def con 27 capture the flag finals
play

DEF CON 27 Capture the Flag Finals Shortman The CTF Live - PowerPoint PPT Presentation

Oct 02, 2023 •299 likes •792 views

DEF CON 27 Capture the Flag Finals Shortman The CTF Live Attack/Defense CTF 16 Teams from all over the world Must qualify by either winning a qualifier or finishing in the top X in the Defcon qualifier CTF Pre-qualified Teams DEF CON 2018

  1. DEF CON 27 Capture the Flag Finals Shortman

  2. The CTF Live Attack/Defense CTF 16 Teams from all over the world Must qualify by either winning a qualifier or finishing in the top X in the Defcon qualifier CTF

  3. Pre-qualified Teams DEF CON 2018 CTF - 12 August 2018 - prequalified: DEFKOR00T HITCON CTF 2018 - 21 October 2018 - prequalified: Dragon Sector RuCTFE 2018 - 10 November 2018 - prequalified: saarsec C3CTF 2018 - 27 December 2018 - prequalified: mhackeroni PlaidCTF 2019 - 12 April 2019 - prequalified: HITCON

  4. Defcon Qualifiers

  5. Thursday (Day -1) We get an information “leak” from the Order of the Overflow, that instructed us to bring the following tools: - Microsoft Windows + Visual Studio - MacOS + XCode + iOS SDK - Any GNU/Linux distribution with proper toolchain + Android SDK - FreeBSD (comes with toolchain) - An extra monitor that supports HDMI...

  6. Thursday (Day -1) Arrived at 12:30am after delayed flight from JFK to Planet Hollywood

  7. Friday (Day 1) Game started at 10am (after ~5 hours of sleep) First challenges released: - TelOoOgram: iOS messaging app similar to telegram (Objective C) - AoOoL: Webserver, written in ?? - ROPShip: King of the Hill challenge

  8. Hackers Don’t Use Macs…. But I actually brought my UCSB Macbook Pro Hello TeloOogram!

  9. TeloOogram - First bug identified - Unused “VoIP” server with a trivial buffer overflow - Appeared to be unexploitable - Easily patched (patch deployed)

  10. TeloOogram - Second bug identified - The app requests avatar.png from contacts - Let’s try requesting other files… - Success. Stole other teams creds.txt (username/password) - Oh yeah, and their flags - Easily patched (patch deployed) - Saarsec getting more flags that us, but not exploiting us… - Hours pass… - Turns out other teams aren’t great at patching - Try ./flag instead of flag

  11. TeloOogram - Third bug identified - Objective C parser used that was deprecated for security reasons - This is a nasty one… - Goes unexploited by any team, despite our best efforts -

  12. TeloOogram - Removed from the game at the end of Day 1 - We rejoice

  13. AoOol Some webserver written in C/C++ - Responds to GET, UPLOAD, and CONFIG commands Looks like there are some funky bits with parsing of a config file I start getting spun up… then fall asleep.

  14. Saturday (Day 2) Game starts at 10am (again) - Actually a little bit late, but that’s normal - I start working on AoOol again, until...

  15. n

  16. n

  18. DoOom on an original XBOX

  19. DoOom on an original XBOX

  20. First, The Good The XBOX had been modded to download a .xbe file over the network It was downloading a version of Chocolate Doom Multiplayer game against other teams! Scoring: - Find OOO tiles and stand on them (1 point per second)

  21. The hard stuff We are told that the XBOX must be “pingable” (turns out to be a lie…) The original .xbe has shooting disable and username “sheeple” You can only score with the username of your team id E.g., [14]shellphish

  22. Let the pwning begin!

  23. Let the pwning begin!

  24. Let the pwning begin! Shooting enabled, points being scored… but… there’s more.. WE FIND A HIDDEN ROOM THAT IS COVERED IN OOO TILES The catch: you need to clip through walls to get there

  25. Becoming a God We patch the binary to enable no clipping IT WORKS! We freak!

  26. Becoming a God No points are being scored… - Actually we can’t tell if points are being scored OOO tells us everything is fine We fight for hours.. We don’t know if it’s working, or if we are scoring, but we are Gods.

  27. We were DoOomed

  28. We were DoOomed We needed to send our commands to the server as well, not just locally patch… Also, the XBOX didn’t need to be pingable… Lack of feedback killed us. We complained to the organizers, they promised to fix it next year.

