Wednesday, January 23, 2019

Kringlecon SANS CTF

#!/bin/bash

$date
Wed Jan 23 12:00 CET 2019

Over the holiday break, I was invited to the North Pole via SANS for the holiday hack challenge hosted by the big man himself. This was a CTF (Capture the Flag) that started roughly a week before Christmas and finally ended a little over a week ago on the 14th of January.

I have waited till post the event to post this as to not put out spoilers or hints in this challenge. Due to the sheer amount of challenges though I will only talk about a few of my favourite and how everything was broken down.

Upon arriving at the website: https://kringlecon.com (which as of writing seems to still be active if you would like to try some of the challenges yourself) you are greeted by Santa at the gates of the North Pole heading into Kringle Castle. The prestigious home of the jolly man himself.

We are all welcomed into this castle as special guests of Santa to help with some minor computer problems around the manor. As more time passes, the demand has become too much for the elves to handle themselves. Santa's plan was to automate the toy building process around the workshop to ensure quotas were met and children would receive their due gifts.

This challenge was broken up into 2 portions. There were terminal challenges and objectives. (I will include pictures bellow of some of my challenge solving and the way the terminals were set up.) The terminal challenges were little kiosks littered around the castle running "Cranberry pi" OS. These were simple little GNU/linux terminals with various puzzles to solve. Upon completion, the elf beside the terminal would congratulate you and give a hint toward one of the main objectives.

These main objectives were actually challenges or puzzles completed outside of the emulators unlike the "Cranberry pi" terminals. There were websites to exploit, VM's to explore, PCAP data to analyze and a malware file to reverse engineer. All in all the challenges were diverse and really fun!

Terminal challenge: Mint Candycane - The Name Game

Within the main room, there was a terminal off to the left with an elf named Mint Candycane. Clicking on her, she will say:
Hi, I'm Minty Candycane.
Can you help me? I'm in a bit of a fix.
I need to make a nametag for an employee, but I can't remember his first name.
Maybe you can figure it out using this Cranberry Pi terminal?
The Santa's Castle Onboarding System? I think it's written in PowerShell, if I'm not mistaken.
PowerShell itself can be tricky when handling user input. Special characters such as & and ; can be used to inject commands.
I think that system is one of Alabaster's creations.
He's a little ... obsessed with SQLite database storage.

Booting the terminal, you will be shown a program for generating name tags. Option 1 will allow you to enter a new person, while option two will allow you to input an IP address. Selecting option 2, you can use Powershell exploits to get a list of files on the server running:

& ls -l

This will give you a list of files available, amongst them being:

onboard.db


after hitting enter, being booted back to the main screen again, you may type in option 2 and run this command:

& sqlite3 onboard.db .dump > onboard.bak 

After that, select option 2 again and run:

& more onboard.bak | grep Chan


Running that will reveal that our targets name is Scott Chan. Then we just select option 2 one last time to run:

& ./runtoanswer (One of the files previously seen in the original ls command)
Scott Chan

We are then greeted with a lovely completion screen! This post was much longer than anticipated, so if I get any feedback or interest in this post, I will make more posts recapping more challenges. Otherwise I will next be posting about the Hacker One CTF from their website as soon as I complete it.

With new challenges, there is actual reason for me to post again, so I will likely start doing that. I know this blog is not consistent, but I only have interest when there are CTFs or Hackathons for me to attend and as I competing more for work, there should be an increase in posts.








#Caramon



Monday, June 18, 2018

Let's talk about security!

Welcome to 2018, the year of GDPR. Let's discuss some good home security habits. In today's blog, we will cover a simple tactic that will keep you and your family safe, secure and relatively inexpensive.

How many people have a personal firewall? I am not referring to the Windows defender or whatever software variant you might have preinstalled on your Operating System of choice. The easiest way to thwart some security issues is to have a physical firewall with accompanying services offered by a reputable company.

 Such services are offered by WatchGuard, SonicWall, or other companies that design a small, low-cost system to be installed on a personal network. These devices are simple to configure and practically plug and play.

On that firewall, you need 3 services activated:
-Web block/IP blocking
-IP whitelisting/IP blacklisting
-The blocking of inbound and outbound traffic

Web blocking services typically check with several opensource or private lists of cataloged websites that are labeled as known good or known bad. This prevents the access of shady or unknown sources and prevents pop-ups from opening or downloading unwanted software. This lowers the chance of malware or ransomware from accessing your computer and network. Note, you can still download the malicious software yourself.

