CySCA 2015 - Corporate Pentest 0.0 - Danger Zone

Similar to last year, we perform a DNS zone transfer (AXFR) request against the domain's name server, which lists every record in the zone and reveals the flag.

$> dig -t axfr ecwi.cysca @ns.ecwi.cysca

; <<>> DiG 9.8.3-P1 <<>> -t axfr ecwi.cysca @ns.ecwi.cysca
;; global options: +cmd
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
ecwi.cysca.     86400   IN  NS  ns.ecwi.cysca.
ecwi.cysca.     86400   IN  A   172.16.5.80
ns.ecwi.cysca.      300 IN  A   172.16.5.53
proxy.ecwi.cysca.   300 IN  A   172.16.5.30
support.ecwi.cysca. 300 IN  A   172.16.5.85
www.ecwi.cysca.     300 IN  A   172.16.5.80
zonetransferflag.ecwi.cysca. 300 IN TXT "FLAG{749929CE145DD73A8D1530E2170B1587}"
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
;; Query time: 221 msec
;; SERVER: 172.16.5.53#53(172.16.5.53)
;; WHEN: Wed Sep 30 19:35:44 2015
;; XFR size: 9 records (messages 1, bytes 289)
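As an added example (not part of the original write-up or of CySCA), the following Python parses `dig -t axfr` output like the one above into records and summarises what an open zone transfer exposes to anyone who asks: the full host list, TXT data, and the zone serial. The sample input is constructed from the records shown above; the function names `parse_axfr`, `exposure_report` and `unexpected_hosts` are mine, and the "published" host set in `unexpected_hosts` is an assumed list of names an operator intends to be discoverable.

```python
"""Parse dig AXFR output and report what the transfer exposed.

Added example for this write-up, not code from the original post or from
CySCA. The sample below is constructed from the records shown in the post.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: the dig AXFR output from the write-up. dig prints one
# record per line (name, TTL, class, type, rdata); comment lines start with ';'.
SAMPLE_AXFR = """\
; <<>> DiG 9.8.3-P1 <<>> -t axfr ecwi.cysca @ns.ecwi.cysca
;; global options: +cmd
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
ecwi.cysca.     86400   IN  NS  ns.ecwi.cysca.
ecwi.cysca.     86400   IN  A   172.16.5.80
ns.ecwi.cysca.      300 IN  A   172.16.5.53
proxy.ecwi.cysca.   300 IN  A   172.16.5.30
support.ecwi.cysca. 300 IN  A   172.16.5.85
www.ecwi.cysca.     300 IN  A   172.16.5.80
zonetransferflag.ecwi.cysca. 300 IN TXT "FLAG{749929CE145DD73A8D1530E2170B1587}"
ecwi.cysca.     86400   IN  SOA ns.ecwi.cysca. admin.ecwi.cysca. 2015070401 28800 7200 864000 86400
;; Query time: 221 msec
"""


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# name  TTL  IN  TYPE  rdata...
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text: str) -> List[Record]:
    """Return the resource records in dig AXFR output.

    Comment lines are skipped. An AXFR is bracketed by the zone's SOA, so the
    duplicate closing SOA is dropped to leave one copy of each record.
    """
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
    if len(records) >= 2 and records[0].rtype == "SOA" and records[-1].rtype == "SOA":
        records = records[:-1]
    return records


def exposure_report(records: List[Record]) -> Dict[str, object]:
    """Summarise what a successful transfer handed out: every host with an
    address, all TXT data, and the zone serial (useful for change tracking)."""
    hosts = sorted({r.name for r in records if r.rtype in ("A", "AAAA", "CNAME")})
    txt = [r.rdata for r in records if r.rtype == "TXT"]
    soa = next((r for r in records if r.rtype == "SOA"), None)
    serial = int(soa.rdata.split()[2]) if soa else None
    return {"hosts": hosts, "txt": txt, "serial": serial}


def unexpected_hosts(records: List[Record], published: Set[str]) -> List[str]:
    """Names present in the zone that are not in the operator's intended
    public set; these were learned only because the transfer was allowed."""
    return sorted({r.name for r in records} - published)


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(exposure_report(recs))
    # Assumed 'published' set: names the operator meant to be discoverable.
    print(unexpected_hosts(recs, {"ecwi.cysca.", "www.ecwi.cysca.", "ns.ecwi.cysca."}))
```

On the defending side, a transfer like this succeeds only because the server answers AXFR from any client; in BIND that is closed with an `allow-transfer` option in `named.conf` restricted to the secondary servers' addresses (or `none`), and the same parser can be pointed at a transfer from an authorised secondary to audit what the zone actually contains.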

CSESoc Hackathon

A couple of weeks back, the society I am a member of at Uni hosted a hackathon event, sponsored by Freelancer. For the uninitiated, a hackathon is an event where programmers literally turn pizza and drink into applications/code. (But in all seriousness, it’s an event where programmers develop a cool idea in a small timeframe and compete to be the ‘best’ product.)

I formed a team with 2 friends from Uni. We set out to build a web platform for students of UNSW to list projects they have worked on in an easy to use web directory that they could use for employment and their own portfolio.

The webapp is written in Python/Python-Flask, uses MySQL as the backend (because mongo hates many-to-many relationships), and uses Bootstrap to style the frontend, statically served from the server.

We wanted the following features from the service:

  • A project has:
    • Web URL
    • Download URL
    • Marketing URL
    • Markdown formatted description
    • Ability to upload screenshots of the project
    • A project can have multiple contributors
  • Project Page:
    • Showcase of all projects the user has worked on
    • About me for the user
    • Show who the user follows
    • Show who is following the user
  • Home Page/General:
    • A-Z listing of all projects
    • Show latest 3 projects on the home page “ShowCase”
  • Logins use UNSW’s LDAP service, so it’s all UNSW SSO.

There are some additional features we wish to work into it, such as reading README.md from GitHub projects.

There are a few bugs hanging around still, along with some non-implemented features, such as multiple contributors for a project. We’ll eventually get around to these, and finally launch it!

We plan to put it up on http://showc.se/, a domain I purchased for the project. It’s a nice play on words: it is a valid regular expression that matches “ShowCase”, and it is also a play on CSE - Computer Science and Engineering.

It’s probably important to note that we came first in the Hackathon, each of the team members winning a UE Boom portable bluetooth speaker thanks to Freelancer!

Stick around for more, I’ll update this post when it’s live!

CTF Season

It’s currently CTF season, and as a member of UNSW’s security society, that means I get to play!

We began the season with CSAW CTF, where we (team K17) placed 1st in Australia/10th overall.

I did not participate in this CTF as much as I would have liked to, since I was already preoccupied with the CSESoc Hackathon; however, I did lend a hand with Web 500 - a fake dating website where the aim was to recover Donald Trump’s TOTP key as well as his password. I managed to solve half of the challenge by finding an SQL-injectable CSP reporting endpoint, where I dumped a password hash and other info about the account. We recovered the password hash using a dictionary attack; however, the full solution required dumping of source code to determine how the TOTP key was generated, which another member of the team did, and thus solved the challenge.

The following weekend, Trend Micro CTF was running, which K17 also played in. We ended up coming in at 1st place globally out of 359 teams - a fantastic effort. Once again, I only participated lightly in this CTF. I worked on an Android APK reversing challenge, which I solved over the space of 2 hours. I will post a write-up of this challenge soon!

Additionally, I was selected to play in CySCA (Australia’s Cyber Security Challenge) for UNSW3. UNSW entered 5 teams. My team (of 4) placed 3rd overall in the competition, but the entire UNSW effort was also amazing:

  • 1st: UNSW1
  • 2nd: UNSW2
  • 3rd: UNSW3
  • 4th: UNSW4
  • 29th: UNSW5

I’ll be posting my write-ups over the next few weeks, explaining my solutions to the problems that I solved for these CTFs!

September 2014 Progressive/Deep House Mixtape

A musical adventure through progressive house, deep house, dance and indie dance.

Quadcopter Update

It’s been a while since my last quadcopter post – mainly because I’ve been in the UK and didn’t take it with me.

The day that I left for the UK, the new frame that I ordered for the quad arrived. Every time I upgrade to a new frame, the quad seems to shrink in size.

This new frame has quite a small wingspan, resulting in a downsize in propellers to a smaller 5″ diameter. It does however have a much lower weight footprint. Weighing in at only 58g, it’s 20g lighter than the old frame and has much more room for cable management and a nice place underneath (which I’ve modified) to hold the battery safely during flight.

Overall, I’m pretty happy with the new frame; I do hope, however, that it will be wide enough to still be able to freely manoeuvre the quad.