Differences
This shows you the differences between two versions of the page.
|
isc:labs:01 [2021/03/08 07:47] mihai.chiroiu |
isc:labs:01 [2024/10/07 08:29] (current) |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| ===== Objectives ===== | ===== Objectives ===== | ||
| * Simple CTF tasks | * Simple CTF tasks | ||
| + | * Introduction to Python scripting | ||
| * Introduction to basic security-related tools | * Introduction to basic security-related tools | ||
| - | * Simple program compiling tools | + | |
| - | * Basics of networking related monitoring tools | + | ===== Useful Tools ===== |
| + | * man | ||
| + | * find | ||
| + | * base64 | ||
| + | * hexedit | ||
| + | * Binwalk | ||
| + | * john, zip2john | ||
| + | * xxd | ||
| + | * gzip, bzip2, tar | ||
| ===== Preparation ===== | ===== Preparation ===== | ||
| - | You will solve this lab inside a virtual machine on [[https://cloud-controller.grid.pub.ro|openstack]]: | + | You may use the UPB's OpenStack cloud to spawn a Virtual Machine to be used for this lab! |
| - | + | [[:isc:info:virtualmachine|Read this guide]]. | |
| - | - Log in with your LDAP credentials | + | |
| - | - Create a RSA key pair on //fep.grid.pub.ro// (ssh LDAP-username@fep.grid.pub.ro; ssh-keygen -t ed25519 -C "your_email@example.com") | + | |
| - | - Make sure you have the public key configured on openstack in Project -> Compute -> Key Pairs | + | |
| - | * Passphrase authentication will be disabled on the SSH server | + | |
| - | * The key that you provide will be automatically registered in //.ssh/authorized_keys// | + | |
| - | - Create a new Instance with the following parameters: | + | |
| - | * Flavor: m1.small | + | |
| - | * Instance Boot Source: Boot from image | + | |
| - | * Image Name: ISC 2020 | + | |
| - | * Key Pair: the one you just added | + | |
| - | * **NOTE:** if you have //only one// key pair configured, it will be chosen by default; otherwise, make sure you don't skip this step | + | |
| - | - From the fep console (ssh) login into the newly created VM (ssh student@VM-IP) | + | |
| {{page>:isc:rec&nofooter&noeditbutton}} | {{page>:isc:rec&nofooter&noeditbutton}} | ||
| - | ===== CTF local tasks ===== | + | Download the {{:isc:labs:isc-lab01.zip|task archive}} for this section. Each exercise will have a corresponding folder. |
| - | Download the {{:isc:labs:isc-01.zip|task archive}} for this section. Each exercise will have a corresponding folder. | + | ===== Python Warmup ===== |
| - | ==== 01. [10p]B64 encoding ==== | + | ==== 01. Decode 'til You Drop ==== |
| - | * The flag is in b64.txt. It should look something like this: **FLAG{...}**. | + | * One of your friends gave you this string which looks encoded... Figure out what encoding was used and decode it. Be patient, it may take a couple of decoding rounds :) |
| - | * **Hint:** python3, base64 | + | |
| - | ==== 02. [10p]EXIF ==== | + | ==== 02. Zip it good ==== |
| - | * The flag is hidden somewhere within this image. Remember its format. | + | * The archive contains the flag. What is the password? |
| - | * **Hint:** it's not steganography; don't look at the pixels | + | * **Hint:** the password is in the wordlist |
| - | ==== 03. [10p]From Manchester with love ==== | + | ===== CTF tasks ===== |
| - | * Remember RL? Remember [[https://en.wikipedia.org/wiki/Manchester_code#Encoding|Manchester]]? | + | |
| - | ==== 04. [10p]Corrupted file ==== | + | ==== 03. Find the impostor ==== |
| - | * The header seems to be damaged... | + | * The flag for this exercise is found in a file under the inhere directory. The file has the following properties: |
| + | * human-readable | ||
| + | * 987 bytes in size | ||
| + | * not executable | ||
| - | Up for more? | + | ==== 04. Unknown File Type ==== |
| - | * [[https://ctflearn.com|CTFlearn]] | + | |
| - | * [[https://overthewire.org/wargames/|OverTheWire]] | + | |
| - | * [[https://cryptopals.com/|Cryptopals Challenges]] | + | |
| - | * [[https://picoctf.com/|PicoCTF]] | + | |
| - | ===== OS Management ===== | + | * We've found this file on a confiscated machine, but we can't figure what it is. Can you help us? |
| - | ==== 05. [10p]Web server & console browser ==== | + | |
| - | * Install and configure **apache2** and **links**. Use the latter to connect to http://localhost | + | ==== 05. Corrupted File ==== |
| - | * **Hint:** use the distro specific package manager. | + | |
| - | <solution -hidden> | + | * During a transmission, one of our files got corrupted. Take a look and see if you can do something about it. |
| - | <code bash> | + | Maybe there is something wrong with the header. |
| - | $ sudo apt-get install apache2 links | + | * **Hint:** use a hex editor to check the file's header |
| - | $ sudo /etc/init.d/apache2 start | + | |
| - | $ links http://localhost | + | ==== 06. Hidden File ==== |
| - | $ sudo /etc/init.d/apache2 stop | + | * There is something wrong with the size of this image. Is there anything else there? |
