Red Teaming at WRCCDC 2015
WRCCDC just ended this year and it was epic as always. I got to compete on the red team this year, and I wanted to detail some of my thoughts below, as we didn't quite get the one-on-one debrief some teams were looking for. The network was divided pretty evenly among Linux and Windows targets, which was a nice spread of targets to both pop and persist on. The teams also got access to a FireEye NX box this year, which made things extra interesting, as that NX box is pretty much an automatic Snort box with signatures pushed directly from FireEye. So I thought for sure that could be leveraged to give us a lot of trouble, which we will get into later.
Organizationally, WRCCDC operated very differently from PRCCDC. From a network perspective the networks were flatter and the teams could even interact with each other across the network. Similarly, from an infrastructure perspective it seemed a bit rushed, as there weren't as many rich services; however, there were more targets on the flat network. That said, there were only 5 services being scored for SLAs, so some blue teams brought down all of the machines that weren't involved in scoring SLAs. Red team also operated in a very different way, as there were no cell teams and everyone seemed to target specific services and machines they were familiar with across the board. We did a good amount of sharing and shell passing using both Cobalt Strike and Metasploit handlers. This kept a strong team synergy while allowing people to focus on what they were the most familiar with. Ideally, I think a mix of the organizational concepts of PRCCDC (the preparation and the focused cell teams) and the organic / experienced nature of the WRCCDC red team would have the best result. In my mind this would look like cell teams that have an extra man, who could apply some of that team's nicest hacks across all other teams and aid in the meta team pwnage, while cell teams could ensure each team got the special love they deserve at all times. Which is cool because that is actually a lot like the way the national CCDC red team operates.
As far as a blue team debrief / red team attack strategy, I will say the following in hopes of better enabling the teams that make it to nationals to leverage their FireEye-provided NX boxes. I got into the FireEye NX boxes almost immediately using default creds that were announced at a briefing where both red and blue teams were present. Once on every team's NX box, I went through enabling all of the support accounts, adding administrative users, whitelisting our IP ranges, and dropping all alerting rules from the config. At no point did we change the default root password, giving every team the opportunity to easily reclaim their NX box by simply logging in and shutting down our new accounts. However, the few teams that did this failed to re-enable the rules and remove our whitelisted IP space. On the boxes of teams that didn't remove these administrative backdoor accounts, I would ssh in and start a tcpdump of all the traffic on the box, then scp this back to my machine. I could use these tcpdumps from the box to then collect passwords transmitted over cleartext as well as gather intel on the various teams based on their traffic. I also focused heavily on persisting on the Linux and Windows servers through stolen credentials, new admin accounts, reverse shells, keylogging, scheduled tasks, and tricks such as adding my own ssh keys or sticky-key persistence on RDP, but these are fairly well documented CCDC red team techniques, so I won't go into them here.
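The blue-team lesson in the paragraph above is that reclaiming the appliance means more than deleting the red team's accounts: the support accounts, the dropped alert rules and the whitelisted ranges all have to be checked too. The following is an added example (not code from the original post, and not FireEye's NX configuration format, which is replaced here by a constructed, hypothetical JSON-style export) that audits such an export against an expected baseline and produces a cleaned copy. The account names, rule ids and IP ranges are all constructed sample values.

```python
"""
Audit a constructed, hypothetical NIDS appliance config export for the four
mistakes described above: rogue admin accounts, vendor support accounts left
enabled, alert rules still disabled, and attacker IP ranges still whitelisted.
The export format below is an assumption for this example only.
"""
import ipaddress

# Constructed sample export; not taken from a real appliance.
SAMPLE_CONFIG = {
    "accounts": [
        {"name": "admin", "role": "admin", "enabled": True},
        {"name": "support", "role": "support", "enabled": True},
        {"name": "svc_backup", "role": "admin", "enabled": True},
    ],
    "alert_rules": [
        {"id": "malware-callback", "enabled": False},
        {"id": "exploit-web", "enabled": False},
        {"id": "exploit-smb", "enabled": True},
    ],
    "whitelist": ["10.0.0.0/8", "172.16.5.0/24"],
}

# The baseline the blue team believes the box should match (constructed).
EXPECTED_ADMINS = {"admin"}
APPROVED_WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]


def audit_config(config, expected_admins=EXPECTED_ADMINS,
                 approved_whitelist=APPROVED_WHITELIST):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    for acct in config.get("accounts", []):
        if not acct.get("enabled"):
            continue
        if acct.get("role") == "support":
            findings.append(("high", f"vendor support account '{acct['name']}' is enabled"))
        elif acct.get("role") == "admin" and acct["name"] not in expected_admins:
            findings.append(("high", f"unexpected admin account '{acct['name']}'"))

    disabled = [r["id"] for r in config.get("alert_rules", []) if not r.get("enabled")]
    if disabled:
        findings.append(("high", f"{len(disabled)} alert rule(s) disabled: {', '.join(disabled)}"))

    for cidr in config.get("whitelist", []):
        net = ipaddress.ip_network(cidr, strict=False)
        # A range is acceptable only if it sits inside an approved range.
        if not any(net.subnet_of(ok) for ok in approved_whitelist):
            findings.append(("medium", f"whitelisted range {cidr} is not in the approved list"))
    return findings


def remediate_config(config, expected_admins=EXPECTED_ADMINS,
                     approved_whitelist=APPROVED_WHITELIST):
    """Return a cleaned copy: support accounts disabled, rogue admins removed,
    every alert rule re-enabled, and unapproved whitelist entries dropped."""
    fixed = {"accounts": [], "alert_rules": [], "whitelist": []}
    for acct in config.get("accounts", []):
        acct = dict(acct)  # do not mutate the caller's export
        if acct.get("role") == "support":
            acct["enabled"] = False
        elif acct.get("role") == "admin" and acct["name"] not in expected_admins:
            continue
        fixed["accounts"].append(acct)
    fixed["alert_rules"] = [dict(r, enabled=True) for r in config.get("alert_rules", [])]
    for cidr in config.get("whitelist", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.subnet_of(ok) for ok in approved_whitelist):
            fixed["whitelist"].append(cidr)
    return fixed


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
    print("after remediation:", audit_config(remediate_config(SAMPLE_CONFIG)))
```

Run against the constructed export, the audit reports the enabled support account, the `svc_backup` admin, the two disabled rules and the `172.16.5.0/24` whitelist entry; the remediated copy audits clean. The point of keeping the baseline (expected admins, approved ranges) in code is that after an incident the check is repeatable, rather than relying on someone remembering which of the four things to look at.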
The trolling this year via the red team was pretty entertaining. Aside from the typical defacements and same-machine harassments, the red team did a few notably hilarious things. We attempted several social engineering attacks, both phoning the teams for OWA account access and sending spear phish emails as injects. We were also able to set up private Runescape servers on several teams' boxes, which was a lulzy reprieve from the beat down. We pulled off the classic stomping of the boot loader, and there was also a great hack where /bin/bash was overwritten with a Golang program that just did an ASCII version of the pirate virus. This was great because it turned a typically useful administrative ssh service into a giant ASCII joke. I've included some screenshots of the highlights that I collected from the entire red team below:
Ahhh, good times. Can't wait to see everyone at nationals!