DakotaCon 2016: Talks, Training, and CTF

April 09, 2016

Last week I was lucky enough to visit DakotaCon, the security conference known for being in the middle of a cornfield! I wouldn’t be honest if I said I wasn’t a bit skeptical when I first found out about it, but boy was I wrong. DakotaCon was able to bring in some of the biggest hitters in the information security community for both talks and trainings. The talks were held on Friday, and the two-day training was on Saturday and Sunday. The cherry on top of the whole weekend was the ongoing jeopardy-style CTF. This blog post will contain my remarks on the various talks I attended, a recap of the training I received, and some write-ups of the CTF challenges I was able to solve.

Talks
Red vs. Blue Techniques training with @HackingDave and @Ben0xA
CTF Write-Ups


Talks

[Screenshot: talk tracks]

The conference had two speaking tracks running simultaneously. I stayed in Track 1, seen here on the right. Up first was Dave Kennedy’s (@HackingDave) talk. Dave talked about how he got his start in information security and some of the things he learned along the way. He insisted upon positivity and spoke out against the competitive and egotistical tendencies of the information security community. This resonated with me. I know I have seen and been guilty of this. If we, as a community, are trying to actually make the world’s security posture better, we should be working together and bringing each other up, not putting each other down. (I guess I’m a cyber hippie!)

Afterwards, Eric Smith (@InfoSecMafia) paralleled the ancient Roman philosopher Cicero’s “6 mistakes of man” to the security consulting industry. This talk was really thought provoking and highlighted a lot of pitfalls the security community gets tripped up on, as well as how to overcome them. If you have a second, give the “6 mistakes of man” a read! Next up, Rob Fuller (@Mubix) took the stage. He had given his talk at previous events and it can be viewed here. He basically outlined some different defense techniques that will scare the hell out of attackers. At this point, my friends and I left for lunch, so we did not get to see Senator Mike Rounds speak, but we were back in time for Michael Iedema (@iedemam)! He talked about how usability and security are typically seen as opposites. He advocated that finding their intersection is difficult, but that the best type of security is usable security. This makes sense: if a security solution is difficult and makes a user’s life more difficult, they are going to try and circumvent it.

The last talk of the day was by John Strand (@strandjs). More correctly, I should say the last two talks of the day were from John. The previous speaker finished ~20 minutes early, so he opened some AV bypass slides he had to spare and started talking. It was awesome. If you have the opportunity to see John Strand talk, I highly recommend it. He is not only knowledgeable, but is so passionate about security. His actual talk covered SDR hacking, a VPN 0-day, some remote exploits, and a touch of defense (also free BHIS shirts delivered via the air with pelting speed by his son).

Red vs. Blue Techniques

There were a few different training options. I decided to take the Red vs. Blue Techniques with Dave Kennedy and Ben Ten. This course was phenomenal. The course covered the life cycle of a typical attack: reconnaissance, exploitation, and post-exploitation. My favorite thing about this course was how Dave and Ben kept it dynamic. They did an amazing job following the flow and interest of attendees. The thing I found most beneficial was simply having two experienced, knowledgeable experts in the room. Normally when I get confused or interested about a security topic, I have to find relevant materials and read until my eyes hurt. It was amazing to have the personnel in the room that could not only spare me the reading, but could expand and provide more insight. I’m not going to dive into the specific topics and details, but I will mention two new tools the course brought to my attention: CrackMapExec and Unicorn. If you haven’t heard of them, they are definitely worth a look. Shout out to @HackingDave and @Ben0xA for the awesome training!


CTF Write-Ups

As previously mentioned, the CTF took place throughout the weekend. This meant that there was very little time to dig too deep into it. However, I found some time between talks and in the evening on Friday to work on it a bit. Originally, I naively thought I would come back to my hotel after training and work on it. But the reality was that after drinking from the security knowledge firehose provided by Dave and Ben, the only thing I wanted to do when I got to my hotel was sleep!

Samuel’s Code #1 | Misc. 100

[Screenshot: challenge description]

Between the description and file format, I had a pretty good hunch this was going to be morse code. Upon writing this blog post, I realized the father of morse code was Samuel Morse. Therefore, the title itself was a hint as well. Sure enough, after downloading the mp3, I found this was a morse code challenge. In the past I have had issues with morse decoding tools, so once I saw how short the message was, I decided to decode it by hand. Upon first listen, there was no way I could distinguish between “long” and “short” tones. I decided to use everyone’s favorite audio program Audacity to help distinguish the tones. Luckily, Kali Linux has a package for Audacity, so the install was easy.

I then opened the mp3 with Audacity. From here, distinguishing “long” and “short” tones visually was cake. Additionally, seeing the separation between letters and words was also easy.

[Screenshot: the mp3 waveform in Audacity]

Now using a morse code tree like the one below, I could follow along and decode the message. Dash = “long”. Dot = “short”.

[Image: morse code tree]

The message was “resolute yoke broken kittens”, which ended up being the flag.
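The same decode, scripted, as an added example that is not part of the original write-up: the tone and silence durations you would read off the Audacity waveform are classified as dot/dash and letter/word gaps by comparing them against the shortest tone (the dot), and each letter is then walked down a binary tree built from the morse table, exactly as with the paper chart. The timing thresholds (2 and 5 dot-units) and the jittered sample signal are my own assumptions; the sample is constructed here so the script runs offline.

```python
import random

# International morse for the letters; the tree below is built from this table.
MORSE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
    'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..',
}


def build_tree():
    """Binary tree like the printed chart: '.' steps one way, '-' the other."""
    root = {}
    for letter, code in MORSE.items():
        node = root
        for sym in code:
            node = node.setdefault(sym, {})
        node['letter'] = letter
    return root


TREE = build_tree()


def lookup(code):
    """Walk the tree for one dot/dash sequence; '?' if it leads nowhere."""
    node = TREE
    for sym in code:
        node = node.get(sym)
        if node is None:
            return '?'
    return node.get('letter', '?')


def decode_timing(pairs):
    """Decode a list of (tone_seconds, silence_seconds) pairs, one per element.

    Assumed thresholds: the shortest tone is a dot (1 unit); tones shorter than
    2 units are dots, longer are dashes; a silence of 2+ units ends a letter and
    5+ units ends a word (nominal spacing is 1 / 3 / 7 units).
    """
    unit = min(tone for tone, _ in pairs)
    words, letters, symbol = [], [], ''
    for tone, gap in pairs:
        symbol += '.' if tone < 2 * unit else '-'
        if gap >= 2 * unit:          # end of letter
            letters.append(lookup(symbol))
            symbol = ''
        if gap >= 5 * unit:          # end of word
            words.append(''.join(letters))
            letters = []
    if symbol:                       # flush the trailing letter/word
        letters.append(lookup(symbol))
    if letters:
        words.append(''.join(letters))
    return ' '.join(words).lower()


def to_timing(text, unit=0.06, jitter=0.1, seed=2016):
    """Constructed sample signal: key `text` with a little hand-keying wobble."""
    rng = random.Random(seed)
    wobble = lambda x: x * rng.uniform(1 - jitter, 1 + jitter)
    pairs, words = [], text.upper().split()
    for wi, word in enumerate(words):
        for li, letter in enumerate(word):
            code = MORSE[letter]
            for si, sym in enumerate(code):
                tone = unit if sym == '.' else 3 * unit
                if si < len(code) - 1:
                    gap = unit            # between elements of one letter
                elif li < len(word) - 1:
                    gap = 3 * unit        # between letters
                elif wi < len(words) - 1:
                    gap = 7 * unit        # between words
                else:
                    gap = 0.0             # end of transmission
                pairs.append((wobble(tone), wobble(gap)))
    return pairs


if __name__ == '__main__':
    signal = to_timing('resolute yoke broken kittens')
    print(decode_timing(signal))
```

Measuring from the shortest tone rather than from a fixed number of milliseconds is what makes this tolerant of an unknown keying speed, which is the same reason the visual comparison in Audacity worked without knowing the speed in advance.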


Spambots Can’t Solve This | Misc. 200

[Screenshot: challenge description]

Next up was a pcap challenge. I fired up Wireshark and followed the only available TCP stream in the pcap (outside of a DNS lookup). The stream was unencrypted HTTP GETs and responses. Before jumping into any advanced analysis with scapy, I always cheat and see what NetworkMiner finds. NetworkMiner is great for extracting files out of pcaps and is developed in .NET for Windows. However, you can run NetworkMiner on Linux using Mono, an open source implementation of the .NET framework. Kali Linux has a Mono package, so again, install was easy:

From here, I downloaded NetworkMiner and then ran it using Mono:

NetworkMiner was able to pull out some HTML, CSS, and a JPG image.

[Screenshot: files extracted by NetworkMiner]

The image wouldn’t open. After checking the magic bytes, I learned it wasn’t a JPG, but a PNG. I changed the extension and bingo. Here is the flag:

[Image: the flag]


Layered Defense | Coding 400

[Screenshot: challenge description]

The description linked to a Wikipedia article about Matryoshka dolls. I wasn’t quite sure what was going on until I downloaded the ZIP and extracted the file, at which point I was greeted with this file:

It appears that the flag was encapsulated with various compression tools and encodings. I assumed the outermost “xor8d” meant to XOR the bytes with hex “8d”. I wrote some python to test my theory:

I then ran a “file” command on the output file to see what it thought the file was. It suggested the file was a gzip, which just so happened to be what the next extension was. My theory was correct. I admittedly did the rest of the decodings and extractions by hand using various tools and python. Upon extracting “flag.zip”, I was presented with another file with a long list of encapsulated compressions and encodings. Wan wan waaan. But it makes sense; it wouldn’t be a coding challenge if it could be done by hand. Luckily, outside of the XOR, all the encodings and compressions had command line tools. So I wrote a recursive python script to wrap it all! The only tricky part was once the script got to the bottom “flag.zip”. Normally, I manually kept track of the file name, and just removed each extension name after performing the operation. But with the bottom “flag.zip”, the file name of the extracted file was new and had to be preserved in order to extract and decode the next layer. I wrote some regex to grab the outputted file name to take care of this. I ran my script and shortly found out that python has a maximum recursion depth. Who knew?!
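Both steps above, the single-byte XOR test and the extension-driven unwrapper, as an added example in Python that is not the extensionCrusher.py script from the original post. The outermost extension picks the operation (`.xor8d` means XOR with 0x8d; a zip layer takes the next file name from the archive member, the case the write-up had to handle with regex), and layers are peeled in a loop rather than by recursion, so the recursion-depth limit never comes into play. The `.b64` extension name, the `sniff()` stand-in for `file`, and the nested sample archive built at the bottom are my own assumptions, constructed so the script runs offline.

```python
import base64
import gzip
import io
import re
import zipfile

# Leading bytes of the containers we expect, standing in for `file`.
MAGIC = {b'\x1f\x8b': 'gzip', b'PK\x03\x04': 'zip'}


def sniff(data):
    """Guess a container type from its magic bytes ('unknown' if none match)."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return 'unknown'


def xor_bytes(data, key):
    """XOR every byte with a one-byte key via a 256-entry translation table."""
    return data.translate(bytes(i ^ key for i in range(256)))


def unwrap_once(name, data):
    """Strip the outermost layer named by the file extension.

    Returns (inner_name, inner_data), or None when the extension is not a
    known layer (e.g. the final flag.txt), which is the loop's stop condition.
    """
    m = re.search(r'\.([A-Za-z0-9]+)$', name)
    if not m:
        return None
    ext, base = m.group(1).lower(), name[:m.start()]
    xm = re.fullmatch(r'xor([0-9a-f]{2})', ext)
    if xm:                                   # .xor8d -> XOR with 0x8d
        return base, xor_bytes(data, int(xm.group(1), 16))
    if ext == 'gz':
        return base, gzip.decompress(data)
    if ext == 'b64':                         # assumed name for a base64 layer
        return base, base64.b64decode(data)
    if ext == 'zip':
        # The archive member carries the next file name, so take it from the
        # archive instead of deriving it from the outer name.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            inner = zf.namelist()[0]
            return inner, zf.read(inner)
    return None


def crush(name, data):
    """Peel layers iteratively until no known extension is left."""
    depth = 0
    while True:
        step = unwrap_once(name, data)
        if step is None:
            return name, data, depth
        name, data = step
        depth += 1


# --- constructed sample (not the challenge file), built so this runs offline --

def wrap_once(name, data, ext):
    """Apply one layer; the inverse of unwrap_once, used only to build the sample."""
    if ext.startswith('xor'):
        return f'{name}.{ext}', xor_bytes(data, int(ext[3:], 16))
    if ext == 'gz':
        return f'{name}.gz', gzip.compress(data)
    if ext == 'b64':
        return f'{name}.b64', base64.b64encode(data)
    if ext == 'zip':
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        return 'flag.zip', buf.getvalue()      # new name, as in the challenge
    raise ValueError(f'unknown layer {ext}')


def build_sample(flag, layers):
    name, data = 'flag.txt', flag
    for ext in layers:                         # innermost layer first
        name, data = wrap_once(name, data, ext)
    return name, data


def demo():
    # 1207 layers, past CPython's default recursion limit of 1000; the flag
    # text is made up.
    layers = (['b64', 'gz', 'xor8d', 'zip'] + ['xor1f', 'gz'] * 600
              + ['zip', 'gz', 'xor8d'])
    name, data = build_sample(b'sample flag words\n', layers)
    # The hand test from the write-up: peel the XOR, then ask what it looks like.
    inner_name, inner_data = unwrap_once(name, data)
    print(f'{name} -> {inner_name}: looks like {sniff(inner_data)}')
    final_name, final_data, depth = crush(name, data)
    print(f'{final_name} after {depth} layers: {final_data!r}')
    return final_name, final_data, depth


if __name__ == '__main__':
    demo()
```

Running it prints the gzip guess for the first peeled layer and then the recovered `flag.txt` contents after all 1207 layers; because the loop carries the file name as plain state instead of a call stack, adding another thousand layers changes nothing but the run time.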

[Screenshot: the maximum recursion depth error]

My lazy hacker way to fix this was to just figure out where the script left off and then start the script over with that as the base. I called my script extensionCrusher.py and it can be found on my GitHub. Here is a video of it in action:

Once the script hits the bottom text flag, it stops executing because there’s no file extension to tell it what to do.

[Screenshot: script output ending in the flag]

As seen above, the flag was “throne move mixed birthday”.


DakotaCon was awesome and I’m excited to see what they have in store for next year!
Thanks for reading!