IP whitelisting and blacklisting allows you to block websites based on a category or individual site. With a combination of the two, you can choose to only allow specific site access, i.e., social media, entertainment, or specify the sites such as Instagram, FaceBook, YouTube, etc. You can also block in the same method such as adult websites, mature content, or other flags like the free flash game websites that are prone to viruses. The main difference you need to know is blacklisting allows any site to be accessed other than the specified list, or whitelisting which blocks every website other than your permitted sites in the same manner.

Finally, monitoring inbound and outbound traffic ensures that if something is downloaded, or another device on your network is accessed, that it can not call out to the control server. If a Botnet infects your machine, either a router, computer, Internet of Thing, or another internet connected device, the program is designed to call back to a command and control server. If you're monitoring the outbound traffic, the firewall will recognize the untrusted address and block the program from reaching out to its controller. This is similar to the function of ransomware which we can cover in another article.

The first place cybersecurity starts are with you. This still requires safe search habits and practicing general security habits. This is a good start to protecting a small business or home. There are many other things you can do to help increase security, but that is for another post!

//Caramon

Tuesday, January 16, 2018

#!/bin/bash

New year, new site, new blog. When Nikolai and I started this blog, we wanted to document our coding and hackathons. Well, he made the decision to leave on a two year LDS mission in Norway, and I have moved to Sweden as a cyber security consultant. That being said, I will try and restart the blog. I will move it to a better server, where I get more creative control over the HTML, CSS, and JavaScript. I would also like to post more code, and explain it.

The other half of this blog will serve to keep Nikolai updated on the current tech and sort of allow for some small reviews. I know no one reads this blog regularly, so I sort of get to write anything I want. But maybe it will help some passerby one day.

All this being said, I am unsure if I will post every week. Maybe every two weeks. It depends on what I have time or. Whatever I decide, I will first change the hosting to allow a better design in a more pleasing format. I like the photo of my first drone build, but it needs better placement. This will allow for a cleaner page and for a new post on how I created the new site.

Sorry for the lack of posts. I will hopefully be at a European Hackathon soon. Hopefully more pictures. Hopefully a new blog.

#Caramon

Wednesday, March 22, 2017

<body>
36 hours versus 24 hours to build a project. The time difference between a relaxing project, and full panic, not enough time 0 sleep, and crying in a corner waiting till the event ends. about 2 weekends ago, Liam and I attended Disrupt the District which was a 24 hour hackathon. Not a usual length for an event, but very relaxing. The project we had in mind was a HUD project. We modeled the unit after Google Glass, to display the WiFi connectivity and show the systems connected to the router.

The project was simple, using a few spare parts laying around the lab. Pro micro arduino, a 48x64 OLED display, and BLE h11. discovering the pin out for all these pieces was interesting. I learned how SPI (Serial Peripheral Interface) worked to run an image from the pro micro to the OLED display.

Was it successful... Well, other than the DOA part we received, yes. We got an image to display from the pro micro to the screen, and it bounced through the optics to reach the eye properly. What I would have changed though, was a nicer case that was wide enough to fix the project, and better optics to properly relay the image from the hardware to the user.

In short, this post is long over due, Nikolai and I have become very busy as of late. The main take away was that even though we didn't design the coolest looking project, or the fanciest project, it didn't matter. I took a huge step in learning hardware, and that is what truly mattered. I was able to teach, and broaden my knowledge in a field that I want to learn about, and I was successful in my book.
</body>

Wednesday, February 8, 2017



What’s the longest you’ve ever gone without sleep? Over the course of the hackathon I slept for less than an hour in a two day period. It was at the point where I was starting to hallucinate a war between dingoes and eagles swooping through hallways of the facilities trying to steal all the babies*. I was wobbly, and stairs were a no go. I started spouting my thoughts out loud without meaning to and mumbling incoherent rituals, spells, and incantations -- not really, but you get the idea. And now that you have considered my question you can either relate and agree that sleepy drunk is just the greatest state of being of all time or you can call me crazy and move on. Either way, you would most likely want to know why anyone would ever stay up that long; and if you can relate to me and are thinking not sleeping is the best, now is the time that I call you crazy. I didn’t sleep because I had work to do. I had pages of code to write and not nearly enough time to do it.


But I did and it was glorious.


In that short amount of time, I was able to develop a working app with an aesthetically pleasing interface and mildly entertaining animations. That's a lie, it wasn’t entertaining at all; I just made some things wibbly wobbly when the cursor was over them to match my fading vision. Also a lie, but while not entertaining, it did look great and, more importantly, it worked great.


But enough about me. I did not design this project on my own and I’ve hardly even explained the project at all by now. The project was a mesh network with an app designed to allow people to access and take full advantage of the network. Liam designed the hardware and embedded the devices into articles of clothing with the help of a fashion student we met that weekend. Caramon developed the mesh network itself which allowed the devices created by Liam to communicate and interact with each other. Caramon also helped me to design a chat platform within the app allowing you talk to people over the network.


