I was lucky enough to score tickets to Shmoocon again and of course I was looking forward to working on a CTF while I was there. Black Hills Information Security had organized a CTF to run at Shmoo which made me super happy as I have a lot of respect for them and was excited to see what they had in store for us players.
Unfortunately, I had to work most of Friday and leave first thing Sunday morning. This left me with only a handful of hours on Saturday to compete as I balanced my time with other con activities.
My coworker, Wole, joined the team and together we reached as high as 13th place in just a few hours. The final scoreboard was still hidden at the time of this writing, but I have a feeling we got knocked down a few spots.
The CTF was powered by MetaCTF and the challenges were categorized as follows: CryptographyReconnaissanceWeb ExploitationReverse EngineeringForensicsOther
One challenge that I thought would make for a good blog post to write on the train home was called: &quo…
Arcticcon is a conference by red teamers, for red teamers...and I was lucky enough to attend and participate in their 2019 CTF.
First of all, the conference was amazing. The first day was dedicated to the CTF, the second day had a focus on training/labs, and the third day was loaded with presentations that were all informative, inspiring, and packed full of tips, tricks, tools, and advice that I could actually use in my day-to-day.
The CTF had three main components to it, with SE being peppered in as well: OSINTPhysicalNetpen
I was assigned to team IronMan, along with five others.
On May 2nd, 2019, the CTF opened up for teams to begin working on the OSINT challenges.
The Jeopardy style challenge board gave no hints and asked no questions.
Here is an example of a challenge:
I began this CTF with some bad assumptions concerning when it was held last year, so shortly after I began my hunt for OSINT, I started submitting flags from last years challenges. Th…
Just like last year; the Derbycon CTF was awesome! I had the honor of competing on team illuminopi this year and we got second place.
Sitting next to and working with such highly skilled hackers was so fulfilling and rewarding it is easy to justify the means of getting there, staying awake for way too long, and even getting "iced" with a hot can of poison called Smirnoff.
My goal for this year was to contribute over 5000 points and writeup at least one challenge where full exploitation was necessary. I met both of these challenges so without further ado, here's how we popped the Jenkins box.
Jenkins - 192.168.253.45
 Initial Recon: nmap revealed 8080 and I browsed to the website.
Jenkins Login Page
 Create an account
I followed the "create an account" link and filled out the form as seen below:
After the account was successfully created, the following page loaded:
Successful Account Creation
 Manage Jenkins
Under the "Manage Jenkins&…