Capture the Flag: It's a game for hack...I mean security professionals

Written originally on dev.to

My First Big Girl Capture the Flag Competition

Last weekend I attended BSides Iowa, a smaller security conference taking place in Des Moines, and competed in my first capture the flag competition as a security professional. Before you start thinking about large open fields outdoors and physical exertion, Capture the Flag competitions are games for security offense professionals a.k.a. what most would call hackers (red team) and security defense professionals (blue team) alike and everyone who falls in the middle. During a CTF, players compete against one another on their computers to solve challenges.

There are different types of CTF competitions, jeopardy style with a game board and attack-defense (Red Team vs Blue Team) style with players actively attacking and defending network infrastructure. I'll be focusing on the jeopardy style CTF here.

Typically, jeopardy-style CTFs are broken down into categories (these differ based on who is facilitating, but there are a few constants like cryptography and packet analysis) and each category has a set of challenges that the user needs to solve in order to find the flag. The flag is usually a string of text that the user then input into the game board to get their points. The more points a challenge is worth, the more difficult it is to solve (presumably).

"7.5 hours, a plate of fries, 2 slices of pizza, and two aspirins later I shut down my computer ending up with 3,250 points and 6th place."

The BSides Iowa CTF was facilitated by SecDSM, our local user group for network and information security professionals in the Des Moines area. The CTF had 6 categories: Airwaves, Crypto, Network Forensics, Pwned, Host Forensics, and Let's Get Physical (Lock picking Locksmithing). Beginning at 10am, I and approx. 20 other people had 8 hours to complete the CTF.

7.5 hours, a plate of fries, 2 slices of pizza, and two aspirins later I shut down my computer ending up with 3,250 points and 6th place. I'd chosen to stick pretty close to my skills set and didn't really branch out to categories for which I didn't posses prior knowledge. I ended up solving all 7 of the Network Forensics challenges, 2 of 8 Host Forensics Challenges, and 3 of 6 Crypto challenges. For many of these challenges I was either the first person to solve them or in the top 3. Not too shabby for my first big girl CTF.

"The real fun of the CTF is the feeling you get when you've used real exploits and tactics to find a flag and it actually works (you've hacked something)."

This was a good beginner's competition and it helped me to feel like I truly belong in my field. At times, especially in technical careers, it's easy to fall prey to imposter syndrome. This CTF alleviated any doubt that I had about my skills. I know that I still have a lot to learn, but I also know that I'm not just doing the 'fake it until you make it' thing either. This was also a really fun way to exercise my brain and expand upon my security knowledge. Even though I stayed pretty close to what I knew, I learned a lot of new things while solving the challenges that I didn't know about or know how to do before. Some developers build applications on the side in order to learn new things, but security professionals hack and compete to pick up new skills.

The real fun of the CTF is the feeling you get when you've used real exploits and tactics to find a flag and it actually works (you've hacked something). The CTF is your chance to legally hack things (because unauthorized hacking is extremely illegal and you'll probably go to jail if you're caught).

Let's walk through a few of the challenges from the BSides Iowa SecDSM CTF

Crypto Category

One of the more interesting crypto challenges was the steganography challenge. Steganography is the hiding of a secret message within another file (like an image). This is a fairly common challenge found in Capture the Flag competitions. There are many tools available online to detect a message hidden in an image file, as well as tools to extract those messages.

Steganography Challenge

stegapic

That picture looks absolutely ordinary right? But if we take a look on the command line...

$ file Words-Have-Power.jpg 
Words-Have-Power.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 849x578, frames 3

Nothing special there.. let's try a hexdump

$ hexdump -C Words-Have-Power.jpg

This returns a bunch of output that I won't paste here, but here's the relevant bits:

