Category: CTF

CTF Update

We caught up with Nick Popovich from the RV4sec CTF team and he had some great information to share with us!

The RV4sec CTF is next week, and is going to be the most intense CTF the 804 has ever seen! Here’s what’s new and amazing this year. Also you’ll want to read on for some info that will aide you during the event.

New:

1). We have what most folks expect: the RV4sec CTF with new challenges and our smiling faces.

2). Bugcrowd will be onsite, and all LIVE, REAL vulns in the Bugrcrowd bug bounty system that CTF participants submit during the event will be checked on the spot. Points for the CTF will be awarded if the submitted bugs are accepted as valid by Bugcrowd.

3). GE has partnered with us and will have their Ghost Red CTF running with MANY amazing challenges (including hacking a simulated nuclear power plant). All points for Ghost Red will also be added to total RV4sec CTF score.

4). Last but certainly not least, the HackRVA folks have included CTF challenges in the RV4sec badges. That’s right, you can tinker with your badges and find “keys” or “flags” and submit those into the RV4sec CTF scoreboard for points.The scoreboard also has clues (for all the challenges).

Info:

There will be three systems that folks can register for that will count towards their total score for the CTF:

1). The RV4sec CTF scoreboard.
2). The Bugcrowd system via the Internet (click here for more info for Bugcrowd)
3). The GE Ghost Red CTF scoreboard

The Bugcrowd info linked to above has some values for “points” but that is for the Bugcrowd system only. We will be adjusting the point values for Bugcrowd vulns for the CTF to match our points system. But obviously, the harder/neater the vuln is to exploit, the more points you’ll get.

It is CRAZY important that in all the systems you choose THE SAME USERNAME, and append “_rvasec” without quotes to your username. I’ll say it again. CHOOSE SAME USERNAME IN ALL SYSTEMS and AND “_rvasec” without quotes to your username. if you don’t the points won’t be added up for all your hard work across the systems.

Example: If i want my username to be pipefish, I would put pipefish_rvasec in when creating accounts in all 3 systems.

I know some App Devs, DBA’s and IT folks are scowling now, asking why we don’t have API’s or some consolidated system that curates all the data from the three systems and shows a single leaderboard. To you I say… maybe next year 😉 This year, we have three systems, and that’s that.

We’ve got some rad prizes too including a OnePlus phone loaded with NetHunter courtesy of OffsecNetsparker licensesWiebeTech Forensic ComboDock v5, USB-WiFi-Premium KeyGrabber and a Yubikey NEO!


CTF: Know A Local RVA Company That Needs Security Help?

Do you know any local RVA companies that need security help?  Whether they can’t afford to hire help, are a Non-Profit organization or something else, the RV4sec CTF team is here to help!

This year we are working with Bugcrowd to allow CTF participants the ability to give back to the community. The live bug hunting aspect will provide real organizations security testing so they can better understand and improve the security posture of their online presence.

Please help us spread the work that an organization can receive free security testing by signing up for the BugCrowd platform here:
https://tracker.bugcrowd.com/organizations/programs/new

Once you signup please email us so we can help you through the next steps.

The testing will provide real world feedback on what an attacker would be able to see from the Internet, allowing you to understand what needs to be fixed.

If you have any questions please contact us to discuss!

This year’s CTF is being sponsored and brought to you by United Network for Organ Sharing (UNOS), a non-profit 501(c)(3) organization.

 

UNOS

 


CTF: New Hybrid Challenge Includes Live Bug Hunting!

ctfThe RV4sec CTF dev team has been hard at work for the last few months cooking up some great new challenges for this year’s Capture the Flag (CTF) event. We’re sticking with the tiered approach in an effort to bring a healthy mix of educational challenges, along with more difficult “hack the Gibson” challenges.

However, this year’s CTF has a new twist! We are combining the CTF you know and love with live bug hunting with the help of Bugcrowd!  Bugcrowd has run Bug Bashes at conferences before, but we are taking it to the next level at RV4sec: we’ll be incorporating aspects of the live Bugcrowd bug bounty system into the CTF scoring.  This means you can get involved in finding real live bugs on systems and they will count for points in the CTF. Isn’t that excellent?!

BugcrowdThe CTF has been a big success the last few years, and we are working hard to ensure that it continues to educate and provide a fun, safe environment to learn many aspects of IT, IT security, hacking and defending.

