From c6da1dac470e42f59a884cf0f5195aae09b38ded Mon Sep 17 00:00:00 2001 From: Ivaylo Ivanov Date: Sat, 18 Jan 2020 19:43:48 +0100 Subject: [PATCH] Add hxp36c3 writeup and fix seccon formatting --- writeups/ifkata/hxp36c3.md | 75 +++++++++++++++++++++++++++++++++++++ writeups/ifkata/seccon19.md | 22 +++++------ 2 files changed, 86 insertions(+), 11 deletions(-) create mode 100644 writeups/ifkata/hxp36c3.md diff --git a/writeups/ifkata/hxp36c3.md b/writeups/ifkata/hxp36c3.md new file mode 100644 index 0000000..33e571d --- /dev/null +++ b/writeups/ifkata/hxp36c3.md @@ -0,0 +1,75 @@ +# hxp 36C3 +## Overview +I found the CTF really interesting, but also frustrating. +I decided to focus only on includer, as it seemed intriguing and complex enough to do so. +Tackling the challenge was again a team effort, but unfotunately we couldn't solve it. + + +## Attempted challenges +### includer-web +#### Overview +The challenge consisted of a simple page which said "Hello, your sandbox is ". +There was no JavaScript, no styling, no input. + +#### Research +The first thing I did was to look into the provided files. Thus, I found the following information: +* the thing runs in a debian buster docker container, behind an nginx web server. +* a filename can be POSTed and the file will be evaluated if it does not start with `
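Review bot: in the new writeups/ifkata/hxp36c3.md, the includer-web Overview quotes the page as "Hello, your sandbox is " with nothing after "is", so the reader cannot tell what the page actually printed; show the value or mark it explicitly as a placeholder. In the same file's top-level Overview, "unfotunately" should be "unfortunately". In the Research list, "the thing runs in a debian buster docker container" would read better with the service named, and "Debian", "Docker" and "nginx" written consistently. The commit also bundles the seccon19.md formatting fix (11 lines changed per the diffstat) with the new writeup; splitting it into its own commit would keep the history easier to review and revert.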