Let’s connect to the service : After some tests, Notfound found (*tadam tss*) that the phone field can be used to inject hexa code when you register a new user : After that, when you log as the « po » user and type the « HISTORY » command, the injection happened. So (after many tests…) let’s try to […]
This task is a Crackme/Reverse task worth 500 points from the Nuit du Hack qualifications. We were given an ELF : superman: ELF 32-bit LSB executable, Intel 80386, invalid version (SYSV), for GNU/Linux 2.6.24, dynamically linked, interpreter 04, corrupted section header size This task is very similar to the Clark Kent. Except that there is […]
Description: Romors say that something is buried in treasure.ctf.0ops.sjtu.cn, happy treasure hunting. 🙂 First of all, we do a DNS request : Well, we see that the IPv4 pointing on localhost, but the IPv6 is more interesting. Let’s try a ping6 on it: Well, it works 🙂 We decide to traceroute6 on it : Ok, […]
This task is a web task worth 250 points from the 0CTF 2015. There is an input field, and two buttons : Login and FLAG. FLAG gives us the source code of the task, without the db credentials : At this point, I was a bit sad, because I wanted to get the flag. 😦 […]
> crackme1 – First of all, execute the binary ( ‘coz I know that’s not a malware) : – Well, let’s try with gdb ! – That’s very interesting ! This part of assembler code means : – Call the function strlen – Compare to 0x1337 (4919) + return(strlen) and 0x1342 (4930) – Jump if […]
> STEG1 : [Google phishing file ?] – This challenge was a file named « Google.fr ». First of all, as usual, I used the ‘file’ command from BSD. The file was a tar.gz archive : – Well, at the end, there are two files. Taking a quick look at the .html file reveals in a comment […]
– For this challenge, a .pcap file was given : – Since I discovered scapy, which is a python library, I use it with Wireshark or tshark or tcpdump. So, let’s have a look at this capture using scapy : So, the capture constained 51 TCP packets and 6 sessions. We can see easily that’s […]
WEB1 : [X0X0.html] – First of all, beautify the code using jsbeautifier.org (or another one) Add document.write() and delete last () at the last line : – The output is the following (without the indent) : Flag : [0bfuscat3d{js}] ———————————————————————————————————————————————- WEB2 : [G00d_Luck.html] Open with firefox, right click, inspect the element, will return […]
Those files were given : – So, I had three PEM certificates and a S/MIME entity text file. Well, that’s have a look at a certificate, using openssl : I noticed that the exponent is the smallest possible ( the RSA public exponent e is an integer between 3 and n – 1 […]
Thx to fr0g for these writeups ! cscamp-2014-pe100 cscamp-2014-elf100 tinyctf-2014-speed-writeup-rev300 Enjoy
Hexpresso 