
WiCyS Scholarship Update

WiCyS/SANS Scholarship Update:

Recently passed GFACT with a 100% score! I'm almost 2 weeks into the SEC401 materials for GSEC as of writing, and I just completed 100% of the video portion. Much of the content I've studied before, so I'm focusing mostly on the new portions as I prepare for my first practice test.

CTF Preparation

I signed up for the Capture The Flag (CTF) at the WiCyS conference in Dallas! I thought about creating a VM in a public cloud provider, like AWS, to run my Kali box from, but instead I'm just going to run it from my laptop. I have an RTX 2060 in the laptop, so for a CTF I'd imagine that's plenty of compute for any hashes I may need to crack. With hashcat using the GPU, it exhausts the standard rockyou wordlist in about 30 seconds. Even with any mutations, I'm sure compute will not be a bottleneck.

I am planning to build a POST endpoint on this domain, or maybe my other (currently) unused one, so that I can send data to it, if needed, during the CTF. It seems like I've run into situations in the past where having a publicly accessible IP or domain that data could be POSTed to was useful for some CTF challenges. I'm imagining a scenario where you suspect you have blind OS command injection, meaning the output of the commands you're executing is not being returned, but you're unable to pop a reverse shell, maybe due to lacking privileges.

Keep an eye out for a blog post on the POST endpoint. Currently I'm leaning toward storing the data in Cloudflare R2. I'm pretty positive I could capture and store the data just using the structure of this blog, with it being built using Next.js. There's already an API endpoint for the mailing list (that I removed); all I'd have to do is add in the Cloudflare R2 package(s) and tie it together.

Not much else to report at the moment. The warmer weather has me excited to break out my mountain bike for the first time!