ECW 2018 - Web - Intrusion (5 challenges) 10 min read - Oct 21, 2018

ECW 2018 is a French Jeopardy challenge organized by the PEC (French Pôle d’Excellence Cyber) in partnership with the Bretagne county, Airbus and Thales. Intrusion is a set of 4 (+1 extra) challenges based on a realistic web scenario. It targets Ruby on Rails and cookie manipulation in order to become admin on the production website.

ECW 2018 - Web - Troll.JSP 4 min read - Oct 21, 2018

ECW 2018 is a French Jeopardy challenge organized by the PEC (French Pôle d’Excellence Cyber) in partnership with the Bretagne county, Airbus and Thales. “Troll.JSP” is a challenge based on exploiting CVE-2017-5638, executing code to change a session variable and then display the flag.

ECW 2018 - Web - SysIA 3 min read - Oct 21, 2018

ECW 2018 is a French Jeopardy challenge organized by the PEC (French Pôle d’Excellence Cyber) in partnership with the Bretagne county, Airbus and Thales. SysIA is a challenge based on an LFI (Local File Inclusion) exploitation, using the bash_history file and the updatedb tool to find the flag.

Windows 10 & GPO - Hardening against personal data leak 9 min read - Oct 19, 2018

Since the release of the Windows 10 operating system, many questions about user privacy have been raised. Indeed, even if our data were already being collected before, Microsoft has become more open about its data collection with Windows 10. This has allowed many people to open their eyes and become aware of what is happening.

Web containers - Stop data sharing between websites 8 min read - Sep 27, 2018

If you regularly use an Internet browser and you know a little bit about Web technology, you generally know what data is retrieved by the different websites that you visit. If not, just know that each visited website stores information about you through different mechanisms (cookies in particular) which can, for example, identify you so you no longer have to enter your credentials. However, this is only a small part of the data that publishers collect.

Android Internet Box and Privacy - The iceberg summit 6 min read - Sep 13, 2018

A slightly lighter post this time, dealing with connected Internet boxes, and specifically the Miami Bboxes (from a French ISP). Indeed, having one of these boxes, I wondered what I could find from a privacy point of view and what a basic but curious user could do with its settings. We will therefore see here that a certain number of default settings are activated and that it is possible to act on them. I should point out that no box was mistreated during these experiments :D

Best security practices for WordPress installations 11 min read - Mar 31, 2018

If you want to set up your own website but you are not an expert, you may have seen the word “WordPress” around. It is a CMS (Content Management System) that helps in the creation of a website. Basically, it facilitates creation and management by providing a ready-to-use interface. All you have to do is customize your site and write your articles! No need to write code (even if it is possible to dig in and modify things manually)!

The password reuse threat 12 min read - Dec 17, 2017

I’m sure you’ve already heard it a thousand times, but questions about passwords on the Internet are more critical than ever for your privacy and personal data. Nowadays, the Internet is used for (almost) everything and by (almost) everyone, from the simple cooking website to your bank account, through social networks, marketing websites or even your mailboxes. That makes a lot of websites, accounts and, therefore, passwords.

ECW 2017 - Web - Path Through 3 min read - Nov 30, 2017

The ECW 2017 is a French Jeopardy challenge organized by the “Pôle d’Excellence Cyber” in partnership with the “Région Bretagne”, Airbus and Thales. Path Through is a web challenge based on blind SQL injection.

ECW 2017 - Web - Hall of Fame 3 min read - Nov 23, 2017

The ECW 2017 is a French Jeopardy challenge organized by the “Pôle d’Excellence Cyber” in partnership with the “Région Bretagne”, Airbus and Thales. Hall of Fame is a web challenge based on UNION-based SQL injection.

Quaoar Virtual Machine - Walkthrough 8 min read - Nov 20, 2017

“Quaoar” is a “Boot2Root” VM originally created for the Hackfest 2016 CTF. It aims to train your computer security skills. You just have to launch the virtual machine and then find a way to get root! This VM is freely available on Vulnhub.

TamuCTF 2017 - Steganography - Musical Bits 5 min read - Nov 12, 2017

The TamuCTF is a Jeopardy-style CTF. This walkthrough explains the “Musical Bits” challenge, which is a steganography challenge. I worked with Iptior on this one and it took several hours of pain before success! Let’s go!