Lab 6: Security APIs

Exploiting API vulnerabilities is an offensive technique. Trying it on real systems is against the law and you might be prosecuted. Always run your experiments on test hosts and with test users.

You have access to an HSM API for PIN verification and you have been able to intercept an encrypted PIN block with the corresponding offset and decimalization table:

Encrypted PIN block:  e0cbc26e7c292e25 
Offset:               5493 
Decimalization table: 0123456789012345

Can you recover the plaintext PIN?

The PIN verification API is available in a Docker image, and you can invoke it as follows:

docker run --rm secunive/seclab:hsm e0cbc26e7c292e25 5493 0123456789012345

No hurry! You don’t need to complete the challenge by the end of the class! Take your time … the deadline is 7 December 2022. As usual, send a message on Slack with a description of your solution!