On 5 Aug 2011, at 05:33, Zaki Akhmad wrote:
> On Thu, Aug 4, 2011 at 8:34 PM, Marcelo Mandolesi <rolldabass@xxxxxxxxx> wrote:
>
>> Can you elaborate on this particular CTF? Perhaps provide us a link to it?
>
> Well, it's OWASP AppSecUSA 2011 CTF #1[1] and the .pcap file is
> here[2]. Although they had provided the answer[3] I still couldn't
> understand how to identify the exploit.
The whole idea behind a "Capture The Flag" is that the flag is sort of hidden and that it takes skill to find it. I'm no web security expert, so I am also not able to recognize the exploit (without taking time to delve into it). But some simple steps that get you on the way are:
1) Have a look at which conversations are in the file (two TCP conversations in this case)
2) Do a follow-tcp-stream on all of them and look at the results; this will show you that
- Host .50 is requesting some web content from host .5
- Host .50 is using port 4444 on host .5, which seems to offer a form of cmd shell in which a file is being retrieved
3) Going back to the web content being retrieved, you can see there is a script being run and that the program code of the script is obscured in some way.
So... things to look at are:
1) Is port 4444 a known port of some exploit?
2) Can you "decrypt" the JavaScript code, and does that point you in the right direction?
3) etc.
Hope this helps,
Cheers,
Sake
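Steps 1) and the port-4444 question above, as an added example that is not code from the thread or from Wireshark: a small pure-Python walker over a classic pcap that lists TCP conversations direction-independently (the way Wireshark's Conversations window does) and annotates endpoints on notable ports. The capture bytes, the IP addresses and the description attached to port 4444 are all constructed for the example; the CTF pcap itself is not included.

```python
import struct
from collections import defaultdict

# Ports worth a second look when they appear in a capture. Port 4444 is the one the
# thread asks about; describing it as a common default listener port is this example's
# assumption, not something taken from the CTF.
NOTABLE_PORTS = {4444: "common default port for bind/reverse shell listeners"}

def tcp_conversations(pcap_bytes):
    """Enumerate TCP conversations in a classic (non-pcapng) Ethernet pcap.
    Returns {((ip, port), (ip, port)): {"packets": n, "notes": [...]}}."""
    e = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # record-header byte order
    convs = defaultdict(lambda: {"packets": 0, "notes": []})
    off = 24                                                    # skip the global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(e + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # IPv4 over Ethernet only
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:                                          # IP protocol 6 = TCP
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        key = tuple(sorted([(src, sport), (dst, dport)]))      # same key for both directions
        convs[key]["packets"] += 1
    for (a, b), info in convs.items():
        info["notes"] = [f"port {p}: {NOTABLE_PORTS[p]}" for p in (a[1], b[1]) if p in NOTABLE_PORTS]
    return dict(convs)

# Constructed sample capture (not the CTF pcap): two conversations mirroring the thread,
# host .50 fetching web content from .5, and host .50 talking to port 4444 on .5.
def _frame(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp               # checksums left zero
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame("192.168.1.50", "192.168.1.5", 51234, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    _frame("192.168.1.5", "192.168.1.50", 80, 51234, b"HTTP/1.1 200 OK\r\n\r\n"),
    _frame("192.168.1.50", "192.168.1.5", 51240, 4444, b"get flag.txt\n"),
    _frame("192.168.1.5", "192.168.1.50", 4444, 51240, b"flag contents\n"),
])

if __name__ == "__main__":
    for (a, b), info in tcp_conversations(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={info['packets']}  {info['notes']}")
```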