34C3 CTF PWN LFA Write-up

Introduction

I did not take this challenge during the contest. But after reading the write-ups of [1][2][3], I think it's a good chance to learn about Ruby and sandbox escape. According to my test on a local machine, it seems that using one_gadget to get a shell is also feasible. In this post, I will talk about how to trigger the vulnerability and hijack control flow to get a shell in the end.
Since this is my first time writing a Ruby script and also my first time writing a Ruby escape, please forgive my ugly code XOrz.

HITB XCTF 2017 BabyQEMU Write-up

Introduction

This post is completely based on the write-up [1] given by KITCTF. This post will give more details on the I/O functions in the binary, e.g. hitb_dma_timer, hitb_mmio_read and hitb_mmio_write.
Since a single post cannot cover everything involved in this challenge, I will put more focus on the vulnerability analysis and exploit development in this post. More topics about this challenge will be given in my post on QEMU internals.

N1CTF 2018 PWN NULL Write-up

Introduction

Working in the wrong direction means going far away. After reading the write-up in [1], I think this is not a difficult challenge. During the contest, I was hesitating between House of Orange and House of Mind. After reaching a dead end in both solutions, I hoped to find some hints in the title of the challenge. Therefore I turned to this post [2], seeking some possible hints in the file stream on /dev/null. But the result shows that I thought too much about that and I should have started from the easier ones.
I need to record what I thought during the contest and set a reminder for myself.