Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence led to a Vulnerability Disclosure 

From CTF to CVE: How Application of Concepts and
Persistence led to a Vulnerability Disclosure
Joe Gray

About Me/Why Me
www.hackerhalted.com 2
• 2017 DerbyCon Social Engineering Capture the Flag
(SECTF) winner
• Member of 2018 NOLACon OSINT CTF 3rd PlaceTeam
• Co-founder ofThrough the Hacking Glass
• Frequent Guest Blogger
• AlienVault
• Tripwire
• ITSP Magazine
• Dark Reading
• CSO Online
• Maintains blog and podcast at
https://advancedpersistentsecurity.net

2017 DerbyCon SECTF

2018 NOLACon OSINT CTF

Objectives/Flow
• DiscussTypes of CTFs
• Sources of CTFs
• Common CTFThemes
• Tools of theTrade
• Demonstrate Pros and Cons of CTFs/Applicability
• Finding a Bug
• Responsible Disclosure

Types of CTFs
• Self Contained
• VM
• Puzzles (think DEF CON badge shenanigans)
• Network orWeb Based
• Network King of the Hill (popular here with dc404)
• Social Engineering
• OSINT
• Missing Persons CTF is subset (h/t to Robert Sell andTrace Labs)
• Hack-a-thons
• DFIR
• Pros vs Joes

Sources of CTFs
• Conferences
• Vulnhub.com
• Hack the Box (hackthebox.eu)
• Root Me (root-me.org)
• Over theWire (overthewire.org)
• CTF365.com
• Companies (i.e. Google)
• Security groups (i.e. dc404 and dc865)
• OpenSOC

Commonalities
• Wordpress, Drupal, or Joomla
• Weak Passwords
• “Poor” Configurations
• Insecure Protocols
• HTTP, FTP,Telnet
• WebApplications
• NamedVulnerabilities
• Dirty Cow, Heartbleed, Eternal Blue, Kerberoast
• Cryptography
• Steganography
• Packet Captures

More Specialized CTFs
• OSINT
• Collect flags on predetermined targets
• Specific details about people from social media (Chris Silvers’ OSINT CTF)
• Collect flags about companies (and sometimes) the people of the company (Chris Hadnagy’s SECTF)
• Everyone is searching for the exact same flags (Silvers’ OSINT)
• Social Engineering
• OSINT and Report writing element
• Live vishing
• Each competitor has a unique calling time and unique target
• DFIR
• Conduct forensics and analysis on files provided vice hacking in
• BlueTeam or Pros vs Joes
• Actively monitor for further attack or analyze existing logs

Typical Tools of the Trade

Arguments About CTFs Being Realistic
• …but CTFs are not realistic.
• That is sometimes true.
• You may not encounter the same flag format in real life.
• The creative concepts used to gain access are the same in many cases.
• No one puts “incriminating” info in the page source. Wanna bet?

Told You So

• …but the CTF systems are too vulnerable.
• Again, this can be true.
• Speaking from experience, vulnerability management is still lacking.
• This also trains us to look for the most simple solution and not go “nation-
state” off the bat.

• …this CTF is nothing more than a gimmicky game.
• I won’t argue.
• Some are.
• These are about stimulating creativity and novel ways to attempt to attack.

Effective Uses of CTF Concepts
• Bug Bounties
• Security Research
• PurpleTeaming

Bug Bounties
• Just like a penetration test, you use the same concepts used in CTFs
to attempt to find security vulnerabilities for fun and profit.
• The use of nmap, Burp Suite, and fuzzers is a prerequisite.
• Any guesses as to a method to gain experience and comfort in using them?
• Your lack of knowledge of the target company will create a similar
blackbox or greybox scenario as a CTF.
• I have tried my hand at many bug bounties. I have made a total of
$100 and that was from OSINT. I fail far more often than I succeed.

Security Research
• Same a bug bounties but may have different terms or scopes.
• You may be targeting your internal assets (penetration testing) or
your personal devices (think IOT).

Purple Teaming
• Using the concepts of a CTF can help you work on building detections
for common attacks.
• Especially useful if you have a small shop.
• Exposes the BlueTeam to hands-on attack methodologies.
• The theoretical attack method is great, but we learn more by doing.
• Allows cross training and innovation.

My CTF to CVE Story
• Started on OSWP
• Bought the network card and router
• Finishing aVulnHub CTF
• Began configuring the router
• Had not backed out of my browser configuration routing traffic
through Burp Suite
• …the rest is history

The Router: D-Link DIR-601

Info
• D-LINK DIR-601 Router
• HardwareVersion: A1
• FirmwareVersion: 1.02NA

“Securing” a Router
• Determine and configure the following:
• Hostname
• SSID
• Whether to broadcast SSID
• Encryption (WEP, WPA, WPA-2)
• Key
• Channel
• Connectivity and configuration abilities over wireless
• HTTP or HTTPS?
• All these things are configured in the web interface

My Config
• Determine and configure the following:
• Hostname: Mothership
• SSID: Wireless Lab
• Whether to broadcast SSID: Yes
• Encryption (WEP, WPA, WPA-2): WEP
• Key : 123test123test123
• Channel: Auto
• Connectivity and configuration abilities over wireless: Yes
• HTTP or HTTPS?: No option for HTTPS
• All these things are configured in the web interface

The web interface you say?

