Sebastian's Blog

software developer. security enthusiast.

XSRF in Benno MailArchiv Web-App (benno-web < 2.10.2) (CVE-2023-38348)

The Benno MailArchiv Web-App (benno-web prior 2.1.0.2) is vulnerable to Cross-Site-Request-Forgery. To exploit the vulnerability the attacker sends a link to a prepared page to a Benno MailArchiv user. The link then is able to trigger actions in the name of the user such as changing the users password (if the user is logged in).

WPS Hide Login 1.6.1 Protection Bypass (CVE-2021-3332)

The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containg the field post_password towards the default WordPress login url /wp-login.php. In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field but no else-case is defined.

HV19.24 ham radio

I haven’t solved this during the contest, but I want to share my solution. The zip file contained a binary file named brcmfmac43430-sdio.bin; which is a Broadcom 43430 SDIO firmware. After some time poking around using ghidra I found a base64 encoded string Um9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U/ which decodes to Roses are red, Violets are blue, DrSchottky loves […]

HV19.23 Internet Data Archive

The page asks for a username and files to be downloaded. Dowloading the flag is not allowed. Submitting the form leads to another page with a download link and the password for the generated zip file. The generated files are all stored within the /tmp folder. Apache allows indexes on this folder so sorting the […]

HV19.22 The command … is lost

The attached file turned out to be an intel hex file containing some kind of an arduino program or something. Loading the file in ghidra and poking around showed some methods which seem to just swap around variables. I recreated this behaviour in python and got the flag. The flag is HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}.

HV19.21 Happy Christmas 256

The information provided was pretty helpful. Ten years ago (2009) there was a big password leak, known as rockyou. As his password is 16 characters long we have to check every 16 characters password from the rockyou wordlist. As santa uses NIST-P256 with the SHA256 hash of the password as key, we can simply hash […]

HV19.20 i want to play a game

The attached zip file contains a binary named game. Using ghidra to analyze the file showed, that this is some PS4 executable. The code opens a file /mnt/usb0/PS4UPDATE.PUP, validates the md5 hash and xors some content of the file with a key contained in the executable. As ghidra was unable to properly resolve references, it […]

HV19.19 🎅

I immediately recognized this as emojiCode. The EmojiCode debugger has an option to prettify the code, which helped a lot. As the documentation isn’t that good, I had to google for most of the emojis to find out what’s going on. Basically, the program takes some user input. Then it runs over an existing string, […]

HV19.18 Dance with me

The attached zip file contained a binary called dance which is an actual iOS binary. It will ask you for some input and will return the flag. After looking at the crypto implementation I thought that this could be the Salsa20 cipher – which would also fit the name. Analysing the main function and the […]