I have no idea why Google dropped almost all my pictures in this post. But I didn't keep original ones after I uploaded, sorry.
還在想要用英文還是中文寫這篇,不過考慮到一些來自台灣的朋友對於英文文章閱讀能力,最後還是決定用中文寫了,大意的部分翻成英文。順便防止國外隊伍偷學去 (誤)
I'm still wondering I should write this writeup in English or Chinese, some of my friends in Taiwan they can't (or don't want to) read English articles, so I decided to write this post in Chinese and try to translate (important parts) to English.
可以先看一下寬寬學長的 write up :(
Here's another write up from @Bletchley131
http://www.slideshare.net/Bletchley131/hitcon-ctf-2014-bamboofox
首先恭喜來自日本的 fuzzi3 (富士山),實在是非常強勁的隊伍,裡頭有好多個來自北海道、大阪和東京的 CTF 玩家,其中部分人來自打進 Defcon 22 final 裡面的 team "binja" (binary ninja 之意) 。雖然他們在 Defcon 沒有運氣像是 HITCON 這麼好,不過能有實力打進去 Defcon final 也代表是十分強大的對手。
Frist we congrats to fussi3 from Japan, a super powerful team. Lots of famous CTF players from Hokkaido, Osaka and Tokyo (北海道, 大阪 & 東京), some of them are members of the team "binja" in Defcon 22 final. Although they didn't have enough luck as team HITCON from Taiwan, but still an earthshaking competitor for us.
就不負責的 twitter 考據學,team fuzzi3 成員包括 @akiym (dodododo) ,team newbie (@mage_1868 + @hority), team katagaitai (@bata_24), team ε-δ Epsilon-Delta (https://ctftime.org/team/3050) 再加上常來 hitcon 的勇士Q (@ucq) 和 @int03 ,他們根本是我所知道日本最強的一群人全都過來了!lol
According to some twitter feeds, the members of team fuzzi3 including @akiym (dodododo), team newbie (@mage_1868 + @hority), team katagaitai (@bata_24), team ε-δ Epsilon-Delta (https://ctftime.org/team/3050) and vert often hitcon attendees 勇士Q (@ucq) & @int03 .
全部成員名單這邊有 (?)
Here's the total members list
http://mage-ctf-writeup.blogspot.jp/2014/08/hitcon-ctf-2014.html
https://twitter.com/mage_1868/status/501403899291381761
我們隊伍 BambooFox (竹狐) 竹狐是,結合了兩個交大在 hitcon wargame 優勝常客 DSNS Lab 和 SQLab (CRAX) 以及一些朋友。
Our team "BambooFox" (竹狐) is the mascot of our school, we're a combination of two security labs, DSNS & SQLab (CRAX), both are very high ranking teams in previous HITCON games, plus some friends in NCTU (National Chiao Tung University).
原本我個人決定休息一年的 HITCON wargame 在 Shih-Kun Huang 老師的邀請下跟著 SQLab 和 DSNS lab 的高手們一起打,雖然是還是按照原本計畫是度假模式,僅只於嘴砲嘴砲的鍵盤參與,有在玩的時間也大概 24hr 不到,但是貢獻了最簡單的兩題後接著有開的題目又都不是自己熟悉的領域。比賽最後一刻才被隊友告知出了自己手頭產品相關的題目,無奈是花時間的計算題程式寫完後沒有足夠的時間把 key 算出來。不過後來也在 twitter 上面交了朋友。
Personally, I decided to take a rest of HITCON wargames, but after the invitation of Professor Shih-Kun Huang, I joined the game with SQLab guys. I was taking a vacation in Chicago on the weekend then, only chatted on trello boards and Skype, didn't help our team actually. :(
But on the final hours, my teammates told me there's a ELF is in HSA format (Brig file), I was astonished then. My works of my internship in states is solving the bugs in the HSA simulators! lol. But still, I didn't have enough time to complete that challenge (girby). Anyway, I made some friends on twitter after the game.
這邊是最後的排名和解題
Here's the final ranking and solved challenges.
感謝隊長達達 ddaa 幫我們安排在學校電腦教室場地以及規劃相關的事宜,辛苦了!我們用 Skype 和 trello board 來分享紀錄比賽內容,似乎現在很多 CTF 比賽大家都用這兩個工具 XD 不過由於就算用了這些東西,資訊交換還是不太即時,也造成了部分多人同時寫程式的狀況。
Thanks to our team leader ddaa, for arranging the computer rooms in school and other stuffs.
We used Skype and trello board to exchange game information internally, just like other of CTF teams(?)
DIAGCGI
這題是 web 題,我一向不擅長 Web 類型的題目,即使在實戰經驗上確實打了不少網站 (面壁),這題題目是個 cgi ,給 ping/traceroute/curl 這幾個 command 可以用,測試了一下 ping -c 後發現可以部份的注入指令,當下想到的是一些常見的安裝方式,透過 curl + pipe 給 bash 或是其他程式跑
curl -L http://cpanmin.us | perl - App::cpanminus
or curl -L url | bash
不過 | 好像不會動,在試了各樣的 quote 和 escape 後,發現 \ 剛好可以拿來用,成功注入指令,在 ls / cat 看完後發現 key file 在根目錄下,並且由另一個 user 權限掌控,所以 web server 無法讀取,不過有另一個 read_key 的 executable 可以用,拿來發現就噴出 key 惹!
