initial commit

README.md

@@ -1,2 +1,30 @@
-ctf
-===
+CTF Field Guide
+=====
+
+> “Knowing is not enough; we must apply. Willing is not enough; we must do.” - Johann Wolfgang von Goethe
+
+## Welcome!
+
+We’re glad you’re here. We need more people like you.
+
+If you’re going to make a living in defense, you have to think like the offense.
+
+So, learn to win at Capture The Flag (CTF). These competitions distill major disciplines of professional computer security work into short, objectively measurable exercises. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft.
+
+Whether you want to succeed at CTF, or as a computer security professional, you’ll need to become an expert in at least one of these disciplines. Ideally in all of them.
+
+That’s why we wrote this book.
+
+In these chapters, you’ll find everything you need to win your next CTF competition:
+* Walkthroughs and details on past CTF challenges
+* Guidance to help you design and create your own toolkits
+* Case studies of attacker behavior, both in the real world and in past CTF competitions
+
+To make your lives easier, we’ve supplemented each lesson with the Internet’s best supporting reference materials. These come from some of the best minds in the computer security field.
+
+We’ve tried to structure this so you can learn as quickly as you want, but if you have questions along the way, [contact us](https://github.com/trailofbits/ctf/issues). We’ll direct your question to the most relevant expert. If there’s enough demand, we may even schedule an online lecture.
+
+Now, to work.
+
+-The [Trail of Bits](https://www.trailofbits.com) Team
+

SUMMARY.md

@@ -0,0 +1,18 @@
+# Summary
+
+* [Capture the Flag](ctf.md)
+* [Vulnerability Discovery](vulnerabilities/README.md)
+    * [Auditing Source](vulnerabilities/source.md)
+    * [Auditing Binaries](vulnerabilities/binary.md)
+    * [Auditing Webapps](web/vulnerabilities.md)
+* [Exploit Creation](exploits/README.md)
+    * [Binary Exploits 1](exploits/binary1.md)
+    * [Binary Exploits 2](exploits/binary2.md)
+    * [Webapp Exploits](web/exploits.md)
+* [Forensics](forensics/README.md)
+* [Toolkit Creation](toolkits/README.md)
+    * [Toolkit Prep](toolkits/prep.md)
+* [Operational Tradecraft](tradecraft/README.md)
+    * [Case Studies](tradecraft/case_studies.md)
+* [Contributors](contrib/README.md)
+

book.json

@@ -0,0 +1,7 @@
+{
+	"plugins": ["ga", "-mixpanel", "-mathjax"],
+	"pluginsConfig": {
+		"ga": { "token": "UA-XXXXXXXX-X" },
+		"fontSettings": { "theme": "night" }
+	}
+}

contrib/README.md

@@ -0,0 +1,15 @@
+# Contributors
+This book was built on a lot of hard work, most of which happened elsewhere. Without permission to republish from these folks, this book would still be in development. They have our gratitude and admiration.
+
+So, reader, when you’ve completed a few CTFs, and you’re ready for more, reach out to this list. They like to support ambition, and they just might have an internship open.
+
+* [Andrew Ruef](http://www.mimisbrunnr.net/~munin/blog/) created the initial proposal and slides
+* [Evan Jensen](https://github.com/wontonSlim) developed many of the lessons
+* [Nick Anderson](https://github.com/PoppySeedPlehzr) ran through the lessons and made numerous improvements
+* [Alex Sotirov](http://www.phreedom.org/) delivered the ROP lecture and provided feedback
+* [Jay Little](https://twitter.com/computerality) for reviewing the binary exploitation modules
+* [Brandon Edwards](https://twitter.com/drraid) delivered the source auditing lectures and the newspaper app
+* [Marcin W](https://twitter.com/marcinw) and [Gotham Digital Science](http://www.gdssecurity.com/) delivered the web security lectures
+* [Dino Dai Zovi](http://www.theta44.org/main.html) delivered the introductory exploitation lectures
+
+If you're interested in taking a course like this one for credit, check out [NYU Poly](http://engineering.nyu.edu/academics/departments/computer/). They offer concentrations in cybersecurity and we collaborate with them frequently through their [Hacker in Residence](http://www.isis.poly.edu/hackers-in-residence) program.

