Writeup by: andyandpandy
Solved by: andyandpandy, Hako
Writeup
The challenge has a race condition vulnerability: you can delete your user and immediately afterwards send another request for the flag, which succeeds when timed correctly.
Description: Web challenge
Challenge author: pspaul/SonarSource
To keep track of …
Writeup author: Bawstaws
The Lost Bottle is the most awesome pirate game. It is about a young pirate who lost her favorite bottle of old rum. She is now doomed to drink ordinary rum until she finds her bottle. Flags: 2531.00
Tags: rev, misc, game
Introduction
After discovering that this is a game challenge I quickly …
Writeup by: ChrRaz
Kuuuurveen
We are given the following challenge description. A client and a server have been communicating the flag over an encrypted channel.
There is a Cuuuuuuuuuuuuuuurveeeeeee, isn't it beautiful? A client and a server communicate over an encrypted communication channel. See if you, with the help of the source …
Writeup by: ChrRaz
80s Commitments
When opening http://80s-commitments.hkn we are greeted with the following page: We are given a public key and a “commitment”. If we enter this commitment into the “reveal” box we get redirected to the following page, which shows an embedded YouTube video. …
Challenge Description (967 points)
Play to win and log ‘em all! Once you’ve seen all 151 Asciimon, talk to Professor Jack for the flag. We’ve included some data for the first couple rooms, you’ll have to figure out the rest yourself!
nc -v logemall-a2db138b.challenges.bsidessf.net 666
Writeup by: Nicolai Søborg
Cr0wnAir
TL;DR - bypassing a filter to generate two JWTs (RS256), then finding e and N from the two signatures and forging an arbitrary JWT (HS256).
Step 1: Getting two RS256 signatures
To get a signature we need to bypass a filter validated by jpv (“JSON Pattern Validator”).
Writeup by: Zanderdk
Introduction
On the 2021-01-26 Qualys released this article describing a “new” (actually 10 year old) bug in sudo that allows an attacker to do privilege escalation through a heap buffer overflow. Unfortunately they did not release exploit/POC so I decided to build one myself and failed. …
The Vault
The challenge is a simple HTML file with a keypad that allows you to input a 4-digit PIN. The file loads main.js and calls Module.ccall('validate') to check the PIN.
Upon beautifying the JS we see that it calls run(), which in turn runs:
preRun(); initRuntime(); // => __wasm_call_ctors => …