The Problem:


(Yes every problem is robot/beer related)

The (probably mspaint) webpage

The (probably mspaint) webpage, the newspaper secretly gives you a hint of the problem at hand. (Sneaky isn’t it?)

Here is what happens when we enter in a password:


Let’s dive into the source shall we?


Ooh, key.js – looks like something we’d be interested in!

Do you see it?

Do you see it?

Take a look through the source, you’ll notice something very particular. Bring your attention to:


It appears when this webpage was created the admin had a debug feature built in. This will probably give us a bit more data!

This script takes one argument and submits it with the debug variable set

We get this as an output:



Interesting, so we get two floats along with our response/success boolean. It would appear that this will show you how long the password check took.

Any ideas? I smiled on this problem because it’s very cool (at this point I had it figured out). Basically the idea is the program will stop checking the password once it encounters the first bad character.

Something like this:

Password = test

User input = tango

Computer says “Yep he’s got the t, that matches…Oh! ‘e’ isn’t correct, no need to go any further – stop execution and alert user of bad password.

So logically whatever character takes the longest for the program to compute is the correct letter! This is what is known in cryptography as a side channel attack.

Theory seems sound, let’s code it!


Simple function to try a key and return only relevant data from response


Infinite loop to try everything in character set and use whatever took the longest amount of time

Now that we have our code, let’s run it and hope for the best (or at least get a better picture of how this works if you haven’t gotten there yet!)



Character “A” had the longest load time



Ever closer! (Hope are charset is good!)


GOT IT! Thanks to our code alerting us when the password was good

Got it! Out comes our key and we’ve solved the challenge. This was very cool for me because it was a practical example of a side channel attack which I’ve always found very interesting. :)

Hope that elaborates clearly enough – any questions or comments please let me know!

Till next time,



I decided that this post should could be summed up pretty quickly with just a few pictures, so I’m doing this in more of a blurb format than a blog post :)

The challenge:


This was to allow some wiggle rooms for teams solving the same challenges.



Loved this challenge, was a lot of fun brainstorming ideas!



Pharming my blog readers (sorry about that)


Sorry guys, CTF fever!




Luring people to my blog via Reddit posts and false Pastebin(s)




Creating a script to use all international TOR exit nodes


Tmux is the best thing since sliced bread

Tmux is the best thing since sliced bread

Mild amounts of proxy scraping

Pretty fruitless attempt sadly (already had many countries at this point)

Pretty fruitless attempt sadly (already had many countries at this point)


Making my forum signature image the “secret” link


(This works because the browser still does an automatic GET request for images, regardless of whether or not they are actually a proper image format). I ended up stirring up an international thread on the forum I used just to obtain more obscure country flags 😉

Again, sorry about farming you guys for flag points but their was no malware or anything – just a small bit of JSON!

Till next time,


So I was screwing around with Android app hacking and I figured the Snapchat App for Android would be a cool read. While I was originally more interested in reversing the app and making a script to automate Snapchat it turns out someone has already done it:

Dang it!

The process was no a complete waste however, as I stumbled upon something very weird…

Note: To get this source for yourself you’ll need to get the Snapchat APK. Then use dex2jar to create a .jar file, now you can use a Java Decompiler to view the source (in Java). This is possible because Java compiles into bytecode (an intermediary language) and not into machine code.

If you check under the “ui” package:


You’ll notice this:



Here is the weird code I’ve found:


import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.os.Build.VERSION;
import android.preference.PreferenceManager;
import android.view.MotionEvent;
import com.WazaBe.HoloEverywhere.widget.Toast;

public class PressureCooker
  private static final float MAX_OUTPUT = 40.0F;
  private static final float MIN_OUTPUT;
  private Context mContext;
  private CropProcessor mPressureProcessor;
  private LowpassProcessor mSizeProcessor;

  public PressureCooker(Context paramContext)
    this.mContext = paramContext;
    SharedPreferences localSharedPreferences = PreferenceManager.getDefaultSharedPreferences(paramContext);
    this.mPressureProcessor = new CropProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_PRESSURE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_PRESSURE", (0.0F / 0.0F)));
    this.mSizeProcessor = new LowpassProcessor(localSharedPreferences.getFloat("HISTORICAL_LOW_SIZE", (0.0F / 0.0F)), localSharedPreferences.getFloat("HISTORICAL_HIGH_SIZE", (0.0F / 0.0F)));

  private float lerp(float paramFloat1, float paramFloat2, float paramFloat3)
    return paramFloat1 * (1.0F - paramFloat3) + paramFloat3 * paramFloat2;