Password Change

Logging Back in

Base64 Decoding

Great!
• NowWhat?

Next Steps
• I did some precursory OSINT to see if anyone else identified this
vulnerability.
• CVEs
• Exploit-DB
• Metasploit
• Google
• D-Link’s website
• I reached out to D-Link, a nice person namedWilliam triaged the
vulnerability.

Emails

Next Steps
• After a few back and forth discussions, William acknowledged the
vulnerability and advised me that the router and firmware was EOL
and no patch was expected for the foreseeable future.
• I asked when I could disclose andWilliam told me that I was welcome
to at any time. He asked that I include specific verbiage in my
disclosure and that I get a CVE for it.
• Great!
• Where is the manual for getting CVEs?

Getting a CVE
• I hadn’t found anything that warranted a CVE before, so I had to
learn how the process worked.
• I knew about CNAs (CVE Naming Authorities) and generally how they
work (spoken searching for them in Exploit-DB to see if a POC was
posted).
• I did a Google search. Not much here.
• I reached out to the dc404 mailing list. MAJOR KUDOSTO KARL S.
AND MIKE C.

Path to Getting a CVE
• I was advised to go through Mitre by one and CERT by the other.
• I looked at the processes of each, CERT seemed simpler.

Path to Getting a CVE
• CERT said thanks, but you need to go through Mitre.
• I did the Mitre write-up.
• For Mitre to publish the CVE, you must have already publicly disclosed the
vulnerability.
• Great.Where does one do that?

Public Disclosure
• I published in a variety of places:
• Full Disclosure Mailing List (http://seclists.org/fulldisclosure/)
• http://seclists.org/fulldisclosure/2018/May/17
• Peerlyst (https://www.peerlyst.com)
• https://www.peerlyst.com/posts/vulnerability-disclosure-insecure-authentication-
practices-in-d-link-router-cve-2018-10641-joe-gray
• MyWebsite – Advanced Persistent Security
• https://advancedpersistentsecurity.net/cve-2018-10641/
• Github Gist (https://gist.github.com/)
• https://gist.github.com/jocephus/806ff4679cf54af130d69777a551f819

The CVE

Key Points and Takeaways
• Curiosity (and dumb luck) go far!
• Not all CTFs are garbage, just as not all CTFs are made of gold or
even on the same level!
• You can make a difference in a product!
• Don’t accept answers that don’t make sense!
• No formally defined process was readily available for disclosing!
• Having a network of security professionals at your fingertips is
invaluable (Defcon Groups, CitySec, OWASP, other groups/Slack
channels).
• Don’t be afraid or intimidated to ask for help.

Through the Hacking Glass
• Mission Statement: To provide free and low cost training resources to enable
information security professionals and aspiring professionals to expand their skill sets
and marketability to close the skills gap.This is based on the frequent occurrence of a
paradigm of employers seeking entry-level people with experience beyond typical
formal education curricula.This further allows professionals and those seeking to enter
industry the opportunity to gain experience beyond the walls of academic institutions or
capture the flags (CTFs).
• https://www.peerlyst.com/
• tthg@peerlyst.com
• Twitter: @hackingglass
• Facebook: facebook.com/hackingglass
• Peerlyst:Through the Hacking Glass (as username or hashtag)
• Also hashtagTTHG

Future Speaking Engagements
• 10/4: NorthernVA (Social EngineeringTraining)
• 10/5-10/7: DerbyCon
• 10/16: GridSecCon, LasVegas (Social EngineeringTraining)
• 10/17-10/18: Cybersecurity Atlanta (hosted alongside ISSA
International Conference)
• 11/10:Temple University CARE (Social Engineering training and co-
presentation withTracy “InfosecSherpa” Maleeff)

Questions?
• Joe Gray
• jgray@advancedpersistentsecurity.net
• Twitter: @C_3PJoe/@hackingglass
• LinkedIn: linkedin.com/JoeGrayInfosec
• Facebook: facebook.com/JoeGrayInfosec
• Peerlyst: joe-gray

Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence led to a Vulnerability Disclosure

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence led to a Vulnerability Disclosure

Similar to Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persistence led to a Vulnerability Disclosure  (20)

More from EC-Council

More from EC-Council (20)

Recently uploaded

Recently uploaded (20)