CSAW CTF Finals 2018 – Wic Wac Woe 1 writeup

Introduction

I had the opportunity to compete in the CSAW CTF Finals 2018 for a second year in a row, with the UMBC Cyber Dawgs. It was a lot of fun, despite our somewhat lackluster finish in 10th place. I learned a lot. For instance, in this challenge, I learned how to exploit a Use-After-Free vulnerability (in WebAssembly no doubt!).

Challenge

WASM is the future of the web! JS devs will be writing c++, what could go wrong?

This debugger might help kinda shrug emoji

Written by itszn, Ret2 Systems

http://pwn.chal.csaw.io:1000

HINT: You can get source via /test.wasm.map and /test.cpp


CSAW CTF Finals 2017 – KWS 1 Writeup

Introduction

I recently had the opportunity to compete in the CSAW CTF Finals with the UMBC Cyber Dawgs. It was an amazing competition; the organizers were awesome and did a great job. We placed 7th in North America, by the way :)

If you’ve never heard of CSAW before, it’s a huge student-run security conference/competition. We played in the CTF, or capture-the-flag competition. I would consider it one of the best undergraduate-level CTF competitions. CSAW CTF is a jeopardy-style competition in which you have a board of challenges, and you get points for solving them. You solve the challenge by hacking at it until it gives you a flag of the form flag{th1s_i5_a_f1@g}, which you enter into the scoreboard to receive points. The team with the most points wins.

I’ll be publishing a couple writeups about how we solved some of the challenges; this is the first one.

Challenge

We developed a much better alternative to AWS. Our high-performance kernel
driver gives us unparalleled speed of execution. And we're super-secure!

http://web.chal.csaw.io:6001/

NOTE: Login with your CTFd credentials.

NOTE: This might take a minute to start up the first time you login. Please be
patient!

NOTE: There may be ways to poke at other teams' boxes. Don't do that, it is not
part of the challenge.

NOTE: If you have issues with your instance, try logging out of the KWS
interface, and logging back in.

NOTE: Sorry for all of the notes :P

Author: itszn, Ret2 Systems

Solution

We begin by visiting the provided URL and we’re greeted with a dashboard. We have 1 KWS "instance" (lol), and we have the ability to store new JSON objects by name. So we have a key-value store of some sort.

We do some inspection of traffic (I use the Firefox DevTools), and we can see some requests to the API, and we see some requests to http://some.ip.ip.ip/action. We notice they are all POST requests, and they have a JSON payload of the form


Why I generated a GPG Key

So if you’re here, you’re probably one of three types of people. Most likely is that I sent you here because you were wondering why the heck I mentioned this on social media. It’s also possible that you actually care about why I generated a GPG key. I happen to like my explanation, and I hope you do too :) Additionally, in the unlikely case that you just want my key, you can find it at the bottom of the post.

As a result, before I actually answer the question in the title, I should probably answer something else first: What the heck is a GPG key?

What’s a GPG key?

GPG stands for GNU Privacy Guard… and there’s a ton of history that I won’t spend the space to explain. It’s an encryption program. A GPG key has two parts: a public key and a private (or secret) key. You spread the public key as far as you want (I’ve published mine below), and you keep the private key secret.

Then, people can use your key and they can send you messages only you can read. (You also can create a message and prove you wrote it, with a process called signing.)

Why I have one

Ok, that’s great, I guess. Now why do you need one again?

Well, that’s an interesting question. I’ve got a few reasons.

First, by analogy, encryption, for nerds, is a bit like guns for um… people that like guns. You can use it to make your life better (such as allowing you to keep criminals from reading your taxes), just like you can use a gun as a tool (to hunt deer, or some other game). You can also just have it, for the simple reason that you’re a free man and you can. Do I actually think I need to be able to encrypt my emails such that no other soul on the earth can read them? Well, no, but does anyone really need (insert your favorite slightly controversial weapon)? Maybe not (I don’t know what you picked, and that’s not what this article’s about anyway), but people have it/them because they can. Finally, in the unlikely scenario that the world as we know it falls apart, secure communication may come in handy. Well… Personally, I’d take the gun in that situation… but that’s not the point.

Practically speaking, I can now securely store sensitive documents so that only I can read them. Also, if by some freak accident, I end up writing a piece of software that becomes popular, I can sign the source code so people know it’s from me. And also, if I needed to talk to someone about my bank account number or something, and they had a GPG key, we could communicate securely.

About my key

I generated my key on my laptop, and I’ve uploaded it to a few different places. Its “fingerprint”, a short set of numbers that uniquely identifies it, is 8BCF 4423 CBAF 7F6C 60E3 BBA0 3238 40E9 FC31 AFAA. You can use it to verify that the key you have is really mine, and not fake.

I’ve uploaded it to some GPG keyservers, and to Keybase here: https://keybase.io/chainsaw10/

Keybase

So you might have seen a social media post about “verifying myself” or something like that. That has to do with Keybase (link above ^^^).

Keybase is a company that’s trying to make cryptography possible for less extremely technical people. They’ve done a decent job, and it’s pretty cool. The only negative comment I have at the moment is that you should NEVER under ANY circumstances upload your private key somewhere you don’t control, even in encrypted form. They offer a feature that allows just that, so I’d recommend against using it. Otherwise, it’s cool to see someone trying to make cryptography a bit more friendly. Hopefully they can succeed in a way that doesn’t force them to ruin their service (through really ugly ads or something) in the process.

So Keybase’s idea is that you prove that you control various online accounts, and if people know you there, they can personally verify those proofs and have some level of assurance that your keys belong to you. It’s an interesting concept; I’m interested to see how it works out.

More-Technical Details

(Most of the following information will probably only be relevant to people that know what to do with it.)

GPG key fingerprint: 8BCF 4423 CBAF 7F6C 60E3 BBA0 3238 40E9 FC31 AFAA

Download link: https://zackorndorff.com/downloads/zack.public.gpg-key (Or get it from your favorite keyserver)

It’s 4096 bit RSA, with two subkeys so the main key can be kept nominally offline, as explained here.

My March Madness Bracket 2016

So I wrote a blog post about my process of creating my March Madness bracket last year, so I figure this year I’ll revisit it and explain what I changed. (Note: I know this post is actually after March Madness started… but I’ve been busy. I did actually create the bracket before the games began.)

I used Coder’s Bracket again for a couple reasons. First, it was pretty cool last year, and I wanted to try it again. The second was that I was really busy all week at Big Break with Cru, and I didn’t have much extra time to fill out a bracket, so just slightly modifying last year’s algorithm was really easy.

If you haven’t read my post from last year, you should probably go back and read it first for context.

I stuck with forcing seeds better than 5 in the first round and better than 2 in the second round to win. I did this to make sure my bracket doesn’t end up too crazy. Next year, I should try to remove that and see how I do.

What I changed, however, was making that check actually work :). Last year, I used the >= operator for the condition, checking if the seed was greater than or equal to 5 and 2, which had the opposite effect from what I intended. This year, I’m using the <= operator, which actually does what I want.

I’ve also changed my scoring algorithm to remove winning percentage from the calculation. I’m already using RPI, so it seemed a tad redundant.

Additionally, I messed with the weights, because I felt like it. This isn’t a totally scientific process, contrary to what my comment might indicate :)

And that’s pretty much all there is to it! You can view my completed bracket on the Coder’s Bracket site here.

Here’s the code:


MACA Valedictorian Speech 2015

Recently I had the privilege of speaking as valedictorian at my graduation from Mount Airy Christian Academy. I had so many people ask me for a copy of it, that I decided to post it here. I hope this helps someone. (If you are from MACA, please email/message/whatever me if you want a copy of the video. I’m not publishing the link publicly here.)


My March Madness Bracket 2015

I’m just okay at picking basketball brackets. I usually finish somewhere in the upper third of the pack, IIRC.

However, it’s interesting to enter a bracket and watch the results come in (I almost never watch the games), so I usually make a bracket.

This year, I decided to use Coder’s Bracket to create my bracket.

If you haven’t already seen Coder’s Bracket, you should take a look. Basically, you algorithmically generate your bracket using JavaScript. However, setting that up manually is a lot of work. Fortunately, Coder’s Bracket has already done that for you. You provide a function taking three object parameters (game, team1, team2) that will call team1.winsGame() or team2.winsGame() depending on what you determine. You start with a simple seed-rules algorithm and work from there.

My algorithm runs basically like this:

  1. If it’s round 1 and the seed is greater than 5, it wins.
  2. If it’s round 2 and the seed is greater than 2, it wins.
  3. Otherwise, compute my extremely not scientific score for each team and the higher score wins.

My scoring algorithm takes into account strength of schedule (RPI), Field Goal %, Free Throw %, 3’s %, and Missed 3’s. I weight the values to make my bracket interesting (probably at the cost of correctness…).

There are probably a million and a half (exactly) problems with this algorithm, but it was fun to create.

You can see my bracket on Coder’s Bracket’s website.

I’ve included my algorithm below.


Disposable Email Addresses with Postfix

As I thought about setting up my website and email, I wanted to have a way to give out disposable email addresses. That way, I can give Widget Co an email address unique to them, and I can know if they sell my email because I will get emails from Sprockets Inc. at my address for Widget Co. In that case, I can trash all email sent to that address, eliminating that spam.

A Possible, but not Ideal Option

I know of a couple people who use the following system: they set up a catch-all email for their domain, and point it at their main inbox. Then, they give name@domain.com to people they want to communicate with, and they give business_name@domain.com to businesses they need to communicate with. In my example, they would give widget@domain.com to Widget Co.

However, there are a couple problems with this system.

  1. Spam. They receive all the spam that is sent to any address at their domain. Granted, they could use spam filtering to solve this, but wouldn’t it be better if it just bounced?
  2. Plausible deniability for the company. It is conceivably possible that a spammer could have made up that address from a dictionary, or someone could have done so deliberately. I would prefer to have a stronger reason to claim that a company sold my email.

A Better Option

Another option would be to set up an alias pointing to the main email for every company you want to communicate with. This has the advantage of dramatically reducing the spam problem, and depending on how creative you get with the addresses you give out, it could potentially address #2 above as well.
However, this option has a flaw that caused me to write it off: you have to manually create an alias for every address you want to give out. The huge advantage of the first option is that you don’t have to pre-plan or keep a list of the addresses you give out.

My “Ideal” Option

As I thought about it (this is before I even had a domain name, so it was purely theoretical), I came up with the idea that maybe I could combine the company name with some sort of hash of the name and a constant secret, so that the disposable email would only be delivered to my inbox if the hash matched its expected value.
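A sketch of that idea, added here as an illustration and not taken from the post (the excerpt does not show the author's implementation or any Postfix configuration). It assumes HMAC-SHA256 as the "hash of the name and a constant secret", a name.tag@domain address layout, and a constructed secret and domain; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # assumption: keep the real one out of source control
DOMAIN = "example.com"               # assumption: placeholder domain
TAG_LEN = 8                          # 8 base32 characters = 40 bits of the MAC


def tag_for(name: str, secret: bytes = SECRET) -> str:
    """Truncated HMAC of the lowercased name, base32 so it is case-insensitive."""
    mac = hmac.new(secret, name.lower().encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").lower()[:TAG_LEN]


def make_address(name: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Build the disposable address to hand out to one company."""
    name = name.lower()
    if not re.fullmatch(r"[a-z0-9_-]+", name):
        raise ValueError("name must be non-empty and use only a-z, 0-9, '_' or '-'")
    return f"{name}.{tag_for(name, secret)}@{domain}"


def is_valid(address: str, secret: bytes = SECRET, domain: str = DOMAIN) -> bool:
    """Accept mail only if the tag matches the name; everything else can bounce."""
    local, at, dom = address.lower().rpartition("@")
    if not at or dom != domain:
        return False
    name, dot, tag = local.rpartition(".")
    if not dot or not name:
        return False  # no tag at all, e.g. a dictionary guess like widget@domain
    # Constant-time comparison on bytes, so a non-ASCII tag cannot raise TypeError.
    return hmac.compare_digest(tag.encode("utf-8"), tag_for(name, secret).encode("utf-8"))


if __name__ == "__main__":
    addr = make_address("Widget")
    print(addr, is_valid(addr))
    print("widget@example.com", is_valid("widget@example.com"))
```

No list of issued addresses is needed, which keeps the advantage of the catch-all approach, while an address made up from a dictionary fails the check.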
