Hello everyone out there on the internet here. We are again at the... I don't want to call it like a casting couch. It's like a hacker cat... It is... it's... it's the hacker couch. That's worse. Yeah, it's what we'll go with. All right, let's move on. This is a video showcasing our CTF from BSides NoVA, when we played the capture the flag competition there just this past weekend. It's Monday, today's Monday. Yeah, the CTF was Friday and Saturday. So we took first place, which was cool. Pull up the thing. Oh, you got the thing? I mean over... I can't reach it now. We're here to do all that, you're not gonna grab it? Oh yeah, I don't want to like... Do it, just climb over. I'll be back in a minute. We won. We won. We won. It says two cajillion dollars and five hundred cents. That's how you read... Please don't cash the check. I don't even... image of it now... Joke, we already joke. Okay. Um, so the game was king of the hill style. Yeah, really fun. Who's the guy who put it on? A rush? The Hacker Ground CTF. Yeah. Yeah, super good. What this video is, is nine hours or ten hours or whatever, I'm ever meant to time... footage that I sped up to sixteen hundred times speed, so it looks like flashing. We have some basis to like actually make this video out of, so let's do it. Let's play the video. I'm gonna put us over here and I can move us around if need be, but it's on the TV so we can watch it and talk about it. I'm like winded from getting that. You should do more cardio, I guess. So how do I play the video? I don't computer very well. Okay, so premise of the game: they put us in a network that had a couple machines surrounding us inside of it that we were to attack and break into. Here at the beginning I kind of take an inventory of what all those machines actually are running, my nmap scan, seeing what challenges are actually asked of us, right, and I tried to put together some Discord communications so we can actually share all these nmap scans or findings, et cetera, et cetera.
You might be able to see the CTFd challenges just spring up every now and again. I also went through looking at them, but really the task was to just break into each of these machines. Maybe they go... they're just flying around, and actually be able to hold them down. It was a king of the hill style game like Julian mentioned. So you mentioned that the CTFd... So the CTFd was there to submit flags. So once you got access to a machine you could submit a flag and you got some points for the actual flag on the machine, but the majority of your points were going to come from holding that machine for a long period of time. And the CTFd didn't provide any prompts and say like, oh, do this on this machine. It just said, here's the... here's an IP address of a machine, and submit a flag for it, or a name of a machine. For those of you who aren't aware of what king of the hill style CTFs are: there was like eight or nine servers, I don't remember how many, and you had to hack into them, but the other teams could hack into the same servers and kick you out. So not only were you doing attack, but you also had to do defense of the machines you've just compromised, and so that way one team just didn't have the thing the entire game. Every like two hours was like a rolling reset, so then whoever could hack back into it faster and re-set up their persistence and re-kick everybody out got points. And then there's a capture binary that you ran with your points, your team name, and that basically gave you points. Yeah, one of the big things is not just taking other people out. That's great, and that's really good, and if you don't do that they're just gonna keep being annoying. But the other thing is patching whatever vulnerability that you got in through so they can't get in after that, unless you can kick them out another way, because if you patch the vulnerability and lose your C2 then you've now... Trevor's here. Hi Trevor. Come join the video. Your friend Trevor was there, but he didn't play on our team.
He was hanging out. You brought taquitos? Nice. So anyways, we talked about how we're doing. You see right here on the screen, if you can pause it, John. Yeah, man, right now isn't a minute. This one took us way too long to figure out. This was a Java RMI one, so it was a deserialization one, and basically like this should have been a very simple, like, just use ysoserial, and for the life of us we could not figure out why it wasn't working. We didn't get it till day two. So part of the reason we didn't get it working: so ysoserial has a lot of different payloads it can use. Specifically this was an RMI server, and so that's a specific exploit that you can tell ysoserial to use. You just have to tell it what payload to use and then what command to run. So the problem was we didn't know what the machine was. For example, John tried it for a long time using ping, which theoretically should work no matter what type of machine it is, like Windows or Linux. I, for some reason, in my own stupidity, like just assumed it was a Windows box, and I was trying to run other things and none of it would work. Julian ended up getting it to work because he was like, no, this is a Linux box, man. So he ended up getting it to work; it ended up being the command we ran. But one thing we had talked about was just trying to create something for this type of thing to just automatically run through the payloads and try all those payloads for both Windows and Linux type of commands and then see which one works. I kind of did a little bit of that but stupidly assumed it was Windows the whole time. So you could see me like looking at the IppSec video, which is where I see him doing like a ysoserial Java RMI exploit, and I was trying that syntax or whatever. But yeah, it'd be cool to like weaponize something that'll try all the payloads and then just be able to figure it out and know when it's actually got some response back to it. The easiest way we were talking about earlier to do that, I think, would probably be the same thing you
