This was my first time participating in the Hacking Camp, and it was a lot of fun. I sincerely thank the Hacking Camp staff, including everyone at POC Security and the Demon team, for giving me such a great opportunity. I also want to thank my teammates in team 6쌈냉면먹을래요 for leading me along despite my shortcomings.
Taking part in this Hacking Camp made me realize how much I still lack, and I was inspired by how many people are passionately working for information security. I especially respected everyone who solved the CTF problems so enthusiastically. All I could think was that I have a lot to learn.
Also, based on the experience I gained at the Hacking Camp, I was able to apply what I learned, for example by holding the 1st INFO CTF competition, modest as it was, and laying out an information security roadmap for our club members. (INFO is the information security club of Daedeok Software Meister High School, and I am currently its president.) Going forward, I will try to develop wargames and hold competitions at school like the Hacking Camp, even if they are modest.
Now I will describe the Hacking Camp activities. Since the full summary is long, I have written it below. I put it together in a hurry, so there may be typos, and there may also be errors due to the limits of my understanding. I would be grateful if you point out anything that is lacking. (For reference, I wrote the summary in English, and when I showed it to the staff they were quite surprised;; They told me I absolutely had to upload it with my review, which I found amazing. Personally I had thought that a summary in English was nothing special...)
The keynote helped me greatly in establishing a proper roadmap for information security.
Kim Dohyeon's memoir let me hear the honest story of how he got accepted into BOB.
Lee Beomjin's 'Web hacking from start to end' explained the web hacking process in detail.
Choi Jongyoun and Kang Minsuk's talk on the differences between kernel and user-space UAF was helpful to me, since I was interested in the kernel.
Ahn Byeongchan's talk on SCADA vulnerabilities was personally fascinating. The fact that there have been no updates for ten years...
Han Wooyeong's talk on blockchain vulnerabilities was very impressive. I already knew of him through Facebook, and he is as great as expected.
Park Moonbeom's talk was comfortable and informative. He didn't come across as preachy at all.
Min Jingyu's talk on keyboard hooking was easy to understand because he gave a live demonstration.
Finally, there was the awards ceremony. Honestly, I was aiming for the Best Hacker award, but I think it was right that someone more skilled than me took it. Still, I was glad to receive the Diligent Hacker award for my effort in summarizing the presentations.
At the next Hacking Camp, I will definitely participate again, ask lots of questions, solve lots of CTF problems, and give a presentation too.
The Key Notes
BY JEONG JINUK, GANG SUHUI OF POC SECURITY
- Security Consulting
- Malware Analysing
- Security Developing
- Security Accident Managing
- Security Educating
- KISA, NIS, Armed Forces
THE LEARNING CURVE
- Programming, Network, Operating system, Database, Cryptography
- System Hacking, Network Hacking, Physical Hacking, Security Devices Managing
IF WE CLASSIFY THAT AGAIN
- Theory (such as OS and Database)
- Vulnerability Technique
- CTF, Wargame
- 0-day Analysing and Recreating
- Bug Hunting
WHY DOCUMENTS ARE IMPORTANT (1)
Every company aims to improve its security level in order to earn wealth.
You need to use your skills to achieve that. The final stage of earning wealth is making the client understand that our product can remove security vulnerabilities, or that our analysis found their system can be hacked and their clients' data will leak out without our help.
This means that the final step is to make our clients understand our security services and products. For instance, Offensive Security views the problem from the attacker's point of view, but the ultimate goal is to manage threats.
We need to make them understand through a document. A good document states what the client wants, what the current problem is, and what they want to avoid.
Your thoughts need to be crystal clear. A good document can be understood after being read only once.
So when you write a self-introduction or sit in an interview, the interviewers are not looking for a person who uses technology well. They want someone who can use the (literal) language fluently.
WHY DOCUMENTS ARE IMPORTANT (2)
Bad examples are using slang or big words, claiming that their skills are the best, giving no explanations, and so on.
Good examples are those who understood the goal of the interview. They understood what the company or the Hacking Camp wants.
Of course, when writing an official document, be intuitive. Always remember that the document will be read by many people.
And take part in many activities outside school or the company, because those who have a hobby and network with many people will do their work more efficiently.
- When you think you have reached the end and learnt everything, select your way.
- Solving CTFs and wargames isn't always required.
- Do not limit yourself when learning hacking.
- Understand the other person when you want to talk to them or submit documents.
- Never look down on writing documents.
Memoirs since I started hacking
BY KIM DOHYEON, RESEARCHER OF STILIAN, BOB 7th
Follow your dreams. Follow what you always dreamed of.
- STAY HUNGRY, STAY FOOLISH - Steve Jobs, Former Apple CEO
When I first started to learn hacking, I followed the instructions written in books and opened some game servers. I started to solve basic problems while learning C. I barely used Bash and Lua script.
I learned that POC holds Belluminar. I thought that I wanted to go there. Thus I joined Team H3X0R and started to solve CTFs. It was bad when I failed the admission to Korea Digital Media High School. I played games for a very long time. Bad days. Bad. Oh.
Thankfully I joined BOB 7th after trying hard. Therefore I started to meet many people. And I passed the admission of AJU and Busan University. But I still regret... what if I had started to learn it earlier?
Web hacking from start to end
BY LEE BEOMJIN, BOB
The web is easy to access and ubiquitous. Web hacking is easy to learn, and it's easy to produce results. Learning it can also widen your job options, such as HackerOne, Bugcrowd, KISA, and Naver.
HOW TO EXPLOIT THE WEB
In the past, the web was static. But it developed to take parameters from the user and customise its output. This is called the dynamic web.
So vulnerabilities like injection, broken authentication, and sensitive data exposure arose. Attackers give the target data that the website developers didn't anticipate when developing it, in order to make the target crash.
If we give an invalid request to the server, it can return the following responses:
- Default response
- Response with Error
- No response
Hackers can guess how the operating mechanism works by inputting parameters like param = 1, param = 10, param = @. These processes can be automated by using proxies like Fiddler and Burp Suite. Do not forget to check the dereference.
GAP OF INTERPRETING
- Server-side language (PHP / JSP)
- Client-side language (js / HTML)
- Web application firewall
- Regex filter
- resource A → resource B → resource C → resource D
In the modern web, many resources reference other resources. This can lead to file upload vulnerabilities.
- Depends on injection point
- Blind injecting
- Blackbox testing
- Open source analysing
THE SINGLE PAGE APPLICATION
Many sites use OAuth to provide a connection with other sites. Using path normalisation can redirect them to the attacker's site.
It's recommended to check open-source web projects. Opportunities are limited in Korea, but checking bug bounties and trying to solve them is also recommended.
When you feel your techniques are limited, try to solve wargames and ask someone who has already solved them.
Differences between Kernel and User UAF
BY KANG MINSUK, CHOI JONGYOUN
BASIC LINUX KERNEL
The kernel is the core of the operating system. It manages processes, the filesystem, and many other things. Kernels are classified into monolithic, micro, hybrid, and exokernel types.
For example, monolithic kernels have everything inside them. In contrast, microkernels have limited features and provide additional features through servers.
Devices communicate by bytes.
The goal is simple. We want our privilege to be elevated.
In CTFs, you get bzImage (the kernel image), rootfs.cpio (the root filesystem), run.sh, and zerofs.ko (the vulnerable device driver). Try booting it with qemu. You can get root privilege by writing an exploit in C and executing it.
Kernels have kernel protections. They try to protect the system by doing things such as randomising memory addresses.
The heap allocator is calloc(). The kernel allocates the memory as the heap allocator requests.
The bins can be classified like this:
- Fast bin
- Unsorted bin
- Large bin
- Small bin
The malloc() function is vulnerable because the data (the address of the chunk) is not removed even when the memory has been freed. This is called a double-free.
The slab allocator does the same operation as the heap allocator. A slab has three states: empty, partial, and full. The slab is not emptied automatically, so an attacker can use the write function to change the data in it. It is easier to exploit than userland.
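As an added example (not code from the talk or the CTF drivers it mentions), the two points above reproduced with a toy fixed-size slab in C: a freed object keeps its old bytes, so a dangling pointer keeps working and corrupts whoever gets the slot next, and a second free must be caught explicitly. The struct, function names and the empty/partial/full reporting are my own illustration; real kernel slab and glibc heap internals differ.

```c
/* Added example, not from the talk: a toy fixed-size slab in C. It shows that a
 * freed object keeps its old bytes (a stale pointer still works, so the next
 * allocation of the same size gets corrupted) and that a second free has to be
 * caught explicitly. Real kernel slab and glibc heap internals differ. */
#include <stdint.h>
#include <string.h>

#define SLAB_OBJS 4
#define OBJ_SIZE  16
enum slab_state { SLAB_EMPTY, SLAB_PARTIAL, SLAB_FULL };
struct slab {
    uint8_t mem[SLAB_OBJS][OBJ_SIZE];   /* object storage, never scrubbed on free */
    uint8_t in_use[SLAB_OBJS];          /* 1 = allocated, 0 = free */
};
static void slab_init(struct slab *s) { memset(s, 0, sizeof *s); }
/* Hands out the first free slot, or NULL when the slab is full. */
static void *slab_alloc(struct slab *s) {
    for (int i = 0; i < SLAB_OBJS; i++)
        if (!s->in_use[i]) { s->in_use[i] = 1; return s->mem[i]; }
    return NULL;
}
/* Returns 0 on success, -1 for a pointer this slab does not own, -2 for a
 * double free. The object's bytes are deliberately left in place. */
static int slab_free(struct slab *s, void *p) {
    for (int i = 0; i < SLAB_OBJS; i++) {
        if (p != (void *)s->mem[i]) continue;
        if (!s->in_use[i]) return -2;   /* already free: double free caught */
        s->in_use[i] = 0;
        return 0;
    }
    return -1;
}
/* The three slab states named in the talk: empty, partial, full. */
static enum slab_state slab_status(const struct slab *s) {
    int used = 0;
    for (int i = 0; i < SLAB_OBJS; i++) used += s->in_use[i];
    return used == 0 ? SLAB_EMPTY : used == SLAB_OBJS ? SLAB_FULL : SLAB_PARTIAL;
}

/* Use-after-free demo: returns 1 when the write through the dangling pointer
 * lands in the object that was just handed to a new owner. */
static int demo_stale_pointer(void) {
    struct slab s; slab_init(&s);
    char *a = slab_alloc(&s);
    strcpy(a, "secret");
    slab_free(&s, a);                   /* a is now dangling but still usable */
    char *b = slab_alloc(&s);           /* the same slot comes back */
    strcpy(a, "pwned");                 /* stale write corrupts b */
    return strcmp(b, "pwned") == 0;
}
```

The fix on the owner's side is the usual one: null the pointer right after freeing, so later code cannot write through it, and let the allocator refuse a free of a slot that is already marked free.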
Introduction to SCADA Vulnerability and Analysis
BY AHN BYEONGCHAN
The SCADA is short for Supervisory Control And Data Acquisition.
- Acquisition → Conversion → Communication → Control
Many vendors around the world use their own protocols, and the devices can't be replaced easily because stability must be maintained. The security threats break down like this: Acquisition 1%, Conversion 14%, Communication 21%, and Control 63%. Many attacks take the form of DoS.
Some of the known vulnerabilities are as below:
CVE-2014-2378: Traffic sensor accepts modifications without sufficient check.
CVE-2014-2379: Unencrypted wireless traffic.
We tried to attack PLCs (GE, Siemens, LSIS, and ABB) in the Conversion and Communication steps, and GE-SRTP and S7-Comm in the Control step.
Vulnerabilities to reset the target device's password, execute a remote shell, and so on were found. It was very interesting that most of the software was last updated in 2009.
In the future, we will analyse the sensor network connected to SCADA and develop a vulnerability scanner.
Analysing Vulnerabilities of Blockchain Ethereum
BY HAN WOOYEONG
A blockchain is like a database, but it's decentralised. This enables trusted data management. Anyone who uses the Ethereum network can trust others because the network itself can't be manipulated. But sadly there are vulnerabilities, such as the Mist node unlock.
It's absurd that anyone can execute internal functions such as suicide(), which makes withdrawing impossible. Also, it's possible to use an unsigned integer overflow to set a wallet's balance to the maximum.
- Unchecked return values for low-level calls
- Short address attack
- Race condition (Front running)
- Time manipulation
- Human mistakes
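The unsigned-overflow point above, as an added example that is not from the talk: a hypothetical ledger in C with a 64-bit balance (Solidity's uint256 wraps the same way). The unchecked transfer lets an empty wallet wrap to the maximum; the checked version uses the GCC/Clang overflow builtins and refuses before touching any state.

```c
/* Added example, not from the talk: the unsigned-overflow bug described above,
 * reproduced with a 64-bit balance in C (Solidity uses 256-bit; the wrap-around
 * is the same). The unchecked transfer lets a balance of 0 wrap to the maximum;
 * the checked version refuses. Hypothetical ledger, not any real contract. */
#include <stdint.h>
#include <stdbool.h>

struct wallet { uint64_t balance; };

/* Vulnerable: no check that `from` can afford `amount`. Unsigned subtraction
 * silently wraps, so 0 - 1 becomes UINT64_MAX. */
static void transfer_unchecked(struct wallet *from, struct wallet *to, uint64_t amount) {
    from->balance -= amount;
    to->balance   += amount;
}

/* Hardened: both the debit and the credit are checked before any state changes,
 * using the compiler builtins for overflow detection. Returns false and leaves
 * both wallets untouched when either operation would wrap. */
static bool transfer_checked(struct wallet *from, struct wallet *to, uint64_t amount) {
    uint64_t new_from, new_to;
    if (__builtin_sub_overflow(from->balance, amount, &new_from)) return false;
    if (__builtin_add_overflow(to->balance, amount, &new_to))     return false;
    from->balance = new_from;
    to->balance   = new_to;
    return true;
}

/* Shows the bug: an empty wallet sends 1 unit and ends up with the maximum. */
static uint64_t demo_wrap(void) {
    struct wallet a = {0}, b = {0};
    transfer_unchecked(&a, &b, 1);
    return a.balance;                 /* UINT64_MAX */
}

/* Same scenario with the check: the transfer is refused and the balance stays 0. */
static bool demo_checked(uint64_t *balance_after) {
    struct wallet a = {0}, b = {0};
    bool ok = transfer_checked(&a, &b, 1);
    *balance_after = a.balance;
    return ok;
}
```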
Starting Hacking with Operating Systems
BY KIM SEONGU
Why do we have to study the OS?
Try reading books on operating system development, as they will help you. First, the quality of your knowledge will improve greatly. Second, you can finally code in assembly language. Finally, it's easier to understand structured programming.
It will also benefit you when getting a job. Just saying that you followed the instructions in a book to create an OS can surprise the interviewers. Why? Because it's so hard.
Use these resources:
- University Lectures
- MOOC (like coursera)
- OS Books
- OS Development Books
If you don't know OS at all:
- Learn about Kernel drivers
- Follow the book from A to Z
- Try to use Pintos
But if you know some parts of it:
- Develop an OS yourself and learn only what you need
The relations between development and hacking
Those who don't develop well can still hack well. The reverse is also true. But with development skills, it's even better.
What to study
- System Hacking: for pentesting
- Reversing: for analysing hard programs
- Web Hacking
Company or University?
It's recommended to finish university before getting a job. You can improve your skills while developing outsourced programs, commonly known as 외주 in Korean.
Can someone only live on skills?
Nah.. Those who have good relationships with other people and rest well live better.
About Armed Forces
Not so recommended.
Some Recommendations for You
BY PARK MOONBEOM
UNTIL HIGH SCHOOL
- His dream was to be a reporter.
- Exploited PC-Tongsin when in high school.
- Started to learn C, PHP and others.
- Defaced a police station website.
AT UNIVERSITY AND BEYOND
- Joined the Wowhacker Group and KUCIS (Korean: 대학정보보호동아리연합).
- Joined the KISA.
- Analysed the 7.7 DDoS, the 3.20 Cyber Terror, ...
- Joined BOB as a Digital Forensics mentor.
- Presents at many conferences.
Please get permission first from the administrator when exploiting others' property. You might get sued under the ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC.
Keyboard Hooking
BY MIN JINGYU
- Hooking is a technique to alter the behaviour of software by intercepting its components.
- A queue is a data structure in which the data that was input first comes out first. This is called a FIFO structure.
- When the user inputs a character, it goes into the message queue.
- The Windows OS provides the function SetWindowsHookEx.
Keylogging can be done by hooking the keyboard of the target process. Then we can redirect the queue of the target (such as chrome.exe) to another queue (such as notepad.exe). This process is part of reversing.