Earlier in 2018, I attended the SANS West training conference in San Diego and competed in the Netwars Core competition. This was my first Netwars experience, and I was surprised not only to place second in the individuals bracket, but also to receive an invitation to the year-end Tournament of Champions by doing so. I had no idea this was a thing I would get (more on this later), but I was excited to have done well. And, as luck would have it, my work leader was in attendance, got excited as well, and offered to budget out the cost to allow me to attend the ToC event!
So, I headed out to DC for the Netwars Core Tournament of Champions (ToC) held the evenings of Dec 16 and 17, 2018, during SANS CDI. DC was rainy, but I got in a day early to relax, get some grub and supplies nearby, and otherwise spend that evening and most of the next day taking it very easy.
I suppose at this point I should mention that Netwars Core is a hybrid technical question-and-answer competition (jeopardy-style CTF wrapped in a wonderful Star Wars-themed story) and castle-vs-castle top tier played out in 5 Levels over the course of 2 evenings (3 hours each) during most SANS events. Competitors are given a USB stick with some files and a virtual machine to import, and are asked to sign up for an account on the scoreboard where scores and questions are housed. Levels 1 and 2 consist largely of your typical infosec CTF questions like which Linux command does this, or run this command on the provided event virtual machine and find the flag or decode this password. These questions range from non-technical through the gamut of many skills and tidbits of knowledge such that even novices have a good shot at having plenty to do. And for those questions that are unfamiliar, you can “unlock” hints for free which definitely get most people on the right path for answers. As competitors submit answers and score points, more questions are unlocked. At some point, Levels 3 and 4 are unlocked which starts competitors down the path of offensively probing and attacking systems on another network altogether. And, unlock enough points, and you can get up to level 5, which is a whole new competition in itself. At Level 5, the game becomes a more classic CTF where competitors get a castle of services they need to defend and keep up while trying to also take over and bring down the castles of other teams to score points.
For anyone daunted by that Castle part, at least be comforted that not every SANS Netwars Core event has people get far enough to unlock Level 5. Most of that top tier competition comes from the pentest-focused events like SANSFire or Hackfests or here at ToC or on the separate Netwars Continuous package.
I didn’t have much to prepare for or with. I scored 275 points in the earlier event, which took me up almost entirely through levels 1 and 2 and into some clear stopping points in Level 3 and 4. Unfortunately, I hadn’t saved any questions or code or scenarios from those higher levels, so I only had vague memory to go by. I didn’t know 2nd place got an invite nor how all of this works! I had saved the questions page for the initial levels (most of which can be answered in the provided VM), but I had most of those already solved, so there wasn’t much to do there. See, the game itself closes after the event, so you can’t go back and see the old questions or hints. Even worse, once you hit Level 3 (I think), the scoreboard and targets are on a different network that you connect to which also isn’t available outside the event itself. Lesson learned, my friends, lesson learned: Leave windows open, copy/paste, download what you can, save shit, suspend your VM if you can.
Registration and check-in took place about 4pm or so Sunday afternoon, where we basically just got our guest badge. And at about 4:30pm we were allowed into a reception room for free drinks, appetizers, and mingling with fellow security geeks. During this reception, Jason Blanchard and Ed Skoudis gave a presentation about the event and some of the rules specific to ToC that we need to know about. Also, one of them made mention to look around the room and take in the fact that lots of excellent and smart people were in that room. To be honest, that was one of the better moments of the event for me: being in the company of some super smart and dedicated people. We also got handed our swag (a custom t-shirt and an athletic polyester long-sleeved black half-zip shirt), had a chance for some forced mingling with fellow competitors, and then slowly wandered down into the competition seating area.
When I got down to the seating area, some teams were already moving desks to face each other, and I picked out a spot for myself between some teams so as not to get in the way. ToC players had seats on the left side of the room reserved. Turns out, I sat behind the team that would end up winning the overall prize. I got set up, got a drink, and waited out the rules presentation before getting started! I will say, while the rules went on a surprisingly long time, I actually really enjoyed Jeff McJunkin’s energy and enthusiasm as the emcee/host of the event.
As this was just my second Netwars event, I was in for an unexpected start. I spent the first 45 minutes keying in answers I already had, unlocking more portions of the scoreboard, and just turning my mind to mush. It was pretty awful once I sat back in my chair near the end of this marathon submission session, and I wondered how the heck I would find my groove back and actually “get into” the VM and the mindset of the challenges I was cleared for, especially since some of the things you do in early challenges set up the VM to be ready for the later ones. I think once all of my answers were submitted and I was feeling pretty lost, I got up to get a drink and take a small break. I can definitely see why the established teams have their answers all scripted and submitted within minutes! (I’ll have to save the web page code and figure that out next time.) The team ahead of me, of course, submitted all 645 points of answers and sat back for their Level 5 access. Turns out, there were some technical issues with the Castles, and those teams ended up sitting around waiting for about 90 minutes.
