Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence led to a Vulnerability Disclosure
1. From CTF to CVE: How Application of Concepts and Persistence led to a Vulnerability Disclosure
Joe Gray
2. About Me/Why Me
www.hackerhalted.com 2
• 2017 DerbyCon Social Engineering Capture the Flag (SECTF) winner
• Member of 2018 NOLACon OSINT CTF 3rd Place Team
• Co-founder of Through the Hacking Glass
• Frequent Guest Blogger
  • AlienVault
  • Tripwire
  • ITSP Magazine
  • Dark Reading
  • CSO Online
• Maintains blog and podcast at https://advancedpersistentsecurity.net
6. Types of CTFs
• Self Contained
  • VM
  • Puzzles (think DEF CON badge shenanigans)
• Network or Web Based
  • Network King of the Hill (popular here with dc404)
• Social Engineering
• OSINT
  • Missing Persons CTF is a subset (h/t to Robert Sell and Trace Labs)
• Hack-a-thons
• DFIR
• Pros vs Joes
7. Sources of CTFs
• Conferences
• Vulnhub.com
• Hack the Box (hackthebox.eu)
• Root Me (root-me.org)
• Over the Wire (overthewire.org)
• CTF365.com
• Companies (e.g. Google)
• Security groups (e.g. dc404 and dc865)
• OpenSOC
9. More Specialized CTFs
• OSINT
  • Collect flags on predetermined targets
  • Specific details about people from social media (Chris Silvers’ OSINT CTF)
  • Collect flags about companies (and sometimes the people of the company) (Chris Hadnagy’s SECTF)
  • Everyone is searching for the exact same flags (Silvers’ OSINT)
• Social Engineering
  • OSINT and report-writing element
  • Live vishing
  • Each competitor has a unique calling time and a unique target
• DFIR
  • Conduct forensics and analysis on provided files rather than hacking in
• Blue Team or Pros vs Joes
  • Actively monitor for further attack or analyze existing logs
11. Arguments About CTFs Being Realistic
• …but CTFs are not realistic.
  • That is sometimes true.
  • You may not encounter the same flag format in real life.
  • The creative concepts used to gain access are the same in many cases.
  • No one puts “incriminating” info in the page source. Wanna bet?
13. Arguments About CTFs Being Realistic
• …but the CTF systems are too vulnerable.
  • Again, this can be true.
  • Speaking from experience, vulnerability management is still lacking.
  • This also trains us to look for the simplest solution first and not go “nation-state” off the bat.
14. Arguments About CTFs Being Realistic
• …this CTF is nothing more than a gimmicky game.
  • I won’t argue.
  • Some are.
  • These are about stimulating creativity and novel ways to attempt to attack.
15. Effective Uses of CTF Concepts
• Bug Bounties
• Security Research
• Purple Teaming
16. Bug Bounties
• Just like a penetration test, you use the same concepts used in CTFs to attempt to find security vulnerabilities for fun and profit.
• The use of nmap, Burp Suite, and fuzzers is a prerequisite.
  • Any guesses as to a method to gain experience and comfort in using them?
• Your lack of knowledge of the target company will create a similar blackbox or greybox scenario as a CTF.
• I have tried my hand at many bug bounties. I have made a total of $100 and that was from OSINT. I fail far more often than I succeed.
17. Security Research
• Same as bug bounties, but may have different terms or scopes.
• You may be targeting your internal assets (penetration testing) or your personal devices (think IoT).
18. Purple Teaming
• Using the concepts of a CTF can help you work on building detections for common attacks.
• Especially useful if you have a small shop.
• Exposes the Blue Team to hands-on attack methodologies.
  • The theoretical attack method is great, but we learn more by doing.
• Allows cross training and innovation.
19. My CTF to CVE Story
• Started on OSWP
• Bought the network card and router
• Finishing a VulnHub CTF
• Began configuring the router
• Had not backed out of my browser configuration routing traffic through Burp Suite
• …the rest is history
22. “Securing” a Router
• Determine and configure the following:
  • Hostname
  • SSID
  • Whether to broadcast SSID
  • Encryption (WEP, WPA, WPA2)
  • Key
  • Channel
  • Connectivity and configuration abilities over wireless
  • HTTP or HTTPS?
• All these things are configured in the web interface
23. My Config
• Determine and configure the following:
  • Hostname: Mothership
  • SSID: Wireless Lab
  • Whether to broadcast SSID: Yes
  • Encryption (WEP, WPA, WPA2): WEP
  • Key: 123test123test123
  • Channel: Auto
  • Connectivity and configuration abilities over wireless: Yes
  • HTTP or HTTPS?: No option for HTTPS
• All these things are configured in the web interface
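An added example, not code from the talk, that ties together the “Wanna bet?” point about the page source and the accidental Burp observation in the story above: a small passive checker in Python that, given a recorded HTTP request and response, flags credentials sent over cleartext HTTP (the only option this router offered) and secrets left in the returned HTML. The request, response, host, credentials and HTML are constructed for the example; they are not the D-Link traffic and do not reproduce CVE-2018-10641, whose details the slides do not cover.

```python
# Added example (not code from the talk): a few lines of what a proxy such as
# Burp shows passively while you click through a router's configuration pages.
# The traffic below is CONSTRUCTED (hypothetical host, credentials and HTML);
# it is not the D-Link traffic from the talk and does not reproduce CVE-2018-10641.
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Heuristic: parameter, attribute and variable names that usually carry a secret.
SECRET_NAME = re.compile(r"pass|pwd|secret|token|psk|key", re.I)

SAMPLE_REQUEST = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Authorization: Basic YWRtaW46MTIzdGVzdDEyMw==\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=123test123&submit=Login"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    "<!-- TODO remove before release: default admin password is 123test123 -->\n"
    "<input type='hidden' name='wlan_key' value='123test123test123'>\n"
    "<script>var adminPass = '123test123';</script>\n"
    "</body></html>"
)

def split_message(raw):
    """Split a raw HTTP message into (start line, {header: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def check_request(raw, scheme="http"):
    """Flag credentials the client sends; `scheme` is what the proxy saw on the wire."""
    findings = []
    start, headers, body = split_message(raw)
    method, target, _ = start.split(" ", 2)
    for auth in headers.get("authorization", []):
        kind, _, blob = auth.partition(" ")
        if kind.lower() == "basic":  # base64 is encoding, not encryption
            try:
                user = base64.b64decode(blob).decode("utf-8", "replace").split(":", 1)[0]
            except (binascii.Error, ValueError):
                user = "?"
            findings.append(f"Basic auth header (user '{user}') sent over {scheme}")
    params = parse_qs(urlsplit(target).query)  # secrets in the query string...
    if headers.get("content-type", [""])[0].startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body))  # ...or in the form body
    for name in params:
        if SECRET_NAME.search(name):
            findings.append(f"credential-like parameter '{name}' in {method} {target} over {scheme}")
    if scheme == "http" and findings:
        findings.append("no TLS: anyone on the path (or on an open/WEP WLAN) can read the above")
    return findings

class LeakFinder(HTMLParser):
    """Collect the 'nobody puts that in the page source' findings from an HTML body."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_comment(self, data):
        if SECRET_NAME.search(data):
            self.findings.append(f"HTML comment mentions a secret: {data.strip()!r}")
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden" and SECRET_NAME.search(a.get("name", "")):
            self.findings.append(f"hidden input '{a['name']}' exposes a value in the page source")
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # literal assignments to secret-looking JS variables
            for m in re.finditer(r"(\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*['\"][^'\"]+['\"]", data, re.I):
                self.findings.append(f"inline script assigns a literal to '{m.group(1)}'")

def check_response(raw):
    """Flag secrets left in the HTML a server returned (only HTML bodies are parsed)."""
    _, headers, body = split_message(raw)
    if not headers.get("content-type", [""])[0].startswith("text/html"):
        return []
    finder = LeakFinder()
    finder.feed(body)
    return finder.findings

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST) + check_response(SAMPLE_RESPONSE):
        print("-", finding)
```

The name heuristic is deliberately loose (it will flag `monkey` as well as `wlan_key`); in a proxy you eyeball the hits, so false positives cost seconds and misses cost the finding. The point of the `scheme` argument is the one this router forced: the same login over HTTPS would still be worth a note, but over HTTP every credential in the exchange is readable by anyone on the same WLAN.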
29. Next Steps
• I did some preliminary OSINT to see if anyone else had identified this vulnerability:
  • CVEs
  • Exploit-DB
  • Metasploit
  • Google
  • D-Link’s website
• I reached out to D-Link; a nice person named William triaged the vulnerability.
31. Next Steps
• After a few back-and-forth discussions, William acknowledged the vulnerability and advised me that the router and firmware were EOL and no patch was expected for the foreseeable future.
• I asked when I could disclose and William told me that I was welcome to at any time. He asked that I include specific verbiage in my disclosure and that I get a CVE for it.
• Great!
• Where is the manual for getting CVEs?
32. Getting a CVE
• I hadn’t found anything that warranted a CVE before, so I had to learn how the process worked.
• I knew about CNAs (CVE Numbering Authorities) and generally how they work (from searching for them in Exploit-DB to see if a PoC was posted).
• I did a Google search. Not much here.
• I reached out to the dc404 mailing list. MAJOR KUDOS TO KARL S. AND MIKE C.
33. Path to Getting a CVE
• I was advised to go through MITRE by one and CERT by the other.
• I looked at the processes of each; CERT seemed simpler.
34. Path to Getting a CVE
• CERT said thanks, but you need to go through MITRE.
• I did the MITRE write-up.
• For MITRE to publish the CVE entry, the vulnerability must already be publicly disclosed (the entry needs a public reference to point to).
• Great. Where does one do that?
35. Public Disclosure
• I published in a variety of places:
  • Full Disclosure Mailing List (http://seclists.org/fulldisclosure/)
    • http://seclists.org/fulldisclosure/2018/May/17
  • Peerlyst (https://www.peerlyst.com)
    • https://www.peerlyst.com/posts/vulnerability-disclosure-insecure-authentication-practices-in-d-link-router-cve-2018-10641-joe-gray
  • My Website – Advanced Persistent Security
    • https://advancedpersistentsecurity.net/cve-2018-10641/
  • GitHub Gist (https://gist.github.com/)
    • https://gist.github.com/jocephus/806ff4679cf54af130d69777a551f819
37. Key Points and Takeaways
• Curiosity (and dumb luck) go far!
• Not all CTFs are garbage, just as not all CTFs are made of gold or even on the same level!
• You can make a difference in a product!
• Don’t accept answers that don’t make sense!
• No formally defined process was readily available for disclosing!
• Having a network of security professionals at your fingertips is invaluable (DEF CON Groups, CitySec, OWASP, other groups/Slack channels).
• Don’t be afraid or intimidated to ask for help.
38. Through the Hacking Glass
• Mission Statement: To provide free and low-cost training resources to enable information security professionals and aspiring professionals to expand their skill sets and marketability to close the skills gap. This is based on the frequent occurrence of a paradigm of employers seeking entry-level people with experience beyond typical formal education curricula. This further allows professionals and those seeking to enter industry the opportunity to gain experience beyond the walls of academic institutions or capture the flags (CTFs).
• https://www.peerlyst.com/
• tthg@peerlyst.com
• Twitter: @hackingglass
• Facebook: facebook.com/hackingglass
• Peerlyst: Through the Hacking Glass (as username or hashtag)
• Also hashtag TTHG
39. Future Speaking Engagements
• 10/4: Northern VA (Social Engineering Training)
• 10/5-10/7: DerbyCon
• 10/16: GridSecCon, Las Vegas (Social Engineering Training)
• 10/17-10/18: Cybersecurity Atlanta (hosted alongside ISSA International Conference)
• 11/10: Temple University CARE (Social Engineering training and co-presentation with Tracy “InfosecSherpa” Maleeff)