software developer. security enthusiast.
I haven’t solved this during the contest, but I want to share my solution. The zip file contained a binary file named brcmfmac43430-sdio.bin; which is a Broadcom 43430 SDIO firmware. After some time poking around using ghidra I found a base64 encoded string Um9zZXMgYXJlIHJlZCwgVmlvbGV0cyBhcmUgYmx1ZSwgRHJTY2hvdHRreSBsb3ZlcyBob29raW5nIGlvY3Rscywgd2h5IHNob3VsZG4ndCB5b3U/ which decodes to Roses are red, Violets are blue, DrSchottky loves […]
The page asks for a username and files to be downloaded. Dowloading the flag is not allowed. Submitting the form leads to another page with a download link and the password for the generated zip file. The generated files are all stored within the /tmp folder. Apache allows indexes on this folder so sorting the […]
The attached file turned out to be an intel hex file containing some kind of an arduino program or something. Loading the file in ghidra and poking around showed some methods which seem to just swap around variables. I recreated this behaviour in python and got the flag. The flag is HV19{H3y_Sl3dg3_m33t_m3_at_th3_n3xt_c0rn3r}.
The information provided was pretty helpful. Ten years ago (2009) there was a big password leak, known as rockyou. As his password is 16 characters long we have to check every 16 characters password from the rockyou wordlist. As santa uses NIST-P256 with the SHA256 hash of the password as key, we can simply hash […]
The attached zip file contains a binary named game. Using ghidra to analyze the file showed, that this is some PS4 executable. The code opens a file /mnt/usb0/PS4UPDATE.PUP, validates the md5 hash and xors some content of the file with a key contained in the executable. As ghidra was unable to properly resolve references, it […]
I immediately recognized this as emojiCode. The EmojiCode debugger has an option to prettify the code, which helped a lot. As the documentation isn’t that good, I had to google for most of the emojis to find out what’s going on. Basically, the program takes some user input. Then it runs over an existing string, […]
The attached zip file contained a binary called dance which is an actual iOS binary. It will ask you for some input and will return the flag. After looking at the crypto implementation I thought that this could be the Salsa20 cipher – which would also fit the name. Analysing the main function and the […]
After registering and logging in, I got a page showing different Unicode characters and their different representations. The website also allows to view some part of the source code: The registerUser function actually updates a users password (INSERT INTO … ON DUPLICATE KEY UPDATE password=) if we register with an existing username. But we only […]
After poking around with ghidra I found the part which checks the input and calls the responsible math function (which are all nop). I used ghidras rename feature to rename these functions. Searching for references to this functions shows, that there are also called in another part of the program. The part calculates some string […]
The given page shows a counter of processed gifts. The source code reveals, that there is a connection to a MQTT broker. Directly connecting to the MQTT broker and subscribing to the $SYS/broker/version topic, returns the following message: So the broker is running Mosquitto 1.4.11 which does contain a vulnerability which bypasses authentication when the […]