CySCA 2015 Writeups

I’ve recently published all my writeups for CySCA 2015’s Web Pentest component as well as Corporate Pentest; however, Corporate Pentest is incomplete.

Corporate Pentest

Some writeups based on my experience during the competition. This was the first time I had ever experimented with corporate pentest style problems, hence why I did not get very far. I do, however, wish to share my experience.

  1. Danger Zone
  2. Sales Pitch
  3. Explain This: Sales Pitch
  4. Murphys Law
  5. Flash Flood

Web Applications Pentest

Whilst writing these writeups, I actually stepped through them using the CySCA 2015 challenges, rather than guessing them from the notes I had taken during the competition.

CySCA have yet to release a “CySCA In A Box”, so I thought, rather than making the challenge work just for me, it would be beneficial to create a Vagrant environment so that anyone can get the challenges up and running in no time at all.

Head on over to this repo/page on my GitHub for instructions on getting set up.

  1. In Plain Sight
  2. Bots Dream Of Electric Flags
  3. The Eagle Has Landed
  4. Love Letters
  5. Business Excellence
  6. Turn It On And Off
  7. Terminal Situation

If you’ve got any questions, feel free to tweet me: @nickw444

CySCA 2015 - Web Application Pentest 6 - Terminal Situation

Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

It’s no coincidence this challenge is called Terminal Situation: we have a terminal sitting right in front of us.

CySCA 2015 - Web Application Pentest 5 - Turn it On & Off Again

As an executive, we notice we’ve got some additional functionality. We notice another menu item “IT Support” and the “Executive Board” option on the home page.

CySCA 2015 - Web Application Pentest 4 - Business Excellence

We need to gain access to the CVO’s (Angelina’s) account. To do this, we will most likely need to steal a cookie. We take a look in the leave details section and put in a leave request to see if it’s XSS protected. Additionally, we notice that the session cookie on this website is not HttpOnly. Time to steal.

The browser prevents JavaScript from accessing HttpOnly cookies; hence, if the cookie were HttpOnly, we would be looking in the wrong place.

We do the naive thing and just put <h1>Hello</h1> in. However, the ticker spits out “WARNING: XSS detected! You have been reported.” Additionally, it appears the XSS is stripped client-side too.

CySCA 2015 - Web Application Pentest 3 - Love Letters

Now that we’re logged in, let’s take a poke around and see what we’re dealing with. There appear to be sections to:

  • Apply for leave, where we submit a text request. Maybe XSS or Injection on this?
  • Staff Directory, details about different staff members.
    • The “Network Administrator” has some binary in his profile. We’ll decode that later.
  • There seems to also be a message board. Maybe XSS or Injection.
  • There’s also a mail inbox.