We are also working with Bugcrowd to allow CTF participants the ability to give back to the community. We are working on a process to allow local companies and not-for-profit organizations the ability to sign up to have their security tested as part of the CTF.  The live bug hunting aspect will provide real organizations security testing so they can better understand and improve the security posture of their online presence. In the end, isn’t that what IT security should be about?  We hope to provide more information on this very soon!

The CTF team is a mix of folks from many different facets of IT: we’ve got incident responders, hacker trackers, IT directors, pentesters, IT managers and everything in between. These folks have a passion for technology, enjoy exploratory dives into interesting problems, and want to share the joy, fun, frustration, learning, and general shenanigans that make the RV4sec CTF so much fun!

Our hope is that a healthy mix of folks will also come to participate in the free CTF hosted at RV4sec. We want everyone to come out and play, whether you’re new to tech, or you remember putting your first program on punch cards. Come out, plug in (well it’ll be wireless, but…) and get hacking, teaching, and learning.

Also, feel free to tweet us things you’d like to see in the CTF. It’s getting close but there may be time to get the ideas into a challenge. Use hashtag #rv4secctf and tweet to @pipefish_@mpbailey1911, or even @RVAsec with ideas and we’ll see what we can do.

Come out to the RV4sec conference and enjoy the training, the talks, and plan to stop by the CTF for some hackery!

Thanks again to UNOS for sponsoring the CTF, as well as the other organizations donating prizes.

We’ll see you there, and keep your eyes peeled for more information soon!

UNOS


RVAs3c Capture The Flag Update and Prizes Announced!

RVAs3c Capture The Flag:
The RVAsec Capture The Flag (CTF) is getting close! Below are details that are meant to ensure participants are prepared for the event. We’re excited to invite anyone and everyone who is interested in learning and exploring using different tools and techniques with hands on practical exercises to join us.

The team has worked hard to keep the “every man or woman” feel of the CTF from last year in effect. There are challenges of different varieties that should satisfy every skill level.

This year we are again going for the wireless competition, which allows a little bit of freedom as far as cables go. There will be a dedicated space setup in the vendor area, with some seating on first come basis. Please confirm in advance with the survey you will receive from the RVAs3c organizers soon to help us make sure we have enough space and can better guarantee you’ll be counted when that space is divided up.

We plan to have staff walking around to assist folks in case of any major issues, as well as to answer questions, within reason. We can’t give you the answers of course, unless you happen to have some massive dogecoin wallets laying around (kidding!).

When: Friday, 06/06/2014 – Start time will be near 10am EST, and end time will be at or prior to 4pm EST; announcements will be made onsite. Also, note that we have CTF prep time on Day 1 if you have questions or need helping getting setup. The first 10 people that show up to the prep session will get a custom SecuraBit USB case. The RVAsec schedule also reflects this: http://rvasec.com/schedule/
Where: Same location as the con itself (http://rvasec.com/location/) in the main vendor room.
Who: Living humanoid-ish… seriously, this is for everyone from hobbyists, sys/net admins, infosec pro’s, tinkerers, makers, fixers and breakers… come out and play. We’ll all teach, learn and grow together!
What: …to do. See below:
DO bring a wireless network enabled laptop. This will be primarily wireless access so make sure you have that capability.
DO have the ability to run Backtrack 5r3 (http://www.backtrack-linux.org/downloads/), Pentoo (http://www.pentoo.ch/) or Kali Linux (http://www.kali.org/) either as a virtual machine, from bootable media (CD/DVD flash drive), or installed as your OS. Most of the scenarios in the CTF can be completed with the tools within these security-centric Linux distributions. Not a requirement per se, but a BIG suggestion.
DO understand that the CTF network is a closed private network, and will not have Internet access. CTF Participants will have the ability to connect to a separate guest wireless network with internet access for research, tool downloads, etc. during the event, but will have to disconnect from the CTF network to do so. Do not rely on this entirely though, if that wireless goes down it may be beneficial to bring your own hotspot.
DO listen to and respect any instructions and guidance provided at the event. We want to provide an environment that is conducive to learning, tinkering, exploring and having a good time.
What: …NOT to do. See below:
DON’T use words or phrases like “irregardless”, “all of the sudden” or “cybergeddon”.
DON’T feed or pet any of the conference organizers or volunteers.
DON’T attack any other CTF participants (logically or physically).
Pre-Register: If you plan to participate in the CTF we ask that you check the CTF option when registering for RVAsec or if you’re unsure if you did already, email us atfeedback@securabit.com and we’ll make sure you’re accounted for.
************  What you can win? *******************

There are some awesome prizes lined up.