ctf.md

@@ -0,0 +1,33 @@
+# Capture the Flag
+
+<script async class="speakerdeck-embed" data-id="c62a87d0b92c0131e4494251e58a135f" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>
+
+## Why CTF?
+Computer security represents a challenge to education due to its interdisciplinary nature. Topics in computer security are drawn from areas ranging from theoretical aspects of computer science to applied aspects of information technology management. This makes it difficult to encapsulate the spirit of what constitutes a computer security professional.
+
+One approximation for this measure has emerged: the ‘capture the flag’ competition. Attack-oriented CTF competitions try to distill the essence of many aspects of professional computer security work into a single short exercise that is objectively measurable. The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft.
+
+A modern computer security professional should be an expert in at least one of these areas and ideally in all of them. Success in CTF competitions demands that participants be an expert in at least one and ideally all of these areas. Therefore, preparing for and competing in CTF represents a way to efficiently merge discrete disciplines in computer science into a focus on computer security.
+
+## Find a CTF
+If you ever wanted to start running, you were probably encouraged to sign up to a 5k to keep focused on a goal. The same principle applies here: pick a CTF in the near future that you want to compete in and come up with a practice schedule. Here are some CTFs that we can recommend:
+
+* [PicoCTF](https://picoctf.com/) and [PlaidCTF](http://www.plaidctf.com/) by CMU
+* [HS CTF](http://hsctf.com/) is made for high school students
+* [Ghost in the Shellcode (GitS)](http://ghostintheshellcode.com/)
+* [CSAW CTF](https://ctf.isis.poly.edu/) by NYU-Poly
+* [UCSB iCTF](http://ictf.cs.ucsb.edu/) is for academics only
+* [Defcon CTF](https://legitbs.net/)
+
+Visit [CTF Time](https://ctftime.org/event/list/upcoming) and the [CapCTF calendar](http://captf.com/calendar/) for a more complete list of CTFs occuring every week of the year.
+
+## How is a Wargame different?
+Wargames are similar to a CTF but are always ongoing. Typically, they are organized into levels that get progressively harder as you solve more of them. Wargames are an excellent way to practice for CTF! Here are some of our favorites
+
+* [Micro Corruption](https://microcorruption.com/login)
+* [SmashTheStack](http://www.smashthestack.org/)
+* [OverTheWire](http://overthewire.org/wargames/)
+* [Exploit Exercises](http://exploit-exercises.com/)
+
+## What about CCDC?
+There are some defense-only competitions that disguise themselves as CTF competitions, mainly the Collegiate Cyber Defense Challenge (CCDC) and its regional variations, and our opinion is that you should avoid them. They are unrealistic exercises in frustration and will teach you little about security or anything else. They are incredibly fun to play as a Red Team though!

exploits/README.md

@@ -0,0 +1,3 @@
+# Exploit Creation
+
+<script async class="speakerdeck-embed" data-id="f9333300b92c0131e4484251e58a135f" data-ratio="1.33333333333333" src="//speakerdeck.com/assets/embed.js"></script>

