BSidesSF on System Overlord

BSidesSF CTF 2023: Lastpwned (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Sun, 23 Apr 2023 00:00:00 +0000

I was the challenge author for a handful of challenges for this year’s BSidesSF CTF. One of those challenges was lastpwned, inspired by a recent high-profile data breach. This challenge provided a web-based password manager with client-side encryption.

CTF 101: Just Try It!

david@systemoverlord.com (David Tomaschik) — Mon, 17 Apr 2023 00:00:00 +0000

Table of Contents {:toc}

As I’m helping to organize the BSides San Francisco CTF this weekend, I thought I’d share a little primer for CTFs for those who have not gotten into them before.

What is a CTF?

I suspect that most people in the information security (“cybersecurity”) space have already heard of Capture the Flag (or CTF) competitions, but in case you haven’t, I wanted to provide a short overview.

BSidesSF 2022 CTF: Login4Shell

david@systemoverlord.com (David Tomaschik) — Mon, 20 Jun 2022 00:00:00 +0000

Log4Shell was arguably the biggest vulnerability disclosure of 2021. Security teams across the entire world spent the end of the year trying to address this bug (and several variants) in the popular Log4J logging library.

The vulnerability was caused by special formatting strings in the values being logged that allow you to include a reference. This reference, it turns out, can be loaded via JNDI, which allows remotely loading the results as a Java class.

This was such a big deal that there was no way we could let the next BSidesSF CTF go by without paying homage to it. Fun fact, this meant I “got” to build a Java webapp, which is actually something I’d never done from scratch before. Nothing quite like learning about Jetty, Log4J, and Maven just for a CTF level.

BSidesSF 2022 CTF: TODO List

david@systemoverlord.com (David Tomaschik) — Thu, 09 Jun 2022 00:00:00 +0000

This year, I was the author of a few of our web challenges. One of those that gave both us (as administrators) and the players a few difficulties was “TODO List”.

Upon visiting the application, we see an app with a few options, including registering, login, and support. Upon registering, we are presented with an opportunity to add TODOs and mark them as finished:

If we check robots.txt we discover a couple of interesting entries:

BSidesSF 2022 CTF: Cow Say What?

david@systemoverlord.com (David Tomaschik) — Tue, 07 Jun 2022 00:00:00 +0000

As the author of the Cow Say What? challenge from this year’s BSidesSF CTF, I got a lot of questions about it after the CTF ended. It’s both surprisingly straight-forward but also a very little-known issue.

The challenge was a web challenge – if you visited the service, you got a page providing a textarea for input to the cowsay program, as well as a drop down for the style of the cow saying something (plain, stoned, dead, etc.). There was a link to the source code, reproduced here:

BSidesSF 2021 CTF: Net Matroyshka (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Fri, 12 Mar 2021 00:00:00 +0000

Net Matroyshka was one of our “1337” tagged challenges for the 2021 BSidesSF CTF. This indicated it was particularly hard, and our players can probably confirm that.

If you haven’t played our CTF in the past, you might not be familiar with the Matryoshka name. (Yep, I misspelled Matryoshka this year and didn’t catch it before we launched.) It refers to the nesting Matryoshka dolls, and we’ve been doing a series of challenges where they contain layers to be solved, often by different encodings, formats, etc. This year, it was layers of PCAPs for some network forensics challenges.

BSidesSF 2021 CTF: CuteSrv (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I authored the BSidesSF 2021 CTF Challenge “CuteSrv”, which is a service to display cute pictures. The description from the scoreboard:

Last year was pretty tough for all of us. I built this service of cute photos to help cheer you up. We do moderate for cuteness, so no inappropriate photos please!

Like my other write-ups, I’ll do this from the perspective of a player playing through and try not to assume internal knowledge.

BSidesSF 2021 CTF: Encrypted Bin (Author Writeup)

david@systemoverlord.com (David Tomaschik) — Mon, 08 Mar 2021 00:00:00 +0000

I was the author for the BSidesSF 2021 CTF Challenge “Encrypted Bin”, which is an encrypted pastebin service. The description from the scoreboard:

I’ve always wanted to build an encrypted pastebin service. Hope I’ve done it correctly. (Look in /home/flag/ for the flag.)

I thought I’d do a walk through of how I expected players to solve the challenge, so I’ll write this as if I’m playing the challenge.

Visiting the web service, we find an upload page for text and not much else. When we perform an upload, we see that we’re redirected to a page to view the encrypted upload:

BSides SF 2020 CTF: Infrastructure Engineering and Lessons Learned

david@systemoverlord.com (David Tomaschik) — Thu, 27 Feb 2020 00:00:00 +0000

Last weekend, I had the pleasure of running the BSides San Francisco CTF along with friends and co-conspirators c0rg1, symmetric and iagox86. This is something like the 4th or 5th year in a row that I’ve been involved in this, and every year, we try to do a better job than the year before, but we also try to do new things and push the boundaries. I’m going to review some of the infrastructure we used, challenges we faced, and lessons we learned for next year.

Running the BSides SF 2019 CTF

david@systemoverlord.com (David Tomaschik) — Sun, 10 Mar 2019 00:00:00 +0000

I’ve just written a post for the BSidesSF blog about running the BSidesSF 2019 CTF. Check it out and feel free to get in touch if you have feedback.

BSides SF CTF Author Writeup: Flagsrv

david@systemoverlord.com (David Tomaschik) — Fri, 08 Mar 2019 00:00:00 +0000

Flagsrv was a 300 point web challenge in this year’s BSidesSF CTF. The description was a simple one:

We’ve built a service for the sole purpose of serving up flags!

The account you want is named ‘flag’.

BSides SF CTF Author Writeup: Cloud2Clown

david@systemoverlord.com (David Tomaschik) — Thu, 07 Mar 2019 00:00:00 +0000

The Challenge

Sometimes you see marketing materials that use the word cloud to the point that it starts to lose all meaning. This service allows you to fix that with clowns instead of clouds. Note: there are 2 flags, they should be clearly labeled.

BSidesSF 2017

david@systemoverlord.com (David Tomaschik) — Wed, 15 Feb 2017 00:00:00 +0000

BSidesSF 2017 was, by far, the best yet. I’ve been to the last 5 or so, and had a blast at almost every one. This year, I was super busy – gave a talk, ran a workshop, and I was one of the organizers for the BSidesSF CTF. I’ve posted the summary and slides for my talk and I’ll update the video link once it gets posted.

I think it’s important to thank the BSidesSF organizers – they did a phenomenal job with an even bigger venue and I think everyone loved it. It was clearly a success, and I can only imagine how much work it takes to plan something like this.