CampCTF Spam100 – pwn

Few days ago I had the chance to attend to Chaos Communication Camp 2015.
I personally had a great time camping, swimming in the lake and catching up with friends I usually bump into conferences like this — including an old friend from high school I haven’t seen in ages.

This year CCC Aachen held a capture the flag competition at the event named CampCTF. The CTF was open for everyone interested and there was no requirement of physical presence at the camp to play.

I admit I barely touched my computer while at the camp — I was more keen to enjoy a good time with friends and have holidays — I had a go with some of the challenges of the CTF.

Without further ado, let’s proceed with the actual write-up of one of the challenges of the CTF: Spam100.
Continue reading “CampCTF Spam100 – pwn”

CampCTF Spam100 – pwn

Positive HackDays 2012 $natch write-up

Sometime ago while browsing old backups I stumbled upon a raw write-up I did for $natch, a vulnerable Internet banking application created for a CTF-style competition organized by the folks of Positive Technologies. They held this contest at PHDays 2012 in Moscow and at the 29th Chaos Communication Congress in Hamburg.

I participated in the contest at the 29C3 and scored second place (in fact I found more bugs than the winner and certainly would have won if my laptop’s network card hadn’t bailed out – I had to borrow one from the organizers so I could play).

This post will discuss in detail every vulnerability found within the application, along with the relevant vulnerable source code, and explain all steps necessary to successfully exploit them.

Continue reading “Positive HackDays 2012 $natch write-up”

Positive HackDays 2012 $natch write-up