Thursday, September 30, 2010

CSAW CTF - Forensics Write-up

The forensics challenges given at CSAW CTF weren't exactly what I was expecting, but we still managed to solve most of them. Here are my write-ups for the 4 challenges.

Challenges were made by Efstratios Gavas (@xtrat), Director of cyber security labs at NYU Poly! Awesome :)

Wednesday, September 29, 2010

CSAW Exploit 3 Write-up - FreeBSD local root

For exploit3, we were given the following instructions:
Get Root. Get the key. If only I can jump over the mountain without being normal
ssh://128.238.66.100:40010
chal3:$+1zX*(
2048 51:41:94:32:cf:b1:3f:d9:74:c1:d2:08:aa:e3:49:2b /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 22:7f:72:93:93:7e:9a:3d:01:b9:58:ea:74:1a:c5:af /etc/ssh/ssh_host_dsa_key.pub (DSA)

Vulnerable FreeBSD kernel

We ssh in and notice an old FreeBSD kernel. We can try to use @kingcope's FreeBSD sendfile cache local root. Sadly it does not work out of the box because /tmp is not writable for us: we have to customize the shellcode a bit to use a different directory. Also, we can remove the 64-bit part since we are on 32-bit.

CSAW Exploit 1 Write-up - FreeBSD remote stack based buffer overflow

A few weeks ago the Leet More CTF was held, where Nibbles finished 1st! I didn't have the time to write any write-ups, but you can find some on the Nibbles blog or by sh4ka, auntitled and hellman.

Last weekend the well-known CSAW CTF (quals) by NYU-Poly was held. Last year's and this year's winners are none other than our awesome friends PPP! We took 2nd place just behind them, see the top 15 graph.

They gave us interesting exploit challenges and I had the opportunity to look at exploit1: a remote stack based buffer overflow under FreeBSD 8.0.

Wednesday, September 01, 2010

Free secondary DNS services

If you run an authoritative DNS server and serve your own zones, you may know about the need to have decent secondary DNS servers, or "slaves", to back you up. I recently changed mine, followed the recommendations on Frankb's page and found new ones.

August 2019 update: so far these are great, so passing the word.
  • puck.nether.net: simple, IPv4+IPv6, supports DNSSEC, 1 location; usually fairly quick to update, but had trouble recently (2019-08) so I removed it
  • freedns.afraid.org: simple, IPv4, supports DNSSEC, 1 location; a bit slow to update, sometimes times out, but otherwise stable for years
  • BuddyNS: fancy, but DNSSEC support is not free, so no
  • 1984hosting: simple, IPv4+IPv6, supports DNSSEC, 3 NS; new one I'm trying, so far so good, fast to update