King of the Hill

Attack & Defense

attend.osucyber.club

Announcements

• Engineering meeting this week
• Wednesdays @ 7:30 PM Eastern
• See Jackson (engineering lead) or Discord for more info�
• Club meeting recordings
• Links can be found on the wiki (https://wiki.osucyber.club/Meeting-Schedule/SP22)

​

• Hack-A-SAT 3
• Quals: May 21-22
• Space themed CTF (!)

​

• Pwn2Own Miami
• Tomorrow and Thursday (April 20th and 21st)
• Watch people run 0day exploits for $$$$
• https://thezdi.com/ or https://twitter.com/thezdi

​

The Basics

• The “hill” = typically a box (a host/server/computer)�
• The “king” = whoever has control over the box
• What constitutes control? Varies, but normally a unique token that identifies who hacked the box in a viewable location
• Replacing the token may or may not require full control of the box�
• Who wins? Depends on the competition
• King for longest time wins
• Last king standing wins

How do we get in?

• Find vulnerable services!
• nmap -p- <ip>
• -p- says “scan all ports!”
• Notable ports
• SSH
• HTTP
• FTP
• Look up weird�Services
• Then exploit

How do we stay in?

• !!CHANGE PASSWORDS!!
• Delete unneeded users
• Remove unneeded services
• Lock down required vulnerable services

​

The Competition

• Three boxes: Red, Green, and Blue�
• Each box has at least 3 vulnerabilities
• Some obvious, some not
• Give you varying degrees of box control
• CTF challenge experience will help you find and exploit them�
• Each box is hosting a web site
• Whoever’s name is on the site is king
• King at end of meeting is the winner for that box
• Trophies! So you can remember your triumph eternally

Rules

• Try to focus on one box
• If you get stuck, you can switch; this is just to spread people out�
• Do NOT restart, shut down, or crash any boxes
• We may or may not be able to bring them back up
• You ARE allowed to patch vulnerabilities and secure services, but you are NOT allowed to bring them down/crash them outright�
• Do NOT upload viruses or questionable content�
• Do NOT attack anything except the boxes
• Don’t attack other players; just defend against them

Further Reading

• ISTS: Blue Team Resources�https://ists.io/resources�
• Linux man pages�https://www.kernel.org/doc/man-pages/�
• Cyber Security Club Bootcamp�https://bootcamp.osucyber.club�

Thanks for a great semester!

Go!

red.koth.live

green.koth.live

blue.koth.live