During my first SANS experience last week, I also opted to participate in NetWars Core the nights of Day 4 and Day 5. This was also my first NetWars experience, and I came in having pretty low goals, since I didn’t really know what this was all about. I basically wanted to see the top 10 leaderboard for first timers and unlock Level 3 by the end of the event. Turns out, I unlocked Level 4, held onto overall first for several hours, and finished in 2nd place amongst the individuals (and 6th overall), earning me a NetWars coin and invite to the Tournament of Champions in December!
For those unfamiliar, NetWars Core is a two-day event held on site for 3 hours each night. You show up with a laptop in hand and get handed a USB stick. On the USB stick are some supporting documents and a virtual machine image to load up. Once loaded up and signed into the event, the countdown begins! Once started, the event website allows access to a battery of questions whose answers are found either in the supporting documents or on the VM itself. These questions cover a wide variety of information security topics, from Linux and Windows systems administration commands and technical trivia to analyzing forensic evidence, examining network traffic, decoding hidden messages, and reversing malware. There are things for defenders and attackers alike.
Upon arriving, I was given the event USB stick, an instructional piece of paper, and 2 drink tickets good for free drinks from the open bar in back. The tickets certainly beat paying up to $12 for a glass of wine! And as each night moves on, you can get more tickets from the minders handing them out. The dimly lit room itself slowly filled up with fellow geeks, the glow of laptop monitors, and the swell of some light techno music from the speakers up front.
The desks all have power provided and a wired switch for use if one does not want to trust the wireless network, which itself was solid the entire event. The instruction sheet gave details on signing up for an account at CounterHack and the username and password for the Virtual Machine. A web-based VM could be connected to from the CounterHack site (with added latency, of course), or one could just use the VM included on the USB stick.
The USB stick included the event VM and some additional files. Before the event truly started, I copied all of the files to my local Windows system and fired up the VM in VM Workstation 14 Pro (trial). It converted and fired up without issue, and default networking settings allowed it access out to the Internet (needed) through my host laptop. I rebooted it and gave it some more RAM for good measure.
After waiting around a bit, the event kicked off! I started out super slowly as I acclimated myself again to the Linux VM, sheepishly Googling up some commands that I should have known, and otherwise having some issues getting into a groove. But eventually I did hit a groove.
Level 1 and Level 2 are basically traditional Jeopardy-style CTF questions. You are asked something about a file or command or binary or whatever, and you work to provide the answer. Sometimes it just means running a few commands, sometimes it means doing some forensics or attacks on various artifacts. Each question has points assigned to it. The more questions you answer, the more points you get, and the more questions open up below those. The first incorrect answer on any question doesn't cost anything, but subsequent tries cost more and more points (up to a certain amount).
Most questions have hints you can unlock. These hints do not cost any points, and you can unlock as many or as few as you want. The only role they play is as a tiebreaker in the unlikely event of a tie in points. The hints themselves range from terms you can Google all the way up to actually giving you the command(s) to run to find the answer. This hint system makes the early parts of the event very accessible to anyone with even passing Linux experience.
After hitting a groove and getting a feel for the questions and VM, I appeared on the top 10 leaderboard, and for the rest of the 3 hours on Day 1 I skipped up and down with my fellow geeks from about 10th place up to a peak of 3rd place or so for brief moments. Early on, one team surged very far into the lead, and the admins of the event sought them out. Within a few minutes, their team was removed from the boards. Turns out they had some veterans on the team, and to avoid discouraging other teams, the admins “ghosted” their score off the board.
The scoreboards are broken down into a top 10 list of individuals and a top 10 list of teams. I believe teams can be 5 or fewer members. In other events, I think veterans and first-timers are also separated out, but for this event, we were all put onto the same boards (they gave a reason why, but I didn't follow it).
At the end of Day 1, I was firmly into Level 2 with 100 points, and sitting at 8th place on the boards. The first place individual had 146 points and the highest team (visible) had 155 points. I retired to my room, but spent the next 3-4 hours working on various questions that I hadn’t gotten to. I think the small break I took to get to my room and settle in really helped, as I hit a stride over those few hours and solved quite a few puzzles and staged up the answers for Day 2. While the game system itself is closed overnight, as long as you keep the question window up and have any hints you want opened up, you can still see and work on the questions on the local VM. This is true for Level 1 and Level 2, but not for subsequent levels.
As Day 2 started, I had a flurry of points submitted in the first 60 minutes, and I actually surged into first place overall with 241 points and 2.5 hours remaining. At this point, I hit a wall. Over the next 1.5 hours, I held onto my lead with 269 points, but others were slowly closing in as I stalled out.
Eventually, at Level 3 you can attack and attempt to infiltrate remote systems and networks as an attacker, and from there begin attacking other systems in that DMZ network and answer questions on a separate scoreboard. I was rusty with this, as my day job does not involve attacking systems. The Level 3 hints also became time sucks, with some seriously deep trivia that required heavy Googling and searching. It would help immensely to have a wingman doing just those items! Level 4 involves even deeper access. Ultimately, Level 5 is reached, and at that point those contestants have to defend their servers and services against others at Level 5, while attempting to attack the others and earn points through uptime.
I spent the next hour watching as a rival passed me up for first place, and the teams jostled for their positions. With 30 minutes left, the admins replaced the scoreboard with a countdown clock. After time ran out, winners were announced and I found out that no one else managed to pass me for second place. I finished with 275 points, with first place sitting at 297. The ghosted team of veterans finished with the top score of 370, but the admins also awarded prizes for the next team, which had 301 points, only 6 points ahead of their next rival!
Honestly, had I tackled this event last year, fresh off my OSCP certification, I realistically would have expected at least another 40 points or so. I had lots of time left, and not much comfort level with the attacks I needed to perform at the later stages.
I had an absolute blast with this event and the question formats. I'm looking forward to doing another one of these, or trying out the DFIR and Defense ones as well.
Tips from a First-Timer
Spend Day 1 trying to unlock everything you can, including hints. You want to get as far into the levels as possible, with the ultimate goal of getting into the Level 3 and Level 4 stages.
Try to make sure you get the question finished that yields root access to the local VM. This is important in order to progress further.
With Level 3 unlocked, start attacking it right away. Again, it's more about getting as far as possible, rather than clearing each level completely. The points per question trend slightly upwards as you go.
One could conceivably unlock Level 4 without doing much at Level 3. Just from my perspective, I think getting dug into Level 3 is more important.
The night between the days can be spent researching Level 3+ strategies, but also backfilling Level 1/2 questions and researching Level 3 hints.
Day 2 should be spent trying to open up Level 5 by performing successful attacks and eventually pivoting into internal networks.
For some added drama, the admins turn off the scoreboard for the final 30 minutes. If you're feeling brave, feel free to bank some points to submit during this time. This would be an excellent moment to finish submitting any Level 1 and Level 2 answers that weren't needed to open up the higher levels. Of course, the downside might be encountering technical issues that prevent more scores from being posted, so do so at your own peril!
I strongly suggest writing down and saving answers out to a text file in the unlikely event the VM crashes or becomes unstable. Near the end of Day 2, my VM's xfce often became unresponsive, and I wasn't in a position where I wanted to reboot it fully. I probably lost a good 30 minutes of productivity this way.
Lastly, have fun. Use those drink tickets if you are so inclined, and enjoy!