As the official write-up by f00l stated, there is a data race between put_jar() and get_jar(), and the attack window is pretty large thanks to the lock_mutex in both functions. Continue reading “[TCTF 2017 final] cred_jar (linux kernel driver pwn) write-up”
DEFCON is over. We ranked 20th in this CTF (last year we ranked 49th), so it's time to do the write-ups and some summary.
I solved the following 6 challenges in this CTF:
- Baby’s first — smash(pwnable)
0ctf has been over for a week. We (NeSE) ranked 6th/908 in the end. During the game I looked at two pwnable challenges: knote and uploadcenter. I spent more than 16 hours on uploadcenter and 14 hours on knote. I found the info leak and the race condition in knote, and the info leak and the mismatch between mmap and munmap sizes in uploadcenter, but I did not come up with the thread stack UAF exploit. So I wrote this article to write down what I thought was the most fun part of these challenges.
This is an interesting challenge from UCSB iCTF 2017, and we had a lot of fun with it. But when we finished the exploit, the game server, including the scoreboard, went down before the end.
This write-up covers only a local exploit. One of my teammates improved it to achieve arbitrary file read and get the flag. It's a pity we could not actually get a real flag during the game.
Banker is a big statically linked executable:
root@ubuntu-test:~/defcon/banker# file banker
banker: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped
root@ubuntu-test:~/defcon/banker# ls banker -lh
-rwxr-xr-x 1 root root 726K May 20 16:38 banker
root@ubuntu-test:~/defcon/banker# checksec banker
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE
After the pain of reversing the ELF, which contains 965 functions, for about 8 hours (too slow)… I understood what the server was doing and found two vulnerabilities: Continue reading “DEFCON 2016 CTF Quals pwnable banker writeup”
This is the pwn challenge from the SSCTF final. It is a good example of hijacking the length field of a structure to obtain arbitrary read and write primitives: once the length the accessors trust is larger than the real backing storage, every "bounds-checked" access past the end goes through. It also provides a playground to practice heap feng shui. Continue reading “SSCTF 2016 final pwn writeup”
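The primitive described above, as an added example that is not part of the original write-up and does not model the actual SSCTF binary: a constructed, heap-like layout in which an unchecked copy into a neighbouring buffer overwrites a structure's length field, after which accessors that trust only that field read and write past the real storage. The struct names, the layout (`name` directly before `n.len`), and the `secret` contents are assumptions for the demo; the hardened accessor shows the check a practitioner would want, bounding against the real capacity rather than a field an overflow can reach.

```c
/* Added example, not code from the SSCTF challenge or its write-up: a minimal
 * model of turning a corrupted length field into out-of-bounds read/write.
 * Layout, names and the "secret" contents are all constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct note {
    size_t len;               /* bytes the accessors trust as valid */
    unsigned char data[16];   /* the real backing storage */
};

/* Simulated heap neighbourhood (assumed layout): `name` sits directly before
 * the note, so an unchecked write into `name` spills into `n.len` first, and
 * `secret` stands in for whatever memory lies past the note. */
struct arena {
    char name[8];
    struct note n;
    unsigned char secret[32];
};

static struct arena g;

static void reset(void)
{
    memset(&g, 0, sizeof g);
    g.n.len = sizeof g.n.data;                 /* honest length */
    memcpy(g.secret, "FLAG{constructed}", 17); /* constructed target data */
}

/* Vulnerable: copies an attacker-chosen number of bytes into an 8-byte field. */
static void set_name(const void *src, size_t srclen)
{
    memcpy(g.name, src, srclen);
}

/* Checked against n.len only; correct exactly as long as n.len is honest. */
static int read_note(size_t idx, unsigned char *out)
{
    unsigned char *p = g.n.data;
    if (idx >= g.n.len)
        return -1;
    *out = p[idx];
    return 0;
}

static int write_note(size_t idx, unsigned char v)
{
    unsigned char *p = g.n.data;
    if (idx >= g.n.len)
        return -1;
    p[idx] = v;
    return 0;
}

/* Hardened: the capacity is a compile-time fact, not a field in memory. */
static int read_note_hardened(size_t idx, unsigned char *out)
{
    if (idx >= sizeof g.n.data || idx >= g.n.len)
        return -1;
    *out = g.n.data[idx];
    return 0;
}

/* Returns the byte at note offset idx, or -1 if the accessor rejected it. */
static int probe(int (*rd)(size_t, unsigned char *), size_t idx)
{
    unsigned char b;
    return rd(idx, &b) == 0 ? (int)b : -1;
}

/* Overflow `name` by sizeof(size_t) bytes of 0xff so that n.len becomes
 * SIZE_MAX; returns 1 when the layout assumption holds and the hijack worked. */
static int hijack_len(void)
{
    unsigned char payload[8 + sizeof(size_t)];
    memset(payload, 'A', 8);
    memset(payload + 8, 0xff, sizeof(size_t));
    set_name(payload, sizeof payload);
    return offsetof(struct arena, n) == 8 && g.n.len == SIZE_MAX;
}

int main(void)
{
    reset();
    printf("before hijack: probe(19) = %d\n", probe(read_note, 19));
    hijack_len();
    /* data[16] is the first byte of `secret`, so offset 19 is secret[3]. */
    printf("after hijack : probe(19) = %c\n", probe(read_note, 19));
    write_note(16, 'X');
    printf("after hijack : secret[0] = %c\n", g.secret[0]);
    printf("hardened accessor still rejects: %d\n", probe(read_note_hardened, 19));
    return 0;
}
```

The point of the model is that the length check itself never changes: the attacker only changes the value it compares against. Any structure whose bounds live next to attacker-writable memory needs either a capacity the code knows independently (as in `read_note_hardened`) or a check that the stored length cannot exceed that capacity before it is trusted.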
This is a write-up for the 0ctf 2016 quals “VM” reverse challenge worth 7 points.
The main process of solving this challenge consists of 3 phases:
- Find the location of input check algorithm
- Reverse input transform algorithm
I wasted much of my life in the second phase. This function is flattened into a big switch structure and contains a lot of goto instructions. It's hard to reverse such a function statically, so we used dynamic analysis and black-box analysis: we made a few assumptions about the transform pattern, and we could reverse the algorithm without understanding the assembly or decompiled code.
Three vulnerabilities: 1. heap overflow 2. double free 3. arbitrary memory read. Continue reading “RCTF pwn400 shaxian writeup”
VolgaCTF is over and I wrote this short writeup for later reference. Continue reading “VolgaCTF short writeup(interstellar, tiny_bash, mathproblem, pwnie)”