Posts Tagged ‘ctf’

Capture the Captcha – The Game

October 26th, 2010

A Captcha is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. It is a contrived acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

The process usually involves one computer asking a user to complete a simple test (the Captcha) which the computer is able to generate and grade. Because other computers are unable to solve the Captcha, any user entering a correct solution is presumed to be human.

There are a lot of Captcha implementations out there, written in JSP, PHP, ASP and .NET, which are very poorly implemented and introduce serious bugs into the Web applications they are supposed to protect.

We developed 10 different Captcha implementations, each with its own weakness, for participants to break using automation and hacking techniques with the objective of bypassing the human verification process.

Teams (or single participants) are scored on their success in breaking the security behind every Captcha presented in the game.

This CTC contest is designed to serve as an educational exercise: it gives participants experience in securing Web applications against automated attacks, as well as in analyzing and attacking the sort of Captchas found in the wild.

nahuel | bonsai, conferences, security

CONFidence and OWASP CtF

June 3rd, 2009

For the 2009 edition of CONFidence and OWASP Europe, Bonsai helped with the development and organization of the Capture the Flag event. This post is a general description of the capture the flag and a “statistical analysis” of the results.

The game

The CtF levels were divided into three different categories: Web, Networking and Forensics. Each category had 5 levels of increasing difficulty that awarded the player between 300 and 750 points. One of the features of this CtF was that players were able to play any level at any time: if players got stuck on the second level of the Web category but had a good idea about how to solve the fifth level of the same category, they could go ahead and do it.

In order to be awarded the points, players had to solve each level to get the magic_token: a twelve character long password that proves they solved the level. Magic tokens then had to be entered into the CtF scoring system together with the username and password the player created at sign up.

Access to the CtF was open during the whole conference, giving the players the opportunity to play at any time and place (WiFi access was also provided). In most cases CtF players created teams and solved the different levels together to have a better chance of winning the prizes. You would think that creating a big team increases your chances of winning, which was true for the OWASP conference, where first and second place were awarded to teams of more than five players; but at CONFidence a team of two managed to win the CtF!

(Image: scores)

The servers

To be able to run the CtF game, Andrzej Targosz provided us with two different servers:

  1. CtF scoring system: A simple Pentium IV box with 512MB of RAM, where we installed a stable Debian.
  2. CtF VMware server: A much more robust server, with 3GB of RAM and two dual-core 2.4GHz processors, where we installed a stable Debian with VMware Server to be able to run all the levels that gave the player some kind of interaction with the operating system.

The VMware server was needed in order to host the different levels in isolation. In some levels the players had to get remote command execution, and we wanted to be totally sure that there was no way to read the source code of other levels or gain any other advantage by getting root on a level's server.

In the end we had a total of seven virtual machines running smoothly on the VMware server. The levels that required a virtual machine were Web 2, 3, 4 and 5, and Networking (1, 2, 3), 4 and 5.

The results

For each conference we had three winners. The material prizes aren’t important; what these guys care about are the bragging rights, so here are the names of the winning teams at the OWASP conference:

  1. defrag_brains (6150)
  2. tripkaci (4900)
  3. FluxReiners (4200)

And the winners from the CONFidence conference:

  1. the0wners (6000)
  2. yellowfrogs (5700)
  3. korzen (5284)

The following statistics were created from the joint results of both CtF games:

(Chart: Easiest levels)

(Chart: Hardest levels)

Stay tuned: more information about the different levels, including the source code, is going to be posted here!

The conclusion

The whole experience of organizing the CtF was excellent. I learned a lot of nice technical tricks from the players, who interacted with me at all times (I think they were trying to social engineer me into giving them tips), and I made a couple of new friends.

I would like to thank Jaroslaw Sajko, the co-organizer of the CtF, for all his hard work on the servers.

andres.riancho | conferences

CONFidence and OWASP – Poland

May 25th, 2009

CONFidence and OWASP Europe were great. The venue was amazing (it was my first time in Poland) and both conferences were perfectly organized. I would like to thank Andrzej Targosz, the CONFidence organizer, for all his help and support during both conferences; without his help, none of this would have happened.

This trip was completely different from my previous ones because (among other things) I slept in a hostel in the same room as six guys from Slovakia, one from Singapore and one from Austria, and ran the Capture the Flag for both conferences together with Jaroslaw Sajko.

In my previous posts I listed the talks that I was interested in, so now I’m going to use that list as a base to talk about the conferences. Here are my thoughts about CONFidence:

  • Social engineering for penetration testers, by Sharon Conheady. It was one of the most interesting talks I attended at either conference. She works as a social engineer, and her talk was interesting from beginning to end (hmm, maybe she social engineered me into blogging this?).
  • Public transport SMS ticket hacking, by Pavol Luptak. At first I was expecting something related to hardware hacking, but Pavol (one of the six Slovaks from the hostel) showed us a way to cheat the SMS ticketing system using some easy software-based tricks. Good job!
  • VAASeline: VNC Attack Automation Suite, by Rich Smith. Some friends attended this talk and told me it was really good, but I had to be at the CTF booth because some bugs were found in one of the levels.

About OWASP Europe:

  • The Truth about Web Application Firewalls: What the vendors do not want you to know, by Wendel Guglielmetti Henrique, Trustwave, and Sandro Gauci, EnableSecurity. This was by far the best talk at OWASP; I was really interested in this subject, and the speakers gave a great presentation. Sandro and Wendel showed the audience different ways to bypass WAFs, and performed a demo of some tools that they have been working on.
  • Advanced SQL injection exploitation to operating system full control, by Bernardo Damele, the creator of sqlmap. Bernardo’s presentation was both detailed and technical; he showed the audience how to gain OS access from SQL injections in different DBMSs. Note to self: update the sqlmap version that runs in w3af.
  • When Security Isn’t Free: The Myth of Open Source Security, by Rob Rachwald, Fortify. Failed to attend; this time I think I was talking with Sandro and Wendel about wafw00f ;)
  • Exploiting Web 2.0 – Next Generation Vulnerabilities, by Shreeraj Shah, Blueinfy. Failed to attend (one more time).
  • I thought you were my friend: Evil Markup, browser issues and other obscurities, by Mario Heiderich, Business-IN. His presentation was awesome; he showed the audience a lot of little tricks that can be used to bypass different types of filters and execute JavaScript in the victim's browser.

The talks were amazing, but as I always say… the real value of these conferences is not in the talks but in the people you meet there.

andres.riancho | conferences, security, w3af