Introduction

Welcome back, friend. My goal in this blog post is to describe my cybersecurity journey since my first Pros Versus Joes CTF in 2023, as well as some thoughts from this year’s event. I was encouraged to write a follow-up post, after some teammates stumbled upon my original post through a Google search, and found it informative about the PvJ CTF. This will not be a technical post, although I might consider publishing some of our game strategies, commonly used commands, and scripts in a future article. Click on these links if you have any questions about what a cybersecurity CTF (capture the flag) or Pros versus Joes CTF competition is all about.

A Few Thoughts From Last Year’s PvJ

Click on the link if you need a refresher from last year’s event. The three major highlights included:

  1. I had a lot of fun. A bit overwhelming at times, but very fun.
  2. I kept in touch with some of my teammates, from as close as my hometown to as far away as Israel.
  3. I learned a lot - I am a cybersecurity n00b so everything was/is exciting to me. I had such an awesome experience last year that I wanted to do it again this year. I am also a sucker for punishment.

A Few Things Have Happened Since Last Year’s Event

  1. I obtained my first penetration testing certificate! I was a Windows admin in last year’s PvJ and enjoyed learning about Windows attack/defense tactics. This encouraged me to review the Active Directory portion of The Cyber Mentor’s Practical Ethical Hacking course and challenge the Practical Junior Penetration Tester exam in December 2023. This is a practical exam with no multiple choice or essay questions; you have 48 hours to enumerate an Active Directory network, move horizontally/vertically within the network, elevate privileges and compromise the Domain Controller. You MUST pwn the DC, otherwise it is an automatic fail. You then have another 48 hours to submit a written report with your findings to the “client”. This exam simulates an internal penetration test, and you must pass both components in order to achieve the certification. If you are looking for an introductory exam/cert, or a confidence booster before taking a more rigorous exam, I highly recommend the PJPT. It was a great experience, and I actually had a lot of fun. I plan to challenge the Practical Network Penetration Tester (PNPT) exam in the next few months. This is a 5-day engagement where you begin with OSINT to assist with external penetration techniques to obtain a foothold in a network; next, you have to compromise the Domain Controller in an Active Directory network, followed by 48 hours to write a report for a “client”. [image: firstcert]
  2. In preparation for the above, I rebuilt my Active Directory lab in Proxmox to provide a persistent instance of the Domain Controller and client machines (previously built with VMware Workstation Pro) and documented the process in a series of blog posts, primarily for my own future reference. The configuration(s) were compatible with TCM’s PEH Active Directory module. [image: tcmadlab]
  3. After meeting and making new friends with like-minded people at last year’s PvJ, I started to attend our local BSides, DefCon and ISACA meetups; however, due to work and life commitments this did not occur as frequently as I would have liked. Highlights included meeting Micah Lee at our annual conference, and hanging out with a previous teammate (Father Stalin) who was visiting from another country and presented to our local DefCon group. [image: micahlee] [image: dcmeetup] These events and milestones would not have occurred had I not participated in the 2023 PvJ.

Pros Vs Joes 2024 - Here We Come!

Since I had such an awesome experience at the 2023 PvJ, which also led to other positive events afterwards, it was only natural that I would apply to participate in the 2024 BSidesLV Pros Vs Joes CTF. I had the same 3 goals as last year:

  1. Have fun.
  2. Make new friends, and see old friends.
  3. Learn new stuff :)

On June 10 2024, I was relieved to receive an email from dichotomy that I had been selected as a Blue Joe for this year’s PvJ. Phew. But imagine my surprise when I found out I would be competing with the same team captain (Gx00) as last year! (Double Bonus!). Let the preparations begin!

Strategies We Repeated From Last Year

  • We had weekly meetings, starting with individual introductions, a description of game play/rules, and discussion of overall team and subteam strategies. One of our important tasks was to choose a team name (There’s No Way It Was DNS) and a team graphic. [image: teamavatar]
  • We created subteams, i.e. firewall, DNS, Linux admins, Windows admins.
  • We had a Google Drive to archive our documents.
  • On game day, we used one document to store all keys, passwords, server information, etc.
  • Our table was arranged by subteams (see pic below).
  • For my own personal preparation, I started and completed The Cyber Mentor’s Linux Privilege Escalation course. This was my first time taking the course and I really enjoyed being back in the Linux world after spending the last year focussed on Windows-related vulnerabilities. I then reversed the enumeration and exploitation processes, thinking about network security from a Blue Team perspective.
  • I used a similar hardware setup to last year’s. Squeezing 12 teammates around a table does not leave much room beyond the width of a laptop and a water bottle. I used a laptop stand to bring the screen to eye level to minimize neck and back discomfort. I also brought a mechanical keyboard and gaming mouse (with mousepad) to maximize my typing accuracy and minimize wrist discomfort. Lastly, a privacy screen was recommended to all teammates to avoid clandestine shoulder surfing. [image: teampic1] [image: laptop]

