What is a Hack-Lab? Compass Security provides a monthly playful occasion for the security analysts to get-together and try to hack new devices, dive into current technologies and share their skills with their fellows. Topics The following topics, tools and technology has been discussed during this Hack-Lab: Nessus Automation Tools, Automate Everything, Frida on an […]
The ESP8266 WiFi module from ESPRESSIF is a commonly used, low cost (less than 2 US$) WiFi module that exists in different PCB layouts. Often used for IoT projects and easily programmable using the Arduino IDE or with Mongoose OS and its web based IDE. The ESP8266 modules are covered with a metal shield. Under the shield is a WiFi/CPU chip, […]
Last Friday a little more than a dozen Compass Security Analysts traveled to Geneva and attended the Insomnihack conference and its CTF. Conference The conference featured a variety of topics, ranging from areas such as corporate IT security, distributed systems and malware analysis, or even unusual topics such as remote exploitation of game engines. DevOOPS: Attacks […]
The goal in the Capscii challenge was to solve 50 captchas consecutively in less than 100 seconds and prove that we are not human. The captcha was not your usual recognition of text though, it consisted of an operation (addition, subtraction or multiplication) on two numbers. Only problem, the numbers were printed as ASCII art on […]
This challenge was web based and contained a mix of XSS, CSRF and CSP bypass. We were given two web pages, admin. and bot.control.insomni.hack, and challenged to break into the administration panel to take the control of the bots. The admin page had a login form containing an obvious reflected Cross-Site Scripting (XSS). However, it […]
At this years Insomni’hack there was a fun Recon / OSINT challenge with the name “Who’s your daddy?”. A login page was presented to the participant, who had to try to reset the password of the page owner. On the login page the user was able to: Login with username / password Insert a username […]
Following the Insomni’hack 2017 teaser where the Smarttomcat1 challenge was available, a second version of the same challenge was proposed. Good write-ups for Smarttomcat1 may be found at https://ctftime.org/task/3308. To quickly summarize, one had to abuse a search function to access a tomcat manager page with default credentials. The challenge looked very similar, when performing a […]
One challenge at Insomni’hack CTF this year was about memory forensics on Android devices. The challenge provided a memory dump of an Android device along with the task to retrieve some encrypted information from it. Besides the memory dump, two additional files (module.dwarf and System.map) were provided: The first tool that comes to mind when […]
SharePoint is a very popular browser-based collaboration and content management platform. Due to its high complexity, proprietary technology and confusing terminology it is often perceived as a black-box that IT and security professionals do not feel very comfortable with. These days, web security topics are well understood by many security professionals, penetration testers and vendors. But what […]
Opening up an internal SharePoint farm to the Internet in order to share resources with external parties might seem a good idea, because it helps avoiding expensive infrastructure changes. However, in terms of security, this is not recommended because it does not sufficiently protect internal resources from external threats. The protection of internal resources hinges […]
© 2017 Compass Security Blog