I was given the opportunity to attend BSides Philadelphia and was able to compete in a CTF. I took home 3rd place playing by myself. I meant to form a group but I didn’t get around to it. Below is my write-up for a couple of the problems I solved. I forgot to do the write-up while I was there, so I apologize for not sharing the exact names of the challenges. I was also able to attend a couple of talks there.
Talks Attended
I really enjoyed the keynote about what it means to be a hacker and how to speak up for those who can’t speak up. His point was to be the person Mr. Rogers believed you could be. Mr. Rogers was a hacker: he saw a problem and made an effort to fix it.
I also attended a talk about Operational Technology, which is the technology you see on factory floors: the systems that speak to each other. He raised quite a few challenges in securing these systems, because many times the vendor will bring their own access points. I also heard a little bit about how old networking things work. I want to investigate exactly what ThickNet was on my own time.
If it had been a multi-day affair I would have liked to attend some more talks, but I was obsessed with the CTF because I haven’t played in a serious one in such a long time.
Capture the Flag Challenges
They had a really nice mix of challenge types including cloud, crypto, web and forensics. I really liked the forensics challenges. I’m not going to go super in depth in the write-up because I don’t want to give up the challenges.
The CTF was run by the talented folks at ThreatSims.
Cloud Challenge
The cloud challenge was to investigate a website and find a vulnerability in an S3 bucket policy. The bucket could be openly listed, and versioning was enabled. I did not have my AWS creds on my laptop, but anonymous access is possible within the CLI via the --no-sign-request flag.
From here you had to look through a source code dump and find the creds in a past commit within the git history. Never forget that adminer is amazing and literally the best SQL web frontend ever.
The takeaway from this challenge is to make sure you actually delete the objects from the bucket when you clean up a mess. Versioning is helpful but can still let you hurt yourself: on a versioned bucket a plain delete only adds a delete marker, and the earlier versions remain retrievable until they are removed explicitly. Just like everything, it is a balance.
Web Challenges
There were a fair number of web challenges that I really enjoyed, because they were deployed vulnerable versions of web applications and you had to exploit them. I really enjoyed the files.gallery challenge because it was a nice shell injection vulnerability. The start for all of these challenges was to search the CVE database for known issues related to these products and see if a write-up exists for it yet. Odds are one is going to exist.
The vulnerability to exploit is described in depth by this POC. It allows you to inject whatever command you want into the container by uploading an MP4 file named in a specific way. There were a couple of restrictions on the commands you could use. I ran into issues with trying to use full paths to things, since forward slashes are not valid in file names. It also was not exactly clear what was on the path. I kept trying to pass things into bash, but that didn’t exist on the path of the container, so I had to use sh. Going from here I ended up writing a base64 file to copy the flag to the webroot.
Forensics
They gave a really neat forensics challenge with a network PCAP. It was a case of data exfiltration via email, but they threw in a couple of curveballs compared to how things are done today. In the past people used to use real email clients instead of webmail. I miss when everything was a separate protocol instead of just being JSON over HTTP.
I found it really useful to use the protocol hierarchy breakdown view to decide where to get started in these kinds of challenges, as that gives you a strong hint of what is going on.
The nice thing about this pcap was that they already removed the TLS keys and decrypted all conversations.
The final challenge in this event was extracting the email with the secret data. You had to get this image file out of it. I really struggled with it because I couldn’t get the regular base64 to decrypt it properly. So I went hunting for a Linux email munging tool.
I discovered the reformime tool. I had to pipe the email through it and then load the PNG into Google reverse image search and then look on maps to find the actual file. I really liked this challenge because it blended the forensics with a bit of open source intelligence.
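Added example (my own Python, not the author's workflow and not the reformime tool): it pulls the same kind of attachment out of a constructed SMTP DATA stream by undoing dot-stuffing and letting the email module decode each attachment per its transfer-encoding header, then keeps only the parts that start with the PNG signature. The message, the addresses and the PNG payload are constructed for the example, not taken from the challenge.

```python
import email
from email import policy
from email.message import EmailMessage

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_smtp_data() -> bytes:
    """Constructed sample: the DATA section of a cleartext SMTP session, as it
    would be carved from a pcap, carrying a base64-encoded PNG attachment."""
    msg = EmailMessage()
    msg["From"] = "insider@example.test"
    msg["To"] = "drop@example.test"
    msg["Subject"] = "site photo"
    msg.set_content("Photo attached.\n.signed")  # second line starts with '.'
    # Constructed payload: PNG signature plus filler bytes, not a real image.
    msg.add_attachment(PNG_MAGIC + b"\x00" * 64, maintype="image",
                       subtype="png", filename="site.png")
    wire = msg.as_bytes(policy=policy.SMTP)  # CRLF line endings, as on the wire
    # Dot-stuffing (RFC 5321 4.5.2): leading '.' is doubled, lone '.' ends DATA.
    stuffed = b"".join((b"." + ln if ln.startswith(b".") else ln) + b"\r\n"
                       for ln in wire.split(b"\r\n"))
    return stuffed + b".\r\n"


def unstuff_smtp_data(data: bytes) -> bytes:
    """Undo dot-stuffing and drop the terminating '.' line so the bytes parse
    as an ordinary RFC 5322 message."""
    lines = data.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()
    if lines and lines[-1] == b".":
        lines.pop()
    return b"\r\n".join(ln[1:] if ln.startswith(b"..") else ln
                        for ln in lines) + b"\r\n"


def extract_png_attachments(message_bytes: bytes) -> list[tuple[str, bytes]]:
    """Let the email module decode each attachment per its Content-Transfer-
    Encoding header; a hand-rolled base64 pass over the raw message fails because
    the MIME headers and boundary lines around the encoded data are not part of
    it. Returns (filename, bytes) for parts whose payload has the PNG signature."""
    msg = email.message_from_bytes(message_bytes, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and payload.startswith(PNG_MAGIC):
            found.append((part.get_filename() or "unnamed", payload))
    return found
```

The same two functions work on a real DATA section exported from Wireshark's Follow TCP Stream, as long as the SMTP session was cleartext or already decrypted like this pcap was.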
Overall I had a great time at BSides Philly, and would recommend any security professional in the area go and check it out. I learned a lot and met a bunch of cool people there.