MSC100 – Base32
This one was harder for me. Made some bad mistakes at the beginning which really left me clueless.
The description was that someone encrypted text with base32 but did something wrong. So I tried to decrypt it with some online decoders but they all went crazy because of characters which are not compatible with the encoding. After a while, I found out, that you can decrypt the text with base32 but only one line after another. Then I really started to decode the text by hand… and went really crazy and cursed so loud that a friend of mine looked over my shoulder and told me that you can easily do that with the CyberChef website and a special function. After that it was really easy… and I felt so stupid doing it by hand. This is the link to the decryption function.
Now after decrypting the code, I inspected it but there was no flag and no interesting function. So I suspected, that it has something to do with the wrong or misleading character in the encoding.
And yes the flag was the binary-encoded representation of the characters 8 and 9. What a pain.Spacer
Weitere Posts zum Thema Web-Security und Penetration-Testing
Penetration Test Report ISIS12
Dieser Penetration Test wurde durchgeführt von Patrick Eisenschmidt. Inhaltsverzeichnis Timeline Dokumentenversion 1. Einführung 2. Technische Umgebung und Randbedingungen 3. Kategorisierung der Schwachstellen 4. Findings 4.1. XSS (Cross Site Scripting) 4.2. Benutzung eines schwachen Algorithmus zur Berechnung von Kennwort-Hashes Timeline Zeit Beschreibung 08.01.2019 Bericht an den Ansprechpartner der Hochschule gesendet 09.01.2019 Bericht wurde an den Hersteller…
NET100 – Perfect hit
This was a quite easy but fun challenge.It’s about extracting data from a pcap file with SIP communication captured. If we take a look at the .pcap we see some SIP communication which can be easily inspected via the setting “Telephonie” in Wireshark. With that, we can see that there are two calls and one…
MSC100 – Base32
MSC100 – Base32 This one was harder for me. Made some bad mistakes at the beginning which really left me clueless. The description was that someone encrypted text with base32 but did something wrong. So I tried to decrypt it with some online decoders but they all went crazy because of characters which are not…
WEB100 – XXE Denial of Service
This challenge was the usual XXE attack called entity injection with the goal to crash the server. This reminded me of the old but good billion laughs attack. With this attack, your recursive include entities which include further entities to overload the RAM of the XML parser and crash the program.To execute the attack we…
Untersuchung der Kommunikation der App UniNow
Die Kommunikation der App UniNow wurde von Patrick Eisenschmidt auf personenbezogenen / datenschutzrelevante Daten geprüft. Dein ganzes Studium immer dabei. Mit UniNow hast du alle wichtigen Informationen rund um dein Studium in nur einer App! Egal ob Noten, deine Mails oder deinen Stundenplan – du hast alles immer und überall dabei! Inhaltsverzeichnis Dokumentenversion 1. Einführung…
CRY100 – Decrypt this text
This challenges is about decrypting the text inside a file. At first, it does not pretty good. Most characters are not printable or just jibberish.Sadly I can’t remember correctly what the description said (have to write it down next time) but I guess something about the text is XOR’d and the key has to be…
WEB200 – The rocket clock
This challenge was a web challenge. A PHP code to inspect and to tell what’s the problem with it and then exploit the weakness in the servers running this application. At first, I tried to take a look at the input which is controlled by the user. This is where we can manipulate and send…