Monday, December 18, 2023

Security Testing Journal Entry | w/e Friday December 15, 2023 - "So Meta, So betta" ed.

Highlights for the week

Intentionally late post this week as I wanted to dedicate this entry to a really cool MetaCTF "Capture The Flag" event I participated in over the weekend and wanted to regale you with my tales of woe. I was part of a team made up of people I had met long before. I got some early wins with a few of the CTF tasks I took on. My teammate carried the team. He was phenomenal. While he took the Binary/Reverse Engineering challenges, some of the ones I took included:

  1. Decoded binary with https://cryptii.com/pipes/binary-decoder
  2. Find IP for given web domain - I used ping
  3. Find hash used for given value - $2y identifies this as Blowfish/bcrypt
https://unix.stackexchange.com/questions/430141/how-to-find-the-hashing-algorithm-used-to-hash-passwords
  4. “Captured in Transit” - find flag in PCAP file {A fun one with Wireshark, filter by HTTP}
  5. “Magically Mathematical” - web exploit {I struggled with this one, but it wasn't hard}
  6. “Validation” - XML injection {I knew it was an XXE vulnerability, but I couldn't get it to work. My teammate did}
  7. “Racer ….” - modifying the cart to add money and buy item {I knew the solution was to modify the payload, but it didn't work for me}
  8. “WAF” - trying to find the FLAG for a site that is protected
  9. “Connecting to remote network” (hops) {this one was fun}
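Item 3 above comes down to reading the `$2y$` prefix of the Modular Crypt Format. As an added example (my own code, not from the post, the Stack Exchange answer, or MetaCTF), here is a small Python identifier that generalises that check: it parses the `$id$` prefix for bcrypt, sha256crypt/sha512crypt and a few others, pulls out the work factor where the format exposes it, and falls back to a length-based guess for bare hex digests. The scheme table is assembled from crypt(3) conventions and every sample hash below is constructed for the example, not taken from the CTF.

```python
import re

# Known Modular Crypt Format identifiers: the "$id$" prefix names the scheme.
# Table assembled for this example from crypt(3)/passlib conventions.
MCF_SCHEMES = {
    "1": "md5crypt",
    "2": "bcrypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2x": "bcrypt",
    "2y": "bcrypt",   # PHP crypt_blowfish variant; the prefix seen in the CTF
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
    "argon2i": "argon2i",
    "argon2id": "argon2id",
}
BCRYPT_IDS = {"2", "2a", "2b", "2x", "2y"}

# Bare hex digests carry no prefix, so length is the only hint and it is
# ambiguous (32 hex chars could be MD5, NTLM or MD4).
HEX_DIGEST_CANDIDATES = {
    32: ["md5", "ntlm", "md4"],
    40: ["sha1", "ripemd160"],
    64: ["sha256", "sha3-256", "blake2s"],
    128: ["sha512", "sha3-512", "blake2b"],
}

BCRYPT_ALPHABET = r"[./A-Za-z0-9]"


def identify_hash(value):
    """Return (scheme, details) for a password-hash string.

    scheme is a short name or 'unknown'; details holds parsed parameters for
    MCF hashes, or the list of length-compatible digests for bare hex.
    """
    value = value.strip()
    m = re.fullmatch(r"\$([^$]+)\$(.*)", value, re.DOTALL)
    if m:
        ident, rest = m.group(1), m.group(2)
        scheme = MCF_SCHEMES.get(ident)
        if scheme is None:
            return "unknown", {"mcf_id": ident}
        if ident in BCRYPT_IDS:
            # Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>, 60 chars total.
            bm = re.fullmatch(r"(\d{2})\$(" + BCRYPT_ALPHABET + "{22})("
                              + BCRYPT_ALPHABET + "{31})", rest)
            if not bm:
                return scheme, {"variant": ident, "malformed": True}
            cost = int(bm.group(1))
            return scheme, {"variant": ident, "cost": cost,
                            "rounds": 2 ** cost, "salt": bm.group(2)}
        if ident in ("5", "6"):
            # $5$rounds=N$salt$digest, or $5$salt$digest with the default 5000 rounds.
            fields = rest.split("$")
            rounds = 5000
            if fields and fields[0].startswith("rounds="):
                rounds = int(fields[0][len("rounds="):])
                fields = fields[1:]
            return scheme, {"rounds": rounds, "salt": fields[0] if fields else ""}
        return scheme, {"variant": ident}
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        candidates = HEX_DIGEST_CANDIDATES.get(len(value))
        if candidates:
            return "hex-digest", {"bits": len(value) * 4, "candidates": candidates}
        return "unknown", {"hex_chars": len(value)}
    return "unknown", {}


# Constructed sample inputs for this example (not values from the CTF).
SAMPLES = [
    "$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy",
    "$6$rounds=656000$saltsalt$" + "Q" * 86,
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "$foo$bar",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:24] + "...", "->", identify_hash(s))
```

The prefix tells you the scheme, not the strength: for bcrypt the two digits after `$2y$` are the cost, so `10` means 2^10 key-expansion rounds, and that number is what decides how expensive cracking will be. For a bare hex digest the function deliberately returns a list of candidates rather than one answer, because length alone cannot separate MD5 from NTLM; that ambiguity is why cracking tools still make you pick a mode.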

Overall, this was a great CTF experience compared to last time. The challenges were less intimidating. The buzzkill was the performance issues with some of the servers, making access to the challenges involving them all but impossible. 9/10 would recommend.

What We Loved

  1. CTF challenge was a highlight
  2. Going on another cruise for x-mas vacation

What We Learned

  1. Part of the CTF challenges meant learning some fun concepts. As always, when in doubt - google it.
  2. ISC(2) - Still moving through the modules
  3. Burp Suite - Finishing the modules on Access Control Vulns. Along with the Business Logic, these were super relevant.
  4. PW w. JS - Finished Adding API tests for basic features + Security. Moving along quite nicely through E2E flows.
  5. Cult.ure - Added notes, but fell behind on writing... sorry!
  6. Husb - continued with 'Judicio', need to wrap that up

What We Longed For

  1. As always, a job and a paycheck.

What We Loathed

  1. Recruiter ghosting. But then I've become indifferent to the whole thing.
