This is an interesting challenge in UCSB iCTF 2017, we had a lot of fun. But when we finished the exploit, the game server including the scoreboard went down before the end.
This write-up contains only the local exploit. One of my teammates improved it to achieve arbitrary file read to get the flag. It's a pity we could not actually get a real flag in the game.
Continue reading “[UCSB iCTF 2017] pokemon(type: pwn) write-ups”
Banker is a big statically linked executable:
root@ubuntu-test:~/defcon/banker# file banker
banker: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.24, stripped
root@ubuntu-test:~/defcon/banker# ls banker -lh
-rwxr-xr-x 1 root root 726K May 20 16:38 banker
root@ubuntu-test:~/defcon/banker# checksec banker
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE
After the pain of reversing the ELF, which contains 965 functions, for about 8 hours (too slow)… I was clear about what the server is doing and two vulnerabilities were found:
Continue reading “DEFCON 2016 CTF Quals pwnable banker writeup”
1. prodmanager(180 points)
prodmanager is a product management system. After a short investigation of the source code, I found that there is a UAF vulnerability in a doubly linked list. Actually the program did not manage the product list and the lowest price list properly: an item which is freed in the product list is still present in the lowest price list.
Continue reading “Plaid CTF 2015 writeup(prodmanager, clifford, ebp, unknown)”
This is a list of handy gdb commands for reference:
Continue reading “gdb commands”
I participated in Backdoor CTF 2015 and found something very weird: “chmod +x” will change a function’s offset. I will figure this out later.
Continue reading “Backdoor CTF 2015 echo: “chmod +x” will change function’s offset”
I spent several hours on this challenge. The logic of this program is simple and an information leakage vulnerability was discovered, but I was not familiar with malloc’s heap management scheme and failed to exploit this vulnerability.
The vulnerability has its root in the fact that no '\0' was appended to the input note: it’s possible to leak a heap pointer by crafting a string right before the heap pointer. But I didn’t know how at the time; after reading this and this writeup I finally figured out how to do it. This and this also helped a lot in understanding heap exploitation techniques. This article is a record for reference.
Continue reading “0CTF-2015 freenote: playing with malloc library”
The general idea to pwn this toy online store system is as follows: firstly, we need to find a control flow hijack vulnerability, which in this case is a vtable hijack based on a heap buffer overflow; secondly, we bypass all the integrity checks in the program and the memory defenses (e.g. ASLR) to call system("sh") in libc.
Continue reading “BCTF 2015 pwn challenge: zhongguancun”