DEV Community

Antoinette Maria
Capture the Flag: It's a game for hack...I mean security professionals

My First Big Girl Capture the Flag Competition

Last weekend I attended BSides Iowa, a smaller security conference held in Des Moines, and competed in my first capture the flag competition as a security professional. Before you start picturing large open fields and physical exertion: Capture the Flag competitions are games for security offense professionals, a.k.a. what most people would call hackers (red team), for security defense professionals (blue team), and for everyone who falls in between. During a CTF, players compete against one another on their computers to solve challenges.

There are different types of CTF competitions: jeopardy style, with a game board of challenges, and attack-defense (red team vs. blue team) style, where players actively attack and defend network infrastructure. I'll be focusing on the jeopardy style CTF here.

Typically, jeopardy-style CTFs are broken down into categories (these differ based on who is running the event, but a few, like cryptography and packet analysis, are near constants), and each category has a set of challenges the player needs to solve in order to find the flag. The flag is usually a string of text that the player then enters into the game board to get their points. The more points a challenge is worth, the more difficult it is (presumably) to solve.

"7.5 hours, a plate of fries, 2 slices of pizza, and two aspirins later I shut down my computer ending up with 3,250 points and 6th place."

The BSides Iowa CTF was facilitated by SecDSM, our local user group for network and information security professionals in the Des Moines area. The CTF had 6 categories: Airwaves, Crypto, Network Forensics, Pwned, Host Forensics, and Let's Get Physical (lock picking and locksmithing). Beginning at 10am, roughly 20 other people and I had 8 hours to complete the CTF.

7.5 hours, a plate of fries, 2 slices of pizza, and two aspirins later I shut down my computer, ending up with 3,250 points and 6th place. I'd chosen to stick pretty close to my skill set and didn't really branch out into categories for which I didn't possess prior knowledge. I ended up solving all 7 of the Network Forensics challenges, 2 of 8 Host Forensics challenges, and 3 of 6 Crypto challenges. For many of these challenges I was either the first person to solve them or in the top 3. Not too shabby for my first big girl CTF.

"The real fun of the CTF is the feeling you get when you've used real exploits and tactics to find a flag and it actually works (you've hacked something)."

This was a good beginner's competition and it helped me to feel like I truly belong in my field. At times, especially in technical careers, it's easy to fall prey to imposter syndrome. This CTF alleviated any doubt that I had about my skills. I know that I still have a lot to learn, but I also know that I'm not just doing the 'fake it until you make it' thing either. This was also a really fun way to exercise my brain and expand upon my security knowledge. Even though I stayed pretty close to what I knew, I learned a lot of new things while solving the challenges that I didn't know about or know how to do before. Some developers build applications on the side in order to learn new things, but security professionals hack and compete to pick up new skills.

The real fun of the CTF is the feeling you get when you've used real exploits and tactics to find a flag and it actually works (you've hacked something). The CTF is your chance to legally hack things (because unauthorized hacking is extremely illegal and you'll probably go to jail if you're caught).

Let's walk through a few of the challenges from the BSides Iowa SecDSM CTF.

Crypto Category

One of the more interesting crypto challenges was the steganography challenge. Steganography is the hiding of a secret message within another file (like an image), and it is a fairly common challenge in Capture the Flag competitions. There are many tools available online to detect a message hidden in an image file, as well as tools to extract those messages, but the cheap checks come first: look at what the file actually contains before reaching for a stego tool.

Steganography Challenge

[Image: Words-Have-Power.jpg, the challenge picture, which carries the words "words have power"]

That picture looks absolutely ordinary right? But if we take a look on the command line...

$ file Words-Have-Power.jpg 
Words-Have-Power.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 849x578, frames 3

Nothing special there, so let's try a hexdump:

$ hexdump -C Words-Have-Power.jpg

This returns a lot of output that I won't paste here, but here are the relevant bits:

0000a580  00 00 00 1e 00 00 00 08  00 00 00 66 6c 61 67 2e  |...........flag.|
0000a590  74 78 74 7d fa c9 4c 8f  fb d4 5e 8d 43 86 1f 63  |txt}..L...^.C..c|
0000a5a0  f9 f5 dd 12 d0 9d c7 e1  1d 50 5b 26 a5 32 7e ad  |.........P[&.2~.|
0000a5b0  94 04 3e a1 27 3b d4 e5  7f a4 f6 45 43 50 4b 01  |..>.';.....ECPK.|
0000a5c0  02 3f 03 14 03 01 00 00  00 bc 0c 94 4a 21 ff 41  |.?..........J!.A|
0000a5d0  1a 2a 00 00 00 1e 00 00  00 08 00 24 00 00 00 00  |.*.........$....|
0000a5e0  00 00 00 20 80 a4 81 00  00 00 00 66 6c 61 67 2e  |... .......flag.|
0000a5f0  74 78 74 0a 00 20 00 00  00 00 00 01 00 18 00 80  |txt.. ..........|
0000a600  63 53 a4 a0 b9 d2 01 80  70 f5 17 a1 b9 d2 01 80  |cS......p.......|
0000a610  63 53 a4 a0 b9 d2 01 50  4b 05 06 00 00 00 00 01  |cS.....PK.......|
0000a620  00 01 00 5a 00 00 00 50  00 00 00 00 00           |...Z...P.....|

Now we know the flag is in a text file, and from the last lines we can tell there's a zip archive hidden in the JPEG: the 50 4b 01 02 ("PK\x01\x02") just before the second flag.txt is a zip central-directory file header, and the 50 4b 05 06 ("PK\x05\x06") on the last line is the end-of-central-directory record that unzip searches for from the end of a file. Image viewers stop at the JPEG's end-of-image marker, so an archive appended after it never shows up in the picture but is sitting right there on disk. Strictly speaking that makes this a polyglot file rather than steganography, which the flag itself pokes fun at.

If we try to unzip it..

$ unzip Words-Have-Power.jpg
Archive:  Words-Have-Power.jpg
warning [Words-Have-Power.jpg]:  42349 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[Words-Have-Power.jpg] flag.txt password: 

Now we have a prompt for a password. If we try 'wordshavepower' (the words in the image)...

$ unzip Words-Have-Power.jpg
Archive:  Words-Have-Power.jpg
warning [Words-Have-Power.jpg]:  42349 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[Words-Have-Power.jpg] flag.txt password: 
 extracting: flag.txt         

Awesome! Let's see what the file says:

$ cat flag.txt 
flag{not_stego_not_even_once}
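The same check scripted, as an added example (my code, not the author's tooling): it does what hexdump plus a trained eye did above, locating the end-of-central-directory record from the back of the file, walking the central directory to list members and whether they are password-protected, and reporting how many leading bytes belong to the JPEG (the 42349 that unzip warned about). The sample file is constructed inline (a stub JPEG plus an unencrypted zip holding a made-up flag), since the original Words-Have-Power.jpg isn't on the page; zipfile can't write ZipCrypto archives, so for a password-protected original you'd pass pwd= to extract_member, which zipfile does support for reading.

```python
import io
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record (the 50 4b 05 06 in the hexdump)
CD_SIG = b"PK\x01\x02"     # central-directory file header (the 50 4b 01 02 before flag.txt)
JPEG_SOI = b"\xff\xd8"     # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"     # JPEG end-of-image marker; viewers stop reading here


def find_appended_zip(data: bytes):
    """Locate a zip archive glued onto the end of some other file.

    Returns None if there is no archive, otherwise a dict with the number of
    leading non-zip bytes (what `unzip` calls 'extra bytes at beginning') and
    the (name, encrypted?) pairs read from the central directory.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return None
    # EOCD body after the 4-byte signature: disk no, cd disk, entries on this disk,
    # entries total, cd size, cd offset (relative to archive start), comment length
    _, _, _, n_total, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd + 4:eocd + 22])
    cd_start = eocd - cd_size              # where the directory really sits in the file
    if data[cd_start:cd_start + 4] != CD_SIG:
        return None
    extra = cd_start - cd_offset           # bytes in front of the archive (the JPEG)

    entries = []
    pos = cd_start
    for _ in range(n_total):
        # 46-byte central-directory header; fields 3, 10, 11, 12 are
        # general-purpose flags, name length, extra length, comment length
        hdr = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, name_len, extra_len, comment_len = hdr[3], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x1)))   # bit 0 = traditional PKWARE encryption
        pos += 46 + name_len + extra_len + comment_len
    return {"extra_bytes": extra, "entries": entries,
            "looks_like_jpeg": data.startswith(JPEG_SOI)}


def extract_member(data: bytes, name: str, password: Optional[bytes] = None) -> bytes:
    """Pull one member out of the embedded archive. zipfile skips the leading
    bytes on its own, just as `unzip` did after printing its warning."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=password)


def build_sample_polyglot() -> bytes:
    """Constructed stand-in for Words-Have-Power.jpg: a minimal JPEG-shaped stub
    followed by an unencrypted zip that holds a flag.txt with a made-up flag."""
    jpeg_stub = JPEG_SOI + b"\xff\xe0" + bytes(120) + JPEG_EOI   # 126 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}\n")
    return jpeg_stub + buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_polyglot()
    print(find_appended_zip(blob))
    print(extract_member(blob, "flag.txt").decode())
```

On a real file, read it with open(path, "rb").read() and hand the bytes to find_appended_zip; if the entry list shows encrypted=True you are looking at the password prompt from above, and the password is whatever the challenge hints at (here, the words in the picture).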

Cipher Challenge

Another one of the challenges was a cipher challenge to decode:
pcyv{mvac_flt_bg_kdzja_xoksvp_iaof_u4}

At first glance I thought it might be a Caesar cipher, but no dice. The next most common cipher in CTFs is the Vigenère cipher. The tell is that the braces, underscores and the digit pass through untouched while every letter changes, and because flags start with "flag{", the first four letters of the ciphertext are known plaintext from which the start of the key can be recovered. A quick Google search later and an online solver did the rest.

[Image: screenshot of the online Vigenère solver]
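Here is that known-plaintext step worked out in code. It is an added example, not the author's solver: key_from_crib() turns the "flag{" crib into the first four key letters (KRYP), and vigenere() then decrypts with a full key. The full key KRYPTOS is my own guess at the word those four letters begin; the post never states the key or the plaintext, but this guess turns the whole string into readable text, which is the check that it is right.

```python
# Ciphertext as printed in the post. Braces, underscores and the digit pass through
# untouched, the first hint that only letters are being substituted.
CIPHERTEXT = "pcyv{mvac_flt_bg_kdzja_xoksvp_iaof_u4}"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter by its key letter; the key advances only on letters, so
    punctuation and digits line up the same way on both sides."""
    key = key.lower()
    out, k = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = ord(key[k % len(key)]) - ord("a")
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        k += 1
    return "".join(out)


def key_from_crib(ciphertext: str, crib: str) -> str:
    """Known-plaintext step: key letter = ciphertext letter - plaintext letter (mod 26),
    for as many letters as the crib supplies."""
    c_letters = [c.lower() for c in ciphertext if c.isalpha()]
    p_letters = [p.lower() for p in crib if p.isalpha()]
    return "".join(chr((ord(c) - ord(p)) % 26 + ord("A"))
                   for c, p in zip(c_letters, p_letters))


def solve(ciphertext: str, crib: str = "flag{", key_guess: str = "KRYPTOS") -> str:
    """Recover the key prefix from the crib, then decrypt with a guessed full key that
    must extend the recovered prefix. KRYPTOS is an assumption, not stated in the post."""
    prefix = key_from_crib(ciphertext, crib)
    if not key_guess.upper().startswith(prefix):
        raise ValueError(f"{key_guess!r} does not extend the recovered prefix {prefix!r}")
    return vigenere(ciphertext, key_guess, decrypt=True)


if __name__ == "__main__":
    print(key_from_crib(CIPHERTEXT, "flag{"))
    print(solve(CIPHERTEXT))
```

With a longer ciphertext and no obvious key word you would fix the key length first (index of coincidence or Kasiski) and score each key position by letter frequency; with a flag this short, extending the four recovered letters to a plausible word and reading the output is faster.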

The other challenges in this category required conversions from binary, Base64, Base32, or Base16 to ASCII, or the decryption of a file encrypted with AES (I didn't finish that one).

Host Forensics Category

The challenges required the player to download a Windows memory dump and analyze it to find the name of the malware that ran and the C2 (command and control) IP address and port.

This particular category was the closest I came to trying something out of my realm of knowledge. I've never had to do forensics on a Windows machine, but Google is a friend to all. I found that I could use a command line tool called Volatility to analyze the dump and find the flags.

After downloading the file, I ran the file command to get a better idea of what I was looking at because if you try to simply cat the file you'll get a bunch of gibberish.

$ file memory.dmp
memory.dmp: MS Windows 64bit crash dump, full dump, 2097152 pages

I've never looked at a crash dump, but a quick Google search led me to Volatility and the commands I needed to get up and running. (I also found a write up from another CTF with a similar challenge)

I began by looking at the network connections in the dump. If nothing else, I knew I could probably spot the connection to the C2 server.

[Image: Volatility netscan output listing the dump's network connections]

I noticed that the host's address, 10.0.10.103 (a private RFC 1918 address, so this is the box's own interface rather than anything external), had multiple outbound connections. I filtered for that IP and looked for connections out to a non-standard port (in this case, not port 80 or 443, which I treated as ordinary web traffic). That heuristic is a shortcut rather than a rule: plenty of real C2 deliberately talks on 80 or 443 precisely because it blends in, so outside a CTF you would also pivot on the owning process and the peer's reputation, not just the port.

$ volatility -f memory.dmp --profile=Win7SP1x64 netscan | grep 10.0.10.103
Volatility Foundation Volatility Framework 2.5
0x23d43aec0        UDPv4    10.0.10.103:138                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23d472ec0        UDPv4    10.0.10.103:137                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23da11b40        UDPv4    10.0.10.103:1900               *:*                                   2292     svchost.exe    2017-04-21 19:20:47 UTC+0000
0x23f434690        UDPv4    10.0.10.103:68                 *:*                                   904      svchost.exe    2017-04-21 19:35:12 UTC+0000
0x23f21f880        TCPv4    10.0.10.103:49662              174.127.99.252:4576  CLOSED           -1                      
0x23f471010        TCPv4    10.0.10.103:49682              98.139.199.205:443   CLOSED           -1                      
0x23fdbe3b0        TCPv4    10.0.10.103:139                0.0.0.0:0            LISTENING        4        System         
0x23f91c010        TCPv4    10.0.10.103:49665              165.254.114.16:80    CLOSED           -1                      
0x23faa0cd0        TCPv4    10.0.10.103:49698              63.250.200.63:443    CLOSED           -1                      

The only option was 174.127.99.252:4576, and that turned out to be the correct flag. (The CLOSED state and PID of -1 mean Volatility found the connection object in memory but could no longer tie it to a running process, so the port was the only lead the socket list could give; the next step had to come from somewhere else in the dump.)

The next challenge was to find out the exact malware that had infected the system. I used strings to search through the dump and filtered for the C2 IP address because I knew that the IP address was definitely tied to the malware.

$ strings -d memory.dmp | grep '174.127.99.252' | more -5
{"NETWORK":[{"PORT":4576,"DNS":"174.127.99.252"}],"INSTALL":true,"MODULE_PATH":"Ns/k/Erc.R","PLUGIN_FOLDER":"fDNTvmjCywD","JRE_FOLDER":"KRBDYF","JAR_FOLDER":"
HfItRcGAvMp","JAR_EXTENSION":"JFKuuO","ENCRYPT_KEY":"mZWoFgfReBJIoLFLZKsOOIaqn","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":true,"PLUGIN_EXTENSION":"TvEXt","
WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"kpjCTotwwxd","SECURITY":[{"REG":[{"VALUE":"\"SaveZoneInformation\"=dword:00000001\r\n","KEY":"[HKEY_CURRENT_USE
R\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments]"},{"VALUE":"\"LowRiskFileTypes\"=\".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg
;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;\"\r\n","KEY":"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Association

In all of that, the WEBSITE_PROJECT value gives the malware away: https://jrat.io, i.e. jRAT, a Java-based RAT (the JRE_FOLDER and JAR_* keys in the config are the other tell). "jrat.io" was also the flag.
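The two steps above scripted together, as an added example that is neither the author's nor Volatility's code: parse the netscan rows quoted above, rank outbound TCP peers on non-web ports, carve a jRAT-style JSON config out of a memory image, and confirm that the config's NETWORK entry names the same endpoint the socket list flagged. The netscan rows are copied from the post; the memory blob is constructed, with only the PORT, DNS, WEBSITE_PROJECT and JAR_NAME values taken from the strings output above.

```python
import json
import re

# Volatility netscan rows exactly as quoted in the post (banner line included so the
# parser has something to skip).
NETSCAN_OUTPUT = """\
Volatility Foundation Volatility Framework 2.5
0x23d43aec0        UDPv4    10.0.10.103:138                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23d472ec0        UDPv4    10.0.10.103:137                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23da11b40        UDPv4    10.0.10.103:1900               *:*                                   2292     svchost.exe    2017-04-21 19:20:47 UTC+0000
0x23f434690        UDPv4    10.0.10.103:68                 *:*                                   904      svchost.exe    2017-04-21 19:35:12 UTC+0000
0x23f21f880        TCPv4    10.0.10.103:49662              174.127.99.252:4576  CLOSED           -1
0x23f471010        TCPv4    10.0.10.103:49682              98.139.199.205:443   CLOSED           -1
0x23fdbe3b0        TCPv4    10.0.10.103:139                0.0.0.0:0            LISTENING        4        System
0x23f91c010        TCPv4    10.0.10.103:49665              165.254.114.16:80    CLOSED           -1
0x23faa0cd0        TCPv4    10.0.10.103:49698              63.250.200.63:443    CLOSED           -1
"""

# Constructed stand-in for the memory image: junk bytes around a jRAT-style config.
# Only the values that appear in the post's strings output are reused here.
SAMPLE_DUMP = (
    b"\x00" * 48 + b"MZ\x90\x00" + b"\x7f" * 20
    + b'{"NETWORK":[{"PORT":4576,"DNS":"174.127.99.252"}],"INSTALL":true,'
      b'"VMWARE":true,"WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"kpjCTotwwxd"}'
    + b"\xff" * 32
)


def parse_netscan(text: str):
    """Turn netscan rows into dicts. TCP rows carry a state column, UDP rows do not,
    and rows with no owning process have PID -1 and no owner."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith("0x"):
            continue
        proto, local, foreign, rest = f[1], f[2], f[3], f[4:]
        state = ""
        if proto.startswith("TCP") and rest:
            state, rest = rest[0], rest[1:]
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state,
                     "pid": rest[0] if rest else "", "owner": rest[1] if len(rest) > 1 else ""})
    return rows


def outbound_candidates(rows, web_ports=(80, 443)):
    """TCP peers on ports outside the 'ordinary browsing' set. Weak on its own
    (real C2 often hides on 443), but a fast way to rank what to look at first."""
    hits = []
    for r in rows:
        if not r["proto"].startswith("TCP") or r["state"] == "LISTENING":
            continue
        host, _, port = r["foreign"].rpartition(":")
        if not port.isdigit() or host in ("0.0.0.0", "*", "::"):
            continue
        if int(port) not in web_ports:
            hits.append((r["foreign"], r["pid"], r["owner"]))
    return hits


CONFIG_START = re.compile(rb'\{"NETWORK":\[')


def carve_configs(blob: bytes, window: int = 65536):
    """Find every JSON object that opens with the jRAT-style "NETWORK" key and parse it.
    raw_decode stops at the object's closing brace, so trailing memory junk is harmless."""
    decoder = json.JSONDecoder()
    configs = []
    for m in CONFIG_START.finditer(blob):
        text = blob[m.start():m.start() + window].decode("utf-8", "replace")
        try:
            obj, _ = decoder.raw_decode(text)
        except ValueError:
            continue
        configs.append(obj)
    return configs


def c2_endpoints(config) -> list:
    """Flatten the NETWORK list into host:port strings."""
    return [f'{n["DNS"]}:{n["PORT"]}' for n in config.get("NETWORK", [])
            if "DNS" in n and "PORT" in n]


def corroborate(netscan_text: str, dump: bytes) -> list:
    """Endpoints that appear both as an odd outbound socket and inside a carved config."""
    sockets = {h[0] for h in outbound_candidates(parse_netscan(netscan_text))}
    from_cfg = {ep for cfg in carve_configs(dump) for ep in c2_endpoints(cfg)}
    return sorted(sockets & from_cfg)


if __name__ == "__main__":
    print(outbound_candidates(parse_netscan(NETSCAN_OUTPUT)))
    print(corroborate(NETSCAN_OUTPUT, SAMPLE_DUMP))
```

Against a real image you would feed the raw dump file to carve_configs instead of the constructed blob; the regex only keys on the config's opening bytes, so a different malware family would need its own anchor string, but the corroboration step (socket list agrees with carved config) is the part worth keeping.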

I started working on this category a little bit later in the day. I wish I'd had more time to attempt the other challenges because I think I could have solved them. The two challenges above were worth the most points for the host forensics category.

Network Forensics Category

This category is where I felt most at home. Packet analysis is a major part of my everyday work life. The challenges in this category had three major themes: phishing, ransomware, and Heartbleed. To complete the challenges in this category, all the player needs is Wireshark and some knowledge of packet analysis and networking.

I'll walk through the heartbleed challenge. We had to download a pcap file and the only description of it was 'broken'.

Heartbleed Challenge

Looking at the pcap in Wireshark, I knew that it would be a Heartbleed attack because the capture was full of TLS heartbeat requests and responses. In a Heartbleed capture the responses run far longer than the requests that triggered them, which is the tell to look for. I looked up how Heartbleed works and could guess where to look from there. (Check out the graphical explanation I found)

[Image: diagram of a Heartbleed heartbeat request over-reading the server's memory]

If you look through the heartbeat responses and copy the payload as text, you eventually find...

SC[r+H9
w3f
"!985
    32ED/A I
42
   
#ge: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 28
Pragma: no-cache
Cache-Control: no-cache

bsides={heartbleed_for_life}kYV<V4

and bsides={heartbleed_for_life} is the flag. It is the 28-byte body of a request some other client had sent to the same server, which is why it sits right after a blank line and a Content-Length: 28 header: the leaked bytes are whatever was next to the heartbeat buffer in the server's memory.
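What actually happens inside that broken heartbeat, as an added example (my own model, not OpenSSL's code or the author's): a heartbeat request that claims a 16 KiB payload while carrying one byte, a responder that trusts the claimed length the way OpenSSL 1.0.1 through 1.0.1f did, and the 1.0.1g length check beside it. The "heap" is a constructed byte string holding the headers and 28-byte body seen in the capture above, and find_flag() does the "copy payload as text and read it" step.

```python
import re
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of random padding follow the payload

# Constructed heap contents: what a busy TLS server might have next to its heartbeat
# buffer. The request headers and the 28-byte body are the ones leaked in the post.
SAMPLE_HEAP = (
    b"SC[r+H9" + b"\x00" * 24
    + b"Accept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\n"
    + b"Connection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nContent-Length: 28\r\n"
    + b"Pragma: no-cache\r\nCache-Control: no-cache\r\n\r\n"
    + b"bsides={heartbleed_for_life}" + b"kYV<V4" + b"\x00" * 200
)


def heartbeat(msg_type: int, payload: bytes, claimed_len: int = None) -> bytes:
    """Build a HeartbeatMessage: type(1) payload_length(2) payload padding(16).
    claimed_len lets the sender lie about the length, which is the whole attack."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", msg_type, length) + payload + bytes(MIN_PADDING)


def respond_vulnerable(record: bytes, heap: bytes):
    """OpenSSL 1.0.1 to 1.0.1f behaviour (CVE-2014-0160): copy payload_length bytes
    starting at the payload pointer without checking it against the record length."""
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    buf = record + heap                 # the request lands at the start of a heap buffer
    return heartbeat(HEARTBEAT_RESPONSE, buf[3:3 + payload_len])   # over-reads into heap


def respond_patched(record: bytes, heap: bytes):
    """The 1.0.1g fix: silently discard if 1 + 2 + payload_length + 16 exceeds the record."""
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None
    return heartbeat(HEARTBEAT_RESPONSE, record[3:3 + payload_len])


FLAG_RE = re.compile(rb"[a-z]{3,10}=?\{[A-Za-z0-9_]{1,80}\}")


def find_flag(response: bytes):
    """Scan a heartbeat response payload for a flag-shaped token, the manual
    'copy payload as text and read it' step from the post."""
    if response is None:
        return None
    m = FLAG_RE.search(response[3:])
    return m.group(0).decode() if m else None


if __name__ == "__main__":
    evil = heartbeat(HEARTBEAT_REQUEST, b"A", claimed_len=0x4000)
    print(find_flag(respond_vulnerable(evil, SAMPLE_HEAP)))   # leaks the flag
    print(respond_patched(evil, SAMPLE_HEAP))                 # None: request discarded
```

The length check is the entire fix; everything else about the message stays the same, which is why the vulnerable and patched servers are indistinguishable on well-formed heartbeats and why a pcap full of oversized responses is such a clean signature.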

Give It A Shot

If you've made it this far and I didn't lose you somewhere in the Microsoft crash dump, maybe you should give a Capture the Flag competition a shot. There are a lot of beginner CTFs out there specifically designed to help people learn. There are also a lot of CTFs focused specifically on web exploits, for you developers out there. As a developer, knowing how to exploit your own application before an external threat can is invaluable. If you're interested but don't want to compete just yet, check out a few of these websites:

Interested in the command line utilities I used?

I completed the majority of the challenges on an Ubuntu 16.04 Digital Ocean Droplet.

Specifically interested in learning how to exploit web applications? I suggest giving WebGoat a try. I've used it to demonstrate SQL Injection attacks for a presentation to a group of students and it was pretty easy to set up and use.

Again, you don't have to know a lot already to compete in a Capture the Flag competition. You just need an annoying and unrelenting desire to keep trying. The point of the competition is to learn so don't be afraid to just jump in there. If you end up doing a CTF, let me know how it goes. If you've already done a CTF, what did you learn?

Top comments (9)

Ben Halpern

I had never heard of this activity before this post and I'm so glad you shared it, Toni! I really want to start attending security-focused events, they seem like a blast.

Joel Bennett

"...in this case, not port 80 or 433 because those are web ports and wouldn't normally be used for control of a botnet."

Maybe a dumb question (I'm definitely not a security expert), but why not use ports 80 or 443 to control a botnet? I'd think that by doing so, it'd be easier to get past various firewall restrictions and it'd blend in better with whatever other network traffic noise is on the machine. Also, running over SSL might make it harder for others to pick apart exactly what you are doing.

Brian Teller

Joel,
For OUTGOING requests you'd be correct. However for INCOMING (hosting on a port) most home internet services providers (like COMCAST) block hosting anything on a public IP on port 80 or 443 (also 25 which is mail). This is to limit people from trying to host a web site on their home internet (and a spam mail server in the case of 25).

Joel Bennett

That makes sense.

Mike

I know about stuff like this from geohot back in the day before comma.ai
There are even a few livestreams of him doing some challenges.
It seems really cool and awesome...wish I had more time to learn security stuff to that level :)

Ryan Palo

I had never heard of any of this, so thanks for ruining my life because all I do now are the puzzles on hackthissite and ctflearn! :)

Florian Kapfenberger

Capture The Flags are awesome! I took part at one in Dublin a few weeks ago. We placed 6th, not bad for my first CTF :)

nerdiosity

Just dropped in to say great write-up!

mistermocha

Your write-up just made security approachable for me! Thanks and well done!