did, and the same thing you tried to do, is run ping. But there's some little caveats in there. You have to do what I was talking about earlier. I think you could do it with just like Scapy and Python. You could start the capture in a separate thread and then start... send the payload, stop the capture, check for ICMP packets. Yeah. The only reason I knew it was Linux was I pinged myself and I didn't see it stop pinging myself, so I knew that meant it was either Mac or Linux, and yeah, Linux was more likely. Nice. Yeah, I had used ping with a -c knowing that, hey, maybe that will stop it, because if it goes in an infinite loop that could be very... will be bad. But I think I literally used a hyphen c rather than a forward slash c or whatever the syntax is on Windows, because I just couldn't... I didn't get it right. But yeah, that was really cool. We also... you also found the... what was it? It was BlueKeep? I'd been doing a ton of research on EternalBlue because one of the boxes had linked to, in their CTF challenge, I've linked to literally the "Blue" song by like Eiffel 65. That's exactly right. And EternalBlue wasn't right because SMB was filtered, and we're like, is SMB supposed to be filtered? And then you found a different machine that we literally had no idea was even on the network. I don't know what happened when we pinged it at first, or it didn't respond to ping at first, and it didn't nmap right unless you threw a -Pn on there. But then when you actually did this... whatever that mode is, the "assume it's up"... Oh yeah, -Pn, right. Then it responded with 3389 open, and BlueKeep made sense. And it was nice because not only... whatever Windows 7 box it implemented, he made it work with the default set... one payload, or set target 1 in Metasploit. You didn't have to try to guess which hypervisor it was on to figure out what box you had. It's... below now... BlueKeep is really unstable, right?
Yes. So did you have to do anything special or fancy to figure out the parameters, or if you had to do that, what would you do? So I don't know a lot about... yeah, so past experiences, it's very touchy on the groom size. I think the default one for Meterpreter or Metasploit is 250 megabytes. In practice, if you set your groom size to 50, I... don't know why it makes it more stable, but it does. The other thing you can do is if you're setting up your own range, basically like if you're running it in a virtual machine, if you take your virtual memory and use recall to figure out what the offset should be, then you can get the exact offset you need to set to your thing, and if you Google this there's more stuff online on how to do it. But I've had to do that before, setting up my own range, where you find what offset and you pass that... edit the back-end Ruby script for Metasploit. That way it's not just your regular default ones; you can actually put in your own custom one and that works. But luckily he made it work with one of the default Metasploit exploits. Okay, let me talk about some of the stuff that's flying around on the screen, because once we got onto some of the boxes I was doing like really dirty... Oh sure, sure. I don't know if... I don't know if it's visible well. I had written some stupid scripts to stop all of the other people's capture, like they would run their capture program and it would just fail, or I would want to kill it as soon as I saw it, or if it was like running in the processes. And I went ahead and would try and spam their terminals. This is like my favorite technique: catting /dev/urandom into their PTY device, and then their entire terminal on there, whatever SSH session they're in, just goes like haywire with all the output. And it's so funny because, yeah, you can... you can hear the terminal, like the alarm, or the bell escape character going through them. So there was a team behind us; it would be like ding ding ding ding. It's like, oh man.
We're hurting some people. You could hear people like... a lot of... a lot of angry people. It was fantastic. Another thing you did, I know I heard some other people talking about it, was you replaced... or you aliased... Yeah, cat to /bin/true. Yes, so that whenever they tried to get the flag, they get on the machine, they try and cat the flag, and it would just return nothing. They'd be like, the flag file's empty. And this is totally... the person writing this, he'd be like, no, it's not. I just checked, the flag file's there. It's like, I can't... it... it's empty. I love this because we didn't change the flag; the flag's not removed, the contents are all still there. You just can't flat cat flag.txt. If you open it with anything else you'd see it, like, totally still within... within rules. So then your idea the second day was, all these like evil little things we were doing, John's idea was like, hey, can we... can we make this happen automatically? Can we just like have it all happen? So what we actually did: we went home that night, and so they shut the game off, you can't play it at night, but we went home and actually wrote a script. We called it maintain, and basically what maintain did is it logged on, it would... after it logged on it would go through, and I think the first thing it did was spam /dev/urandom to everyone's terminals. Everyone stop. You put that in the background; it was a while one in bash, and it would just put it in the background. Any time a new PTY came up that wasn't from our IP addresses, it would just spam /dev/urandom to that terminal. The next thing it did is it reset passwords on all of the accounts, so even accounts that you don't normally use, like lp or mail or sys and things like that, and it would reset all those passwords. It would patch or backdoor /bin/false and /usr/sbin/nologin. So the way logging in works on... on Linux is, the way to disable an account is you make their default shell either /bin/false or /usr/sbin/nologin, and whenever they try and log in it'll run that, and then it just
