im_babyrev
CTF,

CSAW. Red Team competition. “Babyrev”

Babyrev is reversing challenge on CSAW “Red team competition” where have to pass 99 rounds of input 4-digits code based on some check function.  Main graph on IDA:  Disassembly of check(): Dump of assembler code for function check: 0x0000000000400893 <+0>: push rbp 0x0000000000400894 <+1>: mov rbp,rsp 0x0000000000400897 <+4>: mov QWORD

sshot-11
CTF,

Cybercamp 2018 quals: “Oh my G0d!”

Intro As a frequently player on cybergames and ctf’s this year wanted play on prequal of Cybercamp CTF 2018 organized by INCIBE. This allows me to take a snapshot of the maturity and quality of both platforms and challenges, apart from having a good time solving some problems (not always played

sshot-3
CTF,

Efiens CTF – mediumRE

Hi folks. This post is about a Efiens challenge, easy-medium RE that my colleague Cothan publish on twitter as a part of a set of them included on Efiens CTF. As described on his tweet, is an easy ctf that try to catch some talent people. I have spare time

score
CTF, Wargame,

S21SEC [DCS17CTF] – Namibia

Hi mates, During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated. Namibia – 450 points  SREC Motorola Firmware

score
CTF, Wargame,

S21SEC [DCS17CTF] – Ucrania

Hi mates, During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated. Ucrania – 450 points  Initial analisis Some

score
CTF, Wargame,

S21SEC [DCS17CTF] – Finlandia

Hi mates, During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated. Finlandia – 400 points  I have an Excel

score
CTF, Wargame,

S21SEC [DCS17CTF] – Mauritania

Hi mates, During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated. Mauritania – 400 points  First Run  Before

score
CTF, Wargame,

S21SEC [DCS17CTF] – Somalia

Hi mates, During my spare time i have tried some tasks from DSC17 CTF by S21sec. I will comment here on those in which I found more difficult or fun. FBCTF was present as platform so from here tasks names will be countries associated. Somalia – 800 points    They provide

ihacklabs
CTF, labs, Wargame,

IHackLabs, aprende de los mejores

Introducción Recientemente he probado “IHackLabs”, una plataforma de aprendizaje, laboratorios y certificaciones para estudiantes y profesionales. Me he reunido con Diana y Carlos, la gente detrás de esta idea, en “Sh3llCON2017 Congreso de Seguridad”. Todo el trabajo en torno a los laboratorios están destinados a reproducir los ejercicios del mundo

cropped-18997741986_d39e3eefdf_o.jpg
CTF,

LSE Epita format string

Time ago i can’t write on this blog. It’s normal when your time is full dedicated to work and study. Now, i have one hour to publish something related guess with ? Yes, ctf challenges :) Since this is only 1 point level and i think is basic for everyone

sssCaptura
CTF, PHP,

Hackover CTF – messagecenter

A long time since last writeup so i have decided comment a simple web level solved on “Hackover CTF”. It’s very old vulnerability related with type safe comparation on PHP and serialize function. We have a web login with normal test users (demo, demo2) and a ‘remember login’ function that help us

Captura
CTF,

HITB TEASER: SATCOM

WEB 1000 SATCOM Our division of foreign cyber affairs has been hard at work lately. While mapping out some obscure subnets (which we think belong to the intelligence agency that is investigating HEAVENWEB) we’ve come accross a Sattelite Communications Center. One of our employees managed to snag a copy of

ctfn0bs
CTF,

n00bs CTF Labs by Infosec Institute

This time InfoSec Institute bring us the opportunity to learn a very basic concepts for n00bs on a CTF with 15 Levels. Level 1 Just browse the source and see the comment. <!– infosec_flagis_welcome –> flag: infosec_flagis_welcome Level 2 Seems we have a broken image here. Just to see binary output

notsosecure
CTF,

Second NotSoSecure SQLiLab CTF

Dear fellow Hackers!, thanks for signing up for the 2nd SQLiLab CTF. The CTF is now on!. Before you go all out hacking the CTF, here are some rules of the engagement: 1. Strictly no brute-forcing. There is no need to brute-force anything. If we see any excessive brute-forcing attempt,

CTF,

Mission 1 & Mission 2 Write-Ups – Security-BSides London

Hi all!. Last february i have participated on Security BSides Challenges, here: https://www.securitybsides.org.uk/challenge1.html https://www.securitybsides.org.uk/challenge2.html Yesterday @AlecRWaters contacts me to confirm that we get second position on both challenges. So got a ticket to this  infosec conference. "Hi , I’m delighted to announce that you’ve won second prize in both Challenge 1 and

CTF,

PHDays 2014 Quals: PHP_JL writeup

This time another great quals CTF organized by guys and girls of PHdays. PHP_JL was another PHP with safe_mode and functions disabled. First we have to notice is the source of html output: <!– Notice: Undefined index: code in /var/www/index.php on line 53 Notice: Undefined index: code in /var/www/index.php on

