The following post is a guest blog from recent JOLT Hackathon participant Eric Capuano.
I recently had the great opportunity to participate in the annual #JOLT Hackathon held by the Venture Center in Little Rock, Arkansas. Our team, /dev/null, was even fortunate enough to place 1st in the competition! There was even media coverage of the event. My team can be seen tucked away in the corner during the camera pan.
This guide is intended for anyone that is new to the #JOLTHackathon or to CTF/Hackathons in general. If you are looking for solutions to some of the challenges we solved, see below.
For anyone considering attending JOLT, I would highly recommend it. Too often I've heard the excuse from peers afraid to do a CTF, "I'm not ready for that sort of thing." Well as a member of the winning team this year, trust me when I say, none of us were ready our first time. It's actually going to CTFs and practicing every chance we get that makes us "ready", and even then, there's always a more difficult challenge on the horizon.
Another great reason to attend a CTF is to network with other security-minded folks and seize opportunities to be a mentor and/or learn from others!
All of that said, JOLT is the perfect CTF for beginners and veterans alike. The duration of the event is just right to give you plenty of opportunities to learn new things, but not so long that you're thinking "is it over yet?" The Game Masters came up with some very creative challenges and were very open to feedback on ways to improve them in future games.
JOLT was very well put together and the challenges were great. JOLT is ideally suited for developers, network engineers, sys admins and infosec folks of all skill levels. There was a wide variety of skill levels at the event I attended, but it seemed that teams at every skill level had a great time.
Here are some helpful excerpts I pulled from the scoreboard and the JOLT site to help newcomers know what else to expect from JOLT:
JOLT is a weekend-long cyber security-themed "game of codes." On-site, expert Game Masters monitor and adjust the challenges in a responsive, real-time environment to ensure that everyone has tons of fun while leveraging advanced open source technology and using the tools that power some of the most complex real time solutions in the world. Connect with some of Arkansas’ best tech wizards and explore new tools.
JOLT combines the development of soft skills such as communication, leadership and collaboration as well as real-world, technical hard skills in an exciting interactive learning experience. Challenges are divided by category, with puzzles of increasing difficulty within those categories.
First rule of the JOLT! Hackathon is: Do not hack the scoreboard. Tampering with the scoreboard or logging on as another team will result in immediate disqualification.
Second rule of the JOLT! Hackathon is: This year, some puzzles require each team to use a server container that will be assigned to them. Do not hack other teams' servers. This is not an Attack/Defend competition, this is a friendly Capture the Flag game. Enjoy it!
Some puzzles may require you to build a script or web application to be run from a URL. Feel free to use any cloud resources you wish, such as IBM Bluemix.
Our JOLT event ran from Friday to Sunday, 2/24 to 2/26.
Friday, 6pm to 8pm - Orientation, registration and equipment setup. This was extremely useful because it gave teams an opportunity to set up any equipment they wanted to use such as workstations, monitors, switches, etc. They also made sure that every team was registered on the scoreboard so that teams could hit the ground running first thing in the morning. They discussed the format of the CTF, rules (basically, don't hack the scoreboard) and answered questions. They also fed us!
Saturday, 8am to Midnight - Technically, breakfast started at 7:30am, but at 8am sharp it was Game On! 14 hours of hacking, cracking, lock picking, and flag capturing. 3 meals were served as well as a seemingly unlimited supply of caffeinated and adult beverages.
Sunday, 8am to Noon - Again, breakfast at 7:30am, challenges re-opened at 8am and closed at noon. From noon to about 2pm were closing comments and the award ceremony.
This hackathon is a jeopardy-style CTF covering most of the usual, and even a few unique categories:
- Web Vulnerabilities
- Remote Access
- Reverse Engineering
- Lock Picking (my first time encountering this at a CTF, awesome!)
- Scavenger Hunt
- "Escape room"-like challenge (again, my first time encountering this at a CTF)
There are several challenges in each category, and each is awarded points based on difficulty. Some challenges are pre-requisites that must be solved in order to unlock others. This provided a story-line and progressive difficulty system that worked well.
Important note: We learned the hard way that some challenges were set to expire a certain number of hours into the competition. We did not know that would be the case so we missed a few of the "freebie" challenges simply because we ignored those early on and chose to dive deep into the harder ones. This didn't affect us too much in the long run, but lesson learned!
First and foremost, follow this guideline from the JOLT site:
Each team member must bring their computer of choice. You are encouraged to bring in your equipment on Friday evening so that you are ready to rock on Saturday morning. Ethernet access is limited, so plan for wifi. Extra extension cords are always appreciated. No monitors or computers will be provided.
While that is a great start, here are a few tips to be even further prepared...
If this is your first CTF/Hackathon, you'll want to try some practice challenges to prepare you for what to expect at JOLT. OverTheWire.org provides free, excellent challenges that will prime you for any CTF or Hackathon. I recommend the following challenges as a minimum for prep:
- Bandit: aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.
- Leviathan: doesn't require any knowledge about programming - just a bit of common sense and some knowledge about basic *nix commands.
- Natas: teaches the basics of serverside web-security.
- Krypton: cryptography and ciphers.
Lock Picking: Watch this YouTube video to learn the basics of lock picking. JOLT provided clear plastic tumbler locks for practice, so don't worry about that. Going in knowing the basics will help a lot.
Pro Tip: see the next section about Kali VMs and use one for the challenges above! It's the best way to get familiarized with Kali Linux.
