ZeekWeek 2020 Capture the Flag Summary

Other Notes:
This challenge was a lot of fun to write and exemplifies a few subtle points. First, don’t trust all code from all packages – just because it executes, or compiles, doesn’t mean it’s safe to run. Second, Zeek is a script interpreter. Which means that any code it interprets is executed with the same privileges the zeek process is running as.

timers-and-switches

Description:
This is an odd script… The flag should be *this* once it gets to length 1000. Note that changing how fast the script goes will change the order of events.

Flag: nnnnccccrrrnnnnrcncccncrcrrrnnnnrcrncccncrcrrrnnnnrcrncccncrcnrrrnnnrcrncccncrcnrrrnnnrcrncccncrcrrrnnnnrcrncccncrcnrrrnnnrcrncccncrcnrrrnnnrcrncccnrccnrrrnnnrcrncccnrccnrrrnnnrcrncccnrccnrrrnnnrcrncccnrccnrrrnnnrcrcccnnrccrrrnnnnrcrcccnnrccrrrnnnncrrcccnnrccrrrnnnnrcrcccnnrccrrrnnnncrrcccnnrccrrrnnnnrcrcccnnrcrrrcnnnnrcrcccnnrccrrrnnnnrcrcccnnrcrrrcnnnnrcrcccnnrcnrrrcnnncrcccrnnrcrrrcnnnnrcrncccnrcnrrrcnnnrcnrcccnrcnrrrcnnncrcccrnnrcnrrrcnnnrcrncccnrcrrrcnnnnrcrcccnnrcrrrcnnnnrcrcccnnrcrrrcnnnnrcrcccnnrcrrrcneeennnrcrcccnnrcnnnrrrncnnncccrcnrcccnrrrrcnnnnrrrcnnnrccccnrcccncrrrrnnnncrrrnnnrccccnrcccnrrrrcnnnncrrrnnnrccccrncccnrrrrcnnnnrrrcnnnrccccncccrncrrrrrrnnnncnnrccccnrccnrrrrcrrnnnncnnrccccnccrnrrrrcnnnnrrcnnrccccnrccncrrrrnnnncrrnnrccccnrccncrrrrnnnncrrnnrccccnrccncrrrrcnnnnrrnnrccccnrccnrrrrccrrnnnnnnrccccrnccnrrrrcnnnnrrcnnrccccnrccncrrrrrrnnnnnnrccccccnrrrrcnnnnrrnnccccrnccrrrrcnnnnrrnnrccccncccrrrrnnnnrrnnrccccncccrrrrnnnnrrnnrccccncccrrrrnnnnrrnnrccccncccrrrrnnnnrrnnrccccncccrr

Writeups: None

Other Notes:
This challenge was also fun to write. Since Zeek is an event driven system, combining different timers is a sure way to complicate execution flow. Massive thanks to Justin Azoff for noticing that this challenge is actually impossible to solve. Since some of the intervals will eventually overlap, for example one timer of 300 and three timers in a row of 100, there’s no deterministic way of knowing which event will be handled first. To fix this challenge I should have used numbers which would not overlap, i.e. prime numbers like 103. We apologize to all participants who may have sunk cycles into analyzing this challenge.

backdoored-source

Description:
Someone introduced a bug in one of the source files from release/2.0. The flag for this challenge is the path to the file that changed. For example, “testing/btest/Baseline/BiFs.count_to_addr/out”.

Flag: scripts/base/protocols/conn/main.bro

Writeups:
eck

hash-yourself

Description:
This Zeek script calculates a levenshtein distance between two strings but doesn’t print it 🙁 See if you can figure out what line 42 evaluates to. But be careful, you might not want to edit the script.

Flag: 23

Writeups:
eck

Other Notes:
This script demonstrates some odd things that can happen with module names in scripts. All of the export and module statements are meant to be a distraction. The inability to modify the original script is meant to force players to think outside of the one-script-mentality and realize that an invocation of Zeek pulls many script files into a single process. Sometimes how these scripts interact and layer on top of each other can be complicated to debug.

vector-fun

Description:
Vectors are my favorite Zeek type. Vectors of any are full of surprises. Place your guess for the flag in the your_guess variable and invoke the script to see if you guessed correctly.

Flag: ThisIsTheFlag223

Writeups:
eck

Other Notes:
The any type is meant to escape Zeek’s strong typing in scriptland. This challenge highlighted some of the interesting things that can be done with variables or type any.

man-or-machine

Description:
This one is simple. There’s a pcap which contains 100 SSH connections. Only 1 of the connections was human driven. The rest weren’t. All we want to know is the source port number for that 1 connection. You ONLY have 2 attempts, so don’t bruteforce guess! All the connections used the same client, server, and configurations. If everything is the same and the payload contents are encrypted, what else could you compare?

