CTFs
As a beginner's method for developing basic computer security skills
A bit about me
- Security researcher;
- Pentester and Infosec CTF player;
- ISEF 2020 finalist & alumnus;
- Alpinist (sometimes :D).
What are CTFs?
Types of CTFs
- Jeopardy;
- Attack and Defense (or hackme-s);
- King of the Hill;
- Linear;
- Mixed.
Overview of Jeopardy
Now, the fun part!
But some theory first...
Binary: What is the Stack?
Diagram: a stack holding Data #0, Data #1 and Data #2 as a First In Last Out (FILO) data structure. What is entered first will exit last; what is entered last will exit first.
Binary: What is the Stack?
#include <stdio.h>

int main(void) {
    char input[500];
    unsigned int deadbeef = 0xdeadbeef;
    scanf("%600s", input);   /* field width 600 on a 500-byte buffer: the input can overflow */
    return 0;
}
Diagram, the stack of a basic C program: return address, base pointer, input[500] and the local variable holding 0xdeadbeef.
Binary: What is shellcode?
main:
    xor eax, eax                    ; rax = 0
    mov rbx, 0xFF978CD091969DD1     ; the negated form of "/bin/sh\0"
    neg rbx                         ; rbx = 0x0068732f6e69622f = "/bin/sh\0"
    push rbx                        ; the string is now on the stack
    ;mov rdi, rsp
    push rsp
    pop rdi                         ; rdi = pointer to "/bin/sh" (pathname)
    cdq                             ; rdx = 0 (sign extension of eax): envp = NULL
    push rdx                        ; NULL that terminates argv
    push rdi                        ; argv[0] = "/bin/sh"
    ;mov rsi, rsp
    push rsp
    pop rsi                         ; rsi = pointer to argv
    mov al, 0x3b                    ; rax = 59 = execve on x86-64 Linux
    syscall
Basically, assembly code
\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48
\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05
Binary: Vulnerabilities & Exploits
Buffer overflow to overwrite variable
#include <stdio.h>

int main(void) {
    char input[500];
    unsigned int deadbeef = 0xdeadbeef;
    scanf("%600s", input);   /* up to 600 characters land in a 500-byte buffer */
    return 0;
}
Diagram: the same stack frame (return address, base pointer, input[500], 0xdeadbeef). The user inputs more than 500 characters, and the bytes written past the end of input[500] overwrite the variable next to it.
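To make the overwrite-the-variable idea concrete, here is an added example (not code from the slides): a constructed frame with a small buffer and the deadbeef variable placed directly behind it, with the unbounded read of the slide's program beside the bounded read that fixes it. The struct, BUF_LEN and the function names are ours, and the layout is constructed, since a real compiler orders locals as it likes.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed frame modelled on the slide's diagram: a fixed-size input
 * buffer followed directly by the 4-byte variable deadbeef, so that writing
 * past the buffer lands on it. BUF_LEN is kept small (the slide uses 500)
 * so the effect is easy to see. */
#define BUF_LEN 16
#define FRAME_LEN (BUF_LEN + 4)

struct frame {
    unsigned char bytes[FRAME_LEN];  /* bytes[0..15] = input, bytes[16..19] = deadbeef */
};

static void init_frame(struct frame *f) {
    uint32_t v = 0xdeadbeefu;
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + BUF_LEN, &v, sizeof v);
}

/* Reads the variable that sits right after the buffer. */
static uint32_t read_deadbeef(const struct frame *f) {
    uint32_t v;
    memcpy(&v, f->bytes + BUF_LEN, sizeof v);
    return v;
}

/* Vulnerable: trusts the length of the input, like scanf("%600s") into
 * input[500]. Only the frame size caps the write here so the demo stays
 * well-defined; on a real stack nothing caps it, and the write continues
 * into the saved base pointer and the return address. Returns bytes written. */
static size_t read_input_unbounded(struct frame *f, const char *user) {
    size_t n = strlen(user);
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, user, n);
    return n;
}

/* Hardened: the field width is one less than the buffer size, i.e. the
 * slide's scanf("%600s") becomes scanf("%499s"). "%15s" is BUF_LEN - 1:
 * sscanf stops after 15 characters and puts the terminating NUL inside the
 * buffer, so deadbeef is never touched. Returns the stored length. */
static size_t read_input_bounded(struct frame *f, const char *user) {
    if (sscanf(user, "%15s", (char *)f->bytes) != 1)
        f->bytes[0] = '\0';
    return strlen((const char *)f->bytes);
}

int main(void) {
    /* Constructed input: 24 'A's, longer than the 16-byte buffer. */
    const char *user = "AAAAAAAAAAAAAAAAAAAAAAAA";
    struct frame f;

    init_frame(&f);
    read_input_unbounded(&f, user);
    printf("unbounded: deadbeef = 0x%08x\n", read_deadbeef(&f));   /* 0x41414141 */

    init_frame(&f);
    read_input_bounded(&f, user);
    printf("bounded:   deadbeef = 0x%08x, input = \"%s\"\n",
           read_deadbeef(&f), (const char *)f.bytes);             /* 0xdeadbeef, 15 'A's */
    return 0;
}
```

The fix is the one-token change from the slide's scanf("%600s") to a width smaller than the buffer (scanf("%499s") for input[500]); fgets(input, sizeof input, stdin) is the other common way to bound the read.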
Binary: Vulnerabilities & Exploits
Buffer overflow with shellcode
#include <stdio.h>

int main(void) {
    char input[500];
    unsigned int deadbeef = 0xdeadbeef;
    scanf("%600s", input);   /* the same unbounded read; this time the input carries shellcode */
    return 0;
}
Diagram: the same stack frame (return address, base pointer, input[500], 0xdeadbeef). The user inputs more than 500 characters with shellcode, so the shellcode itself ends up on the stack.
Web: How does a basic web app work?
Diagram: a Client talks to the Web App through the External Firewall; the Web App uses its Web App Resources, and an Internal Firewall stands between it and the Secured Resources.
Web: Vulnerabilities & Exploits
Server-Side Request Forgery (SSRF)
Diagram: the same deployment, but now the Web App is made to send requests on the client's behalf, so it reaches the Secured Resources behind the Internal Firewall that the client could never reach directly.
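As an added example (not from the slides), the check a web app can run on a client-supplied URL before fetching it, so that the request cannot be pointed at the Secured Resources behind the Internal Firewall. The function names are ours, the sample URLs are constructed, and host names are only checked literally: a real service must also resolve the name, check every returned address the same way and connect to that address rather than resolving again.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Refuses loopback, private (RFC 1918), link-local and unspecified IPv4. */
static int ipv4_is_internal(const struct in_addr *a) {
    uint32_t ip = ntohl(a->s_addr);
    return (ip >> 24) == 0          /* 0.0.0.0/8 */
        || (ip >> 24) == 10         /* 10.0.0.0/8 */
        || (ip >> 24) == 127        /* 127.0.0.0/8 */
        || (ip >> 20) == 0xAC1      /* 172.16.0.0/12 */
        || (ip >> 16) == 0xC0A8     /* 192.168.0.0/16 */
        || (ip >> 16) == 0xA9FE;    /* 169.254.0.0/16 */
}

/* Same for IPv6, including IPv4-mapped addresses (::ffff:a.b.c.d). */
static int ipv6_is_internal(const struct in6_addr *a) {
    const unsigned char *b = a->s6_addr;
    static const unsigned char zero[15] = {0};
    static const unsigned char mapped[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    if (memcmp(b, zero, 15) == 0 && b[15] <= 1) return 1;   /* :: and ::1 */
    if ((b[0] & 0xfe) == 0xfc) return 1;                     /* fc00::/7 unique local */
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return 1;     /* fe80::/10 link-local */
    if (memcmp(b, mapped, 12) == 0) {
        struct in_addr v4;
        memcpy(&v4, b + 12, 4);
        return ipv4_is_internal(&v4);
    }
    return 0;
}

/* Case-insensitive equality of a[0..n) with a lowercase literal b. */
static int ieq(const char *a, size_t n, const char *b) {
    for (size_t i = 0; i < n; i++)
        if (b[i] == '\0' || tolower((unsigned char)a[i]) != (unsigned char)b[i]) return 0;
    return b[n] == '\0';
}

/* Copies the host of url into host. Returns 0 if the scheme is not http(s),
 * the authority carries userinfo (which makes the host ambiguous), or no
 * host is present. Handles host:port and bracketed IPv6 literals. */
static int url_host(const char *url, char *host, size_t hostsz) {
    const char *p = strstr(url, "://");
    if (!p) return 0;
    size_t slen = (size_t)(p - url);
    if (!ieq(url, slen, "http") && !ieq(url, slen, "https")) return 0;
    p += 3;
    size_t alen = strcspn(p, "/?#");          /* authority = host[:port] */
    if (memchr(p, '@', alen)) return 0;
    size_t hlen;
    if (alen > 0 && p[0] == '[') {
        const char *close = memchr(p, ']', alen);
        if (!close) return 0;
        p++;
        hlen = (size_t)(close - p);
    } else {
        hlen = strcspn(p, ":/?#");            /* drop :port */
    }
    if (hlen == 0 || hlen >= hostsz) return 0;
    memcpy(host, p, hlen);
    host[hlen] = '\0';
    return 1;
}

/* Returns 1 if the web app may fetch url, 0 if it must refuse. */
int ssrf_destination_allowed(const char *url) {
    char host[256];
    struct in_addr v4;
    struct in6_addr v6;
    if (!url_host(url, host, sizeof host)) return 0;
    if (ieq(host, strlen(host), "localhost")) return 0;
    if (inet_pton(AF_INET, host, &v4) == 1) return !ipv4_is_internal(&v4);
    if (inet_pton(AF_INET6, host, &v6) == 1) return !ipv6_is_internal(&v6);
    return 1;   /* a name: allowed here, but resolve it and re-check each address */
}

int main(void) {
    /* Constructed sample URLs. */
    const char *urls[] = {
        "https://example.com/report?id=1", "http://127.0.0.1/admin",
        "http://10.0.0.5:8080/status",     "http://[::ffff:192.168.1.1]/",
        "http://localhost:3000/",          "ftp://example.com/",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-34s %s\n", urls[i],
               ssrf_destination_allowed(urls[i]) ? "allowed" : "refused");
    return 0;
}
```

Build it on Linux or another POSIX system (inet_pton comes from arpa/inet.h). Run the check with the same URL and address parser the HTTP client uses, otherwise the two can disagree about where a request goes, and repeat it after every redirect.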
No more theory... Let's get it on!
Try it yourself:
Binary: tinyurl.com/y4uhekk7
Web: tinyurl.com/yxq6d96k
Web: tinyurl.com/rs2zaqv
A few words of general advice
- Never assume that something is secured until you have tested it;
- Always check for insecure or unfiltered input on small or side services;
- Delete all the important legacy;
- Never trust client-side filtering or security;
- Always hash with cryptographically secure randomness.
By Ivan Zlatanov