Exploiting simple network services in CTFs

Greg
3 min read · Sep 6, 2019

For those of you who enjoy CTFs, here are a few tips on how you can go about testing non-HTTP network services.

There are plenty of different services out there to test, and this is by no means an exhaustive tutorial, but it gives you a few tips to get started with non-HTTP services.

So how could we approach attacking these services?

In CTF challenges where you are given the binary, life is a lot easier: you can disassemble or decompile it to understand its structure and how it operates.

Initially you may start with:

  • running strings to identify readable text within the binary (prompts, format strings, file paths and hard-coded credentials are the usual finds).
  • Disassembling or decompiling the binary (depending on its format) using tools such as objdump, NSA's Ghidra framework, OllyDbg etc.

Then use the insights you gain from debugging the code locally to understand how the software is operating.

Typically in CTFs the binary you are given won't contain the flag you want to capture, but it is the same program that runs on the remote service, so you can use it to build a network-based attack.

Once you have an initial understanding, run the binary and debug it with GDB. ExploitDB has a quick primer.

  • Examine its behaviour with different inputs (long inputs, format specifiers, unexpected characters).
  • Walk through the logical functionality of the program to see which code handles your input.

If you don't have access to the binary, you will need to start from the network socket and build up your knowledge of the service in a more automated way, by sending inputs and observing the responses. The same approach works against a local binary or a network service.

Using Python to test the service

Python's socket module lets you interact directly with TCP sockets.

It is also possible to treat the socket as a file-like object (socket.makefile()), so you can read and write lines instead of juggling raw send/recv calls. This is useful when you have a copy of the binary to decompile and examine alongside a network service that you are testing, such as in the HackTheBox.eu Little_Tommy challenge, where you are given a binary you can reverse and a network service to attack that is running that binary.

With this knowledge you can quickly start to test the service and fuzz it for vulnerabilities.
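As an added example (not code from the original post), here is a small Python harness that applies the same approach to both a local binary and a network service, as the two sections above describe: each probe is fed to the binary on stdin and to the service over a socket wrapped with makefile(), and a crash is recorded when the process dies by a signal or the connection ends without a reply. The target is a constructed stand-in (a tiny Python script that aborts on lines longer than an invented 64-byte limit, plus a loopback TCP twin of it), so everything runs offline; the probe set, the port handling and the 64-byte threshold are assumptions for illustration, not anything taken from the Little_Tommy challenge.

```python
"""Added example (not from the original post). One harness drives either a
local binary over stdin/stdout or a remote TCP service through a file-like
socket, sends the same probe inputs to both, and reports which probes crash
the target. The "vulnerable service" below is a constructed Python script
standing in for a real CTF binary so that the example runs offline."""
import socket
import socketserver
import subprocess
import sys
import threading

# Constructed stand-in for the challenge binary: prompts, reads one line and
# aborts (SIGABRT, like a real crash) when the line exceeds an invented
# 64-byte limit. A real target would be the challenge's own executable.
FAKE_BINARY = r"""
import os, sys
sys.stdout.write("name?\n"); sys.stdout.flush()
line = sys.stdin.readline().rstrip("\n")
if len(line) > 64:
    os.abort()
sys.stdout.write("hello " + line + "\n")
"""


class FakeServiceHandler(socketserver.StreamRequestHandler):
    """Constructed network twin of the same program: the handler simply
    dies (connection closed, no reply) on over-long input."""

    def handle(self):
        self.wfile.write(b"name?\n")
        line = self.rfile.readline().rstrip(b"\n")
        if len(line) > 64:
            return
        self.wfile.write(b"hello " + line + b"\n")


def start_fake_service():
    """Bind the constructed service on a free loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeServiceHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class LocalTarget:
    """Drive a local binary: one fresh process per probe, payload on stdin."""

    def __init__(self, argv):
        self.argv = argv

    def send(self, payload):
        proc = subprocess.run(self.argv, input=payload + b"\n",
                              capture_output=True, timeout=10)
        # POSIX: a negative return code means the process was killed by a signal
        return proc.returncode < 0, proc.stdout


class RemoteTarget:
    """Drive a network service: one fresh connection per probe, socket as a file."""

    def __init__(self, host, port):
        self.addr = (host, port)

    def send(self, payload):
        with socket.create_connection(self.addr, timeout=5) as sock:
            f = sock.makefile("rwb")  # readline()/write()/flush() on the socket
            banner = f.readline()
            f.write(payload + b"\n")
            f.flush()
            try:
                reply = f.readline()
            except (ConnectionResetError, socket.timeout):
                reply = b""
            # A service that died mid-request gives EOF or a reset instead of a reply
            return reply == b"", banner + reply


# Invented probe set: benign input, a format-string canary, and lengths
# straddling the suspected buffer size.
PROBES = {
    "short": b"A" * 8,
    "format-string": b"%x." * 8,
    "len-64": b"A" * 64,
    "len-65": b"A" * 65,
    "len-512": b"A" * 512,
}


def fuzz(target):
    """Send every probe; return {label: crashed} in probe order."""
    return {label: target.send(payload)[0] for label, payload in PROBES.items()}


def run_both():
    """Fuzz the local stand-in binary and its network twin with identical probes."""
    local = LocalTarget([sys.executable, "-c", FAKE_BINARY])
    server, port = start_fake_service()
    try:
        return fuzz(local), fuzz(RemoteTarget("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    local_results, remote_results = run_both()
    for label in PROBES:
        print(f"{label:14s} local={'CRASH' if local_results[label] else 'ok':5s} "
              f"remote={'CRASH' if remote_results[label] else 'ok'}")
```

Against a real challenge, point LocalTarget at the downloaded binary and RemoteTarget at the challenge host and port, and grow PROBES as the reversing tells you which inputs matter; the local crash check relies on POSIX signal exit codes, and a service that forks per connection will show the same EOF-without-reply signature as the twin here when its child dies.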

In line with the HackTheBox code of conduct, the solution to the challenge isn't here, but the tools and techniques apply.

Greg

Security addict, 17+ years in industry making systems more secure and finding those that aren’t