Compass Security Blog

A Blog about Information Security...

Fun at Insomni’hack

Last Friday a little more than a dozen Compass Security Analysts traveled to Geneva and attended the Insomnihack conference and its CTF. Conference The conference featured a variety of topics, ranging from areas such as corporate IT security, distributed systems and malware analysis, or even unusual topics such as remote exploitation of game engines. DevOOPS: Attacks […]

Continue reading

Write-up: Capscii

The goal in the Capscii challenge was to solve 50 captchas consecutively in less than 100 seconds and prove that we are not human. The captcha was not your usual recognition of text though, it consisted of an operation (addition, subtraction or multiplication) on two numbers. Only problem, the numbers were printed as ASCII art on […]

Continue reading

Write-up: The Great Continuation

This challenge was web based and contained a mix of XSS, CSRF and CSP bypass. We were given two web pages, admin. and bot.control.insomni.hack, and challenged to break into the administration panel to take the control of the bots. The admin page had a login form containing an obvious reflected Cross-Site Scripting (XSS). However, it […]

Continue reading

Write-up: Who’s your daddy?

At this years Insomni’hack there was a fun Recon / OSINT challenge with the name “Who’s your daddy?”. A login page was presented to the participant, who had to try to reset the password of the page owner. On the login page the user was able to: Login with username / password Insert a username […]

Continue reading

Write-up: Smarttomcat2

Following the Insomni’hack 2017 teaser where the Smarttomcat1 challenge was available, a second version of the same challenge was proposed. Good write-ups for Smarttomcat1 may be found at https://ctftime.org/task/3308. To quickly summarize, one had to abuse a search function to access a tomcat manager page with default credentials. The challenge looked very similar, when performing a […]

Continue reading

Write-up: Secr3tMgr

One challenge at Insomni’hack CTF this year was about memory forensics on Android devices. The challenge provided a memory dump of an Android device along with the task to retrieve some encrypted information from it. Besides the memory dump, two additional files (module.dwarf and System.map) were provided: The first tool that comes to mind when […]

Continue reading

SharePoint: Collaboration vs. XSS

SharePoint is a very popular browser-based collaboration and content management platform. Due to its high complexity, proprietary technology and confusing terminology it is often perceived as a black-box that IT and security professionals do not feel very comfortable with. These days, web security topics are well understood by many security professionals, penetration testers and vendors. But what […]

Continue reading

SharePoint: How to collaborate with external parties?

Opening up an internal SharePoint farm to the Internet in order to share resources with external parties might seem a good idea, because it helps avoiding expensive infrastructure changes. However, in terms of security, this is not recommended because it does not sufficiently protect internal resources from external threats. The protection of internal resources hinges […]

Continue reading

Wrap-up: Hack-Lab 2017#2

What is a Hack-Lab? Compass Security provides a monthly playful occasion for the security analysts to get-together and try to hack new devices, dive into current technologies and share their skills with their fellows. This also includes the improvement of internal tools, the research of newly identified publicly known attacks, and security analysis of hardware […]

Continue reading

Hacking-Lab @ CodeMash 2017

What is CodeMash? CodeMash is a conference for software developers and IT security professionals. It takes place every year in Sandusky, Ohio, in the U.S. The event consists of two parts: two days of training sessions (called “PreCompiler”), followed by two days of conference with sessions. It attracts about 3’000 visitors and takes place in […]

Continue reading

« Older posts