
Sourcecon capture the flag

  • 08-05-2013 11:56am
    #1
    Closed Accounts Posts: 18,966 ✭✭✭✭


    Has anyone done this? It says teams of up to 4. Would it be too much work for 1 person?

    link: http://www.sourceconference.com/dublin/ctf.html

    Edit, actually it's called the Source conference, not SourceCon.


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Would love to do a CTF. Don't currently have the requisite skills I'd imagine. That conference is 300 for non-students and 50 for students though.

    Defence of the box would be handy though. You could just lock down everything except port 22, refusing connections from anything that isn't you.

    Hell...you could just ifdown the interface if necessary. :D

    I wonder would it be possible to head along to view the CTF / learn what tactics people are using though. I would be very interested in that.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Well I have registered for it now whatever happens. I will post back with how it goes.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Have you done anything like it before?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Have you done anything like it before?

    Yeah I did a CTF in Vegas 2 years ago at SANS. Came 7th out of 200.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Nice. Can you give some details on what you did? I'm intrigued by the idea. Definitely a way to improve security awareness anyway.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Nice. Can you give some details on what you did? I'm intrigued by the idea. Definitely a way to improve security awareness anyway.

    There were 4 levels with 10 questions on each level. The flag in this scenario was an md5 hash of the correct answer. The first few were basic linuxy questions like what is the contents of the file in /home/user/level1.txt, so you would cat the file and pipe it to md5sum to create the flag. The final question of level 1 was what is the root password, so you had to take the shadow file and crack it in John the Ripper.

    Level 2 was about configuring the system bringing up interfaces etc, and if I remember correctly, the final question was using a remote exploit on a node on the network to get access to it. That node was a gateway for 3 others, and so a variety of exploits were needed, one was a web server so there was an SQL injection test. There was also one where the password was saved in Firefox, you had to retrieve the password, which I spent a while on.

    It doesn't sound like much but this was 10 hours done over 2 days and you were hammering at the keyboard the whole time.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Sound. OK, I'd be handy at doing most of the things you mention there (any of the linux-ey stuff) but would need a read up / some practice on the others (sql injection, though I understand the principle). I may be heading along. If you're putting together a team and have room sure drop me a line.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Sound. OK, I'd be handy at doing most of the things you mention there (any of the linux-ey stuff) but would need a read up / some practice on the others (sql injection, though I understand the principle). I may be heading along. If you're putting together a team and have room sure drop me a line.

    I've emailed the organisers and told them it's just me and could I join a team, we will see what they say. If not, you'll be very welcome and I'll try and recruit someone from Tog or 2600 dublin.

    This is sponsored by Facebook, so I'm expecting quite a bit of Web app hacking, but on the other hand they did say that once you take over something, you have to defend it, which would be tricky to do with web apps. In short I have no idea what it's going to be like. That's part of the fun.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    The final question of level 1 was what is the root password, so you had to take the shadow file and crack it in John the Ripper.

    OK....I have a question on this one - I was fluting around today with John the ripper a bit and hashcat. Hashcat is ridiculously fast compared to John and that was on my rubbish GPU so I thought hardware might be an issue.

    Did it take long to crack the root password? Or was simply knowing that you had to crack it with some tool + basic dictionary sufficient?

    When you start to get into rule based cracking, having a fast GPU to hand (even remotely) would obviously be very useful if it's a difficult password.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    OK....I have a question on this one - I was fluting around today with John the ripper a bit and hashcat. Hashcat is ridiculously fast compared to John and that was on my rubbish GPU so I thought hardware might be an issue.

    Did it take long to crack the root password? Or was simply knowing that you had to crack it with some tool + basic dictionary sufficient?

    When you start to get into rule based cracking, having a fast GPU to hand (even remotely) would obviously be very useful if it's a difficult password.

    The root password had been set to something that could be cracked with a standard dictionary file so the trick was in knowing what to do. Even then there were guys over or under thinking the problem, like doing "cat /etc/passwd | md5sum" thinking that would give them the hash of the password and things. I suppose because it was a timed exercise, they couldn't have too complicated a password.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    That seems fair. Good to know too. Obviously it would be good to push it a bit but given a time constraint and hardware differences it wouldn't really be fair.


  • Registered Users, Registered Users 2 Posts: 742 ✭✭✭jsabina


    I am registered as well without a team (and without proper skills :D )


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    jsabina wrote: »
    I am registered as well without a team (and without proper skills :D )

    Email honeyn3t@gmail.com and they will try to introduce you to a team. They hooked me up with some l33t doodz.


  • Registered Users, Registered Users 2 Posts: 742 ✭✭✭jsabina


    syklops wrote: »
    Email honeyn3t@gmail.com and they will try to introduce you to a team. They hooked me up with some l33t doodz.

    thanks!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Super fun. :) My first CTF. Learned a lot. Will definitely do another one.


  • Registered Users, Registered Users 2 Posts: 742 ✭✭✭jsabina


    Khannie wrote: »
    Super fun. :) My first CTF. Learned a lot. Will definitely do another one.

    agree.. the day passed and I haven't noticed!!
    Difficult to stop for lunch time :D
    I need to study and practice though!


  • Registered Users, Registered Users 2 Posts: 152 ✭✭Razzen


    Great event, well done to all the honeyn3t team! I had a great day..teamed up with lots of people I'd never met, but we did well and learnt a lot together. Lots of new friends :) Thanks for having me guys!

    Mark


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    I was at the first two days of the conference ... was really hoping to get to see part of the CTF as well.

    Raging I missed it now, by all accounts it was a great success.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    jsabina wrote: »
    I need to study and practice though!

    We all do. I need to work on my traffic analysis. There was one problem, with some WEP encrypted traffic, and you had to find the hidden message. With some help from Yore Ma I got the WEP key, and decrypted the traffic, but to be honest, once I got that far, I might as well have been looking into a field of thistles. The usual follow TCP stream stuff didn't work, and I couldn't put it all together. It was a pity to get so far through a relatively valuable challenge, and be stuck on the final hurdle. I would love to be able to read Wireshark, like Neo can read the matrix (The Matrix was on TCM last night).


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I think the trick in those things is to use tools to read wireshark for you to narrow down the noise from the various streams into useful ones. Razzen was showing me a tool that parses pcaps (may require decryption first, but if it's WEP sure it's as easy as picking your srón) but I can't remember the name of it now (network miner maybe?).


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    I think the trick in those things is to use tools to read wireshark for you to narrow down the noise from the various streams into useful ones. Razzen was showing me a tool that parses pcaps (may require decryption first, but if it's WEP sure it's as easy as picking your srón) but I can't remember the name of it now (network miner maybe?).

    Someone on my team suggested Xplico, but I spent ages getting it installed, and never got the Web App working. Network Miner is available on Linux but only using mono which I think I deleted recently. Surely there is some other tool that can do it (aside from a Python shell and a spare Saturday).


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I just got network miner running on my kali VM there very handy. One apt-get install (mono) a few other commands to retrieve Network Miner and chmods = presto.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    I just got network miner running on my kali VM there very handy. One apt-get install (mono) a few other commands to retrieve Network Miner and chmods = presto.

    Actually it was very swift for me too.


  • Registered Users, Registered Users 2 Posts: 152 ✭✭Razzen


    the trick is to reduce the size of the haystack before looking for the needle. network miner is good at parsing everything, helping you look for stuff out of the ordinary, which will give you a general area to search in more detail..usually back in wireshark. I'm pretty good at the pcaps (crap at everything else) so that's usually the only tools I need to solve most pcaps, maybe a little aircrack and grep every now and then.
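
The "reduce the haystack" step discussed above, as an added example that is not part of the original thread or any poster's code: a standard-library Python pass that totals payload bytes per conversation so the unusual flows stand out before going back to Wireshark. It assumes an already-decrypted classic pcap with Ethernet framing and unfragmented IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def frames(pcap):
    """Yield Ethernet frames from a classic (non-pcapng) capture file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def flow_bytes(pcap):
    """Sum layer-4 payload bytes per (proto, src, sport, dst, dport)."""
    totals = Counter()
    for f in frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue  # not IPv4 (ARP, IPv6, ...)
        l4 = 14 + (f[14] & 0x0F) * 4  # Ethernet header + IP header length
        if f[23] == 6 and len(f) >= l4 + 20:
            name, hdr = "tcp", (f[l4 + 12] >> 4) * 4
        elif f[23] == 17 and len(f) >= l4 + 8:
            name, hdr = "udp", 8
        else:
            continue
        sport, dport = struct.unpack("!HH", f[l4:l4 + 4])
        src, dst = (".".join(map(str, f[i:i + 4])) for i in (26, 30))
        ip_end = 14 + struct.unpack("!H", f[16:18])[0]
        totals[(name, src, sport, dst, dport)] += ip_end - l4 - hdr
    return totals

def make_frame(proto, src, dst, sport, dport, payload):
    """Constructed test frame: zero MACs and checksums, no IP/TCP options."""
    rest = (b"\0" * 8 + b"\x50\x18\x20\x00" + b"\0" * 4 if proto == 6
            else struct.pack("!HH", 8 + len(payload), 0))
    l4 = struct.pack("!HH", sport, dport) + rest
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return b"\0" * 12 + b"\x08\x00" + ip + l4 + payload

def sample_pcap():
    """Constructed capture: a web request, a DNS-sized datagram, an odd bulk flow."""
    a, b, c = (10, 0, 0, 5), (10, 0, 0, 1), (10, 0, 0, 9)
    pkts = [make_frame(6, a, b, 40000, 80, b"GET / HTTP/1.1\r\n\r\n"),
            make_frame(17, a, b, 5353, 53, bytes(30))]
    pkts += [make_frame(6, a, c, 40001, 31337, bytes(900))] * 2
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```

Calling `flow_bytes(...).most_common()` on the bytes of a capture file lists the heaviest conversations first; on the constructed sample the bulk flow to port 31337 sorts to the top.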

