What the flag is CTF?

Video thumbnail (Frame 0) Video thumbnail (Frame 987) Video thumbnail (Frame 1832) Video thumbnail (Frame 2929) Video thumbnail (Frame 4268) Video thumbnail (Frame 6566) Video thumbnail (Frame 8791) Video thumbnail (Frame 11221) Video thumbnail (Frame 12196) Video thumbnail (Frame 13575) Video thumbnail (Frame 14890) Video thumbnail (Frame 16777) Video thumbnail (Frame 18752) Video thumbnail (Frame 20112) Video thumbnail (Frame 22399) Video thumbnail (Frame 23774) Video thumbnail (Frame 25011) Video thumbnail (Frame 27144) Video thumbnail (Frame 28163) Video thumbnail (Frame 29423) Video thumbnail (Frame 30236) Video thumbnail (Frame 31207) Video thumbnail (Frame 32012) Video thumbnail (Frame 32893) Video thumbnail (Frame 34287) Video thumbnail (Frame 35599) Video thumbnail (Frame 36580) Video thumbnail (Frame 38971) Video thumbnail (Frame 40582) Video thumbnail (Frame 42155) Video thumbnail (Frame 43134) Video thumbnail (Frame 44696) Video thumbnail (Frame 45568) Video thumbnail (Frame 46523) Video thumbnail (Frame 47701) Video thumbnail (Frame 50559) Video thumbnail (Frame 52623) Video thumbnail (Frame 53451) Video thumbnail (Frame 54701) Video thumbnail (Frame 55630) Video thumbnail (Frame 56595) Video thumbnail (Frame 58970) Video thumbnail (Frame 61628)
Video in TIB AV-Portal: What the flag is CTF?

Formal Metadata

What the flag is CTF?
Title of Series
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Every year since 2011 on the 28C3 we organize a Capture the Flag contest for people on the Congress and from all over the world. This year we want to give you an overview about what a CTF is, the challenges, the players, the community and how much fun it is to play (not only our) CTF.
Keywords Security

Related Material

Video is cited by the following resource
Roundness (object) Video game Musical ensemble Semiconductor memory
Flag Bit Game theory Mereology Asynchronous Transfer Mode Flag
Word Group action Hacker (term) Information security Spacetime
Domain name Slide rule Asynchronous Transfer Mode Tournament (medieval) 1 (number) Motion capture Computer Mereology Time domain Different (Kate Ryan album) Game theory Information security Information security Bounded variation Game theory Asynchronous Transfer Mode Flag
Point (geometry) User interface Category of being Different (Kate Ryan album) Point (geometry) Flag Game theory Category of being Asynchronous Transfer Mode Flag
Algorithm Service (economics) Algorithm Code Virtual machine Code Binary file Cryptography Exploit (computer security) Computer programming Web 2.0 Category of being Web application Cryptography Software Different (Kate Ryan album) Calculation Software framework Game theory Category of being Asynchronous Transfer Mode Reverse engineering
Point (geometry) Asynchronous Transfer Mode Server (computing) Game controller Service (economics) Real number Virtual machine Rule of inference Medical imaging Roundness (object) Virtuelles privates Netzwerk Term (mathematics) Cuboid Damping Game theory Task (computing) Service (economics) Server (computing) Point (geometry) Computer network Control flow Software Game theory Asynchronous Transfer Mode Flag
Point (geometry) Information management Crash (computing) Service (economics) Flag Cuboid Menu (computing) Ranking Binary file Number Flag
Mobile app Multiplication sign Game theory Hacker (term) Mereology
Multiplication sign Flag Cuboid Statistics Sinc function Task (computing)
Information management Image resolution Simultaneous localization and mapping Raw image format 2 (number) Number Prime ideal Term (mathematics) Oval Energy level Hacker (term) Summierbarkeit Formal grammar
Reading (process) Mobile app Assembly language Multiplication sign Binary code Electronic mailing list Bit Exploit (computer security) Formal language Event horizon Internetworking Term (mathematics) Spacetime Gastropod shell Videoconferencing Hacker (term) Summierbarkeit Game theory Reverse engineering Buffer overflow
Slide rule Group action Link (knot theory) Multiplication sign Binary code Exploit (computer security) Internetworking Different (Kate Ryan album) Blog Videoconferencing File archiver Video game Game theory Window YouTube Buffer overflow Task (computing)
Execution unit Uniform resource locator Estimation Flag Hacker (term) Descriptive statistics Flag
Injektivität Computer font Injektivität Computer file Source code Menu (computing) Mereology Uniform resource locator Inclusion map Function (mathematics) Object (grammar) Local ring Vulnerability (computing)
Trail Slide rule Game controller Constructor (object-oriented programming) Code Mountain pass Sheaf (mathematics) Parameter (computer programming) Mereology Graph coloring Variable (mathematics) HTTP cookie Social class Default (computer science) Source code Block (periodic table) Boilerplate (text) Constructor (object-oriented programming) Data storage device Parameter (computer programming) Bit Line (geometry) Variable (mathematics) Uniform resource locator Green's function Function (mathematics) String (computer science) output Social class HTTP cookie Object (grammar)
Module (mathematics) Structural load Multiplication sign Constructor (object-oriented programming) Parameter (computer programming) Parameter (computer programming) Control flow Mereology String (computer science) Information HTTP cookie Object (grammar) HTTP cookie Social class
