User Tools

Site Tools


trophycase

Trophy Case

Over the years we have participated in and organized many events. This page lists notable ones.

Overview

Items are tagged as Event, CTF or Hack.

  • '17 Feb Huge Leap and NEXT are FHICT events at which we organized workshops.
  • '17 Jan SecureLink CTF: 2nd place!
  • '16 Dec We hacked LeftClick systems used in many Fontys buildings.
  • '16 Nov RuCTFe: 82nd out of 133. We need to get better at attack/defense CTFs.
  • '16 Oct PvIB CTF: 1st place!
  • '16 Sep H4ckIT CTF: 133rd out of 460.
  • '16 Jun ExamPC Fontys' IT department asked us to hack an exam environment. We found various vulnerabilities.
  • '15 Oct PvIB CTF: 1st place!
  • '15 May HITB CTF: 11th out of 19. First on-site CTF, we went in just hoping to get more than zero points!

Linked events are explained in more detail below.

Huge Leap and NEXT

The first and second week of February 2017, Fontys organized Huge Leap and the NEXT week for the English and Dutch students, respectively. On both events we had a Hatstack Village at which we did lockpicking, a CTF and workshops like a crypto party.

Lock picking was popular and at NEXT 39 people took part in our CTF. A honorable mention should go to Glocom who managed to solve all but the hardest crypto challenge!

LeftClick Players

December 2016 - January 2017.

In many Fontys buildings, LeftClick Player systems are used to display information and promote activities or events. B4 noticed there was a tiny computer behind each screen and wondered how they had secured it. Together with Xesxen, Libra and Luc, the screens were hacked in short order and a report was delivered to LeftClick BV as well as Fontys' IT department to allow them to resolve the issues.

LeftClick thanked us for the report and noted that, ironically, next month they were going to launch a new version of their systems which resolves everything we found. On February 23rd 2017 we will receive them!

ExamPC

June 2016. No wiki page available.

ExamPC is a service developed by Fontys Dienst IT (Fontys' IT department). It's a USB stick that people can boot from on their own laptop to do exams. The idea is that after booting, you cannot access the files on your laptop's internal hard drive, cannot access websites except for a few whitelisted ones, etc. Dienst IT asked us to see whether we could crack the environment. As reward, the “best” one would receive a Garmin smartwatch of about 135 euros.

Libra and Luc were the main contestants and they found almost identical vulnerabilities. Among other, more theoretical issues, one could:

  • Find a program Dienst IT developed to tell the exam's invigilator who was logged in and extract the database password from it.
  • Exfiltrate data from the system by appending it to PDF files, since it won't be shown in the PDF. Could be used to exfil the spy program for later analysis.
  • Modify files on the USB stick before booting from it, allowing you to:
    • cheat by putting files there
    • get root by `cp cmd.exe utilman.exe`
  • Do DNS requests for arbitrary domains and record types, allowing to put notes in DNS, perhaps even setting up a DNS tunnel.
  • Go to the FHICT portal which contains a chat feature.
  • Run arbitrary binaries or bat/vbs files.
  • Connect via RDP to internal servers, if you set one up or find one with credentials, this would allow you to connect out.

In the end, Luc officially won but Max' results were so close that both received a smartwatch

trophycase.txt · Last modified: 2018/10/14 18:42 by 159.148.186.25