InCTF '14 Round 1: Learning Round

I hear and I forget. I see and I remember. I do and I understand. - Confucius


This is a guide from Amrita University, from when they conducted their beginner-level CTF competition.


Introduction

One whose knowledge is confined to books and whose wealth is in the possession of others, can use neither his knowledge nor wealth when the need for them arises. - Chanakya

Welcome to InCTF '14, India's national level CTF-style hacking contest. We are glad that you decided to participate. Our main aim in conducting this event is to spread awareness about cyber security and secure coding practices. We would like the participants to develop hands-on experience with secure coding practices and help generate interest in the field of cyber security. As you are aware, the contest has three rounds. The first round is the learning round. We strongly encourage you to have 5 members in your team; otherwise you will find the final round very difficult. This document lists the tasks to be done by each team. These tasks will help the teams to be successful in the next two rounds.

Please note once again that this contest is meant ONLY for students from India who are currently enrolled in a university program. You must have a faculty mentor. During verification, if we find out that this is not true your registration will stand canceled.

Tasks

These tasks are designed to help you get started with security and learn about secure coding practices. These are not difficult tasks and you should be able to do them with the help of the Internet. If you still have problems or get stuck, please feel free to get in touch with us.

Arise! Awake! And stop not till the goal is reached! - Swami Vivekananda

Task Set 1

Students 1 & 2
Download and install VirtualBox. Install any version of Ubuntu in VirtualBox. If you are not familiar with using any Linux distro, do familiarize yourself with Linux. You should be comfortable finding your way around the Linux environment. The final round will use a Linux distro.

Student 3
Learn PHP from http://w3schools.com/. You should also be familiar with SQL. Learn to install LAMP. At the end of this exercise the student must be comfortable writing a small application with a login page that connects to a MySQL database to retrieve data. Students must also be familiar with starting, stopping and restarting Apache and MySQL, and know where these applications write their log files.

Students 4 & 5
Register with http://hackthissite.org/. Your user name must be your TeamName_InCTF, e.g. if your team name is Crypto Nerds then your registration id must be CryptoNerds_InCTF. Complete the basic missions. If you have already registered with another account you can quickly complete this. This will help us to track how much you have completed in the basic missions.

Task Set 2

There is no failure except in no longer trying. There is no defeat except from within, no insurmountable barrier except our own inherent weakness of purpose. - Elbert Hubbard

Students 1 & 2
Using iptables, block pings from a particular IP address. Learn basic networking concepts and tools in Linux (e.g. usage of basic networking tools and commands like traceroute, ifconfig, top, whois, arp, restarting the networking service, securely copying files from one Linux machine to another, ftp, ssh, how to do IP forwarding, etc.).

Students 3 & 4
How do I harden MySQL? (Basic steps to secure a MySQL installation.) How do I back up data in MySQL? Where is the MySQL configuration file located?

Student 5
How do I harden Apache? How do I know if Apache is running or not? How can I make it run on port 8090 instead of its default port?

Task Set 3

Satisfaction lies in the effort, not the attainment. Full effort is full victory. - M K Gandhi

Students 1 & 2
Study of buffer overflow attacks. Some resources:
http://www.owasp.org/index.php/Buffer_Overflow
http://www.linuxjournal.com/article/2902
At the end of this the student must be able to identify a piece of code that is vulnerable to buffer overflow and patch it (C, C++, PHP, Java, etc.).

Students 3 & 4
Study of SQL injection and cross-site scripting. At the end of this the student must be able to identify a piece of code that is vulnerable to SQL injection and cross-site scripting and should be able to patch it.

Student 5
Learn the basic usage of Wireshark to capture packets. Open a browser and go to http://irctc.co.in/. Start Wireshark on the same machine, then enter any user id (need not be valid) and a bogus password on the irctc.co.in website and submit it. As soon as you get the invalid user id message, stop the capture. Filter out only the communication between your browser and the irctc.co.in website. Go through the trace file and let us know what you conclude. Save the trace file using the file name TEAMNAME_IRCTC.PCAP and send it to us via email. At the end of this exercise students must be comfortable using Wireshark to capture packets and be familiar with some of the basic options of the tool.

Team tasks

Coming together is a beginning. Keeping together is progress. Working together is success.

All team members are requested to be familiar with the below tasks.

a) Learn ethical hacking terminology using flashcards from http://samsclass.info/124/flashcards/index.html. The site gives an idea of the terminology and definitions used in ethical hacking. You can go through it quickly to get a very broad overview. (Need not go over it in detail.)

b) Learn about phishing attacks from https://www.staysecureonline.com/staying-safe-online/. You should easily be able to identify a website as genuine or fraudulent after going through the above. Summarize how you will identify a phishing site.

c) If you do not have a blog, create a blog for yourself (link to tutorials etc.) using any service of your choice (WordPress, Blogspot, Rediff, etc.). Write up an article based on what you have learned so far and publish it in your blog. For example, it could be How to Install VirtualBox on Windows XP, an iptables tutorial, buffer overflow, hardening MySQL, etc. Each team member must write an article (and it must be different from the other team members'). Please don't just copy-paste, but write in your own words and make it as descriptive as possible so that even a beginner can understand how to use your tutorial. This could also help your resume later if you continue with it after the contest. You are required to email us the link to your article when done. (In a team of 5 we expect 5 separate links.) Please note that if there are five students in a team then we expect five different blogs and five different articles, one in each blog.

Questions

When you are inspired by some great purpose, some extraordinary project, all your thoughts break their bonds: your mind transcends limitations, your consciousness expands in every direction, and you find yourself in a new, great, and wonderful world. Dormant forces, faculties and talents become alive, and you discover yourself to be a greater person by far than you ever dreamed yourself to be. - Patanjali

Part 1 (Topics - Linux, Networking, Network Tools)

Attack every problem with enthusiasm as if your survival depended upon it.

1. Dwarakesh used my computer last night, and changed my password and the root user's password. Now he says he is smarter than me :( I want to prove that he is not, and I need your help. I want you to reset my Debian Lenny's root password to "inctfroot" and user hrishi's password to "inctfhrishi". Do you think you are up to it? Also, I want to know where and how my passwords are stored so that I can be smarter next time. Could you help me with it?

2. Even though you helped me to change my password, my brother somehow took physical control of my laptop and changed the password again, even though I had blocked unauthorized people from editing the GRUB menu by putting a GRUB password. How is it that he hacked in? How do I reset my root password to "inctfroot"? How do I prevent him from hacking my system even if he has physical access?

3. It has been a while since I installed MySQL and I seem to have forgotten my password. Is there any way to log in to MySQL and reset the password to inctfmysql?

4. When I was chatting, some guy said "Dude, your ssh port is open. Close it already!" I couldn't understand a word of what he said. Is there a way to see what ports are open on my computer and what applications are running on them? I also want to know how to start and stop applications from running. Can you help me?

5. I want to connect three computers (named A, B, C) as if they were in an internal network. I want all of them to access the internet via a single ethernet cable which can assign only a single IP address to one computer only. I know it is possible, but don't know how. Can you help me do this task?

6. I have plugged in my USB pendrive, but it is not mounting automatically. I want to mount it manually. Where do I view the logs and how do I troubleshoot this issue?

7. A custom written service claims to run on my system on port 2290. How do I verify this?

8. When I went to /var/cache/apt/archives and tried moving some packages into this folder, it said Permission Denied. How do I view the permissions of a file/folder and how do I change them?

Did you know?
The Turing Award is recognized as the highest distinction in computer science and as the "Nobel Prize of Computing". Read more about it at http://en.wikipedia.org/wiki/Turing_Award

Part 2 (mysql, apache, hardening, log file, php log file etc)

1. I just made my own blog! Pretty cool huh? But my friend changes the URL and somehow gets my directory listing (it has got files and I don't want to show anyone). I just don't want him or anyone to see the listing! What would be the easiest way I could do something about this?

2. It has been a while since I installed MySQL and I seem to have forgotten my password. Is there any way to log in to MySQL and reset the password to inctfmysql?

3. Do you think Apache always runs as the root user? If so, how do I set it to run as user xyz?

4. Where are the configuration files for apache2 and how do I change the document root for a site?

5. Where are the error logs for Apache stored?

6. I have a web application written in PHP. How do I access and administer the MySQL database from the web application?

7. What is the program SSH used for? On which port does it run, and where is the configuration file stored?

8. I am using a system running Ubuntu 12.04. I have a C program's executable, but I want it to execute automatically during startup and also in the background. How do I do this?

Did you know?
The world's most widely used sorting algorithm is QuickSort, invented by Sir Tony Hoare at the age of 26. Read more about him at http://en.wikipedia.org/wiki/C._A._R._Hoare

Part 3 (crypto, phishing)

Note: The files for questions 1 and 4 can be obtained by running the following command: git clone https://bitbucket.org/inctf/inctf-round-one-crypto.git

1. My friend Varrun once left his laptop, which was running Debian Lenny, unsecured in my hands. I hacked in and started viewing some of his personal data. I then stumbled upon an interesting file named "Varrun_Personal". I wondered what it was, but couldn't retrieve the data as the file was encrypted. There was also a text file next to it titled "README" which had the following contents:
Mechanism - DES-EDE3-CFB
Filename - Varrun_Personal
Passphrase - varrun
I have no idea what it means! Could you please get the data from the encrypted file for me? (File available in the git repository.)

2. You are downloading the file httpd-2.4.6.tar.gz from http://httpd.apache.org/download.cgi. What is the use of the [PGP] [MD5] [SHA1] links that you see on the site? Explain how you can use them.

3. Generate the MD5 hash of the file ls (the ls Linux binary).

4. The below file is encrypted with our private key. Decrypt it with the public key available. (File available in the git repository.)

5. What is the CIA triad? What are the current methods available to ensure CIA?

6. How do I get the public key of the website https://www.verisign.com? (There is more than one way to get it; list all the ways you can think of.)

Did you know?
Vinton Cerf is the person most referred to as the father of the internet for his contributions to the development of the Internet. http://en.wikipedia.org/wiki/Vint_Cerf
This is the link to the original 1974 paper that is the birth of the TCP protocol: http://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf

Part 4 (secure coding, attacks)

1. I have a custom written "echo" program in C, running on port number "1220", which echoes back the first 16 characters of whatever is given as the first command line argument. But somehow, my brother got unauthorized remote root access. The program is given below. How did he do it? Please give the exploit code and explain how it works.

#include <stdio.h>
#include <string.h>

void echo(char* input)
{
    char buf[16];           // buffer to limit the input size to 16 characters
    strcpy(buf, input);     // copying first 16 characters to the buffer
    printf("%s\n", buf);    // printing back the first 16 characters
}

int main(int argc, char **argv)
{
    echo(argv[1]);          // call the function to print the first 16 characters
    return 0;               // denote that the program has finished executing successfully
}

2. OK, since the previous echo program was vulnerable, I simply modified it and removed that vulnerability. But still, my brother got unauthorized remote root access. The program is given below. How did he do it? Please give the exploit code and explain how it works.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char command[50] = "echo ";
    strcat(command, argv[1]);   // concatenate the input so that the final command is "echo " followed by the input
    system(command);            // call the system() function to print the input
    return 0;                   // denote that the program has finished executing successfully
}
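Added example, not part of the InCTF guide: the two echo programs above rewritten without their defects, which is the "patch it" half of Task Set 3. echo_bounded enforces the 16-character limit the first program only claims in its comments, and echo_direct prints the argument without ever building a shell command, so there is nothing for system() to interpret. The function names and the ECHO_MAX constant are my own.

```c
/* Hardened counterparts of the two vulnerable "echo" programs (added example). */
#include <stdio.h>
#include <string.h>

#define ECHO_MAX 16   /* the limit the first program's comment promises */

/* Copy at most ECHO_MAX characters of input into out, which must have room
 * for ECHO_MAX + 1 bytes, and NUL-terminate it. Returns the number of
 * characters copied. The amount written depends only on ECHO_MAX, never on
 * the caller's input length, so an over-long argument cannot overrun out. */
size_t echo_bounded(const char *input, char *out)
{
    size_t n = 0;
    while (n < ECHO_MAX && input[n] != '\0') {   /* stop at the limit or the NUL */
        out[n] = input[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Echo without a shell. The second program built "echo <input>" and handed it
 * to system(), so shell metacharacters in the argument became commands.
 * Writing the argument straight to stdout involves no interpreter at all.
 * Returns 0 on success and -1 when no argument was supplied (the originals
 * dereference argv[1] unconditionally and crash when it is missing). */
int echo_direct(const char *input)
{
    if (input == NULL)
        return -1;
    fputs(input, stdout);
    fputc('\n', stdout);
    return 0;
}

int main(int argc, char **argv)
{
    char buf[ECHO_MAX + 1];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return 1;
    }
    echo_bounded(argv[1], buf);       /* first program, fixed: at most 16 chars */
    printf("%s\n", buf);
    return echo_direct(argv[1]);      /* second program, fixed: no system() */
}
```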

3. I was just going through some PHP code yesterday; what's "magic_quotes()" all about?

4. Yeah, I took it from the tone of your last reply that I'm bothering you too much with all these questions; I'm really sorry, but no one seems to know better than you about this! I just read that PHP attacks can be used to change the DOM of a page. What's that all about?

5. A site that I frequently visit is songs.pk. I was told recently that this site is distributing malware which could infect my computer, and as a result my computer could become part of a botnet. How do I verify if this is true? (How do I find out if a website is distributing malware?) There is more than one way to find this out. List all the possibilities you can find out about.

6. Submit the Level 10 password to the wargame IO on http://smashthestack.org/.

Did you know?
Adi Shamir was one of the inventors of the RSA algorithm - http://en.wikipedia.org/wiki/Adi_Shamir
He was the author of the paper titled "How to share a secret", a must read for all CS students: http://www.caip.rutgers.edu/~virajb/readinglist/shamirturing.pdf

Part 5 (cyber laws, misc, reporting crimes, spam etc)

1. Is there any site where I can get approximate statistics on how many web defacements are happening in India? I just read this. It is sad really, a country with so many talented people and very few of them paying attention to security.

2. You get the below email:

Subject: Dear Gmail Subscriber Confirm Your Account.

From: "Gmail Web Support Team"

Dear Webmail Account Owner,

This message is from web mail admin messaging center to all web mail account owners. We are currently upgrading our data base and e-mail account center. We are canceling unused web mail email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know it's status as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .............
Email Password : ................
Date of Birth : .................

Warning!!! Any account owner that refuses to update his or her account within Three days of this update notification will lose his or her account permanently.

Thank you for using web mail
Support Team
Warning Code : ID67565434

What would you do? Explain.

Reverse Engineering

General Instructions: Finish up all the tasks, group the solutions in folders named a1, a2, ... etc., zip the whole thing and send it over to us when you are done. Clone the binary file and executable file, which are needed for the questions, from the repository: git clone https://bitbucket.org/inctf/inctf-round-one-reversing.git

1. Question: Find the key. (Download the file from the repository.)
Hint: check out the hexdump.

2. You are to use either OllyDbg or Immunity Debugger; you could use IDA Pro's debugger but we think OllyDbg could be simpler for debugging purposes. You could always use IDA for disassembly. However, in the exercises below you will be doing more debugging than disassembly; hence, I recommend a debugger rather than a disassembler.

[ ] Download Lena's tutorials from http://tuts4you.com/download.php?list.17 and go through sections 1, 2, 3, 4, 5, 19, 20, 21, 22. You might have to go through other intermediate sections/other reading material.

3. You are to use either OllyDbg or WinDbg for the following. Send us screenshots of the tasks you have completed.

[ ] Use calc.exe on 32-bit XP Professional for this lab.
[ ] Show the memory map of the executable.
[ ] Show the imported DLLs and their memory map (not the imported functions).
[ ] PE header of calc.exe
[ ] Import Table address of calc.exe inside its PE header

4. Use the executable present for this lab. As before, you are to send screenshots. (Download the file from the repository.)

[ ] Find the type of packing used.
[ ] Unpack using OllyDbg/Immunity.

5. Create an executable which prints whether a debugger is present or not by checking the NtGlobalFlag field, in a programming language of your choice. Send us the executable.

6. Hola! From this point on, you are all by yourself. Work on crackmes, unpackmes and build up your skill.

Did you know?
The paper by Saltzer and Schroeder titled "Protection of Information in Computer Systems" is a classic paper published in 1974. It is a must read for students aspiring to study security.
PDF Version: http://www.ece.cmu.edu/~ece732/readings/protection_information.pdf
HTML Version: http://www.cs.virginia.edu/~evans/cs551/saltzer

Did you know?
The first compiler was written by Grace Hopper, in 1952, for the A-0 programming language. http://en.wikipedia.org/wiki/Grace_Hopper
The Grace Hopper Women in Computing award is named after her: http://gracehopper.org/2010/

Contact

In case you have any questions please feel free to contact us via email or chat. If you are stuck we can help you to get the answers.

Email
Official email: [email protected]

IRC Chat: #inctf at irc.freenode.net

Thank you! We hope you enjoyed solving these questions as much as we enjoyed preparing them for you. We sincerely hope that you have learned lots of new things and gained new confidence. We would love to hear from you about your experience; please do share it with us. This will help us to do better next time.