won't work. You'll just connect; it won't... it won't actually have your shell. Well, if you copy /bin/bash to those places, then even places that show nologin or /bin/false will now be able to log in. So we changed all those people's pass... all those accounts' passwords, and then we backdoored those... those binaries, and then all of a sudden we could log in as users like mail or sys and things like that. We also added them to sudoers files so that all those users were now administrators. And the last thing that I had added to that script, at least for this part, was installing SSH if it wasn't already installed, because we had root access, so an SSH server, then setting up SSH to disable password authentication and patching it so that every single user's authorized_keys was our authorized... or our public key. So we had generated a public key for us as the red team, and we... and we could then log in as any user with that private key, and all users had sudo access, and no one else could authenticate with a password or any other private key. So that gave us access to anything with SSH on or able to run SSH. And then we continued writing scripts to automate some of this. For a couple of the challenges that had SSH access, you went in and like made a script that would just test that SSH access and then, if it was there, immediately send and run that script. Then do what... yeah, so the buffer overflow ones that I had... I had solved, there was a buffer overflow easy and buffer overflow hard, and so I had solved those challenges, and you end up getting basically an interactive shell over the same socket you connected to the service as. And so my exploit scripts then would automatically, after it gets a shell, like create a listener, stage the maintain script on that machine, run the maintain script in the background and then drop you to a shell. So I had those kind of running as well, and just... they would just automatically, as soon as we got access to anything, as soon as anything reset, we just send all those and start
running the maintain script so that no matter what, no one could access. And then once that was done, we could like, at our own leisure, log in and patch the binaries or patch whatever we need to do. So that was really nice. That was a huge help the second day. Yeah, I was kind of doing those originally like by hand, which is quick scripts that I would put together, and they were like disjointed and not centralized, and I put them in the crontab, and you might have been able to see earlier I had opened up crontab and someone had found it and messed with it, so they ruined all the paths. And then putting it together in like a formal script that I think is honestly awesome. It's like a good hammer for immediately finding access and then trying to maintain it, and just kind of troll other people so we can work with it. That worked well. But you did a lot of stuff for the Windows one because you got your BlueKeep. Yeah. So with the rolling resets, what was hard was like you would have to be the first one on the box, otherwise they would start killing you and then you were fighting for the box, and that's never a good spot to be in. So we wanted to automate it, so that night I was taking a crack at trying to automate the BlueKeep, and there's two like ideas.
I was kind of going after... I was gonna either use Python and like interact with Metasploit and script it, or what I ended up doing was using resource... resource files in Metasploit. So it's just Ruby. You set it up basically like, if you think, oh, like set target and do all that stuff, you can then, when you're opening up msfconsole, if you pass it in, msfconsole -r the file, the resource file name, it will just automatically start doing that. So not only did I do that, but I also wrote a batch script to like set up firewall rules to block other people out and then like kill the malware that was on the box, because the CTF administrator had quote-unquote malware on the box, that way he could get in the box, and then if the game was getting unfair he could like fuck with us. But we found his malware, so we could kill his connections as well. But anyway, so like as soon as the box... it would like run through, set the parameters, set our hosts, change the groom size, exploit. As soon as the exploit would run, it would upload the batch script for setting the firewalls automatically, and then once that was running, uploaded and executed, and then it was like safe to be on the box without having to worry about getting kicked off the box. So that was kind of cool. The firewall rule script did not work exactly, because Windows Firewall in batch is crazy. I'm still tweaking that because I want to know why it wasn't working, because I would end up like setting default any-any rules for myself to be able to go back in, but then I couldn't like... I couldn't re-exploit the box, which was annoying because I lost my connection once or twice and then I was just locked out of the box. No, we can get into it, and that was really annoying. I also ended up, later in the game when that was happening a couple times...
