Dark Side Ops 2 Review + Derbycon 2018


Being from the Louisville metro area (and recently having moved back with my family), Derbycon is one of the highlights of my year.  The general conference ran from Friday, October 5th, to Sunday, October 7th, at a brand new location, the Louisville Downtown Marriott!  Every previous year, the neighboring Hyatt has hosted it, but the move meant a bigger venue with more rooms for all the activities.  Despite more space, the Derbycon team actually decides not to significantly increase the number of tickets sold, in order to keep the smaller, more familial feel.  I really like this about Derbycon and the crammed, chaotic atmosphere is one of the reasons I haven’t been to DEFCON yet…though I think I’m going to finally make myself go to it next year, just to get one under my belt.

For only about a grand more than a con ticket, you have the opportunity to sign up for one of several excellent training courses that run on the Wednesday and Thursday before the conference.  And trust me, $1000 might sound like a lot, but this is a steal compared to what you’ll pay for courses like this at SANS or Blackhat.  Last year, I took @FuzzyNop’s Modern Red Team Immersion Bootcamp, which was very heavily focused on open-source intelligence (OSINT) gathering, selecting good spear phishing targets, and crafting convincing phishes.  This year, I went towards the more technical side of red teaming with Silent Break’s Dark Side Ops 2: Adversary Simulation.

This was a great opportunity, as Silent Break normally only teaches this course at Blackhat, where it can cost as much as $4000 just to attend!  Despite the numbered name, the first Dark Side Ops course is not a required prerequisite.  The first course focuses on developing your own malware, whereas this course gives you a completed version of that malware and works on ways to expand it, deliver it, and hide it from blue teamers.  Silent Break is one of those red teaming companies that’s big on really simulating adversaries and APTs, so their philosophy is to not use any commercial or public pentesting tools, but to instead develop them all in house.  They like to keep their tools small and purpose-built, using droppers to put as little on disk as possible, with a rapid development cycle, so that when one gets burned or picked up by AV, they can chuck it in the trash and quickly start over with a new one.

Before the course, you’re given three VMs: a Windows 10 development box, a small Linux server to act as your C2 server, and another Windows 10 VM to be your target.  On the dev box, you get Visual Studio and the C/C++ codebase for their custom “Slingshot” implant, which is apparently what you build in the first DSO course.  In addition, you get a folder with all the code and scripts you’ll need for the course, PDF slides for the course, and an enormous and detailed lab manual PDF that walks you through all the steps in each hands-on lab.

It followed the general training format; Nick Landers (@monoxgas) and Will Pearce (@moo_hax) from Silent Break would go over the slides for a section, explaining what we would be doing in the upcoming lab, introducing new concepts and breaking them down, then we’d be given ample time to go over the following lab on our own, with Nick and Will available to answer any questions or troubleshoot problems.

You start off building the Slingshot malware as a Windows executable and progress through additions, such as adding a web cradle to deliver it through a Powershell one-liner, making a VPN tunnel so you can interact with the target through your Linux C2 server, customizing the delivery based on which browser is used, evading sandboxes, bypassing app whitelisting, adding persistence, adding the ability to trigger the implant with specific network activity, and a diversion into how to build Windows rootkits.

Overall, it was an outstanding course!  It strikes a nice balance of getting you into the technical weeds, but holding your hand if you’re not a very good Windows dev.  There were several points at which you had the option to write Powershell scripts by yourself, but a completed one was offered in case you screwed it up or ran out of time on the lab.  I really want to take the first Dark Side Ops course now, so I can learn more about how Slingshot itself was built.  Nick and Will have said they’re trying to find smaller cons to bring it to, so you can avoid the Blackhat tax, and might even offer it at next year’s Derbycon.

The only criticism I would offer is that, while the lab guide is generally very good, it could use a little proofreading, as we encountered numerous instances where steps were missing, file paths had changed between Slingshot versions, screenshots were out of date, etc.  Also, the code itself could probably use some better commenting to guide users to where they needed to copy/paste new modules, as this seemed to be the most common reason that students’ code was failing to compile or not working correctly.  Also, I’d love to see more about how they rewrite or change up their code once an implant gets burned and ends up on VirusTotal (but now that I think of it, maybe that’s covered in the first course).

But these are minor quibbles and I otherwise highly recommend the course.  Nick and Will did an excellent job and I can’t wait to take their other course.

Coincidentally, the afternoon after the course finished, Silent Break announced they’re now selling their tools, including Slingshot, as a commercial product called the Red Team Toolkit.

Derbycon

With the training over, the next three days were devoted to the general Derbycon conference…and of course, the 9th annual Derbycon CTF (Capture the Flag) competition!

