Various write-ups from various CTFs,
as a pwner for various teams (Water Paddler, RootMeUpBeforeYouGoGo, etc.)
or alone to practice (Team --> Armitage).
This index is not exhaustive; it mostly lists challenges that have a write-up (there are more challenges in the write-ups/ directory).
Heap Challenges
- 0CTF TCTF 2022 --> babyheap
  seccomp in place, heap overflow due to type confusion, do chunk overlap for a leak, then two tcache poisoning attacks
  code execution via forging a dtor_list table in tls-storage, and erasing the random value at fs:0x30
- DiceCTF HOPE 2022 --> catastrophe
  double free in fastbin, then overwrite the libc strlen GOT entry with the system() address
  code execution when calling the puts() function (which calls strlen...)
- MetaCTF 2021 --> hookless
  double free in delete function, UAF in edit function (usable once), UAF in display() function too
  House of Botcake attack, we overwrite _IO_2_1_stdout_ with the environ address to leak a stack address
  we write a ROP chain directly on the stack to achieve code execution
- vsCTF 2022 --> EZorange
  OOB read/write in edit function, no free available, use the same method as House of Orange to free chunks
  we free two chunks, then do tcache poisoning with the OOB, and overwrite __malloc_hook
- justCTF 2022 --> notes
  fastbin dup attack, then write to __free_hook
- idek CTF 2021 --> stacknotes
  alloca allocates a chunk on the stack depending on size, we forge a fake chunk on the stack, do a House of Spirit attack on it
  then allocate a chunk on the stack with our ROP chain that overwrites the return address
- Tamil CTF 2021 --> University
  overflow in edit because of strlen on a non-null-terminated string, gives us a read/write primitive
  we set tcache.count in tcache_perthread_struct to 7, to make a chunk go to the unsorted bin, to have a libc address leak
  we edit the tcache_entry of the 0x20-size bin to __free_hook
- HSCTF 8 CTF 2021 --> House of sice
  double free vulnerability, using fastbin dup attack, then allocation on __free_hook
- DownUnder CTF 2021 --> DUCTF Note
  int8 overflow in edit function, then write in tcache metadata, then allocation on __free_hook
- DigitalOverdose CTF 2021 --> flavor
  double free vulnerability and UAF, then allocation on __free_hook
- GDG Algiers CTF 2022 --> Notes Keeper
  use a null byte overflow to make a 0x118 chunk go to the 0x20 tcache bin when freed
  then do fastbin dup attack, to finally overwrite __free_hook
- RaR CTF 2021 --> unintended
  heap overflow because of strlen usage, then make overlapping chunks & tcache poisoning
  finally overwrite __free_hook
- IJCTF 2021 --> ezpez
  double free on tcache_head to have an allocation in the unsorted bin, leak libc, double free on stdin to modify the file descriptor and leak the flag
- HSCTF 8 CTF 2021 --> Use after freedom
  unsorted bin attack, overwrite global_max_fast, then overwrite __free_hook
- Tamil CTF 2021* --> Vuln Storage
  code execution after exit
- Imaginary CTF 2022 --> rope
  code execution via overwriting _rtld_global+3848, that is __rtld_lock_lock_recursive (GL(dl_load_lock)), and pivoting in _rtld_global, via gets() and a setcontext gadget
Kernel exploitation challenges
- UTCTF 2022 --> bloat
  use a write primitive in the kernel module to overwrite modprobe_path
SIGROP challenges
FSOP challenges
- SECCON CTF 2022 Quals --> Baby file
  libc-2.31 based FSOP exploitation, _wide_data is NULL and not reachable, we populate pointers first
  then leak libc & the random value at fs:0x30, we forge a mangled onegadget address and have code execution via _cookie_write
- Hack.lu CTF 2022 --> byor
  libc-2.35 based FSOP exploitation, _wide_data points to a NULL chunk, we can overwrite stdout
  code execution via _IO_wfile_underflow, we execute system('/bin/sh'), new standard for FSOP
- FCSC 2022 --> RPG
  heap overflow in a FILE structure, then we use FSOP read/write to overwrite __free_hook
restricted shellcode challenges
- Redpwn CTF 2021 --> gelcode-2
  shellcode with only opcodes from 0 to 5, and a seccomp that forces an open/read/write shellcode
- MetaCTF 2021 --> sequential shellcode
  shellcode where every byte must be bigger than the preceding one
- Maple CTF 2022 --> EBCSIC
  alphanumeric shellcode but restricted to the cp037 charset
- FCSC 2022 --> palindrome
  need to write a palindrome shellcode, that can be read and executed in both directions
- Aero CTF 2021 --> Shell Master 2
  run and execute 16-byte alphanumeric shellcodes
- idek CTF 2021 --> Guardians of the Galaxy
  shellcode that finds a previously left open file descriptor to escape the chroot
- KITCTFCTF 2022 --> movsh
  shellcode composed only of mov and 2 syscalls, with a seccomp that only allows open, read, write, exit syscalls
Format string challenges
- PBjar CTF 2021 --> wallstreet32
  restricted format string with many format chars forbidden, use the trick '%\n' to get a leak (libc-2.31 based)*
- MetaCTF 2021 --> Simple Format Returned
