CTF video write-ups

Playlists: Various CTFs | Riscure CTF

Part 1 of reverse engineering another AVR firmware. Zeta Two shows us how to get started with reversing the code for the ATmega328P (AVR) chip. This was a challenge from the rhme2 competition. In this video we identify some I/O functions and the main() function.

Solving the AES whitebox crypto challenge without even touching crypto or AES.

Exploring some of the notes and thoughts I had analyzing the whitebox crypto challenge.

Long story short, we reverse more and more of the binary and, with some hints, realize it is AES after all.

We start to reverse engineer a crypto binary with Hopper.

Part 1/2: https://www.youtube.com/watch?v=sJPhsE_XeKI

Part 2 of solving the exploitation challenge from RHme3. In the last video we found the bug and now we create the exploit.

Exploitation challenge from the RHme3 qualification round. We use ltrace to understand what the binary does and then use a gdbinit script to add custom logging.

We perform a fault injection on an Arduino board to break out of an endless loop. We drop the power for a very short amount of time so the microprocessor calculates something wrong. Skip to 0:56 if you don't want to see my cringy acting.

Generating random numbers on computers is not easy. And while the intended solution was really hard, the challenge had a problem with the random number generation, which allowed me to solve it.

Terrible DPA explanation and sharing my experience solving the side channel analysis challenge "piece of scake" from the rhme2 CTF.

Preparing an Arduino Nano board to perform a power analysis side channel attack and explaining how that can be used to break RSA. Also proof I can't count.

We are going to recover an ECDSA private key from bad signatures. Same issue the PlayStation 3 had that allowed it to be hacked.

Whack the mole was a fun little challenge that was not so much about security, but to figure out how the game works, and then play it and win.

We overflow a buffer and slowly figure out that we can control memory addresses to leak other data.

Solving the casino challenge of rhme2 abusing a format string vulnerability.

Using the greatest common divisor (GCD) to factorize the public modulus into its secret primes, so we can forge an RSA signature.
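The attack only works when two RSA moduli share a prime factor (typically because a weak RNG handed the same prime to two key generations): gcd(n1, n2) then returns that prime directly, and the rest is ordinary key derivation. Added example, not the video's code; the moduli are constructed from Mersenne primes so the demo is deterministic, and the signature scheme is unpadded textbook RSA over SHA-256 as a CTF service might implement it.

```python
import hashlib
from itertools import combinations
from math import gcd

E = 65537


def shared_factor(n1, n2):
    """Return the prime two RSA moduli have in common, or None if they are coprime
    (or identical, in which case the gcd tells us nothing new)."""
    g = gcd(n1, n2)
    return g if g not in (1, n1, n2) else None


def find_shared_factors(moduli):
    """Pairwise gcd over a key set: {(i, j): shared_prime}. Quadratic in the number of
    keys, which is fine for a CTF; product trees are used for millions of keys."""
    found = {}
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = shared_factor(n1, n2)
        if g is not None:
            found[(i, j)] = g
    return found


def private_exponent(n, p, e=E):
    """Given one prime factor of n, derive the private exponent d."""
    q, rem = divmod(n, p)
    if rem or q == 1:
        raise ValueError("p does not split n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(msg, d, n):
    """Textbook (unpadded) RSA signature: s = H(m)^d mod n."""
    return pow(digest(msg, n), d, n)


def rsa_verify(msg, sig, n, e=E):
    return pow(sig, e, n) == digest(msg, n)


def demo():
    """Constructed keys: Mersenne primes stand in for the random primes a real key
    generator would pick. The flaw modelled is a bad RNG giving the SAME p to two keys."""
    p, q1, q2 = 2**127 - 1, 2**89 - 1, 2**107 - 1
    n_victim, n_other = p * q1, p * q2
    p_recovered = shared_factor(n_victim, n_other)   # gcd leaks the shared prime
    d = private_exponent(n_victim, p_recovered)
    forged = rsa_sign(b"admin=true", d, n_victim)
    return rsa_verify(b"admin=true", forged, n_victim)
```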

Solving "Photo Manager" from the riscure embedded hardware CTF by bypassing a buffer overflow mitigation through brute-forcing a stack cookie.
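A stack cookie is only brute-forceable in practice when it stays constant between attempts, as it does for a fork()-based service whose children inherit the parent's canary. Then the overflow is extended one byte at a time: a wrong byte aborts the child, the right byte does not, so the full cookie costs at most 256 guesses per byte instead of 2^64. The following simulation is an added example, not the challenge's code; the service, the 64-byte buffer and the canary values are constructed for the demo (the 0x00 low byte mirrors glibc on x86-64).

```python
import secrets


class ForkingService:
    """Stand-in for a fork()-based network service: the parent picks its canary once,
    every child inherits the same value, and a child's crash is observable per request."""
    BUF_SIZE = 64          # constructed: size of the overflowable buffer

    def __init__(self, canary=None):
        # glibc on x86-64 zeroes the canary's low byte so string functions stop there
        self.canary = canary if canary is not None else b"\x00" + secrets.token_bytes(7)
        self.requests = 0

    def handle(self, data):
        """Return True if the child survived (canary intact), False if it aborted.
        Only the bytes that spill past the buffer can clobber the canary."""
        self.requests += 1
        spill = data[self.BUF_SIZE:self.BUF_SIZE + len(self.canary)]
        return spill == self.canary[:len(spill)]


def bruteforce_canary(service, width=8):
    """Recover the canary byte by byte using the crash/no-crash oracle."""
    known = b""
    for _ in range(width):
        for guess in range(256):
            payload = b"A" * service.BUF_SIZE + known + bytes([guess])
            if service.handle(payload):           # child survived: byte was correct
                known += bytes([guess])
                break
        else:
            raise RuntimeError("no byte survived; canary is not stable across connections")
    return known


if __name__ == "__main__":
    svc = ForkingService()
    print(bruteforce_canary(svc).hex(), "in", svc.requests, "requests")
```

Once the cookie is known it is simply written back in place by the real overflow, after which the saved return address behind it can be overwritten as if the mitigation were absent. Services that re-exec per connection (fresh canary each time) defeat this.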

We are using radare2 together with avr-gdb and simavr to reverse engineer the challenge "Jumpy", which implements a password checking algorithm.

We are looking at the datasheet of the ATmega328P, learn about the Harvard architecture, and see what serial communication looks like at the assembly level.

The first challenge I solved for the embedded hardware CTF by riscure. It implements a Secure Filesystem which prevents you from reading files without knowing the correct token for a file.

Explaining what serial is, debugging it with a Saleae Logic Analyzer and figuring out how to talk to the board.

Soldering the Arduino board, installing drivers for OS X and flashing challenges with avrdude. The CTF will run until the end of February, the other videos will come after that.

I got some stuff very wrong, so I really felt like making a proper update video to explain it.

Solving a crackme implemented in JavaScript that attempts to obfuscate the algorithm through some anti-debugging.

Solving the babyfengshui challenge from the 33c3 CTF live on stream.

Easy solution of the list0r web challenge from the 33c3ctf, thanks to unintended bugs in the challenge.

Solving Eat Sleep Pwn Repeat (ESPR - 150 pwn) challenge from the 33c3ctf. Dumping the binary through a format string vulnerability, leaking libc addresses from the global offset table, finding the matching libc and overwriting a GOT entry with the address of system() to get RCE.

Last video from the BRUCON CTF 2016. Covering "Breaking the crypto", "Log Analysis BSQLi" and "Crypto".

Failed challenge that exposed real security issues with an anonymous mail service, and solving "Lockpicking" and "Restricted Access" from the BruCON CTF 2016.

BruCON CTF video write-up: Not all packets, Reverse Beer, Virtual Lockpick

Commented walkthrough of the security CTF Internetwache 2016. Exploitation challenges.

In part 1 we reverse engineered the algorithm, now we implement a radare2 script in Python to recover the flag and defeat the encrypted code.

Part 1 is about understanding the algorithm with Binary Ninja and gdb. Zwiebel is a reversing CTF challenge with encrypted self-modifying code.

Commented walkthrough of the security CTF Internetwache 2016. Crypto challenges.

Commented walkthrough of the security CTF Internetwache 2016. Web Hacking challenges.

CORRECTION: I explained the stack canary with the `fs` register wrong. The `fs` register has an address and the stack canary is stored at offset +0x28 from that address.

Solving 'teufel' - pwnable 200 from the 32c3ctf. I didn't solve it during the CTF but worked through several writeups and did some more research. Now that I understand it, I recorded myself solving the challenge with commentary.

Video writeup from the EFF-CTF 2016 that was running during the Enigma Conference.

First 4 levels of: http://pwnable.kr/play.php

Part 1: reverse engineering the functionality of the cookbook binary with IDA

In this video we only focus on the mathematical solution for software_update from the 34c3 CTF.

This challenge from the 34C3 CTF implemented a software update in Python. In part 1/2 we try to understand the code and think about possible attacks.

Two years ago I failed to solve the readme challenge at the 32c3ctf. Since then I have learned a lot and I got another chance!

We only had a phone and solved challenges with online tools before the teams did it.

Recently I attended fsec 2017 in Croatia, and there was a cool CTF challenge I solved during the conference that I wanted to share.

This was considered a hard challenge. After finding and analysing the source code we found a GQL injection. Unfortunately there is a system in place that will ban you for too many requests. So we use a modified binary search algorithm to finish in time.

At first I was not able to solve the mindreader challenge and then I got spoiled. I have a critical look at my approach and figured out two major mistakes I made.

This challenge was an amazing team effort. There were multiple steps necessary for the solution and different people contributed. The final big challenge was a bash eval injection, but without using any letters or numbers.

This short PHP code contains a critical vulnerability. In this video I will explain in detail what I think while analysing it.
