Category: CTF

RVAsec 7 CTF Prizes

RVAsec 2018 is just a few days away, which means it’s almost time for another CTF! As mentioned in our first blog post, we have some exciting problems planned in topics ranging from cryptography to web and binary exploitation to lockpicking and badge hacking. The actual CTF will take place on Friday, June 8th all day, but we’ll have some practice challenges set up on Thursday.

Thanks to Crowdstrike as well as Offensive Security and Netsparker, we have some really exciting prizes. As done in the past, we will have two separate prize tiers: you can either compete individually or in teams of up to 5 people. The top 3 individuals and teams in each category will be guaranteed a prize, and the remaining prizes will be distributed to the next highest individuals/teams. Priority will be given to the highest finishing competitors/teams (1st place chooses first, then 2nd, etc), with the top 3 individuals picking first, followed by the top 3 teams.

As one last note, you’ll be able to connect to the CTF stuff both wired and wirelessly. As we don’t have enough hardware to allow everyone to connect via a wired connection, you are encouraged to bring your own switch and long Cat5 cable.

Without further ado, the RVAsec CTF 2018 prizes:

● 2x Offensive Security PWK Course with 30 days of lab + OSCP Certification
● 2х Netsparker License
● 2x Hak5 WiFi Pineapple Tetra Tactical
● 2x Hak5 Bash Bunny
● 2x Hak5 Rubber Ducky
● 3x Holy Stone Racing FPV Drone
● 2x Anker PowerCore Speed 20000 Portable Charger
● 1x $250 Visa Gift Card
● 2x $100 Visa Gift Card


RVAsec 7 CTF

The CTF crew is once again hard at work preparing challenges for this year’s competition. As in the past, the first day of the conference will be CTF prep while the actual competition will take place on Day 2 (Friday, June 8th). Even though it will contain some hard challenges, this is a learning CTF – not just a bash-your-head-against-the-wall competition. As such, there will be plenty of challenges from lockpicking to recon and web exploitation for people of all levels and backgrounds. Additionally, you may choose to compete as an individual or form teams of up to 5 people – there are separate prize categories for both.

You will need an updated Kali machine, but we will provide everything else.

Below is a list of some of the skills/topics that have been covered in previous years.

Entry Level: Primarily aimed at beginners and those with a less technical background, focusing on basic infosec skills and concepts.

  • Rot N encoding
  • Google Fu / OSINT
  • Examining website source code
  • Basic file analysis (eg. file, strings)
  • Trivia

Intermediate: Expect to begin taking a deep dive into the core categories by finding and exploiting vulnerabilities, cracking passwords, etc.

  • Extracting objects from Wireshark dump
  • SQL Injection
  • URL Fuzzing
  • Cracking password hashes (using john, Hashcat, etc)
  • Reverse Engineering and Disassembly

Hard: For our battle-hardened, seasoned CTF players which will challenge competitors to truly think outside the box, crack encryption, exploit binaries, and more.

  • Blacklist filter evasion for SQL Injection
  • Binary Exploitation (buffer overflows and more)
  • Cracking RSA Encryption
  • Multi-step OSINT investigation
  • Hardware

In addition, we are always looking for volunteers to help out with creating and testing all of the problems. If that interests you, please reach out to us at contact [at] metactf.com, and we’ll add you to the mailing list.

We are pleased to announce that CrowdStrike has sponsored the CTF this year!

Finally, good luck to everyone and we’ll see you in June!

 


CTF Sponsor: Capital One

www.capitalone.com

@CapitalOne

Capital One

We are very pleased to announce Capital One is our sponsor for the CTF this year! Please stop by and say hi to their representatives in the Capture the Flag room.

RVAsec 2016 Register now!

 


Come one, Come all – It’s CTF 2016 time!

The RVAsec CTF team is beginning the setup and planning phase of the 2016 conference.  As many of you know, we pride ourselves with this CTF being an all-inclusive learning CTF and not just a ‘stump the chump / who’s the best engineer in the room’ kind of CTF. That said, we need volunteers to come up with fresh ideas, challenges, and setups that are both fun and informative. Additionally, we do want to provide a challenge for those who show up looking for one, so if you are a more advanced user or admin and have some killer challenges that can stump someone, we’ll need those too for the higher tiers.

Speaking of Tiers, we plan to have 3 or 4 tiers this year and they will be as follows:

Tier 1 -Beginner

This tier will comprise the majority of the challenges and points ideally. Challenges in this category should be purely beginner level challenges. Some examples of year past are:

 Connecting to SSH and copying part of the SSH key as the flag

 Looking in web page source code for the flag

 Trivia questions related to IT / Hacking History / Etc.