Computer file Constructor (object-oriented programming) Constructor (object-oriented programming) Planning Parameter (computer programming) Object (grammar) HTTP cookie Control flow HTTP cookie Social class
Source code Carry (arithmetic) Computer file Computer configuration Function (mathematics) Computer file Source code Planning Reading (process) Element (mathematics) Social class Substitute good
Constraint (mathematics) Different (Kate Ryan album) Flag HTTP cookie Mereology Social class Element (mathematics)
Slide rule Server (computing) Greatest element Computer file Content (media) Systemdatei Function (mathematics) Content (media) Element (mathematics) 2 (number) Data flow diagram Function (mathematics) Flag Process (computing) Physical system Data type
Server (computing) Server (computing) Decimal Exploit (computer security) Directory service Mereology Evolutionarily stable strategy Data model Root Error message Software Flag HTTP cookie
Modal logic Slide rule Multiplication sign Bit Web browser Exploit (computer security) Neuroinformatik Web 2.0 Data model Process (computing) Software Software Game theory Information security Vulnerability (computing)
Real number Multiplication sign Artistic rendering Chain Volumenvisualisierung Web browser Escape character Mereology Exploit (computer security) Web browser Vulnerability (computing)
Web page Server (computing) Service (economics) Computer file Multiplication sign Virtual machine Exploit (computer security) Maxima and minima Open set Web browser Mereology Time domain Uniform resource locator Virtual reality File system Videoconferencing Flag Computer worm Volumenvisualisierung Website Booting Mathematical optimization Vulnerability (computing) Physical system Task (computing) Source code Service (economics) Touchscreen Patch (Unix) Web page Computer file Web browser Virtual machine Graphical user interface Type theory Uniform resource locator Interface (computing) Website Right angle Physical system Booting Flag
Touchscreen Server (computing) Service (economics) Patch (Unix) Virtual machine Exploit (computer security) IP address Perspective (visual) Uniform resource locator Virtual reality Videoconferencing Website Sanitary sewer Vulnerability (computing) Service (economics) Patch (Unix) Image resolution Server (computing) Binary code Exploit (computer security) Web browser Virtual machine Uniform resource locator Personal digital assistant Website Row (database) Address space Booting
Point (geometry) Mobile app Service (economics) Code Web browser Uniform resource locator Plane (geometry) Type theory Uniform resource locator Process (computing) Personal digital assistant Flag Text editor Physical system Flag
Point (geometry) Group action Just-in-Time-Compiler Service (economics) Real number Mathematical singularity Source code Exploit (computer security) Compiler Mereology Uniqueness quantification Flag Information security Game theory Vulnerability (computing) Source code Vorwärtsfehlerkorrektur Vulnerability (computing) Execution unit Point (geometry) Bit Web browser Demoscene Computing platform Social class Right angle Escape character Information security Physical system Flag
Software Right angle Musical ensemble Software-defined radio
Duality (mathematics) Wave Software Core dump Software-defined radio
Wave Service (economics) Software Software developer Telecommunication Unit testing Open set Remote procedure call Theory Spectrum (functional analysis)
Trail Functional (mathematics) Code 1 (number) Control flow Spyware Web browser Mereology Number Gastropod shell Flag Task (computing) Standard deviation Email Information Content (media) Mereology Multilateration Control flow Subject indexing Message passing Uniform resource locator Software Personal digital assistant Buffer solution Right angle Text editor
Area Hacker (term) Authorization Table (information) Spacetime
Point (geometry) Link (knot theory) Multiplication sign Universe (mathematics) Gradient Video game Game theory Mereology Information security YouTube Number
Point (geometry) Video game
Goodness of fit Software Multiplication sign Control flow
Word Array data structure Software Internetworking Personal digital assistant Real number Ordinary differential equation Web browser Game theory Exploit (computer security) Number Software bug
Pulse (signal processing) Multiplication sign Cartesian closed category Musical ensemble Semiconductor memory
[Music] since the 2083 there has been at least one capture-the-flag every year so the next three speakers that we have are always organizing a captured of life they were here representing all their team please welcome with a huge round of applause and easy Lu and Malo and welcome from
our side to a talk what the flag is CTF this talk is going to be a foundation talk and we want to tell you what a CTF
is how to play it what game modes there are this is the first part of the talk a bit of an introduction and after that we're going to show you three challenges that we prepared for this year's CTF so should you actually decide that you want to play a CTF in the future you know
