At the beginning
The Missing Link took a road trip to be part of BSides Canberra, Australia’s largest cyber security conference. The primary goal of our trip was to win their prestigious capture-the-flag (CTF) game again. BSides has grown from a modest 360 attendees five years ago to over 2,000 attendees, making another win much more difficult. Along with the increase in competition (as many of Australia’s best hackers also signed up), the organisers have been consistently upping the challenge, creating longer and more demanding CTFs than in previous years.
Following up on last year’s win, Matt Bush was anxious to participate in the 'Pwn to Drone' competition and this time he brought some team members along to share in the potential glory, because hacking and flying a drone by yourself is no fun! Elad Shamir, Danyal Drew, and Melody Lei were the first to show up on Friday morning with laptops in hand, and thus #DreamTeam was formed (we may be good at hacking, but we don’t claim to be good at coming up with team names).
Getting down to business
As usual, the objective of the Pwn to Drone CTF is to compromise your way through a fictional company’s corporate network, find the systems controlling the drone, then defeat the security controls to fly the drone. First to fly the drone gets to keep it. This year’s CTF environment expanded over the previous years to cover a wider variety of security domains, including web applications, Active Directory, and embedded Industrial Control Systems running on AVR architecture.
Because there were four team members all hacking the environment at the same time, a collaboration tool was necessary. Cobalt Strike, being the red teaming post-exploitation tool of choice, was used for command and control (C2) and to share compromised credentials, sessions, and shells between team members.
The first step was to breach the external perimeter, which was done through an unpatched PHP web site that contained a remote code execution vulnerability.
Breaching the perimeter put the team into the DMZ where the web servers were running, but after performing internal network reconnaissance using Nmap, it was clear that access to the internal network and operational technology (OT) network was required to get to the drone control systems.
Using the DMZ servers as a pivot to the internal network, account credentials were stolen from an IT workstation using mimikatz. One of the stolen credentials belonged to a domain administrator, so by passing the hash of this account, other servers on the internal network were methodically compromised until one was found that could be used as a jump box to the OT network. The OT servers, however, were joined to a different domain, so none of the compromised accounts was useful in this new domain.
After the team was stumped for a bit, hashcat was used to crack the previously obtained password hashes, and it was found that one of the cracked passwords was being reused in this new domain, so access was finally gained to the OT servers.
Winning the battle
On the OT servers, firmware controlling the door locks on the drone hangar was discovered. Reverse engineering this firmware would have revealed a buffer overflow that could be exploited to disengage the hangar locks without authorisation, and we would have achieved the goal. Unfortunately, time was up and three teams were tied for the highest score. However, one team had reached every checkpoint first, and that team was The Missing Link, so we were declared the winner and got to take home the drone. As a reward, the organisers of the competition let the team use the manual override (a good old-fashioned lock and key) to release the drone to the skies.
While flying a drone isn’t something we normally get to do during our red team engagements, the rest of the Pwn to Drone competition very closely resembled what we’ve seen in our clients’ environments. Because The Missing Link was the fastest team to complete all the tasks, we had one additional concern: not to leave behind any artifacts or easily identified indicators of compromise that would allow the other teams to follow in our tracks. Using the proper tools and relying on previous experience helped a lot with avoiding detection, and that experience is what makes our red team so effective at adversary simulation and evading the blue team.
In addition to red teaming, The Missing Link also provides penetration testing, physical security, and web application assessments. If you would like to put your security team to the test you can request an assessment here.