https://blog.sohamsen.me/en/tags/housecat-rtcp-ctf/Recent content in housecat-rtcp-ctf on GhostPosts™Hugo -- gohugo.ioenhi@sohamsen.me (Soham Sen)hi@sohamsen.me (Soham Sen)© 2020, All Rights ReservedSun, 26 Apr 2020 19:59:05 +0530https://blog.sohamsen.me/en/posts/overriding-js-sql-injection/Sun, 26 Apr 2020 19:59:05 +0530hi@sohamsen.me (Soham Sen)Mon, 11 Mar 2024 19:08:00 +0530https://blog.sohamsen.me/en/posts/overriding-js-sql-injection/The TL;DR of this challenge was SQL injection and overriding javascript (to skip the encrypt/decrypt functions). Challenge Challenge Name: Blog from the future Challenge Description: My friend Bob likes sockets so much, he made his own blog to talk about them. Can you check it out and make sure that it’s secure like he assured me it is? Link Solution JS Overriding Rule #1 of web CTFs: ALWAYS check robots.txt first! This time I found: User-Agent: * Disallow: /admin And in /admin there is a comment saying you need to use TOTP (Time Based OTP. Who does not use a TOTP for 2-factor authentication in 2020?Soham Senweb-ctfhousecat-rtcp-ctfCTF Writeupshttps://blog.sohamsen.me/en/posts/breaking-math-random/Sun, 26 Apr 2020 19:07:36 +0530hi@sohamsen.me (Soham Sen)Mon, 11 Mar 2024 19:08:00 +0530https://blog.sohamsen.me/en/posts/breaking-math-random/TL;DR? Here. PS: You need to do pip install z3-solver requests for this to work. Okay so a little confession: Before the CTF challenge, I didn’t think much of Cryptographically Secure Pseudo Random Generators (CSPRNGS), and thought they were just for very high security purposes, like defence against a state level hacking agency. I thought normal PRNGs were enough for day-to-day purposes and no one could realistically break it. After this CTF…oh boy, it takes 30 mins to break PRNGs (the one used by Javascript in Chrome/Firefox) and I’m never going to use those for security again. I should’ve never…Soham Senmiscellaneous-ctfhousecat-rtcp-ctfCTF Writeups