<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    
    <title>Tal&apos;s Tech Treks</title>
    
    
    <description>Your favorite source of silliness</description>
    
    <link>https://talsk.github.io/</link>
    <atom:link href="https://talsk.github.io/feed.xml" rel="self" type="application/rss+xml" />
    
    
      <item>
        <title>Breaking Pokémon Go Anti-Cheating System - Part 2</title>
        <description>
          Overcoming Niantic&apos;s Anti Cheating Mechanism - 
          Recall Last we left off, I had successfully built a working Pokémon Scanner, having understood the internals of the Pokémon Go protocol: the app communicates using client-server protobuf remote procedure calls, sending a container of multiple request types at once. One specific request type numbered 106 - GET_MAP_OBJECTS - retrieves a list of Pokémon around a specific location by its S2 cell identifier. The scanner worked well for a couple of days, and I enjoyed the fruits of my labor (increasing the number of unique Pokémon I discovered by an order of magnitude). However, one quiet Wednesday evening, I started...
        </description>
        <pubDate>Sat, 09 Aug 2025 07:30:34 +0000</pubDate>
        <link>https://talsk.github.io/2025/08/09/Hacking-Pokemon-Go-2.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2025/08/09/Hacking-Pokemon-Go-2.html</guid>
      </item>
    
      <item>
        <title>AppSec IL 2025 CTF - Writeup</title>
        <description>
          A writeup on all challenges I solved in the 2025 OWASP CTF - 
          This year’s AppSec IL 2025 had a CTF accompanying it during the 3 days before the event. I participated alone (hence why my team was “Loner”), and ended up placing 4th! Much better results than I expected. You might notice that in the writeup I have 12 solved challenges whereas in the event I have 11 - that’s because I solved the last one just about when the event ended and it didn’t count :( All because of a silly mistake in the C++ code. I blame Claude. Also on that note - this time around I heavily used ChatGPT,...
        </description>
        <pubDate>Wed, 04 Jun 2025 07:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2025/06/04/appsecil2025-writeup.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2025/06/04/appsecil2025-writeup.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP5C03</title>
        <description>
          Episode 005 - Challenge 03 - The Final Challenge - 
          I’m on the final challenge of the CTF! And what a wild ride it has been. But, before celebration begins, there’s still one puzzle left to solve. In this challenge, I got…Nothing? No link, no files to download, just a flavor text and a hint: Look back at all the episodes and piece together a secret message. Hint: This code isn’t data but it could have prevented Aurora. Introductions are important. Okay. The first thought was that I need to somehow combine things from previous challenges. Maybe the flags? But it’s so uncommon to see such a thing in CTFs…...
        </description>
        <pubDate>Mon, 09 Dec 2024 07:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/12/09/hacking_google_ep005_challenge_03.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/12/09/hacking_google_ep005_challenge_03.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP5C02</title>
        <description>
          Episode 005 - Challenge 02 - Cryptography is Easy, I swear! - 
          The second exercise of the last episode features a fun little “Chrome-is-offline” game of the Project Zero team capturing bugs (and avoiding walls, I wonder if there’s an analogy there) at https://pzero-adventures-web.h4ck.ctfcompetition.com/. Bug hunting game! Once the game is over, and your score is high enough, the website presents an option to be added to the high scores and then displays that page until refresh. I looked at the network traffic after this process and found the following requests: POST to /api/sign with the parameters name and score. The response is some hex-encoded value. POST to /api/highscores with the parameters...
        </description>
        <pubDate>Wed, 27 Nov 2024 08:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/11/27/hacking_google_ep005_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/11/27/hacking_google_ep005_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP5C01</title>
        <description>
          Episode 005 - Challenge 01 - A Blast From the 90s - 
          It’s episode 5, baby! This is the last one on this CTF, and what a road it has been so far! But, there are still (at least) 3 challenges left. First, as I learned the hard way previously, you have to watch this episode’s video. This time, we’re covering a very cool team in Google - Project Zero! This team is in charge of making the internet a safer place, by allowing some of the most talented vulnerability researchers in the world to catch zero days and fix them before bad actors can. Nothing stood out in the video. There...
        </description>
        <pubDate>Wed, 20 Nov 2024 06:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/11/20/hacking_google_ep005_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/11/20/hacking_google_ep005_challenge_01.html</guid>
      </item>
    
