Monthly Archives: April 2015

Cyber Security Challenge Belgium 2015 – Solving the One Way challenge

This is the third blog post in the Cyber Security Challenge Belgium 2015 (CSCBE) solutions series. This time, we’re taking on a very technical challenge: One Way.

Data Extraction

The challenge

The following challenge description was given to the students:

We want our employees to be able to send us confidential information which only we can decrypt. Since we don’t believe in PKI (we have our reasons!), we made our own crypto system (homemade is always better, right!). To prevent tampering, we took some precautions: A salt is added to each request and the IV is chosen at random for every connection. Take a look at the given clientFramework.py file for more info on how to use our crypto system.

The accompanying clientFramework.py file contains some helper methods so that the students could focus on the actually encryption logic instead of fighting with python to be able to correctly communicate with the server.

The details

The python file contains some information about the server, from which the following information can be deduced:

  • The Initiation Vector (IV) is chosen at random for every session
  • The IV is updated after every encryption request according to a known algorithm
  • The server encrypts the given plain text as follows: encryption = encrypt(plain text + FLAG, IV)
  • The encryption protocol is AES in CBC mode with blocks of 16 characters
  • The FLAG consists of 8 lowercase ASCII characters
  • The used IV is returned together with the encrypted string

The IV is randomly chosen at the start of the session, but the client can request multiple encryption operations during each session. After each encryption, the IV is updated according to a known function. That means that we can calculate the IV that will be used for the next iteration. This will prove to be very important in what follows.

Encryption 101

Let’s take a look at how the Cipher Block Chaining (CBC) algorithm works, which is what the challenge is using.
The following image shows the working of CBC:
Image taken from Wikipedia
The plaintext is split up into blocks of 16 bytes each and each block is encrypted separately. In order to counter certain attacks which are possible against the Electronic CodeBook algorithm (ECB), each plaintext is first XOR’ed with the ciphertext of the previous block. Because the first block doesn’t have a previous block which it can use to XOR with, an IV is used. The IV should always be random and unpredictable. 
After the plaintext has been encrypted, the IV has served its purpose and it no longer has to be secret. In this challenge, the IV is returned to the client together with the encrypted text.

Finding the flaw

You may have already noticed a small but very important mismatch between how CBC should be implemented, and how the challenge server implements CBC: the IV should always be random and unpredictable. The server’s IV is completely random and unpredictable, but only for the first encryption request. For every subsequent request, the IV can be calculated from the original IV, which creates a serious security flaw.
Take another look at the CBC diagram. By knowing which IV will be used to XOR with the plaintext, we can prevent the IV from having effect. If we XOR the plaintext with the predicted IV before sending it to the server, the server will apply the XOR again which undoes our original XOR:
plaintext \oplus IV \oplus IV = plaintext \oplus (IV \oplus IV) = plaintext \oplus 0 = plaintext.
The second flaw is that the flag is appended to the given plaintext. Since we have full control over the plaintext, we can decide at which position in the plaintext the flag will be, and hence we can control where it will end up in the encrypted string.

Exploiting the flaw

If we have complete control over which plaintext is entered into the first encrypted block, we can get the encrypted value of any given plaintext. This means we can create a rainbow table for every possible plaintext consisting of 16 bytes:
aaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaab
aaaaaaaaaaaaaaac
//…
zzzzzzzzzzzzzzzx
zzzzzzzzzzzzzzzy
zzzzzzzzzzzzzzzz
Remember that we have to XOR the plaintext string with the predicted IV before sending it to the server.
Before encrypting the plaintext, the server appends the flag to our input. If we only send 15 characters to the server, the server will encrypt aaaaaaaaaaaaaaaX where X is the first character of the flag. 
We can now look up the encrypted value of aaaaaaaaaaaaaaaX in our rainbow table. This will match to 
aaaaaaaaaaaaaaas and we now know that the first character of the flag is an ‘s’. 
To get the second character, we need to create a rainbow table based on the aaaaaaaaaaaaaas prefix (which has 14 a’s). When the table is complete, we can ask the server to encrypt “aaaaaaaaaaaaaas”. The encrypted string will contain the second character of the flag in the last position and we can look it up in our rainbow table. The encrypted string will match to aaaaaaaaaaaaaasa, so ‘a’ is the next character of the flag. We can keep doing this for every character:
aaaaaaaaaaaaaaas
aaaaaaaaaaaaaasa
aaaaaaaaaaaaasal
aaaaaaaaaaaasalt
aaaaaaaaaaasaltm
aaaaaaaaaasaltmi
aaaaaaaaasaltmin
aaaaaaaasaltmine
aaaaaaasaltmine0
aaaaaasaltmine00
aaaaasaltmine000
aaaasaltmine0000
aaasaltmine00000
aasaltmine000000
asaltmine0000000
saltmine00000000
After a few iterations, the padding zeros start showing up in the solution. These extra zeros after the flag are just padding that was added by the server in order to have a complete block to encrypt. When we’ve removed all the prefixed a’s, we end up with the flag, which is saltmine.

Padding attack

The attack we used above is a form of padding oracle attack. This attack is possible because of two distinct vulnerabilities in the server algorithm: We can predict the IV, and we can modify the padding in front of the flag. By combining these two flaws, we are able to get the flag, which would have been impossible without either of them.
In November 2014, the POODLE attack was discovered, which uses a padding oracle attack against SSL3.0.

Statistics

Nine of the participating teams were able to solve this challenge. Eight of these teams were able to secure a place in the CSCBE finals. There were a lot of random guesses for the solution of this challenge. Some even came close (“saltflag” or “salted00”) but luckily, only the teams who actually solved the challenge were able to get the points.

Final thoughts

A strong cryptographic algorithm is only effective when it is used correctly. The challenge demonstrated that small flaws can a have disastrous effects. Although cryptography can be very daunting at first, it certainly pays off to invest some time in to understanding how different algorithms work and how they should be used. Even if you don’t fully understand the internal workings of the AES encryption method, you may still be able to find flaws in the way it is used and thereby be able to break the encryption.

Cyber Security Challenge Belgium 2015 – Solving the Data Extraction challenge

This is the second blog post in the Cyber Security Challenge Belgium 2015 (CSCBE) solutions series. This time, we’re taking a look at the Data Extraction challenge.

Data Extraction

The challenge

The following challenge description was given to the students:

We messed up and contacted the wrong forensic department. They say they found data, but we can’t really make anything out of it. Can you?

The students were also given the following image:

The challenge was designed to test the students’ out of the box thinking capabilities, as well as their ability to research a certain subject.

Analyzing the image

Steganography is the art of hiding information inside another file. This can take on many different forms. Images are often used as a container for other kinds of information and the possibilities are endless. Steganography challenges are often part of a CTF and of course, we had to create one too. These challenges are usually one of the more feared challenges, as the number of possible approaches is literally endless.

There are two major categories for hiding information inside an image. Either you modify the internals of the image to add some extra data, or you visually encrypt your information and just add it to the image where everyone can see it. Because the image appears to contain a certain pattern, it is most likely that the second approach was taken.

Four different kind of shapes were used to create the pattern and every shape has its own color. If you’ve payed attention in your high school biology class, you may recognize the shapes. When you learned about the birds and the bees, you should have also learned about deoxyribonucleic acid, which is just a fancy way of saying DNA.

Research

DNA consists of two biopolymer strands coiled around each other, forming the well known double helix:

Image taken from classroom.synonym.com

Each strand consists of many different nucleotides which lock together in a certain way. There are two base pairs: Adenine (A) matches with Thymine (T) and Guanine (G) matches with Cytosine (C).

Image taken from thinglink.com

The colors of the different nucleotides may be different depending on which textbook you use, but the shapes are usually the same. That means we can convert our image into a string of letters consisting of A, T, G and C using a little bit of python:

This is already looking good, but we can’t really see anything that resembles a flag.

Digging a little deeper

 If we do some more research, we can find that different nucleotides are combined into amino acids when they are processed by your cells. Each triplet is combined into one of the amino acids according to the following diagram:

Image taken from commons.wikimedia.org
For example, AAA will be transformed into Lysine (K) and UCA will be transformed into Serine (S). 
We could write a python script that translates these nucleotides into amino acids, but it’s even easier to let the internet do it for us. The Bioinformatics Resource Portal hosts a tool that will do the hard work for us. If we enter our nucleotide string into the tool, we get the following:

This tool also automatically solves the last hurdle of the challenge: If you start combining from the first nucleotide, you only get a bunch of random letters. However, if you start combining from the second nucleotide, you can read “THE PASS IS METAPHYSIC LIGHTYEARS”, which is the solution to this challenge.

Statistics

At the end of the qualifiers, only five teams were able to solve this challenge. Apparently many teams recognized the image as being a DNA sequence and they successfully transformed and combined the nucleotides into amino acids. Only a handful of teams got past the last hurdle of starting with the correct nucleotide. 

