CSAW 2014 walkthrough – Fluffy No More

Fluffy No More was a Forensics 300-point challenge at CSAW 2014. The backstory seemed kind of funny and I thought I’d give it a shot!

Setup

The attached tarball contained a few additional tarballs:

  • Full /etc directory contents
  • Full /var/log directory contents
  • Full /var/www directory contents
  • A MySQL database dump file

The task was to determine the attacker’s ingress point as well as discover a key for the CTF challenge. I cover both points in the sections below.

CSAW 2014 walkthrough – pybabbies

pybabbies was an Exploitation 200 challenge during the CTF and I got “voluntold” to work on this one by my teammates since I have a strong Python background. The night was young and I felt pretty good about it, so I took a look.

Setting the scene

Connecting to that IP/port with netcat revealed a shell prompt indicating that I had connected to a Python sandbox environment. Python sandboxes are nothing new, and I had actually recently done some reading on a sandbox challenge from an older CTF writeup, so I felt pretty good about what I was getting myself into.

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members’ employers.