      <item>
        <title>Tal&apos;s DEF CON 32 Solo Watch Party</title>
        <description>
          Grab your popcorn, it&apos;s going to be good! - 
          Intro(spective) In the past two weeks, right after DEFCON uploaded the videos for this year’s talks, I decided to not procrastinate as I usually do. Instead, I sat down, watched the talks, and made a short summary of each. I believed (and still strongly do) that it’s a sure way to embed the unique ideas and techniques presented into my head. Well, writing things is something I’ve always done—the hard part for me is posting them online. So, I decided this time I’ll tackle this by posting the summaries over LinkedIn and other networks. Easier said than done. Limiting the...
        </description>
        <pubDate>Wed, 13 Nov 2024 08:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/11/13/DEFCON-32-Solo-Watch-Party.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/11/13/DEFCON-32-Solo-Watch-Party.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP4C03</title>
        <description>
          Episode 004 - Challenge 03 - Git Good - 
          Wrapping up this episode’s challenges, in this one I get a hint: Look around the site to find out how to contribute. This made me remember that, while reviewing the code during the challenge, there was this following handler: app.get(&apos;/contributing&apos;, authenticate, adminsOnly, function (req, res, next) { return res.render(&apos;contributing&apos;, { user: req.user }) }) It serves a contribution page, which the hint alludes to. However, it has the adminsOnly option which means that the code validates I’m logged in as an administrator user. Luckily, at the end of the previous challenge, I successfully managed to hack my way into the...
        </description>
        <pubDate>Sat, 19 Oct 2024 07:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/10/19/hacking_google_ep004_challenge_03.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/10/19/hacking_google_ep004_challenge_03.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP4C02</title>
        <description>
          Episode 004 - Challenge 02 - Custom Auth Carelessness - 
          So as described in the previous challenge, I actually solved this one beforehand, and it’s pretty short and sweet. Clicking on the challenge link, it downloads a compressed folder containing an implementation of the server running at vrp-website-web.h4ck.ctfcompetition.com, however it doesn’t include the /import and /export endpoints. It does contain the rest of the pages, however, as well as the login functionality. The hint of this challenge also directs to this functionality as it pushes me to Try logging in as tin. Before checking out the source code, now that I have a valid username, I went to the login...
        </description>
        <pubDate>Sat, 12 Oct 2024 08:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/10/12/hacking_google_ep004_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/10/12/hacking_google_ep004_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP4C01</title>
        <description>
          Episode 004 - Challenge 01 - When Write becomes Read - 
          Starting off episode 4, I learned from past mistakes and paid a bit more attention to the video. This time, it covers Google’s bug bounty program - an effort to pay white-hat hackers to catch the vulnerabilities before the bad guys do. In the episode’s intro, there’s a hint I made sure to not miss: “Eduardo has the URL, but look through the frames to find the password.” Hint: https://storage.googleapis.com/gctf-h4ck-2022-attachments-project/google.png The video starts with a reference to Donald Knuth, a prominent figure in the area of theoretical computer science. Famously, when he published a book, he offered to pay a...
        </description>
        <pubDate>Wed, 09 Oct 2024 06:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/10/09/hacking_google_ep004_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/10/09/hacking_google_ep004_challenge_01.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP3C03</title>
        <description>
          Episode 003 - Challenge 03 - Android Corgis - 
          Aaaand we’re back to zipped challenges. This time, it’s an image and an apk file. The image is a…QR code? Pretty QR Code It’s one of the cooler-looking ones - QR codes are robust enough that even a large amount of noise won’t affect their usability. Anyway, I scanned it with my phone and landed on this website: Surprising Corgi Pixel-art A corgi! Very cute webpage indeed. Is there anything on it? Searching for links and inspecting the source I found nothing interesting. However, the URL is also interesting, I guess, since it was embedded in the QR: https://corgis-web.h4ck.ctfcompetition.com/aHR0cHM6Ly9jb3JnaXMtd2ViLmg0Y2suY3RmY29tcGV0aXRpb24uY29tL2NvcmdpP0RPQ0lEPWZsYWcmX21hYz1kZWQwOWZmMTUyOGYyOTgwMGIxZTczM2U2MjA4ZWEzNjI2NjZiOWVlYjVmNDBjMjY0ZmM1ZmIxOWRhYTM2OTM5 The...
        </description>
        <pubDate>Thu, 03 Oct 2024 07:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/10/03/hacking_google_ep003_challenge_03.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/10/03/hacking_google_ep003_challenge_03.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP3C02</title>
        <description>
