Sorry, We are not Recruiting!

We are not actively recruiting at this time. We may have spots open after CSAW.

(updated: 3/22/2018)

Sunday, June 24, 2018

DIY Wireless Fox Hunting Lab

Wireless Fox Hunting is a high-tech version of Hide-and-Seek. Except in this version, one person (the fox) hides, and multiple people seek after them. Additionally, as this game is about RF signal hunting, the foxes don't need to hide out of sight and are often walking among unperceptive seekers.

Accurate depiction of a Wireless Foxhunt

If you're looking to participate in a Wireless Village CTF, then you will need to learn how to hunt the foxes and have lots of practice doing it. If you're interested in learning how to perform a fox hunt, then I'd suggest looking into SANS SEC617: Wireless Penetration Testing and Ethical Hacking. This post will be about putting together the resources for a practice lab.

Wednesday, October 7, 2015

Derbycon IoT Village CTF

Due to winning the BSidesCharm Wireless CTF, I missed out on Independent Security Evaluators' SOHO Router Hacking Workshop, which was a very enticing subject for me. I also missed out on attending Defcon due to a job change, and thus missed out on the IoT Village by the same organization. Come Derbycon, I was determined to attend their session. Sadly, they weren't holding workshops at this convention.

I initially settled for capturing packets from their lab of IoT devices for a future post for the I See Dead Packets blog. I did capture a bunch of NetUSB broadcasts along with other protocols, which will lead into a future post.

Saturday, April 18, 2015

BSidesCharm15 Wireless CTF

We've been participating in wireless CTFs for the past two and a half years, with the first being at BSidesDC '13. After Shmoocon '15, noticing how the wireless CTFs were growing to include SDR and complex wireless challenges, we decided to go after wireless competitions with a focus similar to any other competition. This focus and preparation allowed us to take first place at BSidesCharm'15.

Thursday, March 5, 2015

BkP'15 - School Bus - Web Challenges (Prudential/Symphony/Northeastern University/Museum of Fine Arts/Longwood Medical/Brigham Circle)

Many of these web challenges I surprised myself with. I learned PHP a long time ago, and barely used it ever since. Often I would look over and not see a vulnerability, or mistake the vulnerability. It wasn't until deeply researching the key lines of code that I found the actual vulnerability. Because of these vulnerabilities' ability to hide under careful reading, these challenges have taught me to be suspicious of any PHP code.

As a side note, Boston Key Party laid out their challenges this year on a map with 4 train routes. So these challenges are stops along one train route in Boston, but I prefer to imagine Mister Rogers' trolley making its way through the land of web development make-believe.

BkP15 - School Bus - Riverside

On the School Bus route of the Boston Key Party 2015 CTF, we found ourselves up against the Riverside challenge. (For those who aren't familiar -- as I wasn't -- Riverside is the name of a station in Boston and likely goes with the theme of public transportation lines used to liven up the standard Jeopardy-style CTF.)

Monday, March 2, 2015

PragyanCTF - Steganography - What you see is what you get.

This was my first time competing in the PragyanCTF and they did a great job. Each category had a variety of challenges with varying difficulty. Knowing this is a stego challenge, we should check whether there are embedded files within the JPEG they give us: stego_50.jpeg.

Using binwalk we can check for embedded files:

PragyanCTF - Misc - Are you a good ripper?

After downloading and unpacking the original file, we are given a file. After running the command 7z x, 7zip prompts us for a password.

Using fcrackzip, I specified a dictionary-type attack using the popular rockyou.txt wordlist in Kali. The location is /usr/share/wordlists/rockyou.txt.

About Crimson Agents

Formed in 2013, Crimson Agents is a DC-based recreational security team that competes in various computer security wargames and hacker jeopardy contests. Our team is composed of various professionals seeking to practice and enhance our skills in penetration testing, vulnerability development, computer network defense, forensics, and reverse engineering. In addition to exploitation-based CTFs, we also compete in Wireless CTFs with several members who focus solely on this domain. Our sister team Threat Inc focuses on defensive exercises such as malware analysis, forensics, honeypots, and network captures. We reuse what we learn from our "Blue Team" research to make our "Red Team" operations more effective and vice-versa.