Logo

Posts

Confessions - Hack.lu 2020 Writeups

3 minute read Published:

Writeup for Confessions challenge of Hack.lu CTF 2020
Confessions Description Someone confessed their dirtiest secret on this new website: https://confessions.flu.xxx Can you find out what it is? Write-Up After some basic poking around and seeing what the website does we find that pretty much the whole thing is done by javascript calling a GraphQL backend. It seems the /graphql backend allows pretty much arbitrary queries, so let’s see what we can pull out of there. Using an adapted query from https://github.

Flagdroid - Hack.lu 2020 Writeups

4 minute read Published:

Writeup for flagdroid challenge of Hack.lu CTF 2020
Flagdroid Description This app won’t let me in without a secret message. Can you do me a favor and find out what it is? Write-Up For this challenge we get an APK file. Fortunately APK files are fairly well reversible (as is most Java based bytecode). In this case we just used an online service to “decompile” the APK for us, but there are plenty of tools you can use to do this locally if you want.

FluxCloud Serverless - Hack.lu 2020 Writeups

2 minute read Published:

Writeup for FluxCloud Serverless challenge of Hack.lu CTF 2020
FluxCloud Serverless Description To host stuff like our website, we developed our own cloud because we do not trust the big evil corporations! Of course we use cutting edge technologies, like serverless. Since we know what we are doing, it is totally unhackable. If you want to try, you can check out the demo and if you can access the secret, you will even get a reward :) Note: This version of the challenge contains a bypass that has been fixed in FluxCloud Serverless 2.

FluxCloud Serverless 2.0 - Hack.lu 2020 Writeups

3 minute read Published:

Writeup for FluxCloud Serverless 2.0 challenge of Hack.lu CTF 2020
FluxCloud Serverless 2.0 Description To host stuff like our website, we developed our own cloud because we do not trust the big evil corporations! Of course we use cutting edge technologies, like serverless. Since we know what we are doing, it is totally unhackable. If you want to try, you can check out the demo and if you can access the secret, you will even get a reward :) Note: This is the fixed version of FluxCloud Serverless.

Hack.lu 2019 Writeups

1 minute read Published:

Writeups for some challenges of Hack.lu CTF 2019
A few more writeups for the Nucular Power Plant, Time Machine, and COBOL OTP challenges from the 2019 Hack.lu CTF. https://git.insomnia247.nl/coolfire/hacklu-2019/blob/master/README.md

VincCTF 2018 TokenVault v1 writeup

1 minute read Published:

Writeup for the tokenvault 1 challenge of VincCTF CTF 2018
A writeup for nice little challenge from the 2018 VincCTF. A CTF full of crypto challenges. The TokenVault v1 writeup is a nice gentle introduction into exploiting cryptography bugs. https://git.insomnia247.nl/coolfire/VincCTF-2018/blob/master/TokenVault1.md#tokenvault-1

Kringlecon / SANS Holiday Hack Challenge 2018 Writeup

39 minute read Published:

Writeup for the SANS Holiday Hack Challenge 2018
Question 1: What phrase is revealed when you answer all of the KringleCon Holiday Hack History questions? For hints on achieving this objective, please visit Bushy Evergreen and help him with the Essential Editor Skills Cranberry Pi terminal challenge. Just quit vi, using :q Hi, I’m Bushy Evergreen. I’m glad you’re here, I’m the target of a terrible trick. Wow, it seems so easy now that you’ve shown me how!

Hack.lu 2018 Babyphp Writeup

1 minute read Published:

Writeup for the babyphp challenge of Hack.lu CTF 2018
Full writeup for the Babyphp challenge from the 2018 Hack.lu CTF. Lots of interesting PHP oddities to explore! https://git.insomnia247.nl/coolfire/hacklu-ctf-2018/blob/master/baby-php.md

PwCTF Pre-Qualifiers 2018 Writeup

1 minute read Published:

Writeup for the PwCTF pre-qualifiers of 2018
Just a short writeup of the pre-qualifier rounds for this years PwCTF. https://git.insomnia247.nl/coolfire/PwCTF-prequals_2018