 Wireshark dumps of plain text authentications

 Port and/or device identification (that’s port 25, used for SMTP, running on a Raspberry pi, identified by its MAC OUI)

Tier 2 – Moderate

This is a moderate tier geared more towards people who digging deeper into Security and the different facets it includes as well as experienced Pentesters. Some examples from the past:

 XOR code samples with python

 Heartbleed exploit to retrieve login information

 Local privilege escalation to find the Flag

 SQL injection

 MS08-67 Exploits

 Brute force SSH or SFTP sites

 DFIR recovery and artifact location

Tier 3 – Hard

The hard tier, built mainly with ‘stump the chump’ challenges that are for the seasoned CTF player and people solely after winning prizes and spending the whole con in the CTF:

 Reverse engineering samples

 Malware C2 traffic Analysis

 Chained exploits

 Ghost services that have to fuzzed

 Firmware disassembly

Tier 4 – Hardware

Hopefully, we will be able to include various hardware challenges this year with the help of HackRVA as we have in the past, this tier will be specific to the Badges but we are always open to including other Hardware or IoT related challenges in at this level, so any idea, let us know!

So all that said – Come help out! If you are interested in assisting, please send an email to Mike Bailey and we’ll add you to the mailing list going forward as we begin to work it all out.

We are looking for a sponsor for the CTF, if you are interested please contact us to discuss!

Thanks and we will provide more updates as they happen!


CTF Update

We caught up with Nick Popovich from the RV4sec CTF team and he had some great information to share with us!

The RV4sec CTF is next week, and is going to be the most intense CTF the 804 has ever seen! Here’s what’s new and amazing this year. Also you’ll want to read on for some info that will aide you during the event.

New:

1). We have what most folks expect: the RV4sec CTF with new challenges and our smiling faces.

2). Bugcrowd will be onsite, and all LIVE, REAL vulns in the Bugrcrowd bug bounty system that CTF participants submit during the event will be checked on the spot. Points for the CTF will be awarded if the submitted bugs are accepted as valid by Bugcrowd.

3). GE has partnered with us and will have their Ghost Red CTF running with MANY amazing challenges (including hacking a simulated nuclear power plant). All points for Ghost Red will also be added to total RV4sec CTF score.

4). Last but certainly not least, the HackRVA folks have included CTF challenges in the RV4sec badges. That’s right, you can tinker with your badges and find “keys” or “flags” and submit those into the RV4sec CTF scoreboard for points.The scoreboard also has clues (for all the challenges).

Info:

There will be three systems that folks can register for that will count towards their total score for the CTF:

1). The RV4sec CTF scoreboard.
2). The Bugcrowd system via the Internet (click here for more info for Bugcrowd)
3). The GE Ghost Red CTF scoreboard

The Bugcrowd info linked to above has some values for “points” but that is for the Bugcrowd system only. We will be adjusting the point values for Bugcrowd vulns for the CTF to match our points system. But obviously, the harder/neater the vuln is to exploit, the more points you’ll get.

It is CRAZY important that in all the systems you choose THE SAME USERNAME, and append “_rvasec” without quotes to your username. I’ll say it again. CHOOSE SAME USERNAME IN ALL SYSTEMS and AND “_rvasec” without quotes to your username. if you don’t the points won’t be added up for all your hard work across the systems.

Example: If i want my username to be pipefish, I would put pipefish_rvasec in when creating accounts in all 3 systems.

I know some App Devs, DBA’s and IT folks are scowling now, asking why we don’t have API’s or some consolidated system that curates all the data from the three systems and shows a single leaderboard. To you I say… maybe next year 😉 This year, we have three systems, and that’s that.

We’ve got some rad prizes too including a OnePlus phone loaded with NetHunter courtesy of OffsecNetsparker licensesWiebeTech Forensic ComboDock v5, USB-WiFi-Premium KeyGrabber and a Yubikey NEO!


CTF: Know A Local RVA Company That Needs Security Help?

Do you know any local RVA companies that need security help?  Whether they can’t afford to hire help, are a Non-Profit organization or something else, the RV4sec CTF team is here to help!

This year we are working with Bugcrowd to allow CTF participants the ability to give back to the community. The live bug hunting aspect will provide real organizations security testing so they can better understand and improve the security posture of their online presence.

Please help us spread the work that an organization can receive free security testing by signing up for the BugCrowd platform here:
https://tracker.bugcrowd.com/organizations/programs/new

Once you signup please email us so we can help you through the next steps.

The testing will provide real world feedback on what an attacker would be able to see from the Internet, allowing you to understand what needs to be fixed.

If you have any questions please contact us to discuss!

This year’s CTF is being sponsored and brought to you by United Network for Organ Sharing (UNOS), a non-profit 501(c)(3) organization.

 

UNOS

 


CTF: New Hybrid Challenge Includes Live Bug Hunting!

ctfThe RV4sec CTF dev team has been hard at work for the last few months cooking up some great new challenges for this year’s Capture the Flag (CTF) event. We’re sticking with the tiered approach in an effort to bring a healthy mix of educational challenges, along with more difficult “hack the Gibson” challenges.

