Rapid7 Blog

Brian O'Neill  



Metasploitable3 CTF Results and Wrap-Up

The Metasploitable3 CTF competition has wrapped up and we have our winners!  We had almost 300 flag submissions from more than 50 fine folks.  There were some really great right-ups submitted with great details on how flags were found.  Thanks to everyone who took time…

The Metasploitable3 CTF competition has wrapped up and we have our winners!  We had almost 300 flag submissions from more than 50 fine folks.  There were some really great right-ups submitted with great details on how flags were found.  Thanks to everyone who took time to submit a finding!  ON TO THE RESULTS! When we announced the competition, we didn't specify if team submissions were allowed or not.  Well, it turns out that  a team was in the top 3.  Team RUNESEC went bonkers and submitted all 15 flags over the course of 4 days.  Nice work RUNESEC.   We didn't want anyone to feel slighted so we decided to go ahead and (in the spirit of the season) be generous 🙂. Therefore, Team RUNESEC will receive a 2nd place prize as they were second to submit all the flags.  Additionally, the Top-3 individual submitters will receive prizes. These winners showed some tremendous talent and skill.  Vaibhav completed just 7 days after the contest was announced and Jonathan completed all the flags in roughly 12 hours!  A total of 4 individuals completed the challenge, based on reviews of the write-ups, and time of completion we have the top 3 winners. Top Individual Submitters 1st Place, Hak5 Pineapple: Vaibhav Deshmukh 2nd Place, LAN Turtle or Lock Pick Set: Igor Guarisma 3rd Place, LAN Turtle or Lock Pick Set: Jonathan Echavarria Top Team Submitter 1st Place, LAN Turtle or Lock Pick Set: Team RUNESEC Here is a break down of the top-10 submitters, please note that the grouping by count doesn't reflect overall standings, just the number of valid flags submitted. Top 10 Submitters Great work everyone! The card most frequently found where: The card most likely to be found first?  The Joker. We will be contacting the winners directly over the next few weeks to arrange delivery of the prizes.  And... as an added bonus EVERYONE who submitted a valid flag will get a Metasploit t-shirt!! Thanks again to everyone who participated, we've had a great time reviewing all the very creative and well-written submissions.  Going forward we will continue to add new and fun flags to Metasploitable3 as always, we'll keep you posted when we have some new flags to discover.  We will also be adding new options to exploit Metasploitable3 as they emerge.   If you have any ideas or things you'd like to see in future iterations of Metasploitable3 please feel free to comment on our Git page.  Metasploitable3 is an open source project so, if you're up to it, you can submit a pull request with any of your own ideas!  Check out the repo on git. I'd like to give a special thanks to sinn3r for all of his great work judging submissions and helping out everyone with questions.

Metasploitable3 CTF Competition: Update and Leaderboard!

The Metasploitable3 Capture The Flag Competition has been underway for about a week now and the submissions have been pouring in!  We're very excited to see so many great submissions. We're reviewing as fast as we can so if you don't hear back from us…

The Metasploitable3 Capture The Flag Competition has been underway for about a week now and the submissions have been pouring in!  We're very excited to see so many great submissions. We're reviewing as fast as we can so if you don't hear back from us right away, don't worry, you will.  For all valid submissions we will update this blog post and subsequent ones with the leaderboard. For any questions submitted we will get back with you as fast as we can, and for any invalid solutions submitted we will write back and let you know the reason. Got a question? Send it to capturetheflag [at] rapid7 [dot] com. Some of the flags are a little bit tricky and have been causing the most questions, so we wanted to add a little clarity. Firstly, all flags will be in the same design. If you see a flag that looks different than others, it's probably not a flag.  Additionally, all the real flags are .PNGs. There is also one flag where we lost some of the data, if you find one half flag, it counts. And don't forget, flags found in C:\Vagrant or the virtual box console don't count. Now that some housekeeping is out of the way, let's get on with the current results!! 😊 So far we have had 155 submissions from 31 individuals!  One rock-star submitter went BONKERS over the weekend and found 11 flags in 2 days.There's definitely still time to get submissions in and take over the leaderboard though! The Joker is the most common flag found and the Ace of Hearts has been the most tricky flag to find with 10 invalid submissions Top Submitters Card Counts Great stuff everyone! Keep those submissions coming in!

