Sorry, We are not Recruiting!

We are not actively recruiting at this time. We may have spots open after CSAW.

(updated: 3/22/2018)

Wednesday, October 7, 2015

Debycon IoT Village CTF

Due to winning the BSidesCharm Wireless CTF, I missed out on Independent Security Evaluators' SOHO Router Hacking Workshop, which was a very enticing subject for me. I also missed out on attending Defcon due to a job change, and thus missed out on the IoT Village by the same organization. Come Derbycon, I was determined to attend their session. Sadly, they weren't holding workshops at this convention.

I initially settled for capturing packets from their lab of IoT devices for a future post for the I See Dead Packets blog. I did capture a bunch of NetUSB broadcasts along with other protocols, which will lead into a future post.

Saturday, April 18, 2015

BSidesCharm15 Wireless CTF

We've been participating in wireless CTF's for the past two and a half years with the first being at BSidesDC '13. After Shmoocon '15, noticing how the wireless CTF's were growing to include SDR and complex wireless challenges, we decided to go after wireless competitions with the similar focus as any other competition. This focus and preparation allowed us to take first place at BSidesCharm'15.

Thursday, March 5, 2015

BkP'15 - School Bus - Web Challenges (Prudential/Symphony/North Eastern University/Museum of Fine Arts/Longwood Medical/Bringham Circle)

Many of these web challenges I surprised myself with. I learned PHP a long time ago, and barely used it ever since. Often I would look over and not see a vulnerability, or mistake the vulnerability. It wasn't until deeply researching the key lines of code did I find the actual vulnerability. Because of these vulnerabilities ability to hide under careful reading, these challenges have taught me to be suspect of any PHP code.

As a side note, Boston Key Party laid out their challenges this year on a map with 4 train routes. So these challenges are stops along one train route in Boston, but I prefer to image Mister Roger's trolley making its way through the land of web development make-believe.

BkP15 - School Bus - Riverside

On the School Bus route of the Boston Key Party 2015 CTF, we found ourselves up against the Riverside challenge.  (For those who aren't familiar -- as I wasn't -- Riverside is the name of a station in Boston and likely goes with the theme of public transportation lines used to liven up the standard Jeopardy-style CTF.)

Monday, March 2, 2015

PragyanCTF - Steganography - What you see is what you get.

This was my first time competing in the PragyanCTF and they did a great job. Each category had a variety of challenges with varying difficulty. Knowing this is a stego challenge, we should look if there are embedded files within the jpeg they give us: stego_50.jpeg.

Using binwalk we can check for embedded files:

PragyanCTF - Misc - Are you a good ripper?

After downloading and unpacking the original file, we are given a file. After running the command 7z x,  7zip prompts us for a password.

Using fcrackzip I specified a dictionary type attack using the popular rockyou.txt wordlist in kali. The location is /usr/share/wordlists/rockyou.txt

PragyanCTF - Android - Hackerz

When first getting this file, we were a little unsure about what steps to take for this challenge. As this was my first time attempting an Android based challenge I used the Googles for ideas.
While one team member was working on getting the circle.apk file to work with an emulator to see if that would provide us with any insight into the challenge I decided to work on unpacking the apk file as not to duplicate efforts. 

About Crimson Agents

Formed in 2013, Crimson Agents is a DC based recreational security team that competes in various computer security wargames and hacker jeopardy contests. Our team comprised of various professionals seeking to practice and enhance our skills in penetration testing, vulnerability development, computer network defense, forensics, and reverse engineering. In addition to exploitation based CTFs, we also compete in Wireless CTFs with several members who focus solely in this domain. Our sister team Threat Inc focuses on defensive exercises such as malware analysis, forensics, honeypots, and network captures. We reuse what we learn from our "Blue Team" research to make our "Red Team" operations more effective and vice-versa.