Recent content by 0x90

  1. 0x90

    [/MNT/AIN LIB] [CRYPTO] confident-hashes

    confident-hashes SRC: https://library.m0unt41n.ch/challenges/confident-hashes This challenge allows the "breaching" of the admin hash and the goal is to reverse the hash function to obtain the password. Under the hood, this custom hash operates on 32 nibbles (4‑bit words), repeatedly XOR’ing...
  2. 0x90

    [/MNT/AIN LIB] [CRYPTO] locksmith

    locksmith SRC: https://library.m0unt41n.ch/challenges/locksmith This chall provided a binary (could also be a remote), and it basically performed an encryption onto a password which was required to reverse. Every minute it changed.. It was a substitution / Caesar cipher... and based on the...
  3. 0x90

    [/MNT/AIN LIB] [CRYPTO] really-secure-application

    really-secure-application SRC: https://library.m0unt41n.ch/challenges/really-secure-application RSA Crypto chall, we have some values given, so knowing RSA quick maths we can calc the missing pieces and decrypt the flag. So mainly we know 1 of the primes hardcoded q = 7 and n... n being p * q...
  4. 0x90

    [/MNT/AIN LIB] [CRYPTO] office-encryption

    office-encryption SRC: https://library.m0unt41n.ch/challenges/office-encryption Thanks xNull for making a solvable crypto challenge <3 Sooo it's a substitution cipher and luckily we got the randomly generated sbox provided. We have to invert the map, v -> key and key -> value and copy paste the...
  5. 0x90

    [/MNT/AIN LIB] [WEB] rain

    rain SRC: https://library.m0unt41n.ch/challenges/rain PHP Templating libs kekw. We are allowed to upload our own themes and even watch them. Main security feature is the saving of the files as strict html, so we cannot create a normal/typical malicious file upload... But the Templating lib is...
  6. 0x90

    [/MNT/AIN LIB] [WEB] self-service

    self-service SRC: https://library.m0unt41n.ch/challenges/self-service The challenge relies on client certificate authentication using a custom root CA (ca.pem) which recently expired. The server blindly trusts any submitted root certificate as long as the public key and subject match the...
  7. 0x90

    [/MNT/AIN LIB] [WEB] retro-serve

    retro-serve SRC: https://library.m0unt41n.ch/challenges/retro-server This chall's service allows execution of a list of commands... the way it's checked is kinda flawed tho, it checks if the commands are within the commands... so if we craft a malicious command including an allowed command and chain...
  8. 0x90

    [/MNT/AIN LIB] [WEB] containment

    containment SRC: https://library.m0unt41n.ch/challenges/containment The challenge exposes a /rename and /status endpoint in a minimal container environment running a Rocket-based Rust server. We leveraged the fact that certain files like /containment or /.dockerenv are always executable, even...
  9. 0x90

    [/MNT/AIN LIB] [REV] infinite_decoding_odyssey

    infinite_decoding_odyssey SRC: https://library.m0unt41n.ch/challenges/infinite-decoding-odyssey This rev chall is pretty straightforward, we have an encryption or let's say a lil scrambling function which we should reverse. We have a scrambled flag...
  10. 0x90

    [/MNT/AIN LIB] [WEB] post-webapp

    post-webapp SRC: https://library.m0unt41n.ch/challenges/post-webapp By abusing alternate loopback notations like 127.1 or 0x7f000001, we glide past the naive filter without raising alarms. The server then fetches our crafted URL from 127.0.0.1, so the admin route trusts the request and happily...
  11. 0x90

    [/MNT/AIN LIB] [WEB] cyberpunk-weather-app

    cyberpunk-weather-app SRC: https://library.m0unt41n.ch/challenges/cyberpunk-weather-app This challenge displays weather data and uses a templating engine. During building of a string a command injection vuln was created within the else block.. we can inject python code and therefore obtained...
  12. 0x90

    [/MNT/AIN LIB] [WEB] dotcom

    dotcom SRC: https://library.m0unt41n.ch/challenges/dotcom Solved this chall locally, submitted publicly shared flag. (hope that's fine) Reported chall as broken and fixed it. There is a .NET server and a BOT component, we need to make the bot write the flag into a textArea and somehow exfil...
  13. 0x90

    [/MNT/AIN LIB] [WEB] sleepy-sql

    sleepy-sql SRC: https://library.m0unt41n.ch/challenges/sleepy-sql This challenge is pretty obvious that we have to perform sql injection, the hard part is exfiltration tho, there is no reflection allowing us to read any data (like the flag). So we have to work with what we got, time. We can...
  14. 0x90

    [/MNT/AIN LIB] [WEB] legal-complaint-form

    legal-complaint-form SRC: https://library.m0unt41n.ch/challenges/legal-complaint-form Okay first of all, I consider myself a PHP pro, but damn I h8 apache... my main stack is using nginx as webserver... This chall requires two main steps. 1. First of all there is a malicious file upload vuln...
  15. 0x90

    [/MNT/AIN LIB] [WEB] pollpals

    pollpals SRC: https://library.m0unt41n.ch/challenges/pollpals Typical JWT misconfiguration or let's call it completely fucked up flow/logic/implementation. The isAdmin function in auth.js has no signature check for the JWT, it just accepts any JWT and extracts its info... const parts =...