<h1>Lessons Learned from Participating in my First CTF</h1>
<p>Published 2013-03-23 at https://www.webadminblog.com/index.php/2013/03/23/lessons-learned-from-participating-in-my-first-ctf/</p>

<p>Yesterday I finished competing in my first ever Capture The Flag (CTF) tournament. It was called Kommand and Kontroll Revenge of the Carders and was run by Rod Soto of Prolexic. I'm going to caveat this post by saying that this was my first ever CTF competition so I have absolutely no baseline of comparison. It was also pretty thin on competition (only one other team actively pursuing flags for any period of length). That said, it is what it is and in the end my team ended up with the win, which I'm quite proud of. We got system level privileges on 15 different systems to come away with both the most points as well as accomplishing the primary objective, which I'll describe more about below.</p>

<p>The competition consisted of somewhere around 30 virtual machines running as servers and workstations on a completely isolated network. Each system played a role in the scenario that Rod created around a carding ring that got pwn3d by one of its members using a Zeus botnet. The primary objective for the CTF was to take over command and control of the botnet. The secondary objective was to capture flags of various levels of difficulty (and points) in order to score more points than the competing teams. It took the better part of two days to do it, but once we finally got system privileges on the CnC server, it was only a matter of time before we figured out a way to take ownership of it and win the game. What follows are some lessons (in no particular order) that I learned throughout the competition that will hopefully serve to better myself and others as they compete in future competitions.</p>

<ol>
<li><strong>Participate with a team:</strong> These CTF competitions are most definitely a team sport. It's a series of challenges, different types of systems, and different applications. There's no way that any one person can be an expert in all of them. Working with one or more partners means that you have a fresh perspective when you need it. It also helps when there are situations where time is of the essence. For example, at one point I had system level privileges on a box and found the flag, but needed a way to get it onto my system. We had a running FTP server to make the transfer, but this risks the other team seeing the file. With the help of a partner, we had the file on the server, downloaded, and removed in under 5 seconds.</li>
<li><strong>Keep important files on removable media:</strong> I constantly found myself transferring files between different environments. Some were flags, some were exploit code, others were just files with notes on them. At one point I had my attack VM lock up on me and die to the point where I had to restore it from a snapshot. Had I not been keeping my important files on removable media, it would have cost us several flags and many points. Thank goodness for being prepared.</li>
<li><strong>Don't submit all of your flags at once:</strong> Believe it or not, there's quite a bit of strategy involved in how you present your team. Show too few points and people will think you're a chump. It'll encourage others to join the game because they feel they can make up those points quickly. Show too many points and now the competition feels the need to work harder and faster to catch up. My partner and I decided that it was best to start off with a low number of points. We posted a few flags just to show some progress, but kept a large number in our back pocket for later. At the end of day one I posted some more, but not all of the remaining flags. In hindsight, this was a bad move on my part as it seemed to get the other team moving faster. At the beginning of day 1 they posted enough points to overtake us on the scoreboard, but we still had enough flags in waiting at that point to more than make up the difference. We decided to hold them until the end to make the other team think they had it in the bag. I think this proved to be a far smarter strategy.</li>
<li><strong>Have a variety of different environments available:</strong> Since the CTF machines were running a wide variety of host operating systems, we ran into a number of challenges where we needed to be able to mimic a similar environment. Fortunately, I had a fairly diverse system that I was running which had OSX, Windows, and Linux. I found myself constantly switching between them during the game. I know that other players were definitely hindered by their lack of diverse environments.</li>
<li><strong>Take snapshots of your environments:</strong> As I mentioned in #2 above, at one point I had my attack VM lock up on me. I tried restarting, but no matter what I did, I couldn't get back into the GUI to resume my attacking. This would have killed my game. Snapshots to the rescue. Fortunately, before I started, I took a snapshot of my VMs and was able to quickly and easily roll back to a known good state.</li>
<li><strong>Have Internet access available:</strong> Maybe it's via your phone or via another computer attached to a different network, but there were a number of times where we had to query things on the Internet. Sometimes it was for scripts (like a PHP C99 shell) and sometimes it was for knowledge, but without Internet access, things would have been far more difficult.</li>
<li><strong>Know how to query an exploit database:</strong> Assuming that you found a way to get Internet access, you should know how to use an exploit database like the one at http://www.exploit-db.com. After you do your discovery, you have a list of running applications, sometimes even version numbers, and need to know if they are affected by any vulnerabilities with known exploits. That's where these guys come in.</li>
<li><strong>Update in advance:</strong> In several cases, the needed exploit was provided in the latest version of Metasploit. Unfortunately, my partner had a version that was a bit outdated. As in the case of this CTF, Internet access was not available in the game environment. He ended up taking his system onto the conference wireless network to do the update, but it sidetracked him for a fairly significant amount of time. It's far easier to update your tools before you walk into the CTF environment so you can spend your time actually hacking all the things.</li>
<li><strong>Be well versed in exploitation tools:</strong> The time I spent listening to my friend Raphael Mudge talk about penetration testing with Armitage paid dividends here, as did the many months our study group went through David Kennedy's Metasploit book. I went into it feeling like I had a pretty good grasp on the concepts with no practical application of the skills. Now, I feel like the CTF gave me the practical application and then some. If you don't have at least some knowledge of a tool like Metasploit or Armitage, you're going to struggle.</li>
<li><strong>Explore the system:</strong> The system that I mentioned earlier that we used to take over the botnet command and control was one that I had rooted several hours earlier. I browsed the system, got the flag, and moved on. It wasn't until I established a VNC connection to the system that I found the CnC console staring right back at me. It had been there all along, and because I didn't give the system enough attention, I moved right on past what could have won us the game far sooner. Remember, there are many different ways to view the data on the system. Be somewhat thorough while at the same time remembering that time is of the essence.</li>
<li><strong>Know how to use a directory brute forcer:</strong> I think that many of the people who came in, played for an hour, and then left got stuck here. They ran their scan, found some HTTP servers, and connected to them but saw nothing but a "Hello world!" message. They knew that something was running, but couldn't figure out what. Fortunately, I'm familiar with the OWASP ZAP tool and was able to tell it to brute force common directories on the web server. We found a number of different applications this way that there was really no other way to find. Your Metasploit exploits will never work if you can't tell it the proper URI to target.</li>
</ol>

<p>So, there you have it. My list of lessons learned from participating in (and winning) my first Capture the Flag (CTF) challenge. Big thanks to my partners Alek and Nate for pwning systems alongside me. As I said in #1 above, CTF is a team sport and I couldn't have won it without you guys.</p>