“Overall I think that the CTF put on by SecurityMatters was one of only two CTFs that I have ever participated in that were designed to teach participants rather than test them. For this I am eternally grateful to the architect of the CTF, @InfoSecHoudini, because the little time I had to compete in that CTF taught me far more than I was ever expecting. The SecurityMatters CTF has left me with a longing and need to find another just like it so I can continue to learn and better my understanding of the massive world of ICS CyberSecurity.”
[email protected], winner
This year SecurityMatters was a platinum sponsor of the SANS ICS Summit, so we wanted to create a unique activity, something compelling but educational, in the spirit of the SANS ICS event. My colleague Brian Proctor (@brianproctor67) and I decided to create a “Hacking Challenge” or mini Capture the Flag (CTF).
The goal of the challenge was to guide the participants to build their knowledge of both control systems and security by hacking a full-blown network controlling SecurityMatters’ model city, affectionately known as Gotham City, to shut off the city lights and leave the citizens in despair. The idea was to mimic a real network that an adversary would face, so I came up with some rules of engagement for the CTF, asking the contestants not to portscan certain endpoints and not to attack each other.
If you read Michael Mitchell’s (@AWildBeard) “SecurityMatters SANS ICS Summit CTF: Thoughts and Write-Up”, you will understand the environment that the contestants faced. It comprised several virtual machines, each with its own purpose, plus ICS equipment. The steps were designed to be fun and to test many different skills of the participants, from ICS knowledge to steganography. And, of course, SilentDefense would detect their every move, revealing their exploits to everyone at the Summit!
The first day was really exciting. I gave the contestants only a few hours at the end of the day to attack Gotham City’s power grid. We started the challenge at 2 PM, and initially I was stunned at the turnout. Most contestants came and went, but others kept at it throughout the two days. The contestants were helping each other out and provided encouragement when necessary. Because of my past as an ethical hacker, I suggested that they document everything. Being the architect of this challenge, I would chuckle to myself when they reached a dead end or followed a rabbit hole for an hour. After following their progress carefully using SilentDefense, I prepared some hints to nudge the game in the right direction.
At 5 PM Dennis Murphy (@CyberMurphy) pulled the plug on the access point and shut down the environment. I suggested that the participants stay up a little later than normal and read up on the intel gathered during the three hours of the hacking challenge.
Time for a nice night in Orlando with other conference attendees and friends!
While I was refreshed, the contestants were not. Heeding my advice about deciphering their intel, they restarted at 10 AM. Here I placed a hint about a certain picture and steganography. This was my first real hint to propel them forward. It worked, and they learned something new about wordlist generators like CeWL and password crackers like hashcat or John the Ripper.
I had left a bunch of hashes in the network. Some were rabbit holes, and some weren’t. They finally made it to the Engineering Workstation through an open VNC service and a password they found using steganography. They found the workstation to have an open HMI system and hit the shutoff button. Nice try!
I had left that HMI running for a piece of ICS equipment that was not related to the challenge.
While taking part in their excitement, I decided to give them another hint. I reminded them that the pentesting phases form a life cycle rather than a straight line, and asked them to reason about what they could “see” from their vantage point on the Engineering Workstation. They began gathering more information and enumerating the new devices, but they only had half of the puzzle. They revisited the other machines and found an open SMB file share. The next hint involved researching ways to crack password-protected PDF files and looking up Python scripts like PDF2Hashcat and PDF2John on the Internet.
They were able to crack the docs, gaining access to an FTP service which contained plaintext credentials. Armed with these credentials, they went back to the Engineering Workstation, logged into the web HMI, and finally shut off the lights to Gotham City.
We were really ambitious designing this challenge. We wanted the contestants to learn about what they might see on real ICS networks, but we wanted it to be a lot of fun, too. After reading Michael Mitchell’s walkthrough, I really think that we achieved our goals for this Hacking Challenge.