Flag Slurper

Flag slurper is a Red Team utility for Cyber Defense Competitions. It provides Auto PWN functionality, as well as functionality for tracking obtained credentials, files, and most importantly, flags.

Projects

Flag slurper has the concept of “projects”. These projects tell flag slurper where to find various files such as the teams.yml and services.yml files. It may also contain other configuration options such as where flags are located. The primary purpose of the project system is to keep data from different CDCs separate.

To create a project, run:

flag-slurper project init --base ~/cdcs/isu2-18 --name "ISU2 2018"

This will create a project named “ISU2 2018” in the folder ~/cdcs/isu2-18. You can then run the following command to activate the project.

eval $(flag-slurper project env ~/cdcs/isu2-18)

Note

The output of the env command will set the SLURPER_PROJECT environment variable. This variable can also be set manually instead of passing the --project flag.

When you want to deactivate a project, run the unslurp command.

Alternatively, you can specify --project PATH on each command. For example:

flag-slurper --project ~/cdcs/isu2-18/ autopwn generate

Note

The --project PATH flag must be before any subcommands.

Flags

The Auto PWN feature will automatically look in common directories for files that look like flags. You can also specify locations to check. The following project file defines the “Web /root flag”:

_version: "1.0"
project: ISU2 2018
base: ~/cdcs/isu2-18
flags:
  - service: WWW SSH
    type: blue
    location: /root
    name: "team{{ num }}_www_root.flag"
    search: yes

You can specify as many flags as you want. All of the following fields are required:

service
The name of the service this flag is associated with. Auto PWN matches against this when determining what flags it should look for when attacking a service.
type
Which flag type this is: blue (read) or red (write). Currently only blue is supported.
location
The directory the flag is supposed to be located in.
name
The expected file name of the flag. Pay close attention to {{ num }}. This is a placeholder that will be replaced with the team number during the attack.
search
Whether Auto PWN should search location for any files that are roughly the correct file size. A search is only performed if the flag is not found at its exact name {{ location }}/{{ name }}.

Here’s an example of an Auto PWN run that obtained flags:

https://asciinema.org/a/SZK8Ma0lUzX8H1CE02sLOjVIT.png

Credentials

Credentials can be managed through the creds subcommand. To add a credential:

flag-slurper creds add root cdc

List credentials:

flag-slurper creds ls

Remove credential:

flag-slurper creds rm root cdc

Show details for a credential

flag-slurper creds show root:cdc

Files

Flag slurper contains a database of files found on competitor machines. This is normally populated by the AutoPWN functionality. All file commands require that a Project is set.

Usage

The main command you’ll use is listing all files in the database.

flag-slurper files ls

The ls command can be filtered by team number (-t TEAM), file name (-n NAME), and/or service name (-s SERVICE).

Once you find a file you want to see, you can use the show command. This will display metadata on the file and will then open the file in your text editor if it is a text file.

flag-slurper files show 1

You may also save the file directly from the database to the given file path.

flag-slurper files get 1 ~/team1_shadow

If you don’t want to keep a file around any more, you can remove it.

flag-slurper files rm 1

Example

https://asciinema.org/a/uCV0jU7XEQpOUFFmaL5mp1bkq.png

Glossary

IScorE
IScorE is the scoring system built and used by ISEAGE during their CDCs.
CDC
Cyber Defense Competition.
Flag
A file on the teams’ system representing sensitive data. Red team’s goal is to place red flags, and to read blue flags placed on the system by the Blue Teams.
Red Team
The attacking team.
Blue Teams
The defending teams.

Overview

Flag Slurper contains a utility for automatically attempting default credentials against teams’ SSH hosts. This works by grabbing the team list from IScorE and a list of all the services. The default credentials it uses are:

  • root:cdc
  • cdc:cdc

Requirements

AutoPWN requires a database. For many cases sqlite will do, but in order to use parallel AutoPWN, a server-based database (such as postgres) is required. This is due to sqlite only allowing one writer at a time. The database can be configured in your flagrc file:

[database]
; For sqlite (default)
url=sqlite:///{{ project }}/db.sqlite

; For postgres
url=postgres:///splurper

The {{ project }} variable is the file path to the current project and is optional.

Usage

You first need to create a project and result database:

flag-slurper project init -b ~/cdcs/isu2-18 --name "ISU2 2018"
flag-slurper project create-db

To generate the team and service list you can simply run:

flag-slurper autopwn generate

This will cache the team and service lists into the database. This will be used by other autopwn commands so they don’t need to keep hitting the IScorE API during the attack phase when the API is getting hammered.

After generating the local files, you can then pwn all the things!

flag-slurper autopwn pwn

This will print out what credentials worked on which machines and any flags found. These results are recorded in the database and can be viewed like this:

flag-slurper autopwn results

Post PWN

The AutoPWN functionality can be extended through post pwn plugins. These are plugins that run against a service after the pwn process (gaining access, checking sudo, capturing flags, etc.). At the time of writing there is one built-in post pwn plugin:

  • ssh_exfil

Configuration

Post pwn plugins are configured through the Project File, but they can also be run automatically based on decisions made by the plugin. Here is an example configuration for the ssh_exfil plugin:

_version: '1.0'
base: /home/mattg/cdc/isu1-18
project: ISU1-18
flags: []
post:
  - service: WWW SSH
    commands:
      - ssh_exfil:
          files:
            - /root/ToughNut/

The above configuration explicitly declares that the service WWW SSH should use the ssh_exfil plugin, and should look for additional files in the /root/ToughNut directory. Any additional services exposing SSH will automatically attempt to find any of the default exfil files.
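The flags section (required fields, the {{ num }} placeholder, the {{ location }}/{{ name }} exact path) and the post section above are both plain YAML, so a project file can be checked before a run. The following is an added example, not Flag Slurper’s own code: it works on the dict that yaml.safe_load() returns for such a file (PyYAML reads `search: yes` as True), with a constructed sample that merges the two documented snippets and deliberately includes one malformed flag entry.

```python
import re

# Fields the docs list as required for every entry under `flags:`.
REQUIRED_FLAG_FIELDS = ("service", "type", "location", "name", "search")
# Matches the {{ num }} placeholder (spaces optional) in a flag name.
NUM_PLACEHOLDER = re.compile(r"\{\{\s*num\s*\}\}")

# Constructed sample: what yaml.safe_load() returns for a project file merging
# the flags and post-pwn examples above. The second flag is deliberately bad.
SAMPLE_PROJECT = {
    "_version": "1.0", "project": "ISU2 2018", "base": "~/cdcs/isu2-18",
    "flags": [
        {"service": "WWW SSH", "type": "blue", "location": "/root",
         "name": "team{{ num }}_www_root.flag", "search": True},
        {"service": "DNS", "type": "red", "location": "/var/named",
         "name": "team{{num}}_dns.flag"},  # no 'search', unsupported type
    ],
    "post": [{"service": "WWW SSH",
              "commands": [{"ssh_exfil": {"files": ["/root/ToughNut/"]}}]}],
}


def validate_flags(doc: dict) -> list:
    """Return problems found in the `flags:` entries; an empty list means OK."""
    problems = []
    for i, flag in enumerate(doc.get("flags") or []):
        missing = [f for f in REQUIRED_FLAG_FIELDS if f not in flag]
        if missing:
            problems.append(f"flags[{i}]: missing required field(s) {', '.join(missing)}")
        # Docs: blue (read) and red (write) exist, but only blue is supported today.
        if flag.get("type") not in (None, "blue"):
            problems.append(f"flags[{i}]: type {flag['type']!r} not supported (only 'blue')")
    return problems


def expected_flag_paths(doc: dict, service: str, team: int) -> list:
    """Exact paths checked first for `service` on a team: {{ location }}/{{ name }}."""
    paths = []
    for flag in doc.get("flags") or []:
        if flag.get("service") == service:
            name = NUM_PLACEHOLDER.sub(str(team), flag["name"])
            paths.append(flag["location"].rstrip("/") + "/" + name)
    return paths


def post_plugins_for(doc: dict, service: str) -> dict:
    """Map plugin name -> options for the post-pwn commands declared on `service`."""
    plugins = {}
    for entry in doc.get("post") or []:
        if entry.get("service") == service:
            for cmd in entry.get("commands") or []:
                plugins.update(cmd)
    return plugins
```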

Plugins

SSH Exfil

Custom Plugins

CDCs often have unique elements that AutoPWN doesn’t know how to exploit. Frequently this includes services running in a non-standard way, and interesting ways to gain access to the system. For this reason, AutoPWN allows you to write custom Post PWN plugins to do any post actions that are necessary for your targets. To write a plugin, you must subclass PostPlugin and register it with the PluginRegistry.

Loading Custom Plugins

Currently, post pwn plugins do not have an auto-loading method (i.e. entry points). In order to load a custom plugin, you must manually call register() after ensuring your plugin is on the PYTHONPATH. A much better method is planned.