CTF, Wargame,

Ghost in the Shellcode 2014: Write-up CTF247

This weekend we have 46 hours of hard ctf. Organization let tou play a ‘doom-style’ game that could be decompiled and must be pwned to achieve some missions. This task is one of two web challenges, a parody of CTF365 (lol).Going to ctf247.2014.ghostintheshellcode.com. was pretty simple since we notice there was

final
CTF, Wargame, XSS,

XSS Challenges

Here’s my journal to solve all the XSS Challenges writed  by yamagata21 on http://xss-quiz.int21h.jp/, This is an starter level to people who want to learn some cross-site scripting and its several ways to inject on differents browsers. XSS Challenges http://xss-quiz.int21h.jp Stage1: http://xss-quiz.int21h.jp Solution: <script>alert(document.domain);</script> Stage2: http://xss-quiz.int21h.jp/stage2.php?sid=e93e71eed43c3ab5668af6a5aa603cf66eedce70 Solution: “><script>alert( alert(document.domain))</script> Stage3: http://xss-quiz.int21h.jp/stage-3.php?sid=d362dd49b96c30f3e9a4a6ea0abafb0cef59ed2d Solution: The input in text box

CTF, Wargame,

NotSoSecure SQLi CTF – writeup

Access to challenge using a proxy like burp or zap and submit data to login. Notice the forwarded to: http://ctf.notsosecure.com/71367217217126217712/checklogin.php that contains: 7365637265745f72656769737465722e68746d6c This could be decoded ‘7365637265745f72656769737465722e68746d6c’.decode(‘hex’) in python to read secret_register.html >>> '7365637265745f72656769737465722e68746d6c'.decode('hex') 'secret_register.html' The registration page offers four fields that, when you register, create some session_id encoded

LittleSnapper
CTF, Wargame,

29C3 CTF: Node writeup

This 29C3 from Chaos Computer Club hackers. We participate as dcua team, awesome people trying the best effort for the challenges.  Nice job! Node Points: 200 Solves: 18 Description Node.js is smart, fast, easy and secure… Don’t you think so too? Hint: google and other sites always look at one file before

CTF, Wargame,

#PoliCTF 2012: “Este cifrado no es indescifrable”