| - | </code> | + | * **Hint:** use Binwalk. "-e" option is buggy sometimes. |
| - | </solution> | + | |
| - | ==== 06. [10p]Disk space & usage ==== | + | ==== 07. Waiting for eternity ==== |
| - | * Display the disk space usage for each individual directory (. and .. excluded) in the first two hierarchical levels of ///usr/include/ // in a human readable format | + | * We stared at this gif for the last hour but nothing is happening. Would you like to join us and stare at it for the next hour? |
| - | * **Hint:** find, du | + | |
| - | * Sort the list in ascending order, by size | + | |
| - | <solution -hidden> | + | ==== 08. The great file squeeze ==== |
| - | <code bash> | + | * You are being given a file which is a hexdump of the flag that has been repeatedly compressed. Reverse the process and get the flag :) |
| - | $ find /usr/include -maxdepth 2 -type d ! -name "." -exec du -sh {} \; | sort -rh | + | * **Hint:** hexdump, man |
| - | </code> | + | |
| - | </solution> | + | |
| - | ===== Program compilation tools ===== | + | ==== 09 [bonus]. Web Fuzzer ==== |
| - | + | * Start this task by opening a specific docker container on your VM: <code bash> | |
| - | ==== 07. [10p]Program compilation ==== | + | docker run -d -p 8080:80 ghcr.io/cs-pub-ro/isc-lab-intro-web |
| - | * Download the following [[https://curl.haxx.se/libcurl/c/simple.html|program]] and compile it using **gcc**. | + | |
| - | * What is the program intended for? | + | |
| - | * Modify the program such that it connects to "http://localhost" (i.e. your local apache server) and prints the response (apache's default HTML test page) to stdout, just like standard curl. | + | |
| - | * **Hint:** you need to install libcurl's development libraries. | + | |
| - | * **Hint:** you need some flags for the compiler to know where libcurl is installed (see [[https://curl.haxx.se/libcurl/c/libcurl-tutorial.html|library's documentation]]) | + | |
| - | + | ||
| - | <solution -hidden> | + | |
| - | <code bash> | + | |
| - | $ sudo apt install gcc | + | |
| - | $ sudo apt install libcurl4-gnutls-dev | + | |
| - | $ # Replace in simple.c "http://example.com" with "http://localhost" | + | |
| - | $ gcc ./simple.c -lcurl -o simple | + | |
| </code> | </code> | ||
| - | </solution> | + | * You can now access a webserver on local port 8080 (try it with ''curl localhost:8080''). Your task is to retrieve the hidden flag by trying all web paths inside the given wordlist (write your own fuzzer in Python, check the lab archive for resources!). |
| + | * //Hint//: use the [[https://requests.readthedocs.io/en/latest/|Python requests]] library to issue web requests! Check their HTTP status code to know when you successfully found an existing web file ;) | ||
| - | ==== 08. [10p]Static compilation ==== | + | ===== Feedback ===== |
| - | * Statically compile the program (but keep a copy of the old, shared executable). | + | {{page>:isc:lab-feedback&nofooter&noeditbutton}} |
| - | * **Hint:** curl-config %%--%%static-libs | + | |
| - | * **Hint:** Note that you'll need even more development libraries: libidn11-dev librtmp-dev libssl-dev libidn11-dev librtmp-dev libssl-dev libcrypto++-dev libkrb5-dev libldap2-dev libnghttp2-dev libpsl-dev | + | |
| - | * **Hint:** Getting a pthread-related linker error? Try //-lpthread// at the end of the gcc command! | + | |
| - | * Check the size difference. What does it mean? | + | |
| - | * **Hint:** ldd | + | |
| - | * Uninstall libcurl and see which of the executables successfully run now! | + | |
| - | * Reinstall curl again if you need it ;) | + | |
| - | |||
| - | |||
| - | <solution -hidden> | ||
| - | <code bash> | ||
| - | $ gcc -o simple_static simple.c $(curl-config --static-libs) -lpthread | ||
| - | </code> | ||
| - | </solution> | ||
| - | |||
| - | ===== Networking related tools ===== | ||
| - | |||
| - | ==== 09. [10p]Traffic sniffing ==== | ||
| - | |||
| - | * Use the tcpdump suite to save all the traffic from interface ens3/eth0 to a file. | ||
| - | * **Hint:** Tcpdump may complain that it has no privileges to write the log file. Use "-Z student" (man!) to reacquire them. | ||
| - | |||
| - | <solution -hidden> | ||
| - | <code bash> | ||
| - | $ tcpdump -Z student -i eth0 -w tcpdump_capture | ||
| - | |||
| - | $ tcpdump -r tcpdump_capture | ||
| - | </code> | ||
| - | </solution> | ||
| - | |||
| - | ==== 10. [10p]Logging & Auditing ==== | ||
| - | |||
| - | * Write an **iptables** rule that logs all the traffic generated by curl. | ||
| - | |||
| - | <solution -hidden> | ||
| - | <code bash> | ||
| - | $ iptables -I OUTPUT 1 -p tcp --dport 80 -j LOG --log-prefix " iptables_logs: " --log-level 7 | ||
| - | |||
| - | $ grep "iptables_logs: " /var/log/kern.log | ||
| - | </code> | ||
| - | </solution> | ||
| - | |||
| - | ===== OS Management ===== | ||
| - | |||
| - | {{page>:isc:lab-feedback&nofooter&noeditbutton}} | ||