Now, I will say just reading this during my proof-read, I can realize how someone will look at this and wonder why compete if there are whole teams that just script the answers up to Level 5? Well, as part of the ToC rules given during the reception, players were awarded prizes in 4 groups: Level 5 teams, Level 5 individuals (I believe there were only two brave enough to tackle Level 5 alone), other Teams, and other Individuals. So, even if you didn’t have Level 5 unlocked, you could still earn something by crawling up higher into Level 4. I do not know when Level 5 actually opens, but if it’s at 645 points, you can see there is still a gap in the field based on the screenshots at the end of this post.
Once sitting back down, I got my head in the right place and started making progress. For the rest of that evening, I felt pretty good with my progress, but I definitely had and still have a long way to go. By the end of that first evening, I had clawed some points above and beyond what I already knew, and felt confident in my progress. I made sure to keep scoreboards open and save files, questions, and hints for research later that night and the next day. Looking back, my biggest wins that day were the experience of that first marathon of answer submitting, and the saving of relevant data/info for research later.
If I had any complaint on the event, I may as well get it out of the way here. The music played during the hacking activities was largely 80s and early 90s rock. Things like Van Halen, Bon Jovi, Billy Idol, Starship, and so on. And while I grew up in those times and am quite comfortable with that music, I did not need to listen to “Don’t Bring Me Down….Bruce!” 3-4 times (the only re-repeat I remember hearing), nor do I really want to listen to that rock for 3 hours a night while doing hacking things. It was distracting at times. But that’s me; I’d prefer some sort of techno/electronic genre (deep house, lounge, chill, psytrance, trance, or anything in between). Or maybe at least a slightly better curated 6 hours of rock. (It’s honestly not that long, but can feel long.)
One tip before the night of the event is to make sure you know how to import or add a new virtual machine to whatever VM platform you use. Once sitting down in the competition hall at a desk, be sure to keep your head up and look for whoever is handing out the Netwars USB sticks and instruction sheets and be sure to get one of each. If you don’t get an instruction sheet, ask to take a picture of someone else’s near you.
In fact, here’s a general checklist for someone sitting down to Netwars 5.0 for the first time:
- Prep: Bring a mouse. Bring a second portable monitor if you have one. Both of these make the experience so much better. Bring headphones and music if that helps you. Make sure you have whatever virtual platform of choice you prefer already installed and ready on your system. As far as other software, you don’t really need much else on the host; most things are either present in the VM or can be downloaded into it from the Internet later. I’d also suggest being at least a little familiar with the Linux command line (things like ls, cd, cat, file, cp, rm, touch, chmod, chown…that level of stuff). I don’t suggest using a work laptop, unless you have the power to turn off security protections so as not to kill/quarantine what you’re doing! I used an old Thinkpad X230 upgraded to 16GB RAM and 500GB SSD, running Win 10 and VMware Workstation 15 Pro, with an AOC 16-inch portable monitor; the portable monitor is a lifesaver as the X230 screen size can be limiting alone.
- Sit down and set up your computer; power strips should be nearby.
- Once booted up, get on the Netwars Core wireless (it will either be on the instruction sheet or on the screen up front). I suggest writing this down.
- After that, get your hands on the USB and start copying all of the files to your system. It’s always better to work off the local copy than straight off the USB.
- Once copied, fire up the VM platform of choice, and import/add the .ova file as a new VM.
- Once added, I strongly suggest increasing the RAM on the system above the default if you can spare it, and also add some video RAM if using VMware (if you can’t find this setting, then don’t worry about it, it’s just to have better full screen sizing on some versions; probably not a problem with a laptop).
- It should work by default, but I also strongly suggest being familiar with testing and enabling (if needed) copy/paste from the VM to your main system.
- When ready, start the VM and log in (should be on the instruction sheet or it will just autologon for you). There’s no reason to not at least start up the VM and test Internet connectivity. Maybe even poke around the system a bit.
- I don’t recall ever needing to deal with installing VMware Tools, but maybe I just do this automatically and remember it. I’m adding it here as a reminder to think about if something isn’t working.
- Once ready, feel free to get a drink or two and for the love of all that is pure, lock your system when you walk away.
