In this forensic challenge, a company has been compromised and their initial investigation led to a suspicious workstation. The CEO was very anxious about a potential exfiltration, and we were provided with a network dump of that workstation in the hope that we would be able to help him make some sweet dreams again. After … Continue reading Insomni’hack 2023 – hex-filtrate writeup

The GDBug file is an ELF binary: It simply requires a valid serial that we should identify: The strings do not reveal anything, besides a fake flag which is not accepted: Anyway, the binary doesn’t seem to have particular protections: There only seems to be a basic anti-debug: But old versions of GDB and Radare2 … Continue reading GDBug write-up

The Apiculture challenges are dedicated to API attacks. The second level basically looks like a webpage dedicated to beehives: A quick look in the Developer Tools reveals a call to the /api/v4/products/ endpoint: This endpoint indeed permits to get the beehives JSON. It is also impacted by an Improper Data Filtering vulnerability since it contains … Continue reading Apiculture 2 write-up

The Apiculture challenges are dedicated to API attacks. It is basically a honey’s addict website: To solve the first challenge, we should pay attention to the call to the /api/products/ API: This endpoint provides information to the Angular front-end so that the page can be rendered in the browser… But it is impacted by an … Continue reading Apiculture 1 write-up