lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hpr-knowledge-base/hpr_transcripts/hpr2827.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

206 lines
13 KiB
Plaintext
Raw Permalink Blame History

Episode: 2827
Title: HPR2827: Unscripted ramblings from my garage about my first CTF event
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2827/hpr2827.mp3
Transcribed: 2025-10-19 17:22:49
---
This is HPR Episode 2827 entitled Uncripted Ramblings from my garage about my first CTF event.
It is hosted by Christopher M. Hobb and is about 14 minutes long and carries a clean flag.
The summary is, I briefly discuss a CTF event I want invited to and what I plan to bring with me.
This episode of HPR is brought to you by archive.org.
Support universal access to all knowledge by heading over to archive.org forward slash donate.
Hello hacker public radio. Hopefully you can hear me okay.
Taking advantage of a friend's recorder here that I borrowed to do some field recordings to record a quick episode since I haven't recorded one in quite some time.
Hanging out in my garage don't have a script in the garage because the wind causes this little recorder to peak out really hard.
The mics are very sensitive. It's a TASCAM DR40. I'd like to get one for myself eventually.
But in the meantime my borrow of friends when I want to make some recordings did some good field recording last night.
In the dark in the woods on a bridge by a lake so that was pretty cool. Maybe I'll put those online somewhere.
But I digress. I got a quick break here. My kids playing with the neighbor kids and I'm inventorying all my stuff for them.
All my stuff for an event in a couple of weeks. I got asked to be a ringer for a capture the flag event.
I'll leave out the details just because I'm not sure of what all it entails and I don't know how much I need to be anonymous before the event.
I mean if you know my handle and you've listened to my previous episodes and you look at my website and that sort of thing you'll know roughly where I live and it shouldn't be too hard to figure out who's putting on the event.
It's a large organization, a small part of a large organization and a loose organization.
But anyway just to avoid spoiling anything for me I'm not going to give out any of those details.
Just if I used to say that it's a run of the mill capture the flag event. I've never been to a capture the flag event.
I have a small business where I do a lot of things with that business. It's not my primary job.
My primary job right now. I'm a senior engineer for malware bites.
And I'm not really doing anything related to the malware directly but more things related to the provisioning of our software.
Unfortunately it's not free software but I get to work with free software tools regularly.
But I'm building neat systems to help people keep their computer safe.
Doing that all, doing some programming to make that happen.
But on the side I have a small business called ASHA Technologies ASCIA.
And I do a lot of things. I provision networks, I write code, I train people, that sort of thing.
And one thing that I do along with all of that is both penetration testing on the network level, on the social engineering level, fishing and that sort of thing.
And I also do physical breaking and entering for groups. Naturally this is all above the board, completely legal, under contract.
People who hire me to break into their stuff and do after-action reports and whatnot own all of the stuff that I'm breaking into.
So it's all legitimate.
I've been doing that for a number of years, probably over a decade now.
Been breaking into stuff for a long time.
In a part-time capacity with some subcontractors in mind.
So I have real-world experience with these things.
But I don't know what a capture-the-flag event will be like.
It seems to me that stealth will be near impossible because we're all there for the same reason.
It's a 26-hour event from what I understand.
There's supposed to be a party afterwards.
Getting a little too old for parties, but I'll enjoy the socialization maybe.
It's not too far from home, so that'll be nice.
I can drive there.
There's supposed to be a social engineering aspect, a lock-picking aspect,
and a digital computer aspect, network aspect.
I'm told that there's a lock-picking flag, there's a social engineering flag, and so on.
So I don't know if you use all of the skills together to get something done.
I don't know if you grab multiple flags.
I know absolutely nothing about the formats.
So I'm sitting here while I have a break trying to inventory everything that I'm going to bring with me.
I'm a little nervous about driving with a bag of tricks, an hour, and some change away from my home.
If I get pulled over, that will be fun to explain.
I mean, there are all legal things, but when they're combined together, they look awfully suspicious, right?
So at the moment, you know, I'll bring a change of clothes, get the boring stuff out of the way,
a little, a little dop kit with some toiletries in it, some water, some snacks,
try and slim that down as much as possible, maybe some ibuprofen and caffeine pills.
I don't know, instant coffee.
We'll see what we need.
I'm definitely going to stay sober when I'm there because I got asked to be part of this team,
and I'm a little flattered to be part of the team.
I'm flattered that I was asked.
Makes me feel nice.
The people on the team are in corporate environments, big companies,
and they work on the security teams in those big companies, and I don't.
I mean, my full-time job, malware bytes is maybe 600 employees, so we're not real big,
and I don't do security stuff there per se, other than to secure my own code.
And my little side business is just me and a handful of subcontractors, so I'm kind of a small fish, right?
And I don't have any certifications.
I've just been doing this forever.
So for me to get asked to join a team for the event made me feel good.
I know it's a small event.
I know it's not a real significant thing, but it sure felt nice to be asked.
So what I intend to bring, I'm not real sure at the moment.
I'm going to bring my lockpicks because they say there's some lockpicking.
They are in a sorry state, though.
My rake and my double ball and my diamond pick are all three beat up severely.
And both of my tension wrenches are kind of bent, and I always have to bend them back in shape.
And it's just a mess, but I've had these picks forever, and they just keep on working.
And they feel right, you know, I know how they feel.
I know where the hotspots are.
I've kind of worn my shape into them, so I'll bring those.
Um, to be transparent, I've purchased almost all of the Hack 5 gear.
Uh, I guess that's kind of kitschy.
Uh, and I've made my own versions of a lot of their gear, but gosh, their stuff just looks so inconspicuous and it's tiny.
