Challenge: Phonebook

Category: web security

We are given an instance of a website that requires us to log in when we navigate to it. There is a message indicating that there is a new update to how users can log in, and it is posted by someone who is likely an admin of the website.

After scanning the website, I first noticed that there is a reflected XSS vulnerability that exists with the message parameter in the URL leading to the login page. You could enter an img tag with JavaScript in the onerror attribute and the JavaScript would execute, which means there is…


Challenge: Impossible Password

Category: reverse engineering

We are given a file called “impossible_password.bin”. Using xxd, I looked at the header of the file and found out that it was actually an ELF which meant that it could be executed. When I set executing permissions and ran the file, it prompted me for an input, which I guessed would be a password.

Since there seemed to be no other features to the program, I opened it in IDA to try to discern what the first input should be. The first thing you see after entering main is a string called “SuperSeKretKey” being stored in…


Challenge: WebNet0

Category: Forensics

We are given a Wireshark packet capture file called “capture.pcap” and an RSA key called “picopico.key”. When you open capture.pcap in Wireshark you see a TLS stream that is likely to hold the flag somewhere in it.

When you follow the TLS stream, you can tell that it’s obviously encrypted since that is the job of the protocol. You can still make out a few headers, but none of these contain relevant information to find the flag. Using the given key file, we can decrypt the TLS stream by setting an RSA key in Wireshark’s TLS preferences.

To…


Challenge: Investigative Reversing 3

Category: reverse engineering and forensics

We are given a binary called “mystery” and an image named “encoded.bmp”. When I opened mystery in IDA, I saw that three files were being opened, two that are being read from (flag.txt and original.bmp) and one that is being appended to (encoded.bmp). I renamed the streams that were returned after each fopen call with the name of the file it referenced.

The next few blocks of assembly dealt with error handling in case these files are not found. If this is the case, the program prints an output message telling you to run mystery…


Challenge: messy-malloc

Category: binary exploitation

We are given a binary and its source code, called “auth” and “auth.c”. By looking at auth.c, you can tell that this program is essentially a simple authentication program. There are a few important features of the source code that show us how everything works, which are the functions login, logout, and print_flag, as well as the user struct that looks like the following.

In order to get the flag, a user needs to have the correct access code. …


Challenge: OTP Implementation

Category: reverse engineering

We are given a binary called “otp” and a text file called “flag.txt”. If you execute otp, you will notice that you need to pass a key as an argument in order for the program to run. When I opened otp in IDA, I saw that this key is scrambled with unknown logic, then compared to another string. If these strings match, the program prints “You got the key, congrats! Now xor it with the flag!”

This indicates that flag.txt does not contain any part of the actual flag, and finding the key is likely the only…


Challenge: vault-door-6

Category: reverse engineering

We are given Java source code called “VaultDoor6.java”. Inside this file there is a password system, where if you input the correct password (or the flag) an “Access granted” message will be printed. There is only one significant method that we need to pay attention to, called checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the entered password does not match the condition specified in the if statement, false is returned as well…


Challenge: Need For Speed

Category: reverse engineering

We are given a binary called “need-for-speed”. When you first run the program, there is no needed input from the user. The program simply starts generating a key, but exits before the process is finished with the message “Not fast enough. BOOM!”. When I opened the program in IDA, I saw that there were four main functions that controlled the program logic.

The header function is only responsible for printing the banner when the program is first run. If you look inside set_timer, you will see that there is a signal set up to terminate the program…


Challenge: reverse_cipher

Category: reverse engineering

We are given a binary named “rev” and a text file named “rev_this”. If you look at the contents of rev_this, you can see the output of rev, or an encoded flag. When I opened rev in IDA, I saw that two files were needed in order for rev to run: “flag.txt” and “rev_this”.

The file flag.txt is opened in read mode, and rev_this is opened in append mode, which confirms that the output of rev is stored in rev_this each time it is run. The binary takes the original flag in flag.txt, encodes it, then appends it. After…


Challenge: B1ll_Gat35

Category: reverse engineering

We are given a Windows executable called “win-exec-1.exe”. When you run the exe, it asks for a number between 1 and 5 digits long. After you input a number, it prints “Initializing…” then asks for a correct key for the access codes. If the key is correct, you get the flag, and if the key is wrong, the program exits.

When I opened the binary in IDA I saw that there was a lot of obfuscation. None of the typical C functions were named, and there were many sub processes that jumped to other sub processes that…

Alisya Kainth