Hacker News new | ask | show | jobs
Stripe CTF Post Mortem: A Would-Be Hacker's Tale (stephenwhitmore.com)
49 points by noffle 5028 days ago
3 comments
kijin 5028 days ago 

    <?php
    echo `cat ../password.txt`;
    ?>
That doesn't look like the work of a very talented hacker. Whatever happened to readfile() ?

The attack could also have been a lot more interesting if .php files were disallowed but short snippets like this could be hidden inside GIF images.

link
apawloski 5028 days ago
Why on earth would a "talented hacker" do anything other than the easiest effective method? If it doesn't work, then just try something else. They certainly wouldn't waste their time trying to hide code snippets in a GIF when you could just upload the above.

In short: the "talented hacker" is the one who compromises your system. The difficulty of execution does not matter if you get owned in the end.

link
Smudge 5028 days ago
> That doesn't look like the work of a very talented hacker.

Why not? Do all talented hackers use 'readfile()'?

link
vasco 5028 days ago
In one of the rounds the attack was exactly that, payload inside a gif
link
Smudge 5028 days ago
Really? Which level was that? I don't recall using such a technique, but maybe there were multiple solutions.
link
mbeattie 5028 days ago
He didn't talk about the last level for some reason.
link
noffle 5028 days ago
The astute reader will also note that Five and Six were also not discussed. From the fourth paragraph, "I will be discussing a subset of the nine challenges".
link
alttag 5028 days ago
Also skips 5 & 6. In a closing paragraph the author mentions the discussed levels were "some of my favourite levels".
link
mcpherrinm 5028 days ago
Perhaps that's the "would-be" part. The portion of people who solved it dropped off fairly heavily for the last level.
link
newnham 5028 days ago
last challenge?
link