DerbyConCTF Flag: DuckDynasty, SandDunes?

October 15, 2014

When I captured files during this year’s DerbyCon CTF, I intended to hold onto them so I could blog about the flags that I found. I expected there might still be hidden flags waiting for me to discover — and that I would blog about them. I just didn’t expect some of them to be so obvious to me now and so easily overlooked then.

Perhaps that’s more proof of the importance of being on a team where you have many eyes reviewing the same material.  Maybe it’s also proof that I’ve got a long way to go before I’d even consider myself a junior penetration tester. /shrug

While I was writing yesterday’s blog, I was reviewing screenshots I had taken so I could write a post about the flags I found through SQL injection, and there was a flag, front and center. It couldn’t have been more obvious to me now and yet not obvious at all on game-day:

[Image: Screenshot from 2014-09-27 17_45_28]

Right there in the title: The Fappening 2: Shell Shock f l-ag is DuckDynasty

How embarrassing is that?  I completely missed it.  Which of you following along can tell me how many points that missed opportunity was?

And while I’m confessing, here is another one I missed:

It didn’t look like anything to me then, but following my propensity to completely miss base64 tags, I decided to try and decode it:
aaron@computer $ echo "/wEPDwUJNDM0Mzg3MDI4DxYCHgRmbGFnBQlTYW5kRHVuZXNkZNQgVPTT+ZqCbkJFhtkmmEIQ/HF6" | base64 -d
� 434387028flag SandDunesdd� T�����nBE��&�B�qz

I’m not sure what to make of that, but it looks like it says “SandDunesdd” to me.  Maybe just “SandDunes”?  Either way, I missed it.
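An added example, not part of the original post: the decoded bytes start with FF 01, the header of a serialized ASP.NET ViewState, so this sketch walks the token stream to show where the string ends and what the two trailing `d` characters are. The token values (0x0F pair, 0x05 string, 0x1E indexed string, 0x16 ArrayList, 0x64 null) follow the publicly known ObjectStateFormatter layout; that this value is a ViewState is an inference from the bytes, and the function names are hypothetical.

```python
import base64

# Value copied from the post's echo command.
BLOB = "/wEPDwUJNDM0Mzg3MDI4DxYCHgRmbGFnBQlTYW5kRHVuZXNkZNQgVPTT+ZqCbkJFhtkmmEIQ/HF6"

def read_len(buf, pos):
    """Read a 7-bit encoded integer (low 7 bits first, high bit = continue)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def read_value(buf, pos):
    """Decode one token; only the token types present in this blob are handled."""
    token = buf[pos]
    pos += 1
    if token == 0x64:                       # null, which prints as ASCII 'd'
        return None, pos
    if token in (0x05, 0x1E):               # string / indexed string (first use)
        length, pos = read_len(buf, pos)
        return buf[pos:pos + length].decode("utf-8"), pos + length
    if token == 0x0F:                       # Pair: two values follow
        first, pos = read_value(buf, pos)
        second, pos = read_value(buf, pos)
        return (first, second), pos
    if token == 0x16:                       # ArrayList: count, then items
        count, pos = read_len(buf, pos)
        items = []
        for _ in range(count):
            item, pos = read_value(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unhandled token 0x{token:02x} at offset {pos - 1}")

def parse_viewstate(b64):
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":
        raise ValueError("missing FF 01 header")
    tree, end = read_value(raw, 2)
    return tree, raw[end:]                  # trailing bytes after the object tree

if __name__ == "__main__":
    tree, trailer = parse_viewstate(BLOB)
    print(tree)
    print(len(trailer), "trailing bytes")
```

The string token carries an explicit length of 9, so the value is `SandDunes`; each `d` is a null token closing a pair, and the 20 bytes left over are the size of a SHA-1-based integrity MAC. A MAC only prevents tampering: anything a page stores in ViewState stays readable by the client unless ViewState encryption is enabled.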

I don’t know.  That seems like a whole lot of fail to me now.  Maybe not more than 50 missed points there, but combined with others I’m sure to find, it could have been enough to place me in the teens.


Aaron Melton

