Reflecting on the Capture the Flag contest from last night
Last night I participated in the Hurricane Labs and NEO Info Forum Hack Challenge. The event was an offensive-only (aside from protecting your own machine from others on the network) Capture The Flag contest. Although I overlooked some of the easier flags in retrospect, I figured I’d detail what my initial approach was in the contest and what it should have been in completing the contest.
My initial strategy going in was to do an nmap -sS -O -P0 targets > nmapresults.txt to have a list of all the services running on the targets. From this point I started with some general web application security tests on all of the hosts serving web. For this, a combination of Nikto2, w3af, and the Security Compass Firefox plug-ins were the main tools, along with a lot of hand testing via the browser. From that point I moved on to the Cisco router, which had a default password. I then started checking out the Windows servers, although I was running into issues forgetting syntax in Metasploit and also some problems getting it to load up, so I checked the Samba shares. I finished the night cracking a zip file, telnetting to a random high port, and trying some automated Windows scripts.
During the reveal at the end of the night it was clear that a lot of the flags were available via one hack; for example, with invalid object queries, after 1 flag I figured it was done, and the same with directory traversal attacks. Also, a smarter approach would be to look for simpler things first. There was a DNS server on the network that was able to be zone transferred, but it hadn’t even crossed my mind.
All in all, I came out of it with the mind frame of starting with the more obscure services and working back to the more common ones. DNS isn’t obscure, but when you see that or a web application that is likely vulnerable to SQL injection, you’re misdirected a bit. I also realized that I need to do a lot more hands-on with the tools prior to a contest, as I wasn’t remembering syntax and had to use a lot more -h’s than I’d like to admit. For going in not feeling very confident, I came out with third place and feeling like this is something I’d like to do more often.
Thanks to Hurricane Labs and the NEO InfoSec Forum for a great competition!
You’re currently reading “Reflecting on the Capture the Flag contest from last night”, an entry on perplext.net
- Published: 07.16.09 / 10am
- Tags: contest, CTF, hacking, hurricanelabs, infosec, Pentesting, Security, tools