Black Hat / DEF CON 26 – Talks > CTFs???

Two weeks ago I took my third trip for Vegas, this time for Black Hat / DEF CON 26.

Black Hat / DEF CON - Back to Vegas!

Since I was taking training at Black Hat this year, I ended up spending eleven total days (3 August - 14 August) in Vegas this year. That definitely took a lot out of me, and I was a bit worn down by Friday at DEF CON. That said, the training was awesome, and I'm sure I'll end up back in Vegas again.

I was a bit surprised that I didn't get a TSA golden ticket in my bag this year. Not only did I have all of my gear with me, but I also packed some protein powder. I was hoping to keep up my diet as best I could, but that didn't work out as well as I'd have hoped.

Black Hat / DEF CON - Protein powder

It was almost an even more awesome year, with Evo going on around the same time as Black Hat. Unfortunately, I was in class during the entirety of the tournament.

Black Hat / DEF CON - EVO

As always, it was hotter than I expected, or hotter than I'd ever want.

The tables were VERY kind to me this year, and I ended up +$500 in Blackjack and +$240 in Craps. That brings my three-year total to up $645 ($315 - $410 + $740)!

I also stayed at Caesar's the entire time this year, so didn't have to deal with last year's fiasco of switching.

Black Hat / DEF CON - Caesar's

Cons, People, and Vegas

I got to catch up with a few people this year, but missed out on a few others. That was alright, but I'm hoping to catch up with them again next year!

There were even more co-workers there this year, and we even went out for a round of Top Golf.

Black Hat / DEF CON - Top Golf

Since so many of us left at the same time, we also got to grab a "limo" on the way back to the casino.

Black Hat / DEF CON - Limo

Las Vegas Distillery

The RTP SecBeers group planned a day trip out to the LV Distillery, which was tons of fun.

This was actually the first distillery in Nevada, and they've operated for a while.

Black Hat / DEF CON - Distillery equipment

They make everything from vodka and gin, to various whiskeys, and even liqueurs. During our tasting, we got to try whatever we wanted, so I decided to taste the entire lineup!

Black Hat / DEF CON - Distillery offerings

In the end, I'm still a whiskey man though, so I had some extra tastes of those offerings.

Black Hat / DEF CON - LV Whiskey

Afterwards, we went to the Hi-Scores Bar Arcade, which was also a lot of fun.


Another year in Vegas, and another year of delicious (albeit expensive) food.

Just like last year, we had a wonderful group dinner at Momofuku. And, like last year, we got the fried lobster and shrimp bowl of joy.

Black Hat / DEF CON - Momofuku

We also stopped at the Bacchanal Buffet again for one meal, which is always far too filling.

Finally, I got to try a sushi burrito this year. It was definitely unique, especially considering I got a side of chips and queso.

Black Hat / DEF CON - Sushi burrito

SpecterOps Adversary Tactics: Red Team Operations

This course was incredible, and I could easily write an entire blog post about it. Actually, I still might, but we'll see...

I've never done any stealthy red teaming before, so that was a new experience for me. I've also never used Cobalt Strike before, but I was pretty enthralled with it by the end of the course.

Being actively "hunted" during the lab/CTF was incredibly valuable, as was the real-time feedback from the Cerberus IDS.

The class covered everything from infiltration, to stealth, to AD abuse, infrastructure, defense mechanisms, and everything in between.

One of my biggest takeaways was thinking about my infrastructure, how to configure and protect it, and the willingness to burn it at a moment's notice.

I also realized that I've never had visibility into my own attacks before, especially having never been a blue team member.

This has gotten me setting up more appropriate Windows lab environments, as well as multiple domains to practice those attacks.

I've also stood up my instance of HELK , so that I can actively hunt myself when it is all said and done.

Black Hat / DEF CON - HELK

Even if I don't write an entire post about this course, I've got plenty in the pipe after taking it.

Also, none of this mentions how awesome the instructors were. They were willing to help, many were experts in their own right, and they made a grueling 4 day course a ton of fun.

I think my only qualm about the course was how engaging the CTF was. There were times that I was more focused on the CTF than actually learning what they were trying to cover. That said, I came home with all the materials and solutions, so I can go over them at my leisure. It was worth it though, as we ended up tied for second when it was all said and done!

If you want to take this class, then I can HIGHLY recommend it.

BlackHat and Swag

After my training course, I had a little time to stop by the Black Hat vendor area. Having only heard tales and seen pictures before, this was definitely a new experience.

While I wasn't like my teammates attempting to get every piece of swag in the building, I did come home with a few bags, shirts, and trinkets.

My favorite piece of swag is probably this hat that I got. Infosec plus Marvel humor? I'm in.

Black Hat / DEF CON - Root hat

Other than that, it was interesting interacting with the vendors. Even after telling them what I did, many of them gave me the same generic CISO spiel for their product. The most interesting were the ones that actually talked to me like a person, and a penetration tester. I have to commend Bromium over the rest at this. I spent awhile talking to one of their CTOs I believe, and it was engaging. We discussed how their product actually works, and what potential downsides it might have. He picked my brain about how I might try to avoid it (staying in memory), and he said that would probably work. I'd like to reach out to them for a demo and to perform some research after that conversation.


I also stopped by the Pluralsight booth, and they had a "Security for Hackers and Developers" quiz with a leaderboard. I decided to give it a spin, and ended up beating second place by 21 points! This was a pretty intense quiz, but definitely heavy on the advanced exploit development side. If you're interested, you can find it here.

