Fristileaks meetup and its vuln VM


Organizing a meeting and filling the agenda

Last Friday, 11th of December, was another episode of the loosely organised hacker-meetup called Fristileaks. Originally I had asked on Twitter if there was another meeting scheduled, and got told that if I wanted a meeting I should organise one.

So I did; Fristileaks “Unlock my Pad” was born and both me and @Barrebas wanted to do something with lockpicking. That became the first item on the agenda. People said it also needed more cyber, so I volunteered @barrebas to give his ROP talk that he gave at BSidesLDN this year.

This however was still a little low on interesting things for a whole evening. Thankfully another regular, Anne Jan Brouwer, was kind enough to step up and give a little presentation about an open source password manager project he runs called QtPass.

However, I felt it needed something to keep people busy in between. So I figured I’d make a vulnerable VM that should be hackable in about 4 hours, by someone with some experience in the field. Thanks to some testing and talking to both dqi and barrebas, this only took me a few hours.

The meeting

The location of the Fristileaks meetup was sponsored by @DearBytes who by proxy of another regular Fristileaks attendee, Rik van Duijn, supplied not just a location, but also some beer, Club Mate and a few snacks. Many thanks for this! Other attendees supplied some Fristi (how could we have a Fristileaks without Fristi!), cola and other beverages and snacks.

Both me and barrebas were royally late, because the weather sucked, it was a bit more driving than 2 hours and the location was rather hard to find. You wouldn’t really expect a SOC to be located above a shopping center, at least we didn’t!

Once at the meeting, about 12 to 15 people had turned up; not unexpectedly, no one on the “I might come” list came ;) Bas started up with his ROP talk, which was obviously geared at an audience that had a bit more exploit development experience than most there present. Still, it was a very interesting talk and gave me at least more idea about the how/why of Return Oriented Programming.

We brought out the locks and lockpicks after that and had quite a bit of fun trying to pick some of the locks. A lot of people had never attempted lockpicking before, so gladly I brought some super easy locks. Interestingly barrebas ended up really sucking at lockpicking, even compared to the other first-timers ;)
I had bought a set of “4 for 5 bucks” locks, thinking they would be rather trivial to pick, and I spent most of the evening being frustrated with those locks… they were obviously not very trivial even for such incredibly cheap locks.

Anne Jan’s talk was quite interesting; I had never heard about the project myself. It was cool to hear how a project by someone can be received so enthusiastically by the community, and then also contributed to by others when they wanted features added. He’s been quite successful with getting QtPass into various distributions too!

In between this all I had thrown around 2 USB sticks with the .ova of Fristileaks, the hack-me VM I made. It was interesting to see people poke at it and how their thought processes went. However in the end only @rikvduijn came close to winning the lockpick set during the meeting. However the deadline passed and me and Bas still had a 2.5 hour drive home, so I took the prize, a 5 piece lockpick set, back with me. (However by the time I came home, I had received a tweet that he got the flag and root).

Fristileaks 1.3 VM, and a writeup-competition

I figured other people might enjoy this little VM too, so had it put up on VulnHub, a well-known resource for hackable VMs. So you can now enjoy this little challenge too! You can download it from here. FYI: if you have issues with DHCP, try manually setting the MAC address to 08:00:27:A5:A6:76

Because I was still stuck with a 5 piece lockpick set, and most of the regulars of VulnHub are sticker-crazy, I decided to throw a competition for this VM.

If people submit a writeup about how they got root and the flag before the 1st of January 2016, I will decide a winner, and a few runners-up. The winner gets the lockpick set and a few stickers, and the others just some stickers. Just send me a tweet with your writeup, can even be a GitHub gist if you don’t have a blog :) Make it amusing or interesting to read, and you might win some of these limited stickers!

tl;dr: had fun for an evening at Fristileaks hacker meetup in Den Haag, and made a vulnerable VM.