Things you should know for the CTF

Transcription

1 Things you should know for the CTF Requirements From Wed. Oct. 24 evening MIT meeting: o Web server must run on port 80 o WordPress must allow registration/login via verified OpenID o Registration/login process must bring user back to front page Friday, October 26, 2012 CS342 Computer Security Department of Computer Science Wellesley College o Widgets/plugins must exist on front page to be graded. o Network Time Protocol (NTP) service must be enabled. o Cannot block/filter IP addresses (I think) o Anything else? 14-2 Startup who : list logged in users from Michael Zhivich (Fri. Oct. 26): We're still working out logistics for the contest start-up. There will be a period when VMs are available for players to install tools/harden/etc and graders are not running (so the competition has not officially started). Unfortunately, we don't have any technical means to prevent various teams from attacking each other during this period. Unlike the previous event, all services will be turned off at the beginning, so the only exposed service should be SSH; I believe this is a reasonably secure configuration. We highly recommend that your team comes equipped with either a Windows machine or a VM; this will enable them to get "console access" to their VM via vsphere client, so they'll be able to unplug their machine from the network. There is also a Web-based vsphere client available, but I haven't tested it out. Does anyone know what this means? root@ctf-portal:/# who sysadmin tty :59 sysadmin pts/ :31 ( ) [cs235@puma ~] who sysadmin : :03 sysadmin pts/ :03 (:0.0) cs304 pts/ :27 (sampras.wellesley.edu) zjansen pts/ :24 ( ) cs235 pts/ :07 (pool bstnma.fios.verizon.net) anderson pts/ :22 (sampras.wellesley.edu) tanner11 pts/ :23 (puma.wellesley.edu) anderson pts/ :38 (sampras.wellesley.edu) anderson pts/ :42 (sampras.wellesley.edu) cs304tes pts/ :10 (sampras.wellesley.edu) sysadmin pts/ :31 (:0.0)

2 ps : list processes root@ctf-portal:/# ps -ef UID PID PPID C STIME TTY TIME CMD root Oct19? 00:00:00 /sbin/init root Oct19? 00:00:00 [kthreadd] root Oct19? 00:00:01 [ksoftirqd/0] mysql Oct19? 00:01:05 /usr/sbin/mysqld qmails Oct19? 00:00:00 qmail-send qmaild Oct19? 00:00:00 tcpserver -v -R -l ctf-portal.ctf.csail.mit.edu -x /etc/qmail root Oct19? 00:00:00 /var/lib/qmail/bin/qmail-verify root Oct19? 00:00:00 qmail-lspawn preline procmail qmailr Oct19? 00:00:00 qmail-rspawn qmailq Oct19? 00:00:00 qmail-clean root Oct19 tty1 00:00:00 /bin/login -- sysadmin Oct19 tty1 00:00:00 -bash root Oct21? 00:00:05 /usr/sbin/apache2 -k start www-data :25? 00:00:00 /usr/sbin/apache2 -k start root :51 pts/2 00:00:00 ps -ef kill -9 : kill a process root@ctf-portal:/# ping google.com > /tmp/pingout & [1] 6421 root@ctf-portal:/# ps -ef grep ping root :21 pts/2 00:00:00 ping google.com root :22 pts/2 00:00:00 grep --color=auto ping root@ctf-portal:/# kill root@ctf-portal:/# ps -ef grep ping root :22 pts/2 00:00:00 grep --color=auto ping [1]+ Killed ping google.com > /tmp/pingout Note: if kill parent process, all children are killed top: list process resources htop: fancier top top - 04:35:58 up 3 days, 14:19, 2 users, load average: 0.00, 0.01, 0.05 Tasks: 85 total, 1 running, 83 sleeping, 1 stopped, 0 zombie Cpu(s): 0.0%us, 0.0%sy, 0.0%ni, 92.6%id, 7.4%wa, 0.0%hi, 0.0%si, 0.0%st Mem: k total, k used, k free, 48412k buffers Swap: k total, 0k used, k free, k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 676 root S :05.38 runsvdir 1 root S :00.30 init 2 root S :00.02 kthreadd 3 root S :01.46 ksoftirqd/0 5 root S :00.17 kworker/u:0 6 root RT S :00.00 migration/0 7 root RT S :03.45 watchdog/0 8 root S :00.00 cpuset 9 root S :00.00 khelper 10 root S :00.00 kdevtmpfs 11 root S :00.00 netns 12 root S :01.57 sync_supers 13 root S :00.03 bdi-default 14 root S :00.00 kintegrityd 15 root S :00.00 kblockd 16 root S :00.00 ata_sff 17 root S :00.07 khubd

