I love using sponges for crypto Who doesn't, right? This past weekend was the Boston Key Party (BKP) CTF which was a fun and challenging event. The challenge I spent the most time working on was the Crypto 200 point challenge titled "Sponge". The challenge was to find a collision with the known value "I love using sponges for crypto" using a custom hashing algorithm ... READ MORE
Capture The Flag
Capture the Flag 2017 – Example Challenges
Early next year, RSM will host its fourth annual Capture the Flag event. We wanted to give our potential participants some background information and examples of the types of problems they will encounter. Coding: https://warroom.rsmus.com/ctf-example-coding/ Cryptography: https://warroom.rsmus.com/ctf-example-cryptography-2/ Forensics: ... READ MORE
CTF Example – Web Application Security
During RSM's 2016 Capture the Flag (CTF) event, the Web Application Security category took the format of a full-blown web application penetration test. Participants could accomplish the 100 point challenge simply by exploring and mapping out the web application. By the time participants reached the 500 point level, they had performed password guessing, SQL injection, bypassed ... READ MORE
CTF Example – Social Engineering
When a client requests a Social Engineering assessment, they are wanting to test any weaknesses found in the people themselves, not necessarily technology. After all, it's often easier to just ask someone directly for their password instead of trying to find an exploit for an application. In the context of a penetration test, typically this takes the form of impersonating ... READ MORE
CTF Example – Physical Challenges
In the Physical Challenge category, problems are focused on simulating technical skills that a consultant might have to use on an asssessment. Two major skills that come in handy are knowledge about lockpicking and security cameras. Lockpicking Lockpicking is something of both an art and a science. The scientific part is easy to understand as illustrated by this fantastic ... READ MORE
CTF Example – Web Application Security Part II
In our previous post, we talked about using robots.txt to uncover hidden information about a target website. By the end of this post you should be able to: Use dirb to spider a website for directory content Use Burp to attempt a brute forcing attack You will need the following: Kali Linux virtual machine installed and ready to go The following ISO file ... READ MORE
CTF Example – Hacking
CTF Example – Hacking Although hacking can have multiple different meanings, in the context of the RSM CTF the hacking category focuses on the active exploitation of vulnerable services. In this blog, you should expect to come away with the following skills: Use VMWare to set up and configure a safe test lab environment Use Nmap to find out what services are running on ... READ MORE
CTF Example – Coding
You sit there in front of your desk after getting hired in to a security position, and quickly realize that it is no point-and-click job. Security on both sides of the house leverage the power of programming to automate tasks. This can be anything from alerting on specific key words on logs, to making a quick script to gather information for the environment you just caught a ... READ MORE
CTF Example – Wireless Security
Each of RSM's previous Capture the Flag events has included a challenge in which participants were tasked with tracking down a specific wireless access point. There are many examples of the practical applications of being able to accomplish such a task. These include manually verifying potential rogue access points and signal triangulation (which is an entire science in and of ... READ MORE
CTF Example – Cryptography
Our Cryptography challenges have historically been paper-and-pencil options, requiring less raw, technical skill to complete. The category is meant to be a more approachable option for participants who favor puzzles instead of hacking or coding. The example I'll walk you through in this post is no exception. The 300 point challenge from our 2016 CTF event required the ... READ MORE