category iot - hard solution unfortunately the infra was down by the time I got to the writeup We’re given an IP and credentials, along with a reference to mosquito. There was also a URL that accepted a username, a password and OTP. I used MQTT Explorer to connect to the mosquito server. With a bit of patience, an office topic received a message with a “u” and “p” flag, base64 encoded....
category mobile - medium solution This was a fun one. We get an .apk to download. Open it in jadx and quickly see this is a React App. package com.microscopium; import com.facebook.react.ReactActivity; public class MainActivity extends ReactActivity { /* access modifiers changed from: protected */ @Override // com.facebook.react.ReactActivity public String getMainComponentName() { return "Microscopium"; } } Being React, I expected a large chunk of the logic to be in a JavaScript file, which could be found in the resources section....
category mobile - easy solution We get an .apk to download. Open it in jadx. And check the com.congon4tor.resourceful.FlagActivity class. There is a reference to the string flag{ and resource called md5. Checking out the resources section, the md5 is revealed to complete the flag.
category mobile - easy solution We get an .apk to download. Open it in jadx. And check the com.example.hack_the_app.MainActivity class. Run the app in a simulator (or a phone whatever you want), enter the credentials and find the flag.
category binary exploitation - easy solution The file we download is a ELF executable. $ file ret2basic ret2basic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3ca85eae693fed659275c0eed9c313e7f0083b85, for GNU/Linux 4.4.0, not stripped Running it hints the vuln. $ ./ret2basic Can you overflow this?: AAAA Nope :( $ $ ./ret2basic Can you overflow this?: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [1] 9615 segmentation fault ./ret2basic $ Disassembling the binary, we find that main() eventually calls vuln where the overflow exists....
category web - medium solution The challenge URL dropped us on a page related to fitness, with not a lot of interesting interactions. Navigating the pages you’d see a URL scheme where a page parameter is set. Eg: page=about. An about.php also exists, so this was potentially vuln to LFI. Using .. in the page parameter resulted in a warning message indicating that some filtering was taking place....
category web - medium solution We’re given an archive to download, agenttester.zip. This contained a Dockerfile and a python web application. The files in the archive had many secrets redacted which were set using environment variables. One specifically interesting one was CHALLENGE_FLAG, which we could assume was the target value to leak. The challenge URL dropped us on a page where we need to login. So, create an account, login and land on the home page of the agent tester....
category web - medium solution The challenge URL drops us on a page where we need to login. So, create an account, login and land on the home page of a blog. After creating a new post, you can see who visited your blog in the profile section. Poking around will reveal that if you tamper with your user agent string, that is what will show up in the analytics section....
category web - medium solution The challenge URL drops us on a page where we can submit cereals. We are also given two files to download, index.php & log.php. I quickly spotted an unsafe deserialisation bug in the provided files. The cleaned up and relevant PHP code from both files were: index.php <?php include 'log.php'; class CerealAndMilk { public $logs = "request-logs.txt"; public $request = ''; public $cereal = 'Captain Crunch'; public $milk = ''; public function processed_data($output) { echo "Deserilized data:<br> Coming soon....
category web - medium solution This was a tricker, but fun one. The challenge URL drops us on a login page with an OTP field. Signing up for an account responsed with a JSON structure containing a url key with an otpauth URI. Request POST /signup HTTP/1.1 Host: challenge.nahamcon.com:30809 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://challenge....