[0ctf 2017] uploadcenter knote pwnable write-up

Categories CTF

0ctf has been over for a week. We (NeSE) ranked 6th/908 in the end. During the game, I looked at two pwnable challenges: knote and uploadcenter. I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and race condition in knote, and the info leak and mismatch in mmap/munmap size in uploadcenter. But I did not come up with the thread stack UAF exploit. So I wrote this article to write down what I thought was the most fun part of these challenges.


[NJCTF 2017] syscallhelper(pwn 600) write-up

Categories Uncategorized

This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for writing shellcode.

The child process is chroot-jailed. To get the flag outside of the jail, we have to use ptrace to attach to and modify the parent process in order to escape the jail.

There are many ways to exploit the vulnerability, and we chose the following one.

exploit:

  1. Add a syscall with a negative number of registers and hijack the vtable to a stack position.
  2. Input shellcode using the "leave notes" function.
  3. Call the hijacked function pointer.


[UCSB iCTF 2017] pokemon(type: pwn) write-ups

Categories CTF

This is an interesting challenge from UCSB iCTF 2017, and we had a lot of fun with it. But by the time we finished the exploit, the game server, including the scoreboard, had gone down before the end.

This write-up contains only the local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It's a pity we could not actually get a real flag in the game.


ISCC 2016 mobile 500 GREEN

Categories CTF

The first stage of ISCC has come to an end. The Mobile challenges were very interesting, especially GREEN, which has many pitfalls, and one careless step leads to a wrong result.

Overall, this challenge really tests reversing ability and the contestant's patience. The main points it examines are:

  1. Android .so debugging [reference]
  2. The Android broadcast mechanism
  3. Anti-emulator checks and their bypass
  4. Simple anti-debugging
  5. Recognizing the LZO compression algorithm
  6. Recognizing the CRC32 checksum algorithm
  7. Extracting the coefficients of a system of equations from code that has been rolled into loops
  8. Solving a system of linear equations


DEFCON 2016 CTF Quals pwnable banker writeup

Categories CTF

Banker is a big statically linked executable:

After the pain of reversing the ELF, which contains 965 functions, for about 8 hours (too slow)… I was clear about what the server is doing, and two vulnerabilities were found: