API tools faq
paste
Advertisement
joemccray

CTF Prep Class

joemccray
May 23rd, 2015
2,293
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 22.38 KB | None | 0 0
raw download clone embed print report
  1. Here are the slides for the CTF Prep:
  2. https://s3.amazonaws.com/StrategicSec-Files/Preparing-For-The-Strategic-Security-CTF.pptx
  3.  
  4.  
  5. Here are the videos from the previous year's CTF Prep classes:
  6. https://s3.amazonaws.com/StrategicSec-Videos/2013-12-02+19.03+Get+ready+for+the+Capture+The+Flag+Competition.wmv
  7. https://s3.amazonaws.com/StrategicSec-Videos/2013-12-04+19.02+Get+ready+for+the+Capture+The+Flag+Competition.wmv
  8.  
  9. Here is the video of the current class (23 May 2015)
  10. https://s3.amazonaws.com/StrategicSec-Videos/_2015_5_23_rec-lw-us-7_248809_recording.mp4
  11.  
  12.  
  13.  
  14. #######################
  15. # Encoding Challenges #
  16. #######################
  17. 1) - 0100100101110100001000000110100101110011001000000110100101101101011100000110111101110010011101000110000101101110011101000010000001110100011011110010000001101110011011110111010001100101001000000111010001101000011000010111010000100000011100110111010101100100011001000110010101101110011011000111100100101100001000000110000101101110011001000010000001100001011001110110000101101001011011100111001101110100001000000110000101101100011011000010000001110000011100100110111101100010011000010110001001101001011011000110100101110100011110010010110000100000011000010010000001110011011100000110010101110010011011010010000001110111011010000110000101101100011001010010000001101000011000010110010000100000011000100110010101100101011011100010000001100011011000010110110001101100011001010110010000100000011010010110111001110100011011110010000001100101011110000110100101110011011101000110010101101110011000110110010100101100001000000111001101100101011101100110010101110010011000010110110000100000011011010110100101101100011001010111001100100000011000010110001001101111011101100110010100100000011101000110100001100101001000000111001101110101011100100110011001100001011000110110010100100000011011110110011000100000011000010110111000100000011000010110110001101001011001010110111000100000011100000110110001100001011011100110010101110100001011100010000001000001011011100110010000100000011100110110100101101110011000110110010100100000011101000110100001101001011100110010000001101001011100110010000001101110011011110111010000100000011000010010000001101110011000010111010001110101011100100110000101101100011011000111100100100000011101000110010101101110011000010110001001101100011001010010000001110000011011110111001101101001011101000110100101101111011011100010000001100110011011110111001000100000011000010010000001110111011010000110000101101100011001010010110000100000011101000110100001101001011100110010000001101001011011100110111001101111011000110110010101101110011101000010000001100011011100100110010101100001011101000111010101110010011001010010000001101000011000010110010000100000011101100110010101110010011110010010000001101100011010010111010001110100011011000110010100100000011101000110100101101101011001010010000001110100011011110010000001100011011011110110110101100101001000000111010001101111001000000111010001100101011100100110110101110011001000000111011101101001011101000110100000100000011010010111010001110011001000000110100101100100011001010110111001110100011010010111010001111001001011100010000001010100011010000110100101110011001000000110100101110011001000000111011101101000011000010111010000100000011010010111010000100000011101000110100001101111011101010110011101101000011101000010110000100000011000010111001100100000011010010111010000100000011001100110010101101100011011000011101000100000010101000110100001100101001000000101011101101000011000010110110001100101001110100010000001000001011010000110100001101000001000010010000001010111011011110110111101101111011010000010000100100000010101110110100001100001011101000010011101110011001000000110100001100001011100000111000001100101011011100110100101101110011001110011111100100000010101110110100001101111001000000110000101101101001000000100100100111111001000000101011101101000011110010010000001100001011011010010000001001001001000000110100001100101011100100110010100111111001000000101011101101000011000010111010000100111011100110010000001101101011110010010000001110000011101010111001001110000011011110111001101100101001000000110100101101110001000000110110001101001011001100110010100111111001000