We are Recruiting!

Yes! We are actively recruiting individuals from the MD/DC/VA area for online, on-site, and wireless CTFs.

To join our team, solve this simple puzzle/captcha to find our New Member Orientation, which contains a link to our Discord server.

aHR0cHM6Ly9nb28uZ2wvNjJFVmpD


Friday, November 7, 2014

Kaizen @ National Business Park

On Tuesday, November 4th, 2014, several of us participated in the Kaizen-CTF. This wasn't quite a Crimson Agent function, as any collaboration was against the CTF rules, but several of us were present.

The format of the CTF consisted of 18 challenges, most of which were downloaded and required some analysis. Many of the challenges were locked until previous challenges were completed. I felt most of the challenges covered basic tasks. A notable exception was the Android Forensics challenges, which I really enjoyed. In comparison to a CTF such as CSAW, most of these challenges would fall in the 100-200 point range. However, Kaizen-CTF was a three-and-a-half-hour competition, whereas CSAW is 48 hours. This made time management as important as solving the challenges themselves.

Final Scoreboard
As one can see from the scoreboard, I skipped the coding and crypto challenges I felt would be too much of a time-sink. One example was to find a string from a pcap file that matched an MD5 checksum; another involved creating a custom wordlist for John the Ripper (very similar to work I've done here: https://github.com/maetrics/john-scripts). Were I completing these challenges with a team, I would have switched into coder/brute-force mode and let my teammates perform the more manual work.

Though I was carefully managing my time/points, I would eventually lose my hold on third place due to taking a wrong but interesting path. On WebExp 3, the challenge involved getting data from a MySQL database. I unwittingly found my way onto the CTF's Amazon MySQL server, believing it to be the rightful target. I found out after the competition that this turned out to be the infrastructure database. It appears they thought they had prevented players from discovering this, but I had found a way around it. Sadly, no points for unwittingly finding a vulnerability in the CTF, but it was reported.

Me on the right
Overall, I walked away with fifth place out of 40 contestants and another copy of the Red Team Field Manual, and I was the only one to complete the Binary Exploitation challenge. I will not be writing a per-challenge write-up as I normally do, since they re-use these challenges.

My suggestions for future Kaizen CTFs would be, first, more challenges, as it was almost possible to do all the challenges in the limited time. Having twice as many challenges would increase the pressure and give people more routes to score points. Second, Crimson Agents would have loved to play as a team, so a team version would be nice. Lastly, I would like to see Kaizen include challenges that reflect new techniques and research that has come out in recent years.

But don't let these critiques give the impression that we didn't enjoy ourselves or the contest. This was certainly the best way to spend election night. I and others from our team would enjoy doing it again.

About Crimson Agents

Formed in 2013, Crimson Agents is a DC-based recreational security team that competes in various computer security wargames and hacker jeopardy contests. Our team is comprised of various professionals seeking to practice and enhance our skills in penetration testing, vulnerability development, computer network defense, forensics, and reverse engineering. In addition to exploitation-based CTFs, we also compete in Wireless CTFs with several members who focus solely on this domain. Our sister team Threat Inc focuses on defensive exercises such as malware analysis, forensics, honeypots, and network captures. We reuse what we learn from our "Blue Team" research to make our "Red Team" operations more effective and vice-versa.