Security

SANS Holiday Hack Challenge 2018

Introduction

The following post outlines the technical steps taken to complete the SANS Holiday Hack Challenge 2018. A copy of the PDF of this post is available HERE

Cranberry Pi Challenges

The Name Game

https://docker.kringlecon.com/?challenge=pwshmenu

We just hired this new worker,
Californian or New Yorker?
Think he's making some new toy bag...
My job is to make his name tag.
Golly gee, I'm glad that you came,
I recall naught but his last name!


Exploiting XXE Vulnerabilities in Apache NiFi

Introduction

I’ve based this write-up on a fantastic one published by Chris Davis from Counter Hack on the SANS Pen-testing blog. The actual exploit itself is one that has been acknowledged and fixed in the latest public build of NiFi (1.4.0). The reason for this post is purely for educational purposes, as I’d worked with XML External Entity attacks in the past, but never fully understood how and why they work.


SANS Holiday Hack Challenge 2017

Introduction

The following post outlines the technical steps taken to complete the SANS Holiday Hack Challenge 2017. A copy of the PDF of this post is available HERE

North Pole and Beyond

Story

The online portion of this year's SANS Holiday Hack can be seen in the following overworld map. Each level had a few places where points could be earned:

A physics-based Snowball challenge where you were required to complete a set of level-specific challenges by directing a snowball around a map.
