Capture the flag for hackers. This completely hands on day was so amazing that it made up for any other deficiencies in the course. If you must miss a day of the course, do not miss day 6.
Here is the setup. Star configuration LAN. Off of each of the eight ports of the central switch was a six port hub - the team hubs. Each team of two to five students plugged their laptops into their team hub and configured their NIC according to particular settings, one subnet per team. On one hub, however, where four IBM laptops , the targets, and each of them held a text file in their root directory whose name began with "flag" (i.e. flag1.txt). The four targets are also on their own subnet. Within each of these flag files there are hints to discover the secret fifth flag. While connected to the game LAN, players are allowed no other external connections (i.e. no hotel wireless). Although players are permitted to disconnect from the LAN, leave the war room, and download tools or Google exploits, then return.
I was on a team of three with two RCMP tech-crime officers. One of them was a veteran of these sorts of exercises and a wizard with the Metasploit Framework. I came ready with an array of password sniffing and cracking tools thinking that was a wise addition to my colleague's skillz. Our third team member was openly out of his element, being much more comfortable with forensics. While my decision to prepare for good old fashioned password attacks would prove to serve the team well, my decision to focus on Windows as an attack platform would not.
Before the game started, the instructor went over the ground rules (such as no attacking or DoSing the other teams), the simulated publicly available information on the targets (whois and Google search results), and other preliminaries. The instructor's speech was interrupted by one student's Zone Alarm ringing off that his computer was under attack (or at least heavy scan) by four IP addresses on our game LAN! In a moment four names were called and four students were lead out of the room for a stern talking to although they eventually were allowed to return. Meanwhile the game began.
I squandered the first hour or so of the test trying to get nmap to work under Windows. I never did find out exactly what was wrong. Was it wpcap? Was it a network driver issue? Who knows. While I struggled with this issue, my teammate drew first blood. His stated strategy was do not even bother with vulnerability scanning - just find a listening TCP port or two and start hitting them hard with Metasploit (his personal favorite). His paid off as he demonstrated to the instructor that he had flag 1 in hand. I then took my teammate's advice, turned my back on Windows, and inserted the knoppix-std boot CD. This advice was pure gold (and knoppix-std is a sweet set of tools).
Without my technical issues holding me back, I completed my nmap scan in seconds, and turned my attention password attacks against an attractive looking box running telnet and ftp with the help of my RCMP forensics-focused teammate. Our Metasploit jockey continued his exploit onslaught on his own. After a quick review of the whois information, we had some potential passwords to try. The second password that I tried had a blank password! Without further ado, I was in with telnet, straight to the root directory, and opening flag4.txt which happened to by world readable. While several other teams had found either flag 1, 2, or 3 at this stage, I was the first to hit flag four! I have to admit that this made me awfully good.
The host that I had gained user-level access to was a Linux box that was not employing shadow passwords. In moments, I had used the running ftp service to transfer the password file to my laptop in preparation for some cracking. I took a moment to seed John the Ripper's default password dictionary with a few potential tidbits garnered from the publicly available information, and John was on his way. Meanwhile, we confirmed that the user account that got me to flag 4 did not have a blank password on the next host with login services running - in this case ssh and telnet. However, in less than a minute, John had recovered the password for another user from the flag 4 host. Sure enough, this gets me into the next box, also running Linux, and directly to the root directory where flag 3 resides. Unfortunately, flag 3 is readable only by root, and, to make matters worse, this box does properly employ shadow passwords. However, as luck would have I stumbled across a world readable copy of the shadow file in the root directory. The instructor told me after that this was to simulate common shoddy administrative practices. Soon this file was also fed to John who shortly recovered another password...
Cutting to the finish, this is as far as our team got. A team from a Quebec university was the only team to find all four flags and the fifth bonus flag.
Overall, it spectacular to test drive a few of the tools that we had talked so much about. This final exercise tied the entire course together and demonstrated the clear value of the many hours of lecturing that we endured.
- Day: Day 6
- Topics: Capture the flag
- Tools (at least the ones I used): nmap, John the Ripper, hydra, Metasploit Framework, nessus
- Overall value: 5 out of 5
- Coolness: 5 out of 5