Quick and Dirty intro to OpenPGP & GPG

Pretty Good Privacy (PGP) is a model that provides cryptographic privacy and authentication for data communication. It was created by Phil Zimmermann in 1991. Today, PGP is a company that sells a proprietary encryption program, OpenPGP is the open protocol that defines how PGP encryption works, and GnuGP is the ...

more ...

The Peace Pipe at Hack.lu's Final CTF 2014

Last week was the Hack.lu Final CTF. In this post, I discuss one of my favorite crypto problems in that CTF: the "Peace Pipe".

Understanding the Problem

The problem starts with this weird story:

After a long day, you sit around a campfire in the wild wild web with ...
more ...

Exploring D-CTF Quals 2014's Exploits

Last weekend I played some of the DEFCAMP CTF Quals. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the CTF write-ups git repo.

Vulnerabilities

Remote ...

more ...

Exploiting the Web in 20 Lessons (Natas)

cyber

Continuing my quest through the Wargames, today, I am going to talk about the 20 first levels of Natas, the web exploitation episode.

I divide the exploits into two parts. The first part contains the easy challenges that don't demand much art (and are a bit boring). The second ...

more ...

On Paillier Ciphersystem, Binary Search and the ASIS CTF 2014

img

The ASIS CTF happened last weekend. Although I ended up not playing all I wanted, I did spend some time working on a crypto challenge that was worth a lot of points in the game. The challenge was about a sort of a not well-known system, the Paillier cryptosystem.


The ...

more ...

Cryptography War: Beating Krypton

cyber

Continuing to talk about the Wargames, today I'll briefly go through Krypton, the cryptography episode.

The problems are very straightforward and very similar to those from the last CSAW CTF (see my post here).

Disclaimer: if you haven't played WarGames, but you are planning to, PLEASE DON'T ...

more ...

Smashing the Stack for Fun or WarGames - Narnia 0-4

One of my mentors, Joel Eriksson, suggested the quintessential WarGames, a collection of Security problems, divided into 14 interesting titles. I have been playing the games since last week, and they are awesome! To play the WarGames you SSH to their servers with a login that indicates your current level ...

more ...

Understanding the Shellshock Vulnerability

cyber

Almost a week ago, a new (old) type of OS command Injection was reported. The Shellshock vulnerability, also known as CVE-2014-6271, allows attackers to inject their own code into Bash using specially crafted environment variables, and it was disclosed with the following description:

Bash supports exporting not just shell variables ...

more ...

CSAW CTF 2014 - Forensics 300: "Fluffy No More"

This is the fourth and the last of the forensics challenge in the CSAW CTF 2014 competition. It was much harder than the three before, but it was also much more interesting.

The challenge starts with the following text:

OH NO WE'VE BEEN HACKED!!!!!! -- said the Eye Heart Fluffy ...

more ...

The Sharif University CTF 2014

It looked like a fun CTF, but I did not have the chance to play for too long. I managed to solve a few problems in the morning and the solutions are below.

Avatar: Steganography

The challenge starts with:

A terrorist has changed his picture in a social network. What ...

more ...