Shearwater AusCert 2016 CTF

GAME OF MEMORY (500 pts) The 1337 and 100 work for the same company, they sit across from each other on the same network. 100 is working on building a challenge for the Shearwater’s AusCert CTF. 1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs the proof that 1337 sabotaged the team, can you help find the proof? Question 1: 100 pts What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID? The flag must be...

SecurityFest CTF 2016

This blog contains a write up of the solution I used to solve the XSS challenge “Space XSS I – Web”. This challenge was hosted by coresec, Cybercom Group, kits, hackrone, assured and ESET Challenge was hosted at URL: https://securityfest.ctf.rocks Space XSS I – Web (100) Yes even space suffers from XSS – level 1: http://xss1.zpuoznbj3die.co.uk/ Solves: 81 Author: avlidienbrunn Challenge URL http://xss1.zpuoznbj3die.co.uk/ When browse to URL found challenge it to alert(1) in firefox on this page. Found this page text on the page has a hyperlink to http://xss1.zpuoznbj3die.co.uk/?xss=stuff Changed the value of of xss=stuff to xss=<script>alert(1)</script> to see how...

Latest iOS 9.1 security flaw – allow user to update status on Facebook even if device is locked

Bug in iOS 9.1 which allows any user to update status on Facebook even if their device is locked. What is required on the device? Siri should be enabled Obviously, user should be signin into Facebook (Settings > Facebook) How can users replicate this bug on their devices? Start Siri and ask to update status on Facebook. Siri will ask for the message “you can ask siri to post anything“. Siri will then prompt for confirmation with a message (Post or Cancel). Tap on Post or tell Siri to Post. Siri will update this message to the Facebook even if...

Analysing Android memory Dump

This post is just about analysing an Android memory dump which was taken when device was doing something malicious but not known to me. As I will go through the memory I’ll try to go as-deep-as I can to figure what malicious activities were going-on and how and when they were executed. Memory Dump – “Will Provide Link” Prerequisites: Linux Machine (I’ll be using my custom pentestOS linuxmint) Volatility with goldfish profile configured Analysing Memory: Started analysing by dumping list of processes from the memory dump. “vol.py -f memory.dmp –profile=Linuxgoldfish-2_6_29ARM linux_pslist” pslist-output.txt – Link-pslist(inactive) Process with PIDs 47, 1255, 1454...

Connecting LCD Screen (16×2) to RaspberryPi and displaying temperature, IP and more #3 RaspoElectro

In this post, I will be using the RPi.GPIO library and Python to control the LCD.The LCD used in this post is based on Hitachi HD44780 LCD controller. Although the LCD has 16 pins available for interfacing, using the 4 bit mode only 6 GPIO pins are required (RS,E,D4,D5,D6,D7). NOTE : I’m not using Adafruit library because it is useless. What you Will Learn: How to connect 16×2 LCD (HD44780 or others) to GPIO pins. Basics of electronic circuit. Complex Python & Shell coding to display and clear messages from LCD. Calling system variables using python and displaying them on LCD What you need: Raspberry Pi configured...

Lighting up LED’s using RaspberryPi and Python #2 RaspoElectro

Lighting up Led’s using RaspberryPi and Python Once you’ve setup your Raspberry Pi according to my GPIO basics #1 RaspoElectro tutorial, you are ready for Led lighting project. Let’s light up an led using the Python programming language/script and the GPIO pins on your Raspberry Pi What you Will Learn: Basic electrical circuit and attach it to your RPi GPIO pins Simple Python program to control the circuit using IDLE IDE, hereafter GPIO cable What you need: Raspberry Pi configured with the GPIO library small led’s, any color 1 – 50 ohm resistor small jumper wires Breadboard My wiring structure GPIO 3...

GPIO basics on Raspberry Pi #1 RaspoElectro

This post is about explaining how GPIO works on Raspberry Pi GPIO – General-purpose input/output (GPIO) is a generic pin on an integrated circuit (commonly called a chip) whose behavior (including whether it is an input or output pin) can be controlled (programmed) by the user at run time. –wikipedia   GPIO on Raspberry Pi is 26-pin generic input/output that can be controlled/commanded using most of programming scripts/languages with built-in library to communicate with hardware.   Python GPIO library (RPi.GPIO 0.2) – Download RPi.GPIO 0.2 is a module to control Raspberry Pi GPIO channels. Installing GPIO module to Python library Installation is pretty easy, once you...

UNSW K17 CTF 2013

K17 CTF – 28/09/2013 (10 AM)  to 29/09/2013 (10 AM). I participated in K17 CTF hosted by the University of New South Wales (UNSW). There were 2 teams from “Northern Sydney Institute TAFE-Meadowbank Network Security degree”  0x4e534931 & 0x4e534932 with 4 members in each team. I was a team member of the 0xe534931 team and we got 20th position.   Task completion status Challenge – Help the NSA (50pts) The NSA has though it’s warrantless mass surveillance network managed to intercept this exchange between two potential terrorists. Unfortunately, they don’t quite know what to make of it. “It all looks like...

CSAW CTF 2013 – Qualification Round

Team HackoGram got #310 position worldwide with 1650 points and got #83 position in Undergraduate’s throughout. Also, was the 5th highest scoring Australian Team. CSAW CTF challenges were divided into 7 categories with points from 50 to 500 depending on difficulty of challenge. I’ll do writeups of all the challenges i was able to solve TRIVIA (250 points) TRIVIA-1: Drink all the brooze, ______ all the things! A: hack This was pretty easy, i think you should be able to solve this without google TRIVIA-2: What is the abbreviation of the research published in the Hackin9 issue on nmap by Jon Oberheide, Nico Waisman, Matthieu Suiche, Chris Valasek, Yarochkin Fyodor, the Grugq, Jonathan Brossard & Mark Dowd?...

Major Security Project – RaspAP (Smart Network Device)

Description of Project The concept of this project is to build a portable Access Point with secure authentication server, to serve a wired network, wirelessly using 802.1x and inspect an authenticated traffic entering the company’s network using Intrusion Prevention System. This project also covers the use of syslog server to store all logs of network to a centralised location using Raspberry Pi Model B Reason behind the Project The major reason behind this project is that most enterprises are using licence-based Access Points to serve wireless networks, whereas this portable $35 chipset can be placed upon anywhere within the network,...