CTF Knowledge/Skills
CS342 Computer Security
Friday, October 26, 2012
Department of Computer Science, Wellesley College

Requirements: Things you should know for the CTF

From Wed. Oct. 24 evening MIT meeting:

o Web server must run on port 80
o WordPress must allow registration/login via verified OpenID
o Registration/login process must bring user back to front page
o Widgets/plugins must exist on front page to be graded.
o Network Time Protocol (NTP) service must be enabled.
o Cannot block/filter IP addresses (I think)
o Anything else?

CTF Knowledge/Skills 14-2

Startup

Email from Michael Zhivich (Fri. Oct. 26):

    We're still working out logistics for the contest -up. There will be a
    period when VMs are available for players to install tools/harden/etc
    and graders are not running (so the competition has not officially
    started). Unfortunately, we don't have any technical means to prevent
    various teams from attacking each other during this period.

    Unlike the previous event, all services will be turned off at the
    beginning, so the only exposed service should be SSH; I believe this is
    a reasonably secure configuration.

    We highly recommend that your team comes equipped with either a
    Windows machine or a VM; this will enable them to get "console access"
    to their VM via vSphere, so they'll be able to unplug their machine
    from the network. There is also a Web-based vSphere client available,
    but I haven't tested it out.

Does anyone know what this means?

who : list logged in users

root@ctf-portal:/# who
sysadmin tty1         2012-10-19 14:59
sysadmin pts/1        2012-10-22 03:31 (10.0.2.2)

[cs235@puma ~] who
sysadmin :0           2012-08-22 11:03
sysadmin pts/1        2012-08-22 11:03 (:0.0)
cs304    pts/3        2012-09-20 13:27 (sampras.wellesley.edu)
zjansen  pts/6        2012-10-26 08:24 (149.130.134.100)
cs235    pts/7        2012-10-26 09:07 (pool-96-252-11-240.bstnma.fios.verizon.)
anderson pts/9        2012-10-19 16:22 (sampras.wellesley.edu)
tanner11 pts/10       2012-10-19 16:23 (puma.wellesley.edu)
anderson pts/13       2012-10-02 11:38 (sampras.wellesley.edu)
anderson pts/19       2012-09-19 11:42 (sampras.wellesley.edu)
cs304tes pts/24       2012-10-09 15:10 (sampras.wellesley.edu)
sysadmin pts/11       2012-09-18 10:31 (:0.0)

ps : list processes

root@ctf-portal:/# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Oct19 ?        00:00:00 /sbin/init
root         2     0  0 Oct19 ?        00:00:00 [kthreadd]
root         3     2  0 Oct19 ?        00:00:01 [ksoftirqd/0]
mysql      730     1  0 Oct19 ?        00:01:05 /usr/sbin/mysqld
qmails     742   682  0 Oct19 ?        00:00:00 qmail-send
qmaild     743   683  0 Oct19 ?        00:00:00 tcpserver -v -R -l ctf-portal.ctf.csail.mit.edu -x /etc/qmail
root       744   684  0 Oct19 ?        00:00:00 /var/lib/qmail/bin/qmail-verify
root       798   742  0 Oct19 ?        00:00:00 qmail-lspawn |preline procmail
qmailr     799   742  0 Oct19 ?        00:00:00 qmail-rspawn
qmailq     800   742  0 Oct19 ?        00:00:00 qmail-clean
root       815     1  0 Oct19 tty1     00:00:00 /bin/login --
sysadmin   974   815  0 Oct19 tty1     00:00:00 -bash
root      3314     1  0 Oct21 ?        00:00:05 /usr/sbin/apache2 -k start
www-data  5571  3314  0 06:25 ?        00:00:00 /usr/sbin/apache2 -k start
root      6368  5358  0 23:51 pts/2    00:00:00 ps -ef

kill -9 : kill a process

root@ctf-portal:/# ping google.com > /tmp/pingout &
[1] 6421
root@ctf-portal:/# ps -ef | grep ping
root      6421  6387  0 00:21 pts/2    00:00:00 ping google.com
root      6423  6387  0 00:22 pts/2    00:00:00 grep --color=auto ping
root@ctf-portal:/# kill -9 6421
root@ctf-portal:/# ps -ef | grep ping
root      6425  6387  0 00:22 pts/2    00:00:00 grep --color=auto ping
[1]+  Killed                  ping google.com > /tmp/pingout

Note: killing a parent process does not kill its children. Orphaned children are
reparented to init (PID 1) and keep running. To take down a whole tree, signal its
process group (kill -9 -- -PGID) or its direct children (pkill -P PID). Try plain
kill (SIGTERM) before kill -9: SIGKILL cannot be caught, so the process gets no
chance to clean up.
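The note above is easy to check on a live box. The script below is an added example, not part of the slides: it starts a small process tree, SIGKILLs the parent, reads the child's new parent out of /proc, and then shows the process-group kill that actually takes a tree down. It assumes a Linux /proc and the setsid utility (both present on the Ubuntu 12.04 VMs shown on the slides); the helper names stat_field, children_of, orphan_demo and group_kill_demo are mine.

```shell
#!/bin/sh
# Added example, not from the slides: what `kill -9 PARENT` does to the parent's
# children on Linux, observed directly through /proc (assumes /proc and setsid).

# Field N of /proc/PID/stat, counted after the parenthesised comm field (which may
# contain spaces, hence the sed): 1 = state, 2 = ppid, 3 = pgid.
stat_field() { sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f"$2"; }
ppid_of() { stat_field "$1" 2; }
pgid_of() { stat_field "$1" 3; }

# alive PID: true if the process exists and is not a zombie. `kill -0` alone is not
# enough: a killed-but-unreaped child still answers kill -0.
alive() { st=$(stat_field "$1" 1); [ -n "$st" ] && [ "$st" != "Z" ]; }

# children_of PID: pids whose parent is PID (scans /proc, so no pgrep needed).
children_of() {
    for s in /proc/[0-9]*/stat; do
        p=${s#/proc/}; p=${p%/stat}
        [ "$(ppid_of "$p")" = "$1" ] && printf '%s\n' "$p"
    done
}

# orphan_demo: start a shell with one child, SIGKILL the shell, inspect the child.
# Prints "<yes|no> <old ppid> <new ppid>": yes = the child survived and was
# reparented (to init, PID 1, or to the nearest subreaper in a container).
orphan_demo() {
    sh -c 'sleep 30 & wait' &
    parent=$!
    sleep 1
    child=$(children_of "$parent" | head -n 1)
    kill -9 "$parent"
    wait "$parent" 2>/dev/null || true   # reap it, as an interactive shell would
    sleep 1
    if alive "$child"; then survived=yes; else survived=no; fi
    printf '%s %s %s\n' "$survived" "$parent" "$(ppid_of "$child")"
    kill "$child" 2>/dev/null || true    # clean up the orphan
}

# group_kill_demo: the way to take a whole tree down. setsid puts the shell and
# everything it spawns into a fresh process group; a negative pid signals the
# group. Prints the number of group members still alive afterwards (expect 0).
group_kill_demo() {
    setsid sh -c 'sleep 30 & sleep 30 & wait' &
    leader=$!
    sleep 1
    pgid=$(pgid_of "$leader")
    members=$(children_of "$leader")
    kill -s TERM -- "-$pgid"
    wait "$leader" 2>/dev/null || true
    sleep 1
    n=0
    for p in $leader $members; do alive "$p" && n=$((n + 1)); done
    echo "$n"
}

if [ "${1:-}" = "demo" ]; then
    echo "orphan_demo:     $(orphan_demo)"
    echo "group_kill_demo: $(group_kill_demo)"
fi
```

Run it with `sh <file> demo`: the first line reports `yes` followed by the dead parent's pid and the child's new parent, the second reports `0`. The same trick works in reverse for an attacker's cron-spawned or nohup'd tools: killing the visible parent leaves them running, so look for the process group, not just the pid.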


top : list process resources

top - 04:35:58 up 3 days, 14:19,  2 users,  load average: 0.00, 0.01, 0.05
Tasks:  85 total,   1 running,  83 sleeping,   1 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni, 92.6%id,  7.4%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   1019500k total,   558248k used,   461252k free,    48412k buffers
Swap:  1046524k total,        0k used,  1046524k free,   367040k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
  676 root      20   0   188   28   12 S  0.3  0.0   0:05.38 runsvdir
    1 root      20   0 24308 2212 1344 S  0.0  0.2   0:00.30 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.02 kthreadd
    3 root      20   0     0    0    0 S  0.0  0.0   0:01.46 ksoftirqd/0
    5 root      20   0     0    0    0 S  0.0  0.0   0:00.17 kworker/u:0
    6 root      RT   0     0    0    0 S  0.0  0.0   0:00.00 migration/0
    7 root      RT   0     0    0    0 S  0.0  0.0   0:03.45 watchdog/0
    8 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 cpuset
    9 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 khelper
   10 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kdevtmpfs
   11 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 netns
   12 root      20   0     0    0    0 S  0.0  0.0   0:01.57 sync_supers
   13 root      20   0     0    0    0 S  0.0  0.0   0:00.03 bdi-default
   14 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 kintegrityd
   15 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 kblockd
   16 root       0 -20     0    0    0 S  0.0  0.0   0:00.00 ata_sff
   17 root      20   0     0    0    0 S  0.0  0.0   0:00.07 khubd

htop : fancier top

netstat : list sockets and connections

root@ctf-portal:/# netstat -aln
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:22            10.0.2.2:60040          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:6010                :::*                    LISTEN
udp        0      0 127.0.0.1:11113         0.0.0.0:*

Note: sockets bound to 0.0.0.0 or :: (ports 22, 25, 8888) are reachable from other
hosts; those bound to 127.0.0.1 or ::1 (3306, 6010, 11113) are not. The first
group is your attack surface.

netstat (continued)

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     6657     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     6479     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     8259     /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7021     /var/run/dbus/system_bus_socket
unix  6      [ ]         DGRAM                    7151     /dev/log
unix  2      [ ]         DGRAM                    12763
unix  2      [ ]         DGRAM                    12760
unix  3      [ ]         STREAM     CONNECTED     12151
unix  3      [ ]         STREAM     CONNECTED     12150
unix  2      [ ]         DGRAM                    12141
unix  2      [ ]         DGRAM                    11813
unix  2      [ ]         DGRAM                    11810
unix  2      [ ]         DGRAM                    8509
unix  3      [ ]         STREAM     CONNECTED     7119     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7118
unix  3      [ ]         STREAM     CONNECTED     7094
unix  3      [ ]         STREAM     CONNECTED     7093
unix  3      [ ]         STREAM     CONNECTED     6983     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     6980
unix  3      [ ]         DGRAM                    6698
unix  3      [ ]         DGRAM                    6697
unix  3      [ ]         STREAM     CONNECTED     6642     @/com/ubuntu/upstart
unix  3      [ ]         STREAM     CONNECTED     6637

nmap : open ports

root@ctf-portal:~# nmap localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-23 04:45 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000023s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
3306/tcp open  mysql
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

nmap: example 2

root@ctf-portal:~# nmap -p1-65535 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-23 04:47 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000025s latency).
Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
3306/tcp open  mysql
6010/tcp open  unknown
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

Note: without -p, nmap scans only its 1000 most common ports, which is why 6010
shows up only in the full-range scan. Scanning localhost also reports services
bound to 127.0.0.1 (3306, 6010) that other hosts cannot reach; to see what the
other teams see, scan your VM from another machine.

nmap: example 3

root@ctf-portal:~# nmap -A -T4 localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-23 04:45 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000077s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)
| ssh-hostkey: 1024 95:c7:ff:39:0f:96:fb:c4:67:e2:02:25:7a:31:dc:ca (DSA)
|_2048 83:77:90:d4:d2:e4:10:68:45:25:64:9f:e8:b1:34:26 (RSA)
25/tcp   open  smtp    netqmail smtpd 1.04
| smtp-commands: EHLO ctf-portal.ctf.csail.mit.edu, PIPELINING, 8BITMIME
|_HELP netqmail home page: http://qmail.org/netqmail
3306/tcp open  mysql   MySQL 5.5.24-0ubuntu0.12.04.1
| mysql-info: Protocol: 10
| Version: 5.5.24-0ubuntu0.12.04.1
| Thread ID: 241
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: 'mrw|*X_
8888/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_html-title: 404 Not Found
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=10/23%OT=22%CT=1%CU=40364%PV=N%DS=0%DC=L%G=Y%TM=50865963%P
… lots of details omitted…

Note: -A turns on version detection, OS detection and the default scripts. The
exact OpenSSH, netqmail, MySQL and Apache versions it prints are what an opponent
learns in seconds, so run it against your own VM before they do.

nmap: example 4

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-23 05:08 EDT
Nmap scan report for cs.wellesley.edu (149.130.136.19)
Host is up (0.011s latency).
rDNS record for 149.130.136.19: puma.wellesley.edu
Not shown: 991 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open
2049/tcp open  nfs
3306/tcp open  mysql
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 10.13 seconds
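The netstat and nmap listings above answer two different questions: what is bound on the machine, and what a scanner sees. The script below is an added example, not from the slides: it parses both listings into one "what should I close before the graders arrive" report. The sample inputs are copied from the netstat -aln and nmap -p1-65535 slides and embedded inline; the assumption that only 22/tcp and 80/tcp are meant to be reachable (ALLOWED_PORTS) comes from the requirements slide, not from the tools; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the slides: reconcile what is listening (netstat) with
# what a scanner reports (nmap) against the ports the CTF actually needs.
# Assumption: only ssh and the graded web server should be reachable.
ALLOWED_PORTS=${ALLOWED_PORTS:-"22/tcp 80/tcp"}

# Constructed sample: the Internet-socket part of the `netstat -aln` slide.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:22            10.0.2.2:60040          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:6010                :::*                    LISTEN
udp        0      0 127.0.0.1:11113         0.0.0.0:*'

# Constructed sample: the port table from the `nmap -p1-65535 localhost` slide.
NMAP_SAMPLE='Not shown: 65530 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
3306/tcp open  mysql
6010/tcp open  unknown
8888/tcp open  sun-answerbook'

# listeners: netstat -aln on stdin -> "port/proto scope" for every server socket.
# scope is "loopback" for 127.0.0.1 / ::1 binds (unreachable from other hosts)
# and "external" for wildcard or interface addresses. TCP must be in LISTEN;
# UDP has no state, so any bound UDP socket counts as a server.
listeners() {
    awk '$1 ~ /^(tcp6?|udp6?)$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "loopback" : "external"
        proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
        print port "/" proto, scope
    }'
}

# external_listeners: the subset another host can reach, deduplicated (tcp and
# tcp6 both listen on 22 here; nmap reports that once).
external_listeners() { listeners | awk '$2 == "external" { print $1 }' | sort -u; }

# nmap_open: nmap output on stdin -> "port/proto" for each open port.
nmap_open() { awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }'; }

# unexpected: "port/proto" lines on stdin -> those not in ALLOWED_PORTS.
unexpected() {
    while read -r p; do
        case " $ALLOWED_PORTS " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done
}

# ctf_exposure_report: what to shut down or firewall before the graders arrive.
ctf_exposure_report() {
    echo "== reachable from the network (netstat) but not allowed =="
    printf '%s\n' "$NETSTAT_SAMPLE" | external_listeners | unexpected
    echo "== open according to nmap (run on the VM itself) but not allowed =="
    printf '%s\n' "$NMAP_SAMPLE" | nmap_open | unexpected
}

if [ "${1:-}" = "report" ]; then ctf_exposure_report; fi
```

On a real VM replace the two samples with `netstat -aln` and the nmap output taken from another host. The two lists differ on purpose: netstat flags 25/tcp and 8888/tcp as reachable, while a scan run on the VM itself additionally lists 3306 and 6010, which only a local attacker (or a web shell on the box) could use.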

Linux Firewall

A firewall filters network packets into and out of a machine according to rules.

o Input rules filter packets addressed to the local machine;
o Forward rules filter packets traversing the machine in router mode;
o Output rules filter packets originating from the local machine and being sent to other machines.

Firewall: iptables

Rules can be configured by hand with the iptables command, but it has a reputation for a high learning curve.

The default firewall on your CTF machines is too permissive! It doesn't filter anything:

root@ctf-portal:/# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Firewall: ufw (Uncomplicated Firewall)

Ubuntu provides ufw as an easier-to-use interface to iptables.

Documentation: use man or see the server guide at:
https://help.ubuntu.com/12.04/serverguide/firewall.html

root@ctf-portal:/# sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

root@ctf-portal:/# sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

Note: the default policy denies all incoming traffic. Your current ssh session
survives only while it stays established; new ssh connections and every other
inbound connection, port 80 included, are refused. Add the allow rules first
(ufw allow 22/tcp, ufw allow 80/tcp) and run ufw enable last, or you lock
yourself out of the VM and fail the port-80 check.

Firewall: ufw enable

After ufw enable, iptables -L shows the chains ufw installed:

root@ctf-portal:/# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere
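The ufw slides show the commands; the order matters more than the commands themselves. The script below is an added example, not from the slides or from Ubuntu's documentation: it prints the ufw commands in an order that cannot lock you out, checks that ssh stays allowed and that no rule filters by IP address (the requirements slide says that is not permitted), and only then applies them. The ports 22/tcp and 80/tcp, and the CTF_OPEN_PORTS and CTF_FW_APPLY variables, are my assumptions, taken from the requirements slide rather than from ufw.

```shell
#!/bin/sh
# Added example, not from the slides: the ufw rule set a team would apply before
# the graders start. Assumptions: only ssh (22/tcp) and the graded web server
# (80/tcp) must be reachable; everything else inbound is dropped; outbound stays
# open so ntpd, package updates and WordPress's OpenID verification keep working.
# Rules are port-based only, because the CTF rules forbid filtering by IP address.
CTF_OPEN_PORTS=${CTF_OPEN_PORTS:-"22/tcp 80/tcp"}

# ufw_plan: print the commands in a lock-out-proof order: policy defaults first,
# allow rules second (ssh among them), `enable` last.
ufw_plan() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for p in $CTF_OPEN_PORTS; do
        echo "ufw allow $p"
    done
    echo "ufw logging low"
    echo "ufw --force enable"      # --force skips the "may disrupt ssh" prompt
}

# ufw_check: refuse a plan that has no `allow 22/tcp` ahead of `enable` (you would
# lose the VM once your session drops) or that names an IP address in a rule.
ufw_check() {
    plan=$(ufw_plan)
    printf '%s\n' "$plan" | sed '/enable/,$d' | grep -q '^ufw allow 22/tcp$' || return 1
    printf '%s\n' "$plan" | grep -Eq '(from|to) [0-9]+\.[0-9]+' && return 1
    return 0
}

# ufw_apply: run the plan as root, stopping at the first failing command.
ufw_apply() {
    ufw_check || { echo "refusing to apply: plan would lock out ssh or filters by IP" >&2; return 1; }
    ufw_plan | while read -r cmd; do
        sudo $cmd || exit 1         # exit leaves the pipeline's subshell with status 1
    done
}

if [ "${CTF_FW_APPLY:-0}" = "1" ]; then ufw_apply; fi
```

Saved as, say, ufw-ctf.sh, `sh ufw-ctf.sh` only defines the functions; `ufw_plan` prints the commands for review and `CTF_FW_APPLY=1 sh ufw-ctf.sh` applies them. `ufw limit 22/tcp` would add ssh brute-force rate limiting, but it works by temporarily blocking offending source addresses, which the "cannot block/filter IP addresses" rule may not allow; plain `allow` is the safe reading of that rule.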

Configuration files

o /etc/apache2/apache2.conf
o /etc/apache2/httpd.conf
o /etc/apache2/sites-enabled
o /etc/hosts
o /etc/mysql/my.cnf

Basic networking

o ping
o ifconfig
o curl
o dig

Other things

o starting/stopping services
o apache logs
o wordpress logs?
o mod_security plugin for apache
o apparmor?
o chroot
o tripwire
o snort