coin_artist – 34700 $coin Puzzle Write-Up ($20,000)

Solvers:

A few of us recently participated in another puzzle and managed to be victorious, collecting 34700 $coin (est $20,000 at time of solve) prize. coin_artist of Blockade Game and Bitcoin fame recently launched a new crypto currency called $coin. She had the idea of having the coin's original value backed by the purchase of NFTs that cost several Ethereum.

There was a clever stipulation involved though, anyone who owned one of these original $coin NFTs would be able to solve a puzzle with a $coin reward once launched. Cloverme of Age of Rust (Space Pirate) purchased a few of these NFTs and gifted one of them to us. This gave us the chance to participate and attempt to solve her puzzle.

With the launch of $coin, it unleashed a new puzzle designed and created by Lee Sparks (motive).

Let's dive into it.

Continue reading

NahamCon – Trash the Cache Write-up (Web 1000)

I recently participated in the NahamCon CTF with the team Hacking for Soju. I was unable to complete this challenge before the end of the CTF, but managed to solve it the following day. Credits to maneolt and xehle for sharing notes and giving me a couple nudges.

Shout-out to the challenge creator Adam Langley (give him a follow) for keeping the hype going after the CTF ended and also making one of the better web CTFs I have seen!

It starts with Hackbookagram.com

Continue reading

JosieBellini’s Yours Truly Puzzle Walkthrough

We recently participated in the Yours Truly puzzle created by Josie Bellini (@josiebellini) and managed to secure a victory by being the first to solve the entire puzzle series. Here is a walkthrough of all the puzzles and how to unlock Josie’s Yours Truly puzzle wallet.

Team:

Continue reading

A Tale of Exploitation in Spreadsheet File Conversions


Researchers:


Intro

In our attempt to fingerprint LibreOffice as a PDF rendering service, we identified multiple implementation vulnerabilities.

This writeup covers our efforts to fingerprint LibreOffice, LibreOffice file detection (and abuse) & misuse of the LibreOffice Python-UNO bridge.

The unintended misuse of the Python-UNO bridge by the popular package unoconv resulted in CVE-2019-17400.

We believe our research here is not final, and encourage others to look into this area.

Continue reading

Montecrypto – ARGSS Write-Up

Montecrypto: The Bitcoin Enigma

A solve diary & challenge-by-challenge walkthrough by the crew who cracked it

ARG Solving Station: Luigy, en, JTobcat, ziot, motive, Askin, lucifers_cat
Special thanks to: Austin, nsnc, pipecork

Meet us and learn more in ARGSS https://discord.me/arg_solving_station

Continue reading

Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read

I recently came across across a request on a bounty program that took user input and generated an image for you to download. After a little bit of a journey, I was able to escalate from XSS inside of an image all the way to arbitrary local-file read on the server. It's a private program, so I'm going to do my best to redact as much information as possible.

Continue reading

Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages

airbnb_horizontal_lockup_print

Airbnb recently created a new feature called Experiences which allows you to book things to do rather than places to stay. With the new code changes that came along with Experiences, we discovered a page that allowed you to send yourself a text message with a link to download the Airbnb app. This sent a POST request to an API endpoint we had never seen before. Using the JS Parser tool we built we discovered another API call associated with it. We found that these API calls were vulnerable to Insecure Direct Object Reference (IDOR) and allowed you to view all messages on Airbnb by ID.

Continue reading

Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution

airbnb_horizontal_lockup_print

@nahamsec and I discovered a Cross-Site Scripting vulnerability a few months ago related to Rails typecasting request variables into JSON. This caused the output to be JSON formatted and the JSON indexes would avoid XSS encoding. We decided to run with this concept and explore the rest of the website to see if we could identify other vulnerabilities using the same method. Along the way we discovered an interesting output from the /api/v1/listings/[id]/update API request. This led us to finding a Remote Code Execution vulnerability on Airbnb due to Ruby on Rails string interpolation.

Continue reading