Oct 9, 2023

Raymond James CTF 2023 Write-up

The theme of the CTF is 'Generative AI: Transforming cyber defenders of tomorrow.' Indeed many challenges seem readily solvable with ChatGPT and a little understanding.

pacman (misc)

File

So we can easily open this with Wireshark and observe that it has a list of 10-byte HID data:

0200efffefff00000000 0200eefff6ff00000000 0200ecfff6ff00000000 0200f3fffbff00000000 0200ecfff8ff00000000 0200ebfff7ff00000000 0200eefff9ff00000000 0200edfffaff00000000 0200f6fffdff00000000 0200f1fff9ff00000000 0200f1fffcff00000000 0200f4fffcff00000000 0200f5fffdff00000000 0200f6fffeff00000000 0200fafffeff00000000 0200f8fffeff00000000 0200f8fffeff00000000 0200f9fffeff00000000 0200f9ffffff00000000 ......

ChatGPT is actually very good at observing it:

Examining the data, the following pattern seems evident:

Given the pattern, this data very likely originates from a USB HID mouse:

This interpretation is further bolstered by the signed 16-bit values. When viewed in a signed context, some values represent slight movements to the left or up (negative values) while others indicate movements to the right or down (positive values).

It is also possible to ask ChatGPT to plot it. After a bit tweaking we get something like this:

import os import matplotlib.pyplot as plt os.system("tshark -r pacman.pcap -T fields -e usbhid.data 'usb.data_len == 10' > usb.dat") with open('usb.dat', 'r') as f: usb_data=f.readlines() # Convert 2 bytes from the data string to a signed 16-bit integer def bytes_to_int(byte_str): val = int(byte_str, 16) if val >= 0x8000: val -= 0x10000 return val usb_data = [data for data in usb_data if data[2:4] == "01"] # Extract X and Y movements x_movements = [bytes_to_int(data[6:8] + data[4:6]) for data in usb_data] y_movements = [bytes_to_int(data[10:12] + data[8:10]) for data in usb_data] # Calculate cumulative movement for plotting x_positions = [sum(x_movements[:i+1]) for i in range(len(x_movements))] y_positions = [-sum(y_movements[:i+1]) for i in range(len(y_movements))] # Plot plt.figure(figsize=(10,6)) plt.plot(x_positions, y_positions) plt.title("USB HID Movement") plt.xlabel("X Movement") plt.ylabel("Y Movement") plt.grid(True) plt.show()

We get something like this:

It is actually a bit hard to read, but after trial and error we get th3 pacman t0ken you s33k is capcapyouf0undit.

book (web)

Very classical book cipher:

book = [ """ Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location. """, """ Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization. """, """ At Cyb3rg0v solutions, we align to the NIST 800-207 standard for Zero Trust. This is the most vendor neutral, comprehensive standards, not just for government entities, but for any organization. It also encompasses other elements from organizations like Forrester’s ZTX and Gartner’s CARTA. Finally, the NIST standard ensures compatibility and protection against modern attacks for a cloud-first, work from anywhere model most enterprise need to achieve. """, """ As a response to the increasing number of high profile security breaches, in May 2021 the Biden administration issued an executive order mandating U.S. Federal Agencies adhere to NIST 800-207 as a required step for Zero Trust implementation. As a result, the standard has gone through heavy validation and inputs from a range of commercial customers, vendors, and government agencies stakeholders – which is why many private organizations view it as the defacto standard for private enterprises as well. """, """ Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches. Studies have shown that the average cost of a single data breach is over $3 million. Considering that figure, it should come as no surprise that many organizations are now eager to adopt a Zero Trust security policy. """, ] book = "".join(book) text = "2:1, 10:2, 1:2, 51:1, 55:3, 59:1, 6:9, 5:7, 20:5, 33:1, 14:3, 30:4, 135:1, 142:2, 296:2, 5:1, 282:2, 304:3, 313:7, 3:1, 94:7, 61:1, 7:9, 207:1, 220:9, 8:2, 90:2, 5:3, 23:1, 99:1, 120:1,86:1, 22:1, 315:5, 67:1, 74:1, 350:1, 322:2, 30:4, 98:6, 55:2" pairs = [(int(pair.split(":")[0]), int(pair.split(":")[1])) for pair in text.split(",")] words = book.split() a = [] for p in pairs: a = a + [words[p[0] - 1][p[1] - 1]] print("".join(a))

cap (web)

Bascially we have to find the entry point http://example.com/Cyb3rg0vAdmin/Login.aspx. The Cyb3rg0vAdmin part is really hard to find without a hint from the organizer…

Random Things

I feel their announcement can really be improved by ChatGPT :)

Welcome to 2023 Raymond James CTF. Here are the rules of engagement for this year's CTF.

