Our Information Security Office (ISO) hosted its first-ever capture the flag (CTF) event recently during the Cybersecurity & Privacy Festival. The CTF was open to all staff for a whole week from 10/19 – 10/23. It was engaging, educational, exhausting, frustrating, and infuriating. In this post, I want to share my CTF experience. I will also include some information about the challenges and my thought process. Bonus: I incorporated a mini-CTF. I encourage you to try it out!
Before this event, I’ve participated in three CTFs in the past. The first two CTFs I’ve done were back in April 2018. It was during my SANS SEC530 (Defensible Security Architecture and Engineering) training at Louisville, Kentucky.
The first one was the Cyber Defense NetWars. This particular CTF is what I’d say a traditional one since it covers multiple categories. The second CTF was for the SEC530 class itself. The third CTF, hosted by Palo Alto Networks, focused on their Prisma Cloud product, which I’ve never used until that day.
While this CTF was my fourth one, my CTF experiences varied from one to the other. All four of them had a different set of challenges. However, this CTF has some similarities with SANS NetWars.
There are three common types of CTF: Jeopardy-style, attack-defense, and mixed. Our internal CTF was a Jeopardy-style. This type of CTF usually has multiple categories of challenges. Since the game organizers recognized that participants were coming from various backgrounds (some of which were non-technical), they included privacy and security questions of varying degrees of difficulty.
When they opened the CTF site on Monday at noon, there were around 100 challenges. By Tuesday night, the top 3 players ran out of challenges, and I was at the top. We thought we could finally rest from it and enjoy the rest of the festival. We were wrong.
On Wednesday, the organizers added 20 more challenges. The majority of the challenges were different from the original set. It required more thought and research than the previous ones.
The top 3 players couldn’t answer one of the questions in the password category. Each one of us didn’t want to take the hint, so the organizers decided to give us a freebie.
Unfortunately, the notification bell didn’t show me that there was a new message. I had to go to the notification page to see what’s there. By then, I was three hours late. On top of that, I had to install, troubleshoot, and learn how to use GPG Suite. By then, I, unfortunately, lost the lead because whoever gets the highest score first gets the top spot.
They didn’t stop there. On Friday morning, they added two more challenges. These two challenges require us to apply the knowledge we gained from one of the workshops. The workshop focused on exploiting vulnerabilities on multiple systems.
I had mixed feelings about the additional challenges. I know other CTF participants welcomed the extra challenges. My main gripe was the amount of time we had to dedicate if we wanted to win the CTF. Other than that, it was very educational.
Unfortunately, I was not permitted to share the real files from the challenges. The next best thing I could do is to try to give you a similar example of the challenges. Since there were a lot of challenges, I will only pick a few of them.
I’ve heard of steganography before the CTF. However, I’ve never inspected a file that has a hidden message until last week. It was fun to go through the process of learning how to decipher what’s the secret message. There are several tools that you can use in the area of steganography. I will only cover some of the tools that I’ve encountered to solve the CTF challenges.
I believe this challenge is a perfect warmup for the steganography category. It serves as an excellent way to teach someone to gather any data that they can get from the file.
The challenge has a simple question: where does this road go?
Depending on someone’s experience, the CTF player may perform a reverse image search to get a clue where it is. However, some CTFs will never make it that easy.
|Related: Kaos Corp: Habanero|
Since I wasn’t familiar with the tools used in steganography, I had to research the subject. One of the tools I encountered was the ExifTool. Alternatively, you can use this site to view the metadata.
Running the ExifTool is easy. Just issue the
exiftool <filename here> syntax, and you will see the metadata, as shown below.
networkjutsu@MacBook-Pro$ exiftool road-untraveled.jpg ExifTool Version Number : 12.00 File Name : road-untraveled.jpg Directory : . File Size : 209 kB File Modification Date/Time : 2020:10:27 19:25:51-07:00 File Access Date/Time : 2020:10:27 19:29:57-07:00 File Inode Change Date/Time : 2020:10:27 19:29:56-07:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1.01 Exif Byte Order : Big-endian (Motorola, MM) Orientation : Horizontal (normal) X Resolution : 72 Y Resolution : 72 Resolution Unit : inches Color Space : sRGB Exif Image Width : 1024 Exif Image Height : 674 GPS Version ID : 220.127.116.11 GPS Latitude Ref : North GPS Longitude Ref : West Current IPTC Digest : d41d8cd98f00b204e9800998ecf8427e IPTC Digest : d41d8cd98f00b204e9800998ecf8427e Image Width : 1024 Image Height : 674 Encoding Process : Progressive DCT, Huffman coding Bits Per Sample : 8 Color Components : 3 Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2) Image Size : 1024x674 Megapixels : 0.690 GPS Latitude : 37 deg 48' 43.74" N GPS Longitude : 122 deg 28' 39.80" W GPS Position : 37 deg 48' 43.74" N, 122 deg 28' 39.80" W
To me, the only interesting data here is the GPS information. If you plug that into Google Maps, then you should see the Golden Gate Bridge. That’s the flag for this challenge.
This challenge has a simple task – to find one of my favorite quotes. The hint is: The only true wisdom is in knowing you know nothing.
This challenge was a hard one. I tried using exiftool and other tools, but I wasn’t having any luck. Eventually, I found this site, which helped solve the challenge.
Alternatively, if you can use CyberChef, you can also use that to solve this challenge. However, when an image has three different values for the bit planes, then CyberChef is not the right tool.
The StegOnline tool is easy to use. The hardest part is figuring out which RGB bit plane values you need to solve the challenge.
To use the StegOnline, upload the image, then choose the Extract Files/Data button. From there, you tick a box or more and click the Go button. Look at the ASCII section and inspect anything that may be of value. Some CTF challenges do not require you to decode anything – it will just be in regular text. Take this image, for example.