This entry was a flash challenge in the PoliCTF event. The cipher was [ Vigènere (es) |  Vigènere (en) ] and the key SIXTEENTHCENTURYCRYPTO. 1. Open Cryptool and analyze Histogram, Frequency and set in text options the alphabet to use. (A-Z). Don’t identify yet? :-) YWLWIZRGPPKYHHUMPRJAHKEMCBVWGMVCTBEIXGBVDDKHZQPBRXRKYWTGBIEGFFJXDSEIKRSJLHBCTCKYTGCKCIASUWJYSVGLVHIIXLPBCPPDNHAVB-MLIFXJWVVMSFDVYCUTAATFTVXUXATEAJOZJKKWDYFWXBMMXVHUKIACIPRJVKPLAMKETWEARINSXXVLRKERWXGHQOBXSSVVOQRFIIYVZMCMVWZBUCXUHZGMZIIIRCERTOSFBPHJXUXWCWGNMLYNCWPLGGKFTXIQPPVLFHGVMPVQSXOLPLKXLRXUFSSLIDCCNDJEPDWLWCWGKBIKYXUTCNVZGTHAWKHJEABJGLBECUYAZRWHIYPQPIGBNSFQNKEKFKJLDOSEJBKXLR5MOCHNRNYYVZQHTRDGKHPSAZLTVRFYDZGICSUMLIHBRKFHTGXVFYFSVFDDNFVIFECPVOLUXBLCKBQNLPGRZISXEPVMANIPAUKRJVPTTFWWCVSYELLVLBLYNFQUMCHHOIKMYWGHZRINDCJSUGCRMSNMKGSABKKGVFTLVZGZLVLVGCQXHMAMVVIYXJYMPVQPGREMKPMXUZBPWJBFCQQFLQXCFBEXMVJTFYLLUYTYWJCLAWDMQAIXENUELRHHDYASCJLSVQKEMIHHMESAOYIQCKGDGKGZALAMYEHNANRMICVRGCMVWQOISARKDQVQLIWDGIRWXAWIKLXSZXHPMAZUEBHFPIACKMTASAVESNMFMYERJVCCNBUQXMMSAHMVVHMBRLFKFTMFMBEBWXUXYGMFLIDCVYGCZHWZOBFPLPYQRTPCKFVYGHVCMVQKCMFGAVLRKYTPWVJIROFLFGNYFMPEIVGNFJGIYCVSSVAHTTEXZUMBGUEBYYCGXCFKBRSYUTKVLRYLVCFFKIHCTRBVXXBMOKRXTHUQRVYZTGQWRLEASBAASHGINFCMCRXBKWOLERQLFUXRFMFDULPKXWDTXGGIPHLTGVGAPMWIADGTGZJBXCNGKUSYBWZRKEENHIJARUQMFLPQRUHQUGFKFXLVSXMXRAUHZVSOEUDCYVJAVSJBXBRPLMOGVRTLVRJFQTFCJMOXWTBGZKFYXNYYPFRWXFKIKWXLRRDKPYUYYCNUYRVCMVQTFPRUBVETTCERTLRWUSLWIWMJLHBTIYHIBGPXDDKHZMDNMPGRFQYAXYUMPCWAHCCQKMSEZBYTSEBEEMYNFNRCMLFWMXVDUQALHONCTVYUKOALTASABNSFRGUYNYTKCGKCJLFLIEFXAJIEXQVPGRKNKWSLLYTVBUSGQFPBZAJTMCLDAZBWXSPHYTYCMSFSTICPLCFIKWVSORVWSSRILPEFKBHBKMKLIJRTYISGMBVZGJRDYMGCXGHMARVWVCTHZAAFSINFFMAMSXUXUQAUBAYAJRLRXZDWOTHEZLBVPRKBVNTFKXLSVGLNSVQXYJICKIDGUVBNHIHMXVIEAWHNPUXXVKCEBTWWFZBMYVAPHUCBNLJGNVLIHPWLFXRXPHUUIAMFRQVEGVAHAALNKLGMVGRQMBRRUZJTGQWTXLXRVZOVMQXMKPQPCSMVWWIWFEVELAXBKYDGPURWBGUWRGXVLHMYLNMCKFCJDDKUGBQXRQBKLVLNGZFSTYSCWFWLVXEVFTNQETKYRREZRXSSFEFLLIQMVGQOXXKFGWGUMVGNKHZIZULTJBKYMCTZLDNFEMJHVCUBZJSCXQRQVFPTFWFLQAIABKSFXUTNWYKILTLGBCPMMGRTUFJEXYUMORPTFCJMQAERJHYFWGAYPYTVNTKGHMZMMZRLZQMSRILTGJCTGBGBEBRKVYAJIPKCDCUFDIAWKOLOIVAFLPXEXGRGPLLZGCOVQHCSHMOGRVPILJFJSVZSKBVHYEYEVYXUXZZDVYMUGCNMJUIVGHWCWFNHDYTBCSUILQCRSYFXLYLNMCJCGZDNHIXMBEEWVYLGPNGXZDAFSLHIDLPXIONLPUIRDNYCPZYHDMGCQHWXNGKDIFBXVKGFLTRSSZCKSQGHUKKUMILRUZBTMVWOXMIWBYWCVYBUDCPKYCWHGOBMLIEPLULNEFXGXVRWXASNFYXLBYUQZRFVVPVYYILVSTIGIZRKLXIEUYWMTXMIMVWSBRMWJXHNPYHPVQQLLSVFQXQH 2. Automatic Vigènere Decipher of the given text:

zombusiness
CTF, Wargame,

CTF Hack.lu: Mini Zombie Business (+100pt) write-up

We got to make some business with our zombie in https://ctf.fluxfingers.net:2076/mini/. There’s a zombie image and at first look we get some data encoded on it. <form/name="a"/data-a="Fcabdux ehiktgmaj:nopylqrsvf_wz(&quot;){}.?L="></form> <div/id="&#x61;"></div>//id="a" <img/src="zomb.png"/onclick="dafuq()"/> There is a <script> tag with several unescape functions and after convert it from url-encode and unicode text we get:

Wargame,

OWASP 2012 Online Competition

Para los que queráis ‘hackear’ en un entorno seguro y legal, Hacking-Lab ha promovido a través de su patrocinador OWASP un nuevo wargame con la posibilidad de ganar algún premio, como la asistencia a las AppSec USA y AppSEC Latam 2012. Personalmente me gustan este tipo de ‘challenges’, ya que despiertan en

LungoJS,

BuscaTuits1.2: Actualización a LungoJS 1.2

Acabo de añadir un repositorio en GitHub para actualizar la webapp “BuscaTuits” y adaptarla a la nueva versión de LungoJS 1.2. He corregido algunas inconsistencias para Android4+ relacionadas con el scroll y modificado el propio LungoJS 1.2 añadiendo un método que permite añadir un  <markup> por encima del scroll para

Android,

Intercambio de datos con JSON en Android SDK

Json es un formato compacto de intercambio de datos soportado por librerías en Android SDK. En este post vamos a escribir un par de funciones para entender como recuperar un fichero json de la web de TusPerlas y así de paso avanzar el pŕoximo artículo de nuestra primera aplicación en Android.   El código