This is my original talk outline, passed along to everyone as-is XD
- What is CTF
- Why should we play CTF
- Jeopardy
- Attack & Defense
- CGC
- King of the Hill
- Injection
- SQL
- XSS
- Command injection
- Race Condition
- SQL query without transaction
- Language features (bugs)
- PHP is a fucking evil thing
- unserialize
- memory corruption
- parse_url bug
- Crypto
- Bad signature
- Length extension attack
- Weak PRNG used for security-critical values
- CVE disclosed recently
- Trendy challenge
- SSTI
- Based on the organizer's own research (e.g. Orange)
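The "SQL query without transaction" race above, as an added example that is not part of the talk: two requests each run a check-then-update against the same account in autocommit mode and both pass the balance check, versus a single conditional UPDATE that performs the check and the write in one statement. The sqlite3 schema, the account values and the function names are constructed for this demo.

```python
import os
import sqlite3
import tempfile

# Constructed sample schema (not from the talk): one account holding 100 credits.
def make_db():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER)")
    db.execute("INSERT INTO accounts VALUES (1, 100)")
    db.commit()
    db.close()
    return path

def connect(path):
    # isolation_level=None is autocommit: every statement is its own implicit
    # transaction, so nothing ties the SELECT to the UPDATE that follows it.
    return sqlite3.connect(path, isolation_level=None, timeout=1)

# Vulnerable pattern: check, then act, as two separate statements.
def racy_check(db, amount):
    bal = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    return bal if bal >= amount else None

def racy_apply(db, bal, amount):
    db.execute("UPDATE accounts SET balance = ? WHERE id = 1", (bal - amount,))

# Hardened pattern: the balance check is part of the UPDATE's WHERE clause,
# so it is evaluated by the same statement that performs the write and the
# rowcount tells the caller whether the withdrawal happened.
def atomic_withdraw(db, amount):
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = 1 AND balance >= ?",
        (amount, amount),
    )
    return cur.rowcount == 1

def balance(path):
    db = sqlite3.connect(path)
    bal = db.execute("SELECT balance FROM accounts WHERE id = 1").fetchone()[0]
    db.close()
    return bal

def run_racy():
    """Two requests interleave: both pass the check before either writes."""
    path = make_db()
    a, b = connect(path), connect(path)
    bal_a = racy_check(a, 80)   # sees 100
    bal_b = racy_check(b, 80)   # also sees 100
    racy_apply(a, bal_a, 80)    # balance becomes 20
    racy_apply(b, bal_b, 80)    # writes 100 - 80 = 20 again: 160 paid out of 100
    ok = (bal_a is not None, bal_b is not None)
    a.close()
    b.close()
    final = balance(path)
    os.remove(path)
    return ok, final            # ((True, True), 20)

def run_atomic():
    """Same two requests through the conditional UPDATE: the second is refused."""
    path = make_db()
    a, b = connect(path), connect(path)
    ok = (atomic_withdraw(a, 80), atomic_withdraw(b, 80))
    a.close()
    b.close()
    final = balance(path)
    os.remove(path)
    return ok, final            # ((True, False), 20)

if __name__ == "__main__":
    print("racy:  ", run_racy())
    print("atomic:", run_atomic())
```

The interleaving is forced by hand here; in a real service the two requests arrive concurrently and the window is the gap between the SELECT and the UPDATE. Wrapping both statements in an exclusive transaction (`BEGIN IMMEDIATE` in SQLite, `SELECT ... FOR UPDATE` elsewhere) also closes the window; the single conditional UPDATE is the simpler fix.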
Reversing: you are given a binary and have to understand how it works. Typically you must:
- Find password to decrypt flag
- Give a flag verifier, find out what is flag
- Reverse encryption algorithm, and decrypt flag
Advanced challenge:
- Obfuscated code
- Packed binary
- Handcrafted binary file
- or written in assembly
- C++ binary (I really hate this!)
- Go (or anything else that is not C) reversing
- VM reversing
- unusual platforms
- BIOS, driver reversing
Unusual ways to reverse things:
- Bruteforce
- Side channel attack
- Timing attack (instruction counting with Intel Pin)
- SMT solver
- Symbolic execution
- gdb and OllyDbg are the basics
- if gdb is hard, try Evan's Debugger (edb)
- learn how to write debugger scripts
- qira
- strace, ltrace
- Intel Pin
- Scripting language pwn
- Sandbox escape
- Binary exploitation
- buffer overflow
- ret2stack
- DEP, stack canary
- code reuse attack
- ROP
- ebp overwrite leads to ROP
- ret2libc
- one gadget
- ret2dl_resolve
- format string: a controllable printf format gives arbitrary read / write
- heap overflow
- ptmalloc
- pointer overwrite
- function pointer overwrite leads to control flow hijack
- data pointer overwrite leads to arbitrary memory r/w
- hex
- base64
- urlencode
- rot13
- UUencode
- base85
- base32
- Vigenere Cipher
- Substitution Cipher
- frequency analysis
- symmetric cipher
- block cipher
- DES, AES, Blowfish
- block cipher operation mode
- CBC -> padding oracle attack
- stream cipher
- RC4, OFB mode
- hash
- md5, sha1, sha256, sha384, sha512, blake2
- length extension attack
- password hashing: scrypt, bcrypt, pbkdf2, argon2
- HMAC
- Diffie-Hellman key exchange
- asymmetric cipher
- RSA, ECC, ElGamal
- RSA basic knowledge
- finite field arithmetic
- Fermat's little theorem
- common attacks on RSA
- what OAEP is (randomized padding)
- xortool: automatic frequency analysis for XOR encryption
- rsatool
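The length extension attack listed above (under both bad signatures and hashes), as an added example that is not part of the talk: a server authenticates messages as SHA1(secret || msg), and an attacker who knows only the MAC, the message and the secret's length forges a valid MAC for msg || padding || extension by resuming the hash from the published digest. The SHA-1 implementation is written out so its state can be set directly; the secret, message and extension are constructed for the demo.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(msg_len):
    """Merkle-Damgard padding for a message of msg_len bytes: 0x80, zeros,
    then the bit length as a 64-bit big-endian integer."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)

def _compress(state, block):
    a, b, c, d, e = state
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & MASK & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        t = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        a, b, c, d, e = t, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data. With state/prior_len set, continues hashing as though
    prior_len bytes (a multiple of 64) had already been absorbed into state."""
    buf = data + sha1_pad(prior_len + len(data))
    for i in range(0, len(buf), 64):
        state = _compress(state, buf[i:i + 64])
    return b"".join(struct.pack(">I", v) for v in state)

def length_extend(mac_hex, known_len, extension):
    """From SHA1(secret || msg) and len(secret || msg), forge the MAC of
    secret || msg || glue || extension without knowing secret. The digest
    is the internal state after the last block, so hashing simply resumes."""
    state = struct.unpack(">5I", bytes.fromhex(mac_hex))
    glue = sha1_pad(known_len)          # the padding the server itself applied
    forged = sha1(extension, state, known_len + len(glue))
    return glue, forged.hex()

# Constructed scenario (not from the talk): the attacker sees MESSAGE and its
# MAC and knows the secret is 16 bytes long, but never learns its bytes.
SECRET = b"s3cr3t-key-12345"
MESSAGE = b"user=guest"
EXTENSION = b"&role=admin"

def demo():
    mac = hashlib.sha1(SECRET + MESSAGE).hexdigest()
    glue, forged_mac = length_extend(mac, len(SECRET) + len(MESSAGE), EXTENSION)
    forged_msg = MESSAGE + glue + EXTENSION
    server_recomputes = hashlib.sha1(SECRET + forged_msg).hexdigest()
    # HMAC wraps the hash with the key twice, so the same trick fails there.
    hmac_mac = hmac.new(SECRET, forged_msg, "sha1").hexdigest()
    return forged_mac == server_recomputes, hmac.compare_digest(hmac_mac, forged_mac)

def self_test():
    """Our SHA-1 agrees with hashlib across the padding boundaries."""
    samples = (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, b"a" * 200)
    return all(sha1(m).hex() == hashlib.sha1(m).hexdigest() for m in samples)

if __name__ == "__main__":
    print("sha1 self-test:", self_test())
    print("forged MAC accepted, HMAC accepts forgery:", demo())
```

The forged message contains the glue bytes (0x80, zeros, length), so the attack only matters where the parser tolerates them, which "key=value" formats usually do. The same construction applies to MD5, SHA-256 and SHA-512; the fix is HMAC, or a hash that does not expose its state (SHA-3, BLAKE2 keyed mode).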
- what's inside the kernel?
- page table / TLB
- EPROCESS
- vol.py (Volatility): memory forensics tool with many plugins
- process list
- dump process virtual memory
- dump executable from parsed virtual memory
- dump cached file
- dump registry (windows)
- network information
- dump password hash (mimikatz)
- dump AES key
- dump kernel module
- export coredump file
- registry hive forensic
- dump LM/NTLM hash or /etc/shadow for password cracking
- hunting malware / rootkit
- hidden disk partition (TrueCrypt)
- New challenge category: ACM (algorithmic programming problems)
- HITCON, CSAW
- Mind-reading (guessing what the author intended)
- binary format
- PNG
- IHDR
- ZIP
- DER key format (ASN.1)
- AMF, the binary serialization format used by Flash
- DEX (Android app bytecode, the JAR alternative)
- Stego
- Binary
- Append data at the end of a file (a zip after a PNG)
- printable strings inside binary data
- Image
- LSB trick
- Padding
- base64 padding bits can hide data
- Regular Expression Contest
- Linux System Programming Contest
- Morse code
- OpenStego
- Stegsolve
- 010 Editor (binary templates)
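The two hiding spots named above, the LSB trick and base64 padding bits, as an added example that is not part of the talk: both put data in bits that the normal consumer ignores. The cover samples, the base64 lines and the payloads are constructed for the demo, and all function names are assumptions.

```python
import base64
import struct

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# --- LSB trick: one payload bit in the low bit of each 8-bit sample ---
def lsb_embed(samples, payload):
    """Hide a 4-byte length header plus payload in the low bit of each sample."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover too small")
    out = bytearray(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def _lsb_bytes(samples, start, nbytes):
    return bytes(
        sum((samples[start + i * 8 + j] & 1) << (7 - j) for j in range(8))
        for i in range(nbytes)
    )

def lsb_extract(samples):
    n = struct.unpack(">I", _lsb_bytes(samples, 0, 4))[0]
    return _lsb_bytes(samples, 32, n)

# --- base64 padding bits: a line ending in "==" has 4 unused low bits in its
# last data character, a line ending in "=" has 2; decoders discard them ---
def _spare(line):
    if line.endswith("=="):
        return 4, -3
    if line.endswith("="):
        return 2, -2
    return 0, None

def b64_hide(chunks, payload):
    bits = "".join(format(b, "08b") for b in payload)
    pos, lines = 0, []
    for chunk in chunks:
        line = base64.b64encode(chunk).decode()
        n, idx = _spare(line)
        if n:
            take = bits[pos:pos + n].ljust(n, "0")
            pos += n
            v = (B64.index(line[idx]) & ~((1 << n) - 1)) | int(take, 2)
            line = line[:idx] + B64[v] + line[idx + 1:]
        lines.append(line)
    if pos < len(bits):
        raise ValueError("not enough padded lines to hold the payload")
    return lines

def b64_reveal(lines):
    bits = ""
    for line in lines:
        n, idx = _spare(line)
        if n:
            bits += format(B64.index(line[idx]) & ((1 << n) - 1), f"0{n}b")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))

def b64_roundtrip_ok(lines, chunks):
    """The carrier still decodes to the original text: the hidden bits are invisible."""
    return all(base64.b64decode(line) == chunk for line, chunk in zip(lines, chunks))

# Constructed cover data (not from the talk): 256 grayscale samples, and six
# base64 "lines" whose lengths mod 3 leave 2 + 0 + 4 + 2 + 4 + 4 = 16 spare bits.
COVER = bytes(range(256))
CHUNKS = [b"hello world", b"ctf", b"a", b"hi", b"flag", b"x"]

if __name__ == "__main__":
    print(lsb_extract(lsb_embed(COVER, b"flag{lsb}")))
    lines = b64_hide(CHUNKS, b"\xa5\x3c")
    print(lines, b64_reveal(lines), b64_roundtrip_ok(lines, CHUNKS))
```

When hunting, a base64 blob whose padded lines have non-zero spare bits is the tell; for the LSB trick, Stegsolve's bit planes show the same thing visually.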
- every team has the same vulnerable service running on its VM
- the host runs service checks to make sure your service is alive
- find the vulnerability and exploit / patch it
- stealing flags from other teams adds points
- a stolen flag loses you points
- if your service is down, your points are shared out to the other teams
- sometimes first blood on a service gets extra points
- you cannot get root on the gamebox (VM)
- pcap for every round
- flag-submission API: you need to write your own script to submit flags
- General defenses may not be permitted
- WAF
- LD_PRELOAD hardened libc
- ptrace, seccomp
- I/O wrapper that filters output and/or input
- some general defenses may be okay
- inotify and kill
- redirect network flow to another machine
- Intel Pin
- built-in hardening
- force full relocation: resolve every symbol at load time
- malloc hardening environment variables
- see man ld.so: LD_BIND_NOW (since glibc 2.1.1), LD_BIND_NOT (since glibc 2.1.95)
- Long-lived backdoor
- crontab backdoor
- attack other players' computers
- analyze packets
- find the attack payload
- analyze the payload
- attack other teams
- pwntools, pwnbox
- ja / jb to jg / jl (fix a signed vs. unsigned comparison)
- bigger stack buffer: sub esp, 0x80 to sub esp, 0x100
- read(fd, buff, n) to read(fd, buff, n-1)
- strcpy to strncpy
- strcat to strncat
- gets to fgets
- randomize malloc
- disable free
- memset or bzero
- LD_PRELOAD
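The byte-level patches from the list above (flip a short Jcc between its signed and unsigned form, enlarge the `sub esp` frame, shrink the `read` length), as an added example that is not part of the talk. The x86-32 fragment is hand-assembled and constructed for the demo, so the offsets are known; the function names are assumptions. Each patch keeps the instruction length unchanged, which is the constraint that makes in-place hex patching safe.

```python
import struct

# Constructed x86-32 fragment (hand-assembled for this example, not taken
# from any real service). Offsets are listed so the patches below can be
# applied by position, as you would after locating them in a disassembler.
#   0x00: 81 EC 80 00 00 00      sub  esp, 0x80         ; 0x80-byte frame
#   0x06: 8B 84 24 84 00 00 00   mov  eax, [esp+0x84]   ; len argument
#   0x0d: 3D 80 00 00 00         cmp  eax, 0x80
#   0x12: 7F 05                  jg   reject            ; signed: len = -1 passes
#   0x14: 68 00 01 00 00         push 0x100             ; n for read(fd, buf, n)
#   0x19: C3                     ret                    ; "reject"
CODE = bytes.fromhex("81ec80000000" "8b842484000000" "3d80000000" "7f05" "6800010000" "c3")
SUB_ESP_OFF, JCC_OFF, PUSH_OFF = 0x00, 0x12, 0x14

# Short (rel8) conditional jumps, signed <-> unsigned pairs:
# jg<->ja, jl<->jb, jge<->jae, jle<->jbe
SIGNED_TO_UNSIGNED = {0x7F: 0x77, 0x7C: 0x72, 0x7D: 0x73, 0x7E: 0x76}
UNSIGNED_TO_SIGNED = {u: s for s, u in SIGNED_TO_UNSIGNED.items()}

def imm32(code, off):
    return struct.unpack_from("<I", code, off)[0]

def swap_jcc(code, off):
    """Flip a short Jcc between its signed and unsigned form (one byte, same length)."""
    op = code[off]
    if op in SIGNED_TO_UNSIGNED:
        code[off] = SIGNED_TO_UNSIGNED[op]
    elif op in UNSIGNED_TO_SIGNED:
        code[off] = UNSIGNED_TO_SIGNED[op]
    else:
        raise ValueError(f"no short signed/unsigned Jcc at {off:#x}")

def patch_sub_esp(code, off, new_size):
    """Rewrite the imm32 of `sub esp, imm32` (opcode 81 /5). Only this form can
    hold any frame size in the same number of bytes; the 83 /5 imm8 form cannot
    be enlarged in place. A bigger frame only moves the buffer away from the
    return address when locals are addressed relative to esp; ebp-relative
    locals keep their distance from the saved return address."""
    if code[off:off + 2] != b"\x81\xec":
        raise ValueError(f"expected 'sub esp, imm32' at {off:#x}")
    old = imm32(code, off + 2)
    struct.pack_into("<I", code, off + 2, new_size)
    return old

def patch_push_imm32(code, off, new_value):
    """Rewrite the imm32 of `push imm32` (opcode 68), e.g. the n of read(fd, buf, n)."""
    if code[off] != 0x68:
        raise ValueError(f"expected 'push imm32' at {off:#x}")
    old = imm32(code, off + 1)
    struct.pack_into("<I", code, off + 1, new_value)
    return old

def patch_service(code=CODE):
    """Apply the three patches; none of them changes the code length, so no
    other offset in the binary shifts."""
    patched = bytearray(code)
    swap_jcc(patched, JCC_OFF)                     # jg -> ja: negative len now rejected
    patch_sub_esp(patched, SUB_ESP_OFF, 0x100)     # 0x80-byte frame -> 0x100
    n = imm32(patched, PUSH_OFF + 1)
    patch_push_imm32(patched, PUSH_OFF, n - 1)     # read(..., n) -> read(..., n - 1)
    assert len(patched) == len(code)
    return bytes(patched)

if __name__ == "__main__":
    print(CODE.hex())
    print(patch_service().hex())
```

Library-call swaps (strcpy to strncpy, gets to fgets) need a different tool: the replacement takes more arguments, so you either redirect the PLT entry to a wrapper you inject, or use LD_PRELOAD as the last item in the list above.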
- any hex editor
- IDA Pro
- keystone
- HT editor
- Cheat Engine
- how2heap by shellphish
- heap exploitation, SROP, ret2dl_resolve by angelboy
- Tricks by Dragon Sector
- CTFtime for finding CTFs and write-ups