Introduction

I did not take this challenge during the contest. But after reading the write-up of [1][2][3], I think it’s a good chance to learn about ruby and sandbox escape. According to my test on the local machine, it seems that using one_gadget to get shell is also feasible. In this post, I will talk about how to trigger the vulnerability and hijack control flow to get shell in the end.
Since this is my first time to write ruby script also my first time to write ruby escape, please forgive my ugly code XOrz.
Read More »

Introduction

This is the only challenge I solve during the competition. It only involves some exploitation technique on Fastbin.
Read More »

Introduction

This challenge seems to be the first seen House of Rabbit in CTF competition. This challenge follows the sample code given in [1]. More details on House of Rabbit are given in my previous post House-of-Rabbit.
Read More »

Introduction

This post is partially based on [1] and [2]. In this challenge, it involves a customized memory management and seccomp escape.
Read More »

Introduction

A nice challenge to lead me revisiting the source of libc malloc. Please read my post on A Revisit to Large Bin first before reading this post.
Read More »

Introduction

I take this challenge as a variation of FSOP (File Stream Oriented Programming). The glibc library given in this challenge is already patched with an extra check on the validity of the vtable of fake file stream. Though I have mentioned some bypass techniques in my previous posts, I use so-called vtable reuse attack to finally get the shell.
Read More »

Introduction

This post is completely based on the write-up [1] given by KITCTF. This post will give more details on io function in the binary, e.g. hitb_dma_timer, hitb_mmio_read and hitb_mmio_write.
Since a single post cannot cover everything involved in this challenge. I will put more focus on the vulnerability analysis and exploit development in this post. More topics about this challenge will be given in my post on QEMU internals.
Read More »

Introduction

Working in the wrong direction means going far away. After reading the write-up in [1], I think this is not a difficult challenge. During the contest, I was hesitating between House of Orange and House of Mind. After reaching dead end in both solutions, I hope to seek some hints from the title of the challenge. Therefore I turn to this post [2], seeking some possible hints in file stream on /dev/null. But the result shows that I think too much on that and I should start from the easier ones.
I need to record what I think during the contest and set a reminder for myself.
Read More »

Introduction

It is an easy menu challenge. I thought there may be some security issues with multi-threading in exploitation like race condition. But it seems there is no need on that in this challenge.
Read More »

Introduction

At the first glance of this challenge, I thought it was reverse challenge + menu challenge on pwn. However, I found that it was reverse challenge + shellcode challenge.
Read More »