Friday, October 8, 2010

Experiences From CyberRaid 0 - Red Team

Ax0n and Asmodian X from h-i-r posted their experiences from CyberRaid 0, and I figured I'd do the same for those who missed it and anyone interested in competing in CyberRaid 1.


I didn't know what to expect going into it.  The event was put on in conjunction with BSidesKC, and the CTF was run by White Wolf Security.  No rules were given ahead of time, which I figured was to keep us from preparing to cheat ahead of time using any technique that wasn't specifically banned.  I had quite a few ideas of how to cheat, although I didn't have time to prepare them (and in retrospect they probably wouldn't have helped much anyway), so I basically just loaded up a fresh BackTrack4 R1 instance, then updated everything I could think of.  Attempting to cheat was pretty worthless anyway, because the guy next to me totally out-cheated anything I could have done by planting a baby monitor built into a power strip, and USB thumb drives with malware, in professionally designed and sealed packaging, planted around the room.  He delivered these items in the middle of the night to blue team's room.  Since I didn't have too much time to prepare, I was going to keep it simple; I was going to be okay with last place, and happy with anything higher.


We met before we began to go over the rules.  I don't think there really were any rules, except that they told us that to score we needed to run a phonehome.exe on any box we owned, and that we had to run it every so often.  I couldn't believe that attacking people's computers outside of the game (people's hosts) wasn't prohibited.  They also didn't prohibit any firewall rules from being set.


Once the game got started I found a couple of systems that looked promising, got lucky, and got a shell on one of them pretty quickly.  I grabbed the phonehome.exe and ran the crap out of it from meterpreter while I was working to automate this with a batch script (it was kind of hard to remember how to loop in batch without internet access).  At this point, I was happy to be on the board so quickly.  I finally dropped down to an interactive shell, ran the phonehome.exe, and saw that it required some parameters that White Wolf hadn't given us.  The usage actually implied they were optional, so it took me a while to figure out that it was failing.  It took White Wolf a little while to get back to me with the IP and port, yet it still wouldn't connect.  Pretty soon my connection was killed because the blue teams had completely locked down the firewalls.  Egress traffic to connect back and egress traffic to the scoring bot were both blocked.  Nobody could hit anything for a few hours until White Wolf told the blue teams to open up a few services.  For the last two-thirds of the game we had 30 of us hitting these services, yet they were all pretty secure.  I think in the end only two or three people scored.  From what I heard, at this point the blue team was mostly just sitting around with nothing to do.


In the end, we had a period where we couldn't score, then for the rest of the game their systems were so locked down that only 10% of the people could score.  How much fun would football be to watch and play if only 10% of the teams scored each Sunday?  I had a lot of fun, but I expected much better preparation from cyber exercise professionals.  I definitely don't regret playing.  I met a lot of very talented people in the area.  CTF aside, the event was extremely well put together.

Suggestions for next year
  • Prohibit attacking of computers outside of the game.
  • Test the network before the game begins.
  • Tell us what we need to know to score.
  • Ensure the game is somewhat fair (or at least entertaining) for the duration of the game.
