ArcticCon 2019 CTF

Arcticcon is a conference by red teamers, for red teamers...and I was lucky enough to attend and participate in their 2019 CTF.

aRcTicCON

First of all, the conference was amazing. The first day was dedicated to the CTF, the second day had a focus on training/labs, and the third day was loaded with presentations that were all informative, inspiring, and packed full of tips, tricks, tools, and advice that I could actually use in my day-to-day.

The CTF had three main components to it, with SE being peppered in as well:
  • OSINT
  • Physical
  • Netpen
I was assigned to team IronMan, along with five others.

OSINT

On May 2nd, 2019, the CTF opened up for teams to begin working on the OSINT challenges. 

The Jeopardy style challenge board gave no hints and asked no questions.
Here is an example of a challenge:

Challenge Three

I began this CTF with some bad assumptions concerning when it was held last year, so shortly after I began my hunt for OSINT, I started submitting flags from last year's challenges. This didn't count against our score, but submitting incorrect flags is never fun. Okay, with all that said, let's get into it:

[0] FLAG0:8c1446b0920d1e68175f951721791900 (1 point)
The members of team IronMan were all added to a private Slack channel, and the following pinned message provided us with flag 0 as an example of the format:

FLAG0

[1] FLAG1:c2833ac9c2599c4e4cf26b5fdfc9ffe8 (5 points)
We found this flag by reviewing the LinkedIn profile that @userjack43 tweeted here: https://twitter.com/userjack43/status/1123245845783162880

[2] FLAG2:48aeebf0a3d4bb9ea51c7a47f9911998 (5 points)
Here was my first contribution to the scoreboard. I found flag 2 by hunting down Twitter accounts relating to encomtech.net, and this tweet stuck out:


[3] FLAG3:60fc85f8941befeb75e2a83271067574 (10 points)
I found flag 3 by searching GitHub for "encomtech", which returned the following account:
https://github.com/encomtech

I manually reviewed the files in the NEST repository and found flag 3 in the wargames.sh file (https://github.com/encomtech/NEST/blob/master/wargames.sh) where the flag was present as a comment in the script.

[4] FLAG4 - NOT SOLVED (15 points)
No teams found flag 4. This was because the file that was supposed to have the flag did not actually have the flag in it. During the CTF close-out presentation, they said it was in the document properties of one of the files found under /trace. I know that I checked for that very thing, and I've heard other teams say that they did as well. We all assumed they uploaded the wrong file, which was sort of confirmed: the file with the flag was uploaded but not copied over to /var/www. It doesn't really matter, because none of us getting it is the same as all of us getting it.

[5] FLAG5:f0714505322f3367bdb306505ccb954e (5 points)
This flag was submitted early on by another teammate who simply provided the following link: http://www.encomtech.net/images/slide_8.txt

I ended up finding this as well by running nikto against www.encomtech.net, which returned a directory listing for the /images directory. "slide_8.txt" looked interesting, and it contained the flag.

[6] FLAG6:31a2066a8182b6f99a17df370c4baaf4 (10 points)
I found flag 6 at http://www.encomtech.net/report/TPS_Report_216.txt by running dirb against encomtech.net. Dirb found the /report directory, and I manually reviewed the directory listing's contents. Though multiple TPS reports were listed, only one didn't have a file size of 103K.

[7] FLAG7:de552985b099c3315b6698e657b8e973 - NOT SOLVED - (10 points)
I failed to find flag 7 during the CTF window. My problem was that I wrote off the broken Citrix login as something that might be used when the CTF went live. As a result, I didn't run dirb against mail.encomtech.net/js/rdx/, which would have found flag.txt. Lesson learned: don't assume, and dirb all the things.
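The flip side of "dirb all the things" is that a directory brute force leaves an unmistakable burst of 404s in the web server's access log. The script below is an added example, not part of the original write-up; it parses constructed Apache/nginx combined-format log lines and reports any client that racks up a threshold of 404s inside a short window.

```powershell
# Added example, not from the write-up: flag clients that produce a burst of 404s,
# the footprint dirb and nikto leave in an Apache/nginx combined-format access log.
# The log lines and addresses below are constructed for illustration.
$sampleLog = @'
203.0.113.5 - - [02/May/2019:14:01:03 +0000] "GET /images/ HTTP/1.1" 200 2142 "-" "Mozilla/5.0"
203.0.113.5 - - [02/May/2019:14:01:04 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [02/May/2019:14:01:04 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [02/May/2019:14:01:05 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Nikto/2.1.6)"
203.0.113.5 - - [02/May/2019:14:01:05 +0000] "GET /report/ HTTP/1.1" 200 1893 "-" "Mozilla/5.0 (Nikto/2.1.6)"
198.51.100.7 - - [02/May/2019:14:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'@ -split "`r?`n"

# Combined log format; the timestamp is captured without its UTC offset to keep parsing simple.
$lineRegex = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^ \]]+) [^\]]*\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"'

function Find-DirectoryScanners {
    param([string[]]$Lines, [int]$Threshold = 3, [int]$WindowSeconds = 60)
    $events = foreach ($line in $Lines) {
        if ($line -match $lineRegex) {
            [pscustomobject]@{
                Ip     = $Matches.ip
                Time   = [datetime]::ParseExact($Matches.ts, 'dd/MMM/yyyy:HH:mm:ss', [cultureinfo]::InvariantCulture)
                Status = [int]$Matches.status
                Path   = $Matches.path
                UA     = $Matches.ua
            }
        }
    }
    foreach ($group in $events | Where-Object Status -eq 404 | Group-Object Ip) {
        # Report the client if any $Threshold consecutive 404s fall inside $WindowSeconds.
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalSeconds -le $WindowSeconds) {
                [pscustomobject]@{
                    Ip         = $group.Name
                    NotFound   = $group.Count
                    FirstSeen  = $times[0]
                    UserAgents = ($group.Group.UA | Sort-Object -Unique) -join '; '
                    Paths      = ($group.Group.Path | Sort-Object -Unique) -join ' '
                }
                break
            }
        }
    }
}

Find-DirectoryScanners -Lines $sampleLog | Format-List
```

On the constructed sample only 203.0.113.5 is reported; the user agent string is a bonus, since real scans are often run with a spoofed one and the 404 burst is the signal that survives.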

This was the end of the OSINT challenges. To quote Olivia Newton-John...Let's get physical.

Physical

When we approached the physical challenges, four of us went to tackle them, and two on the team stayed back for remote support. We had lock picks, a Keysy, and a USB drive loaded with a malicious executable.

I'm going to write this section in narrative style rather than by flag, since it makes a much better story when told chronologically.

The way this worked was pretty cool. During our netpen activities, we obtained an image that was a map of where the CTF was held. There was a target door clearly marked on this map. When our time to run the physical challenges began, we were basically dropped off outside a locked door and told "good luck."

With our map in hand, we made our way over to the star marked on the rear of another building. As we approached, a gentleman on his cellphone made eye contact with us, got off his phone, and stepped in front of us as if to say "follow me."

We followed that person right into the key card protected door that was clearly marked "encom", so we knew it was in scope. That person, however, was not in on the CTF, and we were supposed to clone the key card of someone who was in on the game. This little hiccup meant we missed out on FLAG13 (15 points).

We had another piece of intel from our netpen activities that indicated a room number that we were supposed to find. When we got to the room, we found an unlocked computer, a small fireproof lockbox, and two locked filing cabinets, a two-drawer and a three-drawer pedestal, all of which had wafer locks.

I began by sitting down at the unlocked computer and opening the flag.txt file sitting on the desktop, which gave us FLAG17 (35 points).

I next tried to run the contents of the USB drive but the machine did not want to mount the drive at all. While I was messing around with that, the rest of the team was working on picking the locks and scouring the room for flags.

The fireproof box was opened fairly quickly for FLAG12:e0345fce6f32b372da7f91348e343cbf (10 points):

FLAG12

Around this point, the two filing cabinets were not cooperating and running the EXE was giving me trouble, so we switched up what everyone was doing. While another teammate worked with our folks back at home base to get a callback, I picked the last two cabinets to pull out flags 9 and 10 (10 points each).

FLAG9

Though the callback was successful, we sadly all missed FLAG8 (5 points) while we were in the room. Though we looked under the laptop, we did not look for a flag taped to the underside of the laptop. So close...

At this point we knew there were at least two more flags. We walked out of the room, may have looked around an unlocked supply closet for a bit, and eventually noticed two storage lockers with Encom logos on them.

Unfortunately, I forgot to take a picture of them. The image below is a similar style to what we were presented with; however, ours did not have such a traditional-looking keyway to attack.

Example Locker Lock

Using the digits from the previously obtained flags (zoom in on the picture of FLAG12 to see what I'm referring to), we were able to determine the combination for these two lockers and pulled out flags 11 and 14 (15 points each).

This was my favorite part of the CTF. I've never encountered physical challenges during one before and I hope this becomes a trend.

On to the netpen challenges!

Netpen

I'm calling this section "netpen" even though there weren't really any technical exploits like MS17-010, SQLi, etc.

Initially, we had no way into the target network. So, we assumed we had to phish someone that we discovered during the OSINT portion of the CTF to get our initial access.

Part of my process during initial recon activities is to build inventories of things that I care about, such as users to validate and target. I used the Welcome Thrillhouse Group "sock" account to email everyone that I discovered during OSINT with the following message to see if anyone had an out-of-office response configured:

Greetings ENCOM employee!

ENCOM and the Welcome Thrillhouse Group are excited to announce our partnership to provide perks at work for all ENCOM employees!

Please be on the lookout for your first "perk at work!"

We look forward to serving you!

Thanks,
Milhouse


Then, once we had our team server up and running, we followed up with another email to our targets that read:

Greetings ENCOM Employee,

In order to register you for the new Perks at Work program please click this link and run the Request For Info program:

http://x.x.x.x/EncomTech/RequestForInfo.exe

Thanks,
Milhouse


This gave us our first session.

[18] FLAG18: Not Logged (30 points)
Obtained from the PROD-DS Server

[19] FLAG19:a50e2686a3cd01bffcdfbd87a4af72c3 (25 points)
Obtained from the PROD-FS Server by performing a recursive search:


FLAG19

[21] FLAG21:33db243c7e8de9c179cd55ed85b94f3b (15 points)
Obtained from the PROD-DC:
[*] Tasked beacon to run: Get-DomainComputer -Properties name,description,comment -Domain prod.encomtech.net | fl (unmanaged)
[+] host called home, sent: 133715 bytes
[+] received output:
name : WIN-C6D4E3VT1G4
name : PROD-FS1
name : PROD-FS2
name : PROD-SQL2
name : PROD-SQL
name : SHAREPOINT
name : WEBSERVER1
description : FLAG21:33db243c7e8de9c179cd55ed85b94f3b
name : WEBSERVER2

<snip>

[22] FLAG22:f7af229aaa3cf9a36d2c4004e6606b87 (15 points)
Flag 22 was found by enumerating the description field of all users pulled from the DEV-DC.
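Flags 21 and 22 both lived in free-text AD attributes, which is exactly where real environments leak passwords and keys too. The script below is an added example, not part of the write-up or its tooling; it uses the RSAT ActiveDirectory module to sweep the Description and Comment attributes of every computer and user in each domain for secret-looking values. dev.encomtech.net is an assumed name for the DEV domain, and read access to both domains is assumed.

```powershell
# Added example, not from the write-up: audit free-text AD attributes for secrets
# (passwords, keys, CTF-style flags). Assumes the RSAT ActiveDirectory module and
# read access to each domain; dev.encomtech.net is an assumed name for the DEV domain.
Import-Module ActiveDirectory

$domains = @('prod.encomtech.net', 'dev.encomtech.net')

# Patterns that usually mean someone parked a secret in a description or comment;
# the last alternative catches 32-hex-digit strings like the flags in this write-up.
$pattern = '(flag\d*\s*[:=]|pass(word|wd)?\s*[:=]|pwd\s*[:=]|api[_-]?key|secret|\b[0-9a-f]{32}\b)'

function Find-SensitiveDescription {
    param([string[]]$Domains, [string]$Pattern)
    foreach ($domain in $Domains) {
        # Computers and users both carry Description; Comment is a second free-text attribute
        # (the same two fields PowerView's Get-DomainComputer pulled in the write-up).
        $objects = @(Get-ADComputer -Filter * -Server $domain -Properties Description, Comment) +
                   @(Get-ADUser     -Filter * -Server $domain -Properties Description, Comment)
        foreach ($obj in $objects) {
            foreach ($attr in 'Description', 'Comment') {
                $value = $obj.$attr
                # -match is case-insensitive by default, so "FLAG21:" and "Password=" both hit.
                if ($value -and $value -match $Pattern) {
                    [pscustomobject]@{
                        Domain    = $domain
                        Name      = $obj.Name
                        Class     = $obj.ObjectClass
                        Attribute = $attr
                        Matched   = $Matches[0]
                        Value     = $value
                    }
                }
            }
        }
    }
}

# Anything returned here should be scrubbed and the owner asked why it was there.
Find-SensitiveDescription -Domains $domains -Pattern $pattern | Format-Table -AutoSize
```

Run it from a workstation with RSAT against each domain you own; every authenticated domain user can read these attributes, which is why an attacker's first PowerView query after a phish usually pulls them.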

[23] FLAG23: Not Logged (10 points)
Obtained from the DEV-DC, not documented.

[24] FLAG24: Not Logged (10 points)
Not documented.

[25] FLAG25:67cd5d3e502e8ff5c40e2148332d15e9 (5 points)
Flag 25 was on the desktop of the initial-access system from our initial phish.

With about an hour and a half of the competition remaining, we were focused on capturing flags 15, 16, and 17. Unfortunately, around this same time the infrastructure ground to a halt.

Shortly after the event, the organizers announced the winners and presented a recap which looked like this:

Attack Path

Our narrative basically follows the same attack path as detailed in the image above.

We phished a user and got a shell on Guard_WSX. Then we found credentials in a clear text file which we reused everywhere.

My memory is a little foggy here, but there was a DNS issue that either made abusing the domain trust extremely difficult or blocked the ability to get domain admin for the DEV domain...either way, after a while the organizers provided everyone with the credentials needed to progress the game. We hunted down the flags and various files of interest on every system we could, but obviously missed some.

During the physical portion of the competition, we established a shell on WG_WS1 which was supposed to be the only way to SSH into the LinuxSrv to access the NEST database.

Per the access guide we obtained from the file server, we had credentials (also stolen from the file server) to use for the SSH connection from WG_WS1 to LinuxSrv, but they did not work. While we were working on our credential issue, the infrastructure stopped responding, ending the game.

In the end, we came in third:

Final Scores

For an 8-hour CTF, I thought this was very well done. Nobody trounced it and nobody really faltered. I can't wait for next year's, and I hope to bring more to the table when it comes to using Cobalt Strike.

-strupo_
