OSU Cybersecurity Club’s CTF (Capture the Flag)
This weekend I participated in Ohio State’s Cybersecurity Club remote CTF. I was really lucky to work with three brilliant friends, who taught me a lot about CTFs and what kind of skillset I have to offer.
0. (Tools and resources)
First and foremost, I picked up a lot of tools that I’ve never used before. I want to document them here (mostly for myself). So in no particular order:
- Radare2 (
r2): helps to disassemble binaries.
- Modern Binary Exploitation by RPISEC: I never used the tools directly, but this material seemed useful if I ever wanted to do a more formal dive into reverse engineering binaries.
objdump -d: a simpler version of Radare that comes installed on macOS with the developer tools.
- veracode.com: Veracode had some free labs that really helped me understand how SQL injections and reverse-engineered session IDs work. Very good for an introduction.
binwalk: checks if a file contains other files, and even extracts them (
binwalk --dd='.*' <filename>[I think]).
strings: looks for any strings with length >4 in a file.
- Python: Still the easiest way to write a script. Who needs bash?
1. SQL Injection
This was my first time doing any sort of SQL injection. The big thing for me was thinking about how the query was written, and how I can verify if a query is written a particular way. For example, if the query is written as:
Then I can put
' to finish the first
'% and then whatever I want afterwards. Somethings I really liked to do:
' ORDER BY name DESC;--: This query just changes the order of the results. It was an easy way to confirm if comments (
--) work, column names (
name) and whether the quotes are single or double.
- To find the table names, there’s a different way for MySQL/SQL Server, Oracle databases, and SQLite. For each, you have a specialized table name to ask about:
-- Suppose our original query is SELECT * FROM Employee WHERE name LIKE %name%; -- we can any of the following after a quote: -- Oracle UNION SELECT table_name FROM all_tables -- MySQL/SQL Server UNION SELECT 1 FROM information_schema.tables -- SQLite UNION SELECT name FROM sqlite_master WHERE type LIKE 'table'
It’s also important to remember that
UNION needs the same number of columns on both sides. Just keep adding columns to the
UNION until it works. There might be more columns in the original
SELECT than are showing on the webpage.
Then, because it was a SQLite database, I used the following query to find the SQL commands that created the tables:
(@me: remember that each of these would need a leading quote (
') and end with
;-- to make the rest of the query useless.)
2. Binary exploitations
Binary exploitations were also new for me. I understood the idea from my Systems I and II courses, but I’d never implemented it in practice. We ended up bruteforcing most of them since we were unable to reason about what was on the stack and in what order, but the base understanding was there.
One we had to overwrite a integer by overflowing a buffer. Not too difficult. The other we had to overwrite a
ret address by overflowing a buffer. Both required some thought about how to spam the actual bytes into the program, but once we figured that out, it was very doable to find the right length sequence to set the bits we needed. Surprisingly, Radare was only useful for finding the new target address of the
ret instruction. I wasn’t able to use the tool well enough to help further, but I could tell it was very powerful.
Some of my teammates had done CTFs before, and knew what kind of thinking was needed. I often struggled to make the creative leaps needed to understand what the goal was, but once we had established how to solve the problem, I often wrote the Python script to solve the problem.
I guess the lesson is that I do much better with well-defined constraints and goals, which is something to keep in mind when I am setting goals and tasks for myself.
Big thanks to OSU Cybersecurity Club for hosting this CTF remotely, and to my teammates for explaining things to me all weekend!
Please email me if you have any comments or want to discuss further.
Sam Stevens, 2020