During the event, you do what you need, but I strongly suggest taking a break now and then. Get up, stretch, get a fresh drink, take a small walk, get your eyes and brain off the screen a bit, tip the bartender, start up a quick intro conversation with any others back there in line, wish them luck, and get back down to business.
I know some people bank points until the final 30 minutes of the last day when the scoreboard is hidden from view, but honestly, I’m not sure who does that, since the more points you submit, the more new stuff you unlock. And I think in most cases, it is better to unlock things early than in the waning minutes. There may be some more easy points waiting!
I wish I knew the cutoffs in points where things unlock. Maybe next time I’ll try to pay attention to that….
On day 2, I sat in a different place behind a team from the Army branch. I honestly don’t know how they did (not top 3 at least), and I’m unsure if they are displayed on the scoreboards and have a made-up team name or something.
Day 2 was a more heads-down day working on some of the new challenges, and I made some progress by the end of the night, totaling 328 points and finishing in the middle of the pack at 31st place. Unfortunately, I didn’t really unlock anything by the end of the trip that I shouldn’t have already had from my first Netwars experience, but at least this time I am better able to take some studying points home to work on directly.
In reflection on my experience, I feel like there are probably 4 very different experiences you can have with Netwars.
- First timer – This is the purest experience as someone completely new sitting down at a blank scoreboard with questions to bang away at and answer. This was absolutely a blast and I encourage everyone attending a SANS event to give Netwars Core at least this first try. It has accessible questions so everyone can ramp up slowly into more involved stuff.
- Experienced aka “the level 4 doldrums” – After the first experience, no matter the performance, coming up next are what I would call the level 4 doldrums where a competitor has completed the things they find easy, and are now working harder on the trickier or less familiar topics. This lasts until one can unlock level 5. Large swaths of an event may be spent working on just a handful of challenges at hand. This is definitely where I am. I unlocked Level 4 on my first event, and now I get to spend a lot of time making slow progress through it (and finishing challenges inside Level 3). The one caveat that may change this experience is joining up on a team of others in the same boat, but I have mixed feelings about teams prior to level 5.
- Level 5 unlocked! (fanfare music) – This is probably the next big jump, where one emerges from the Level 4 doldrums and unlocks Level 5! …And then is lost while trying to figure out the castles, defend them, and somehow also attack. The first experience in Level 5 is probably pretty rough, especially so for an individual. But, you gotta have a first time at some point so you know what’s coming up next time and how to start preparing for it. Because, let’s face it, there’s only a small number of posts about the experience of Level 5. It might be interesting getting to this experience on a team, either of those who’ve made it before or all newbies to Level 5, as at least then you can get some boots on the virtual battlefield quicker. And even at some of the larger non-champion events, there may not even be any other Level 5 teams! I think in that case, even if unlocked, you don’t get your Castle early, as that might be a little unfair to later entrants, but I don’t know that for sure.
- Level 5 veteran – Lastly, all that is left is to dive into Level 5 with eyes wide open, probably as a member of a team. This is the penultimate experience, and I hope to get there someday to at least give it a try once. I’ve never competed on the blue side of a castle-style CTF like that (only the red team, and it’s been years).
One nice small benefit I received after the event was a discount to Netwars Continuous. While still a large chunk of money, I might have to think about that if I want to experience Level 5 competition and get some practice. (Assuming I get up to it!)
Would I do this again? I think so, but I don’t know. I don’t really learn much from it directly, but I love the access and mingling with other extremely smart people, just like any other SANS event. I am qualified for two years, so I’ll have to think hard about it. My participation may depend on others on my work team being able to go, or my progress towards Level 5, and of course budgets. That said, the meeting of other people and the chance to further hone skills is always welcome in this ever-learning industry. If I were on a Level 5 team, I absolutely would!
Would I suggest others do this? Yes! If you can budget this out (keeping in mind you don’t necessarily have to be taking a course at CDI to attend ToC!), I think this is a great event to experience at least once. Even better if you get the chance to experience this at Level 5 with a team. There really are not that many chances to experience something at that level and I think they would be worth it.
What’s next for me? I have a very long ways to go, and the number of questions I have in front of me to answer has dwindled quite a bit. Basically, I’m at that point where I need to answer a question to open the road to answer the next question, and so on. My choices are limited, and while that means I can focus my studies a bit, it also means I have no idea what’s behind those doors.
I’ll next be at SANS East the first week of February with a coworker. I plan to sit again for Netwars Core rather than trying out DFIR yet. And this time, I’m taking a course that I need more confidence and speed with (SEC542) which hopefully gets me another small step or two through the Level 4 doldrums!
(images via CounterHack team and Sean Donnelly)