Last month, my friends and I hosted a Capture the Flag (CTF) tournament for the Red Team Village during DEF CON Safe Mode with Networking, and the event was a blast. I’ve been designing and participating in CTFs for five years, and I love the variety of themes and structures that they take on; they can be about attacking individual targets, simulated networks, or be heart-racing, attack-and-defense simulations where you battle against rival teams’ environments. I was excited to bring my own spin to the format for my first CTF hosted at DEF CON.
In my daily work, I’m an operator at Bishop Fox for their Continuous Attack Surface Testing (CAST) service, where I use our custom tools to vigilantly map client attack surfaces, share information between teammates with finely tuned ChatOps, flag abnormal indicators, and compile information into digestible bits for clients to better understand the current state and future security of their complex environments. Most of the time, designing a CTF means disengaging from work and getting creative, but the work that I do for CAST is so engaging and unique in a way that I’d never seen captured in a CTF, so I decided to combine them for DEF CON.
I took a stab at representing the complex, multi-disciplined approach required in the environments I work with each day. I hoped to give teams a realistic environment, and for them to experience and appreciate the formula for success that I’ve found when collaborating with my teammates in CAST. To capture all the flags, teams would need to discover information about fictional employees and then leverage that information inside a corporate Windows environment modeled after a small business. Because I wanted the CTF to reflect my daily work in CAST, the fake corporate world would need the following attributes:
I gathered my fellow CTF builders and we designed a three-phase CTF and waited eagerly for DEF CON Safe Mode to arrive.
The event kicked off on Thursday, 6 August with 1,923 players matching wits against a Jeopardy board of challenges (a familiar CTF format). Teams had over 130 challenges to choose from, in categories from reverse engineering to computer network exploitation. Some were simple web attacks for beginners, while others were truly challenging and required teams to apply their deep knowledge creatively to earn points. Most teams either worked in shifts or stayed up all night during the qualifiers. The fastest team cleared the board of challenges within 18 hours, and the top 20 teams moved into the main phases of the CTF; 24 hours of reconnaissance followed by 24 hours of exploitation.
Although some of the Jeopardy challenges had hinted at the theme, the teams now focused on the main scenario based on the cult classic: Office Space. Our fake company website for Initech was the starting point for exploration and collecting open source intelligence (OSINT), but the world of this CTF was different from most because each social media profile, code repository, and even telephone number had some relevance to the story and theme of the final scenario. There was a company email server full of intelligence, fake LinkedIn profiles for each of the movie’s characters, an HR database full of personal information that played a role in compromising user accounts, and a telephony and SMS system that took the challenges off the screen into real life. Some flags were audio files, or even cameos like David Herman as the original Michael Bolton.
I’ve seen other CTFs with fake websites, but when I do real recon for clients (to map out their complete attack surface), the most useful data often comes from unexpected corners of the internet. And the internet is big – really, really big -- and most of the places you look won’t be incredibly helpful except in crossing off the list. (In CAST, we are responsible for mapping about 600,000 assets, cumulatively, for our clients.) I wanted my CTF to mimic that complex nature of data that we uncover and map every day, because the information you’re after is rarely just sitting on a client’s About Us page.
During recon, the teams could gain credentials and intelligence on the target network, its users, and patterns of life. They could find the portal to an internal webmail server as a future treasure trove of information, and an elaborate phone system that players could interrogate. This system could only be explored with real-life calls and text messages. Players could find employees in a phone directory and stumble upon fun movie references and flags. The most persistent players unlocked a password reset function that allowed them to gain access to that user’s account inside the internal network. The teams that fully explored this system during the reconnaissance phase definitely earned themselves an advantage when the final 24 hours commenced.
Each team was given their own copy of the scenario and therefore didn’t have to directly compete with other teams for access to the internal targets. They did however, have to compete with each other to maneuver around the network. Some of the instances in the scenario had limited resources, and players could effectively cause a denial of service (DoS) on the targets if multiple members of a team kicked off large scans at the same time. In our feedback survey, many players expressed that they loved this concept of attacking an internal network as a team. It meant they had to communicate their accomplishments, share their loot, and coordinate their attacks to avoid DoS-ing the targets and each other.
