aRcTicCON









First of all, the conference was amazing. The first day was dedicated to the CTF, the second day had a focus on training/labs, and the third day was loaded with presentations that were all informative, inspiring, and packed full of tips, tricks, tools, and advice that I could actually use in my day-to-day.

The CTF had three main components to it, with SE being peppered in as well:

OSINT

Physical

Netpen

I was assigned to team IronMan, along with five others.

OSINT

On May 2nd, 2019, the CTF opened up for teams to begin working on the OSINT challenges.





The Jeopardy style challenge board gave no hints and asked no questions.

Here is an example of a challenge:





Challenge Three









I began this CTF with some bad assumptions concerning when it was held last year, so shortly after I began my hunt for OSINT, I started submitting flags from last year's challenges. This didn't count against our score, but submitting incorrect flags is never fun. Okay, with that all said, let's get into it:

[0] FLAG0:8c1446b0920d1e68175f951721791900 (1 point)

The members of team IronMan were all added to a private slack channel and the following pinned message provided us with flag 0, as an example of the format:

FLAG0







[1] FLAG1:c2833ac9c2599c4e4cf26b5fdfc9ffe8 (5 points)

We found this flag by reviewing the linkedin profile that @userjack43 tweeted here: https://twitter.com/userjack43/status/1123245845783162880

[2] FLAG2:48aeebf0a3d4bb9ea51c7a47f9911998 (5 points)

Here was my first contribution to the score board. I found flag 2 by hunting down twitter accounts relating to encomtech.net and this tweet stuck out:

https://twitter.com/userjack43/status/1122961168761544705







[3] FLAG3:60fc85f8941befeb75e2a83271067574 (10 points)

I found flag 3 by searching github for "encomtech" which returned the following account:

https://github.com/encomtech

I manually reviewed the files in the NEST repository and found flag 3 in the wargames.sh file ( https://github.com/encomtech/NEST/blob/master/wargames.sh ) where the flag was present as a comment in the script.

[4] FLAG4 - NOT SOLVED (15 points)

No teams found flag 4. This was because the file that was supposed to have the flag did not actually have the flag in it. During the CTF close-out presentation, they said it was in the document properties of one of the files found under /trace. I know that I checked for that very thing, and I've heard other teams say that they did as well. We all assumed they uploaded the wrong file, which was sort of confirmed: the file with the flag was uploaded but not copied over to /var/www. It doesn't really matter, because none of us getting it is the same as all of us getting it.

[5] FLAG5:f0714505322f3367bdb306505ccb954e (5 points)

This flag was submitted early on by another teammate who simply provided the following link:

http://www.encomtech.net/images/slide_8.txt

I ended up finding this as well by running nikto against www.encomtech.net which returned a directory listing for the /images directory. "slide_8.txt" looked interesting and it contained the flag.

[6] FLAG6:31a2066a8182b6f99a17df370c4baaf4 (10 points)

I found flag 6 at http://www.encomtech.net/report/TPS_Report_216.txt by running dirb against encomtech.net. Dirb found the /report directory and I manually reviewed the directory listing's contents. Though multiple TPS reports were listed, only one didn't have a file size of 103K.
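The "one file whose size doesn't match the rest" triage above is easy to automate when you are reviewing an exposed directory listing during an audit. The following is an added example, not code from the original post: it parses Apache-style index lines (the sample listing is constructed; file names, dates and sizes are made up to mirror the TPS report story) and returns the files whose size differs from the most common size in the listing.

```python
import re
from collections import Counter

# Constructed Apache-style "Index of /report" lines (not the real listing).
SAMPLE_LISTING = """\
TPS_Report_201.txt   2019-04-20 09:12  103K
TPS_Report_202.txt   2019-04-20 09:12  103K
TPS_Report_216.txt   2019-04-21 14:03  1.2K
TPS_Report_230.txt   2019-04-20 09:12  103K
"""

# Apache's human-readable size suffixes.
SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# name, "YYYY-MM-DD HH:MM", numeric size, optional unit suffix
LISTING_LINE = re.compile(
    r"^(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d.]+)([KMG]?)$"
)


def parse_listing(text):
    """Return (filename, size_in_bytes) tuples for every parsable listing line."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line.strip())
        if not m:
            continue  # header rows, separators, parent-directory links
        name, _timestamp, number, unit = m.groups()
        entries.append((name, int(float(number) * SIZE_UNITS[unit])))
    return entries


def size_outliers(entries):
    """Files whose size differs from the modal size of the listing.

    In a directory of templated reports the modal size is the template;
    anything else is worth a manual look.
    """
    if not entries:
        return []
    modal_size, _count = Counter(size for _, size in entries).most_common(1)[0]
    return [name for name, size in entries if size != modal_size]


if __name__ == "__main__":
    for name in size_outliers(parse_listing(SAMPLE_LISTING)):
        print("review:", name)
```

The modal-size heuristic only makes sense for listings of near-identical files; on a mixed directory, sort by size and review the extremes instead.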





Physical

FLAG12

FLAG9

Example Locker Lock





Using the digits from the previously obtained flags (zoom in on the picture of FLAG12 to see what I'm referring to) we were able to determine the combination for these two lockers and pulled out flags 11 and 14 (15 points each).





This was my favorite part of the CTF. I've never encountered physical challenges during one before and I hope this becomes a trend.



On to the netpen challenges!

Netpen

I'm calling this section "netpen" even though there weren't really any technical exploits like ms17-010, SQLi, etc.





Initially, we had no way into the target network. So, we assumed we had to phish someone that we discovered during the OSINT portion of the CTF to get our initial access.





Part of my process during initial recon activities is to build inventories of things that I care about, such as users to validate and target. I used the Welcome Thrillhouse Group "sock" account to email everyone that I discovered during OSINT with the following message to see if anyone had an out-of-office response configured:



Greetings ENCOM employee!



ENCOM and the Welcome Thrillhouse Group is excited to announce our partnership to provide perks at work for all ENCOM employees!



Please be on the lookout for your first "perk at work!"



We look forward to serving you!



Thanks,

Milhouse



Then, once we had our team server up and running, we followed up with another email to our targets that read:

Greetings ENCOM Employee,



In order to register you for the new Perks at Work program please click this link and run the Request For Info program:



http://x.x.x.x/EncomTech/RequestForInfo.exe



Thanks,

Milhouse









This gave us our first session.

[18] FLAG18: Not Logged (30 points)

Obtained from the PROD-DS Server



[19] FLAG19:a50e2686a3cd01bffcdfbd87a4af72c3 (25 points)

Obtained from the PROD-FS Server by performing a recursive search:





FLAG19

[21] FLAG21:33db243c7e8de9c179cd55ed85b94f3b (15 points)

Obtained from the PROD-DC:

[*] Tasked beacon to run: Get-DomainComputer -Properties name,description,comment -Domain prod.encomtech.net | fl (unmanaged)
[+] host called home, sent: 133715 bytes
[+] received output:
name : WIN-C6D4E3VT1G4

name : PROD-FS1

name : PROD-FS2

name : PROD-SQL2

name : PROD-SQL

name : SHAREPOINT

name : WEBSERVER1
description : FLAG21:33db243c7e8de9c179cd55ed85b94f3b

name : WEBSERVER2

<snip>



[22] FLAG22:f7af229aaa3cf9a36d2c4004e6606b87 (15 points)

Flag 22 was found by enumerating the description field of all users pulled from the DEV-DC.
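Flags 3, 21 and 22 all came from the same class of mistake: a secret left in metadata that is readable by anyone who can query the object (a comment in a committed script, the description or comment attribute of a computer or user object). The following is an added example, not code from the original post, of the audit a defender would run over the same data: it parses Format-List (fl) output of the shape shown above into records and scans the description/comment fields, and scans the comment lines of a shell script, for flag-style tokens and password-like fragments. Both inputs are constructed samples; the names and values are made up.

```python
import re

# What an audit should never find in free-text metadata: a CTF-style flag
# token, or a password-like key/value fragment. Extend as needed.
SECRET_PATTERNS = [
    ("flag-token", re.compile(r"\bFLAG\d+:[0-9a-f]{32}\b")),
    ("password-like", re.compile(r"\b(?:pw|pwd|pass|password)\s*[:=]\s*\S+", re.I)),
]

# One "key : value" line of PowerShell Format-List output.
FL_LINE = re.compile(r"^(\w+)\s*:\s*(.*)$")

# Constructed sample in the fl layout emitted by Get-DomainComputer /
# Get-DomainUser (hostnames, account and values are made up).
SAMPLE_FL_OUTPUT = """\
name        : WIN-C6D4E3VT1G4

name        : PROD-FS1
description : File server, contact helpdesk

name        : WEBSERVER1
description : FLAG99:deadbeefdeadbeefdeadbeefdeadbeef

name        : svc_backup
description : pw: Summ3r2019! (temp)
comment     : rotate after migration
"""

# Constructed sample script with a flag token left in a comment.
SAMPLE_SCRIPT = """\
#!/bin/sh
# wargames launcher (constructed sample)
# FLAG98:0123456789abcdef0123456789abcdef
echo "Shall we play a game?"
"""


def parse_format_list(text):
    """Split fl output into one dict per object; records are blank-line separated."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = FL_LINE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def scan_values(label, fields):
    """Return (label, field, pattern_name, matched_text) for every hit."""
    hits = []
    for field, value in fields:
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(value)
            if m:
                hits.append((label, field, kind, m.group(0)))
    return hits


def audit_ad_descriptions(fl_text, fields=("description", "comment")):
    """Scan free-text attributes of every object in Format-List output."""
    hits = []
    for record in parse_format_list(fl_text):
        name = record.get("name", "<unnamed>")
        hits.extend(scan_values(name, [(f, record[f]) for f in fields if f in record]))
    return hits


def audit_script_comments(script_text):
    """Scan '#' comment lines (shebang excluded) of a shell script."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") and not stripped.startswith("#!"):
            hits.extend(scan_values(f"line {lineno}", [("comment", stripped)]))
    return hits


if __name__ == "__main__":
    for hit in audit_ad_descriptions(SAMPLE_FL_OUTPUT) + audit_script_comments(SAMPLE_SCRIPT):
        print("%s / %s / %s: %s" % hit)
```

In a real environment the fl text would come from a scheduled export of description and comment attributes for all users and computers (these attributes are readable by every authenticated principal by default), and the script scanner would run as a pre-commit or CI check.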



[23] FLAG23: Not Logged (10 points)

Obtained from the DEV-DC, not documented.



[24] FLAG24: Not Logged (10 points)

Not documented.



[25] FLAG25:67cd5d3e502e8ff5c40e2148332d15e9 (5 points)

Flag 25 was on the desktop of the initial access system from our initial phish.



With about an hour and a half of the competition remaining, we were focused on capturing flags 15, 16, and 17. Unfortunately, around this same time the infrastructure ground to a halt.



Shortly after the event, the organizers announced the winners and presented a recap which looked like this:





Attack Path



Our narrative basically follows the same attack path as detailed in the image above.



We phished a user and got a shell on Guard_WSX. Then we found credentials in a clear text file which we reused everywhere.



My memory is a little foggy here, but there was a DNS issue that either made abusing the domain trust extremely difficult, or it was the ability to get domain admin for the DEV domain...either way after a while the organizers provided everyone with the credentials needed to progress the game. We hunted down the flags and various files of interest on every system we could but obviously missed some.



During the physical portion of the competition, we established a shell on WG_WS1 which was supposed to be the only way to SSH into the LinuxSrv to access the NEST database.



Per the access guide we obtained from the file server, we had credentials (also stolen from the file server) to use for the SSH connection from WG_WS1 to LinuxSrv, but they did not work. While we were working on our credential issue, the infrastructure stopped responding, thus ending the game.



In the end, we came in third:



Final Scores

For an 8-hour CTF, I thought this was very well done. Nobody trounced it and nobody really faltered. I can't wait for next year's and I hope to bring more to the table when it comes to using Cobalt Strike.


