Capture the flag - /ctf/ - General Security competition thread

First edition - Feel free to contribute

Capture the Flag (CTF) is a kind of information security competition.

>Newbie guides
trailofbits.github.io/ctf/

>Great collection and resource of CTFs that are long-running
captf.com/practice-ctf/

>Vulnerable Machines
vulnhub.com/

>Resources:
resources.infosecinstitute.com/tools-of-trade-and-resources-to-prepare-in-a-hacker-ctf-competition-or-challenge/

>Events:
ctftime.org/event/list/


bumping

Bumping with a video
youtu.be/ULRZcsjkvSA?t=43

Hey some actual fun, have a bump.

Good stuff. bump

Nice thread, it's fun to see something new.
youtube.com/watch?v=RXgp4cDbiq4

Bumping for epic bread

Contribution:

I don't know if it's related but there's a fun game on steam called Hacknet: store.steampowered.com/app/365450/Hacknet/

Also there's a "simulation/game" available at telehack.com.


Is this the hackerman general?

github.com/s0md3v/AwesomeXSS
github.com/zardus/ctf-tools
github.com/ctfs/write-ups-2014
some useful links

esport hackerman thread


So, are you going to play the defcon quals?
Last time I played, in 2016, I was only able to defeat 4 challenges and I missed some very easy ones.
It could be fun to make a team but these kinds of threads never survive long enough.

I've never been to any CTF event, care to explain some of the challenges you faced?

I'm talking about the online quals, I don't remember in detail but I think they do the same 5 categories every year: binary, web, RE, forensic, misc(?). I only remember failing the SQLi because I was a dumb script kiddie trying to win with sqlmap.

One does not poo like the others


is it even worth getting into the hobby of this if you have zero patience for "for the next step of the puzzle you need the resulting hash of the previous password and the last 64 bytes of an mp3 on the hidden partition, and if you can't figure that out then you're fucking retarded"

neat.
wish I wasn't a brainlet when it comes to this stuff.

>hey guys is it worth getting into football if i dont like playing with balls
>hey guys is it worth getting into writing if i cant stand the sight of words
>hey guys is it worth getting into cookery if i dont like food
>hey guys is it worth getting into a puzzle based activity if i dont like puzzles

cringe response

If you have fun doing it then it's worth it.
Just don't get frustrated, there's no reason to be stuck on one challenge too much time, the hacker mindset can only get you so far if you don't know the tools you have to use or the things you're expected to check. Sometimes reading a writeup is the best way to get on the next step.

hackthebox.eu/

Irongeek (Adrian Crenshaw), who has a ton of hacker conference recordings and resources for CTFs (and founded Derbycon), has been fired from Trustedsec over his political beliefs on Twitter, his personal site, and stream! He is no longer on the TrustedSec team webpage. This is the thanks he gets for years of service to the community recording conferences for people who can’t go.

I just won my first ctf event at my University this past weekend. AMA.

what were the problems? what solution were you proud of?

anyone have dumbshit moments like me?
>working on a natas problem yesterday, command injection into grep allows for a single character's worth of information leak
>first thing i think of is cut -b x /passfile, and it works, i loop through all 32 characters and pull out the password
>BUT i lost case information and digits, my password space was decimated but i still had something like 2*10^14 possibilities
>BRIGHTIDEA i can use tr once to map lower case to digits, finding the uppercase characters, then map digits to letters and get those out as well
>4 fucking hours and a tonne of searching and tinkering later and i realise they must be filtering characters as well as | , because nothing works like it does on my own terminal
>finally break down and search for solution
>find my exact idea (almost) but using grep does it better
wanted to punch myself in the dick
moral of story is always use grep if possible
made happier a few levels later with a side-channel attack of a sql server

>tfw u got the invite code

Hacker genius right here bros

Right now, I'm doing the cryptopals.com challenges. I'm on Set 1, problem 6. Took a break to do some vulnhub machines (temple of doom, bulldog, gemini) and now I'm back trying to write my xor breaker function. Off-topic a little, but I saw a video of the guys who made the challenges (I think it was from defcon), total spergs, but they seem like genuinely good people to be around.

FYI for people interested in crypto, Professor Christof Paar has a bunch of good videos on jewtube (in English).

I'm also currently studying for the Sec+ and OSCP, plan on taking both in the coming couple of months.

>inb4 useless certs
resume padding

Hopefully tho I can get good enough at bug bounties that I can make a living from home (need at least $4k/mo in my area).

/blog

I don't understand why so many people hate HtB just for the playful approach, sure, everyone can google the invite code but from the 80k accounts there's only a bunch that can do any kind of active machine. With 10 active machines defeated you can get to top 300 and that's when the fun begins.
How viable are bug bounties to make a living?
I haven't investigated much about them but I've heard that some of the big companies won't even pay you for some vulnerabilities, and from what I've seen on some bug bounty websites there's quite a lot of competition.

>unironically posting worst halo


did any of yall do National Cyber League?

It's pretty small (especially for the title) but I got ~300/4700 and that makes me happy

It's kind of easy getting the code for hackthebox actually.

When it said
>Feel free to hack ur way in :)
I tried code injection because of the eval() script and got blocked. Wtf I thought this was how i would get 1337.

use a scalpel not a god damn axe

>I can't figure it out because I don't know shit about web app pen.
>don't hate me

>Halo 3
>Worst Halo
I'm sorry what


They all suck, xbot.

Let me guess. His political views don't fall in line with modern extreme liberalism? I like that dude I follow him on youtube.

Is acting like a retard considered social engineering?

It certainly could be if it gets you the desired outcome

fuck off zoomers

Exactly. Part of the hacker scene basically turned sjw, and he didn't want to suck the CoC.

One too many people complained to TrustedSec about him and he got canned.

Take a closer look at OP's picture.
>Playable elites
>Halo 3
>Worst Halo
off yourselves


Well, the thread was already derailed.

This fuckin shit pisses me off. I'm not yet done with school but I'm not looking forward to getting into the IT industry anymore because of this type of shit.

who is actually playing on hackthebox here?

I haven't played in like two months but I'm thinking about playing again.

to anyone who wants to start playing CTF but doesn't know where to start:
>virtualbox.org
>kali.org
>vulnhub.com/series/the-necromancer,87/

Necromancer Walkthrough:
[spoiler]
Video: youtube.com/watch?v=I8usHtrD998
Text: securitybytes.io/necromancer-vm-dcfa3f0a746d
[/spoiler]

(To any new players: don't feel bad for referring to the walkthrough sometimes if you are stuck. It's not the easiest of hobbies and sometimes you learn new things while reading a walkthrough)

Don't die

I've been playing for an hour now. I got the entry code and finished the Jerry machine. I wanted to try something harder and I finally found a challenge with the Ethereal machine.

If someone happens to be playing r/n, do you know why when I try to go to ethereal.htc:8080 I get a 404? ping shows no result for the domain name.

ethereal.HTB:8080. My bad.

Did you try the hosts file? That works for me.

Godspeed my dude ty.

I'm hooked, send help.

would be neat to have some sort of irc channel about ctfs desu

Please senpai make/find one and share it here

I think there was a dead one for the hackerman general

>who is actually playing on hackthebox here?
I used to play on that site like 4 months ago but I stopped because I was kind of busy with something else back then and then I forgot about it. Thanks for reminding me though.

yeah, if I could talk with other people also interested in ctfs I would probably play them more.


is it possible to be good at computer security and still have a life?

irc://irc.freenode.net/#vulnhub

>not ut2004 in op's pic
wow i guess you tried

>Writing a presentation for netsec class
>Decided to base it on what kind of data I could get over the air in the university library just packet sniffing data between clients and the unencrypted wifi routers
>Almost literally get zero http POST data after an hour of sniffing with a room of a few hundred students

what the heck

There's WPA encrypted wireless AP's and about half the traffic goes into those instead of the unsecured wireless - how hard/easy would it be to sniff that data for passwords/logins?

I'm just a student so I'm still figuring out how this all works

I did that once in my university's library but only after being associated to the AP (WPA) and doing ARP poisoning.
The real problem wasn't collecting the traffic, the problem was TLS/SSL encryption that made almost all of the data gibberish. All I could get was info from some guy that posted in some game of thrones forum and a bunch of images, but most of webpages with login function used TLS/SSL. Now I don't remember if I ever tried SSL strip but you could try that.

I want to stay completely passive. It's a school network and I don't think the admin would be happy if they found out I was setting up an AP and doing MITM attacks in the library...

Man natas is a lot of fun. OTW is love desu

I'll be doing SquareCTF with my college team this weekend. I hope I can sink my teeth into some good crypto problems.

Did anyone on the off chance try the abomination that was IceCTF a couple months ago?

>crypto problems.
the cryptopals.com challenges are fun. I'm still trying to get the correct key size for a xor-encrypted ciphertext using a sliding window approach to counting coincidences, but the tips they give on cryptopals are confusing and my test runs turn up false positives all the time. I worked on it for probably 6 hours yesterday, back at it today. Might watch a few lectures from Christof Paar if I stay stuck, or I may just try another vulnhub box.

You can stay completely passive watching traffic. I don't think there's an admin watching all the traffic. Probably has sensors set up watching "sensitive" areas to see if anyone is trying to hack the Gibson.

Not really thread related but something funny happened. Got a mail today on my university account. Very generic message "Dear User This is a [reminder of an important meeting](link). Regards University" possibly sent to every student and staff. Sender is some foreign girl and the strange link triggers a phishing warning so my guess is her account got hacked.

First time I've ever seen this.

I've done all the cryptopals. I love cryptography and it is what I mostly do at CTFs. I also have watched all of Christof Paar's lectures, much to my enjoyment. For finding repeating xor key length, you have to find the shortest Hamming distance for the range of possible lengths.

Hey, just started looking into how to pursue CTFs. Anyone have any good books to learn from that would be best coming from a javascript/python web developer? I'm mostly interested in web pen testing but I enjoy the jeopardy style CTFs online to start getting an idea of how everything is perceived.

I LOVE YOU GUYS! :DD

anyone have active discord servers for this kind of thing?

>discord
>hackerman
wtf use irc. benis :DDD

bumping for cyberpatriots

>you have to find the shortest Hamming distance for the range of possible lengths.
Right, but when I either take only 2 blocks worth of bytes and find the hamming distance (I tested out my ham_dis function and it works perfectly) I get a lot of false positives. The same thing happens when I take the entire ciphertext worth of KEYSIZE length blocks and xor each of those, summing up the total and normalizing, I get a bunch of false positives on my tests. Does the ciphertext have to be a certain length for this to work?

>xor each of those
meant to say find the hamming distance...

Maybe I'm just overthinking this.

Also perfectly analogous response. Sometimes you have to trade one for the other.

nvm, figured it out. whew feel like a total brainlet, cause I did overthink it and it was just taking the first set of KSIZE blocks.
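
The key-length scoring discussed in the posts above, as an added example that is not from any poster: each candidate size is scored by the Hamming distance per byte averaged over every adjacent block pair, and `max_pairs=1` gives the two-block variant for comparison. The key, the sample text, the function names and the "smallest size within a tolerance of the minimum" tie-break are assumptions made for this sketch.

```python
# Added example, not from the thread. Key, text and names are constructed.
from itertools import cycle

def hamming(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def keysize_score(ct: bytes, k: int, max_pairs=None) -> float:
    """Mean Hamming distance per byte over adjacent k-byte block pairs."""
    blocks = [ct[i:i + k] for i in range(0, len(ct) - k + 1, k)]
    pairs = list(zip(blocks, blocks[1:]))[:max_pairs]
    if not pairs:
        raise ValueError("ciphertext shorter than two blocks of this size")
    return sum(hamming(a, b) for a, b in pairs) / (len(pairs) * k)

def guess_keysize(ct: bytes, sizes=range(2, 21), max_pairs=None, tol=1.25):
    """Return (guess, scores). max_pairs=1 is the noisy two-block variant."""
    scores = {k: keysize_score(ct, k, max_pairs) for k in sizes}
    best = min(scores.values())
    # Multiples of the real length score as low as the length itself, so take
    # the smallest size within tol of the minimum (a heuristic assumed here).
    return min(k for k, s in scores.items() if s <= best * tol), scores

# Constructed sample plaintext: ordinary English, no repeated sentences.
PLAINTEXT = (
    b"The incident responder pulled the proxy logs, matched each "
    b"outbound request against the asset inventory, and found one "
    b"laptop talking to a host nobody recognised. She imaged the "
    b"disk, captured memory before shutdown, and wrote down every "
    b"command she typed so the timeline could be rebuilt later by "
    b"someone who had never seen the machine or met its owner. "
    b"A week on, the same notes let a second analyst confirm it."
)
KEY = bytes.fromhex("a73ce15a0f")  # constructed 5-byte key
CIPHERTEXT = bytes(p ^ k for p, k in zip(PLAINTEXT, cycle(KEY)))

if __name__ == "__main__":
    full, scores = guess_keysize(CIPHERTEXT)
    first_pair, _ = guess_keysize(CIPHERTEXT, max_pairs=1)
    print("all block pairs ->", full, "| first pair only ->", first_pair)
    for k in sorted(scores, key=scores.get)[:4]:
        print(f"  keysize {k:2d}: {scores[k]:.2f} bits/byte")
```

Averaging over all pairs compares a few hundred bytes per candidate instead of one block's worth, which is what separates the true length and its multiples from the wrong sizes.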

Not OP but I know a guy who has been pretty successful in security.

The answer sure looks like "no" for anyone remotely normie, or "Kinda" if semi-spergs are your kind of people.

Super good dude. I miss hanging out with him.

>soycord


>bitching about discord
>don't offer any IRC alternative

Well you are retarded because you already got everything from past levels. But it doesn't work like that, that would be easy

Hey don't be so annoying. Thank you

>125x125
>gaylo

You did good. Next time you will be smarter and do better, but yeah it sucks. But it's about the journey, if you tried hard, you learned something. Every time you see something similar you will be faster and better.
Keep at it user. It's all about learning

>freenode

Why do people always pick the cucked servers run by FBI/SJW?

bump of life

what is this

Talking about dumb shit, I was stuck on Ypuffy's priv esc for like 3 days so I decided to take a break (two weeks). Now I checked it again and solved the thing in 30 minutes.
Sometimes you just have to clear your mind.