However, this year’s CTF has a new twist! We are combining the CTF you know and love with live bug hunting with the help of Bugcrowd!  Bugcrowd has run Bug Bashes at conferences before, but we are taking it to the next level at RV4sec: we’ll be incorporating aspects of the live Bugcrowd bug bounty system into the CTF scoring.  This means you can get involved in finding real live bugs on systems and they will count for points in the CTF. Isn’t that excellent?!

BugcrowdThe CTF has been a big success the last few years, and we are working hard to ensure that it continues to educate and provide a fun, safe environment to learn many aspects of IT, IT security, hacking and defending.

We are also working with Bugcrowd to allow CTF participants the ability to give back to the community. We are working on a process to allow local companies and not-for-profit organizations the ability to sign up to have their security tested as part of the CTF.  The live bug hunting aspect will provide real organizations security testing so they can better understand and improve the security posture of their online presence. In the end, isn’t that what IT security should be about?  We hope to provide more information on this very soon!

The CTF team is a mix of folks from many different facets of IT: we’ve got incident responders, hacker trackers, IT directors, pentesters, IT managers and everything in between. These folks have a passion for technology, enjoy exploratory dives into interesting problems, and want to share the joy, fun, frustration, learning, and general shenanigans that make the RV4sec CTF so much fun!

Our hope is that a healthy mix of folks will also come to participate in the free CTF hosted at RV4sec. We want everyone to come out and play, whether you’re new to tech, or you remember putting your first program on punch cards. Come out, plug in (well it’ll be wireless, but…) and get hacking, teaching, and learning.

Also, feel free to tweet us things you’d like to see in the CTF. It’s getting close but there may be time to get the ideas into a challenge. Use hashtag #rv4secctf and tweet to @pipefish_@mpbailey1911, or even @RVAsec with ideas and we’ll see what we can do.

Come out to the RV4sec conference and enjoy the training, the talks, and plan to stop by the CTF for some hackery!

Thanks again to UNOS for sponsoring the CTF, as well as the other organizations donating prizes.

We’ll see you there, and keep your eyes peeled for more information soon!

UNOS


RVAs3c Capture The Flag Update and Prizes Announced!

RVAs3c Capture The Flag:
The RVAsec Capture The Flag (CTF) is getting close! Below are details that are meant to ensure participants are prepared for the event. We’re excited to invite anyone and everyone who is interested in learning and exploring using different tools and techniques with hands on practical exercises to join us.

The team has worked hard to keep the “every man or woman” feel of the CTF from last year in effect. There are challenges of different varieties that should satisfy every skill level.

This year we are again going for the wireless competition, which allows a little bit of freedom as far as cables go. There will be a dedicated space setup in the vendor area, with some seating on first come basis. Please confirm in advance with the survey you will receive from the RVAs3c organizers soon to help us make sure we have enough space and can better guarantee you’ll be counted when that space is divided up.

We plan to have staff walking around to assist folks in case of any major issues, as well as to answer questions, within reason. We can’t give you the answers of course, unless you happen to have some massive dogecoin wallets laying around (kidding!).

When: Friday, 06/06/2014 – Start time will be near 10am EST, and end time will be at or prior to 4pm EST; announcements will be made onsite. Also, note that we have CTF prep time on Day 1 if you have questions or need helping getting setup. The first 10 people that show up to the prep session will get a custom SecuraBit USB case. The RVAsec schedule also reflects this: http://rvasec.com/schedule/
Where: Same location as the con itself (http://rvasec.com/location/) in the main vendor room.
Who: Living humanoid-ish… seriously, this is for everyone from hobbyists, sys/net admins, infosec pro’s, tinkerers, makers, fixers and breakers… come out and play. We’ll all teach, learn and grow together!
What: …to do. See below:
DO bring a wireless network enabled laptop. This will be primarily wireless access so make sure you have that capability.
DO have the ability to run Backtrack 5r3 (http://www.backtrack-linux.org/downloads/), Pentoo (http://www.pentoo.ch/) or Kali Linux (http://www.kali.org/) either as a virtual machine, from bootable media (CD/DVD flash drive), or installed as your OS. Most of the scenarios in the CTF can be completed with the tools within these security-centric Linux distributions. Not a requirement per se, but a BIG suggestion.
DO understand that the CTF network is a closed private network, and will not have Internet access. CTF Participants will have the ability to connect to a separate guest wireless network with internet access for research, tool downloads, etc. during the event, but will have to disconnect from the CTF network to do so. Do not rely on this entirely though, if that wireless goes down it may be beneficial to bring your own hotspot.
DO listen to and respect any instructions and guidance provided at the event. We want to provide an environment that is conducive to learning, tinkering, exploring and having a good time.
What: …NOT to do. See below:
DON’T use words or phrases like “irregardless”, “all of the sudden” or “cybergeddon”.
DON’T feed or pet any of the conference organizers or volunteers.
DON’T attack any other CTF participants (logically or physically).
Pre-Register: If you plan to participate in the CTF we ask that you check the CTF option when registering for RVAsec or if you’re unsure if you did already, email us atfeedback@securabit.com and we’ll make sure you’re accounted for.
************  What you can win? *******************

There are some awesome prizes lined up.

