Sebastian's Blog

software developer. security enthusiast.

HV19.17 Unicode Portal

After registering and logging in, I got a page showing different Unicode characters and their different representations. The website also allows to view some part of the source code: The registerUser function actually updates a users password (INSERT INTO … ON DUPLICATE KEY UPDATE password=) if we register with an existing username. But we only […]

HV19.16 B0rked Calculator

After poking around with ghidra I found the part which checks the input and calls the responsible math function (which are all nop). I used ghidras rename feature to rename these functions. Searching for references to this functions shows, that there are also called in another part of the program. The part calculates some string […]

HV19.15 Santa’s Workshop

The given page shows a counter of processed gifts. The source code reveals, that there is a connection to a MQTT broker. Directly connecting to the MQTT broker and subscribing to the $SYS/broker/version topic, returns the following message: So the broker is running Mosquitto 1.4.11 which does contain a vulnerability which bypasses authentication when the […]

HV19.H4 Hidden Four

Hidden four hasn’t got a description. As hidden four came out the same day as HV19.14 Achtung das Flag I thought it must be about that challenge. As the flag from HV19.14 looks pretty messed up, and as the code states at some point that Only perl can parse Perl!, I thought, maybe just run […]

HV19.14 Achtung das Flag

The given perl code is a game similar to the popular game Achtung, die Kurve! resp. curve fever. We could play the game and move the curve using the keys n and m. When catching a displayed character a new would appear. As this is pretty hard I took a closer look at the source […]

HV19.13 TrieMe

So this time we got an web application and the corresponding – following – source code. The code creates a trie and stores the security token auth_token_4835989 and a string entered by the user in it. Later it checks if the trie contains the security token, if not, the flag is returned. I had a […]

HV19.12 back to basic

The zip file contained a executable named BackToBasic.exe. The program takes a flag and tells us if the flag is wrong or right. As this was written in VisualBasic I used VB Decompiler to decompile the executable to basic code. After some reading through the lines I found that the user input is compared with […]

HV19.H3 Hidden Three

Hidden three came out the same day as HV19.11 Frolicsome Santa Jokes API came out. And as the API was the first challenge were we had to deal with a remote server, maybe the flag is hidden on the remote server. A quick scan using nmap reveals that there is another port opened: port 17. […]

HV19.11 Frolicsome Santa Jokes API

The given API consists of three endpoints: /register, /login, /random. The workflow is the following: Register a user Login in and retrieve auth token Get random Joke using auth token When creating a basic user, logging in and calling /random we would receive a JSON-Object containing the actual joke, the author of the joke and […]

HV19.10 Guess what

When running the binary it asks for an input to validate. Putting test returns nooooh. try harder! So I thought, that the right flag would be the valid input. Putting a single space or multiple characters separated by a space returns various bash errors. Firing up gdb shows that various subprocesses are spawned: first an […]