perfectblue / ctf-writeups Goto Github PK

Can you please tell me how to include the header...

I rented a VPC in all three DCs in Amsterdam, and got ~1ms latency with significant fluctuation. I likely could have obtained a sufficiently crisp signal from one of them, but it would have required averaging over far more then the 10 attempts which you used.

Which DC did you use, and what latency did you get?

Just hii😁

1. How did you managed to leak both canary and pie address in one run within 90s?, for me, leaking canary takes about 60s and I ran my script from a server located in singapore.
   My solution leaks canary only and uses libsystem addresses for ROPing. I can confirm that the canary is correct but somehow it keeps crashing at my ROP chain remotely. (It works locally)
2. Do you have any idea why this happen? my local machine is 10.15.7

I read your solution and I see the commented code "sending 64 connections" through 64 different threads. In my understanding, this should hurt stability a lot. I just wonder how unstable it was compared with "sending 64 connections sequentially in one thread".

@stong

Hi

I'm facing crash issues after unpack WH2018.exe with upx394w\upx.exe. The unpacked file are keeping crash. Could you give me some suggestion? Thanks.

I have attached the file I'm trying to unpack.

WH2018_pe_fixed2.zip

Hello, sorry for this issue but I have a problem with the kvm file.
The problem that I have is that I don't know how to run the file. When I try to run it my Kali says that
"open /dev/kvm: No such file or directory" and I don't know what to do, I followed many tutorials about how to run this kind of binaries but none of these work for me.
Can you help me please?

Hello, I was going through the exploit code for the recent Tokyowestern CTF Quals posted by you. The specific script is here.
I just wanted to know why the bss with 0x20 offset was passed as a parameter to gets and also what is the purpose of adding the same value at the end of the payload as well.

It would be great if you could give a small explanation for that, it would definitely help me a lot.

https://github.com/perfectblue/ctf-writeups/blob/master/whitehat-grandprix-2018/pwn03_onehit.md
Hi i am author of this chal :D
You dont have to guess ASLR base if you can run system(null); (by answer "N0" when it ask "wanna ls -al")
Because it will leave the address of instuction after CALL do_system on the stack. I want to prevent you guess ASLR base by using AntiSPAM Machine but ... apparently it doesn't work :(

Hey cool write-up! I was wondering how you were able to get kernel addresses commit_creds(prepare_kernel_cred(0)); without root on the box?