Stripe CTF 2 – Web Challenges

Written by AbiusX on . Posted in Computer, English, Network, Security

I participated in the Stripe CTF Web Attacks, and so far it is the best-designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF; the first was exploitation based and this one is web based.

Some Concepts

CTF stands for Capture the Flag, a genre of games in which you have to get past enemy lines, take their flag and bring it back to your base to score. Hacking games are usually CTF-like: you have to break into a system, find the flag (a random string) and bring it home to score for that level. A CTF host needs plenty of servers, since many attackers simply try to break the servers instead of solving the challenges. Every participant's environment also has to be isolated from the others for the best challenge experience, so a lot of careful programming is required on the host side. CTFs almost always have lots of bugs because of their large codebases, and hackers tend to break systems in ways the host did not plan for and take the score anyway; the host therefore has to watch the event, remove those bugs as soon as possible, and respond to questions and feedback from the participants.

How did I do

I participated in this CTF a couple of days ago, at midnight. Unfortunately my beloved uncle had just passed away and he had no sons, so I had to take care of much of the funeral arrangements. I only had a couple of hours at midnight (at the cost of not sleeping before the funeral) to participate in this, so I did. I was able to solve 8 out of 9 challenges in almost 3 hours, and left for the funeral chores afterwards. The 8th question was a little lengthy; I returned to it after almost 30 hours (after the funeral and a brief rest) and solved it in a few hours. Below I discuss the questions and their answers (how to hack them) as an educational document.

Challenges

I’m going to copy the challenges from Stripe-CTF, then provide the solutions in a section below each of them.

Certified E-Mail with Comodo and Thunderbird

Written by AbiusX on . Posted in Network, Security

This is intended to be a theoretical and practical tutorial on how to use email certificates to encrypt and digitally sign your email. A staggering number of emails cross the Internet every hour, and by most estimates the large majority of them are spam; the email world is really creepy, so I strongly recommend reading the rest of this post.

First of all, let's cover some theory. Three Internet protocols are involved in sending and receiving email: SMTP, IMAP and POP.

SMTP, the Simple Mail Transfer Protocol, is responsible for sending email. An email client (where you compose the message, set recipients, attach files, etc.) hands your message to a mail server via SMTP, and servers relay it to each other over SMTP as well. The protocol is fairly simple; the only things worth mentioning are that it can run inside SSL/TLS (on a dedicated port or upgraded with STARTTLS) so that the connection to the server is encrypted, and that it supports SMTP authentication (username and password) to tie submissions to accounts.

Practical Scenario: GMail

Most of us have used GMail by creating an account at gmail.com and logging in there. It is important to realize that the gmail.com web interface is the GMail client, and smtp.gmail.com is the GMail (sending) server. When you log into GMail you are using its client application. Because both client and server run inside Google's infrastructure, your message reaches the server almost instantly, which is why you never notice the hand-off.

Anybody can set up a mail server on their own machine. Well-known mail server applications are Microsoft Exchange for Windows (Outlook is a mail client, not a server) and Exim and Postfix for Linux; GMail uses neither and runs custom-written software. A plain SMTP server does not require you to have an account or provide a password: any server can send any email to any other server, so I could send a message from admin@facebook.com, with any body I like, to me@abiusx.com. It is just a packet of data with a name written on it, like ordinary post. Nothing in SMTP itself verifies the sender address; that is what digital signatures are for (and, on the receiving side, sender checks such as SPF and DKIM).

Large providers like GMail, which deal with millions of users and a lot of spam, enforce rules that require you to log in, have an account and behave lawfully: authenticated submission, rate limits and checks on the sender's domain. Other servers don't. Mail that does not follow the rules of GMail and similar providers is usually treated as spam.
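The point that SMTP itself does not authenticate the sender address, as an added example written for this article (it is not code from the original post): a toy SMTP server state machine that plays the server side of a scripted session, so the whole dialogue runs offline. The host name mail.example.test, the credential table and the spoofed session are constructed for the demonstration. With require_auth=False the server behaves like an open relay and queues a message claiming to come from admin@facebook.com; with require_auth=True it demands AUTH PLAIN first and refuses a MAIL FROM that does not match the authenticated mailbox, which is roughly what smtp.gmail.com does.

```python
"""Toy SMTP server state machine, added for this article (not from the post).
It plays the server side of a scripted session so the dialogue runs offline;
Postfix, Exim and GMail speak the same RFC 5321 command grammar."""
import base64

HOST = "mail.example.test"            # constructed host name
USERS = {"me@abiusx.com": "hunter2"}  # constructed credential table


def smtp_session(client_lines, require_auth=False):
    """Return (transcript, accepted) for a list of client command lines.
    transcript: list of ("C"|"S", line).  accepted: (mail_from, rcpts, body)
    per queued message.  require_auth=False is an open relay that takes any
    MAIL FROM (why the sender can be forged); require_auth=True demands
    AUTH PLAIN first and only allows the authenticated mailbox as sender."""
    transcript = [("S", f"220 {HOST} ESMTP ready")]
    authed_as, mail_from, rcpts, body = None, None, [], []
    in_data, accepted = False, []

    def reply(text):
        transcript.append(("S", text))

    for line in client_lines:
        transcript.append(("C", line))
        if in_data:                               # body until a lone "."
            if line == ".":
                accepted.append((mail_from, list(rcpts), "\n".join(body)))
                in_data, mail_from, rcpts, body = False, None, [], []
                reply("250 2.0.0 queued")
            else:                                 # undo dot-stuffing
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply(f"250-{HOST}\r\n250 AUTH PLAIN" if require_auth else f"250 {HOST}")
        elif verb == "AUTH":                      # AUTH PLAIN b64("\0user\0pass")
            try:
                _, user, pw = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (IndexError, ValueError):
                reply("501 5.5.2 cannot decode credentials")
                continue
            authed_as = user if USERS.get(user) == pw else None
            reply("235 2.7.0 authenticated" if authed_as else "535 5.7.8 authentication failed")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip("<> ")
            if require_auth and authed_as is None:
                reply("530 5.7.0 authentication required")
            elif require_auth and sender.lower() != authed_as:
                reply("553 5.7.1 sender does not match authenticated user")
            else:
                mail_from = sender
                reply("250 2.1.0 sender ok")
        elif verb == "RCPT":
            if mail_from is None:
                reply("503 5.5.1 MAIL first")
            else:
                rcpts.append(arg.split(":", 1)[1].strip("<> "))
                reply("250 2.1.5 recipient ok")
        elif verb == "DATA":
            if not rcpts:
                reply("503 5.5.1 RCPT first")
            else:
                in_data = True
                reply("354 end data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            reply("221 2.0.0 bye")
            break
        else:
            reply("500 5.5.1 command unrecognized")
    return transcript, accepted


# Constructed session: the client claims to be Facebook without any login.
SPOOFED_SESSION = [
    "EHLO attacker.test", "MAIL FROM:<admin@facebook.com>",
    "RCPT TO:<me@abiusx.com>", "DATA",
    "From: admin@facebook.com", "", "Click here to reset your password.",
    ".", "QUIT",
]


def open_relay_senders():
    """Senders the open relay queued: the forged address goes straight through."""
    _, accepted = smtp_session(SPOOFED_SESSION, require_auth=False)
    return [m[0] for m in accepted]


def authenticating_server_result():
    """Same session against the authenticating server: nothing is queued and
    the MAIL FROM command is answered with 530 (the third server reply)."""
    transcript, accepted = smtp_session(SPOOFED_SESSION, require_auth=True)
    return [l.split()[0] for d, l in transcript if d == "S"], accepted


def authenticated_session():
    """A legitimate user logs in first and sends as their own mailbox."""
    creds = base64.b64encode(b"\0me@abiusx.com\0hunter2").decode()
    session = ["EHLO laptop.test", "AUTH PLAIN " + creds,
               "MAIL FROM:<me@abiusx.com>", "RCPT TO:<friend@example.test>",
               "DATA", "Hello", ".", "QUIT"]
    _, accepted = smtp_session(session, require_auth=True)
    return accepted
```

Reading the transcript from open_relay_senders() shows why the From: header proves nothing: the relay answered "250 sender ok" to MAIL FROM:<admin@facebook.com> without ever asking who the client was. The authenticating variant is what large providers run for submission; it does not stop a stranger's server elsewhere on the Internet from delivering a forged message to your mailbox, which is where signatures and sender checks come in.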

Back to the theory

POP, usually as POP3, is the old-school mail retrieval protocol. The mail client uses it to download all messages from the server, typically deleting them there afterwards. The protocol is very limited and weak, much like FTP: there are no server-side folders or message state, and everything, including the password, travels in the clear unless the connection is wrapped in SSL/TLS.

IMAP, on the other hand, is a far more capable retrieval protocol: messages and folders stay on the server and the client synchronizes with them, so several devices can share one mailbox. POP and IMAP are alternatives to each other. There were days when few mail servers offered IMAP; now almost every mail server provides full IMAP support. GMail's IMAP server is imap.gmail.com (keep in mind that this is the host for the IMAP protocol, not HTTP, so pointing your browser at it would not bring up anything). Like POP3, IMAP only protects your login and your mail if it is run over SSL/TLS.


L2TP on Ubuntu 10.04 LTS

Written by AbiusX on . Posted in Computer, English, Network

This post is a tutorial on running an L2TP over IPsec VPN server for proxy purposes on an Ubuntu 10.04 LTS server. Before we get practical, let's review some theory:

What is VPN?

A Virtual Private Network is a technology developed mainly to create virtual local networks spread across a wide geographic area. For example, we have a data center and a sizable network in Bandar Abbas that needs constant maintenance and connectivity to our main servers and offices back in Tehran. We want one local network consisting of our office networks and the Bandar Abbas network, but since they are geographically separated we cannot make them local, so we cheat and create a virtual private (local) network, hence VPN.

Specifically, we start a VPN server on our Bandar Abbas hub server (main.rajaei.abx.ir), then create a VPN connection from our computer (or router) and connect to it. It is as if we had just plugged an Ethernet cable into our system that is directly connected to the whole Bandar Abbas network. After that we can simply connect to our surveillance server at 192.168.0.220 (a Bandar Abbas network IP, not one of ours) with any application.

As you might have guessed, since a VPN is usually established over the Internet, the most important thing to expect from it is data transmission security. No third party on the route should be able to sniff our corporate data, right? Security is nearly the whole point of a VPN.

So what are PPTP, L2TP, IPsec, SSTP, etc.?

VPN is a concept. It is also a technology, but many protocols and combinations of technologies provide it. The simplest form is PPTP, the Point-to-Point Tunneling Protocol. It is easy to set up, easy to connect to and fast; setting up a PPTP server on Ubuntu takes less than five minutes. The problem with PPTP is its encryption. PPTP encrypts with MPPE (RC4), whose keys are derived from the MS-CHAPv2 authentication exchange, and MS-CHAPv2 is weak enough that an attacker who captures that exchange can recover the password hash offline, and with it the encryption keys. So a hacker listening while client and server set up the session can read their traffic.

Then there is OpenVPN, which is fully open source and solid, but since Windows ships no built-in client for it, few people use it. SSTP is Windows-only and tunnels PPP over SSL/TLS, similar in spirit to the IPsec layer underneath L2TP.

The other widely used VPN technology is L2TP, which relies on IPsec (a network-layer protocol) for its security. IPsec's key exchange, IKE, uses Diffie-Hellman to agree on the session keys, so a third party listening on the wire learns nothing that lets it compute them; the two peers then authenticate each other either with certificates from a PKI (Public Key Infrastructure) or with a PSK (Pre-Shared Key). One caveat: with a PSK, IKEv1 aggressive mode sends a hash derived from the PSK and public values in the clear, which a listener can brute-force offline, so use main mode with a long random PSK, or better, certificates.

L2TP is technically L2TP over IPsec: IPsec (IKE, then ESP) first establishes the protected channel between the two systems; then the Layer 2 Tunneling Protocol (UDP port 1701) runs inside it and carries the PPP session that provides the actual networking and VPN functionality.
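The Diffie-Hellman plus pre-shared-key idea behind IKE, as an added example written for this article (it is not code from the original post, and not a real IKE implementation, which has more messages, nonces, cookies and a standard MODP group): two peers derive a session key from their DH secret and the PSK, then authenticate each other with an HMAC over the public values. The group parameters P and G, the key derivation and the tag format are simplifications chosen for the demonstration.

```python
"""Toy IKE-style key agreement, added for this article (not from the post and
not a real IKE implementation).  Two peers agree on a key with Diffie-Hellman
over a public channel, then each proves it holds the same pre-shared key with
an HMAC over the exchange.  A sniffer sees only the public values and tags."""
import hashlib
import hmac
import secrets

# Toy group: a known Mersenne prime and a small generator.  Real IKE uses the
# RFC 3526 MODP groups (2048 bits and up); this one just keeps numbers short.
P = 2 ** 127 - 1
G = 5
NBYTES = 16            # every value mod P fits in 16 bytes


class Peer:
    def __init__(self, psk):
        self.psk = psk                                  # never sent
        self._priv = secrets.randbelow(P - 2) + 1       # never sent
        self.pub = pow(G, self._priv, P)                # sent in the clear
        self.session_key = None

    def derive(self, peer_pub):
        """g^(ab) mod p mixed with the PSK, in the spirit of IKE's SKEYSEED:
        a wrong PSK gives a different key, and the PSK itself never leaves."""
        shared = pow(peer_pub, self._priv, P)
        self.session_key = hashlib.sha256(
            shared.to_bytes(NBYTES, "big") + self.psk).digest()

    def auth_tag(self, peer_pub):
        """MAC over (my_pub || peer_pub) under the session key."""
        msg = self.pub.to_bytes(NBYTES, "big") + peer_pub.to_bytes(NBYTES, "big")
        return hmac.new(self.session_key, msg, hashlib.sha256).digest()

    def verify(self, peer_pub, tag):
        """Check the peer's tag, which it computed over (peer_pub || my_pub)."""
        msg = peer_pub.to_bytes(NBYTES, "big") + self.pub.to_bytes(NBYTES, "big")
        expected = hmac.new(self.session_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def handshake(client_psk, server_psk):
    """Run the exchange.  Returns (wire, client_ok, server_ok, keys_match);
    wire is exactly what a passive sniffer on the path captures."""
    c, s = Peer(client_psk), Peer(server_psk)
    wire = {"client_pub": c.pub, "server_pub": s.pub}
    c.derive(s.pub)
    s.derive(c.pub)
    wire["client_tag"] = c.auth_tag(s.pub)
    wire["server_tag"] = s.auth_tag(c.pub)
    client_ok = c.verify(s.pub, wire["server_tag"])
    server_ok = s.verify(c.pub, wire["client_tag"])
    return wire, client_ok, server_ok, c.session_key == s.session_key


if __name__ == "__main__":
    # Constructed PSKs: matching ones authenticate, a mismatch is rejected.
    print("same psk  :", handshake(b"correct horse", b"correct horse")[1:])
    print("wrong psk :", handshake(b"correct horse", b"battery staple")[1:])
```

A sniffer captures `wire` (two public values and two tags) and nothing else; without one of the private exponents it cannot compute g^ab mod p, so it cannot even test a PSK guess against the captured tags. That is the difference from PPTP, where the captured MS-CHAPv2 handshake alone is enough to attack the password offline, and it is also why IKEv1 aggressive mode is weaker than main mode: there the authenticating hash depends only on public values and the PSK, which is exactly the shortcut this construction avoids by mixing the DH secret into the key first.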

VPN as a means of proxy

In many cases a VPN is used the way proxy servers are: to bypass certain restrictions and/or for privacy. Since a VPN works at the network layer, a VPN-based proxy carries every kind of network connection, not just the web or videos. Everything, from peer-to-peer connections to DNS lookups, goes over the VPN.

To use a VPN as a proxy, we simply connect to a VPN far away (usually outside the filtering region, if we are trying to bypass regional filtering) and use its Internet connection. It is as if our Internet gateway were not our own modem but the computer at the VPN end.

VPN technologies (PPTP, L2TP, SSTP, OpenVPN, etc.) use well-known ports and have recognizable signatures. PPTP, for instance, needs TCP port 1723 plus the GRE protocol (IP protocol 47), so blocking it is trivial, and PPTP no longer works for more than a few seconds in Iran.

SSTP and L2TP are harder to block because they run inside SSL/TLS and IPsec respectively, and both of those are used for far more than VPNs. You might think it would be easy to drop all IPsec traffic to stop L2TP, and all SSL to stop SSTP, but online banking runs on SSL/TLS, and site-to-site links between offices and many corporate networks run on IPsec. Blocking them outright would break a large part of the Internet.

There is also no way to read the payload of IPsec or SSL encrypted packets (which carry the actual VPN traffic), so L2TP and SSTP cannot be stopped as easily. Keep in mind that the metadata is still visible: IKE on UDP ports 500 and 4500 and ESP (IP protocol 50) are easy to recognize, so a censor willing to accept the collateral damage can still block them. What they cannot do is tell a VPN apart from any other IPsec use by looking inside.

Let's get dirty


Copyright (C) 2007 by AbiusX.com, contents of AbiusX.com are personal and are not views of any employers.