My good friend Justin and I recently won the Derbycon Capture The Flag competition. A few people mentioned that they’d be interested to see a write-up from us. It seemed that more people were interested in our methodology than anything else, so I will discuss our strategy and tactics, and if anyone is interested maybe we’ll follow it up with some of the technical challenges in another post.
I think I should start off by saying that the challenge was freaking awesome. It was so much fun. My hat goes off to the three gents that set it up, they did a great job and I know from conversations that people of all skill levels really enjoyed it. I definitely look forward to seeing those guys again and hopefully helping to create a future CTF.
There was a wide range of challenges, which is one of the reasons I think it was so much fun; you really got a nice cranial workout. Some of the challenges included attack vectors such as:
- Port Scanning
- Web Application Scanning
- SQL Injection
- Reverse Engineering
- Packet Captures
- Firefox Internals
- Password Cracking
- Public Key Cryptography
I think one of the reasons we really enjoyed this (and did relatively well) is that in a very real sense the CTF closely mirrored our experience when penetration testing. I should probably note that Justin and I have been friends for a long time and have been performing penetration tests together for quite some time. We’re currently working for the same company and head up our Offensive Security Practice, so we’re used to working together (and wanting to punch each other in the face).
Tactic 1 – Enumeration
Now, clearly enumeration is a part of any successful security engagement, but in this case it took on a little twist. We knew there were many points (flags) to be collected, spread across many different vectors. As we enumerated different areas that seemed like they might lead to more flags, we’d keep a list of these possibilities in a text file and then continue to try to enumerate additional vectors. We found ourselves referring to this list many times, either after we had obtained a flag and needed a new challenge or when we became frustrated and needed a new challenge.
Tactic 2 – Divide and Conquer
Justin and I worked very well as a team; we really played off each other’s strengths and we were rarely working on the same thing at the same time. We would each take a task and try to see it through to the end. There were definitely times we had to collaborate and bounce ideas off each other, and it was this constant touch and go that I think really made a difference. A sub-tactic of this would be peer review and feedback. If either of us thought the other one was doing something stupid or wasting time, we didn’t hesitate to voice our opinion and make sure we stayed on track.
Tactic 3 – Think Logically
With the group of very intelligent folks at Derbycon, thinking logically probably goes without saying. However, I think we might have had a unique twist that also helped obtain the win. There were several occasions where we would step back and think *What exactly are we trying to accomplish, and how should it work?* This really helped us to focus on the goal we were trying to achieve. Don’t confuse our attack goals with our ultimate goal of winning. The perfect example I can think of is when we had been spinning our wheels for a while on a web challenge.
The gents who ran the CTF had installed FCKeditor on one of the web servers. We had found it with the nikto tool, and a quick Google search showed that FCKeditor is a WYSIWYG text editor and historically has had a few vulnerabilities. I was convinced that I could exploit a file upload/RFI/LFI vulnerability and kept trying to force the issue. It wasn’t until I took a second to step back and think: what exactly am I trying to accomplish, how does it work, and what will it get me? When I did that a lightbulb went off and I realized, wait a minute, there aren’t any active pages within FCKeditor (they had all been removed by the CTF guys)! And with no active pages (ASP, PHP, etc.) there’s no way an RFI/LFI vulnerability exists! Time to move on!
Tactic 4 – Take a Freaking Break
The previous tactic works very nicely with this one. Some people don’t necessarily need breaks. Justin, for example, is a freaking tenacious maniac, and trying to pry him away from a problem he’s working on is like ripping a bone out of a dog’s mouth. I, on the other hand, have learned that I can work more efficiently if I take regular breaks. If I’m spinning my wheels and not getting anywhere, I say OK, time to step away, grab some coffee or food, or go to the bathroom. Just take a few minutes to clear your head; the problem will still be there when you get back. This used to be very hard for me to do (I used to be more like Justin, and frankly sometimes it’s still very hard), but I’ve found that I can personally be more effective if I give my brain a break.
Tactic 5 – Know Thy Enemy
Sun Tzu was whispering in our ears during the CTF (we’re actually good friends with Sun Tzu… we know people). And we kept thinking about the makers of the CTF. One thought we kept working through is: what is the point of X? For example, we knew that for the most part we could count on every file on the FTP server being placed there for a reason, and some of them had multiple purposes. We kept thinking, what is the reason this particular file exists, and was the flag we captured just a little too easy? This helped us to double back on a few challenges and find flags that needed just a little further digging.
Real World Penetration Testing Parallels
I had mentioned that this CTF did a pretty damn good job of mirroring our efforts during a real penetration test, and I figured some of this was worth mentioning. I think above all else the most direct parallel is the frustration and the tenacity needed. There were times when we were both EXTREMELY frustrated, literally cursing at our computers, the servers (and maybe the organizers :P). We knew there was something we were missing: wondering why the specific SQL syntax we were using wasn’t working, why this hash wasn’t decrypting like we thought it should, why Wireshark wasn’t doing what it was supposed to; the list goes on. We had to use all the previously mentioned tactics and work past the serious frustration until each challenge was met.
Research… Just like during real penetration tests, we came across things we weren’t familiar with. The best example is FCKeditor. We had never seen it before, but Googling it showed us what it was, how it worked and some of the vulnerabilities in previous versions. Not stopping at unfamiliar points is critical in the real world and definitely came into play here.
One last time, I just want to thank all the organizers of Derbycon and the organizers of the CTF. Derbycon was beyond freaking awesome. And the CTF only elevated it; it was so cool that they got so many people at different skill levels involved. It’s sort of like The Matrix… No one can be told what Derbycon is, you just have to see it for yourself. If you weren’t there you simply can’t understand the amazing friendly/community vibe. Everyone there was super chill and super cool. Can’t wait for next year, BAM!