MiniCTF Security WS 2020/2021

Unintended session sharing

Minecraft is not needed in order to solve this challenge.

Florian has been hosting his own Minecraft server for almost a decade. To host the server online even though there is no user authentication in Minecraft, Florian implemented his own security system. This system forces people who want to play on his server to log in to his website before they can join the Minecraft server.

Recently, Florian noticed that someone is stealing diamonds from his base. He set up a special script to ensure that the security mechanisms are always in place and also changed something in the way sessions are handled.

We, the security-hazards, are sure that he messed something up. Since we are annoyed by him leaving his users so unprotected, we offer you all the diamonds Florian has if you manage to disable the security system for his account.

We will surely not burn down his house...

Floriware Minecraft
Monday, 1 February 2021


We are taking part in a MiniCTF with Floriware Minecraft. For this purpose, the website was intentionally equipped with a security vulnerability, which students of the Security lecture at Saarland University are meant to exploit in order to reach a hidden flag. For this reason, the Minecraft server is currently unreachable and all regular user accounts have been removed.