Things We Did Differently This Year

  • Our teammate Eugene created an awesome Discord server with sub-channels; I mainly stuck to my own channel for most of the CTF, i.e. linux; however, I was more focussed on attacking and setting up beacons for the last 2 hours, so the attacking and beacon sub-channels were useful for exchanging credentials, discussing privilege escalation paths, and setting up beacons. There are pros and cons of using one Slack channel for all communications (very messy and busy to follow, search is your friend) versus segmented sub-channels for various topics (it is easy to miss important messages in other sub-channels). YMMV with either method.
  • We had a team dinner the night before the CTF. Unfortunately I could not attend the dinner but I heard it was a lot of fun with some additional team bonding and strategizing.
  • Scripting - there was a lot more talk about scripting and incident response strategies with the Windows and Linux admins - and scripts were prepared in advance of the CTF. I recall some of our Linux admins prepared some scripts in advance last year, I think Gx00 even prepped a C2 module. TheGwar and I did not prepare any scripts in advance last year; this year’s Windows admins were MUCH stronger than we were in 2023 (this is not a slight against my Windows-mates from 2023, we just did things manually).
  • I did not write any custom scripts, but the LinPEAS.sh bash script had an important role in my toolkit. [image: writable services] [image: discord]

My Awesome Teammates - The 2024 Version

  • My co-captains this year were Gx00 and BLu3f0x; both had experience as PvJ Joes (players) and Pros (team captains). I’m not sure how Gx00 felt about being stuck with me on his team again, LOL. They were pretty chill during the leadup to the CTF, as well as during the game days, which was a pretty important attribute to have when everything is falling apart during the game.
  • Similar to last year’s team, there was a real mix of skill sets, ages and industries. In fact, the team make-up was much more heterogeneous compared to 2023.
  • I was a Linux admin with 3 other amazing teammates: one of them won the National Collegiate Cyber Defense Competition and now coaches a college team; his attack/defense skills and knowledge of both Windows and Linux environments blew me away. He could easily have been a Blue Pro. The other two were younger in age but LEGENDARY in skills. One recently finished their freshman year in college (computer science), and the other just graduated from high school; both have been competing in their high school’s CyberPatriot programs/competitions since 8th grade. I was honestly amazed by their knowledge base, skillsets, and most importantly, their maturity and ability to work in a team environment. I repeatedly told them they have bright futures ahead of them, regardless of what they choose to pursue, and I am excited to see where they are in 5 and 10 years.
  • There were TWO ANTHONYS – and BOTH were Windows admins, LOL
  • I did not have time to mingle with the Windows admins as much as I wanted to, but I was extremely impressed to learn one made a career change from chemist to cybersecurity! During the game days, I empathised with their frustration as they were continuously trolled by Red Team, despite their best efforts to sanitize the Windows boxes - flashbacks from 2023. I enjoyed working with BluP3gu1n and Noah, who were able to gain footholds on enemy Windows servers and helped set up beacons to score bonus points for our team.
  • Then there was Eugene, our DNS-Dude. He was very enthusiastic about his role, and epitomized what PvJ is all about - he dug deep into the topic, gave a presentation during a team meeting, and developed customized strategies for a resilient DNS server (cuz you know, it’s NEVER DNS). He also took notes for our team meetings, built our team spreadsheets, and deployed our team Discord server. Lastly, while the rest of us used a variety of laptops for the CTF, he built and used cool Pi-based rigs for the CTF. Seriously, you have to be a certain level of l337 to do that. He’s also Blue Pro ready. [image: eugene1] [image: eugene2]
  • I met hamsterman at last year’s PvJ. We had kept in touch over the year and I was happy to learn we were on the same team this year. He was our Firewall-Dude this year but unfortunately sat at the opposite end of the table, and we didn’t have much of a chance to interact. BLu3f0x was also on our Firewall-Squad but was pulling double-duty as Co-Captain as well.
  • Gx00 (aka Team Captain) - I think he looked more relaxed this year since he was able to concentrate on his role of Team Captain: asking sub-teams if they needed advice or assistance, coordinating team actions, and interacting with Gold Team regarding infrastructure issues, resetting servers, etc. Last year, he had to take on the responsibility of Team Captain as well as a Player leading our Linux admins. However, I wonder if he missed playing this year, a drawback of being a Team Captain. [image: teampic2]

