Writeup by: Oliver Lyak (ly4k)

Solved by: Zopazz, Oliver Lyak (ly4k)

<img
  loading="lazy"
  decoding="async"
  alt="Challenge description"
  
    class="image_figure image_internal image_unprocessed" …</picture></figure></p>

Writeup by: Nicolai Søborg

Solved by: Nicolai Søborg, Rasmus Have

This year we managed to land a 13 place, again! (which is really a shame as top 12 gets swag …)

The challenge is a single python file that allows you to “run untrusted Java in a safe way”.

The code boils down to:

1. you upload two files: …

Writeup by: Zanderdk | linkedin

Solved by: ZZZ | linkedin, N00byedge | linkedin

Indie VMM - HXP 2021

In this challenge we are given a root access to a linux machine running in the linux tools hypervisor and the goal is to escape out of the hypervisor to access the flag file on the host system. During this challenge we …

Writeup by: andyandpandy

Solved by: andyandpandy, Hako

Writeup

The challenge has a race condition vulnerability, where you can delete your user and rapidly after send another request for the flag, which is successful when timed correctly.

Description

Web challenge

Challenge author: pspaul/SonarSource

To keep track of …

Writeup by: andyandpandy

Solved by: andyandpandy, eskildsen, 2by4

Writeup

This is most likely an unintended solution.

TL;DR: Create a note with two iframes. First iframe gets /s/secret-note, second gets from evil.com, which returns a html page where another iframe is loaded based on an 0-day CVE-2021-39175 in a …

Writeup author: Bawstaws

The Lost Bottle is the most awesome pirate game. It is about a young pirate, that lost her favorite bottle of old rum. She is now doomed to drink ordinary rum until she finds her bottle.

Flags: 2531.00

Tags: rev, misc, game

Introduction

After discovering that this is a game challenge I …

Writeup by: ChrRaz

We are given the following challenge description. A client and a server have been communicating the flag over an encrypted channel.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

Der er en Kuuuuuuuuuuuuuuurveeeeeee, er den ikke smuk?
En client og en server kommunikere over en krypteret kommunikationskanal. Se …

Writeup by: ChrRaz

When opening http://80s-commitments.hkn we are greeted with the following page:

<img
  loading="lazy"
  decoding="async"
  alt="The main page"
  
    class="image_figure image_internal image_unprocessed" …</picture></figure></p></!--></!-->

Challenge Description (967 points)

Play to win and log ’em all! Once you’ve seen all 151 Asciimon, talk to Professor Jack for the flag. We’ve included some data for the first couple rooms, you’ll have to figure out the rest yourself!

nc -v logemall-a2db138b.challenges.bsidessf.net 666

(author: …

Writeup by: Nicolai Søborg

TL;DR - bypassing a filter to generate two JWTs (RS256). Finding e and N from the two signatures and forge an arbitrary JWT (HS256).

Step 1: Getting two RS256 signatures

To get a signature we need to bypass a filter validated by jpv (“JSON Pattern Validator”).

This package has a …