Schedule a Demo

Last week, NetSPI’s Mainframe Pentesting Team won first place in the inaugural SHARE Capture the Flag (CTF) event sponsored by Broadcom!

NetSPI’s Mainframe Pentesting Team won first place in the inaugural SHARE Capture the Flag (CTF) event sponsored by Broadcom!

For those unfamiliar, SHARE is an industry conference dedicated to mainframes, covering everything IBM z/OS related. The conference features in-depth talks ranging from zArch assembly optimization and CICS/IMS application development to z/OS administration and security system updates for TopSecret, ACF2, and RACF. NetSPI is a regular attendee, with its Director of Mainframe Penetration Testing, Philip Young, actively volunteering for the SHARE cybersecurity track, helping with talk selection.

Michelle Eggers and David Bryan Presenting their Talk at SHARE Capture the Flag (CTF) event sponsored by Broadcom
Michelle Eggers and David Bryan Presenting their Talk at SHARE Capture the Flag (CTF) event sponsored by Broadcom

Michelle Eggers and David Bryan Presenting their talk.

This year at SHARE, NetSPI presented two notable talks. The first, which launched the cybersecurity track, was delivered by David Bryan, Principal of Mainframe Penetration Testing, and Michelle Eggers, CICS/IMS Penetration Testing Lead. Titled, Mainframe Blackbox Network Pentesting, the presentation explored various vulnerabilities encountered during past mainframe penetration tests. The talk covered critical areas such as SNA discovery using open-source tools, misconfigured CICS regions, vulnerable web application integrations, and techniques for gaining elevated account access without authentication.

Philip Young (right) presenting his talk with Chad Rikansrud (left)
Philip Young (right) presenting his talk with Chad Rikansrud (left).
NetSPI’s Mainframe Pentesting Team: Michelle Eggers, David Bryan, Philip Young.
NetSPI’s Mainframe Pentesting Team: Michelle Eggers, David Bryan, Philip Young.

The second talk, Attacking OMVS: Yet Another Mainframe Vulnerability Source, was presented by Philip Young, Director of Mainframe Penetration Testing at NetSPI, and Chad Rikansrud, Software Security Researcher at Broadcom. As the title suggests, the presentation explored the various methods of leveraging OMVS (z/OS UNIX) during penetration testing, demonstrating how misconfigurations can be exploited to execute authorized code or assume different system accounts.

In a first for SHARE, the cybersecurity track introduced a Capture the Flag event, hosted and organized by Broadcom. The CTF was structured into three distinct sections: a quiz section testing z/OS knowledge, a z/OS section, and an advanced z/OS experts section. 

After swiftly completing the quiz section on the first day, David and Michelle focused on the z/OS section. The flags in this section were designed progressively, with each challenge naturally leading to the next. Their first breakthrough came through careful enumeration, where they discovered full read access to user job outputs. In one user’s job output, they not only found a flag but also uncovered a username and password in a commented-out job card. 

While the organizers have requested discretion about the specific challenges, the remaining flags demanded extensive knowledge across various domains, including surrogate profiles, Unix commands, dataset permissions, RACF commands, and password cracking techniques. 

The z/OS experts section, comprising just three flags, proved to be the most challenging. Philip, with David’s assistance, tackled these flags, with one particularly difficult challenge taking upwards of six hours to solve. The skills required were incredibly specialized, spanning z/OS assembly, debugging with the built-in TSO TEST debugger, understanding RACF passtickets, hex editing, reverse engineering, and exploiting z/OS buffer overflows. NetSPI distinguished itself as the only team to successfully capture all three flags in this section.

The competition was incredibly tight; it was a neck-and-neck battle between NetSPI and two other top-performing teams. As the CTF progressed, the scores remained close. Ultimately, NetSPI’s deep technical expertise and persistent problem-solving approach allowed the team to pull ahead, securing first place with a total score of 4,537 points. This victory showcased the team’s exceptional skills and ability to excel under pressure. Congrats to the second and third place teams! Second place was not far behind when the NetSPI team completed the final challenges. 

This achievement underscores NetSPI’s deep expertise and innovative approach to mainframe security testing. And we look forward to the next SHARE Capture the Flag event.

The final score at the end of the CTF
The final score at the end of the CTF.

Authors:

Headshot of Philip Young

Philip Young

Director, Mainframe

Explore More Blog Posts

Web Application Pentesting

Getting Shells at Terminal Velocity with Wopper

April 23, 2025

This article introduces Wopper - a new NetSPI tool that creates self-deleting PHP files and automates code execution on WordPress using administrator credentials.

Learn More
Adversary Simulation

CVE-2025-21299 and CVE-2025-29809: Unguarding Microsoft Credential Guard

April 15, 2025

Learn more about the January 2025 Patch Tuesday that addresses a critical vulnerability where Kerberos canonicalization flaws allow attackers to bypass Virtualization Based Security and extract protected TGTs from Windows systems.

Learn More
Web Application Pentesting

CVE-2025-27590 – Oxidized Web: Local File Overwrite to Remote Code Execution

April 9, 2025

Learn about a critical security vulnerability (CVE-2025-27590) in Oxidized Web v0.14 that allows attackers to overwrite local files and execute remote code execution.

Learn More