Flag: 54712

Writeups:
ZeekRJuicy
answer is the id.orig_p in uid CtCU2Eqt7k66iGcU9; when ecnrypted, i’d compare number of packets;

ran pcap through zeek to generate a different log files;
parse conn log using zeek-cut to display uid id.orig_h id.orig_p resp_pkts;
find the one with the most number of responding packets;
confirm the same uid in ssh log

check-your-alignment

Description: This script doesn’t do much. Maybe there’s a secret in the file itself.
Flag: HowsThisForAFlag
Writeups:

BKirk
After trying to decode all the characters I realized the # marked the start of the flag going down

eck
Not much to say here except that the 4th char in the var names spelled out the flag

Other Notes:

After trying a few challenges, which require a deep understanding of the scripting language or some esoteric feature, it can be difficult to take a step backwards and think abstractly. This challenge was worth a low number of points as an attempt to signal to players not to overthink the problem.

wiat-wat

Description:
?

Flag: watagreatflag983740234

Writeups:
eck
Stop the scripts from unlinking the files is creates and look at the contants of the “flag” file.

nachosauce

Other Notes:
Script files which delete themselves are nasty little things. This challenge was meant to demonstrate how Zeek can delete files on disk and how scriptland includes a pcap_packet type. Additionally, since Zeek is able to execute system commands it is possible for one zeek process to call another zeek process.

make-your-own-simpson-episode

Description:
The writers for the Simpsons have basically done every comedy sketch conceivable. To help them construct more creative episode scripts, Matt Groening wrote this Zeek script. The script randomly choses characters from the show and assigns them common sitcom roles. But, there’s a catch… D’oh! For some reason Homer’s name never gets chosen. Figure out why.

Flag: This was a manually assessed challenge.

Writeups:
eck

Justin Azoff
The global set is initialized containing 0x00, this makes the while ( i in loop always skip index 0 as a valid item. fix is to just initialize the set to be empty

asharma
This user submitted a handful of submissions. Considering thehm all together, it seems they solved this one.

Aashish also sent me a few Slack messages explaining his solution further.

kobajin

The character name is stored in an vector and the index is generated randomly. To prevent the same character from being selected over and over again, “llil: set[count]” is used to store the index once selected, but contains 0 as the initial value. Homer’s index is 0, so he will never be selected!

rdp-auth

Description:
Only one of these RDP connections sucessfully authenticated to the server. The answer to this challenge is the source port the client used in the connection which successfully logged in.

Flag: 36190

Writeups:
ZeekRJuicy
answer is the id.orig_p in uid CHCAoo1XWPGxgwNqWe;

ran the pcap through zeek to generate the log files;
check conn log for rdp activities;
the one with sucessful connection has more bytes than the rest;
confirm by checking the rdp log using the same uid

neslog
The concept is that failed attempts will all have similar data transfer sizes. A successful login will result in larger data transfer size as the server will continue to establish the session with the client. to analyze this I reviewed the resp_bytes for a larger treansfer.
$ grep -v ^# conn.log | awk -F’ ‘ ‘{print $11}’ | sort | uniq -c | sort -nr 62 1720 1 3081
From the output you can see that 1 session had a larger resp_bytes than the other sessions. This indicates successful login. Below is the session of the successful login.
1583786327.880795 CMpfPb4LvHa14Kk5Qj 192.168.57.9 36190 192.168.57.8 3389 tcp ssl 0.360920 3896 3081 RSTO – – 0 ShADdatFR 28 5048 26 4202-
This can also be verified by the connection state analysis. There is one session where the Originator aborted the session with a reset.
$ cat conn.log | zeek-cut conn_state | sort | uniq -c | sort -nr 62 RSTR – RSTR: Responder sent a RST. 1 RSTO – RSTO: Connection established, originator aborted (sent a RST).

fly-off-the-handle

Description:
I ran `zeek fly.zeek` to generate all the files in tmp/. However, I then deleted the flag.zeek file. See if you can recover the flag string.

Flag: 3s..AWildFlagAppeared..3Sx[ylmnop::GLOBAL::

Writeups:
eck
I did this the hard way. The zip files had creating timestamps of Sep 16th, so I used the fact that srand is deterministic and worked backwards from that timestamp looking a seed that would produce the output of the tmp/0 file. Turns out that was Wed 26 Aug 2020 10:55:44 PM EDT. Once I had the seed that was used that seed to discover “winner”. Once I found that winner was 705 I could then just decode that file. (In hindsight I could have just decoded all of the files and done a case insensitive grep “flag”. My way would have worked if the string “flag” wasn’t in the flag at least.

sudo-su

Description:
This is another easy one. The pcap contains a single ssh session. The user authenticated with a public key. The user was then provided a pseudo-terminal on the server. The user entered the “sudo su” command. The user then typed their passowrd and successfully elevated to root. The user then pressed CTL+D twice which exited first the root and then the user’s ssh session. All we want to know is the length of the user’s password. It’s a number. YOU ONLY GET 2 ATTEMPTS. DON’T WASTE THEM.

Flag: 6

Writeups:
eephillips