housecat-rtcp-ctf
Overriding JS to Perform SQL Injection (Housecat RTCP CTF Writeup: Blog from the future)
· ☕ 5 min read
The TL;DR of this challenge was SQL injection and overriding JavaScript (to skip the encrypt/decrypt functions).

Challenge

Challenge Name: Blog from the future
Challenge Description: My friend Bob likes sockets so much, he made his own blog to talk about them. Can you check it out and make sure that it's secure like he assured me it is?

Solution

JS Overriding

Rule #1 of web CTFs: ALWAYS check robots.txt first! This time I found:

    User-Agent: *
    Disallow: /admin

And in /admin there is a comment saying you need to use TOTP (Time-Based OTP). Who does not use a TOTP for 2-factor authentication in 2020?

Breaking Math.random() and Predicting Random Numbers (Housecat RTCP CTF Writeup: JS Lotto)
· ☕ 3 min read
TL;DR? Here. PS: You need to do pip install z3-solver requests for this to work.

Okay, so a little confession: before the CTF challenge, I didn't think much of Cryptographically Secure Pseudo Random Generators (CSPRNGs), and thought they were just for very high security purposes, like defence against a state-level hacking agency. I thought normal PRNGs were enough for day-to-day purposes and no one could realistically break them. After this CTF… oh boy, it takes 30 mins to break PRNGs (the one used by JavaScript in Chrome/Firefox) and I'm never going to use those for security again. I should've never…