Road to DerbyConCTF
There are two things I positively enjoy: deconstructing complex concepts into neat little boxes and checking off boxes. It's why I love computers, games and designing projects. I live for checking off those boxes.
Some self reflection has helped me realize that all my certifications and degrees have been a means for me to get my box-checking fix while increasing my knowledge. However, that shiny piece of paper is just what a small number of people feel is important about the given subject. While that is a safe comfort zone for me, it's time I stepped out of it. So instead of chasing knowledge within the safe confines of the ivory tower, I decided I need to come up with my own plan to reach a different goal. I am going to come up with a plan to compete at DerbyConCTF and share it online as I go through it.
To think I will benefit from this is probably a bit delusional. After all, people are critical and rarely forget. On the web everyone else is an expert and they will let you know it. So this should be a nice humbling experience for me.

Day 1: 28 Days remaining: Metasploitable 2 up and running. I have reviewed the FTP, SSH and SMTP exploits, not just running the msfconsole but also reviewing the protocol and how the commands work. Little things are always interesting to go back over. I forgot how FTP only allows retrieving one file at a time and learned that my Kali VM was not large enough to start the database.

Day 4: 25 Days remaining: Oh Armitage. That sweet cheat button that lets me click and instantly script-kiddy my way through everything that was laid out for me. It reminds me of Core Impact and how easy that made everything when it was properly working. I'm about halfway through the vulnerabilities in Metasploitable 2. I have doubled back for some basic stuff that I keep forgetting in Linux. Got stuck with DNS exploits, password cracking with Hashcat is being really flippin' weird and my new Pineapple PineAP doesn't really want to play right now. I really should find a new vulnerable VM (or 12) so I can set up and practice some pivoting.

Day 13: 16 Days remaining: I have made it through 75% of my Metasploitable 2 plan. I have gotten the pulling of files, adding users and all that on-the-box stuff down pat. The unfortunate aspect of this is that my list of things to do has now grown by leaps and bounds.
I tried to get the Raspberry Pi Rangebox working but the file just won't load. So instead I have taken my old Pineapple and turned it into a beatdown box. TX/RX is now holding the AP, which is broadcasting WEP. My antennas are all up and running. Turns out I just had to update the drivers a little better.
I had a friend walk through what he is doing for OSCP. I know which cert I'm going for next! It looks exciting and fun filled! Will have to wait until January I think, but then I should be set.
Password cracking picked up several useful trinkets, including PACK to develop masks and HashTag, which nicely splits out hashes by type. It also led to some anger as I have learned that sometimes a -m 110 list is really a -m 100 list… infuriating.
Next time I should have something fleshed out on pivoting and reverse shells.

What a crazy two weeks leading up to Derbycon. So much for continuously blogging my journey.
My prep work seems to be a blur up to the CSAW CTF. The great qualifier round helped show me just how bad I was at a great many things, and yet how broad my grasp of the topics was. I was slightly disappointed that I spent so much time on "Silk Goat", which turned out to not work. I still got quite a few points, and considering I was working by myself I feel proud about my progress. After time and reflection I came away with two big points: 1) Manage your time. 2) Google more.
Derbycon's web training taught by Scott White had its ups and downs. On the positive side, I have never had a better explanation of SQL injections or demonstrations of how to walk through them. I had never used DirBuster before and never had such good examples of Burp Suite. It makes me somewhat sad that my pro license lapsed. Unfortunately, Shellshock had me running around and missing a large amount of training for work. Which is a shame, since the hands-on material on Scott's custom server was amazing but proprietary.
Oh Derbycon CTF. With over 1000 flags and plenty of room to explore, I have fallen in love. Set up with hardlines and wireless, the network was like a wonderland. I'm pretty sure I did not see all the boxes in play and I should have scanned quite a bit more. Best part: whenever someone scored, a goat bleating sounded across the room.
My first day I ventured alone, trying to make my Mac/Kali simply connect through the hostile network while running back to the hotel to field questions regarding Shellshock. Most of my VMs didn't have enough hard drive space to completely update and Armitage wasn't loading. So you do what you should always do… fall back to old defaults and move on.
The WEP key on the wireless network was quickly broken but sadly it was not a flag. Inside were two other boxes which promised easy points. 3 hours later I still had none and had to retreat back to the hotel. It's pretty disheartening for that to happen. Training a month for something and sitting in last place is a bad thing.
The "fappening" database let me play with many of the things that I had seen in the training, which stands to reason since Scott had designed it. It was the first points I got through a SQL injection. Then it quickly led to grabs for more and more points. This is where it all started to turn around for me.
A big decision for me was to start working with a team. I had wanted to go this alone, which in hindsight was noble but stupid. I joined team DFWTF, who had some people I knew from Derbycon Training, Burboncon and SANS Houston. I'm glad I did because I got further and learned more than if I had gone alone.
Armitage was helpful for a box with an SMB exploit. I should know this easily. Of course a Windows 2003 box is vulnerable, but the Hail Mary option popped it and let me wander around the box, stealing credentials. However, I had serious troubles with decrypting the passwords. Armitage pulled them in but did not run cracking well. Through much john and hashcat I finally gave up to move on to other things. My teammates were able to crack them a little later.
One of the interesting services online was the anonymous FTP. Aha, I had studied this! It was probably the first thing I had actually studied in the past month that was helpful to me. There is a hidden file that we were supposed to debug. Although I ran it through IDA Pro and Olly I didn't find the strings. There is a fantastic writeup here:
http://chigstuff.com/blog/2014/09/30/derbycon-4-dot-0-ctf-trndocs-elf-binary-reverse-engineering-and-debugging/
Most of the flags I had found were from searching in odd areas and continually prodding the boxes. Web applications were plentiful, and while they got me a majority of my points I can't help but feel I was lucky more than clever. My WEP password also turned out to be a flag!
In the last minutes, I had grabbed a handshake for the WPA wireless and was furiously trying to crack it. Our team was 7th during the event, and just a minute before the end zf0 scored. We were just barely knocked down to 8th at the last minute. It was exciting until the end, and while nobody from our team was able to get our hard-won prize during the closing ceremony, I was still excited all the way home.
About an hour into the flight, while writing an after action review, I noticed that my VM was still running. The WPA flag was cracked and decrypted an hour too late.
