Sexy Pandalog

Osu, Tatakae, Sexy Pandas blog

 

August 6, 2009

Capture The Root 2009

Filed under: CTF, Defcon — at 22:50

As you, friends, probably already checked at DDTEK, we finally took 5th place in this year’s Defcon CTF. Let us explain why.

This year’s contest has been interesting but weird, really really weird. The contest started after a long delay and the teams had a USB key with the binaries almost two hours before the system started to work (later we discovered some of those bins were not the same as the ones running on the servers). Once the whole thing started, the teams were scoring without knowing the real points scored by any of the teams and with a limited view of the services’ SLA (only a reduced number of the complete set of services were reported, and that caused some teams to close any service not listed in the SLA status information).


 

August 5, 2009

Defcon CTF physical break

Filed under: Defcon — at 15:33

We met our friend Mudsplatter at Defcon and that’s what happened:

The point is that we were able to enter the CTF room while they were setting up things without even wearing a defcon badge. Of course this is only for the lulz while we write our usual post-ctf report. Sorry about the video quality and shouts to “Chino” Mudsplatter xDDD

 

July 22, 2009

Pwnda7

Filed under: CTF, Defcon — at 19:10


Seven pwndas are ready to go to Defcon, towards unknown shores, to defend a vulnerable server with honor and courage against hordes of evil hackers. We might have less equipment and find ourselves in numerical inferiority, but be mindful because Pwndas never retreat! Pwndas never surrender! Pwndas never forget! Spread the word and let every contestant know the truth of this. We are on our way. See you there friends and foes, remember us despite whether we win or fail and maybe we will meet again in Valhalla.

 

June 8, 2009

Defcon CTF prequals’09

Filed under: CTF, Defcon, prequals — at 14:47

For us it was impossible to imagine two years ago, when the “Sexy Pandas” concept was born, that this group of friends would become… well, whatever we are now xD Anyways, these two years have been amazing and we think it’s time to say thanks to you, all anonymous friends, that have been supporting us in so many different ways. Thanks!

And about this year’s prequals, we played hard in a competition controlled almost from start to end by Sk3wl and VodaGodz, but we did good work during the last hours and scored a nice amount of points that allowed us to tie them. At the last moment (that sounds familiar…) Sk3wl solved pwn400 and got first place, we were almost done with that same exploit but time was over and we still have to train those last-minute-pwnage skills a bit.

As for the rest of the qualified teams (you can see the full list in the Defcon forums), all are well known and highly skilled friends so this year we are expecting one of the hardest CTF competitions ever.

That’s all folks, see some of you in Vegas and be ready for some awesomeness!

PS: Yes, we know there are some pending posts but, tempus fugit

Update: complete results at ddtek.biz

 

September 25, 2008

Defcon CTF’08 Kryptod writeup

Filed under: CTF, Defcon, writeups — at 20:09

This year at the Defcon CTF there was only one kenshoto-level service (or at least only one that scored as a Kenshoto, you’ll know what we mean in further writeups). That service was Kryptod, so we will be trying to explain how we managed to exploit it.

As in most of the CTF bins, the service starts by setting up the socket, in this case listening on port 20020, and dropping the proper user privileges. Then it sets up signal handlers for SIGILL, SIGTRAP, SIGEMT, SIGBUS, SIGSEGV, SIGSYS and SIGALRM. The handler is always the same: it just uses the current socket to send back to the client an encoded value related to the signal received and then does a clean exit (let’s say it’s a nice way to say: “Hey, I crashed!”).

The next step is just the client handler. Kryptod reads the file ‘/home/krypto/key’ (the token) and puts its contents into a buffer, then it reads from the socket up to 63 chars (or up to a terminating \x0A if it comes before). The next part is a bit tricky: if the socket received 0 bytes it just sends the contents of the token/keyfile to the user. WTF??? Strike one! No luck this time, the token is an overwrite one so reading it gives you nothing :(


 

August 14, 2008

Pandas crashed in Vegas

Filed under: CTF, Defcon — at 14:34

Crashed panda

Ok, we can’t hide it, we finished in 7th place. That hurts. We will try to explain why or at least, what we think caused this madness.

