DerbyCon 7 – Legacy (September 2017)

Another year, and DerbyCon 7 – Legacy is in the books.


I was actually in Louisville two weeks before DerbyCon 7 for a bachelor party, so that was awesome.

This year I didn’t wander around too much, just spent a little time on 3rd and 4th Street.

Went a bit lighter on the bourbon this year after the bachelor party, but still partied hard Thursday. I ended up waking up to multiple texts/messages from my CTF and work team members asking if I was alive. I’ll consider that a successful night in Louisville!

The Con/People

It was another great year, and got to meet even more interesting people.

Spent a little time talking to Lee and crew again, and it was nice to catch up after Vegas.

Other than that, spent a lot of time drinking and hanging out with people’s whose names and handles I have since forgotten.

I also was able to meet up with hexwaxwing and get one of her super awesome stickers!

While I did eat at Smash Burger (the day after), I think the #TrevorForget got a bit ridiculous.


Well…this is an easy section this year. I think I read the title of most of the talks in the program, and that’s it.


Ah yes, the DerbyCon 7 CTF. Just like last year, I spent most/all of my time huddled around a table with the rest of EverSec.

In the end, we placed in 3rd, so not quite as good as last year. We ended up 425 points behind 2nd (SWaG) and a whopping 13,625 points behind first (SpicyWeasel).

DerbyCon 7 - CTF Scoreboard

The 2nd place team was actually the Secureworks Adversary Group (SwAG), aka my current employer.

DerbyCon 7 - SwAG

While it was all in good fun, I did catch plenty of flak for being a traitor. They ended up beating us in the end (even with our last second flags), so I get to keep my job as well!

The style of the CTF was similar to last year, with an open network and an unknown number of challenges to solve.

The theme this year was the DPRK/North Korea, and it was pretty fun.

To make it even more difficult than last year, there was even an 0day challenge in the environment. This was a vulnerability that TrustedSec found recently, and had already notified the vendor.

Thankfully, there was no Windows 98 this year, so we didn’t have to worry about that!

I plan on publishing at least one challenge write-up, so be on the lookout for that.

I may publish a write-up or two depending on my documentation, so be on the lookout. That said, if you can’t wait, Nettitude/SpicyWeasel already posted theirs, and they got challenges that even I didn’t.

It was a lot of late nights, but we definitely had some great team work and collaboration on a lot of the challenges. The people in the CTF room were great fun, and I got plenty of free bourbon and snacks from other teams.

The prizes weren’t actually given during the closing ceremonies this year, so we had some time to ourselves during them. We ended up receiving $500 in cash that we donated to HFC‘s Puerto Rican mission.

(No pictures from the closing ceremonies, but here is one that @LuxCupitor took of the back of us while receiving our prize)
DerbyCon 7 - CTF Prize

DerbyCon 7 – Conclusion

While I missed the closing ceremonies this year, we were able to grab some lunch and relax. In the end, over $15,000 was raised for Puerto Rican aid over multiple cons.

Unfortunately, this year’s tweets summed up some different feelings than last year

Also during the Closing Ceremonies was the 2nd Hackers for Charity auction. This was like nothing I had ever seen before. People who had donated their entire weekends at DerbyCon to charitable purposes raising thousands of dollars. At one point, a Louisville slugger made by Eddie sold for $2048 and was immediately re-donated. It then sold for $1024, being donated back one more time. The 3rd, and final price, was $769, making the total price (and donation) $3841.

The best way to sum up my feelings after DerbyCon was this Tweet of mine. I did get over the Louisville flu though, and made a speedy enough recovery.

Not as much excitement after this year, but plenty of ideas for challenges, write-ups, and exploits!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.