0000a580  00 00 00 1e 00 00 00 08  00 00 00 66 6c 61 67 2e  |...........flag.|
0000a590  74 78 74 7d fa c9 4c 8f  fb d4 5e 8d 43 86 1f 63  |txt}..L...^.C..c|
0000a5a0  f9 f5 dd 12 d0 9d c7 e1  1d 50 5b 26 a5 32 7e ad  |.........P[&.2~.|
0000a5b0  94 04 3e a1 27 3b d4 e5  7f a4 f6 45 43 50 4b 01  |..>.';.....ECPK.|
0000a5c0  02 3f 03 14 03 01 00 00  00 bc 0c 94 4a 21 ff 41  |.?..........J!.A|
0000a5d0  1a 2a 00 00 00 1e 00 00  00 08 00 24 00 00 00 00  |.*.........$....|
0000a5e0  00 00 00 20 80 a4 81 00  00 00 00 66 6c 61 67 2e  |... .......flag.|
0000a5f0  74 78 74 0a 00 20 00 00  00 00 00 01 00 18 00 80  |txt.. ..........|
0000a600  63 53 a4 a0 b9 d2 01 80  70 f5 17 a1 b9 d2 01 80  |cS......p.......|
0000a610  63 53 a4 a0 b9 d2 01 50  4b 05 06 00 00 00 00 01  |cS.....PK.......|
0000a620  00 01 00 5a 00 00 00 50  00 00 00 00 00           |...Z...P.....|

Now we know the flag is in a text file and from the last line we can tell there's a zip file hidden in the jpg.

If we try to unzip it..

$ unzip Words-Have-Power.jpg
Archive:  Words-Have-Power.jpg
warning [Words-Have-Power.jpg]:  42349 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[Words-Have-Power.jpg] flag.txt password: 

Now we have a prompt for a password. If we try 'wordshavepower' (the words in the image)...

$ unzip Words-Have-Power.jpg
Archive:  Words-Have-Power.jpg
warning [Words-Have-Power.jpg]:  42349 extra bytes at beginning or within zipfile
  (attempting to process anyway)
[Words-Have-Power.jpg] flag.txt password: 
 extracting: flag.txt         

Awesome! Let's see what the file says

$ cat flag.txt 
flag{not_stego_not_even_once}

Cipher Challenge

Another one of the challenges was a cipher challenge to decode:
pcyv{mvac_flt_bg_kdzja_xoksvp_iaof_u4}

At first glance, I thought it might be a Caesar Cipher but no dice. The next most popular cipher is called a Vigenere Cipher. A quick Google search later and... ciphersolver

The other challenges in this category required conversions from binary, Base64, Base32, or Base16 to ascii or the decryption of a file encrypted using AES (I didn't finish that one).

Host Forensics Category

The challenges required the player to download a MS Host dump and analyze it to find out the name of the malware that ran and the C2 (Command & Control) IP address and port.

This particular category was the closest I came to trying something out of my realm of knowledge. I've never had to do forensics on a Windows machine, but Google is a friend to all. I found that I could use a command line tool called Volatility to analyze the dump and find the flags.

After downloading the file, I ran the file command to get a better idea of what I was looking at because if you try to simply cat the file you'll get a bunch of gibberish.

$ file memory.dmp
memory.dmp: MS Windows 64bit crash dump, full dump, 2097152 pages

I've never looked at a crash dump, but a quick Google search led me to Volatility and the commands I needed to get up and running. (I also found a write up from another CTF with a similar challenge)

I began by looking at the network connections in the dump. If nothing else, I knew I could probably spot the connection for the C2 botnet.
netcon

I noticed that the server had been given a strange external IP address that had multiple outbound connections. I filtered for that IP and looked for connections out to a non-standard port (in this case, not port 80 or 433 because those are web ports and wouldn't normally be used for control of a botnet).

$ volatility -f memory.dmp --profile=Win7SP1x64 netscan | grep 10.0.10.103
Volatility Foundation Volatility Framework 2.5
0x23d43aec0        UDPv4    10.0.10.103:138                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23d472ec0        UDPv4    10.0.10.103:137                *:*                                   4        System         2017-04-21 19:18:49 UTC+0000
0x23da11b40        UDPv4    10.0.10.103:1900               *:*                                   2292     svchost.exe    2017-04-21 19:20:47 UTC+0000
0x23f434690        UDPv4    10.0.10.103:68                 *:*                                   904      svchost.exe    2017-04-21 19:35:12 UTC+0000
0x23f21f880        TCPv4    10.0.10.103:49662              174.127.99.252:4576  CLOSED           -1                      
0x23f471010        TCPv4    10.0.10.103:49682              98.139.199.205:443   CLOSED           -1                      
0x23fdbe3b0        TCPv4    10.0.10.103:139                0.0.0.0:0            LISTENING        4        System         
0x23f91c010        TCPv4    10.0.10.103:49665              165.254.114.16:80    CLOSED           -1                      
0x23faa0cd0        TCPv4    10.0.10.103:49698              63.250.200.63:443    CLOSED           -1                      

