The next iteration of the itenium Security Bootcamp is at the Michigan Technology Conference 2024. Its vulnerable applications will be running for the duration of the conference: exploit the vulnerabilities (hack!?) and submit captured flags in the Portal website.
Here is how those that will participate can prepare themselves.
If the term SQL Injection does not ring a bell, you may want to start by reading up on that and other vulnerabilities such as: XSS, CSRF, OWASP, …
Super Tips:
Statements in this blog that have a 😉 emoji, ignore at your own peril 😉
GUARD YOUR API KEY WITH YOUR LIFE
Your API key is how the game keeps track of your progress.
The API key is required to login and to submit captured flags (=score points).
You should have received yours by email.
If you do not have an API key, contact one of the game admins.
Divide & Conquer
It’s possible to play in a team!
At the start of the conference we will communicate how to:
Once you’ve reached the Portal, you can login with your API key which will generate a JWT token used for authentication.
BREAKING NEWS: All MITechCon sessions STOLEN, mere days before the conference start!
It is assumed that Alexander Cipher from ACME Coding Con is behind the theft of the priceless mitechcon-2024-sessions.zip (probably because they had insufficient material of their own).
But don’t panic just yet, there is hope still: our hacker liaison discovered ACME Coding Con has scheduled a major portal migration on thursday 21 March. We managed to secure migration API keys, which will enable us to infiltrate their portal and, with some clever hacking, retrieve our beloved zip.
Bring your own ethernet cable and make sure your laptop has an ethernet port!
You do not want to perform a brute force attack on wifi, trust us.
You are a seasoned hacker or really want to dive into this.
Kali linux is an open-source, Debian-based Linux distribution geared towards security tasks, such as Penetration Testing and Security Research.
Metasploit is the world’s most used penetration testing framework.
You can install this on Windows!
There is a Docker image for pretty much all the tools you’ll need.
Already install Docker for Windows and download the Docker images at home!
docker pull instrumentisto/nmap
docker pull paoloo/sqlmap
docker pull vanhauser/hydra
docker pull adminer
docker pull mongoclient/mongoclient
docker pull rediscommander/redis-commander
docker pull jrottenberg/ffmpeg
See “ALSO IN THIS SERIES” for our specific blog posts on using nmap, hydra and sqlmap.
Open Dev Tools with F12.
The following tabs will be interesting for the bootcamp:
You could also monitor network traffic with a tool like Fiddler or Wireshark
If you are unsure how to get started
nmap scan on the server the Portal is served from to discover moreAs part of the Security Bootcamp, two (vulnerable) WordPress blogs are spun up, visit them from the Portal for more useful information:
The Hacker’s Toolkit Blog contains posts on hacking tools and general info on JWT, Capturing Flags and more
The Security Audit Blog contains clues for the treasure hunts.
Just performing a certain hack does not score points, you have to locate the flag that is revealed by the hack.
Make sure to check the response body after you have performed a hack 😉
The following case-sensitive regex will match a flag:
[A-Z]{2,5}-[a-zA-Z0-9. -]{4,50}
Other things that score points:
Check the blog post in The Hacker’s Toolkit Blog in-game for more info!
The Vault is where Alexander Cipher has hidden our precious zip. It is the end game and will open on friday 22 March at 11AM.
But you can continue playing until friday 22 March at 5PM, when the winners will be announced.
Many of the flags found in the game are somehow encrypted with simple ciphers.
Attempt to open the Vault by entering all your decrypted flags as passphrase and score Vault multipliers.
Beware, incorrectly decrypted flags will cost points!
Check the blog post in The Hacker’s Toolkit Blog in-game for more info!