          Episode 003 - Challenge 02 - Breaking Out on an Adventure - 
          In this challenge - yet again another domain to socat to: shell-sprinter.h4ck.ctfcompetition.com. On connection, my terminal is cleared entirely and a nice ASCII art displaying Shell Sprinter is displayed. Pressing enter, a short story that feels like a text adventure telling me I have to escape. Alright… Shell Sprinter intro screen Text Adventure? And the screen changes to some sort of map. Energy Level is “Fine”, There’s an inventory, a scape_986e080b at the top, and a part of the map at the bottom. Up-down-left-right? Yeah, that works. I’m a little @ moving around. Looks like I’m discovering the map when...
        </description>
        <pubDate>Fri, 27 Sep 2024 08:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/27/hacking_google_ep003_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/27/hacking_google_ep003_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP3C01</title>
        <description>
          Episode 003 - Challenge 01 - Feelin&apos; Right At Home - 
          Welcome to Episode 3! The first challenge has a socat command again, to a different domain - multivision.h4ck.ctfcompetition.com. This time, the challenge hint says: Find the key, and put RFC 6749 to use. So I don’t know many RFC numbers, but this one I could identify even if I was woken up in the middle of the night - this is OAuth 2.0! As CTF challenges go, this is very surprising. Feels like playing on home turf. I ran the socat command. The server replied with: == proof-of-work: disabled == Password: I tried some random passwords, all resulted in the...
        </description>
        <pubDate>Wed, 25 Sep 2024 12:06:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/25/hacking_google_ep003_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/25/hacking_google_ep003_challenge_01.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP2C03</title>
        <description>
          Episode 002 - Challenge 03 - I Shell Break Free - 
          In this challenge, there was no link to a website or to download anything. Instead, there’s a simple command - socat FILE:`tty`,raw,echo=0 TCP:quarantine-shell.h4ck.ctfcompetition.com:1337 socat is a tool allowing for opening simple two-way relays. In this case, the command will open a relay between the local terminal to the external server at quarantine-shell.h4ck.ctfcompetition.com:1337 via TCP. Upon running this, I get a nice welcome message: That&apos;s a long time to be stuck at home Running a simple ls command prints out the following: command blocked: ls check completions to see available commands In fact, almost anything I try to run prints out...
        </description>
        <pubDate>Mon, 23 Sep 2024 13:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/23/hacking_google_ep002_challenge_03.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/23/hacking_google_ep002_challenge_03.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP2C02</title>
        <description>
          Episode 002 - Challenge 02 - Timesketch Doesn&apos;t Like WSL - 
          Well…That was a weird one - kind of solved it before I even started writing a log. Let’s go through my steps - downloading the file, I got a compressed file containing a Readme.md and a CTF CSV-EASY-final.csv files. The csv is not too large but not too small (1.6mb), so I opened the Readme first. It contains a short story about a fictional company detecting a compromised machine and collecting logs from it. My job is to sift through them, follow the malicious actor’s footsteps, and discover the flag. The file also contains a walkthrough on installing Timesketch. I’m...
        </description>
        <pubDate>Sat, 21 Sep 2024 11:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/21/hacking_google_ep002_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/21/hacking_google_ep002_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP2C01</title>
        <description>
          Episode 002 - Challenge 01 - Gaming Images - 
          After beating Episode 1, I’ve been pretty pumped to see what comes next. The difficulty curve of this CTF so far is pretty unexpected. Some challenges I feel are straightforward, whereas others are quite difficult or simply have pretty obscure solutions. Anyway, the next episode’s video is all about threat analysis, following the attacker’s steps in the network. Let’s see what challenges are thrown my way. The challenge file is, yet again, a zip folder, with a hashed name. Inside is a single image. Opening it, and the logo of the H4CK1NG G00GL3 CTF stares back at me. It looks...
        </description>
        <pubDate>Thu, 12 Sep 2024 09:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/12/hacking_google_ep002_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/12/hacking_google_ep002_challenge_01.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP1C03</title>
        <description>
          Episode 001 - Challenge 03 - Serializing Chess - 
