Posts

How to recover RSA private key in a coredump of ssh-agent - Sapheads HackJam 2009 Challenge 6

Last week or so I joined CLGT to take part in HackJam 2009 by Sapheads. AFAIK this is the first CTF that Sapheads has organized, but they did a very good job. To most people's surprise, the contest attracted quite a lot of teams from around the world, and it quickly became an international competition. Did I tell you that we're the winners? Ha ha ha, this is our very first win since the name CLGT was born. BTW, HackJam 2009 was a success because Sapheads kept their promise, which is to "provide challenges that greatly resemble real world scenarios and environments, at the same time, adding fun and educational ingredients to them". We really had fun ^_^, not disturbing pains *_*, in solving the challenges. Thank you Sapheads! We're looking forward to HackJam 2010. I promised some people in #sapheads that I would release some writeups about the challenges after the contest ended, and here they are. Sorry for the delay, I have been busy working with v...

Flickr's API Signature Forgery Vulnerability

Flickr's API Signature Forgery Vulnerability
Thai Duong and Juliano Rizzo
Date Published: Sep. 28, 2009
Advisory ID: MOCB-01
Advisory URL: http://netifera.com/research/flickr_api_signature_forgery.pdf
Title: Flickr's API Signature Forgery Vulnerability
Remotely Exploitable: Yes

1. Vulnerability Description

Flickr is almost certainly the best online photo management and sharing application in the world. As of June 2009, it claims to host more than 3.6 billion images. In order to allow independent programmers to expand its services, Flickr offers a fairly comprehensive web-service API that allows programmers to create applications that can perform almost any function a user on the Flickr site can do. Flickr's API consists of a set of callable methods and some API endpoints. To perform an action using Flickr's API, you need to select a calling convention, send a request to its endpoint specifying a method and some arguments, and will receive ...

WOWHacker CTF - Binary Challenges

Challenge 2

Challenge 2 is simple yet interesting. The initial target is a Python 2.2 byte-compiled file, so the first job is to decompile it to get the source code. Fortunately, decompyle just works:

$ decompyle newbie.pyc
# Thu Aug 27 02:13:25 2009
# emacs-mode: -*- python-*-
import urllib

def some_cryption(arg):
    pass

a = 'http://'
dummy = 'http://korea'
b = 'uxcpb.xe'
b = b.encode('rot13')
c = 'co.kr'
cs = '.com'
d = '/vfrp/uxuxux'
dt = '/hackers'
d = d.encode('rot13')
dx = 'coolguys'
ff = urllib.urlopen(((a + b) + d))
f_data = ff.read()
file = open('hkhkhk', 'w')
file.write(f_data)
some_cryption(f_data)
file.close()

You can see that the purpose of this script is to download some data from a fixed URL and save it to a file named hkhkhk. We ran the script, and it indeed downloaded this file. As the script suggests, the content of hkhkhk is encrypted by some cipher. Opening hkhkh...

Web Hacking Challenge - WOWHacker CTF

This post is about challenge 8, which made gamma95 and me feel so lost when it comes to web hacking. Challenge 8 (not accessible atm) is the only web hacking challenge in WOWHacker's CTF. In hindsight it's not very difficult, but in fact it took us almost 1 day to solve it. This is a classic PHP local file inclusion attack. If you set the parameter ty and the cookie 71860c77c6745379b0d44304d66b6a13 to the same file name, the vulnerable PHP script in challenge 8 would try to include that file. Here's what the code looks like:

$ty = $_GET["ty"];
$page = $_COOKIE["71860c77c6745379b0d44304d66b6a13"];
if ($ty != $page) {
    echo "Error!";
} else {
    if (include($ty) != 'OK') {
        echo "Can't find that page!";
    }
}

Update: gamma95 has just pointed out to me that this challenge may not be a PHP local file inclusion attack. Maybe it's just a vulnerable readfile call like this:

$ty = $_GET["ty"];
$page = $_COOKI...

Crypto challenges - WOWHacker CTF

Last week team CLGT took part in the WOWHacker CTF. I was in charge of the crypto challenges, so I decided to write something about challenge 1 and challenge 10.

1. Challenge 1

Challenge 1 is...crazy hahaha. Only one or two teams could solve it until the author (hello hinehong :-D) gave out a list of 7 hints. I have designed some web-related crypto challenges (which you will see soon ^^), so I think the difficulty of challenge 1 relies on how fast people can guess the meaning of the cookie. It would be easier for the teams if the author set the cookie as cookie = cipher + "|" + key. BTW, here's my solution. When you access the link above, you'll see a bunch of javascripts. After decoding those javascripts (which I leave as an exercise for readers), you'll see a form whose target is http://221.143.48.96:8080/you_are_the_man_but_try_again.jsp. This form accepts a parameter named "hong" which is either true or false. If you set hong=true, the server sends ...

qualified

After narrowly missing the CodeGate 2009 finals, and then only making the top 20 at Defcon 2009, this time, after 2 days of continuous competition, team CLGT has brilliantly passed the qualifying round of WOWHacker 2009, held as part of ISEC 2009!!! CLGT's final position was 8th out of 45+ teams. ISEC is one of the largest information security conferences in Asia, sponsored by South Korea's top security agencies. This year the conference added a Capture The Flag competition, judged by the renowned hacker group WOWHacker. I will write a detailed report later. The technical write-ups can be found on team CLGT's page.

PS: Team CLGT is looking for sponsors to cover the cost of the trip to South Korea for the finals in early September; if anyone has relevant information, please get in touch with me. The team only barely made it through the qualifying round, so it would be a real waste not to compete in the finals just for lack of money.