Wild West Hackin' Fest 2025 - Vishing CTF Challenge
Challenge Overview
In this vishing CTF challenge, your mission is to infiltrate Dominion Industries by socially engineering its employees into revealing sensitive information, specifically their passwords. The goal is to strategically target employees, starting with the help desk, and to use your skills of persuasion, deception, and quick thinking to gather flags that will guide you further into the challenge. Each conversation is an opportunity to uncover new leads, but remember: every employee behaves differently, and no one holds all the answers. Your success hinges on asking the right questions, building rapport, and navigating the complex social dynamics of corporate life. Will you be able to outsmart Dominion Industries' defenses and achieve your goal?
General Strategy
You Only Need Your Phone
- The entire CTF can be accomplished with just a phone and a web browser.
- No technical tools are necessary, even if someone tells you they are.
- Keep it simple - social engineering is about conversation, not technology.
- REPEAT: YOU ONLY NEED YOUR PHONE. DO NOT ATTACK THE SITE.
Preparation
- Have a clear persona or role in mind. Keep it simple, so you don't forget key details while speaking.
- Develop plausible scenarios for why you need help to create a sense of urgency.
- Use terms and language common to the corporate environment that match your chosen role.
- A common scenario is impersonating the help desk and asking for passwords.
Voice and Persona
- Don't be afraid to impersonate members of the opposite sex.
- No impression is so bad that it can't work. Commitment to your chosen persona is more important than flawless execution.
- Focus on tone, speech patterns, and mannerisms rather than trying to perfectly mimic a voice.
Initial Contact
- Entry Point: Introduce yourself with your chosen persona and explain why you're calling their department specifically.
- Common Issues: Present problems that would naturally fall within their area of responsibility.
- Goal: Get them to offer assistance or information. Ask them to "walk you through" processes as if you're unfamiliar.
Use Targeted Questions
- Ask about verification processes: "What information do you typically need to verify my account?"
- Inquire about policies: "Could you remind me of the company policy for this situation?"
- Request confirmation: "Can you confirm that my account is set up properly?"
- Leverage knowledge: After the initial questions, frame your next approach based on the answers you get.
Flags and Next Steps
- After gathering the first flag, look for clues or mentions of other departments. Employees might reveal specific department names or procedures that could guide your next move.
- Don't forget to revisit prior flags for cross-referencing. You might ask about previous interactions or instructions you've received.
Key Points to Keep in Mind
Keep It Simple
If you feel like you're going down a rabbit hole, you probably are. Keep your approach straightforward.
Small Wins
Focus on getting small pieces of information that you can piece together.
Employees Behave Differently
Adapt to each employee's tone and approach, switching strategies if needed.
With this approach, you should be able to start gathering useful information and navigating toward those key flags while minimizing suspicion.
Find Three Flags
Your goal is to find three flags during your vishing calls. Once you've found all three flags, bring them to the Red Siege booth to claim your challenge coin!
The flags are some sort of sensitive information. Don't worry, you will definitely know when you find a flag.
We thank you for your interest in this Vishing Challenge!
If you have any further questions, please join us in the Discord at redsiege.com/discord!