The Benno MailArchiv Web-App (benno-web prior to 2.1.0.2) is vulnerable to cross-site request forgery. To exploit the vulnerability, the attacker sends a link to a prepared page to a Benno MailArchiv user. If the user is logged in, the link is able to trigger actions in the name of that user, such as changing the user's password.
The Benno MailArchiv Web-App is vulnerable to cross-site scripting if benno-rest-lib / benno-rest prior to 2.10.1 is used. To exploit the vulnerability, the attacker sends an email containing malicious JavaScript to a mailbox which is archived by Benno MailArchiv. When a user logs into the Benno Web-App and views the malicious e-mail, the JavaScript is executed.
The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containing the field post_password to the default WordPress login URL /wp-login.php. In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field, but no else-case is defined.
I haven’t solved this during the contest, but I want to share my solution. The zip file contained a binary file named brcmfmac43430-sdio.bin, which is a Broadcom 43430 SDIO firmware. After some time poking around using Ghidra I found a base64 encoded string Um9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U/ which decodes to Roses are red, Violets are blue, DrSchottky loves […]
The page asks for a username and files to be downloaded. Downloading the flag is not allowed. Submitting the form leads to another page with a download link and the password for the generated zip file. The generated files are all stored within the /tmp folder. Apache allows indexes on this folder, so sorting the […]
The attached file turned out to be an Intel HEX file containing some kind of an Arduino program or something. Loading the file in Ghidra and poking around showed some methods which seem to just swap around variables. I recreated this behaviour in Python and got the flag. The flag is HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}.
The information provided was pretty helpful. Ten years ago (2009) there was a big password leak, known as rockyou. As his password is 16 characters long, we have to check every 16-character password from the rockyou wordlist. As Santa uses NIST-P256 with the SHA256 hash of the password as key, we can simply hash […]
The attached zip file contains a binary named game. Using Ghidra to analyze the file showed that this is some PS4 executable. The code opens a file /mnt/usb0/PS4UPDATE.PUP, validates the MD5 hash and XORs some content of the file with a key contained in the executable. As Ghidra was unable to properly resolve references, it […]
I immediately recognized this as Emojicode. The Emojicode debugger has an option to prettify the code, which helped a lot. As the documentation isn’t that good, I had to google for most of the emojis to find out what’s going on. Basically, the program takes some user input. Then it runs over an existing string, […]
The attached zip file contained a binary called dance, which is an actual iOS binary. It will ask you for some input and will return the flag. After looking at the crypto implementation I thought that this could be the Salsa20 cipher – which would also fit the name. Analysing the main function and the […]