what to expect when you when you actually play it yeah so if a few words about us our team is called eat sleep on
repeat or espr for short we are a CTF team and I know how long we even existed
must have been like three or four years now maybe in five and we are all just people who in our free time we're interested in IT security and we got together in hacker spaces or the University and we just started playing CTF and everybody participated and that's well how a group formed and now we are eat sleep on repeat yeah that's that's that's all there is to it I'm
always talking about a CTF what you actually don't know maybe you actually don't know what a CTF actually is so CT f stands for capture the flag and for the older ones of you this has nothing to do with the Unreal Tournament game mode it's except for the name and that there are flecks a city Ave is a contest between different teams where all the teams solve different challenges that are somehow related to the IT security domain a CTF usually can be played in two main game modes of course there are variations to them but these are the two modes that you generally have the first one is the attack and defense style and the second one is the Japanese style you see in the next slides what I mean by that over the years it's absolutely crazy how the community grew when we started playing they were just a handful of CTFs per year now if you check out
how many CTS there are you can actually play a city of every weekend and all these CTS are usually organized by other CTF teams so that there's a lot of work but I also done by other teams to organize these city IRB's and it's essentially all completely community driven and if you want you can relatively easily easily be part of that as well and that's that's what the goal of this talk is essentially now I
mentioned the japanese-style CTF that is the the easiest game mode that you that you have and it's also the easiest to organize because it resembles a Jeopardy game that the game show the American game show where we have different categories of of puzzles with different difficulties and according to the difficulty you are awarded a certain amount of points when you solve that challenge and either the amount of points is is fixed so you get I don't know 100 200 300 400 500 points for a challenge according to the difficulty or nowadays often we have dynamic scoring so the more people challenged the more often a challenge is solved by people the less points you're going to get because it's actually relatively hard to to define what your challenge should be worth and the to play that game it's
it's actually really easy you just pick a challenge look at it now you try to solve it you submit the flag on a web interface somewhere you get points and you just repeat that until you solved everything or you are in the first place and of course the winner is the team with the most points if there is a tie the the team that got first to that amount of points wins the typical
category is that you have on a japanese-style CTF are stuff like for example pone where you have classic binary exploitation you get some network service somewhere and you need to connect to that service and do some weird stuff to it to get code execution and run your own programs on that machine that you're that you're owning crypto custom crypto algorithms that are implemented or crypto algorithms that are used in the wrong way that you need to find out why that is and then you can use that to usually decrypt something or recreate a key or whatever web the usual stuff that's normally that's that's just web applications in all kinds of different frameworks and server-side and client-side and whatever they're all is or if your ESP are we we had a joke category once I think where we put browser exploits in there and so it's not really web but there was just just a joke and then stuff like
reversing for example we have to reverse engineers some executable and try to find out what it does and reverse engineer some mathematic calculations and whatever the next game mode is
attack and defense and that's the more classic mode there are just a few per year because it's very hard to organize because you hack in quote marks real services on real servers on real networks because every team gets a virtual machine image which contains which essentially is a server which contains services that are specifically crafted for that CTF where somebody plays box in there and all these machines are connected over VPN and the teams can reach each other and the goal is everybody acts the service services of everybody else and steals data from these from these vulnerable machines and then you can submit that to a game server and then you are awarded scores and of course if you have full control over the machine your task is also not only to exploit the other teams but also to fix your own stuff so that you don't get exploited anymore so there also you need to make sure that your services stay up because if they are down usually you don't get any points awarded for flex you steer and stuff like that so there are three main things you need to do you need to fix your stuff and remove the Box you need to find the box and exploit them on other people's machines and you need to keep everything online yeah as I said
