SANS NetWars Core Continuous CTF Writeup

NetWars Core Continuous is a pay-to-play online cybersecurity CTF challenge offered by the SANS Institute. I recently completed my four-month subscription time in the NetWars Continuous environment and wanted to share my experience and thoughts about this CTF-like training product.

SANS offer several versions of NetWars. The Tournament product is usually an on-site contest run over two evenings during a SANS training event. Then there are the Core and DFIR (digital forensics) four month ‘continuous’ online products. After taking part in a NetWars Tournament event, I wanted to experience the ‘full-fat’ NetWars so signed up for the Core product which lasts 120 days. The normal registration price (at time of writing) for NetWars Core Continuous is 2890 USD, but it can be purchased for a discounted price of 1260 USD if participating in a 4+ day SANS training course.

This brief introductory video by SANS gives some more information about NetWars:

After registering for NetWars Core through the SANS website, I was instructed via email to sign up at the Counter Hack Challenges website, which seems to be a SANS subsidiary or spin-off partner company that hosts the NetWars content. This is the same website that is used for the in-person NetWars Tournament events often held during SANS training conferences.

The course takes an approach similar to a jeopardy-style CTF event, with a number of questions or tasks requiring a ‘flag’ to be provided as the answer. The twist is that the questions are stratified in to four sequential levels of increasing difficulty, and a minimum number of points must be obtained to unlock the next level. A fifth attack-defend (player versus player) level awaits those who have obtained a sufficient number of points over the previous levels.

For each question there is an automated hint system within the Counter Hack Challenges web interface. Requesting a hint does not deduct points, but rather increments a ‘hints’ counter. The number of hints taken is used to differentiate players on the scoreboard, which is particularly relevant in the end-game where many players have the same points score. Answering a question incorrectly more than once will however deduct points from the player score. A scoreboard in the web interface provides the player with an overview of their progress through the first four levels:

SANS Netwars scorecard showing progress through the entire CTF challenge.

In the sections below, I will offer some insight in to what to expect on each level of NetWars Core. Unlike a normal ‘CTF write-up’ however I can’t provide any answers due to the SANS NDA (this is supposed to be a training course after all!).

Level 1

The first level is conducted ‘offline’, in a customised SliTaz Linux virtual machine provided where the challenges are undertaken. Throughout NetWars the answer flags are typically contents of files or text strings, hashed with SHA-1 and entered into the CHC web interface.

This level provides an easy warm-up to the course and is not going to tax anyone with some general Linux and networking knowledge. Everything in level 1 can be readily answered with some simple web searches if the required technique or command is not immediately apparent. There are 23 questions in level 1, worth between 1 and 5 points each, with a total of 58 points available. All of the questions can be answered independently of one another, using only the provided VM and the tools already installed on it.

Level 2

Unlike the first level, level two starts with a ‘gateway’ question which must be answered before any of the other questions are unlocked. Questions at this level are a little more challenging, involving more intricate operating system knowledge and the use of some common information security tools (e.g. nmap). You can expect some interesting forensics and steganography questions in this level. Some basic Bash shell scripting is likely to be useful for parsing text data on a couple of the questions.

Level two is still pretty straightforward but might require some more in-depth research than the first level. If you have some prior penetration testing or CTF experience, level two won’t put up much of a fight. There are 18 questions worth between 3 and 6 points making a total of 77 points available in this level.

Level 3

From level three onwards, the virtual machine is no longer required as an online CTF environment is used. This is accessed via SSH login to a NetWars gateway machine shared with other students. Your local network will need to allow outbound SSH connections (which could be a problem for participants on firewalled corporate networks). As with level 2, a ‘gateway’ question must be answered first to obtain a personalised SSH login.