Final thoughts

Not a lot of teams managed to solve this challenge. As steganography can be done in a million ways, it’s not always easy to see a path towards the solution. This can discourage teams and have them invest their time in more practical challenges that have a more well defined scope. Choosing which challenges you invest your time in is an important decision in any CTF and apparently most teams did not prefer to invest their time in this one.

Cyber Security Challenge Belgium 2015 – Solving the SFTP challenge

Two weeks ago, we proudly organised the Cyber Security Challenge Belgium 2015 (CSCBE). The CSCBE was a typical Capture-The-Flag (CTF) competition aimed at students from universities and colleges all over Belgium. During the competition, teams of three or four students had to tackle different technical challenges in order to prove their skills. In the following weeks, we will discuss some of the challenges that the students had to solve.

SFTP

The challenge

The following challenge description was given to the students:

“One of our employees uses an SFTP server to store sensitive company files. He ensured us it’s safe. I mean… Why wouldn’t SFTP be safe?”

They were also given a target IP, a target port and some user credentials (Kermit:MissPiggy).

The challenge was designed to test a few very needed skills for every cyber security enthusiast: problem solving, using the right tool for the job, gathering information and thinking critically.

Connecting to the server

A first approach would be to connect directly to the SFTP server:
After executing the command, the terminal remains empty. This is not normal behavior for an SFTP server, which normally asks for a password, as shown below:
At this point, a lot of the students were complaining that the server was down, or that our firewall was blocking their campus networks. Every complaint was taken seriously, but every time we checked the server, it was up and running. Each time, we suggested that the students should try a different approach.
Netcat is like the swiss army knife of network tools. It can do many different things, but most importantly, it gives us complete control over which data is sent and received. Using netcat (command: nc) gives us the following output:
Now we can see that the server is actually up and running and sending us data. The server introduces itself as “+NVISO SFTP server”, which is not what you would expect from a normal SFTP server. On to the next step!

Gathering information

Although SFTP is a widely known and used acronym for the SSH File Transfer Protocol, acronyms can often mean many different things. A great resource for working out acronyms, is Wikipedia:
As we noted, SFTP stands for SSH File Transfer Protocol. However, SFTP also stands for the Simple File Transfer Protocol. This protocol is “an unsecured and rarely used protocol”, which sounds exactly like something we’d be interested in.
The Simple File Transfer Protocol is fully documented in RFC 913. According to the RFC, the server should greet a client with “+MIT-XX SFTP Service”, which is very similar to what our SFTP server sent.

Using the server

The RFC lists the following commands: USER ! ACCT ! PASS ! TYPE ! LIST ! CDIR ! KILL ! NAME ! DONE ! RETR ! STOR. Let’s try some of these commands:
Great! We were able to log in, and there appears to be a “documents” directory. Inside the documents directory, there is a file called flag, as we can see here:

According to the documentation, we should use ‘RETR flag’ followed by ‘SEND’. But first, let’s set the transfer mode to binary, so that we are sure we get a correct file:

If we send the ‘RETR flag’ command now, the server will print the size of the flag. We can then indicate we are ready to receive the flag by sending ‘SEND’ to the server. This can most easily be done through a python script, which will store away the file correctly:

This little script uses the Pwn library, which makes communicating with the server a lot more easy. Running this script will produce a file called ‘flag’ in the current directory. By using the linux ‘file’ command, we can find out what kind of file this is:

Renaming flag to flag.jpg lets us see the image:

If you look closely, in the upper right corner of the image, it says “KermitLovesBacon”, which was the flag needed to solve this challenge.

Statistics

Fourteen teams managed to solve the challenge during the qualifiers. The first team that solved the challenge was HacknamStyle JR. HacknamStyle JR emerged as the victors in the Finals, so this may not come as a surprise. Out of the fourteen teams that managed to solve this challenge, seven earned their spot in the Finals. 

Hurdles

The biggest hurdle to this challenge was actually communicating correctly with the server. Many students immediately decided that SFTP could only stand for SSH File Transfer Protocol. They quickly realized that their favourite SFTP application didn’t work, but only a few of the teams investigated the root cause of this by looking at the actual data that was sent by the server and doing some research.
One of the teams actually opened netcat and tried nearly every possible combination of four letters to see which commands worked and which didn’t. Even though they failed to find the correct protocol documentation, they did manage to get the flag. Using brute-force to solve this challenge is definitely allowed, but they could have probably saved a lot of time by doing some more research first.

Final thoughts

This challenge was definitely a success. Many teams fell into the trap of thinking it was an SSH FTP Server, which was exactly what we were hoping for. The challenge wasn’t meant to be very difficult, so we were glad that quite a number of teams were able to solve it.