Merry Christmas, hackerkin! Well, sorta.
This is a compressed, really SHORT guide to assist you in navigating your way through the SANS Holiday Hack CTF based on their past challenges and my observations over time. Whether or not you are successful (completing all the challs) is not the point of this exercise. The idea is to have fun, hopefully learn new techniques and grow as a security researcher, pentester, hacker, whatever you identify as.
If you have any ideas you’d like to add, drop me a line on Twitter and I’ll see if I can add them. I wanted to list more but I’m swamped with work and this is the best I could do right now.
These were last year’s challenges: https://holidayhackchallenge.com/2016/
This is mainly going to be an advice, tools and resource listing under each category that I think you should have, based on the last four years’ worth of solution entries, the kinds of challenges there were, and the tools which tend to be used in other CTF competitions.
It’s NOT exhaustive and many of the things I link to here will be in a larger guide I’ve been trying to get published for the last year and a half but it’s at 300 chapters and won’t stop growing. This is just to point you in the right direction for right now. I also wanted to be able to upload this for you all before the challenge starts and I’m pressed for time.
Pay CLOSE attention to the SANS blogs, especially Jeff McJunkin’s posts! He is one of the hackers who writes the challenges for Holiday Hack!
Also say hi to Jeff! He’s very nice!: https://twitter.com/jeffmcjunkin
Anything posted this year that is a fairly new technique or unique in nature will likely be featured in the challenge itself. It makes sense. It is their research so of course they wish to display it and thanks to them many of the techniques you know are because somewhere along the line their staff taught it to someone who showed it to someone else. SANS is an important member of our community and a solid pentesting/hacking repository of information.
Someone usually posts a HolidayHack thread on Reddit where you can get hints. This was last year’s:
Please read this next part VERY carefully. I’m asking nicely because this annoys me when I see it. Please don’t give out spoilers. You should be able to discuss a technique in subtle ways so as not to blatantly ruin it for others.
For instance, if you want to tell someone to use tcpdump or netstat to view INCOMING traffic to their system, you might say something like, “Maybe see if anything is phoning home?” Rather than “TCPDUMP ALL THE THINGS!” If you find you cannot give a hint without ruining it, it’s better not to say anything at all.
Many others and I look forward to this challenge ALL YEAR LONG. I get my box prepared for this months in advance and I take off from work for this, at least a couple of days, so I can play.
Seriously, I do. I get to Starbucks and get my Peppermint Mocha (or three) and I’m in front of this computer for hours, dancing in my chair to the awesome custom soundtrack they provide too.
I scour everything SANS related for months leading up to this. I want to arrive at the conclusion on my own and while it is fun to do, I view this as a necessary part of my duty to educate myself. This is how I’ve led my own career. I don’t want to be handheld through it and neither does anyone else. Memorizing something is not learning. Learning is when you can repeat the topic in your own words, which suggests to the listener you comprehend it. You’re not a parrot. I want to comprehend and so do others. The way we do that, mostly, is by failing and keeping at it until we get it right.
Set up a temporary virtual environment for this and any other challenge you do online. You shouldn’t use your production box. If you have to change something, just for this challenge, to get something to work, and you forget? Some things might not work the next time you spin up the instance.
Many new hackers make this mistake and one last year, not understanding what the shellcode he downloaded did, ruined his environment and network. This wasn’t in a SANS challenge but another I did and it was disheartening to hear about. While I am not aware of SANS having any sort of malware in their Holiday Hack challenge, treat every file you are examining as if it is suspect. You don’t know what it’s going to do and even normal files when placed in the wrong environment or with specific configurations can screw things up.
I am a legend in the arena of breaking things the wrong way. I’m so good at it, I now go out of my way to do things the wrong way just to see what will happen.
That said, make sure your environment is FULLY PATCHED prior to the challenge itself. This also means updating the tools themselves if they don’t automatically update with apt-get update. When you’re all done setting up all the tools, reboot and then take a snapshot. That’s your starting point.
Get a notebook and have it on your desk so you can write notes on the fly and refer back to them if you have to stop and come back again the next day. Also if you plan to submit your solutions to possibly win, you are going to need those notes!
Cheatsheets are available everywhere. On my desk I have a literature rack which spins and has sections which I flip.
I have Common Ports, Mubix’ and G0tM1lk’s Linux-Post-Exploit guides and more.
There are HIGHLY COVETED prizes attached to this contest each year. First prize is a FREE SANS course of your choosing! They are all around six grand. There’s also Best Technical Answer, Best Creative Answer and Random Draw. So you’re competing for a chance to get the very best of training, at no cost to you, from the very best hacker and pentest experts there are.
Ed Skoudis, Jeff and their team do our community a great service by working hard on these challenges every year. They don’t really need to do this but they do and for that I am grateful to them. It’s essentially free training.
Before I start linking, I’m not suggesting all of what I mention below will be in the challenge this year. I’m just trying to give you the best starting point. If it isn’t included and you didn’t know about one thing I mention, there will come a time where it will come in handy so save it for later.
The same goes for Hacky Easter (not hosted by SANS but by Hacking Lab each April); most of these will most likely come in handy there too.
Also, the SANS people *love* Android analysis. I tweeted about this twice this year and I’m mentioning it again now…if you don’t have it on your system now, set aside two hours and install Android Studio. Get some dinner, learn to play a new instrument, bang your head against the wall, just install it. It is one of the longest software installs in history and you do NOT want to be installing it as you’re trying to solve a challenge. Trust me on this. I speak from painful experience.
If you can spare the time try to do last year’s Holiday Hack because there was an APK you needed to analyze and it was most enjoyable to do.
PRIV-ESC
The SANS guys are masters at Linux and PrivEsc. Get your hands on either Rob Fuller’s PrivEsc guide (his handle is Mubix) or hacker G0tmi1k’s version.
BOOKS TO HAVE ON HAND
Red Team Field Manual, Blue Team Field Manual, Web App Hacker’s Handbook, Hacker’s Playbook 1 & 2.
Get sticky notes to mark the pages that you think will be useful.
These are all on my desk, at all times.
Kali comes with Wireshark. Have it updated and a copy of the appropriate cheatsheets.
Also, before you ask because you’re probably going to ask (and this is something I’m DMed a lot about for some reason, I don’t know why):
Know how to quickly filter certain info.
Know how to decrypt packets and what specific things are needed to decrypt each protocol you come across. You don’t want to be going down the wrong path wasting valuable time.
E.g. with WEP you only need one key to decrypt, but with SSL you’d need both the private AND the public key.
So this is where your critical thinking comes in. Let’s say you come across a key. If you don’t have any keys, or only one? You need to find the other, or they want you to do something else with the traffic, or perhaps the information you seek is in the part of the packets which is NOT encrypted.
I once did a challenge four years ago looking for keys that weren’t there, only to find that the information I needed was in plaintext in the pcap, and I spent hours for nothing. With hacking it’s always important to know what you CAN’T do because it’s going to lead you to what you CAN DO instead. My mantra is “What can I do, what can’t I do? What can I see, what can’t I see?” Otherwise, without certain pre-requisites in place, you might waste time.
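To make the “what can I see” pass concrete, here is an added example (my own code, not from the original post or from SANS): a tiny stand-alone pcap walker that does the equivalent of the Wireshark display filter `tcp.port == 80` and then picks out the flows whose payload is readable without any key at all. The capture is constructed inline (two opaque TLS-looking records on 443 and one cleartext HTTP request on 80); the addresses, ports and header value are made up for the sample.

```python
import struct
from typing import Iterator, List, Tuple

Flow = Tuple[str, str, int, int, bytes]  # src ip, dst ip, sport, dport, payload


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame. Checksums are left zero: fine for an offline sample."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))  # IHL 5, TTL 64, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture (not a real one): two TLS-looking records on 443, one cleartext request on 80.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.1", 51000, 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    build_packet("10.0.0.1", "10.0.0.5", 443, 51000, b"\x17\x03\x03\x00\x20" + bytes(range(32))),
    build_packet("10.0.0.5", "10.0.0.1", 51001, 80,
                 b"GET /notes.txt HTTP/1.1\r\nHost: elf-web\r\nX-Sample: constructed-value\r\n\r\n"),
])


def iter_tcp(pcap: bytes) -> Iterator[Flow]:
    """Walk a pcap and yield (src, dst, sport, dport, payload) for every IPv4/TCP frame."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":           # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:                        # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        doff = (frame[tcp + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[tcp + doff:14 + total_len]


def filter_port(pcap: bytes, port: int) -> List[Flow]:
    """Same selection as the Wireshark display filter 'tcp.port == <port>'."""
    return [f for f in iter_tcp(pcap) if port in (f[2], f[3])]


def is_plaintext(payload: bytes) -> bool:
    """Cheap readability test: every byte printable ASCII or whitespace."""
    return bool(payload) and all(32 <= b < 127 or b in b"\r\n\t" for b in payload)


def plaintext_payloads(pcap: bytes) -> List[Flow]:
    """The 'what CAN I see' pass: flows whose payload needs no key to read."""
    return [f for f in iter_tcp(pcap) if is_plaintext(f[4])]


if __name__ == "__main__":
    for src, dst, sport, dport, payload in plaintext_payloads(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}\n{payload.decode()}")
```

Run it on a real capture by replacing `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; the 443 flows come back as opaque bytes, which is the cue that a key (or a different question) is needed, while the port 80 request is readable as-is.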
Download Network Miner. It is full of win.
Alternative Alphabets / Encoding / Etc
Morse, Sherlock’s Dancing Men, Futhark Runes, Maritime Flags. If they obfuscate the alphabet in a code, you want to have as many of these at your fingertips to save time.
Fun fact: I have a pigpen cipher ring. I wear it a lot and it’s actually come in handy in a real life situation where a pigpen cipher was used.
This is a tool by Kahu Security I use every week. It does Hex to text, converts shellcode, has an ASCII chart, everything.
It will be helpful if you are familiar with how certain formats look. If something is encoded in Base64 and you don’t know what that looks like, you might have to spin your wheels trying to figure it out.
When in doubt as to something’s origin? Paste in Google.
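Recognising what an encoding looks like is something you can also script. The block below is an added example of my own (not the Kahu Security tool and not code from the original post): it runs a string through hex, Base64, binary and Morse decoders and keeps only the results that come out as readable ASCII, so an unknown blob tells you which of those shapes it has. The samples in the `__main__` block are constructed; the Morse table is the standard letters-and-digits set.

```python
import base64
import binascii
import re
import string
from typing import Callable, List, Optional, Tuple

# International Morse for letters and digits (used by the Morse decoder below).
MORSE_CODE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..", "0": "-----",
    "1": ".----", "2": "..---", "3": "...--", "4": "....-", "5": ".....", "6": "-....",
    "7": "--...", "8": "---..", "9": "----.",
}
MORSE_DECODE = {v: k for k, v in MORSE_CODE.items()}
PRINTABLE = set(string.printable)


def looks_printable(text: str) -> bool:
    """A decode only counts if the result is readable ASCII."""
    return bool(text) and all(c in PRINTABLE for c in text)


def try_hex(s: str) -> Optional[str]:
    """Hex text such as '48656c6c6f' (whitespace between bytes tolerated)."""
    t = re.sub(r"\s+", "", s)
    if len(t) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", t):
        return None
    try:
        out = bytes.fromhex(t).decode("ascii")
    except UnicodeDecodeError:
        return None
    return out if looks_printable(out) else None


def try_base64(s: str) -> Optional[str]:
    """Standard alphabet, '=' padding, length a multiple of 4."""
    t = s.strip()
    if len(t) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", t):
        return None
    try:
        out = base64.b64decode(t, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if looks_printable(out) else None


def try_binary(s: str) -> Optional[str]:
    """Groups of eight 0/1 digits, e.g. '01001000 01101001'."""
    t = re.sub(r"\s+", "", s)
    if not t or len(t) % 8 or not re.fullmatch(r"[01]+", t):
        return None
    out = "".join(chr(int(t[i:i + 8], 2)) for i in range(0, len(t), 8))
    return out if looks_printable(out) else None


def try_morse(s: str) -> Optional[str]:
    """Dots and dashes, letters separated by spaces, words by '/'."""
    t = s.strip()
    if not re.fullmatch(r"[.\-/ ]+", t):
        return None
    words = []
    for word in re.split(r"\s*/\s*", t):
        letters = [MORSE_DECODE.get(sym) for sym in word.split()]
        if not letters or None in letters:
            return None
        words.append("".join(letters))
    return " ".join(words)


DECODERS: List[Tuple[str, Callable[[str], Optional[str]]]] = [
    ("hex", try_hex), ("base64", try_base64), ("binary", try_binary), ("morse", try_morse),
]


def guess(blob: str) -> List[Tuple[str, str]]:
    """Return every (encoding, decoded text) pair that yields readable output."""
    results = []
    for name, decoder in DECODERS:
        decoded = decoder(blob)
        if decoded is not None:
            results.append((name, decoded))
    return results


if __name__ == "__main__":
    # Constructed samples, one per encoding, plus one that matches nothing.
    for sample in ["48656c6c6f", "U0FOUyBIb2xpZGF5IEhhY2s=", "01001000 01101001",
                   ".... .- -.-. -.- / - .... . / .--. .-.. .- -. . -", "???"]:
        print(repr(sample), "->", guess(sample) or "no match")
```

A string can legitimately match more than one decoder (a run of hex digits is also valid Base64 text), which is why `guess` returns every candidate instead of the first; the readable-ASCII filter is what separates a real hit from noise.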
Tools on hand to extract the metadata from pictures.
What can you see if you view them in a hex editor? I use HxD, primarily.
If steg is suspected, know which tools can handle which image types or you might waste time.
JpHide, as an example, only analyzes JPEGs.
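Knowing the file type before picking a steg tool, and knowing what the hex editor view is telling you, can be scripted too. This is an added example of my own (not from the original post and not any of the tools it names): it identifies a file by its magic bytes rather than its extension, prints an HxD-style dump, lists a JPEG’s marker segments (including the APP1/Exif segment where picture metadata lives) and reports any bytes sitting after the JPEG EOI marker or the PNG IEND chunk, which is the first thing worth checking when steg is suspected. The two sample files are constructed minimal images, not real photos.

```python
import struct
import zlib
from typing import Dict, List, Tuple

# Leading bytes of formats that show up in CTF image/audio challenges (well-known values).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP (also DOCX/JAR/APK)"),
    (b"RIFF", "RIFF container (WAV/AVI)"),
    (b"\x1f\x8b", "gzip"),
]
JPEG_MARKERS = {0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT", 0xFE: "COM"}


def identify(data: bytes) -> str:
    """Name the format from its leading bytes, whatever the extension claims."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII columns, the same layout a hex editor shows."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


def jpeg_walk(data: bytes) -> Tuple[List[str], bytes]:
    """Name the marker segments up to the scan and return any bytes after the EOI marker."""
    names, off = [], 2  # skip SOI (FF D8)
    while off + 4 <= len(data) and data[off] == 0xFF:
        marker = data[off + 1]
        if marker in (0xD8, 0xD9):  # SOI/EOI carry no length field
            break
        length = struct.unpack(">H", data[off + 2:off + 4])[0]
        payload = data[off + 4:off + 2 + length]
        if 0xE0 <= marker <= 0xEF:
            name = f"APP{marker - 0xE0}"
            if payload.startswith(b"Exif\x00\x00"):
                name += "/Exif"  # the segment that holds camera/GPS metadata
        else:
            name = JPEG_MARKERS.get(marker, f"0x{marker:02X}")
        names.append(name)
        off += 2 + length
        if marker == 0xDA:  # start of scan: entropy-coded data runs until EOI (FF D9)
            eoi = data.find(b"\xff\xd9", off)
            return names, (data[eoi + 2:] if eoi != -1 else b"")
    return names, b""


def png_trailing(data: bytes) -> bytes:
    """IEND is the last chunk; anything after its 4-byte CRC is not part of the image."""
    idx = data.find(b"IEND")
    return data[idx + 8:] if idx != -1 else b""


def analyze(data: bytes) -> Dict[str, object]:
    kind = identify(data)
    segments, trailing = [], b""
    if kind == "JPEG":
        segments, trailing = jpeg_walk(data)
    elif kind == "PNG":
        trailing = png_trailing(data)
    return {"type": kind, "segments": segments, "trailing": trailing}


# Constructed samples: a minimal JPEG with text appended after EOI, a minimal PNG with nothing after IEND.
def _jpeg_segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _jpeg_segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08")  # Exif header + TIFF stub
    + _jpeg_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"                      # stand-in for entropy-coded scan data
    + b"\xff\xd9"
    + b"see me in a hex editor"            # appended after EOI
)
SAMPLE_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _png_chunk(b"IEND", b"")
)

if __name__ == "__main__":
    for blob in (SAMPLE_JPEG, SAMPLE_PNG):
        print(analyze(blob))
        print(hexdump(blob[:32]))
```

Point it at a real file with `analyze(open("photo.jpg", "rb").read())`. A JPEG that reports no `APP1/Exif` segment has no EXIF metadata to extract, and a non-empty `trailing` value is exactly the kind of thing you see at the bottom of a hex editor window and should inspect before reaching for a steg tool.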
If you haven’t downloaded Audacity, do it. I have used it a number of times for real-life engagements and CTF challenges.
Sonic Visualiser, e.g. to see if there’s a hidden message in the spectrogram.
Web Application Tools
You’re probably going to use BURP at some point so if you don’t know it, brush up on how to get started with it now:
Previous Write-Ups I Enjoyed Reading
Just have fun. Don’t worry if you don’t get them all. It’s not Pokemon. And if they include a game like they did last year with Wumpus, go with God Mode. Lesson learned. God that elf was annoying!