[DEF CON 2017 Quals] pwnable and reverse writeups

Categories CTF

DEFCON is over, We ranked 20th in this CTF(in last year we ranked 49th), it’s time to do the write-ups and do some summary.

I solved the following 6 challenges in this CTF:

  1. Baby’s first — smash(pwnable)
  2. leo(pwnable)
  3. mute(pwnable)
  4. insanity(pwnable)
  5. pepperidge_farm(reverse)
  6. magic(crask2000)


vul: stack overflow

exploit: ROP + shellcode executing execve(“/bin/sh”,[“/bin/sh”,NULL],NULL)


vul: stack overflow,  the program download some shellcode and decrypt it, then it checks input pattern, if our input does not match any pattern, it will execute execute the shellcode. our input will be write to the stack. which cause’s an overflow.

exploit: ROP to execute system(“/bin/sh”)


the program first drops most of the syscalls including “write” using seccomp, after setting the seccomp fileter the program accept a long shellcode and execute the shellcode.

exploit: side channel attack to brute force the flag one byte at a time. if our guess is right, let the program go into an infinite loop, other wise let it die.


reversing: input is zlib decompressed, transformed and passed to the sphinx speech recognition tool. if the recognized text is in “insanity”*n + “insane” format, we can write a byte chr(n) into the stack, which will be later interpreted as opcodes.

the interpreter allow as to read and write stack space, so the exploit is very easy: overwrite the return address to execute system(“/bin/sh”)


this is a vm reverse challenge written in VMNDH, we have a built-in debugger in the emulater which support disassembly. So we just execute and watch the trace, from the trace I found some pattern, which allow me to infer the input length, than input is checked to satisfy the following function:

Then I solved it using angr.


This is a easy task which contains 200 program, I solved it with angr.

No Comments

Leave a Reply