One aspect of the CTF that benefited from teamwork was gaining the credentials for the character Milton Waddams. This user had notes and a binary file that led to the final flags on the infamous paper-jamming printer. Hints to Milton’s credentials were scattered, leading one team member to comb through employee emails for information and find that his password had been reset to his home street address. Meanwhile, another team member might explore the internal network and come across an HR database with home address information, but not understand the value of that information. If teams did not explicitly share their bits of information about Milton, then the team as whole was unlikely to progress through the scenario.
One team told me after that they pounced on one of their teammates that had some critical information but didn’t share it until hours had passed. Many teams realized too late the value of managing data efficiently, sharing information, and specializing their roles within the team. Recognizing this aspect early drove teams to professionalize their ChatOps, processes, and documentation, which has been a critical part of streamlining our own internal CAST process.
Armed with their recon intel from common exposed surfaces, the teams were able to find footholds within Initech’s systems and continue their attack with various pivoting and escalation techniques.
One powerful and critical area that teams could access was the Security Operations Center (SOC) workstation, which held security team reports about a previous network compromise. Those reports clued the teams on looking for the backdoor identified in the report. Lo and behold, the security team had not cleaned up the previous breach and left an active backdoor on a senior manager’s Windows workstation in a protected enclave. In my work on CAST, I often come across out-of-date software and vulnerabilities that the client knows about, has scheduled to remediate, but for one reason or another is still exposed.
We set up Office Space personas for the meme value, but also to guide users to a few common flaws that developers fall prey to. In CAST, we commonly find sensitive information disclosure in source code or shared files. Often an errant commit might contain an API key, or the source code itself could indicate a vulnerability in a production application. It is not uncommon for code templates or administrative scripts to be published to an employee’s personal development space in GitHub or GitLab. (Protip: tools like GitGot can be used to look for these types of information disclosure.) In our scenario, Samir Nagheenanajar, played by Ajay Naidu, accidentally committed AWS credentials in an old commit of some source code. Players then used those credentials to enumerate AWS services until they discovered read access to an S3 bucket. This bucket contained an OpenVPN configuration file that allowed the red teams to legitimately connect to the company network.
CTFs are exciting and valuable exercises in any format, but it was a personal accomplishment for me to create one with realistic vulnerabilities within a rich story and supported by a large environment… and also to have it played at DEF CON. The participants were immersed in a style that simulated the kind of OSINT, data management, and teamwork that my colleagues and I implement every day with CAST.
Of course the CTF wasn’t exactly like a day in the life at CAST, but for the 20 teams who experienced the rush of applying their skills in a big playground in a 72-hour time crunch, it was an exhilarating way to remotely spend a weekend with friends.
The overall event was a huge success that simply would not have come together without all the generous time and expertise offered by a talented group of volunteers. A heartfelt thanks to the Red Team Village and also to my friends that built this CTF. @Nopresearcher, @owtdecaf, @j0nk1m, @kfiducia, @nulloop, landhb, michael-smythe, bobdole, waldo-irc.
Even though DEF CON was remote this year, the event was still an amazingly inclusive community of offensive and defensive information security professionals. The talks were intriguing, the workshops were informative and the CTF was engaging and educational. The icing on the cake? The Red Team Village gave out over $90K in prizes, with loot ranging from some highly sought-after courses and certification attempts to hacking tools and access to training environments.
A special thanks to our sponsors for such generous prize donations! Bishop Fox, Black Hills Information Security, eLearn Security, HackTheBox.eu, Hacker Boxes, Hak5, Immersive Labs, In.Security, No Starch Press, Nord VPN, NotSoSecure, Offensive Security, PentesterLab , Point3 Security, SANS, Zero-Point Security.