This is for the Vishing CTF Challenge at Wild West Hackin Fest 2024. Please visit our booth to get the starting phone number.
In this vishing CTF challenge, your mission is to infiltrate MegaCorp by socially engineering its employees to reveal sensitive information, specifically their passwords. The goal is to strategically target employees, starting with the help desk, and using your skills of persuasion, deception, and quick thinking to gather flags that will guide you further into the challenge. Each conversation is an opportunity to uncover new leads, but remember—every employee behaves differently, and no one holds all the answers. Your success hinges on asking the right questions, building rapport, and navigating the complex social dynamics of corporate life. Will you be able to outsmart MegaCorp’s defenses and achieve your goal?
General Strategy
- Preparation:
  - Have a clear persona or role in mind (e.g., a new employee, a stressed-out IT technician, or a third-party vendor). Keep it simple, so you don’t forget key details while speaking.
  - Develop plausible scenarios for why you need help (e.g., troubleshooting access issues, an urgent deadline, or a system error) to create a sense of urgency.
  - Use terms and language common to the corporate environment, such as “I can’t get into my VPN,” “I forgot my credentials,” or “I’ve been locked out of the system.”
- Build Rapport:
  - Start by being friendly and casual. Employees are more likely to help if they feel you’re approachable and in need.
  - Mention relatable company terms or pretend you’re new and nervous. This can lower the defenses of the person you’re speaking to.
  - Mirror the employee’s tone. If they’re formal, stay formal. If they’re casual, be more relaxed.
- Targeting the Help Desk:
  - Entry Point: Call in as a new employee or an external IT technician. You could say, “Hi, this is [Your Chosen Name], I’m working with [Department Name] but having issues accessing my account. Could you help me out?”
  - Error Messages or Password Resets: You might start with something like, “I’m having trouble with my password, and the reset link isn’t working. Could you verify my account is set up properly?”
  - Goal: Prompt them to offer to reset the password for you.
  - Once rapport is built, ask them to “walk you through” the process as if you’re unfamiliar with it.
- Use Targeted Questions to Gather Information:
  - For Help Desk Staff:
    - “I was told to reset my password, but I think it didn’t take. Can you confirm my account info?”
    - “Oh, do you need me to verify my current password to reset it?”
    - “Could you remind me of the password policy here, like special characters and such? I’m trying to make sure I do it right.”
  - Leverage Knowledge: After the initial questions, frame your next approach based on the answers you get (e.g., if you learn about the password policy, you could guess passwords based on its structure).
- Escalation:
  - If the help desk employee doesn’t provide the needed information, ask for someone higher up who might have access: “Who else could help with this if it’s a more technical problem?”
  - Use phrases like “I’ve been bounced between a few departments. I was hoping you could help since I’ve heard you’re the expert in [system/tool name].”
- Flags and Next Steps:
  - After gathering the first flag (perhaps access or account details), look for clues or the mention of another department. Employees might reveal specific department names or procedures that could guide your next move.
  - Don’t forget to revisit prior flags for cross-referencing. You might ask, “Oh, and do you happen to know if [previous person you spoke to] gave me the right instructions on this?”
- Backup Plan:
  - In case you face resistance, try appealing to authority or urgency: “I was told by [manager’s name] that you’re the best person to help with this, and I really need this fixed before the end of the day. Could you assist?”
  - If denied, back off slightly and ask a smaller, unrelated question to reset the conversation before trying a different approach later.
Persona Ideas
- New Employee: “Hi, I’m really new here and don’t want to mess this up. My onboarding got all mixed up, and I can’t remember my password.”
- Third-party IT Vendor: “I’m working on a system integration for MegaCorp and I’ve been having trouble accessing the admin accounts. Could you verify this for me?”
- Urgency-driven Persona: “I’ve got a deadline in 30 minutes and the system’s locked me out. Could you give me a hand with a quick password reset? I’ll owe you one!”
Key Points to Keep in Mind:
- Plausibility: Always keep your requests and persona plausible, so it doesn’t raise suspicion.
- Small Wins: Focus on getting small pieces of information that you can piece together.
- Employees Behave Differently: Adapt to each employee’s tone and approach, switching strategies if needed.
With this approach, you should be able to start gathering useful information and navigating toward those key flags while minimizing suspicion.
The Final Flag:
Upon completing the last challenge and getting the final flag (it is not subtle, so you will definitely know when you have found it), bring that flag up to the team at the desk and claim your challenge coin!
We thank you for your interest in this Vishing Challenge!
If you have any further questions, please join us in the Discord!