exploits/binary1.md

@@ -0,0 +1,34 @@
+# Exploiting Binaries 1
+Binary exploitation is the process of subverting a compiled application such that it violates some trust boundary in a way that is advantageous to you, the attacker. In this module we are going to focus on memory corruption. By abusing vulnerabilities that corrupt memory in software we can often rewrite critical application state information in a way that allows us to elevate privileges inside the context of a particular application (like a remote desktop server) or perform arbitrary computation by hijacking control flow and running code of our choosing.
+
+If you're trying to find bugs in compiled C programs, it's important to know what you're looking for. Start with identifying where the data you send to the program is used. If your data is stored in a buffer, take note of the sizes of them. Programming in C without errors is very difficult and the [CERT C Coding Standard](https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard) catalogues many of the ways that errors can come about. Paying attention to [commonly misused APIs](http://stackoverflow.com/questions/4588581/which-functions-in-the-c-standard-library-commonly-encourage-bad-practice) can be a quick path to success.
+
+Once a vulnerability is identified it should be used to compromise the integrity of the program, however, there are a variety of ways to achieve this goal. For programs such as web servers, obtaining the information from another user may be the end goal. In others, changing your permissions may be helpful, for example changing the permissions of a local user to the administrator.
+
+## Lecture
+The first lecture, Memory Corruption 101, provides background and step-by-step explanation of exploiting an overflow on Windows. The second lecture, Memory Corruption 102, covers more advanced topics, including web browser exploitation. Both of these lectures use Windows-specific examples but the techniques and process are applicable across operating systems that use the x86 instruction set. Remember that the names of functions and sometimes the calling conventions will be different when you are working with UNIX/Linux binaries.
+* [Memory Corruption 101](http://vimeo.com/31348274)
+* [Memory Corruption 102](http://vimeo.com/31831062)
+
+## Tools
+We recommend using GDB to debug the challenges in this module since all of them are compiled for 32-bit Linux, however, GDB is intended for debugging source code, not stripped binaries without symbols and debugging information. Projects such as [gdbinit](https://github.com/gdbinit/gdbinit), [peda](https://code.google.com/p/peda/), and [voltron](https://github.com/snarez/voltron) are attempts at making gdb more useful for debugging when source code is not available.  We recommend making a `.gdbinit` file in your home directory with at least the following commands:
+```
+    set disassembly-flavor intel
+    set follow-fork-mode child
+```
+
+## Workshop
+In order to run these challenges, you'll need to setup an [Ubuntu 14.04 (32-bit)](http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04&architecture=i386) virtual machine. We recommend using [VMware Player](https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0), since it's free and well supported. When you have it running, open a terminal and install `socat` with command `sudo apt-get install socat`.
+
+There are three challenges in this workshop, each contained within this folder when you clone this repository in git. The ultimate goal of each challenge is to manipulate the executable into reading the flag to you. For each challenge, try to translate the disassembly into C code. After making an attempt, you can verify your guess by checking the actual C source provided. Then, try to exploit it to read you the flag.
+
+### Challenge: Easy
+Make sure the flag is in the same directory as the `easy` program. Once you execute `easy` it will listen for instructions on port `12346`.
+
+### Challenge: Social
+Similar to easy, make sure the flag and `host.sh` are in the same directory as `social` program. Once you execute `social` it will listen for instructions on port `12347`.
+
+## Resources
+* [Using GDB to Develop Exploits - A Basic Run Through](http://www.exploit-db.com/papers/13205/)
+* [Exploiting Format String Vulnerabilities](/ctf/exploits/references/formatstring-1.2.pdf)
+* [Low-level Software Security: Attacks and Defenses](/ctf/exploits/references/tr-2007-153.pdf)

