[NJCTF 2017] syscallhelper(pwn 600) write-up

This is the most valuable challenge in NJCTF (worth 600 points). It is also good practice for writing shellcode; pwntools provides handy APIs for that.

The child process is chroot-jailed. To read the flag outside the jail, we have to use ptrace to attach to the parent process and modify it so that we escape the jail.

There are many ways to exploit the vulnerability; we chose the following one:

  1. Add a syscall with a negative number of registers and hijack the vtable to point to a stack position.
  2. Input the shellcode using the leave-notes function.
  3. Call the hijacked function pointer.

Teaser CTF 2015 writeup (So easy, power level)

Teaser CTF is launched by Dragon Sector, a Polish security Capture The Flag team. It was created in February 2013 and currently has 13 active members.

I solved two challenges in the first evening (so easy, power level) and tried to solve the pwnable challenge quine on Sunday morning but failed; I found a write-anywhere vulnerability but I didn’t see how to exploit it.

Install ropc (based on BAP 0.4) on Ubuntu 14.04

I wanted to play with ropc and died a little installing it. First we have to install BAP 0.4. To compile BAP, we need to install OCaml 3.12.1 from source (because OCaml 4.0 cannot compile BAP 0.4). Then we need to install Camomile from source (again, the default apt-get Camomile version failed to compile).

add configure.ac:

PS: the following packages should be installed before compiling BAP 0.4.

Another issue is:

It’s such a pain that I ended up installing BAP using opam…