Professional Documents
Culture Documents
pbj92220@postech.ac.kr www.CodeEngn.com
http://hackcreative.org CodeEngn ReverseEngineering Conference
1 WTF is Defcon? 4 In Las Vegas
1-1 Who 4-1 Waiting For You
1-2 What 4-2 Capture The Flag
4-3 Advanced Tips
4-4 Conclusions
2 For Las Vegas
2-1 Criteria
2-2 How About This Year?
2-3 No Money?
3 Interesting Problems
3-1 So Easiness
3-2 So Bombness
3-3 So Funniness
3-4 So Mathness
3-5 So Puzzlingness
WTF is Defcon? :
Who
WTF is Defcon?
The founder of the Black Hat and Defcon computer hacker conferences
Show me the money, bro ...
WTF is Defcon? :
What
WTF is Defcon?
What Defcon
The most prestigious network attack and defense competition in the world
To be best of best !!
For Las Vegas :
Criteria
For Las Vegas
+ =
For Las Vegas
Organizers
DDTEK: 2009 - Present
KENSHOTO: 2005 2008
GHETTO HACKERS: 2002 - 2004
Winners
DC Winner OS N (Teams)
Criteria Qualification
Fields
Total Score
Solved
Not Solved
Solving
Not Opened
For Las Vegas :
How About This Year?
For Las Vegas
This Year?
4% 8% 8%
5% Hates Irony
8%
6% 8% PPP
32%
8% 9% sutegoma2
14%
Shellphish
TwoSixNine
8%
9%
European Nopsled Team
8% 9%
3 4400 Qualified!
Only support two hotel room for 4 days, not airfares :-(
Not good...
For Las Vegas
Sponsors
So Easiness Introduction
How to solve?
So Bombness Introduction
After
Interesting Problems
Google is GOD :D
Found !!
Collision!!
Interesting Problems
I used Python :D
Lovely Python !!
4 Passcode for
entering Main-routine
Interesting Problems
I used Python :D
Lovely Python !!
Length: 40
Tangle Hash Collision :D
Interesting Problems
So Funniness Introduction
/Urandom 100
How many developers;) did it take to secure Windows 8?
Interesting Problems
Auth Key
Interesting Problems :
So Mathness
Interesting Problems
So Mathness Introduction
After
Interesting Problems
Small Loop
Interesting Problems
If you success
Interesting Problems
1st restriction:
Offset
Interesting Problems
2nd restriction:
modulo 8
Interesting Problems
Negative % 8 =
Negative
Interesting Problems
GCD(-15, 64)
= GCD(+17, 64)
=1
= generators of additive modulo 64
I used Python :D
Lovely Python !!
4 Passcode for
entering Main-routine
Interesting Problems
I used Python :D
Lovely Python !!
My Choice:
-15
Interesting Problems
So Puzzlingness Introduction
Same Positions :D
Timeout ...
Interesting Problems
Same Positions :D
Timeout ...
Interesting Problems
Same Positions :D
Timeout ...
Interesting Problems
Same Positions :D
Timeout ...
Interesting Problems
Only 3 steps :D
Try it !!
This year, the 20 top qualifying teams are pitted against each other in an all out digital war
Last year, only 12 teams
Team 1
Team 1
Server
Auth
Server
Gateway
Team 2
Team 3
Server
Team 3 Team 2
Server
In Las Vegas
Contest Room
Lounge or Anywhere
Lounge or Anywhere
Contest Room
In Las Vegas
8 People
Lounge or Anywhere
Contest Room
In Las Vegas
Read Key
Steal information
Overwrite Key
Corrupt information
Auth
Server
Team 1
Attacker
Team 2
Vulnerable Daemon
Period : 600s
In Las Vegas
Auth
Server
I dont know
correctly :-(
Team1 Key ?
Team 1
Auth
Attacker
Team 2
Vulnerable Daemon
Period : 600s
In Las Vegas
How to auth?
Using SSL (Secure Socket Layer)
Files in USB for SSL
server.cert
team_X_key
team_X_key.cert
In Las Vegas
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (1)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (2)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (3)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (4)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (5)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (6)
Search a position for patch using cursor : input c for enabling cusror
c : Enable cursor
In Las Vegas
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (7)
Capture The Flag Defcon CTF Defend Binary Patch with Radare2 (8)
Patched :D
In Las Vegas
How to calculate
Each daemon has 100 points
For a given attacker, V victim, S service,
The attackers partial score for the service =
their percentage (0-100) of all keys stolen from V via service S
Overwrite is also same
In Las Vegas
How to calculate
Attack : steal or overwrite key
How to calculate
Attack : steal or overwrite key
How to calculate
Attack : steal or overwrite key
How to calculate
Attack : steal or overwrite key
Team 1 Team 20
Attack
Attacker Vulnerable Daemon
Attack
Breakthrough !!
Total 19 Teams
Team 2
Vulnerable Daemon
Team Auth Score
Team1 1 times for each 1900 pts
In Las Vegas
How to calculate
Attack : steal or overwrite key
Team 1 Team 20
Attack
Attacker Vulnerable Daemon
Breakthrough !!
Total 19 Teams
Team 2
Vulnerable Daemon
Team Auth Score
Team1 1 times for each 3800 pts
In Las Vegas
How to calculate
Attack : steal or overwrite key
Team 1 Team 20
Attack
Attacker Vulnerable Daemon
Breakthrough !!
Total 19 Teams
Team 2
Vulnerable Daemon
Team Auth Score
Team1 1 times for each 3800 pts
In Las Vegas
Total Score
Sum(Steals Score + Defaces Score) * SLA
SLA - Service Level Availability
SLA = Average number of daemons running (cumulative)
= Sum(number of daemons running) / Sum(number of daemons)
+ =
In Las Vegas
Laptop for
Server
Members Laptops
Provided
Must Prepare
In Las Vegas
Laptop for
Server
Members Laptops
Provided
Must Prepare
In Las Vegas
Laptop for
Server
Members Laptops
Provided
Must Prepare
In Las Vegas
Laptop for
Server
Members Laptops
Capturing Packet
Gateway
Team Server Laptop for
(running masquerading
daemons)
In Las Vegas
Server Manager (1), Network Manager (2), Global Hogu Finder (1),
Exploit Manager (1), Reverser & Exploiter ()
Global Hogu Finder is very very important :D
Position N
Server Manager 1 Position N
Lounge or Anywhere
Contest Room
In Las Vegas
Brute Forcing or Guessing Password for the other teams daemon server
Get root, then you can read all of the keys.
In Las Vegas
Authenticate to Auth-Server
Get Points :D
In Las Vegas
Reverse Shellcode
Fork process
Open Socket & Connect to listening server
dup2 about stdin, stdout and stderr
execve /bin/sh
If enemy do masquerading
OMG ...?
Payload Loader
Vulnerable
Attacker
Daemon
In Las Vegas
Payload Loader
Daemon
Payload
In Las Vegas
Payload Loader
Vulnerable
Attacker
Daemon
In Las Vegas
Payload Loader
New Connection
&
Read Payload
Vulnerable
Attacker Binary Loader
Daemon
In Las Vegas
Payload Loader
New Connection
&
Read Payload
Vulnerable
Attacker Binary Loader
Daemon
Read Data
Executable Binary
In Las Vegas
Shellcode Generator
In Las Vegas :
Conclusions
In Las Vegas
www.CodeEngn.com
CodeEngn ReverseEngineering Conference If you have questions, contact me :D
pbj92220@postech.ac.kr