Our Information Security Office has hosted a Cybersecurity Festival event yearly during Cybersecurity Awareness Month for several years. In 2020, I participated in a CTF event, which I covered here. In 2021, I was part of a team that created an infrastructure for the Red Team versus Blue Team event, which I mentioned here. Last year, I participated in creating a CTF challenge for the event. I also helped a colleague with the Offense for Defense event.
To some extent, creating a CTF challenge was similar to last year’s event in that you try to think of a scenario from both attacker’s and defender’s perspectives. Since I have participated in several CTFs, choosing the category for the challenge was the first that came to mind.
Since networking is my background, I figured I should create a CTF challenge that involves network forensics. From there, I started to think about what I wanted folks to learn. Since I had an idea of who signed up for the event, I did not want it to be easy. Moreover, I wanted them to learn something about networking.
Category
Technically, the CTF challenge that I created involved multiple categories. The main one was network forensics since participants needed to analyze the traffic within a PCAP file. The challenge also included offensive security since they must crack the authentication key to get the flag. If you consider “Googling” as OSINT, there was some of it too.
Since I needed to generate a PCAP, I had to figure out what traffic I wanted to add to the file. First, I needed to decide what networking topic I wanted the participants to learn about. I settled on FHRP (First Hop Redundancy Protocol) as the topic, specifically, HSRP (Hot Standby Router Protocol).
HSRP
I have already covered a post about HSRP, which you can read here. Essentially, the challenge was related to it. If the participants came across my post, they could follow the instructions to help solve the challenge.
The PCAP file contained three different sets of HSRP traffic. One set of traffic was related to an environment with a plain text authentication key. You might ask, what was my intention in including this? Well, I wanted to demonstrate to participants who do not have a networking background that there is an insecure way of implementing authentication. That is if they had the time to realize that during the competition. Furthermore, I wanted to trick them into thinking the authentication key they found was the flag.
| Related: Attacking HSRP |
Another set of HSRP traffic had an MD5 authentication but with a weak key. The MD5 authentication key I selected is in the RockYou wordlist (rockyou.txt), which is in Kali Linux. It might be evident that I intended to teach the participants not to use a weak key. Especially a key that is in the popular wordlist.
The last set of HSRP traffic had an MD5 authentication with a key that is impossible to figure out within the time allotted without a clue. From the perspective of cracking the key, it is essentially the same as above, except the participants must use a custom wordlist.
Custom wordlist
Since the authentication key I selected is unlikely to be included in any popular wordlists out there, I needed to give them a clue on how to create a custom wordlist for them to use. I covered the custom wordlist creation here. Below is the clue for the wordlist. While there are many ways to generate network traffic, I used the Netcat utility for this task.
1 digit
1 lowercase character
1 uppercase character
1 symbol
Alter ego’s First name of a Marvel character
Separated with an underscore
1 symbol
1 lowercase
1 digit
1 uppercase
Alter ego’s Last name of a Marvel character
Since the authentication key I selected is unlikely to be included in any popular wordlists out there, I needed to give them a clue on how to create a custom wordlist for them to use. While there are many ways to generate network traffic, I used the Netcat utility for this task.
Essentially, I created a file with the instructions on creating a custom wordlist and served it on one of my VMs, then connected to it from another VM. Technically, we can do this using one machine. However, production traffic typically does not flow like that.
The syntax below is how to perform the task, just in case you are unfamiliar with the Netcat utility.
andrew@server:~$ sudo nc -lvp 80 < clue.txt listening on [any] 80 ... andrew@client:~$ nc 192.168.100.100 80
ZIP file
Since the CTF organizers agreed to intertwine the challenges, I included a ZIP file for the next challenge in my PCAP file. The ZIP file was password protected with my challenge's flag.
For this task, I used an unencrypted protocol, so it was easy to generate the traffic and easy for the participants to perform data extraction. I chose HTTP for the job since I knew I could easily use the built-in Python HTTP server module on Kali Linux.
The syntax below is how to perform the task, just in case you are unfamiliar with the Python HTTP server module.
andrew@kali:~$ python -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Difficulties
CTF participants faced a few difficulties with my challenge. The common one was the custom wordlist creation.