I started playing with Covenant as well. So not only did I... Metasploit, use Meterpreter to have, like, do all the stuff on the box, but we uploaded automatically with the resource script a Covenant executable, and then it would call back to our Covenant C2 server. That way multiple of us could log in through a web interface and like control those boxes if we needed to do anything, which was cool just to play with SpecterOps's new tool. You mentioned fighting over stuff with people, and I thought it was really funny. At one point... I think actually in the end, I thought somebody else had solved the buffer overflow easy, but I think in the end I was the only one that solved any of the buffer overflow ones, because... well, yeah, so there's a couple things. One, we were sitting there, and after I got access to the buffer overflow ones, the source code was on the machine, and so I just went in, fixed the errors in their application, and then recompiled it, and it was there. I also recompiled them all with, like... I think one of them didn't have DEP, another one didn't have ASLR. I remember I recompiled them all as position independent with DEP and everything, so that even if they... even if I'd left a vulnerability in there, it would be much harder to do, and they had the wrong copy of the binary. I think one of them was also compiled as 32-bit and I recompiled as 64, so that all of your exploits wouldn't work even if I, like... But it's really funny. I was sitting there and we were... we were playing with stuff, and I heard the guy behind me... we were at the very front, talking to... to a rush, yeah, right, and rush. And he was like asking, he's like, well, like, my exploit works, but then it won't work on the remote thing, and I... and I heard him like talking back and forth with them for a little bit. Okay, I feel... I told everybody at the table, like, I feel really bad. I have to go up there. I went up there.
I was like, so your exploit might work locally, but the binary that's running on the remote system might not actually be the same one anymore. And he kind of looked at me like, what? And I was like, it... I might have patched... But it was funny. The other team that was right behind us, they posted a write-up of all their things, and I thought it was really funny. In their write-up they... they mentioned, they were like, yeah, we could never get the buffer overflow to work, but we just had this script that ran constantly that would just connect to it and crash the service repeatedly. They were like, if we can't have it, no one can. We don't know how to actually get a shell from this, but it's not gonna work for anyone else either. And I was like, that's fantastic. I love that. Yeah. Um, what was I going to say? You were talking about the stuff that you were working... working with Windows and the Covenant server and everything. That was with Pat, who was our other teammate who wasn't able to hang out with us for the video. He's busy studying for CISSP, which I should probably do as well. When I was trying to use the Windows machine and start... starting the capture program with the Windows machine, I couldn't seem to get like a shell to be returned with Meterpreter, and I couldn't for the life of me figure out why. So I would try to run like exec or execute, multi-command and stuff like that, and at one point I accidentally wrote buffer overflow rather than butter overflow, or I included single quotes around the team name, and then apparently, because it needed just your team name as an argument for the capture program, it showed up on the scoreboard as a buffer overflow or butter overflow with single quotes, and then we weren't able to get those points. We just had like fake, accidental ourselves up there. Totally my bad. At one point we realized it, and then the one with quotes, yeah, kept going up. Where's this running? Something is running somewhere?
We can't... and we couldn't stop it. We're like, I don't know where this is running, but it's losing points for us. Oh, it was funny. That mistake ended up making third place. Yeah, so on the first day... yeah, on the first day that... that team, we couldn't get it to stop getting points, and it overtook like three other teams before we could get it to stop, and so it ended up in like third place for a team that like didn't exist. Yeah, so we wanted to pivot, because the reason that we ended up writing those like access or maintain scripts, rather than kind of dirty doing it by hand, was because by the end of the first day one of the organizers came up to us and said like, hey guys, so what we're gonna do for tomorrow, so we're actually gonna try and change the scoring up. It's honestly so that we can... so the winners that are winning are penalized and the other players that are playing have kind of more of a chance to catch up. And Pat was so funny, it was like, why? Like, why... why would... penalizing the winners for winning, like... And... and they said, yeah, so like, you know, other teams, like if Pony IP were to play tomorrow, they could still like realistically catch up, and like... so it's... so it's mathematically possible. People don't just walk in and say like, well, there's no way to do this, this is stupid, and they just rage quit. I was like, okay. Yeah, I... we totally get that. Sure, do whatever you guys got to do. I think we talked about it a lot. We got it, if it was like a friendly CTF game, then we were just playing for like, no... notoriety. Yeah, but because there was a cash prize I think we were a little upset. We were dirty. So that night when we wrote all of our access and maintain scripts to just be like immediately grab stuff, immediately lock things down, the next day that was all kind of in the effort to be like, well, we don't want anyone to catch us.
We absolutely don't want to lose this lead. We have like a hundred thousand points in the lead, but it's still like possible if someone were to break into the other machines and... and that stuff down. That morning when we got back there, we were thinking, oh yeah, let's... they wanted to make sure if someone else not in the lead has like a bonus, or they get more points when they capture, and the winning team gets less points when they capture. Julian had the sinister idea like, let's just make another team that gets the bonus points, and we're like, oh, that's a good idea. There's nothing to stop us from that. And we were thinking about it, be like... you want to chime in? To be fair, so when we have these ideas we always, like, in CTFd there's usually like an ethics or like a rules page. If there's no rules page then everything is fair game. Oh yeah, that is accepted within the community. It's like whatever is in the rules page, you don't mess with, like, don't attack the CTF game server, don't like... but if they don't, if that... if the organizer fails to put anything in the rules page, anything's on the table. Hey, they gave me access to a network and they didn't tell me it was in scope, so everything's in scope. So we made this second team, and we thought like, well, the organizer had said... Now I see the answer to the .NET... Oh yeah, yeah. Now the organizer had said like, hey, if Pony IP would have played the next day and they wanted to catch up, it's still possible for them. So we're like, you know what? Yeah, let's make our second team name Pony IP just to be sure. They're like local rivals to us.
