EPISODE ONE: THE CTF AWAKENS

Each and every December, some of the best and brightest hackers from around the world travel to Washington D.C. for the NetWars Tournament of Champions. Champion golfers may have their prestigious green sportscoats, but NetWars champions receive the coveted black hoodie.

Bishop Fox's Kelly Albrink competed at the NetWars Tournament of Champions in 2017

Some golfer in his green jacket, me in my hoodie

Who am I?

Let’s start with the basics: I am a Security Analyst at Bishop Fox. Here, I specialize in network penetration testing and social engineering. Last year, I was lucky enough to be one of the 24 women chosen to participate in the SANS Women’s Immersion Academy 2017, which gave me the chance to compete at SANS Rocky Mountain NetWars. While I’m relatively new to infosec (and self-taught at that), the Women’s Academy allowed me to formalize my knowledge through their top-notch training programs.

I could not be prouder to be a part of this group of impressive and talented women. After winning my challenge coin at Rocky Mountain NetWars, I started planning for the Tournament of Champions.

Wait, What is NetWars?

NetWars is a capture the flag (CTF) tournament organized by SANS that takes place at SANS conferences around the world. Players compete over two nights in five levels of infosec challenges in categories like forensics, malware analysis, webapp, and network hacking, hoping to earn a place in the fifth level where players attack and defend digital targets. The top champions of NetWars regional tournaments are awarded the NetWars challenge coin and invited to the Tournament of Champions in Washington, D.C. each December.

Insert Training Montage

Before heading to the tournament, I asked my fellow Foxes for their best CTF tips. I was touched and overwhelmed with the support I received from the team. Loaded up with tools and techniques from some of the brilliant minds at Bishop Fox, I was ready to play at the Tournament of Champions. Here are some of the things they shared with me:

Bring your answers from the qualifying tournament. You may (by some twist of fate) be presented with some of the same challenges (and answers) that you encountered in the regional tournament.

Read up on previous CTF walkthroughs. SANS 2016 Holiday Hack had some great write-ups, and the challenges are from the same creators of the NetWars Core CTF.

Check out pwntools, the Python CTF framework for rapid exploit prototyping. (Documentation: http://docs.pwntools.com/en/stable/index.html / GitHub: https://github.com/Gallopsled/pwntools)

Stalk the Twitter accounts of SANS instructors and NetWars creators (like @edskoudis and @jeffmcjunkin) for posts on recent vulnerabilities. Then, research how you can exploit them. SANS loves to include the latest and greatest vulns in their challenges.

Finally, get your hands on the latest SANS pen testing poster! It will provide some scripts and tips that will come in handy.

Game Time

This year, 300 competitors packed into the conference room at the D.C. Hilton to play in Core NetWars 5. While I’ve played in lots of online CTF tournaments, nothing can come close to the energy and excitement of playing in person at a NetWars tournament. People rushed to stake out their favorite seats, assemble giant plates of nachos, and socially engineer extra drink tickets for their teams. The amount of raw talent in the room can be intimidating, but I was lucky to join a five-person veteran team with fellow Women’s Academy graduate, Kat Sweet from Duo Security. This year’s tournament was “Star Wars” themed, so our team name was “HanShotFirst.” Competitors played as members of the Rebel Alliance working hard to infiltrate the Empire’s network and blow up the Death Star.

After a brief welcome from tournament organizers Ed Skoudis and Jeff McJunkin, the music started, the scoreboard loaded, and the competition was on! For veterans (players who played in Core NetWars 5 for their qualifying tournament and not Core NetWars 4), the early part of the game is a race to see who can enter their previous answers the fastest. Teams that can reach Level 5 first can set up their defenses and gain a competitive advantage in the attack/defend round. While furiously copying and pasting flags into the scoreboard system, our team quickly realized some other teams had scripted this part for an extra competitive advantage.

With the answers that our team had saved from the qualifying tournament, we quickly gained access to Level 3 where the real competition would begin. I found myself registering for training as a lowly Storm Trooper on the Death Star’s internal network. Web application challenges tested our ability to exploit common vulnerabilities such as cross-site scripting (XSS), SQL injection, and broken session management. Players could also answer “Star Wars” trivia questions, like “Which species stole the plans to the Death Star?” to unlock hints for challenges.

For two straight nights, everyone furiously clacked away at their keyboards, furrowing their brows when challenges had them stumped and high-fiving when new flags were found. On the tail end of the second night, Jeff McJunkin asked for everyone to stop hacking and take a moment to witness history being made.

“Ladies and gentlemen, we have a first tonight. One team has managed to do what no NetWars Core 5 team has ever done before. Please direct your attention to the front.”

Across the room, 300 faces looked up from their screens to see the Death Star projected on the scoreboards.

Someone from the crowd yelled, “That’s no moon!” to a roar of laughter.

Then, the magic happened. With a blast that was clearly rigged with backyard special effects and probably some illegal fireworks, the Death Star* exploded to thunderous applause.

All Good Things Must Come to an End

The NetWars tournament always ends the same way. For the final 30 minutes, NetWars organizers turn off the scoreboard so there’s some mystery as to who will end up on top. Last-minute flags can be all that stands between victory and defeat. For the closing five minutes of gameplay, the traditional song “The Final Countdown” by Europe (yes) is played.

While my team didn’t win the tournament, I had a great time meeting other infosec professionals and swapping techniques. I learned so many new things to take back to work with me and developed some lasting friendships. I am incredibly grateful for the support of everyone at Bishop Fox and the SANS Women’s Academy during this experience.

Hopefully, I’ll be back to compete next year … with some new tricks up my sleeve.

*To learn how network segmentation COULD have saved the Death Star, please read this blog post from Fran Brown.

Kelly Albrink (OSCP) is a Security Analyst at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, she focuses on network penetration testing and social engineering. Kelly was a 2017 recipient of the SANS CyberTalent Immersion Academy scholarship.