The first challenge was the number of characters in Marvel comics. There are many Marvel characters to choose from. However, when I created the clue, I thought the participants would think about our Cybersecurity Festival's theme: Cloudy with a Chance of AWESOME. Unfortunately, they did not figure it out, so we had to give them a free clue because they were just on the third challenge. The Marvel character that I chose was Storm's alter ego, Ororo Munroe.
The second challenge was the clue technically required a massive wordlist. However, the wordlist I created was an incomplete one. It was to lower the total number of words in the wordlist. As a free clue, we gave them the total number of lines needed for the wordlist.
I realized the participants were using the command below. As you may have noticed, this command will generate over 49 billion lines.
andrew@kali:~$ crunch 20 20 -t %@,^Ororo_^@%,Munroe > custom_wordlist.txt Crunch will now generate the following amount of data: 1045058414400 bytes 996645 MB 973 GB 0 TB 0 PB Crunch will now generate the following number of lines: 49764686400
But, the way I did my wordlist was the following commands below. When I created the challenge, I failed to realize how flawed my thinking was. Without the free clue, nobody would have figured it out. I was glad that there was a participant that was able to get the flag for this challenge.
andrew@kali:~$ crunch 9 9 -t %@,^Ororo > ororo.txt andrew@kali:~$ crunch 11 11 -t _^@%,Munroe > munroe.txt andrew@kali:~$ paste -d "" ororo.txt munroe.txt > custom_wordlist.txt
Dependencies
Another common one was the software dependencies needed to run the Python script in the John the Ripper (JtR) directory to extract and convert the hash to something it could understand. When I created the challenge, I used Kali Linux version 2020.3, which still had Python 2.7. That said, the instructions I covered here worked fine on mine. All of the CTF organizers agreed to make this part of the challenge. That said, I included a hint that says Python 2.7.
At the time, the latest Kali Linux version removed Python 2.7, and folks were encountering software dependency issues. We eventually gave them free hints about that as well. The participants could not install python-pip since Debian removed it from the repo because they deprecated Python 2.7. Some participants installed python3-pip instead, which would not work with the JtR Python script.
One of the free hints we gave them was to use Kali Linux 2020.3 since it still has Python 2.7 installed by default. We gave them another hint to install the python-pip by following the commands below.
andrew@kali:~$ curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py <-- Output omitted for brevity --> andrew@kali:~$ sudo python2 get-pip.py
Alternative
I found a way to fix this issue in newer versions of Kali Linux. Though, I have not tested this with other flavors of Kali Linux, like the ARM version. Essentially, you have to download and run the Pimpmykali script found here. One of the things the script does is re-install Python 2.7, which is useful for scripts that do not have a Python3 equivalent.
JtR script error
When they ran the JtR Python script, the participants encountered yet another error message, so they thought we gave them a corrupted file. We told them that it was part of the challenge to figure it out.
andrew@kali:~$ sudo /usr/share/john/pcap2john.py hsrp.pcap Note: This program does not have the functionality of wpapcap2john, SIPdump, eapmd5tojohn, and vncpcap2john programs which are included with JtR Jumbo. Traceback (most recent call last): File "/usr/share/john/pcap2john.py", line 1494, inpcap_parser_htdigest(sys.argv[i]) File "/usr/share/john/pcap2john.py", line 1372, in pcap_parser_htdigest pcap = dpkt.pcap.Reader(f) File "/root/.local/lib/python2.7/site-packages/dpkt/pcap.py", line 328, in __init__ raise ValueError('invalid tcpdump header') ValueError: invalid tcpdump header
When I created the PCAP file, I saved it in PCAP Next Generation format. The JtR Python script cannot handle PCAPNG files, so they must convert it to regular PCAP format. The participant can issue the command below to perform PCAPNG to PCAP conversion.
andrew@kali:~$ editcap -F libpcap -T ether hsrp.pcap hsrp-new.pcap
Final words
Participating in CTF events as a player allowed me to learn a lot. I also learned a lot as one of the CTF organizers. If you ever have an opportunity to join a CTF event as a participant or organizer, make sure to take advantage of the opportunity. This year, I am part of the team that will create CTF challenges again. I think this time, however, I will make easy and medium-difficulty challenges only.
You might like to read
BUY ME COFFEE ☕