So it was kind of like just a fun poke around. We could do something like Margarine Underflow or like other plays on our names or something random, but we went with that, and we set it up so that our maintain script would not only run our capture script for our actual team but also for the Pony IP team. And then it got on the scoreboard and it was scoring points, and the guys... the organizers and the members of the Pony IP team that were there doing other things, that were hosting their own workshops so they weren't playing, they had like, oh geez, thanks for getting us on the board, guys. And then because they're kind of tight with the actual maintainer and the guy that hosted the CTF, they would be like up on stage, like entering whatever SQL commands they needed to like bump up their points, or... or they actually made sure that Pony IP was ahead of us for a little bit in the scoreboard, and it was just like stupid fun. They went up by like a hundred thousand points in one iteration of like... of the scoring. Yeah, and we were like, what the hell just happened? We looked up at a rush, we're like, come on. It was funny. Yeah. I think there was two boxes we didn't end up solving, right? One of them was... you had to pop Hefe. Hefe was... we actually got Hefe. Well, but you had to get to the other one. Yes. How do we get Hefe? Hefe? Well, I actually headed up there... there was a... was a React application that was theoretically running in... in debug mode. Looking at the source in the JavaScript you could find literal SSH credentials. So we ended up using our access script that maintained stuff to force ourselves in there immediately on a reset or a revert, and that way we were able to kind of actually maintain our persistence and get stuff done. That one was interesting because it was just a regular user, but for the privilege escalation for Hefe and Elise or Sondra or whichever one... the other... other one was with the ysoserial. They were both container privilege escalation.
So Hefe, you had access as docker, so you could just create a Docker instance where you had root access to the rest of the file system, and then you could get the flag there and edit sudoers and actually privesc. And Sondra or Elise, or whatever the one... that one was, was with LXD. So I really actually want to make other videos kind of tailored to this stuff, not just in this lightning-speed video, but actually showcasing that technique with the Docker privesc or with the LXD privesc. So more to come. The other machine, Hawns, that Julian was getting at, you needed to get into through Hefe or something. So Caleb and I were kind of speculating; we were thinking maybe it was, uh, you had to like go in through the SSH tunnel. So yeah, the... he... the organizer implied that when you actually scanned Hawns you saw nothing open. The organizer implied that Hawns was actually SSHing to Hefe, and we realized that toward the end. There is a way that you can hijack that connection, which I've done before. We didn't end up actually trying to implement that, but likely that's what it seemed like was happening. We had... we were trying to use pspy to... or pspy to watch incoming SSH connections. The problem was our maintain script was flooding processes, and we couldn't... we couldn't see bottom lines, we couldn't see it. Couldn't we have just like read the auth log? Um, maybe, but that wouldn't tell us what exactly they were running. But it wouldn't tell us if they were SSH... Yeah, the auth log could have told us, you're right. Um, we were trying to see what they were running or what was happening. Maybe they were scp'ing a file back to themselves.
I know I've seen that on like Hack The Box or whatever. You could also hijack, actually hijack that connection sometimes. If you have a, like, a malicious SSH server, sometimes you can hijack the connection, um, which it is essentially malicious because we owned Hefe. Um, but that being said, we never actually got that. Our... our pspy process listing was flooded by our maintain script. But you can see up on the kind of top left of my terminal, those are our access and maintain scripts working. Access would try and automatically log in with sshpass and then copy our maintain script over to it and then run the maintain script, sort of flood everything else and... and make that box ours. And that was another thing we kind of felt guilty about, was because we automated all of our exploits, like unless the other team had also automated their exploits, you had 0.5 seconds to hack into it before us, before we would lock you out. I didn't really feel bad about that because it was a competitive game with an actual... Yeah, I mean it's... it's... it's a king of the hill game, so that's like just the nature of it. When I talked with some of the organizers, I was just saying like it'd be really cool if these boxes had other pathways to get into it, or other vulnerabilities or other attack vectors, so there wasn't always just one hole to break in, but there were multiple things to it. Yeah, you might get in, patch the way you came in, but you didn't even know about another vulnerability that another team is using to get in. Yeah, um, that would make it a little more competitive, I think. Uh, what... what they ended up deciding on was hourly resets, I think, at the end. They were like, okay, people are getting in and locking this down too quickly. Let's hourly reset to let everyone kind of... that was kind of... try and catch up. So that was good. I thought that was an okay solution in the moment, but, um, the only other box we didn't get into was a .NET serialization one, which we ended up... Oh yeah... out just after the end.