Metasploitable3 Capture the Flag Competition

UPDATE: Leaderboard can be found on this new post! Plus, some notes that may be helpful. Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition! Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security…

UPDATE: Leaderboard can be found on this new post! Plus, some notes that may be helpful. Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition! Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. If you are unfamiliar with Metasploitable3, you can get up to speed with this blog post announcing its release. For an additional challenge in Metasploitable3, we've hidden several flags in the virtual machine that penetration testers can find to demonstrate their prowess. To honor the release of this new tool – and to have a little fun – we're hosting a month-long competition to see who can find the most Metasploitable flags! The competition will be very simple, and easy for anyone to participate in. For our leaderboard winners, we'll be giving out some great prizes as well as some Metasploit T-Shirts for others who submit a captured flag. Here's how it works. Download and install Metasploitable3. Dig in! Find those flags! Complete a simple write-up (see format below or template here), providing proof you've found one and you'll be added to the leaderboard. (Note: We may ask your permission to publish the write-up after the competition closes.) We'll keep a running tally of the leaderboard at the bottom of this blog post. On December 31st we'll announce the winners! Details There are currently 15 flags hidden in Metasploitable3, with more being added. When you find a flag, take a screenshot of it.  Put it in a doc with the following information: How did you get access to the machine? How did you spot the file? How did you extract the file? Note: In some cases, the files are easy to find so please describe the extraction process. A template can be found here. Please note: in the spirit of friendly competition, please only submit flags that have been found from a running metasploitable3 instance, not the vagrant folders used to build the instance.  Then email capturetheflag [at] rapid7.com and we'll review and add you to the leader board.  At the end of the month the top 3 people with the most submitted flags accepted will receive prizes. In the case of a tie, a set of subjective measures will be used to select the winners. The measure will be: creativity of methods used to obtain the flags and strength of the write-up. We reserve the right to award bonus prizes. And one note for our beloved Rapid7 employees: You are welcome to play along, but standings will be tracked separately and awarded accordingly. Prizes! 1st Place: Hak5 Pineapple 2nd Place: LAN Turtle or Lock Pick Set 3rd Place: LAN Turtle or Lock Pick Set The first 25 to submit a flag will get a Metasploit T-Shirt! We reserve the right to award bonus prizes. Any questions? Feel free to comment below or email community [at] rapid7.com and we'll get back to you. Happy Hunting! Leaderboard Get all the updates here: Metasploitable3 CTF Competition: Update and Leaderboard! Official Rules: Terms & Conditions The Metasploitable3 Capture the Flags competition is open to anyone. No purchase is necessary to participate. Eligibility is dependent on following the entry rules outlined in this guide. To Enter: Locate and screenshot flags found in Metasploitable3 and send a written submission detailing 1) how you got access to the machine; 2) how you spotted the file; 3) how you extracted the file, to capturetheflag [at] rapid7.com. A template can be found here or by searching for “Metasploitable3 CTF” on community.rapid7.com. Partial or incomplete submissions WILL NOT BE ACCEPTED as an entry and shall not be eligible for any prize. All submissions will be reviewed by Rapid7 for adherence to these Official Rules. Rapid7 may ask for permission to publish written submissions after the contest close. The leaderboard competition will open on Wednesday, December 7, 2016 at 12:00:01 ET and close on Saturday, December 31, 2016 at 11:59:59 ET. Entries submitted after this time may be eligible for additional prizes determined by Rapid7. In the event of a tie, Rapid7 will evaluate submissions to select the first place winner. A set of subjective measures will include 1) creativity of methods used to obtain the flags and 2) strength of the written submission. Rapid7 reserves the right to award bonus prizes. The leaderboard will be updated regularly with the final submissions being added by Tuesday, January 3, 2017 at 11:59:59 ET. Prizes/Odds of Winning: Only the prizes listed below will be awarded in the competition. Odds of winning depend on the number of eligible entries submitted by the close date. Prize is not transferable or redeemable for cash. Rapid7 reserves the right to make equivalent substitutions as necessary, due to circumstances not under its control. Please allow 3-4 weeks for delivery of any prize. Leaderboard Prizes Three (3) Prizes Leaderboard Position Prize Approx. Value 1st place Hak5 Pineapple (Nano Basic) $149.99 2nd place LAN Turtle OR Lock Pick Set $49.99 3rd place LAN Turtle OR Lock Pick Set $49.99 Additional Prizes Twenty-five (25) Prizes** The first 25 people to submit a flag will get a Metasploit T-Shirt (approx. value: $10) available from the online Rapid7 Retail Store. Rapid7 reserves the right to award additional T-shirt prizes. Competition host is Rapid7 LLC, 100 Summer St, Boston, MA 02110. By entering the competition, you agree to these terms and conditions. Employees and the immediate families of Rapid7 may not participate. If you have any concerns or questions related to these terms and conditions, please email capturetheflag [at] rapid7.com.

