IceCTF 2016 – Geocities (web 100)

August 26, 2016

TLDR: shellshock, metasploit, pivot, sqlmap A cool web challenge, here the description: I recently stumbled onto this old site, it’s a miracle that it’s still up! It must be running some ancient technology and probably hasn’t been updated in years, it’s our lucky day boys! I first solved it like probably everyone else (index.cgi […]


32C3 CTF – Android Reverse-Engineering libdroid

January 9, 2016

I unfortunately didn’t have time to participate to the CCC CTF this year, but I wanted to look at the android reverse challenge and see if I could solve it using the Xposed Framework. So here we go, same toolkit as last time, Jadx, Genymotion and Android Studio (see here) Firing up an emulator with […]


SECCON 2015 Online CTF – Reverse-Engineering Android APK 1

December 7, 2015

After reading a write up of the Trend Micro CTF about someone discovering the Xposed Framework and wanting to use it to solve CTF challenges, I decided to do the same. In short, the Xposed framework allows to hook methods from an android application without having to modify the app. What I used: Genymotion (site) […]


ASIS CTF Finals 2015 – Giloph (crypto 300)

October 13, 2015

In this challenge we were given a normal network capture file of some “TCP” traffic. topsecret After carefully looking at the capture you can guess that it is not actually just TCP traffic but rather TLS traffic. Fix that in wireshark by right-clicking on a packet and choose to “decode as… > ssl” (That step […]


ASIS CTF Finals 2015 – 10-SED (crypto 175)

October 12, 2015

In this challenge we were given the source of a server which encrypts and decrypt messages for us with DES, a ciphertext and some kind of key. After looking at the source, you can observe how it handles the userinput, namely using the “key” to generate indices for reading from its own private key-list […]


ASIS CTF Finals 2015 – Strange (misc 150)

October 12, 2015

After downloading the ASIS typical .tar.xz archive, we got a png file with 14MB. After extracting we noticed that the file has dimensions of 344987×344987 pixels. OK that is huge! Since there was no preview of the picture generated, which would indicate a normal picture with something attached after the picture, we tried to open […]


0ctf 2015 quals – forward (web250)

March 30, 2015

At the start we’ve only got an url to our target webserver: When we click on “Login” we get a javascript popup which tells us “You Are Not Authorized!”. Then we click on “FLAG”, because that’s what we want. Unfortunately we don’t get a flag yet, but the source code of admin.php is revealed. Now […]

0 CTF 2014 – Killy The Bit (web200)

October 27, 2014

After reading other write-ups for this task (, I thought I should write one. Not that it is better (I really prefer the other solutions) but I find it interesting because it involves luck and brute force (that you actually don’t see often in a CTF :))I looked at the challenge after the three hints […]


ASIS Finals 2014 – XOROR (PPC 150)

October 13, 2014

Description Connect here and find the flag: nc 12431   Connecting to the given address, we are greeted by some ASCII art and a prompt to send “START” back to the server. Converting the “+” and “-” characters from the server to black and white pixels, you can recover something that looks like a […]


ASIS Finals 2014 – Match the pair (Web/PPC 200)

October 13, 2014

Description Play 40 levels of the game quickly in order to get the authorization to see the flag Match the pair is a traditional concentration mage and the user has to find eight image pairs containing a circle with the same color. The game logic is handled server side and the HTML code gives no […]

Get Adobe Flash player