
RealWorld CTF 2021

This year I played the Real World CTF with team Sauercloud and we scored second place. I was involved in solving DBaaSadge, a web challenge, and am happy to share my writeup as a good source of knowledge for other people.

If you want to follow the writeup side-by-side with your own setup, you can find all the challenge files here.

The challenge

In the challenge, we get a Dockerfile that sets up a Postgres 10 database with two extensions: dblink and mysql_fdw. The first one is an extension by Postgres itself and allows the user to link and connect Postgres databases…


The Wacky TeXt Generator

wacky.buggywebsite.com

A few days ago, BugPoC announced another one of their great CTF challenges on Twitter. Since I have always learned a lot when solving their challenges, it went without question that I played this one as well.

Challenge

The challenge rules were simple:

  1. You must alert(origin) showing https://wacky.buggywebsite.com
  2. You must bypass CSP
  3. It must be reproducible using the latest version of Chrome
  4. You must provide a working proof-of-concept on bugpoc.com

Setup

The challenge domain was wacky.buggywebsite.com. When opening the domain, the Wacky TeXt Generator displays a small editor and a button as it is shown in the title picture.

As the following…


Hack.lu Writeup

The challenge FluxCloud Frontline (web, hard) was part of the amazing Hack.lu CTF. It took a friend and me, both playing for the team FAUST, two evenings to crack the great challenge.

In the following, I describe the plain solution and leave out the many rabbit holes we stepped into.

The Challenge

With our brand-new FluxCloud Frontline product, we offer hyper-secure, ultra-rapid edge routing. Of course we have a bug bounty program too! If you can bypass our protections, you will be rewarded with a juicy flag. https://public.frontline.cloud.flu.xxx:8443/

When we open the challenge, we are provided with the source code of the…


The magic of GitHub search, API keys, and automation


A few days ago, I discovered that Medium provides an API that everyone can request authentication keys for. While waiting for my key request to be approved, I searched on GitHub to see whether I could find accidentally uploaded keys. To my surprise, I found hundreds of files in public repositories containing data that looked just like Medium authentication keys. Indeed, the second key I tried was already functional. In this article, I describe what a malicious user could do with these keys and how I automated the process of finding valid keys.


Are they possible and are they a real risk?


The first time I came across the service worker concept was during DEF CON CTF. In one challenge, we had to register a service worker to intercept the user's traffic and reroute it to our server. This concept sounded interesting and dangerous, so I researched it and eventually realized it would be a good topic for an article about using service workers as a “Man in the Middle” (MitM) and whether such an attack is feasible in the real world.

What Are Service Workers?

Of course, your first question is likely “What even is a service worker?” The Google web developer guidelines describe them as follows:


A bug bounty report


I was writing a new article on Medium when I started procrastinating and looking at the traffic this website produces. Knowing there is a bug bounty program on Medium that had awarded me before, I thought maybe I would be lucky once again and decided to play around with the follow and unfollow calls.

The GraphQL API

Medium uses GraphQL, initially developed by Facebook, to communicate with parts of its API and inform the database about follow and unfollow requests. To do so, only the target user ID is required; user authentication is verified via auth cookies. In answer to a request, the server would…



A few weeks ago I found a bug in one of PayPal’s APIs that can easily be abused to allow excess fraudulent charges, where buyers are unknowingly charged more than they agreed on (read more here). Of course, I submitted it to PayPal’s bug bounty program; however, the report was rejected because fraud, theft, or malicious merchant accounts are out of scope.

All the people I explained the impact to were also surprised that the report was rejected, so it made me think: what should companies consider when designing a good bug bounty program? In this article, I share my…



DEFCON CTF Quals

Yes… DEFCON really is cancelled this year; nevertheless, I did not miss the chance to play the DEFCON CTF Quals. I participated with the team Sauercloud and spent most of the time on the pooot web challenge. Unfortunately, we did not solve the challenge before the end of the Quals, but I continued and eventually figured the solution out. To document the solution for myself and hopefully help anyone who did not solve the challenge, here is my writeup.

What do we have?

The web is becoming more and more dangerous everyday. Our secure pooot proxy allows you to continue your browsing…



I like cooking; it is somewhat relaxing to take some time off and create a delicious meal. A friend recommended an app called KptnCook to me, and I have really enjoyed it. KptnCook only offers three recipes per day. The recipes are available for one day only and then they disappear. To save a good recipe, I can store it in my favorites. Thus, you don’t feel overwhelmed by the lots of recipes you get in other apps.

Nevertheless, the curious person that I am, after a few weeks using the app, I thought about ways to trick the…



Another IoT Story

My parents bought a photovoltaic system developed to produce and use their own energy. Of course, as with every IoT device nowadays, one may use an app to monitor the produced data. However, when I was home for Christmas my parents told me that monitoring with an app is stupid and that they want to store and view the data on their personal computer. After some research I found no PC interface available for the system and decided to dig deeper into it.

Reversing

To begin my research, I looked up the IP address of the system and scanned for open ports with nmap

FHantke

Computer Science Student. Interested in IT security and forensics. https://fhantke.de/
