Sebastian's Blog

software developer. security enthusiast.

Category: HACKvent 2019

HV19.H4 Hidden Four

Hidden four hasn’t got a description. As hidden four came out the same day as HV19.14 Achtung das Flag I thought it must be about that challenge. As the flag from HV19.14 looks pretty messed up, and as the code states at some point that Only perl can parse Perl!, I thought, maybe just run […]

HV19.14 Achtung das Flag

The given Perl code is a game similar to the popular game Achtung, die Kurve! resp. curve fever. We could play the game and move the curve using the keys n and m. When catching a displayed character a new one would appear. As this is pretty hard I took a closer look at the source […]

HV19.13 TrieMe

So this time we got a web application and the corresponding – following – source code. The code creates a trie and stores the security token auth_token_4835989 and a string entered by the user in it. Later it checks if the trie contains the security token, if not, the flag is returned. I had a […]

HV19.12 back to basic

The zip file contained an executable named BackToBasic.exe. The program takes a flag and tells us if the flag is wrong or right. As this was written in VisualBasic I used VB Decompiler to decompile the executable to basic code. After some reading through the lines I found that the user input is compared with […]

HV19.H3 Hidden Three

Hidden three came out the same day as HV19.11 Frolicsome Santa Jokes API. And as the API was the first challenge where we had to deal with a remote server, maybe the flag is hidden on the remote server. A quick scan using nmap reveals that there is another port opened: port 17. […]

HV19.11 Frolicsome Santa Jokes API

The given API consists of three endpoints: /register, /login, /random. The workflow is the following: (1) Register a user, (2) Log in and retrieve auth token, (3) Get random joke using auth token. When creating a basic user, logging in and calling /random we would receive a JSON-Object containing the actual joke, the author of the joke and […]

HV19.10 Guess what

When running the binary it asks for an input to validate. Putting test returns nooooh. try harder! So I thought, that the right flag would be the valid input. Putting a single space or multiple characters separated by a space returns various bash errors. Firing up gdb shows that various subprocesses are spawned: first an […]

HV19.09 Santas Quick Response 3.0

So the qr code looks broken. Doing a reverse image search on the first image reveals that the image was taken at Cambridge North railway station. The cladding of the building features a pierced design derived from Rule 30. So I thought maybe generate a Rule 30 image, put it over the qr code and […]

HV19.08 SmileNcryptor 4.0

Introduction: You hacked into the system of very-secure-shopping.com and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don’t worry, because the data is encrypted. Dump-File: dump.zip. Goal: Analyze the “Encryption”-method and try to decrypt the flag. Hints […]

HV19.H2 Hidden Two

Again a hidden flag. Challenge Description: As Hidden Two came out the same time as HV19.07 Santa Rider I thought it might be again of the challenge that also came out that day like before with Hidden One. I thought it was odd, that there was a download for a zip containing the video of […]