Honing Your Application Security Chops on DevSecOps

Integrating Application Security with Rapid Delivery Any development shop worth its salt has been honing their chops on DevOps tools and technologies lately, either sharpening an already practiced skill set or brushing up on new tips, tricks, and best practices. In this blog, we'll examine…

Integrating Application Security with Rapid Delivery Any development shop worth its salt has been honing their chops on DevOps tools and technologies lately, either sharpening an already practiced skill set or brushing up on new tips, tricks, and best practices. In this blog, we'll examine how the rise of DevOps and DevSecOps have helped to speed application development while simultaneously enabling teams to embed application security earlier into the software development lifecycle in automatic ways that don't delay development timeframes or require major time investments from developers and QA teams. What is DevOps? DevOps is a set of methodologies (people, process, and tools) that enable teams to ship better code – faster.  DevOps enables cross-team collaboration that is designed to support the automation of software delivery and decrease the cost of deployment. The DevOps movement has established a culture of collaboration and an agile relationship that unites the Development, Quality Engineering, and Operations teams with a set of processes that fosters high-levels of communication and collaboration. Collaboration between these three groups is critical because of the inherent conflict of development organizations being pressured to ship new features faster while operations groups are encouraged to slow things down to be sure that performance and security are up to snuff. DevSecOps and Application Security Getting new code out to production faster is a great goal that often drives new business, however in today's world, that goal needs to be balanced with addressing security. DevSecOps is really an extension of the DevOps concept. According to DevSecOps.org, “It builds on the mindset that "everyone is responsible for security" with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required. Web application attacks continue to be the most common breach pattern confirming what we have known for some time- that web applications are a preferred vector for malicious actors and they are difficult to protect and secure. According the 2016 Verizon Data Breach Report, 40% of the breaches analyzed for the 2016 DBIR were web app attacks. Today's web and mobile applications pose risk to organizational security that must be addressed. There are several well-known classes of vulnerabilities that can be present in applications; SQL Injection, Cross-Site Scripting, Cross Site Request Forgery, and Remote Code Execution are some of the most common. Why are Applications a Primary Target? Applications have become a primary target for attackers for the following reasons: 1. They are open for business and easily accessible: Companies rely on firewalls and network segmentation to protect critical assets.  Applications are exposed to the internet in order to be used by customers. Therefore, they are easy to reach when compared to other critical infrastructure and malicious attackers are often masked as legitimate desired traffic. 2. They hold the keys to the data kingdom: Web Applications frequently communicate with databases, file shares, and other critical information.  Because they are close, if they are compromised it is easier to reach this data which can often times be some of the most valuable.  Credit Card, PII, SSN, and proprietary information can be just a few steps away from the application. 3. Penetrating applications is relatively easy. There are tools available to attackers that allow them to point-and-shoot at a web application to discover exploitable vulnerabilities. Embed Application Security Early in the SDLC - A Strategic Approach So, we know that securing applications is critical. We also know that most application vulnerabilities are found in the source code. So, it stands to reason that application vulnerabilities are really just application defects and should be treated as such. Dynamic Application Security Testing (DAST) is one primary methods for scanning web applications in their running state to find vulnerabilities which are usually security defects that require remediation in the source code. These DAST scans help developers identify real exploitable risks and improve security. Typically, speed and punctiliousness don't go and in hand, so why would you go about mixing two things that might be thought of as having a natural polarity? There are several reasons that implementing a web application scan early in the SDLC as part of DevOps can be beneficial and there are ways to do it so that it doesn't take additional time for developers or for testers, it can be baked in as part of your SDLC and part of your Continuous Integration process. When dynamic application security testing first became popular, security experts often conducted the tests at the end of the software development lifecycle. That only served to frustrate developers, increase costs and delay timelines. We have known for some time now that the best solution is to drive application security testing early into the lifecycle along with secure coding training. Microsoft was one of the early pioneers of this with their introduction of the Secure Development Lifecycle (SDL) which was one of the first well-known programs that explicitly stated that security must be