Posts

Showing posts from October, 2018

2018 BSidesRDU CTF

Image
Winner! Winner!

Welcome Thrillhouse Group took first place at the 2018 BSidesRDU CTF by that was put on by Eversec CTF.

BSidesRDU Final Score Board.
Team Ntropy was in the lead for most of the day and put up a really good fight, but WTG was able to pull ahead in the last few hours and hold first place till the end. 
Our prize for taking first place was a copy of Clear and Present Danger by Tom Clancy:

Clear and Present Danger.
However this is no ordinary edition!  This copy contains what appears to be a silk-screened or possibly etched BSidesRDU 2018 flask.

BSidesRDU Flask.
The team didn't really have time to put together any write-ups for this event. We were just too busy trying to overtake Ntropy the whole day.

However, I did make some mental notes on the challenge involving the libssh vulnerability CVE-2018-10933, and still have some spool files from using metasploit so I'll talk about that briefly.

[1] nmap indicated libssh
Nmap scan report for 192.168.0.201
Host is up (0.0…

2018 Derbycon CTF - Jenkins

Image
Just like last year; the Derbycon CTF was awesome! I had the honor of competing on team illuminopi this year and we got second place.

Sitting next to and working with such highly skilled hackers was so fulfilling and rewarding it is easy to justify the means of getting there, staying awake for way too long, and even getting "iced" with a hot can of poison called Smirnoff.

Hot Poison
My goal for this year was to contribute over 5000 points and writeup at least one challenge where full exploitation was necessary. I met both of these challenges so without further ado, here's how we popped the Jenkins box.

Jenkins -  192.168.253.45 [1] Initial Recon:  nmap revealed 8080 and I browsed to the website.
Jenkins Login Page
[2] Create an account 
I followed the "create an account" link and filled out the form as seen below:

After the account was successfully created, the following page loaded:
Successful Account Creation
[3] Manage Jenkins
Under the "Manage Jenkins&…