Hey, what's up, YouTube? This is John Hammond, and in front of your faces is some footage from when I played the Pros vs. Joes capture-the-flag competition at BSides DC. So I'm pretty excited and happy to be able to showcase some of the stuff, because this is, this is three weeks ago right now. I played the BSides DC Pros vs. Joes competition three weeks ago, and just recently I played the Pros vs. Joes competition at BSides Delaware. This is just the footage from BSides DC; if you would like to see the footage from BSides Delaware and a little bit more commentary, I can certainly showcase that, but I did just want to bring this to you as an opportunity for me to, for one thing, talk about the game, talk about some of the preparations that I've done, talk about stuff, and hopefully it's a little bit enjoyable.

So, Pros vs. Joes. I mentioned it a bit ago in my video on securing Windows boxes with DISA STIGs, and I think that has played a good part in the success, actually, in this game. What I had done is I tried to prepare for this event as much as I could, and truth be told I fell behind the ball, at least in my eyes, about what I wanted to produce, but it wasn't that big of a deal. We did win. We came in first place, the Raiders of the Lost Art team, so that was a success in my eyes, but we came back from a pretty hard last place in the first hour.

So what you can see is I'm actually working through a lot of consoling into machines, right? I'm actually consoling into a virtual machine and just displaying it through the browser rather than SSH, and I'm doing that with this Proxmox system manager thing, admittedly.
I don't know a whole lot about Proxmox. Normally I just use VMware, either ESXi or v3 or stuff like that, but whatever lets me get hands on keyboard on a box, I thought it was pretty cool. But I was doing that for the longest time because we managed to kind of block ourselves out of the router for just a little bit of time, and that was not too good, but also it wasn't the death of us. We fell into last place for a bit because we had our firewall and router kind of locked away and we weren't able to actually get any points on the board, because the scoring is done by availability and uptime, right? You have a set of services on a set of computers, servers, a couple of workstations, that are all providing either email or websites or FTP or domain controller, etc., etc. We even have stuff like GitLab, and some of those things just need to be up and running. They need to be maintained, because the way you are scored is determined by whether the scoreboard and the scoring service can actually reach that service that your network is providing.

So you have to play a little bit of defense in that, yes, you have to maintain all your services' availability, but you also have an active red team in the same room pretty much trying to break down your walls and kind of take down some of your stuff. So the game is mainly incident response. Red team has prior access, right? The evil side, the villains here in the game, have their footholds already in place by the time you get there. So, me playing in BSides DC.
This is the first time I've ever seen the game. It took a little bit of me learning. When I came to BSides Delaware two weeks later, I actually had a little bit of that foresight because I had played earlier, so I did have a bit of an advantage there. But hey, whatever, that comes with just the exposure and just being able to play around, whatever.

So a lot of stuff that I ended up finding as I'm logging into boxes is some specific things that I guess I won't explicitly talk about. I don't want to drop too many of those hints, but I can say that making yourself prepared with automated scripts, automated tools, will make you so much better off, right? A lot of the game, a lot of the content, and a lot of the stuff that actually happens on the keyboard between you as blue team and the other players as red team is very much tribal knowledge, right? A lot of the stuff just comes from association or playing the game. There's not a whole lot of information or documentation out there, so maybe I can provide some of it in this, but I also didn't want to showcase everything. So I'm trying to hide IP addresses, although I'm sure you can track some of that stuff down. I'm trying to hide some of my stuff, but not my stuff specifically. I actually have a GitHub repository now for everything that I had kind of produced and prepared, made available to you for those that are playing the Pros vs. Joes competition.

So what I've been doing actually in the first portion of this video, in the screen cap, you can see I've been working on a DNS BIND box. One thing that we tried to do is actually prepare a chrooted environment, or a jailed BIND service, and I had a script prepared to just, like, okay, crank that out, auto-configure everything and just spin it up.
So it's done in a single, like, ./go. I did that, I made that happen, but it still needs to be able to adapt to the environment that we walk into, and that has a lot of other zones and DNS stuff that I wasn't able to quickly deal with. But thankfully it didn't turn out to be that big of a deal. Our DNS wasn't completely hosed, at least until about scorched earth.

So scorched earth is another cool thing, because that's a technique or some kind of event, I don't know a good way to say it. It's a portion of the game at the very, very last hour where all the rules go away, right? So if red team has a box, what they can do, because they've got remote code execution, is potentially delete everything, or they could, if they wanted to, shut down or boot-loop the computer. But they don't, because throughout the portion of the game you want to be able to recover from it. Blue team is supposed to be able to at least learn from it and recover from it. Except for scorched earth, in the very last hour. In the very last hour all the rules are gone. If someone has a box they can fork-bomb it, they can rm -rf it, they can just boot-loop it, whatever they want. And that's pretty cool.

So another interesting thing about this game is that, yes, blue team is playing as blue team. You are wanting to be defensive and hardening your boxes and doing incident response, etc. However, halfway through the game... at BSides DC this was only a one-day event, so we had eight hours of play. The first four hours were strictly blue, the last four hours... or, indeed, BSides Delaware, we had two days, it was one day blue and then the second day the other half of the game, you get allowed to go purple. And when I say go purple, I mean the blue team, yes, you are still blue, you want to defend and lock down your stuff, but you have the potential, if you want to go red, you can be on the offensive and you can go and break down some of the other blue teams' infrastructure. So that is what I had tried to do here.
You can see some of the flying stuff that's going by. I got into a MySQL server because there were just default credentials, or I was able to track down a Joomla server. I'm looking at some of their other things and I'm trying to figure out what can I do, what can I write? Is there anything that I can actually establish a foothold with, either with a web shell or some kind of thing to get remote code execution? Because that right there is kind of the crown jewel. I want to be able to have that remote code execution so I can do stuff on that box.

And the way that we can get scored when we have control or have compromised another machine is to put forth what they've called a beacon. And okay, yes, the beacon is the proper name for it, but it's not so much a beacon in the eyes of the Pros vs. Joes game, in that it's much more distilled. All you have to do to prove to the scoring server, "I have this machine," is, just from that individual box, push some specific token or some unique identifier to the scoring server, and that will tell the scoring server, okay, this team or this individual has enough code execution on the box to be able to spit a token back at me. I know that, okay, they've got some leverage on that machine. That's really cool, and I don't think you get to see that in any other game or any other competition.

So I'm actually at this point trying some stuff on Joomla, because I was able to find that Joomla was a good candidate for easily just, like, scraping up some remote code execution, and then being able to go ahead and submit some beacon tokens. For BSides DC, this footage right here, I was unfortunately not able to get something moving. I don't know whether there was some miscommunication or what fell away, but unfortunately the beacon token that I was working with was just not getting accepted by the scoring server. So no pointed fingers.
No name calling or whatever. BSides Delaware, we wrecked house. We were able to get a lot of beacons set up, especially because we knew this. Truth be told, I knew, I had this foresight from playing the game earlier, that leg-up advantage where I could find some of those easy footholds, so Joomla being one of them.

Another thing that I think I was able to kind of take advantage of was having the situational awareness of everything that's in the network, because another thing that is present in this game is some notion of injects, or puzzle boxes, or machines that the game administration, the staff, will just drop into the network and you'll have to respond to or deal with as the game goes on. An interesting thing to note is that those puzzle boxes are always there, and they as well may have some of the default credentials that are originally being handed out to the teams. So if a team is not cognizant of the fact that they are still on the network and are still an endpoint, maybe we can take advantage of those if some people haven't immediately, you know, like logged in, changed creds, hardened, boarded up the windows, etc., etc. So a thing, right? You've just got to know everything that's going on in the game, and that's very hard to do, especially with this, because yes, you have Windows machines, you have Linux machines, and you've got your firewall. As one dude and as one player it's not easy for you to kind of manage everything, right? You've got a team for a reason.

So, BSides DC, BSides Delaware, right, they both start with a D, so I'm moving quick and I'm getting them confused in my mind. But at BSides DC I kind of stayed strictly on the Linux side, and that had a lot more, I think, for the post-exploitation, some of the stuff that the red team was doing that I could track down and find. BSides Delaware, when I played a couple of weeks later, had a much more thorough, I think, red team player on the Windows side.
There was a lot of action going on there, so I didn't do much other than a lot of the Windows STIGs and some PowerShell rapid-response stuff on the Windows side. But the Linux side I wanted to prepare with those hardening scripts, or those STIGs, or whatever I could do, even kind of write stuff to verify the packages that were installed, either with deb, like aptitude and their deb packages, or yum on the Red Hat side, to determine: okay, the binaries that are on a computer, do the hashes match up with what deb or yum, as the package installer, the package manager, really would expect? So if they don't, we know that they've been tampered with, and that was a good way to track down a lot of kind of the low-hanging fruit, or things that we would very, very quickly see.

Another good notion to discuss is that of passwords, right? Well, you can authenticate to a computer, and you can authenticate to one of your machines with, yeah, logging in, SSH, RDP, excuse me, RDP or whatever. That's one way to access or log into your machine. There are other routes. So again, just nuggets that may help any future players, but without trying to reveal too, too much, I think those are good things to again keep in mind and be cognizant of.

So this game was awesome. I don't know any other game like it. Cyber defense exercise, or CCDC, right, the Collegiate Cyber Defense Competition, is similar to this in that there is a network set up that you walk into and you have to defend, but it doesn't have that purple team turn at the very, very end. Same thing when scorched earth happens: when you get to the purple team side of it, when you get to day two or the last half hour or whatever the case may be, you get to still participate in the scorched earth.

So we're getting close to the last hour in this footage here, and you may actually see I go crazy. I go kind of stupid, actually. I'm looking at GitHub, like, repositories, trying to find stuff online to just, how do I, how do I DoS something, right?
How do I completely break something down, at least from the outside going in, not with the RCE that I maybe have had on Joomla or something? On that one I could drop a fork bomb, maybe that'll do something, who knows, but it's not going to do as much damage as, okay, taking down their entire firewall or taking down someone's entire DNS server, because scoring, right? That's dependent on DNS. It needs host names to work with, so those are high-value targets and interesting stuff that you should know about if you jump into this game. Also in real life, right? They're just high-value targets, some things that you don't want to lose or have go down.

So again, you can see me here just trying to track down random Metasploit modules or their exploits I can just throw at the wall and see what sticks. And I would watch the scoreboard and people would just start to go red. They'd fall off, and I'd be wondering, is that me? Is that a red cell? Sometimes it's hard to know. You can assume it's a red cell, but at least you are adding to the noise just by throwing stuff. So, very, very cool.

Again, I am happy to showcase BSides Delaware if you want to see more of the offensive side, where I'm dropping a ton of beacons on other machines. I feel kind of bad in a way; it's like I have some mercy rules. But it was just a very, very good game and very, very fun. So if anyone ever has the opportunity to play Pros vs. Joes, I certainly recommend it, and hopefully I'll see you there. It'll be an awesome opportunity on all ends. So hey, thank you guys so much for watching. Hope you enjoyed this, and I will see you in the next video.
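The package-integrity check mentioned for the Linux side above, as an added example that is not part of the video or of John Hammond's repository: it reads a dpkg-style .md5sums manifest (the format dpkg keeps under /var/lib/dpkg/info/) and reports files whose on-disk hash no longer matches or that are gone. The manifest, the files and the temporary root are constructed for this example, and the function names are my own.

```python
import hashlib
import os
import tempfile

# dpkg keeps one manifest per package at /var/lib/dpkg/info/<pkg>.md5sums, one line per
# shipped file: "<md5 hex>  <path relative to />".  CONSTRUCTED sample, not a real package.
SAMPLE_MD5SUMS = """\
5eb63bbbe01eeed093cb22bb8f5acdc3  usr/bin/hello
d41d8cd98f00b204e9800998ecf8427e  etc/empty.conf
"""

def parse_md5sums(text):
    """Yield (expected_md5, relative_path) pairs from a dpkg-style manifest."""
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.rstrip().partition("  ")
            yield digest.lower(), path

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:  # hash in chunks; binaries can be large
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_md5sums(text, root="/"):
    """Check every manifest entry under root; return the files that drifted."""
    result = {"modified": [], "missing": []}
    for expected, rel in parse_md5sums(text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif file_md5(full) != expected:
            result["modified"].append(rel)
    return result

def demo():
    """Build a throwaway root, then tamper with it to show what the check reports."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr", "bin", "hello"), "wb") as fh:
        fh.write(b"hello world")  # md5 5eb63bbb..., matches the manifest
    open(os.path.join(root, "etc", "empty.conf"), "wb").close()  # md5 d41d8cd9...
    clean = verify_md5sums(SAMPLE_MD5SUMS, root)  # expected: nothing drifted
    with open(os.path.join(root, "usr", "bin", "hello"), "ab") as fh:
        fh.write(b"\n# appended bytes stand in for a tampered binary")
    os.remove(os.path.join(root, "etc", "empty.conf"))  # and a deleted config
    return clean, verify_md5sums(SAMPLE_MD5SUMS, root)
```

On a real host you would loop over /var/lib/dpkg/info/*.md5sums (debsums on Debian and rpm -Va on Red Hat do this same comparison for you). The manifests live on the same box, so an intruder with root can rewrite them too; comparing against hashes from a clean copy of the package is the stronger check.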