Friday, July 17, 2015

What Did I Learn From My First Live Cyber Challenge

I’m writing this post in hopes that it helps people who are afraid to try these cyber challenges because they think that they don’t know enough.

I got into this challenge, not necessarily because of my knowledge, but because of my ability to find answers when I need them.  I could read a little code, I could understand a little bit about what was going on, but I can’t write code very well anymore.  It’s been 9 years since I graduated college.  As anyone knows, in tech time, that’s a long time.  There are version changes and new languages being made.  Sure, the basic things that I had learned still apply, but it’s not exactly the same.  I’ve been out of the workforce for nearly that long as well.  So if you’re in that same boat, don’t let it discourage you.

You’d be surprised how much of a distance in learning I’ve made since I started doing these online cyber challenges and this live challenge just by giving them a shot.  My first attempts weren’t very elegant.  So just try them, you might surprise yourself.

Once you make it to a camp:

Listen to the instructors.  This seems obvious, but sometimes we get distracted by minor glitches, like having connectivity issues or taking notes, so we don’t pay attention to their message.

Take advice from other students and the TAs.  Another student who was more experienced than I told me not to worry so much and to open Notepad or bring a notebook, and make notes of the page numbers of important info as we go along.  He’s absolutely correct.  Indexing is a great idea.

Use every avenue within legal means.  I tried a little social engineering and recon before the challenge.  I'm going to put a disclaimer on this.  This does not mean send a phishing e-mail to your instructor and attempt to own their machine.  This means: ask them what they've been reading.  Ask them what projects they've been working on; ask them what CTFs they've done before.  Here is why.  People are busy.  Many times, they will reuse material from things that they are working on, reading, or doing.  Sometimes, they even reuse the same challenges.  If you've read my previous blog posts, Shmoocon and the SANS 2014 Brochure challenge were pretty much the same with minor changes.  Yes, the target may say, “No, I can’t help you,” but it never hurts to ask in a respectful manner.  You never know, they may go for it because that is part of the lesson that they are trying to teach you.  Know human behavior.  If they aren't willing to answer, read their blogs.  You can usually find those things on their blogs.

DO NOT SKIMP on RECON and SCANNING.  People quickly dismiss this part of the process without realizing that the creators of the challenge will make the contest much like the real world.  People in the real world make mistakes.  If you focus on the exploits, you’ll never see the easy solutions sitting right in front of you.  Sure, it feels awesome to pop that first shell, but in the real world we are on a time limit, we have a scope of what we are allowed to do, and we can’t afford to chase down exploits when the same result could easily be accomplished in other ways, like finding a plain-text password with a search of user logs that takes about five seconds.  During my research last night, I uncovered this blog:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Notice that many of the privilege “exploits” are actually just social engineering, in other words, knowing human behavior.
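As an added example (not code from the original post or from the linked blog), here is the defender's side of the "plain-text password in the logs" point above: a small audit that scans log lines for credential-shaped content and reports each hit with the secret redacted. The log lines are constructed for the example; the pattern labels and the `scan_lines` function are my own naming.

```python
import re

# Each entry: (label, regex with a named group "secret").
# These catch the usual ways a credential ends up in a log line:
# a key=value pair, userinfo embedded in a URL, or an HTTP Basic header.
CREDENTIAL_PATTERNS = [
    ("key=value",
     re.compile(r"(?i)\b(?:password|passwd|pass)\s*[=:]\s*(?P<secret>\S+)")),
    ("url-userinfo",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s/]+)@")),
    ("basic-auth",
     re.compile(r"(?i)\bauthorization:\s*basic\s+(?P<secret>[A-Za-z0-9+/=]+)")),
]


def redact(secret):
    """Replace the secret with its length so the report itself leaks nothing."""
    return "<redacted:%d chars>" % len(secret)


def scan_lines(lines):
    """Return (line_no, label, redacted_line) for each line carrying a credential.

    The first matching pattern wins, so a line is reported at most once.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        for label, pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m:
                start, end = m.span("secret")
                findings.append((no, label, line[:start] + redact(m.group("secret")) + line[end:]))
                break
    return findings


# Constructed sample log: lines 2, 3 and 5 leak a credential; 1 and 4 do not.
# Line 4 shows why the key=value pattern requires '=' or ':' after the keyword.
SAMPLE_LOG = [
    "2015-07-16 21:03:11 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2015-07-16 21:05:42 setup.sh: mysql -u app --password=Summer2015! -h db01",
    "2015-07-16 21:07:03 backup: fetching ftp://backup:hunter2@files.internal/daily.tgz",
    "2015-07-16 21:09:15 app[2203]: user login failed, reason=bad password for bob",
    "2015-07-16 21:10:58 proxy: GET /admin Authorization: Basic YWRtaW46czNjcjN0",
]

if __name__ == "__main__":
    for no, label, redacted in scan_lines(SAMPLE_LOG):
        print("line %d [%s]: %s" % (no, label, redacted))
```

Point the same function at real log files and the hits are exactly the "five second" findings the post describes, which is a strong argument for fixing the logging before anyone else searches for them.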

I also looked up one of the hostnames because people commonly name their machine whatever OS they are running, and/or the version number.  I didn’t understand the significance of it until today.  I wasn’t entirely wrong.  I just didn’t think that I had all the info that I needed.

I looked up the other OS versions as well, looking for vulnerabilities for those particular OSes.  If you have notes, for heaven’s sake, share them.  I was so nervous today that I forgot to share my research.  I spent a long time last night doing research, and that effort wasn’t exactly wasted, because I learned, but it could’ve been more useful.

Don’t expect Metasploit to find everything for you.  You can help narrow down results the night before.  I suggest not waiting until the last night to study and research.

Know your tools.  There were a couple of questions I'm sure that we could have found the answer to if we knew how to use the tools.  We were okay with the tools we learned in class, but lacked skills in other useful tools.

When you find out who your teammates are, make a plan of attack.  Find out what each other's strengths and weaknesses are, and play to your strengths.  I suggest having each person take one section of what you have learned and research it extensively.

On the Challenge Day, listen to what the instructors and challenge creators say.  I know, you want to dig right in, but sometimes they give hints on challenge days that you may miss if you’re trying to attack.  Their first advice, go for the low hanging fruit.  Don’t spend hours going into the machine and trying to do the exploits because you might end up losing a lot of points if you’re chasing a tangent that may or may not be the correct solution.

CTFs (any of them, so I'm not giving anything specific away) have different sections.  Pick a section that you are good at and go for it.  That being said, plan with your teammates on who does what, accordingly.  You do not want to waste time answering the same questions.  It only counts for points one time.

Google your heart out.  You may find the answer that way.

Don’t give up.  Keep trying until that last call.  You may learn something in the process.
