Author Archives: ch1kpee

About ch1kpee

I hack for Cthulhu, sweet Hexley (OSX/Darwin mascot) avatar by @datapacke7

Derbycon 2019: Ending on a High Note

As most of you know, this year was the ninth and last Derbycon security conference in Louisville, KY. It was especially bittersweet for me, since it’s my hometown conference…and I just moved back to the area last year, hoping to save some travel money by having a major infosec con right in my backdoor.

The Marriott was a little better prepared this year, though the bar and on-premise restaurant still seemed a little understaffed. I was a little afraid about getting enough tickets for all my friends this year, as I thought this being the final one would mean an even bigger interest in it. This really wasn’t the case, as I had enough tickets for everyone well before September and even knew people who were still trying to sell their spare tickets all the way up to the day of the conference.

Having already blown my corporate training budget on SpecterOps’s excellent Red Team Operations course early in the year (I highly recommend it), I didn’t have any money to buy training this time around.  Dark Side Ops 1 was the only one I was really interested in, having taken their also-excellent Dark Side Ops 2 at last year’s Derbycon.

Being the last year of Derbycon and having most of the Eversec crew in town, I once again reverted to being a CTF zombie.  The only talks I really went to were the keynote and one by Rindert Kramer, from NCC Group’s Fox-IT acquisition in the Netherlands, about his custom LDAP-based C2 channel.  I unfortunately didn’t get to see my friend and colleague David Tulis (@kafkaesqu3) give his presentation on COM hijacking, as it conflicted with my son’s Saturday morning soccer game.

After the keynote and a quick lunch, the CTF room was open for business and we staked out a big table for our ever-growing CTF crew.  Besides the core of former Fidelity Investments pentesters, we had some new friends joining the mix, like Ashley Templet from Avalara, Jack Halon (@jack_halon) from NCC Group, Jeff Macko (@jmacko) from Kroll, old friend but first-time Derbycon attendee Ping (@n0tl33t), and several new faces that our Virginian friend Erwin managed to recruit. If you’re trying to CTF with a big crew like this, communication and organization are absolutely key! Since you probably don’t want to discuss vulnerabilities and attacks too loudly in a room full of your rivals, you need an online means of doing all this. For us, we had a special Slack channel just for CTF discussions and a Trello board for organizing tasks, keeping notes, assigning stuff, etc. We’ve been using Trello for years on CTFs (I think it was Ray who suggested it) and it’s crucial to sharing info and keeping from duplicating effort on the same challenges.

Like previous years, the first day or so is pretty miserable because of the initial flood of people and skiddies doing dumb shit.  The ESXi server that the CTF team was using to host the challenges even got purple-screened multiple times.  By Saturday, it was behaving much better and we managed to make a lot of progress.  In true CTF zombie fashion, most of us stayed up well past midnight banging away at challenges.  My friend and teammate Ray (@doylersec) was kind enough to let me crash in his room for the night.

The CTF was devilish as ever.  The overarching theme was a parody of Derbycon called “DerpyCon”…which is stealing valor from my buddy Kyle Stone (@essobi) and his old pre-Derbycon house party. There was another, even more expansive MUD than last year, that Ashley spent a ton of time getting flags out of (which can still be played for a few more weeks at http://derbymud.mog.ninja/).

I was going to write up some of the challenges I personally participated in, but our old rivals “spicyweasel” (AKA Nettitude Labs) already posted their usual excellent write-up of the challenges…and they take many more screenshots and keep better notes than me.

But “spicyweasel” didn’t take home the top spot this time. After having chased them for years, Team Eversec managed to come out the winner! Like most of the competitors do every year, we once again donated our prize money to Hackers for Charity.

Thank you Derbycon for nine wonderful years! Thank you Derbycon CTF team for always putting on a great competition and inspiring all of us to put on our own CTFs at our companies and various local cons. And thank you to our rivals, like spicyweasel and SecureWorks’ “Illuminopi” team, for making every competition exciting, tense, and fun. We can only hope we can find another annual CTF as awesome as this one and play against all of you again.


How to Score Tickets to Your Favorite Security Conference (Now That Derbycon is Dead)

NOTE: For the last several years, I’ve been a master at scoring hard-to-get conference tickets, specifically for Derbycon. I originally wrote this two years ago, but my Eversec teammates begged me not to post it. I thought their fears of being outcompeted for Derbycon tickets were unfounded, but I honored their request. Since Derbycon is over now, I’m going to reveal the secret to all of you! These tips are easily applicable to any conference with limited and hard-to-get tickets, like Shmoo.

  • Follow the con’s Twitter account and turn on notifications for it: besides their website, Twitter is the main way most con organizers put out news. Following them, and especially turning on notifications for when they tweet, is one of the easiest ways to keep abreast of what’s going on, official sales times, etc. Organizers will announce sales times and sometimes even extra sales or ticketing system tests, so you could always get lucky that way.
  • Submit something to the Call for Trainers, Call for Workshops, and/or Call for Speakers: I know this isn’t going to be the best option for everyone, but if you have some cool skill you think you could teach or some neat topic you can present on, submit it! If you get accepted, you automatically get a ticket and many cons will even give you an extra ticket for a partner/spouse/friend or even an honorarium. I’ve even gotten a ticket for Derbycon before just for being on their talk waitlist, in case someone didn’t show and they had to fill a slot.


Dark Side Ops 2 Review + Derbycon 2018


Being from the Louisville metro area (and recently having moved back with my family), Derbycon is one of the highlights of my year. The general conference ran from Friday, October 5th, to Sunday, October 7th, at a brand new location, the Louisville Downtown Marriott! Every previous year, the neighboring Hyatt had hosted it, but the move meant a bigger venue with more rooms for all the activities. Despite more space, the Derbycon team actually decided not to significantly increase the number of tickets sold, in order to keep the smaller, more familial feel. I really like this about Derbycon, and the crammed, chaotic atmosphere is one of the reasons I haven’t been to DEFCON yet…though I think I’m going to finally make myself go to it next year, just to get one under my belt.

For only about a grand more than a con ticket, you have the opportunity to sign up for one of several excellent training courses that run on the Wednesday and Thursday before the conference. And trust me, $1000 might sound like a lot, but this is a steal compared to what you’ll pay for courses like this at SANS or Blackhat. Last year, I took @FuzzyNop’s Modern Red Team Immersion Bootcamp, which was very heavily focused on open-source intelligence (OSINT) gathering, selecting good spear phishing targets, and crafting convincing phishes. This year, I went towards the more technical side of red teaming with Silent Break’s Dark Side Ops 2: Adversary Simulation.


NCC Con 2018 iOS CTF Solutions

I just returned from NCC Group’s internal North American conference, a nice respite from the cold East Coast to sunny San Diego. I’m a remote employee, so it’s always a blast getting to hang out with my New York office coworkers and seeing awesome presentations from colleagues from across the country. One of the highlights was the mini-CTF put on by Sid Adukia and Dean Jerkovich.

This CTF consisted of an iOS app bundle compiled to run on the iOS Simulator, thus able to run on any Mac with Xcode and not requiring a jailbroken device. I’ve been doing iOS application pentests for years and it was really cool to see a CTF challenge using this! This is the first one I’ve seen since DVIA came out years ago.

Perhaps the biggest challenge was the fact that this was a Simulator app. Had it been an ARM-compiled iOS app that I could put on a jailbroken device, I would’ve solved a lot of these challenges in a few minutes. Most of my time was spent googling for how to do stuff like dump the keychain or hook methods on the Simulator instead of on a jailbroken device.

I’ve been worried recently just what the future of iOS security is going to look like. It seems we’ve been thrown a few bones in the last month, with Project Zero’s Ian Beer recently publishing the “tfp0” vulnerability and Jonathan Levin publishing LiberiOS, the first jailbreak for versions of iOS 11. But fewer and fewer people are publicly releasing jailbreaks. I don’t blame them either. Due to the enormous sums being offered by exploit brokers, many would argue you’re a moron for giving away million-dollar exploits for free. Someday soon, those of us in iOS security testing might be forced to have our clients compile x86 versions of their apps for us and run them all in the iOS Simulator. The good news is that a surprising number of the same tools and techniques you would normally use on a jailbroken device will also work with a Simulator app on macOS! Some things don’t, but if you’ve ever chased the latest jailbreak and found that half the stuff on Cydia doesn’t yet work for your version of iOS, then you’re already used to life on the bleeding edge.

BSides Raleigh 2017 CTF Write-Ups

Taking some inspiration from my friend, Ray, I decided I’d write up some of the solutions to the various challenges I saw at this year’s BSides Raleigh CTF (capture-the-flag) events. And this time, I actually remembered to save some notes and screenshots!

This isn’t a record of every single challenge I saw, just a few that I thought were particularly interesting or noteworthy.

🆘.html

This was a simple one…which I like, because I suck at CTF crypto challenges. The page was just these emoji spread out:

😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 😮😮😮😮 😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 😮😮😮😮 😮😮😮😑😑 😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮

So I noticed right off the bat that there were only two emoji being used: 😮 and 😑. My initial thought was maybe this was something in binary, but I was dissuaded from that because of the variable lengths of the emoji strings.

The next thought was Morse code! So I copied the emoji into Sublime and did a find/replace for each character to get this:

.. ..-. -.-- --- ..- -.-. .- -. .-. . .- -.. - .... .. ... - .... . ..-. .-.. .- --. .. ... - .... ...-- .- -. -. .. ...- . .-. ... ....- .-. -.-- ..- .--. -.-. .- ... . -..

Running that through a Morse code translator yielded the message:

IFYOUCANREADTHISTHEFLAGISTH3ANNIVERS4RYUPCASED

So naturally, the flag was TH3ANNIVERS4RY.
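As an added example (not part of the original write-up), here is a Python decoder for this emoji-Morse format. Rather than assuming which emoji is the dot, it tries both dot/dash assignments and keeps the one in which every group is a valid Morse code, then pulls the flag out of the decoded sentence. The embedded message is the challenge string above re-typed with the two emoji; the function names are my own.

```python
import re

# The challenge string (transcribed from the write-up): two emoji, one space-separated group per letter.
EMOJI_MESSAGE = ("😮😮 😮😮😑😮 😑😮😑😑 😑😑😑 😮😮😑 😑😮😑😮 😮😑 😑😮 😮😑😮 😮 😮😑 😑😮😮 😑 😮😮😮😮 "
                 "😮😮 😮😮😮 😑 😮😮😮😮 😮 😮😮😑😮 😮😑😮😮 😮😑 😑😑😮 😮😮 😮😮😮 😑 😮😮😮😮 😮😮😮😑😑 "
                 "😮😑 😑😮 😑😮 😮😮 😮😮😮😑 😮 😮😑😮 😮😮😮 😮😮😮😮😑 😮😑😮 😑😮😑😑 😮😮😑 😮😑😑😮 "
                 "😑😮😑😮 😮😑 😮😮😮 😮 😑😮😮")

# International Morse, letters and digits only (the challenge uses nothing else).
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F", "--.": "G",
    "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L", "--": "M", "-.": "N",
    "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R", "...": "S", "-": "T", "..-": "U",
    "...-": "V", ".--": "W", "-..-": "X", "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

def decode_morse(morse):
    """Decode space-separated Morse groups; return None if any group is not a valid code."""
    letters = []
    for group in morse.split():
        if group not in MORSE:
            return None
        letters.append(MORSE[group])
    return "".join(letters)

def decode_emoji_morse(text):
    """Map the two symbols to dot/dash both ways and keep the assignment that decodes fully.
    Returns (morse, plaintext); raises if the input is not a two-symbol substitution of Morse."""
    symbols = sorted(set(text.replace(" ", "")))
    if len(symbols) != 2:
        raise ValueError(f"expected exactly two symbols, found {len(symbols)}")
    a, b = symbols
    for dot, dash in ((a, b), (b, a)):
        morse = text.replace(dot, ".").replace(dash, "-")
        plain = decode_morse(morse)
        if plain is not None:
            return morse, plain
    raise ValueError("neither dot/dash assignment yields valid Morse")

def extract_flag(plaintext):
    """The decoded sentence names its own flag between THEFLAGIS and UPCASED."""
    m = re.search(r"THEFLAGIS(.+?)UPCASED$", plaintext)
    return m.group(1) if m else None

if __name__ == "__main__":
    morse, plain = decode_emoji_morse(EMOJI_MESSAGE)
    print(morse)
    print(plain)
    print("flag:", extract_flag(plain))
```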


My Grand Tour of Pentest Interviews

Late last year, I began looking for a new job. Earlier this year, I finally got one! I was interested in branching out into the broader world of penetration testing and red teaming, with more external clients and more broadly-scoped sorts of engagements. This was something of a sell to prospective employers though. I do have close to a decade of infosec experience, but only a few years of that is pentesting and I’ve always been an in-house pentester doing mostly web app and mobile stuff. That means that I am something of a noob when it comes to breaking in from the outside; I’m familiar with a lot of the tech and methodology, just haven’t done a lot of it hands-on (outside of CTFs and stuff like that). I’ve been in the broader industry for a while, meaning my salary requirements are a little higher, and I absolutely wasn’t going to relocate again so soon after my last move for my old job.

All of this and extremely high demand for pentesters at the moment meant I went through A LOT of interviews. Some of them broke down over salary expectations. Some of them I quit early because I could tell it wasn’t what I was looking for. Some of them weren’t budging on relocation. One I completely hosed myself on because I bluffed too hard during the salary negotiation phase. At least one of them probably thought I was a complete dumbass. But in the end, one employer won out and I’m now happily hacking clients, mostly from the comfort of my own home.

Besides having lots of experience being interviewed for pentest jobs, I also have some experience in interviewing people for pentest jobs. At one of my previous employers, I was involved in telephone screenings and in-person interviews of a dozen or so different candidates to join our team there.

Because I went through so many different interviews recently and have experience trying to assess pentest candidates, I figured that put me in a unique position to grade these different companies and throw in my own opinion on the best way to do it.

My intent is half to just be amusing for those who are curious about how different companies are interviewing people, maybe those trying to find out what to expect the next time they start looking for a new gig; but I’m also writing this and hoping that some recruiters and hiring managers will see this. I hope this will give you some insight into how your competition might be assessing candidates, what you’re doing right in your own process, what you’re doing wrong, and how you could be doing it better.