InfoSec 101 — Part Three (b): Technical Resources for VMs, CTFs, and Online Challenges

Source: https://insomnihack.ch/insomnihack-2018-ctf-results/

(If you’re wondering where the previous part is, click here!)

In the previous segment to this series, we covered the possible avenues for where you’re able to learn the bare essentials of cyber security, from a high level perspective. Now, I want to do a deep dive of how you can start to delve into the finer, more technical skills of this industry. This will mostly touch on offensive capabilities; although, irrespective of whether you’re looking to get into the “blue team” side of security or not, it’s vital to understand the attacker mentality, the techniques they use, and how they change to avoid detection.

I’ll break this down into two sections. Firstly, I’ll cover how to setup a virtual machine (and why!), and then get into some online resources you can use to become familiar and practice this broad range of competencies

Virtual Machines: What, Who, Where, When, and Why?

What is a virtual machine? In the most simplistic way I can describe it, it’s an emulator of a computer system, which allows you to run and operate another computer on your laptop or desktop. It’s inception for computers. To run a virtual machine on your computer, you’ll need a specialised piece of software called a Type 2 Hypervisor, otherwise known as a Hosted Hypervisor; the reason for this is because it’s installed on an existing OS. The main players in this space who offer free solutions, are Oracle and VMware.

Virtual machines are crucial for two situations. The first is simple; if you’re studying malware analysis where you have to run malicious code, you don’t want to do this on your host machine as you could accidentally get infected. Running the malware in a virtual machine that’s been configured properly, will not affect your underlying host operating system.

The second reason is that if you’re wanting to develop skills in offensive security (such as pentesting, wireless attacks, social engineering, password cracking, or web application attacks), you’ll need tools to do this, and these tools often don’t come by default on a Windows or Mac computer.

What operating system will provide such tools for you? Kali Linux.

Installing Kali Linux

Let’s start by installing this as a virtual machine. To download the hosted hypervisor, choose one of the following:

• Oracle’s VirtualBox: https://www.virtualbox.org/wiki/Downloads
• VMware’s Workstation Player: their downloads page.

To download the Kali Linux virtual machine, head over to the following page:

• https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/; notice how there are seperate tabs for VMware and VirtualBox — ensure you’re downloading the appropriate virtual machine. When testing for this blog, I needed to choose the 32-bit VirtualBox image.

After you install the hypervisor, it’s time to import the virtual machine.
For VMware, it’s as simple as this:

File -> Open, choose the VMware VM you’ve downloaded

For VirtualBox, it’s not as easy. For me, while importing the .ova file, I had to untick ‘Import hard drives as VDI’. Once imported, in the VM settings we need to untick ‘Enable VT-x/AMD-V’ from System -> Acceleration, and ‘Enable EFI’ from System -> Motherboard, as shown:

Import -> Choose .ova that was downloaded, adjust settings for import process

Untick EFI and VT-x/AMD-V in your VM settings once imported.

Configuring a Virtual Machine

You’ll then have ‘Kali’ in your library, and if you want to get started straight away, right click and hit the ‘Power On’ button. Otherwise, you may need to customise your VM for a number of reasons:

• If you’re planning to deploy malware for research purposes, disable or remove your network adapter as you wouldn’t want it connected to the internet.
• Create a snapshot of your VM once you have everything up and running. Think of snapshots like a backup; if something goes horribly wrong (system failure, unintentional malware execution), you can restore from a previously known-good state and continue on with whatever you wanted to do.
• Increase the number of processes and memory allocated to the VM. You’ll also want to make sure that your hard disk has enough memory too as this can quickly fill up with all the downloads and installs during a CTF or otherwise.

Now that we have Kali installed, there’s a good chance you may not be familiar with the Linux OS. Here are some quick starting points to immerse yourself with navigation, commands, and file management within Linux:

• https://ryanstutorials.net/linuxtutorial/
• Cybrary: Kali Linux Fundamentals or Linux Basics (this is not an exhaustive list).

To be completely honest with you though, there’s no better way of learning than actually going through some material that has practical value, which brings me to the next section of this article.

CTFs, Vulnerable VMs, and Blue Team Challenges

CTFs

The Internet is a huge repository of knowledge and we’re so lucky to be in a community that enables and encourages sharing. The most efficient way I’ve been able to learn how to use Kali, or compete in CTFs, is to actually participate in it, but also read walkthroughs from people who have done this previously.

Before I hit you up with a number of useful resources, let me introduce some key concepts first. I’ve mentioned CTFs quite frequently throughout this series, but if you’re unaware of what it is, it stands for ‘Capture the Flag’. In Jeopardy style CTFs, the challenges are presented in categories that tackle a different skill, such as Binary Exploitation, Forensics, Steganography, Web Attacks etc. Your task is to find the flag, that’s usually in the format of “ctf{this_is_the_flag}”. Let’s go through one example together.

