Forum Discussion

JRahm's avatar
JRahm
Icon for Admin rankAdmin
Jun 01, 2022

Capture the Flag!

Hey there community...are you ready to capture the flag?

We'll get the competition dates nailed down in the next week, but here are the details:

  • This CTF will be an individual exercise hosted in the F5 UDF environment. By commenting on this thread, we'll add you to the list and you'll get an invite to the competition.
  • The CTF will open June 21st at noon pacific and close June 24th at noon pacific.
  • This first CTF is not F5-centric, just an opportunity to grow or flash your red team skills against a very flawed web application.
  • There are no prizes associated, but we'll highlight the podium finishers on the DevCentral Connects live stream on June 28th.

We can't wait to see how everyone does!

Update Jun 17th: If you commented below, you should have an invite in your inbox. This will give you access to the vulnerable web application you will be attacking. To track your flags, please register at https://ctf.jimmypackets.com. Happy hunting!

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 24, 2022

    Congrats AlexBCT on finishing first in our kickoff CTF! More details to come on Tuesday's Top5. Would love to hear from you (and the others who competed!) on what you thought of the challenge, the environment, the registration process, etc. We'll do more of these in the future and refine as we go.

    • nathe's avatar
      nathe
      Icon for Cirrocumulus rankCirrocumulus
      Jun 27, 2022

      Hey Jason, I thought it was a great challenge so kudos for putting the CTF on.

      From a registration point of view it was very straightforward and I got onto the environment pretty easily. The environment itself was pretty self-explanatory too, so I was able to get right on to the fun and games very quickly.

      Juice Shop was a great choice too, as it's got plenty of challenges, of all levels, and there's enough documentation online to provide handy hints, and hold your hand through some of them. This means all types of people can try their hand, which is what you want really. It reminded me of my WAF building days (f5 ASM of course) when I would try and craft exploits to get round the defences. I was very rusty, but enjoyed the challenge and the chance to learn, or re-learn, hacking skills.

      From a tools perspective, I used mainly Chrome Dev tools and OWASP Zap. With more time I would've probably made use of the Kali instance.

      I did get an error when I loaded the site within Mozilla Firefox, wish I had taken a screenshot but it seemed to suggest it wasn't 100% compatible (may have been just for me).

      Great work all. I just wish I had had more time, but that was mainly down to my own diary than the time allocated.

      Nathe

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 13, 2022

    Capture the Flag will open June 21st at noon pacific and close June 24th at noon pacific. Course invites will be sent June 20th.

    We will announce results on June 28th on DevCentral Connects.

     

  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Jun 25, 2022

    Congrats AlexBCT and everyone who participated

    Would like to share the tools I've used: mainly fiddler and Firefox dev tools, and some online tools like cryptii.com, and Kali to solve the challenge of support team password but didn't know where to locate a word list file.

    I wish that next time we could get more time before the labs expire. 

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Jun 26, 2022

    I used mostly Chrome and Firefox Developer Tools.
    Postman for automation and SQLi.
    ZAP for fuzzing or manipulating and resending requests.
    crackstation.net for passwords.

    The registration process was straight forward, the UDF environment was ok.

    The challenge was good. I have used the Juice Shop a couple of times, but never in a CTF. 

  • AlexBCT's avatar
    AlexBCT
    Icon for Cumulonimbus rankCumulonimbus
    Jun 26, 2022

    Thanks JRahm et.al.! Was a great challenge indeed, have learned loads! To be honest, I was lucky that I had last week off, so could spend quite a bit of time on it.

    Tools that I used; Firefox Developer tools a LOT, couple of Kali tools, though would have been good to have graphic user interface on the kali system or somewhere else inside the environment, so you get more "raw" access to Juice Shop server. I think there are a few challenges that can't be done (though I'd be happy to be proven wrong) because of the external layer. (for example the Cross-Site-Request-Forgery)

    This video that was referenced was also very helpful and helped me to get started with the SQLi stuff; 

    JRahm

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin
      Jun 18, 2022

      not at all! I'll keep adding people up to the the final day of the CTF. You should have an invite in your inbox. See below for tracking flags in addition to the CTF environment

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Jun 18, 2022

    We have a holiday on Monday, so I sent your registrations early. Let me know if you didn't get one.

    The CTF environment won't open until noon on Tuesday the 21st, but you can complete your UDF registration at any time. To compete with each other, you'll need to sign up at https://ctf.jimmypackets.com to post the flags you find.

    • SaiBharath's avatar
      SaiBharath
      Ret. Employee
      Jun 21, 2022

      Hi John ,

      I haven't got a link to register for UDF environment , Can you please help me with that