csaw-ctf2012-certapp

CSAW Cert App

An intentionally vulnerable Ruby/Rack SSL/TLS client-certificate application. It generates and distributes certificates and maintains a directory of public keys.

Authenticate as 'admin' to obtain the flag.

History

This was used as a challenge in NYU Poly's CSAW CTF 2012. 7 of 15 competing teams were able to solve it.

Solution

There's a writeup (solution/writeup.md) and an exploit in the solution directory.

Requirements

  • Some version of Ruby >= 1.9.1 (ruby1.9.x)
  • Developer libraries for same (ruby1.9.x-dev)
  • A working mongodb installation
  • rubygems
  • bundler

Development Environment

The development environment is configured to use WEBrick. Sample CA and server keypairs are generated on first run.

To install, type:

bundler install

To run:

rackup

Notes:

  • Both the CA certificate and public key must reside (or be symlinked) in the app's /keys directory. If these are unavailable on first launch, both will be created. You may wish to create your own keypairs.
  • Ruby 1.8.7 should work, but bundle fails to install WEBrick. Feel free to troubleshoot if you'd prefer.

Production Environment

The production environment has been tested under nginx with Phusion Passenger.

A sample nginx config will include:

server {
    listen                 443;
    root                   /path/to/certapp/public;
    passenger_enabled      on;

    ssl                    on;   # deprecated in current nginx in favour of "listen 443 ssl;"
    ssl_certificate        /path/to/keys/cert.pem;
    ssl_certificate_key    /path/to/keys/cert.key;
    ssl_client_certificate /path/to/keys/ca.crt;
    # "optional" asks for a client cert but lets the handshake proceed without one;
    # the application has to decide what an absent certificate means.
    ssl_verify_client      optional;
    # Expose the PEM client cert to the Rack app as the SSL_CLIENT_CERT CGI variable.
    passenger_set_cgi_param SSL_CLIENT_CERT $ssl_client_raw_cert;
    ssl_session_timeout    5m;
    ssl_protocols          SSLv3 TLSv1;   # 2012-era setting; SSLv3 is obsolete and disabled in modern OpenSSL/nginx builds
    ssl_ciphers            HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}

Notes:

  • The client certificate is passed to the application as the SSL_CLIENT_CERT CGI parameter.
  • The server keypair must be made available to nginx.
  • The CA certificate (but not its key) must be made available to nginx.
  • Both the CA certificate and public key must also reside (or be symlinked) in the certapp's /keys directory. If these are unavailable on first launch, a CA will be created; it must match the CA cert used by nginx for proper operation. You may wish to create your own CA keypair.
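As an added example (not the challenge's own code, which lives in the repository), here is a minimal Rack application showing how the SSL_CLIENT_CERT CGI parameter described above should be consumed: the PEM handed over by nginx is parsed, re-verified against the CA certificate before its subject is trusted, and only then is the CN compared to 'admin'. The make_cert helper and the CertApp class are constructed for this illustration, and the CA is generated in memory rather than read from the app's /keys directory.

```ruby
require 'openssl'

# Constructed fixture helper: build a CA, or a leaf cert signed by the given issuer.
def make_cert(subject, issuer_cert, issuer_key, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Hypothetical Rack app (not the repository's): nginx passes the PEM client cert in
# SSL_CLIENT_CERT; we re-verify it against the CA instead of trusting the CN as-is.
class CertApp
  def initialize(ca_cert)
    @store = OpenSSL::X509::Store.new
    @store.add_cert(ca_cert)
  end

  # CN of a CA-signed client certificate, or nil if absent, unparsable or untrusted.
  def authenticated_cn(env)
    raw = env['SSL_CLIENT_CERT']
    return nil if raw.nil? || raw.empty?
    cert = OpenSSL::X509::Certificate.new(raw)
    return nil unless @store.verify(cert)
    cn = cert.subject.to_a.find { |name, _, _| name == 'CN' }
    cn && cn[1]
  rescue OpenSSL::X509::CertificateError
    nil
  end

  def call(env)
    cn = authenticated_cn(env)
    return [401, { 'Content-Type' => 'text/plain' }, ["client certificate required\n"]] unless cn
    return [403, { 'Content-Type' => 'text/plain' }, ["#{cn}: admin only\n"]] unless cn == 'admin'
    [200, { 'Content-Type' => 'text/plain' }, ["FLAG_PLACEHOLDER for #{cn}\n"]]
  end
end
```

With ssl_verify_client set to optional, a request without a certificate still reaches the app, which is why the missing-parameter case must map to 401 rather than to an anonymous identity.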