A mesh network is awesome because it works locally. The devices, or nodes, link to each other when they are in close enough proximity creating a local, private, and personal connection with those around you. This is why a chat feature is completely necessary with an app like this. We also developed a media page where you could post pictures and videos for people on your network to see. This allows for other people to live life through your eyes. It allows others to see the magic of your surroundings that typically you would only be able to see. They can experience life through your perspective and vice versa. This is the only social media app designed to not suck you into a computer screen but to explore and meet everything and everyone around you.


Basically, this better sound awesome to you and if it doesn’t you need to know one last thing; the clothing we embedded the nodes into have neopixel LED’s sewn in. These lights look amazing and straight out of the future. The lights are programmable to different colors and patterns. But wait, there's more! I also previously mentioned that the clothes interact with each other! As the proximity changes the patterns change! They become more sporadic and rapid indicating you are getting closer to another person wearing what I like to Soft Wear -- punny, eh? This is to encourage interaction between users.


The network itself is called Meshh Network and the clothes are called Soft Wear. And these things have an immense amount of potential in your life. The network itself has many applications outside a social media app and it is extremely exciting for everyone on the development team to see where it could end up going. We believe in it and see a lot of potential in it. Also, apparently so do other people because a group of sharks have already tried to steal it. Which is incredibly flattering.


Also, shoutout to our intern, Gauge, for everything he did over the weekend. We would have died had it not been for him. And I might have actually been forced to take breaks and sleep had he not been there to help us in our time of need.


//Nikolai



*There were no babies, or dingoes, or eagles. It’s fine.

Monday, January 30, 2017

Hello,

This weekend, I was able to attend the Kent, OH, Hackathon. These events are put on by Major League Hacking and are generally held on college campuses. They are free to students, and are backed, supported, sponsored, and powered by a large variety of companies seeking to foster ingenuity and creative ideas. While there, participants are supplied with materials to build with, food, rooms to work, and a place to sleep. As a participant, you are able to attend talks and a variety of panels covering various topics, or are free to work through the weekend. The purpose of the event is to inspire the youth to invent and innovate with technology, and create something new.

We arrived at the event on Friday evening, where they shuffled us into the auditorium of the school so we could meet other people for teams and ideas. After listening to the speakers and dinner, we found a room to work in. At 9:00 pm the hack commenced.

My team consisted of my friends: Nikolai -- who was in charge of developing software; Liam -- who built the hardware; and myself, who did networking, built the web server, and aided Nikolai in software development. Upon arrival, we added a fashion student, Abigail, to the team.  Abigail designed the fashion aspect of the project.

Starting our project: we unpacked our boxes and threw them away like other people should have. The four of us split up and began to develop the different aspects of the project.  What was our amazing project?  It was an ingenious collaboration of minds to create a mesh network that could be stored in any piece of clothing as wearable tech and interact with our other products. The ability to connect to other devices allowed for an 'in the moment mesh' for socializing with those around you. It is similar to SnapChat, except that you have to be within close proximity to another person for the tech to work.

This project creates a temporary social media platform to share pictures and media, as well as secure SSH peer-to-peer chat rooms, with those around you. The idea is to create a local network in the effort to live life through the views of those around you and to allow for you to truly connect with these people on and off of the screen.

We want you to see and hear what others hear. We want you to meet those around you. We want you to connect. We want you to mesh.

The difficulties we encountered though in building the network was a nightmare. The OS we were using did not recognize the capability for our WiFi cards to create a network between. The other difficulty was building the messaging platform, because no one had experience in building an application like that.

But we improvised. We learned. And we developed.

We managed to develop a functioning platform with messaging capabilities and connectability with the other products.

//caramon













                                          

Monday, January 23, 2017

Hello!

     Welcome to my blog. I am using this platform as a sort of journal, to keep track of my projects and what I learn. I study in network security, and have recently moved into doing a little computer engineering and playing with micro controllers.

     Through networking I have met many people, whom I will mention by name as they become relevant to particular projects, are helping me learn as I apply my knowledge in coding to building some pretty cool prototypes.

     I need to play catch up, as I started building things already and will make posts for both projects to explain how they work, and my thought process in designing these things. Nikolai is the second admin for this site, and his relevance is I have been teaching him Linux and networking. Nikolai codes as well, and is going for a degree in computer science. So you'll see posts from both of us as we develop new skills and progress.

We code in collectively with a lot of overlap in:

HTML
JavaScript
C++
C#
C
Python
SQL
Java
PHP
CSS

     Our interests lie in both hardware as well as software, and look forward to improving both areas. Look for future posts and updates.

///cstanley