At BSides earlier this year Redacted conducted an espionage, physical, cyber security challenge event. We hadn’t seen a Black Bag event in Australia since Ruxcon 2016, and our business has been doing reasonably well so we thought we’d do something fun to give back to the hacker community.
This write up will not be told in time order. Everything I describe for the lead up to the event happened concurrently. It was a bit of a sprint really.
We pitched the idea of building a physical challenge environment in the conference centre to the BSides organisers and they accepted. We were already a Gold Sponsor of BSides 2023, but we wanted to do something more tangible. Our only requirement for the event was a room, and a spot on the schedule.
Simon and I threw around some ideas and then made a rough plan. The key decision in our plan was to build a space for the challenge. Other black bag events had used an existing room or environment (such as Ruxcon using an actual hotel room in 2016). We decided that more control over the physical properties of the space was required to achieve our aims.
Our aim with this event was to exercise not just cyber security, or even red team type skills, but a lot of the secondary skills which can take a hacker from good to great. In priority order we wanted to focus on:
- Planning
- Operational Security
- Critical Thinking
- Teamwork
- Decision Making
- Technical Red Team
- Digital Forensics
- Espionage
- Intelligence Gathering
To do this we wanted teams to have access to parts of the environment that wouldn’t be possible in a third-party space. The door, power points, furniture, vents, lighting and other parts of the space all needed to be within our control. A secondary effect of this control was also to prevent teams from meta gaming their way to success (e.g. that thing there isn’t important because it’s clearly part of the conference centre).
So, we built a motel room.
It wasn’t as easy as we had hoped, but also didn’t become too hard because we planned well. Simon led the way on planning the fabrication of walls. He even did up a quality floor plan:
I assisted him in his woodwork workshop for just over three days. We even took a speed video of some of our activity.
The most difficult part was making the door sturdy enough. We didn’t want people to be able to manipulate the frame to get the latch out or use any other means to open it other than what we intended for the challenge.
Look, I guess we’re saying it was hard. But totally worth it. When we set it up in our rehearsal space (thank you to Southwell Scout Group at Aranda Scout Hall and your Scout Lord) we finally got to appreciate the scale and feel some of that sense of achievement:
Aside from the walls we needed furniture, hotel paraphernalia, challenge and team items, and personal items from our target. A lot of these we got from the Green Shed in Mitchell (https://thegreenshed.net.au/). The second-hand furniture fit the vibe we wanted for our budget 70s Charnwood Manor Motel (more on the scenario later).
All told we needed to acquire and pack the following list:
General
- Flats
- Posts
- Long screws for posts
- Wood corner braces
- Steel brackets
- Short screws for brackets
- Redacted sign
- Briefing television
- Television remote
- USB with briefing video on it
- Two foldout tables
- Three curtains
- Power cables (at least three)
- Forearm forklifts
- DOOR KEYS
- Masking tape
- Label maker
- Door sweep
- Fly up screen
Bathroom
- Bathroom floor
- Short screws for brackets
- Shower
- Towel rail
- Towel
- Toilet roll holder
- Toilet paper
- Toilet
- Firearm for toilet
- Vanity
- Mirror
- Scales
- Circular vent
- Shower caddy
Walls
- Rectangular vent
- Wall card reader
- Power outlets
- Live power outlet
- Hallway lights
- Door numbers
- Hallway CCTV sign
Living room
- Wardrobe
- Ironing board
- Clothes
- Rug
- Bin
- Books
- Coffee table
- TV stand
- Television (plasma)
- Couch
- Couch legs
- Beds (two)
- Mattresses (two)
- Pillows (two)
- Sheet sets (two)
- Doonas (two)
- Bedside tables
- Suitcase
- Clothes
Housekeeping Cart
- The cart
- Towels
- Some tied bags of rubbish
- Spray bottle
- Cloths
Challenge Items
- microSD (red/black)
- microSD (white/black)
- SSDs
- Red USBs
- Shredded intel
- Briefcase
- Blue USBs
- Audio bugs
- Keys
- Housekeeping cards
Paper items
- TS Doc
- Dossier
- Counterintel manual
- Letter
Staff items
- Apron
- Backstage lights
- Front stage light
- Clipboard 1, 2, & 3
- Consumable debrief pages
- Storage boxes
- Radios (three) and earpieces
- ALCOHOL WIPES
Loan items
- Lockpick kit
- Borescope
- UV Torch
- Screwdriver Set
- USB A/C Card Reader
- Hi-Vis vests
- Fingerprint Kit
- Nanny Cam
- Head Torch
- USB to SATA/IDE bridge
- Clipboard with ‘tough tac’
… there was a lot of running around making sure we had everything.
Some of these items won’t make sense without you understanding the scenario. We’ll get there. First though, let’s talk about some of the team logistics.
We wanted to have as many people through as possible, so with that in mind we set the team size to a minimum of 5 (so we wouldn’t have ones and twos consuming a whole slot), and a maximum of 7 (even 7 feels a little crowded in the room). I thought about how to register people for a long time. I wanted people to be able to self-register rather than have us do it, so I resisted the ‘email us your team details’ angle. We also needed to communicate the mission brief and a few particulars to teams after they registered.
I resolved to automate the process with whatever I had on hand. This turned out to be: Microsoft Bookings, Power Automate, and Microsoft Forms.
We had our creative design agency people (https://shoelacecreative.com) make us a sweet signup page which we hosted on Linode (sorry, ‘Akamai’) with a basic Nginx web server:
The buttons at the bottom link to a Microsoft Bookings page, or a Microsoft Forms form (depending on if you’re an individual or a full team ready to book):
I then set up a Power Automate task to trigger whenever anyone made a booking. The task: initialised some array and static string variables to hold details about the team, parsed their booking response for team member emails, made each member a user in our CTFd server, and then emailed them a booking confirmation along with the mission brief:
This was intended as an automated ‘hands off’ approach to taking bookings. Unfortunately, there were no good tools available to me to validate input in the booking custom fields, so some people didn’t enter emails, which created all sorts of problems. Every few days I put individuals who had signed up into teams and booked them a slot.
We got there in the end, with the entire event booked out the day before BSides, much to the disappointment of everyone who walked up to check it out.
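The validation that the booking form could not do is straightforward to bolt on in front of the user-creation step. The following is an added example, not the Power Automate flow from the event: it takes the free-text ‘team member emails’ field, rejects tokens that are not addresses, enforces the 5 to 7 team size from the rules above, and only then builds the per-member JSON bodies. The `ctfd_user_payloads` shape assumes CTFd’s admin users endpoint accepts `name`, `email`, `password` and `type`; the sample field is constructed.

```python
import re
from dataclasses import dataclass, field

MIN_TEAM, MAX_TEAM = 5, 7  # team size limits from the event rules

# Deliberately simple address check: one local part, one '@', a dotted domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass
class Intake:
    accepted: list = field(default_factory=list)  # normalised, de-duplicated addresses
    rejected: list = field(default_factory=list)  # tokens that were not usable addresses
    problems: list = field(default_factory=list)  # reasons the booking cannot be auto-accepted


def parse_members(raw_field: str) -> Intake:
    """Split a free-text 'team member emails' field into usable addresses.

    Accepts commas, semicolons, whitespace and newlines as separators, lower-cases
    and de-duplicates, and records anything that is not an address (a bare name,
    an empty field) instead of silently passing it on to user creation.
    """
    out, seen = Intake(), set()
    for token in re.split(r"[,\s;]+", raw_field.strip()):
        if not token:
            continue
        addr = token.strip("<>").lower()
        if not EMAIL_RE.match(addr):
            out.rejected.append(token)
        elif addr not in seen:
            seen.add(addr)
            out.accepted.append(addr)
    n = len(out.accepted)
    if out.rejected:
        out.problems.append(f"{len(out.rejected)} entries are not email addresses")
    if n < MIN_TEAM:
        out.problems.append(f"only {n} valid members; minimum is {MIN_TEAM}")
    elif n > MAX_TEAM:
        out.problems.append(f"{n} valid members; maximum is {MAX_TEAM}")
    return out


def ctfd_user_payloads(intake: Intake, team: str) -> list:
    """JSON bodies a flow would POST to CTFd's /api/v1/users, one per member.

    Produced only for a booking with no problems, so a bad field stops the flow
    here rather than creating half a team. The password is a placeholder a real
    flow would replace with a generated one (assumed endpoint shape, see lead-in).
    """
    if intake.problems:
        return []
    return [{"name": f"{team}-{i}", "email": addr, "password": "GENERATE-ME", "type": "user"}
            for i, addr in enumerate(intake.accepted, start=1)]


# Constructed booking field: a bare name, a duplicate in different case, five good addresses.
SAMPLE_FIELD = ("alice@example.com, Bob Smith; bob@example.com\n"
                "ALICE@example.com carol@example.com dave@example.com erin@example.com")
```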
Now, on to the scenario. Each team got sent a full mission brief:
As you can see, there’s quite a bit there. You may also be able to infer that we’ve set up some fake websites for intelligence gathering prior to the event, and have other people performing roles in this challenge.
The websites were designed by our great creative people over at Shoelace Creative. There is one for the fictional hostile nation of Burligrifistan: https://burligrifistan.xyz and one for our motel: https://charnwoodmanor.net/. They’re both still up so please take a look and see if you can spot the intel we’ve seeded through them.
As indicated in the brief, teams can borrow tools, and are given an implant to persist on the target’s device and an audio bug to plant. We knew the mission brief might be a bit much to take in so I also made a video that the team is shown just before they go into the challenge area:
Once teams were permitted to enter, they had to listen to the follow team (played by one of our actors) on the radio for the mission go-ahead. To ratchet things up a bit we had the lights off, as the hotel lights are controlled by a card activator in the room.
Once the follow team told the exploitation team to go, they were permitted beyond the curtains into the Charnwood Manor Motel hallway. The team has to move around the hallway to the room door. Originally, we were going to have decoy doors in the hallway, however we ran out of time for this. We did, however, put a housekeeping cart in the hallway, which has several useful items if the team looks hard enough. Not least of these is a key chain with about 18 random keys, one of which goes to the door. Once the team goes into the room there are 27 flags for them to find. We’ve written them all into this handy table below:
Challenges

| Name | Category | Solution |
| --- | --- | --- |
| Whats a ‘charnwood manor’? | OSINT | Within the HTML of the Charnwood Manor site is a flag. Inspect the source to find it. |
| Visit beautiful Burligrifistan | OSINT | “Like the minimum characters of their password policy, Burligrifistan also have 8 lakes. What is the name of the eighth lake?” This information can be found on the Burligrifistan site, and ensures teams go there at least once. |
| Door | Physical Access | The room door lock can be picked, or as it opens outwards the latch can be hooked with a rigid shim tool. The key is also in housekeeping’s cart. Finally, as described, housekeeping will eventually turn up and let you in if you ask nicely. The flag is on the reverse of the door. If the team has not gained entry in 6 minutes, then housekeeping shows up and grants them entry if they ask. If this occurs, housekeeping does not also perform an interference mechanism, as the team has already lost 6 minutes. |
| Safe | Physical Access | The safe is set to the default combination, which can be found by looking at the motel website to find the safe model, then looking it up online. Alternatively, if teams bring the supplied UV torch they can use it to reveal frequently pressed buttons on the safe, giving them three numbers to work with. Lastly there is an emergency keyhole with a simple wafer lock that can be picked. The flag is on the inside of the safe door. |
| Laptop | Digital Forensics | The target’s laptop is unlocked for a regular user, with a password-protected admin user. The Wi-Fi the laptop is connected to has the flag as its password. If the team logs in as the regular user they can get this from the Wi-Fi security settings. |
| Laptop 2 | Digital Forensics | There was a file recently deleted from the laptop. If they pull a disk image, or use a parsing program such as Agent Ransack, then they’ll be able to retrieve it and get the flag. |
| No Klepto | OPSEC | The team must not simply take what they need from the room. They need to maintain OPSEC and leave the target’s things in the room. This flag is given after they finish. A staff member meets the team as they exit the room. They check the room and the team, and if they have not taken anything then they are given the flag. |
| Poltergeist | OPSEC | The team must leave the room as close to the state they found it as possible. This is to maintain OPSEC. If they have tossed the place then the target will know someone has been in the room. |
| Tac Case | Physical Access | There is a tactical case with a 3-digit combination padlock. If they unlock the padlock then they get the flag in the case. |
| Get Crackalackin | Cryptography | There is a book box in a pile of books on the coffee table shelf in the room. Inside is a red USB. On the USB the team will find an encrypted file. To decrypt the file they simply need to make a wordlist from the Burligrifistan website and then crack the encryption with the wordlist. |
| Whats my name? | General Intelligence | The team needs to find out what the target’s real name is. This can be found in a few places, such as the dossier in the safe, or another document in the tac case. |
| Whats my purpose? | General Intelligence | This can only be found in the folder in the safe, or on the administrator user’s desktop on the laptop. |
| Execution | Red Team | All the red team challenges are scored manually. The implant they are provided with gives us information on how they used it (see further down). Not least of which, they need to run it. |
| Privilege Escalation | Red Team | If they can, they need to execute the implant with admin privileges. There are a number of ways to do this. The easiest is to take the hard drive out, plug it into their own computer and put the implant in an admin folder with a startup run task or any other autorun mechanism. |
| Defence Evasion | Red Team | The team needs to try and hide the implant. This can be as easy as putting it in a Google Chrome folder and naming it ChromeUpdate.exe. |
| Persistence 101 | Red Team | The executable needs to be set to persist. Even a scheduled task will do here. |
| Persist. I insist! | Red Team | If they do a particularly good job at persistence, say they were able to make a system service that executes the implant, then they get awarded this flag. |
| For the glory of Burligrifistan | OSINT | If the team scrapes all the images from the Burligrifistan site and parses them for metadata, they will find that one of the images carries a flag in its EXIF data. |
| Burn after reading | General Intelligence | Inside the bin in the room is a strip-cut shredded paper document. Taking this paper will cause the team to lose the No Klepto challenge UNLESS they take one of the “housekeeping has cleaned your room and made your bed” cards from the housekeeping cart and place it in the room before they leave (as housekeeping would empty the bin) AND actually make the bed and clean the room. The document is encoded with a single alphabet rotation cypher. The team needs to reassemble it and decode it for a flag. |
| Bed Bugs | OPSEC | The team is given an audio bug to hide in the room. After they exit, the staff member will ask them to show where it is placed and then award a flag if it is reasonable. Good spots were power points, behind the built-in mirror in the wardrobe, and within the couch lining. |
| Curfew | OPSEC | The team does not know how long they have. The only warning they are given is when the follow team radios to say the target is coming up from the motel bar. This occurs at 14 minutes. The team needs to leave immediately at this point, as it only takes 30 seconds for the target to return. If they leave before the target arrives back then they are awarded a flag by staff. |
| The 90s is calling | Digital Forensics | Hidden in the lining of the target’s suitcase, under their clothes, is a Nokia 8210 dumb phone. If they find the phone they can unlock it with the code 1234, or they can take the microSD card out. On the microSD is an SMS backup file. The SMS backup for this phone is in a proprietary Nokia format, so they will need to use the phone then and there to restore it and get the base64-encoded flag from the restored messages. There is also an audio message on the phone. The audio is in Russian; if they translate it, they’ll find it contains the admin password to the laptop. |
| Laptop 3 | Digital Forensics | There is a file on the administrator’s account on the laptop containing an assassination mission plan for the target to carry out; it also contains a flag. Teams need to get into the administrator account, or simply take the disk out of the laptop and read it for the flag. |
| Where is my watch? | Physical Access | Under the bed is a small lock box. The lockbox is somewhat old and so can have the latch manipulated, or the lock picked easily. Inside are some US notes, an expensive-looking watch, and a flag. |
With flags in hand, teams then submitted them to our CTFd server for points. Surprisingly no one went for the forensic flags, and all attempted the Red Team exploitation as first priority. With limited time available teams could really only do one or the other. It’s impossible to execute an implant on a disk while it’s being imaged, and they only have limited time.
Besides challenges, we also used ‘interference mechanisms’ and red herrings. These are things which interfere with the mission or send the team down a rabbit hole:
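The Get Crackalackin challenge in the table above turns on building a site-specific wordlist. This added example (not from the event) does the CeWL-style part with the standard library: it harvests visible text, titles and alt text from a page, keeps words of at least 8 characters (the minimum the fictional password policy states), adds case variants, and runs the list against a password-protected artefact. Because the page does not say what encryption the USB file used, the target here is a constructed key-check value (PBKDF2 key, HMAC over a label); against a real file the same list would simply be fed to hashcat or john. The HTML, salt and lake name are constructed.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser

MIN_LEN = 8  # the fictional site's stated password-policy minimum


class TextGrabber(HTMLParser):
    """Collect visible text plus title/alt attributes, skipping script and style blocks."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        self.chunks.extend(v for k, v in attrs if k in ("alt", "title") and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_wordlist(html: str, min_len: int = MIN_LEN) -> list:
    """Unique words from the page with lower-case and Capitalised variants, at least min_len long."""
    grabber = TextGrabber()
    grabber.feed(html)
    words = re.findall(r"[A-Za-z][A-Za-z0-9'-]*", " ".join(grabber.chunks))
    candidates, seen = [], set()
    for w in words:
        for variant in (w, w.lower(), w.capitalize()):
            if len(variant) >= min_len and variant not in seen:
                seen.add(variant)
                candidates.append(variant)
    return candidates


def make_check(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a password-verifier: PBKDF2 key, then HMAC over a fixed label."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return hmac.new(key, b"key-check", "sha256").digest()


def crack(salt: bytes, check: bytes, wordlist: list):
    """Return the first candidate whose derived check matches, or None if the list misses."""
    for cand in wordlist:
        if hmac.compare_digest(make_check(cand, salt), check):
            return cand
    return None


# Constructed sample page and artefact; the lake name is invented for this demo.
SAMPLE_HTML = """<html><head><title>Visit Burligrifistan</title></head><body>
<h1>Welcome to Burligrifistan</h1><p>Home of eight lakes and the Grifolan mountains.</p>
<img src="lake.jpg" alt="Lake Vortharion at dawn"><script>var x = 'notaword';</script>
</body></html>"""
SAMPLE_SALT = b"constructed-salt"
SAMPLE_CHECK = make_check("Vortharion", SAMPLE_SALT)
```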
Interference & Distractions

| Name | Category | Description |
| --- | --- | --- |
| Housekeeping | Interference | Housekeeping will attempt to come and clean the room at 6 minutes into the team’s mission. If the team does not put a ‘Do Not Disturb’ sign on the door or use the chain lock for the door, then housekeeping will enter without much warning and start vacuuming and asking questions. If the team asks housekeeping to leave, then they will immediately. If not, then housekeeping will remain and make themselves a nuisance. |
| Radio Operator | Interference | The radio operator will not shut up. They will describe in detail everything the target is doing at the bar and give all sorts of irrelevant opinions. To stop this, the team member with the radio needs to ask the follow team to only give important updates. |
| False Alarm | Interference | At 12 minutes the radio operator will give a false alarm that the target is returning: (with significant urgency) “Bravo Five One, the target appears to be abruptly ending the meeting, they’re getting up, the target is heading back to their room…” 3 seconds wait. “Oh… no, don’t worry. They’re going to the toilet. Continue your mission Bravo Five One. I say again, false alarm, the target is still in the bar.” “Bravo Five Two out.” This achieves two things: it scares the bejebus out of the team, and it prepares them to listen and bug out quickly. |
| Love letter | Red Herring | In the bedside table drawer is a roughed-up letter written in Russian. It is a soppy, somewhat softcore, love letter from Ivan back in Burligrifistan. No flags. |
| Weapon | Red Herring | In the toilet cistern there is an H&K USP 9mm semi-automatic pistol (it is a fake resin mould pistol with the front of the barrel painted orange). The firearm seems like it should be intelligence, but it actually has no value to the team. |
| Nanny Cam | Red Herring | There is a camera badly hidden in a tissue box that is not recording and holds no value to the team. This was originally an actual challenge, however the camera broke the day we bumped into the conference centre. |
We also seeded a clue document in the form of the ‘Burligrifistan Special Operations Department: Counterespionage’ manual, which could be found in the tac case:
As you can see, this outlines some clues for where the team might find intel. The other document artefacts described in the tables above are also here for your perusal:
Redacted does not repeat scenarios or challenges, so we’re putting everything here to perhaps inspire more of this kind of thing, or just for your interest.
The Winners!
We had 25 teams compete. The top place was taken by Root Raiders by a wide margin:
They were a great team, and really went all out to get as many flags as possible and still maintain opsec. If you want to see them they posted on LinkedIn about it: https://www.linkedin.com/feed/update/urn:li:activity:7114593900001959936/
They also took a video of their experience, which they were kind enough to share and allow me to put it up here.
I think that’s about everything. We’re doing more of these soon, with the next one booked for the Australian Defence Force Cyber Skills Challenge in November. After that, more conferences, and more training.
I hope to see you at the next one.
Relinquish before compromise.