000101011101101000011000010111010000100000011001000110111100100000010010010010000001101101011001010110000101101110001000000110001001111001001000000111011101101000011011110010000001100001011011010010000001001001001111110010000001001111011010110110000101111001001000000110111101101011011000010111100100101100001000000110001101100001011011000110110100100000011001000110111101110111011011100010000001100011011000010110110001101101001000000110010001101111011101110110111000100000011001110110010101110100001000000110000100100000011001110111001001101001011100000010000001101110011011110111011100101110001000000100111101101111011010000010110000100000011101000110100001101001011100110010000001101001011100110010000001100001011011100010000001101001011011100111010001100101011100100110010101110011011101000110100101101110011001110010000001110011011001010110111001110011011000010111010001101001011011110110111000101110001000000101011101101000011000010111010000100000011010010111001100100000011010010111010000111111001000000100100101110100011100110010000001100001001000000111001101101111011100100111010000100000011011110110011000100000011101000110100101101110011001110110110001101001011011100110011100100000011010010110111000100000011011010111100100101110001011100010111000100000011101110110010101101100011011000010000001001001001000000111001101110101011100000111000001101111011100110110010100100000010010010010000001100010011001010111010001110100011001010111001000100000011100110111010001100001011100100111010000100000011001100110100101101110011001000110100101101110011001110010000001101110011000010110110101100101011100110010000001100110011011110111001000100000011101000110100001101001011011100110011101110011001011100010000001001100011001010111010001110011001000000110001101100001011011000110110000100000011010010111010000100000011000010010111000101110001011100010000001110100011000010110100101101100001000010010000001011001011001010110000101101000001000010010000001010100011000010110100101101100001000010010000001000001011011100110010000100000011010000110010101111001001011000010000001110111011010000110000101110100001001110111001100100000011101000110100001101001011100110010000001110010011011110110000101110010011010010110111001100111001000000111001101101111011101010110111001100100001011000010000001110111011010000110111101101111011100110110100001101001011011100110011100100000011100000110000101110011011101000010000001110111011010000110000101110100001000000100100100100111011011010010000001110011011101010110010001100100011001010110111001101100011110010010000001100111011011110110111001101110011000010010000001100011011000010110110001101100001000000110110101111001001000000110100001100101011000010110010000111111001000000101011101101001011011100110010000100001001000000100100101110011001000000111010001101000011000010111010000100000011000010010000001100111011011110110111101100100001000000110111001100001011011010110010100111111001000000100100101110100001001110110110001101100001000000110010001101111001011100010000001011001011001010110000101101000001011000010000001110100011010000110100101110011001000000110100101110011001000000111001001100101011000010110110001101100011110010010000001100101011110000110001101101001011101000110100101101110011001110010111000100000010010010010011101101101001000000110010001101001011110100111101001111001001000000111011101101001011101000110100000100000011000010110111001110100011010010110001101101001011100000110000101110100011010010110111101101110001000010010000001001111011100100010000001101001011100110010000001101001011101000010000001110100011010000110010100100000011101110110100101101110011001000011111100100000010101000110100001100101011100100110010100100111011100110010000001100001011011100010000001100001011101110110011001110101011011000010000001101100011011110111010000100000011011110110011000100000011101000110100001100001011101000010000001101110011011110111011100100000011010010111001101101110001001110111010000100000011010010111010000111111001000000100000101101110011001000010000001110111011010000110000101110100001001110111001100100000011101000110100001101001011100110010000001110100011010000110100101101110011001110010000001100011011011110110110101101001011011100110011100100000011101000110111101110111011000010111001001100100001000000110110101100101001000000111011001100101011100100111100100100000011001100110000101110011011101000011111100100000010100110110111100100000011000100110100101100111001000000110000101101110011001000010000