Vulnhub SecTalks: BNE0x03 - Simple

Posted on 11 May 2016 in security • Tagged with msfvenom, security, vulnhub, metasploit, boot2root, linux • 3 min read

Simple homepage

As Droopy was not really hard and doesn't contain as many web vulnerabilities as I would have hoped for, I tried another VM: SecTalks: BNE0x03 - Simple. There were also hints in the description of the machine, but with my resolution they do not appear when just browsing the main page of vulnhub, so I have not spoiled myself with the hints this time.


Vulnhub Droopy

Posted on 10 May 2016 in security • Tagged with drupal, security, vulnhub, boot2root, linux • 5 min read

Droopy homepage

A few days ago, I installed a new pentesting box based on Arch Linux with Kali in a virtual machine. In order to test it I selected a light vulnbox on vulnhub: Droopy. There were two hints in the description of the machine on the vulnhub download page:

  1. Grab a copy of the rockyou wordlist.
  2. It's fun to read other people's email.

We will see how to use them in a moment :)


Vulnhub - FlickII

Posted on 13 Mar 2016 in security • Tagged with security, vulnhub, challenge, boot2root, linux • 13 min read

FlickII

Still playing with the vulnhub machines; this time it is the turn of FlickII. This one is different from the others as it has an associated Android application. It would be a great exercise to play with a mobile application, decompile it and see what is inside.


Auditing Exchange Server

Posted on 29 Feb 2016 in security • Tagged with security, exchange, microsoft • 4 min read

ExchangeAnalyser

Recently I performed an MS Exchange configuration review. For the "old" version of Exchange we can use the Microsoft Exchange Best Practices Analyzer (link is dead). For the new version of MS Exchange (2013 and 2016) the tools must be downloaded from the Office 365 market (link is dead). But most MS Exchange servers are not directly connected to the internet. That is why I used a tool developed by Paul Cunningham: Exchange Analyzer, available on GitHub.


Vulnhub - NullByte

Posted on 11 Sep 2015 in security • Tagged with security, vulnhub, challenge, linux • 5 min read

NullByte

After the Acid challenge I was really motivated. Therefore I had a look at another vulnhub machine I had already downloaded a while ago: NullByte.


Vulnhub - Acid

Posted on 11 Sep 2015 in security • Tagged with security, vulnhub, boot2root, linux • 6 min read

acid

Since Fart Knocker in June I have worked on another vulnhub machine: darknet. But this one is really hard and got me stuck. I was a bit demotivated to continue with vulnhub's machines, but I got some time this week, therefore I tried the Acid one.


Vulnhub - Fart Knocker

Posted on 16 Jun 2015 in security • Tagged with challenge, security, boot2root, vulnhub, linux • 6 min read

beavis and butthead

I continued to play with the vulnhub virtual machines and started the TopHatSec - Fart Knocker. This VM is a 32-bit Ubuntu 14.04.

The goal of this challenge is to break into the machine and root it.

If you beat the box then please shoot me an email! Have fun guys! P.S. I got the word "Fart Knocker" from watching beavis and butthead back in the day. Otherwise you kids might not understand :)


Vulnhub - Freshly

Posted on 20 Apr 2015 in Security • Tagged with challenge, security, vulnhub, boot2root, linux • 5 min read

not the droids

I continued to play with the vulnhub virtual machines and started the TopHatSec - Freshly.

"The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)"


CTF NDH Qualifications

Posted on 07 Apr 2015 in Security • Tagged with ndh, ctf, security • 12 min read

Logo NDH

This weekend (4 April 2015) the qualification round for the "Nuit du Hack" CTF took place, from 00:01 to 23:59. It was a Jeopardy CTF.

I participated with the Zenk-Security team. In the end we got 7th position and qualified for the final, which will be an Attack-Defense CTF in Paris in June.

I publish here the writeups for the challenges I participated in and wrote up. All the writeups for this CTF are accessible here (in French).


First April SSTIC challenge

Posted on 02 Apr 2015 in Security • Tagged with challenge, sstic, security • 5 min read

pixel view, resolution 750

The first of April is always the occasion for some great pranks. 2015 was a great year, as CERN confirmed the existence of the Force, Google published a mirroring website and Gentoo an old-fashioned one. In France we have a security event called SSTIC, for which tickets are very rare; therefore the SSTIC challenge allows those with the flag to reserve a ticket. An April prank challenge was posted yesterday.