As usual, I played with my Eversec teammates: Gabe Marshall (@gabemarshall), Paul Whelan (@LuxCupitor), and Ray Doyle (@doylersec).  We also had a few Derbycon first-timers join our team, including Steve Myrick (@stevemyrick) and Austin Robertson (@austinrobertson) whom I used to work with at Fidelity, plus Erwin Karincic, who we met through LinkedIn and wanted to come learn how to CTF.  We did have one traitor: longtime Eversec member Clayton Dorsey (@claytondorsey) decided to play for his employer’s CTF team and is now dead to us (j/k Clayton).

After two consecutive years of being a CTF zombie and doing little else except stare at screens and hunt for flags, I decided this year I would actually try to enjoy the social atmosphere more.  I actually attended some talks, instead of just waiting for the inevitable YouTube uploads by IronGeek.  One of them was by my boss, Mike Weber (@BouncyHat), who delivered a talk on Offensive Browser Extension Development, showing how he was able to build malicious Chrome extensions and sneak them past the Chrome Web Store reviewers.  Another talk I saw was former NCCer Cara Marie (@bones_codes) and her talk, Cloud Computing Therapy Session, about the frustrating quirks in different cloud computing platforms and a new Python tool she and her colleagues at DataDog developed to better attribute AWS security groups.  In addition to hanging out with those speakers and my Eversec friends, I also had a great time with some other friends, including new NCC coworker David Tulis, NCC Group’s NYC research director Jeff Dileo (@jtd), Melissa Amano (@samuslav), Matt Turner (@strupo_), and probably some others I’m forgetting.

And perhaps as a consequence, Eversec didn’t do as well this year as in previous ones, though we were still in the top 10 and once again donated our small prize to Hackers for Charity, as is customary.  Once again, Nettitude Labs’ “spicyweasel” team took home first place and they already have an excellent write-up posted of how they solved various challenges.

The only sort of write-up I can contribute that they didn’t get relates to the MUD.  One of the servers in the CTF network was hosting a multi-user dungeon (MUD) on TCP port 4000.  If you aren’t familiar with MUDs, it’s the text-based grand-daddy of the MMORPG, reminiscent of old text adventures like Adventure and Zork, usually with D&D roleplaying combat and character development elements mixed in, but able to host multiple logged-on users at a time so their characters can interact with one another.  No special software is required, just a terminal window and a telnet client.  Past Derbycon CTFs have featured MUDs and this one was built by @Evil_Mog using the DGD server with the GurbaLib “mudlib” environment.

The rumors floating around the CTF room were that the “wizard” class in the game had the ability to run certain shell commands, and a perusal of the GurbaLib source confirmed as much.  What wasn’t clear was exactly how to become a wizard.  The game features a short newbie quest for learning how to play the MUD, part of which has you fighting your first enemy and obtaining a purple potion that grants you 5000 experience points.  I assume you’re only supposed to be able to do this once, but there is either a bug (or a deliberate code change by @Evil_Mog) that allows you to fight the easy monster again and again and keep obtaining purple potions.  I did some manual level-grinding for a while to see if maybe you could promote to wizard after a certain level, but gave up after reaching a million experience points.  The only other option I could think of was a daunting maze, helpfully named the “Wizard Dungeon”, near the start point.  With my extremely levelled-up character, I dove into it and wandered around.  Each room helpfully tells you your location on a grid using a letter-number combo, so I decided to just keep trying to worm my way southeast (incrementing the numbers and letters ever higher) to see what happens.  I believe it was around room R-12 that I discovered a hole in the ground that led to a fight with a DROWN vulnerability.  With my beefed-up character, I easily beat him and was promoted to wizard status!!

But none of the wizard commands the documentation promised, such as “ls” or “cd”, were present…and a few minutes later, the VM reset to a previous snapshot and I was back at square one!

This was Sunday morning, just hours before the CTF ended, so I tried to go to the newbie quest and quickly level up my character to go fight DROWN again…but by this point it was an orgy of violence, with numerous other CTF players in the game murdering each other before they could progress, so I had to give up.

So take that, Nettitude, I got farther than you in the MUD! 😛

If you want to give it a try yourself, @Evil_Mog is apparently hosting it on his own server.

UPDATE:

The move to a new venue was not without its problems.  The Marriott didn’t seem quite prepared for a conference of this size to descend upon it.  There were numerous times the on-premise bar and restaurant were empty or completely understaffed.  Considering this place was crawling with people on expense accounts who were eager to spend their company’s money, this seems like they were really pissing away a lot of business.  One morning we tried to eat in their restaurant, but gave up and went to Sway at the neighboring Hyatt after waiting fifteen minutes to be seated and then spending another fifteen waiting without even water or coffee being brought to the table.  Another problem, for those who stayed in the hotel, was all the renovation going on and the near constant construction noise in the rooms.  My buddy Clayton did manage to complain his way into a quiet comped room, though.  I’m sure they’ll iron out all these problems for next year.

If you haven’t been to Derbycon, I highly recommend trying to find a ticket.  If you don’t mind waiting until the last minute, there always seem to be tickets going on sale up to the day of the conference.  As always, I had a great time with some great friends and can’t wait until next year!