the main scores there are usually offense defense and SLA that's what I mentioned either attack other people's services defend your own services and keep them online this is usually played in rounds every round starts from scratch and you get points awarded per round and after that all the points are added and the team with the most points wins there are a few things that are different in every attack and defense CTF in terms of the rules but that's the general stuff that always happens this
is what a typical scoreboard looks like
when you play an attack and defense CTF this for example was from russi TFE and yeah I took the one where we were in the first place and you see in the different columns you see all the services that are available like for example a crash the bin weather cartographer and so on and the the the red and yellow at the red and blue boxes mean the services up or is down I can see how many flags we scored what the SLA was and percent so how many uptime there's downtime that we have how many flags we lost that's the the the the number in the bottom right corner in every box like minus 32 for crash so we lost 32 Flags there and we stole 15,000 flags and then the FP is just the flag points now you add everything together and you get the lecture of your main score and a ranking of the teams so now that you
know how to play a CTF why even why even do it I mean yeah so it's relatively obvious it's pretty cool to play because you can actually hack stuff completely legally because well that's part of the game it's fun it's fun to to to learn new stuff and you learn a lot of new stuff during the CTF but also after the CTF when you talk to other teams and try to find out what a solution was on everything and then yeah you make friends during that for example we are one of our our friends is the the Polish dream team Dragan sector and every time we meet we have some beers and we chat about the CTF and everything and we actually made made some good friends there and also you you may be able to
travel around the world so city apps are held locally sometimes you need to qualify for it and then you can fly around the world and play locally a CTF and maybe even win something so yeah our
CTF that we organized we we do this as
already announced every year since 28c 3 I can see a few logos there from the past years we always try to match the Congress team and this year we had in the main CTF we had 636 teams that at least submitted one flag we had a small flag a small task that we call sanity check we just needed to paste a string into into the flag box just to see how many teams were online and there that was 636 teams we had 30 challenge and these 636 teams solved them 1457 times so 1457 flags were submitted by all the teams on all the tasks we also had a few guest challenges this year so not all channels were made by us so we would like to thank Co Quixote's je vois in cabeza and un chien for for
ideas or even complete challenges that we were able to deploy and had the people solve and the three winners are KGC and macaroni pasta non on the second place and Dragons sector on the third so
yeah congratulations again to them and
because every year this this ETF's got
more and more complicated and very hard to solve for beginners last year we introduced a junior CTF with easier challenges that more closely matches the difficulty level when we started actually when we started playing CTF and there we have the same stuff we had 520 teams so not that much teams but 33 challenges that we deployed and 2761 solves in total so they solved actually more stuff than the main CTF in terms of raw numbers of challenges and again we had some guests a guest joining us gets challenges by Huck's Dominic prohm and troll demoted so thank you and the winners are a mate in M I am the second place is Sno and the third one is an egg
and so now that you know what is going
on during a city of what do you need if you if you really want to play so the
first one you need is actually you need a CTF there is a cool website that's called CTF time the Roark you can check it out and get a listing of all upcoming city apps and can just register on that CTF and then once it goes live you can play in terms of skills you don't need that much you do you actually need to be able to program you need to know a scripting language to do all your dirty work like if you need to parse a file or if you know dislike some network traffic stuff like that for reverse engineering and binary exploitation you absolutely unfortunately need to know assembly language and a bit of reverse engineering skills to tie all that together you need to basically in Excel skills because the the tools under Linux
