Fortian CyberCon 2019 challenge reflection (Part 1)

Jake Astles, Security Consultant (jacob@fortian.com.au) | Oct 16, 2019

Congratulations to Mattias T for being the first to successfully complete the challenges and winning the Samsung Galaxy Note 10!

AISA CyberCon 2019. Time for another annual Fortian Technical Security Challenge.

As somewhat of a newcomer to Fortian and the CyberCon Conference, I jumped at the opportunity to come up with this year's Technical Security Challenge. I have been in the Capture The Flag (CTF) game for a while now, but always as a player, never as a creator. This was a perfect opportunity to take what I have learned and turn it into something fun that could also help other aspiring ethical hackers and security enthusiasts test their skills and hopefully learn something new.

As someone with a technical background, I knew designing the Challenge would be the hardest part. I spend a lot of my spare time completing CTFs, so I had my own opinion on what makes a good CTF Challenge.

With this in mind, I started off with a few simple principles:

  1. It should not require any guesswork or luck – the Challenge should not rely on someone getting lucky and choosing the right wordlist.
  2. It should have a narrative - a CTF with a story and logical flow is more engaging.
  3. It should be web based and people should be able to complete it using a mobile device.

I’ll go through the first two of these in a bit more detail below.

1. No Guesswork

Firstly, it should not require any guesswork or luck to complete. CTFs that rely solely on the player lucking out with the right wordlist, or stumbling on the right combination of steps, can be frustrating. I wanted something where, if the player knew what they had to do or researched the technologies involved, it would just work. No luck involved.

2. The Narrative

Having a story to the Challenge makes it more engaging for the player. But it also helps tie back to point one. If there is a logical flow and order to the challenges, there is no need to perform any guessing. This is because breaking through one step provides enough clues to lead the player to the next step. I also wanted the story to be something entertaining for all levels. For those new to the security industry I wanted something that would make them think "Surely no one is that incompetent." and for those with experience in the industry I wanted something that would make them facepalm and think "That reminds me of …"

Knowing the target audience was conference attendees, I could not expect people to pull out their laptops, fire up their operating system of choice and start hacking. The CTF had to be made up of challenges that could be completed from a mobile device using web-based tools.

It should also start off easy and get progressively harder. There was a prize on the line after all. The initial goal was three levels of difficulty, each revealing a flag that could be submitted at the Fortian booth. Submitting each flag, with an explanation of how it was obtained, would award a number of tickets based on the difficulty. So the more flags submitted, the higher the chance of winning the prize.

The first attempt at the Challenge did not meet most of these requirements, but I was just developing with no plan or goal and got a bit carried away with the harder flags. These ended up requiring a bit of guesswork and offline tools to complete... Back to the drawing board. The second time around I stopped, planned out and designed the intended user flow, and ensured that all the steps would meet all the requirements.

When planning the Challenge, I decided to design the start and end of the CTF and hope the middle would come to me during the process. The story was simple, yet believable. The first idea involved an incompetent employee leaking information. This was scrapped almost immediately because with Fortian's high standards this story was already unbelievable :). So I went with the classic security game of Red vs Blue. For those unaware, the rules are simple. The Red team are the attackers trying to get in, and the Blue team are the defenders trying to detect and prevent the Red team from getting in.

To start things off, I thought it would be something different to throw in some Open-Source Intelligence (OSINT). Introducing Rancin Mcreedo (https://twitter.com/RMcreedo). Rancin is a nondescript security 'evangelist' who, for about a month or so leading up to AISA, has been learning the basics of cryptography. Rancin also happened to stumble upon an encrypted string he was unable to decipher, so he went to Twitter for help, without realising exactly what he was leaking to the public.

This Challenge was a simple ASCII to Text conversion revealing the URL of the first flag. This page also reveals a basic game of Red Team vs Blue Team within the fictional fsbox organisation, which forms the rest of the narrative for the challenges.

For anyone unfamiliar with the concept, the idea is pretty simple. The Red Team pose as real-world attackers attempting to gain access. The Blue Team are the defenders; they must try to identify and respond to the Red Team and adapt their defences to prevent the Red Team from gaining access.

The medium challenge combines some common methods of encoding data. Used primarily by web applications to encode binary data, Base64 can usually be easily identified and decoded. The challenge here is to recognise that the data is Hex (Base16) encoded. Decoding the first string returns another encoded string, this time Base32 encoded. You probably get the idea (and the doubling hint): decoding the Base32 string returns some Base64. Once fully decoded, the string contains a message from the Red Team on their progress as well as a URL containing the medium flag and something that does not look anything like the previous challenges.
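The peeling described above, as an added example that is not part of the original post: the sample note, the alphabet-based layer detection and the stop conditions are all my own constructions, not the CyberCon string, and it also handles the ambiguity that an all-hex-looking Base64 chunk gets misread as hex.

```python
import base64
import binascii
import re
import string

# Constructed sample (not the CyberCon string): a note wrapped base64 ->
# base32 -> hex, so it peels in the order hex, base32, base64.
NOTE = b"Red Team: foothold on web01, flag at /medium (constructed sample)"
SAMPLE = binascii.hexlify(base64.b32encode(base64.b64encode(NOTE))).decode()

# Tested from the most to the least restrictive alphabet: every hex string is
# also a valid base32/base64 alphabet string, so hex has to be checked first.
LAYERS = [
    ("hex", re.compile(r"^[0-9A-Fa-f]+$"), 2, binascii.unhexlify),
    ("base32", re.compile(r"^[A-Z2-7]+={0,6}$"), 8, base64.b32decode),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+={0,2}$"), 4, base64.b64decode),
]

def identify(s: str):
    """Name the outermost encoding layer from alphabet, padding and length."""
    s = s.strip()
    for name, pattern, block, _ in LAYERS:
        if len(s) % block == 0 and pattern.match(s):
            return name
    return None

def is_printable(data: bytes) -> bool:
    return all(chr(b) in string.printable for b in data)

def peel(s: str, max_layers: int = 10):
    """Strip layers until the payload is unrecognised or stops being text.
    Returns (list of layer names, final payload bytes)."""
    layers, current = [], s.strip()
    for _ in range(max_layers):
        kind = identify(current)
        if kind is None:
            break
        decoder = next(d for n, _, _, d in LAYERS if n == kind)
        try:
            decoded = decoder(current.encode())
        except (binascii.Error, ValueError):
            break
        layers.append(kind)
        if not is_printable(decoded):  # e.g. a hex-looking base64 chunk
            return layers, decoded
        current = decoded.decode()
    return layers, current.encode()
```

A short all-hex-alphabet string such as "ABCD" is reported as hex and its unprintable result returned, which is the cue to try the next candidate layer by hand.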

The final challenge involves identifying an esoteric language called "Ook!". Once identified, any online interpreter produces a note from the Blue Team containing a URL with the final login form. Combining the knowledge uncovered throughout the previous challenges, we are able to log in to the form using the username RedTeam@fsbox.org and the password P4ssW0rd! to obtain the final flag.
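What an Ook! interpreter actually does, as an added example that is not part of the original post: Ook! is Brainfuck spelled as pairs of "Ook" words, so the code below maps each pair to its instruction and runs it on a byte tape; the `SAMPLE` program is my own construction, not the Blue Team note from the challenge.

```python
import re

# Ook! is Brainfuck with each instruction spelled as a pair of "Ook" words.
OOK_TO_OP = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}
OP_TO_OOK = {op: pair for pair, op in OOK_TO_OP.items()}

def parse_ook(src: str) -> str:
    """Translate Ook! source to one-character ops; non-token text is ignored."""
    tokens = re.findall(r"Ook[.?!]", src)
    if len(tokens) % 2:
        raise ValueError("odd number of Ook tokens")
    return "".join(OOK_TO_OP[pair] for pair in zip(tokens[::2], tokens[1::2]))

def to_ook(ops: str) -> str:
    """Inverse of parse_ook, used here only to build the constructed sample."""
    return " ".join(" ".join(OP_TO_OOK[op]) for op in ops)

def run_ops(ops: str, stdin: bytes = b"", tape_len: int = 30000) -> str:
    """Run the ops on a byte tape (cells wrap mod 256) and return the output."""
    jump, stack = {}, []  # matching bracket positions, so loops jump in O(1)
    for i, op in enumerate(ops):
        if op == "[":
            stack.append(i)
        elif op == "]":
            j = stack.pop()  # IndexError here means an unmatched "]"
            jump[i], jump[j] = j, i
    tape, ptr, pc, inp, out = bytearray(tape_len), 0, 0, list(stdin), []
    while pc < len(ops):
        op = ops[pc]
        if op == ">": ptr += 1
        elif op == "<": ptr -= 1
        elif op == "+": tape[ptr] = (tape[ptr] + 1) % 256
        elif op == "-": tape[ptr] = (tape[ptr] - 1) % 256
        elif op == ".": out.append(chr(tape[ptr]))
        elif op == ",": tape[ptr] = inp.pop(0) if inp else 0
        elif op == "[" and tape[ptr] == 0: pc = jump[pc]
        elif op == "]" and tape[ptr] != 0: pc = jump[pc]
        pc += 1
    return "".join(out)

def run_ook(src: str, stdin: bytes = b"") -> str:
    return run_ops(parse_ook(src), stdin)

# Constructed sample (not the challenge's note): 8*10-1 = 79 'O', then 75 'K'.
SAMPLE = to_ook("++++++++[>++++++++++<-]>-.----.")
```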

Creating this challenge gave me a new level of respect for all the CTF creators out there and the time and effort involved in designing and creating a CTF challenge. My next goal is to create a full-blown CTF virtual machine. I think I have found my newest hobby!

Next week I’ll provide some more technical information on how the challenge was set up in AWS.