As the official write-up by f00l stated, there is a data race in put_jar() and get_jar(), and the attack window is pretty large thanks to the lock_mutex in both functions. Continue reading “[TCTF 2017 final] cred_jar (linux kernel driver pwn) write-up”
DEFCON is over. We ranked 20th in this CTF (last year we ranked 49th), so it's time to do the write-ups and some summary.
I solved the following 6 challenges in this CTF:
- Baby’s first — smash (pwnable)
0ctf has been over for a week. We (NeSE) ranked 6th out of 908 in the end. During the game I looked at two pwnable challenges: knote and uploadcenter. I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and the race condition in knote, and the info leak and the mismatched mmap/munmap size in uploadcenter, but I did not come up with the thread-stack UAF exploit. So I wrote this article to write down what I thought was the most fun part of these challenges.
This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for that.
The child process is chroot-jailed; to get the flag outside the jail, we have to use ptrace to attach to the parent process and modify it, escaping the jail through the parent.
There are many ways to exploit the vulnerability, and we chose the following one:
- add a syscall with a negative number of registers and hijack the vtable to a stack position
- input shellcode using the leave-notes function
- call the hijacked function pointer
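The first step above relies on a signed count being used as a table index: a negative number walks backwards out of the handler table into memory the attacker has already filled. The following is an added illustration of that pattern, not code from the challenge or the write-up. The layout is constructed: a small handler table placed right after an attacker-filled scratch buffer, which plays the role of the stack region the write-up points the vtable at, and `attacker_payload` stands in for the shellcode entered through the notes function.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (assumption, not the challenge's real structures):
 * a handler table that sits right after a buffer the attacker fills. */
typedef int (*handler_fn)(void);

struct vm_ctx {
    uintptr_t  scratch[4];  /* attacker-controlled words (e.g. copied syscall arguments) */
    handler_fn vtable[4];   /* legitimate handlers, indexed by syscall number */
};

static int h_exit(void)  { return 0; }
static int h_read(void)  { return 1; }
static int h_write(void) { return 2; }
static int h_open(void)  { return 3; }

/* Stands in for injected shellcode: what the attacker wants executed. */
static int attacker_payload(void) { return 0x1337; }

static void ctx_init(struct vm_ctx *c)
{
    memset(c, 0, sizeof *c);
    c->vtable[0] = h_exit;
    c->vtable[1] = h_read;
    c->vtable[2] = h_write;
    c->vtable[3] = h_open;
}

/* Vulnerable dispatcher: nr is signed and only the upper bound is checked,
 * so nr == -1 reads vtable[-1], which is scratch[3] in this layout. */
int dispatch_vuln(struct vm_ctx *c, int nr)
{
    if (nr >= 4)
        return -1;
    return c->vtable[nr]();
}

/* Hardened dispatcher: the unsigned compare rejects every negative value too. */
int dispatch_safe(struct vm_ctx *c, int nr)
{
    if ((unsigned)nr >= 4)
        return -1;
    return c->vtable[nr]();
}

/* Plant a pointer in the buffer, then trigger the call with a negative number. */
int demo_hijack(void)
{
    struct vm_ctx c;
    ctx_init(&c);
    c.scratch[3] = (uintptr_t)attacker_payload;  /* the "input shellcode" step */
    return dispatch_vuln(&c, -1);                /* 0x1337: attacker code ran */
}

/* Same payload against the hardened dispatcher: the call never happens. */
int demo_hardened(void)
{
    struct vm_ctx c;
    ctx_init(&c);
    c.scratch[3] = (uintptr_t)attacker_payload;
    return dispatch_safe(&c, -1);                /* -1: rejected */
}

/* Sanity check that the hardened version still dispatches valid numbers. */
int demo_valid(void)
{
    struct vm_ctx c;
    ctx_init(&c);
    return dispatch_safe(&c, 2);                 /* 2: h_write ran */
}
```

The fix is the single unsigned comparison: once the index is treated as unsigned, every negative value becomes a huge number and fails the same bound check that already rejects oversized ones. In the real target the table and the controlled buffer are not in one struct, but the arithmetic is identical: a negative index times the pointer size is how far below the table the lookup lands.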
This is an interesting challenge from UCSB iCTF 2017, and we had a lot of fun. But by the time we finished the exploit, the game server, including the scoreboard, had gone down before the end.
This write-up covers only a local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It's a pity we could not actually get a real flag in the game.
Banker is a big statically linked executable:
root@ubuntu-test:~/defcon/banker# file banker
banker: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped
root@ubuntu-test:~/defcon/banker# ls banker -lh
-rwxr-xr-x 1 root root 726K May 20 16:38 banker
root@ubuntu-test:~/defcon/banker# checksec banker
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE
After the pain of reversing the ELF, which contains 965 functions, for about 8 hours (too slow)… I was clear about what the server does, and two vulnerabilities were found: Continue reading “DEFCON 2016 CTF Quals pwnable banker writeup”
This is the pwn challenge from the SSCTF final. It is a good example of hijacking the length field of a structure to achieve arbitrary read and write primitives. It also provides a playground for practicing heap feng shui. Continue reading “SSCTF 2016 final pwn writeup”
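The length-field hijack works because the object's accessors trust that field as their only bound: once it is corrupted, a bounded read or write becomes a relative out-of-bounds one, and reaching the neighbouring object's data pointer turns that into a fully arbitrary read and write. The following is an added illustration of that chain, not code from the challenge or the write-up. The "heap" is a constructed bump allocator over a static arena so that the two note objects and their buffers are adjacent and the layout is deterministic (the real challenge used the glibc heap, and the corruption of `len` came from the challenge's own bug; here it is set directly to show the consequence).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the heap: a bump allocator over a static arena. */
static char   arena[256];
static size_t arena_top;

static void *bump_alloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;           /* 16-byte chunks, like a real allocator */
    if (arena_top + n > sizeof arena)
        return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* The object whose length field gets hijacked (hypothetical layout). */
struct note {
    size_t len;    /* number of bytes the owner may read or write */
    char  *data;   /* buffer of exactly len bytes */
};

struct note *note_new(size_t len)
{
    struct note *n = bump_alloc(sizeof *n);
    char *buf = bump_alloc(len);
    if (!n || !buf)
        return NULL;
    memset(buf, 0, len);
    n->len  = len;
    n->data = buf;
    return n;
}

/* The only accessors. Both trust n->len as the sole bound, so whoever
 * controls len controls how far past data[] they can reach. */
int note_read(const struct note *n, size_t off, void *out, size_t cnt)
{
    if (off > n->len || cnt > n->len - off)
        return -1;
    memcpy(out, n->data + off, cnt);
    return 0;
}

int note_write(struct note *n, size_t off, const void *in, size_t cnt)
{
    if (off > n->len || cnt > n->len - off)
        return -1;
    memcpy(n->data + off, in, cnt);
    return 0;
}

/* Memory nowhere near the arena: the target of the arbitrary write. */
static uint64_t target = 0x4141414141414141ULL;

/* Chain: corrupted len -> relative OOB write into the neighbour's header
 * -> neighbour's data pointer now points anywhere -> arbitrary read/write. */
uint64_t demo_arbitrary_rw(void)
{
    arena_top = 0;
    struct note *a = note_new(16);   /* a's header, then a's 16-byte buffer */
    struct note *b = note_new(16);   /* b's header sits right after a's buffer */
    if (!a || !b)
        return 0;

    a->len = SIZE_MAX;               /* step 0: the bug, emulated directly */

    /* Step 1: relative OOB write from a->data forward into b's data pointer. */
    size_t dist = (size_t)((char *)b - a->data);
    char  *fake = (char *)&target;
    if (note_write(a, dist + offsetof(struct note, data), &fake, sizeof fake) != 0)
        return 0;

    /* Step 2: b now "owns" target. Arbitrary read, then arbitrary write. */
    uint64_t v, nv;
    if (note_read(b, 0, &v, sizeof v) != 0)
        return 0;
    nv = v + 1;
    if (note_write(b, 0, &nv, sizeof nv) != 0)
        return 0;
    return target;                   /* 0x4141414141414142 */
}

/* With an intact len the same offset is rejected: the bound is only as
 * trustworthy as the field it lives in. */
int demo_intact_rejects(void)
{
    arena_top = 0;
    struct note *a = note_new(16);
    struct note *b = note_new(16);
    if (!a || !b)
        return 0;
    size_t dist = (size_t)((char *)b - a->data);
    char  *fake = (char *)&target;
    return note_write(a, dist + offsetof(struct note, data), &fake, sizeof fake);
}
```

The heap feng shui the write-up mentions is what makes step 1 possible on a real allocator: the attacker has to arrange allocations so that the object with the corrupted length is directly followed by one whose pointer field is worth overwriting, which the bump allocator here gives for free.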