are just well better suited then on Windows but you of course you can own Windows you can just use the window the Linux subsystem nowadays it works the same and so to learn pawning and binary exploitation you can play so-called war games in the last slide there are a few links you can check them out and there's one of there and so that's war game is essentially a CTF that's always online and you can you can go through it at your own pace without any time restrictions you can check out older CTF to learners there are archives on the internet you can just download them and run them locally and try to exploit them and it has been so there are so called write-ups by other CTF teams sometimes when another city of team solved the challenge and they thought it was a cool challenge somebody's going to do a write up on that and explained in a blog post or whatever how it was solved so you can read that and learn stuff if you're more of a video person there's somebody on YouTube called life overflow from the city I've seen and he's doing awesome videos on different CTF tasks and he goes through it like how he solved it and what the idea behind the challenge was and so on and of course you don't want to play this alone because it's more fun to do this with other people and just use the internet try to find the groups try to find like-minded people or just go to a hackerspace and ask around somebody's interested and every now and then you can play a CTF or do the war game stuff and so on like just like we did okay now that we
explained to you what was going on and during a CTF I'd like to hand over to Molly who is going to show you some challenges we had she okay I'm going to
give you an idea how to approach such CDF challenges and I can highly recommend this book from chip oh yeah on how to solve problems and as an example I'll I took challenge from the Junior
CTF called blind and this is the description yeah hacking blind and then URL with the path to the flag and it's estimated as a medium difficulty challenge at least in a junior CDF and it's based on a park found by RipStik in 2017 and approaching a challenge to
approach a challenge it is needed to understand the problem first right so
when you go to this URL you are
presented with this source code it's PHP source code and we're going to walk through it the first part of the
source code is actually a hint it's not needed to exploit the challenge but it's hinting to a vulnerability called PHP object injection and this actually was a the back way could include local files until PHP 5.3 but we use PHP 7.2 and the
next block is a bit of boilerplate code so we have two classes called black and green and what they do is only setting the colors of the syntax highlighting and if you provide store URL parameter you can save the theme in a cookie which comes which is important for later so
the next section was an interesting part because it hints already at the path to exploitation the first one you get in the first step you get the theme URL get parameter and store it in this variable in the next slide in the in the next line you check if it's either the track class name or the cream class name then you check if this class actually exists you set the variables depending on the input and the from the URL parameters and this is the interesting part now you instantiate an object of the given class which could either be black or Korean and you have full control over the parameters you give to the constructor of this class the next part of the code
was also storing the theme but this time from the cookie and then you check if the first part of the cookie is an
existing class then sorry then you pass
the parameters which are stored in the cookie to this to the constructor of the class and you instantiate a object of that class and the last part is just giving you some info what modules are loaded so the back was simply that you
could instantiate an arbitrary PHP object and you control the arguments for its constructor so the next step is to
make a plan so we try to get together
all the things we we have given and what you want to do so we fully control over the data in the cookie and we can instantiate a PHP object of an existing class and we control the argument so what we have to do now is we have to find a class which does nice things like reading a file when giving specific arguments and
there's this handy class called simple XML element which is able to read files XML files from a remote source if you set the option to to you it will even substitute entities in the XML file so this will come this will be important later and now we have to carry out the
plan this is the easy exploit we set a
cookie called theme the first part of the cookie is our class name simple XML element and the second part is the path to the flag and as you can see the flag is con is is printed in the warnings right there so this only works because warnings were enabled so the next thing
you do when solving problems is looking back and what what how could we approach the challenge in a different way or with different constraints and if warnings
weren't and they enabled we were kind of blind that's where the the challenge name comes from and we don't get output and with XML you can include external entities and it works like that you declare an entity and give it a path name and then you yeah you include it in the XML and this is how you could
exploit it so you you get in second XML file from your own server which is at the bottom of the slides and it gets the flag and sends it contents to your own server so when you execute a
simple exploit like this you start a PHP server and then you you call this URL with curl you get presented with request
that looks like that and because we encoded the flag with base64 we have to decode it and then you get the flag this way so next part is for the main CTF by
