Monthly Archives: December 2017

BSides Raleigh 2017 CTF Write-Ups

Taking some inspiration from my friend, Ray, I decided I’d write up some of the solutions to the various challenges I saw at this year’s BSides Raleigh CTF (capture-the-flag) events. And this time, I actually remembered to save some notes and screenshots!

This isn’t a record of every single challenge I saw, just a few that I thought were particularly interesting or noteworthy.

🆘.html

This was a simple one…which I like, because I suck at CTF crypto challenges. The page was just these emoji spread out:

😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮

So I noticed right off the bat that there were only two emoji being used: 😮 and 😑. My initial thought was maybe this was something in binary, but I was dissuaded from that because of the variable lengths of emoji strings.

The next thought was Morse code! So I copied the emojis into Sublime, did a find/replace for each character, to get this:

.. ..-. -.-- --- ..- -.-. .- -. .-. . .- -.. - .... .. ... - .... . ..-. .-.. .- --. .. ... - .... ...-- .- -. -. .. ...- . .-. ... ....- .-. -.-- ..- .--. -.-. .- ... . -..

Running that through a Morse code translator yielded the message:

IFYOUCANREADTHISTHEFLAGISTH3ANNIVERS4RYUPCASED

So naturally, the flag was TH3ANNIVERS4RY.
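The same two steps (emoji find/replace, then Morse decode) as a small Python script. This is an added example, not code from the original write-up; the emoji string is re-typed from the challenge page and the function names are my own.

```python
# Added example (not part of the original write-up): automate the two steps the
# write-up performs by hand, an emoji -> Morse find/replace and a Morse decode.
# CHALLENGE is re-typed from the challenge page; the function names are my own.

# International Morse table for letters and digits (enough for this puzzle).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

CHALLENGE = (
    "😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 "
    "😑 😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 "
    "😑 😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 "
    "😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮"
)


def symbol_inventory(text):
    """Distinct non-space symbols; a two-element result is the first hint
    that the text is a binary-ish or Morse-style encoding."""
    return sorted(set(text) - {" "})


def emoji_to_morse(text, dot="😮", dash="😑"):
    """The Sublime find/replace step: map the two emoji to dot and dash."""
    return text.replace(dot, ".").replace(dash, "-")


def decode_morse(morse):
    """Decode space-separated Morse groups; an unknown group becomes '?'
    rather than raising, so one bad symbol does not hide the rest."""
    return "".join(MORSE.get(group, "?") for group in morse.split())


def solve(text):
    """Full pipeline from emoji text to the plaintext message."""
    return decode_morse(emoji_to_morse(text))


if __name__ == "__main__":
    print(symbol_inventory(CHALLENGE))
    print(emoji_to_morse(CHALLENGE))
    print(solve(CHALLENGE))
```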


My Grand Tour of Pentest Interviews

Late last year, I began looking for a new job. Earlier this year, I finally got one! I was interested in branching out into the broader world of penetration testing and red teaming, with more external clients and more broadly-scoped sorts of engagements. This was something of a sell to prospective employers though. I do have close to a decade of infosec experience, but only a few years of that is pentesting and I’ve always been an in-house pentester doing mostly web app and mobile stuff. That means that I am something of a noob when it comes to breaking in from the outside; I’m familiar with a lot of the tech and methodology, just haven’t done a lot of it hands-on (outside of CTFs and stuff like that). I’ve been in the broader industry for a while, meaning my salary requirements are a little higher, and I absolutely wasn’t going to relocate again so soon after my last move for my old job.

All of this and extremely high demand for pentesters at the moment meant I went through A LOT of interviews. Some of them broke down over salary expectations. Some of them I quit early because I could tell it wasn’t what I was looking for. Some of them weren’t budging on relocation. One I completely hosed myself on because I bluffed too hard during the salary negotiation phase. At least one of them probably thought I was a complete dumbass. But in the end, one employer won out and I’m now happily hacking clients, mostly from the comfort of my own home.

Besides having lots of experience being interviewed for pentest jobs, I also have some experience in interviewing people for pentest jobs. At one of my previous employers, I was involved in telephone screenings and in-person interviews of a dozen or so different candidates to join our team there.

Because I went through so many different interviews recently and have experience trying to assess pentest candidates, I figured that put me in a unique position to grade these different companies and throw in my own opinion on the best way to do it.

My intent is half to just be amusing for those who are curious about how different companies are interviewing people, maybe those trying to find out what to expect the next time they start looking for a new gig; but I’m also writing this and hoping that some recruiters and hiring managers will see this. I hope this will give you some insight into how your competition might be assessing candidates, what you’re doing right in your own process, what you’re doing wrong, and how you could be doing it better.