At this level things start to get more interesting with the questions becoming more technically demanding. There are a number of separate target machines on the lab network which need to be rooted. If you don’t have previous experience with penetration testing you may find yourself getting stuck and becoming reliant on the hints system. I found the SANS SEC560 penetration testing course great preparation for dealing with the questions at levels three and four. You can expect to see questions requiring network tunnelling, system exploitation, traffic capture/analysis and memory forensics.

A tip for people who get to level three - start keeping notes on information gleaned from each compromised system (i.e., do some post-exploitation enumeration), as they will be useful as you progress through the challenges. There are less questions in level three - only 12 questions but they are worth between 5 and 10 points each, for a maximum score of 85 points.

Level 4

The final level of the main part of NetWars has the smallest number of challenges at just 10, but also the most points available, with a maximum score of 122 points. Again, a ‘gateway’ question is used to open up the level, but unlike the previous levels, most questions naturally lead in to the subsequent ones.

Most of the tasks at this level involve obtaining root access on a target machine and are reasonably challenging. Expect to be using a variety of penetration testing tools like Metasploit/BurpSuite, privilege escalation, compiling exploits and tunnelling traffic over multiple hops inside the lab networks. A couple of the questions are real puzzles and most people can expect to be spending hours or days on each part of level 4. There were a couple of good web application security challenges in this level. The difficulty level here stops just short of creating customised exploit payloads.

A tip for players at level 4 - if you’re using ‘easy mode’ exploits like Eternal Blue or Dirty Cow, you’re bypassing the intended solution for a target, and in the process possibly missing out on learning new techniques.

Level 5

The final level differs from the rest as it is an attack/defend style player-versus-player network. The dedicated level 5 environment resets each week and eligible players can take part to secure and defend their machine’s services (e.g. WordPress) while attacking other players in the network, until their lab time expires.

Scoring is derived from the player’s service uptimes over the 7-day period. This is measured by inserting a personalised ‘flag’ within each service, which is then periodically checked by the scoring bot. Additional bonus points can be obtained by hijacking other player’s services and replacing the flag value (necessary for maximum points). A maximum of 342 points are available in levels 1 to 4, leaving a maximum score for level 5 of 180 points. A scoreboard viewable by all players in the session is available through the NetWars web interface, shown below. Notice how my availability score has exceeded 100% due to taking over services on one of the other machines (other player names blurred to protect the innocent!).

SANS Netwars scoreboard during a level 5 PvP session.

This entertaining level combines the skills used in earlier levels with systems administration and blue-team techniques. It’s well worth planning to have a few weeks of lab time when arriving at level 5 to get the most from it. One tool I found to be very useful during my participation in level 5 of NetWars was the Lynis security auditing tool, which is well worth a look. It’s worthwhile running a continuous packet capture on the machine being defended so that a post-mortem of any successful hacks can be performed. I also created a shell script to automate securing the box being defended – avoiding attacks in the first few minutes of the round often proved crucial to winning.

Whilst levels 3, 4 and 5 can be completed with the tools on the provided SliTaz virtual machine, I used a virtual Kali Linux installation, which I would highly recommend as it has more tools.


I enjoyed the NetWars Core Continuous training and got a lot out of it. For me the NetWars course was about refreshing practical penetration testing knowledge before undertaking the OSCP exam, and in that respect, I think it was a complete success. After taking a handful of hints I obtained the maximum score of 552 points ranking in the top 1% of the scoreboard.

As I expected, the full NetWars experience had a lot more content than the two-evening NetWars tournament product. I found the technical support provided by the NetWars team to be rapid and helpful. The staggered difficulty levels make the training accessible to pretty much everyone whilst keeping things interesting for experienced security practitioners towards the end-game. One area of possible improvement would be to have some extra Windows challenges as the course felt quite Linux-centric.

I think that NetWars has some tough competition from the plethora of free CTF offerings such as Hack the Box and Root-Me. Whether NetWars is the right choice for you may boil down to availability of discount coupons or someone else footing the bill – nevertheless, it gets a thumbs up from me.

Did you like this article? Please consider supporting this site.

Page last updated: