Folks, I think most people are connected before class ends. I want to go through what's actually going to happen. So I'm recording this right now. I'll post it online so you can review it before Friday, and so you can make sure that everybody knows what's going on.

OK, so you have 100% full access. You have root access to the server. In the email, every team is on a network, 10.41.teamnumber.2. The team number is also in the name of your VM. It should be very clear what your team numbers are. It's 1 through 23, or 1 through 24, of the team numbers.

OK, so there's actually some information behind the firewall here. So this is why I sent information to the group leaders about proxies. So this -D 8080 is saying, set up a SOCKS proxy. So SSH is going to listen on my local port 8080, and any traffic that it gets, it's going to send out over that network. So I can do this. Now all of my traffic is going to be coming from that machine.

Well, first you have to configure Firefox. I actually, since I never use Firefox, I just keep Firefox always in proxy mode so that I can use it like that. Where are the settings for this? Firefox... there we go. Like, they always change these things. Advanced, Network, Settings. And you set the SOCKS proxy to be localhost, and the port is whatever you put there in the -D command. So for me, it's 8080. This is because this is what I SSH with, and I put -D 8080. This is saying, open a SOCKS proxy, listen on port 8080. This way, I'm telling Firefox to connect to the SOCKS proxy at localhost on port 8080.

So now once I do this, when I go to, let's say, we type in our team name or our team number here, I'm 10.41.23.2, and I'm accessing my team from here. So what port is this accessing on my server? 80, port 80 on my server. So it has a list of all the services. Like you see, there's a test service, www, that is running on port 9000. The machine I'm currently on is number 23. But I can change this.
The whole point is, on my server, there are two services running. A web server, a web calendar web service on port 9000, and a binary service listening on port 8000. Every single machine, every other team, so if you're one team, there's 23 other teams, every other team is running identical copies of these services. So by changing the IP, I can access team one's test service, team two's test service, and so on, all the way up to 23. So this is how you can access all the other teams. You can't SSH into their machine, but you can access them through the services.

So the question is, where do these services live on the actual machine, right? So this is my server, now I'm on it. Oh, crap. I didn't send you guys the passwords. That's right. Yes, for the scoreboard. OK, yes, I'll do that after this. So there is a scoreboard. There'll be a username and password, and I need to send that to you. I'm sorry, I forgot. Because otherwise, since this is how you submit flags, if another team has your password, they'll submit a flag as you, or, I guess, that would be good for you, whatever, we don't want to allow that. So there's a scoreboard that shows you the services, it shows you how everyone is doing, everything like that.

But where does everything live, right? That's the important thing. So first off, the first thing you should check out is what users are present on our system, right? Or what users have home directories on our system. To check out the users, we check out /etc/passwd, right? So we have several users here. We have the www user, which is the default port 80 page that we saw, so that's actually not interesting. Or maybe it is, maybe I put it back over there, but I have it there intentionally. The ubuntu user is the one I use to administer the servers, so don't mess with this. ctf is your account, right? This is how you're playing with these things. scorebot is also incredibly important.
So we'll talk about the scorebot in a second. Do not mess with the scorebot directory. These other two, test service binary and test service www, right, these are the very important ones. So if we look in the test service binary home directory, we'll see we actually have to sudo, because the permissions here are that we are in the "other" category right here and we have zero permissions, right? This makes sense because we have multiple binaries running, so you wouldn't want binaries to be messing with each other. So if we look in here, we see that there is a testservice, there's testservice.c. So I can look at this, I can see, please enter a command, read in 100 characters into a command, enter an argument, and then some things happen. But I said that these are running on, on port what? 8000, yeah, right? So I can use netcat to localhost 8000, and now I'm interacting with this service, so I can enter a command, and it'll give me output, right? So you can all do this, and when I'm accessing localhost, I'm really accessing 10.41.23.2, and I can access anybody else's binary service by changing the IP address, right? So we're accessing these things over the network.

But is this actually a network service? Any networking commands in here? It fits in one page. No, it's just printing stuff out, right? It's printing things out, it's using printf and scanf. So we're using the magic of a program called xinetd. It's a daemon that listens on certain ports that we tell it to, and then invokes programs whenever it gets input there. So it's actually a super cool, easy way to turn a binary application into a network application. So if we look at, all of you should look at your xinetd.d directory, there is a test service binary file in there. And so if we look at that, we can see that this is what's actually configuring our service.
So it's saying that it's running, it's expecting TCP connections on port 8000. It will accept connections from any host, and it is using the user test service binary. And when it gets executed, it executes this testservice program. And every time a connection comes in, it spawns a new testservice process. And the cool thing is this testservice process thinks that it's using standard in and standard out, but it's really happening over a network. So it makes writing it from my perspective a lot easier, and understanding what's going on from your perspective also easier. Questions on that? Yes. So to patch that, all you have to do is just recompile the code and then everything works by magic? Yes. So if you recompile, whatever the executable is in, let's see, where's the config? Right, whatever executable you put in here as the server, any incoming connection on port 8000 will go to that. So if you want to patch testservice, you change the code and then put it here. Make sense?

So during the competition, one of the things is, how do I find out what services are running? Well, A, on port 80 of your machine will be the list of all the services and all the ports. You will also be able to see inside the xinetd.d directory; all the service descriptions will be there. So you'll know exactly what files are being executed based on what ports.

Now the question is, where does the web stuff live? What is the test service www? So if you look inside here, it's got a flag, it's got a public_html directory, so if you look at the public_html directory, it's got a cgi-bin, and it's got an index.php page. So this is the content of whatever's running on port 9000 here, and there's some other stuff in here, so you don't have to play around with it.
So the configuration for this, if you want to know what maps, specifically, what port to what user, I believe, is in /etc, Apache, sites-enabled. Yes, so inside sites-enabled, there's a test service www configuration, and looking at that tells you that port 9000 gets mapped to test service www's public_html/cgi-bin. And the important thing is to not mess with the public_html/cgi-bin, because Apache is set up specially such that the incoming request executes as this user, not as any other user. So that way it's not executing with root permissions or as www, it's executing specifically as this user when it gets executed. Questions on how to map ports to services?

So what's the goal? So inside the home directories, inside test service www, we have a flag, and the flag is owned by root, but readable by the test service www group. And the same thing in test service binary, there's also a flag that's readable and writable by root, but readable by, oh, that's wrong. It should be readable by test service binary. And so the idea is, so this one's broken, but if we go here, so what did the code look like for the index.php page? What is this doing? If there is a test parameter that we can get, then based on that, if it is not set, it returns this hello world page, or else it actually includes the code. So test can be a PHP file. Right? Yeah, could be. So here's my page, right? So what case is this? Is it equal to yes? So this has a test GET parameter, and that's equal to... no. Yeah, so here there's no parameter in the URL. So it outputs this page, and then I'm going to go to the hello world, I try test, I go here, and it outputs yes. So why does it output yes? So there's a PHP file that has the same name as the test parameter, and it's including that file. Is it a PHP file? Yes. So how do you exploit this to get the flag? Like creating our own file? Yeah, that would be creating the flag.
How are you going to create your own file, though, with this service? I can do it on my server, I can't do it on your server, right? Yeah, but we would change the link of the yes file. How do you change the link? I don't have access to your machine, I only have access to mine. Directory traversal, because we are here in cgi-bin, we go up one directory, up one directory. So we're trying to access test service www flag. So we see that flag there, and we submit this on the submission system, and we get some flag points. We get some points.

Questions on kind of basic operations? I have to fix the scoreboard and stuff so I can show you how you would submit things. The gamebot is broken at the moment, it's not actually distributing flags, it's a fake flag, go ahead and play. Can you create a video on it? I'm creating it right now. All this is being recorded. Other questions? Yes, where are the other services gonna be? What side are they? This is one service and one flag. Yes. So we're gonna have many services, where are they gonna be? They will be, depending on what they are and what I'm gonna call them, they will have a user and they'll either be web pages or they will be binary services. So it should be clear the mapping, including ports and services and what they are. So are all the flags supposed to be just like in a random place, or anywhere? Hey guys, just a minute, let me answer these questions so we're not all talking over the recording. So there are multiple, so there's gonna be, there'll be flags set every 10 minutes, let's say. So new flags will be set. Each service has its own flag. So you should not be able to break into one service and access the other services' flags. So every service has its own flag, it will be named flag, and everything will start with the letters FLG, so it will be super, super, super clear. We'll have different services with different applications, right? Yes, there'll be different services.
They will each be different. That's why you have teams, so you can kind of all work on different things. Yeah, please. Are the services gonna be there from the beginning? Yes, all services will be there from the beginning. They'll have access to source? Probably, yeah, source. You'll have access to source code and everything, so that should be good. Are we allowed to use any tools?

Okay, so let's talk about this. So we need to establish some ground rules. Okay, so A, part of what we're doing is we're actually checking that your services are available, right? Like I said, the scoreboard will tell you which ones of your services are up. So you can't just, for instance, for the one we just saw, right, the index.php page, did we just completely remove this functionality? Have we gotten rid of the vulnerability? Yes. Have we removed significant functionality from the application? Also yes, right? So the test scripts are testing to make sure that you don't remove the functionality. It also means that you can't block traffic into your machine from the other machines. So you can't just firewall off access to these IPs, so your ports need to be accessible from every other team. So that's out of bounds. You can't just firewall off your ports to the other teams, that's super lame.

Okay, some other rules. You can pretty much do, I think, almost anything you want. The other big thing that I have to ask, because I've been trying to figure out something on the side, and I don't think there's a really good technical way we can do this, but the binaries, like we've been seeing, right, we've been playing with binaries that have ASLR disabled and that have all these security features disabled, right? So just compiling those with the correct flags is super lame. I mean, we haven't really gone over how to do more advanced exploits that get around ASLR and all of those things, right?
So, you know, enabling ASLR on your system or doing something like that is super lame, so let's all agree we're not going to do that, right? It's much cooler to actually fix the vulnerability than to just recompile it and hope that things go away, right? So I'll set it up so that when you do GCC, it automatically does all the flags for you, so you don't have to worry about that when you're compiling everything. So that way you don't have to think about it, but don't be that person that tries to get around it like that, right? It's only an hour and 15 minutes, right? So the challenges have to be small enough that you're not going to spend the eight or 10 or 12 hours that it took you to break one level on the homework assignments. There may be one crazy level, we'll see, but, you know, it has to be simple enough that you can exploit it without all these defensive techniques. So I think that'll be fun for everyone. Everyone agree with those?

Okay, third thing, it is super easy sometimes to mess things up. If you change something, you've changed something, maybe a setuid root or something. So if you do get root on somebody else's system, I don't know, let me know, send me an email, send me a screenshot or something, but don't, you know, it's only an hour and 15 minutes, it's hard to recover from that. So don't do anything malicious and ruin the fun for everyone else, right? Because they're competing just like you. Come with me. No, that's super lame. Can we change values or environment variables that the program reads? In one way, but you can't change any of the input-output, because that's part of the specification of the program. I think that's probably all I'll say. But remember, right, remember, patching, fixing yourself is important, but you're gonna get way more points by exploiting. Like every time you submit a flag, it's gonna be 50 or 100 points, right?
So like, developing a new exploit and being able to exploit all the other teams and submit their flags, right? You get significantly more points than if you just spend your time doing defense. Well, now you've just limited what other people can get, but you have really increased your score. So it's only gonna come out if you're like neck and neck with another team, you'll eke out the win that way. How do we submit the flags? The flags will be submitted through the scoreboard. So I don't have that working right now, and I want to get through all of this. So what I'll do is I'll leave this test environment open until Sunday, let's say, and then I'll kill it on Sunday. I'll send out emails and everything, so that way. And I'll send out emails when the flag system is running and putting new flags in, because I have to update some configuration options, because I messed up on the level. So I have to make sure that's all working. So when everything's working, you can practice submitting flags, all that stuff, which should be pretty cool.

All right, any other questions before we go? Yes? The flag is going to help you. Obviously, you're just not having anybody help you, right? No, no, it's definitely available. Yeah, yeah. So other teams get credit for that, too. And one of the things you should not be able to do, the system is supposed to be designed so that when you do exploit a level, you can't change the flag or anything else. Also, you should be able to remove your own flags, right? That's also super lame. The flags are just going to prove that you've won, that you've solved the challenge, right? You just change it to flag one, you're not just gonna find that, but that's fine. All right, good. Sweet. All right, see y'all on Friday, Monday. We'll be in touch.
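The index.php behaviour discussed in the lecture (include whatever file the test parameter names, which is why "../../flag" walks out of cgi-bin and reads the web user's flag) and the ground rule that a patch must keep the feature working, shown side by side. This is an added example and is not the course's own index.php; it models that PHP logic in Python on a throwaway directory tree, and the home directory layout, file names and the FLG sample value are constructed assumptions, not the VM's real paths. The hardened version keeps ?test= working for pages that really live in cgi-bin and refuses both traversal and a symlink that points outside it, which a name pattern alone would let through.

```python
import os
import re
import tempfile

INDEX_PAGE = "hello world\n"   # the default page returned when ?test= is absent


def build_demo_tree():
    """Constructed stand-in for the web user's home (assumed layout, not the
    course VM): the flag sits in the home directory and the PHP pages live two
    levels down in public_html/cgi-bin. Returns the cgi-bin path."""
    home = tempfile.mkdtemp(prefix="testservice-www-")
    cgi = os.path.join(home, "public_html", "cgi-bin")
    os.makedirs(cgi)
    with open(os.path.join(home, "flag"), "w") as f:
        f.write("FLGdemo0000\n")                      # constructed sample flag
    with open(os.path.join(cgi, "yes.php"), "w") as f:
        f.write("yes\n")                              # page served for ?test=yes.php
    # A symlink inside cgi-bin that points at the flag: its name looks harmless,
    # so only a check on the resolved path catches it.
    os.symlink(os.path.join(home, "flag"), os.path.join(cgi, "link.php"))
    return cgi


def vulnerable_page(cgi_dir, test=None):
    """Model of the original index.php: no parameter means the default page,
    otherwise include the named file relative to cgi-bin with no checks."""
    if test is None:
        return INDEX_PAGE
    with open(os.path.join(cgi_dir, test)) as f:   # "../../flag" escapes here
        return f.read()


# Allowed page names: a simple basename ending in .php. This alone blocks the
# traversal string but not a symlink, so a realpath check follows.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.php")


def hardened_page(cgi_dir, test=None):
    """Patched model: same feature, but the include is confined to cgi-bin.
    The scorebot still gets its page, while anything resolving outside the
    directory (traversal or symlink) is refused before the file is opened."""
    if test is None:
        return INDEX_PAGE
    if not SAFE_NAME.fullmatch(test):
        return "bad request\n"
    real_dir = os.path.realpath(cgi_dir)
    target = os.path.realpath(os.path.join(real_dir, test))
    if os.path.dirname(target) != real_dir:
        return "bad request\n"
    try:
        with open(target) as f:
            return f.read()
    except FileNotFoundError:
        return "no such page\n"


if __name__ == "__main__":
    cgi = build_demo_tree()
    for param in (None, "yes.php", "../../flag", "link.php"):
        print(f"{str(param):>12}: vulnerable={vulnerable_page(cgi, param)!r}"
              f" hardened={hardened_page(cgi, param)!r}")
```

Running the block prints one line per request: the vulnerable model hands back the flag for both "../../flag" and "link.php", while the hardened model still serves the default page and yes.php and answers "bad request" for the other two, which is the availability-preserving patch the rules call for rather than removing the include feature outright.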