Well, well, we... we never knew what port to access. The problem was, um, it was all through RPC, and so it was like one of the random RPC ports that was open was actually some kind of .NET deserialization thing that we never noticed there. There was a reference in the hint, and it was like, hey, there's this GitHub project for .NET serialization. You find the .NET serialization thing for that CVE. Uh, you had to install a bunch of .NET on your computer and then compile his tool. Once you had his tool compiled you could use it to essentially exploit it. Um, but the problem was we didn't like... we weren't familiar enough with it. Um, oh, this is fun. Yeah, well, we'll talk about that in a second. So we ended up writing the whole thing, and you should be able to like leak the version. It's a very straightforward exploit once you know all the parameters, but we didn't know what port it was on, and then you also have to specify the object, which, like 10 minutes ago in the video, I saw the object and it finally clicked like how you were supposed to know that. Um, but if you would have specified the object and then the port, it would have been a very simple for us to exploit box, but we just weren't familiar with the tool, and his documentation is... I mean, he's the only one who's created a tool, so it's awesome, but, uh, it's not very straightforward if you've never done it before. So yeah, whole points to learn. The... the other thing that we found kind of on accident, I'm still a little confused how exactly it showed up. Yeah, um, so A ross tried to explain to us how some misconfiguration happened for about 30 minutes in the morning of the second day, but it happened nonetheless. Uh, and what it allowed us to do, if you pause it real quick... Yeah, sorry.
I can go back to, um, so what it allowed us to do, Pat actually accidentally stumbled on it, um, was leak the source to the actual scoring server. Uh, so we mentioned earlier, if you don't put rules or scope or IP addresses on your... Oh yeah, oh yeah. Well, yeah, I told him that we found this too. If you don't put rules or scope on your, uh, on your CTF, like rules of engagement of some sort, um, you just put us on a subnet and told us to hack things, so I'm gonna break everything. Um, so Pat leaked this source code. Um, I never got it working, but I'm pretty sure it could have been done, um, given more time. I was working on it like the last like 30, 45 minutes of the CTF, but his scoring server, there's no authentication. When you run the actual capture binary, all it does is make a GET request to the scoring server with your team name, and it uses whatever the source IP of that GET request packet is as what machine you're scoring points from. So if you... if you run it and the source IP is Hefe, for example, then it will score points for you on Hefe. It has a whitelist of IPs at the top, which you can't really scroll around on here, which is fine, but um, it is a whitelist of IPs at the top that are all of the actual, um, target machines in the network, along with some extras. And he actually mentioned when I talked to him later, he's like, yeah, all those extra machines are just in case I need to spin something else up, and then we don't have to go back and modify it. I was like, okay. Well, so what if, um, I create a packet and just throw it on the wire that says that it is the source IP of that thing? That doesn't really work over wireless. I'm not a big wireless dude, so there's reasons why that doesn't work that I don't... I don't know. But the... it doesn't work over wireless.
There's probably some security thing going on there, I don't really know. However, all of the machines in the game network are on a switch together, so theoretically, if we take one of the machines we've already compromised, we should be able to spoof packets onto the switch with a source IP address of anything we want. I tried for a little while to get it to work, but it's kind of annoying, and I'm not really good at crafting those packets, because you need to craft the entire communication with correct TCP flags and everything with the communication of the server. It should theoretically be possible though. I also dropped a couple of the machines off the network by accident, because I was trying to add secondary or tertiary IP addresses onto one interface, because you can theoretically do that in Linux, but what I ended up doing was just dropping it completely off the network by accident. And I was like, oh, that's down, it'll come back up in an hour when he resets everything. But it was interesting, it was fun. Again, it goes back to: if you're hosting a CTF game, whether it's in the frequently asked questions page or just on the home page, put a rules of engagement that specifies "do not touch our scoring server, or I will touch your scoring server." I just thought it was awesome. I just thought it was hilarious. Like, oh, we found the source, it just verifies based off IP address. Like, can we break that? Like, yeah, we just try to score on everything.
