Sharkzwithlazers

Sharkzwithlazers

Insomni'hack teaser 2020 - Inso File Manager 1 (Web)

TL;DR Dont trust user suppplied data, don´t screw up your jwt validation. Understanding the application The Ino Filemanager lets us, after registration, upload files and make them publicly available. After registering a user and logging in, we observed that we were issued a JSON Web Token (JWT). The

SharkyCTF 2020 - Logs in! Part 2

Building upon part 1 of this challenge, we continue to gather useful insights about how the target application works by using the enabled Symfony development tools. This time, we're using these insights to hack our way into a database that's used by a backend service which we normally wouldn't be

Insomni'hack teaser 2020 - Secretus (Web)

TL;DR Reusing example configurations is bad. Secretus was a pure Web challenge which presented us with a minimal form. The form did actually have no purpose as there were no handlers executed upon clicking the button or doing anything else, such as making a handstand while looking at the