First place is a HackRF Pre-order, which is a really great way to learn about wireless beyond the standard 2.4 and 5GHz most are used to from mainstream access points.

Second place is a Pineapple courtesy of Hak5, for all your pwning needs.

Third place is the Android Hacker’s Handbook, to assist you in understanding all sorts of wonderfully evil things you can do to your phone or tablet, or anything else running Android!

If you have any questions please let us know!

 

 


RVAsec CTF: What to expect this year!

Last year RVAsec had its first CTF and it was a huge success.   The team has been planning to make the event this years even better and have a lot in store.  We caught up with Chris Gerling to get some information on what to expect this year.
(RVAsec) The CTF was aimed to be a bit of a different take than normal and huge hit at last year’s at RVAsec. Can you tell us a little about it?
Chris: We wanted to build an “Everyman” CTF, which allowed people from all skill levels and professions to participate and learn. Our goal was education, and to give people a platform for that to happen on. The trick was balancing easy challenges with medium and very difficult as well, giving everyone a challenge without making them feel too confused. We believe it worked very well.
(RVAsec) How many people participated? How did the RVAsec attendees do with the CTF?
Chris: 37 people ended up participating and nearly all scored on at least one challenge. It was really awesome to see people learning and solving problems, and even surprising themselves with what they could figure out.
(RVAsec) What were some things that you learned from last year?
Chris: We learned that the registration process needs to be cleaner, and we need to do a better job of keeping track of people for giving our prizes. It’s also going to be beneficial to have the event more organized with goals we want to hit in terms of announcements, at every stage of the event.
Hardware wise, we’re using a smaller machine that doesn’t weigh as much. The AP we used, which was a WNDR4500 held up well, but we’re going to augment that this year and look into providing wired access.
(RVAsec) What are the plans for the CTF this year?
Chris: We plan on offering a similar style CTF, with a tiered approach. Possible additions are a more robust story line, and a free 1 hour seminar for brand new participants who have never done a CTF before.
(RVAsec) If someone wanted to participate, what would you recommend they do to prepare?

Chris: There are a plethora of tutorials available on youtube and securitytube. There are also challenges available at https://www.honeynet.org/challenges that are really great to learn on.  Getting familiar with tools like Wireshark, and basic command line usage in a distribution such as Kali Linux will be very valuable.  From a DFIR standpoint downloading and learning the SANS SIFT workstation is also one way to learn forensics tools.

(RVAsec) Can you give attendees any hints or teasers about the CTF?
Chris: Only if you bring us some beer. 😉  We’ll actually be releasing some teasers once we’ve got more content built out in the coming weeks!
(RVAsec) How do people sign up to participate?
Chris:  You can register for the CTF when you purchase your ticket for RVAsec, or directly on the SecuraBit web site.

(RVAsec)  Do you need any help?  If so, what and how can people or companies help out?
Chris: We can always use help in creating this. We’re really ramping up over the next few weeks and starting to build things. If you want to build a challenge, or have any content at all you want to contribute, we definitely need that. If you’re really motivated and want to push on us all to do the best job we can, we’d love to have you on the team.

Sponsors are welcomed if any want to donate prizes to give away. We will give you a shout out and display your logo on the scoreboard.
(RVAsec) Anything else?
We can’t wait to see people learn again, and are very grateful to have a place to put this event on in RVAsec!  If you want to get involved, have questions or want to sponsor please contact us at ctf@securabit.com

RVAsec CTF Update

RVAsec is just about a week away and we are excited for many reasons!

This year’s conference marks several firsts:

  • two days of talks
  • two speaker tracks
  • and of course the first RVAsec Capture the Flag (CTF) event!

For more details about the CTF, please check out http://rvasec.com/ctf/

We’ve had a number of people pre-register (http://securabit.com/ctf/), which is fantastic, and you can pre-register all the way up to the day before CTF. The only requirements are that you are an RVAsec attendee and you bring your own laptop. You can even show up to the CTF and participate without pre-registration, space permitting.