We tried using X-Forwarded-For HTTP headers to see if that would trickle through and make it think we were coming from somewhere else. We tried X-Real-IP and a couple other things, but whatever service or whatever framework he was using checks that, so had we been actually losing... We kind of discussed it towards the end. We could have spun up a virtual machine, since we had root access on all these boxes, and added another machine or added another NIC, and then used one of the... We didn't have to actually spoof the IP address. We could have just set it to a static and then actually just used the unused boxes and hopefully he wouldn't have noticed. Yeah, so that is another thing: any of those machines that were on Linux, we theoretically had sudo access. There was internet on them. We could have spun up KVMs and done all of that. That would have been interesting as well. What else was pretty fun about the CTF? Oh, you want to talk about the miscellaneous challenges yet? Sure. So once we got into hefe, hefe was the only one that had some bonus flags. There was one bonus flag, like an /etc/passwd one, that was kind of easy to see, like, just grab that there. There were some others in the source code. I wanted to kind of pause here so I can show you guys that, yeah, this is me trying to do the actual privilege escalation on hefe. I'm using my little upload-with-netcat script. That's all the stuff that I build and put together in the Poor Man's Pentest. So, a little side for that: Poor Man's Pentest was a talk that I put on at BSides NoVA.
It seemed to be a really good success there. I also put it on at BSides Double Worse, so go check that out. It gives you a little bit of functionality between managing reverse shells and getting some script data, quote-unquote functionality and code in there. But I ended up getting the Docker command and Docker image and container to actually give me root access on hefe, which was super duper cool. And again, I want to make a video on that. So you can see me now giving myself real access and setting up the maintain script for that machine that we just broke into, and you can probably see on the scoreboard Pony IP is starting to climb up, or slowly creep, with those new 100,000 points. Another... you want to talk about how you found the malware? Oh, sure. So this is something that I had kind of done previously in a Windows environment. This was back to, like, CDX days, when I wanted to have a service that would rotate passwords every minute for some stupid, not creative reason. So I found, in a previous life, the NSSM, the Non-Sucking Service Manager. So it's another service manager you could pull into a Windows environment, and it'll act like services for you. So I saw that in the ps output, looking at that Windows machine that Julian broke into with BlueKeep, and I realized, like, oh, that must be what's being used to kickstart this agentservice.exe, and that was Arash's C2, or command and control, to actually fend us off and try to keep the Windows machine and boot us away, etc. So I could see the agentservice.exe, which was pretty clearly what he was using for his back door, his rootkit, and NSSM to actually kickstart that over and over again. So I noticed once you delete those two, okay, he's gone. We flooded him out. They had some other questions about doing reverse engineering on his malware. We didn't really get into that very much. I answered one of them because it was fairly straightforward.
It was asking how he was injecting threads into a remote process, and that was fairly simple to find in Ghidra. And then the other question was asking about the XOR keys he was using, but that required more in-depth analysis that at that point either wasn't helpful or was too much work to really merit me going through all of it. It was going to take a little bit to actually figure out what was actually going on in that binary. So specifically the XOR key, I asked him at the end, it was not brute-forceable, which, most C2 malware is like one- or two-byte XORs, so you can brute force it really quickly, but his, I think he said, was a 25-byte XOR. So yeah, we would have had to actually reverse engineer the malware, and that's what he wanted people to do. We had such a lead at that point, and I was like, this is gonna be a ton of work, to be honest. This is when Julian had gotten command execution with the ysoserial. He kind of sent me that payload and I started to move around with it. Just earlier, when you saw me in the Windows VM, that was me trying to set up that .NET tool to try the .NET deserialization, but we never ended up getting anywhere with that. Cool. Do we have anything else we want to talk about this game? Trevor, you want to come join in? Trevor's been lurking in the back. Yeah, Trevor's been sitting off on the side. Get in here. Hey, buddy. Welcome. Welcome. Tell us about your game. So, you may have mentioned or not, there were three CTFs that were going on. There was the monetized one, which I assume was the challenging one here. There was the Skyline CTF, which I think was the inner... Yeah, it's back there. You got trash on the floor. And then there was the, I think, newbie-focused CTF that Katelyn and I were working on, and that was a fun one. So these types of competitions aren't really my domain, what I do on a day-to-day basis.