001100110011011000110000101110100001000000110000101101110011001000010000001110010011011110111010101101110011001000010110000100000011010010111010000100000011011100110010101100101011001000111001100100000011000010010000001100010011010010110011100100000011101110110100101100100011001010010000001110011011011110111010101101110011001000110100101101110011001110010000001101110011000010110110101100101001000000110110001101001011010110110010100100000001001110100111101110111001001110010110000100000001001110100111101110111011011100110011101100101001001110010110000100000001001110101001001101111011101010110111001100100001001110010110000100000001001110100011101110010011011110111010101101110011001000010011100100001001000000101010001101000011000010111010000100111011100110010000001101001011101000010000100100000010001110111001001101111011101010110111001100100001000010010000001001000011000010010000100100000010010010010000001110111011011110110111001100100011001010111001000100000011010010110011000100000011010010111010000100111011011000110110000100000011000100110010100100000011001100111001001101001011001010110111001100100011100110010000001110111011010010111010001101000001000000110110101100101001111110010000001001000011001010110110001101100011011110010110000100000010001110111001001101111011101010110111001100100001000010010000001011011010000110111010101110100011100110010000001110100011011110010000001100001001000000110010001101001011100110111010001100001011011100111010000100000011101100110100101100101011101110010000001100001011100110010000001110100011010000110010100100000011101110110100001100001011011000110010100100000011010000110100101110100011100110010000001110100011010000110010100100000011001110111001001101111011101010110111001100100001000000110000101101110011001000010000001110011011100000110010101110111011100110010000001110101011100000010000001100001001000000110110001100001011100100110011101100101001000000110110101110101011100110110100001110010011011110110111101101101001000000110001101101100011011110111010101100100001000000110111101100110001000000111001101101110011011110111011101011101001000000101010001101000011001010010000001000010011011110110111101101011001110100010000001000011011101010111001001101001011011110111010101110011011011000111100100101100001000000111010001101000011001010010000001101111011011100110110001111001001000000111010001101000011010010110111001100111001000000111010001101000011000010111010000100000011101110110010101101110011101000010000001110100011010000111001001101111011101010110011101101000001000000111010001101000011001010010000001101101011010010110111001100100001000000110111101100110001000000111010001101000011001010010000001100010011011110111011101101100001000000110111101100110001000000111000001100101011101000111010101101110011010010110000101110011001011000010000001100001011100110010000001101001011101000010000001100110011001010110110001101100001011000010000001110111011000010111001100101100001000000010001001001111011010000010000001101110011011110010110000100000011011100110111101110100001000000110000101100111011000010110100101101110001000010010001000100000010011010110000101101110011110010010000001110000011001010110111101110000011011000110010100100000011010000110000101110110011001010010000001110011011100000110010101100011011101010110110001100001011101000110010101100100001000000111010001101000011000010111010000100000011010010110011000100000011101110110010100100000011010110110111001100101011101110010000001100101011110000110000101100011011101000110110001111001001000000010101001110111011010000111100100101010001000000111010001101000011001010010000001100010011011110111011101101100001000000110111101100110001000000111000001100101011101000111010101101110011010010110000101110011001000000110100001100001011001000010000001110100011010000110111101110101011001110110100001110100001000000111010001101000011000010111010000100000011101110110010100100000011101110110111101110101011011000110010000100000011010110110111001101111011101110010000001100001001000000110110001101111011101000010000001101101011011110111001001100101001000000110000101100010011011110111010101110100001000000111010001101000011001010010000001101110011000010111010001110101011100100110010100100000011011110110011000100000011101000110100001100101001000000111010101101110011010010111011001100101011100100111001101100101001000000111010001101000011000010110111000100000011101110110010100100000011001000110111100100000011011100110111101110111001011100010000
  18.  