  public float getFiltered(MotionEvent paramMotionEvent)
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getPressure()); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getSize()))
      return lerp(0.0F, 40.0F, f * (f * f));

  public float getHistoricalFiltered(MotionEvent paramMotionEvent, int paramInt)
    if ((Build.VERSION.SDK_INT >= 14) && (paramMotionEvent.getToolType(0) == 2));
    for (float f = this.mPressureProcessor.getFiltered(paramMotionEvent.getHistoricalPressure(paramInt)); ; f = this.mSizeProcessor.getFiltered(paramMotionEvent.getHistoricalSize(paramInt)))
      return lerp(0.0F, 40.0F, f * (f * f));

  public void onPause()
    SharedPreferences.Editor localEditor = PreferenceManager.getDefaultSharedPreferences(this.mContext).edit();
    localEditor.putFloat("HISTORICAL_LOW_PRESSURE", this.mPressureProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_PRESSURE", this.mPressureProcessor.mHighestInput);
    localEditor.putFloat("HISTORICAL_LOW_SIZE", this.mSizeProcessor.mLowestInput);
    localEditor.putFloat("HISTORICAL_HIGH_SIZE", this.mSizeProcessor.mHighestInput);

  public void resetLowPassFilter()
    LowpassProcessor.access$002(this.mSizeProcessor, (0.0F / 0.0F));

  private class CropProcessor
    private static final float DEFAULT_VALUE = 0.01F;
    private static final int INITIALIZATION_SAMPLES = 400;
    public float mHighestInput;
    public float mLowestInput;
    private int mNeededSamples;

    public CropProcessor(float paramFloat1, float arg3)
      this.mLowestInput = paramFloat1;
      Object localObject;
      this.mHighestInput = localObject;
      this.mNeededSamples = 0;

    public float getFiltered(float paramFloat)
      if ((this.mLowestInput != this.mLowestInput) || (this.mHighestInput != this.mHighestInput))
        this.mLowestInput = paramFloat;
        this.mHighestInput = paramFloat;
        this.mNeededSamples = 400;
        Toast.makeText(PressureCooker.this.mContext, 2131624111, 1).show();
      float f1;
      if (paramFloat < this.mLowestInput)
        this.mLowestInput = paramFloat;
        f1 = (paramFloat - this.mLowestInput) / (this.mHighestInput - this.mLowestInput);
        if (f1 <= 1.0F)
          break label152;
        f1 = 1.0F;
      while (true)
        if (this.mNeededSamples > 0)
          this.mNeededSamples = (-1 + this.mNeededSamples);
          float f2 = this.mNeededSamples / 400.0F;
          f1 = 0.01F * f2 + f1 * (1.0F - f2);
        return f1;
        if (paramFloat <= this.mHighestInput)
        this.mHighestInput = paramFloat;
        label152: if (f1 < 0.0F)
          f1 = 0.0F;

  private class LowpassProcessor extends PressureCooker.CropProcessor
    private static final float LOWPASS_RATE = 0.1F;
    private float mOldVal = (0.0F / 0.0F);

    public LowpassProcessor(float paramFloat1, float arg3)
      super(paramFloat1, localObject);

    public float getFiltered(float paramFloat)
      if (this.mOldVal != this.mOldVal)
        this.mOldVal = paramFloat;
      for (float f = this.mOldVal; ; f = this.mOldVal)
        return super.getFiltered(f);
        this.mOldVal = (0.9F * this.mOldVal + 0.1F * paramFloat);

To make things even more weird it’s not reference or used anywhere!

Seriously. It’s just a random class that’s never actually used anywhere:

Not sure what to think about this, I’ve put it here to see if anyone else reverses the Snapchat app and Googles this code ;). If you are reversing the code and have more info please let me know in the comments or personally as I’m interested as to why this is here at all.

Until next time,


So I recently had a good idea (probably in the shower).

One of the biggest issues when trying to penetrate a network is getting past the perimeter. The outside is almost most protected and if you had an internal user hacked you’d be well on your way to full compromise.

The normal idea here is usually to utilize spear phishing or attempt to get a user to click a link to a browser autopwn page, etc. Sadly, most people aren’t too keen on clicking random links they get in emails.

I started to think what email links do I click on? More specifically what links do I click on from users I don’t already know?


Yes, spam, and you probably do as well. I’m not talking Viagra ads, I’m talking the newsletters I’ve been signed up for (that I clearly never signed up for). Having a popular email address (mandatory et gmail) I often get subscribed to a lot of random newsletters. What do you do when you get a lot of newsletters? You click the unsubscribe link. Usually it’s just one click and your unsubscribed, so why wouldn’t you click it?