I do more strategy, automation, designs, systems architecture or security architecture, and so getting in here and being able to do the challenges, it was really fun. It was a lot of learning experience. A lot of you sitting around the table were able to help us while listening to Pat just ask the Rosh... Rosh... Rosh, sorry. Just wondering what he's doing up there trying to knock you guys off the systems. Yeah, and then wondering why you were knocking him off the systems. So the other, the newbie CTF that we were doing, there was a wargame-like section to it, which was really fun. Yeah, that was like Bandit on OverTheWire, right? Like Bandit on OverTheWire, and I had a lot of fun with that one because it's more systems administration misconfigurations, and I know how to tackle those with my systems engineering background experience. So Katelyn and I were working through that, and she and I actually found a few features, or misconfigurations, in their setup there. So like level 16... no, no, no, level six, you could actually achieve... it captured the flag when you were level three. And then by getting to level 16 or so, there was a privilege escalation file that actually just went and catted the flag in the next user's folder, but you couldn't do that because the binary couldn't read the flag when it was supposed to. And then the last challenge was level 22, and that just didn't work at all, so they just gave us the flag. A lot of the other ones were crypto focused, which, when I realized Alfred was playing the CTF, and he won number one... He is the AWS crypto guy, and he's a frequent crypto CTF black badge winner, and I think he's on the ShmooCon crypto CTF challenge. So once I realized he's playing, I was like, all right, it's game over. So Alfred took first, Katelyn took second. You got third. I did. I didn't realize I got third. Oh, it's good to play. I just heard my name up on stage. I'm like, what?
So then a lot of the other challenges, categories of challenges, were very similar to the ones you're talking about here, just significantly easier. I didn't actually know this, but on images.google.com you can do a reverse image lookup. Yeah. It's like, all right, that's cool. We gotta go out and look in some different areas around the world just to find some hint of a flag. That's cool. That's kind of neat. That CTF is put on by the same guys that are Pony IP, that rival kind of local team that we play against. It's a friendly rivalry. It was really cool because they put it on as a workshop this year. So the first day, the workshop, they walked everybody through how to do all these things so they could learn, and then the second day they ran it competitively so people could reinforce all those skills they learned the first day. So hopefully they took good notes, otherwise they had to remember how to do everything. All right, cool. I guess I'm out of footage. That was 33 minutes of lightning-speed, breakneck fireworks of hacking, or at least hitting the backspace key like 70 times. That's what hacking is. Yeah. I almost broke my computer. Your backspace key is your most frequent key. You did break your computer. Like, we don't even talk... I kind of broke my computer midway through the competition. And he decides to take his computer apart to replace the thing because he broke it. The palm rest, or whatever the palm rest assembly, screw posts had broken. So I bought a new palm rest assembly. It came in that evening, and I was like, oh cool, I'm gonna replace this, which requires removing the entirety of the internals of the computer and detaching the monitor from the laptop and then putting it all back together. Which I did, except that I broke a clip on the touchpad ribbon cable that connects to the motherboard, and now my touchpad doesn't work. I was watching this whole thing. I was dying inside.
I'm like, there's not enough medication for me to be able to sit through this. He's gonna break it. He's gonna fuck something up. It was all fine. He's not gonna be able to put it back together. It was all fine, other than that little tiny clip. The whole thing was fine, other than a little tiny clip pops off and now the ribbon cable doesn't stay in, which we found... I just find the clip. Yeah. You had to go to a backup laptop? No, I had a Bluetooth mouse. It was plus... who uses the mouse anyway? If you couldn't get your computer to boot? Oh, I would have just went and bought another one and then returned it. Bought a new computer, then returned it the next day. Yeah, so I want to applaud you guys and give you kudos on the automation script that you put together. Thanks. Yeah, so like 10 years ago, when I first started working professionally, we didn't even call it automation then, or it wasn't commonly called that. It was probably still... was it... It's named after, like, I think Ford put it together, auto-whatever. It's two combo words that came together to be automation, like something operations. But we called it the lazy admin method, which means if you're gonna do it twice, you may as well script it. Yeah, so good job. Yeah. That's how I feel about everything, automotive operation. So let me wrap it up. I know a lot of people will comment on this video and be like, dude, John, this doesn't help me whatsoever. I can't follow a video that's at 1600 times speed. I know. I'll try to put together some actual kind of tailored and specific videos for some of the techniques in here. We might put together... I know Caleb's got some good ideas bumping for that, the ysoserial attack and kind of brute forcing payloads to get a callback, which would be really cool. Julian, if you put anything together for some of that, resource scripts in Metasploit to get BlueKeep up and running, like, on the fly, that'd be kind of cool. So there's a lot going on.
Thank you guys for watching. BSides NoVA was an absolute blast, and it was very, very cool and a lot of fun. So thanks for watching. Rock and roll. I can't close the webcam at this distance, so I'm just gonna have to hit the... bye, but bye. Bye. This little piggy went to the market. I can't wiggle each toe though. It doesn't... I can't. I'm not a monkey. What was that thing you were doing a minute ago? What? I like... You got some good audio there. Stay hydrated, boys and girls. Is there anything from 7-Eleven? No. If you grab some taquitos... The ali don't... Taco taquitos. Taquitos, taquitos. Trevor might bring some taquitos from 7-Eleven, because he was like, you want anything? And I was like, I mean, if you buy taco taquitos, I'll eat them, obviously.