From Ctf to Cve: How Application of Concepts and Persistence Led to a Vulnerability Disclosure

As an industry, we are always looking for ways to sharpen our skills. We have education, certifications, and mentorship programs. A staple at Defcon as well as most other conferences is the Capture the Flag (CTF) competitions. As a blue teamer, in an effort to sharpen my skills, I started downloading CTF VMs and working through them. For more applicability, I started applying these concepts to things outside the CTF for bug bounties, but to no avail. As luck would have it, I left Burp on and logged in to configure my lab wireless router to use for testing and learning wireless hacking. While the antennae that I bought to attack wireless were being used, they weren’t being used in the same sense of attack. I logged into the router and noticed several vulnerabilities in the router’s authentication scheme. This presentation breaks down the concepts of the CTF and how I applied them through the research and responsible disclosure process.