I also wrote some reverse challenges this year: Void, Cyp.ress and Bashed!. We will cover them all in the last part of the blog post. Void Challenge Summary I made a simple webpage that checks whether the flag is correct… Wait, where are the flag-checking functions? We are given a static webpage (source code here), where it asks us for the flag: The goal is to provide a legit flag.| Mystify
Surprisingly, I also wrote three series of web challenges this year: Custom Web Server, Mystiz’s Mini CTF and ⚡. They are all inspired by real life – either from security reviews or from the bugs I came across while developing web apps. Custom Web Server (1) Challenge Summary Someone said: ‘One advantage of having a homemade server is that it becomes much harder to hack.’ Do you agree? Give reasons.| Mystify
In the second part, I will cover the remaining cryptography challenges, including Almost DSA, mAEStro and Mask-mask-RSA. Almost DSA Challenge Summary According to an external auditor, my code implementing the data signature algorithm (DSA) has a one-byte security fix on a critical issue. Well, I am not bothered. Convince me by giving me the flag! Attachment: almost-dsa_148b8b2cd8c78df02bbdc24bd7fa3f56.zip We are given $(p, q, g)$, the public parameters of the data signature algorithm (DSA).| Mystify
Black Bauhinia co-organizes the HKCERT CTF for the fifth year. I wrote 18 challenges (in 11 series) this year and here is a series of blog posts covering all of them. I will cover two cryptography series in the first part: RSA LCG and Pigeon Post.| Mystify