Introduction
This challenge is much easier than the VM escape challenge in SECCON 2017. It emulates a subset of simple CPU operations.
Read More »
This challenge gives a simplified model of a virtual machine that emulates CPU operations and a mapped IO. Beginning with this challenge, I plan to give a series of write-ups on virtual machine escape. This post is completely based on [1].
Read More »
Finally back from the Spring Festival vacation. Since I think Readme-revenge is not a typical example of a ROP attack, I think I can use the easiest challenge in CodeGate 2018 to demonstrate the usage of ROP attacks.
Read More »
This post gives a write-up on Blinkroot in HITCON 2015 and uses this challenge to demonstrate the return-to-dl_resolve method in glibc.
Read More »
In this post, I want to give an example on how implicit malloc in printf can be applied to CTF challenges.
Read More »
I took a weekend to read the write-up given by 217 [1]. I think their solution, which is based on House of Lore, is amazing. Therefore, I decided to write a new write-up on DEMOSCENEDB in CodeBlue CTF 2017 and demonstrate the usage of House of Lore again.
According to the post of the challenge author [2], this challenge is supposed to be solved via House of Mind. However, 217 gave a solution based on House of Lore that includes many exploitation tricks, e.g. dl_open. In this post I will just mention the tricks given above and give detailed tutorials later.
The exploit given in this post is completely based on the exploit of 217. The main work of this post is to rewrite the exploit in Python with some debugging info and to provide more details about the exploitation procedure.
So fucking interesting is heap exploitation.
Read More »
Since I was trying to make an extra tutorial on House of Lore exploitation technique recently and found this challenge in SECCON last year, I decided to use this challenge to demonstrate the usage of House of Lore.
The binary of this challenge is a bit complicated, so I will first introduce the workflow of this challenge and then explain how to develop the exploit.
Read More »
I failed to solve this challenge during the contest. There is a simple buffer overflow vulnerability in this challenge that triggers control flow hijacking, but I spent a lot of time searching for ROP gadgets in the binary. After reading [1], I know I was too naive.
Read More »
This is the only challenge I solved in 34C3 CTF. There is a Use-After-Free vulnerability in the program. The biggest trouble for me in this challenge was how to set up the testing environment for libc-2.26 and learn something new about Thread Cache malloc.
Read More »
Due to some personal stuff on Christmas day, I did not solve this challenge during the contest. But I solved it last night and decided to post my solution here. I am 100% sure that my solution is tedious and complicated. In future I may find a better solution.
Read More »