  29. End of Friday Finally, some rest… What are the other challenges?

  30. The Bitflip Conjecture =============================================================================== Definition: A snippet of assembly code is `N-Flip Resistant` if its output remains constant (i.e., it produces the same output and exits with the same return value) even if ANY combination of N bits are flipped. One-flip Conjecture: The x86 architecture is such that it is possible to write any arbitrary program (of any length) in a way that is 1-flip resistant. - Balzaroth (Vegas 2019)

  31. The Bitflip Conjecture Points are assigned based on how close you are from a complete proof (i.e., based on how many bit flip your code was able to withstand) ------------------------------------------------------------------------------- But first, how do you want the registers initialized before executing the code? 1. I like all my registers set to zero 2. I want them pointing to the middle of a 64KB R/W region of memory) 3. Dont bother. Leave them as they are

  32. The Bitflip Conjecture We are allotted 200 bytes of shellcode This happens to be closely related to my research here… Game on!

  33. The Bitflip Conjecture Actually, the CTF is paused so we can’t score But we can still get our shellcode ready for morning

  34. The Bitflip Conjecture: Idea 1 Replicate shellcode, and do a checksum BITS 64 _start: lea rax, [rel copy2] lea rbx, [rax-(copy2 - copy1)] loop_start: dec al add cl, byte [rax] ; add cl, [rax] cmp eax, ebx jnz loop_start decide: cmp cl, 34 jnz copy2 copy1: db SHELLCODE copy2: db SHELLCODE

  35. The Bitflip Conjecture: Idea 1 Replicate shellcode, and do a checksum [--xxxxxx] [xxxxxxxx] [xxxxxxxx] [--------] [------xx] [xxxxxxxx] [xxxxxxxx] [---xxxxx] [-------x] [x-xxxxxx] [xxxxxxx-] [xxxx-xxx] [---xx-xx] [-xxx---x] [------x-] [-xxx-x-x] [--x-xxx-] [--x-xxx-] [------xx] [-----x-x] [--xxxxxx] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [xxxxxxxx] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------] [--------]

  36. The Bitflip Conjecture: Idea 2 Transactional Memory! If the transaction fails, it will reset everything PROBLEM 1: The xbegin instruction will always fail bitflips PROBLEM 2: We need to flush the instruction cache… cpuid fails too Still… Pretty good (~12 bits)

  37. The Bitflip Conjecture: Idea 3 What if we just fix the flipped bit…? RAX = ptr to shellcode RCX = offset to byte that was flipped The bit that was flipped is on the stack somewhere

  38. The Bitflip Conjecture: Idea 3 (Improved) Check offset CHECK Jump to uncorrupted portion of the code NOPS SHELLCODE 1 Now only our check needs to survive bit flips... NOPS SHELLCODE 2

  39. The Bitflip Conjecture: Idea 3 (Improved) 4 Bits!!! BITS 64 _start: sbb cl, (0x22 + copy2) jbe $+0x67 post_jump: copy1: db SHELLCODE buf: times (64 - (buf - post_jump)) db 0x90 copy2: db SHELLCODE

  40. Good, but not good enough 0 points scored

  41. Good, but not good enough nnnn!

  42. Good, but not good enough

  43. We can do better n

  44. Let’s just fuzz offsets P!

  45. 1 Bit!!! BITS 64 _start: add al, cl CHECK jns $+0x60 copy1: NOPS NOPS SHELLCODE 1 SHELLCODE NOPS NOPS jmp copy1 STRING 1 the_string1: db "I am Invincible!" NOPS buf: NOPS Copy2: NOPS STRING 2 SHELLCODE STRING

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SPRITZ_PLAYGROUND spritzers - CTF team spritzers play Capture The Flag competitions (not these)

SPRITZ_PLAYGROUND spritzers - CTF team spritzers play Capture The Flag competitions (not these)

SPRITZ_PLAYGROUND spritzers - CTF team spritzers play Capture The Flag competitions (not these) (not these) (not these) spritzers play Capture The Flag competitions - Cybersecurity competitions - Goal is to find the CTF{funny_l33tsp34k_flAg}

261 views • 10 slides
Pride flags Sadie, Yael, & Yossi Original Pride Flag Traditional Gay Pride Flag Philly

Pride flags Sadie, Yael, & Yossi Original Pride Flag Traditional Gay Pride Flag Philly

Pride flags Sadie, Yael, & Yossi Original Pride Flag Traditional Gay Pride Flag Philly Pride Flag Transgender Flag Progress Pride Flag Lesbian Flag Non-binary Flag Gender Fluidity flag Bisexual flag Pansexual Flag Asexual flag THANK

563 views • 13 slides
And going through to the National Finals are.

And going through to the National Finals are.

Care Chef 2017 Regional Finals Rugby College And going through to the National Finals are.

