My experience with my first I.T. security Capture The Flag (CTF) contest while at BSides LasVegas (BSidesLV).
Background: For the last two years, I’ve gone to the annual BlackHat USA conference in Las Vegas. I’ve loved it both years. The conference quality along with the presentation quality at BlackHat is fantastic. This year I decided to switch it up a bit and go to BSidesLV and do one day at BlackHat (business pass only) after BSides was over.
What is a BSides? For a lot of good info on this you can go here. Basically, it is a community sponsored I.T. security conference.
What is an I.T. security capture the flag contest? Essentially it’s a contest where you and your team defend I.T. systems under your control while attacking the systems of other teams.
Pre-Conference: BSides is completely free to attend (which is amazing). I chose to sign up as BSIdesLV sponsor a few weeks before the conference. I chose the Rock level of sponsorship which was ~$100. I wish I could say I was a really great guy and I just wanted to help out, but the truth is I did this in order to get a reserved ticket. The DefCon (another I.T. security conference in Vegas) ticket line is legendary and I wanted to avoid anything remotely like that if at all possible. I also wanted to be sure I got in. I did not want to go all the way to Vegas only to have BSides run out of passes. So, I forked over my $100 and booked some travel.
While reviewing the BSidesLV web site, I noticed the ProsVsJoes capture the flag contest. I was intrigued and decided to sign up as a “Joe” since I don’t do infosec (Information Security) full time, and I had never participated in a CTF (capture the flag) before. My plan was to get on a team, contribute where I could, have some fun and learn some stuff. Signing up for the CTF meant that I would miss essentially all of the other BSidesLV sessions. Its rumored that most of the sessions are recorded and posted online shortly after the conference. I hope that is true because there were some really cool looking sessions I would still like to see.
A few days after signing up as a Joe, @dichotomy1 (Dichotomy) dropped me an email and asked if I might be willing to serve as a Pro acting as a team captain for one of the blue (defense) teams. We went back and forth a bit about my credentials and experience. He mentioned that at that point he had three full teams, but if more folks signed up he might like to add a forth team and that team would need a captain. He mentioned most of the team captain duties were management / administrative / coordination in nature, so I agreed to do it if he needed the forth team.
A few days after that he emailed to let me know that our team was a go. He setup a mailing list for our team, I chose the team name Labyrinth Guardians and we were off to the races.
Over the next couple of days, each of our team members introduced themselves over the email list. I started and shared a Google Drive folder and Google Doc that became our team-planning document. I encouraged our team to take a collaborative approach, and boy did they ever do that.
Everyone started to share ideas and questions in the Google Doc. It started to become clear that I had a group of guys who were really engaged. As an aside – there were female CTF participants; I just did not have any on my team. We all wanted not only to participate, but to win. I setup a group of smaller functional teams in the document, and asked the guys to pick a team to be a part of as their primary focus. We hoped this would help us all be able to get down to business faster in areas where each of us could bring our expertise and background to bear. While most of the guys on my team did not seem do infosec full time either, we had a good array of skills. So, our functional teams ended up being very well rounded.
We decided to schedule a team call to talk through our strategy etc. As usual, with a group this size we could not find a time that worked for everyone, so we took a time that worked for most of us and ran with it. Initially, I tried to setup a Google Hangout on Air (so we could record the call for other team members). That ended up failing (likely because I did something wrong), so we quickly switched over to a Skype call. It was a messy 15 minutes trying to get the alternate call up, but the team hung in with me. Finally, 5 or 6 of us were on a call together. We spoke for an hour or two during which time we got to know each other better and planned for another meeting early on the first day of the conference in Vegas. We also spun up a Slack account for our team to use for real time communication. I can’t say enough positive about this tool. It enabled very efficient real time communication that gave us an advantage.
A couple of the guys volunteered their rooms as a meeting spot, and we agreed to meet at 8AM local time in Vegas. The conference and the CTF started at 10AM. So, we had about an hour to get in sync and plan, then we all went over to the conference and got settled in.
Go time – Day 1: At 10AM, it was supposed to be go time. However, the wireless network for the CTF was not cooperating. The guys who run the BSidesLV network and Dichotomy were working hard to fix things. Eventually, we got to a state where Dichotomy was able to kick things off. My understanding is that next year they are planning to go wired – which makes lots of sense.
The scenario for the CTF is that we are essentially taking over a network that has previously been run by idiots. Dichotomy called it “horribly vulnerable”. Our job was to keep network services up and running, deal with user requests (tickets), and find flags in our environment. We were to do all of this, while a red team of professional penetration testers was attacking us.
The game is scored by a proprietary program Dichotomy developed called “Score Bot”. Score Bot periodically measured our service uptime, how many tickets we had closed, how many flags we had submitted, and how many of our hosts had been compromised by the red teamers. When things kicked off, our guys went to work in their functional team areas. The windows team guys went to work on the windows boxes, the *nix team went to work on the *nix boxed etc.
We were doing fairly well midday on the first day. However, we were heavily focused on finding and submitting flags. We had found several but there was some significant ambiguity in how we were to submit these to score bot. Several of our guys banged away on this for a while. Eventually, they figured it out after expending some significant time. One of our team members noticed that flags did not count for very many points, but that closing tickets from fake users counted for a lot. So, we started to prioritize dealing with tickets higher.
