csaw-ctf2012-certapp
CSAW Cert App

An intentionally vulnerable Ruby/Rack SSL/TLS client-certificate application. It generates and distributes certificates and maintains a directory of public keys.

Authenticate as 'admin' to obtain the flag.

History

This was used as a challenge in NYU Poly's CSAW CTF 2012. 7 of 15 competing teams were able to solve it.

Solution

There's a writeup and an exploit

Requirements

  • Some version of Ruby >= 1.9.1 (ruby1.9.x)
  • Developer libraries for same (ruby1.9.x-dev)
  • A working mongodb installation
  • rubygems
  • bundler

Development Environment

The Development environment is configured to use Webrick. Sample CA and Server keypairs are generated on first run.

To install, type:

bundler install

To run:

rackup

Notes:

  • Both the CA certificate and public key must reside (or be symlinked) in the app's /keys directory.
      • If these are unavailable on first launch, both will be created.
      • You may wish to create your own keypairs.
  • Ruby 1.8.7 should work, but bundle fails to install Webrick. Feel free to troubleshoot if you'd prefer.

Production Environment

The Production environment has been tested under nginx with Phusion Passenger.

A sample nginx server block looks like this:

server {
    listen       443;
    root /path/to/certapp/public;
    passenger_enabled on;

    ssl                  on;
    ssl_certificate      /path/to/keys/cert.pem;
    ssl_certificate_key  /path/to/keys/cert.key;
    ssl_client_certificate /path/to/keys/ca.crt;
    ssl_verify_client optional;
    passenger_set_cgi_param     SSL_CLIENT_CERT $ssl_client_raw_cert;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
}

Notes:

  • The client certificate is passed to the app as the SSL_CLIENT_CERT CGI parameter.
  • The server keypair must be made available to nginx.
  • The CA certificate (but not the CA key) must be made available to nginx.
  • Both the CA certificate and public key must also reside (or be symlinked) in the certapp's /keys directory.
      • If these are unavailable on first launch, a CA will be created. It must match the CA certificate used by nginx for proper operation.
      • You may wish to create your own CA keypair.
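For contrast with the intentionally vulnerable app, here is an added example (not the challenge's own code) of how a Rack handler should treat the PEM that arrives in the SSL_CLIENT_CERT parameter: verify the chain against the CA before trusting any name in the subject. The CA and client certificates are generated in memory as constructed sample data; the real app loads its keypairs from /keys, and `make_cert` and `authenticated_user` are names chosen for this example.

```ruby
require 'openssl'

# Build an X.509v3 certificate signed by issuer_key (self-signed when
# issuer_cert is nil). Constructed sample data only.
def make_cert(subject, issuer_cert, issuer_key, key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Throwaway CA standing in for the keypair the app keeps under /keys.
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Test CA', nil, CA_KEY, CA_KEY, 1, ca: true)

# Take the PEM nginx forwarded in SSL_CLIENT_CERT ($ssl_client_raw_cert)
# and return the CN only if the certificate chains to our CA (signature
# and validity window checked by the store). A parseable certificate
# with the right subject but the wrong issuer is rejected; so is
# missing or malformed input.
def authenticated_user(env, ca_cert = CA_CERT)
  pem = env['SSL_CLIENT_CERT'].to_s
  return nil if pem.strip.empty?
  cert = OpenSSL::X509::Certificate.new(pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  return nil unless store.verify(cert)
  cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }
  cn && cn[1]
rescue OpenSSL::X509::CertificateError
  nil
end
```

Wire `authenticated_user(env)` into the Rack call path and compare its return value, not the raw subject string, against the account you are authorising.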