Syed oh yeah thank you okay yeah thanks
so now you just saw an example of a rather typical web CTF challenge now I know we we have a lot of teams that are really really skilled they have been playing CTF for many years they do computer security as their day-to-day job and so of course we also want to make very challenging and interesting to CTF for these teams right and so one
thing we do is we try to make somewhat realistic challenges based on real-world software and vulnerabilities so yeah on this slide you see some logos of software that we based challenges on in some way for this CTF here now one fun fact we actually this time had three different teams use zero days to two instead of solving the challenge in the intended way they use zero days for the software which is fair game yeah I don't know what that says about our CDF but it's pretty interesting and so what I want to do is now is just or will present two of these challenges I'm gonna present a browser exploitation challenge a little bit and talk a bit about this the set up how to hole such challenge etc yeah so we had
browser exploitation challenges the last two years already now for some years now a browser is they come with the sandbox right so if you just have one vulnerability in the rendering stuff with renders the HTML that's not enough to fully compromised the browser the last years we only had the rendering exploit parts or the real browser stuff but no sandbox now this year we decided we should do a full like a real browser exploit challenge with two parts one part is the rendering exploit the WebKit in this in this this
time and the other part is the sandbox escape and we base that off of real exploit chains that were presented this year or last year so how do you how do you make such a browser challenge what
what we did is we we took where peer this time last year we had chrome and the year before Firefox so this year we used WebKit which is the the browser engine powering Safari for example and we changed we implemented some some buggy optimization somewhere in the JavaScript part so this is the first thing that there's one vulnerability there in the WebKit the next thing we did we wrote some some Mac OS system services again kind of based on real vulnerabilities that were presented this year and and so they will of course also buggy in some way they had some vulnerabilities and then we deployed both the modified Safari and our system services to a Mac OS virtual machine and so then what users can do is they get on the top right here you see that they get a website where they can submit a URL to their exploit right so it's a browser exploit so the exploit is going to be some web page they can here type in there the URL for the exploit and then what happens is on our servers it will boot up virtual machine open Safari with that URL and then the users will get back a
video of that virtual machine booting up and then the goal of the task here is to read slash flag or slash flector txt so some file on the file system and so that what they could do is they could display it on the screen and so then they would see it in the video so yeah here's
pretty much how it looked like from a player's perspective what they would do for this challenge is they would get from us a WebKit patch and those Mac OS services as binary so they would have to reverse-engineer them so then they go and audit for vulnerabilities hopefully find some and they would write exploits so in this case it's it's a malicious website they will host it on some server that they control with the public IP address and then submit this URL to to our yeah scoreboard servicing and then again that would self this virtual machine records the video and shows the video to the players so here's how it
looks like I hope it works yes so this is exactly what the players
would get after typing in the URL into the scoreboard they would get this video feed so let's see what happened here
yeah in the background you see the the modified Safari which is opening the players URL and it's printing some stuff from the exploit blah blah blah and then it so it does a WebKit exploit so it can now run attackers code in the WebKit process and then it's exploiting these system services that we wrote which are running outside of the sandbox and so then it can open or run any commands outside of the sandbox on the system so in this case the exploit starts this text editor app and lets it open slash flector txt and it's probably pretty small but in the top left you can see there it's showing you the flag and now you have to type this into the scoreboard and then you get your points
yeah so why why is this why do we think this is a nice challenge or why do you want to solve this of course I mean this gives you lots of points for the CTF this is actually not one challenge but three challenges um so we made it so that you could solve the sandbox escape part regardless of whether you had this WebKit exploit working so there was was one flag that you got if you only had the the WebKit the Safari Safari part there was one as a flag that you get if you only have the sandbox escape and then there's a third flag if you have post and you combine them into a single exploit yep then you get the third flag
