Categories
Uncategorized

Huntress CTF 2023

I decided this year during cyber awareness month I was going to finally participate in a Capture the Flag (CTF) competition. After looking around at some of the offerings and following John Hammond on YouTube (https://www.youtube.com/@_JohnHammond) I gravitated towards the Huntress CTF.

Their competition has been spread over all of October, releasing a couple of challenges a day, up until the last week when the challenges began to get tougher. Here are some of the takeaways and highlights from the entire challenge this year.

  1. A lot of the challenges are really quite easy, and when they have put “easy” down they really have meant it. What these challenges have done, however, is make me realise exactly where the gaps are. Whilst they have been challenging, they have also been rewarding. Challenges like BaseFFFF+1 really threw me for a loop as I’d never seen the encoding method used before.
  2. The community is absolutely awesome. I’ve been able to collaborate with a few people over the last month and have gotten to know these individuals and find out where they are in their learning journey. Don’t get me wrong, some of them are sticklers for making sure you spend a reasonable amount of time on a challenge/down a rabbit hole before they will help; it is a competition after all. However, they absolutely do help out, and learning from these individuals has been truly amazing. I hope I’ve been able to impart some knowledge to them as much as they have helped me.
  3. The duration. This for me was a marathon, not a sprint, and finding time to tackle the challenges whilst moving house and dealing with a day job has been especially hard. I’ve found getting the laptop out and cracking on with the challenges just as hard as some of the most basic challenges. If you want to spend a day messing about finding flags, this one is absolutely not for you. However, if you want to learn over a period of weeks and collaborate, either in a team or just with a bunch of different people, then this one really does work.
  4. Highlight challenges.
    • There are quite a few here, but the ones I was particularly good at were the OSINT ones (didn’t think I would be, but they only took me a couple of minutes). These challenges made use of the GeoGuessr game:
      • Under the Bridge
      • Operation Not found
    • I also found some of the forensic and miscellaneous challenges quite rewarding, in particular:
      • Tragedy Redux
      • Operation Eradication
      • Rock, Paper, Psychic
      • Bable
  5. Time. All in, per day, I believe the maximum amount of time I spent was about 3 hours. It’s not a small commitment, as I alluded to in a previous point, particularly if you come across something you’ve never seen before.

Conclusion

So what do I personally think about this CTF? Honestly, if it wasn’t for the community that joined up I probably wouldn’t be doing it again. The time commitment for me, particularly with what I’m going through personally at the moment, is too much, and as a result it would have put me off playing again should they do it next year. That being said, I am hoping to participate again next year depending on work and personal life. I’m also hoping to take some of these ideas and build my own CTF for work. Would I recommend this to any other cyber security/IT persons? Absolutely, the benefits of the community far outweigh the time requirements. The only thing I would suggest is to make sure that you’re having fun with it. I at some points got quite anxious because I saw there were challenges that were incomplete. This says way more about the type of person I am than about the game that the Huntress team put on, so please don’t be discouraged.


TCM Security – PNPT Exam

So I took this exam last week, and it’s fair to say I failed, and pretty hard too. The structure of the exam is really good and I felt that the initial contact was very well written. The Rules of Engagement are super clear and you’re given an OpenVPN file to connect to the network.

The network itself is really responsive, and running scripts and other attacks works really, really well.

The problems

Please note the problems here are all mine. Absolutely nothing wrong with TCM and their practices.

After about 9 hours of trying to get some sort of foothold on the network and getting nowhere, I became super frustrated, so frustrated that I emailed TCM’s support team asking them to check the environment as I was convinced something was wrong. Let’s put it this way: I didn’t send my email graciously; it was a rather panicked, clumsy email that no doubt sounded like I was asking for help and tips. I wasn’t, but I certainly didn’t help myself. They responded in about 10 minutes, which I couldn’t quite believe. They were very gracious in their response and kindly informed me that the environment was working fine with no errors.

The second thing I did, which was super stupid in hindsight, was going to the Discord server and asking for general guidance on OSINT. I was convinced, and still am, that my OSINT sucked. What I was trying to ask for is how people take the information and make the decision on their attacking method. I was quickly pulled into a one-to-one meeting with the moderators and told off. Whilst this is an open-book exam and I felt I was being generic enough to ask, the topic in question is still pertinent to the exam. Just learn from my mistake: don’t do it. Fortunately, the moderator was gracious enough to tell me off and put a temporary ban on my account on the Discord server. They said that if I did anything like that again, my exam would be terminated. It’s not worth it; it’s open book, so just go to Google and research.

Take-Aways

So all in all, I didn’t get very far in the exam; the thing I wanted to test my knowledge on, Active Directory, I never got into, which is a shame. Once I submitted my report the TCM team dropped me a little hint. My jaw dropped as I looked into it, and my wife started laughing her head off because it was rather stupid.

Takeaway 1: I believe the exam is designed for beginner to intermediate; if you’re spending hours and hours coming up with weird and wonderful ways to exploit something, don’t. Just stop!

Takeaway 2: In the courses, Heath talks about the importance of Enumeration. I genuinely believe he’s right here. Make sure your notes are right on this, and make sure you include Reconnaissance and Scanning within your Enumeration.

Takeaway 3: There’s a saying, “try harder”, when it comes to this stuff. However, John Hammond, I think, re-phrases this perfectly as “try again”. If you’re stuck, stop. You might not be able to let go of what you’re doing in your head (I know I can’t); however, take 10-20 minutes off, step away from the desk and get a cup of tea or coffee. Then, when you sit back down at your desk and review all of your Enumeration, it’s likely there’s something in there that you can use which is much easier than whatever you’re looking at.

Next Steps

I’d like to give this another crack; however, all of my Cisco certifications are up for renewal at the end of the year, and with work moving to Juniper I don’t have access to any of their hardware, so I need to put some time aside to get back to it. If I get time I’d like to have another go before the end of the year, but we’ll see what happens with my other certifications. I’ll update here once I’ve had another go.

Attempt 2

So, it happened again. TCM has announced a complete overhaul of their exam scenario, and should I want to make use of the hint I was provided with, I should have another go before the end of 2022. Not ideal with my Cisco certification renewals looming, but I felt I needed to use the knowledge I gained on the scenario and not waste it.

With the hint I got from the last attempt I spent 30 minutes on the re-attempt and had access to the internal network through Proxychains. I attempted to use Responder, MITM6 and NTLMRelayX, but as they all use link-local networking I needed to run the software on the external server. Unfortunately, I couldn’t escalate my privileges on that external server, and as such I couldn’t run those pieces of software as they need root privileges.

I was able to run some brute-force attacks against the internal network and got a user account on the domain, but the account didn’t have any privileges, so I couldn’t use SMB or RDP to get onto the internal network any further. All in all a bit of a shame, but I’m glad I didn’t give up and continued to attempt to gain further access.


Fortigate MFA – Administration

At work, we have been customers of Fortinet for just under 10 years. During this time we haven’t really had anything bad to say about their product, the Fortigate. That was until about a year ago, when we pursued our Cyber Essentials Plus certification. Before we dived into the audit we went over the scope and considered the edge firewalls to be within scope for audit purposes. This meant we would need to show one of two things for our administration access: multi-factor authentication or lockout policies. As we were already big users of Azure MFA we decided to go down this route as an easy win.

Upon investigating how to set this up, we found that Fortinet had their own product, the FortiToken, to provide MFA for administration purposes. However, they did allow Azure MFA through SSL-VPNs, so we decided to see if we could adapt their configuration guide to perform MFA on administration logins. After a load of trial and error we managed to get it working.

RADIUS Server Configuration – Fortigate

config user radius
    edit "NPS"
        set server "10.0.0.100"
        set secret ENC SecretKey
        set timeout 60
        set all-usergroup enable
        set password-renewal disable
    next
end

User Group Configuration – Fortigate

config user group
    edit "Admins"
        set member "NPS"
    next
end

User Configuration – Fortigate

config system admin
    edit "twestby"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set email-to "talan.westby@takeitfurther.co.uk"
        set remote-group "Admins"
        set password ENC SecretBackupKey
    next
end

Network Policy Server

On your Network Policy Server (NPS) install the AzureMFA extension as per the Microsoft documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Next, configure NPS to allow connections from your firewall by setting up a RADIUS Client. All this needs is the firewall’s IP address and the SecretKey configured in the Fortigate RADIUS Server Configuration above.

Next, we had to set up both a Connection Request Policy and a Network Policy. In the Connection Request Policy we left everything at default apart from adding one condition, the RADIUS Client IP, so that the firewall’s requests always hit this policy, and adding a Vendor-Specific attribute in the settings: from the RADIUS Standard attribute list choose Vendor-Specific, enter 12356 as the value (the vendor code), and set it to conform to the RADIUS RFC.

Finally, we set the Network Policy to match two conditions: the RADIUS Client IP and the group of users we wish to allow for this administration, in our case our IT Department. The constraints we use are to enable PEAP in the EAP types and MS-CHAP-v2 as an authentication method. We then set the same Vendor-Specific attribute as in the Connection Request Policy.

Notes

One thing to note here is that we attempted to configure this whilst keeping our old NPS setup active. Don’t do this. We weren’t getting the expected results and were seeing our RADIUS traffic hit both our old and new NPS servers; as the old one didn’t require MFA, it was responding with Access-Accept before the MFA was performed. This took me quite a while to figure out despite having set our group to go via the new MFA NPS server on the Fortigate. The simple solution is either to remove the old RADIUS server from the configuration or to move the configuration across to the new NPS server altogether.
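To check the Fortigate-to-NPS path described in the policy section above, and to catch the stale-NPS race described in these Notes, here is a small RADIUS (RFC 2865) test client as an added example. It is not code from this post, from Fortinet or from Microsoft. It assumes PAP (the User-Password attribute) rather than the MS-CHAP-v2 the NPS policy above uses, the plaintext shared secret from `config user radius`, and that Fortinet-Group-Name is vendor type 1 under vendor code 12356 (the code is the one entered in the NPS policy; the type number is an assumption). The function and server names, the sample user and the Access-Accept reply are constructed for the example so that it runs offline.

```python
"""RADIUS (RFC 2865) test client for the Fortigate -> NPS (Azure MFA) path.
Added example, not code from the post, Fortinet or Microsoft. Assumes PAP (User-Password)
rather than MS-CHAP-v2, and Fortinet-Group-Name as VSA type 1 under vendor code 12356."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26
FORTINET_VENDOR_ID = 12356   # vendor code entered in the NPS Vendor-Specific attribute
FORTINET_GROUP_NAME = 1      # assumed type number of Fortinet-Group-Name

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password (the server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id followed by a nested TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Access-Request as the Fortigate (the NAS) sends it for an admin login."""
    authenticator = authenticator or os.urandom(16)   # random Request Authenticator
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply carrying the RFC 2865 s3 Response Authenticator; used here to build samples offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs

def parse_attributes(data: bytes) -> list:
    """Walk the TLV list, rejecting a Length that would run off the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def fortinet_groups(attrs: list) -> list:
    """Fortinet-Group-Name strings carried back in Vendor-Specific attributes."""
    groups = []
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == FORTINET_VENDOR_ID and vtype == FORTINET_GROUP_NAME:
                groups.append(value[6:4 + vlen].decode(errors="replace"))
    return groups

def check_response(response: bytes, request: bytes, secret: bytes,
                   expected_server: str, responding_server: str) -> dict:
    """Validate a reply: length, Identifier, Response Authenticator under the shared
    secret, and origin from the MFA NPS (the stale-NPS race in the Notes fails here)."""
    result = {"ok": False, "reason": "", "groups": []}
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        result["reason"] = "bad length"
    elif response[1] != request[1]:
        result["reason"] = "identifier mismatch"
    elif hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest() != response[4:20]:
        result["reason"] = "response authenticator invalid (wrong secret or tampered)"
    elif responding_server != expected_server:
        result["reason"] = "answered by %s, not the MFA NPS %s" % (responding_server, expected_server)
    else:
        result["groups"] = fortinet_groups(parse_attributes(response[20:]))
        result["ok"] = response[0] == ACCESS_ACCEPT
        result["reason"] = "Access-Accept" if result["ok"] else "code %d (not Access-Accept)" % response[0]
    return result

def send_to_nps(request: bytes, server: str, port: int = 1812, timeout: float = 60.0):
    """Send and wait; the timeout mirrors `set timeout 60`, which must cover the MFA push."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, (src, _) = sock.recvfrom(4096)
    return reply, src
```

To use it against a real NPS, run `send_to_nps` from a host registered as a RADIUS Client and pass the reply and its source address to `check_response` with the server from `config user radius` as `expected_server`. An Access-Accept that arrives from a different address, or faster than an MFA push could be approved, is the symptom the Notes describe: another RADIUS server is still answering for the same group.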