From CTF to CVE: How Application of Concepts and Persistence Led to a Vulnerability Disclosure
Joe Gray
About Me/Why Me (www.hackerhalted.com, slide 2)
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• Member of 2018 NOLACon OSINT CTF 3rd place team
• Co-founder of Through the Hacking Glass
• Frequent guest blogger
  • AlienVault
  • Tripwire
  • ITSP Magazine
  • Dark Reading
  • CSO Online
• Maintains blog and podcast at https://advancedpersistentsecurity.net
2017 DerbyCon SECTF
2018 NOLACon OSINT CTF
Objectives/Flow
• Discuss Types of CTFs
• Sources of CTFs
• Common CTF Themes
• Tools of the Trade
• Demonstrate Pros and Cons of CTFs/Applicability
• Finding a Bug
• Responsible Disclosure
Types of CTFs
• Self Contained
  • VM
  • Puzzles (think DEF CON badge shenanigans)
• Network or Web Based
  • Network King of the Hill (popular here with dc404)
• Social Engineering
• OSINT
  • Missing Persons CTF is a subset (h/t to Robert Sell and Trace Labs)
• Hack-a-thons
• DFIR
• Pros vs Joes
Sources of CTFs
• Conferences
• Vulnhub.com
• Hack the Box (hackthebox.eu)
• Root Me (root-me.org)
• Over the Wire (overthewire.org)
• CTF365.com
• Companies (e.g. Google)
• Security groups (e.g. dc404 and dc865)
• OpenSOC
Commonalities
• WordPress, Drupal, or Joomla
• Weak Passwords
• "Poor" Configurations
• Insecure Protocols
  • HTTP, FTP, Telnet
• Web Applications
• Named Vulnerabilities
  • Dirty COW, Heartbleed, EternalBlue, Kerberoast
• Cryptography
• Steganography
• Packet Captures
More Specialized CTFs
• OSINT
  • Collect flags on predetermined targets
  • Specific details about people from social media (Chris Silvers' OSINT CTF)
  • Collect flags about companies and (sometimes) the people of the company (Chris Hadnagy's SECTF)
  • Everyone is searching for the exact same flags (Silvers' OSINT)
• Social Engineering
  • OSINT and report-writing element
  • Live vishing
  • Each competitor has a unique calling time and unique target
• DFIR
  • Conduct forensics and analysis on files provided instead of hacking in
• Blue Team or Pros vs Joes
  • Actively monitor for further attack or analyze existing logs
Typical Tools of the Trade
Arguments About CTFs Being Realistic
• …but CTFs are not realistic.
  • That is sometimes true.
  • You may not encounter the same flag format in real life.
  • The creative concepts used to gain access are the same in many cases.
  • No one puts "incriminating" info in the page source. Wanna bet?
Told You So
Arguments About CTFs Being Realistic
• …but the CTF systems are too vulnerable.
  • Again, this can be true.
  • Speaking from experience, vulnerability management is still lacking.
  • This also trains us to look for the simplest solution and not go "nation-state" off the bat.
Arguments About CTFs Being Realistic
• …this CTF is nothing more than a gimmicky game.
  • I won't argue. Some are.
  • These are about stimulating creativity and novel ways to attempt to attack.
Effective Uses of CTF Concepts
• Bug Bounties
• Security Research
• Purple Teaming
Bug Bounties
• Just like a penetration test, you use the same concepts used in CTFs to attempt to find security vulnerabilities for fun and profit.
• The use of Nmap, Burp Suite, and fuzzers is a prerequisite.
• Any guesses as to a method to gain experience and comfort in using them?
• Your lack of knowledge of the target company creates a black-box or grey-box scenario similar to a CTF.
• I have tried my hand at many bug bounties. I have made a total of $100 and that was from OSINT. I fail far more often than I succeed.
Security Research
• Same as bug bounties but may have different terms or scopes.
• You may be targeting your internal assets (penetration testing) or your personal devices (think IoT).
Purple Teaming
• Using the concepts of a CTF can help you work on building detections for common attacks.
• Especially useful if you have a small shop.
• Exposes the Blue Team to hands-on attack methodologies.
• The theoretical attack method is great, but we learn more by doing.
• Allows cross training and innovation.
My CTF to CVE Story
• Started on OSWP
• Bought the network card and router
• Finishing a VulnHub CTF
• Began configuring the router
• Had not backed out of the browser configuration that routed traffic through Burp Suite
• …the rest is history
The Router: D-Link DIR-601
Info
• D-Link DIR-601 Router
• Hardware Version: A1
• Firmware Version: 1.02NA
"Securing" a Router
• Determine and configure the following:
  • Hostname
  • SSID
  • Whether to broadcast SSID
  • Encryption (WEP, WPA, WPA2)
  • Key
  • Channel
  • Connectivity and configuration abilities over wireless
  • HTTP or HTTPS?
• All these things are configured in the web interface
My Config
• Determine and configure the following:
  • Hostname: Mothership
  • SSID: Wireless Lab
  • Whether to broadcast SSID: Yes
  • Encryption (WEP, WPA, WPA2): WEP
  • Key: 123test123test123
  • Channel: Auto
  • Connectivity and configuration abilities over wireless: Yes
  • HTTP or HTTPS?: No option for HTTPS
• All these things are configured in the web interface
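The checklist on the two slides above, turned into a runnable audit. This is an added example written for this page, not code from the talk or from D-Link. The configuration keys (encryption, key, https, admin_over_wireless), the 12-character key floor and the repeated-fragment heuristic are assumptions made for the example, and the hardened configuration is hypothetical, since the DIR-601 offered no HTTPS option at all.

```python
import re

# Added example, not code from the talk. It encodes the "Securing a Router"
# checklist as an audit over a router configuration. The dictionary keys are
# assumptions made for this example, not the DIR-601's real configuration fields.

MIN_KEY_LEN = 12                 # assumption: floor for a WPA2 pre-shared key
ACCEPTED_ENCRYPTION = ("WPA2",)  # what we are willing to sign off on


def weak_key(key: str) -> list:
    """Cheap checks for a pre-shared key: length and obvious repetition."""
    problems = []
    if len(key) < MIN_KEY_LEN:
        problems.append(f"key shorter than {MIN_KEY_LEN} characters")
    # A fragment of 3+ characters that recurs (e.g. '123test123test123') is
    # exactly the kind of pattern a rule-based cracker tries first.
    if re.search(r"(.{3,})(?=.*\1)", key):
        problems.append("key is built from a repeated fragment")
    return problems


def audit_router_config(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    enc = str(cfg.get("encryption", "")).upper().replace("-", "")
    if enc in ("", "NONE", "OPEN"):
        findings.append("open network: no wireless encryption")
    elif enc == "WEP":
        findings.append("WEP: keys are recoverable from captured traffic; use WPA2")
    elif enc == "WPA":
        findings.append("WPA/TKIP is deprecated; use WPA2")
    elif enc not in ACCEPTED_ENCRYPTION:
        findings.append(f"unrecognised encryption setting {enc!r}")

    if enc not in ("", "NONE", "OPEN"):
        for problem in weak_key(str(cfg.get("key", ""))):
            findings.append(f"pre-shared key: {problem}")

    if not cfg.get("https", False):
        findings.append("management interface is HTTP only: admin credentials "
                        "cross the LAN/WLAN in cleartext")
    if cfg.get("admin_over_wireless", False):
        findings.append("administration reachable over Wi-Fi: anyone on the WLAN "
                        "can attack the login page")
    return findings


# Constructed inputs: the weak one mirrors the "My Config" slide; the hardened
# one is what the same checklist should look like on a router that offers HTTPS.
# broadcast_ssid is deliberately not audited: hiding an SSID is not a control.
WEAK_CONFIG = {
    "hostname": "Mothership",
    "ssid": "Wireless Lab",
    "broadcast_ssid": True,
    "encryption": "WEP",
    "key": "123test123test123",
    "channel": "auto",
    "admin_over_wireless": True,
    "https": False,
}

HARDENED_CONFIG = {
    "hostname": "Mothership",
    "ssid": "Wireless Lab",
    "broadcast_ssid": True,
    "encryption": "WPA2",
    "key": "correct-horse-battery-staple-2018",  # made-up passphrase
    "channel": "auto",
    "admin_over_wireless": False,
    "https": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_router_config(cfg) or ['no findings']}")
```

The weak configuration produces four findings (WEP, a patterned key, HTTP-only management, and administration over Wi-Fi); the hardened one produces none. The last two findings are the ones that matter for the rest of this story: with no HTTPS and configuration allowed over wireless, everything the admin types into the web interface is visible to anyone who can see the traffic.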
The web interface you say?
Password Change
Logging Back In
Base64 Decoding
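What the proxy screenshots boil down to, as an added example written for this page (not code from the talk, from D-Link, or from Burp Suite): take a request that an intercepting proxy captured on the way to the router, pull out the credential-looking form fields, and show what a passive observer recovers from them. The host, path, parameter names and password in the sample request are constructed for the example and are not the DIR-601's real login form.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Added example, not code from the talk or from D-Link. It does by hand what the
# Burp Suite screenshots show: decide whether a credential field in a captured
# request is protected, or merely base64-encoded on its way over plain HTTP.
# Host, path, parameter names and the password below are constructed for this
# example; they are not the DIR-601's actual form fields.
SAMPLE_REQUEST = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "html_response_page=index.html&username=admin"
    "&password=UEBzc3cwcmQhMjAxOA%3D%3D"
)

# Canonical base64: groups of four, optional '=' padding at the end only.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
# Parameter names that usually carry a secret.
CRED_HINT = re.compile(r"pass|pwd|secret|key|token", re.I)


def split_request(raw: str):
    """Split a raw HTTP request into (method, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers, body


def try_base64(value: str):
    """Return the decoded text if value is base64 of printable UTF-8, else None."""
    if len(value) < 4 or not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # valid-looking base64 that is not text: leave it alone
    return decoded if decoded.isprintable() else None


def find_exposed_credentials(raw_request: str, tls: bool = False) -> list:
    """Report credential-looking form fields and what an observer recovers.

    tls=False models what the DIR-601 offered: management over plain HTTP, so
    anything in the body is readable by whoever sits on the path or the WLAN.
    """
    method, headers, body = split_request(raw_request)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if not CRED_HINT.search(name):
            continue
        for value in values:
            decoded = try_base64(value)
            findings.append({
                "method": method,
                "parameter": name,
                "on_the_wire": value,
                "recovered": decoded if decoded is not None else value,
                "encoding": "base64" if decoded is not None else "none",
                "transport": "https" if tls else "http",
                # Base64 is an encoding, not encryption: over HTTP the secret is
                # as good as plaintext. Over TLS the transport does the protecting.
                "severity": "high" if not tls else "info",
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(SAMPLE_REQUEST):
        print(f"{f['method']} {f['parameter']}={f['on_the_wire']}  ->  "
              f"{f['recovered']!r} ({f['encoding']}, {f['transport']}, {f['severity']})")
```

Base64 is reversible by anyone, so a base64-encoded password sent over HTTP is plaintext to whoever is on the wire or on the WLAN. On a device that offers no HTTPS, as here, the practical mitigations are to administer it only over a wired port and to turn off configuration over wireless, which is why that item is on the checklist. Run over form bodies carved out of a packet capture, the same function is a serviceable blue-team check for management interfaces that leak credentials.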
Great!
• Now what?
Next Steps
• I did some precursory OSINT to see if anyone else had identified this vulnerability:
  • CVEs
  • Exploit-DB
  • Metasploit
  • Google
  • D-Link's website
• I reached out to D-Link; a nice person named William triaged the vulnerability.
Emails
Next Steps
• After a few back-and-forth discussions, William acknowledged the vulnerability and advised me that the router and firmware were EOL and no patch was expected for the foreseeable future.
• I asked when I could disclose and William told me that I was welcome to at any time. He asked that I include specific verbiage in my disclosure and that I get a CVE for it.
• Great!
• Where is the manual for getting CVEs?
Getting a CVE
• I hadn't found anything that warranted a CVE before, so I had to learn how the process worked.
• I knew about CNAs (CVE Numbering Authorities) and generally how they work (from searching for them in Exploit-DB to see if a PoC had been posted).
• I did a Google search. Not much here.
• I reached out to the dc404 mailing list. MAJOR KUDOS TO KARL S. AND MIKE C.
Path to Getting a CVE
• I was advised to go through MITRE by one and CERT by the other.
• I looked at the processes of each; CERT seemed simpler.
Path to Getting a CVE
• CERT said thanks, but you need to go through MITRE.
• I did the MITRE write-up.
• MITRE can reserve an ID before disclosure, but for it to publish the CVE entry the vulnerability must already be public, because the entry needs a public reference to point to.
• Great. Where does one do that?
Public Disclosure
• I published in a variety of places:
  • Full Disclosure Mailing List (http://seclists.org/fulldisclosure/)
    • http://seclists.org/fulldisclosure/2018/May/17
  • Peerlyst (https://www.peerlyst.com)
    • https://www.peerlyst.com/posts/vulnerability-disclosure-insecure-authentication-practices-in-d-link-router-cve-2018-10641-joe-gray
  • My Website – Advanced Persistent Security
    • https://advancedpersistentsecurity.net/cve-2018-10641/
  • GitHub Gist (https://gist.github.com/)
    • https://gist.github.com/jocephus/806ff4679cf54af130d69777a551f819
The CVE
Key Points and Takeaways
• Curiosity (and dumb luck) go far!
• Not all CTFs are garbage, just as not all CTFs are made of gold or even on the same level!
• You can make a difference in a product!
• Don't accept answers that don't make sense!
• No formally defined process was readily available for disclosing!
• Having a network of security professionals at your fingertips is invaluable (DEF CON Groups, CitySec, OWASP, other groups/Slack channels).
• Don't be afraid or intimidated to ask for help.
Through the Hacking Glass
• Mission Statement: To provide free and low-cost training resources to enable information security professionals and aspiring professionals to expand their skill sets and marketability to close the skills gap. This is based on the frequent occurrence of a paradigm of employers seeking entry-level people with experience beyond typical formal education curricula. This further allows professionals and those seeking to enter industry the opportunity to gain experience beyond the walls of academic institutions or capture the flags (CTFs).
• https://www.peerlyst.com/
• tthg@peerlyst.com
• Twitter: @hackingglass
• Facebook: facebook.com/hackingglass
• Peerlyst: Through the Hacking Glass (as username or hashtag)
• Also hashtag TTHG
Future Speaking Engagements
• 10/4: Northern VA (Social Engineering Training)
• 10/5-10/7: DerbyCon
• 10/16: GridSecCon, Las Vegas (Social Engineering Training)
• 10/17-10/18: Cybersecurity Atlanta (hosted alongside ISSA International Conference)
• 11/10: Temple University CARE (Social Engineering training and co-presentation with Tracy "InfosecSherpa" Maleeff)
Questions?
• Joe Gray
• jgray@advancedpersistentsecurity.net
• Twitter: @C_3PJoe / @hackingglass
• LinkedIn: linkedin.com/JoeGrayInfosec
• Facebook: facebook.com/JoeGrayInfosec
• Peerlyst: joe-gray

Presented at Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence Led to a Vulnerability Disclosure (Joe Gray)