Nytro

Video #92: picoCTF 2019 (part 2)

GynvaelEN


Part 1: https://www.youtube.com/watch?v=pYrGJ...
Table of Content:
00:08 [PROLOG] nervous_testpilot - Focus | http://nervoustestpilot.co.uk/
02:15 [PROLOG] TheFatRat - Monody (feat. Laura Brehm) | https://youtube.com/user/ThisIsTheFatRat
07:06 [PROLOG] Stellardrone - Between The Rings
13:20 ⁂ START ⁂ - Greetings ( ;E ;) )
13:45 Short agenda for today's stream; Q&A rules
14:50 Announcements and hypes
 - introduction of mod's page - foxtrot_charlie | https://foxtrotlabs.cc/
 - Paged Out! #2 is out // Call For Papers (one page) until 02/20/2020 (20 Feb 2020);
 - 16:21 Authors of articles from 1st rel of Paged Out! who have chosen non-TIP/POOL SAA should receive an email; if not get back to me :)
 - I've made one of Winja CTF '18 tasks and now it's released | https://github.com/google/google-ctf/...
 - It looks like Dec 2018 will be an exciting contest between the TOP 4 of CTFtime | ctftime.org
19:24 Let's get started!
20:44 2Warm / general / 50pts
22:42 picobrowser / web exp / 200pts
 - on the page we see that we are not picobrowser, so we are going to change the User-Agent
 - see Dev Tools in the web browser, but it could be solved in a different way, e.g. curl
26:39 Question: Can we use CTFs to prepare for OSCP? Q @ YT chat: are CTFs useful for real-life pentesting?
29:03 plumbing / general / 200pts
 - netcat + "grep to win" technique which is easy and was described previously
30:11 rsa-pop-quiz / crypto / 200pts
 - tools: netcat + Python CLI as helper for calculations
 - knowledge: basics of prime numbers and RSA theory
 - objectives of this task: get to know RSA - it's really simple
51:31 slippery-shellcode / bin exp / 200pts
 - tools: checksec.sh (checking protection of running binary)
 - knowledge: basics of assembly and code review of C-like languages
 - objectives of this task: old-school basic exploitation with a NOP sled; 32-bit ELF binary (executes shellcode, get rid of the buffering problem, has no protections, isn't PIE...)
 + 0:57:44 about shellcodes
 + 1:00:00 writing a shellcode that uses fopen/fgets found in memory at known locations
1:10:42 Q: Do you know what AVX2 is used for in assembly?
 - some historical roots of SIMD extensions in Intel CPUs (MMX, SSE, AVX), why was it created, and registers naming (mm0, xmm0, ymm0, zmm0)
 - note from viewer: there is JSON parser library that uses vectorized instructions
1:15:16 Q: Check whether it is statically linked on the server also, not just the downloaded version.
 - why this should *not* be true for CTFs because of annoying players, and what the difference is from non-lab exploitation cases
1:16:40 vault-door-3 / rev eng / 200pts
 - reversing Java code
1:27:28 "I'm going to show you another way to do this" :)
 - taking a fresh look at the same problem since I got confused by trying to do the reverse mapping in my head on livestream (which I failed hard); so instead, I showed a way to get the mapping to generate itself
1:32:29 Q: What motivates you when doing a hard challenge?
1:34:10 whats-the-difference / general / 200pts
 - comparing two binary files using Python
Q: What about zip() in Python when the lengths of the lists are not equal?
Q: How hard does a challenge have to be to resemble a real-life scenario in the workforce (or as close as it comes)?
1:39:58 where-is-the-file / general / 200pts - file starting with .
1:41:20 WhitePages / forensics / 250pts
 - three code units: E2 80 83 ... :)
 - funky ASCII art or binary ASCII encoding?
 - at the end: a note about ASCII and code pages
1:51:03 c0rrupt / forensics / 250pts
1:51:43 In YT chat Daniel mentioned 24/7 CTF challenges (https://247ctf.com/). Take a look at it - they are really cool!
Returning to task:
 - broken PNG file...
 - ...but many file formats are simply based on zlib aka DEFLATE (e.g. ZIP, GZIP, HTTP compression, but also PNG) - we will try to brute force it!
 - ...and in the end hack it in GIMP.
2:01:55 Q: With zlib compression, can we decompress even without the beginning of the byte stream? Or if we have "holes" in the byte stream?
2:03:55 m00nwalk / forensics / 250pts
 - 11 MB WAV file
Please turn the volume down, because we are m00nwalking with SSTV over the stream sound directly 😎
- from 2:07:00 to 2:07:56
- from 2:09:57 to 2:10:03
- from 2:10:53 to 2:11:33
2:18:17 Q: What did you study in college/University and what certs did you get?
See also (in Polish, but Google Translate can do the job):
- https://gynvael.coldwind.pl/?id=337
- https://gynvael.coldwind.pl/?id=338
2:20:36 Epilog
 Thanks for attending folks!
 Thank you foxtrot_charlie for being my Moderator today!
 Next stream is planned for next Wednesday (part 3).
2:21:06 [EPILOG] nervous_testpilot - Our Heroes | http://nervoustestpilot.co.uk
(kudos to J.V. for ToC!)

Our Discord: https://discord.gg/QAwfE5R
Our IRC: #gynvaelstream-en on freenode
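The whats-the-difference entry above (1:34:10) and the follow-up question about zip() with unequal lengths are illustrated by the following added example. It is not code from the stream or from this post; the two byte strings are constructed sample inputs rather than the actual challenge files, and the function names are my own.

```python
from itertools import zip_longest
from typing import List, Optional, Tuple


def diff_zip(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Byte-by-byte comparison using zip().

    zip() stops at the end of the SHORTER input, so any trailing bytes of the
    longer file are silently ignored. Returns (offset, byte_in_a, byte_in_b)
    for every position where the two inputs disagree.
    """
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def diff_zip_longest(a: bytes, b: bytes) -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Same comparison with itertools.zip_longest().

    Positions past the end of the shorter input are padded with None, so a
    length mismatch shows up as explicit differences instead of vanishing.
    """
    return [(i, x, y) for i, (x, y) in enumerate(zip_longest(a, b)) if x != y]


def differing_bytes(a: bytes, b: bytes) -> bytes:
    """Collect, from `a`, every byte that differs from the same offset in `b`.

    This is the whats-the-difference style of recovery: the hidden text is
    whatever was overwritten into `a` relative to the unmodified `b`.
    Uses zip(), so bytes appended beyond the end of `b` are NOT collected;
    compare lengths first if that matters.
    """
    return bytes(x for x, y in zip(a, b) if x != y)


# Constructed sample inputs (not the real CTF files): MODIFIED is BASE with two
# bytes replaced and two extra bytes appended at the end.
BASE = b"abcdefghij"
MODIFIED = b"abXdefYhij" + b"ZZ"


def main() -> None:
    print("zip():         ", diff_zip(BASE, MODIFIED))
    print("zip_longest(): ", diff_zip_longest(BASE, MODIFIED))
    print("hidden bytes:  ", differing_bytes(MODIFIED, BASE))
    if len(BASE) != len(MODIFIED):
        print(f"length mismatch: {len(BASE)} vs {len(MODIFIED)} bytes")


if __name__ == "__main__":
    main()
```

The point of running both variants side by side is that `diff_zip` reports only the two overwritten positions, while `diff_zip_longest` also surfaces the two appended bytes; for file comparison the length check (or `zip_longest`) is the one that keeps you from missing data at the tail.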

 
