phdays12

I haven’t been at an IT conference (or out of the house for that matter) in a while. With summer approaching quickly I decided to visit Positive Hack Days in Moscow’s Gorky Park. The conference had quite a bit of social media coverage and hype. I reached out to my friends over at xakep (an IT security magazine that I used to read back in the early 00s, which went digital a handful of years ago), who got me an entry ticket, booked the flight and hotel and got ready to relax and chill for a weekend. Boy, was I wrong…

I landed in Moscow early Friday morning and slowly made my way towards the park. People were gathering slowly, I got my pass and started studying the tracks. There were literally a dozen of them over two days, so I picked and planned, keeping in mind that they would upload talk videos quite quickly to their channel.

Before the talks began I headed into the Standoff stand, the main attraction of the event. This held a CTF contest between a bunch of blue and red teams. A large and fancy interactive city model in the middle of the standoff displayed the current state of the CTF, with smoke machines, stage lights and loud music to go along with it all. The lack of technical details (visitors weren’t allowed to get close to the teams’ computers to watch) quickly made it evident that this was a mere show, one that quickly lost my interest.

But what did end up capturing my interest was the handful of open CTFs that were available all around the conference:

  • $NATCH: the ATM. An ATM machine virtual image (ova download available here) connected to a model ATM machine at the venue which spewed out cash for every flag
  • $NATCH: the bank web and mobile apps.
  • $NATCH: cash register. A physical production-grade cash register with no rules but a bug bounty program attached.
  • AI Track: Data Breakout. An escape room puzzle.
  • Ethical Hacking. A MATIC contract CTF on the Polygon Mumbai testnet.
  • IDS Bypass. Six nodes behind a real IDS which pings you in Telegram upon detection.
  • Wireless Fuzzy Frenzy. A wireless-themed CTF.
  • 2drunk2hack. A tequila-driven CTF.
  • PHD bot. A public arcade/funpark QR hunt.
  • UserGate’s seccomper. A traditional reverse engineering/cracking CTF.
  • Python Conf++ afterparty pass CTF (unofficial, impromptu).

Wireless Fuzzy Frenzy

Long gone are the days of wardriving; my collection of antennas, adapters and software was left behind somewhere in 2005. But this CTF didn’t need anything fancy and was the first one up, so I decided to give it a go. We had 5 flags to capture, so I started with the more difficult ones.

We got a sound file of some typing, an image with fingerprints on the keyboard, and a cap file with a WEP authentication handshake. This was straightforward. aircrack-ng with some wordlists generated by pydictor gave me the password within 15 minutes. I was inside the network; an nmap showed an HTTP server running on a non-typical port, which served a 3D video, a couple of frames of which had a QR code with the flag. Done.

The second hardest was actually a bit harder. We got a CSV file with tens of thousands of SSIDs, coordinates and signal strengths from a real wardrive somewhere in the middle of Russia. The assignment said that the flag is hidden on a wireless network with the most “normal” name. There was a hidden network, but I couldn’t capture any broadcast frames to get the name (even by restarting the routers physically by cutting their power, sorry orgs), nothing connected to them, and the other contestants were behind. I had to bring out my second most powerful weapon after my technical skills – my social engineering ones. Turns out that “normal” hinted at being an average of all SSIDs. A tiny script later I had the average of all SSIDs in the CSV, and this matched the hidden network name. Scanned the network, found the server, downloaded 100 zip files, half of which were password protected… I immediately understood where this was going: known plaintext PKZip attack (legacy). There are a couple of open-source tools for this, and 40 minutes later I had recovered the key and bruteforced the password.

The three remaining flags required us to find three transmitters physically and scan their QR codes. One was in plain sight. Once I knew what to look for I quickly found the second one, and managed to scan it after a tiny argument with security, who said I wasn’t supposed to snoop around. The third transmitter was hidden in the AI quest room. This room had a queue of participants stretching into the next day. I needed to get in without signing up for the game. Pulled out my social engineering box once more to get 30 seconds in the room alone between batches of participants.

Before I knew it I had spent half of the first day winning one CTF, having missed a bunch of talks and lunch. More importantly, I realized that a lot of progress had been made on the other CTFs and it was quite late to start most of them.

I did win quite a bit of cool loot, however, including a quadcopter from this CTF.

$NATCH: cash register

Not too much progress had been made on the cash register, however. It appeared to be production-grade, with a bug bounty and no flags. These are the best kinds of challenges. They’re real, not a game. While root access was easily attained by participants, nobody seemed to know what to do next. I asked for 5 minutes with the thing (there was a queue of people wanting to take a stab at it), connected to the network and dumped some files that seemed promising for later analysis, hoping to relax at some of the remaining talks for the day.

Of course no relaxing was possible. Having found and decompiled some jar files that were autostarted as root listening on ports (an updater engine and a remote synchronization engine) I knew this was where the vulnerabilities would likely be. Not to mention the fact that both contained vulnerable log4j libraries, which I immediately sent a bug bounty report for. I slowly studied both services and found potential points of entry, which would allow an attacker on the same network to gain access to these registers.
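The first thing worth automating when you have dumped jars off a device like this is the library inventory: which log4j-core version ships inside, whether it is bundled in a nested jar, and whether the JndiLookup class is still on the classpath. The script below is an added example and not the author’s or the register vendor’s code; the jar contents it inspects are constructed in memory, and the 2.17.1 threshold is the fixed 2.x release published by the Log4j project (patched backports for older branches such as 2.12.x and 2.3.x would be flagged by this simple comparison and need a manual check).

```python
"""Inventory log4j-core in jar files pulled off a device.

Added example, not code from the post or from the cash register vendor. The
jar contents below are constructed in memory; FIXED_2X is the fixed 2.x
release published by the Log4j project.
"""
import io
import zipfile

# Paths Maven-built log4j-core jars carry; used as fingerprints.
LOG4J_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_2X = (2, 17, 1)


def inspect_jar(data: bytes) -> dict:
    """Read one jar (bytes) and recurse into any jars nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if LOG4J_POM in names:
            for line in zf.read(LOG4J_POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        # Fat/uber jars and Spring Boot archives bundle libraries as inner jars.
        nested = {n: inspect_jar(zf.read(n)) for n in sorted(names) if n.endswith(".jar")}
    return {"version": version, "jndi_lookup": JNDI_LOOKUP in names, "nested": nested}


def version_tuple(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); only the digits of each component are kept."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def assess(report: dict, path: str = "<root>") -> list:
    """Turn an inspect_jar() report into a list of findings to act on."""
    issues = []
    v, jndi = report["version"], report["jndi_lookup"]
    if v is not None and version_tuple(v) < FIXED_2X:
        if jndi:
            issues.append(f"{path}: log4j-core {v} with JndiLookup.class present, upgrade")
        else:
            # Deleting the class was the published interim mitigation; still not a fix.
            issues.append(f"{path}: log4j-core {v} with JndiLookup.class removed, still upgrade")
    elif v is None and jndi:
        issues.append(f"{path}: JndiLookup.class present but log4j-core version unknown")
    for name, sub in report["nested"].items():
        issues.extend(assess(sub, f"{path}/{name}"))
    return issues


def make_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(LOG4J_POM, "artifactId=log4j-core\ngroupId=org.apache.logging.log4j\n"
                    f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    return buf.getvalue()


def make_fat_jar(entries: dict) -> bytes:
    """Constructed application jar bundling other jars (e.g. under lib/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    app = make_fat_jar({"lib/log4j-core-2.14.1.jar": make_sample_jar("2.14.1", True),
                        "app/Main.class": b"\x00"})
    for issue in assess(inspect_jar(app)):
        print(issue)
```

Run it against real files with `inspect_jar(open(path, "rb").read())`; the report keeps the nesting so a finding names the inner jar, which is what you want in a bug bounty write-up.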

Completely absorbed in the CTFs, the last talk of the day I caught was the sunset. On my way out I decided to look into the funpark…

PHD bot

Around 15 games and activities were set up across Gorky Park. Anyone visiting was allowed to participate in these security-themed fun park attractions, get points in the form of a QR code, which when scanned sent a message to a Telegram bot.

I wasn’t in this for the games. I swiped the code over a clueless visitor’s shoulder and saw that it was a link in the form of:

https://t.me/PHDays23_bot?start=tp_SessionSaveQR-did_d11-sid_-sc_121-tm_9990-ts_16845269910

Ah. No HMACs! Beautiful. I headed towards the hotel. I needed to get some sleep, but the cash register jar files and the PHD bot kept me up till morning. I did figure out that did_dXX was the activity, sc_XXX was the score and ts_XXXXXXXXXXX was the timestamp. The timestamp prevented duplicate submissions. Long story short, I bruteforced the activity IDs with a score of 9999. There was a score cap on every activity, so the maximum total score achievable was 855.
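The fix for this class of bug is to have the server mint the QR payload with a keyed MAC over the fields and to verify it, together with a replay check and the per-activity cap, before crediting anything. The script below is an added example and not the PHD bot’s code: the did_/sc_/ts_ field names mirror the link quoted above, while the sig_ field, the secret key, the cap values and the function names are constructed for this example.

```python
"""Signed and replay-checked bot deep links.

Added example, not the PHD bot's code. The did_/sc_/ts_ fields mirror the
link quoted in the post; the sig_ field, SECRET_KEY, SCORE_CAPS and the
helper names are constructed for this example.
"""
import hmac
import hashlib

BOT_URL = "https://t.me/PHDays23_bot?start="

# Organiser-side secret. Constructed placeholder: the real key lives only on
# the server that mints and verifies codes, never in a QR or a client.
SECRET_KEY = b"example-only-organiser-secret"

# Maximum score per activity. Constructed values; the post only says that
# per-activity caps existed.
SCORE_CAPS = {"d11": 150, "d12": 100}

TAG_LEN = 20  # hex chars of the HMAC-SHA256 tag kept (80 bits)


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def encode_start_param(did: str, sc: int, ts: int, key: bytes = SECRET_KEY) -> str:
    """Mint the start parameter for one QR code: fields plus an HMAC tag."""
    body = f"did_{did}-sc_{sc}-ts_{ts}"
    return f"{body}-sig_{_tag(body, key)}"


def deep_link(param: str) -> str:
    return BOT_URL + param


def verify_start_param(param: str, now: int, seen: set,
                       key: bytes = SECRET_KEY, max_age: int = 24 * 3600):
    """Validate a submitted start parameter.

    Returns (accepted, reason, credited_score). `seen` is the server-side set
    of (activity, timestamp) pairs already credited; it is updated on success.
    """
    body, sep, tag = param.rpartition("-sig_")
    if not sep:
        return False, "unsigned", 0
    # Constant-time compare so tag guessing leaks nothing through timing.
    if not hmac.compare_digest(_tag(body, key), tag):
        return False, "bad signature", 0
    fields = dict(chunk.partition("_")[::2] for chunk in body.split("-"))
    did = fields.get("did")
    if did not in SCORE_CAPS:
        return False, "unknown activity", 0
    try:
        sc, ts = int(fields["sc"]), int(fields["ts"])
    except (KeyError, ValueError):
        return False, "malformed", 0
    if sc > SCORE_CAPS[did]:
        return False, "score above cap", 0  # defence in depth behind the MAC
    if ts > now + 60 or now - ts > max_age:
        return False, "stale or future timestamp", 0
    if (did, ts) in seen:
        return False, "replay", 0
    seen.add((did, ts))
    return True, "ok", sc


if __name__ == "__main__":
    now, seen = 1_700_000_000, set()
    link = encode_start_param("d11", 121, now - 60)
    print(deep_link(link))
    print(verify_start_param(link, now, seen))                      # accepted
    print(verify_start_param(link, now, seen))                      # replay
    print(verify_start_param(link.replace("sc_121", "sc_9999"), now, seen))  # bad signature
```

Note that the verbose tp_/sid_/tm_ fields from the original link were dropped: Telegram caps the start parameter at 64 characters, and the signed form above stays within that while still binding activity, score and time to the tag. The `sc` cap check is kept even though the MAC already prevents tampering, because a failing cap check on a validly signed code points at a bug in the minting side rather than at a visitor.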

With an hour or two of sleep, I headed back for day two. Got my first place loot for the PHD bot fun park contest without the fun.

seccomper

The seccomper binary gave me a chance to try some of the newer RE tools on the market. I landed on radare2, a scriptable framework which I loved. Unfortunately, due to networking, the award ceremonies for the CTFs I had won and a huge lack of sleep I didn’t manage to reverse this one in time, and UserGate wrapped up their stand quite early.

2drunk2hack

The reason for not getting at least some morning sleep was simple: I needed to get into the drinking hacking contest. I knew there were only 20 spots and I needed to reserve one at all costs. I arrived super early to talk my way into it. The organizers said it was going to be a live queue at 4pm, but I pressed and told them I really wanted in. They told me to come a bit earlier to see if I could get in, but I continued to bug them throughout the day, marking myself as a nuisance. At 4pm this paid off, as I reminded them how much effort I had been putting in since 8am. I got in.

One shot of tequila before the start, and one every 10 minutes for an hour of straight hacking. Extra shots were to be taken by those who were caught by the WAF most. There were around 30 flags to capture across 6-7 PHP webapps ranging from SQL injections to CSRF, XSS, LFI, RCE, etc. A bunch of participants did automated scanning and ramped up their WAF scores to over 5000 detections. This meant that I was guaranteed (with my measly 3 detections) to never drink extra and could concentrate on the flags, as I wasn’t using automated tools (fuzzers, scanners).

You can watch the event here, see if you can find me and count the number of shots I took. The commentators mention me a couple of times as I was solidly in the top 3 until almost the end, when the ones with automated tooling and not a care in the world fuzzed their way through to the top. This was fun, but I got squeezed out into 6th place, won a 2drunk2hack t-shirt and stumbled towards my last impromptu CTF.

Python Conf++ afterparty

Having networked quite a bit over the days, a guy approached me asking if I was going to the Python Conf++ afterparty, which was to start in 15 minutes in a restaurant nearby. He showed me a sticker I had to get and told me his buddy, who wasn’t attending, had gifted his pass to him, and that these passes were to be bought in advance. Challenge accepted.

I had 15 minutes to get a sticker somehow. I started approaching people who looked like staff for the Python section and quickly landed in front of a young man with two stacks of stickers. My social engineering skills (read: begging) didn’t get me a sticker. The lad was too scared to hand one out or let me steal one; as it was his first time, he was afraid to get into trouble. I asked who he thought he’d get in trouble with. He pointed towards a small crowd of girls.

Nice. I approached with confidence (in part thanks to the tequila) and asked if I could have a sticker. They explained that the sticker passes were for those on the guestlist only and I wasn’t on there. I pressed on and said that I’m a Python aficionado and the only reason I missed every single talk in their track was because I was busy with the CTFs. I showed them my hacker badge (the badges had the name and the company name, and since I came via the xakep magazine my badge literally said “Хакер”). Slightly impressed, they found a silly excuse not to give me a pass: they said I’d have to talk to their top Python guy and he would quickly interview me so that they could find out that I was full of bullshit.

Well, I wasn’t. I accepted their challenge and reminded them that I get a sticker pass if their top guy says I’m good. They phoned their guy, and he came in a couple of minutes. I started telling him how much I love Python, that he should visit my GitHub account, and that I would really love to tell him at the afterparty how I built Pressjitsu, a hosting company, using Python. He looked at me, at the loot I was carrying, and took a look at my badge. Said: he’s a hacker. Give him a sticker.

And that’s how I captured my final flag of the day, got to drink more at the afterparty and networked with even more cool folks from cybersecurity companies. I do not remember how I got to the hotel.

With foresight I had booked the return flight home on Monday evening instead of Sunday, but I nearly missed that as well, as the 48+ hours of no sleep and quite a bit of drink had me wake up a mere 4 hours before my flight, with 12 missed calls from my worried wife. Longest sleep I’ve ever had, I think. I think I’m getting old…