A couple of bank holiday weekends ago I had the privilege to compete with a bunch of cool people on the Plaid CTF competition. While it turns out I’m not much of a hacker I did manage the side channel attack using sleep.
The idea was that the server had a security hole that allowed us to execute commands on the server by putting them in the url. The only problem was that the system was a) read-only, b) limited commands were available (although you were told which) and c) you couldn’t see the output from any of them directly. The sleep command was one of the commands available so you could effectively get input that way. After one of our team members figured out how to construct the urls correctly I then set about figuring out how to get the key located on the server.
I’m not going to bother posting the solution because that was fairly boring. I figured it was worth mentioning a few of the lessons I learnt from completing that sort of task.
- Don’t faff about constructing fancy commands to figure out stuff until you can see output from the tools. Playing about doing things blind is fun, but ultimately it tends to waste a lot of time. After you’ve figured out the correct url format to inject your commands figure out a set of commands to pull back the textual output quickly.
- Test the commands you want to use work as expected on the server with known output. Do an `echo` to work on predictable output. For example test commands like `tail` work with the same command line options by providing predictable input to them and then checking their output. I wasted a lot of time with a neat trick using `tr " " "\n"` to get around the lack of a `cut` command that worked beautifully here but didn’t work at all when I tried it on the server. A simple `` sleep `echo a b c | tr " " "\n" | wc -l` `` would have demonstrated it didn’t work as intended a lot quicker.
- Break things up. While you can turn a character into a number like 94 and get that returned, that’s 94 seconds waiting. If you turn it into two separate calls and get a 9 and a 4, that’s 13 seconds waiting. Theoretically I guess octal is actually the optimal number system to use for pulling back ascii characters when using sleep.
- `Time::HiRes` if you’re using perl. In general you want a time library with a decent resolution because a seconds precision isn’t good enough when you need to count seconds accurately. Initially I just used the command line `time` utility when I was testing things, which was perfectly accurate, but to pull back full text a proper script was needed.
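The flip side of the digit-by-digit trick above is that it leaves a very recognisable trace: a burst of requests from one client whose response times sit almost exactly on whole seconds. The following is an added example of mine, not code from the post or the competition, showing how an incident responder could pick that pattern out of access logs and reconstruct what the channel leaked. It assumes a constructed log format (client, request line, status, response time in milliseconds), that the server's own response noise is well under half a second, and that each character was sent as three octal digits, most significant first; the `DIGIT_CMD` placeholder in the URLs stands in for whatever pipeline was injected.

```python
"""Reconstruct a sleep-based timing channel from web access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log: client, request line, status, response time (ms).
# The client 10.0.0.5 is leaking the text "PCTF" as octal digits, one request
# per digit, so the response time of each request is roughly digit*1000 ms.
# The first sleep request is a noisy/aborted probe that lands between seconds.
SAMPLE_LOG = """\
10.0.0.9 "GET /index.html HTTP/1.1" 200 118
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 1480
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 1038
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 2021
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 45
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 1012
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 51
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 3027
10.0.0.5 "GET /cgi?cmd=ls HTTP/1.1" 200 63
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 1044
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 2019
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 4033
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 1006
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 39
10.0.0.5 "GET /cgi?cmd=ls%3Bsleep%20%60DIGIT_CMD%60 HTTP/1.1" 200 6052
"""

# Assumed log layout: <client> "<method> <url> <proto>" <status> <response ms>
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)
SLEEP_RE = re.compile(r"\bsleep\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into client, decoded URL and response time; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"client": m["client"], "url": unquote_plus(m["url"]), "ms": int(m["ms"])}


def timing_digit(ms, tolerance_ms=250):
    """Whole-second value the response time encodes, or None if it is not near one.

    tolerance_ms bounds the server's normal response jitter; responses that fall
    between two whole seconds are treated as noise rather than guessed at.
    """
    secs = round(ms / 1000)
    return secs if abs(ms - secs * 1000) <= tolerance_ms else None


def flag_timing_channel(lines, tolerance_ms=250):
    """Per client, the digits carried by requests that inject `sleep` and respond on a whole second."""
    digits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SLEEP_RE.search(rec["url"]):
            continue  # benign request, or not in the expected format
        d = timing_digit(rec["ms"], tolerance_ms)
        if d is not None:
            digits[rec["client"]].append(d)
    return dict(digits)


def decode_digits(digits, radix=8, digits_per_char=3):
    """Reassemble characters from fixed-width digit groups, most significant digit first."""
    usable = len(digits) - len(digits) % digits_per_char  # drop an incomplete trailing group
    out = []
    for i in range(0, usable, digits_per_char):
        value = 0
        for d in digits[i:i + digits_per_char]:
            if d >= radix:
                raise ValueError(f"digit {d} is out of range for radix {radix}")
            value = value * radix + d
        out.append(chr(value))
    return "".join(out)


def recover_leaked_text(lines, radix=8, digits_per_char=3, tolerance_ms=250):
    """Map each flagged client to the text its timing channel leaked."""
    return {
        client: decode_digits(digits, radix, digits_per_char)
        for client, digits in flag_timing_channel(lines, tolerance_ms).items()
    }


if __name__ == "__main__":
    for client, text in recover_leaked_text(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: leaked {text!r}")  # 10.0.0.5: leaked 'PCTF'
```

The radix and digits-per-character are parameters because the post notes that the same channel works in decimal or octal; in an investigation you would try the likely encodings and keep the one that yields printable text. The whole-second clustering is also a cheap alert condition on its own, independent of spotting the word `sleep` in the URL.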
I should also thank the people who organised the competition, it looked like they had put a lot of effort into it. I was very impressed by the variety of challenges. I was impressed by the other members of my team too who did some impressive work despite lots of family commitments.
Incidentally, using sleep wasn’t the only way of solving the challenge. That feature creep thing came into play to allow at least one team to solve the challenge in a completely different way.