And, of course, there are prizes!

1st Place – Nexus 7 PwnPad
2nd Place – Raspberry Pi
3rd Place – 1 BSides Las Vegas ticket
4th Place – 1 BSides Las Vegas ticket
5th Place – The highest of fives


RVAsec Capture The Flag Update!

The RVAsec Capture The Flag (CTF) is getting close. The details below are meant to ensure participants are prepared for it! We’re excited to invite anyone and everyone who is interested in learning and exploring different IT/infosec tools and techniques in hands-on, practical exercises, to join us.

WHEN: 06/01/2013 – 10am-2pm.  The exact time is subject to change but it will be on Saturday.

WHERE: We will have a table at the conference.  You must be a registered conference attendee to participate.

WHO: Living humanoid-ish… seriously, this is for everyone from hobbyists, sys/net admins, infosec pros, tinkerers, makers, fixers and breakers… come out and play. We’ll all teach, learn and grow together!

WHAT TO DO:

  • DO bring a network-enabled laptop.

  • DO have the ability to run Backtrack 5r3 (http://www.backtrack-linux.org/downloads/), Pentoo (http://www.pentoo.ch/) or Kali Linux (http://www.kali.org/) either as a virtual machine, from bootable media (CD/DVD flash drive), or installed as your OS. Most of the scenarios in the CTF can be completed with the tools within these security-centric Linux distributions. Not a requirement, per se, but a BIG recommendation.

  • DO understand that the CTF network is a closed private network, and will not have Internet access. CTF Participants will have the ability to connect to a separate guest wireless network with Internet access for research, tool downloads, etc., during the event, but will have to disconnect from the CTF network to do so.

  • DO listen to and respect any instructions and guidance provided at the event. We want to provide an environment that is conducive to learning, tinkering, exploring and having a good time.

WHAT NOT TO DO:

  • DON’T use words or phrases like “irregardless”, “all of the sudden”, “cybergeddon” or “cyber Pearl Harbor”.

  • DON’T feed or pet any of the conference organizers or volunteers.

  • DON’T attack any other CTF participants or any VCU devices (logically, physically or emotionally).

Pre-Register: If you plan to participate in the CTF we ask that you pre-register here: http://securabit.com/ctf/ for administrative purposes.  The first 20 people will receive a free 8GB USB 3.0 Flash Drive! (You have to show up and participate!)

Sponsor: We are still seeking sponsors to help with the CTF costs.  If you are interested or know someone that would be willing to support the CTF please contact sponsors@rvasec.com

Hope to see you there!  If you have any questions please let us know!


New Style Of Capture The Flag (CTF) Coming To RVAsec!

RVAsec had an amazing inception last year, and we have been busy at work planning the second iteration, which will take place from May 30th to June 1st, 2013 on the VCU campus in Richmond, VA.  This year’s event should be every bit as exciting and full of great opportunities to learn and connect with your fellow colleagues.

In conjunction with the SecuraBit podcast (which is also in Richmond), members of the richSEC organization are putting together a Capture the Flag (CTF) event to be held during the conference.  The goal of the CTF is not simply to be a venue for folks to flex their tech skills, but rather an interactive learning/demonstration of real world scenarios that affect anyone that has a computer network.

The team has been hard at work coming up with what we like to call an “everyman” type of CTF. Not elitist, not intimidating and something that won’t take up all of a participant’s time at the con; a CTF where any level of IT participate. Whether you’re a student, a hobbyist, or don’t even have the word “security” in your job description, we’ve got something you will be able to play with and actually learn from!  That’s our challenge:  to ensure some folks aren’t intimidated by what we have up, but also not to bore anyone with simplicity.

The CTF’s goal: everyone involved is challenged, forced to use critical thinking (not just push the easy button on a tool) and has “ah ha!” moments.  We want anyone to look at a challenge and say “That could really happen in my environment! Let’s fix that!”.  Security professionals who have not had firsthand experience with how penetration testing takes place will also see some of the attack vectors that can be used (not just MS08-067). The penetration testers and reverse engineers out there will hopefully find themselves challenged as well.

We will provide more information as it becomes available.  If you are interested in helping please let us know!