BraekerCTF 2024

This is the source code from the BraekerCTF 2024 by spipm (Sipke). It is a jeopardy-style hacking competition, and it ran from 23 February 2024 to 24 February 2024. Over 700 teams participated (see stats), and 508 made it to the scoreboard.

Winners

Congrats to the teams thehackerscrew, KITCTF and TeamMidwayAtoll for taking first, second and third place! They were awarded €769, €539 and €151 respectively.

Background

Background - Binaries and reversing

This CTF started while reading Practical Binary Analysis by Daniel Andriesse. I wanted to create an ELF that's as small as possible, to test techniques for evading analysis. Luckily there was the awesome article "Creating Really Teensy ELF Executables for Linux" by Brian Raiter. Porting Brian's binary to 64-bit already broke some disassembly tools. With a few more edits, objdump and GDB said "file format not recognized", ltrace, Radare2 and angr lost track, Ghidra and Binja stopped functioning, ReDasm segfaulted and even IDA forfeited. After a few weeks the binary_shrink challenge was born. Embryobot and fetusbot use the same kind of tricks as binary_shrink, and I can now tweak them to disallow debugging with GDB, or to enable NX for the ROP challenge.

After playing with ELFs I continued with the PE format. As a base I used Alexander Sotirov's tinyPE and found that you can also easily jump into headers to confuse analyzers. At that time I took three malware development courses from Sector7, which I can highly recommend. Mixing tinyPE with the courses created a small but nasty binary that is hard to analyze. It does cool things like resolving functions from kernel32 by walking the PEB while checking the PEB's BeingDebugged flag. It also creates a thread and uses the Beep function for timing across threads. This is the Computer says Beep challenge.

After PEs it was time for the Mach-O file format. A neat base was this code from Kamil.S on StackOverflow. Playing with code that exists only in the header's load commands (a Mach-O peculiarity) caused all sorts of weirdness. Creating bogus LC_THREAD commands confuses Binja and IDA about the code's entry point. Other tools also have trouble finding the binary's entry point, and MacOViewer segfaults. The end result, Injecting commands, is a work of madness.

Recently I was granted access to a testing environment of an IBM mainframe, so I got to play around with z/OS. It has a Unix subsystem, USS (UNIX System Services), that can run IBM's REXX scripting language. This access was used to build and run the challenge The mainframe speaks, which is a pain to reverse because of IBM's EBCDIC encoding. Mainframes are far from dead, and knowledge about them is scarce. They are neat research targets, but the learning curve is steep.

Background - Crypto and hashcracking

With the help of Axel Koolhaas (Shoaloak) we created messengesus, a variation on the clever babypad challenge by plonk from the TastelessCTF 2019.

The challenge Flag-based key expansion was inspired by multiple things. First of all, a colleague dumped half of his AD NTLM hash in Confluence, claiming that "you can't crack half a hash", and secondly because I made this Depix tool a couple of years ago. The tool was immensely overhyped on social media, but it's more neat than useful, just like deconvolution for the Eye doctor challenge (see below).

The challenge Thus spoke machine is just a Book cipher variation, which is a cipher I remembered from skimming Codebreaking: A Practical Guide. Block construction is a trivial ECB decryption attack based on Set 2 from the Cryptopals challenges.
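The Cryptopals Set 2 attack referred to above is byte-at-a-time ECB decryption: an oracle encrypts attacker-controlled data followed by a secret, and because ECB encrypts equal blocks to equal ciphertext the attacker aligns one unknown byte at the end of a block and brute-forces it in at most 256 queries. The code below is an added example, not the Block construction challenge itself. Its block function is a keyed PRF built from SHA-256 standing in for AES-ECB's per-block encryption (the attack only relies on a deterministic block function and ECB's block independence, never on decryption); the key and secret are constructed.

```python
"""Byte-at-a-time ECB decryption (Cryptopals Set 2, challenge 12).

The oracle returns ECB(attacker_input || secret).  Recovering the secret
needs roughly 256 * len(secret) oracle calls and no knowledge of the key.
block_encrypt is a SHA-256 based stand-in for AES's block encryption.
"""
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Deterministic keyed 16-byte block function (stand-in, not a real cipher)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pkcs7(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def make_oracle(key: bytes, secret: bytes):
    """ECB-encrypt(attacker_input || secret) with PKCS#7 padding."""
    def oracle(attacker_input: bytes) -> bytes:
        pt = pkcs7(attacker_input + secret)
        return b"".join(block_encrypt(key, pt[i:i + BLOCK])
                        for i in range(0, len(pt), BLOCK))
    return oracle


def secret_length(oracle) -> int:
    """Grow the input until the ciphertext gains a block; the gap is the secret length."""
    base = len(oracle(b""))
    pad = 1
    while len(oracle(b"A" * pad)) == base:
        pad += 1
    return base - pad


def recover_secret(oracle) -> bytes:
    length = secret_length(oracle)
    recovered = b""
    while len(recovered) < length:
        k = len(recovered)
        blk = k // BLOCK
        # Filler shifts secret[k] to the last byte of block `blk`.
        filler = b"A" * (BLOCK - 1 - k % BLOCK)
        target = oracle(filler)[blk * BLOCK:(blk + 1) * BLOCK]
        # The 15 bytes preceding secret[k] are known: filler plus what we recovered.
        known = (filler + recovered)[-(BLOCK - 1):]
        for guess in range(256):
            if oracle(known + bytes([guess]))[:BLOCK] == target:
                recovered += bytes([guess])
                break
        else:
            raise ValueError("no byte matched; not a plain ECB oracle")
    return recovered


# Constructed key and secret for the demo.
KEY = b"\x13" * 16
SECRET = b"Braeker{ecb-leaks-one-byte-at-a-time}"


def demo() -> bytes:
    return recover_secret(make_oracle(KEY, SECRET))


if __name__ == "__main__":
    print(demo())
```

Swapping `block_encrypt` for real AES-ECB changes nothing in `recover_secret`; that is exactly the point of the attack.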

Background - Programming and misc

While in the library, waiting for someone, I browsed C++ en Numerieke Wiskunde (C++ and Numerical Mathematics) and found a part about how you should sort an array of floats before summing it, so I made e, which stands for epsilon, the rounding gap that makes floating-point arithmetic behave so strangely.
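The effect behind that advice is easy to see in a few lines. The code below is an added example, not the challenge: with a 53-bit mantissa, adding 1.0 to 1e16 lands exactly between two representable doubles and round-to-even drops it, so a thousand such additions silently lose 1000. Summing the small magnitudes first, or tracking the lost low bits with Kahan summation, recovers the exact result; `math.fsum` is the stdlib's exact reference. The input list is constructed.

```python
"""Why summation order matters for floats."""
import math


def naive_sum(xs):
    total = 0.0
    for x in xs:
        total += x
    return total


def magnitude_sorted_sum(xs):
    """Sum smallest magnitudes first so they accumulate before a big term absorbs them."""
    return naive_sum(sorted(xs, key=abs))


def kahan_sum(xs):
    """Kahan compensated summation: carry the low-order bits each addition drops."""
    total = 0.0
    comp = 0.0
    for x in xs:
        y = x - comp
        t = total + y
        comp = (t - total) - y     # what was lost when y was added to total
        total = t
    return total


def is_absorbed(big: float, small: float) -> bool:
    """True when adding `small` to `big` changes nothing (below half an ulp, or a tie to even)."""
    return big + small == big


# Constructed input: one large term followed by a thousand ones.
SAMPLE = [1e16] + [1.0] * 1000
EXACT = 10000000000001000.0

if __name__ == "__main__":
    print(naive_sum(SAMPLE), magnitude_sorted_sum(SAMPLE), kahan_sum(SAMPLE), math.fsum(SAMPLE))
```

Sorting by magnitude is only a safe fix when the terms share a sign; with mixed signs large terms can still cancel catastrophically, which is why Kahan summation or `math.fsum` is the robust choice.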

Microservices got started because I wanted to mimic the Mitnick attack, as a tribute after his passing, but it was hard to make this work over the internet. The initial challenge code was changed into a programming challenge that required contestants to catch packets whose sequence numbers did not match their normal TCP stream.
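The check contestants had to implement comes down to TCP sequence-number bookkeeping: a segment only belongs at the current position of a stream if its sequence number equals the initial sequence number plus the bytes accepted so far. The following is an added example, not the challenge code: it packs and parses minimal TCP headers with `struct`, splices matching segments into the stream and sets the odd ones aside. The segments, ports and sequence numbers are constructed, not captured traffic.

```python
"""Separating a TCP stream from segments whose sequence numbers don't fit."""
import struct

TCP_HDR = "!HHIIHHHH"   # sport, dport, seq, ack, offset/flags, window, checksum, urgent ptr
PSH_ACK = 0x18


def build_segment(seq: int, payload: bytes, sport=40000, dport=8080) -> bytes:
    """Minimal 20-byte TCP header (no options, checksum left zero) plus payload."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF, 0,
                      (5 << 12) | PSH_ACK, 65535, 0, 0)
    return hdr + payload


def parse_segment(segment: bytes):
    """Return (seq, payload); honours the data-offset field so options would be skipped."""
    _sport, _dport, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    header_len = (off_flags >> 12) * 4
    return seq, segment[header_len:]


def split_stream(segments, isn: int):
    """Return (in-order payload, [(seq, payload) of segments that don't continue the stream])."""
    expected = isn
    stream = bytearray()
    strays = []
    for seg in segments:
        seq, payload = parse_segment(seg)
        if seq == expected:
            stream += payload
            expected = (expected + len(payload)) & 0xFFFFFFFF   # seq space wraps at 2^32
        else:
            strays.append((seq, payload))
    return bytes(stream), strays


# Constructed capture: one request split over three segments, plus one
# injected segment whose sequence number does not continue the stream.
ISN = 0xDEADBEEF
SEGMENTS = [
    build_segment(ISN, b"GET /flag"),
    build_segment(0x41414141, b"brk{hidden-in-the-odd-one-out}"),
    build_segment(ISN + 9, b" HTTP/1.1\r\n"),
    build_segment(ISN + 20, b"Host: braekerctf\r\n\r\n"),
]

if __name__ == "__main__":
    stream, strays = split_stream(SEGMENTS, ISN)
    print(stream)
    print(strays)
```

Real captures also contain retransmissions and reordered segments, so a production reassembler buffers out-of-window data rather than discarding it; for the challenge's purpose, the stray list is where the interesting payload ends up.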

Some challenges were taken from the nominations for the best web hacking techniques of 2023, curated by PortSwigger's James Kettle. Adnan Khan's article on supply chain attacks via GitHub Actions was the basis for the Workspace challenge.

Last week I extracted blurred PII from a manual, which I thought was some neat Hollywood CSI stuff, so I created the Eye doctor challenge around it. The idea is that blurring techniques, like a linear motion blur, are simple image convolution operations that sometimes can be reversed with a script like this.
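A linear motion blur is a causal box filter: each output pixel is the mean of the k pixels to its left, so with a known kernel and a known border every original pixel follows from the blurred value and the pixels already recovered. The code below is an added example of that inversion on one image row, not the author's deblurring script. It uses exact fractions to show the maths is a clean inverse, and then rounds the blurred row to 8-bit integers, as a real image would store it, to show why recovery only "sometimes" works. The pixel row and kernel length are constructed.

```python
"""Undoing a horizontal motion blur by inverting the convolution.

y[i] = (x[i] + x[i-1] + ... + x[i-k+1]) / k  with x[<0] = 0 (known border), so
x[i] = k*y[i] - (x[i-1] + ... + x[i-k+1])  can be recovered left to right.
"""
from fractions import Fraction


def motion_blur(row, k):
    """Causal k-tap box blur with zero padding on the left, exact values."""
    return [Fraction(sum(row[i - j] for j in range(k) if i - j >= 0), k)
            for i in range(len(row))]


def deblur(blurred, k):
    """Invert motion_blur given the kernel length and the zero left border."""
    recovered = []
    for i, y in enumerate(blurred):
        x = k * Fraction(y) - sum(recovered[i - j] for j in range(1, k) if i - j >= 0)
        recovered.append(x)
    return recovered


def quantize(blurred):
    """Round to the 0..255 integers an 8-bit image would actually store."""
    return [min(255, max(0, round(y))) for y in blurred]


def quantization_error(row, k) -> int:
    """Largest per-pixel error when deblurring the 8-bit rounded blur instead of the exact one."""
    approx = deblur(quantize(motion_blur(row, k)), k)
    return max(abs(int(a) - x) for a, x in zip(approx, row))


# Constructed grey-value row and kernel length.
ROW = [0, 0, 200, 50, 120, 255, 30, 0, 0]
K = 3

if __name__ == "__main__":
    print(deblur(motion_blur(ROW, K), K))
    print("max error after 8-bit rounding:", quantization_error(ROW, K))
```

The exact round trip is lossless; the quantized one is not, because every rounding error in `y` is multiplied by k and fed back into the recursion for the following pixels. That, plus unknown kernel lengths and borders, is what separates a clean demo from a messy real screenshot.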

Background - Webservices

After reading about phone number injections and Unicode normalization on Carlos Polop's HackTricks, I made the SQL injection challenge a beacon dialing home to combine the two.
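The normalization pitfall in a nutshell: phone numbers are a natural field to NFKC-normalize (so that fullwidth "３１" becomes "31"), and if that happens after quote escaping, a FULLWIDTH APOSTROPHE (U+FF07) passes the filter and only then turns into an ASCII quote inside the query. The code below is an added example, not the challenge: a vulnerable lookup that escapes and then normalizes, beside the fixed version that normalizes first and binds the value as a parameter. It runs against a constructed in-memory SQLite table; the payloads are constructed too.

```python
"""Unicode normalization after escaping reopens SQL injection."""
import sqlite3
import unicodedata


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "+31600000001"),
        ("bob", "+31600000002"),
        ("carol", "+31600000003"),
    ])
    return conn


def vulnerable_lookup(conn, phone: str) -> list:
    """Escape ASCII quotes, THEN canonicalize: the order is the bug."""
    escaped = phone.replace("'", "''")
    canonical = unicodedata.normalize("NFKC", escaped)   # U+FF07 -> ' happens here
    query = f"SELECT name FROM users WHERE phone = '{canonical}'"
    return sorted(r[0] for r in conn.execute(query))


def safe_lookup(conn, phone: str) -> list:
    """Canonicalize first, then bind the value; quotes never reach the SQL parser."""
    canonical = unicodedata.normalize("NFKC", phone)
    return sorted(r[0] for r in conn.execute(
        "SELECT name FROM users WHERE phone = ?", (canonical,)))


# Constructed inputs.
ASCII_PAYLOAD = "' OR '1'='1"                            # neutralized by the escape
FULLWIDTH_PAYLOAD = "\uff07 OR \uff071\uff07=\uff071"    # ＇ OR ＇1＇=＇1, not escaped
FULLWIDTH_PHONE = ("\uff0b\uff13\uff11\uff16"
                   "\uff10\uff10\uff10\uff10\uff10\uff10\uff10\uff11")   # ＋３１６００００００００１

if __name__ == "__main__":
    db = build_db()
    print(vulnerable_lookup(db, ASCII_PAYLOAD))      # []
    print(vulnerable_lookup(db, FULLWIDTH_PAYLOAD))  # every user
    print(safe_lookup(db, FULLWIDTH_PAYLOAD))        # []
    print(safe_lookup(db, FULLWIDTH_PHONE))          # ['alice']
```

The fixed version keeps the convenience of accepting fullwidth digits (the legitimate fullwidth phone number still resolves to alice) while making the quote question moot, since the value is never spliced into the statement.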

Inspiration for the Leaderbot dashboard came from d4d's article about memcache injection. The challenge variant used signed cookies for which the signing secret had to be brute-forced.

The Empty execution challenge is derived from a code execution vulnerability found in the wild, for which I also made a little spot-the-bug challenge on Twitter.

For a client I needed to check the security of a Java application that uses a JAXB unmarshaller. The Marshalsec paper only says "JAXB implementations generally require that all types used are registered", but it wasn't clear when an application is vulnerable or not. I found that if a class unmarshals an Object from user input, the deserialization process allows the user to use setters from all registered classes, even when they don't have the XmlAccessorType set. The challenge Node calculator was created as an example to show what a vulnerable application could look like.

Stuffy is just an HTTP request smuggling challenge, because it's all the rage these days.

Credits

Special thanks to Axel Koolhaas (Shoaloak) and Gerard Arall for their enthusiasm about the project, which was very motivating.

CTFd (ctfd.io) was used as the CTF platform. Both their service and their customer service are amazing, so I can highly recommend it.

AI images were generated with DreamStudio, and ChatGPT was used for a bunch of things. For the mascot banner I used the Infinite image tool from Runwayml.

I'd also like to thank the creators of the XMAS CTF 2022 for making their CTF open source, which made getting Docker to work a lot easier.

Write-ups and notes