saarsec

The ASIS 2018 Finals had some awesome challenges. One of them is the Android reversing and web challenge Gunshop. It was a lot of fun to use ARTist, an Android instrumentation framework, to leak the AES key, intercept https traffic and bypass custom certificate pinning.

Read more

We only managed to exploit the easy flaw in the CTF itself, but could not go after. Finally, we found the second bug and managed to build an exploit.

Read more

This service was once again one of those where it took us too long to write the exploits.

Read more