ASIS 2015 Finals: Impossible (web225)

Reading time ~1 minute

This challenge was solved and the write up was written by one of my teammates, hege and me

Steps to solve this challenge:

if (md5($username) == $user_data[0]) {
    return array($username, base64_decode($user_data[1])); 
}
  • Process the user data and search for vulnerable username
  • Find
{ user = "adm2salwg", userMd5 = "0e004561083131340065739640281486", email = "[email protected]", active = "1" }
  • Find an other MD5 “collision” (as a lot of already known collision found on the web are “already used”)
  • Our collision was:
MD5("D8WKOXN880XR") == "0e299238785153218472769311512731"
  • Register a new user with this username (“D8WKOXN880XR”)
  • The get_user function will match adm2salwg’s user info instead of our new user’s thus leaking out adm2salwg’s password: 1W@ewes$%rq0
  • Login with adm2salwg / 1W@ewes$%rq0
  • Profit:
ASIS{d9fb4932eb4c45aa793301174033dff9}

HITCON CTF 2019 Quals: Reverse - EmojiVM

This challenge was a VM implemented where every instruction was an emoji. For the first part of the challenge we had to reverse a flag ch...… Continue reading

HITCON CTF 2019 Quals: Reverse - CoreDumb

Published on October 19, 2019

HITCON CTF 2019 Quals: Pwn - Crypto in the shell

Published on October 19, 2019