“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing, there is absolutely no defense involved! . I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.

In CSAW CTF, participants are given a series of challenges divided into different categories and each challenge is worth a specified number of points. In reality, a “challenge” is a small bit of code with a single security vulnerability implanted in it. “Solving” the challenge means exploiting this vulnerability. The challenge spits out a secret password upon completion which the participant can redeem for points on the scoreboard. We relate this to events like the Defcon Pre-quals without the requirement that participants solve easier challenges first to reach the harder ones. We try to keep a similarly wide breadth of categories; this year we had Web Applications, Binary Exploitation, Reverse Engineering, Trivia, and Bug Hunting. If you’re interested in what the challenges were then pay attention to, what will likely be called, the OWASP CTF Project which this year’s CSAW CTF has been donated to. I expect all that to be ready within a week or two and I will definitely make a separate blog post about it.

This year’s CSAW CTF was our largest ever. We had 46 teams, over 150 individual players, and 50 different schools compete in it (all students too!), putting us at one of the largest CTF competitions world-wide. It’s gotten to the point where I can name a few, and only a few, other competitions that are larger than we are.

CSAW08 CTF started at 8pm EST on Friday, September 19th and it quickly become clear which teams would end up in the top 10. MyLittlePwnies, a team of 8 from NPS, methodically solved a majority of the challenges that very first night and got off to an early lead. To my surprise, a small handful of other teams trailed close behind and before the night was over RPISEC passed them by! This was not good news for me because between trying to work out the kinks people were finding and answering questions (it was basically a one-man-show this year), I didn’t have much time to put up new challenges. Let that be a lesson for everyone else planning CTFs out there: always work with a partner, no matter how smooth you think the scoring system is!

As a low-cost way of getting a binary exploitation challenge up, I gave everyone Lurene Grenier’s Advanced WIndows Buffer Overflow (AWBO) #2 to chew on. For a challenge that comes with the warning:

“This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline.”

… I expected this to buy me some time but 5 teams solved AWBO#2 and some did it within 2 hours. One team even solved it on Vista just because they had no other Windows installations available. Those teams were: TeamTefaye, RPISEC, MyLittlePwnies, teamSparta, and FluxFingers. Congratulations guys, that was really impressive!

The final trivia question for that night was: What does this code do? 31C04089460C89C34089460804048946108D4E08B066CD8089C231
C0C646080266C7460A358289460C8956118D4E08894E154389D980
C10E894E198D4E11B066CD80B0664343CD8031C043894615894619
B066CD8089C331C089460C89C1B03FCD8041B03FCD8041B03FCD80
EB1A5E31C08846098D1E895E0B89460FB00B89F38D4E0B8D560FCD80
E8E1FFFFFF2F62696E2F62617368

Right after I posted it, I made sure to remind MyLittlePwnies since they were asking me for something exploitation or reversing related. Here is my conversation with one of their team members (hint: check the timestamps).

(1:52:15 AM) dan: btw, you saw the trivia right?
(1:53:54 AM) blacksheep: yup, just saw that.
(1:54:34 AM) blacksheep: trivia answer is
(1:55:02 AM) blacksheep: bind port backdoor shell on port 13698 on a linux system with /bin/bash as the shell

I gave them extra points for such a fast answer . The second day ended with RPISEC in first, by a small margin, over Team Tefaye and Pwntatoes in a distant third.

The last day of the competition was a short one, the game was over at 3pm EST on Sunday, September 21st. The only challenges any teams really had time to do were some of the more open-ended ones like the “Client-side Challenge” which I’ll now explain. In the Client-side Challenge, you are taking a class with “Joe the TA” and you really want to break into either his e-mail or his local computer for advance information about tests and homeworks. He handed out his e-mail to you at the beginning of the semester and you know that he logs in to a webmail installation conveniently hosted on the CTF server. “Joe” also tends to click on any link that looks convincing. Teams were given 500 points for access to his mail spool, 1000 points for access to his filesystem, and 400 points if they could persist that access across the “semester” (a rootkit, an email forward, a persistent XSS, etc). Let me tell you, NEVER click on a link from Team Tefaye! Their first try set up an e-mail forward, a persistent XSS, and stole my session cookies while forwarding me to the intended link target described in their e-mail all in a single action. They returned later and trojaned the box for an extra 1000 points. Damn! This finally put Team Tefaye in a solid lead over RPISEC which they were able to maintain until the end of the contest.

Here’s the final scoreboard:

Team Tefaye took first, RPISEC took second, and Pwntatoes took third. The Down Ownerz got the bonus prize for being the youngest team playing. Congratulations guys!