533 views • 17 slides
Flag Basics Agenda A1. The Pledge of Allegiance A2. The National Anthem A3. Flag

Flag Basics Agenda A1. The Pledge of Allegiance A2. The National Anthem A3. Flag

California Cadet Corps Curriculum on The Flag Flag Basics Agenda A1. The Pledge of Allegiance A2. The National Anthem A3. Flag Smarts A4. Folding the Flag A5. History of the Flag A6. Raising the Flag A7.

1.78k views • 158 slides
Benefits and Pitfalls of Using Capture the Flag Games in University Courses Jan Vykopal , Valdemar

Benefits and Pitfalls of Using Capture the Flag Games in University Courses Jan Vykopal , Valdemar

Benefits and Pitfalls of Using Capture the Flag Games in University Courses Jan Vykopal , Valdemar vbensk, Ee-Chien Chang vykopal@ics.muni.cz A part of this work was done during a stay of the first author at National University of

507 views • 22 slides
Experiences In Cyber Security Education: The MIT Lincoln Laboratory Capture-the-Flag Exercise*

Experiences In Cyber Security Education: The MIT Lincoln Laboratory Capture-the-Flag Exercise*

Experiences In Cyber Security Education: The MIT Lincoln Laboratory Capture-the-Flag Exercise* Joseph Werther, Michael Zhivich, Timothy Leek, Nickolai Zeldovich Cyber Security Experimentation And Test 2011 8 August 2011 This work is

313 views • 15 slides
Capture the Flag & Related Topics Strategies? Offensive strategies, defensive

Capture the Flag & Related Topics Strategies? Offensive strategies, defensive

Capture the Flag & Related Topics Strategies? Offensive strategies, defensive strategies, others? Q: Where is a good place for blue to lie in wait? F 2 Patrol the border Wait in blue zone just on edge of neutral areas

539 views • 27 slides
Midterms/Finals Study Tips Evidenced-Based Solutions Midterms/Finals Study Tips Why do we

Midterms/Finals Study Tips Evidenced-Based Solutions Midterms/Finals Study Tips Why do we

Midterms/Finals Study Tips Evidenced-Based Solutions Midterms/Finals Study Tips Why do we have midterms/finals? What are ineffective strategies? What works? Why? How to implement it? Why do we have midterms/finals? Why do we

381 views • 34 slides
Flemish Aerospace Group (FLAG) Together for a stronger Flemish aviation industry FLAG Members

Flemish Aerospace Group (FLAG) Together for a stronger Flemish aviation industry FLAG Members

Flemish Aerospace Group (FLAG) Together for a stronger Flemish aviation industry FLAG Members FLAG Member Locations FLAG growth path FLAG ambition 2,5 2030: 2 Turnover + 100% 1,5 Employment + 50% 1 0,5 0 Turnover Employment 2016

498 views • 7 slides
P ERFORMANCE C ENTRE (P (PC) A DD DDRESS : : R UA UA G ODOFREDO M AR N 58 58 C AM ARQUES

P ERFORMANCE C ENTRE (P (PC) A DD DDRESS : : R UA UA G ODOFREDO M AR N 58 58 C AM ARQUES

T EAM G OALS LS Improved Nations Ranking (2012 rank - 34 th ) 2-3 medals More athletes in Finals and Semi Finals 2012 2016 Top 3 2.4% 7.5% Top 8 14.3% 20% Top 12 9.5% 30% Top 16 14.3% 50% K EY EY D ATES Qualifying Periods DATE

867 views • 43 slides
The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact.

The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact.

The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact. The issues: 1. Is the Big Red flag in question the same flag that posted on Morris Island on 9 Jan 1861? 2. What is the link between Cpl Bakers

515 views • 22 slides
Finals are just around the corner. DO YOU REMEMBER HOW TO Factor? Review Session: (all levels)

Finals are just around the corner. DO YOU REMEMBER HOW TO Factor? Review Session: (all levels)

Finals are just around the corner. DO YOU REMEMBER HOW TO Factor? Review Session: (all levels) Date: Monday, May 9 th When: 2:00 3:00pm 3 27= ? Where: MS 413 Finals are just around the corner. DO YOU

306 views • 12 slides
Memory Model COS 597C 10/5/2010 Example a = Flag = 0 Thread a = 26; Flag = 1; 2

Memory Model COS 597C 10/5/2010 Example a = Flag = 0 Thread a = 26; Flag = 1; 2

Memory Model COS 597C 10/5/2010 Example a = Flag = 0 Thread a = 26; Flag = 1; 2 Memory Model COS 597C, Fall 2010 Example a = Flag = 0 Thread a = 26; Flag = 1; Compiler Transformation Flag = 1; a =

