02 May 2012

Plaid CTF 2012 – Bunyan

We found a simple web application that robots made to serve tmp files for debugging purposes. SSH into the machine as your_user@174.129.69.147 and exploit the web app to read their secret.
Title: Bunyan (200)
Category: Pwnables

The challenge consists of a web server written in Go.

09 Jan 2012

GitS teaser 2012 – hackquest

This challenge is a remote exploitation challenge in a text-based adventure game. The game binary is quite complicated for a C program, using a bunch of structs and unions to store the game data. The bug which can be exploited is not one of the standard memory corruption bugs, but is instead an error in the way the game logic deals with these structures.

Here’s how we found the bug, and how we exploited it.


09 Oct 2011

Secuinside 2011 CTF – Challenge 11

Challenge #11 consists of two binaries, chal1 and chal2. As if exploiting one binary wasn’t worth any points!

chal1

The vulnerability

Chal1 is an NX-protected x86-64 binary with fixed addresses for libc and ASLR for the stack. It suffers from a strcpy() vulnerability: a string is copied from argv[3] to a fixed-size buffer. But not before we overcome the fact that the binary exits when there are *any* arguments at all. Luckily, when there are 0 elements in argv, argv[3] points to envp[2].

While the convention for environment variables is “VARNAME=value”, the kernel does not enforce it; it just copies NULL-terminated strings. This means we can put any binary data on the top of the process’ stack, encoding the NULL bytes by just starting another string.