Friday, November 7, 2014

Kaizen @ National Business Park

On Tuesday November 4th, 2014, several of us participated in the Kaizen-CTF. This wasn't quite a Crimson Agent function as it was against the CTF rules for any collaboration, but several of us were present.

The format of the CTF consisted of 18 challenges, most of which were downloaded and required some analysis. Many of the challenges were locked until previous challenges were completed. I felt most of the challenges covered basic tasks. A notable exception was the Android Forensics challenges, which I really enjoyed. In comparison to a CTF such as CSAW, most of these challenges would fall in the 100-200 point range. However, Kaizen-CTF was a three-and-a-half-hour competition, whereas CSAW is 48 hours. This made time management as important as solving the challenges themselves.

Final Scoreboard
As one can see from the scoreboard, I skipped the coding and crypto challenges I felt would be too much of a time-sink. One example was to find a string from a pcap file that matched an MD5 checksum; another involved creating a custom wordlist for John the Ripper (very similar to work I've done here: https://github.com/maetrics/john-scripts). Were I completing these challenges with a team, I would have switched into coder/brute-force mode and let my teammates perform the more manual work.

Though I was carefully managing my time/points, I would eventually lose my hold on third place due to taking a wrong but interesting path. On WebExp 3, the challenge involved getting data from a MySQL database. I unwittingly found my way onto the CTF's Amazon MySQL server, believing it to be the rightful target. I found out after the competition that this turned out to be the infrastructure database. It appears they thought they had prevented players from discovering this, but I had found a way around it. Sadly, no points for unwittingly finding a vulnerability in the CTF, but it was reported.

Me on the right
Overall, I walked away with fifth place out of 40 contestants and another copy of the Red Team Field Manual, and I was the only one to complete the Binary Exploitation challenge. I will not be writing a per-challenge write-up as I normally do, since they re-use these challenges.

My suggestions for future Kaizen CTFs would be, first, more challenges, as it was almost possible to do all the challenges in the limited time. Having twice as many challenges would increase the pressure and give people more routes to score points. Second, Crimson Agents would have loved to play as a team, so a team version would be nice. Lastly, I would like to see Kaizen include challenges that reflect new techniques and research that have come out in recent years.

But don't let these critiques give the impression that we didn't enjoy ourselves or the contest. This was certainly the best way to spend election night. I and others from our team would enjoy doing it again.
