Posts

Trudging Through the Derby MUD in Lock Step

For the final DerbyCon CTF, I decided to take on the MUD for team Illuminopi.

Derbycon 9.0 EvilMog CTF MUD
The CTF MUD was created by EvilMog and the world he created was pretty staggering. I really appreciate the effort that he put into the MUD for us all to enjoy. For those that do not know, a MUD, or Multi-User Dungeon, is a real-time, text-based, multiplayer game. You can learn more about them here.

Okay, let's get into it.
Upon your initial login and sign-up, there were more rules, tips, and tricks presented to the player. I mostly ignored everything and went in with tree branches a-blazing!
By the end of the conference, I believe I captured about 4 to 6 thousand points worth of flags in the MUD, and if I recall correctly, I only got about halfway through the challenges.

I attempted to make use of some evenings after the conference to take on the challenges outside of derby and got as high as third place:
Okay maybe I spent a day on it. 
Even with the pictures from a derby f…

DEF CON 27 - Our Car Hacking CTF Experience

The Car Hacking Village CTF at DEF CON 27 was a fun, educational, and humbling event to participate in. We got 9th place, mostly due to luck and tenacity. Before this event, we had not tried to interface with, let alone hack, a vehicle. So, we spent the whole of DEF CON 27 in the CHV CTF to change that. Here's our story...

CHV CTF Final Scoreboard
Unfortunately, we cannot offer up a single write-up for the actual car hacking challenges as we were unable to complete a single one of them. However, there were a lot of trivia questions which sent us down multiple rabbit holes where we learned terms, concepts, and attack vectors that we had zero knowledge of before. The purpose of this post is simply to share our experience and touch on building the nano-can and using a HackRF One to replay a key-fob button press.
Overall, I'd say that going to one of the largest hacking conferences in the world to participate in a hacking competition against something that you have zero experienc…

2019 Stonecutters - The Battle of Gettysburg

Here's our latest write-up for the secret Stonecutters challenge that we've code named "The Battle of Gettysburg."

Somebody is Going to Get Parasites
For this challenge we made use of a tool that automates OS command injection.

Okay, let's get into it.

As with all of the other "Any Key" challenges, I registered my SSH key with the scoring server and was able to connect to a web server on 127.0.0.1:8080. For more information about this CTF, feel free to check out this post.

The web server that loaded was a simple input field that indicated that I needed to check if a file existed, and a submit button that said "fire".

Naturally, I tried /etc/passwd and here's what I saw:

Hit!
When I checked for "foo", I saw a message that said "missed."
I then entered /flag.txt and got another hit.

I tried really hard to find an LFI, and I also spent some time attempting to eke out a SQL error. However, commix was the tool that won the Battle o…

A Primer for On-Site CTFs

I have been to many CTFs over the last five or six years and I wanted to share some tips, tricks, and advice for beginners. My hope is that this post helps those who are new to CTFs by sharing what I pack in my "go-to-war" bag, what some of the non-standard tools I use are, and how I spin up cloud-based systems.

Go-to-War
When the CTF room opens up, the first problem is finding a place to sit. I like to get to the room as soon as possible to ensure that we have a decent place to set up. For example, all of the Defcon villages on day one are crowded and intense. I encourage everyone that's serious about the event to line up well before it opens. Also, the CTF and the village talks are generally held in the same room, so it is likely going to be noisy and seating will be limited. My advice is to sit as close to the infrastructure as possible.

It doesn't hurt to have a plan in place about approaching the challenges before you get there in case you can only tolerate a coupl…

ArcticCon 2019 CTF

Arcticcon is a conference by red teamers, for red teamers...and I was lucky enough to attend and participate in their 2019 CTF.

aRcTicCON

First of all, the conference was amazing. The first day was dedicated to the CTF, the second day had a focus on training/labs, and the third day was loaded with presentations that were all informative, inspiring, and packed full of tips, tricks, tools, and advice that I could actually use in my day-to-day.

The CTF had three main components to it, with SE being peppered in as well: OSINT, Physical, and Netpen.

I was assigned to team IronMan, along with five others.

OSINT
On May 2nd, 2019, the CTF opened up for teams to begin working on the OSINT challenges.
The Jeopardy style challenge board gave no hints and asked no questions.
Here is an example of a challenge:
Challenge Three

I began this CTF with some bad assumptions concerning when it was held last year, so shortly after I began my hunt for OSINT, I started submitting flags from last year's challenges. Th…

2019 Stonecutters - Bleeding Gums

In honor of Bleeding Gums Murphy, who passed away 24 years ago today, I thought it would be nice to pay tribute to him by publishing my write-up for the Stonecutter's "Bleeding Gums" challenge.

RIP Bleeding Gums
Bleeding Gums was an empty website aside from a single search field as seen below:


index.php
When I searched for the letter "a", I saw the table below:

Search Results
When I searched for the letter "b", I saw a smaller data set returned and some of the artists were different.

Next, I searched for years and album titles, but the query only seemed to search for artists.
Searching for ' gave me the following SQL error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')'' at line 1

I threw sqlmap at it, but I wasn't able to get anything out of it. I then started to play with the injection manually.

With this particular challenge, I notice…

2019 Stonecutters - Fink Does Yoga

The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded, and the password given didn't really seem to matter. I started this challenge by fuzzing bad characters to find some kind of injection vulnerability.

I found that entering a "<" as the username gave me an interesting error. Seen below is the complete response:

Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22
Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24 Hi there, ! Welcome back. Calendar No spots are available at the moment. Please check back later. 
I noticed XML errors in this output so I tried the following XXE injection attack against the username field:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT f…