A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Louisville InfoSec CTF 2009 (Hacking Illustrated Series InfoSec Tutorial Videos)

Louisville InfoSec CTF 2009

    This video summarizes one possible way contestants could have completed the Capture The Flag event at the 2009 Louisville Infosec. Tools and concepts used in the video include: Backtrack 4, Kismet Newcore, Nmap, Metasploit, Meterpreter, Firefox, SQL Injection, Cain, Truecrypt and 7zip.

    The winning team was comprised of Rel1k (Dave Kennedy), Pure-Hate, Archangel, and Titan. Yes, Dave did compromise my personal laptop during the event, teaches me for not mitigating 0 days before the conference. :) When Archangel told me he was bringing Dave in for his team, I knew which way thing were going to go down. Rel1k and Purehate are Backtrack 4 developers, and Archangel and Titan are no slouches either. Congrats guys. Here is Dave's writeup of the event:
http://securestate.blogspot.com/2009/10/louisville-metro-infosec-capture-flag.html
Thanks to Ben Thomas for the photos.

Download video from:
http://www.archive.org/download/Irongeek-ctf631/Irongeek-ctf631.wmv
or
http://blip.tv/file/get/Irongeek-ctf631.wmv

Streaming Flash:

 

Scenario:

    The admins try to run their network as a tight ship, but you have been brought in to do a pentest. You know the admins have a Truecrypt volume out there with Personally Identifiable Information (PII). Your goal is to find it, and decrypt its contents till you get a list of names and Social Security Numbers. Little hints will be given via a comment wall on one of the web servers. To win points bring proof to the judge that the particular flag task has be completed. These are the "flags", and their point values:

0. Attach to the Wireless network (hint:CTF is in the name) and show the judge how you got the SSID. 15 points
(Name will be given if you can't find it, but you won't be able to get points for it.)
1. Find the IP of the of the Windows box named WinCTF owned by IronGCorp, and list 3 or more open ports. 5 points
2. Find the IP of the x86 based Linux box ran by IronGCorp, and list 2 or more open ports. 5 points
3. What box are the admins running their Intranet site on, and what is the web server type/version? 5 point
4. What is the Windows box's (WinCTF) Administrator password? 10 points
5. What is the x86 Linux box's Root password? 5 points
6. Copy PII.tc (a true crypt volume) to your box. 10 points
7. Password to the PII.tc file. 10 points
8. Password to a non x86 based Linux box. 10 points
9. Password to a 7zip archive. 10 points
10 The decrypted PII.csv file. 25 points

    Highest point score at the end of the game wins. If two contestants have the same points at the end of the game, the first to accumulate their point total wins. Obviously, if you play as part of a team you have to figure out amongst yourselves how to split the prize. The winner will get up on stage and explain what he did when he picks up his prize.


Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast