CTF organizer's guide against zombies

CTF organizer's guide against zombies

0x00 background

XDCTF2015 is a CTF that I think is very powerful. The problem is moderately difficult and there is nothing wrong with it. It has ended successfully.

CTF has always been easy to get confused. Sometimes it comes from itself. For example, in a year, XDCTF paused for several hours due to power outages in the school room. Of course, more chaos comes from "hackers ". Because CTF is a security-related competition, it naturally attracts the attention of many security researchers. Here, "hackers" refer to people who use various means to make other contestants unable to answer questions normally.

Players like this generally claim to be "zombie "~ Hey. Of course, I didn't condemn them. Competition is a process of competition with others. I think it is also a kind of ability to prevent opponents from scoring through various means. However, as the organizer, we should try to make all contestants compete properly to ensure a fair degree. So I wrote this document to record my handling methods for this competition.

0x01 question Quality Assurance

This is the source of all defense methods.

The question is difficult. If it is too difficult, it is easy for people to give up and get revenge. After giving up, the rest of the time is the time to give up. It cannot be too idiotic. The question of being too idiotic is minute-and-second, and the rest of the time is also used to trick people.

I feel that the question is difficult. I would like to, but it seems like there is a pitfall. How can I bypass it ...... After a period of hard work, I made a question; or I did not make a question at the specified time. After reading writeup, I suddenly realized it.

Such a question will give everyone a sense of accomplishment, learn something, and appreciate the organizer. In this way, we can reduce a lot of trouble. First, we don't want to bother the organizers, and second, we have no time to think about other issues.

0x02 defense first move-code Layer

Some permissions are limited, so you can defend against the code.

For example, this web2-100 is a vulnerability in any user password modification. After discovering the vulnerability and Successfully modifying the password of the front-end administrator, you can see the flag after logging in. Flag is stored in the user file. Normally, xdsec-cms allows you to delete your own files. Then, if the first person who made the question obtains the flag and deletes the file, there will be no second one.

So I added a judgment in the deleted code:

If the user is an administrator, false is returned directly and deletion is not allowed. Add, delete, modify, and query operations. This judgment is required for deletion and modification. Of course, a good hacker can write a script and add 999999 fake files. The flag style is similar. No one knows which one is a true flag, which also affects the contestants to answer questions. So strictly speaking, this judgment is also required for the "increment.

There is also a common means to stir up a stick, namely the "violent competition law ".

For example, a question requires two steps. The first step is to change the user name to xxx, and the second step is to trigger a second injection to obtain the injection result. Then I wrote a script and kept using 50 threads to change the user name to an irrelevant name, so that other users could not perform the Second Step normally. (The first step has just been completed and changed by others) in this case, other contestants generally think that their operation method is wrong, which leads to a direct deviation in the direction of the question. Even if the contestant finds that someone is messing up, they can only write the same script and run it with 100 threads.

I think this BUG can be avoided when the question is given. Taking this example as an example, we can create a multi-user environment. Different users can only operate on their own user names, thus completely avoiding the above problems. If this cannot be done, we should use the verification code to deal with the "Competition" by 12306. This will make it very difficult to write competing scripts, which can be avoided in general.

0x03 second defense-Service permission Layer

If PWN is not mentioned for the moment, the WEB will certainly involve some system services, such as web services, database services, and cache services. The Web Service also involves the middleware and script permissions. Here, we take nginx + php as an example, and mysql as an example.

In many preliminary ctf competitions, web questions are often "small", so multiple web questions are put on one server. In this case, permission settings are extremely important. If the permissions of a game are not set properly, the player may exploit the Arbitrary File Reading Vulnerability of a question, or a root injection + load_file can directly read the source files of all questions. As a result, the ctf instantly becomes a code audit competition.

Therefore, the sandbox environment is essential for this type of ctf. The Sandbox can be docker in recent years, a "virtual host" in the past few years, or a simple open_basedir, there is always better than no. We recommend that you place a question in an independent virtual host.

In the same question, Service permission settings are also extremely important.

For example, if you want to hide the flag in the background administrator's password location, you can use the method described in 0x02 to prevent sp:

The Administrator cannot change the password. The administrator cannot be deleted. The administrator cannot be added.

If something is forgotten, it will be a tragedy. To solve this problem, remove the "add", "delete", and "modify" permissions of the current database user for the Administrator table. In mysql, it is similar to grant select ON db. admin? Xxx @ localhost. Only select permission is granted. Of course, you can develop more detailed permission planning based on the specific situation analysis.

