Bas Bosschert is a freelance Linux administrator, Android developer and security specialist from the Netherlands with more than 10 years of experience in the field of security and Linux/Unix administrating. Bas plays CTFs as part of the Eindbazen team and had a huge role in organising several CTF’s in the past, which includes creating challenges in categories like binary, crypto, forensics, networking, pwnables and web, but also hosting and securing systems, challenges and scoreboard.
Another challenge written by me was the Web 300 – Eindbazen Election challenge running on https://vote.stillhackinganyway.nl/. This page contains a ranking of all Eindbazen members, a link to the Android voting software and a QR code.
I wrote this challenge, because we had all those cool images created by Thice and because Dutch election software is apparently broken. So I decided to create my own safe election software.
The goal of the challenge is to figure out how the Android application is talking to the website and to see if we can use that to get more information from the database or gain access to the website.
I created several challenges for SHA2017 CTF. One of them was the web400 ‘A View of Holland‘ challenge, a web challenge featuring an image gallery with some nice images from Holland. I always try to create challenges which give a clear idea of what you should do. The challenge may be challenging, but it shouldn’t be a needle in a haystack. There were 2 solves of this challenge, so I succeeded in the challenging part and reading the write-up of ESPR I see that they followed the intended solution till the brute-forcing of the mt_rand seed.
This post will contain the write-up of the intended solution of this challenge.
This year I competed for the first time in the Cyberlympics contest. This year it was created by warl0ckgam3z. Our 4-man team managed to get to the third round in Europe, but we wasted too much time on some challenges and were beaten by two of last years finalists. One of the challenges in round3 was a pwnable named WGZLiveLabsTrivia. I didn’t solve it during the contest, but the day after and still wanted to write about it. So sorry about the delay. but here finally is the write up. (Also the team, that did solve this during the contest, used the same principle).
Lately I had to increase the size of an Android Emulator Virtual Device. I couldn’t simply recreate the device, cause I wanted to reserve all data and applications installed. Since it took me some while to figure out and find the instructions to do this, I decided to create this small Blog Post for future references.
To increase the size of a virtual device on Linux you can use the following commands.
A couple of months ago I decided to upgrade the OS of my dataserver. A server I created several years ago with 8 x 750GB hard disks serving a 4TB RAID-5 set. To handle the RAID-5 set I use a RocketRAID 2320 SATA-II Controller from HighPoint Technologies. Motherboard, CPU, memory and video card were replaced over the years, but the raid controller is still operational.
As OS I run Debian, started originally with Etch (I think) and in the years updated to now finally sid). Every update I had some trouble with the RocketRAID driver. Which I could solve with some tweaks.
Dit deed ik niet onverdienstelijk, was als 4e klaar met het digitale pad (waar Dmitry als eerste klaar was), en als 1e die het tactische pad had opgelost en dus ook beide paden.
Ik was de tweede in snelste tijd, moest alleen Crypto Sjon voor me dulden. (Screenshot is ten tijde van het schrijven van deze blogpost. Inmiddels zijn de antwoorden online te vinden en worden mensen dusdanig gehint dat een snelle tijd halen erg makkelijk is).
Hieronder een omschrijving van alle challenges en hoe ik het opgelost heb. (Sommige challenges maken gebruik van social media, kan zijn dat deze niet meer beschikbaar zijn, alle downloadbare content heb ik gemirrored). (more…)
Ok, bad title, cause that is not possible. But it was the goal I wanted to achieve and there are some solutions for it. In Android development the strings.xml file is used to store all Strings in, so you can add support for multiple languages or at least have one place where you can change all your text. (more…)
When I wrote Steal WhatsApp database (PoC) I never expected it to go viral. I only wrote the article for myself and the few readers of my weblog. My brother and I started the research out of curiosity and ended with this Proof of Concept and blog post. But I’m happy with all the discussion it starts and the awareness it creates by users. My post was not meant to bash Android, WhatsApp or Facebook. I’m a happy consumer of all those products, but only question some design decisions.
However there is some room for some credits and some clarification. (more…)
We all heard the news that Facebook took over WhatsApp. Although I had never any problems using WhatsApp, I noticed in my environment that people were looking for a replacement. And it seems that the majority choose for Telegram. So I followed them. Too bad that after the installation of Telegram I started to receive SMS Spam.