          Clicking on the next challenge, I was welcomed by a familiar sight - it’s the same matrix chess game from the first challenge of the first episode! I noticed that this time, however, there’s no “Master Login” button on the bottom of the page. Looking at the page’s HTML, not much has changed. The load_baseboard Javascript function is still there. Let’s try to use it again to access the .php files. function load_baseboard() { const url = &quot;load_board.php&quot; let xhr = new XMLHttpRequest() const formData = new FormData(); formData.append(&apos;filename&apos;, &apos;baseboard.fen&apos;) xhr.open(&apos;POST&apos;, url, true) xhr.send(formData); window.location.href = &quot;index.php&quot;; } I made...
        </description>
        <pubDate>Sun, 08 Sep 2024 09:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/09/08/hacking_google_ep001_challenge_03.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/09/08/hacking_google_ep001_challenge_03.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP1C02</title>
        <description>
          Episode 001 - Challenge 02 - 10 Seconds to Killswitch - 
          Downloading the next challenge, I got a file with a long name again a5eecbd1dc5ad07e38b062cdabfb3e63da36847e727fa666903f9dc1094e24160d68d0ed95378102ae20c7bca84f3638825c4433833b08886f918b7fa90fec56. The file utility claims that it’s a zip. Unzipping and I have an executable named wannacry. Very similar to the previous challenge so far. Opened it in IDA. This time, it’s a much smaller binary - about 16 functions with debug info again leaking the functions’ names. I decided to run strings on the executable. It printed out a LOT of valid-looking strings, about a thousand valid single-word strings. Huh. Among them I spotted https://wannacry-killswitch-dot-gweb-h4ck1ng-g00gl3.uc.r.appspot.com// which is a slightly different appspot subdomain than the one...
        </description>
        <pubDate>Mon, 26 Aug 2024 12:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/08/26/hacking_google_ep001_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/08/26/hacking_google_ep001_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP1C01</title>
        <description>
          Episode 001 - Challenge 01 - Brute-force Decryption - 
          So I’ve passed the first episode (and got a token with my name in reward!). I watched the chapter’s video (very well produced, by the way), and I expect some reverse engineering efforts. Anyway, let’s dig in. Clicking on the challenge downloads a file with a really long name cec5317acaa111092eef6da3df8e260dccd69ce8b17aa445a26a7a6771f972301ac3ff20108cf86aa868da1463e486347114e0456ba5b5ca2a3a399f69391e76. As should be the norm for unknown files, running the file utility on them almost always helps. tal@Tal:~$ file cec5317acaa111092eef6da3df8e260dccd69ce8b17aa445a26a7a6771f972301ac3ff20108cf86aa868da1463e486347114e0456ba5b5ca2a3a399f69391e76 cec5317acaa111092eef6da3df8e260dccd69ce8b17aa445a26a7a6771f972301ac3ff20108cf86aa868da1463e486347114e0456ba5b5ca2a3a399f69391e76: Zip archive data, at least v2.0 to extract, compression method=store Alright. Let’s open it. Within the zip is another tar-gzip file which I also decompressed (tar -xvf challenge.tar.gz) which...
        </description>
        <pubDate>Sun, 25 Aug 2024 12:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/08/25/hacking_google_ep001_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/08/25/hacking_google_ep001_challenge_01.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP0C02</title>
        <description>
          Episode 000 - Challenge 02 - Operation Aurora - 
          Initial Search Opening the challenge, it’s a simple webpage that has some predefined files to choose from and a search term, which defaults to aurora. Inspecting the source code, I saw that the Javascript blocks search terms under 4 characters. Gotta verify that this check happens on server-side too later. The list of file names is not really verified, so that potentially means I can access any file on the system - another LFI? At the end of the HTML, there’s a commented out &amp;lt;!-- /src.txt --&amp;gt;. Maybe a clue for a specific file to search for? Default term -...
        </description>
        <pubDate>Sat, 24 Aug 2024 12:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/08/24/hacking_google_ep000_challenge_02.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/08/24/hacking_google_ep000_challenge_02.html</guid>
      </item>
    
      <item>
        <title>H4CK1NG G00GL3 - EP0C01</title>
        <description>
          Episode 000 - Challenge 01 - Playing Chess - 
          A web site with some cool matrix-looking chess. Let’s try to play a little. I progressed well, even captured the queen and had the upper position. But then all the enemy peons turned into queens. What??? Lost :( Let’s play around. Clicking START doesn’t work. It does navigate me to index.php which tells me it’s PHP. Reset my PHPSESSID cookie to reset the board. Clicking on any piece sends a GET to index.php with the parameter move_start={cell}, possibly so that the server correctly shows the available moves. Moving a piece will then send another GET parameter: move_end=YToyOntpOjA7czoyOiJkMiI7aToxO3M6MjoiZDQiO30=. Interesting, it’s a...
        </description>
        <pubDate>Fri, 23 Aug 2024 13:05:34 +0000</pubDate>
        <link>https://talsk.github.io/2024/08/23/hacking_google_ep000_challenge_01.html</link>
        <guid isPermaLink="true">https://talsk.github.io/2024/08/23/hacking_google_ep000_challenge_01.html</guid>
      </item>
    
  </channel>
</rss>