As every year, some Compass Security Analysts travelled to Geneva and attended the Insomni’hack conference and it’s enjoyable CTF.
As every year, some Compass Security Analysts travelled to Geneva and attended the Insomni’hack conference and it’s enjoyable CTF.
For this task, we had SSH access to the server guess.insomni.hack and the task was to read the flag in the /home/flag directory. We were able to get the flag without even solving the challenge :)
Similar to the previous challenge we were provided with an Excel spreadsheet (vba02-bitminer_4052500b4f2120d3d3ae458b339ec1f16e89e870.xls) that again contained macro code that would be executed when opening the document.
In this challenge we were provided with an Excel spreadsheet (vba01-baby_272038055eaa62ffe9042d38aff7b5bae1faa518.xls). Analyzing the document using olevba (https://github.com/decalage2/oletools/wiki/olevba) quickly revealed that it contains obfuscated VBA macro code that is executed when the document is opened. Challenge Description Our Solution
The vbaby challenge was a simple ASP web application that accepted a single page parameter. We initially thought that it could be a local file inclusion vulnerability and therefore tried a path traversal attack:
This challenge was about LDAP injection.
In this challenge we were given the source of a vulnerable PHP page and were tasked with the exploitation.
This year again a small delegation of Compass Security was present at Insomni’hack in Geneva. On the novelties this year, the workshops spanned over two days (Tuesday and Wednesday) and the conference followed the same direction (Thursday and Friday). There was also a new kind of CTF, labeled blue-team CTF, called Boss of the SOC. […]
Last Friday a little more than a dozen Compass Security Analysts traveled to Geneva and attended the Insomnihack conference and its CTF. Conference The conference featured a variety of topics, ranging from areas such as corporate IT security, distributed systems and malware analysis, or even unusual topics such as remote exploitation of game engines. DevOOPS: Attacks […]
The goal in the Capscii challenge was to solve 50 captchas consecutively in less than 100 seconds and prove that we are not human. The captcha was not your usual recognition of text though, it consisted of an operation (addition, subtraction or multiplication) on two numbers. Only problem, the numbers were printed as ASCII art on […]
© 2024 Compass Security Blog