1.09k views • 69 slides
Table of Contents SECTION 11. FINALS AND PRESENTATION EVENTS. 1 11.1 F INALS 2 11.1.1

Table of Contents SECTION 11. FINALS AND PRESENTATION EVENTS. 1 11.1 F INALS 2 11.1.1

Section 11. Finals and Presentation Events. If printed, may NOT be the latest version; please check B&DSA Handbook section of www.ballaratsoccer.com.au Table of Contents SECTION 11. FINALS AND PRESENTATION EVENTS. 1 11.1 F INALS 2 11.1.1

224 views • 11 slides
FLAG-ERA Presentation FLAG-ERA JTC 2017 Project Kick-off Seminar March 21-22, 2018 Edouard

FLAG-ERA Presentation FLAG-ERA JTC 2017 Project Kick-off Seminar March 21-22, 2018 Edouard

Seminar Introduction FLAG-ERA Presentation FLAG-ERA JTC 2017 Project Kick-off Seminar March 21-22, 2018 Edouard Geoffrois, FLAG-ERA Coordinator French National Research Agency (ANR) edouard.geoffrois@agencerecherche.fr Supported by the

327 views • 22 slides
WEL ELS S Fl Flag Pre g Presen sentati tation Introduction to Flag Presentation The face of

WEL ELS S Fl Flag Pre g Presen sentati tation Introduction to Flag Presentation The face of

WEL ELS S Fl Flag Pre g Presen sentati tation Introduction to Flag Presentation The face of missions is changing, and the LWMS would like to reflect some of those changes in our presentation of flags . As women who have watched our sons and

245 views • 8 slides
Modeling Safe and Efficient Tumbles of an Acrobatically Inclined Robot Rachel Cleaveland

Modeling Safe and Efficient Tumbles of an Acrobatically Inclined Robot Rachel Cleaveland

Modeling Safe and Efficient Tumbles of an Acrobatically Inclined Robot Rachel Cleaveland December 10, 2019 October 19th, 2019 - Simone Biles takes the world record for the most medals won by a single gymnast at the world championships

232 views • 20 slides
Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops

Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops

Chapter 5 Synchronous Sequential Logic 5-1 Outline ! Sequential Circuits ! Latches ! Flip-Flops ! Analysis of Clocked Sequential Circuits ! State Reduction and Assignment ! Design Procedure 5-2 1 Sequential Circuits ! Consist of a

595 views • 30 slides
Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic

Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic

Lesson 9 Clocks, Memory elements, (Flip-flops, Latches and Registers) And Processors A A basic MIPS implementation We examine implementation of the following instructions o The memory-reference instructions load word (lw) and store word

885 views • 19 slides
State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon,

State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon,

State Prof. Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon, Bala, Bracy, and Sirer] Goals for Today State How do we store one bit? Attempts at storing (and changing) one bit - Set-Reset Latch - D Latch

736 views • 38 slides
Flipper: Fault-Tolerant Distributed Network Management and Control Subhrendu Chattopadhyay ,

Flipper: Fault-Tolerant Distributed Network Management and Control Subhrendu Chattopadhyay ,

Introduction SDN Flipper Properties of Flipper Simulation Results Emulation Results Conclusion Flipper: Fault-Tolerant Distributed Network Management and Control Subhrendu Chattopadhyay , Niladri Sett, Sukumar Nandi, and Sandip Chakraborty

334 views • 30 slides
Supervised Learning via Decision Trees Lecture 8 Supervised Learning via Decision Trees March

Supervised Learning via Decision Trees Lecture 8 Supervised Learning via Decision Trees March

Wentworth Institute of Technology COMP3770 Artificial Intelligence | Spring 2017 | Derbinsky Supervised Learning via Decision Trees Lecture 8 Supervised Learning via Decision Trees March 27, 2017 1 Wentworth Institute of Technology

546 views • 52 slides
Supervised Learning via Decision Trees Lecture 9 Supervised Learning via Decision Trees March

Supervised Learning via Decision Trees Lecture 9 Supervised Learning via Decision Trees March

Wentworth Institute of Technology COMP3770 Artificial Intelligence | Spring 2016 | Derbinsky Supervised Learning via Decision Trees Lecture 9 Supervised Learning via Decision Trees March 22, 2016 1 Wentworth Institute of Technology

542 views • 52 slides
Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History

Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History

Pinball Wizardry Youre a wizard, Harry Historical Stuff (OG machines) Quick History 1930s: Baffle Ball! 1933: Electrification 1947: First flippers introduced 1970s: Solid state electronics: circuit boards,

596 views • 37 slides

More recommend