SHA2017 CTF – web 300 write-up

Another challenge written by me was the Web 300 – Eindbazen Election challenge running on This page contains a ranking of all Eindbazen members, a link to the Android voting software and a QR code.

I wrote this challenge, because we had all those cool images created by Thice and because Dutch election software is apparently broken. So I decided to create my own safe election software.

The goal of the challenge is to figure out how the Android application is talking to the website and to see if we can use that to get more information from the database or gain access to the website.


SHA2017 CTF – web400 write-up

I created several challenges for SHA2017 CTF. One of them was the web400 ‘A View of Holland‘ challenge, a web challenge featuring an image gallery with some nice images from Holland. I always try to create challenges which give a clear idea of what you should do. The challenge may be challenging, but it shouldn’t be a needle in a haystack. There were 2 solves of this challenge, so I succeeded in the challenging part and reading the write-up of ESPR I see that they followed the intended solution till the brute-forcing of the mt_rand seed.

This post will contain the write-up of the intended solution of this challenge.


Solving the Cyberlympic Pwnable WGZLiveLabsTrivia

This year I competed for the first time in the Cyberlympics contest. This year it was created by warl0ckgam3z. Our 4-man team managed to get to the third round in Europe, but we wasted too much time on some challenges and were beaten by two of last years finalists. One of the challenges in round3 was a pwnable named WGZLiveLabsTrivia. I didn’t solve it during the contest, but the day after and still wanted to write about it. So sorry about the delay. but here finally is the write up. (Also the team, that did solve this during the contest, used the same principle).


Resize Android Emulator Virtual Device

Lately I had to increase the size of an Android Emulator Virtual Device. I couldn’t simply recreate the device, cause I wanted to reserve all data and applications installed. Since it took me some while to figure out and find the instructions to do this, I decided to create this small Blog Post for future references.

To increase the size of a virtual device on Linux you can use the following commands.

Linux with RocketRAID 2320 – dataserver upgrade

A couple of months ago I decided to upgrade the OS of my dataserver. A server I created several years ago with 8 x 750GB hard disks serving a 4TB RAID-5 set. To handle the RAID-5 set I use a RocketRAID 2320 SATA-II Controller from HighPoint Technologies. Motherboard, CPU, memory and video card were replaced over the years, but the raid controller is still operational.

As OS I run Debian, started originally with Etch (I think) and in the years updated to now finally sid). Every update I had some trouble with the RocketRAID driver. Which I could solve with some tweaks.


Cybercrime Challenge 2014

Dit jaar heb ik meegedaan aan de Cybercrime Challenge: Operation High Impact van Team High Tech Crime van de Nationale Politie (ontwikkeld in samenwerking met Tweakers en QCSEC). Mijn dank voor de leuke uitdaging!

Dit deed ik niet onverdienstelijk, was als 4e klaar met het digitale pad (waar Dmitry als eerste klaar was), en als 1e die het tactische pad had opgelost en dus ook beide paden.

2e plek Cybercrime Challenge
2e plek Cybercrime Challenge

Ik was de tweede in snelste tijd, moest alleen Crypto Sjon voor me dulden. (Screenshot is ten tijde van het schrijven van deze blogpost. Inmiddels zijn de antwoorden online te vinden en worden mensen dusdanig gehint dat een snelle tijd halen erg makkelijk is).

Hieronder een omschrijving van alle challenges en hoe ik het opgelost heb. (Sommige challenges maken gebruik van social media, kan zijn dat deze niet meer beschikbaar zijn, alle downloadbare content heb ik gemirrored).

Steal WhatsApp update

When I wrote Steal WhatsApp database (PoC) I never expected it to go viral. I only wrote the article for myself and the few readers of my weblog. My brother and I started the research out of curiosity and ended with this Proof of Concept and blog post. But I’m happy with all the discussion it starts and the awareness it creates by users. My post was not meant to bash Android, WhatsApp or Facebook. I’m a happy consumer of all those products, but only question some design decisions.

However there is some room for some credits and some clarification. (more…)

Steal WhatsApp database (PoC)

“Is it possible to upload and read the WhatsApp chats from another Android application?”

With this question my brother and I started an interesting conversation which ended in underneath proof of concept. The tldr answer is: “Yes, that is possible”.


Telegram Spam?

We all heard the news that Facebook took over WhatsApp. Although I had never any problems using WhatsApp, I noticed in my environment that people were looking for a replacement. And it seems that the majority choose for Telegram. So I followed them. Too bad that after the installation of Telegram I started to receive SMS Spam.