AaronMelton.com

In closing, I wanted to say a few things about my experience with DerbyCon CTF 2014.

This year was much different than years past simply because I had my family with me this year.  Although I had my wife’s blessing to experience the con as I always had, it just felt different because my family was present and therefore I acted different.

When I was in the CTF room my attention was divided between trying to discover the next flag and taking a break to spend time with my family.  When I was with my family, my mind was secretly trying to solve a problem I hadn’t yet answered.  In other words, it wasn’t much fun for me or the family.  Well, it wasn’t awful — it just couldn’t be both.

Continue Reading…

PurpleMooCow was the final flag (I found) of the competition, worth 500 points.

Following up on the exploit from the previous flag I found, I thought there might be more here to exploit in the way of SQL injection:

Continue Reading…

SourceCodeTheft was the next-to-last flag I found.  It was worth 100 points.  Here’s how I found it:

Still working on the 10.10.146.187 host, which had yielded previous flags, I had discovered this additional page on the website: http://10.10.146.187/pmc.aspx

I honestly don’t recall how I had found this page but I suspect an earlier wget to mirror the entire website pulled the file down and I saw it on my local folder and decided to visit it.  It’s a simple website with a single text box for input:

Continue Reading…

This is my second time posting this… so please excuse my brevity.

At this point in the competition (I use that term loosely), I was hitting the wall on discovering flags.  As I previously disclosed, I had been all over the place and not very methodical in identifying targets and attacking them in some sort of order.  What with all the chasing squirrels and all, I was starting to get weary of finding flags in small spurts.

As a result, I started throwing a few terms into the scoreboard to see what stuck.  While ironic that I didn’t get the obvious flag in the title of this page, I made something up based on the content of the page and it worked.  TheFappening was worth 100 points.

Hey, when you’re behind you’ll take ’em any way you can…

I have two more flags to disclose and I’ll publish those next week.  Have a great weekend!

I say “all flags” with some reservation, but here is what I found:

My nmap scan revealed there was a host with Telnet open, so I cruised over there to see what was going on.  Sure enough, it was a Cisco router with a flag in the banner:

Continue Reading…

I had this flag recorded on my spreadsheet but I failed to capture the text to point it out.  According to my notes, I found MudFlaps in the page source of http://10.10.146.187/Default.aspx Page source.  This flag was worth 80 points.

That was obviously a right-click with the mouse and “View Page Source” and it was either obvious or I scanned for it.  There could have been more flags in there that I didn’t see.  No doubt there were given the total number of flags in the contest and considering the ones I missed yesterday that I blogged about.

I found a few more flags on this same host that I’ll blog about next week.

When I captured files during this year’s DerbyCon CTF, I intended on holding onto them so I could blog about the flags that I found.  I expected there might still be hidden flags waiting for me to discover — and that I would blog about them.  I just didn’t expect some of them to be so obvious to me now and so easily overlooked then.

Perhaps that’s more proof of the importance of being on a team where you have many eyes reviewing the same material.  Maybe it’s also proof that I’ve got a long way to go before I’d even consider myself a junior penetration tester. /shrug

While I was writing yesterday’s blog, I was reviewing screenshots I had taken so I could write a post about the flags I found through SQL injection and there was a flag, front and center.  It couldn’t have been more obvious to me now and yet not obvious at all on game-day:

Right there in the title: The Fappening 2: Shell Shock f l-ag is DuckDynasty

Continue Reading…

The 10.10.146.187 host also happened to contain a database (or more, dunno).  That was an easy enough to figure out upon visiting the website:

Obviously (or maybe not), that meant it was time for some old-fashioned SQL injection.

Continue Reading…

Just as I had found with previous flags, MayUrG0atsBeFr33 and Goats34Milk, I found the flag ML5jVuOCTvMhaG70p0BL by using grep to search through files I had already downloaded:ML5jVuOCTvMhaG70p0BL

No special sauce here, just another easy flag worth 20 points.  The file I found it in, 10_25_2_165_rexpzo.xml was somewhat interesting.  It appeared to be an XML output file from a Nessus scan?  I’m not sure.  Either way, I probably spent too much time looking through this file than was really necessary.  It didn’t occur to me until NOW that the numbers in the filename might have been an IP address worth scanning: 10.25.2.165.  I guess I’ll never know.

Continue Reading…