/csaw2012_cert_app

csaw-ctf2012-certapp
  1. Ruby 100.0%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
lib
public
solution Update solution/writeup.md Feb 5, 2013
tmp
views
Gemfile
README.md
config.ru

README.md

CSAW Cert App

An intentionally vulnerable ruby/rack SSL/TLS Client Certificate application. Generates and distributes certs, and maintains a directory of public keys.

Authenticate as 'admin' to obtain the flag.

History

This was used as a challenge in NYU Poly's CSAW CTF 2012. 7 of 15 competing teams were able to solve it.

Solution

There's a writeup and an exploit

Requirements

  • Some version of Ruby >= 1.9.1 (ruby1.9.x)
  • Developer libraries for same (ruby1.9.x-dev)
  • A working mongodb installation
  • rubygems
  • bundler

Development Environment

The Development environment is configured to use Webrick. Sample CA and Server keypairs are generated on first run.

To install, type;

bundler install

To run

rackup

Notes:

  • Both CA certificate and public key must reside (or be symlinked) in the app's /keys directory ** If these are unavailable on first launch, both will be created. ** You may wish to create your own keypairs
  • Ruby 1.8.7 should work, but bundle fails to install Webrick. Feel free to troubleshoot if you'd prefer.

Production Environment

The Production environment has been testing under nginx with Phusion Passenger.

A sample nginx config will include:

server {
    listen       443;
	root /path/to/certapp/public;
	passenger_enabled on;

    ssl                  on;
    ssl_certificate      /path/to/keys/cert.pem;
    ssl_certificate_key  /path/to/keys/cert.key;
	ssl_client_certificate /path/to/keys/ca.crt;
	ssl_verify_client optional;
	passenger_set_cgi_param	    SSL_CLIENT_CERT $ssl_client_raw_cert;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
}

Notes:

  • The client certificate is passed as an SSL_CLIENT_CERT cgi parameter.
  • Server keypair must be made available to nginx
  • The CA certificate (but not key) must be made available to nginx
  • Both CA certificate and public key must also reside (or be symlinked) in the certapp's /keys directory ** If these are unavailable on first launch, a CA will be created. It must match the CA cert used by nginx for proper operation. ** You may wish to create your own CA keypair