Month: April 2018

ZeroDays CTF 2018 – “edgescan” Challenge

Capture The Flag, Security
The "edgescan" challenge under the "Reverse Engineering" category of the ZeroDays Capture the Flag 2018 event was pretty straightforward, although I wasn't able to solve it during the actual event due to time pressure. So to start with, the challenge description went as follows:

So edgescan kindly sent us a small challenge, we've tweaked it slightly. Enter the key to get your flag. Enjoy!

Clues: The flag is in the usual format. The flag message is XORed with the key (12 chars).

The first clue says "The flag is in the usual format", which means it should be in the format of ZD2018{???????????????????} as per the example flags given in the event. The second clue, on the other hand, says that the flag message is XORed with a 12-character key. During the event, I actually thought tha
CCNA CyberOps Experience

Security
The 'Cisco Certified Network Associate - Cybersecurity Operations' program has been quite a ride! Coming from a software development background, getting into computer networks wasn't really my interest, but hey, Cisco offered the training and certification FREE of charge for qualified people! How cool is that? So, yes! I tried applying for the scholarship and was blessed to be accepted!

What is it?

CCNA CyberOps is the newest version of the CCNA path as of the time of writing this article. This CCNA version specifically leads to understanding the basics of cybersecurity and covers general network security and security operations. As of this day, this path doesn't have the Cisco Certified Network Professional (CCNP) and obviously Cisco Certified Internet Expert (CCIE...
ASUS Responsible Disclosure – SQL Injection

Security, Vulnerabilities
My CCNA CyberOps scholarship has finally ended, which means more time to fool around on the internet! Yey! So recently, I decided to pursue some bug hunting because it has been a while since my last "capture the flag" practice and I am already forgetting how to use the tools in Kali. This made me look for some popular sites and led me to visit asus.com. After some information gathering, I came across the domain etrip.asus.com, which then forwarded me to a JavaScript file, etrip.asus.com/eTrip/HO-js.js. Reading the script showed another file with a .jsp extension which had some parameters. I first visited the link without any parameters as I didn't really know what values are marked 'correct' in the system. After visiting, it just spat out the source code, which made me say "Wow! Tha...