The same problem exists in pwn. We encountered a problem that required the user to execute the command. After the contestant successfully completed the command execution goal, he wrote a loop kill and killed pwn's own service, as a result, other teams cannot continue to answer questions. This is indeed a tricky problem, because the process permissions obtained from pwn fork are normally the same as those obtained from pwn, so no matter how you downgrade pwn, you cannot kill the pwn process directly.

There are three possible solutions:

Rename or delete executable programs such as kill, pkill, and skill and set the other permission of directories such as/usr/bin,/bin,/usr/local/bin to 0 to use selinux, set security context

Method 1 is the simplest, but it may not take weeks into consideration. After all, there are so many linux commands. Method 2 is rough, and normal operations may fail. Method 3 should be the most appropriate, but it is also the most troublesome to configure. This depends on the complexity and importance of personal abilities and ctf.

0x04 defense Third move-File Permission Layer

If the ctf involves file operations (read, upload, delete, modify, and rename), you have to properly set the file permissions.

First, you must first understand the extent to which file operations can be performed on your questions: whether to read, modify, and whether to allow getshell. Here is an advice. In the CTF preliminary round, you should try not to allow getshell players. After Getshell, there are several ways to make your game unable to continue.

However, sometimes the question test site is a file upload vulnerability or any file operation vulnerability. How can I verify that the contestant meets the requirements without getshell? Here I take this web2 as an example: the ultimate goal of the web2-400 is the user getshell, using an Arbitrary File Rename Vulnerability, rename the normal file to. php after getshell. In fact, I want to check whether the player has successfully renamed the file to a. php suffix ".

Therefore, the real getshell cannot be used by contestants. My approach is as follows:

On the entire site, requests directed to the index. php and th3r315adm1n. php files are sent to fastcgi for execution:

This effectively ensures that any other PHP files cannot be executed. This step is mainly used to ensure the security of the server.

All other requests suffixed with. php. If the file exists, I think the user has successfully getshell. In this case, the request is rewritten to the flag text file, and the user obtains the flag:

In my environment, the entire web directory had only two PHP files. If a third PHP file exists, it must be your webshell.

All requests whose names start with "“flag-example" and end with "".txt" Return 403. This is to prevent someone from directly guessing the flag File Name:

After completing these three steps, we completed the configuration of a "getshell" vulnerability, simulating the getshell situation, but not actually getshell.

So what else does getshell caused by a file operation prevent the real getshell?

Of course, it is to prevent spam. There are one thousand ways to make the game unusable: delete/overwrite/rename normal files, route normal files to music videos, or even "help" the organizer modify the flag, or modify the vulnerability file. It is easy to deal with. I changed all the permissions of all existing files (normal files) to 755, and changed the owner to root:

In this way, even if you have any file operation vulnerability, you do not have the permission to modify the normal file.

However, most cms will involve directories that need to be written, such as cache, upload directory, and backup directory. If it is set to unwritable, the cms will not run. For example, in this question, there is a static file download function in the background. I have to set the owner of the css, js, img, and other directories to www to make the static directories writable.

Users familiar with linux permissions should know whether a file can be deleted depends on its directory permissions. If I have the write permission on the directory where the file is located, I can delete it even if the file does not belong to me. Therefore, through the deletion function in the background, you can "Delete light" static website files, directly affecting the experience of subsequent contestants.

What should I do in this situation? Files in Linux have some "hidden attributes", which can be viewed through lsattr and modified by chattr:

For example, this is the hidden permission of the js directory file I configured.

I have added the I sign (chattr + I *) to all existing js files. I means that the file cannot be modified (including deleted ).

At this time, we can try rm:

The root user cannot delete the flag file.

This effectively ensures the security of website files, and cannot disrupt the website structure and normal functions. Clever Use of the permission control capabilities provided by these systems can effectively prevent zombie attacks!

0x05 defense Fourth move-fighting revenge against social-style pub

This kind of pub is really a "bad guy", and it is a direct trick to harm people. For example, if you win the flag, then you can tell everyone about it through official QQ groups, IRC, and other channels, directly undermining the playability and fairness of the game. There are also people playing the DDOS game server during the competition. (That's how much hatred you have.) I don't think there is anything to say about this type of person. The title number should be blacklisted and try to make him unable to contact contestants. At the same time, you need to check the server logs and check the abnormal status in time. We recommend a real-time log viewing tool-ngxtop:

You can search for the source code and usage on github.

If the organizer maintains a good attitude and has sufficient respect and patience for the contestants, this type of competition will not happen. In the final analysis, CTF is a play and learning activity. Both organizers and contestants can learn a lot through the competition. Maintain a good attitude to solve problems and gradually accumulate experience.