Sync Dev: Security & Programming – Starting Early

Developing on the BitTorrent Sync API? Our developer evangelist is here to work with you.

As a BitTorrent employee and Developer Evangelist on Sync, I consider a big part of my job to be general awareness around how BitTorrent and Sync are making the Internet better. As such, I try to take on as many opportunities as possible to host meetups at BitTorrent HQ for local developer groups like Ethereum, student groups like the University of Twente, programming competitions for university groups like UC San Diego’s Women in Computing, and all who feel that privacy, security and a better Internet are something we should all contribute to.

Last week I had the privilege of speaking to a group of high school students enrolled in a Computer Security course at UC Berkeley’s Academic Talent Development Program. I was blown away by how much these students “got it” – there was no shortage of hands raised when I asked the small class who could explain to me how a DMCA Takedown works on cloud storage sites, or how long it would theoretically take to break the AES-128 encryption we use on BitTorrent Sync.


For next week’s post, I’m in beautiful Las Vegas attending DEF CON 22 (protip: have you always wanted one of those coveted Sync T-Shirts?  Follow me on Twitter @aaronliao if you’re at DEF CON to find out how to score one).  In the spirit of hacking and reverse engineering, I want to draw attention to what the technologists of tomorrow are learning and working on today and talk about the Capture the Flag (CTF) competition that followed my brief talk on the importance of Peer-to-Peer, decentralised internet, Sync and the pitfalls of cloud storage.

About the Game (in the words of student/competitor Zeque)

“All contestants connect to a server, where a bunch of small programs are being run on separate ports. The game consists of 50 rounds, each one lasting 3 minutes. Each round, every program you can successfully hack and get the “flag” out of, can be submitted for a point. Each flag can only be scored once a round, but any amount of rounds. For instance, if I hack “program1” and score a flag, the next round I could do the same thing and get another point. If you are the first person to hack a specific program, you are given a “first blood” bonus of 20 points.”

Let's jump right in and take a look at a couple of the Python programs these students were trying to exploit – if you’re feeling adventurous, try to hack the flags from the programs without looking through the code.

guess.py

#!/usr/bin/python

import random
import os
import sys

# The flag is read from disk at startup and printed only on a win
f = open('/home/warmup/flags/flag_guess')
flag = f.read()

# Seed the PRNG from the OS entropy source so the number is not predictable
r = random.Random()
r.seed(os.urandom(16))

credits = 100
bet = 0

print "Welcome to our guessing game!"
print "Go from rags to riches - win 10k to get the prize!"
sys.stdout.flush()

while credits > 0:
    i = r.randint(0, 100)
    print "You have " + str(credits) + " credits"
    print "How much would you like to bet?"
    sys.stdout.flush()
    bet = int(raw_input())
    # The wager is only compared against the current balance
    if bet > credits:
        print "You don't have enough credits!"
        sys.stdout.flush()
    else:
        print "You bet " + str(bet) + " credits"
        print "Now guess between 0-100 to win"
        sys.stdout.flush()
        guess = int(raw_input())
        if guess == i:
            print "You guessed right! Congrats!"
            sys.stdout.flush()
            credits = credits + bet
        else:
            print "Nope, sorry! It was " + str(i)
            sys.stdout.flush()
            credits = credits - bet
    # Reaching 10,000 credits releases the flag
    if credits >= 10000:
        print "YOU WIN! Here's the prize:"
        print flag
        sys.stdout.flush()
        sys.exit(0)

pyauth2.py

#!/usr/bin/python

import sys
import os
import math

f = open('/home/warmup/flags/flag_pyauth2')
flag = f.read()

print "Please enter password:"
sys.stdout.flush()
passwd = raw_input().strip()
passwdlen = len(passwd)

# The password must be at least 10 characters long...
if passwdlen < 10:
    print "Incorrect."
    sys.stdout.flush()
    sys.exit(0)

# ...must parse as an integer...
a = 2
try:
    num = int(passwd)
except:
    print "Incorrect."
    sys.stdout.flush()
    sys.exit(0)
# ...and must survive a trial-division check for small factors
while int(math.sqrt(num)) > a:
    if num%a==0 & a!=num:
        print "Incorrect."
        sys.stdout.flush()
        sys.exit(0)
    a += 1

print "Authorized."
print flag
sys.stdout.flush()
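For contrast, here is how the two checks that gate the flags would look written defensively. This is an added example in Python 3, not code from the competition; it keeps only the validation logic (no flag files or prompts) so it can be exercised directly.

```python
"""Hardened versions of the input checks from guess.py and pyauth2.py.

Added example (Python 3); not part of the CTF services. Each function
returns its result instead of printing, so the logic can be tested.
"""


def validate_bet(raw, credits):
    """Accept a wager only if it is a plain decimal integer in 1..credits.

    guess.py bounded the bet on one side only. Requiring digits-only input
    and a lower bound means the balance can only change by an amount the
    player actually holds.
    """
    if not raw.isdigit():          # rejects '', '-5', '+5', ' 7', '1e3'
        return None
    bet = int(raw)
    if bet < 1 or bet > credits:
        return None
    return bet


def is_prime(n):
    """Deterministic trial division, correct for every integer n."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    a = 3
    while a * a <= n:              # inclusive bound catches squares of primes
        if n % a == 0:             # boolean test; no bitwise '&' mixed in
            return False
        a += 2
    return True


def check_password(passwd):
    """True only for a canonical decimal prime of at least 10 digits.

    Canonical means str(int(passwd)) == passwd, so leading zeros, signs or
    whitespace cannot make a short number satisfy the length requirement.
    """
    passwd = passwd.strip()
    if len(passwd) < 10 or not passwd.isdigit():
        return False
    num = int(passwd)
    if str(num) != passwd:
        return False
    return is_prime(num)
```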


Configuration Details

These services were run on an Intel NUC DC3217IYE with 4 GB RAM running Ubuntu Server 14.04. The router used for the NUC was a Chinese clone of the popular TP-LINK 703n portable router, except with two RJ45 ports (LAN, WAN/LAN) vs. a single WAN/LAN on the TP-LINK variant, and 64 MB RAM and 16 MB flash vs. 32 MB/4 MB. Vulnerable services were managed by xinetd and the score server was written in Python.


In addition to the above services that were written in Python, there were a number of services written in C – these were compiled with gcc -fno-stack-protector -z execstack. ASLR remained enabled, but none of the exploits required precise knowledge of stack positions. Students connected to the server from a mix of OS X machines and PCs running VMware Player with an Ubuntu 14.04 VM (distributed with Sync!). Static analysis was done with IDA 5.0 Free. Many students used netcat to connect to services and some ran a combination of cron jobs, bash scripts, Python and Perl scripts for exploitation.

The top 3 scorers in this first round of CTF were awarded BitTorrent Sync t-shirts and sticker packs.  I was thoroughly impressed by the level of ingenuity and creativity these students exhibited during the competition and look forward to seeing what tomorrow’s technologists create.


Written by: Aaron Liao

Aaron Liao is a Developer Evangelist at BitTorrent
