Collegiate Pentesting Competition
Another year, another competition. Like last year (see previous post), I spent a significant amount of time preparing since I haven’t messed with offsec tools in a while. I also thoroughly investigated past reports to try and find patterns in what vulnerabilities were present every year. Highly recommend this strat.
This year, we were penetration testing consultants for OuiCroissant, the owners of a mock social media company, Flakebook. We were tasked with testing both their internal networks and the web app for 8 hours, then had 7 hours afterwards to write a formal report of our findings. I’m happy to note that I found the two critical vulnerabilities described in the report. I used Metasploit to leverage an exploit for CVE-2019-9193 and be able to execute shell commands as the postgres user. From there, I was able to access the main database and see all user information, including passwords in plaintext. What a thrilling find! You can read more from our report here.
Although we again didn’t advance to nationals, I had so much more fun this time thanks to being better prepared. It’s always a cool opportunity to mess around with some real infrastructure. I’m sad this’ll be my last one, but I’m motivated to keep learning offsec skills!