So as not to forget: only facts and recollections, no analysis.
Report and photos from one German team:
http://bilder.philippfleck.de/?verz=2006_12____iCTF_SquareRoots_Uni_Mannheim
and
http://blog.philippfleck.de/1_philipps_blog/archive/689_ictf-review.html?ref=rss10feed
and this is PROMT's machine translation from German into English:
Some of the last entries here may have been a bit confused or hard to understand. Blogging on the side, when one actually has no time, does not allow for detailed explanations. The concrete rules were only published together with the password for the image, and from that point on there was no time left for long entries. So first I would like to briefly explain once more what it was all about:
Unlike earlier CTF competitions, the goal this year was not to steal and protect flags; instead the teams were banks and had to defend their own money and steal from the other banks. Money could be moved between teams in two different ways: either as electronic cheques or as an inter-bank transaction. The goal of every team was to increase its money. As long as the various services on the server were available, they could be used for transactions. Customers from the gameserver came again and again and tried to deposit money. If that works, because the services are up and functioning, the bank's assets grow. This corresponds to the defensive scoring of the previous scoring system. For the offensive scoring we had to siphon off as much money as possible from other banks. There was, however, an upper limit, partly per transaction and partly per round, on how much one could take from another team with one method. If one gambled too high, it could also happen that one "withdrew" a negative amount.
Besides active and passive money-raising there was a third way to get money. The central bank (gameserver) published side tasks (quests) at irregular intervals, with which one could collect additional money.
The detailed description of the rules can be found here.
As I announced in the last entry, here is a short review of how the whole event went from my point of view:
During the preparations at the beginning everyone was tinkering away on his own, and I was not sure whether we had prepared everything the way we would need it later. A checklist might have been helpful here. But this turned out not to be decisive later on. One thing at a time, though: after receiving the password for the image at around 18:00 we first had to familiarise ourselves with the rules and find our way around the system. The latter in particular was not at all easy, because the exact way it worked was documented nowhere. We had to see which services were running and where possible security holes might be. We roughly divided up the areas at the beginning. At that point it was unclear when it would start. We actually assumed that the schedule would slip back by about an hour. But when, shortly after half past six, the message came that it would start in about 20 minutes, things got a little uneasy here. Everyone knew that we did not have even the beginnings of a secure system. When the routing was then activated at 19:00 and the individual participants could reach each other, that feeling was confirmed. We were open like a barn door. Several times I kicked logged-in users from other teams off our machine. Our services were also not reachable by the central bank for a long time.
After a while, however, things got better: we got most services running and also had our first successes against the others. During the game there was no overall ranking in which one could read how well one stood in total, but when at times we were listed second among the best hackers, we knew that we were not doing all that badly. Our balance grew slowly but steadily, even if a little was deducted now and then. The latter was a sign that we still had holes somewhere. Over time, groups formed that took care of the different problems. Some looked mainly after the quests, others more after the offensive aspects, and yet others after the security holes in our system.
Thinking about it in hindsight, probably nobody had an overview of who was really working on what, and whether we were covering all areas or overlooking or forgetting something important.
To my knowledge nobody did continuous monitoring of the activity on our system. That was possibly also the reason why, at around half past midnight, we did not know exactly where our money was suddenly going and how we could stop it. Within a very short time we lost more than half a million of the 1.8 million we had accumulated by then. So we decided to switch off the services on our system and wait. Unfortunately, our balance kept falling. At first we put it down to the time delay between the theft and the update of the balance. But unfortunately it kept falling, so we decided to take the test systems completely off the network too, because we suspected that the transactions were being handled through them. After a few more rounds of waiting, our balance finally stopped at about 7,900 $. The disappointment was enormous, because we had lost almost 1.8 million dollars within half to three quarters of an hour. Resignation spread, and there were thoughts about whether it would be best to simply leave the systems shut down so as not to lose everything. In the meantime Torsten tried to exploit a security hole further and managed at least to raise our balance again to about 58,000. Nothing compared to the previous state, but it was enough to lift the mood again. Everyone pulled together again and tried to give everything once more in the last hour. Towards the end, however, we were cleaned out once more and our balance fell again to just 8,000 $. Shortly before the end Robert did manage to reverse this matrix encoding, and we put our hope in the points we received from the quests.
At the beginning some asked why the quest points were not added to the balance immediately, but in hindsight we were glad that they were only added at the end, because they made up the main part of our final standing.
Until the end we did not know who had used which hole against us, and where. But we suspected that it was a hole that we had indeed patched on our primary system but not on our test system. Since I had mainly taken on looking after the systems, I was not sure whether I was directly to blame for the problem: at the start we had set up a total of three systems on which the VMware images could run. One of them was the live system; two served for testing and as a backup. Contrary to what most assumed, the test computers were nevertheless reachable by all the other teams. For testing, however, we used only one of them. The other basically sat around the whole time and ran with all its services. Nobody noticed or used that system. But I was basically responsible for it, because it stood right in my corner. If that computer had been the point of entry, I would have had to take 100% of the blame for the defeat. That was also the reason why I went back to the Pi Pool today to pack up the images and log files, so that I could look afterwards at what had been going on on the system; it simply would not leave me alone, and I was not sure whether that system had been the entry point. At least nothing at all had been patched on it, and even the password for the user team was still team. As far as I can judge at the moment, I was lucky. Fortunately, at the time in question we had a tcpdump running on the team box, that is the computer that was the connection to the VPN, and we saved it as well. In total we recorded from 00:12:42 for 58:53 minutes and captured 590887 packets.
So, put simply, I could trace all network traffic that went through this computer, and found that during the period of the dump just 20 packets were addressed to this machine or came from it: 8 of them were DNS queries by the machine itself, 8 the accompanying answers, 2 were pings and 2 the replies to them. Since the share of these unremarkable packets is vanishingly small compared to the total, and no packets went over the management connection that would have hinted at someone else using the system, I am fairly sure that the system was still clean at that point. In addition, there were no signs on the system itself that somebody had used it. The user team was never logged in, there were no suspicious files or directories in /tmp, and the most recently changed files showed nothing conspicuous either. I had really been lucky once again with that machine.
In analysing the network data I came across some anomalies which indicate that it was team 12 (int80) that cleaned us out like that. It appears that they used an overflow with a prepared packet to UDP port 2342 to open a shell on TCP port 20000. Through it they issued cheques in our name to their team. First they tried it on our real server. But if one does that from there, one gets the message that for security reasons it has to be done from another computer in our IP range. So they set about looking for alternatives. First they wanted to use nmap directly in the shell. That did not work, however, because it was not installed. So they searched our network from the first to the last IP with a ping and a connection attempt for live computers. Then the live computers were checked one after another with a connection attempt on UDP port 2342 and TCP port 20000. The first computer that the guys from Georgia Tech found was the primary test computer. They could also have gone for the other machine I have just talked about. Going by IP it would even have been lower, but apparently it took longer to answer. I suppose it would have made no difference on which machine they did their thing. In that case the only thing that would have helped would have been not to negligently keep the test computers as reachable as the live system, but to explicitly allow access to them only from our own network.
Once the system was discovered, int80 had an easy game. Again and again: generate a request that issues a cheque, have our server send it to the central server, and print the answer on their side. They repeated this 38 times within 15 minutes, with cheques of 50,000 $. With the 39th and 40th cheque they got the message that we were probably bankrupt, and left it at that. By this calculation we would have had more than 1.9 million at the time the bankruptcy began.
The last 50,000 that Torsten had won back presumably changed hands the same way. Admittedly the recording was no longer running by then, but the fact that exactly 50,000 $ were deducted once more suggests this conclusion.
The realisation is bitter for me in three respects: first, isolating the test machines would have fallen within my area of responsibility. Second, one has to watch without any idea how the money is actually running away. And third, with the 1.9 million we would have ended up in 7th place (1.9 mil. + 0.46 mil. from the quests).
Despite the bitter experience shortly before the end, I believe that everyone else on team Squareroots had just as much fun as I did. It was a brilliant mixture of fun, stress, learning and amazement at the abilities of others.
When, after the end of the session, there was talk of "next year", I had to find out that I probably cannot be there any more. Unfortunately.
When Wolfgang and Laura asked me last Thursday at the FIM party whether I felt like joining in, I did not really know whether something like this would be fun for me. Since I had nothing else planned, I thought I might as well join in for once.
In hindsight I know that it was not a mistake, and if the opportunity comes up, I will take part in a CTF again.
For anyone interested, I have put the pictures online that Martin Mink and I took during the iCTF. There is also a tgz for bulk download.
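Added example (not part of Philipp Fleck's post or the Squareroots team's material): a Python script that performs, over a small capture, the two checks the post describes. The first is the per-host packet summary the author used to decide that the idle test box was untouched (only its own DNS lookups and ICMP echo traffic). The second reconstructs the attacker's path from the traffic: the ping sweep across the team's /24, the probes on UDP 2342 (the overflowed service) and TCP 20000 (the shell), and the repeated connections to the shell port. The input is constructed text in the format `tcpdump -nn` prints, not the team's real dump; the 10.x addresses, the DNS name and the packet sizes are invented, since the post gives none of them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump -nn format; NOT the team's real capture.
# Assumed (invented) addressing: 10.7.0.0/24 is "our" team network
# (.1 live server, .2 the idle spare test box, .3 the primary test box),
# 10.12.0.9 is the attacking host of team 12, 10.0.0.53 a DNS server.
SAMPLE = """\
00:13:01.000100 IP 10.7.0.2.33000 > 10.0.0.53.53: 1001+ A? bank.ictf. (27)
00:13:01.000500 IP 10.0.0.53.53 > 10.7.0.2.33000: 1001 1/0/0 A 10.0.0.1 (43)
00:13:10.000100 IP 10.12.0.9.40000 > 10.7.0.1.2342: UDP, length 612
00:13:10.200100 IP 10.12.0.9.40001 > 10.7.0.1.20000: Flags [S], seq 100, win 5840, length 0
00:13:10.200400 IP 10.7.0.1.20000 > 10.12.0.9.40001: Flags [S.], seq 200, ack 101, win 5792, length 0
00:13:20.000100 IP 10.12.0.9 > 10.7.0.1: ICMP echo request, id 7, seq 1, length 64
00:13:20.000300 IP 10.7.0.1 > 10.12.0.9: ICMP echo reply, id 7, seq 1, length 64
00:13:20.100100 IP 10.12.0.9 > 10.7.0.2: ICMP echo request, id 7, seq 2, length 64
00:13:20.100300 IP 10.7.0.2 > 10.12.0.9: ICMP echo reply, id 7, seq 2, length 64
00:13:20.200100 IP 10.12.0.9 > 10.7.0.3: ICMP echo request, id 7, seq 3, length 64
00:13:20.200300 IP 10.7.0.3 > 10.12.0.9: ICMP echo reply, id 7, seq 3, length 64
00:13:20.300100 IP 10.12.0.9 > 10.7.0.4: ICMP echo request, id 7, seq 4, length 64
00:13:30.000100 IP 10.12.0.9.40002 > 10.7.0.3.2342: UDP, length 612
00:13:30.200100 IP 10.12.0.9.40003 > 10.7.0.3.20000: Flags [S], seq 300, win 5840, length 0
00:13:30.200400 IP 10.7.0.3.20000 > 10.12.0.9.40003: Flags [S.], seq 400, ack 301, win 5792, length 0
00:13:40.000100 IP 10.12.0.9.40004 > 10.7.0.3.20000: Flags [S], seq 500, win 5840, length 0
00:13:50.000100 IP 10.12.0.9.40005 > 10.7.0.3.20000: Flags [S], seq 600, win 5840, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def parse_line(line):
    """One tcpdump -nn line -> dict with src/dst, ports and a traffic 'kind' (None if unparsable)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rest = rec["rest"]
    if rest.startswith("ICMP echo request"):
        rec["kind"] = "icmp_request"
    elif rest.startswith("ICMP echo reply"):
        rec["kind"] = "icmp_reply"
    elif 53 in (rec["sport"], rec["dport"]):      # tcpdump prints DNS as a query summary
        rec["kind"] = "dns_query" if rec["dport"] == 53 else "dns_reply"
    elif rest.startswith("Flags ["):              # TCP segment; a bare [S] is a new connection
        flags = re.match(r"Flags \[([^\]]*)\]", rest).group(1)
        rec["kind"] = "tcp_syn" if flags == "S" else "tcp"
    elif rest.startswith("UDP"):
        rec["kind"] = "udp"
    else:
        rec["kind"] = "other"
    return rec

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def host_summary(records, host):
    """Packets to or from one host, counted by kind (the author's check on the spare box)."""
    return Counter(r["kind"] for r in records if host in (r["src"], r["dst"]))

def looks_untouched(summary):
    """True if a host saw only its own DNS lookups and ICMP echo traffic."""
    return set(summary) <= {"dns_query", "dns_reply", "icmp_request", "icmp_reply"}

def find_ping_sweeps(records, min_hosts=4):
    """(source, /24 prefix) pairs whose source pinged at least min_hosts distinct hosts."""
    targets = defaultdict(set)
    for r in records:
        if r["kind"] == "icmp_request":
            targets[(r["src"], r["dst"].rsplit(".", 1)[0])].add(r["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

# Ports named in the post: the overflowed UDP service and the TCP port the shell opened on.
SERVICE_PORTS = {("udp", 2342), ("tcp_syn", 20000)}

def find_service_probes(records, ports=SERVICE_PORTS):
    """Per source, which hosts it touched on the overflow port or the shell port."""
    probes = defaultdict(lambda: defaultdict(set))
    for r in records:
        if (r["kind"], r["dport"]) in ports:
            probes[r["src"]][r["dst"]].add(r["dport"])
    return {s: {d: sorted(p) for d, p in hosts.items()} for s, hosts in probes.items()}

def shell_connections(records, shell_port=20000):
    """New TCP connections (bare SYNs) per (src, dst) to the shell port."""
    return Counter((r["src"], r["dst"]) for r in records
                   if r["kind"] == "tcp_syn" and r["dport"] == shell_port)

if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    spare = host_summary(recs, "10.7.0.2")
    print("10.7.0.2:", dict(spare), "untouched" if looks_untouched(spare) else "TOUCHED")
    print("ping sweeps:", find_ping_sweeps(recs))
    print("service probes:", find_service_probes(recs))
    print("shell connections:", dict(shell_connections(recs)))
```

On a real capture the text would come from `tcpdump -nn -r <file>` fed to `parse_capture`. The sweep threshold (`min_hosts`) and the port list are the only tuning knobs; a host that the attacker pinged during the sweep still passes `looks_untouched`, exactly as the spare box in the post did, because the check only asks whether anything beyond echo traffic and its own DNS lookups ever reached it.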