Holiday Hack Write-up


I finally finished my write-up for the SANS Holiday Hack 2020. I learned a lot through the process of writing this up!

If you’re interested, check out my full write-up on GitHub. Here are my key takeaways though, pulled straight from my write-up:

Personal Takeaways

Favorites

These are my favorite challenges and experiences of this challenge:

Linux Primer

I love the Linux command line. It’s fun. Not to mention if my kids walk through the room and see me in Linux they’re always like, “Mom’s hacking again!” which of course makes me laugh, and also makes me feel like a pretty cool mom.

The lights and the vending machine in the UnPreparedness Room

I enjoy cryptography, even though I haven’t done much of it yet. It’s probably my math background; I have taken a lot of math classes and really enjoy math. And the problem solving involved in these was just fun!

Soundtrack

Have I mentioned I loved the soundtrack for this challenge? My favorite song though was Ninjula’s You’re a mean one, Mr Grinch. So much energy!

Cool tools from this challenge

Bucket Finder

https://digi.ninja/projects/bucket_finder.php

Cyberchef

https://gchq.github.io/CyberChef/

Atomic Red Team

atomic red team

HID / Proxmark

I’m fascinated by the idea that through a little device you can manipulate ID cards. The Proxmark3 seems like an awesome tool. This HID/ProxCard Cheat Sheet could come in handy some day.

Scapy

Really any specific way to change a packet is new and fascinating to me! I knew it was possible but to see it in action was pretty cool.

Things in this challenge that were mostly or completely new to me

S3 Buckets

I don’t know a whole lot about how Amazon Web Services works. I’ve just started learning about EC2 instances, but haven’t gotten very far yet. I love learning about how everything works together in the cloud and look forward to learning more about S3 storage buckets and ways to secure them.

Tmux

The idea of multiple terminal sessions being accessible in one window kind of blows my mind, not gonna lie.

Regex

Regular Expressions is a concept I’ve come across before but never in this much detail. I actually was working on a script the other day where I ended up using regex and it was so helpful! I still am a baby when it comes to using it, but I learned a lot through the process in this challenge!

Redis

I still feel unsure of what exactly Redis is used for, but at least now I’ve had a little exposure to build on next time I come across it!

Lookup Tables

I have to say I’m proud that my natural way to fix the vending machine was basically a lookup table. I’ll have to look into methods for lookup tables in more detail next time I come across a polyalphabetic cipher. I’m sure there was a way to automate this, or at least I’d like to think Python could have saved a lot of time here. I just don’t know enough about it yet to make it happen!

Things I learned about hacks and challenges during this challenge

Taking Notes

I took notes right from the start, but as I progressed through the challenges I realized my note taking was definitely lacking. I tweaked my notes along the way, but still as I wrote this up I found there was so much missing from my notes and had to revisit the challenge and walk through it quite a bit a second time to get the details I missed. In the end, here are the things I learned about taking notes:

  • Take all the screenshots. I took quite a few screenshots along the way, but I wished I had taken more… or differently. What I would change for next time? Take a screenshot of the full badge at the beginning. Take a screenshot of each room before interacting with it.
  • Track the dialogue better. I started just making notes of the gist of what the elves said. Then I realized their specific words were probably more important, so I started typing their comments word for word, but quickly decided there had to be a better way. After looking through a little more closely, I realized their dialogue was in the chat window! Wish I had paid attention to that from the start. Copy and paste is so much easier than copy typing!
  • Take notes in a way that will support a write-up. This write-up took forever because I didn’t do a great job of typing up all my thoughts along the way. Most of my notes were in the form of screenshots or short phrases, which was good but I definitely could have done better.

Stop and Smell the Roses

I have a feeling I missed a lot. I was so focused on the specific objectives and didn’t notice as much as I could have about the environment, the narrative, storyline, etc. I heard people mention a few Easter Eggs and man I want to see what I was missing!

I guess what I’m trying to say is I learned that challenges like this are more than just about the objectives. They can be so much fun too!

SANS Holiday Hack Challenge & KringleCon3


Where has this been all my life?!

For real though. KringleCon3 and the Holiday Hack Challenge, I can’t even tell you how awesome. It’s the perfect combination of geeking out, having fun, listening to a great soundtrack, watching short talks to give me tips, stalking discord, taking notes, and learning by doing.

I didn’t get a chance to start on this until later in December, but it’s been SO much fun and I’ve gotten a little over halfway through so far. (Still a few more days before I need to stop and write it all up…)

And it looks like they do it every year, so it’s definitely going on my calendar for every December because I’ve loved it so much.

It’s on my list to look at the write-ups from last year too. I’m new to the write-up thing so it will be such a good resource!

Capture the Flag Noob


I’ve been seeing teasers about SANS Community CTF for a while, and the idea of a free CTF is intriguing. I have loved the tiny exposure I’ve had to Hack the Box, but really besides that this is all new to me.

They had a free community CTF in October, but I chickened out on that one. Well, I saw the registration for this one go live and decided I would just try it. I almost didn’t because I felt like I would bomb 100%. Well, I’m so glad I pushed through that and just signed up anyway!

I really liked the format. It was a bunch of Challenges, categorized as Easy, Medium, or Hard. (There might have been an Extreme category too?) They were also named with a convention that kind of told you if it was a networking challenge, or binary files, or cryptography, etc. You were awarded a certain amount of points for each challenge (based on difficulty) and could track your progress on the dashboard.

Beyond that, I got the impression that SANS doesn’t want people to publish write-ups for these challenges, so I’ll keep my notes on it private. But I’m working on a GitHub repo to keep useful tools all in one place, so check it out. I’m so open to feedback on format for that one; it’s a work in progress for sure!

There were a few challenges that were fairly easy to figure out, but for the most part I was learning new things as I went and lots of trial and error! I got about halfway through the challenges, which I was pretty proud of as a total beginner. Also, I didn’t finish last so go me! 😉

If you’re ever looking for a fun CTF keep your eyes open for these! I’m hoping they’ll continue them in 2021.