06 Apr 2022
b1c_waves takes 2nd in the world and in high schools!
Though it was disappointing not getting 1st I did solve a pretty cool blockchain pwn challenge.
This challenge was solved and written up alongside Mullaghmore.
solfire
Challenge Presentation
.
├── Cargo.lock
├── Cargo.toml
├── Dockerfile
├── solfire.so
└── src
└── main.rs
The challenge description linked to this article, which is super helpful to understanding how Solana works. You should probably read it before continuing if you are unfamiliar.
We are given a main.rs
, which acts as our Solana blockchain “environment”. Under the hood it uses solana-poc-framework to simulate transactions, but we don’t need to attack that.
Let’s analyze what main.rs
does.
1) Reads in an integer into the len
variable
2) Reads in len
bytes of data, and writes it to a temporary file
3) Loads solfire.so
and the new file as on-chain programs
4) Creates new user
account
5) Prints out some pubkeys
6) Derives a program address with the vault
seed from the solfire.so
pubkey
7) Transfers 1,000,000 lamports into the vault, from the environment account
8) Transfers 10 lamports into the user account, from the environment account
9) Reads some pubkeys (we can specify if they are signer / writable pubkeys)
10) Reads another integer into the ix_data_len
variable
11) Reads ix_data_len
bytes
12) Creates a new Solana instruction to call our program with, with the instruction data being what we just gave it
13) Executes the instruction, and signs it with the user account
14) If we have more than TARGET_AMT
(50,000) lamports in the user account after the transcation, we get the flag!
From a high level perspective, main.rs
basically just loads solfire.so
and any program we write as onchain programs, then lets us call our own program with our own data as ourself. How do we get the flag then??
01 Mar 2022
This past weekend I did Codegate 2022 Junior Qualifiers to distract myself from other things in life. I had been really tired the whole week but I needed something to grind to take my mind off stuff.
Also this CTF was from 5 AM - 5 AM EST so I only worked on it for like half the competition.
I ended up getting 19th place, meaning I qualifed for the finals competition (top 20 were taken)! I’m hoping I can go to Korea this year and not have to be on Zoom, but COVID might say otherwise.
07 Feb 2022
For DiceCTF 2022, I wrote one heap challenge, “chutes-and-ladders”. Out of a little over 1.1k teams, it got 15 solves which is not bad for a medium challenge I think.
As expected, it is a flavortext-comes-first, based-off-a-meme challenge :D. I procrastinated on challenge writing until pretty much the day before the CTF. And I released it in the +12 hour wave, except it was at 6 AM. Go figure.
Just as a disclaimer, I started writing the final exploit literally at 4 AM running on minimal hours of sleep the night before, immediately after writing the entire challenge. So the explanation might be a bit rough.
12 Jan 2022
One of the first beginner counting tasks is choosing \(k\) objects from a pool of \(n\) objects, where the order does not matter. This is denoted as \(n \choose k\), and through some combinatorial reasoning we can derive the algebraically equivalent formula: \(\frac{n!}{k!(n-k)!}\).
This post is motivated by a run-on showerthought that I had one day: can I show algebraically that \(\frac{n!}{k!(n-k)!}\) is an integer?
I tried and failed a couple times over the course of maybe a month. Finally, in the trough of my calculus homework procrastination after I had exhausted every other possible distraction I turned once more towards this problem and banged it all out in 10 minutes.
07 Jul 2021
b1c + rogue waves gets 2nd globally in HSCTF 8!
We got first in high school teams, meaning we beat the redpwn teams once again!!!
I didn’t really do a lot besides the pwnables, only one or two extra challenges.
Use After Freedom
This challenge is made by poortho, meaning it is guaranteed to be a GLibc heap exploitation challenge.
Checksec returns:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
Upon running the program, we are allowed to:
1. Obtain some freedom
2. Lose some freedom
3. Change some freedom
4. View some freedom
5. Exit
The provided libc is 2.27.