VM programmed with TCP packet timing - nvm (rev) from justCTF 2023

- ctf writeup reversing
This post is a writeup for a challenge I was working on during justCTF 2023. I didn’t solve it during the competition, unfortunately. But I decided to take a look at it afterwards, as it seemed interesting! (and I also needed some rev challenge for a class in the university :D) Description: Some time ago I hosted a service that allowed me to do calculations on my computer. One day I noticed someone was executing the same code over and over again. Read more...

Exceptional Laravel and IPv6 bypass - Linux Examples (web) from m0leCon Teaser 2023

- ctf writeup web
The m0leCon CTF Teaser took place this weekend. We played only very lightly, as most of the team was busy organizing the HackTM CTF 2023 Finals in Timișoara. I solved this challenge only, while taking a break from exam preparation :P Description: I wrote a simple website with some linux command examples, I hope you’ll like it! Author: @Giotino. Files: linux-examples.zip. Solves: 14. Points: 222. Approach: When first looking at a web challenge, I like to first explore its functionality without looking at the source code. Read more...

Need to crack a substitution cipher?

- project ctf crypto
I just published Vsolve - a solver for substitution ciphers. It implements Jakobsen’s algorithm, which performs a bigram analysis of the ciphertext to find the most probable key and recover the plaintext without knowing the key. The tool does things that I missed in other tools; mainly it’s: cross-platform - a CLI tool written in Rust; extensible - adding a new language is just a matter of adding a config file; and capable - full UTF-8 support, a built-in IoC calculator, and the list goes on. Read more...

How to update a lot of docker-compose services like a breeze

- linux
I use docker-compose to manage services on a majority of my servers. But I find it hard to keep the containers up-to-date. So I wrote this simple bash script that rebuilds, and thus updates, all the docker-compose projects in a directory. It even has an option to ignore some of the folders by putting a file named .docker-compose-updater-ignore in them. I decided to publish it here as someone might find this useful. Read more...

Czech Cybersecurity Competition Quals Writeup

- writeup ctf kybersoutez
Kybersoutěž AKA Czech Cybersecurity Competition is a "CTF" for high school/university students in the Czech Republic. It consists of two rounds and finals. The first round is a survey covering basic CS terms and definitions. The second round, which is covered in this blog post, is more CTF-like. Both take place online. After them, if you qualify, you go to the final, which is an on-site one-day CTF: an individual phase in the morning, followed by a team phase in the afternoon. Read more...

WTF is DIME again? - writing a scanning tool for my HP LaserJet

- project reversing
TL;DR: I got pissed with HPLIP not working and then with the HP Smart app requiring account registration, so I reverse engineered the network communication and the HP Smart app to develop a tool called HPSimpleScan, written in Go, that can be used to scan (not only) from this printer. In the process I’ve written a Kaitai Struct definition of the long-forgotten DIME format and contributed it to the Kaitai Struct formats repo. Read more...

Chaining postMessage XSS on active24.cz

- xss bugbounty web
I manage a few websites and domains with the hosting provider active24.cz, and one time I decided to take a closer look at their security. After a while of fiddling around I noticed a bunch of postMessages flowing between the support.active24.cz and active24.cz origins every time the page was loaded; it was the live support chat system they were using. The main page was iframing https://support.active24.cz/scripts/generateWidget.php and then included a script to communicate with it, handing over information like the user ID, whether the user is logged in, etc. Read more...

The time I found a persistent DOM XSS on DuckDuckGo

- xss bugbounty web
In the summer of 2020, I found a not-so-interesting but impactful XSS on the DuckDuckGo search engine. I looked into the security of their Cloud Save feature, which lets you have your preferences (colour scheme, styles, etc.) saved and then restored in a privacy-friendly way using a passphrase. The passphrase gets hashed and is used as an API key to access them. I enumerated all the possible options you can save in the preferences object and found two interesting ones. Read more...