Web Crypto

More was written about this in the CTF course, but long story short:

  • Don't try to decrypt HTTPS traffic
  • If the challenge says there is custom crypto, it's probably the thing you are supposed to attack
    • Especially if the crypto is implemented using client side javascript
  • Most things are base64'd in web
  • URL encoding goes in the URL

HTTPs

I already said it, but I will say it again. If you are looking at a web challenge in Wireshark and trying to break the protocol, things have gone wrong. Look at the Network tab in Chrome Dev Tools, but don't try to break actual encryption. Luckily, there is bad crypto for you to be aware of, and unencrypted traffic using HTTP.

Basic Access Authentication

Basic access authentication is a method for an HTTP user agent (e.g. a web browser) to provide a user name and password when making a request. In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic , where credentials is the Base64 encoding of ID and password joined by a single colon :

Digest Access Authentication

Applies a hash function to the username and password before sending them over the network. If this is properly setup you won't break it.

Anything else using HTTPS is going to not be breakable.

Hoppers Roppers 2024            Date: 2024-02-25 22:05:39

results matching ""

    No results matching ""