The first CTF (1996-2001) had no clear rules, no.

Now it was time to find and speak to Redis… Well, I will skip this part, as it led us to a dead end from which we would never escape.

CTF originated from the competition game between hackers at the fourth DEFCON in 1996.

Consequently, we can call / and would pass the internal IP check. From this point, we have a request initiated by the internal browser. The HTML is fetched by a headless Chrome that executes the JS.

Registration for the DEF CON 22 CTF season is open. To accommodate international competitors, the qualifying weekend has been moved to May 17-19.

Next, we tested by replying with an HTML document (below) that executes JS to request our server - XSS. When we submitted our server domain in the form, a request appeared in our nginx access log.

```python
from worker import task

url = re.sub(r'http*://', '', )
job = q.enqueue(task, url)
```

Next, we wondered what the worker's job is.

```python
if ("X-Forwarded-For"):
    client_ip = ("X-Forwarded-For")
else:
    client_ip = request.remote_addr

if isIP(domain):
    protocol = "http"
    if client_ip != "172.25.0.100":
        (f"Internal IP address not allowed.")
        return "Internal IP address not allowed", 400
```

The server checks whether the request is sent from 172.25.0.100, a local IP, and since our origin address is our own PC, the request is blocked.

CUJO AI Labs are sharing another write-up about the DEF CON CTF Quals 2022. Getting to the finals was an incredible achievement in itself; finishing as the highest-ranked European team and scoring 10th place overall shows how talented our team is and is the icing on the cake.

However, as soon as we tried to redirect to an internal IP, we received the error "Internal IP address not allowed".

DefCon CTF in Las Vegas is considered to be the most prestigious event of the year; it's the 'World Cup' of Capture the Flags, Payer said.

So, we set up an nginx server which replied with a redirect to / and it worked.
The first idea that we had was to use SSRF to communicate with Redis. The whole service is hidden behind a proxy. It uses a Redis queue to schedule the tasks. The feedback path is used to give feedback about a broken page. The domain/path URL uses Python requests to GET the requested website and modifies all links to work with the proxy. The website uses Flask and provides the following endpoints:

Hope this helps someone else in the future.

The index page (left) and the feedback form (right)

In CTF, this is done through cut-throat competition. But the trick, of course, is figuring out who these hackers are. This enables the event to explore the cutting edge of the amazing things that the world's hackers are capable of.

I have an in-depth write-up of the problem and how I ended up solving it here:

Only the world's top teams make it to DEF CON.

So I set a goal to solve it after the competition so that I could focus on understanding all the different aspects of it without the time constraints. I didn't fully understand the problem on that first day.

For the past six years, Security Innovation has been honored to have our award-winning CMD+CTRL Basecamp cyber ranges featured as a CTF (capture the flag).

The challenge was quickly retired after that since all the teams started doing the same thing. We extracted the working exploit image from a PCAP and started deploying it against other teams as well. I wasn't nearly fast enough to solve it during the competition; before I knew it, another team had deployed a working version against us. It doesn't have the usual peripherals that you'd see in a machine, and the challenge was to grab the flag that was located on the host file system. This image is attached to a VM created specifically for the challenge. The challenge provided a container that runs a web server that allows you to upload a virtual HDD image.
In a CTF, flags are placed in an exercise environment and the participating teams are tasked with capturing as many flags as possible by exploiting the environment.

So I figured I'd jump right on it while others were distracted with a really fun KingOfTheHill challenge called zero-is-you. For those not familiar with CTF challenges, usually if they have "baby" in the name, they are meant to be pretty simple. One of the challenges released early on was called ooows-flag-baby. I'll be honest and say that I didn't feel like I contributed much to the overall team, but I learned a lot. I got to meet team members in person, put faces to Slack handles, and learn by watching people do what they do best. Unlike other years, I was physically on-site this year, which was really great. I had the opportunity and pleasure to participate in the DefCon CTF finals this year; I played with team Samurai (侍).