security

2023


ImaginaryCTF rrng

Imaginary CTF is not your classical weekend CTF. Instead, they have been publishing fun challenges almost every day since April 2021 – pretty impressive. I've been solving some of their challenges here and there. This one, from last month, was especially fun. Also, I wanted to try a Jupyter-notebook-style write-up. Let me know if this helps comprehension or if it is too much mixing of code and text. The challenge states:

One Pixel Adversarial Attack - RCTF catspy

This post is about turning a photo of a cat into a photo of a goldfish by changing only one pixel, at least according to resnet50. With Organizers we participated in RCTF during the close race at the end of 2022 to be #1 on CTFtime. This literally meant participating in every highly rated CTF and solving every challenge, including the miscy of the misc. The challenge catspy appeared at around 2am in the misc category and the description states:

2022


Operating System Security Lecture Summary

Summary of the lecture Operating Systems Security, organized with self-test toggles. The lecture is concerned with binary exploitation from an offensive as well as a defensive point of view. I can really recommend the lecture if you are interested in modern security mechanisms implemented by operating systems and hardware. Basic Definitions: What is a vulnerability? What is the definition of an exploit? Set-uid-bit: Allows an executable, that is owned by the user, to use root privileges during execution

b01lers CTF resnet Model Inversion

With KITCTF we participated in the b01lers CTF and finished 6th. There were some quite fun challenges, including the resnet challenge, which is a machine learning challenge. I hope to see more machine learning challenges in the future. Challenge description: A naive AI startup released a new visual password system based on State-of-the-Art Neural Network technology. Wanting to save on costs they reuse the popular Resnet model to create embeddings which input password images are checked against hoping to leverage the feature extraction capabilities of Resnet.

Insomnihack Teaser 2022: Herald

Read more writeups at kitctf.de. Challenge description: Our lab administrator has just passed out from a strange virus. Please help us find the password to his messaging app so we can identify what he was working on and save his life. We are given an APK (Android Package). When started, it asks for a username and password. It does not require any network connection, so it is a classical CrackMe.

2021


hxp CTF: shitty blog

Read more writeups at kitctf.de. Challenge description: Please use my shitty blog 🤎! We are given a Docker container running PHP. The only notable things about it are that there is a readflag binary on the server and that the webroot is /var/www/html. Other than that, only index.php is interesting:

    <?php
    // TODO: fully implement multi-user / guest feature :(
    $secret = 'SECRET_PLACEHOLDER';
    $salt = '$6$'.substr(hash_hmac('md5', $_SERVER['REMOTE_ADDR'], $secret), 16).'$';
    if(! isset($_COOKIE['session'])){
        $id = random_int(1, PHP_INT_MAX);
        $mac = substr(crypt(hash_hmac('md5', $id, $secret, true), $salt), 20);
    } else {
        $session = explode('|', $_COOKIE['session']);
        if( !

hack.lu CTF 2021 Writeups

Tenbagger. Challenge description: I think I took it too far and made some trades and lost everything. My only chance to fix my account balance is a tenbagger. We are given a pcap and open it in Wireshark. It contains a lot of what looks like normal web browsing. But somewhere in there are a few FIX messages. FIX is the Financial Information eXchange protocol. At first, I thought that we needed to get the credentials from the FIX login, but there are no such packets.

ASIS CTF 2021 Writeups

These are writeups for the first CTF I participated in during a weekend. Before that, I had only solved some picoCTF and Google Beginners Quest challenges after the events. I played with KITCTF, the CTF team of the Karlsruhe Institute of Technology. Factory. Challenge description: In the simplest terms, factory misco-graphy is the ratio of output to input! The challenge file is only one PDF. Opening it only shows the text “Real-World Misco-graphy”.

2020


Fuzzing Countermeasures

This blog post is a seminar paper that I wrote in the summer semester of 2020 for the vulnerability discovery seminar (Schwachstellensuche) at KIT. I ran the LaTeX through pandoc once so that I could throw it onto my blog here. The formatting may suffer as a result. The seminar itself was organized like a conference, including peer reviews by other seminar participants using HotCRP. Beyond the subject matter, I also learned a lot about the peer-review process.

Security at KIT

For the Vigenère cipher, these one-liners came to mind spontaneously; there is surely nicer Python code, but for quickly trying things out in the Python shell the functions are quite handy. The definitions in the lecture and in the exercise differ by 1.

    # Key k and text m/c are expected to be uppercase A-Z strings.
    def encrypt(k, m):
        return ''.join([chr(((ord(k[i % len(k)]) + ord(x) + 1) % 26) + ord('A')) for i, x in enumerate(m)])

    def decrypt(k, c):
        return ''.join([chr(((ord(x) - ord(k[i % len(k)]) - 1) % 26) + ord('A')) for i, x in enumerate(c)])

Topic overview