Hello, fellow information security enthusiasts!
Yesterday we reminded everyone of the upcoming competitions, namely CyberSeed on March 4th, National Cyber League the weekends of March 31st and April 14th, the NCAE CyberGames on either Feb 18th or March 11th, and the graduate student exclusive CPTC for next semester. Please, if you are interested in forming a team, let us know on Discord so we can plan accordingly, especially for CPTC as it involves writing a business proposal as part of the application.
We are also planning on showcasing a tool-of-the-week every week! This week’s tool is Lynis, a security auditing and compliance scanner for Linux, MacOS, and other Unix-like operating systems. If you have a Mac or Linux machine of your own or if you have a VM spun up, feel free to download and try this tool. You may find out some unsavory things in your machine’s configuration!
We are also planning to do a weekly challenge that members can complete outside of the club to earn badges. This week, we will be doing a steganography challenge. We will be announcing the challenge on the #weekly-challenge-chat channel in Discord, and you’ll be able to post the solution you found on the #weekly-challenge-submission channel. Spoiler tags are required for anything sent in the latter channel, so do not forget! We will be announcing the challenge sometime this week so keep an eye out. If you need help, this page is an incredible resource for steganography.
As for what went down in the club, we showcased two exploits: one which takes advantage of Chrome’s autofill passwords feature to steal someone’s password, and the other is a simple SQL injection attack on http://demo.testfire.net.
The first one involves these steps:
- Open Chrome/Firefox and go to a website that you’ve saved a password to and has auto-fill setup in your browser.
- Right click the password box and choose “Inspect Element”
- Change the type=”password” field to type=”text”
- You should be able to see your password in cleartext
As for the second one, we asked members to research on their own how to perform a simple SQL Injection Attack. They were able to successfully do so on http://demo.testfire.net, a site which is purposely vulnerable. If you find out how to do so on your own and show us proof on Discord, we’ll happily give you a badge for completing the task.
That was it for this week. Make sure to check out the Community page to see how fellow club members are doing!