Review of 2013 USCC SJSU Cyber Camp
Well it’s only been about a day since I have come home, and I still haven’t quite adjusted back to my normal routine. The last few weeks have been really wonderful… This year I got to TA the IDA Pro class with Chris Eagle at Black Hat. He is definitely a person I look up to and respect in the security industry. I met some great people from all over the world while I was there and really learned a lot. I got to meet up with some great friends at Defcon 21, play some CTFs, and meet new people who are just like me! After a week and a half of sweltering heat in Vegas I landed back home in Monterey, and 4 hours later I was on my way to the SJSU USCC Cybercamp.
I made the decision a year ago at my first Defcon to dive into security headfirst. It was my first time at Defcon and I loved it, I was surrounded by so many different people with so many different ideas. They were all diverse, but they were all just like me too… I remember wondering what my life would be like a year from then. Well a year has come and gone and my life is remarkably different… I sleep less, work harder, try harder (read oscp) and have more (security) friends… I have learned so much about security, about learning from mentors and about helping people get into this field. Anyway, enough of the reminiscing… on to cybercamp!
What a whirlwind the cybercamp has been. Firstly let me express my sincere gratitude to everyone involved in making the event a tremendous success! Your hard work and commitment resulted in the event being a significant and meaningful place to grow the security skills of the next generation. Finally I would like to thank all of the SANS instructors… All I can say is WOW you guys really know your stuff. From day one up until the end we were carpet-bombed with new information, new ideas, new tools and new techniques! No one who is at your level of experience and skill is REQUIRED to help the next generation of security experts, but you did, so thank you very very much for that!
The class was intense: day 1 was memory forensics, day 2 reverse engineering malware, day 3 tactical attack/defense, day 4 writing exploits, and day 5 a ctf!!!! I’m happy to say I learned a lot from every speaker with day one teaching me how to solve some challenges from previous CTFs. Day 4 was certainly very challenging, by the second half of the class I was in the world of the unknown as far as exploits go. We were bypassing stack protection mechanisms in the second part of the class… crazy amazing new stuff for me!
Finally on to the big takeaways for me…
Each instructor had some really good advice for all of the students; if I could condense the themes of their advice I would say it’s this.
- All of our instructors were experts in a specific area of security, pick an area that interests you and get really really good at it. (eventually)
- There is no way to bypass the hard work it takes to become an expert, do the hard work, so you can get to the really fun work.
- Review the course material! There was a lot we didn’t cover and you can learn a lot more by reading the book, and working with the class lab materials.
- Take responsibility for your education. USCC was a huge opportunity for every student at the camp, capitalize on those opportunities and do whatever you can to get more of them.
Okay, on to the CTF – This review is mostly for someone just starting out with infosec / security / CTFs…
Firstly, a note to Threatspace / the USCC organizers… Upon registering for the USCC ctf students could look at the flags section of the competition to see what questions would be asked during the CTF. I’m not sure if this information leakage was intentional or otherwise but the night before the CTF I was able to determine that the CTF would focus solely on Webapp pentesting, pcap files, and password cracking. Some questions were a better indicator than others as to what would be involved. Questions like “What is the MySQL account password for Wordpress?” made me think SQL injection and wordpress… Questions like “What is the WEP hex key?” made me think aircrack-ng… questions like “What is the plaintext password for ssmith?” made me think password cracking. Luckily some questions were vague enough like “What is the flag on target 2?” But ultimately this information leakage (whether by design or unintentional) led to something of advanced notice for those who were up late at night trying to prep for the CTF.
Many students mentioned that this was their first CTF, and many students weren’t able to get the tools they needed to solve the challenges in time. Pro-tip: If you know the context of the CTF, i.e. SQL injection / webapp hacking or what have you, set up a practice environment in which you actually compromise those types of systems.
I’m also talking to myself here, for NCL (which also ran on Threatspace) there were a number of password cracking challenges. I spent a lot of time on those because I thought they were fun. However that was last year and I had forgotten all of the special switches and settings I needed to make hashcat work quickly and effectively. I probably wasted about 30 – 45 minutes during the competition fiddling with ocl-hashcat and googling during the competition to get everything set up right. Googling during a CTF is inevitable, but if you can avoid it by preparing beforehand… do that! Those 45 minutes I wasted could have been spent on another challenge, gotten me more points and put me further ahead.
Also, if it’s not working, don’t stress… take a break walk around… talk to some people… just don’t stress. I always have to take breaks because I get so amped up about the competitions… also moving helps you think (I think?) My friend Dan Borges put things in perspective for me the night before the CTF when he said not to worry… “There will always be another CTF.” You know what? He’s right… I’m a really competitive person and I really want to win a CTF but if I don’t (and I didn’t) there will always be another one right around the corner!
With that what can I say about the challenges… I focused mostly on the wep/pcap stuff and password cracking so I will post my thoughts on that.
I realized fairly quickly that many of the USCC flags were in the format USCC-1234-ABCD. This was very similar to the NCL competition format of NCL-1234-ABCD so I tried to (quickly) create a wordlist that encompassed all possible USCC-num-letter combinations. Let me just say it is a big wordlist… Many of the password flags were not in this value and I was able to use the rockyou wordlist to recover them. Additionally my suspicion is that the hashcat dictionary + mask attack would yield a few more flags but the root/administrator passwords are probably in the USCC- format. (Stay tuned I will probably crack them when I get back home)
Ultimately my plan didn’t work, I simply didn’t have enough compute power to get through all of the password combinations in time for the strategy to be effective. If I had to re-think my strategy I would have stopped trying to crack the WPA pcap file and worked on recovering data out of the WEP pcap files to gain more points. For a time limited CTF like USCC you really want to go after the low hanging fruit and not spend time trying a strategy that *might* pay off big if it works.
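To put numbers on the wordlist-versus-mask trade-off described above, here is an added example (not from the original post) that parses a hashcat-style mask, counts the candidates, and compares writing them to disk with generating them lazily. The flag layout of four digits plus four uppercase letters and the guess rates are assumptions made for illustration.

```python
import itertools
import string

# Hashcat-style built-in charsets (?d, ?u, ?l); other placeholders are not handled here.
CHARSETS = {"d": string.digits, "u": string.ascii_uppercase, "l": string.ascii_lowercase}

def parse_mask(mask):
    """Turn a mask such as 'USCC-?d?d?d?d-?u?u?u?u' into per-position alphabets."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            nxt = mask[i + 1]
            if nxt == "?":
                positions.append("?")            # '??' is a literal question mark
            elif nxt in CHARSETS:
                positions.append(CHARSETS[nxt])
            else:
                raise ValueError(f"unsupported placeholder ?{nxt}")
            i += 2
        else:
            positions.append(mask[i])            # literal character
            i += 1
    return positions

def keyspace(positions):
    """Number of candidates the mask describes."""
    n = 1
    for alphabet in positions:
        n *= len(alphabet)
    return n

def wordlist_bytes(positions):
    """Size of the same candidates on disk, one per line (ASCII plus newline)."""
    return keyspace(positions) * (len(positions) + 1)

def candidates(positions):
    """Lazily yield candidates; nothing is stored, unlike a pre-built wordlist."""
    for combo in itertools.product(*positions):
        yield "".join(combo)

def hours_to_exhaust(positions, guesses_per_second):
    return keyspace(positions) / guesses_per_second / 3600

if __name__ == "__main__":
    flag_mask = parse_mask("USCC-?d?d?d?d-?u?u?u?u")   # assumed flag layout
    print(f"candidates : {keyspace(flag_mask):,}")
    print(f"on disk    : {wordlist_bytes(flag_mask) / 1e9:.1f} GB")
    # Constructed rates, not measurements: a fast unsalted hash vs. a slow KDF
    for label, rate in (("fast hash, 1e9/s", 1e9), ("slow KDF, 1e4/s", 1e4)):
        print(f"{label:<18}: {hours_to_exhaust(flag_mask, rate):.2f} h")
```

The same candidate set that takes tens of gigabytes as a file is a 22-character mask, and the time to exhaust it is set almost entirely by how slow the target hash is.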
I had a really great time at the event and at the CTF. I want to again thank all of the staff, faculty, organizers, and sponsors for their hard work in making the event a success.
Friday meetings may have to be postponed or rescheduled to another day. My involvement in CyberPatriot is taking up my Friday evenings. Saturday mornings anyone????
Over the weekend I experimented with the new Java 7 exploit that is available in Metasploit. It’s effective against fully patched Windows 7 machines. Definitely a cause for concern! Use of this exploit module could be a topic for future meetings!
Looks like it should be a fun project!
Def Con 20 was great this year, a great first year for me to go :) Got to play with some lock picking, hardware hacking, and listened to some excellent talks. Even more important I met some great people. I am definitely looking forward to next year!
Monterey 2600 will be attending Defcon this year! So excited to meet new people and learn new things!