A Primer for On-Site CTFs

I have been to many CTFs over the last five or six years and I wanted to share some tips, tricks, and advice for beginners. My hope is that this post helps those who are new to CTFs by sharing what I pack in my "go-to-war" bag, which non-standard tools I use, and how I spin up cloud-based systems.

Go-to-War

When the CTF room opens up, the first problem is finding a place to sit. I like to get to the room as soon as possible to ensure that we have a decent place to set up. For example, all of the Defcon villages on day one are crowded and intense. I encourage everyone that's serious about the event to line up well before it opens. Also, the CTF and the village talks are generally held in the same room, so it is likely going to be noisy and seating will be limited. My advice is to sit as close to the infrastructure as possible.

It doesn't hurt to have a plan in place for approaching the challenges before you get there, in case you can only tolerate a couple of hours in or near the room. For example, if you're stuck sitting on the floor, there is nothing wrong with grabbing offline challenges and performing recon, and then going back to the hotel room to do research and work on the offline challenges. In my experience, the second day is usually not as crowded anyway.

After finding a seat, powering your laptop is the next problem that everyone seems to have. Sometimes there is a strip on the table and sometimes not. I usually bring a surge-suppressor with a 15' cable and some large twist ties. I have never seen those 3' cords solve a power problem for anyone. Just be cognizant about where you lay your cords, if it can be taped down or not, and if you are creating a tripping hazard. 

Networking is the next issue. Sometimes you have no choice but to play on wireless. That's generally fine, but I have been to multiple events where I was getting de-authed or the spectrum was noisy and the connection too slow, and in at least one case I could not get a reverse shell over wireless but I could over a wire. I'm sure I did something dumb for that last issue, but given the choice I prefer to plug in when possible. I bring a 100' Cat-6 cable for that. It is also worth mentioning that this isn't a panacea. I've also been to events where players try to MITM everyone (poor form - don't do this) and the network still goes down for a bit...so it goes.

Bringing your own switch is not a bad idea if you're on a large team, but I never do as I don't think it's worth the hassle. As with all cabling, have situational awareness about where you are at, where you need to plug in, where people walk, etc... No one wants you to run your cables right under their feet, next to their mouse, or across a walkway without being taped down.

The next problem I have seen plenty of newcomers encounter is updating your system. Simply put, update your system before the event. If you forgot and your Kali box is a little out of date and you just realized when you started to play - leave it. If you encounter something that requires you to update - address it then. That way you're burning time when you know you have to and not because you think you have to. Updating as soon as you sit down will be painful while everyone is scanning and enumerating the network. If it's multi-day, consider updating overnight when you get back to the hotel room.

If you are missing a Metasploit module that you desperately need in the heat of the moment, remember that you can always install it manually by copying the .rb file to the appropriate location and then entering reload_all in Metasploit.

Failing to prepare a team server or Kali box in the cloud is the last problem. Either do it beforehand or else you will have to burn time and deal with it during the event. In my personal experience, installing Metasploit on a Droplet during the CTF is 10 times more difficult than when you do it at home. It's not the end of the world, but you can spend more time working on challenges rather than getting set up if you put a little effort in beforehand.

I'll go over preparing those systems later in this post. Now, let's go over what I carry.

Loadout

Inventory

Here's an overview of what I carry:
  • Book bag
  • Surge suppressor w/15' cord
  • Laptop power adapter
  • Laptop
  • USB-C 12-in-1 hub
  • USB Mouse
  • 100' Cat-6 cable
  • USB-A Hub
  • 16GB USB drives
  • Alfa
  • Ubertooth One
  • Bluetooth Headphones
  • Portable battery pack with various charge cables
  • RTFM
  • Lock picks
  • Koozie, bottle opener, and flashlight
  • Welcome Thrillhouse Group stickers for sharing
I don't always bring everything to the room, but this is usually what I pack.

Bag 

I prefer a simple bag; the fewer pockets the better.

Why it works: "Everything is somewhere and in its place"  ...I have an easier time staying organized if I pack light and have a limited number of compartments. Also, it's not some huge bag that is in everyone's way no matter where you put it. Figure out what works best for you, but my suggestion is to pack light and keep it simple. For example, if I notice that I don't need the 100' cable and power strip, I will leave them behind.

Accessories

As Apple laptops are starved for ports, I had to buy a few things to make my go-to-war actually usable. Chief among those is the USB-C Hub.

I opted for the TOTU 12-in-1 as it has two HDMI ports, a single VGA, and an ethernet port in addition to the other ports that other laptops ship with. At the time of this writing, you can find it here for about $80.

It's kind of pricey, but it seems to account for all the things that my previous laptops had ports for and then some. FWIW those fancy block style USB-C hubs that plug into the side of your Mac as an extension of the laptop are easy to unseat, but everything else, including the price, is about the same.

Power and network I already covered. You can sort of see in the image above that I put some stickers on the ends of my cables and on most of my gear to help me easily identify what's mine and where my cords are in the rat's nest when it's time to go. 

In my bag there is also a small USB battery pack for my phone or headphones.
Sometimes that charge cable gets in the way so it is nice to hide it all away while it charges. 

A pair of Bluetooth, noise-cancelling, closed-back, over-the-ear headphones is nice to have in order to listen to those audio challenges, silence the world around you, or just sink into the beat while you're hacking away. I prefer music like Do Make Say Think, Carpenter Brut, and others like that while hacking because it doesn't draw my attention away from the task at hand and that kind of music seems to keep me alert and motivated.

A 4-port USB-A hub has been useful in the past if only to prevent bulky USB-A devices from blocking neighboring ports. I also have a couple of USB thumb drives just in case we have to sneakernet large files to each other or if there is a physical aspect to the event. A no-frills USB mouse has obvious benefits and in the off-chance that I need them, I also carry an Ubertooth One, an Alfa, homemade lock picks, flashlight, bottle opener, koozie, teamWTG stickers, and of course one of the best notebooks ever published: RTFM. 

I also bring a USB-A > multi-end cable and a short USB-A > USB-C cable for my various charging needs.

Go-to-War

I recently purchased a new 13" MacBook Air that has a 1.6GHz i5 with 16GB of memory and a 512 SSD. It seems to do the job just fine.

Though I do have VirtualBox installed, I prefer to use VMware Fusion as the shared clipboard and mouse/keyboard integration seem to work better. My preferred VM to compete with is an up-to-date Kali image, currently 2019.1, but I also keep various ISOs and VMs on hand for Windows and Linux in both 32 and 64 bit architectures.

I tend to leave the host alone during the event and run everything from the guests. 

Tools

In terms of tools, I mostly leverage what ships with Kali, but here's a list of the tools and websites that don't ship with Kali and that I lean on the most during CTFs:

cyberchef
rumkin
audacity
dcode.fr
RsaCtfTool
subbrute
Aquatone 1.6
Burp Pro

A more complete listing of the things I use during CTFs and real engagements alike, that are not included with Kali, can be found in what I've starred on GitHub.

Third-Party Stuff

Concerning cloud-compute services, I've been a huge fan of Digital Ocean because their Droplets have network interfaces that are directly connected to the Internet and their user interface is simple to use. However, each Droplet has a cost associated with it.

AWS is a cheaper alternative, but the free tier t2.micro instance doesn't meet minimum requirements to run a Cobalt Strike Team Server.

Okay, let's get into how I set up a Droplet and an AWS instance to run Kali.
Starting with Digital Ocean, here's how to set up a Droplet.

Digital Ocean - Droplet

Step 1 - Create Account > Create a Droplet.

Create an account, if you don't have one already. It is pretty straight forward.

Then create a Droplet by clicking Create > Droplet
Select Ubuntu and scroll to the left to the $5 (1GB/1CPU/25GB SSD/2GB Tfr) or the $10 option (2GB/1CPU/50GB SSD/2TB Tfr) depending on your needs.
I don't add backups or any additional storage and I usually choose a location geographically close to where the event is held. At this point you can also set up your SSH key to access it.
Update the hostname if you want; I like to shorten it up so I have a cleaner prompt that tells me exactly where I'm at.
Once you are done, Digital Ocean will build your system and email you the password.

Step 2 - Password Stuff

Log in and change your password; you can also set up SSH keys now.

Step 3 - Install Docker and Kali

# snap install docker
# docker pull kalilinux/kali-linux-docker 
# docker run -t -i kalilinux/kali-linux-docker /bin/bash
root@blahblahblah:/# apt-get update && apt-get install metasploit-framework

Note: this will take between 5 and 10 minutes and you will be prompted to hit y, unless you specified -y for apt-get install.

# service postgresql start
# msfdb init
# msfconsole


HUZZAH! All set...but what if your SSH session dies or you accidentally exit docker?
If you exit out, you do the following:

# docker ps -a    (note the CONTAINERID)
# docker start CONTAINERID
# docker attach CONTAINERID

If you lose your SSH connection and didn't exit out of your Docker container, you can do the same thing: run the "docker ps" command and then run "docker attach CONTAINERID."
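
One way to make that recovery repeatable is to give the container a name up front and let a small script pick the right docker command from the container's state. This is an added example, not part of the original post; the container name kali-ctf and the function names are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: resume one named Kali container after a dropped SSH session
# or an accidental exit, instead of looking up the CONTAINERID by hand.
# KALI_NAME is a name chosen for this sketch; the image is the one from Step 3.
KALI_NAME="${KALI_NAME:-kali-ctf}"
KALI_IMAGE="${KALI_IMAGE:-kalilinux/kali-linux-docker}"

# Print the container's state, or "missing" if it was never created.
kali_state() {
    docker inspect -f '{{.State.Status}}' "$KALI_NAME" 2>/dev/null || echo missing
}

# Map a container state to the docker command that gets you back to a shell.
kali_plan() {
    case "$1" in
        missing)        echo "docker run -t -i --name $KALI_NAME $KALI_IMAGE /bin/bash" ;;
        running)        echo "docker attach $KALI_NAME" ;;
        exited|created) echo "docker start -a -i $KALI_NAME" ;;
        *)              echo "unexpected container state: $1" >&2; return 1 ;;
    esac
}

# Resume (or create) the container. With --dry-run, only print the command.
kali_resume() {
    plan=$(kali_plan "$(kali_state)") || return 1
    if [ "${1:-}" = "--dry-run" ]; then
        echo "$plan"
    else
        # Names contain no spaces, so plain word splitting is safe here.
        $plan
    fi
}

# Usage after sourcing this file:  kali_resume --dry-run   or   kali_resume
```

Because the container is named, anything installed inside it (Metasploit, the msfdb database) is still there when it is started again.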

If you'd prefer to spend less money, or none at all, then AWS is a decent alternative.
Here's how to run Kali on AWS.

AWS - EC2

Step 1 - Set Up or Log In to your Account

If you don't already have one, create a "Free Tier" account and/or log in.

Step 2 - Create Instance

Log in and click "Launch a virtual machine"
Search for Kali
Click on AWS Market Place
Click on the only result "Kali Linux"
Click Continue
Select t2.micro (Clearly marked "Free Tier Eligible")
Click Review and Launch
Click Launch

Step 3 - Setup Key Pair and Launch

Unless you have one already, you can simply choose to "Create a new key pair" and give it a name, then click "Download Key Pair." Otherwise I think you can load an existing key here as well.
Click "Launch Instances"

Step 4 - Connect to your Instance

Click the "Services" menu near the top, and then select EC2 from the "Recents" column on the left hand side of the menu.
Click "Running Instances"
Assuming this is your only instance, it should be selected already, so now click on the "Connect" button.
At this point, a pop-up should give you instructions on how to connect: cd to where you saved the .pem file that you recently downloaded and change its permissions to -r-------- (chmod 400 key.pem).
The example command to connect won't actually allow you to connect to it as the root user. Take the command they provide and change the username to ec2-user. Then you can just sudo su - when you need to do root stuff.

Step 5 - Allow Specified Inbound Connections

By default, you can only SSH to the instance.
Go back to the web console, and assuming you left it on the dashboard you can click "Security Groups" under the "Network & Security" heading in the left hand side menu.
Select the generated security group, and at the bottom, under the "Inbound" tab, you can click the "Edit" button to add a custom TCP rule for port 4444 (or whatever), from specified sources.
Now that the port has been added, go back to your instances list and apply the updated security group to your instance by going to Actions > Networking > Change Security Groups and then click "assign Security Group" on the pop-up.
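
The Step 5 rule can also be added from the command line with the AWS CLI's authorize-security-group-ingress. The sketch below is an added example, not from the original post: it only prints the command, refuses sources wider than a /24 (a policy choice made here), and uses a placeholder group id and documentation-range addresses.

```shell
#!/bin/sh
# Added example: CLI form of "custom TCP rule ... from specified sources".
# MIN_PREFIX is a policy choice for this sketch: nothing wider than a /24,
# which also rules out 0.0.0.0/0.
MIN_PREFIX="${MIN_PREFIX:-24}"

# Succeed only for a dotted-quad IPv4 CIDR no wider than MIN_PREFIX.
valid_source() {
    cidr=$1
    case "$cidr" in */*) ;; *) return 1 ;; esac
    addr=${cidr%/*}
    prefix=${cidr#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge "$MIN_PREFIX" ] && [ "$prefix" -le 32 ] || return 1
    # Split the address on dots and check for four octets in 0-255.
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the aws CLI call that opens one TCP port to one validated source.
# Arguments: security group id, port, source CIDR.
sg_ingress_cmd() {
    group=$1; port=$2; src=$3
    valid_source "$src" || { echo "refusing source: $src" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    echo "aws ec2 authorize-security-group-ingress --group-id $group --protocol tcp --port $port --cidr $src"
}

# Usage (sg-EXAMPLE is a placeholder; 203.0.113.7 is a documentation address):
#   sg_ingress_cmd sg-EXAMPLE 4444 203.0.113.7/32
```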

Now you're ready to rock and or roll.

Aside from installing other tools, properly hardening the system, etc., that is basically it for third party compute. It's probably worth mentioning in this section that I've also spun up multiple "sock accounts" for teamWTG so that we have email accounts to phish from and send test emails to, establish LinkedIn connections, the twitters, Trello, and Slack. This takes us to the concept of team management.

Team Management 

For team management tasks, I prefer to use Trello and Slack. These two resources allow for basic project management, discrete comms, and quick file transfers.

I have been to events where there was no Internet connection and had to resort to using ncat as a rudimentary encrypted comms channel. But CTFs that don't provide any Internet connectivity are pretty rare for me anymore. Another way around this issue is burning data and tethering your phone, though this could end up costing you money.

I'd like to put it out there that Trello is awesome, but how awesome it is depends on how your team uses it. If you have any intention of sharing knowledge or writing-up your work as you go, for me it is a must. If you just want to win, at a minimum your team needs to share which flags they've submitted and which box/challenge they came from so someone else doesn't waste their time on something already solved.

When it comes down to it, everything you want to track and how you organize it is on you. I like to build inventories for things like users, targets, creds and have a section of cards for leads or things that people are working on, what's solved, and what needs done.

There are a million ways to skin a cat and this post only highlights the bits of my current method that I think the most people would benefit from.

For more good tips and tricks about participating in CTFs, I recommend watching @doylersec and @claytondorsey's talk: https://www.youtube.com/watch?v=HT5gpvbAVqU.
I'd also like to give a shout out to @ch1kpee for sharing his Kali AWS guide with me because I basically just straight up copied it. 

Anyway, I hope someone finds this useful!

Thanks,
@strupo_

Find us on twitter: @teamWTG