but yeah apart from CTF so we try to also make these challenges so that you maybe are able to learn something new maybe right so the WebKit part it could hopefully teach you or hopefully you would learn a little bit more about JavaScript or just-in-time compiler vulnerabilities on the path to solving that or the Mac OS services yeah we made them so it's it gives you an easy entry into Mac OS security right so this is yeah something to keep in mind we will release source code so for this challenge here it's gonna be up in some hours probably on my github and then yeah it it tries to make it easy to transition from the CTF and maybe go to the real world security scene with challenges like these that give yeah with source code give you a nice entry yeah and that's it from me and next up
is Andy again thank you
[Music] I also did a challenger 2 and dosa you
those of you who are old enough you're going to remember this phone right so the story behind my challenge was that I privately was interested in GSM stuff and I just wanted to know how stuff works and so on so I set up a GSM network at home with the software-defined radio and everything and used old Nokia phones and so on and then I got an idea um I built my own
phone what you can see here is part of
the challenge you can see that I reimplemented the UI of a Nokia phone essentially and it locks on to a GSM network which is not using radio waves but the the GSM traffic is send over UDP multicast traffic in the core network and then I also have like my SDR on there so that my own phone can talk to the real phone as what you just saw and I found this this this feature of that challenge where you don't have radio
waves for communication with the GSM network is usually used for unit tests by the developers of the of the network services to run your own GSM network because they don't want to mess with radios and everything just to test their software so they implemented that this this Ethernet layer to do GSM and that was perfect for a CTF challenge because we don't have we don't only have local players so in theory I could just set up a few STRs and transmit my own GSM network if you have the right licenses and so to do so in the RF spectrum that being another issue but in theory you could do that but somebody from the US or wherever else is not able to
participate in the challenge and we always want to have the capability for remote players to play as well so I set up an open VPN tunnel essentially where the network lives in and your own phone this this target phone that you could exploit I just then join the network using this this-this-this UDP multicast stuff so it was absolutely perfect for that so what
I implement it actually is a barking concatenated SMS the phone only has two features it can send SMS and it can it can receive SMS and your task was to have a phone somewhere on the network that you can only interact with over the network so you can only send it as a mess essentially and but you can send it arbitrary SMS you can send whatever you want you can adhere to the standard but you can also send whatever you want and not adhere to the standard and to weird stuff and on the old Nokia phones on the later ones SMS only have 160 characters and only later Nokia phones you have this thing on the right where it told you how many characters you have left for the SMS and then a slash and then how many SMS you already wrote essentially because what it would do it would split is it would split the SMS message message apart every few 100 characters and then put a header in front of the SMS sent one two or three SMS to the other phone and then the other phone would start to reassemble these SMS once they all arrived and yeah so in in this case the SMS can be split up into up to three parts but the standards allows up to 250 for SMS actually so and all these SMS contains some data as a set in front in the header and they also contain an index
what part that actually is and it starts from one and it goes up to 254 in this case you can well use one two or three and then the SMS content that I'm going to reassemble is somewhere in a local stack buffer and the location where they decoded text from the from that one SMS part is copied to when reassembled is based on the number of the part of that SMS and I in my challenge I'm never checking if that numbers actually one two or three so you can set it to four five six seven eight whatever and you would write out side of that buffer and because the buffer is on a stack the way how processes work is they save some information on the stack to keep track of where they were before they call the function to return that location once they are done with certain tasks and you can override that value and hijack the control flow and then use a technique called Rob to gain code execution on the phone and execute some some code there much like zalo showed with the with the browser where you open the text editor you can connect to another host and get a linux shell essentially on the phone and then you can open the flag with that