Some Brief Comments From 2024 PvJ

This section is intentionally vague to avoid any potential spoilers for future games. There are good resources on the internet to describe Tactics, Techniques & Procedures for Incident Response, APT/Threat Actors and Attack/Defense CTFs. I would like to focus more on what to expect during the PvJ:

  • The BSidesLV and PvJ organizers provided a buffet breakfast and lunch on both days. This was both delicious and greatly appreciated, allowing participants to focus on the game and not worry about taking time away to find a meal.
  • There were fewer servers/services to manage this year, i.e. 25, compared to last year’s 37, which was ridiculously difficult to manage; however, 25 servers for 12 operators was no easy task either.
  • There was the usual mixture of Windows (stand-alone machines and Active Directory forests, i.e. a Domain Controller with clients), and Linux machines (all Ubuntu, with services including mail, kubernetes, and puzzles). We did not have any weird services, i.e. PBX boxes or Jira servers, to deal with this year, LOL.
  • True to Red Team’s reputation, their trolling remained relentless. As I said last year, get used to it. Treat this more as an incident response exercise rather than an attempt to completely sterilize your machines. See last year’s post for more examples (particularly on Windows machines). [image: gimmeacookie]
  • Our team was penalized for a possible denial of service attack (I think the definition was loosely applied and related to disabling the GUI for an important service on enemy servers). The penalty equated to the time period involved (approximately an hour multiplied by the associated points delta), which resulted in our team dropping from first to third place. We were temporarily demoralized but rallied to gradually creep our way back towards the second and first place teams by concentrating on strong defense/DFIR.
  • Oh, then our Firewall went down for what felt like an eternity, possibly related to an unsuccessful update procedure, and required “paying” Gold Team with points to revert to a previous working clone. Of course, with no packets entering/leaving, we were not scoring points during this time.
  • With two hours remaining on the clock we decided to go hard on the offensive and planted our first beacon on a competitor’s server at 3:19 pm; we were in third place at that time. A beacon is a unique UUID that you send from a compromised server on another team, which will in turn score bonus points for your team. This was a team effort: with Anthony, Noah and BluP3gu1n helping to gain footholds on enemy machines, I was able to initiate some beacons using common tools such as certutil, python3 -m http.server, and netcat. My teammates were able to script automatic pings to the beacon server every 4 minutes. I think we planted 6 beacons in total across 3 machines. I found this quite exciting since I was not able to successfully plant any beacons in 2023. [image: beacon]
  • We continued to plant as many beacons as possible, right to the last second of the game. My last beacon was placed at 4:54 pm (see pic below). These additional bonus points likely helped us crawl back to first place. [image: lastbeacon]
  • The game ended a few minutes later while I was trying to plant another beacon, and my teammates told me we had narrowly won by a slim margin of 1% in points. The other teams were very close behind, and within one or two “ticks” (every 3 minutes) we probably would have lost the lead. [image: finalscore]

EOF

I am so happy that I was able to participate in the 2024 PvJ. I absolutely fulfilled my three goals to (1) have fun, (2) make new friends, and (3) learn a lot. Furthermore, I felt I was able to contribute more meaningfully in this year’s CTF. Although our team won by the thinnest of margins, this was not the point of the Pros Versus Joes CTF, where Red Team does a very good job of trolling, demoralizing, and maintaining fairly balanced scores between the teams. When I started my cybersecurity journey with The Cyber Mentor’s Practical Ethical Hacking 4 years ago, I never imagined it would have led to all these amazing experiences, from meeting giants in the cybersecurity field, making new friends, competing in Jeopardy-style and Attack/Defense CTFs, or winning a Pros vs Joes CTF.

Lastly, to top all of this off, my team captain Gx00 nominated me to join the PvJ Staff as a Blue Pro/Captain, and I was recently onboarded by Dichotomy.

In one of my first blog posts in 2020 I likened myself to Bilbo Baggins starting an adventure with Gandalf; perhaps it would be fitting to end this article with a quote from Bilbo:

Don’t adventures ever have an end? I suppose not. Someone else always has to carry on the story.

If the last 4 years have been any indication, I cannot wait to see what the future will bring.

Thank you for reading to the end of this post.

ip3c4c