Hello! Several weeks have passed since our victory and the emotions have subsided, so it is time to take stock and analyse what we did not get right. In our line of work it does not matter whether we have just won a competition or found a vulnerability in a real project: it is always important to work through the mistakes and understand what could have been done better. After all, next time the rival teams may be stronger and the client's infrastructure better protected. To be fair, the article below is more debatable than it is a set of guaranteed working recipes. Judge for yourself.
Preparation
As I wrote in the first part, preparation was an incredibly important element of our victory: it was in this phase that we laid the foundation for the future win. But, owing to a few mistakes, we also buried several time bombs in that foundation, any of which could have gone off and brought the whole structure down.
1. Team
Our team consisted of 20 people, and to be honest that is a lot. Looking back objectively, I see that the same confident victory could have been achieved with 7-8 people, and a less confident result would have been within reach of 4-5 result-oriented specialists. The more people on the team, the higher the likelihood of conflict, because such competitions are a huge stress, especially on the second day and without normal sleep. Unfortunately, the reality is that you will not find 20 equally good hackers, which means you still have to do quality assurance on the work of the more junior specialists, and that turns into duplication of their work.
Differences in attitude to the competition can also be an important factor. I have been taking part for more than a year, and almost every time I see the same situation: one of the team members leaves at 18:00-19:00 with the words "the working day is over", and this VERY strongly demotivates the rest. On the one hand, it seems fair, because for many people this is just a job. On the other hand, it badly demotivates those for whom such competitions mean much more than work; for them it is a part of life. It probably makes sense to discuss such things within the team before the competition starts.
TL;DR: Quality is more important than quantity. More participants is not always better.
2. Exploiting atypical vulnerabilities
Objectively speaking, this also did not work out as intended. As you remember, in preparing for vulnerabilities unfamiliar to us, we wrote out standard approaches and downloaded tools for carrying out such attacks. That was the right step, but a couple more should have been taken. Firstly, when preparing for such competitions you need, above all, to study the technical basics and the architecture of the solutions. For example, in the case of industrial control systems, not everyone responsible for that area on our team understood the difference between the controller, the SCADA system and the servers scattered here and there, which ultimately meant studying all of this during the competition. A lot of precious time went on that. And, of course, you need a person who can not only download all the necessary tools but understands why each one is needed and how to install it, and, better still, has pre-installed all the necessary software on virtual machines.
An example from PHDays: one distribution of the required software consisted of 16 floppy disk images (old-timers will remember those), installed only on Windows XP and required a floppy in the drive in order to run. We were not able to install it.
TL;DR: Start preparing a month in advance, or even earlier. Don't be a script kiddie; understand the basics.
3. Equipment
It's no secret that staying in a state of flow very often requires silence and peace. Peace we can only dream of, and silence at PHDays is a problem in general. So, in addition to all the equipment listed in our earlier articles, I recommend bringing a set of earplugs and sound-isolating headphones. They will save you both from the roaring crowd and from unexpected sound checks.
TL;DR: Bring earplugs. Better bring a couple of spare pairs; other participants will be VERY grateful.
Competition
4. Coordination
It is much easier for me to write critical passages about team coordination, because I was the one doing it, so I definitely won't offend anyone here. For effective coordination you need a person who understands very well what is going on, how a pentest works, understands kill chains and, in general, understands the specifics of each person's work. Obviously, this is someone with a pentester background who is actively practising, or practised in the recent past (less than six months ago).
On the other hand, it is hard to watch the guys cracking something and looking for a way out of a dead end without getting involved in the problem yourself. This became a problem for me, and I objectively could not cope with it. At a certain point I got actively involved in data exfiltration and began helping to fight the competing team. Because of this, for 3-4 hours part of the team (roughly 30% of the participants) was simply lost and did not know what to do. Now I realise it would have been much more correct to delegate that task to one of the team members and to keep monitoring the overall picture of the competition myself. After all, the coordinator should always know what is happening in each area of work.
An example from PHDays IX: in the second hour of the competition we noticed a relationship between the Bigbrogroup domain and cf-media. As a result, while holding an Enterprise Admin account, we only realised after 5 hours that it could also be used in the second domain. Until then, nobody had paid attention to the linking domain that appeared in both tasks. I suppose that if we had used that account, we could have taken control of the second domain long before the officially announced merger and saved a lot of time and nerves.
TL;DR: The coordinator should try not to dig into the details but to look at the picture as a whole.
5. Interaction with the organizers
In our case this part worked like clockwork. But we noticed that many teams interact with the organizers very passively or not at all. Firstly, you need to monitor updates in the Telegram chats carefully. Many teams did not even see the results of the social engineering task until they were announced from the stage, by which time it was too late. We are all human, and everyone makes mistakes: during the game we found 3-4 bugs that directly affected our points, reported them to the organizers, and they corrected the situation. The same goes for the flag format.
TL;DR: Pay attention to everything the organizers say. Don't hesitate to ask them if you suddenly don't understand something.
6. Talks
For the second year in a row, the organizers' talks cover research which, among other things, found application within StandOff. So you definitely need a person or group of people who will go round all the technical tracks with topics close to StandOff and bring back short summaries for those fighting on the StandOff floor. In particular, this year there was a talk that could be used to gain access to one of the industrial control systems.
TL;DR: Try to assign a person or group of people to attend all the technical talks.
I would like to end this series of articles with a little feedback on the competition itself. As I have said more than once, the main lesson of Standoff over the past 3 years has been one and the same: security has always been, and will always be, part of a compromise between functionality, usability and security itself. And in real life, the business defends functionality and usability very firmly.
Security is not an end in itself, but just one of the tools that help the business, and not all the wishes of information security specialists are fulfilled, precisely because they run counter to the interests of the business. More than once during the competition we came across a situation where hackers found a vulnerable service and the defenders simply switched it off. Imagine that this happens in a bank: a hacker finds a vulnerability in the remote banking system and starts studying it, and the security team, having seen this, switches the system off, not for an hour but for several days. The company would incur enormous losses. The employee who decided to disable the service would be fired and the service restored immediately. But alas, in the current format of the competition this is impossible, and that is the main factor preventing us from showing the real picture in a world where, unfortunately, security is "catching up" with the hackers' capabilities, and not the other way round.