Since 28C3 there has been at least one capture the flag every year, so the next three speakers that we have are always organizing a capture the flag. They are here representing all their team. Please welcome, with a huge round of applause, Andy, Saelo and Mahler.

Hi everybody. So yeah, again, welcome from our side to a talk "What the flag is CTF". This talk is going to be a foundation talk and we want to tell you what a CTF is, how to play it, what game modes there are. This is the first part of the talk, a bit of an introduction, and after that we're going to show you three challenges that we prepared for this year's CTF, so should you actually decide that you want to play a CTF in the future, you know what to expect when you actually play it.

Yeah, so a few words about us. Our team is called Eat Sleep Pwn Repeat, or ESPR for short. We are a CTF team and I don't know how long we even exist, it must have been like three or four years now, maybe even five. We are all just people who in our free time were interested in IT security, and we got together in hackerspaces or at the university and we just started playing CTF and everybody participated, and that's, well, how a group formed, and now we are Eat Sleep Pwn Repeat. Yeah, that's all there is to it.

I'm always talking about a CTF, but maybe you actually don't know what a CTF actually is. So CTF stands for capture the flag, and for the older ones of you, this has nothing to do with the Unreal Tournament game mode except for the name and that there are flags. A CTF is a contest between different teams where all the teams solve different challenges that are somehow related to the IT security domain. A CTF usually can be played in two main game modes; of course there are variations to them, but these are the two modes that you generally have. The first one is the attack and defense style and the second one is the Jeopardy style; you'll see in the next slides what I mean by that. Over the years it's
absolutely crazy how the community grew. When we started playing there were just a handful of CTFs per year; now if you check out how many CTFs there are, you can actually play a CTF every weekend. All these CTFs are usually organized by other CTF teams, so there's a lot of work also done by other teams to organize these CTFs, and it's essentially all completely community driven, and if you want, you can relatively easily be part of that as well. That's essentially what the goal of this talk is.

Now I mentioned the Jeopardy-style CTF. That is the easiest game mode that you have and it's also the easiest to organize, because it resembles a Jeopardy game, the American game show, where we have different categories of puzzles with different difficulties, and according to the difficulty you are awarded a certain amount of points when you solve that challenge. Either the amount of points is fixed, so you get, I don't know, 100, 200, 300, 400, 500 points for a challenge according to the difficulty, or nowadays often we have dynamic scoring, so the more often a challenge is solved by people, the fewer points you're going to get, because it's actually relatively hard to define what your challenge should be worth. To play that game is actually really easy: you just pick a challenge, you look at it and you try to solve it, you submit the flag on a web interface somewhere, you get points, and you just repeat that until you have solved everything or you are in first place. Of course the winner is the team with the most points; if there is a tie, the team that got first to that amount of points wins.

The typical categories that you have in a Jeopardy-style CTF are stuff like, for example, pwn, where you have classic binary exploitation: you get some network service somewhere and you need to connect to that service and do some weird stuff to it to get code execution and run your own programs on that machine that
you're owning. Crypto: custom crypto algorithms that are implemented, or crypto algorithms that are used in a wrong way, where you need to find out why that is, and then you can use that to usually decrypt something or recreate a key or whatever. Web: the usual stuff, that's just web applications in all kinds of different frameworks, server side and client side and whatever there all is. Or, if you're ESPR, we had a joke category once, I think, where we put browser exploits in there, so it's not really web, but that was just a joke. And then stuff like reversing, for example, where you have to reverse engineer some executable and try to find out what it does, and reverse engineer some mathematical calculations and whatever.

The next game mode is attack and defense, and that's the more classic mode. There are just a few per year, because it's very hard to organize, because you "hack", in quotation marks, real services on real networks. Every team gets a virtual machine image, which essentially is a server which contains services that are specifically crafted for that CTF, where somebody placed bugs in there, and all these machines are connected over VPN and the teams can reach each other. The goal is that everybody hacks the services of everybody else and steals data from these vulnerable machines, and then you can submit that to a game server and then you are awarded scores. And of course, if you have full control over the machine, your task is not only to exploit the other teams but also to fix your own stuff so that you don't get exploited anymore. You also need to make sure that your services stay up, because if they are down, usually you don't get any points awarded for flags you steal and stuff like that. So there are three main things you need to do: you need to fix your stuff and remove the bugs, you need to find the bugs and exploit them on other people's machines, and you need to keep everything online. Yeah, as I said,
the main scores there are usually offense, defense and SLA. That's what I mentioned: either attack other people's services, defend your own services, and keep them online. This is usually played in rounds; every round starts from scratch and you get points awarded per round, and after that all the points are added up and the team with the most points wins. There are a few things that are different in every attack and defense CTF in terms of the rules, but that's the general stuff that always happens.

This is what a typical scoreboard looks like when you play an attack and defense CTF. This, for example, was from RuCTFE, and yeah, I took the one where we were in first place. In the different columns you see all the services that are available, like for example crash, the bin, weather, cartographer and so on, and the red and blue boxes mean the service is up or is down. You can see how many flags we scored, what the SLA was in percent, so how much uptime versus downtime did we have, how many flags we lost, that's the number in the bottom right corner in every box, like minus 32 for crash, so we lost 32 flags there, and we stole 15,000 flags, and then the FP is just the flag points. Yeah, you add everything together and you get your main score and a ranking of the teams.

So now that you know how to play a CTF, why even do it? I mean, yeah, so it's relatively obvious: it's pretty cool to play, because you can actually hack stuff completely legally, because, well, that's part of the game. It's fun, it's fun to learn new stuff, and you learn a lot of new stuff during the CTF, but also after the CTF when you talk to other teams and try to find out what the solution was and everything. And yeah, you make friends during that. For example, one of our friends is the Polish team Dragon Sector, and every time we meet we have some beers and we chat about the CTF and everything, and we actually made some good friends there, and
also you may be able to travel around the world. So CTFs are held locally, sometimes you need to qualify for it, and then you can fly around the world and play a CTF locally and maybe even win something.

So yeah, our CTF that we organized: we do this, as already announced, every year since 28C3. I can see a few logos there from the past years; we always try to match the congress theme. This year, in the main CTF, we had 636 teams that at least submitted one flag. We had a small task that we called sanity check, where you just needed to paste a string into the flag box, just to see how many teams were online, and yeah, that was 636 teams. We had 30 challenges, and these 636 teams solved them 1457 times, so 1457 flags were submitted by all the teams on all the tasks. We also had a few guest challenges this year, so not all challenges were made by us, so we would like to thank Kokyo, Teteys, Jay Voizin, Kubaza and Jörnschen for ideas or even complete challenges that we were able to deploy and have the people solve. The three winners are KGC and Macaroni, Paaston in second place, and Dragon Sector in third, so yeah, congratulations again to them.

Because every year this CTF got more and more complicated and very hard to solve for beginners, last year we introduced the Junior CTF with easier challenges that more closely match the difficulty level from when we actually started playing CTF. And there we have the same stats: we had 520 teams, so not that many teams, but 33 challenges that we deployed and 2761 solves in total, so they solved actually more stuff than the main CTF in terms of raw numbers of challenges. Again we had some guest challenges by Gehax, Dominuk, Prome and Trolldemorted, so thank you, and the winners are a mate in MIM, the second place is SNO and the third one is Zahac.

So now that you know what is going on during a CTF, what do you need if you really want to play? So the first thing you need is
actually a CTF. There is a cool website that's called CTFtime.org; you can check it out and get a listing of all upcoming CTFs, and you can just register for that CTF, and then once it goes live you can play. In terms of skills you don't need that much. You actually need to be able to program; you need to know a scripting language to do all your dirty work, like if you need to parse a file or, I don't know, dissect some network traffic, stuff like that. For reverse engineering and binary exploitation you absolutely, unfortunately, need to know assembly language and a bit of reverse engineering skills. To tie all that together you need basic Linux shell skills, because the tools on Linux are just, well, better suited than on Windows, but of course on Windows you can just use the Linux subsystem nowadays, it works the same. To learn pwning and binary exploitation you can play so-called wargames; on the last slide there are a few links, you can check them out. A wargame is essentially a CTF that's always online and you can go through it at your own pace without any time restrictions. You can check out older CTF challenges; there are archives on the internet, you can just download them and run them locally and try to exploit them. And there are so-called write-ups by other CTF teams: sometimes when another CTF team solved a challenge and they thought it was a cool challenge, somebody's going to do a write-up on that and explain in a blog post or whatever how it was solved, so you can read that and learn stuff. If you're more of a video person, there's somebody on YouTube called LiveOverflow from the CTF scene, and he's doing awesome videos on different CTF tasks, and he goes through how he solved it and what the idea behind the challenge was and so on. And of course you don't want to play this alone, because it's more fun to do this with other people, so just use the internet, try to
find groups, try to find like-minded people, or just go to a hackerspace and ask around if somebody's interested, and every now and then you can play a CTF or do the wargame stuff and so on, just like we did. Okay, now that we explained to you what is going on during a CTF, I'd like to hand over to Molly, who is going to show you some challenges we had.

Okay, hi. I'm going to give you an idea how to approach such CTF challenges, and I can highly recommend this book by G. Pólya on how to solve problems. As an example I took a challenge from the Junior CTF called blind, and this is the description: hacking blind, and then a URL with the path to the flag. It's estimated as a medium difficulty challenge, at least in the Junior CTF, and it's based on a bug found by Ripstack in 2017. To approach a challenge it is needed to understand the problem first, right? So when you go to this URL you are presented with this source code, it's PHP source code, and we're going to walk through it. The first part of the source code is actually a hint; it's not needed to exploit the challenge, but it's hinting at a vulnerability called PHP object injection, and this actually was a bug where you could include local files until PHP 5.3, but we use PHP 7.2. The next block is a bit of boilerplate code: we have two classes called black and green, and what they do is only setting the colors of the syntax highlighting, and if you provide a store URL parameter you can save the theme in a cookie, which is important for later. The next section was an interesting part, because it hints already at the path to exploitation. In the first step you get the theme URL GET parameter and store it in this variable; in the next line you check if it's either the black class name or the green class name; then you check if this class actually exists; you set the variables depending on the input from the URL parameters, and this is the
interesting part: now you instantiate an object of the given class, which could either be black or green, and you have full control over the parameters you give to the constructor of this class. The next part of the code was also storing the theme, but this time from the cookie, and then you check if the first part of the cookie is an existing class, then you pass the parameters which are stored in the cookie to the constructor of the class and you instantiate an object of that class. The last part is just giving you some info on what modules are loaded. So the bug was simply that you could instantiate an arbitrary PHP object and you control the arguments for its constructor.

So the next step is to make a plan, so we try to get together all the things we are given and what we want to do. We have full control over the data in the cookie, we can instantiate a PHP object of an existing class, and we control the arguments. So what we have to do now is find a class which does nice things, like reading a file, when given specific arguments, and there is this handy class called SimpleXMLElement, which is able to read XML files from a remote source, and if you set the option to 2 it will even substitute entities in the XML file, so this will be important later.

Now we have to carry out the plan. This is the easy exploit: we set a cookie called theme, the first part of the cookie is our class name, SimpleXMLElement, and the second part is the path to the flag, and as you can see the flag is printed in the warnings right there. So this only works because warnings were enabled. The next thing you do when solving problems is looking back: how could we approach the challenge in a different way or with different constraints? If the warnings weren't enabled we were kind of blind, that's where the challenge name comes from, and we don't get output. With XML you can include external entities; it works like that:
you declare an entity and give it a path name, and then you include it in the XML, and this is how you could exploit it. You get a second XML file from your own server, which is at the bottom of the slides, and it gets the flag and sends its contents to your own server. So when you execute a simple exploit like this, you start a PHP server and then you call this URL with curl, you get presented with a request that looks like that, and because we encoded the flag with base64 we have to decode it, and then you get the flag this way. So the next part is for the main CTF, by Saelo.

Yeah, thank you. Okay, yeah, thanks. So now you just saw an example of a rather typical web CTF challenge. Now we have a lot of teams that are really, really skilled; they have been playing CTF for many years, they do computer security as their day-to-day job, and so of course we also want to make a very challenging and interesting CTF for these teams, right? So one thing we do is we try to make somewhat realistic challenges based on real-world software and vulnerabilities. So yeah, on this slide you see some logos of software that we based challenges on in some way for this CTF. Now, one fun fact: we actually this time had three different teams use zero-days, so instead of solving the challenge in the intended way they used zero-days for the software, which is fair game. Yeah, I don't know what that says about our CTF, but it's pretty interesting. So what I want to do now is just present two of these challenges. I'm going to present a browser exploitation challenge a little bit and talk a bit about the setup, how to host such a challenge, etc.

Yeah, so we had browser exploitation challenges the last two years already. Now, for some years, browsers come with a sandbox, right? So if you just have one vulnerability in the rendering stuff, where it renders the HTML, that's not enough to fully compromise the browser. The last years we only had the rendering exploit part, so the
real browser stuff but no sandbox. Now this year we decided we should do a full, like a real browser exploit challenge, with two parts: one part is the rendering exploit, WebKit this time, and the other part is the sandbox escape, and we based that off of real exploit chains that were presented this year or last year. So how do you make such a browser challenge? What we did is we took WebKit this time; last year we had Chrome and the year before Firefox. So this year we used WebKit, which is the browser engine powering Safari, for example, and we implemented some buggy optimization somewhere in the JavaScript part. So this is the first thing: there's one vulnerability there in WebKit. The next thing we did, we wrote some macOS system services, again kind of based on real vulnerabilities that were presented this year, and so they were of course also buggy in some way, they had some vulnerabilities. Then we deployed both the modified Safari and those system services to a macOS virtual machine. So then what users can do is, on the top right you see that they get a website where they can submit a URL to their exploit, right? So it's a browser exploit, so the exploit is going to be some web page; they can type in the URL for the exploit here, and then what happens is, on our servers it will boot up this virtual machine, open Safari with that URL, and then the users will get back a video of that virtual machine booting up. The goal of the task here is to read /flag or /flag.txt, so some file on the file system, and what they could do is display it on the screen, and then they would see it in the video.

So yeah, here's pretty much how it looked like from a player's perspective. What they would do for this challenge is they would get from us a WebKit patch and those macOS services as binaries, so they would have to reverse engineer them. Then they go and audit for
vulnerabilities, hopefully find some, and they would write exploits. In this case it's a malicious website; they will host that on some server that they control with a public IP address and then submit this URL to our scoreboard service, and then again that spins up this virtual machine, records the video and shows that video to the players. So here's how it looks like, I hope it works. Yes, so this is exactly what the players would get after typing in the URL into the scoreboard: they would get this video feed. So let's see what happened here. Yeah, in the background you see the modified Safari, which is opening the player's URL, and it's printing some stuff from the exploit, blah blah blah, and then it does a WebKit exploit, so it can now run the attacker's code in the WebKit process, and then it's exploiting these system services that we wrote, which are running outside of the sandbox, and so then it can open or run any commands outside of the sandbox on the system. In this case the exploit starts this text editor app and lets it open /flag.txt, and it's probably pretty small, but in the top left you can see it's showing you the flag, and now you have to type this into the scoreboard and then you get your points.

Yeah, so why do we think this is a nice challenge, or why do you want to solve this? Of course, I mean, this gives you lots of points for the CTF. This is actually not one challenge but three challenges: we made it so that you could solve the sandbox escape part regardless of whether you had this WebKit exploit working. So there was one flag that you got if you only had the WebKit, that's the Safari part; there was one other flag that you get if you only have the sandbox escape; and then there's a third flag if you have both and you combine them into a single exploit, yeah, then you get the third flag. But apart from CTF, we try to also make these challenges so that you maybe are able to learn something new, right? So the WebKit
part could hopefully teach you, or hopefully you would learn, a little bit more about JavaScript or just-in-time compiler vulnerabilities on the path to solving that, or the macOS services, yeah, we made them so it gives you an easy entry into macOS security, right? So this is, yeah, something to keep in mind. We will release source code, so for this challenge here it's going to be up in some hours, probably, on my GitHub, and then, yeah, it tries to make it easy to transition from the CTF and maybe go to the real-world security scene with challenges like these that, with source code, give you a nice entry. Yeah, and that's it from me, and next up is Andy again. Thank you.

Challenge number two, and those of you who are old enough, you're going to remember this phone, right? So the story behind my challenge was that I privately was interested in GSM stuff and I just wanted to know how stuff works and so on. So I set up a GSM network at home with a software-defined radio and everything and used old Nokia phones and so on, and then I got an idea and I built my own phone. What you can see here is part of the challenge. You can see that I reimplemented the UI of a Nokia phone, essentially, and it locks onto a GSM network which is not using radio waves, but the GSM traffic is sent over UDP multicast traffic in the core network, and then I also have like my SDR on there, so that my own phone can talk to the real phone; that's what you just saw. I found this feature that the challenge uses, where you don't have radio waves for communication with the GSM network; it is usually used for unit tests by the developers of the network services to run your own GSM network, because they don't want to mess with radios and everything just to test their software, so they implemented this Ethernet layer to do GSM, and that was perfect for a CTF challenge, because we don't only have local players. So in theory I could just set up a few SDRs and transmit my own
GSM network, if you have the right licenses to do so in the RF spectrum, that being another issue, but in theory you could do that. But somebody from the US or wherever else is not able to participate in the challenge, and we always want to have the capability for remote players to play as well. So I set up an OpenVPN tunnel, essentially, where the network lives in, and your own phone, this target phone that you could exploit, and then I joined the network using this UDP multicast stuff, so it was absolutely perfect for that.

So what I implemented actually is a bug in concatenated SMS. The phone only has two features: it can send SMS and it can receive SMS, and your task was to have a phone somewhere on the network that you can only interact with over the network, so you can only send it SMS essentially, but you can send it arbitrary SMS, you can send whatever you want: you can adhere to the standard, but you can also send whatever you want and not adhere to the standard and do weird stuff. On the old Nokia phones SMS only have 160 characters, and on the later Nokia phones you had this thing on the right where it told you how many characters you have left for the SMS, and then a slash and then how many SMS you already wrote, essentially, because what it would do is it would split the SMS message apart every few hundred characters and then put a header in front of the SMS, send one, two or three SMS to the other phone, and then the other phone would start to reassemble these SMS once they all arrive. And yeah, so in this case the SMS can be split up into up to three parts, but the standard allows up to 254 SMS actually. All these SMS contain some data, as I said, in front in the header, and they also contain an index of what part that actually is, and it starts from one and it goes up to 254; in this case you can, well, use one, two or three. The SMS content that I'm going to reassemble is somewhere in a local
stack buffer, and the location where the decoded text from that one SMS part is copied to when reassembled is based on the number of the part of that SMS, and in my challenge I'm never checking if that number is actually one, two or three, so you can set it to four, five, six, seven, eight, whatever, and you would write outside of that buffer. Because that buffer is on the stack, and the way processes work is they save some information on the stack to keep track of where they were before they called a function, to return to that location once they are done with certain tasks, you can overwrite that value and hijack the control flow and then use a technique called ROP to gain code execution on the phone and execute some code there, much like Saelo showed with the browser where you open the text editor. You can connect to another host and get a Linux shell essentially on the phone, and then you can open the flag with that.

That was the talk. I would like to thank the whole CTF community, the players that played our CTF, other teams that organize the CTFs, and everybody in the CTF community for being that cool and putting that much effort into not only playing our CTF but also organizing CTFs for us to play. I also want to thank the assembly team here at the C3, because we got our own area this year where all the CTF teams that were here locally could gather around, and it was absolutely perfect. It looked so cool seeing like 200 hackers sitting at the tables in a space together and just solving our challenges, it was absolutely amazing. And yeah, thanks again to our guest authors for the challenges, and yeah, we would be open for questions and answers now. Oh, and one other thing: if you are interested in playing CTF, here are a few links with the resources that I mentioned earlier, check them out; these are wargames, CTFtime and LiveOverflow's YouTube channel, check it out if you're interested. And yeah, we hope that you're part of the CTF
community soon.

Maybe I can already see that there are some questions in the audience, so I would like to start with microphone number two.

Thanks for the talk. Actually, my university security course was a graded CTF; we got the grades based on our points in the CTF. What are your opinions about this kind of grading? How do you feel about university learning places doing CTFs for grades?

I mean, for us it's a hobby, and also for us it was a great way to learn new things, so I'm personally not completely opposed to that. I don't know if I would maybe make the grading dependent on the points, but I think it's a great thing to do just as a learning experience. So no matter if that's at a university or if you do it in private life, if you just play, you're always learning. We also, when we solve some challenges from other teams, we always learn, we are always learning new tricks, new stuff and so on, so I don't think it's a bad idea.

Thank you for that question. The next question is coming from the microphone over there.

What do you do when you are stuck on a task?

Good question. Often it helps to get somebody else from the team; just take a break and go through your findings with somebody who is completely unaware of what the challenge looked like and just talk about the challenge. Either the other person still has some more ideas to try, even though that person might have never looked at the challenge, or you are reiterating everything that you have done over the last few hours by just explaining it to somebody else, and maybe then you get another idea where to look. Or, I don't know, start googling stuff; maybe there was a similar bug in some other software. There are multiple things to do, but it also happens a lot of times that we are not able to solve the challenge. So playing CTF can actually also be frustrating, because you're sitting for 12 hours on a challenge and you just can't make this thing work and you have no idea
how to solve it. That happens as well, because you're just missing a trick, but what you then do afterwards is you ask other teams, you ask in the IRC channels of the CTF how that was solved, you ask for write-ups, you read the write-ups, you ask other people from the team when you see each other next time in person, for example here at the congress, and so on, and that's how you gain more and more knowledge and experience over time and learn your stuff.

We can take one more question. Is someone waiting at microphone number two again?

First of all, is this working? Yeah, okay, sorry. First of all, thank you very much for hosting the CTF, it's highly appreciated, also that you're doing browser exploitation challenges, given that it's really hard to set them up and host them for everyone. My question is, what's your take on having people solve challenges in real-world software that you didn't modify, as in, like, this implicitly disclosing bugs in software?

I'm not sure if I got the question, so you mean people using zero-days for solving our challenges? No, we're not... I mean, all the challenges had modifications, so they had an intended solution that's not a 0-day. It's real-world challenges, right? So it doesn't really get more real world than using a 0-day, so we are not against it, except if it's against challenge infrastructure, which is not the case here, so it's fair game for us. I guess the players, they trust us and they trust that nothing happens to their 0-days, that's why they do it, or some of them. But yeah, so also I think we can all agree that even if we have a 0-day, the right thing to do would still be to responsibly disclose and not put it out on the internet to put other people in danger. I mean, I never saw that actually happen during a CTF, that there was some leaked 0-day that suddenly got in the wild and endangered like normal users; so far this never happened. Let's hope that
stays that way. I mean, it would be bad if it would happen.

Thank you very much. Unfortunately the time for our question and answer is over, but I'm pretty sure the speakers will answer all your other questions after the talk. Please give a large round of applause for Andy, Malle and Saelo. Thank you.
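The concatenated-SMS bug Andy describes in the phone challenge (the part index taken from the user data header is used as the copy offset into a fixed buffer and is never checked against the three parts the phone expects), as an added example that is not code from the talk or from the challenge itself. The header layout (a 6-byte concatenation UDH: UDHL 0x05, IEI 0x00, IEDL 0x03, reference, total, 1-based index, followed by the part's text as plain bytes), the three-slot buffer and all function names are assumptions for illustration; the sample PDUs are constructed inline. The unchecked slot computation is shown beside a hardened reassembler that validates `total` and `index` before touching the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative reassembler, not the challenge's code. Assumed part layout:
 * a 6-byte concatenation header  UDHL=0x05 IEI=0x00 IEDL=0x03 ref total index
 * (index is 1-based), followed by the part's text as plain bytes. */
#define UDH_LEN       6
#define PART_TEXT_MAX 153   /* 160 septets minus the header */
#define MAX_PARTS     3     /* the phone in the talk only expects parts 1..3 */

struct sms_part {
    uint8_t ref, total, index;
    const uint8_t *text;
    size_t text_len;
};

struct reassembly {
    uint8_t ref, total, seen_mask;
    size_t slot_len[MAX_PARTS];
    char slot[MAX_PARTS][PART_TEXT_MAX + 1];   /* fixed-size buffer, as on the phone */
};

/* Build one part PDU into buf (helper for the constructed sample input). */
size_t make_part(uint8_t *buf, uint8_t ref, uint8_t total, uint8_t index, const char *text)
{
    size_t n = strlen(text);
    buf[0] = 0x05; buf[1] = 0x00; buf[2] = 0x03;
    buf[3] = ref;  buf[4] = total; buf[5] = index;
    memcpy(buf + UDH_LEN, text, n);
    return UDH_LEN + n;
}

/* Parse the header; returns 0 on success, -1 if malformed or the text is too long. */
int parse_concat_part(const uint8_t *pdu, size_t len, struct sms_part *out)
{
    if (len < UDH_LEN || pdu[0] != 0x05 || pdu[1] != 0x00 || pdu[2] != 0x03)
        return -1;
    out->ref = pdu[3]; out->total = pdu[4]; out->index = pdu[5];
    out->text = pdu + UDH_LEN;
    out->text_len = len - UDH_LEN;
    return out->text_len <= PART_TEXT_MAX ? 0 : -1;
}

/* The bug from the talk: the slot is chosen from the attacker's index with no
 * check. Index 4..255 selects a slot past slot[2]; index 0 wraps to 255.
 * This returns the slot index it would use, so the overflow is visible
 * without actually performing the out-of-bounds write. */
size_t vulnerable_slot(const struct sms_part *p)
{
    return (size_t)(uint8_t)(p->index - 1);
}

/* Hardened reassembly. Returns 1 when all parts are present, 0 if more are
 * expected, -1 when the part is rejected. */
int reassemble_part(struct reassembly *r, const struct sms_part *p)
{
    if (p->total < 1 || p->total > MAX_PARTS) return -1;
    if (p->index < 1 || p->index > p->total) return -1;   /* the missing check */
    if (r->seen_mask == 0) { r->ref = p->ref; r->total = p->total; }
    else if (r->ref != p->ref || r->total != p->total) return -1;
    size_t i = (size_t)(p->index - 1);
    memcpy(r->slot[i], p->text, p->text_len);
    r->slot[i][p->text_len] = '\0';
    r->slot_len[i] = p->text_len;
    r->seen_mask |= (uint8_t)(1u << i);
    return r->seen_mask == (uint8_t)((1u << r->total) - 1) ? 1 : 0;
}

/* Concatenate the slots in index order; out must hold MAX_PARTS*PART_TEXT_MAX+1 bytes. */
size_t reassembled_text(const struct reassembly *r, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < r->total; i++) {
        memcpy(out + n, r->slot[i], r->slot_len[i]);
        n += r->slot_len[i];
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    uint8_t pdu[UDH_LEN + PART_TEXT_MAX];
    struct reassembly r = {0};
    struct sms_part p;
    char msg[MAX_PARTS * PART_TEXT_MAX + 1];
    const char *chunks[3] = {"Hello, ", "concat", "enated SMS"};   /* constructed input */

    for (uint8_t i = 0; i < 3; i++) {
        size_t n = make_part(pdu, 0x42, 3, (uint8_t)(i + 1), chunks[i]);
        if (parse_concat_part(pdu, n, &p) == 0 && reassemble_part(&r, &p) == 1) {
            reassembled_text(&r, msg);
            printf("complete: %s\n", msg);
        }
    }
    /* the attacker's part: index 7 of a 3-part message */
    size_t n = make_part(pdu, 0x42, 3, 7, "AAAA");
    parse_concat_part(pdu, n, &p);
    printf("unchecked slot %zu (buffer has %d); hardened: %d\n",
           vulnerable_slot(&p), MAX_PARTS, reassemble_part(&r, &p));
    return 0;
}
```

On the phone the slots live in a local stack buffer, so `vulnerable_slot` returning 6 means the part text is copied 3 slots past the end of the array, into whatever sits above it on the stack, which is how the saved return address gets overwritten. The hardened version rejects the part before any copy; a conservative reassembler also refuses a part whose `ref` or `total` differs from the first one seen, as done here.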