exploits/binary1_workshop/easy/EasyServer.c

@@ -0,0 +1,183 @@
+#include <stdio.h>
+#include <strings.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+
+#define PORTNO 12346
+
+int h=0,b=0,p=0;
+
+#define BUFFER_SIZE 512
+
+int checksec(FILE* f){
+  FILE* key;
+  char buf[1024];
+
+  if(h&b&p){
+    key=fopen("easy_key","r");
+    fread(buf,1024,1,key);
+    fprintf(f,"%s",buf);
+    fclose(key);
+    return 0;
+  }
+  return 1;
+}
+
+
+void hekers(FILE* f){
+  volatile int zeroWeekend;  
+  char buf[32];
+
+  fprintf(f,"So you want to be an 31337 Hax0r?\n");
+  fgets(buf,40,f);
+  switch(strcmp("y3$\n",buf)){
+  case 0:
+    fprintf(f,"First you must get power\n");
+    break;
+  default:
+    fprintf(f,"Well then go away\n");
+    break;
+  }
+  if(zeroWeekend==0xcafebabe){
+    h=1;    
+  }
+  return;
+} 
+
+void batmenss(FILE* f){
+  volatile int batsignet; 
+  char buf[32];
+
+  fprintf(f,"So you want to be the batman?\n");
+  fgets(buf,40,f);
+  switch(strcmp("YESSSSSSS\n",buf)){
+  case 0:
+    fprintf(f,"First you must get rich\n");
+    break;
+  default:
+    fprintf(f,"Well then go away\n");
+    break;
+  }
+
+  if(batsignet==0x12345678){
+    b=1;
+  }
+
+  return;
+} 
+
+void pokemans(FILE* f){
+  volatile int pikachy;
+  char buf[32];
+
+  fprintf(f,"So you want to be the best there ever was?\n");
+  fgets(buf,40,f);
+  switch(strcmp("catchemall\n",buf)){
+  case 0:
+    fprintf(f,"First you must get respect\n\n");
+    break;
+  default:
+    fprintf(f,"Well then go away\n");
+    break;
+  }
+
+  if(pikachy==0xfa75beef){
+    p=1;    
+  }
+  return;
+} 
+
+
+
+
+
+void readInput(int sock){
+  int msg;
+  char choice[4];
+  char buffer[BUFFER_SIZE];
+  FILE* fptr = fdopen(sock, "r+");
+  char* prompt="Do you want to be a?\n"
+               "1.) Pokemon Master\n"
+               "2.) Elite Hacker\n"
+               "3.) The Batman\n";
+
+
+
+  while(checksec(fptr)){
+    fprintf(fptr,"%s",prompt);
+    fgets(choice,4,fptr);
+    switch(choice[0]){
+    case '1':
+      pokemans(fptr);
+      break;
+    case '2':
+      hekers(fptr);
+      break;
+    case '3':
+      batmenss(fptr);
+      break;
+    default:
+      fprintf(fptr,"\nThat is not one of the choices\n");
+      fflush(fptr);
+    }  
+  }
+
+  fprintf(fptr, "%s", buffer);
+  fflush(fptr);
+  fclose(fptr); 
+  return;
+}
+
+int main(int argc, char *argv[])
+{
+  char buffer[BUFFER_SIZE];
+  int sockfd, newsockfd, portno, pid;
+  socklen_t clilen;
+  struct sockaddr_in serv_addr, cli_addr;
+  /*
+  if (argc < 2) {
+    fprintf(stderr,"ERROR, no port provided\n");
+    exit(1);
+  }
+  */
+  sockfd = socket(AF_INET, SOCK_STREAM, 0);
+  if (sockfd < 0){
+    perror("ERROR opening socket");
+    exit(1);
+  }
+  bzero((char *) &serv_addr, sizeof(serv_addr));
+  //portno = atoi(argv[1]);
+  serv_addr.sin_family = AF_INET;
+  serv_addr.sin_addr.s_addr = inet_addr("0.0.0.0");
+  serv_addr.sin_port = htons(PORTNO);
+  if (bind(sockfd, (struct sockaddr *) &serv_addr,
+	   sizeof(serv_addr)) < 0){
+
+    perror("ERROR on binding");
+    exit(1);
+  }
+  listen(sockfd,5);
+  clilen = sizeof(cli_addr);
+  while (1) {
+    newsockfd = accept(sockfd,
+		       (struct sockaddr *) &cli_addr, &clilen);
+    if (newsockfd < 0)
+      perror("ERROR on accept");
+    pid = fork();
+    if (pid < 0)
+      perror("ERROR on fork");
+    if (pid == 0)  {
+      close(sockfd);
+      readInput(newsockfd);
+      return;
+    }
+    else close(newsockfd);
+    waitpid(-1,NULL,WNOHANG);
+  } /* end of while */
+  close(sockfd);
+  return 0; /* we never get here */
+}

exploits/binary1_workshop/easy/easy_key

@@ -0,0 +1,2 @@
+Congratulations on your memory coruptions.
+It only gets harder from here.

exploits/binary1_workshop/easy/makefile

@@ -0,0 +1,3 @@
+all: c
+c:
+	gcc -m32 -g EasyServer.c -o easy32 -fno-stack-protector

exploits/binary1_workshop/social_format/host.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+socat TCP-LISTEN:12347,reuseaddr,fork EXEC:./social

exploits/binary1_workshop/social_format/key

@@ -0,0 +1 @@
+Format strings are tricky, format strings are powerful.

exploits/binary1_workshop/social_format/makefile

@@ -0,0 +1,5 @@
+
+all: social
+
+social: social.c
+	gcc social.c -o social -m32 -O0 -o social