Uh, and it's inexpensive, so why not, right? Why not buy those things?
So I'll bring my Wi-Fi pineapple.
And I have the rabbit, which is really cool.
I love that one because it has multiple payloads.
Um, it's a little bigger than the ducky.
I do have the rubber ducky.
I'll bring that to, but having multiple payload options is going to be a lot of fun.
Um, I'll bring the packet squirrel.
Have that one too.
I think that's all of the Hack 5 things I have.
Probably bring a couple of Raspberry Pi Zero W's and some Ethernet adapters for them,
so that I can make a couple of Swartz casts.
Swartz cost?
I don't know how to say that.
Black throw.
You know, let's say a little computer running tour, we're running a tour hidden service with SSH.
So you just plug it into a network and then hopefully if it gets network connectivity,
you don't have to worry too much about firewalls and things like that.
Unless it's a larger organization that's really watching the packets closely.
Um, and then you can access that network via tour conveniently, you know,
from your home or the local cafe or whatever.
And I'll bring a laptop.
Um, I've got a spare laptop that I can wipe.
It's not very powerful, but I can use most of my tools on there, you know.
I really enjoy Midaspoit.
Ronin is no longer actively maintained, but I write a lot of Ruby for a living.
So I always like to have a copy of Ronin around because it's easy for me to quickly write plugins for it.
Of course, they're set.
I like set.
Social engineering toolkit.
And Multigo, I'm not very good with Multigo, but I'll probably bring a copy of Multigo and Burp Suite.
Also not very good with Burp Suite, but might as well bring it.
Um, the team has chosen a bird themed name and I'll spare the details,
but it's very geeky bird name.
And if you are familiar with April Fools and RFCs, I'm sure you can guess the name.
So we're coming up with all sorts of bird puns to go along with it.
Um, I don't have a handle yet, so I'm trying to think of some bird related handles.
And sticking with the bird theme, I'm going to install Parrot Linux on the laptop.
It's not entirely free software, but it amuses me.
It's a security distribution that fits the bird theme silly things to get excited about.
And of course, I'll give the machine a bird name as its host name or some bird related thing.
I'll probably buy a burner phone or a burner sim and not to protect my anonymity, but to help with social engineering.
If there's a social engineering aspect, I do wonder if I'm going to have to call somebody.
And if I call somebody from a number and I mess up, I want to have another number available so that I can call them.
In case I get flustered, something I do when I do my pin tests is always by two burner sims.
Maybe a burner phone and a burner and an extra burner sim.
And my phone, my personal phone has room for an extra sim card if I take out the SD card.
I can run two sims in it or I can run one sim and an SD card.
So that's also an option.
I guess voiceover IP is doable as well, but the quality is not always there unless the Wi-Fi is really strong.
So, probably get a couple of burner sims.
Really, I can't think of much else. Multi-tool, right? Need a multi-tool always.
But that's just part of stuff I carry every day.
I'm not into the EDC culture, but I do have an array of things I keep in my pockets and my bags.
But I think that's about it. I can't think of what else to take with me.
I'm certainly open to ideas for what to take to capture the flag events.
And if any of you have attended a capture the flag event, I would like to know more about them.
I don't use Slack and I don't use Discord. I really hate WebChat a lot.
I don't like bloated web things.
And I don't use social media anymore.
I haven't used social media for a very long time.
Now, not even the free stuff, the Fediverse stuff.
So, I'm out of the loop.
And if any of you have any ideas about capturing the flags, please let me know.
I do hang out on IRC, but it's about it.
I guess I could try and join the IRC channels for these folks, but they seem to prefer Discord and Slack.
So, I can't talk to them and the only information I have comes from the team.
And the website is very sparse.
So, I'm going to be going into this thing, not knowing anything.
So, it'll be very interesting to see how it all pans out.
And also, if you have bird-related handles I could go by, I would really appreciate that.
That would be cool.
Hopefully this episode will get posted before the event, and I can get some feedback.
But, yeah, we'll see what happens.
Any tips or tricks for capturing the flag would be greatly appreciated.
There's supposed to be some talks too, so I'm looking forward to that.
I hope the talks aren't too bad.
The security scene in this area is not very big.
I don't know a lot of them, but it's not very big, so I'm curious how well populated the event will be.
How many people will be there, but I'm excited.
It'll be interesting.
And I wonder how well my real world, I guess, for lack of better words, hacking skills,
and what not.
We'll carry over into this event.
Maybe I'll give an after-action report as a podcast if I think about it.
Maybe too zonked.
But I'll try to take notes, and I'll try to let people know how it goes.
Yeah, I think that's about it.
So, with that, I think I'm going to wrap up this episode.
Big free-form thing, just kind of rambling.
I know it was a short one.
Hopefully it was enjoyable, and definitely let me know what you think about Capture the Flags.
And if you've done them, let me know what that's like.
And better yet, instead of just letting me know directly in the comments,
why don't you record an episode?
That would be a pretty cool hacker-public radio episode,
is a discussion of what goes on at Capture the Flag events.
Would love to hear that.
Okay, everybody.
Thanks for your time.
Thanks for listening.
Thanks for supporting HPR.
I'll leave some information about how you can contact me in the show notes.
And yeah, thanks for everything, guys.
And gals.
Happy hacking.
You've been listening to hacker-public radio at hacker-publicradio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
Hacker-public radio was founded by the digital dog pound and the Infonomicon Computer Club.
And it's part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly.
Leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released on the Creative Commons,
Introduction, ShareLight 3.0 license.
Reference in New Issue View Git Blame Copy Permalink