For this challenge, we’ve been given a file called “file” and the challenge description is “Grep: Can you find the flag in file? This would be really obnoxious to look through by hand, see if you can find a faster way”. Now, from experience I know that grep is a command line tool that we can use to search a file for a particular string. So let’s do that in our Kali VM:

This is a very basic example of a CTF challenge, where we were given a file and must find the flag. If we were to display the file on it’s own using the ‘cat’ command (this prints the contents of the file to your screen), you’d see what’s shown in the screenshot below. Obviously this isn’t an efficient way to find the flag as you’d have to read the entire contents, which is why grep is a useful tool for this challenge. It searches the file for you based on the search term you provide, which here was “pico”.

Clearly, CTFs can also help develop your Linux skills, which is why I wanted to introduce it here.

Here’s a list of CTFs that you can start practicing on:

• The example above was from PicoCTF, which really caters for beginners.
• OverTheWire, are a series of ‘wargames’ designed to teach these kinds of skills and lateral thinking. Try out the starter course called ‘Bandit’.
• RingZero CTF have challenges in multiple categories that you can get your hands dirty with
• CTF Challenges by CherryBlog.

Other resources:

• CTFs that have been made available online: http://captf.com/practice-ctf/
• All live CTFs are captured on https://ctftime.org/
• awesome-ctf: Guide to CTF resources, libraries, tutorials etc.
• Look out for CTFs that are run at your local security meet-up; a great way to learn from others!
• Write ups are your friend. Google “<CTF name> writeup” and you should instantly find others who’ve written about their CTF experience, and how they’ve solved each challenge. Here’s an example for PicoCTF https://github.com/PlatyPew/picoctf-2018-writeup.

Vulnerable VMs

There are other ways of developing these kinds of skills, such as attempting to hack into vulnerable VMs. A little more difficult, sure, but still very enjoyable and rewarding. The idea is that someone has created a virtual machine that is intentional vulnerable to some kind of attack. Your job is to find this vulnerability, and then exploit it (generally using Kali Linux tools).

Generally, these VMs will be hosted online for you, but there are some services that allow you to download the VM and work off your host machine. Similar to CTF flags, these will be a phrase or a hash that’s provided when you’ve reached a certain stage, or successfully exploited the machine.
Let’s go through the resources:

• VulnHub: this was one of the first websites that I came across when starting out in security, where you can download the vulnerable VM onto your host machine. Again, walkthrough’s saved my life. I’d recommend starting with Basic Pentesting 1, and here are the walkthrough’s; 1 and 2.
• Hack the Box: a fantastic set of boxes that range from easy to difficult, in either Windows or Linux machines.
• Pentester Lab: full disclosure, I’ve never used this myself. But with the amount of positive reviews I’ve heard first hand and by those online, this list would be incomplete without it. This is an affordable resource where you can learn offensive skills from step 1 to advanced.

Again, walkthrough’s are there for you whenever you get stuck, if you want to discover a new technique to achieve the same goal, or if you simply give up and need answers (not recommended, ahem, *try harder*).

Blue Team Challenges

These are for people like me that are thrilled whenever they see a .dd, .pcap, or an image file, or simply want to feel like an investigator. Even though Kali is mostly used for offensive capabilities, there are still tools native to Kali (if not, you can download them using ‘apt-get’) to find flags around forensics, steganography, or reverse engineering.

If this does interest you, here are the websites I’ve used in the past to skill up in different areas:

• Hack the Box: such an all rounded site. Under the ‘Machines’ tab in the left navigation pane, you’ll find ‘Challenges’ which has a good set of forensics and steganography based exercises
• Forensic Focus and DFIR Training: both have an awesome compilation of online images, CTFs, and malware samples
• ForensicsContest & SANS Community Challenges: for all things forensics
• Shout out to @AmanHardika as well for sharing this incredible mind map of forensic challenges
• These are a little more difficult, but SANS also runs a ‘Holiday Hack Challenge’ which is defensive focused; can also find the past years competitions here.

If you’re still with me for this last section, I wanted to quickly cover some alternate virtual machines that could be handy for these blue team challenges. FLARE VM was developed by the FLARE team from FireEye, and is a Windows-based VM to analyse malware, with static and dynamic analysis tools, and forensic and network utilities.

SIFT Workstation was created by SANS, which is much more focused on the practical applications of Incident Response and Forensics. With tools including log2timeline, volatility, rekall, and SleuthKit, you’re also able to learn the ins and outs of memory analysis, and how to parse forensic artefacts.

Finally, for anyone who has a particular curiosity towards network analysis, there’s a VM called Security Onion that specialises in IDS (intrusion detection system) and NSM (network security monitoring). There’s a particular tool called “Bro”, which has now been renamed to Zeek, which offers a really good opportunity to learn about different networking protocols. It captures traffic that’s running through your network, and separates the log files based on the protocol observed by Bro’s protocol analyser. You can also split a .pcap using Bro, but I’ll save that for another blog post!

Hope you got some use out of this, and thanks for reading. Until next time!