Kringlecon 3 Greeting Card

Welcome to my write-up! Here you’ll find the steps needed to complete the objectives and challenges. However, some will not provide the answer. This is because if you follow the steps and understand what you’re doing, you’ll get the answer. If you’re only looking for the answer, there are other write-ups just a quick Google search away. This write-up will first cover the objectives, followed by the Raspberry Pi challenges.

Objective 1: Uncover Santa’s Gift List

Analyze the image to find Santa’s gift for Josh Write. The relevant portion of the image has been swirled, which obfuscates the text. The swirled portions of the image need to be “un-swirled” to retrieve the flag.

  1. Loaded…

Image by David Krüger from Pixabay

This post details how to set up a root OpenSSL Certificate Authority using Elliptic-curve cryptography (ECC), based on the following two resources.

Tested with:

  • OpenBSD 6.6 GENERIC
  • LibreSSL 3.0.2

Root Certificate Authority Configuration

The greatest hurdle to building out a certificate infrastructure is planning. One must understand how certificates will be used short term and long term as both will impact the overall design. Much planning is centered around how certificates are issued to users/services. Not just…


Image by Harry Fabel from Pixabay

Relayd is a free load balancer, application layer gateway, transparent proxy, and SSL/TLS gateway. It’s safe to say I would avoid placing a web server directly on the internet without placing relayd in front of it. While it may not have all the functionality of competing products (e.g. F5, nginx, haproxy), it has the right balance.

The following relayd.conf is similar to what I use as it achieves these three goals:

  1. Performs connection termination, including TLS.
  2. Updates HTTP request header with client information (e.g. X-Forwarded-For).
  3. Performs basic HTTP security checks.

Tested on: OpenBSD 6.6 GENERIC

relayd.conf

As the title states, this is the…


Image by Taken from Pixabay

The default web server in OpenBSD is httpd, a lightweight server with only the essentials, built secure from the ground up.

There are occasions when a website must be placed into maintenance and httpd.conf makes this easy with pattern matching.

Tested on: OpenBSD 6.6 GENERIC

Create Maintenance Page

Save the following (or similar) page to the website root as maintenance.html.

This technique redirects all requests, which is why no other files are referenced. Any styles or scripts must be specified directly in the maintenance page or hosted on a different website.

<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0">…

Image by Pexels from Pixabay

Content Security Policy (CSP) is an HTTP response header used to protect the client against XSS, clickjacking, and loading untrusted content. When a page has inline scripts or styles, CSP can allow them by using a nonce or by specifying their hash as a base64-encoded value. This post will show how to determine the value to be placed into the CSP.

For more information about the Content Security Policy specification see:

Content Security Policy Level 2 — W3C Recommendation, 15 December 2016

CSP Hash via PowerShell

The following PowerShell function can be used to calculate the SHA256 hash. …


Image by Frantisek Krejci from Pixabay

Online Certificate Status Protocol (OCSP) stapling is a standard for checking certificate revocation. It is most commonly deployed on web servers using TLS and is required if you’re aiming for an A+ on the Qualys SSL Server Test. Even better, CloudFlare reports connection time improvements of up to 30% in some cases. [0]

The following is based on OpenBSD 6.7.

man relayd.conf

Manual page for relayd.conf states:

An optional OCSP staple file will be used during TLS handshakes with this server if it is found as a non-empty file in /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp. …

Image by Michal Jarmoluk from Pixabay

Microsoft Desired State Configuration (DSC) is a management platform where configurations use a declarative syntax. Traditionally, configurations are made by finding the particular Group Policy setting (local or otherwise). With DSC, all of the settings are in a text file stating the desired value (i.e. declared), making configuration as code possible.

One of the difficulties adopting DSC is generating the configuration files as it can be quite time-consuming. Suppose you have a server in its production configuration that needs to be migrated to DSC. Generating the configuration for Services alone will take significant time let alone the Security Policy and…



There are services within the Microsoft Windows operating system that one cannot easily configure, such as setting StartupType=Disabled. This post will show how to ensure a service is disabled regardless of errors encountered when using traditional means (e.g. GUI (MMC), command line (cmd), PowerShell) and without delving into ACLs.

This issue was identified while implementing Microsoft Desired State Configuration (DSC) on Windows Server 2019.

All of the following was launched from an elevated command prompt as Administrator.

Microsoft Management Console (MMC)

When working with Microsoft Windows services, most use services.msc. To launch, simply type services.msc into the Run dialog box and click OK. Some services cannot be…


Stack of rocks

When implementing Server Side Includes (SSI) on nginx 1.16.1, extra bytes were being returned in the responses. While this wouldn’t be noticed when viewed in a webpage, it can provide information disclosure when viewing the raw stream. The extra bytes were caused by Transfer-Encoding: Chunked being used in the HTTP response.

Transfer-Encoding

The Transfer-Encoding HTTP header is defined by RFC 2616 as:

The Transfer-Encoding general-header field indicates what (if any)
type of transformation has been applied to the message body in order
to safely transfer it between the sender and the recipient. …

lock over world map

Configuring HTTPS is not a simple update to a configuration file. Making changes to HTTPS protocols in Microsoft Internet Information Services (IIS) requires modifying the registry which in turn requires a reboot for the changes to become active. For ciphers, thankfully there are PowerShell cmdlets to make changes immediately active.

The following will provide some background and PowerShell snippets to help achieve that A+ on Qualys SSL Server Test. It has been tested on an Azure VM running the following:

  • Windows Server 2019
  • Internet Information Services (IIS) 10
  • PowerShell 5.1

Update: 2021-01-08

See the update at the end of this post for…