There was a lot of great stuff that went on last weekend and I’m sorry I couldn’t get to all of it in this blog post. If any of the people who played have more to say, post it in a comment.

rgov from RPISEC: “(Bonus: I was able to use cross-site scripting to RickRoll most of the players and some of the organizers.)” Yep, NoScript doesn’t work so well when you whitelist the domain

Rob Escriva from RPISEC: “This weekend I’ll be doing a writeup on a bug I found in the “leaky” challenge of the 2008 CSAW contest.”

I almost forgot, I have a few people to thank for helping out in various ways with CTF: Alicia Bozyk, Aleksey, Dean De Beer, Stephen Ridley, Michael Aiello, and Eric Hulse. Thanks guys!

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.

Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:

I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..

I took screenshots of all the actual attacks below.

You had to recognize that they set an AuthType cookie when you logged in. Changing this cookie to 0 let you view and access a hidden admin panel.

Once in the admin panel, RTA triggered on a command injection vulnerability:

… and on cross-site-scripting the other admins:

The last attack was a SQL injection on the account details page:

My biggest problem was that I overthought the attacks they were looking for. Once I calmed down and stopped trying to become a millionaire/root-shell-0wner I realized they were probably looking for the basic web vuln trifecta: command injection, xss, and sqli. All in all, a really fun challenge. Thanks Fortify!

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw

Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!

Wednesday night – InfoSec study time at ISIS Lab. I’m going to be working on a paper on Web Authentication.

Friday-Sunday – The Last HOPE at the Hotel Pennsylvania. Only $80 at the door! We’ll have a booth in the vendor area, come say hi!

The agenda ending up being:

• Blackhat presentation dry-run.
• Aleksey reversed some storm malware, found a carding forum, and broke into it! He showed us some of the things he learned about their community by looking through the forum.
• Aleksey talked about his experience competing in the Defcon CTF prequals this weekend. All the questions from the competition are already up at Nops R’ Us but Aleksey was kind enough to upload his own work to the ISIS webserver.
• Erik and I made fun of Synology for all the bugs we found in their webapps this weekend. I’m waiting to release anything publicly until I have proof of concept exploits.

• Dan Kaminsky interview – link
• w3af demo – link
• Unusual Web Bugs – video – slides
• Social Engineering presentations – link

We’re having another meeting next week and I’m taking suggestions for topics. An [obligatory] brief overview of the Debian OpenSSL bug will be done.

I’ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I’ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you’d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!

Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is 6 Metrotech Center, Brooklyn, NY 11201. If you’re not a regular, then I’m going to need to sign you in so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I’ll keep a bunch of menu’s in the lab and we’ll make an order for takeout shortly after everyone gets here.

This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you’d like to watch to me, Dan, at dguido@gmail.com.

The first meetup is this Wednesday, May 14th. See you there!

Add this event and others to your calendar: ISIS Meetings.

I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far!-26 hours: It’s 2 hours before we leave for Rochester and I’ve come down with a cold, it has started snowing throughout Northern NY, and the team collectively realized we don’t have a GPS unit for the 6 hour drive. Instead, we will be navigating via iPhone. Make sure to keep an eye on CNN tonight for reports of a van full of computer nerds barreling off I-80 into a ditch.

-12 hours: We made it, and not a single wrong turn! But you see this? That’s a 4-seater. We had 5 people. Oops! I think one of Mike, Alex, or Brad is going to bill Prof. Memon for a butt-massage after sitting 6 hours on a bunch of cup holders. Thanks guys for not complaining!

Strat is coming up by train tomorrow and I think someone will be going home with him the same way .

We still have no idea what to expect for this competition. The only thing we’ve seemed to agree on so far is that it’s impossible for the Red Team not to have some advance knowledge of the competition machines. We can’t see how this will be much of a challenge once we put our uber-firewall in place. We’ll see.

+10 hours: see the comments below

Attached files:

• NECCDC Policy Docs
• Security Approach/Philosophy

NYSEC 5 is Feb 19th, 2007. A Monday. 6:30PM. We’ll stay until people get tired of hanging out. We’re guessing 2-3 hours. Located at Pound and Pence. That’s downtown Manhattan, on the corner of Liberty and Nassau. If you don’t like it, show up and suggest somewhere else!

We are usually upstairs by the pool table.

For the uninitiated, NYSec is a casual get together of a bunch of InfoSec people that happens as often as they feel like it.  I wasn’t able to make the first 4 gatherings (grrrr) but I’m definitely going to this one!  See you there!