In the context of the 8th Infocom Security Conference, held on April 18-19, 2018 at the Dais Conference Center in Athens, Greece, the EthiHak 2018 Capture The Flag (CTF) competition took place, hosting, among others, the Greek qualifiers for the 2018 European Cyber Security Challenge (ECSC 2018) contest that will be held this year in London, UK on October 15-17, 2018. The challenges for the EthiHak 2018 contest were the same for all participants, but only those who competed individually and were at most 25 years old had the right to claim a place in the National Cyber Security Team of Greece. As a matter of fact, our security expert Petros Mantos (0nlyslayer) participated in the EthiHak 2018 contest and qualified second for the Hellenic Cyber Security Team.
The challenges provided this year were of a higher level of difficulty than those of previous contests, since the creators were from the Greek CTF team Greunion, which is, at the time of writing, one of the top 20 CTF teams worldwide (based on the ranking at “ctftime.org”). There were a total of 22 challenges from various IT security categories, while the scoring system was dynamic and thus the final score given for the solution of every challenge was calculated based on the number of contestants who solved it. More specifically, the challenges belonged to the following categories:
a) Web Challenges, wherein multiple vulnerabilities existed, exploitable among others through Remote Command Execution, Cross-Site Scripting (XSS) and Elastic Search Injection attacks – these were extremely demanding and required deep knowledge of the underlying vulnerabilities in order to be exploited;
b) Crypto Challenges, wherein the contestants were required to take advantage of poor cryptographic implementations in order to gain authorized access to the application given or decrypt the provided ciphertext containing the desired flag;
c) Reversing Challenges, wherein the contestants needed to study the inner workings of the given binaries by using reversing tools, in order to find the required input and gain authorized access to the application – including the analysis of an obfuscated Python script;
d) Forensic Challenges, which were not as demanding as the rest of the challenges, but were of extreme interest. For example, a specific challenge required the analysis of a “.pcap” file, which contained traffic produced through the usage of a USB keyboard. The contestants were required to translate the key-events present in those packets and acquire the keys typed by the attacker. In addition, there were challenges which required the analysis of a Windows registry dump and a challenge where hidden communication took place through the DNS protocol;
e) Network Challenges, wherein the contestants were required to connect to the target network through a VPN connection and perform attacks such as ARP spoofing, DNS Poisoning and SSL/TLS Downgrade attacks. In one of those challenges, there was a compromised Web server, from where a reverse shell was spawned towards an attacker-controlled server every few minutes. The contestants were required to ARP-poison the compromised Web server in order to force it to connect back to them and gain a shell; and
f) Pwn Challenges, wherein a custom exploit had to be created and used in order to take advantage of the underlying vulnerabilities and gain a shell.
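The USB keyboard analysis described under the Forensic Challenges can be illustrated as follows. This is an added example, not code from the contest or its organizers; it assumes the 8-byte HID boot-protocol reports have already been extracted from the capture in order, and it assumes a US keyboard layout. The function name, key map and sample reports are constructed for illustration.

```python
"""Decode 8-byte USB HID boot-keyboard reports into the text that was typed.
Report layout: [modifier bits, reserved, key1..key6] (HID usage IDs)."""
import string

SHIFT_MASK = 0x22   # left shift (0x02) | right shift (0x20)
BACKSPACE = 0x2A

# Usage ID -> (plain, shifted). Assumption: US layout, printable subset only.
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
               0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
               0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")})


def decode_reports(reports):
    """Return the typed text for an ordered iterable of 8-byte reports."""
    typed, held = [], set()
    for raw in reports:
        if len(raw) != 8:
            continue                      # not a boot-protocol keyboard report
        slots = raw[2:8]
        if any(0x01 <= k <= 0x03 for k in slots):
            continue                      # rollover/error report: keep prior state
        shifted = bool(raw[0] & SHIFT_MASK)
        for k in slots:
            if k == 0 or k in held:
                continue                  # empty slot, or key still held down
            if k == BACKSPACE:
                if typed:
                    typed.pop()           # the typist corrected a mistake
            elif k in KEYMAP:
                typed.append(KEYMAP[k][shifted])
        held = {k for k in slots if k}
    return "".join(typed)


# Constructed sample (not from the contest capture): shift+c, t, f pressed while
# t is still held, a rollover report, a typo "g" erased with backspace, "-", "1", "!".
SAMPLE = [bytes.fromhex(h) for h in (
    "0200000000000000", "0200060000000000", "0000000000000000",
    "0000170000000000", "0000170900000000", "0000010101010101",
    "0000090000000000", "0000000000000000", "00000a0000000000",
    "0000000000000000", "00002a0000000000", "0000000000000000",
    "00002d0000000000", "0000000000000000", "00001e0000000000",
    "0000000000000000", "02001e0000000000", "0000000000000000")]

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```

Tracking which keys are still held between reports is what keeps overlapping key presses from being counted twice, a common source of wrong output when such captures are decoded report by report.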
In the following days, the first 20 finalists will be interviewed and, after training, the best 10 contestants will be selected in order to participate in the ECSC 2018 Finals. Training will be provided under the guidance of Greunion in order to achieve the best results possible.