In this case, I encoded it using Base64. There are a lot of online tools out there that can decode it for you. Alternatively, if you are a Mac user, you can use the command line. Use the
echo SSBrbm93 IG5vdGhp bmcgZXhj ZXB0IHRo ZSBmYWN0 IG9mIG15 IGlnbm9y YW5jZQ== | base64 --decode syntax to find out the flag. If you’re a Linux user, you may need to remove the spaces.
networkjutsu@MacBook-Pro$ echo `echo SSBrbm93 IG5vdGhp bmcgZXhj ZXB0IHRo ZSBmYWN0 IG9mIG15 IGlnbm9y YW5jZQ== | base64 --decode` I know nothing except the fact of my ignorance networkjutsu@ubuntu$ echo `echo SSBrbm93 IG5vdGhp bmcgZXhj ZXB0IHRo ZSBmYWN0 IG9mIG15 IGlnbm9y YW5jZQ== | base64 --decode` base64: invalid input I know networkjutsu@ubuntu$ echo `echo SSBrbm93IG5vdGhpbmcgZXhjZXB0IHRoZSBmYWN0IG9mIG15IGlnbm9yYW5jZQ== | base64 --decode` I know nothing except the fact of my ignorance
As mentioned earlier, you can also use CyberChef. The great thing about using CyberChef is the recipes that you can add, for example, adding From Base64 recipe.
CTF Challenge #1: Fast and expensive car
Experience is the best teacher, so I want any CTF beginner to figure out the flag. Comment your answer below. Check back a few days later to see if your comment gets posted. If you see your comment, then you didn’t answer correctly. If you don’t see your comment, then you answered the challenge correctly.
FYI – This is a relatively easy CTF challenge. You may not experience the same in a real CTF.
Before the CTF, I’ve played with two popular password cracking tools in the past: Hashcat and John the Ripper (JtR). In fact, I used JtR in one of my articles. That said, I thought it would be relatively easy with wordlists. I was wrong. It turned out that you only need one wordlist, additional command flags, and some thought.
The password section had six challenges. I thought that three of those challenges were related to each other because of the CTF titles. The CTF titles were along the lines of a weak password, still not adequate, and better but still crackable.
I grabbed all the shadow files from these three challenges and copied the ones I needed. I ran hashcat with RockYou wordlist and waited for it to finish. When the cracking process finished, only one password was in the output file.
networkjutsu@MacBook-Pro$ $ cat combined-hash $5$00000$i8iHSm4kLHOMO0u8nbtpg.4N/t5hgYJBCJ1OFlkk42/ $5$00000$Megnzik.4VtQFweBSkgZqjNGeH5M27UncMuCDOeDK0B $5$00000$zCy8qKUIqL3RTJooaLxEDATUwYi.h9gvKKyUee039OC networkjutsu@MacBook-Pro$ hashcat -m 7400 -a 0 -o cracked.txt combined-hash rockyou.txt -O hashcat (v5.1.0) starting... OpenCL Platform #1: Apple ========================= * Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped. * Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU * Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU Hashes: 3 digests; 3 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Applicable optimizers: * Optimized-Kernel * Zero-Byte * Single-Salt Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 15 Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Dictionary cache built: * Filename..: rockyou.txt * Passwords.: 14344391 * Bytes.....: 139921497 * Keyspace..: 14344384 * Runtime...: 2 secs Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Type........: sha256crypt $5$, SHA256 (Unix) Hash.Target......: combined-hash Time.Started.....: Sat Oct 31 09:17:01 2020 (5 mins, 35 secs) Time.Estimated...: Sat Oct 31 09:22:36 2020 (0 secs) Guess.Base.......: File (rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#2.........: 4689 H/s (12.95ms) @ Accel:16 Loops:4 Thr:256 Vec:1 Speed.#3.........: 38154 H/s (2.93ms) @ Accel:64 Loops:16 Thr:256 Vec:1 Speed.#*.........: 42842 H/s Recovered........: 1/3 (33.33%) Digests, 0/1 (0.00%) Salts Progress.........: 14344384/14344384 (100.00%) Rejected.........: 244335/14344384 (1.70%) Restore.Point....: 13868283/14344384 (96.68%) Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:4996-5000 Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:4992-5000 Candidates.#2....: 0841831213 -> 0805545693 Candidates.#3....: $HEX[2a34657665723732332a] -> $HEX[042a0337c2a156616d6f732103] Started: Sat Oct 31 09:16:56 2020 Stopped: Sat Oct 31 09:22:38 2020 networkjutsu@MacBook-Pro$ cat cracked.txt $5$00000$Megnzik.4VtQFweBSkgZqjNGeH5M27UncMuCDOeDK0B:Roja_1587
CTF Challenge #2: Crack the passwords
We’ve cracked one password, and that’s a clue in itself. I suggest you brute force attack the other two passwords. With a better GPU than my Radeon Pro 460 that comes with MacBook Pro 2016, you should be able to crack these two passwords in less than 30 minutes.
Same as CTF challenge #1, comment your answer below. If you come back to my site and do not see your comment, that means you answered it correctly.
It’s normal to feel intimated by CTF competitions, especially if you’re new to it. I felt the same way during my first CTF at SANS NetWars. However, I still went in there with no expectations to win and just wanted to have fun solving challenges. Guess what? I ended up being on the board and won a coin.
Trust me when I say that you will expand your skillset when you participate in a CTF. Whether you enter as an individual or a team, you will gain knowledge from the competition. Having said that, if you’re new to CTF, I suggest you participate in my mini-CTF.
You might like to read
BUY ME COFFEE ☕