Today Sebastian opened his mailbox and saw a new email popping up. You have received fax, document 00311594 from email@example.com with a file attached. Let’s have a closer look at it :)
The evening after the hacklu CTF I had the urge to hack on some other challenges. Ctftime.org listed the ekoparty CTF 2015 as the first entry and there was one day left. In this blogpost I’m going to write up my solutions for the following challenges:
- Slogans ( Trv 50)
- SSL Attack (Trv 90)
- Blocking truck (Trv 100)
- Pass Check (Web 50)
- XOR Crypter (Cry 200)
- Press it (Misc 100)
And some notes on other services I’ve tackled.
During the last two days, the Hacklu CTF 2015 was held. It’s a jeopardy-style CTF and Sebastian joined to have some fun ;) Here’s the writeup of the following challenges:
- Module Loader (Web, 100)
- PHP Golf (Coding, 75)
- Guessthenumber (Coding, 150)
- Bashful (Web, 200)
Sebastian reinstalled his Arch Linux recently and continued to build some AUR (Arch user repository) packages. He’ll share some of the security related ones with you.
Sebastian participated in a CTF (capture the flag) a couple of months ago. One challenge he faced was the task of restoring a git repository from a directory listing enabled webserver. With directory listing, it was pretty easy, but Sebastian was curious if it’s possible to restore git respositories without directory listing and how common this misconfiguration flaw is.
With that idea in mind, we began to develop some tiny tools and started to do some research. The results were not as bad as anticipated, but nevertheless surprising.
In this blogpost we will discuss a simple information disclosure problem called unauthorized AXFR. This can be used to leak DNS settings of a particular target, thus revealing internal / private considered DNS entries.
We’ve checked Alexa’s Top 1M for this kind of issue and came to some interesting results.
Sebastian recently discovered an interesting CSRF bypass and we would like to share this finding with you.
2014 was another very awesome year. We’ll write about some of the highlights in this article and tell you about why 2014 was important for us and our project @internetwache. Last but not least, we’ll give a sneak preview of our plans for 2015.
First of all: We wish all our readers a happy new year! A special writeup about Internetwache in 2014 and other projects will be published in about a week.
To be honest we planed to publish an article every day of the #31c3, but as you might have read in the other posts: We were very busy meeting cool people, hearing awesome talks and finally being tired as hell :) So we decided to postpone the blogposts after the #31c3. Finally we got some time after New Year’s Eve (without internet) to write down the experiences of the last two days.
Our second day at the #31c3 was also very nice - we want to summarize our impressions of the second day in this blogpost. But before we start we will let you know how we finished the first day.