PurpleMooCow was the final flag (I found) of the competition, worth 500 points.
Following up on the exploit from the previous flag I found, I thought there might be more here to exploit in the way of SQL injection:
SourceCodeTheft was the next-to-last flag I found. It was worth 100 points. Here’s how I found it:
Still working on the 10.10.146.187 host, which had yielded previous flags, I had discovered this additional page on the website: http://10.10.146.187/pmc.aspx
I honestly don’t recall how I had found this page but I suspect an earlier wget to mirror the entire website pulled the file down and I saw it on my local folder and decided to visit it. It’s a simple website with a single text box for input:
This is my second time posting this… so please excuse my brevity.
At this point in the competition (I use that term loosely), I was hitting the wall on discovering flags. As I previously disclosed, I had been all over the place and not very methodical in identifying targets and attacking them in some sort of order. What with all the chasing squirrels and all, I was starting to get weary of finding flags in small spurts.
As a result, I started throwing a few terms into the scoreboard to see what stuck. While it’s ironic that I didn’t get the obvious flag in the title of this page, I made something up based on the content of the page and it worked.
TheFappening was worth 100 points.
Hey, when you’re behind you’ll take ’em any way you can…
I have two more flags to disclose and I’ll publish those next week. Have a great weekend!
I apologize for disappearing right in the middle of my posts for the DerbyCon CTF Flags. I’m leading two large projects at work that have deadlines this month (one tomorrow and the other next Friday) — so I haven’t had a lot of time to sit down and type out the remaining posts to finish this series.
Honestly, there are other things I should be diligently working on at the moment, but I’ve been feeling guilty and wanted to finish this one out so I can put a check in the box. Well, that and I needed to take a break. Stand by for the remainder (?) of my DerbyCon posts…
According to the logs it appears I’ve had some repeat visitors checking in on the conclusion of my series of posts describing the flags I found during the DerbyConCTF 4.0 competition. It’s been a hectic week but I’ll get around to knocking out a few more of those posts soon enough. Stand by.
I say “all flags” with some reservation, but here is what I found:
My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on. Sure enough, it was a Cisco router with a flag in the banner:
I had this flag recorded on my spreadsheet but I failed to capture the text to point it out. According to my notes, I found MudFlaps in the page source of http://10.10.146.187/Default.aspx. This flag was worth 80 points.
That was obviously a right-click with the mouse and “View Page Source” and it was either obvious or I scanned for it. There could have been more flags in there that I didn’t see. No doubt there were, given the total number of flags in the contest and considering the ones I missed yesterday that I blogged about.
I found a few more flags on this same host that I’ll blog about next week.
When I captured files during this year’s DerbyCon CTF, I intended to hold onto them so I could blog about the flags that I found. I expected there might still be hidden flags waiting for me to discover — and that I would blog about them. I just didn’t expect some of them to be so obvious to me now and so easily overlooked then.
Perhaps that’s more proof of the importance of being on a team where you have many eyes reviewing the same material. Maybe it’s also proof that I’ve got a long way to go before I’d even consider myself a junior penetration tester. /shrug
While I was writing yesterday’s blog, I was reviewing screenshots I had taken so I could write a post about the flags I found through SQL injection and there was a flag, front and center. It couldn’t have been more obvious to me now and yet not obvious at all on game-day:
Right there in the title: The Fappening 2: Shell Shock f l-ag is
Just as I had found with previous flags, MayUrG0atsBeFr33 and Goats34Milk, I found the flag ML5jVuOCTvMhaG70p0BL by using grep to search through files I had already downloaded:
No special sauce here, just another easy flag worth 20 points. The file I found it in, 10_25_2_165_rexpzo.xml, was somewhat interesting. It appeared to be an XML output file from a Nessus scan? I’m not sure. Either way, I probably spent more time looking through this file than was really necessary. It didn’t occur to me until NOW that the numbers in the filename might have been an IP address worth scanning: 10.25.2.165. I guess I’ll never know.