Or ‘why we love building boxes’.
If you are a pen tester (penetration tester), hacker or otherwise involved in the technical security of computers, chances are you have played one or more Capture the Flag competitions. Most conferences nowadays offer teams the opportunity to participate in a CTF, and sites like Vulnhub (http://vulnhub.com), TryHackme (http://tryhackme.com) or Hack the Box (http://hackthebox.eu) offer players ample opportunity to play these challenges at their own pace.
Playing CTF’s challenges your creative thinking and forces you to think outside the box. Most of the machines focus on one specific technology or vulnerability and so offer you the opportunity to learn them hands-on. My friend Andreas and I have played a lot of these CTF’s, and learned a lot from them.
However, after a while, playing these CTF’s becomes less challenging. In most cases, getting a foothold (your initial shell access on the system) is still interesting, but the escalation to a high privileged account becomes something that you have seen and done before. And you will also start to notice that most CTF boxes are not modelled on real-life systems (there is no real need for that, but don’t think that a ‘real’ pen test is anything like a CTF).
Andreas was already involved in building the Tempus Fugit boxes for Vulnhub, and I offered my help to build the next one in that series (if I recall correctly, TF3). Now the tables were turned and we (I) was working on the other side, trying to come up with (not so) clever ways to gain access to the box we were building and how to escalate the privileges.
We decided to make our boxes as life-like as possible, based on my experience as a pen tester and new vulnerabilities published on exploit DB ttp://www.exploit-db.com/).
It turned out to be a great learning experience, and building boxes based on real life examples and new vulnerabilities is a great way to acquire new skills that you can use, either for your pen testing jobs or your sysadmin jobs. We have since built boxes for Vulnhub and TryHackme and had some great feedback from people who have played them.
If you’re interested in trying it yourself, here are the steps we followed when building a new box.
Firstly, we had to come up with a scenario and background story. This helps in building a box that is as close to a real life situation as possible. It helps enormously to have a solid background story, especially if you are building a series of boxes. Our current series on TryHackme is based on a story about the Windcorp corporation which keeps getting hacked, fixes the previous vulnerabilities but then makes (real life) mistakes in building a new system.
The second step is to select a platform for the CTF machine. In most cases this is Linux, because it is free, but luckily we can also use Windows if we are building systems for TryHackme. To enhance our own learning experience, the THM Windcorp series is based on the Windows platform.
The third, and often hardest part, is finding a vulnerability that leads to the initial foothold (access) on the system. We consult ExploitDB for new vulnerabilities, or use things I have seen during a pen test, or use software we find interesting. For one of our boxes, we found a 0-day in an interesting piece of software that we had used to create an initial foothold on the system.
Once a player has an initial foothold, you need to think of a way to escalate the privileges. This can be by using another, vulnerable, software package. For Windows we sometimes make deliberate configuration errors that regular sysadmins make, as well as opening the system to SYSTEM access.
So far we have learned a lot when building each of these boxes and will continue to do so.
If you are interested in playing a CTF, please visit one of the sites we mentioned. If you’re interested in building a box yourself, don’t hesitate to give it a try. You will definitely learn a lot and other people will certainly enjoy hacking your CTF box.
Arthur Donkers Andreas Finstad