Public Penetration Test
18 to 20 August 2017
This is not a capture the flag, but it is educational.
I authorize and encourage those curious about hacking to participate in a public pentest.
I will make all of the logs from Azure and the server available via free, anonymous download after the test. All files will be hashed. No redactions or omissions.
This is a white box pentesting event.
Rules of engagement, identity of target and technical details released on 18 August 2017.
LAW ENFORCEMENT
This is security research. I have given notice and received permission from the provider. Don't kill my canaries.
HACKERS
If you get in, you've broken Azure IaaS. Disclose to vendor and get paid. I have no stake in your discovery.
PACKET MONKEYS
DDoS is outside of the scope of the pentest. I'm testing a default, low-availability server. If the server is unavailable, that's research results.
I'll hide a box behind a service relay in Azure in a later challenge if there's interest. But cannons aren't welcome at this event.
SECURITY RESEARCHERS
This is a pentest of the default setup of an IaaS virtual machine in Azure. Default Azure and server logging. I'll export and share unredacted, complete logs.
As a forensics source, I will also retain the VHD for the server.
All files will be hashed before release.
The files will be publicly available for anonymous download.
OSCP, SECURITY+, CISSP CANDIDATES
Practice. Try harder. Something about enumerate.
FOLK
nmap doesn't play well over Tor. Figure out how to use your tools from Darknet. This is a good time to test. Fish in a stream.