  1. Players must be onsite and on the game floor to participate in the Raymond James CTF. Under no circumstances will anyone be allowed to participate remotely. Any team found making use of remote participants will be disqualified and asked to leave the game floor.
  2. We are not providing or guaranteeing Internet access. Do not expect to have Internet access via the CTF network.
  3. Your team is not authorized to plug any equipment into the CTF network with the exception of one laptop computer per onsite team player. If your team is noted as having any additional equipment plugged into the CTF network your team will be disqualified and asked to leave the game floor. There is no flexibility on this rule, no second chances…consider this as the only warning.
  4. Teams are expected to provide their own laptop computer systems to plug in to the CTF network. Do not try to read between the lines on this…it's pretty straightforward, 1 laptop computer plugged into the CTF network per onsite team player…no exceptions. If your team brings additional laptop computers, they are not authorized to be plugged into the CTF network. A tower system may be used as a substitute for a laptop. If you have any questions on the type of system you are allowed to use, check with the Support Team prior to the event.
  5. Stay in your lane. Your team is not authorized to attack, scan or otherwise interfere with any assets that are not provided directly as a target address (Web or IP) assigned to your team. There are no exceptions to this rule. If your team is identified as violating this rule your team will be disqualified and asked to leave the game floor. This includes but is not limited to the use of additional wireless equipment that has not been pre-approved, setting up your own access point, jamming, interfering, collecting traffic or overpowering the Raymond James access points etc, etc.
  6. Your team is not authorized to bridge anything to the CTF network. This includes but is not limited to wireless Internet, 3G/4G mobile connections, etc, etc. There are no exceptions to this rule. If your team is identified as violating this rule your team will be disqualified and asked to leave the game floor.
  7. If your team is tasked with a physical security challenge, we will provide you with the minimal necessary tools to complete the task. Your team is not expected to or authorized to bring additional equipment. Any physical security challenges received must remain in a provable working condition upon completion of the task.
  8. Do NOT blindly scan for targets, it's a waste of time and bandwidth. When your team receives a target, if you feel it necessary to scan that target you are authorized to do so. In most cases, you will be provided an address (Web or IP) and port number. Teams are not authorized to attack each other. If you find yourself in question as to the target you are proceeding after, get clarification. Violations of this rule will get your team disqualified and asked to leave the game floor.
  9. Expect to retrieve t0k3ns, plant t0k3ns and solve a variety of challenges. Once you have a t0k3n, unless otherwise directed, move on to the next challenge.
  10. The laptops your team brings should have a virtual machine software installed such as VMware, or VirtualBox. At least one team laptop should have wireless capability. All laptops should have the capability to connect to an Ethernet network.
  11. Most important…if you have questions before the competition contact the Support Team at [email protected]. Once teams are onsite ask the Command Center Staff for any clarifications.

Interacting with Gam3z Inc Support/RJ Staff:

ChatGPT version:

Welcome to the exhilarating 2023 Raymond James Capture The Flag (CTF) challenge! As we gear up for a riveting competition, here's a rundown of the game rules to ensure a smooth and enjoyable experience for all participants:

  1. Players, your presence on the game floor is essential for partaking in the Raymond James CTF adventure. Unfortunately, remote participation isn't an option this year. If a team is discovered utilizing remote players, a gentle exit from the game floor will be required following disqualification.
  2. While we strive for a seamless experience, we're unable to promise internet connectivity. The CTF network might not provide internet access, hence come prepared.
  3. Your team is permitted to connect one laptop per onsite player to the CTF network. Any deviation noted, such as additional equipment, will regrettably lead to disqualification and a request to vacate the game floor. This rule is steadfast with no room for negotiation, so consider this a friendly heads-up.
  4. It's expected that each team comes with their own laptop for plugging into the CTF network - a simple one laptop per onsite player rule. In case of additional laptops, they're to remain disconnected from the CTF network. However, a tower system can replace a laptop if preferred. Any queries regarding permissible system types? Feel free to reach out to the Support Team before the event.
  5. Maintaining your focus is key! Your team should only interact with designated target addresses (Web or IP). Any unapproved interactions, including, but not limited to, the usage of unauthorized wireless equipment or setting up personal access points, will unfortunately result in disqualification and a polite request to leave the game floor.
  6. Bridging external networks to the CTF network is not allowed, this includes wireless or mobile connections. Adhering to this rule is crucial to continue enjoying the game.
  7. For physical security challenges, we'll equip you with essential tools. Your team isn't required to bring extra equipment. It's important to ensure the challenges remain in a demonstrable working condition post-completion.
  8. Scanning indiscriminately for targets isn't advisable as it's both time and bandwidth consuming. Upon receiving a target, feel free to scan if deemed necessary. Missteps in this rule may lead to disqualification, so when in doubt, seek clarification.
  9. Engage in a quest for tokens, plant them and unravel a myriad of challenges. Once a token is secured, gear up for the next thrilling challenge!
  10. Your team's laptops should be outfitted with virtual machine software like VMware or VirtualBox. Ensuring at least one laptop has wireless capability and all can connect to an Ethernet network will set you up for success.
  11. Queries are welcome! Prior to the competition, direct your questions to the Support Team at [email protected]. Onsite, the Command Center Staff is at your disposal for any clarifications.

Interactions with Gam3z Inc Support/RJ Staff:

We're thrilled to have you at the 2023 Raymond James CTF and wish you an exciting and intellectually stimulating competition ahead!

I will have you decide which version is better :)