Today I saw on Twitter that the Kringlecon recap and awards ceremony is coming up fast, in mid-February this year. With this being the case, I figured I’d quickly put out a little post and put up my write-up. Gotta make my blog at least a little bit active, right? I haven’t totally forgotten about the blog; I still have some stuff I want to do and write with O365/Azure, plus I finally got some equipment to do minor home-labbing, and I need to get back into messing with HackTheBox and maybe start doing some formal write-ups of those.
I noted last year that I expected 2018 to be easier, but I still got tripped up in the end. I’m not sure whether I’m just getting better, as I expected in 2018, or whether the challenges were easier this year. A lot of the challenges involved threat hunting and log analysis, which comprises a lot of what I do daily, so maybe that was the difference.
When I say easier, that’s certainly still relative to when I started in infosec and had no established practice with red or blue team skill sets. It still took about a week or so of spaced-out efforts to crack the challenges.
The reversing challenge was probably my favorite. It didn’t take as much time as the WannaCookie analysis (which I actually spent weeks playing with after finishing Kringlecon 2018), but it was still fun. I got to brush up on IDA skills, which I’m pretty woeful at, and I got to work with Ruby for the first time. I found Ruby to be pretty intuitive, maybe just thanks to the wonderful examples and pointers we were given. I might have to spend some more time playing with the language.
The X-Mas Cheer Laser was a runner-up for me. I felt pretty confident going into the challenge as I live in PowerShell, yet I don’t have any experience with PowerShell on Linux, and that introduced a number of struggles into how I would have normally gone about the process.
The final challenge was fun and interesting, though I would say that, compared to some of the other challenges, I was a little frustrated with the way the data was fabricated. I went about the challenge first using a “real” threat hunting mindset, only to find out that nearly every IP address was unique and the GET/POST requests didn’t matter at all, and I had to re-orient myself in terms of how I went about the challenge.
I didn’t spend as much time on my write-up this year. I’m still happy with it, but based on the quality of submissions, I don’t really feel I’ll have the energy or expertise to compete with write-ups of the level that win and really blow you away. Without further ado, here it is.