The only option was 174.127.99.252:4576 and that turned out to be the correct flag.

The next challenge was to find out the exact malware that had infected the system. I used strings to search through the dump and filtered for the C2 IP address because I knew that the IP address was definitely tied to the malware.

$ strings -d memory.dmp | grep '174.127.99.252' | more -5
{"NETWORK":[{"PORT":4576,"DNS":"174.127.99.252"}],"INSTALL":true,"MODULE_PATH":"Ns/k/Erc.R","PLUGIN_FOLDER":"fDNTvmjCywD","JRE_FOLDER":"KRBDYF","JAR_FOLDER":"
HfItRcGAvMp","JAR_EXTENSION":"JFKuuO","ENCRYPT_KEY":"mZWoFgfReBJIoLFLZKsOOIaqn","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":true,"PLUGIN_EXTENSION":"TvEXt","
WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"kpjCTotwwxd","SECURITY":[{"REG":[{"VALUE":"\"SaveZoneInformation\"=dword:00000001\r\n","KEY":"[HKEY_CURRENT_USE
R\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments]"},{"VALUE":"\"LowRiskFileTypes\"=\".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg
;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;\"\r\n","KEY":"[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Association

In all of that, I found out that the malware is called jrat.io and it's also the flag.

I started working on this category a little bit later in the day. I wish I'd had more time to attempt the other challenges because I think I could have solved them. The two challenges above were worth the most points for the host forensics category.

Network Forensics Category

This category is where I felt most at home. Packet analysis is a major part of my everyday work life. The challenges in this category had three major themes; phishing, ransomware, and heartbleed. In order to complete the challenges in this category all the player needs is Wireshark and knowledge of packet analysis and networking.

I'll walk through the heartbleed challenge. We had to download a pcap file and the only description of it was 'broken'.

Heartbleed Challenge

Looking at the pcap in Wireshark, I knew that it would be a heartbleed attack because of the heartbeat requests and responses. I looked up how heartbleed works and could guess where to look from there. (Check out the graphical explanation I found)

heartbleed

If you look through the heartbleed responses and copy the Payload as text you eventually find...

SC[r+H9
w3f
"!985
	32ED/A	I
42
	
#ge: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 28
Pragma: no-cache
Cache-Control: no-cache

bsides={heartbleed_for_life}kYV<V4

and bsides={heartbleed_for_life} is the flag.

Give It A Shot

If you've made it this far and I didn't lose you somewhere in the Microsoft crash dump, maybe you should give a Capture the Flag competition a shot. There are a lot of beginner CTFs out there specifically designed to help people learn. There are also a lot of CTFs focused specifically on web exploits, for you developers out there. As a developer, knowing how to exploit your own application before an external threat can is invaluable. If you're interested but don't want to compete just yet, check out a few of these websites:

Interested in the command line utilities I used?

I completed the majority of the challenges on a Ubuntu 16.04 Digital Ocean Droplet.

Specifically interested in learning how to exploit web applications? I suggest giving WebGoat a try. I've used it to demonstrate SQL Injection attacks for a presentation to a group of students and it was pretty easy to set up and use.

Again, you don't have to know a lot already to compete in a Capture the Flag competition. You just need an annoying and unrelenting desire to keep trying. The point of the competition is to learn so don't be afraid to just jump in there. If you end up doing a CTF, let me know how it goes. If you've already done a CTF, what did you learn?


Antoinette Stevens

Antoinette Stevens

Writing about tech and security.

comments powered by Disqus