Today I had the pleasure of participating in the West Michigan CyberSecurity Consortium's (WMCSC's) annual red vs. blue competition. In April I received an email from one of my professors about red teaming for this event and was interested because I like red teaming. I thought the experience would be worth the money I had made at my internship, so I decided to come out here to play. I was certainly right about it being worth it; I have done a bit of red teaming before, but this was the first time I was doing something without any knowledge of the infrastructure. The team that was gathered was mostly centered in Michigan, with a few people from other areas like myself. We started collaborating in mid July so that we could form a game plan. There were 11 people total on our red team, led by Mr. Matt Carpenter of Grimm. We spent a week or so talking about strategies and tools and then were given access one week before the actual event to try and breach systems and put backdoors in place. This infrastructure was broken up into a few different parts: the school, the power plant, Alphaville, (one other one I can't remember right now), and our target Zenda. Zenda was supposedly a research company we were supposed to hack as the Kneebonian Mafia. The infrastructure for the competition was put together by Merit, a company that was developing networking technologies back when ARPANET was starting to be more heavily used and other networks were popping up. The company now (among other things) runs the Michigan Cyber Range, which was the infrastructure we were playing on.
To gain access to the environment we had to log onto Windows 7 machines via the VMWare Horizon View client, which connected to the Kali VMs via a remote service called NoMachine. Getting in was actually surprisingly easy, but I locked myself out a few times with a couple of dumb mistakes (I'll explain this in a second). The one disappointing aspect of this competition was that there was no internet within the environment, so we couldn't just go out and get tools and things without a bit of hassle. We ended up being able to upload packages to a web interface and access them from Kali, but this wasn't fully set up until Saturday or Sunday. We gained access to Kali on Thursday, but I didn't really end up doing much until I was able to get my toolset onto the box. They did not give us any IP address information, so I just tried scanning and poking at everything, and eventually I ended up locking myself out twice, like I mentioned above. This is how I found out that I do stupid things when I'm not given targets!
When I scanned and saw the exposed outside (local) network I was a bit disappointed: it was Windows XP, Server 2003, and a lot of Linux 2.X. I thought that was it; we were going to own everything, make blue team cry, and be done in 20 minutes... but I was so wrong. Not long after the scans had finished I quickly gained access to five or six Windows XP/2003 machines on that outside local network, which was known as Alphaville (the 10.0.3.0/24 network). Our Kali boxes were also on this network. This was Monday, so I spent the day planting myself deep into these boxes with Cobalt Strike's beacons and other shenanigans I like to do to maintain access. One of the boxes was a Server 2003 domain controller for the school network (192.168.40.0/24), which had many hosts underneath it. Unfortunately I was having trouble getting to them, so I moved on and attempted to crack passwords for a bit. I ended up importing ophcrack's XP free small tables into the environment and trying to use those. Since Cobalt Strike and Metasploit were already hogging most of my RAM, I ended up using OCR to get the hashes onto my local box and cracked them using the XP special tables. Through credential re-use I gained access to the Linux machine that the library website was hosted on and planted backdoors on that.
Tuesday was a travel day for me; it was my first time in Michigan ever. I flew into Detroit and took a 4 hour bus ride to Grand Rapids, where I stayed in the crappiest hotel I could find. I started doing more recon in the hotel over my phone's data connection because the free wifi wasn't working and the staff wasn't being very helpful with it. Someone had found a whole other network: the Zenda network. The outward facing network for Zenda (10.115.3.0/24) had a few boxes: FTP, web, a workstation with RDP enabled, and two PFSense machines. Luckily the FTP server was Windows 2000 (SO OLD). After breaching that box with the trusty MS08_067 exploit I pivoted through to Zenda's inner network (192.168.66.0/24) and started inspecting machines. The part I want to note here is that I was pivoting through a WINDOWS 2000 machine; it was so unstable that MS08_067 stopped working after a few people popped it, and then the RPC server crashed (but did not reboot) when I switched to MS03_026. Not only that, but shells kept dying randomly for some reason, and after the RPC server was dead it could not be rebooted through normal methods (I tried a ton of stuff: psshutdown, tsshutdn, shutdown, killing processes, etc., but nothing really worked). However, in the time I had the shells I was able to gather some important information about the internal network. I started with an ARP scan because I figured that was a quick way to map out the network. Since I'm a Windows guy, and since I could only scan a limited number of ports while pivoting, I decided to scan ports 389, 445, 3389, 22, 23, 1408, 3306, 21, 8080, 80, and 443. Note that through pivots and proxies ONLY CONNECT SCANS will work, so I didn't want to scan every port and wake all the neighbors; plus, it was slow scanning a lot of ports. I then used the smb_version scan module on the hosts that had SMB (445) open. The smb_version scan returned three Windows hosts and one Linux host.
