
sCTF '12

Round 1: Learning Round


I hear and I forget. I see and I remember. I do and I understand. - Confucius

Introduction
One whose knowledge is confined to books and whose wealth is in the possession of others, can use neither his knowledge nor wealth when the need for them arises. - Chanakya

Welcome to sCTF 12, a national level CTF style hacking contest held along with the conference on Security of Internet of Things at Amrita Vishwa Vidyapeetham, Amritapuri. We are glad that you decided to participate. Our main aim in conducting this event is to spread awareness about cyber security and secure coding practices. We would like the participants to develop hands-on experience with secure coding practices and help generate interest in the field of cyber security. As you are aware the contest has three rounds. The first round is the learning round. We strongly encourage you to have 5 members in your team. Else, you will find it very difficult in the final round. This document lists the tasks to be done by each team. These tasks will help the teams to be successful in the next two rounds. Please note once again that this contest is meant ONLY for students from India who are currently enrolled in any university program. You must have a faculty mentor. During verification, if we find out that this is not true your registration will stand canceled.

Tasks
These tasks are designed to help you get started with security and learn about secure coding practices. These are not difficult tasks and you should be able to do them with the help of the Internet. If you still have problems or get stuck please feel free to get in touch with us.
Arise! Awake! And stop not till the goal is reached! - Swami Vivekananda

Task Set 1
Student 1
Download and install VirtualBox. Install any version of Ubuntu in VirtualBox. If you are not familiar with using any Linux distro, do familiarize yourself with Linux. We can provide you with e-books and resources if you need them. You should be comfortable finding your way around the Linux environment. The final round will use a Linux distro.

Student 2
Learn PHP from http://w3schools.com/. You should also be familiar with SQL. Learn to install LAMP. At the end of this exercise the student must be comfortable writing a small application with a login page that connects to a MySQL database to retrieve data. Students must also be familiar with starting, stopping and restarting Apache and MySQL, and know where these applications write their log files.

Student 3
Register with http://hackthissite.org/. Your user name must be TeamName_sCTF12, e.g. if your team name is Crypto Nerds then your registration id must be CryptoNerds_sCTF12. Complete the basic missions. If you have already registered with another account you can quickly complete this. This will help us to track how much you have completed in the basic missions.

Task Set 2
There is no failure except in no longer trying. There is no defeat except from within, no insurmountable barrier except our own inherent weakness of purpose - Elbert Hubbard

Student 1
Using iptables, block pings from a particular IP address. Learn basic networking concepts and tools in Linux (e.g. usage of basic networking tools and commands like traceroute, ifconfig, top, whois, arp, restarting the networking service, securely copying files from one Linux machine to another, ftp, ssh, how to do IP forwarding, etc.).

Student 2
How do I harden MySQL? (Basic steps to secure a MySQL installation.) How do I back up data in MySQL? Where is the MySQL configuration file located?

Student 3
How do I harden Apache? How do I know if Apache is running or not? How can I make it run on port 8090 instead of its default port?

Task Set 3
Satisfaction lies in the effort, not the attainment. Full effort is full victory. - M K Gandhi

Student 1
Study of buffer overflow attacks. Some resources:
http://www.owasp.org/index.php/Buffer_Overflow
http://www.linuxjournal.com/article/2902
At the end of this the student must be able to identify a piece of code that is vulnerable to buffer overflow and patch it (C, C++, PHP, Java, etc.).

Student 2
Study of SQL injection and cross-site scripting. At the end of this the student must be able to identify a piece of code that is vulnerable to SQL injection and cross-site scripting and should be able to patch it.

Student 3
Learn the basic usage of Wireshark to capture packets. Open a browser and go to http://irctc.co.in/. Start Wireshark on the same machine, then enter any user id (need not be valid) and a bogus password on the irctc.co.in website and submit it. As soon as you get the invalid user id message, stop the capture. Filter out only the communication between your browser and the irctc.co.in website. Go through the trace file and let us know what you conclude. Save the trace file using the file name TEAMNAME_IRCTC.PCAP and send it to us via email. At the end of this exercise students must be comfortable using Wireshark to capture packets and be familiar with some of the basic options of the tool.

Team tasks
Coming together is a beginning. Keeping together is progress. Working together is success.

All team members are requested to be familiar with the below tasks.

a) Learn ethical hacking terminology using flashcards from http://samsclass.info/124/flashcards/index.html. The site gives an idea of the terminology and definitions used in ethical hacking. You can go through it quickly to get a very broad overview. (Need not go over it in detail.)

b) Learn about phishing attacks from http://www.phish-no-phish.com/. You should easily be able to identify a website as genuine or fraudulent after going through the above. Summarize how you will identify a phishing site.

c) If you do not have a blog, create a blog for yourself (link to tutorials etc.) using any service of your choice (WordPress, Blogspot, Rediff etc.). Write up an article based on what you have learned so far and publish it in your blog. For example, it could be: How to Install VirtualBox on Windows XP, or an iptables Tutorial, Buffer Overflow, Hardening MySQL, etc. Each team member must write an article (and it must be different from the other team members'). Please don't just copy-paste but write in your own words and make it as descriptive as possible so that even a beginner can understand how to use your tutorial. This could also later help your resume if you continue with it after the contest. You are required to email us the link to your article when done. (In a team of 5 we expect 5 separate links.) Please note that if there are five students in a team then we expect five different blogs and five different articles, one in each blog. Tutorials/articles (if they meet the quality standards) could get published in security and other magazines.

Questions

When you are inspired by some great purpose, some extraordinary project, all your thoughts break their bonds: your mind transcends limitations, your consciousness expands in every direction, and you find yourself in a new, great, and wonderful world. Dormant forces, faculties and talents become alive, and you discover yourself to be a greater person by far than you ever dreamed yourself to be. - Patanjali

Part 1 (Topics - Linux, Networking, Network Tools)


Attack every problem with enthusiasm as if your survival depended upon it.

1. Shankar used my computer last night, and changed my password and the root user's password. Now he says he is smarter than me :( I want to prove that he is not, and I need your help. I want you to reset my Debian Lenny's root password to "sctfroot" and user giri's password to "sctfgiri". Do you think you are up to it? Also, I want to know where and how my passwords are stored so that I can be smarter next time. Could you help me with it?

2. Even though you helped me to change my password, my brother somehow took physical control of my laptop and changed the password again, even though I had blocked unauthorized people from editing the GRUB menu by putting a GRUB password. How is it that he hacked in? How do I reset my root password to "sctfroot"? How do I prevent him from hacking my system even if he has physical access?

3. It has been a while since I installed MySQL and I seem to have forgotten my password. Is there any way to log in to MySQL and reset the password to sctfmysql?

4. When I was chatting, some guy said "Dude, your ssh port is open. Close it already!" I couldn't understand a word of what he said. Is there a way to see what ports are open on my computer and what applications are running on them? I also want to know how to start and stop applications from running. Can you help me?

5. I want to connect three computers (named A, B, C) as if they were in an internal network. I want all of them to access the internet via a single ethernet cable which can assign only a single IP address to one computer only. I know it is possible, but don't know how. Can you help me do this task?

6. I have plugged in my USB pendrive, but it is not mounting automatically. I want to mount it manually. Where do I view the logs and how do I troubleshoot this issue?

7. A custom written service claims to run on my system on port 2290. How do I verify this?

8. When I went to /var/cache/apt/archives and tried moving some packages into this folder, it said Permission Denied. How do I view the permissions of a file/folder and how do I change them?

Did you know? The Turing award is recognized as the highest distinction in Computer Science and as the "Nobel Prize of Computing" - Read more about it http://en.wikipedia.org/wiki/Turing_Award

Part 2 (MySQL, Apache, hardening, log files, PHP log file etc.)

1. I just made my own blog! Pretty cool huh? But my friend changes the URL and somehow gets my directory listing (it has got files and I don't want to show them to anyone). I just don't want him or anyone to see the listing! What would be the easiest way I could do something about this?

2. It has been a while since I installed MySQL and I seem to have forgotten my password. Is there any way to log in to MySQL and reset the password to sctfmysql?

3. Does Apache always run as the root user? If so, how do I set it to run as user xyz?

4. Where are the configuration files for apache2 and how do I change the document root for a site?

5. Where are the error logs for Apache stored?

6. I have a web application written in PHP. How do I access and administer the MySQL database from the web application?

7. What is the program SSH used for? On which port does it run, and where is the configuration file stored?

8. I am using a system running Ubuntu 11.10. I have a C program's executable, but I want it to execute automatically during startup and also in the background. How do I do this?

Did you know? The world's most widely used sorting algorithm is the QuickSort algorithm, invented by Sir Tony Hoare at the age of 26. Read more about him at http://en.wikipedia.org/wiki/C._A._R._Hoare

Part 3 (crypto, phishing)


Note: The files for questions 1 and 4 can be obtained by running the following command:
git clone https://bitbucket.org/zubin71/inctf-crypto-2012.git

1. My friend Varrun once left his laptop, which was running Debian Lenny, unsecured in my hands. I hacked in, and started viewing some of his personal data. I then stumbled upon an interesting file named "Varrun_Personal". I wondered what it was, but couldn't retrieve the data as the file was encrypted. There was also a text file next to it titled "README" which had the following contents:
Mechanism - DES-EDE3-CFB
Filename - Varrun_Personal
Passphrase - varrun
I have no idea what it means! Could you please get the data from the encrypted file for me? (file available in the git repository)

2. You are downloading the file httpd-2.2.14.tar.gz from http://httpd.apache.org/download.cgi. What is the use of the [PGP] [MD5] [SHA1] links that you see on the site? Explain how you can use them.

3. Generate the MD5 hash of the file ls (the ls Linux binary).

4. The below file is encrypted with our private key. Decrypt it with the public key available in the repository. (file available in the git repository)

5. What is the CIA triad? What are the current methods available to ensure CIA?

6. How do I get the public key of the website https://www.verisign.com? (There is more than one way to get it; list all the ways you can think of.)

Did you know? Vinton Cerf is the person most often referred to as the father of the internet for his contributions to the development of the Internet. http://en.wikipedia.org/wiki/Vint_Cerf This is the link to the original 1974 paper that is the birth of the TCP protocol: http://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf

Part 4 (secure coding, attacks)

1. I have a custom written "echo" program in C, running on port number "1220", which echoes back the first 16 characters of whatever is given as the first command line argument. But somehow, my brother got unauthorized remote root access.
The program is given below. How did he do it? Please give the exploit code and explain how it works.

<------------ C PROGRAM STARTS HERE ------------>
#include <stdio.h>
#include <string.h>

void echo(char* input)
{
    char buf[16];           // buffer to limit the input size to 16 characters
    strcpy(buf, input);     // copying first 16 characters to the buffer
    printf("%s\n", buf);    // printing back the first 16 characters
}

int main(int argc, char **argv)
{
    echo(argv[1]);  // call the function to print the first 16 characters
    return 0;       // denote that the program has finished executing successfully
}
<------------ C PROGRAM ENDS HERE ------------->

2. Ok, since the previous echo program was vulnerable, I simply modified it and removed that vulnerability. But still, my brother got unauthorized remote root access. The program is given below. How did he do it? Please give the exploit code and explain how it works.

<------------ C PROGRAM STARTS HERE ------------>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char command[50] = "echo ";
    strcat(command, argv[1]);   // concatenate the input so that the final command is "echo <input>"
    system(command);            // call the system() function to print the input
    return 0;                   // denote that the program has finished executing successfully
}
<------------ C PROGRAM ENDS HERE ------------->

3. I was just going through some PHP code yesterday; what's "magic_quotes()" all about?

4. Yeah, I took it from the tone of your last reply that I'm bothering you too much with all these questions; I'm really sorry but no one seems to know better than you about this! I just read that PHP attacks can be used to change the DOM of a page. What's that all about?

5. A site that I frequently visit is songs.pk. I was told recently that this site is distributing malware which could infect my computer, and as a result my computer could become part of a botnet. How do I verify if this is true? (How do I find out if a website is distributing malware?) There is more than one way to find this out. List all the possibilities you can find out about.

6. Submit the Level 10 password to the wargame IO on the site http://smashthestack.org/

Did you know? Adi Shamir was one of the inventors of the RSA algorithm - http://en.wikipedia.org/wiki/Adi_Shamir He was the author of the paper titled "How to share a secret?", a must read for all CS students: http://www.caip.rutgers.edu/~virajb/readinglist/shamirturing.pdf
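The questions above ask for the attack side; the patching side, which Task Set 3 (Student 1) also asks every team to practise, is shown here as an added example. This is not code from the sCTF document or its organisers: it is a rewrite of both Part 4 programs with the two defects closed. In the first program the unbounded strcpy() into buf[16] is replaced by a copy that stops at the 16-character limit the comments promised; in the second, system("echo <input>") is replaced by fork() and execvp() with the input as a single argv element, so /bin/sh never parses it. The names echo_bounded, echo_without_shell, arg_is_safe and ECHO_LIMIT, and the argc check in main, are choices made for this example, not anything the document specifies.

```c
/* Hardened rewrites of the two Part 4 "echo" programs.
 * Added example; not code from the sCTF document. The names used here
 * (echo_bounded, echo_without_shell, arg_is_safe, ECHO_LIMIT) are choices
 * made for this example, not anything the document specifies. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ECHO_LIMIT 16   /* the 16-character limit the original intended */

/* Question 1 fix. The original strcpy() copies the whole argument into
 * buf[16], so anything longer overwrites the rest of the stack frame.
 * This copies at most ECHO_LIMIT characters, never more than out_size - 1,
 * and always terminates the string. Returns the number of characters kept. */
size_t echo_bounded(const char *input, char *out, size_t out_size)
{
    if (input == NULL || out == NULL || out_size == 0)
        return 0;
    size_t limit = out_size - 1;            /* room for the terminator */
    if (limit > ECHO_LIMIT)
        limit = ECHO_LIMIT;
    size_t n = 0;
    while (n < limit && input[n] != '\0')   /* bounded scan, no strlen() */
        n++;
    memcpy(out, input, n);
    out[n] = '\0';
    return n;
}

/* Question 2 fix. system("echo <input>") hands the string to /bin/sh, so
 * shell metacharacters in the input (";", "|", "$(...)") run as commands.
 * Here the input is one argv element passed to execvp(): no shell is
 * involved, so ";" is just a character that echo prints. Returns the
 * child's exit status, or -1 if fork/wait fails or the child could not exec. */
int echo_without_shell(const char *input)
{
    if (input == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const child_argv[] = { "echo", (char *)input, NULL };
        execvp("echo", child_argv);
        _exit(127);                         /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status);
}

/* Defensive allowlist for cases where an argument must still reach a shell
 * or a log line: accept letters, digits, space and ._- and reject the rest.
 * An allowlist fails closed; a denylist of metacharacters is easy to get wrong. */
int arg_is_safe(const char *s)
{
    if (s == NULL)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {                        /* the originals used argv[1] unchecked */
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return 1;
    }
    char buf[ECHO_LIMIT + 1];
    echo_bounded(argv[1], buf, sizeof buf);
    printf("%s\n", buf);                    /* first 16 characters, as intended */
    if (!arg_is_safe(argv[1]))
        fprintf(stderr, "note: argument contains characters a shell would interpret\n");
    return echo_without_shell(argv[1]) == 0 ? 0 : 1;
}
```

Build with gcc -Wall -o echo_safe echo_safe.c and run ./echo_safe 'hello; id': the bounded copy prints the first 16 characters, and the exec-based echo prints the semicolon literally instead of running a second command. The point to take from the two fixes is that neither relies on spotting bad input; the copy cannot exceed the buffer and the argument can never reach a shell, which is why they hold even against inputs nobody thought of.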

Part 5 (cyber laws, misc, reporting crimes, spam etc)


1. Is there any site where I can get approximate statistics on how many web defacements are happening in India? I just read this (http://tinyurl.com/ykffm9b). It is sad really: a country with so many talented people and very few of them paying attention to security.

2. You get the below email:

Subject: Dear Gmail Subscriber Confirm Your Account.
From: "Gmail Web Support Team"

Dear Webmail Account Owner,
This message is from web mail admin messaging center to all web mail account owners. We are currently upgrading our data base and e-mail account center. We are canceling unused web mail email account to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know it's status as a currently used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : .............
Email Password : ................
Date of Birth : .................
Warning!!! Any account owner that refuses to update his or her account within Three days of this update notification will lose his or her account permanently.
Thank you for using web mail
Support Team
Warning Code :ID67565434

What would you do? Explain.

Reverse Engineering:
General Instructions: Finish all the tasks, group the solutions in folders named a1, a2, ... etc., zip the whole thing and send it over to us when you are done. Clone the binary file and executable file, which are needed for the questions, from the repository:
git clone git@bitbucket.org:inctf/inctf-2012-round-one-questions.git

1. Question: Find the key. Hint: check out the hexdump. Download the file from the repository.

2. You are to use either OllyDbg or Immunity Debugger; you could use IDA Pro's debugger but we think OllyDbg could be simpler for debugging purposes. You could always use IDA for disassembly. However, in the exercises below you will be doing more debugging than disassembly; hence, I recommend a debugger rather than a disassembler.
[ ] Download Lena's tutorials from http://tuts4you.com/download.php?list.17 and go through sections 1, 2, 3, 4, 5, 19, 20, 21, 22. You might have to go through other intermediate sections/other reading material.

3. You are to use either OllyDbg or WinDbg for the following. Send us screenshots of the tasks you have completed.
[ ] Use calc.exe on 32-bit XP Professional for this lab.
[ ] Show the memory map of the executable.
[ ] Show the imported DLLs and their memory map (not the imported functions).
[ ] PE header of calc.exe
[ ] Import Table address of calc.exe inside its PE header

4. Qn. Use the executable present for this lab. As in the previous case, you are to send screenshots.
[ ] Find the type of packing used.
[ ] Unpack using OllyDbg/Immunity
Download the file from the repository.

5. Qn. Create an executable which prints whether a debugger is present or not by checking the NtGlobalFlag field, in a programming language of your choice. Send us the executable.

6. Hola! From this point on, you are all by yourself. Work on crackmes, unpackmes and build up your skill.

Did you know? The paper by Saltzer and Schroeder titled "Protection of Information in Computer Systems" is a classic paper published in 1974. It is a must read for students aspiring to study security. PDF version: http://www.ece.cmu.edu/~ece732/readings/protection_information.pdf HTML version: http://www.cs.virginia.edu/~evans/cs551/saltzer

Did you know? The first compiler was written by Grace Hopper, in 1952, for the A-0 programming language. http://en.wikipedia.org/wiki/Grace_Hopper The Grace Hopper Women in Computing award is named after her: http://gracehopper.org/2010/

Contact
In case you have any questions please feel free to contact us via email, phone or chat. If you are stuck we can help you to get the answers.

Email
Arvind S. Raj : sraj.arvind@gmail.com
Bithin : bithin2007@gmail.com
Seshagiri Prabhu : seshagiriprabhu@gmail.com
Aghoshlal Nakulan : aghoshlal.nakulan@gmail.com

IRC Chat
#inctf at irc.freenode.net

Thank you! We hope you enjoyed solving these questions as much as we enjoyed preparing them for you. We sincerely hope that you have learned lots of new things and gained new confidence. We would love to hear from you about your experience, please do share it with us. This will help us to do better next time.
