Red Teaming at WRCCDC 2017

Welcome back! This was another great year at WRCCDC, one of the major attack/defense CTFs I was looking forward to this year. With Cal State Northridge taking 1st, Stanford taking 2nd, and Cal Poly Pomona taking 3rd, it was a close competition throughout.

I personally spent a lot of time converting some of our previous dropper payloads from OS scripts to native executables for each operating system. The intention is that a native binary requires more serious reverse engineering and incident response capability than simply recovering a script through any number of forensic methods. That said, they should still be very easy to detect: at Western regionals we were dropping five additional unique binaries and modifying over 40 different observable security controls on each endpoint with the droppers alone!

Patching, passwords, and turning off unnecessary services are always the critical first steps, but I want to offer some more advice for rapidly securing your network. A lot of this sage advice actually comes from the closing talk by Black Team lead James, and it makes a ton of sense given the network architecture. Secure your network perimeters first, and work outward from those secured zones into the insecure ones. I thought the Western regional network was exceptional this year because it introduced four distinct environments, each one starting out more secure than the last. By blocking all or part of the network traffic to certain machines, you can monitor and fix a machine, and perform forensics to understand root cause, without it being hammered in the meantime. It also helps to take quick backups of key configurations and initial settings; keeping these locally or in a safe location gives you a fast recovery option. Finally, ensure you are logging properly on your machines and, if possible, set up a machine for remote log collection and analysis. This pays dividends when you need to investigate a compromised machine, especially if you already have a secured zone you can log to.
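To make the "back up key configurations early, then use them to recover" advice concrete, here is a small added example (my own illustration for this post, not tooling from the WRCCDC red or black teams): it snapshots a list of config files with their SHA-256 digests and modes, keeps a copy in a safe store, and later diffs the live files against the baseline so a blue team can see exactly which files a dropper touched and restore them. The watched file list, the sample file contents and the tampering in `demo()` are all constructed for the example.

```python
"""Baseline key config files, diff against the baseline later, restore what changed.
Added example for this post; the file list and sample contents are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical list of files a blue team would want an early snapshot of.
WATCHED = ["etc/passwd", "etc/ssh/sshd_config", "etc/crontab"]


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path, watched=WATCHED, store: Optional[Path] = None) -> dict:
    """Record digest and permission bits of each watched file; copy contents to `store`."""
    baseline = {}
    for rel in watched:
        p = root / rel
        if not p.is_file():
            baseline[rel] = None  # absent at baseline time; recorded so we notice later
            continue
        baseline[rel] = {"sha256": file_digest(p), "mode": oct(p.stat().st_mode & 0o777)}
        if store is not None:
            dest = store / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)  # copy2 keeps mode and timestamps
    return baseline


def compare(root: Path, baseline: dict) -> dict:
    """Classify each baselined file as unchanged, modified, mode_changed or missing."""
    report = {"modified": [], "missing": [], "mode_changed": [], "unchanged": []}
    for rel, rec in baseline.items():
        if rec is None:
            continue  # nothing to compare against
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif file_digest(p) != rec["sha256"]:
            report["modified"].append(rel)
        elif oct(p.stat().st_mode & 0o777) != rec["mode"]:
            report["mode_changed"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def restore(root: Path, store: Path, rel: str) -> None:
    """Put the stored copy of one file back in place."""
    shutil.copy2(store / rel, root / rel)


def demo() -> dict:
    """Constructed scenario: baseline three files, tamper with two, diff, restore, diff again."""
    root = Path(tempfile.mkdtemp())
    store = Path(tempfile.mkdtemp())
    try:
        sample = {  # constructed contents standing in for real system files
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
            "etc/crontab": "# empty\n",
        }
        for rel, text in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = take_baseline(root, store=store)
        (store / "baseline.json").write_text(json.dumps(baseline, indent=2, sort_keys=True))
        # Constructed tampering: an extra UID-0 account and a new cron line.
        with (root / "etc/passwd").open("a") as f:
            f.write("backup:x:0:0::/root:/bin/bash\n")
        with (root / "etc/crontab").open("a") as f:
            f.write("* * * * * root /tmp/.x\n")
        first = compare(root, baseline)
        for rel in first["modified"]:
            restore(root, store, rel)
        return {"first": first, "after_restore": compare(root, baseline)}
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `take_baseline` against the real root (`Path("/")`) as soon as you get console access, push the store to a box in an already secured zone, and re-run `compare` whenever a host looks off; the report tells you what to restore and what to hand to forensics.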
Now let's dig into some of the carnage at Western! One of the fun open source projects I deployed was Windows-Hacks, despite having to download .NET for it (as if there weren't enough indicators to detect us already)!
There were some really funny moments, like when we busted out all our great troll payloads. We would set these up to persist on various scheduled tasks, and use them like time bombs in already compromised systems. They were fun parting gifts when we had finished looting certain systems.
(Embedded Instagram post shared by Dan Tentler, @vissago)
Our constant assault eventually made some of the services unusable, which was even more hilarious as they ground to a halt. We also used multiple ransomware payloads and had the genius idea of resizing several of the virtual disks in the process, causing some serious disk issues on day two.
My favorite part of Western is the fun atmosphere and light-hearted trolling; it's really a great time and makes for a lot of creativity and experimentation. It's a great place for new ideas and for hacking on some really fun projects with some amazing people. If you've never been, I encourage you to check it out; they always need volunteers on the various teams.
And ultimately, this was all especially hilarious when combined with some of our more destructive payloads, a large theme in the industry this year. After all, the amazing part of CCDC is that you have the freedom to experience and experiment with things you don't often get to try in real life. I think we all had a lot of fun with it.