This is a challenge about web cgis, although I had some real world experiences about website hacking, but still didn't do well in CTF web challenges. The problem is, giving a cgi script that can execute some common commands like ping/traceroute/curl. I tried ping -c and found we can some sort of command injection to the cgi script. I came up with the idea of some software installation, using curl and piping to bash then execute the downloaded content like cpanminus. The normal pipe (|) seemed useless in this case, after tring lots of fuzzying characters, quoting and escaping, "\|" was the correct one to execute a command after pipe. Tried ls / cat for directory listing, our key file is under the root directory, owned by another user "key", but very easy to use the read_key to read that out, done!
Special thanks to @Jokercatz
比賽時間我都在玩,所以沒作其他紀錄(逃)
During the ctf game, I was enjoying my vacation, so I didn't have more pics /flee
Maze 是單純的苦工題,題目是一組 QR code 生成的迷宮,有點類似 nethack,我們使用了大量的工人智慧做暴力破解 orz
Maze is a human powered challange. The puzzle is made by a nethack style game of QR code maze, we used lots of human resource to "brute force" that orz.
日本駭客 @takesako 在 OSDC 2010 給過一場 "Polyglot Programming and Web Security" 很不錯的 talk ,那之後開始有點研究這種混雜語言程式設計。今年我自己沒有時間想題目 (都在玩) ,只能分享一些之前玩 polyglot 的經驗給隊友,
After the talk "Polyglot Programming and Web Security" given by @takesako in OSDC.tw 2010, I've been a fan of polyglot programming, it's super cool!
In the challenge this year, I helped my teammates via sharing my experience about polyglot programming. It helped a lot! ^_^
But I didn't do well on the Haskell part Q_Q
最重要的核心思想就是使用 macro / 或是盡可能的讓 over lapping 的 code "互為註解" (見底下說明)
使用 C 的 macro #define 來替換東西,剛好 # 又會被 Perl/Python/Ruby 忽略當註解
使用 Python 的 doc string """ 包住非 python code
使用 C 的 /* */ 來包住其他語言
#*/ 這個可以當作最後的 pending 來結束非 C 的部分又不會被 Python/Ruby
Haskell 我不熟,不過應該可以用 {- ... -} 當作區塊註解
Haskell 似乎可以有 assignment 來省掉一些部分
C 裡面有個特殊技巧在 C90 和 1995 amendment to the C90 被引入 (trigraphs & digraphs),可以用來避開一些字元。
The core concept of polyglot programming is using macro or comments covering on overlapping codes for each other.
In C, #define macro can be used as substitutions, but also comments for Perl/Python/Ruby
In Python, we can use """ for multiline doc string to cover non-python codes.
In C using /* */ to cover other langs.
#*/ can be used as the ending of a polyglot program for a end of C-style comment and Perl/Python comments.
In Haskell, we can use {- ... -} for multiline comments or using assignment for some symbols.
trigraphs (already in C90) and digraphs (introduced in 1995 amendment to the C90) can be used to avoid some special characters.
http://en.wikipedia.org/wiki/Digraphs_and_trigraphs
Final codes: http://pastebin.com/pZhCVEnN
griby 是包 Brigfile 的 ELF,brig 是 HSAIL 的 binary form. 然後我現在有在做一些跟 HSA simulator 相關的 bug fixing ... 禮拜天花了太多時間在玩,到了台灣清晨六點多我才被告之原來是 HSA 相關的題目,比賽時間不多雖然跟隊友分析完題目後我自幹了 HSA 的 host code 然後成功在隊友的 Linux box 上面跑起來,可惜這個算法是要花時間慢慢算的... 時間不夠殘念 GG
是說我出去度假前還跟強者同事 Jack 嘴砲說該不會我們現在弄 HSA 相關的東西因為可以改動到 host 上面的記憶體,所以會不會有機會出現相關的安全問題,例如看起來正常的 WebGL kernel 在畫 3D engine 其實背地裡在亂來之類的 XDDDD 結果題目就出來惹!!!!! T_T
girby is a ELF of Brig file format, which is the binary form of HSAIL. I'm now doing some bug fixing on the simulator ... orz
I spent too much time in the Museum of Science and Industry in Chicago, when it was 6 am in Taiwan, but I was having some fancy Italian food in RL Restaurant (http://www.rlrestaurant.com/). I wrote the host code for the HSA simulator to launch the kernel (girby), but it's a time consuming algorithm, so ... 残念でした.
I was talking with my colleague Jack about some security issues around HSA at night the day before I went to Chicago, since we can modify the contents in host memory (CPU side), maybe some bad guys will write a "looks good" WebGL kernel but doing some bad stuffs ... Ouch!!! The HSA-related problem was IN the HITCON game!!!
@winesap > darkx: It's not infinity i think, just very very slow :D
一些 HSA 相關的材料在這邊
Some other reference about HSA can be found here.
http://www.hsafoundation.com/standards/
https://github.com/HSAFoundation/HSAIL-Instruction-Set-Simulator
洋洋灑灑亂寫了,比賽打的很開心,隊友都很厲害,我自己個人貢獻沒有很多。不過明年應該看情況就真的會休息了吧!很感謝在 twitter 上面又交了不少新的朋友,其他隊伍也很強,安全對我來說始終算是個當作業餘興趣在打的東西吧,特別是某事件之後 :P 還是專心寫 compilers 吧。
I just finished a mess of this post, anyway, I enjoyed the game, our teammates are powerful, comparing to my personal contribution... I think maybe I'll really take a rest next year? Thanks to the new friends from team fuzzi3 on Twitter, other teams are nice, too. Well, network security for me is just a game, I should not put too much on it. Focus on more studies about compiler techniques :p