First place is a HackRF Pre-order, which is a really great way to learn about wireless beyond the standard 2.4 and 5GHz most are used to from mainstream access points.

Second place is a Pineapple courtesy of Hak5, for all your pwning needs.

Third place is the Android Hacker’s Handbook, to assist you in understanding all sorts of wonderfully evil things you can do to your phone or tablet, or anything else running Android!

If you have any questions please let us know!

 

 


RVAsec CTF: What to expect this year!

Last year RVAsec had its first CTF and it was a huge success.   The team has been planning to make the event this years even better and have a lot in store.  We caught up with Chris Gerling to get some information on what to expect this year.
(RVAsec) The CTF was aimed to be a bit of a different take than normal and huge hit at last year’s at RVAsec. Can you tell us a little about it?
Chris: We wanted to build an “Everyman” CTF, which allowed people from all skill levels and professions to participate and learn. Our goal was education, and to give people a platform for that to happen on. The trick was balancing easy challenges with medium and very difficult as well, giving everyone a challenge without making them feel too confused. We believe it worked very well.
(RVAsec) How many people participated? How did the RVAsec attendees do with the CTF?
Chris: 37 people ended up participating and nearly all scored on at least one challenge. It was really awesome to see people learning and solving problems, and even surprising themselves with what they could figure out.
(RVAsec) What were some things that you learned from last year?
Chris: We learned that the registration process needs to be cleaner, and we need to do a better job of keeping track of people for giving our prizes. It’s also going to be beneficial to have the event more organized with goals we want to hit in terms of announcements, at every stage of the event.
Hardware wise, we’re using a smaller machine that doesn’t weigh as much. The AP we used, which was a WNDR4500 held up well, but we’re going to augment that this year and look into providing wired access.
(RVAsec) What are the plans for the CTF this year?
Chris: We plan on offering a similar style CTF, with a tiered approach. Possible additions are a more robust story line, and a free 1 hour seminar for brand new participants who have never done a CTF before.
(RVAsec) If someone wanted to participate, what would you recommend they do to prepare?

Chris: There are a plethora of tutorials available on youtube and securitytube. There are also challenges available at https://www.honeynet.org/challenges that are really great to learn on.  Getting familiar with tools like Wireshark, and basic command line usage in a distribution such as Kali Linux will be very valuable.  From a DFIR standpoint downloading and learning the SANS SIFT workstation is also one way to learn forensics tools.

(RVAsec) Can you give attendees any hints or teasers about the CTF?
Chris: Only if you bring us some beer. 😉  We’ll actually be releasing some teasers once we’ve got more content built out in the coming weeks!
(RVAsec) How do people sign up to participate?
Chris:  You can register for the CTF when you purchase your ticket for RVAsec, or directly on the SecuraBit web site.

(RVAsec)  Do you need any help?  If so, what and how can people or companies help out?
Chris: We can always use help in creating this. We’re really ramping up over the next few weeks and starting to build things. If you want to build a challenge, or have any content at all you want to contribute, we definitely need that. If you’re really motivated and want to push on us all to do the best job we can, we’d love to have you on the team.

Sponsors are welcomed if any want to donate prizes to give away. We will give you a shout out and display your logo on the scoreboard.
(RVAsec) Anything else?
We can’t wait to see people learn again, and are very grateful to have a place to put this event on in RVAsec!  If you want to get involved, have questions or want to sponsor please contact us at ctf@securabit.com

RVAsec CTF Update

RVAsec is just about a week away and we are excited for many reasons!

This year’s conference marks several firsts:

  • two days of talks
  • two speaker tracks
  • and of course the first RVAsec Capture the Flag (CTF) event!

For more details about the CTF, please check out http://rvasec.com/ctf/

We’ve had a number of people pre-register (http://securabit.com/ctf/), which is fantastic, and you can pre-register all the way up to the day before CTF. The only requirements are that you are an RVAsec attendee and you bring your own laptop. You can even show up to the CTF and participate without pre-registration, space permitting.

And, of course, there are prizes!

1st Place – Nexus 7 PwnPad
2nd Place – Raspberry Pi
3rd Place – 1 BSides Las Vegas ticket
4th Place – 1 BSides Las Vegas ticket
5th Place – The highest of fives