  19. 02) - 010101000110100001100101001000000110000101101110011100110111011101100101011100100010000001101001011100110010000001101111011101010111010000100000011101000110100001100101011100100110010100101100001000000100111001100101011011110010110000100000011000010110111001100100001000000110100101110100001001110111001100100000011011000110111101101111011010110110100101101110011001110010000001100110011011110111001000100000011110010110111101110101001011000010000001100001011011100110010000100000011010010111010000100000011101110110100101101100011011000010000001100110011010010110111001100100001000000111100101101111011101010010000001101001011001100010000001111001011011110111010100100000011101110110000101101110011101000010000001101001011101000010000001110100011011110010111
  20.  
  21. 0
  22.  
  23. 3) - 01010011011100000110000101101110011001000110010101111000001110100010000001101001011101000010011101110011001000000110000100100000011100000111001001101001011101100110100101101100011001010110011101100101001011000010000001101110011011110111010000100000011000010010000001110010011010010110011101101000011101000010111
  24.  
  25. 0
  26.  
  27. 4) - 0101011101101000011000010111010000100000011010010111001100100000011101000110100001100101001000000111000001110010011010010110110101100001011100100111100100100000011001110110111101100001011011000011111100100000010010100110111101110011011010000111010101100001001110100010000001010100011011110010000001110111011010010110111000100000011101000110100001100101001000000110011101100001011011010110010100101110000011010000101
  28.  
  29. 0
  30.  
  31. 5) - 010101110100100001000001010101000011111100100000010110010110111101110101001000000111011101100101011011100111010000100000011011110111011001100101011100100010000001101101011110010010000001101000011001010110110001101101011001010111010000111111
  32.  
  33.  
  34.  
  35. 6) - 010101010110111001100110011011110111001001110100011101010110111001100001011101000110010101101100011110010010110000100000011011100110111100100000011011110110111001100101001000000110001101100001011011100010000001100010011001010010000001110100011011110110110001100100001000000111011101101000011000010111010000100000011101000110100001100101001000000100110101100001011101000111001001101001011110000010000001101001011100110010111000100000010110010110111101110101001000000110100001100001011101100110010100100000011101000110111100100000011100110110010101100101001000000110100101110100001000000110011001101111011100100010000001111001011011110111010101110010011100110110010101101100011001100010111
  36.  
  37. 0
  38.  
  39. 7) - 0101001001100101011011010110010101101101011000100110010101110010001011000010000001101000011000010110001101101011011010010110111001100111001000000110100101110011001000000110110101101111011100100110010100100000011101000110100001100001011011100010000001101010011101010111001101110100001000000110000100100000011000110111001001101001011011010110010100101110001000000100100101110100001001110111001100100000011000010010000001110011011101010111001001110110011010010111011001100001011011000010000001110100011100100110000101101001011101000010111
  40.  
  41. 0
  42.  
  43. 8) - 01001001001000000110110101110101011100110111010000100000011011100110111101110100001000000110011001100101011000010111001000101110001000000010111100100000010001100110010101100001011100100010000001101001011100110010000001110100011010000110010100100000011011010110100101101110011001000010110101101011011010010110110001101100011001010111001000101110001000000010111100100000010001100110010101100001011100100010000001101001011100110010000001110100011010000110010100100000011011000110100101110100011101000110110001100101001011010110010001100101011000010111010001101000001000000111010001101000011000010111010000100000011000100111001001101001011011100110011101110011001000000111010001101111011101000110000101101100001000000110111101100010011011000110100101110100011001010111001001100001011101000110100101101111011011100010111000100000001011110010000001001001001000000111011101101001011011000110110000100000011001100110000101100011011001010010000001101101011110010010000001100110011001010110000101110010001011100010000000101111001000000100100100100000011101110110100101101100011011000010000001110000011001010111001001101101011010010111010000100000011010010111010000100000011101000110111100100000011100000110000101110011011100110010000001101111011101100110010101110010001000000110110101100101001000000110000101101110011001000010000001110100011010000111001001101111011101010110011101101000001000000110110101100101001011100010000000101111001000000100000101101110011001000010000001110111011010000110010101101110001000000110100101110100001000000110100001100001011100110010000001100111011011110110111001100101001000000111000001100001011100110111010000100000010010010010000001110111011010010110110001101100001000000111010001110101011100100110111000100000011101000110100001100101001000000110100101101110011011100110010101110010001000000110010101111001011001010010000001110100011011110010000001110011011001010110010100100000011010010111010001110011001000000111000001100001011101000110100000101110001000000010111100100000010101110110100001100101011100100110010100100000011101000110100001100101001000000110011001100101011000010111001000100000011010000110000101110011001000000110011101101111011011100110010100100000011101000110100001100101011100100110010100100000011101110110100101101100011011000010000001100010011001010010000001101110011011110111010001101000011010010110111001100111001011100010000000101111001000000100111101101110011011000111100100100000010010010010000001110111011010010110110001101100001000000111001001100101011011010110000101101001011011100010111
  44.  
