFouq8VihCqEAfqYHauxZv58dFO17WedMmuXZH2t-13P-KZIy1QcQi_b4cjIVREp5vV55P6waJVITEM2JbmRHloxpcsWNEx1bJZf-BLNVg91U-_lRgg5eo3RQ/s1600/Screen+Shot+2014-04-01+at+12.41.41+PM.png" height="392" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Helping team 'Echo' administer their pfSense box via a browser pivot</td></tr>
</tbody></table>
<br />
With this capability we quickly configure pfSense to allow SSH and best yet, we could inject commands via the pfSense web admin console's 'execute' feature. So we added our SSH key for easy access. Later on, we would keylog the root password to the pfSense box as well. It was ours.<br />
<br />
After all of this the end of the day was approaching quickly. At 6:00pm, the Blue teams must be hands off keyboards. Team Echo had a pretty solid run all through the day by keeping most of their services up and running. But, at 5:55pm I decided to change that. The first thing I did was change the root passwords on both ESXi servers. This is not enough to boot the root user off if they are logged in, however. So I saved the state of all the VMs and quickly bounced the physical servers. Team Echo would be kicked off and after the reboot, their passwords wouldn't be correct. It worked. To put the servers further out of reach I changed the passwords for all the users (1 server had 3 default users and the other had 4) and made sure SSH was disabled. The next morning they would have physical access to the box, but no way in. Now, I saved the state of the VMs for a reason. If I would have bounced the ESXi server without saving VM state, then the VMs would have to reboot and more than likely, require a valid login. But, if I saved their state and they were already logged in, then I wouldn't need to authenticate at all. Lucky for me, this was absolutely the case for a Linux and Windows box.<br />
<br />
The next morning the competition's director came into the Red team room and asked which one of us owned team Echo's ESXi servers. Mudge and I gladly took credit. He asked us to reset the root passwords to both ESXi servers and give it back to team Echo. Since all of their services were on the servers, they literally couldn't do anything. Mudge and I agreed on one condition. We could backdoor the VMs we had access to. So after backdooring the Windows and Linux box and deleting team Echo's VM snapshots and replacing them with our own, we handed team Echo their new root passwords. Since today was a much shorter day, Mudge and I focused on trying to figure out why our Beacons stopped calling out to us. After a couple of hours we determined that team Echo had found the Beacons and removed them. Good for them, bad for us. About half an hour before the very end of the competition I attempted to login to the ESXi servers with my old account I created when I first got on the box. I only gave team Echo the root account passwords, nothing else. To my surprise, I still had complete admin access with my vm-admin account!<br />
<br />
Since it was the end of the day, it was time to go all it. I took all permissions away from root, deleted the other users, deleted all the VMs and datastores, and dropped the servers into maintenance mode. Literally game over.<br />
<br />
Here's the recap. From all that I just wrote, it would seem like team Echo might have been off their game. This is simply not true. I only described our successes. Not failures. Team Echo seemed to boot us off the Linux boxes every time we gained access. Every. Time. Our Beacons stopped calling back on both Windows boxes. Really the only things we had were the ESXi servers and the pfSense box. But guess what. We didn't even truly have the pfSense box. Team Echo knew we were there and they weren't even using it! Now, Mudge and I noticed a lack of activity with the firewall, but overall, a great move by team Echo. In the end, it was a couple of critical mistakes that cost team Echo.<br />
<br />
Team Echo's first mistake was not changing the default password on the second ESXi server. Next, there was a lack of user auditing on the ESXi servers and the principle of least privilege was not enforced. All administrative/root accounts on a system should be documented and accounted for. If a new one shows up, say vm-admin, action needs to be taken. Team Echo still had root, so they should have immediately changed their password and deleted my account. By doing that, they would have effectively locked me out of the system. Finally, in a situation like CCDC, the Blue teams can't always prepare for curve balls like judges allowing Mudge to install Beacons on their systems, but they can protect against other things. An ESXi server should never be available outside of a local management network. This is were the pfSense box should have been stood up. A simple firewall rule to deny access from any IP address (except ScoreBot which is off limits to the Red team) would have prevented me from accessing the ESXi servers with my vSphere client even if I had the root password. And finally, never, ever leave default usernames and passwords on your system. The Red team WILL find them and they will take advantage of them.<br />
<br />
All in all I had a lot of fun and learned a lot. Mudge was awesome to work with and I appreciate the time he took to help show me the ropes. In the next week or so I'll be ramping up for a local CCDC called Palmetto Cyber Defense Competition (PCDC). Hopefully I'll have more to share (I'll try to do more screen shots and less text) from that event shortly after.<br />
<br />Anonymoushttp://www.blogger.com/profile/04583350421631995769noreply@blogger.com0