BreakIn CTF 2014

The Threads BreakIn CTF hosted by IIIT Hyderabad has just wrapped up. Shadow Cats did pretty well, placing 16th overall, completing 22/33 challenges, especially considering we only had 2 guys playing this CTF. Mad props goes out to Dan, and here’s hoping for a bigger team turnout next week for Ghost in the Shellcode.

I’m going to be doing some writeups of a couple of the challenges I thought were particularly interesting, as well as some topical information inspired by the CTF. I’ll be linking to the writeups below as they get published.


2014 OKRs

At work, we use the OKR system for managing our objectives. I’ve decided to set myself some annual objectives and list out their key results here. At the end of the year, I’ll grade myself on my OKRs and we’ll see how I’m doing.

  • Get better at reversing
    • Complete OpenSecurityTraining.info x86 class
    • Complete 3 reversing challenges from WeChall
  • Play CTFs
    • Compete in at least 3 CTFs
    • (Stretch Goal) Top 10% Finish
    • Complete the challenges on OverTheWire.org
  • Blogging
    • At least 1 Blog Post/week
  • Lose Weight & Exercise
    • Lose 25 lbs.
    • Get at least 60 minutes aerobic exercise a week
  • Become a more powerful vim/zsh user
    • Use vim keybindings in zsh
    • Read full zsh guide
    • Learn 6 new vim commands

DerbyCon CTF

While at Derbycon last weekend, I played in the Derbycon Capture the Flag (CTF). I played with some people from the DefCon Group back in Atlanta (DC404) – and we had a great team and that lead to a 5th place finish out of more than 80 teams with points on the board. Big shout out to Michael (@decreasedsales), Aaron (@aaronmelton), Dan (@alltrueic), and all the others who helped out.

It was an attack-only format, with a range of IPs designated as “in scope” and the goal being to, as the name implies, capture the flags. The systems included a Windows Active Directory server, a handful of Linux webservers, and a Windows Server serving up ASP.net backed by MS-SQL. One of the Linux webservers had a variety of challenges in directories on it, most of which could be solved offline. These included a Windows 8 memory dump for forensics, a series of encrypted hashes for some crypto, a pcap for network forensics, and some obfuscation/general challenges.

Every time I do a CTF, I learn a bunch of new stuff, mostly about my weaknesses and where I need to improve.

  • Windows AD Skills
  • MS SQL Skills
  • Binary Reversing
  • Memory Forensics

I’ll try to do a writeup of a few of the challenges in the next few days, as I’m just recovering from a post-con flu.


CTF Practice

Those who know me know that I might play in the occasional CTF competition. It's a good way to improve my skills, keep my mind sharp, and it's just plain fun. From a defensive security perspective, it's quite amazing to see how code that looks perfectly reasonable is, in fact, quite often very broken.  If you've never done a CTF, you should watch @rogueclown's "If You Can Open A Terminal, You Can Capture the Flag."

I do some extra practice between CTFs -- I'm currently working my way through the challenges on OverTheWire.org, and they've recently added support for scoring via WeChall, a scoring site for a variety of CTF/challenge sites.  In doing those, I've come across some good reading for anyone doing reversing/challenges/CTFs/etc:


Thoughts on NSA Surveillance

I'm going to make this quick -- trying to distill all my thoughts on the NSA into a blog post is impossible, but I feel the need to post something. I believe the actions of the NSA violate my privacy, violate the 4th amendment, and violate the rights of every person on the Internet.  The US Government has Betrayed the Internet, and We Need to Take It Back.  While I don't want to give free reign to terrorists, we have been talking about how our Constitution is what makes America great, and yet we have shredded that very document.  I lose sleep over this not because of the ways the government claims its being used, but over the ways it could be misused -- the next Hoover, the next Nixon, the next McCarthy.  It's time for us to return to a government that respects our rights and our constitution; It's time to return to checks and balances; It's time for America to be free again.  I've been a member of the EFF for several years now, and it (along with organizations like the ACLU and other civil liberties organizations) is the only hope I have left for our country.