
Judging a Tracelabs CTF

Judging?

After the June CTF I was considering participating in a couple more events in a competitive manner. The goal being to get better at the analytics side of things, as it is not limited in scope to OSINT for missing people. I like Nicole’s Cognitive Stairways of Analysis as a foundational framework (https://threathuntergirl.com/f/the-cognitive-stairways-of-analysis). However, the intent to be competitive implies preparation, and life got in the way; with 2 teammates down I could only hope for a 3rd time in the top 50. So for the Defcon edition of the Tracelabs CTF, I applied to judge.

Preparation

Much like for competitive participation, judging requires some preparation. You want to be the best judge for your team(s). However, the preparation is not as extensive as for competitive. In my case it consisted of catching up with the judge’s briefing & reading the judge’s guide. Following that it was a matter of preparing a way of (easily) keeping track of the accepted flags. Joplin comes pre-installed on the Tracelabs VM, so I created the notes with that tool. I have migrated them to Obsidian as Obsidian uses less metadata within the files. A template for other judges or people participating solo is available on my github. This should be fairly easy to import into Obsidian, Joplin or Notion as it is a simple collection of markdown files. Links may need to be converted if using Joplin instead of Obsidian.

Having the guidelines quickly at hand meant I could easily copy-paste reasons for rejecting a flag, or validate if a flag was in the right category. (Family vs Friends, Basic vs Advanced subject info, etc.). By keeping track of the submitted flags I could quickly spot duplicates.

For future judging I would look into having something else to do, as the flags seem to come in batches whether you have 1, 2 or 3 teams. I found myself often with 10-15 minute interludes between batches of flags, especially at the beginning while the teams were getting warmed up.

The process

You might expect the flags to come pouring in with no break – except, of course, the teams need to start their research, which means until the first flag comes in you’re left finalising your preparations. As you will need to be verifying flags from various social media elements, one element of preparation is ensuring you still have access to the various platforms. I left the various platforms open such that I could then copy-paste the URLs with no need for logging in, and avoid cross-contamination between the isolated tabs (Firefox Containers does wonders for this).

The first flag comes in and suddenly the platform makes a lot more sense than when competing (which hopefully means fewer rejections at the next competition). The flag includes the team name, so I let the team know I’m judging for them in the comms channel; this way they can discuss any questions more easily than through interposed flags and rejections. Test the flag (is it a new flag?), validate it (does the flag make sense?), then accept or reject. Upon rejecting, explain why – having the guidelines handy makes it easier to explain why a flag is rejected or its category changed.

You have 2-3 teams. Life happens, so some judges will take on 4. If any flags seem odd, or you are unable to verify them, other judges can help; this means you can then provide your team with the best possible experience.

Post CTF

The Tracelabs CTFs can expose some of the worst that humanity has to offer. As such, it’s important to create an appropriate disconnection from what you’ve experienced before shutting down. See Nicole’s talk at ConINT on strategies for disconnecting.

In my case, it was just catching up on a comedy TV show and crashing for the night. Had there been any significantly traumatic elements, having the other judges to discuss and externalise any thoughts with was/is comforting. It is made abundantly clear that if any judge needs to step away at any time for any reason, it is not a fault on their person, and other judges are happy to take on the extra flags. Knowing when and how to seek help is a part of preparation, but the Trace Labs team make sure to remind the judges about their availability should a crisis happen.

Learning outcomes

During competitions I found the platform made it difficult to explain the value of the flag. You can establish the category, the relevance and the supporting evidence, along with 1 attachment. As a judge it actually made a lot more sense: Submit the URL pointing to the flag. Relevance: explain the flag (i.e. Category => sub category, what can be done with this piece of information?). Supporting evidence => How did you get to this conclusion? If you got to a profile from a different URL, submit it here. As a judge, it is a lot easier to follow your reasoning, and during recompilation the flag will be extra useful. Attachment => visual aid. A screenshot of a social media account isn’t ideal; however, being able to show how you can prove it belongs to a person adds value to the flag.

10/10, would judge again


First Steps with KeePassXC

Why KeePassXC?

Most of my experience with password managers lies with KeePass. For an enterprise environment it is simple to use, easy to deploy and fairly lightweight. For my personal use I can take advantage of its portability and not worry about phishing too much, as I tend to type out websites directly when something sketchy comes around. For work, VMs and other users however, I recommend KeePassXC now. It offers some advantages to KeePass, namely an easier interface, browser integration and TOTP.

The browser integration provides phishing protection => if users click on links asking for credentials, the extension will not recognise the domain and therefore will not provide credentials. Along with the easier interface, this means users are more likely to avoid password reuse and less likely to fall for phishing attempts.
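To make the "extension does not recognise the domain" point concrete, here is an added example (not KeePassXC-Browser's own code) of a simplified host-matching rule for a stored entry, compared with the sloppy suffix check people often write by mistake; the entry and page URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Parsed, lower-cased host only: path, query and userinfo are ignored."""
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry_url: str, page_url: str, allow_subdomains: bool = True) -> bool:
    """Simplified model of an autofill decision (assumption, not KeePassXC's code):
    the stored entry is offered only when the page host IS the entry host, or
    (optionally) a subdomain of it. Label-boundary aware: '.' + host suffix."""
    entry_host, page_host = _host(entry_url), _host(page_url)
    if not entry_host or not page_host:
        return False
    if page_host == entry_host:
        return True
    return allow_subdomains and page_host.endswith("." + entry_host)


def naive_matches(entry_url: str, page_url: str) -> bool:
    """The common bug: a bare suffix check without the label boundary."""
    return _host(page_url).endswith(_host(entry_url))


# Constructed sample: a stored entry and a few pages a user might land on.
ENTRY = "https://accounts.example.com/login"
PAGES = {
    "https://accounts.example.com/signin?next=/home": True,   # same host
    "https://sso.accounts.example.com/": True,                 # real subdomain
    "https://accounts.example.com.evil.test/login": False,     # lookalike suffix
    "https://accounts-example.com/": False,                    # lookalike hyphen
    "https://evil.test/?redirect=accounts.example.com": False, # host only in query
    "https://accounts.example.com@evil.test/": False,          # userinfo trick
    "https://notaccounts.example.com/": False,                 # no label boundary
}


def check_all() -> dict:
    """Return {page_url: (expected, entry_matches, naive_matches)} for the samples."""
    return {p: (exp, entry_matches(ENTRY, p), naive_matches(ENTRY, p)) for p, exp in PAGES.items()}


if __name__ == "__main__":
    for page, (expected, strict, naive) in check_all().items():
        print(f"{'OK ' if strict == expected else 'BAD'} strict={strict!s:5} naive={naive!s:5} {page}")
```

The naive check wrongly offers the credential on `notaccounts.example.com`, which is exactly the kind of slip the label-boundary version avoids.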

First Steps

The KeePassXC team have a great introduction to their password manager, covering details from setting up a database to the configuration of the browser integration. I highly recommend taking a look there before doing the install, even if just to make yourself aware of the different interface. You can find their getting started guide here.

Now, following the steps from the KeePass guide, there are some differences in the procedures. The first is the key transformation: instead of telling the system how many iterations you want, KeePassXC suggests choosing how long it takes to decrypt the database.

KeePassXC settings interface, on the security menu, encryption settings tab.

Unlike KeePass, KeePassXC doesn’t provide password templates, nor does it offer the ability to generate a password from the previous password (useful for services with character or length limitations). The password generator takes the last used settings. My recommendation is to check the box to avoid lookalike characters (for those times you need to type it out).

Password creator with the Exclude look-alike characters checkbox ticked

Same as with KeePass, KeePassXC allows entries to auto-expire. This is not checked by default and, in my use of the application, it does not stay checked when making several entries. The preset expiry times include 1, 2, 3 weeks, months and years.

KeePassXC new entry window with no expiry date selected.

Same as with KeePass, I recommend renewing your passwords at 6 month intervals, but at least once a year.

TOTP

Unlike KeePass, KeePassXC comes with TOTP support out of the box. While arguably this is not great, as it means you are getting all your authentication tokens through the same medium, it does protect your accounts from brute forcing attacks. You can’t set TOTP from the entry window, but after creating the entry right click => TOTP => Setup TOTP. When generating your tokens, tell the web service you can’t scan the QR code, and enter the secret into the TOTP window.

Setup TOTP window with an empty Secret Key.

It is worth mentioning that you can get the secret back out of KeePassXC. Not the most secure solution, but I can see this being useful for teams connecting to client environments, as the database can be shared through KeeShare with those people who need access to it. With the browser extension, this means seamless logging in to services as all the credentials come from a single place (and the database can be locked with a passphrase & hardware token).

KeeShare

KeeShare sort of takes the need for cloud sync across devices away; however, my limited experience with this feature was not great. That was most likely due to user error and limited time / infrastructure to play with it; it is worth knowing that the KeePassXC team have documented it quite well over here.

Nice to know

You can save credentials from the browser extension directly to your database. These will be in a default “browser credentials” group. You can order them into whatever folder you want if you actively use the standard interface, to find them faster.

By default, autotype is enabled in KeePassXC, but with no assigned shortcut. With the browser extension I have not found any reason to activate it, especially after the shenanigans with KeePass spouting my credentials into a couple of services.

The browser extension requires the database to be unlocked in order to use the credentials. The icon turns green when the connection between the extension and the database is active, and grey if the connection is not present. I have found it particularly useful to be able to hide the window once it has been unlocked, as it lets me keep an uncluttered desktop, and the browser lets me know if anything is the matter.

KeePassXC Application Setting window with ‘Minimize window after unlocking database’ checked

By default, the database will be saved after every change (new entry, password change, etc.). I’ve found this behaviour useful, but it is worth knowing that if you have a long decryption time it can slow down your machine. The behaviour can be modified in Application Settings => File Management.

KeePassXC Application Settings window with ‘Automatically save after every change’ option checked

Sadly, unlike KeePass, there is no option to show expired / expiring soon entries upon loading up the interface. The entries will have a different icon showing that the entry has expired and the title will be crossed through.

KeePassXC expired entry “Test” with the expired entry icon, & title crossed through

KeePass or KeePassXC?

I think it really comes down to the user. Both offer similar levels of protection for the users’ databases; they differ mainly in what they offer out of the box. Neither solution has been ported to Android or iOS, which means regardless of what you pick, there will always be another party accessing your passwords. I believe KeePass will continue to have its place in enterprise environments, where it outperforms the XC variant through a slimmer interface. KeePassXC does provide a nicer experience for first time users, with default settings that make it easy to use from the get-go. As long as you don’t use TOTP, you can use both with the same database and decide later on.