At the end of day one, we had won. A screen shot of Score Bot is below. We had done a decent job of keeping attackers out of our boxes all while closing tickets like mad men. Team morale was high. We were excited to have won day one, but we all felt like we were also a bit lucky. Our expectation was that the work we did on day one securing boxes would pay off on day two. So, we all headed our separate ways and agreed to meet in the CTF area at 9AM on day two. Day 2 – Attack time: I think we were all looking forward to day two. On day two, the red team members break up and embed with the blue teams. Then, each blue team goes to work attacking each other. In general, the majority of our team seemed to have more experience on the defense side of things. So, day two was a great opportunity to learn from a pro red teamer. We got a great red teamer on our team. He quickly engaged and brought his experience to bear for our cause.
Before we started on day two, we also discovered that the entire environment was going to be reset to the state it was in the prior day before we started. So, all of our defense work from day one was effectively lost, and we had to do it again. In addition the scoring model was going to be changed. Tickets would count for fewer points, and flags would count for more points. Since we knew the environment we hit the ground running quickly. We got boxes locked down as much as possible while maintaining service uptime. We submitted flags like mad men. We also went to work scanning both our our own network as well as our adversaries networks for vulnerable systems. We used NMAP, Nessus and Open VAS for this work.
Once we identified vulnerable hosts on our network we mitigated the vulnerabilities as quickly as we could. However, we identified multiple RCE (remote code execution) vulnerabilities that we were never able to fix due to issues in the environment. After we had our stuff at least heading mostly in the right direction, we started kicking off scans of the competition. Once we identified vulnerable hosts on the other teams networks, we worked with our red team member to start attacking them. Fortunately, our work on the defense side of things along with a bit of luck paid off well. By mid afternoon, none of our boxes had been compromised yet. All of the other teams had boxes that had been burned, some thanks to our guys working with our red teamer. At one point Dichotomy was essentially asking the other team to focus on us and break into our boxes. Since we still had some unresolved vulnerable systems, eventually they did get in to a couple of our lower priority boxes. We started to focus heavily on offense later in the afternoon. We identified the team that was closest to us in points (SaltyGoats – SG) and went after them with everything we had. We had identified some unresolved vulnerabilities in their environment, so our red team pro went to work. After about an hour of focused work, he had compromised their Active Director Domain Controller (AD DC), so we essentially owned their windows network. Our red teamer did some work so that Score Bot would know that a couple of our competitors boxes were owned, then we started to plan for what we would do once the “scorched earth” rules went into effect at 4PM. Prior to those rules going into effect, all we could do was signal Score Bot that we owned these boxes. We were not allowed to destroy them. However, once the scorched earth rules started, it was open season.
Because of the way the scoring engine worked (which was public knowledge from the beginning), a down domain controller would cause our competition to loose all availability points (because DNS in the environment would fail which all the rest of the scoring of their environment was dependent on). So, we started to talk about how to kill their AD box, which we had gained administrator level access to. In the end we opted to break the box in a way that would not allow it to boot (marked the boot partition inactive using diskpart), then simply rebooted it. After a couple of minutes their network went all red. Mission accomplished. After that a few of our guys continued to focus on attacking, but at that point we had pretty well established a point lead that would be hard for others to catch up to in the time remaining. At 5PM Dichotomy had the red teamers come up and give a presentation on how they attacked us. We did not learn anything especially surprising, but it was a good overview and good education. In the end – we won. The official scores were: These scores differ from the screen shots shown because positive ticket scores did not count on day two (one of the rule changes). So, essentially our total score minus our positive ticket scores equaled our ending score. Also – its doubtful I got my screen shot at the exact last moment.
Thanks! I believe all of our guys had a good time. I know I sure did! With that in mind, I’d like to thank some folks who worked hard so that we could enjoy this experience.
- The folks who got BSides started, and have grown it into an amazing movement. For some great back story, check out this podcast with @Jack_Daniel where he explains how this got started. While I’ve never had the pleasure of meeting Jack, I have seen him in the wild and he is an incredibly well spoken (not to mention well dressed) guy. He is an absolute gift to the infosec community. Clearly one of the really good guys.
- The entire team who makes BSidesLV happen. Organizing a conference this large is an enormous amount of work. Organizing a free community driven conference on a limited budget with only a group of volunteers and pulling it off as well as these folks do is an absolute work of art. You folks are amazing in every sense of the word.
- The BSidesLV network team. You all showed tremendous grace under fire dealing with the CTF WiFi issues. Well done!
- Dichotomy – Dichotomy put together a really great CTF event for us to participate in. The amount of work required to create this game environment must have been huge. Thanks man! You gave us all a great opportunity to learn, have fun, and grow. We appreciate it! I’ll forever remember this fondly as my first CTF.
- My team (LabyrinthGuardinas)– You guys ROCKED! It was great to work with such a good group of guys who were willing to do whatever was needed to succeed. Your skills, patience, flexibility, creativity and generally awesome ideas are what allowed us to win. I hope you guys had a much fun as I did.
- Our friendly competition: Lets be honest – any of us could have won this thing. Our friendly competition is just as smart as we are. I spoke to one of the other team captains after we were done on day two, and he was just a great guy. I hope we get the opportunity to get to know you guys better in the years ahead.
What’s next? I want to contribute to the BSides movement. This year, I basically enjoyed an awesome event because of the work of a lot of dedicated folks. Now I feel like its time for me to get more involved and contribute. I’m not sure exactly where that is yet – but I’m determined to help where I can. What about you?
- Here is a post one of my teammates wrote: http://www.74rku5.com/2015/08/12/my-pros-vs-joes-ctf-writeup/
Amazing recap for someone who has never participated in an event like this but was always curious. Thanks.
Sounds awesome! Thanks for sharing.
Very cool! Congrats on the win, and thanks for sharing.
Way to go Winslow! Team LG FTW!