Last week, we celebrated the 13th edition of Ekoparty. The event, which takes place every year in Buenos Aires, Argentina, is one of the biggest security conferences in the LatAm region. The conference is the flagship hub in South America, bringing together hackers, security researchers, security professionals and people who are interested in the scene. It allows everyone to come together to see what's happening in the industry, learn something new and meet up with friends.
This year, Infobyte, on top of being one of the organizers of the conference, had Faraday as an official sponsor of the event, and we also decided to organize a challenge for the attendees for the first time.
As in past editions, preparing the stand was a huge team effort, and this year was no different. Every year, we try to make an interactive space where you can get to know the company and hopefully have a bit of fun :) This year the stand included a drone racing course, demos of everyone's favorite pentesting and vuln management platform (Faraday), new merch and, for the first time, a Mini CTF! With a PS4 for the first place winner!! (Not bad, right?)
The challenge consisted of attacking a server that hosted a number of web challenges: some involved source code review, plus a reversing challenge and binary exploitation (for those of you who enjoy IDA or OllyDbg). We also had a "special" challenge that required hacking a drone (for all you IoT fans).
First Prize: Playstation 4 - 500 GB.
Second and Third Place: Drone Eachine e011.
When we were making the Infobyte challenge 2017, we set ourselves certain objectives with different ideas in mind:
The challenges should be associated with a vulnerability.
They should be developed in a real-world scenario, where someone needs to discover vulnerabilities and report them.
The challenge should have diversity, so that the participants can show their skills in pentesting, web applications, code review and reversing.
They should be integrated with Faraday, our platform for vuln management and collaborative pentesting.
Following our objectives as closely as possible, we put together challenges to fit everyone's tastes, covering not only different vulns but also different difficulty levels. After the challenge, there were even a few vulns that were never solved, and they remain active for other challenges and CTFs.
Some of these challenges involved:
Simple concepts, such as doing a port scan with Nmap and discovering a high port with a service that returned the flag if someone connected to it several times, or an open redirect whose redirect response carried a special header that contained the flag.
A couple of trickier challenges, such as a vsftpd service with a custom backdoor. There you found the source code in a backup file, and by reviewing the difference between the delivered source code and the original version of the service, you were able to find the backdoor!
We included an XXE, which was fairly easy to exploit, but you needed to know that the stream wrapper for reading the flag hidden in the xxx.php file was php:// and not file://, because file:// was already filtered.
A different challenge consisted of hijacking a drone that we had at the stand. (No one solved it, but one of the participants was really, really close.) We want to give a shout-out to everyone who participated, and stay tuned: we're going to publish the details of how to solve it here on the blog :)
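To make the XXE point concrete from the defender's side, here is an added example (not code from the challenge server) that contrasts a blocklist on the file:// scheme, which other libxml stream wrappers such as php:// walk straight past, with the real fix: refusing to resolve external entities at all. The sample document and the file path in it are constructed and hypothetical.

```php
<?php
// Added example, not the challenge's code. Shows why blocking "file://"
// does not fix an XXE, and what does. The path below is hypothetical.

// Constructed input: an external entity that uses the php:// wrapper,
// which a file:// blocklist never matches.
$sampleXml = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY secret SYSTEM "php://filter/resource=/hypothetical/flag.txt"> ]>
<note>&secret;</note>
XML;

// Fragile: a scheme blocklist like the one in the challenge. It rejects
// file:// but lets every other wrapper through, and LIBXML_NOENT then
// substitutes the external entity into the parsed document.
function parseWithBlocklist(string $xml): ?string
{
    if (stripos($xml, 'file://') !== false) {
        return null;                          // "filtered"
    }
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);        // NOENT enables entity substitution: the XXE
    return $doc->documentElement->textContent;
}

// Hardened: no entity substitution, no network access, and an entity
// loader that refuses every external resource regardless of scheme.
function parseHardened(string $xml): ?string
{
    libxml_set_external_entity_loader(static fn () => null);
    libxml_use_internal_errors(true);         // collect parse errors instead of warnings
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) { // note: no LIBXML_NOENT, no LIBXML_DTDLOAD
        return null;
    }
    if ($doc->doctype !== null) {             // defence in depth: no DOCTYPE at all
        return null;
    }
    return $doc->documentElement->textContent;
}

// The php:// payload sails past the blocklist and the parser attempts the
// read; the hardened parser rejects the document outright.
var_dump(parseWithBlocklist($sampleXml));
var_dump(parseHardened($sampleXml));
```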
30 teams registered and 7 were active participants.
Check out the point breakdown:
Congrats RL_TEAM, CSALAZAR and NULL for taking the top 3 spots!!!
From everyone here at Infobyte, we were happy to be able to organize this activity and to see everyone working hard, learning new things and enjoying themselves. Seeing this passion is why we organize Ekoparty every year. For every one of you!
Thanks to everyone for participating, and we hope it was as fun for you as it was for us. See you next year! (Contribution by Josh Mador)