
Open InfoSec Days in Tomsk. Activity summary

A few weeks ago I wrote about free classes on information (in)security in Tomsk.
The news spread quite widely, the classes are under way, and this post is a short account of what goes on in the classroom and how you can “join” us and gain the knowledge without being in Tomsk.
Those without a Habr account can read it here.

About classes


They take place on Saturdays, approximately at 3-5 pm, in room 106 of the IBU "Friendship". Each lasts about an hour. The classes follow a similar structure:

Lesson 1, September 17. XSS

More than 120 people came to the first lesson. There were 70 chairs and about 40 more were brought in; every seat was taken and people were still standing. Apparently many had heard familiar words somewhere and came out of curiosity, with no background. Well, that was expected. It was very difficult to run the class, but I did not want any entry criteria for participants, and there still are none, so what we had to face simply had to be got through. While people waited, demoscene productions were playing, creating a bit of atmosphere.

Lesson 2, September 24. CSRF

About 40-50 people came. It was already easier, both in terms of organization and in simply running the lesson. It went pretty quickly. The demonstration did not tire anyone either; we fit it into 45 minutes.

Lesson 3, October 1. File inclusion

Slightly more people came than to the second lesson. This lesson and the next one (SQL injection) are more about targeted hacking. We went through LFI/RFI and demonstrated null-byte injection on a live foreign hosting service. We tried LFI through Apache logs and obtained the ability to execute arbitrary commands on the server in several ways.

Course materials


During the week after each class, the following are posted on the site:

Available at the link.

Mass media


We did not escape attention here either. A short report from TV-Tusur:


Where are we going?


For now it is hard to judge what all this will lead to. But one result of the first lesson was that one of our participants (flexo) tested mail.ru's mail service for XSS, and “successfully” at that (see the article “We're taking away other people's cookies from mail.ru”).

Materials, the program and class news are available at: oisd.sergeybelove.ru
VKontakte group (discussions, requests, questions about the classes): vk.com/openinfosecdays
A playlist with class recordings: www.youtube.com/playlist?list=PLC01F29C5DAC8590F

P.S. I would welcome suggestions for topics while we are still on the web. Once we finish the chapter on attacks against web applications, we will move on to network attacks and attacks on the OS and will not come back.

... And yes, someone wanted to organize something similar in their own city. All the materials are available, and I am always ready to cooperate; my contacts are in my profile.

Source: https://habr.com/ru/post/129599/