  classical format string, needs bruteforce
- Maple CTF 2022 --> printf
  classical format string, needs bruteforce
- Imaginary CTF 2021 --> inkaphobia
  classical format string, needs bruteforce
- IJCTF 2021 --> baby sum
  simple format string
- FCSC 2022 --> Formatage
  classical format string, needs bruteforce
- DigitalOverdose CTF 2021 --> uncurved
  format string on the heap with a seccomp that forbids execve, and a bit of bruteforce
- Asis CTF Quals 2022* --> Baby Scan II
  abuse a format string in snprintf to have a write-anywhere primitive
  then overwrite the exit GOT entry with _start, then overwrite atoi with printf for leaks
  then overwrite atoi() with system() for code execution
Various ROP challenges (or buffer overflow style)
- MetaCTF 2021 --> An Attempt Was Made
  restricted ROP, execve forbidden, few gadgets (no libcsu_init gadget), use only an add gadget to forge gadgets
- Hayyim CTF 2021 --> warmup
  simple ROP challenge
- Hayyim CTF 2021 --> cooldown
  more restricted ROP challenge
- Fword CTF 2021 --> blacklist revenge
  seccomp in place to forbid execve, no stdout/stderr output, so a mix of ROP + connect-back shellcode
- DefCamp CTF 2022 --> blindsight
  blind remote ROP with no binaries given
- TamuCTF 2022 --> Rop Golf
  restricted ROP with few gadgets
- SunshineCTF 2022 --> [RII] Magic the GatheRIIng
  OOB write on the stack, leak, then onegadget
other architecture based challenges (arm, mips, riscv, etc.)
- LINE CTF 2022 --> simbox (arm)
  ARM challenge based on the GNU simulator 11.2 (with a custom patch), we ROP it and dump the flag
- JustCTF 2022 --> arm (aarch64)
  simple aarch64 exploitation challenge
- HackIM CTF 2022 --> Typical ROP (riscv)
  simple riscv gets() buffer overflow exploitation challenge
Automatic exploit generation challenges
VM Escape challenges
- Fword CTF 2021 --> Peaky and the brain
  funny challenge, a web application written in Python converts an image to the brainfuck language, then executes the brainfuck code
  OOB write on the stack in the brainfuck interpreter, seccomp in place forbids execve, so an open/read/write shellcode translated into brainfuck
- CyberSecurityRumble CTF 2022 --> riscv-jit
  escape from a riscv BSON parser inside a riscv JIT interpreter to a riscv shellcode,
  then escape from the riscv just-in-time interpreter via an OOB write in the rwx zone, and execute x86 shellcode
- CyberSecurityRumble CTF 2020 --> bflol
  OOB read/write in a brainfuck interpreter, we dump our leaks on the stack
  then overwrite the return address with a onegadget
- 404 CTF 2022 --> Changement d'architecture II
  a sort of ARM-lite VM, OOB read/write in register access, which permits overwriting a FILE structure
  then we get code execution via FSOP
- 0CTF TCTF 2022 --> ezvm
  escape a stack-machine type of VM via an OOB write, we leak a heap address via a program logic trick
  then we get execution on exit, by forging a dtors_table in tls-storage and erasing the random value at fs:0x30
- RCTF 2022 --> bfc
  escape a brainfuck recompiler via an OOB read/write underflow on the heap, then do heap exploitation via brainfuck (crazy)
  then we get code execution by overwriting the libc GOT entries of strlen and memcpy, and causing a malloc error
  the malloc error will launch the __libc_message() function, which calls strlen and memcpy
PTRACE related challenges
- Balsn CTF 2022 --> Asian Parents
  interesting challenge where a parent process traces a child process to filter its syscalls via ptrace
- NahamCon EU CTF 2022 --> Limited resources
  challenge where a parent process traces a child process to modify its code via PTRACE_POKEDATA
  and like this, escape the restricted seccomp to dump the flag via the child
Windows challenges
- INTENT CTF 2022 --> PwnMe
  simple buffer overflow, we do a little ROP chain that makes the stack executable via a call to VirtualProtect()
  then we jump to a simple Windows shellcode that calls cmd.exe
Uncategorized challenges (but worth reading)
- Google CTF Quals 2022 --> FixedASLR
  great challenge, attack on an LFSR-based generator with a known output, to calculate the canary (generated by the LFSR)
  use a ROP and a SIGROP for shell execution
- FCSC 2022 --> httpd
  interesting challenge, exploitation of a syslog() format string vuln by the child process, which exploits the parent process
  the child process HTTP authentication has a buffer overflow in base64 decoding to a fixed buffer on the stack
- FCSC 2022 --> deflation
  buffer overflow when decompressing zlib compressed data, then restricted ROP
- Balsn CTF 2021 --> orxw
  interesting challenge where a parent can only write, and a child process can only open and read
  stdin, stdout, stderr are closed, so we use time to extract the flag content by testing each char, and blocking when the guess is right
- RealWorld CTF 2022 --> Shellfind
  exploiting a 0-day in a D-Link DCS-960L camera, via a buffer overflow in a UDP service