One of those Windows hosts also had 389 and 53 open, so I had a strong hunch that that was the domain controller. I wanted that machine. I spent the next few hours fighting with my pivot and having no luck on the Zenda network. I tried bruteforcing credentials, re-using passwords from the outside, throwing exploits, and a few other things until I had to go to sleep. I was honestly feeling pretty defeated at that point... but I had a plan.
I was picked up at 6:15 the next morning by one of the other red teamers and we went to the school that the event was hosted at (GVSU). He was confused at how I had heard about the competition and told me everyone was convinced I was some crazy hacker from RIT. I had been putting a lot of work into this, but when I got there I got a similar reaction from people, such as "oh, yeah you're that crazy guy" and "ah that's you." Apparently I'd made an impression on some people. It was very welcoming for sure. The competition started around 8:30, so I had time to check a few more things and finalize things for my plan!
The plan was to wait until the blue team logged onto the Windows machine with the domain administrator account, migrate into their processes, and own the domain from there. It would basically leave us a very small window of time to compromise them before they kicked us out of the box. Well, it worked. I migrated right into the first process I could find when the competition started. I added a user to their domain and immediately pivoted through to the domain controller, where I installed malware and backdoors like crazy. I had made the Windows 2000 pivot more stable by getting initial access with MS08_067 and then migrating out to other things like notepad and VMWare tools, so that was no longer an issue. After planting deep into the domain, I gave one of the other guys RDP access, where he used GPO and some other Windows admin magic to lock the blue team out from their DC. That was fun, but was probably a bad idea in hindsight, because blue team started focusing more on network defense from here. After owning the domain I popped two or three other Windows hosts, including one that was outward facing and would have been another great pivot point. One of the other guys and I were shoveling people shells and backdoors like crazy; it was intense and a lot of fun. At one point I think there were 4 or 5 people all connected to my proxy to pivot through to the internal network to access machines in attempts to persist access or gather information. There was a little push back from blue team before we kicked them out; they disabled our accounts, deleted them, changed the passwords, etc., but this was easy stuff to deal with and we were getting back in fairly regularly. When one of us would lose a shell we could just get it passed back from someone else on the team, which was great. Then, I got kicked out of EVERYTHING around 11am. All of my beacons, shells, and other callbacks completely died. Nobody was able to access Zenda from then on.
I ended up spending the rest of the competition trying to think of ways back in and also defacing the library website with some fun memes I made before the competition and imported into the environment.
When it was all over at 2pm there was a debrief where blue team said that they had null-routed us around 11, when I had gotten kicked out. We happened to be on the same network as the Alphaville town network, but they decided to just block us. The "CEO" allowed it and the rules didn't prohibit it; plus, their scoring engine wasn't on that network, so it didn't affect any service scores. It was a bit disappointing to lose all that access to a broad network filter, but I give them props for playing the game's rules to their advantage. They completed their mission of keeping us out of Zenda... after getting locked out themselves and needing a restore of their domain controller. It was fun to answer questions during the debrief about what I was doing and how my stuff worked.
In the end it was a great experience. I met some really kick ass people, some of which I will be seeing again at Black Hat/DEFCON next week! I'm glad I came out to play, but the real bonus was getting to talk to some of the other players, both red and blue. The guy that was shoveling shells with me actually knows the guy that sits next to me where I work, which is a strange coincidence. I also met the mother of one of the guys that's putting on the Car Hacking Village with Charlie Miller, so that's cool too. Everyone thanked me for coming out and the Merit guys even gave me a sweet challenge coin for coming all the way out and contributing so much! Pretty big honor, I'd say. The praise was very much appreciated and has assured me that I want to keep doing this red team stuff. I learned so much and I'm for sure going to try and come back next year with even more crazy stuff to throw at people. Thanks to everyone who helped make this event happen! It was a ton of fun!
Cyber, cyber, cyber.