Black Hat / DEF CON - Pluralsight score

They gave me a $100 Tapplock for my troubles, which was pretty awesome. Of course, it's the one that already has a few vulnerabilities, so I'm not sure if I'll find anything interesting.

Black Hat / DEF CON - Tapplock

Unfortunately, my reign atop the leaderboard didn't last very long. As I was finishing up the quiz, Sean showed up behind me. We talked for a while, and I finally convinced him to take it as well.

He ended up beating my score by 4 points, and we stayed on top until the end of the conference (as far as I know).

Black Hat / DEF CON - Leaderboard

It was all in good fun, and we got to explain to the vendors how we knew each other and what we did. Plus, we got a cute picture in front of our final scores!

Black Hat / DEF CON - Sean and Me


I managed to catch a lot more talks this year than the last two combined. It was nice not having to wait for them on YouTube, and I do enjoy some DCTV + food/recharging in my room.

While I'm not going to go over every talk I saw like in earlier years, there are a few that I'd like to cover.

  • Weaponizing Unicode: Homographs Beyond IDNs - while I've talked a bit about homoglyphs in the past, this was awesome. Not only were there some really neat attacks, there were also a few fun PoCs that I want to try. Other than that, the idea of using OCR as a defense completely blew my mind. It's so obvious, and a field that has already been studied quite a bit.
  • Practical & Improved Wifi MitM with Mana - I've never actually used Mana before, so this was nice. Mana seems like it can automate a lot of the wireless rogue device attacks that I've performed manually. Additionally, they've added a lot of functionality about enterprise networks, which might be nicer than the tools that I'm using. Finally, I really want to play in the simulated wireless lab that they mentioned.
  • Your Bank's Digital Side Door - this was an eye-opening talk, especially having worked in the financial industry before. I never really knew how OFX worked, or the differences between the versions. There were plenty of examples of potential vulnerabilities, poor implementations, and banks unnecessarily leaking information left and right.
  • Inside the Fake Science Factory - this talk was CRAZY. I knew of the publish or perish nature of science and academia, but not how bad it could get. The level to which some organizations, companies, and people will stoop is incredible. While it is not in English, I at least recommend you watch their documentary. Spoiler alert: their paper that was 100% computer generated they won best talk at a conference.
  • Demystifying MS17-010: Reverse Engineering the ETERNAL Exploits - this was definitely a technically heavy talk, and it was cut down to fit in the time slot. That said, zerosum obviously knows his stuff, and we have him to thank for the porting of some of the ETERNAL* exploits. I took his Malware Forward Engineering workshop last year, so I knew what to expect. That said, I got lost myself about halfway through or so. If you've ever been curious about how you've been able to own so many boxes with one exploit, then this is the talk for you.

Finally, while this was at the DEF CON vendor area and not an actual talk, it is still worth including. While walking around, we spotted a beagle wandering around near the Hacker Warehouse table! This was awesome, as I have one of these at home myself.

Black Hat / DEF CON - Beagle

DEF CON Workshop - Fuzzing with AFL (American Fuzzy Lop)

I took another free workshop this year at DEF CON, and this year it was about fuzzing.

While it isn't up yet, you should eventually be able to find the slides on the media server.

This was a 4-hour AFL workshop taught by Jakub Botwicz and Wojciech Rauner from Samsung Poland. Unfortunately, this wasn't really enough time to do a proper deep dive into some of the topics, and the sections felt a little sporadic here and there.

That said, I did get a few ideas for make flies and targets to assess, so that was good. I would have liked a bit more manual processing, as the provided make files abstracted almost everything out. Additionally, some exploitation (or at least triage) would have been awesome, but I know we were severely time limited.

I am looking forward to playing with AFL more, but the most interesting part was combining it with Qemu for black box fuzzing.

Black Hat / DEF CON - CTFs

Unlike the last two years, I did not spend a lot of time CTF-ing this year. After the grueling SpecterOps CTF, plus my time in Vegas already, I was a bit worn down by the time Thursday rolled around.

I started out in the Wireless CTF room. That said, most of the 802.11 challenges weren't working, so that was a little disheartening. Additionally, even with the bigger room, it was crazy crowded this year.

I was also invited by Tom/Dave/Joe to the OpenCTF room, but was never able to make it.

Finally, Welcome Thrillhouse Group had a small team rolling in the IoT CTF, but I just helped them with ideas and suggestions from a distance. That said, Matt did post a few write-ups, so definitely check them out!

While I would have loved to go 3/3 for DEF CON black badges, I'm ok with the way this year went. There are definitely pros and cons to spending the entire conference participating in CTFs. That said, I'm glad that I took a break from it all this year.

Black Hat / DEF CON 26 - Conclusion

This was my third year in Vegas, so I've at least got a FEW less tabs to show for it.

I did have some great fun and food this year, even including my airport nachos before leaving.

Black Hat / DEF CON - Nachos

That said, this was the first year that I thought about saying, "I'm not going next year." I'll probably still go, but I'm not sure if I can handle another 11 day trip next year.

Black Hat / DEF CON - Goodbye Vegas

Caesar's is still a better venue, but it cannot handle the sheer number of people who show up. Next year should add another 80,000 sq ft., but we'll see.

The only cons left on my docket this year are Derby and BSidesRDU, so it's time for the closing stretch!

doyler on Githubdoyler on Twitter
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.