Race to Root

Unless you've gotten to this blog by freak accident, you are certain to be aware that next week is Black Hat USA 2014, and of course, we'll be there. You can find us at Booth #541, where we'll be running the Metasploit Race to Root, using the latest pre-release build of Metasploit Pro.

Now, this is not just a contest to see who can get their badge scanned the fastest. Oh no. This is a real, hands-on micro-sized capture the flag competition, run by our capable and talented in-house Metasploit experts, and we think it'll be a pretty fun experience. Like with most CTFs, you get to play the role of attacker, and your goal is to escalate privileges on the target network from a local user to Domain Administrator in the fastest possible time. Lucky for you, Metasploit's redesigned credential management makes this challenge pretty cake. We're confident that you'll be surprised (and possibly terrified) at how fast a a minor breach can turn into a total network-wide root compromise.

In addition, there are some pretty cool prizes on the line for the people who clock the fastest times. The first place winner will be awarded with a full, year-long license to Metasploit Pro, so that he or she may continue to pursue a career as the clearly brilliant and efficient hacker he or she is. Our second place winner will get a pair of our snazzy "Rapid7 Orange" Beats by Dre headphones, which should prove useful for drowning out the jeers from the aforementioned first place winner.


In addition to the Race to Root, we're also kicking off a month long contest for you exploit developers. Between August 1, 2014 and September 1, 2014, we're running Loginpalooza, a challenge to our open source developer community. If you're of the programming type, read on.

As mentioned last week, we open sourced the entirely new Metasploit credential engine. This represents a ton of work down in Metasploit's guts, since it refines and extends what a "credential" really represents in Metasploit's internals. Now, while we've already converted all of your most-used and most-useful modules to leverage the new credential scheme, there are about a hundred lesser-used modules left to convert.

The challenge is pretty straight forward: Read Dave @TheLightCosine Maloney's overview of how Metasploit Login Scanners are created, then start in on converting over modules that tickle your fancy.

The prizes for Loginpalooza are pretty sweet, as well. The person with the most contributions reworking the listed modules will receive a WiFi Pineapple Mark V Ultra Bundle 15000 from Hak5, and the runner up will get a Onion Pi Pack with mini Wi-Fi from Adafruit.

The Metasploit Framework GitHub wiki, Metasploit Loginpalooza, should have everything you need to know to get started and keep track of your progress. If you run into any problems or surprises, feel free to comment below.