BSidesSF CTF: Choose your own keyventure: rsa-debugger challenge!

Thanks to symmetric (aka Brandon Enright) for this wonderful guest post! I tried to proofread it, but holy math Batman!! --Ron / @iagox86 Hey all, this is symmetric here! I was thrilled to be once again involved in running the BSidesSF CTF with such creative teammates and skilled CTF players. My favorite challenge this year […]

BSidesSF CTF: Hard reversing challenge: Chameleon

For my third and final blog post about the BSidesSF CTF, I wanted to cover the solution to Chameleon. Chameleon is loosely based on a KringleCon challenge I wrote (video guide), which is loosely based on a real-world penetration test from a long time ago. Except that Chameleon is much, much harder than either.

BSidesSF CTF: Easy to hard Rust reversing challenges

As mentioned in a previous post, I was honoured to once again help run BSidesSF CTF! This is going to be a quick writeup for three challenges: config-me, rusty1, and rusty2. All three are reversing challenges written in Rust, although the actual amount of reversing required is low for the first two.

BSidesSF CTF: Difficult reverse engineering challenge: Gman

Once again, it was my distinct privilege to be a BSidesSF CTF organizer! As somebody who played CTFs for years, it really means a lot to me to organize one, and watch folks struggle through our challenges. And more importantly, each person that comes up to us and either thanks us or tells us they […]

In BSidesSF CTF, calc.exe exploits you! (Author writeup of launchcode)

Hey everybody, In addition to genius, whose writeup I already posted, my other favourite challenge I wrote for BSidesSF CTF was called launchcode. This will be my third and final writeup for BSidesSF CTF for 2019, but you can see all the challenges and solutions on our Github releases page. This post will be more […]

BSidesSF CTF author writeup: genius

Hey all, This is going to be an author's writeup of the BSidesSF 2019 CTF challenge: genius! genius is probably my favourite challenge from the year, and I'm thrilled that it was solved by 6 teams! It was inspired by a few other challenges I wrote in the past, including Nibbler. You can grab the […]

BSidesSF CTF wrap-up

Welcome! While this is technically a CTF writeup, like I frequently do, this one is going to be a bit backwards: this is for a CTF I ran, instead of one I played! I've gotta say, it's been a little while since I played in a CTF, but I had a really good time running […]

SANS Hackfest writeup: Hackers of Gravity

Last weekA few weeks ago, SANS hosted a private event at the Smithsonian's Air and Space Museum as part of SANS Hackfest. An evening in the Air and Space Museum just for us! And to sweeten the deal, they set up a scavenger hunt called "Hackers of Gravity" to work on while we were there! […]

dnscat2: now with crypto!

Hey everybody, Live from the SANS Pentest Summit, I'm excited to announce the latest beta release of dnscat2: 0.04! Besides some minor cleanups and UI improvements, there is one serious improvement: all dnscat2 sessions are now encrypted by default! Read on for some user information, then some implementation details for those who are interested! For […]

BSides Winnipeg Wrap-up

For those of you who are close to me, you'll know that my life has been crazy lately. Between teaching courses, changing jobs (here I come, Google!recently started at Google! (I'm slow at posting these :) )), and organizing BSides Winnipeg, I've barely had time to breathe! Things are still chaotic, of course (in fact, […]

Padding oracle attacks: in depth

This post is about padding oracle vulnerabilities and the tool for attacking them - "Poracle" I'm officially releasing right now. You can grab the Poracle tool on Github! At my previous job — Tenable Network Security — one of the first tasks I ever had was to write a vulnerability check for MS10-070 — a […]

Ethics of password cracking/dissemination

It's rare these days for me to write blogs that I have to put a lot of thought into. Most of my writing is technical, which comes pretty naturally, but I haven't written an argument since I minored in philosophy. So, if my old Ethics or Philosophy profs are reading this, I'm sorry!

Faking demos for fun and profit

This week Last week Earlier this month Last month Last year (if this intro doesn't work, I give up trying to post this :) ), I presented at B-Sides Ottawa, which was put on by Andrew Hay and others (and sorry I waited so long before posting this... I kept revising it and not publishing). […]

Update on my life, conferences, career, etc

Hey all! It's been awhile since I've written on my blog, and I apologize. I'm at a job now where I actually spend my day working instead of pondering, so it's hard to find time! :) So, what's new with me? I'm working on some cool new Nmap stuff right now, so I'm hoping to […]

Who’s going to Shmoocon?

Hey everybody, I'm heading to Shmoocon on Feb 4 - 8, so two things: a) Who wants to meet up? I have plans on the Saturday, but not much else yet. b) Please don't hack me while I'm gone. ;)

Toorcon Slides

Hey all, Thanks for everybody who came out to my Toorcon talk! I had a great weekend, even the part where I got stuck in San Fransisco and spent two full days getting home. Oops :) A couple people asked me if I'd put up my slides, so here you go: (If you want […]