Bsides Calgary 2021

A writeup on my experience at BSides Calgary 2021.

Stefan


About

Bsides Calgary 2021 was a virtual security conference held on October 21st and October 22nd of 2021. It was filled with various thought-provoking talks as well as a Jeopardy-Style Capture-The-Flag competition, which will be the main focus of this short blog post.

Opening Keynote

Before starting the CTF, I attended the opening keynote which talked about how mobile phones are primarily used for targeted advertising and data analytics. The full talk was done by Joel Reardon, a professor at The University of Calgary. In short, Joel found that many mainstream Android applications collect data that can be used to build behavioural profiles on a person. In his case studies, Joel found that information such as WiFi SSIDs, Router MAC Addresses, and even phone IMEI numbers were transmitted over the network. You can find more information via scholarly articles, but overall I thought the talk was great and made for a good introduction into what our smartphones are actually used for, and how our universal right to privacy is being slowly stripped away from us as time goes on.

CTF

The CTF spanned both days of the conference and included a bunch of challenges ranging from OSINT and reconnaissance to hash cracking and web. Along with the challenges, a few prizes were given out to the people who placed 1st to 6th (thanks sponsors!).


Prizes

Placement    Prize
1st Place    ???
2nd Place    Xbox One Series X
3rd Place    HackRF One
4th Place    WiFi Pineapple Mark VII
5th Place    Raspberry Pi 4 8GB
6th Place    Raspberry Pi 4 4GB

Results

At the end of the competition, I tied for 3rd place.


Overall the CTF was great: it introduced a bunch of challenges I had not been able to do at a CTF before (such as coming up with patterns to crack hashes). Below, I talk about a few challenges that particularly stood out to me.


Challenges

CPU Cycler


This challenge was one of the first to really catch my eye and challenge me while I was participating in this CTF. At the time of writing, I had never done a hash-cracking challenge where the password was not in a pre-made wordlist.

In a different challenge, we were given NTLMv2 hashes with the story that they had been captured using Responder in an Active Directory environment. This challenge referred back to those hashes, the idea being that one of them probably corresponds to a password following the given format.

The first thing I did was look for a password that would match the criteria given in the question. I checked the pre-made wordlists that were included in Kali and ran those passwords against the hashes to no avail.

(Screenshot of the grep command; flags used: -r recursive search, -x match the regular expression against the entire line, -P interpret Perl-compatible regular expressions.)

After exhausting all of the common wordlists, I decided that brute forcing was the only option.

I installed Hashcat so that I could use my graphics card for faster cracking.

Even though I didn’t have the Nvidia SDK installed, I was still able to reach ~400 MH/s peak with my RTX 3060.

(Screenshot of the hashcat command; flags used: -a 3 attack mode 3 (brute force), -m 5600 NTLMv2 hashes, -1 custom charset of both lower- and upper-case alphabet characters, -2 2 just the digit '2', -3 0 just the digit '0'.)

In order to reduce the number of possibilities as much as I could, I used custom masks. Custom charsets are like variables: each is given a set of possible characters, and the mask defines which position in the password each one occupies.

Since the only hints we were given for this challenge were that the password contained a 4-digit year somewhere along with a word, I chose to omit any special characters and limited the word length to something reasonable. Since the 4-digit number is a year, I chose to start from the 2000s and then try the 1900s.

The end of the command is where the masks are used. Every ?1 token specifies a single lower- or upper-case alphabet letter, so in this case five ?1 tokens mean that the first 5 characters should be every combination of lower- and upper-case letters. The ?2 and ?3 tokens specify that the two characters after the 5 letters should be 2 and 0 respectively, since we are trying to brute force the years starting with 20. The final two ?d tokens specify that the last two characters should be any digits from 0-9. Thus, we will try every year from 2000 to 2099 with every possible combination of letters of length 5. Before this permutation, I tried having the year in front of the word, as well as a word length of 4 letters.

This combination ended up yielding the correct matching hash in a reasonable amount of time.


However, after seeing the password, I realized that I could have reduced the number of combinations further by using a dictionary of 5-character words.

This challenge taught me that much more thought goes into password cracking than just telling a tool to try billions of combinations mindlessly. Using common patterns can drastically reduce the time it takes to crack a password.
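As an added illustration of the mask and dictionary points above (this is not code from the original post), the following Python script parses hashcat-style masks and custom charsets, computes the keyspace each mask covers, and converts it to worst-case time at the ~400 MH/s quoted earlier. It assumes the -1 charset was defined as ?l?u, and the 10,000-word figure for the dictionary alternative is an assumed number.

```python
import math, string

# Built-in hashcat charset shortcuts; ?a is the union of ?l ?u ?d ?s.
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def tokenize(mask):
    """Split a mask into '?x' placeholders and literal characters ('??' is a literal '?')."""
    tokens, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        tokens.append(mask[i:i + step])
        i += step
    return tokens

def expand_charset(spec, custom=None):
    """Expand a charset spec such as '?l?u' or '2' into its unique characters; custom maps '1'..'4' to the -1..-4 definitions."""
    custom, out = custom or {}, ""
    for tok in tokenize(spec):
        if len(tok) == 1 or tok == "??":
            out += tok[-1]                      # literal character
        elif tok[1] in BUILTIN:
            out += BUILTIN[tok[1]]
        elif tok[1] in custom:
            out += expand_charset(custom[tok[1]])  # custom sets may only use built-ins
        else:
            raise ValueError("unknown charset " + tok)
    return "".join(dict.fromkeys(out))          # de-duplicate, keep order

def mask_keyspace(mask, custom=None):
    """Candidates a mask enumerates: product of the charset size at every position."""
    return math.prod(len(expand_charset(t, custom)) for t in tokenize(mask))

def seconds_to_exhaust(keyspace, rate_hs):
    """Worst-case time to run the whole keyspace at rate_hs hashes per second."""
    return keyspace / rate_hs

if __name__ == "__main__":
    custom = {"1": "?l?u", "2": "2", "3": "0"}   # assumed: -1 ?l?u -2 2 -3 0 as in the writeup
    for mask in ("?1?1?1?1?1?2?3?d?d", "?2?3?d?d?1?1?1?1?1", "?1?1?1?1?2?3?d?d"):
        ks = mask_keyspace(mask, custom)
        print(f"{mask:20} {ks:>15,} candidates, {seconds_to_exhaust(ks, 400e6):8.1f} s at 400 MH/s")
    # Dictionary alternative from the writeup: assumed 10,000 five-letter words x 100 years.
    print(f"{'10,000 words + 20??':20} {10_000 * 100:>15,} candidates")
```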

Just a little too nice


This challenge had us attacking a web portal that was discovered in earlier challenges. The portal included fields for a 5-digit PIN, an email address, and a password.


Upon entering the wrong PIN number, we get an error message saying that the PIN is not preregistered. This means that if we enter a PIN number that is preregistered, the error message will be different, likely giving us the flag for the challenge.

I didn’t actually solve this challenge in time, as I tried to brute force all 99,999 PIN combinations using Burp Suite’s Intruder. However, the reason I couldn’t get the right PIN wasn’t the speed of Intruder, but an issue with cookie state.


This is what a regular error message looks like when entering an invalid ID. When trying to recreate this in Burp, however, the odd redirection flow seems to drop the session cookie during one of the redirects and, as a result, truncates the error message.


A working solution to this problem could instead be written using Python.

#!/usr/bin/python3
import requests
from concurrent.futures import ThreadPoolExecutor

URL = "https://datahub.balam.ca/signup"
# Body length of the normal "PIN is not preregistered" error page; a different
# length (or an email address echoed back) means the ID is preregistered.
NORMAL_ERROR_LEN = 3292


def post_request(client_id):
    r = requests.post(URL, data={'clientid': client_id, 'email': 'lconner3@4d2.ca', 'password': 'foo'})
    if '@' in r.text or len(r.text) != NORMAL_ERROR_LEN:
        print("SUCCESS!!! ID: " + str(client_id))
    else:
        print("Nothing for id: " + str(client_id))


# Try every 5-digit ID from 1 to 99999 inclusive, 16 requests at a time.
with ThreadPoolExecutor(max_workers=16) as executor:
    for i in range(1, 100000):
        executor.submit(post_request, i)

Even though this script uses multithreading, it still takes a while to run through all of the combinations. Fortunately, the client ID was 10601.


What I learned from this challenge is that some challenges require you to use multiple tools in order to solve the problem. Even if all of the tools achieve the same thing, the way they work will differ and may generate different results, as a vulnerable web app may react differently to different attack techniques.

Conclusion

All in all, the CTF provided a good mix of challenges ranging from OSINT, web directory brute forcing, and advanced scanning to, most uniquely, intelligent password cracking. The talks were informative, and the overall experience was great. I hope to compete next year as well.
