Tag Archives: Derbycon

Derbycon 2019: Ending on a High Note

As most of you know, this year was the ninth and last Derbycon security conference in Louisville, KY. It was especially bittersweet for me, since it’s my hometown conference…and I just moved back to the area last year, hoping to save some travel money by having a major infosec con right in my backdoor.

The Marriott was a little better prepared this year, though the bar and on-premise restaurant still seemed a little understaffed. I was a little afraid about getting enough tickets for all my friends this year, as I thought this being the final one would mean an even bigger interest in it. This really wasn’t the case, as I had enough tickets for everyone well before September and even knew people who were still trying to sell their spare tickets all the way up to the day of the conference.

Having already blown my corporate training budget on SpecterOps’s excellent Red Team Operations course early in the year (I highly recommend it), I didn’t have any money to buy training this time around.  Dark Side Ops 1 was the only one I was really interested in, having taken their also-excellent Dark Side Ops 2 at last year’s Derbycon.

Being the last year of Derbycon and having most of the Eversec crew in town, I once again reverted to being a CTF zombie.  The only talks I really went to were the keynote and one by Rindert Kramer, from NCC Group’s Fox-IT acquisition in the Netherlands, about his custom LDAP-based C2 channel.  I unfortunately didn’t get to see my friend and colleague David Tulis (@kafkaesqu3) give his presentation on COM hijacking, as it conflicted with my son’s Saturday morning soccer game.

After the keynote and a quick lunch, the CTF room was open for business and we staked out a big table for our ever-growing CTF crew.  Besides the core of former Fidelity Investments pentesters, we had some new friends joining the mix, like Ashley Templet from Avalara, Jack Halon (@jack_halon) from NCC Group, Jeff Macko (@jmacko) from Kroll, old friend but first-time Derbycon attendee Ping (@n0tl33t), and several new faces that our Virginian friend Erwin managed to recruit. If you’re trying to CTF with a big crew like this, communication and organization is absolutely key! Since you probably don’t want to discuss vulnerabilities and attacks too loudly in a room full of your rivals, you need an online means of doing all this. For us, we had a special Slack channel just for CTF discussions and a Trello board for organizing tasks, keeping notes, assigning stuff, etc. We’ve been using Trello for years on CTF’s (I think it was Ray who suggested it) and it’s crucial to sharing info and keeping from duplicating effort on the same challenges.

Like previous years, the first day or so is pretty miserable because of the initial flood of people and skiddies doing dumb shit.  The ESXi server that the CTF team was using to host the challenges even got purple-screened multiple times.  By Saturday, it was behaving much better and we managed to make a lot of progress.  In true CTF zombie fashion, most of us stayed up well past midnight banging away at challenges.  My friend and teammate Ray (@doylersec) was kind enough to let me crash in his room for the night.

The CTF was devilish as ever.  The overarching theme was a parody of Derbycon called “DerpyCon”…which is stealing valor from my buddy Kyle Stone (@essobi) and his old pre-Derbycon house party. There was another, even more expansive MUD than last year, that Ashley spent a ton of time getting flags out of (which can still be played for a few more weeks at http://derbymud.mog.ninja/).

I was going to write up some of the challenges I personally participated in, but our old rivals “spicyweasel” (AKA Nettitude Labs) already posted their usual excellent write-up of the challenges…and they take many more screenshots and keep better notes than me.

But “spicyweasel” didn’t take home the top spot this time. After having chased them for years, Team Eversec managed to come out the winner! Like most of the competitors do every year, we once again donated our prize money to Hackers for Charity.

Thank you Derbycon for nine wonderful years! Thank you Derbycon CTF team for always putting on a great competition and inspiring all of us to put on our own CTFs at our companies and various local cons. And thank you to our rivals, like spicyweasel and SecureWorks’ “Illuminopi” team, for making every competition exciting, tense, and fun. We can only hope we can find another annual CTF as awesome as this one and play against all of you again.

Advertisements

How to Score Tickets to Your Favorite Security Conference (Now That Derbycon is Dead)

NOTE: For the last several years, I’ve been a master at scoring hard-to-get conference tickets, specifically for Derbycon.  I originally wrote this two years ago, but my Eversec teammates begged me not to post it.  I thought their fears of being outcompeted for Derbycon tickets were unfounded, but I honored their request.  Since Derbycon is over now, I’m going to reveal the secret to all of you!  These tips are easily applicable to any conference with limited and hard-to-get tickets, like Shmoo.

  • Follow the con’s Twitter account and turn on notifications for it: besides their website, Twitter is the main way most con organizers put out news.  Following them, and especially turning on notifications for when they tweet, is one of the easiest ways to keep abreast of what’s going on, official sales times, etc.  Organizers will announce sales times and sometimes even extra sales or ticketing system tests, so you could always get lucky that way.
  • Submit something to the Call for Trainers, Call for Workshops, and/or Call for SpeakersI know this isn’t going to be the best option for everyone, but if you have some cool skill you think you could teach or some neat topic you can present on, submit it!  If you get accepted, you automatically get a ticket and many cons will even give you an extra ticket for a partner/spouse/friend or even an honorarium.  I’ve even gotten a ticket for Derbycon before just for being on their talk waitlist, in case someone didn’t show and they had to fill a slot.

Continue reading