At Cisco Live this year in Las Vegas, a coworker (Paul Giblin Twitter: @dreamlessod) and I decided to attended a new kind of event hosted by Cisco. The event was titled "Cisco Capture the Flag: A Full-Stack, Team-Based Competition". The competition was a structured game where teams compete in order to try and solve challenges related to networking, operating systems, applications, forensic analysis, and security; and the winning team gets Intel NUC computers. While CCIE is listed in the title, having a CCIE certification was not a prerequisite to attend and compete (good for me as I don't have a CCIE certification).
First of all, this was a VERY challenging competition, and I really enjoyed that it covered such a wide breadth of technical domains. While it was network-focused, it required the teams to really have a wide array of expertise in order to successfully navigate the challenges. With that said, I wanted to share the various challenges and solutions that were part of this competition in order to get the word out about this competition in hopes that Cisco will decide to do it again next year. In case you're wondering, the creators of this course are fine with me sharing the solutions.
The competition started with a web portal with a map of the world, and each challenge was a country. When you clicked on the country, you would be presented with the scenario and a clue as to what the flag was that you needed to capture. When you found the flag, you would enter it into the web portal and collect points.
The site was a global map similar to this and you were able to click on countries. Each country was a challenge to complete.
United States (50 Points)
In this challenge you were presented with a router who had an adjacent router which was configured with IPv4 and IPv6 addressing, and running OSPF, EIGRP, ISIS, and BGP. The challenge was to configure your router to bring up the adjacencies and peerings with the other router, and then there would be a host route that you would learn via each protocol. One of those host routes would be the "flag". Once complete, you enter the host IP address into the CTF portal and you get 50 points.
The solution was pretty standard. Just configure routing for the four protocols and learn the prefixes.
Spain (100 Points)
It was a similar scenario in the Spain challenge as to the US challenge. You need to bring up a BGP peering with an adjacent router. Here's the kicker, first, it is using IPv6 addressing, and second, you have to peer using a Linux server, not a Cisco router. Once the peering is up, there is a host route that your linux server will learn, and that is your flag.
The solution for this challenge was to first configure the linux server's second NIC for IPv6 and configure it with a static IPv6 address. The second part of the solution was to configure a BGP daemon on the linux server and peer with the router. In this case we used Quagga. With a little trial and error, and reading the manual, we were able to get the peering up.
Australia (100 Points)
This challenge presented you with a linux server and gave a clue that some other device was transmitting the flag to you. That was the entirety of the clue; pretty vague, right?
So at first everyone struggled on this one because tcpdump showed zero packets coming or going from the NIC on the linux server. Eventually the proctors made an adjustment to the lab and packets started to flow. The flow of packets was a multicast stream of data. We figured the stream of data must contain the flag and we just needed to figure out what kind of data it was and read it. So we took a packet capture with tcpdump, SFTP'd it off the box and loaded up Wireshark. Once in Wireshark, we looked at the
Statistics > Conversations and saw three distinct streams. Looking at one of the streams' meta-data showed that it was MPEG2 encoded data. From there, we used
Decode As in Wireshark and selected RTP. Then,
Telephony > RTP > RTP Streams. From there we analyzed the streams, and exported the stream bytes to a file. Once we had extracted the bytes from the packet capture and saved them to a file, we opened it with VLC media player and it was a video that showed an IPv6 address. This was our flag!
China (100 Points)
This challenge's clue said that there was an adjacent router in which you needed to bring up a BGP peering. That was it. There was no other information given.
To start, we knew that the other router was already configured for BGP so we used the Embedded Packet Capture feature in the router to get a PCAP and export it to the laptop and open it in Wireshark. We could see the packets coming in on TCP/179. What we were hoping is that we could see the BGP OPEN message which would have the neighbor's AS number. Unfortunately though we did not see that. The reason why is BGP must have TCP established first, so we configured BGP on our router even though we knew that we didn't have the correct information. At this point, we still could not see the BGP OPEN message as we still could not get a TCP handshake established. We could see that option 19 (MD5 checksum of TCP packet) was present in the TCP SYN packet so we knew that we had to crack that password for that MD5 checksum in order to complete the challenge. At this point in the competition, we ran out of time.
Below is the solution that I came up with, but was not able to complete. And at the very end, I will give the other solution that one of the other teams came up with. They actually did complete the China challenge and shared their method after the competition ended.
My Proposed Solution
RFC 2385 defines TCP option 19 which is a MD5 checksum of the TCP pseudoheader, TCP header, TCP payload, and the password (source). I was going to take all of these fields from Wireshark and then brute force the password and try and find an MD5 checksum that matched what was extracted from the packet capture.
An Alternative Solution
One of the other teams brute-forced the BGP MD5 password by looping over the packet capture with the
tcpdump -M option. The
-M option allows you to specify a checksum password and tcpdump will tell you if it is valid or not. Much easier than attempting to do it my way.
But Wait, There's More
Now that the BGP password is known and now configured on your router, you can see what AS number the other router is configured for in the
BGP OPEN message. Once you have configured both the remote-as and the password, you still will not be able to form a peering. This is because the other router only sends his own ASN, not what ASN he thinks the peer to be. So, then you must brute force your ASN and keep trying different ASNs on your router until you happen to guess the one that the remote router is configured to peer with. Only then will the peering come up and you can get the BGP learned prefix, which is the flag for the China challenge.
I really enjoyed this competition and it is not quite like any CTF I have ever seen. Most are security or networking, but not a total mixture of so many different technical domains. I hope that Cisco continues this again next year. In case you were wondering, my team (Team Presidio) did win the competition. That said, I just want to say that there were so many skilled teams and it was really fun to discuss with everyone how they came about their solutions.
Here are the NUCs! I'm thinking about using it to run some containers with different services for my house (think Plex, and other such things).