that's that that was the talk I would like to thank the whole CTF community that the players that played or CTF other teams that organized the CTF and everybody in the city F community for like being that cool and putting that much effort into not only playing our CTF but also organizing CTFs for us to play and another I also want to thank the assembly team here at the c3 because it's we got our own area this year where
all the CTF teams that were locally could gather around and it was absolutely perfect it looked so cool seeing like 200 hackers sitting on the tables and a space together and just solving our chairs what it was absolutely amazing and yeah thanks again to our guest authors for the challenges and yeah we would be open for questions and answers now
oh and one other thing if you are interested in playing CTF here are a few links with resources that I mentioned earlier check them out this is war game is CTF time and its life overflows YouTube channel check it out if you're interested and yeah we hope that you're part of the CDF the community soon maybe
I can already see that there are some questions in the audience so I would like to start with microphone number to you thanks hold talk actually my university security course was a great CTF we got the grades based on our points on the CTF what are your opinions about this kind of grading how do you feel about university learning places doing CTF for grades I mean for asses
it's it's a hobby and also for us it's a it was a great way to learn new things so I'm personally not completely opposed to that I don't know if I would maybe make the grading dependent on the points but I think it's a it's a great thing to do just as a learning experience so no matter if that's on a university or if you do it in a private life you if you if you just play you're always like we we also when we solve some challenges from other teams we always we are always learning new tricks new stuff and so on so I I don't think it's a bad idea thank you for that
question the next question is coming from microphone three over there what do you do when you were stuck on me on the
toilet at the Tusk oh good question um
often it helps to get somebody else from the team just take a break and go with somebody who is completely unaware of what the challenge looked like through your findings and just talk about the challenge either the other person still has some more ideas to try even though that person might have never looked at the challenge or you are reiterating everything that you have done over the last few hours choose but by just explaining it to somebody else and maybe then you get another idea where to look out or I don't know you start googling stuff maybe maybe there was a similar buck and in some other software that there are multiple things to do but it also happens a lot of times that we are not able to solve a challenge so ct8 playing CTF can actually also be frustrating because you're sitting for 12 hours on a challenge and you just can't make this thing work and you have no idea how to solve it that happens as well because you're just missing a trick but what you then do afterwards is you ask other teams you're asking the IRC channels of the of the CTF you how that was solved you ask for write-ups you read the write-ups you ask other people from the team when you when you see each other next time in person for example here at the Congress and so on and that's how you gain more and more knowledge and experience over time and learn your stuff we can take
one more question there's someone waiting at microphone number two again I first of all I think is this working yeah okay sorry first of all thank you very much for seeing the CDF it's highly appreciated also that you're doing browser exploitation challenges given that it's really hard to set them up and host them for everyone my question is
what's your take on on having peoples of challenges in real world software that you didn't modify as in like this implicitly disclosing bugs in in software I'm not sure if I got the question so you mean people using 0 days for solving our challenge I said yes no we're not I mean all the challenges had modifications that so they had an intended solution that's not an all-day it's it's real-world challenges right so it doesn't really get more real words than using an ode a so we are not against it except if it's against challenged infrastructure which is which is not the case here so it's very game for us I guess the the players say trust us and they trust that nothing happens to their arrays so that's why they do it or some of them but yes also I think I think we can all agree that even if we have an all day it's still the right thing to do would still be to responsibly disclose and not put it out on the internet to put other people in danger I mean that's that's just I mean I never saw that actually happened during a CTF that that there was some some leaked or a that some be got in the wild and and and in the endangered like normal users that so far this never happened let's hope this stays that way I mean it would be bad if it if it would happen you're right thank you very much
unfortunately the time for our question and answer is over but I'm pretty sure the speakers will answer all your other questions after the talk please give a large role of a pulse for undie male and sailor thank you [Music] [Music]