Tis the time of the year, when boys and girls gather around their computers, waiting for the clock to strike 12. They furiously press F5, Apple-R, and BOTNET_ACTIVATE.exe in hopes of having the quickest fingers and the lowest ping to get one of a few golden tickets. But alas, many are not quick enough or are forgetful of such a holiday. It’s a holiday of dedication, sacrafice, and passion. It’s ShmooCon Ticket Season!

But alas, for those who overslept their alarms, couldn’t connect on GoGo, or “had to work”, Urbane has a holiday gift for you!

Five Days. Five Challenges. Five ShmooCon Tickets.

The Rules

As Urbane is sponsoring ShmooCon, we have a few extra tickets. Winning one is easy…..ish.

• Every weekday for 5 days starting December 17th, Urbane will post one challenge on this page and announce the update via our twitter account (@UrbaneSec).
• Follow the challenge instructions on this page for that day. Submission and winner varies based upon challenge.
• ….
• WIN A FREE SHMOOCON TICKET!

Some finer print:

Winners will be announced the following day and contacted with instructions on receiving their barcode. Barcodes are NOT for resale and will be sent via e-mail to winners on January 15th, 2015 (the day before ShmooCon) in order to prevent resale. Reselling winning tickets will be subject to public shaming or voiding of the barcode. Submissions will be judged by a panel of biased judges. Submission of content provides consent and license for Urbane to use submitted content in conjunction with this contest. And no, we won’t sign you up for some crazy mailing lists. Rules subject to change on a whim. Questions? Email shmoo15@urbanesecurity.com. Comments? Email devnull@urbanesecurity.com.

The Challenges

#1: Report-Writing Wednesday

Difficulty Rating: Low

SUBMISSIONS CLOSED! – Congrats to @mrb0t for going beyond just writing up a full disclosure, but also creating a fake defacement.

We’ll start the contest off simple and steal from our BSidesLV Badge Challenge playbook.

There have been a number of interesting vulnerabilities this year and more companies than ever participating in Bug Bounties. While many of the findings out of these programs are crazy awesome, many submissions include “less than legit” vulnerabilities.

Your challenge today is to write a fake vulnerability/finding/PoC and “responsibly” disclose it (whatever that means) to shmoo15@urbanesecurity.com.

Previous winning examples include:

• XSS in any website POC:highlight the url, delete everything in the bar, type “javascript:alert(1)”.
• Information Disclsoure: Copy/Paste leaks information to other programs.
• User Impersonation Attack: Deface Ars Technica and leave Dual Core music so everyone blames Dual Core. (Legal has asked us to remind you to not drop 0Day and for the secret love of god, and we don’t mean the passwords in Hackers, don’t actually deface a site….again.)
• You get the point…

Winners will be picked based on quality and hilarity. Just like in life, it’s not about length but quality of submission and what you can do with it.

Submissions close on December 19th at 12:00 EST. Get to it!

#2: Throwback Thursday

Difficulty Rating: Low

SUBMISSIONS CLOSED! – Congrats to @nheafer

Welcome to #TBT (throw back thursday), where everyone posts things from just last week!

This challenge is easy, but might require a call to your parents. You should call them anyways.

Submit your best real picture of you as a child (think grade or high school) geeking/nerding out to shmoo15@urbanesecurity.com (either as an attachment or as a imgur/etc. link). Examples include

• The LAN Party at Eugene’s dad’s house.
• Your basement electronics lab.
• Celebrating the Comic Books you just got for Christmas.
• That 486DX your parents just bought (or the IBM 519 and your deck of cards)
• Your first amateur radio swap meet.

Only one submission per person, so make it count! Winners will be picked based on cuteness and the number of “awwwes” raised by a panel of mothers.

Submissions close on December 20th at 12:00 EST. Get to it!

#3: CTF Friday…

Difficulty Rating: High

SUBMISSIONS CLOSED! – Tickets going to @sibios for the best entry and runner up @JimGilsinn as an A for Effort! The only two who submitted. Should have tried 😉###

Every weekend another CTF is popping up (just like cons – gotta catch them all!) and with every CTF, we see our ability to reverse, hack, and decipher put to the test.

This weekend, you’re on the other side of the table…. so to speak.

It’s time for you to develop and code out a multi-stage CTF challenge (in which the answer from one provides information or access to get to the next stage). Ideas? We’re not providing any this time. Details:

• Create one CTF challenge that has at least 3 “steps” to solve (i.e. 3 different types of hacks, a combination of decipher/hack/reverse, hack/decipher/hack, decipher/crack/hack/hack/hack/crack/decipher etc.). Shoot for 300-500 point level (out of 500). & As some “steps” may require specific system configurations (i.e. ssh keys, certain versions of a lib, compile flags), please document such. There’s no need to send us a full on VM.
• Keep it original. No copying and pasting a previous CTF challenge that was released.
• Submit the source and (when applicable) challenge items with details on how to solve them in a compressed format or mega upload via email to shmoo15@urbanesecurity.com.
• There may be bonus points if you actually stand up the challenge or create a VM for it….or there may not be. We just work here.

Unlike the previous challenges that required less effort, we’re treading a little more carefully on this. We may post high-level details on your challenge, but we will /not/ disclose the exact details of your challenge source/items without your written consent. No need to burn great work!

You have until 12:00 EST on Wednesday, December 22nd to submit. Don’t hesitate to email if you have questions.

#4: Monday Morning Calls

Difficulty Rating: Medium

Monday morning conference calls are the worst. Even worse is trying to remember all the various PIN codes for the bridges.

This time, your challenge is to figure out the 3 different 7-digit conference bridge codes for the number below:

860-94-SHMOO (860-947-4666)

Winner will be the first person to figure out the 3rd code and contact us via the instructions left in the message.

Your usual notes:

• No brute forcing, but multiple guesses are ok. There are some block measures in place, and some you just can’t brute force past.
• Winner will the the /first/ person to figure out the code
• We will release periodic hints based on questions submitted to shmoo15 [at] urbanesecurity.com

But where do you start? Here’s your first clue:

I wOn’t tell your SecreTs. your sEcrets are Safe with mE.

#5: Tuesday Travel

Difficulty Rating: Last Chance!

If you were waiting till now for things to get easier, you were sorely mistaken. Day 5? No new challenge. Most of us are traveling back home to spend the holidays with family. As no one has yet solved the Monday Morning Calls challenge, we’ll keep it running until the first one does. Don’t forget our previous clues!