- Computer - You should bring a computer with at least 8GB of RAM, enough to run virtual machines. This isn't a requirement, but highly advisable.
- WiFi Adapter - At a minimum, you need a built-in WiFi adapter to connect to the game network. However, I have it on good word that future JOLT challenges may involve WiFi cracking. For that, I would recommend the inexpensive, yet powerful Alfa Networks AWUS036H (2.4 GHz only). This adapter supports monitor mode and packet injection, which makes it one of the most compatible adapters for WiFi cracking tools such as the aircrack-ng suite.
- Virtualization software such as VMware Player or VirtualBox (both are free).
- Virtual Machines - I would strongly suggest using a Kali Linux virtual machine for the event. Kali already contains a lot of the tools needed for forensics, reverse engineering, password cracking and just about anything you'll encounter in a CTF. It's also a good idea to have a Windows 7 virtual machine, which may come in handy for certain challenges; better to have it just in case. The best part about using VMs for the event is that you can simply delete them afterwards.
- Get a plugin that can intercept and modify HTTP requests made by the browser, e.g. Tamper Data for Firefox.
- Get a plugin that can edit cookies used by sites like Cookies Manager+ for Firefox or Edit This Cookie for Chrome.
- Whatever you do, don't go crazy with browser extensions or bad things can happen. See post: When Browser Extensions Go Rogue
- Get very familiar with the "Developer Tools" of your browser of choice. Here are guides for Chrome and Firefox. Specifically, learn how these tools allow you to inspect and modify how your browser interacts with web pages. You will use these tools for nearly every web-related challenge (as well as for countless infosec analyst activities.)
- Popular CTF Tools - be sure to check out other resources like the ones listed here or here
Create a Slack team for your CTF team! When the heat is on and you need to communicate quickly and efficiently with your teammates, Slack wins.
This recommendation is dual-purpose, because the Game Masters also use Slack which is where you will go for help and be notified of challenge hints or issues.
- You can also do clever things like subscribe to notifications of all Twitter posts by @VentureCenter and all of the Game Masters right into your team's Slack channel! This is important because sometimes useful hints or announcements are posted via social media and you might miss them if you aren't watching! We subscribed to @VentureCenter, @XxSlvrBuletxX, @CitadelAR, @almostdaniel, @quasarj, @thenmal, @alocalresident, @PhotonWalt, @Nicholas_Seward, and @BexFiles.
- As you get more advanced, you can even write custom integrations to query online password cracking databases, run nmap scans, and more.
Twitter. Yes, you'll probably need it.
- Several of the scavenger hunts required teams to Tweet pictures at certain locations. So at least one of your teammates will need an account.
- Twitter is an excellent source of intel and situational awareness leading up to, and during the event. Before attending JOLT (or any similar event), study the Twitter feeds of those who seem to be connected to it. You might learn more about the challenges or even pick up on early clues.
Create a Trello board for your team. Trello is an intuitive task management platform that is very easy to use. This tool serves multiple purposes that any solid CTF team must have covered. Trello is like a virtual "whiteboard" where you can create lists and fill them with "cards" which are like tasks. Within the cards, you can dump tons of information like files, code snippets, comments, etc.
Task Deconfliction - Use Trello cards to keep track of who is working on which challenge. You always want to avoid duplication of effort and try to accomplish many tasks in parallel. Notice in the screenshot of our board above, we created several lists:
- Useful Stuff - quick reference guides we gathered ahead of time. We later restructured it to match the categories of the CTF.
- Not Started - Keep track of challenges that nobody has started yet. Seldom used since the scoreboard clearly shows what has not been completed, but useful if you want to track something specific.
- In Progress - the most important list. This is where your team members will track what they are working on right now and document their work as best they can. This helps other team members know which challenges are already being worked on so that they can focus on something else, increasing the chances of capturing more flags.
- Abandoned - Let's face it, sometimes we hit a brick wall and can't solve the challenge we are working on. Luckily, you documented everything you tried and the results so that when someone else on your team picks up this challenge, they will see everything that you already tried and go from there.
- Completed but not Submitted - We only created this one because there was a brief period that the scoreboard was down and we could not submit flags... This was a holding cell for those challenges so we didn't lose track.
- Completed - self explanatory, where cards go once the flag is submitted. You will almost certainly go back to one or more of these cards to help solve later challenges, so take good notes!
Activity Log - Use Trello cards to log all activities against each challenge. One of the most important "best practices" of doing a CTF, or anything else in the InfoSec industry, is to take good notes.
I'll never forget the time that I was in 2nd place at an individual (non-team) CTF, yet I didn't take very many notes. Right as the 6-hour competition ended, the scoreboard reset and the Game Master said
I've reset all of your scores to zero. You each have 5 minutes to use your notes to re-enter all of the flags you captured. Hope you took good notes :)
While that may seem like a dirty trick on the part of the GM, I will say that it was fair-play in the context of that particular CTF. I ended up placing 9th instead of 2nd, but a valuable lesson was learned that day!
- Integrations - Oh, and the best part about using Trello? It integrates directly into your team's Slack channel. So now you have a real-time feed of your team's activities in the same place that you are communicating with them!
This guide is not all-inclusive, but just covers some of the basics that will help keep a team organized and on track.
Eric Capuano is an Information Security professional from Austin, Texas, and serves state and federal government as well as SMBs, start-ups and non-profits. He is also a member of the Packet Hacking Village team at DEFCON. You can find him on Twitter here.