baked into the software development lifecycle early and at every stage of development not bolted on at the end. The benefits of embedding application security earlier into the SDLC are well understood. If you treat security vulnerabilities like any other software defect, you save money and time by finding them earlier when developers and testers are working on the release. Reduced Risk Exposure -The faster you find and fix vulnerabilities in your web applications mean less exposure to risk. If you can find a vulnerability before it hits production you've prevented a potential disaster, and the faster you remove vulnerabilities from production, the exposure you are faced with. Reduced Remediation Effort - If a vulnerability is found earlier in the SDLC then it's going to be easier and less expensive to fix for several reasons. The code is fresh, the developer is familiar with it and can jump in and fix it without have to dig up old skeletons in the code. There is less context switching (context switching is bad) when we find security defects during the development process. Additionally, if a vulnerability is found early then it is much more likely that there won't be other code relying on it so it can be changed more safely.  Finally, new code will be less likely burdened with tech debt and therefore be easier to fix. Reduced schedule delays - Security experts are well aware that development teams don't want to be slowed down. By embedding application security earlier in the SDLC, we can avoid they time delays that come with testing during later stages. These factors should help explain why incorporating application security into a DevOps mentality makes sense.  So how can a security-focused IT staff member help the developers get excited about this? Adopting a DevSecOps Mindset for Application Security - 8 Best Practices Build a Partnership Partnership and collaboration is what DevOps is all about. Sit down with your development team and explain that you aren't trying to slow them down at all. You simply want to help them secure the awesome stuff they are building. Help them learn by explaining the risk.  The ubiquitous “ALERT(XSS)” doesn't do a good enough job of pointing out the significance of a cross-site scripting vulnerability. Talk your developers through the real-world impact and risks.   Conduct Secure Code Training Schedule some “Lunch-n-Learn”s or similar session to explain how these vulnerabilities can emerge in code.  Discuss parameterization and data sanitization so developers are familiar with these topics.  The more aware of secure coding practices the developers are, the less likely they are to introduce vulnerabilities into the application's code-base. Know the Applications It helps when the security expert understands the code base. Try to work with your developers to learn the code base so you can help highlight serious vulnerabilities and can clearly capture risk levels. Security Test Early, Fail Fast. Failure isn't typically a good word, but failing fast and early is an agile development mindset that is applicable to application security. If you test early and often you can find and fix vulnerabilities faster and easier. The earlier new code is tested for security vulnerabilities the easier it is to fix. Security Test Frequently Test your code when new changes are introduced so that critical risks don't make it past staging.  Fixing issues is easier when they are fresh. Scan new code in staging before it hits production to reduce risk and speed remediation of issues. Integrate Security with Existing Tools Find opportunities a solution that to embed dynamic security testing early into your software development lifecycle by integrating with your existing tools. Seamlessly integrating security into the development lifecycle will make it easier to adopt. Here are some of the most effective ways of integration security testing into the SDLC: Continuous Integration - Many organizations achieve early SDLC security testing by integrating their DAST solutions into their Continuous Integration solutions (Hudson, Jenkins, etc) to ensure security testing is conducting easily and automatically before the application goes into production. This requires a application security scanner that works well in “point and shoot” mode and includes an open API's for running scans. Ask your vendor how their scanner would fit into your CI environment. Issue Tracking - Another effective strategy for building application security early into the SDLC is ensuring your application security solution automatically sends security defects to the issue tracking solution, like Jira, that is used by your development and QA teams. Test Automation - Many QA teams are having success by leveraging their pre-built automated functional tests to help drive security testing to make security tests even more effective. This can be done through browser automation solutions like Selenium. Rapid7's AppSpider is built with this in mind and includes a broad range of integrations to suit your team's needs. Learn more about how AppSpider helps drive application security earlier into the SDLC in this video. AppSpider is a DAST solution designed to help application security folks test applications both as part of DevOps and as part of a scheduled scanning program. Thanks for reading and have a great day.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More

Upcoming Event


Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.

Register Now


Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.

Listen Now