Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Web100, 300 and 400 were completely blind and guessing only. I believe web300 or 400 randomly url_decoded your Github username in order to create an injection point. For web100 you had to "inject" a PHP file by bypassing a filename filter, but it would store the file as .jpg. Later admins in IRC told us that it is just a "simulation" and you simply get the flag if you bypass the filter (of course without giving out a formal notice about this on the website). The bug itself was apparently described on a famous Chinese security bug website: http://www.wooyun.org/bugs/wooyun-2015-0125982 If you don't know the bug, it's pretty much guessing only and random tampering with HTTP headers.
- Crypto200 had nothing to do with crypto. Crypto100 was almost good, except they truncated the plaintext for some reason, just so it would still involve at least *some* guessing I suppose. It still ended up being kind of fun.
- Misc100 was stego in a PDF document, apparently you just had to Google for PDF stego and try some of the tools until you find the right one. Misc300 was kind of fun.
- I didn't end up looking into RE and pwn in detail, but I think those were OK, although people in IRC tell me that there was a *lot* of guessing involved as well.
- Admins in IRC gave out significant hints in public, without adding them to the website. E.g. they mentioned that web300/400 is a MongoDB injection.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement