Monday, October 21, 2013

BSidesDC 2013 WiFi CTF - Challenge write-ups


We solved 5 of the 9 challenges in this obstacle-course-style competition, taking fourth place. Only 8 of the 9 challenges were fully solvable; the remaining one was bugged. Overall, while the challenges weren't complex, the clues themselves were often more confusing than the challenges, but we had a lot of fun thanks to the uniqueness of this competition.

My only complaint was that, for a conference which had two competitions running, the room was very small. This likely discouraged quite a few people from participating.

The one bugged challenge (#4) was supposed to be a simple WPS cracking exercise. However, it seems that WPS wasn't designed to be cracked by a room full of attackers: most access points lock or rate-limit WPS after a run of failed PIN attempts, and at one point the organizers asked who in the room was running reaver against it and at least five of us, including myself, raised our hands. Since WPS wasn't working as expected, they did give us the clue that the WPA password was 8 hex characters, which made me create two new character sets for John the Ripper (yay!).
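As an added example (not the author's John the Ripper character sets or any tooling from the post), here is how I would turn that hint into a candidate stream for a cracker that accepts a wordlist on stdin, such as aircrack-ng with `-w -`. The case choice, the capture file name and the BSSID in the usage line are placeholders; the "mixed" alphabet is included only to show how much a case-insensitive reading of the hint widens the keyspace.

```python
"""Generate the candidate keyspace implied by the hint "the WPA password is 8 hex characters".

Constructed example, not the author's or the organizers' tooling. Usage (file name and
BSSID are placeholders):
    python3 hexpsk.py lower | aircrack-ng -w - -b 00:11:22:33:44:55 handshake.cap
"""
import itertools
import sys

# A WPA/WPA2 passphrase must be 8 to 63 printable ASCII characters, so an
# "8 hex character" PSK is the shortest passphrase the standard allows.
HEX_LOWER = "0123456789abcdef"
HEX_UPPER = "0123456789ABCDEF"
HEX_MIXED = "0123456789abcdefABCDEF"
ALPHABETS = {"lower": HEX_LOWER, "upper": HEX_UPPER, "mixed": HEX_MIXED}
PSK_LEN = 8


def keyspace_size(case="lower", length=PSK_LEN):
    """Number of candidates for the chosen alphabet (16**8 for single-case hex)."""
    return len(ALPHABETS[case]) ** length


def estimate_hours(case="lower", keys_per_second=1000.0):
    """Worst-case wall time at a given rate; the rate is an assumption you plug in."""
    return keyspace_size(case) / keys_per_second / 3600.0


def candidates(case="lower", length=PSK_LEN):
    """Lazily yield every candidate in lexicographic order; never materialise the list."""
    for chars in itertools.product(ALPHABETS[case], repeat=length):
        yield "".join(chars)


def head(n, case="lower", length=PSK_LEN):
    """First n candidates as a list (handy for sanity checks)."""
    return list(itertools.islice(candidates(case, length), n))


def is_consistent_with_hint(candidate, case="lower"):
    """Filter an existing wordlist down to the entries that could match the hint."""
    return len(candidate) == PSK_LEN and all(c in ALPHABETS[case] for c in candidate)


def stream(out, case="lower", length=PSK_LEN, chunk=100_000):
    """Write candidates to `out` in large chunks so the cracker is never starved by tiny writes."""
    total, buf = 0, []
    for cand in candidates(case, length):
        buf.append(cand)
        if len(buf) >= chunk:
            out.write("\n".join(buf) + "\n")
            total += len(buf)
            buf = []
    if buf:
        out.write("\n".join(buf) + "\n")
        total += len(buf)
    return total


if __name__ == "__main__":
    which = sys.argv[1] if len(sys.argv) > 1 else "lower"
    sys.stderr.write("%s: %d candidates, ~%.1f h at 1000 keys/s\n"
                     % (which, keyspace_size(which), estimate_hours(which)))
    stream(sys.stdout, which)
```

Single-case hex is 16^8, about 4.3 billion candidates, which is why the hint changes the job from a dictionary attack into a feasible mask-style brute force; running the lowercase and uppercase alphabets separately (the author's two character sets) is far cheaper than one mixed-case run of 22^8.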

In the future it would be interesting to see a Wi-Fi fox hunt and some client-side challenges.

Challenge 1 - Welcome to the TerrorDome

This was an open access point, so there was no challenge at all in getting the key, except for one slight trick. Apparently someone (I have my suspicions) was spoofing look-alike ESSIDs: instead of BSSIDesWCTF1, people were being tricked into attaching to BSSIDesWCFT1, which had a server hosting a bogus key.
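The trick above is a look-alike SSID, and it is cheap to catch before associating: compare every ESSID in the scan against the one you were told to join and lock your tools onto a single BSSID. The following is an added example, not code from the post; the scan rows, BSSIDs and channels are constructed, and only the two ESSID strings come from the write-up. In practice you would feed it the rows of an airodump-ng CSV or an `iw dev wlan0 scan` listing.

```python
"""Flag look-alike and duplicated ESSIDs in a Wi-Fi scan (constructed example)."""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_essids(scan, expected, max_distance=2):
    """Networks whose ESSID is close to, but not exactly, the one we were told to join.

    Comparison is case-insensitive so a lower-cased copy of the name is flagged too.
    Returns (distance, bssid, essid, channel) tuples, nearest first.
    """
    hits = []
    for bssid, essid, channel in scan:
        if essid == expected:
            continue
        d = levenshtein(essid.lower(), expected.lower())
        if d <= max_distance:
            hits.append((d, bssid, essid, channel))
    return sorted(hits)


def evil_twins(scan):
    """ESSIDs advertised by more than one BSSID (could be legitimate roaming, could be a rogue AP)."""
    by_essid = {}
    for bssid, essid, _channel in scan:
        by_essid.setdefault(essid, set()).add(bssid)
    return {essid: sorted(b) for essid, b in by_essid.items() if len(b) > 1}


def verify_target(scan, expected):
    """Return the one BSSID to pin your tools to (e.g. airodump-ng --bssid), or raise if ambiguous."""
    exact = sorted({bssid for bssid, essid, _ in scan if essid == expected})
    if len(exact) != 1:
        raise ValueError("expected exactly one BSSID for %r, found %r" % (expected, exact))
    return exact[0]


# Constructed scan table: (BSSID, ESSID, channel). MACs are made-up, locally administered ones.
SAMPLE_SCAN = [
    ("02:00:00:00:00:01", "BSSIDesWCTF1", 6),
    ("02:00:00:00:00:02", "BSSIDesWCFT1", 6),    # the transposed-letters spoof from the post
    ("02:00:00:00:00:03", "BSSIDesWCTF3", 11),   # a legitimate sibling, one character away
    ("02:00:00:00:00:06", "bssideswctf1", 6),    # same name, different case
    ("02:00:00:00:00:04", "CoffeeShop", 1),
    ("02:00:00:00:00:05", "CoffeeShop", 11),
]
```

Numbered sibling networks land in the look-alike list as well (distance 1 here), which is expected: the output is a short list of names to eyeball, and the thing that actually protects you is pinning every subsequent tool to the BSSID returned by `verify_target`.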

Challenge 3 - Home Invasion

This was a simple WPA cracking exercise. The only hiccup was a word collision. While performing a dictionary attack, 'Cnidaria' was reported as the correct password, but this key didn't work. Curiously, team JennyJenny had discovered exactly the same result. The white team said we had probably cracked a spoofed AP, but after confirming the BSSID of the station, I figured this was not the case.

I removed Cnidaria from my dictionary ('grep -v Cnidaria web2 > web3') and proceeded to crack again, this time obtaining the legitimate key 'Lucernariidae'. Even curiouser, Lucernariidae is a member of the phylum Cnidaria, so perhaps the white team wasn't giving us the full story...

Challenge 5 - WEP used to be easy

Odd, it was still easy. The WEP key was 1234567890.

Challenge 6 - From Phil to #52

At this point it seemed the white team was running out of ideas. This was another open wifi network, but the trick here was to sniff the traffic and look for "something odd." Personally I was hoping the clue would be in the SSDP announcements, but it turned out to be in the data section of some ICMP echo replies.
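Data hidden in echo replies is easy to miss in a busy capture because every ping carries a data section. What you want is a filter that knows what normal ping padding looks like and shows you only the replies that deviate from it. The script below is an added example, not code from the post: it walks an in-memory pcap (Ethernet link type) and reports echo replies whose payload is neither Linux ping padding (8-byte timestamp followed by 0x10, 0x11, ...) nor Windows ping padding ("abcdefghijklmnopqrstuvw" repeating). The sample capture, its addresses, MACs and payload strings are all constructed.

```python
"""Find ICMP echo replies whose data section is not ordinary ping padding (constructed example)."""
import struct

ETH_P_IP = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
PCAP_MAGIC_LE = 0xA1B2C3D4


def pcap_frames(data):
    """Yield raw frames from a classic pcap held in memory (24-byte global header, 16-byte record headers)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_icmp(frame):
    """Return (src, dst, icmp_type, payload) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    icmp = ip[ihl:]
    return src, dst, icmp[0], icmp[8:]          # skip type, code, checksum, identifier, sequence


def is_standard_ping_padding(payload):
    """True if the data section is what stock Linux ping or Windows ping.exe would send."""
    linux = len(payload) >= 16 and all(b == (0x10 + i) & 0xFF for i, b in enumerate(payload[8:]))
    windows = len(payload) > 0 and all(b == ord("a") + i % 23 for i, b in enumerate(payload))
    return linux or windows


def odd_echo_replies(pcap_bytes):
    """(src, payload) for every echo reply carrying something other than ping padding."""
    odd = []
    for frame in pcap_frames(pcap_bytes):
        parsed = parse_icmp(frame)
        if parsed and parsed[2] == ICMP_ECHO_REPLY and not is_standard_ping_padding(parsed[3]):
            odd.append((parsed[0], parsed[3]))
    return odd


# --- build a constructed capture so the script runs offline -------------------
def _checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def _echo_reply(src, dst, payload, seq=1):
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, IPPROTO_ICMP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETH_P_IP)
    return eth + ip + icmp


def _pcap(frames):
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1382400000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


LINUX_PAD = b"\x00" * 8 + bytes(range(0x10, 0x38))            # 56 bytes, what Linux `ping` sends
WINDOWS_PAD = bytes(ord("a") + i % 23 for i in range(32))     # 32 bytes, what ping.exe sends
SAMPLE_PCAP = _pcap([                                         # constructed: addresses and text are made up
    _echo_reply("192.0.2.10", "192.0.2.1", LINUX_PAD),
    _echo_reply("192.0.2.11", "192.0.2.1", WINDOWS_PAD),
    _echo_reply("192.0.2.12", "192.0.2.1", b"constructed sample: odd payload"),
])

if __name__ == "__main__":
    for src, payload in odd_echo_replies(SAMPLE_PCAP):
        print(src, payload)
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()`; a capture from a monitor-mode interface will have a radiotap/802.11 link type rather than Ethernet, so decrypt or convert it (for example with airdecap-ng on an open network) before feeding it to this parser.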

Challenge 9 - Cisco is like CycloX

For this one we didn't even have to associate with the access point. Instead we had to sniff the broadcasts (beacon frames) and examine the Cisco Compatible Extensions (CCX) field, a Cisco-specific information element the AP includes in its beacons.

Lessons Learned

Challenge 2 - Michael Ballack found me, can you?
Since Michael Ballack is associated with the number 13, we thought this meant the AP was on channel 13, which is not a permitted channel in the US. We spent time trying to get various cards to work on channel 13, but were unable to. It turned out our assumption was off and it was a non-broadcasting (and completely open) access point on channel 2. Not sure what the clue had to do with anything.
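Both Challenge 9 (reading the Cisco CCX element out of beacons) and Challenge 2 (a non-broadcasting AP) come down to the same task: parsing the tagged information elements of 802.11 management frames without associating. The parser below is an added example, not code from the post. It takes raw beacons and probe responses (no radiotap header) and reports the SSID, whether it is hidden, the channel from the DS Parameter Set element, and Cisco-specific elements. The device-name layout assumed for element ID 133 (10 bytes, a 16-byte NUL-padded name, a client count, 3 bytes) follows how Wireshark dissects that element and is an assumption here; the sample frames, BSSIDs and names are made up.

```python
"""Summarise 802.11 beacons/probe responses: hidden SSIDs, channel, Cisco elements (constructed example)."""
import struct

SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID, IE_DS_PARAMS, IE_CISCO_CCX1, IE_VENDOR = 0, 3, 133, 221
CISCO_OUI = b"\x00\x40\x96"      # Cisco Systems OUI seen in Aironet/CCX vendor-specific elements


def parse_ies(body):
    """Split a tagged-parameter blob into (element_id, value) pairs, stopping at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((eid, value))
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Summarise a beacon or probe response; return None for any other frame."""
    if len(frame) < 36 or (frame[0] & 0x0C) != 0:       # type bits must be 00 = management
        return None
    subtype = frame[0] >> 4
    if subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        return None
    info = {
        "subtype": "beacon" if subtype == SUBTYPE_BEACON else "probe-resp",
        "bssid": ":".join("%02x" % b for b in frame[16:22]),   # addr3
        "ssid": None, "hidden": False, "channel": None,
        "cisco_ap_name": None, "cisco_vendor_ies": [],
    }
    for eid, val in parse_ies(frame[36:]):               # 24-byte MAC header + 12 bytes of fixed params
        if eid == IE_SSID:
            if len(val) == 0 or set(val) == {0}:         # both ways an AP hides its SSID
                info["hidden"] = True
            else:
                info["ssid"] = val.decode("utf-8", "replace")
        elif eid == IE_DS_PARAMS and len(val) >= 1:
            info["channel"] = val[0]
        elif eid == IE_CISCO_CCX1 and len(val) >= 26:    # assumed layout: name at bytes 10..25
            info["cisco_ap_name"] = val[10:26].rstrip(b"\x00").decode("ascii", "replace")
        elif eid == IE_VENDOR and val[:3] == CISCO_OUI and len(val) >= 4:
            info["cisco_vendor_ies"].append((val[3], val[4:].hex()))
    return info


def hidden_networks(frames):
    """Map each hidden BSSID seen in beacons to (channel, SSID leaked by a probe response, if any)."""
    hidden, revealed = {}, {}
    for f in frames:
        info = parse_mgmt_frame(f)
        if info is None:
            continue
        if info["hidden"]:
            hidden[info["bssid"]] = info
        elif info["ssid"]:
            revealed[info["bssid"]] = info["ssid"]
    return {b: (i["channel"], revealed.get(b)) for b, i in hidden.items()}


# --- constructed sample frames -------------------------------------------------
def _ie(eid, value):
    return bytes([eid, len(value)]) + value


def _mgmt_frame(subtype, bssid, ies):
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001)          # timestamp, beacon interval, capabilities (ESS)
    return hdr + fixed + b"".join(ies)


_BSSID = b"\x02\x00\x00\x00\x00\x02"                    # made-up, locally administered
_CCX_NAME = b"\x00" * 10 + b"ap-constructed".ljust(16, b"\x00") + b"\x00" + b"\x00" * 3

# Hidden network on channel 2: zero-length SSID, but the Cisco element still names the AP.
SAMPLE_BEACON = _mgmt_frame(SUBTYPE_BEACON, _BSSID, [
    _ie(IE_SSID, b""),
    _ie(IE_DS_PARAMS, b"\x02"),
    _ie(IE_CISCO_CCX1, _CCX_NAME),
    _ie(IE_VENDOR, CISCO_OUI + b"\x01" + b"\x00\x00"),
])
# The same AP answering a directed probe request: the SSID is in the clear here.
SAMPLE_PROBE_RESP = _mgmt_frame(SUBTYPE_PROBE_RESP, _BSSID, [
    _ie(IE_SSID, b"hidden-net-example"),
    _ie(IE_DS_PARAMS, b"\x02"),
])

if __name__ == "__main__":
    print(parse_mgmt_frame(SAMPLE_BEACON))
    print(hidden_networks([SAMPLE_BEACON, SAMPLE_PROBE_RESP]))
```

The practical point for a non-broadcasting AP is that "hidden" only removes the name from beacons: the channel is still advertised, and the SSID appears in the clear in probe responses and in the probe and association requests of any client that knows it, so sniffing for a while (or waiting for a client to reconnect) is usually enough.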

Challenge 4 - This will WiPS you into shape.
This one should have been a simple WPS cracking exercise, but for some reason it wasn't working for anyone.

Challenge 7 - It's getting hot in herre; turn up the AirConditioner
Another open access point, but in order to connect to it you needed an 802.11ac card, which we didn't have.

Challenge 8 - Welcome Back to DC
Unsure; we didn't have enough time to attempt this one.
