Recent content by 0x90

  1. 0x90

    [/MNT/AIN LIB] [WEB] agebarrier

    This challenge isn't supposed to be easy LOL. The amount of time I invested into figuring this out is disgusting... So basically there is a JWT age check... you can generate tokens with an endpoint. If your token is 18+ years old you can access the flag.. The whole trick was to set different...
  2. 0x90

    [/MNT/AIN LIB] [WEB] rtfm

    Yea this one was a lil harder, cba to read documentation... const u = await prisma.user.findUnique({ where: { username: c.username, password: c.password, }, }); if (!u) { return new Response('UNAUTHORIZED', { status: 401 }); }...
  3. 0x90

    [/MNT/AIN LIB] [WEB] x-is-for-execution

    Beginner friendly command injection. Only safeguard is a client-side HTML pattern, which prevents you from properly escaping the command literals. Soo we can just delete the pattern attribute (or send a request manually), escape the shown base command and print out the flag in...
  4. 0x90

    [/MNT/AIN LIB] [WEB] critical-integrity

    Owww myy gaawwd, JWT trickery! The challenge is to not login as guest, but login as admin and visit /admin. There is a cookie set, which is a JWT. We can basically just change the user to admin and encode it again...
  5. 0x90

    [/MNT/AIN LIB] [CRYPTO] confident-hashes

    confident-hashes SRC: https://library.m0unt41n.ch/challenges/confident-hashes This challenge allows the "breaching" of the admin hash and the goal is to reverse the hash function to obtain the password. Under the hood, this custom hash operates on 32 nibbles (4‑bit words), repeatedly XOR’ing...
  6. 0x90

    [/MNT/AIN LIB] [CRYPTO] locksmith

    locksmith SRC: https://library.m0unt41n.ch/challenges/locksmith This chall provided a binary (could also be a remote), and it basically performed an encryption onto a password which was required to reverse. Every minute it changed.. It was a substitution / Caesar cipher... and based on the...
  7. 0x90

    [/MNT/AIN LIB] [CRYPTO] really-secure-application

    really-secure-application SRC: https://library.m0unt41n.ch/challenges/really-secure-application RSA Crypto chall, we have some values given, so knowing RSA quick maths we can calc the missing pieces and decrypt the flag. So mainly we know 1 of the primes hardcoded q = 7 and n... n being p * q...
  8. 0x90

    [/MNT/AIN LIB] [CRYPTO] office-encryption

    office-encryption SRC: https://library.m0unt41n.ch/challenges/office-encryption Thanks xNull for making a solvable crypto challenge <3 Sooo it's a substitution cipher and luckily we got the randomly generated sbox provided. We have to invert the map, v -> key and key -> value and copy paste the...
  9. 0x90

    [/MNT/AIN LIB] [WEB] rain

    rain SRC: https://library.m0unt41n.ch/challenges/rain PHP Templating libs kekw. We are allowed to upload our own themes and even watch them. Main security feature is the saving of the files as strict html, so we cannot create a normal/typical malicious file upload... But the Templating lib is...
  10. 0x90

    [/MNT/AIN LIB] [WEB] self-service

    self-service SRC: https://library.m0unt41n.ch/challenges/self-service The challenge relies on client certificate authentication using a custom root CA (ca.pem) which recently expired. The server blindly trusts any submitted root certificate as long as the public key and subject match the...
  11. 0x90

    [/MNT/AIN LIB] [WEB] retro-serve

    retro-serve SRC: https://library.m0unt41n.ch/challenges/retro-server This chall's service allows execution of a list of commands... the way it's checked is kinda flawed tho, it checks if the commands are within the commands... so if we craft a malicious command including an allowed command and chain...
  12. 0x90

    [/MNT/AIN LIB] [WEB] containment

    containment SRC: https://library.m0unt41n.ch/challenges/containment The challenge exposes a /rename and /status endpoint in a minimal container environment running a Rocket-based Rust server. We leveraged the fact that certain files like /containment or /.dockerenv are always executable, even...
  13. 0x90

    [/MNT/AIN LIB] [REV] infinite_decoding_odyssey

    infinite_decoding_odyssey SRC: https://library.m0unt41n.ch/challenges/infinite-decoding-odyssey This rev chall is pretty straightforward, we have an encryption or let's say a lil scrambling function which we should reverse. We have a scramble flag...
  14. 0x90

    [/MNT/AIN LIB] [WEB] post-webapp

    post-webapp SRC: https://library.m0unt41n.ch/challenges/post-webapp By abusing alternate loopback notations like 127.1 or 0x7f000001, we glide past the naive filter without raising alarms. The server then fetches our crafted URL from 127.0.0.1, so the admin route trusts the request and happily...
  15. 0x90

    [/MNT/AIN LIB] [WEB] cyberpunk-weather-app

    cyberpunk-weather-app SRC: https://library.m0unt41n.ch/challenges/cyberpunk-weather-app This challenge displays weather data and uses a templating engine. During building of a string a command injection vuln was created within the else block.. we can inject python code and therefore obtained...