  45. 0
  46.  
  47. 9) - 0100100001100101011110010010110000100000010010010010000001100100011011110110111000100111011101000010000001100010011001010110110001101001011001010111011001100101001000000111010001101000011000010111010000100000011000010110111001111001001000000111001101111001011100110111010001100101011011010010000001101001011100110010000001110100011011110111010001100001011011000110110001111001001000000111001101100101011000110111010101110010011001010010111000100000
  48.  
  49.  
  50.  
  51. 10) - 0101010001101000011100100110111101110101011001110110100001101111011101010111010000100000011010000111010101101101011000010110111000100000011010000110100101110011011101000110111101110010011110010010110000100000011101110110010100100000011010000110000101110110011001010010000001100010011001010110010101101110001000000110010001100101011100000110010101101110011001000110010101101110011101000010000001101111011011100010000001101101011000010110001101101000011010010110111001100101011100110010000001110100011011110010000001110011011101010111001001110110011010010111011001100101001011100010000001000110011000010111010001100101001011000010000001101001011101000010000001110011011001010110010101101101011100110010110000100000011010010111001100100000011011100110111101110100001000000111011101101001011101000110100001101111011101010111010000100000011000010010000001110011011001010110111001110011011001010010000001101111011001100010000001101001011100100110111101101110011110010010111000100000
  52.  
  53.  
  54.  
  55.  
  56. ##############################################
  57. # Here is a VM that I used in a previous CTF #
  58. ##############################################
  59. https://s3.amazonaws.com/StrategicSec-VMs/CTF-VM1.zip
  60.  
  61.  
  62.  
  63.  
  64. ######################
  65. # Simple Exploit Dev #
  66. ######################
  67.  
  68. Download the following file to the Desktop:
  69. https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
  70.  
  71. - Extract this zip file to your Desktop
  72.  
  73. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  74.  
  75. - Open a new command prompt and type:
  76. nc localhost 9999
  77.  
  78. - In the new command prompt window where you ran nc type:
  79. HELP
  80.  
  81. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  82. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  83.  
  84. - Now double-click on 1-simplefuzzer.py
  85. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  86.  
  87.  
  88. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  89.  
  90. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  91.  
  92. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  93.  
  94. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  95.  
  96. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  97.  
  98. - Calculate the distance to EIP by running script 3-3000chars.py
  99. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  100.  
  101. 4-count-chars-to-EIP.py
  102. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  103. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  104.  
  105. 5-2006char-eip-check.py
  106. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  107.  
  108. 6-jmp-esp.py
  109. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  110.  
  111. 7-first-exploit
  112. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  113.  
  114. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  115.  
  116.  
  117. ------------------------------
  118.  
  119. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  120.  
  121. vi vulnserv.rb
  122.  
  123.  
  124.  
  125. cd ~/toolz/metasploit
  126.  
  127. ./msfconsole
  128.  
  129.  
  130.  
  131. use exploit/windows/misc/vulnserv
  132. set PAYLOAD windows/meterpreter/bind_tcp
  133. set RHOST 192.168.153.133
  134. set RPORT 9999
  135. exploit
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!