```
├── README.md
├── SUMMARY.md
├── binary_exploitation
│   └── README.md
├── book.json
├── chapter
│   └── README.md
├── cryptography
│   └── README.md
├── forensics
│   └── README.md
├── master.org
└── web_exploitation
    └── README.md
```

/README.md:
--------------------------------------------------------------------------------
# Practical CTF Hacking

This book covers the practical tools, tips, and references for CTF
hacking contests. This book is the product of the Spring 2015 18739L
class at Carnegie Mellon University.

--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
# Summary

* [Introduction](README.md)
* [Binary Exploitation](binary_exploitation/README.md)
* [Web Exploitation](web_exploitation/README.md)
* [Forensics](forensics/README.md)
* [Cryptography](cryptography/README.md)

--------------------------------------------------------------------------------
/binary_exploitation/README.md:
--------------------------------------------------------------------------------
# Binary Exploitation

One of the first challenges in binary exploitation is using the UNIX command line. While we assume basic UNIX experience, unique CTF-specific tasks often crop up. This is a grab-bag of such tricks and tips. We use the program named `ctf` to stand in for any CTF program.

## Python one-liners

Often you want to generate a specific string, e.g., a long string, a string with non-printable characters, etc. We can use Python one-liners to solve such tasks. (The one-liners below use the Python 2 `print` statement, which writes the string's bytes unchanged; Python 3's `print()` treats `"\x90"` as the text character U+0090 and encodes it as two UTF-8 bytes rather than emitting the raw byte.)

The following command generates a 400 character string of A's.
```
$ python -c 'print "A"*400'
```

We can also use Python to create strings based on hex encoding, such as a NOP sled where `0x90` is the x86 `nop` instruction:
```
$ python -c 'print "\x90"*400'
```

Be careful of endianness. x86 is little-endian, so the least significant byte comes first in memory. For example, to encode the constant `0xdeadbeef` on x86, you would do:
```
$ python -c 'print "\xef\xbe\xad\xde"'
```
## Perl one-liners

Some people prefer Perl. Those people should fill in this part of the book.

## Shell Tricks

### Providing command-generated input
Suppose you want to provide a long input to a program. We can use our one-liners from above to generate the input, and use the modern shell feature of command substitution with `$()`, e.g.,

```
$ ctf $(python -c 'print "\x90"*400')
```

Note that `$()` is the modern method; you can also try your luck with the older (and less easy to nest) backtick (`` ` ``) approach to launch a subshell, i.e.,:
```
$ ctf `python -c 'print "\x90"*400'`
```
uses backticks and is equivalent to the above.

### cat trick for stdin
One problem you may run into is that stdin closes when you `cat` an input file to a program. For example, suppose you have a program that already contains an `execve("/bin/sh", NULL, NULL)` call, and the goal is to reach that code, e.g.,
```c
#include <stddef.h>
#include <unistd.h>

/* the target: spawns a shell */
void foo(void)
{
    execve("/bin/sh", NULL, NULL);
}

/* the vulnerable function: an overflow here redirects control to foo */
void code(void)
{
    /* overflow... */
}
```

(note to self: look for pipe variant)

You prepare a buffer overflow that calls `foo` and spawns the shell, but the shell closes right away. The problem is that stdin closed: once `cat` has written the whole input file and exited, the pipe is at end-of-file, so the spawned shell reads EOF and exits immediately.

A trick is to use `-` to keep stdin open. Suppose your exploit string is in a file; then you can do:

```
$ cat - | ./ctf
```

and type in your commands. With `-`, `cat` reads from the terminal, so everything you type after the exploit string is forwarded to the spawned shell.
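As an added example (not from the book), here is the Python 3 equivalent of the one-liners above as a small script: it packs a constant in x86 byte order, builds a filler-plus-address-plus-NOP-sled input, and writes raw bytes instead of text. The function names and the `$(python3 ...)` usage shown in the comment are my own assumptions.

```python
"""Python 3 version of the raw-byte generators in the one-liners above (added example)."""
import struct
import sys

NOP = b"\x90"  # the one-byte x86 nop used for a NOP sled


def le32(value: int) -> bytes:
    """Encode a 32-bit constant in little-endian (x86) byte order.

    0xdeadbeef becomes b"\\xef\\xbe\\xad\\xde", the same bytes the
    hand-written one-liner above spells out in reverse.
    """
    return struct.pack("<I", value)


def be32(value: int) -> bytes:
    """Big-endian encoding, for targets (or network protocols) that use it."""
    return struct.pack(">I", value)


def nop_sled(length: int) -> bytes:
    """A run of `length` nop bytes, like python -c 'print "\\x90"*400'."""
    return NOP * length


def build_input(filler_len: int, value: int, sled_len: int = 0) -> bytes:
    """Filler of A's, then the packed constant, then an optional NOP sled."""
    return b"A" * filler_len + le32(value) + nop_sled(sled_len)


def py3_print_bytes(s: str) -> bytes:
    """What print() would actually emit for `s` under a UTF-8 locale.

    Python 3 strings are text, so "\\x90" is U+0090 and is encoded as the
    two bytes C2 90; this is why the Python 2 one-liners cannot be pasted
    into Python 3 unchanged.
    """
    return s.encode("utf-8")


if __name__ == "__main__":
    # Write raw bytes, bypassing the text layer and its newline/encoding.
    # Hypothetical usage from the shell:  ./ctf "$(python3 this_script.py)"
    sys.stdout.buffer.write(build_input(400, 0xDEADBEEF))
```

Note that `argv` cannot carry NUL bytes, so an input containing `0x00` has to go through stdin or a file rather than `$()`.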

### Disable ASLR (sometimes) with ulimit -s unlimited

You probably know you can [disable ASLR system-wide](http://www.commandlinefu.com/commands/matching/disable-aslr/ZGlzYWJsZSBhc2xy/sort-by-votes) as root with:
```
# echo 0 > /proc/sys/kernel/randomize_va_space
```

What do you do if you're not root? Suppose you have command line access to a binary, but it is protected with ASLR. One trick is to remove the maximum stack size limit with `ulimit -s unlimited`, making the stack theoretically unbounded.

On 32-bit systems, this will also disable the randomization of `mmap()` placement, because an unlimited stack makes the kernel fall back to the legacy address-space layout. According to [Hexcellents](http://security.cs.pub.ro/hexcellents/wiki/kb/exploiting/home), it is because of the following code in `arch/x86/mm/mmap.c`:

```c
static int mmap_is_legacy(void)
{
	if (current->personality & ADDR_COMPAT_LAYOUT)
		return 1;

	if (rlimit(RLIMIT_STACK) == RLIM_INFINITY)
		return 1;

	return sysctl_legacy_va_layout;
}
```
### Checking for binary protection

The [checksec.sh](http://www.trapkit.de/tools/checksec.sh) tool checks for NX, PIE, and other things of interest to exploitation.

## GDB tips and tricks.

### gdb -tui

Did you know gdb has a [text user interface](https://sourceware.org/gdb/onlinedocs/gdb/TUI.html)? Try it -- you might like it.

```
$ gdb -tui
```

### Use PEDA

[PEDA](https://github.com/longld/peda) stands for Python Exploit Development Assistance for GDB. It puts gdb on steroids. It is also worth looking at the source to understand more about scripting in gdb.

When you run an application in PEDA, you'll notice (by default) a much more informative screen that includes the disassembly of the current instruction, the status of registers, a memory view, and so on.
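The checks that `checksec.sh` and PEDA's `checksec` report come straight from the ELF program headers. The script below is an added example (not checksec.sh or PEDA code) that derives NX, PIE and RELRO from those headers and uses the usual `__stack_chk_fail` string heuristic for the stack canary; `build_sample_elf` is a constructed ELF64 header used only to exercise the checker, and all names are my own.

```python
"""checksec-style inspection of ELF protections (added example, not checksec.sh or PEDA code)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # stack permissions: PF_X set means an executable stack
PT_GNU_RELRO = 0x6474E552   # region the loader makes read-only after relocation
PF_X = 0x1
ET_DYN = 3                  # position-independent executables are ET_DYN


def check_elf(data: bytes) -> dict:
    """Return {'nx', 'pie', 'relro', 'canary'} for the raw bytes of an ELF file."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    e = "<" if data[5] == 1 else ">"              # EI_DATA selects the byte order
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(e + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    nx = False       # no PT_GNU_STACK at all: old toolchain, stack is executable
    relro = False    # a PT_GNU_RELRO segment gives at least partial RELRO
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, off)[0]
        # p_flags is at offset 4 in Elf64_Phdr but at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from(e + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # checksec.sh looks up the __stack_chk_fail symbol; a substring search is the crude equivalent
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def build_sample_elf(pie=True, nx=True, relro=True, canary=True) -> bytes:
    """Constructed little-endian ELF64 header plus program headers, only enough for check_elf."""
    def phdr(p_type, p_flags):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
    phdrs = [phdr(PT_GNU_STACK, 0x6 if nx else 0x7)]        # RW versus RWX stack
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO, 0x4))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELFCLASS64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0,
                        64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, on in check_elf(blob).items():
        print(f"{name:7s} {'enabled' if on else 'DISABLED'}")
```

Run it with a binary's path to inspect a real file; without arguments it inspects the constructed sample. Full RELRO additionally needs `DT_BIND_NOW` in the dynamic section, which this example does not parse.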
PEDA also has `checksec` to check for security options (similar to `checksec.sh`), tools for searching for ROP gadgets, and a number of other useful tidbits.

### Software breakpoints

Software breakpoints work by patching a breakpoint instruction into the code at run time, e.g., `INT 3` (`0xcc`) on x86. One anti-debugging trick is for a process to look for [software breakpoints in its process image](http://www.stonedcoder.org/~kd/lib/14-61-1-PB.pdf).

If you find such checks, one solution is to nop them out. Another is to use hardware breakpoints, which do not modify the code.

### Hardware breakpoints

In gdb, you can use the [`hbreak` command](https://sourceware.org/gdb/onlinedocs/gdb/Set-Breaks.html) to set a hardware-assisted breakpoint. As mentioned above, hardware breakpoints are useful for circumventing software breakpoint anti-debugging techniques.

Some of us have had difficulty using `hbreak` directly after starting a running binary. One workaround we have found is to first set a software breakpoint, delete it, and then set a hardware breakpoint.

### Python and gdb interfaces
Subclass `gdb.Breakpoint`.

## TODO

### Ropgadget tool

### mona.py

### metasploit framework.
msfinput, msfelfscan

### ropshell.com

--------------------------------------------------------------------------------
/book.json:
--------------------------------------------------------------------------------
{
  "plugins": ["math"]
}
--------------------------------------------------------------------------------
/chapter/README.md:
--------------------------------------------------------------------------------
# Chapter
--------------------------------------------------------------------------------
/cryptography/README.md:
--------------------------------------------------------------------------------
# Cryptography

## libnum

## xortool

## z3

## padbuster

## sage python library

--------------------------------------------------------------------------------
/forensics/README.md:
--------------------------------------------------------------------------------
# Forensics

## scalpel

## binwalk

## autopsy

## origami pdf tools

## audacity

## foremost
File carving

## recoverjpeg

--------------------------------------------------------------------------------
/master.org:
--------------------------------------------------------------------------------
#+TITLE: Practical CTF Hacking
#+AUTHOR: David Brumley and the 18739L Spring 2015 Class

* Tasks
** DONE Write outline
** TODO Figure out title page setup
** DONE Figure out how to do code blocks in babel mode
First, customize the variable org-babel-load-languages, save, and then
you can work as normal.

** DONE Find out how to run a web browser in emacs
You can do this with eww.

** TODO Figure out how to get org-beautify-theme to load

* Introduction
This book covers the practical tools, tips, and references for CTF
hacking contests. I assume you have what I call the "hacker spirit",
where you can do self-directed exploration of a subject. If you are
the type of person who needs an instructor to point you to the next
thing to learn, then computer security is probably not the right field
for you.

** Audience and Assumptions
In this book we assume you already have a working knowledge of:
1. UNIX and the command line. Personally, years ago I learned by reading
   [[http://www.amazon.com/Sams-Teach-Yourself-Hours-Edition/dp/0672328143][UNIX in 24 hours]].
2. You have access to a UNIX system. For example, you can rent a server for
   $5/month at [[http://digitalocean.com][Digital Ocean]], or you can install a virtual machine,
   e.g., via [[http://vagrantup.com/][vagrant]].
3. The ability to use a UNIX text editor. Some get by on =nano=; I
   recommend learning =vim= as well. (Real programmers know =emacs=;
   consider learning it eventually.)
4. Some Python experience. I've found that really good CTF hackers
   are also typically very experienced with Python. You can use
   [[http://learnpythonthehardway.org/][Learn Python the Hard Way]] as a good introduction.

In addition, to solve many reversing and binary exploitation
challenges you must know:
5. The C Programming Language. (Note: C++ is a related, but different,
   language. I recommend C.) I do not have any experience
   recommending books. One possibility is the [[https://en.wikibooks.org/wiki/A_Little_C_Primer][free wikibooks Little C Primer]].
6. Compilation and basic debugging of compiled programs on x86. We
   call compiled programs "binaries". At CMU, we require most
   students to take [[http://www.cs.cmu.edu/~213/][Introduction to Computer Systems]]. As part of that
   course, students read [[http://csapp.cs.cmu.edu/][Computer Systems: A Programmer's Perspective]].
   I *highly* recommend this book.
   In particular, you should be an
   expert in the material at least up to Chapter 3. I also
   assume you know the GNU debugger ~gdb~ and the ~objdump~ utility.

** Credits
This book is the product of the Spring 2015 18739L class at Carnegie
Mellon University.

This e-book is mostly written and edited in [[https://www.gnu.org/software/emacs/][emacs]] [[http://orgmode.org/][org-mode]]. This is
my first time using org-mode for a book. Most of the links and tools
were provided by students in the [[http://www.cmu.edu][18-739L]] course in Spring 2015.

* Binary Exploitation
** Learning
** Tools
*** gdb
*** peda
[[https://github.com/longld/peda][peda]] is a GDB plugin that provides an enhanced UI and Python integration.
It highlights disassembly. ~searchmem~ is useful for
searching for your input string. ~checksec~ also checks general
security properties of the executable.

*** IDA Pro
[[https://www.hex-rays.com/products/ida/][IDA Pro]] is the de facto standard tool for navigating binaries. The
free version is adequate for most needs. You should get used to
solving problems without the decompiler plugin. The full decompiler
is nice, but don't make it a crutch.

The most common tasks, by shortcut, are:
- =x= to see what calls a function.
- =n= to rename (usually to something memorable).

Spending a few days with the [[http://www.amazon.com/The-IDA-Pro-Book-Disassembler/dp/1593272898][IDA Pro book]] is worthwhile, especially
Section 2 on basic IDA usage.

*** use pwntools to set up connection
Reliability in connections.
*** shellcraft

*** fuzzers
Fuzzers tend to have less value in CTF problems than in real-world
security scenarios. However, it is still useful to know how to
fuzz. In practice, =zzuf= and =afl-fuzz= tend to be the most popular
currently for quick, black-box fuzzing.

** Useful shell commands
While we assume basic UNIX experience, unique CTF-specific
tasks often crop up. This is a grab-bag of such tricks and tips. We use
the program named ~ctf~ to stand in for any CTF program.

*** Providing command-generated input
Suppose you want to provide a long input to a program. We can use our
one-liners from above to generate the input, and use the modern shell
feature of command substitution with ~$()~.

For example, the following command will run ~python~ in a subshell
with a small one-liner that prints 40 ~A~ characters in a row.

#+NAME: print40
#+begin_src sh
echo $(python -c 'print "A"*40')
#+end_src

The results are:

#+RESULTS: print40
: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Of course you can run any UNIX command. The following passes the
output of ~echo /bin/ls~ to ~objdump~, which is then piped to ~head~ to
print the first 5 lines:

#+name: objdumpls
#+begin_src sh
objdump -D $(echo /bin/ls) | head -5
#+end_src

#+results: objdumpls
:
: /bin/ls:     file format mach-o-x86-64
:
:
: Disassembly of section .text:

Another (and older) method is to use backticks:

#+name: backtick40
#+begin_src sh
echo `python -c 'print "B"*40'`
#+end_src

The results are:
#+results: backtick40
: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

Using the ~$()~ syntax is newer and the recommended method for
invoking a command. The backticks have been deprecated in favor of ~$()~
for command substitution because ~$()~ can easily nest within itself, as
in ~$(echo foo$(echo bar))~. There are also minor differences, such as
how backslashes are parsed in the backtick version[fn:1].

[fn:1] See [[http://stackoverflow.com/questions/4708549/shell-programming-whats-the-difference-between-command-and-command][Shell Programming: What's the difference between $(command) and `command`]]

** Python one-liners
1. this is an item

** Random things
*** Analyzing binaries when you don't have read permissions
On level 13 of IO, you are not given read access to the binary. The
trick here is to use =ptrace=. =ptrace= allows a parent process to
step through a child. You can also potentially use =xobinary=.

* Web Exploitation
** Learning
** Tools
** Useful shell commands
** Python one-liners

* Forensics
** Papers
** Tools
** Useful shell commands
** Python one-liners

* Cryptography
** Learning
** Tools

*** SAGE
SAGE. A nice example is the RSA picoCTF problem. tjbecker has the example.
(You need to implement your own gcd.)

** Useful shell commands
** Python one-liners

atm:
--------------------------------------------------------------------------------
/web_exploitation/README.md:
--------------------------------------------------------------------------------
# Web Exploitation

## Browsers

### Chrome
In web exploitation, a beginner will probably rely heavily on Google Chrome developer tools, as well as several Chrome plugins. Some basic plugins to install are:

* Chrome Developer Tools. Become familiar with them. You can reach them by right-clicking and choosing `Inspect Element`, as well as under View->Developer->Developer Tools. Note that developer tools are almost always more useful than viewing source.
* [Edit This Cookie](http://www.editthiscookie.com/start/) for changing cookie data.

### Firefox

It is also handy to have Firefox installed. (We've also been told the 3D DOM view of Firefox is fun to look at.) One particular plugin we use is the [Tamper Data](https://addons.mozilla.org/en-US/firefox/addon/tamper-data/) plugin. Tamper Data is a proxy that inserts itself between the browser and the web site, and allows one to change data sent to the server.

## SQL Exploitation

## sqlmap

## burpsuite

## webscarab
Intercept requests and edit them. Similar to burpsuite.

## wireshark and mac still sucks
1. Use CloudShark and native tcpdump.
2. Boot into Linux.
3. Go and install the XQuartz stuff.

## vagrant

## TODO

### burpsuite
--------------------------------------------------------------------------------