
2017 - CTFs Not Just For Halo by Ray Doyle

BSides Manchester, 36:15, 235 views, published 2017-08
Transcript [en]

Thank you, and thanks to NCC Group for putting this on and sponsoring it so I could come here. So who here has ever done a CTF before, of any kind? Awesome, most of you. For those of you that haven't, hopefully after this talk you'll go out and even just do the one out here; they're fun, you'll love them. So my co-presenter's not here; his name is Clayton. He works for SecureWorks with me as a senior penetration tester. He's been doing CTFs since 2012; he's competed in the DEF CON SOHOpelessly Broken CTF, which is IoT based (it's routers, baby cameras, light bulbs, various things), for the last four years now, and he's won it twice. I came in third once. I'm also a senior penetration tester at SecureWorks. I've been doing CTFs for 10 years now. The last time I gave this talk I had a picture of myself doing it when I was 17; I took that out because (a) it's embarrassing and (b) it was actually at the con I was giving the talk at, but if you really want the picture I can show it to you. I'm a two-time DEF CON black badge winner now: the first time was with Clayton in the IoT CTF at DEF CON 24, and the second time was actually this year at the DEF CON 25 Wireless CTF. The team was led by Erik Escobar, one of my co-workers, who's actually giving a talk today at 2:30 in track 3 about wireless home security. You know, this is wireless stuff; we want to look for another black badge.

So, CTFs. Yeah, does this help at all, the microphone? Alright, I'll just talk loudly. So capture the flag (CTF) competitions, at least the ones I'm talking about, are generally information security competitions that have challenges of various types. Usually someone wins, or there's some sort of scorekeeping, and there are oftentimes prizes, which is why you do them, right? There are a few different types: there are either going to be a few challenges you solve, or there might be computers you get to attack or defend. Some are team-based, some are individual-based; it depends on the competition and how they're running it. And the way you normally know that you've solved the challenge is you get some sort of flag or key or token to give you an indication that you finished the challenge: here's your flag.

So there are basically three major types of CTFs. There's Jeopardy, which is what you'll see at most conferences or online. This is going to look like the Jeopardy scoreboard: you'll have a hundred points through 500 points for web-based, a hundred through 500 for crypto, and so on. These are the easiest to run, the easiest to set up and the easiest to jump into; you can just go and find a challenge you think you can solve, knock it out and get your flag. Another main type is attack/defense. This is going to be the type of CTF that the main DEF CON CTF is, so you're going to have your computers or your network and other teams will have their computers or their network, and your goal is to, in parallel, attack their network while defending yours. Some have various things where you have to keep certain services online. I don't know if they do it here, but in the States there's the CCDC, which is a college competition where the college students will actually be the blue team and have to defend the services, and they hire professionals to be the red team, so the students have to keep the services online, defend against attackers and have various challenges while they're being attacked by professionals. And the third one is a bit different: this is going to be a mixed or scenario CTF. The most common one I know of is the DerbyCon CTF. So instead of knowing exactly what your challenges are going to be, you're just in an open network and there are flags everywhere. So last year their theme was the United States election, so there were the Republican servers and the Democrat servers; you had to hack into Donald Trump's email at one point and get a flag, things like that. These are a lot less common, they're harder to set up, but they can be really fun if you find one.

So if you're still not sure about CTFs, the number of challenges that can be in them is huge. You don't have to be some reverse-engineering, binary exploitation wizard to participate in them. I've seen challenges that are programming almost entirely; you don't have to know anything about security, so if you're a dev you could still do these. I've seen some that are just packet analysis, so if you work in a SOC and you still want to help with these, you could be more useful than someone who's been on a red team. Some have just been games. At the same DerbyCon CTF I played one that was a text-based game based at the conference, so you were a speaker in a room and you could type "leave room" when your talk was over, and you had to find various clues. So if you at all enjoy games or puzzles there's probably a challenge for you, or something you can at least contribute to a team on.

So now I'll show my first demo, just to give a basic example of something you might see in a CTF. So in maybe a Jeopardy-style or another CTF we might be given an image like this. So just a basic image; this is actually Clayton and myself receiving our black badge two years ago. So if you have an image in a CTF, really any file, the first thing you want to do is just open it normally. Don't start throwing tools at it, just look at it. I've done CTFs where you open a file and that's the flag. Anybody here can open an image file; if the flag was there, we would have gotten some points. Unfortunately in this case, since I made it, I know that's not the case. So there are a lot of different ways to go about attacking images, and I'm nowhere near the best person at them, but if you have a file you're not familiar with, even just forensics-related, you can run strings against it just to see what's in it. So that'll grab all of the ASCII printable strings from the file we have, so if you can see the very bottom, we actually got a flag right here. In CTFs, always check strings. So that wasn't very hard; anyone who has ever participated in a CTF, we just got our first flag, as simple as that.

That said, there are a lot of other ways that people will hide things in images, so another thing we can check for is to see if there's more than one file hidden in there. The simplest tool, and the one I like the most for this, is binwalk. So if we take a quick look at the file we can actually see that there appear to be JPEGs in it, so the person making the challenge may have concatenated two JPEGs together, or hidden one; nothing too complicated. But we want to see all the images just to make sure, so let's see if I can get the command right, because I have trouble with this one. I think this is right... man, this is why live demos are even more fun. --dd. So what I'm telling binwalk to do is to extract any file types that are JPG from this combined file, because if you remember from earlier, the only interesting files to me here look to be JPEGs; that TIFF file is probably a thumbnail or something, and I don't really care about the copyright string, I know what it is. So for now I just want to get every JPEG file that exists in this combined JPEG file, and hopefully it works. So it did. It creates a directory called the name of the file dot extracted, so if we go in there we can see that there are actually three files, which correlate with those three JPEGs we saw listed in the file. So let's take a look at them one by one just to see what they are. So if we open the 0 one, this is the first one I showed you; this is just the regular picture, so nothing interesting there for us. If we open this 45D one, this is just the JPG thumbnail, which probably happened with whatever we created the image with. But if we open this middle file, we actually found another flag. So all this was was two JPEGs concatenated together, and we had a flag; nothing too complicated. Not all of the CTF challenges are going to be like this, but we just got two flags in a matter of minutes, even without me remembering the commands, so don't think that CTFs are going to be too hard.

So how do you do CTFs? Just enter them. If you're at a conference, almost always there will be one. If you can't make it to conferences, there's a website called CTFtime that is going to list a ton of upcoming online CTFs; you can just pick a random one, log in, do it for a weekend and see what happens. In person is a lot easier though. At DEF CON I had a 17-year-old kid just sit at my table during the OpenCTF and ask if he could join. I said of course, you're always welcome. Turns out this kid was an absolute wizard at reverse engineering and binary analysis; we ended up getting seventh in OpenCTF mostly because of his work. It was incredible. There's also a subreddit called OpenToAll CTF team, and if you mistype it they actually have a few subreddits that are like "nope, you're at the wrong one". This is going to be a huge team that allows anyone to join. They have an IRC and Reddit, and they participate in everything on CTFtime and most in-person cons. If you want to just join a team and you don't know anyone, this is a great place to look. You can also just read write-ups of older challenges; this will let you get a feel for sort of how they're arranged and tricks you can use to solve them, as well as maybe cons in your area or CTFs in your area that you can participate in. But beyond that, just Google: if you just type "CTFs in Manchester", things like that, you'll find something you can participate in if you want to.

So for those of you who have participated in CTFs, this part will be a little more interesting. I'm going to cover some more advanced tactics, ideas that will help you sort of go from participating in CTFs to maybe winning them. So the one that's not on this slide that's the most important I want to touch on is: take care of yourself. At a shorter con like this it's less important, but if you're at a four-day con like DEF CON and you're sitting in a CTF room for 10 hours a day, don't do that. Take showers, take breaks, eat. It makes a huge difference when you're not sitting there strung out on twelve hours of staring at the same challenge, the same screen; you're going to think better, you're going to feel better. You'll miss stuff if you don't; it's not worth it.

Outside of that, actual tools. The first one we'll talk about is Slack; for those of you familiar with it, you probably use it for work or chatting with friends. It's very similar to IRC or a chatroom, but it's great for CTFs. You can have one for each conference or each room, and it allows you to collaborate so much more easily. If you don't know cryptography you can go into your Slack channel, throw a message, say "hey guys, I got this far in this challenge, can you pick it up from here?" It just makes communicating, instead of sitting at a table or waiting for someone else to come by, a lot easier. The next tool I'll talk about is Trello, and I actually talk about it a bit more in the next slide, but Trello is a very simplified workflow management tool. So if you use something like JIRA or Bugzilla, really anything that allows you to track something from start to finish with statuses, this is a very similar tool. Another useful tactic is going to be specialization. This is going to be for your harder CTFs or bigger CTFs, or ones you definitely want to win. Having a reverse engineering guy, or having an image guy, or having a programmer will help a ton. Knowing everything is super useful, but if you get so far and you just know you're stuck, having a person you can reach out to, even if they're not on your team, helps. I've been at DEF CON and reached out to people in North Carolina who are great at crypto and said "hey, we're at DEF CON, we're doing the CTF, here's what we've got, what do we do next?" Just knowing people that specialize in things like that will help a ton. And the last one is going to be these, not cheating, but sort of extra things you can do. Ask organizers for hints. People who make CTFs do it because they enjoy it, but they also want people to have fun and learn. No one creates a CTF hoping that every team gets zero points; they don't want that, it makes them look bad, they don't have fun. Don't be afraid to ask for hints. We run one in North Carolina; we love it when people come up. An organizer is less likely to help you if you come up and say "what's the flag for challenge four?", but if you go up to an organizer and say "hey, I'm working on this challenge, I did this, this and this, this worked, this didn't, I feel like I'm close, do you have a hint for what I do next?", a lot of times they'll help you, or at least point you in the right direction. They'll say "hey, have you thought about doing X or Y instead? What happens if you do this?" At one point, at the end of a CTF, I actually had an organizer, after they shut off the CTF, log me into his laptop and help me finish the last part of a command to get a flag, because he knew I was real close but they had to shut down the network. Some other things, depending on the CTF, are also allowed: if it's allowed you can ARP spoof, you can sniff the network. There are CTFs that are run on just open networks that allow things like that. Listen to the traffic: if flags are going in plain text there's no reason for you not to listen to them; if users are logging into systems without HTTPS, listen, maybe you can get a foothold into the system some way you didn't notice. Bribery also works. Yep, so during this year's DEF CON Wireless CTF a member of our team gave the organizers a taste of Belgian beer and ended up with almost as many points as I got from getting into two APs. Organizers love stuff like that; I mean, it's worth a shot, plus you have a fun story to tell. So don't cheat, and this is an important one: for CTFs, people are there to have fun; don't be a dick about it. We ran a CTF at a con not too long ago and someone actually got into the router and reset all the settings, and we were having to fix stuff just because someone wanted to mess with it. Don't do that. People are there to have fun. If you want to do stuff like that, set up a lab. Attack the systems you're supposed to be attacking; follow the scope rules, even if it is a game.

Excellent, okay. So Trello, as I mentioned earlier, is a workflow sort of solution. This is actually a screenshot from DerbyCon last year; this was our CTF board. We ended up getting second at the whole thing, so we did pretty well. But I have four columns here. DerbyCon was a bit more particular in that we needed the fourth one, because, as I mentioned earlier, it was scenario-based, so instead of knowing that you needed one flag for this challenge, you never knew when you were done with something, usually. So we had "to do": these were machines no one had touched yet; we got the IP, we got a screenshot. Then "in progress" was something someone was already working on, and Trello is great at this. So if I scan something, I scan some ports, I find a website, I can throw it in "in progress", grab some screenshots, throw my basic enumeration in there, but then I can move on and someone else can pick it up, instead of them having to start over or ask me "hey man, did you look at this, what did you find?" Anyone can go to this board at any time, look at all the machines, say "hey, I think I have an idea here", grab it and continue working on it. It makes life so much easier when keeping notes, for trying to see what you have and haven't done yet, even if it's just stuff you tried that you failed on. It's cleaner than even having a notepad, which is what I still do a lot; I'll have a notepad and be like "I did this on this challenge", not as useful. But then for DerbyCon it was great because we had the third column, which is "possibly done": these were machines that we rooted, we found a flag or two on, but something didn't quite feel right; maybe we didn't go through the whole file system, or we found some files that were a bit janky. And then we had "done": these were machines we were almost a hundred percent certain we got every flag on; we didn't have to worry about them.

So why do you want to, why should you do CTFs? For the money and the fame, obviously, the same reason you would do any of it. But in all seriousness, this is a chance for you, even if you're not a pen tester, to do real hacking, real pen testing, legally, and have fun doing it. You're also going to get experience with these tools, especially if you don't have it. If you join a team doing a CTF and someone's working on a challenge and they're using sqlmap in a way you've never seen before, or something like that, you can ask them questions, you can see how they use it. Even if you're not on a team, you're going to be googling for "how do I test for XSS with Burp"; you're going to be using these tools in a way that, if you wanted to do infosec or pen testing more, as a hobby or as a job, it'll get you closer to this. You're going to be learning skills, you're going to be improving old ones. It's really surprising how many skills translate back and forth between offensive infosec and CTFs; I've learned things in both that help the other a lot. Competition, at least for me (some people it is), is always fun: you get to compete against other people, you get to see how you match up, you get to try and win something. It can also be aggravating: at last year's DerbyCon CTF, before I was with SecureWorks, they had a huge contingent of people there, and one of the players' main strategy seemed to be to annoy the other teams as much as possible. At one point he sat next to me and sang in my ear for 10 minutes while playing a synthesizer. So not always pros, but it's still fun, and it's a great way to meet new people. I mean, we met the 17-year-old kid; I saw him again this year at DEF CON. I've met some new coworkers. It's also a great way to find employers or current coworkers: I met the SecureWorks team at the DerbyCon CTF. It wasn't a recruiting thing for them, it wasn't me looking for a job, but I shared some bourbon and some flags with some people and ended up going to work for them not even a year later. And CTFs are also great practice because, at least in the States, a lot of companies use them as part of the interview process. So once you get past your phone screenings and your technical, they'll actually give you a CTF that's going to be just like anything you'll see at a con and ask you to solve it, so having the practice always helps.

So, some of the more popular upcoming CTFs I recommend you check out. The DEF CON one is huge; unfortunately you have to qualify for that one, but it's still really fun to read about or go watch in person. They have qualifiers all year round; if you do have a team and you think you can, give it a shot. I've tried twice and haven't qualified yet, but it's something I'd like to do one day. The OpenCTF is also at DEF CON. Unfortunately I don't know a lot about the European CTFs, so some of these aren't great. The OpenCTF is one that anyone at DEF CON can join, but it's very similar to a lot of what you'll see at a conference with Jeopardy. The CSAW CTF is actually online and it's great for beginners; my co-presenter Clayton, this was how he got his start doing CTFs. They're very basic, very introductory-friendly challenges you can solve, you can get points, have some fun. And then two upcoming online ones I found are the Ekoparty CTF (I believe this is their second year running it) and the HITCON CTF, which is still online and it's their third year running it. And there's also a CTF right outside, if you haven't seen it: NCC Group's booth has three laptops; it's a Jeopardy-style CTF. There were eight challenges when I was last out there. Give it a shot if you've never done it before, or even if you have. Have some fun, ask the organizers, ask me for hints, give it a try.

So here are some resources. I'm going to release these slides, so don't worry about taking pictures, but if you do, the second link is actually my site; it's going to have a lot more resources than even this slide. I basically had a giant bookmark folder I used for CTFs with a hundred-some-odd links, and I ended up throwing it all in one post on my blog with a description of every link. So if you want a picture, if you want to write anything down now, that link will have everything on this slide and more; hopefully there's something you find useful on it. If you have any more resources, feel free to send them to me; I'll add them, you can have credit. I wanted to replace my bookmark folder and all of the things I do during CTFs that I forget every time and throw that there, so these are going to be tools I use that I always forget to install, things like that. But other than that, if you don't want to go there, ctftime.org, as I mentioned earlier, is great for finding CTFs. It's not as good for challenge write-ups, but if you go to old CTFs they will have some links for each challenge. So what I like doing at least is, if I do a CTF and I don't solve some challenges, or I think some are cool and I don't really know how they worked, I'll find some write-ups, usually a month or two later, about how other people solved them, and either learn, or just get to see "wow, that was cool, no wonder I couldn't do that". The CTF tools GitHub I mentioned has a huge list of tools and it's separated by category, which is great. So if you go to that GitHub page it'll have, you know, image steganography tools and a list of them; it'll have cryptography tools and a list of them. It's a great place to go if you're working on a CTF and you think "there should be a tool for this" or "I don't know, what do I do next?"; there might be a tool for it. There are a ton of practice CTFs online that are always open. picoCTF, I think they're starting to close down their older ones, but they still have a new one every year that runs throughout the year continuously. They used to have all of their old ones open all the time; I don't remember if they still do. Pwn Adventure is one I want to mention because it's a really fun one that I'd like to play with more. It's an actual MMORPG game you play; the earlier ones weren't MMOs, but they have three now. It's a game you play that you can't beat without hacking. I think in the first or the second one you actually start as your regular RPG character, you've got like a wooden stick, and you're attacked by 100 wolves and you die; you have to find ways to actually exploit the game to continue on. And then just CTF write-ups: unfortunately I don't have the link on the slide, but there's a GitHub with, sorted by year, all of the major, or most of the online CTFs; it'll just have a ton of write-ups. You can go search through it for something, or just click random ones if you don't know what you want to read; you can find random write-ups. And these write-ups have actually helped for my job: I found ways to go through a pcap file faster because someone did a CTF and they needed to solve a challenge a specific way, so they used tshark and sed to quickly grab the DNS field. So I used that in the CTF to get DNS exfiltration data out of a pcap; I then later used it at work to find very similar techniques, and vice versa. So people who are working in a SOC and are great at pcap analysis are super helpful to a lot of CTF teams. I know a lot of teams I've been on, especially me, when I'm doing a CTF challenge and I get a pcap file, I open it in Wireshark and scroll up and down a lot and hope I see something interesting; not the most efficient way of working or doing CTFs.

So time for another demo. This demo will be a web-based one, obviously. And when you're doing a CTF, well, first, when you're doing any web assessment, be it for a CTF, be it for pen testing, because you're trying to break into a Russian website and [unclear] to your friends, the first thing you want to do is actually take a look at the website, see what it does. Don't just get a URL and throw Burp at it, don't just throw Nikto at it; see what the application does first, get a feel for it. You'll narrow down your attack scope by a ton. Unfortunately here all we have is a login page. I could look further, but I wrote this; I know we're not going to find anything else. This is the application. So when you're given a web application, more so in CTFs but additionally in real life, you should still check the source code. Even if it does nothing else, you'll see what the application is doing, what it's expecting, and you never know: I've found creds in JavaScript comments in the real world. It doesn't hurt to check it, it's quick. So first we'll take a quick look at the source; I'll make it a bit bigger. So for those of you not familiar with HTML or CSS I'll try and explain it, but this is a fairly simple website. So we have a very basic login form; it's sending a POST to login.php. That's not going to help us much yet. There's a username field and a password field; presumably we're going to have to do something to do with the login. It submits the form, but we also have a flag, so we got our third flag in the CTF already. Always check comments for flags; you'll find them especially in CTFs. So you're going to find things in comments on pages you don't expect; always check them. I've found creds, I've found flags, I've found weird programming debug output that you needed to get from the comments. Always check these when you're doing a CTF, at least if you're stuck. So unfortunately the comments didn't give us much more about this application.

So when you have a login page during a CTF, there are three main ways that you're going to get in. The first one is going to be you found creds on another box or another challenge, or they gave them to you; so either in the challenge description it told you the basic login [unclear], or you cracked a database on another challenge, you've got usernames and passwords and you could reuse them. Unfortunately for this one this isn't the case. The other two main methods that you're going to find in CTFs are going to be weak credentials, which you're going to find in the real world a lot, or SQL injection. So weak credentials: always try, especially if you're doing a CTF; it might work on a CTF. So we'll try some weak credentials. The most common one you're going to try anywhere on any application is admin/admin; if you know nothing about it, or if it's Tomcat, try this. Unfortunately that doesn't work here, so we'll try another one; we can try admin/password. Still doesn't work. For the most part you're not going to have to brute-force a CTF challenge. Sometimes you can, and I've had challenges where we solved that we really didn't deserve just because we threw something at it and eventually brute-forced the answer, but generally speaking you're not going to have to do that; there's some way to get in that isn't brute-forcing a 12-character random password. Okay, so in this case I could try a bit more, but I know that it's not going to work.

The third most common thing you're going to see is SQL injection. So for those of you not familiar with it, when you log into an application like this... and I could make a better demo, but I didn't; generally if I showed the query at the bottom it would make explaining this easier, but I'll try and explain it for people who aren't familiar with SQL. In its simplest form, SQL is a way to talk to a database. So when you log into your bank website or your Facebook website (for those of you who understand, deal with it, it's going to be a bad analogy), basically your computer is telling Facebook "hey, I want a user where the username is Ray and the password is passw0rd" (please don't log into my Facebook), if he exists in the database, and your browser's going to send that off to Facebook, and Facebook will run this query and say "hey, I've got one user on Facebook whose username is Ray and his password is passw0rd; yeah, you can log in". Which is great; it makes things easier, programmers don't have to worry about crazy stuff for logging you in, and you just have to type in a username and password without knowing programming. Unfortunately, in a lot of cases, bad people can put bad things in the query.

So normally, and I'm going to use the username field here because I didn't plan the demo; I'll recreate what I did the first time I made it. So the query I explained earlier might look something like this.

So it might look something like this, depending on the system and the application, but in this case it's just selecting all of the users from the users table where their username is Ray and the password is password. Great. But in some cases maybe we want to change this: we're attacking it, this is a CTF challenge, we know what we want to do. So what if we were to change this password field to something, and I'll show it down here, like a single quote? That's a weird password, but maybe that's our password. If the program wasn't written correctly, it would change our initial query to something like this. So even if you aren't familiar with programming or SQL, you don't really use three quotes around something: if you're quoting someone's name, if you're quoting a book, you have a quote on each end. So what happens is this then looks for users where the username is Ray and the password is a blank string, and then there's some weird quote at the end that's just probably going to break stuff. So let's try that and see what happens. And if you're testing an application, be it for a CTF or something else, throw a single quote in a field just to see what happens. Don't start with these long convoluted queries; if you put a single quote in the field, just see how the application reacts. So that's a lot different than the "login failed" we got earlier. We put one single quote, which turned into those three single quotes instead of two, and the application broke. This gives us a very likely hint that there's SQL injection in whatever application we're testing. What does that mean? So SQL injection: instead of that original query we had, we're going to try and put our own code into that so it executes what we want it to do. In this case we don't really want code, we just want to log in.

So we have the original query from earlier that starts out as a blank string, so instead of putting a single quote there, or putting passw0rd, if we put something like, I'll separate these out, so this is what it would look like: so if we put a single quote, a space, "or 1 equals 1", and then the symbols at the end are for a comment. It's basically telling the application "ignore everything else that was after this, we don't care anymore". So in this case this is what the final query would look like. So if you read it out, even if you don't understand SQL, you're selecting everything from the users where the username is Ray, so the same username we tried to log in with before, and the password is nothing (that's not my password, we know, so I'm not colliding), or if one is equal to one, and outside of really weird math or physics, 1 is going to equal 1. So in this case the second half of the query is going to return true. What that means is we're going to be able to log in as the Ray user without knowing its password at all. You won't see it this simplified in the real world that much, but you will in CTFs, and you will sometimes in a real application. So let's give that a try. We still want to log in as the admin user; we're pretty sure that's probably a real user, it's a CTF web application, and who we want to be is admin; if that's not a real username we'll look more later. So let's try the same string from earlier. These two will make that query we showed earlier, and we're in. We logged in; right now we're logged into this application as the admin user without knowing his password at all, and we got our fourth flag from a CTF in 38 minutes. We have 4 flags and none of these were particularly difficult; that one was the hardest one, and you don't have to know how it works to find flags: if you literally just do that single quote, space, "or 1 equals 1" during a CTF, you're going to get flags. It's better if you understand it and go a bit further, but you can still get flags with that.

So, any questions, or answers? I can also try and demo other stuff, but it's a pretty quick talk.

Yeah, I like CTFd. The Facebook one is really cool, and they open-sourced it; it's a bit more difficult to set up, but it's a great framework. If you're just running a CTF I'd probably use something like CTFd or the Facebook one, but if you want to build your own framework it's also really fun. The one we run we built ourselves; it's very simple, it's just a scoreboard application that accepts flags, and we have the machines we know of, so it's literally just a list of challenges and some flags. I haven't used a ton other than that, though I do like the Facebook one. I'm trying to remember what the IoT one was using; I liked theirs as well, I'll have to look that up.

Yeah, I've never found a good resource for that. The best resource I've found is asking people you know, or asking Twitter: say "hey, I'm running a CTF four months from now, submit challenges, you'll get credit, you can have points". That's the best thing we've found for doing it. I've never found a good place to download challenges for a lot of frameworks. A few... what was that? Yeah, so yeah, that's the easiest way to do it. So make them yourselves and modify them a bit between CTFs, or just ask people you know. There are a few resources, and I'd have to find them again, that have like "this is the Facebook CTF and a bunch of demo challenges", but beyond that there isn't really a great place to just spin up your own CTF from other people's challenges.

Anything else? Yes? Thank you. [Applause]
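The login demo in the talk, as an added example that is not code from the talk or from the speaker's CTF application: the login query built by string concatenation (the mistake the demo exploits) beside a version using bound parameters, with the single-quote probe and the "' or 1=1 --" username run against both. The SQLite back end, the users table and the two sample accounts are assumptions constructed for illustration; the hypothetical app takes the first matching row, which is why the injected query lands on whichever user was inserted first.

```python
import sqlite3

# Constructed sample accounts for the demo (not the talk's data). Plaintext
# passwords only to mirror the query shown in the talk; real applications
# store password hashes.
SAMPLE_USERS = [
    ("admin", "correct horse battery staple"),
    ("ray", "passw0rd"),
]


def make_db():
    """Create an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Build the login query by concatenating user input into the SQL text.
    Returned as a string so the reader can see exactly what the database
    receives (e.g. the three quotes the talk points at for a "'" password)."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(conn, username, password):
    """Vulnerable login: executes the concatenated query.
    Returns the first matched username, None when nothing matched, or
    'SQL ERROR' when the input broke the statement (the single-quote probe)."""
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return "SQL ERROR"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened login: same query, but the values are bound as parameters.
    The driver passes them as data, so a quote or an OR clause is just part
    of the string being compared and never becomes SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the talk's three login attempts against both implementations."""
    conn = make_db()
    probe = "'"                    # the single-quote probe from the talk
    payload = "admin' OR 1=1 --"   # the username-field injection from the talk
    return {
        "weak_creds": vulnerable_login(conn, "admin", "admin"),
        "quote_probe_query": build_vulnerable_query("ray", probe),
        "quote_probe": vulnerable_login(conn, "ray", probe),
        "injection_vulnerable": vulnerable_login(conn, payload, "not-the-password"),
        "injection_safe": safe_login(conn, payload, "not-the-password"),
        "real_creds_safe": safe_login(conn, "ray", "passw0rd"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The "quote_probe" result is the signal the talk describes: the concatenated statement ends in `password = '''`, SQLite rejects it, and the application reacts differently from a plain failed login. The same probe and the same "' OR 1=1 --" username are harmless against `safe_login`, which is the check to make when reviewing any login handler: every value the user controls must reach the database as a bound parameter, never as part of the query text.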