3 netstat netstat -aln Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN tcp : :60040 ESTABLISHED tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:6010 :::* LISTEN udp : :* 14-9 netstat (continued) Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] SEQPACKET LISTENING 6657 /run/udev/control unix 2 [ ACC ] STREAM LISTENING unix 2 [ ACC ] STREAM LISTENING 8259 /var/run/mysqld/mysqld.sock unix 2 [ ACC ] STREAM LISTENING 7021 /var/run/dbus/system_bus_socket unix 6 [ ] DGRAM 7151 /dev/log unix 2 [ ] DGRAM unix 2 [ ] DGRAM unix 3 [ ] STREAM CONNECTED unix 3 [ ] STREAM CONNECTED unix 2 [ ] DGRAM unix 2 [ ] DGRAM unix 2 [ ] DGRAM unix 2 [ ] DGRAM 8509 unix 3 [ ] STREAM CONNECTED 7119 /var/run/dbus/system_bus_socket unix 3 [ ] STREAM CONNECTED 7118 unix 3 [ ] STREAM CONNECTED 7094 unix 3 [ ] STREAM CONNECTED 7093 unix 3 [ ] STREAM CONNECTED unix 3 [ ] STREAM CONNECTED 6980 unix 3 [ ] DGRAM 6698 unix 3 [ ] DGRAM 6697 unix 3 [ ] STREAM CONNECTED unix 3 [ ] STREAM CONNECTED nmap: find open ports nmap: example 2 root@ctf-portal:~# nmap localhost Starting Nmap 5.21 ( ) at :45 EDT Nmap scan report for localhost ( ) Host is up ( s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 3306/tcp open mysql 8888/tcp open sun-answerbook root@ctf-portal:~# nmap -p localhost Starting Nmap 5.21 ( ) at :47 EDT Nmap scan report for localhost ( ) Host is up ( s latency). Not shown: closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 3306/tcp open mysql 6010/tcp open unknown 8888/tcp open sun-answerbook Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

4 nmap: example 3 root@ctf-portal:~# nmap -A -T4 localhost Starting Nmap 5.21 ( ) at :45 EDT Nmap scan report for localhost ( ) Host is up ( s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0) ssh-hostkey: :c7:ff:39:0f:96:fb:c4:67:e2:02:25:7a:31:dc:ca (DSA) _ :77:90:d4:d2:e4:10:68:45:25:64:9f:e8:b1:34:26 (RSA) 25/tcp open smtp netqmail smtpd 1.04 smtp-commands: EHLO ctf-portal.ctf.csail.mit.edu, PIPELINING, 8BITMIME _HELP netqmail home page: /tcp open mysql MySQL ubuntu mysql-info: Protocol: 10 Version: ubuntu Thread ID: 241 Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection Status: Autocommit _Salt: 'mrw *X_ 8888/tcp open http Apache httpd ((Ubuntu)) _html-title: 404 Not Found No exact OS matches for host (If you know what OS is running on it, see submit/ ). TCP/IP fingerprint: OS:SCAN(V=5.21%D=10/23%OT=22%CT=1%CU=40364%PV=N%DS=0%DC=L%G=Y%TM= %P lots of details omitted nmap: example 4 Starting Nmap 5.21 ( ) at :08 EDT Nmap scan report for cs.wellesley.edu ( ) Host is up (0.011s latency). rdns record for : puma.wellesley.edu Not shown: 991 filtered ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open rpcbind 443/tcp open https 2049/tcp open nfs 3306/tcp open mysql 8009/tcp open ajp /tcp open http-proxy Nmap done: 1 IP address (1 host up) scanned in seconds Linux Firewall A firewall filters network packets into and out of machine according to rules. o o Input rules filter packets addressed to local machine; Forward rules filter packets traversing machine in router mode; Firewall: iptables Can configure rules by hand using iptables command, but has a reputation for having a high learning curve. The default firewall on your CTF machines is too permissive! It doesn t filter anything: root@ctf-portal:/# iptables -L Chain INPUT (policy ACCEPT) o Output rules filter packets originating from local machine and being sent to other machines. Chain FORWARD (policy ACCEPT) Chain OUTPUT (policy ACCEPT)

5 Firewall: ufw (Uncomplicated Firewall) Ubuntu provides ufw as an easier-to-use interface to iptables. Documentation: Use man or see server guide at: sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y n)? y Firewall is active and enabled on system startup root@ctf-portal:/# sudo ufw status verbose Status: active Logging: on (low) Default: deny (incoming), allow (outgoing) New profiles: skip Firewall: ufw enable root@ctf-portal:/# sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y n)? y Firewall is active and enabled on system startup root@ctf-portal:/# iptables -L Chain INPUT (policy DROP) ufw-before-logging-input all -- ufw-before-input all -- ufw-after-input all -- ufw-after-logging-input all -- ufw-reject-input all -- ufw-track-input all -- Chain FORWARD (policy DROP) ufw-before-logging-forward all -- ufw-before-forward all -- ufw-after-forward all -- ufw-after-logging-forward all -- ufw-reject-forward all -- Chain OUTPUT (policy ACCEPT) ufw-before-logging-output all -- ufw-before-output all -- ufw-after-output all -- ufw-after-logging-output all -- ufw-reject-output all ufw-track-output all Configuration files Basic networking o /etc/apache2/apache2.conf o /etc/apache2/httpd.conf o /etc/apache2/sites-enabled o /etc/mysql/my.cnf o ping o ifconfig o /etc/hosts o telnet o curl o digg

6 Other things o starting/stopping services o apache logs o wordpress logs? o mod_security plugin for apache o apparmor? o chroot o tripwire o snort 14-21