This year we started like the previous one, although we didn’t draw first-blood (I think that taekwon or wowhacker did it). The team was working very well and we quickly got 5 breakthroughs (!!!). But that was all for us. At the end of the first day some major network problem took down the SLA of most of the teams and after that, we began to have serious networking issues. From that point to the end of the contest our network was really slow, with a lot of timeouts and lots of lost packets. Also there was a strange behaviour of the other teams’ services. We found very interesting the thoughts of Atlas from 1@stplace regarding this owning prevention.

 

August 3, 2008

Ready, Steady, Go!

Filed under: CTF, Defcon — at 11:06

Panda after training

The D-Day is coming. In 7 days we will know which team managed to win the Defcon CTF’08. The pandas have been training hard, so we’re ready to go and (try to) kick some asses :)

All preparations are done: we improved our Sexy Panda Exploitation Framework, designed our new shirts, the Riviera ordered a high amount of bamboo, bought new networking hardware, got invitations for all-night parties… a lot of new things that would make this year more fun than ever.

One final note regarding the t-shirts. We’re trying to find/evaluate online stores where to publish the design, so if you are a panda fan or if your laundry bleached your ninja suit and you need a new look… stay tuned! (questions and suggestions can be sent to shirts@pandas)

Well, nothing more to say right now. Good luck to everybody and see you in Vegas.
GO GO PANDAS!!!

 

June 9, 2008

Reversing500

Filed under: CTF, Defcon, prequals — at 12:42

Pandas With Gambas reversing monkeys are glad to introduce…
Reversing 500 CTF Prequals solution!

#!/usr/bin/env python3
import math
import socket
import struct

def makeSin(freq, number_samples, samples_per_sec):
    # Build number_samples signed 16-bit little-endian PCM samples of a sine at freq Hz
    data = b''
    for i in range(number_samples):
        data += struct.pack('<h', int(1000*math.sin(2*freq*i*math.pi/samples_per_sec)))
    return data

# print('''Rev 500''')

Host = '127.0.0.1'
Port = 2600

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((Host, Port))

# The service sends five 32-bit values, used below as the tone frequencies
chunk = s.recv(4*5)
if len(chunk) < 4*5:
    raise SystemExit('Error receiving data')

# '<L' is always 4 bytes; native 'L' is 8 bytes on 64-bit Linux and would not match
frequencies = struct.unpack_from('<5L', chunk)
print(frequencies)

number_samples  = 5000
samples_per_sec = 4000

# WAV "fmt " chunk
header_fmt  = struct.pack('<L', 0x20746d66)       # 'fmt '
header_fmt += struct.pack('<L', 16)               # size   = 16
header_fmt += struct.pack('<h', 1)                # format = pcm
header_fmt += struct.pack('<h', 1)                # n. channels. unused
header_fmt += struct.pack('<L', samples_per_sec)
header_fmt += struct.pack('<L', 1)                # Avg. Bytes Sec. unused
header_fmt += struct.pack('<h', 2)                # block align. Bytes/sample*channel
header_fmt += struct.pack('<h', 16)               # bits_per_sample

# WAV "data" chunk: five consecutive tones, one per received frequency
size_header_data = number_samples * 2
header_data  = struct.pack('<L', 0x61746164)      # 'data'
header_data += struct.pack('<L', size_header_data)
for freq in frequencies:
    header_data += makeSin(freq, number_samples//5, samples_per_sec)

size = len(header_fmt) + len(header_data) + 4

header  = struct.pack('<L', 0x46464952)  # RIFF
header += struct.pack('<L', size)        # size
header += struct.pack('<L', 0x45564157)  # WAVE

s.sendall(header)
s.sendall(header_fmt)
s.sendall(header_data)

# Complete WAV image as sent, kept for inspection
wav_file = header + header_fmt + header_data
print(s.recv(1024))

Stay tuned for the write-up….

 

August 18, 2007

One small step for a panda…

Filed under: CTF, Defcon — at 06:25

I am writing these lines a week after the Capture The Flag (CTF) at Defcon-15 ended. The CTF is a team contest that rewards skills such as discovering vulnerabilities, knowing how to patch them and, of course, exploiting them.

And why am I writing about the CTF? Because this year some friends and I committed the madness of taking part. As last year, to reach the final phase it was necessary to pass a preliminary phase whose sole purpose was to select the 7 best teams that, together with the current champion, would meet in Las Vegas to contest the final part of the competition.
