Did you think I forgot? Nope!
After a short hiatus for the #DEFCON watch-party, #HackingGoogle #CTF posts are back with the first challenge of the last episode!
In this one - did you forget to feed your Tamagotchi? Because it returned for revenge on this challenge, reborn from the egg on this image file manipulation challenge.
Full write-up on the blog: https://taltechtreks.com/2024/11/20/hacking_google_ep005_challenge_01.html
Miss some #hackinggoogle #ctf action?
Well you're in for a treat - the last challenge of episode 4 is here!
Possibly one of the shortest solutions so far: only had to abuse some lesser known Git feature.
Saturday reading material on the blog --> https://talsk.github.io/2024/10/19/hacking_google_ep004_challenge_03.html
It's #hackinggoogle time!
The 2nd challenge of episode 4 continues exploring the same bug bounty website.
It features a relatively simple authentication bypass challenge - one of those showing how easy it is to make mistakes when developing your own.
Some Sunday reading material in the blog :) --> https://talsk.github.io/2024/10/12/hacking_google_ep004_challenge_02.html
We're in episode 4, baby!
The episode explored a familiar sight - the Google Bug Bounty website! (But in some alternate universe where it had many bugs...)
The first challenge was a bit of a doozy - I had to go through the entire 2nd and the beginning of the 3rd challenges to get past a roadblock I bumped into.
But in the end - I managed to exploit a write primitive which turned into the ability to read any file on the system, and beat the first challenge.
Writeup on the blog - https://talsk.github.io/2024/10/09/hacking_google_ep004_challenge_01.html
So far, the #HackingGoogle #CTF has produced amazing challenges.
They were, however, all over the place in terms of subjects and pushed the extent of my knowledge.
Episode 3 challenge 3 did not disappoint and threw in some Android reverse engineering - I had to break a secure sharing system of images of...corgis?
Everything on the blog :) -> https://talsk.github.io/2024/10/03/hacking_google_ep003_challenge_03.html
Whoa, they programmed a whole game into this challenge! 🤯
This challenge was something else - I needed to complete a game - keys, monsters, passwords and all that, and then my least favorite type of puzzles - Python sandbox escape - and a quite hard one at that!
But, I persevered, managing to get the flag for this one after a few hours in total.
#HackingGoogle #CTF is picking up!
https://talsk.github.io/2024/09/27/hacking_google_ep003_challenge_02.html
OAuth. Non-human identities. It's something I posted about a lot.
You can imagine my complete surprise that the first challenge of the 3rd episode in #HackingGoogle #CTF was all about stealing leftover credentials of a Google service account to run an OAuth flow and steal a very sensitive file about the Google Glass 2.0!
Read here (sorry about the ramble about OAuth no one asked for!):
https://talsk.github.io/2024/09/25/hacking_google_ep003_challenge_01.html
With a stark change from the previous challenge, this one upped the difficulty curve significantly!
It was a very limited sand-boxed shell environment that I had to break free from. This required some very creative thinking and techniques - like overriding bash's own built-in commands.
Short but thorough write-up on the blog:
https://talsk.github.io/2024/09/23/hacking_google_ep002_challenge_03.html
Well this one's short - the designers probably wanted me to experiment with Timesketch - a forensic analysis tool. However, turns out Excel is as effective! :)
Full (but quick) write-up here: https://talsk.github.io/2024/09/21/hacking_google_ep002_challenge_02.html
Moving to episode 2 of #hackinggoogle, the first challenge is the official image of the #CTF, and explores the idea of embedding secret data inside an image - steganography!
Some silly mistakes later, I was able to extract the flag from the image!
Blog post follows
https://talsk.github.io/2024/09/12/hacking_google_ep002_challenge_01.html
Tal
