[0ctf 2017] uploadcenter knote pwnable write-up

Categories CTF

0ctf ended a week ago. We (NeSE) finished 6th out of 908 teams. During the game I looked at two pwnable challenges, knote and uploadcenter; I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and the race condition in knote, and the info leak and the mismatch between the mmap and munmap sizes in uploadcenter, but I did not come up with the thread-stack UAF exploit. So I wrote this article to record what I thought were the most fun parts of these challenges.

Continue reading “[0ctf 2017] uploadcenter knote pwnable write-up”

[UCSB iCTF 2017] pokemon(type: pwn) write-ups

Categories CTF

This was an interesting challenge in UCSB iCTF 2017, and we had a lot of fun with it. But by the time we finished the exploit, the game server, including the scoreboard, had gone down before the end of the game.

This write-up covers only a local exploit. One of my teammates improved it to achieve arbitrary file read and get the flag. It is a pity we could not actually get a real flag during the game.

Continue reading “[UCSB iCTF 2017] pokemon(type: pwn) write-ups”

ISCC 2016 mobile 500 GREEN

Categories CTF

The first stage of ISCC has come to an end. The mobile challenges were interesting, especially GREEN: it is full of pitfalls, and one careless step leads to a wrong result.

Overall, this challenge really tests reversing skill and the player's patience. The main points it examines are:

  1. Debugging an Android .so [reference]
  2. The Android broadcast mechanism
  3. Anti-emulator checks and how to bypass them
  4. Simple anti-debugging
  5. Identifying the LZO compression algorithm
  6. Identifying the CRC32 checksum algorithm
  7. Extracting the coefficients of a system of equations from the loop-structured code
  8. Solving the system of linear equations

Continue reading “ISCC 2016 mobile 500 GREEN”

DEFCON 2016 CTF Quals pwnable banker writeup

Categories CTF

Banker is a big statically linked executable:

After about 8 hours (too slow) of painful reversing of the ELF, which contains 965 functions, I understood what the server does and found two vulnerabilities:

Continue reading “DEFCON 2016 CTF Quals pwnable banker writeup”

0ctf 2016 writeup for VM challenge(reverse 7 pts)

Categories CTF

This is a write-up for the 0ctf 2016 quals “VM” reverse challenge worth 7 points.

Solving this challenge consists of three phases:

  1. Find the location of the input-check algorithm
  2. Reverse the input transform algorithm
  3. Profit

I spent far too long on the second phase. The function is flattened into one big switch statement and contains many goto instructions, which makes it hard to reverse statically. So we used dynamic analysis and black-box analysis instead: by making a few assumptions about the transform pattern, we could recover the algorithm without understanding the assembly or the decompiled code.

Continue reading “0ctf 2016 writeup for VM challenge(reverse 7 pts)”