I hate all you people who use “mandatory” as fake email address.

The idea is literally to spam your users with newsletter emails, eventually they will get fed up with them and click the unsubscribe link. Even better, you don’t have to pretend to be anyone they trust so their is no research that needs to be done. Just spam and wait for them to unsubscribe.

Some issues with this method:

  • Gmail users might just filter your emails straight to spam (just make more newsletters mwuahaha)
  • Creating newsletters that look legit (I’d personally just clone another newsletter)
  • Admins will quickly start marking your emails as spam
  • Cat facts are not a viable newsletter anymore

Personally I think it’d be a lot more effective if you made the unsubscribe link large/noticeable. It’d be even better if you actually didn’t stop sending them the newsletters – forcing non-techy users to forward the emails to the IT guys.

I think you see where this is going…

Even further if you made the newsletters embarrassing it might make the users even more inclined to click the unsubscribe link (porn sites/dating sites/etc). Other ideas I had include making the unsubscribe link an email and perhaps force users to display images so you can get their IP, etc. Perhaps even having an email that says to reply to the email with an unsubscribe link for simple email client fingerprinting…

To end, I’m surprised I haven’t read about this idea before! It seems so simple :)

TL;DR: Spam, Click, Pwn

Till next time,


The beginning of the Web 200 problem for the Sharif University CTF Quals started with a screen like this:



So it’s a hybrid login/sign-up form, probably due to the fact that coding two pages is a lot of work for a temporary CTF.

Once you’ve logged in you are presented with a website like so:



Ah, I love the smell of weird input in the morning.



Ooh, and there is the flag we are looking for!

We have the ability to create new “items” as well, let’s try that out.



Once we’ve added the item we are shown this:


So we can delete or view the “item” we’ve added, let’s checkout what’s under “View”.




Neat, what’s the URL look like decoded?




Ooh! Looks like they are including a file with the path name in the URL!

Let’s modify that a bit and see what happens.



Interesting, this looks like a local file inclusion vulnerability? But is it?




After putting that URL in your browser you get this as output:



Neat! So you can now see the PHP source code of any files inside of the root web directory!

So I’d just like to say something here, I spent literally 2 hours banging my head to beat the above piece of code. I was so sure you had to beat the security measures by reading some configuration file!

Spoiler alert: That’s not the vulnerability you’re exploiting at all.


Before you continue reading, try practicing by looking through the mirrored PHP code below for vulnerabilities:

The main page for logging in:

The page that allows us to view the source of pages:

The panel page that lets you view your items/other items:

See if you can find the answer yourself, else continue on reading.

Let’s try reading another file shall we?






Long story short, their SQL looked clean, their wasn’t anything to obvious until I saw this:



Getting closer to the answer? Notice how after you create an account it does this:**




So hopefully you’ve got a whiff of what’s bad about this but in case you haven’t, this is how registration works:

  1. Username is checked to ensure it’s not “admin”
  2. Username and password are checked to ensure nobody else is using them
  3. If they don’t exist then it registers them
  4. After it has registered you, the program removes tab characters from your username.
  5. The cookies are then generated, the “auth_user” is your username and the “auth_hmac” is your username HMAC MD5 hashed with a secret $hmackey
  6. You are then redirected to the panel page to view/create items.

So what if my name was “admin[TAB]”?

  1. Username is checked to ensure it’s not “admin”, which it isn’t (it’s “admin[TAB]”)
  2. The username is checked to ensure nobody else has used it (which it hadn’t been, the CTF people probably made sure of this)
  3. Since “admin[TAB]” wasn’t registered it was created in the database
  4. My username was then stripped of the tab characters, meaning my username is now just “admin”
  5. My cookies are now generated, using HMAC MD5 with my username “admin” and the secret $hmackey
  6. I’m then redirected to the panel page.

Neat, let’s try it!



Tamper Data Firefox Addon

Tamper Data Firefox Addon

Let’s just grab a tab character…


And put it after my username…


Notice the tab character after “admin” for my username

After submitting it, we get this:


I like the look of that! Come on baby, let’s see an admin account!


Perfect, we were authenticated as admin and can now view the flag!





Ah, no better feeling


I also will include the other things I tried (just in case it’s helpful to anyone):

  • Tried to brute-force the secret key (because I had the algorithm + my username)
  • Thought their was a way to somehow to read the credentials.php file