As part of Shine’s commitment to always be levelling ourselves up in security, a bunch of us decided to have a go at a CTF (capture the flag) competition.
We reasoned that if 8-year-old script kiddies could break into websites, it couldn’t be that difficult, and it would also give us some insights into protecting ourselves against those same script kiddies.
Shearwater was running their annual Offensive Web Application Security Hackathon in November. It was billed as one of Australia’s largest cybersecurity events, so we decided to sign up for that. If we were going to fail – we might as well fail big-time.
We had two main goals:
- To learn something new
- To not come last
Here’s how it all went.
There are heaps of online resources to choose from when training for a CTF.
We used the following resources:
On the Day
There were 50 teams competing from Sydney, Melbourne, Canberra and Brisbane. The format of the CTF was two challenge applications which we had to hack, one in the morning and one in the afternoon. The hacking times were interspersed with information sessions about web application hacking techniques.
First Challenge Application
This application was your typical online store application.
It was pretty cool being able to do things like place an order using someone else’s credit card, force the price of cart items to zero, etc.
The usual suspects here were SQL injection, parameter and cookie tampering, forced browsing, and password cracking. We also managed to find an unintended vulnerability related to pulling out dummy credit card information which wasn’t part of the challenge.
We probably could have done with another hour on it to finish up all the vulnerabilities.
Second Challenge Application
This application was an HR application allowing an employee to apply for and approve leave, as well as update banking information.
There were double the vulnerabilities here compared to the first challenge application, but having gone through the techniques in the first challenge, going through this challenge app was definitely more straightforward.
We did hit a brick wall though, trying to do some SQL injection – which pointed out an area to brush up on for the next CTF.
There was also some repetition in this challenge application: one exploit could be applied to nearly all of the pages to yield easy points.
If we were to do another CTF we would probably spend some time levelling up on how to automate a lot of the common attack vectors. The attack tool we were using allows for this but we hadn’t learnt that part of it well enough. The more experienced hacker teams seemed to be doing this: 30 seconds or so into the competition some teams already had hundreds of points on the board!
Next time we would also come prepared with hacker names like 0BL1V10N, M4357R0, or 74L15M4N, as everyone knows you’re not a real hacker unless you have a cool-sounding hacker handle.
We found that the challenges were pegged at the right level for us. They were difficult enough to stop us racing through all the challenges quickly, yet not so difficult that they didn’t give us enough time to try different techniques.
We did find that some of the vulnerabilities were repetitive across pages so we ended up grinding to bump up our points, which was a bit tedious.
We managed to achieve both our goals – learning something new, and not coming last (we came in 4th).
Special thanks to members of the Shine team who took the time to train up for the CTF: Aaron Brown, Ryan Siebert, and Nick Freemantle.