Public Penetration Test
Public Penetration Test
18 to 20 August 2017
This is not a capture the flag, but it is educational.
I authorize and encourage those curious about hacking to participate in a public pentest.
I will make all of the logs from Azure and the server available via free, anonymous download after the test. All files will be hashed. No redactions or omissions.
This is a white box pentesting event.
Rules of engagement, identity of target and technical details released on 18 August 2017.
LAW ENFORCEMENT
This is security research. I have given notice and received permission from the provider. Don't kill my canaries.
HACKERS
If you get in, you've broken Azure IaaS. Disclose to vendor and get paid. I have no stake in your discovery.
PACKET MONKEYS
DDOS is outside of the scope of the pentest. I'm testing a default, low availabilty server. If the server is unavailable, that's research results.
I'll hide a box behind a service relay in Azure in a later challenge if there's interest. But cannons aren't welcome at this event.
SECURITY RESEARCHERS
This is a pentest of default setup of an IaaS virtual machine in Azure. Default Azure and server logging. I'll export and share unredacted, complete logs.
For forensics source, I will also retain the vhd for the server.
All files will be hashed before release.
The files will be publicly available for anonymous download.
OSCP, SECURITY+, CISSP CANDIDATES
Practice. Try harder. Something about enumerate.
FOLK
nmap doesn't play well over Tor. Figure out how to use your tools from Darknet. This is a good time to test. Fish in a stream.